It is time to squash Proof-of-Stake once and for all. It can
NEVER remain decentralized. Satoshi's Proof-of-Work is the only known solution to the Byzantine General's Problem (was a known unsolved problem since at least the 1970s).
Apologies I've been busy and hadn't had time to squash bytemaster's latest N.A.O.D. (nonsense algorithm of the day).
First of all, he never was able to address the issues I raised about
Transactions as Proof-of-Stake quoted as follows.
This proposal appears to be flawed, unless I am missing something. I have only read the first 4 pages thus far.
1. You propose to decrease the coin rewards as coin-days-destroyed volume increases, so this makes it less costly for an attacker to obtain > 50% of the hash rate assuming the attacker includes all the transactions. You apparently are attempting to imply there is no useful attack to do if the attacker is including the most coin-days-destroyed? Please confirm or deny then I will dig into more analysis of this vector.
2. Also how do you choose between someone who generates a proof-of-work hash with lower coin-days-destroyed several times sooner than the network propagation delay versus another who generates it that much delayed with a higher coin-days-destroyed? If you choose the latter, then you've killed the proof-of-work incentive because it means it will always pay to be later and wait for more transactions to arrive.
3. You claim to defeat my Transactions Withholding Attack, by blacklisting those who send blocks with transactions that were not recently seen by all miners. I
retorted against this recently. This centralizes the network (all for one and one for all outcome) by requiring every miner to be responsible for the incoming network connectivity of other miners. And it centralizes the network in other ways, such it can't tolerate a temporary partitioning of the network due to connectivity outages.
P.S. By coin-days-destroyed, I assume you mean coin value x days, otherwise you would motivate proliferation of dust.
The most significant flaw of any proof-of-stake system and any system that diminishes coin rewards, is it can't distribute currency from the hoarders to the users of the currency, thus it will end up with the hoarders (the banksters) accumulating all the coin and the currency usage dying.
This is because the wealthy spend a much lower % of their net worth than the masses do.
[snip]
Whereas those who actually mine are proactively using their time, ingenuity, initiative and capital to secure the network, thus it seems more capitalistic they should receive the redistribution from the hoarders. Besides it may beis the only viableplausible way to secure the public ledger.
The other attacks you describe all derive from the fundamental reason I declared all non-proof-of-work systems to be insecure back in April.
My logic was mathematically fundamental. The input entropy set is quite deterministic and well known and thus can be preimaged. For example, accumulating a lot of coin-days-destroyed and then targeting them in clever ways to subvert the security.
The randomness (entropy) of each proof-of-work is fundamental and mathematical and it can not be preimaged. It can only be surely defeated with > 50% of the network hash rate. Note I recently offered what I believe to a solution to the selfish-mining attack (the one at hackingdistributed.com that claims 25 - 35% attack).
I am skeptical that you can characterize all possible attack vectors of proof-of-stake in one coherent mathematical proof. Thus you will not know formally what the security is; instead a list of adhoc attacks and counter-measures.
[snip]
Edit: Perhaps coin-days-destroyed in some attack vectors motivates not transacting for long periods of time.
The bottom line is that no proof-of-stake system can ever remain decentralized.
They all will require some sort of delegation of reputation to achieve consensus. I would have to go through a laundry list of examples to cover all the cases. For example, in
Transactions as Proof-of-Stake it is required to delegate trust of propagation to the other nodes as I explained above. Thus there needs to be some reputation system to enforce this, e.g. blacklisting, whitelisting, etc.. All the other proof-of-stake systems have a requirement for some form of delegated reputation.
I have many times explained to bytemaster and others the fundamental problem is that any system that attempts to replace proof-of-work will rely on some form of reputation, and reputation is centralization. And centralization is precisely what decentralized crypto-currency is not supposed to be because centralization will always end up control and manipulated (i.e. it is a fiat system).
Trust is orthogonal to reputation and centralization. I can trust Proof-of-Work, which is decentralized trust without reputation. Reputation isn't needed in Proof-of-Work, because the input entropy is fresh (can't be preimaged) on every new TB.
You can 75% attack it if you like, but your nodes wont have any trust, so that block chain will just be ignored.
(In any non-Proof-of-Work design, ) It is mathematically impossible for there to be
external consensus trust of the honest chain if the dishonest chain is controlled by more than 51% of the peers. We've covered some of the scenarios upthread, and it always boils down to that the external viewers can not know who to trust except by trusting the majority of peers.
The only mathematical way around this is to centralize the network, by placing more trust in some peers than others over time.
Indeed long-term reputation is a mathematically viable alternative to Proof-of-Work. This is centralization. There are tradeoffs.
