
Topic: Proof of Stake Bitcoin? - page 4. (Read 15932 times)

full member
Activity: 351
Merit: 134
February 01, 2018, 04:35:53 AM
This is the error: there's no *monetary* profit motive necessary to get a Nash equilibrium.  As you say, monetary profit centralizes by economies of scale which result, as you say, in a power law distribution.   There's no reason to motivate people to participate in consensus.  They can.  They don't have to.  If they don't, they accept others to vote in their place.  If that goes "wrong", their problem.   The motivation is to keep your share, or to risk that others will push you out of the consensus.  If that happens, too bad for you.  You weren't there.  You've lost your stash because you failed to be online ?  Your problem, not mine.  So, fear of missing consensus is a good motivation.

There isn't a way to achieve one without it. Without a profit motive, the rational behaviour to maximise gains is to attack the system, this is the opposite of a Nash equilibrium.

Quote
They can only tell the difference because they trust or were online.  They have to trust the signatures of the "true" rule manifest (usually a piece of software).

No, they don't need to do anything. Their client, which can be offline, then online, will always know whether it is being presented with a candidate blockchain on the right hard fork, in the right blockchain.

You seem to be suggesting that the attack vector is to convince someone who's never had a bitcoin, or ethereum client before to install an impostor client. This is a social engineering attack, not a technical one.
hero member
Activity: 770
Merit: 629
February 01, 2018, 04:27:22 AM
The power law of economics says that anything which has a profit motive will centralise. But, there is no other way (yet discovered) to achieve a Nash equilibrium than establishing a profit motive, so we're stuck with it.

This is the error: there's no *monetary* profit motive necessary to get a Nash equilibrium.  As you say, monetary profit centralizes by economies of scale which result, as you say, in a power law distribution.   There's no reason to motivate people to participate in consensus.  They can.  They don't have to.  If they don't, they accept others to vote in their place.  If that goes "wrong", their problem.   The motivation is to keep your share, or to risk that others will push you out of the consensus.  If that happens, too bad for you.  You weren't there.  You've lost your stash because you failed to be online ?  Your problem, not mine.  So, fear of missing consensus is a good motivation.

Quote
Are you honestly saying that the LCR rule doesn't distinguish between blockchains? Obviously it only functions within a single blockchain and yes, clients can tell the difference between an ethereum chain and a bitcoin one.

They can only tell the difference because they trust or were online.  They have to trust the signatures of the "true" rule manifest (usually a piece of software).

If there's a Martian visiting earth, how is that Martian going to know what is the true bitcoin block chain if he's not going to trust anyone and never was online before ?  He'll look at all block chains around, and find the one with the highest PoW in economic waste.  "that must be the unique true consensus document".  From the moment you require OTHER extra rules, as I said, you have to trust those who said it were the right rules, or you must have been there when they were established, or you must trust someone that was there when they were established.

If someone saw bitcoin's protocol in early 2010, left for Jupiter for 8 years and came back, and imagine that BCH has more PoW, he would say that the true bitcoin ledger is BCH, and BTC is an attempt at fraud.

If someone had seen just Satoshi's paper in 2008, only remembering "maximum PoW", left for Saturn, and came back, realizing that rules may have changed completely, and ethereum would prove more PoW, he'd say that the only true ledger is the ethereum ledger, and all the rest is fraud.

In order to "know" that it isn't so, he will have to use and trust recent online information, or they "had to be there".

Other example.  Suppose that earth is hit by a catastrophe and for 500 years, we're back in the middle ages, even though the legend of bitcoin is orally transmitted.  500 years from now, technology is again developed, and some people go to look after that Satoshi of the Round Table and his trustless Ledger, some ledgers are finally discovered.  Which one is the "true" one ?  If the rule "maximum PoW" is recognized as the sole unique totally trustless rule, if ever the ethereum chain has more PoW to it, it will be said that it was bitcoin.

Finally "trustlessness and money" is an oxymoron. Money is about belief in value.  If you don't trust anyone, you don't believe that others believe in money.
full member
Activity: 351
Merit: 134
February 01, 2018, 03:31:17 AM
Well, it fails on decentralization already, and "asymptotically" means wasting more than half of human's resources.

The power law of economics says that anything which has a profit motive will centralise. But, there is no other way (yet discovered) to achieve a Nash equilibrium than establishing a profit motive, so we're stuck with it.

I believe there is a way to achieve more decentralisation than we have in blockchains currently, still using PoW, but that's another post.

Quote
Because if you are presented with different block chains, and the ethereum block chain contains more proof of economic waste than what people used to call the bitcoin block chain, according to your rule, you have to accept the ethereum block chain as the sole true consensus document

Are you honestly saying that the LCR rule doesn't distinguish between blockchains? Obviously it only functions within a single blockchain and yes, clients can tell the difference between an ethereum chain and a bitcoin one.
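The fork-choice question argued in this exchange, as an added Python example (not code from the thread or from any client): it compares taking the chain with the most accumulated proof of work across every candidate with taking it only among candidates whose genesis hash matches one the client already holds. The candidate chains, the genesis hash strings and the use of the genesis hash as the only stand-in for "the rule set" are constructed for illustration; the compact-target decoding and the 2^256/(target+1) work formula follow Bitcoin's header format.

```python
from dataclasses import dataclass
from typing import List, Optional


def bits_to_target(bits: int) -> int:
    """Decode the compact nBits field of a Bitcoin header into the 256-bit target."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(bits: int) -> int:
    """Expected number of hashes needed to meet the target: 2^256 / (target + 1)."""
    return (1 << 256) // (bits_to_target(bits) + 1)


@dataclass
class Candidate:
    name: str
    genesis_hash: str          # identifies which rule set the chain claims to follow
    bits_per_block: List[int]  # one nBits value per block after genesis

    @property
    def height(self) -> int:
        return len(self.bits_per_block)

    @property
    def work(self) -> int:
        return sum(block_work(b) for b in self.bits_per_block)


def tallest(candidates: List[Candidate]) -> Candidate:
    """'Longest chain' read literally: most blocks, regardless of difficulty."""
    return max(candidates, key=lambda c: c.height)


def most_work(candidates: List[Candidate]) -> Candidate:
    """Most accumulated proof of work across all candidates, with no other rule."""
    return max(candidates, key=lambda c: c.work)


def client_choice(candidates: List[Candidate],
                  expected_genesis: str) -> Optional[Candidate]:
    """Most work among candidates matching the genesis hash the client ships with.

    The expected_genesis value is not derived from proof of work: it reaches the
    client with the software, which is the trust input the thread argues about.
    """
    same_rules = [c for c in candidates if c.genesis_hash == expected_genesis]
    return most_work(same_rules) if same_rules else None


# Constructed sample data: placeholder genesis hashes, not real chain values.
GENESIS_X = "11" * 32
GENESIS_Y = "22" * 32

CANDIDATES = [
    # 100 blocks at the difficulty-1 target
    Candidate("A", GENESIS_X, [0x1D00FFFF] * 100),
    # same genesis, more blocks, but each block is 256 times easier
    Candidate("B", GENESIS_X, [0x1E00FFFF] * 150),
    # different genesis, each block 256 times harder than A's
    Candidate("C", GENESIS_Y, [0x1C00FFFF] * 100),
]


if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name}: height={c.height} work={c.work}")
    print("tallest:            ", tallest(CANDIDATES).name)
    print("most work, any rule:", most_work(CANDIDATES).name)
    print("client with X rules:", client_choice(CANDIDATES, GENESIS_X).name)
```

Chain B shows why clients sum work rather than count blocks, and chain C shows that the result of the comparison depends on whether a rule-set filter is applied before it.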
hero member
Activity: 770
Merit: 629
February 01, 2018, 12:41:51 AM
The justification is asymptotically secure, trustless, decentralisation. Take it or leave it.


Well, it fails on decentralization already, and "asymptotically" means wasting more than half of human's resources.  
It is true that it solves trustless UNIQUENESS if we waste more than half of humanity's resources.  But it doesn't even guarantee that that unique document has been made according to the rules.  You cannot have it both ways: if the document is unique, you have to accept it.  You cannot put another requirement, because it is unique.  If you can put another requirement to select amongst possible candidates, obviously, it is not going to be unique.  So PoW only proves trustless uniqueness if that's the sole condition.
If tomorrow, the single entity that has more than half of world's power, decides to produce a unique document with the most PoW that has entirely different rules than bitcoin, you still have to accept it as the "unique true consensus".  Like I said, if ever it is the ethereum block chain, you would have to accept that bitcoin is now ethereum, and your bitcoin addresses are worthless.

Because if you are presented with different block chains, and the ethereum block chain contains more proof of economic waste than what people used to call the bitcoin block chain, according to your rule, you have to accept the ethereum block chain as the sole true consensus document ; if it contains a proof that more than half of human's resources have been wasted on it, you know that there cannot be any other such document around, and you have your unique consensus.  Too bad your addresses of your coins don't work on it.

If you are going to say: it is the highest PoW chain "within a certain set of documents that satisfy other rules" then you have the ambiguity from the moment there are forks.  Suppose that BCH overtakes the BTC chain.  Is bitcoin then from one day to another BCH, and should we reject BTC as a false document ?  No, of course not.  They are different crypto currencies.

The foolishness of uniqueness of PoW breaks down entirely when there's a crypto currency market.  Because there's no such thing as uniqueness.
jr. member
Activity: 98
Merit: 6
February 01, 2018, 12:41:17 AM
Do you guys ever think that bitcoin will do proof of stake? Just wanted to get some people's insights on this.

I can see this as a problem in the future. Why would bitcoin need POS?
hero member
Activity: 770
Merit: 629
February 01, 2018, 12:14:38 AM
Why do I get the feeling that you and dinofellis are the same person?  Sad

Nope.  Anti-cen has visibly the same relatively critical opinion as I do on PoW, but we're not the same person.  People can be different persons, and share an opinion.  Alas, it is impossible to prove that we're not the same, and the irony is that that's why Satoshi used PoW as a way to try to dismantle Sybils.  We're touching here the fundamental reasons of all these things.

Unfortunately, it didn't work, which is exactly why PoW fails.  It didn't work in the following sense: Satoshi presented PoW as a way to "make sybilling the network" expensive.  He presented PoW in his paper as a way so that each participant (human participant) would have "one vote".  He used "CPU" as a proxy for "human", with the idea that you could cheat a little bit, by using not one, but 10 CPU for instance, and get 10 votes, but if you wanted to have 10 000 votes, that would become quite expensive.  However, in Satoshi's presentation of things, votes didn't need to be EXACTLY right.  What Satoshi needed was that there were SUFFICIENT different voters, even if some had more weight than others ; as long as the majority wouldn't be in the hands of a small colluding club.  Whether Joe had 3 votes or 100 votes didn't matter, if in total there were 1 million votes.  The majority, that is to say, 500 000 votes, would still be distributed over enough different non-colluding entities for the system to acquire trustlessness by decentralization.

Trustlessness by decentralization is the brilliant idea behind bitcoin (which turned out to fail, exactly because PoW failed).  It is the game-theoretical "super-Nash" equilibrium, where the equilibrium is "follow the common set of rules", and where, contrary to a simple Nash equilibrium, which takes potentially a simple collusion of two players to be broken (in the typical example, the Prisoner's Dilemma, if the two prisoners collude, they can leave their Nash equilibrium), in this "super-Nash" equilibrium, it takes a collusion of majority of many, many players to be able to be broken ; which is so impractical to be done, that we can assume that every player stays in the equilibrium (that every player follows the same rule set).  This is the inverse "tragedy of the commons".

Satoshi said that one couldn't count on "different IP addresses" to do so, because it would be quite easy for an attacker to become the single controlling human of a large majority of IP numbers.  That's why "one node one vote" wasn't possible (and this is also why all this nonsense of "decentralization by full nodes" is bullshit: bitcoin was designed not to take this into account!) However, "holding the majority of CPU voting" would be much harder to do, which is why Satoshi presented PoW as a fairly robust way to defend against "having a majority of voting power in the hands of a small clique".

Well, it failed.  PoW IS in the hands of a small clique.  3 entities have majority, to be precise.  You can see it in the hash rate distribution of the mining pools.  Worse: even though we KNOW this now, there's nothing we can do about it.  The "majority vote by CPU" IS now in the hands of a few, and yes, they really do have control over the majority of CPU, even more so than would have been the case with IP numbers.

It is quite funny that Satoshi presented PoW as a way to avoid Sybils in his paper, and nevertheless was able in 2008 to explain that "mining would be left to specialists with farms of specialized hardware".  There's a slight contradiction here, because that is already admitting that his PoW system would not be a good approximation of "one human, one vote" by "one CPU one vote".  It is true that Satoshi seems to have thought that it would nevertheless be "hundreds or thousands" of "specialists", not 10, or 4.  However, that by itself doesn't make sense: the same dynamics (economies of scale) that would bring the "home CPU vote" into the "hands of specialists with farms" would continue to bring together "specialists with farms" into a few big farms.   His position simply doesn't make sense.

The fundamental reason why his "making sybilling the network expensive" didn't make sense, is that in his system, the more you sybil, the higher your costs, but also the higher your rewards !   His explanation that it would, nevertheless, remain profitable to "play by the rules" even if you have majority (that there's no reason to attack the network, while you can profit from your hash rate) is begging the question.  Remember the super-Nash equilibrium.  If you have majority, you DICTATE THE RULES.  Of course you will be following your own, dictated rules !   The error in all this is that if you reward voters, there's no way to remain decentralized, because all difficulties and costs of sybilling are compensated.  However, PoW requires compensation because it generates economic waste by definition.

All this is lies and deception.  This is why it works so well.  Like world religions.  They too, started out often with some good intentions.

I wouldn't mind this, if it weren't so wasteful.
member
Activity: 183
Merit: 25
January 31, 2018, 04:57:54 PM
Not at all.  Read it.  It is about the amount of waste produced by a successful PoW asset, eating up a significant part of earth's economy in electricity and hardware to produce waste and nothing else.  It has nothing to do with money, but all with Proof of Waste.

Could not agree more and mining is even worse but for saying this we get called trolls around here even if our logic is perfectly obvious and we lay out our reasons for not agreeing with the vicar of the church

Why do I get the feeling that you and dinofellis are the same person?  Sad
member
Activity: 210
Merit: 26
High fees = low BTC price
January 31, 2018, 04:06:41 PM
Not at all.  Read it.  It is about the amount of waste produced by a successful PoW asset, eating up a significant part of earth's economy in electricity and hardware to produce waste and nothing else.  It has nothing to do with money, but all with Proof of Waste.

Could not agree more and mining is even worse but for saying this we get called trolls around here even if our logic is perfectly obvious and we lay out our reasons for not agreeing with the vicar of the church
full member
Activity: 351
Merit: 134
January 31, 2018, 02:42:02 PM
If it is necessary for a system to waste GW of electricity as its fundamental "security" principle, as compared to systems that can be made as economical as technologically possible, there's no justification for that huge waste, which engenders a lot of OTHER problems, like the power concentration (the centralization of decision).

The justification is asymptotically secure, trustless, decentralisation. Take it or leave it.

PoS gives you none of that security model, and is slower than visa, making it an exercise in utter futility.
hero member
Activity: 770
Merit: 629
January 31, 2018, 02:21:03 PM
If you're talking about trustlessness, you cannot include hypotheses like this.   After all, this is very well not true, especially when there are possibilities to short bitcoin outside of the system.  It may very well be profitable to kill bitcoin, because, as you say, there's competition in the larger market too.

To use PoS proponents' most commonly used counter-argument to this claim - why would anyone with huge stocks of highly expensive mining hardware risk making all their inventory worthless by carrying out this attack?

Even if they somehow make this a profitable attack, their chances of pulling it off are minimal because they still need to outpace the rest of the world in producing the longest chain.

The point is that if you have to apply this kind of arguments, your system is, in the end, not as secure as you may want to believe, and hence the necessity of its monstrous waste, and even its danger to human economy, not justified.  If we need to risk to blow up human economy to avoid something, that can in fact in principle happen, but of which you argue that the attacker will not be motivated and it will not happen in practice, I call bullshit.  Because PoS like systems are also, for all practical purposes, secure (especially those that are based on on-line no-rewind principles).  In fact, these systems are even more secure for all practical purposes, from the moment that there are sufficient "slightly-to-be-trusted" entities online, because in that case, no attack is even possible.

If it is necessary for a system to waste GW of electricity as its fundamental "security" principle, as compared to systems that can be made as economical as technologically possible, there's no justification for that huge waste, which engenders a lot of OTHER problems, like the power concentration (the centralization of decision).  A PoS system that gets as centralized as bitcoin's PoW structure would economically be useless in any case, because it would mean that the majority of coins are held by just a few participants.  If that's the case, they can play amongst themselves, which is their good right, and the others will leave.  It is then a closed club, and they play their greater-fool game amongst themselves.  If we would be 10 people to possess 99% of a crypto currency, that currency would be worthless in the market.  Well, bitcoin's PoW is for 99% in the hands of 10 deciders.  To have a similar distribution in PoS, 99% of the coins would have to be in the hands of 10 entities, at which point, they can have it.  

Another problem with PoW is that you get a separation between the users/stake holders on one side, and the "consensus industry" on the other.  Users have to ask the consensus industry to please include their transaction, and have to pay that industry.  PoS kind of systems are do-it-yourself systems, where the users decide amongst themselves, with no need for an external industry.

The cost of a PoW system makes the system leak value.  What's wasted on PoW is value extracted from the system.  It is not even a zero-sum game, it is a lossy negative-sum game, because piles of waste have to be bought with inflation and fees.

And all these problems, plus the ecological/economical danger and damage of converting limited resources into huge quantities of waste do not even give us an absolute cryptographic guarantee of security.  In fact, an attack is even provably effective: use 3 times more resources, and you can blow up the system for sure.  There's not even a DOUBT that the attack will work, it will work FOR SURE.

Let us suppose bitcoin at $10 000, and let us suppose current technology, and mining equilibrium, that is: cost of waste = mining reward.  Let us assume total block reward + fees 20 BTC.  Let us assume antminer S9 hardware: 0.1 J/GH, $5000 per 13 TH/s.  Let us assume electricity price $0.1 per KWhr.

20 BTC per block is $200 000 per 10 minutes, is $1.2 M per hour.  It means one has to waste 12 GWhr per hour to arrive at a cost of $1.2M per hour.  If all this were smoked up in electricity, we would need to burn 12 GW.  But of course, hardware needs to be paid too.  We can take it that the life time of hardware is 2 years (I'm nice here: who is still competitive with 2 year old miners ?).  The price of an "antminer-hour" in hardware is hence: 5000/(2*8760) = $0.28  ; the power used in one hour is 1.3 KWhr which is a cost of $0.13.
Running an antminer for an hour hence costs $0.41.  The number of antminers needed hence to waste $1.2 M in electricity and hardware is grossly 3 million.  We need 3 million antminers to be at equilibrium.  We hence have an equilibrium power consumption of about 4 GW, and a hash rate of about 39 million TH/s (twice the actual rate).

The total hardware investment is hence $15 billion dollars over two years.  Well, with a budget of $45 billion, you can successfully attack bitcoin.  You will have almost 3 times the hash rate, so you can redo the chain 3 times faster than it is advancing, giving you a net factor of 2.  You will have to consume 12 GW for the time of the attack.  Suppose you want to redo the last two months.  That will be scary enough, no ?  All transactions of the last two months erased, what do you think ? Funny idea, no ?  You will have to run for a month to do that.  One month at 12 GW will cost you grossly $0.8 billion in electricity, say $1 billion.

For the price of $46 billion dollars, bitcoin is entirely destroyed.  You publish a higher PoW chain that has totally screwed up the last 3 months, one month from now.  The big peak included in December !  My attack is guaranteed to work.

In reality, cost would be half of that, because bitcoin is now out of equilibrium as we saw.  Hash rate is only 20 million TH/s while equilibrium is 40 million TH/s.  So right now, destroying bitcoin could be done for $23 billion.  Which I can get out of the market by shorting bitcoin.

Now, $46 billion is quite an amount of money, but less than bitcoin's market cap.   I might short $50 billion in the futures market.  There will be a lot of takers of my offer for bitcoin at $20.  My expenses are covered.  But I might get subventions from states, and, most likely, even from climate change actions.  After all, I'm going to blow a big electricity waster to pieces.  This is not an "impossible" attack at all.

The argument that "it most probably won't happen because miner incentive" is very, very, very weak as compared to all the problems it brings.

There is of course something that might save bitcoin from such a devastating blow: people might restore the block chain before the attack was published, .... from a trusted source with a digital signature !  Say, a few Core devs that publish the "correct" block chain tag in an urgency release of the Core code.... mmmm...  maybe digital signatures of trusted entities is not such a bad idea, is it ?  Grin
newbie
Activity: 25
Merit: 0
January 31, 2018, 11:40:51 AM
I think so! With the popularity of online currency I definitely believe in your statement... May we all benefit in these new trends...
full member
Activity: 351
Merit: 134
January 31, 2018, 11:38:57 AM
If you're talking about trustlessness, you cannot include hypotheses like this.   After all, this is very well not true, especially when there are possibilities to short bitcoin outside of the system.  It may very well be profitable to kill bitcoin, because, as you say, there's competition in the larger market too.

To use PoS proponents' most commonly used counter-argument to this claim - why would anyone with huge stocks of highly expensive mining hardware risk making all their inventory worthless by carrying out this attack?

Even if they somehow make this a profitable attack, their chances of pulling it off are minimal because they still need to outpace the rest of the world in producing the longest chain.
hero member
Activity: 770
Merit: 629
January 31, 2018, 11:09:07 AM
You don't have to. If you're presented with two candidate blockchains with different genesis blocks, the one you accept is the longer chain of PoW.

So I take it that if ethereum overtakes bitcoin one day, and is still on PoW, you will think that ethereum is bitcoin now because it is a document that proves more PoW ?  And you're quite frustrated that you've been had with former transactions that do not exist on the unique ledger with most PoW ?

And you realize that all this talk on this forum, all the code signed by Core, and all the rest was just a big fraud, and the real bitcoin is made by software from Switzerland ? Or do you nevertheless trust some digital signatures and "old stuff" you've seen when you were on line ?
hero member
Activity: 770
Merit: 629
January 31, 2018, 11:07:14 AM
Because if not, the other half may be used to produce that famous B.   How do you know that in fact, bitmain doesn't have 8 times the amount of mining hardware they have sold on the market, in a secret place somewhere, ready to be switched on to produce a "false" block chain ?  Maybe they get subventions from the Chinese government to screw bitcoin, who knows ?  

We've discussed this before. There is a competition to mine; it is more profitable to mine than it is to sit on mining hardware, therefore you can be pretty sure this isn't the case.

If you're talking about trustlessness, you cannot include hypotheses like this.   After all, this is very well not true, especially when there are possibilities to short bitcoin outside of the system.  It may very well be profitable to kill bitcoin, because, as you say, there's competition in the larger market too.  If bitmain has a long-ranging plan to kill bitcoin (say, because the Chinese gov wants it to and has convincing arguments), it is NOT going to join the competition with its extra hardware, because it would like to take bitcoin by surprise.  And they can even make a big benefit in the market if they know when they will do it.  Game theory arguments with limited game rules are not a solution to trustlessness.  Trustlessness is a lure.  It is a mirage.  It doesn't exist.  From the moment you have to use such arguments, your system is in any case not watertight.  

As such, having hundreds or thousands of "on line consensus spectators" see the consensus arrive, and sign it, and not accepting any form of major "rewind" is a more secure practical way of doing things for much less effort.  If you think that major exchanges all over the world are going to accept a major rewind for instance, together with all online amateur users, exactly when YOU were offline, that's just as improbable.  Because of the same reasons of game theory, benefits and losses.
And we'll not need to waste earth's electricity.

full member
Activity: 351
Merit: 134
January 31, 2018, 10:54:50 AM
Because if not, the other half may be used to produce that famous B.   How do you know that in fact, bitmain doesn't have 8 times the amount of mining hardware they have sold on the market, in a secret place somewhere, ready to be switched on to produce a "false" block chain ?  Maybe they get subventions from the Chinese government to screw bitcoin, who knows ? 

We've discussed this before. There is a competition to mine; it is more profitable to mine than it is to sit on mining hardware, therefore you can be pretty sure this isn't the case.

Quote
Hey, how come that you trust the genesis block ?  Because it is written in software that some dudes signed with their signatures on centralized Github ?  Maybe it is not the right one !  Maybe what that piece of software tells you, is actually not the "true" bitcoin block chain !  Who knows !  You trusted Core's signatures ?

You don't have to. If you're presented with two candidate blockchains with different genesis blocks, the one you accept is the longer chain of PoW. PoS cannot use this feature because block production is costless, therefore it's trivial to produce myriad candidate blockchains which only online nodes can distinguish from the true blockchain.
hero member
Activity: 770
Merit: 629
January 31, 2018, 10:27:17 AM
Here's the problem bitcoin's proof of waste tries to solve:

"show me that, amongst X different possible states of consensus, consensus proposal "A" is the unique right one, even if I wasn't there, and even if I don't trust ANYBODY".  Moreover, "show me that just any other entity like me, not trusting anyone, and not having been online when these decisions were made either, will come to the same conclusion that it was A, and not B, even if that other person is presented another collection Y of possible states of consensus.".

That is indeed correct. And, in fact, any consensus design which doesn't have this condition at its core is utterly pointless, because once you remove any of these conditions, you might as well just use Visa, which is much faster and more widely accepted than any cryptocurrency.

And as I said, the only fully secure proof of that is a proof of waste of more than half of humanity's resources.

Because if not, the other half may be used to produce that famous B.   How do you know that in fact, bitmain doesn't have 8 times the amount of mining hardware they have sold on the market, in a secret place somewhere, ready to be switched on to produce a "false" block chain ?  Maybe they get subventions from the Chinese government to screw bitcoin, who knows ? 

If you tell me "people would see it" then you've shown that *in reality* you are counting on people's past online presence to have "old copies of the block chain".  If you count on old fixed points of the block chain in Core's software, then you're trusting Core's digital signatures.  So the sole proof that is fully secure is if you have a document, a block chain that proves more than half of the world's resources wasted on it.  Otherwise, it is not secure and a "B type document" may be made.

But this is entirely idiotic.  After all, how are you going to check that in a trustless way ?
Are you going to build your own silicon foundry and make your own chips by your own design to make your own computer ?  Are you going to write your own operating system and writing your own bitcoin software to verify it ?  Because if not, you're trusting some entity.  You're trusting Intel, your computer OEM, Linus Torvalds' signature if you install linux (you're not using Windows or Mac, are you ??),  you trust the world's assessments you find on the internet of the world's capacity in electricity, you trust miner hardware specifications, etc...

Hey, how come that you trust the genesis block ?  Because it is written in software that some dudes signed with their signatures on centralized Github ?  Maybe it is not the right one !  Maybe what that piece of software tells you, is actually not the "true" bitcoin block chain !  Who knows !  You trusted Core's signatures ?

So you're not doing something trustless.  If you try, you starve before you get half way.

So wasting humanity's resources on a mirage of absolute trustlessness that you can't have in any case, is complete and utter madness.  Good for the asylum.

In reality, you have to trust some entities.  You have to trust some signatures.  You have to trust some functionality.  Blind trust in one entity is not good enough.  But if you can find several indications, at different places, that you have most probably the right data set, that's good enough to be practical.  

For instance, if there are a few hundred resources scattered all over the world that give you the same hash list of block headers, and if you can be online some time and see that some tracks of block headers do correspond to what they publish, that's good enough to have trust that you have the right block chain.  It cannot be 2 or 3 websites.  But if you have a few hundreds of them, and you "know" them by digital signature for a while, you can assume that they are not all "sybils surrounding you".  You start to build your "social circle" in that environment, you start to know peers.  And after sufficient time, as with real people, you start to put some partial trust in them.  If all of them tell you the same thing independently, then you can accept that as the truth.  Like with everything else: if sufficient sources tell you something, you take it as real.   Because that's the practical compromise between blind trust and the madness of full trustlessness.
newbie
Activity: 10
Merit: 0
January 31, 2018, 10:02:06 AM
What do we think about PoW and PoS hybrids like LUX and others?

I think they do a good job of mitigating the risks and downsides of each of the two methods.
full member
Activity: 351
Merit: 134
January 31, 2018, 09:57:10 AM
Here's the problem bitcoin's proof of waste tries to solve:

"show me that, amongst X different possible states of consensus, consensus proposal "A" is the unique right one, even if I wasn't there, and even if I don't trust ANYBODY".  Moreover, "show me that just any other entity like me, not trusting anyone, and not having been online when these decisions were made either, will come to the same conclusion that it was A, and not B, even if that other person is presented another collection Y of possible states of consensus.".

That is indeed correct. And, in fact, any consensus design which doesn't have this condition at its core is utterly pointless, because once you remove any of these conditions, you might as well just use Visa, which is much faster and more widely accepted than any cryptocurrency.
X7
legendary
Activity: 1162
Merit: 1009
Let he who is without sin cast the first stone
January 31, 2018, 08:27:41 AM
Do you guys ever think that bitcoin will do proof of stake? Just wanted to get some people's insights on this.

A lot of the hype that you see around with all the new blockchain applications are people trying to securely scale and solve the PoS problem.

- It is unlikely bitcoin would do PoS, but I cannot see the future - perhaps in some future the miners become evil and attack the network and the nodes change the algo?

Unlikely man.
hero member
Activity: 770
Merit: 629
January 31, 2018, 08:25:28 AM
Truly trustless, decentralised technologies will always be slower and more wasteful than centralised alternatives, that's a fact I don't dispute.

Wasteful to the point of using up a significant portion of earth's energy ?

The problem PoW tries to solve in bitcoin is bordering on the limit of madness and can indeed only solve it if it wastes provably more than half of human's resources.  As such, it solves a problem that needs not to be solved, because it is self-defying.

Here's the problem bitcoin's proof of waste tries to solve:

"show me that, amongst X different possible states of consensus, consensus proposal "A" is the unique right one, even if I wasn't there, and even if I don't trust ANYBODY".  Moreover, "show me that just any other entity like me, not trusting anyone, and not having been online when these decisions were made either, will come to the same conclusion that it was A, and not B, even if that other person is presented another collection Y of possible states of consensus.  The only condition is that both X and Y do contain the "right" consensus A.".

Bitcoin's PoW system has indeed found a way to solve this entirely idiotic problem: it is that consensus proposal that has shown most proof of waste, and that it is not possible that anyone ever has wasted more than the one that wrote proposal A.

With that rule, I don't need any trust in anything.  I only need to find a document that is cryptographically linked to the biggest proof of waste, and if that document contains a proof of more waste than half of human's resources, I know that this document is unique. Simply because no other human has ever been capable of making another such document: there weren't sufficient resources on earth to do so.

From the moment that document A contains a HUGE amount of proof of waste, but humanity has still more resources, I cannot be sure that no document B exists that has MORE waste to it ; but if it has been wasting more than half of human's resources, this document must be unique.  There is no other way.

This is indeed, the ultimate solution to the consensus problem, that allows someone that doesn't trust ANYBODY, and HASN'T BEEN THERE during the consensus decision, to know that this is the unique consensus.

Moreover, proof of waste is unique in this respect, because no other cryptographic technique can hold and do the same.  Anything based upon digital signatures will require me to trust the owner(s) of those keys, and by definition, I don't want to.  And if you don't use more than half of human's economic output, you don't really know if some entity didn't put in more proof of waste, to override the "true" consensus.

But this is pure lunacy.  Needing more than half of human's economic output to be able to prove to Joe the Caveman who doesn't trust anyone and never was online that his ledger is the true one, is silliness to the point of being criminal.

This is why, in practice, you have to relax some of these absolute consensus proof requirements.  And if you bring this down to something much more reasonable, the so-called advantages of proof of waste melt away.   In our society, total trustlessness is ridiculous.   People use devices they didn't design themselves, they didn't check the functioning, they install software they trust, they use name spaces they trust, they use digital signatures of entities they trust....
You cannot base your system on total trustlessness. There is a right balance to be found between cryptographic protections against scammers, and trust you can have.  Otherwise you run into ridiculous and potentially dangerous systems, excluding reasonable solutions on the basis of religious dogmas.

Proof of waste is such a case.

If, however, you relax the condition that consensus must be proven without any form of trust to someone that wasn't there when the decision was taken, you can reach reasonably solid consensus decisions without ANY waste.  That means that you have to accept to be "online" when consensus is reached, OR that you have to accept some form of trust in those that were online when consensus was reached.  This will hurt dogmas, but it is in practice just as workable, and you don't have to use a big part of human's resources to do so: a smart phone can do it.  That trade off is worthwhile, because in any case, all the rest of our human existence is also needing trust.

Note also that PoW trustlessness doesn't even need decentralization any more.  Indeed, as is almost the case in bitcoin, the consensus DECISION is taken by 3 or 4 mining pools holding majority, and at best, by some 10 mining pools making most of the chain.  PoW only serves to prove that that decision is engraved in stone, not that it was taken according to some or other rule set.  PoW only proves the uniqueness of the document, and hence of the consensus, not that its rule set was respected.  At this moment, bitcoin's consensus decision based on PoW is quite more centralized, as I said jokingly, than the Euro, that needs 15 ministers to come to agreement.
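The selection rule the post above calls "most proof of waste", as an added example that is not part of the original post: decode each header's compact nBits target, check the hash against it, and prefer the chain with the most total work rather than the most blocks. The function names are assumptions and the sample chains are constructed at toy difficulty.

```python
import hashlib

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def bits_to_target(bits: int) -> int:
    """Decode the compact nBits field into the 256-bit target."""
    exp, mant = bits >> 24, bits & 0x007FFFFF
    return mant << 8 * (exp - 3) if exp >= 3 else mant >> 8 * (3 - exp)

def block_work(bits: int) -> int:
    """Expected number of hashes needed to meet the target."""
    return (1 << 256) // (bits_to_target(bits) + 1)

def mine(prev: bytes, bits: int, tag: bytes) -> bytes:
    """Constructed 80-byte header: grind the nonce until the hash meets the target."""
    body = ((1).to_bytes(4, "little") + prev + dsha256(tag)
            + bytes(4) + bits.to_bytes(4, "little"))
    for nonce in range(1 << 32):
        hdr = body + nonce.to_bytes(4, "little")
        if int.from_bytes(dsha256(hdr), "little") <= bits_to_target(bits):
            return hdr
    raise RuntimeError("nonce space exhausted")

def build(n: int, bits: int, tag: bytes) -> list:
    chain, prev = [], bytes(32)
    for i in range(n):
        chain.append(mine(prev, bits, tag + bytes([i])))
        prev = dsha256(chain[-1])
    return chain

def chain_work(headers):
    """Total work of a chain, or None if a link or a proof of work is invalid."""
    total, prev = 0, bytes(32)
    for hdr in headers:
        bits = int.from_bytes(hdr[72:76], "little")
        if hdr[4:36] != prev or int.from_bytes(dsha256(hdr), "little") > bits_to_target(bits):
            return None
        total += block_work(bits)
        prev = dsha256(hdr)
    return total

def best_chain(candidates):
    """Pick the valid chain with the most total work, not the most blocks."""
    scored = [(chain_work(c), c) for c in candidates]
    valid = [wc for wc in scored if wc[0] is not None]
    return max(valid, key=lambda wc: wc[0])[1] if valid else None

# Constructed sample chains, mined at toy difficulty in well under a second.
LONG = build(5, 0x207FFFFF, b"long")    # 5 easy blocks, 2 hashes of work each
SHORT = build(2, 0x2000FFFF, b"short")  # 2 harder blocks, 256 hashes each
```

This sketch takes each header's nBits as declared; a validating node also checks that the declared difficulty is the one the consensus rules require, which is the rule-set question the work total alone does not answer.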