
Topic: PoS is far inferior to PoW - why are so many people advocating switching to PoS - page 7. (Read 12865 times)

legendary
Activity: 1484
Merit: 1026
In Cryptocoins I Trust
Myriadcoin's multi-PoW framework helps with the decentralization of mining that some of you may be concerned about. More than you think, actually.

I agree. I have been touting Myriadcoin as one of the biggest innovations in the PoW cryptocurrency world. It is definitely a step forward. Unfortunately, it still doesn't change the fact that a lot of electricity and processing power is wasted in the process. Pretty much all scientists agree global warming is real and PoW only accelerates that. I see PoS or a variant of it as being the ideal solution for consensus mainly for this reason. Why increase emissions unnecessarily simply to reach decentralized consensus when it is not needed because PoS is sufficient at performing the same job? Also.. all of the processing power could actually be used to do something useful to society instead of simply securing a block chain, such as solving cancer or assisting other scientific research. Primecoin is a good example of a PoW algo that is actually useful to society.

These are my biggest concerns about PoW, not the centralization of it. All systems.. PoS and PoW.. inevitably tend towards centralization eventually. PoW tends towards centralization in mining pools and large farms set up with cheap power which utilize the economies of scale ASICs provide. PoS tends towards centralization with the need for check points to prevent certain attacks (or at least in the current variants of PoS.) DPoS works on the realization that all systems inevitably tend towards centralization, and it gives you a way for stake holders to control that centralization. Stake holders choose who becomes a delegate, with PoW you cannot choose who secures the block chain.. whoever buys mining power can do it. This helps keep nefarious actors out. Also, you can vote in developers and people creating important core services for the coin as delegates to compensate them for doing so. Therefore, a DPoS coin can hire employees that work for the cryptocurrency... PoW can obviously only do this via donations. The use of only 101 delegates allows block times to be reduced to as little as 10 seconds and process many transactions a second.. something that is very hard to achieve (maybe impossible) with PoW. There are many benefits of DPoS over PoW in my mind which far outweigh the highly unlikely attack vectors, and that is why I support it over PoW alternatives.
legendary
Activity: 1442
Merit: 1005
Let's consider Proof Of Waste for a second. 51% of Bitcoin's hash power is on 2 to 3 mining pools. They paid NOTHING to obtain it. You are entrusting them directly (or indirectly when they get "hacked") to not fork your coin. By the way... this statement I can back up with facts and readily available data.
First, it's not "waste". It's a highly specific impossible to forge or reuse effort to ensure security while also fairly converting value (energy) into tokens, bridging the outside and inside economy seamlessly.

The pools and their costs argument is only temporarily valid. The pools paid nothing, but they have nothing long-term. If they fuck up, miners will move quickly, miners paid A LOT of money for their power and have not usually recouped. I am entrusting the miners that need to collaborate and play fairly to profit.

You see the difference now?
It is waste in that it wastes electricity and processing power unnecessarily as has been proven by PoS. This is something Bytemaster (Bitshares main dev) came up with, for the Bitshares community to refer to PoW as Proof Of Waste to point out the fact that it is unnecessary to expend these resources simply to secure a block chain, as is proven by PoS and all of its variants.

I will concede you have a point as to the pools only being able to mount an attack temporarily before everyone switches pools. However, I stick to the fact that you simply made up "as it happens for many coins an exchange owns more than 51% of the supply", and you have no proof of this and it is not true. The point was that there are different attack vectors for PoW that exist other than achieving 51% of the hash power. Both PoW and PoS variants have vulnerabilities and different pros and cons. There is no perfect solution, and I believe that PoW is often touted on these forums as being a perfect solution when in actuality it is not.
I disagree again.

It is not waste, it is a conversion of energy value into coin value. PoS coins (various types as you mentioned) also use a method to get value into the coin itself:
- PoW stage: it's the same as a fully PoW coin, just that coin emission ends very quickly and is unfairly distributed with regards to future investors.
- gib muny: just "devs" ripping off investors and collecting pots of bitcoin (the irony) to give price decaying coins to them

There can be only one instance of proof when an exchange owns 51% of the supply, when all depositors account for all deposits in various known addresses and reach a 51% sum, otherwise it's not ensured that you can detect a 51% ownership.

Again, PoW attack vectors are valid for mere HOURS, while a PoS attack vector can be used FOREVER once it opens up. This is a very HUGE difference in the security model which reduces the effect of the attack.

Going back to the PoW "waste" which you pretty headed PoS supporters don't seem to understand not even 6 years after Bitcoin was invented. This is not "waste", it is a cost that is converted into new coins (scheduled or fees) from block rewards. The approximate cost to generate a block is found in the value of new tokens. This cost is real and significant, this gives value to Bitcoin.

The cost of generating PoS blocks is basically zero (5$ a month for electricity on donated hardware or a VPS bill). The value of the block rewards is thus zero, this gives no value to new PoS coins, the market cap remains the same, but new coins are added. Price per existing coin will be lower.

What does this mean? Let me show you:

PoW
Bitcoin: 0.7% price growth every day for 6 years, 5,678,828,589 USD market cap
Litecoin: oscillating but stable parity with Bitcoin for 3 years, 138,439,389 USD market cap
Namecoin: oscillating but stable parity with Bitcoin for 3 years, 10,064,647 USD market cap

Hybrid
Peercoin: oscillating but stable parity with Bitcoin for 2 years, 18,474,609 USD market cap
Novacoin: down the shitter in 2 years, 640,582 USD market cap
YACoin: down the shitter in 2 years, 37,320 USD market cap

PoS
I'll let you pick the best examples older than one year
sr. member
Activity: 448
Merit: 250
Myriadcoin's multi-PoW framework helps with the decentralization of mining that some of you may be concerned about. More than you think, actually.

legendary
Activity: 1484
Merit: 1026
In Cryptocoins I Trust
So.. you are going to cherry pick the version of PoS that best fits your argument? DPoS is PoS, it is just a variant of PoS.
There should be no confusion here. Please don't claim PoS has some features that are present only in DPoS as a supporting argument for PoS. When the title shows DPoS I will consider it fair to use those features as part of the discussion. I don't think PoS is the same as DPoS. What do you think?

A lot of people (me included) use the term PoS as more of a broad term that includes all consensus algorithms that are not based on PoW. This includes many different variants of PoS... PoS as in Peercoin, transparent forging as in Nxt, DPoS as in Bitshares, etc, etc...

Many people would refer to Bitshares and Nxt as being PoS even though they are actually a variant of it. I agree it is confusing, but a term was needed to differentiate PoW coins from non-PoW coins and I think PoS is a natural choice since it was the first non-PoW consensus algo. As long as people realize that there are different variants of PoS, each functioning differently and with their own sets of pros and cons, then I don't see any issues with the terminology.

Let's consider Proof Of Waste for a second. 51% of Bitcoin's hash power is on 2 to 3 mining pools. They paid NOTHING to obtain it. You are entrusting them directly (or indirectly when they get "hacked") to not fork your coin. By the way... this statement I can back up with facts and readily available data.
First, it's not "waste". It's a highly specific impossible to forge or reuse effort to ensure security while also fairly converting value (energy) into tokens, bridging the outside and inside economy seamlessly.

The pools and their costs argument is only temporarily valid. The pools paid nothing, but they have nothing long-term. If they fuck up, miners will move quickly, miners paid A LOT of money for their power and have not usually recouped. I am entrusting the miners that need to collaborate and play fairly to profit.

You see the difference now?
It is waste in that it wastes electricity and processing power unnecessarily as has been proven by PoS. This is something Bytemaster (Bitshares main dev) came up with, for the Bitshares community to refer to PoW as Proof Of Waste to point out the fact that it is unnecessary to expend these resources simply to secure a block chain, as is proven by PoS and all of its variants.

I will concede you have a point as to the pools only being able to mount an attack temporarily before everyone switches pools. However, I stick to the fact that you simply made up "as it happens for many coins an exchange owns more than 51% of the supply", and you have no proof of this and it is not true. The point was that there are different attack vectors for PoW that exist other than achieving 51% of the hash power. Both PoW and PoS variants have vulnerabilities and different pros and cons. There is no perfect solution, and I believe that PoW is often touted on these forums as being a perfect solution when in actuality it is not.
legendary
Activity: 1484
Merit: 1026
In Cryptocoins I Trust
sr. member
Activity: 433
Merit: 267
NxT hashes every transaction consecutively in a block which is ultimately called the "payload". Is this what you're referring to?

Quote from: NxT Source code 11/13/2014
    MessageDigest digest = Crypto.sha256();
    for (Transaction transaction : newTransactions.values()) {
        digest.update(transaction.getBytes());
    }
    byte[] payloadHash = digest.digest();

https://github.com/Blackcomb/nxt/blob/master/src/java/nxt/BlockchainProcessorImpl.java


The BaseTarget thing is described here;
https://github.com/Blackcomb/nxt/blob/master/src/java/nxt/BlockImpl.java

However, that doesn't require very many SHA256 operations. It just relies on the hashes of previous signatures to figure out what the appropriate time until the next block should be at a minimum. It seems like reorgs would be trivial to pull off if you are/were a major stakeholder, and you wouldn't need anywhere near 51% of the coins.
hero member
Activity: 583
Merit: 505
CTO @ Flixxo, Riecoin dev
why do you think there are many SHA256 operations involved?
That is what is required to calculate a longer chain that stands a chance of being accepted as legitimate.
The better chain needs to almost mirror the honest one in terms of certain properties.
The retargeting algo in Nxt plays an important role in this.

how would a large hashrate benefit an attacker?
See above.

We are talking about POS, right? and specifically you are talking about NXTs implementation, right?
The security of all POS coins is based on the premise that getting 75% of stake is hard, and it's not based on any brute force calculation of SHA256 hashes. Please explain exactly how would a large hashrate benefit an attacker?
No special hashrate (more than the number of accounts per second), is required to create the main chain, and also not any special hashrate would be required to create an attacking chain. You only need the staking power.
Regardless of the baseTarget adjustments (which I have seen in the Java code for NXT v1.3.3, not in any documentation because reading NXT docs is terrible, you never know what is actually implemented and what not), if you have more coins than those that were at stake then you can rewrite up to 720 blocks. No need for much hashrate. This applies to all POS implementations that I have seen.
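
The forging rule this exchange turns on, as an added sketch that is not part of the thread and is not Nxt's own code. It assumes the Nxt-style hit/target rule spelled out in the comments, a constant base target (no retargeting, no cumulative difficulty), and constructed account keys, supply and seed.

```python
import hashlib

# Assumptions (none of this is from the thread): Nxt-style forging, where
#   generation signature = SHA-256(previous generation signature || public key)
#   hit    = first 8 bytes of that digest, read little-endian
#   target = base_target * balance * seconds_since_last_block
# and an account may forge once hit < target. The base target is held
# constant here; per-block retargeting and cumulative-difficulty ranking
# of branches are deliberately not modelled.
BASE_TARGET = 153722867       # assumed value, about 2**63 / (60 * 10**9)
TOTAL_SUPPLY = 1_000_000_000  # assumed total coin supply


def hit_for(prev_gen_sig: bytes, public_key: bytes):
    """One SHA-256 yields both the account's hit and the next signature."""
    gen_sig = hashlib.sha256(prev_gen_sig + public_key).digest()
    return int.from_bytes(gen_sig[:8], "little"), gen_sig


def forge_delay(hit: int, balance: int, base_target: int = BASE_TARGET) -> int:
    """Smallest whole number of seconds t with hit < base_target * balance * t."""
    return hit // (base_target * balance) + 1


def forge_branch(accounts: dict, blocks: int, seed: bytes = b"constructed fork point"):
    """Forge `blocks` blocks using only `accounts` (public key -> balance).

    Returns (branch duration in seconds, number of SHA-256 calls made).
    """
    gen_sig = hashlib.sha256(seed).digest()
    seconds = 0
    sha256_calls = 0
    for _ in range(blocks):
        best = None  # (hit, balance, generation signature) of the next forger
        for public_key, balance in accounts.items():
            hit, sig = hit_for(gen_sig, public_key)
            sha256_calls += 1
            # The lowest hit per coin reaches its target first; compare
            # hit/balance exactly by cross-multiplying.
            if best is None or hit * best[1] < best[0] * balance:
                best = (hit, balance, sig)
        seconds += forge_delay(best[0], best[1])
        gen_sig = best[2]
    return seconds, sha256_calls


def constructed_accounts(n: int, stake_percent: int) -> dict:
    """n equal constructed accounts that together hold stake_percent of supply."""
    balance = TOTAL_SUPPLY * stake_percent // 100 // n
    return {f"constructed-key-{i}".encode(): balance for i in range(n)}


def compare(blocks: int = 300, n: int = 400):
    """The thread's scenario: 300 blocks forged by 400 accounts at 100% vs 75% stake."""
    full = forge_branch(constructed_accounts(n, 100), blocks)
    partial = forge_branch(constructed_accounts(n, 75), blocks)
    return full, partial


if __name__ == "__main__":
    (t_full, calls), (t_part, _) = compare()
    print(f"SHA-256 calls per 300-block branch: {calls}")
    print(f"branch duration at 100% stake: {t_full} s, at 75% stake: {t_part} s")
```

Under these assumptions the work is one SHA-256 per account per block (120,000 for 400 accounts over 300 blocks), and holding 75% of the stake stretches the branch's timestamps by about a third; whether such a branch would be accepted depends on the retargeting and cumulative-difficulty rules the sketch leaves out.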

hero member
Activity: 574
Merit: 500
A bank such as JP Morgan with an FPGA super computer can conceivably do it (without figuring out how many operations are actually required).

I wouldn't be wrong to suppose no math will follow to back this statement, would I?

I say as much in the quote. Though, an FPGA should be an order of magnitude faster than a General-purpose computer (or even PoW hasher) for that type of problem.

The discussion I saw estimated that recalculating a better chain to attack Nxt would take the current bitcoin network hashrate several times the age of the Universe to do. I wouldn't like to comment but I haven't seen any advances on that which are backed by any calcs.

You would also need to calculate this attack chain in 720 blocks otherwise it would be rejected.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
A bank such as JP Morgan with an FPGA super computer can conceivably do it (without figuring out how many operations are actually required).

I wouldn't be wrong to suppose no math will follow to back this statement, would I?

I say as much in the quote. Though, an FPGA should be an order of magnitude faster than a General-purpose computer (or even PoW hasher) for that type of problem.
hero member
Activity: 574
Merit: 500
sr. member
Activity: 336
Merit: 260
A bank such as JP Morgan with an FPGA super computer can conceivably do it (without figuring out how many operations are actually required).

I wouldn't be wrong to suppose no math will follow to back this statement, would I?
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
I have no idea what you're going on about.

I know. Search nxtforum for "BaseTarget adjustment algorithm" thread (leads to Blind Shooter algorithm and how it interacts with the retargeting algo, in the same thread) if you are genuinely interested. I get the impression no one on BTT is, they just listen to the echo and then repeat it.

The above makes the Nothing at Stake 'problem' wishful thinking. At least in Nxt it does.

I tried that: https://nxtforum.org/proof-of-stake-algorithm/basetarget-adjustment-algorithm/ (linked from cite note 9 on the Wiki) requires me to log in.

A bank such as JP Morgan with an FPGA super computer can conceivably do it (without figuring out how many operations are actually required).

Quote from: Whitepaper:Nxt
Block generation time is targeted at 60 seconds, but variations in probabilities have resulted in an average block generation time of 80 seconds, with occasionally very long block intervals. An adjustment to the forging algorithm has been suggested by mthcl and modeled by Sebastien256 on NxtForum.org[9].

According to that, the updated algorithm was a suggestion. How are we supposed to analyze the specific PoS algorithm in NXT if you keep moving the goal-posts?
hero member
Activity: 798
Merit: 1000
‘Try to be nice’

This is what I have been repeatedly saying. As long as the Cartel controls Bitcoin, they shouldn't start arguing about vulnerabilities in other systems or claim they are decentralized. All it needs is the government or a bad actor to gain control of a couple of pools and Bitcoin is done.

At least with PoS, the attacker has to gain control of the coins through some means. Hacking exchanges won't give them enough so they will actually have to buy out the coins. That's another key difference, anybody holding a PoS coin has a say in the network, Bitcoin holders don't.

now think harder and see if you can find an answer that would be the best possible solution for both problems.

wait!

what about a continual PoW

and a PoS

or just continual PoW
hero member
Activity: 574
Merit: 500
I have no idea what you're going on about.

I know. Search nxtforum for "BaseTarget adjustment algorithm" thread (leads to Blind Shooter algorithm and how it interacts with the retargeting algo, in the same thread) if you are genuinely interested. I get the impression no one on BTT is, they just listen to the echo and then repeat it.

The above makes the Nothing at Stake 'problem' wishful thinking. At least in Nxt it does.


sr. member
Activity: 433
Merit: 267
I have no idea what you're going on about.
hero member
Activity: 574
Merit: 500
Alice wants to attack the blockchain.
She owns private keys of 400 accounts totalling to 75% of the stake.
She is planning to rewrite the history from block 5'000.
Legit chain is at block 5'300 (less than 720).
Cumulative difficulty at block 5'000 is 8'000'000.
Cumulative difficulty at block 5'300 is 9'000'000.
How many SHA256 operations are necessary on average to find a branch where cumulative difficulty at block 5'300 is at least 9'000'001?
Hint: Blocks from 5'000 to 5'300 were forged by 100% of the stake.

There is no answer because the question makes no sense.
first answer this: why do you think there are many SHA256 operations involved? how would a large hashrate benefit an attacker?
it's not a matter of hashrate, it's 300 blocks * 60 seconds * 400 accounts = 7200000. Hashing that many SHA256 takes less than one second on a modern cpu.

The question is not clear because it talks about "the stake", but what is "the stake"? the total amount of coins? or the amount of coins actively forging at the given time? were your 400 accounts forging on the main chain at block 5000 or not?

If you control more coins at block 5000 than those that were forging at block 5000 then you can simply rewrite everything.


why do you think there are many SHA256 operations involved?
That is what is required to calculate a longer chain that stands a chance of being accepted as legitimate.
The better chain needs to almost mirror the honest one in terms of certain properties.
The retargeting algo in Nxt plays an important role in this.

how would a large hashrate benefit an attacker?
See above.

it's not a matter of hashrate, it's 300 blocks * 60 seconds * 400 accounts = 7200000
Which POS implementation is this possible in? It doesn't look very secure.

what is "the stake"?
The stake is Alice's coins, 75% of all coins in existence.

were your 400 accounts forging on the main chain at block 5000 or not?
Assume worst case for coin, best in favour of the attacker.
hero member
Activity: 583
Merit: 505
CTO @ Flixxo, Riecoin dev
2. It does not bother to mention how many calculations are needed to secretly build a valid longer chain with a small stake in a specific PoS system. This is like saying sha512 algo can be cracked, without calculating how many tries one needs to crack it...

I'm eagerly awaiting a revised version that calculates needed computing power to n@s-attack, let's say current version of Nxt.
The tedious details that would go into trying to figure out precisely how NxT would be attacked don't resolve the problem that the paper is talking about, and more importantly, it's not the responsibility of us to put forward the security model.


The 'tedious detail' is what your argument is and relies upon. Until you provide this and show there is a problem, then there is no problem as it hasn't been articulated. It is in the same camp as stating categorically "The numbers 3 and 5 can never be used to give a sum of 23" and then not even attempting any calculations to check you are correct, as it isn't your "responsibility to put forward summation models".  



Below is paraphrased from Come-from-Beyond and is a question that was posed in May 2014. It has still gone unanswered (publicly at least, the silence of the initial Nothing at Stake zealots is telling I think).



Alice wants to attack the blockchain.
She owns private keys of 400 accounts totalling to 75% of the stake.
She is planning to rewrite the history from block 5'000.
Legit chain is at block 5'300 (less than 720).
Cumulative difficulty at block 5'000 is 8'000'000.
Cumulative difficulty at block 5'300 is 9'000'000.
How many SHA256 operations are necessary on average to find a branch where cumulative difficulty at block 5'300 is at least 9'000'001?
Hint: Blocks from 5'000 to 5'300 were forged by 100% of the stake.



Without a detailed further explanation of the so called Nothing at Stake 'problem', further discussion is quite useless.

Bump.

I am genuinely interested in the answer,  I can only assume you are all busy with your calculators right now. I can wait.



My follow up question would then be...

Would doing this many SHA256 operations be at no cost?


If you still believe this would be free, check whether it would be possible to do, i.e. what is the likelihood that you can do this many SHA256 operations to recalculate a better chain within the 720 block time limit?

There is no answer because the question makes no sense.
first answer this: why do you think there are many SHA256 operations involved? how would a large hashrate benefit an attacker?
it's not a matter of hashrate, it's 300 blocks * 60 seconds * 400 accounts = 7200000. Hashing that many SHA256 takes less than one second on a modern cpu.

The question is not clear because it talks about "the stake", but what is "the stake"? the total amount of coins? or the amount of coins actively forging at the given time? were your 400 accounts forging on the main chain at block 5000 or not?

If you control more coins at block 5000 than those that were forging at block 5000 then you can simply rewrite everything.
hero member
Activity: 574
Merit: 500
2. It does not bother to mention how many calculations are needed to secretly build a valid longer chain with a small stake in a specific PoS system. This is like saying sha512 algo can be cracked, without calculating how many tries one needs to crack it...

I'm eagerly awaiting a revised version that calculates needed computing power to n@s-attack, let's say current version of Nxt.
The tedious details that would go into trying to figure out precisely how NxT would be attacked don't resolve the problem that the paper is talking about, and more importantly, it's not the responsibility of us to put forward the security model.


The 'tedious detail' is what your argument is and relies upon. Until you provide this and show there is a problem, then there is no problem as it hasn't been articulated. It is in the same camp as stating categorically "The numbers 3 and 5 can never be used to give a sum of 23" and then not even attempting any calculations to check you are correct, as it isn't your "responsibility to put forward summation models".  



Below is paraphrased from Come-from-Beyond and is a question that was posed in May 2014. It has still gone unanswered (publicly at least, the silence of the initial Nothing at Stake zealots is telling I think).



Alice wants to attack the blockchain.
She owns private keys of 400 accounts totalling to 75% of the stake.
She is planning to rewrite the history from block 5'000.
Legit chain is at block 5'300 (less than 720).
Cumulative difficulty at block 5'000 is 8'000'000.
Cumulative difficulty at block 5'300 is 9'000'000.
How many SHA256 operations are necessary on average to find a branch where cumulative difficulty at block 5'300 is at least 9'000'001?
Hint: Blocks from 5'000 to 5'300 were forged by 100% of the stake.



Without a detailed further explanation of the so called Nothing at Stake 'problem', further discussion is quite useless.

Bump.

I am genuinely interested in the answer,  I can only assume you are all busy with your calculators right now. I can wait.



My follow up question would then be...

Would doing this many SHA256 operations be at no cost?


If you still believe this would be free, check whether it would be possible to do, i.e. what is the likelihood that you can do this many SHA256 operations to recalculate a better chain within the 720 block time limit?
legendary
Activity: 1181
Merit: 1002
[...]
I am entrusting the miners that need to collaborate and play fairly to profit.

[...]
otherwise you are "relying on the good will" of humans again.

Seems like a contradiction, could somebody please clarify?
There is no good will or bad will, just economic will in PoW. If you do the right thing to obtain maximum profit possible from mining, you are actually obeying and enforcing the protocol rules. It's that simple. Do the wrong thing and you lose.

Maximizing profit doesn't have to be equal to your "doing the right thing" or to reverse it "doing the wrong thing" might make you a winner.
You are oversimplifying, sorry.
legendary
Activity: 2548
Merit: 1054
CPU Web Mining 🕸️ on webmining.io
After having several farms of significant size for the last few generations of mining, I have finally switched sides and much prefer PoS now. I took a deeper look into the tech behind it and have been convinced that staking is a better idea as long as distribution was fair from mining

so you are no longer a miner? should have known this kind of Epiphany wouldn't happen while mining was profitable

either way, welcome aboard the PoS train..

now you should look at PoI instead of waiting 6 months to find out it's better than PoS.. lol

https://medium.com/@xtester/the-new-economy-movement-fb9bb67eb9fe

No I still mine, just would prefer not to