So this is not "7 billion individually watching the network", but rather a fewer # of peers with reputation being trusted. This is just the political power vacuum all over again with its contingent problems of
vested interests Olsen power scramble:
https://bitcointalksearch.org/topic/no-money-exists-without-the-majority-226033 (
No Money Exists Without the Majority)
Notwithstanding the above, any non-Proof-of-Work system can be attacked with much less than 51% of the peers, due to the fact that the input entropy is preimageable, as I explained upthread. Again the only way to work around this is to trust some established peers to guard against this.
Financial transactions must be recorded in a public or private ledger trusted by both the spender and the recipient, otherwise funds could be unspent or double-spent to a plurality of recipients. To provide a ledger that can't be captured, Satoshi described a proof-of-work (PoW) scheme where transaction peers communicating over the network compete to be the first to solve a computational puzzle which is unique for each block of transactions added to a public ledger. The security of this ledger against double-spends has three (3) essential requirements.
1. The computational puzzle can't be preimaged, i.e. nothing can be known about solving the puzzle until the prior block's puzzle is solved.
2. Without at least 50% of the aggregate computational power of all transaction peers, it is not possible to create a modified chain of blocks starting from any present or past block, which would contain more blocks than the block chain controlled by the remaining cooperating peers. Thus the longer chain is trusted.
3. The block chain is cryptographically linked in forward order, such that the historical proof-of-work and transactions can be independently verified at any time in the future. Thus the transaction peers may leave and rejoin the network at will without need for a trusted centralized storage.
Note security point #1 eliminates from consideration PoW schemes in which the puzzle is some real-world computational work because the puzzles are known a priori and are thus pre-imageable. Non-PoW voting and membership schemes disqualify because the ordering of designation of authority (to decide which transactions are in each block) to transaction peers is pre-imageable, or requires peers trusted by reputation which is centralizing on a slippery slope towards Olsen capture.
You must also consider the negative impacts of design features when you state the positive impacts.
Reputation has many downsides:
a. It can be stolen, e.g. threaten first to extort private key, then kill, and keep key.
b. Censorship based on metadata which doesn't always correlate rationally.
c. Discriminate against early adopters out of jealously, i.e. retribution for #b.
d. Regulatory authorities can require the BitName same as they now do Social Security # and Id. They can now establish the BitName is real, because it has (duration) reputation.
The high cost to transfer or revoke a name also has many downsides, e.g. see #d.
I thinking the pool operator (server) does so little relative to work of the pool miners that it doesn't need to charge a very high fee. Thus there isn't much ability (incentive for pool miners) to undercut competitors based on fee.
So there just needs to be a slightest incentive to encourage pool miners to seek out another pool as a pool grows large. This will encourage a poliferation of pools.
How do pool miners know that a pool server isn't cheating them by paying some of the earnings to themselves pretending to be a pool miner?
Go down that line of thought and you will discover what I am thinking.
The only way you can prove a pool isn't cheating is by estimating the hash rate of the pool and comparing it to the number of blocks found. Unfortunately, you could probably still skim a couple of a percent this way.
Modern protocols (GBT & Stratum) both have the full coinbase transaction visible to the miners, meaning you can verify that the block being built will be paid to a certain address or has a certain message encoded in the block that identifies the pool. This allows you to audit if the pool is trying to skim blocks if certain users start seeing work without a coinbase message that identifies the pool. In the case of BTC Guild, it's both, they always pay to the same address and always include "Mined by BTC Guild" in the coinbase message.
It's not no-trust, but all it would take is a few % of users monitoring this to determine if a pool was trying to skim blocks by sending a certain % of work that doesn't include identifying marks.
How could anything less than 100% of the pool miners know if some of the coinbase transactions were to addresses not owned by pool miners who contributed shares?
Since you can never know if you are the 100% (because mining pool shares* are not recorded in the block chain), thus seems to me there is no way to verify if there is skimming or not, as bytemaster and I wrote.
*For those who don't know the terminology, a pool share is a proof-of-work hash below some threshold that is easier than the current network difficulty. It might also be a block solution.
Why don't you just use P2Pool? Is there any reason?
I was waiting for bytemaster to answer because I wanted to know his thoughts. Seems to me that you have no way to stop the Share Withholding Attack since it is decentralized. And every peer has to run more of a full client if I am not mistake. And there is a lot more overhead I believe. And perhaps also much less resistance against denial-of-service flooding. Frankly I didn't analyze for long enough to be very sure of my initial intuition which is to stay away from it.
I know
it is generally impossible to enforce reputation on a 100% decentralized system. So I am intuitively skeptical of P2Pool.
P.S. I won't have time to go back here and debate. I am technically qualified and I am 100% sure I am correct.