
Topic: Proof of Stake Bitcoin? - page 5. (Read 15932 times)

member
Activity: 210
Merit: 26
High fees = low BTC price
January 31, 2018, 07:01:45 AM
If I understand correctly, the transaction fees are what the earnings of miners are in a PoW system. So, how can you make a PoW system exist with zero transaction fees in future, when bitcoin is mainstream and used as a payment system?

I think PoW is total junk and, just like mining, it keeps Intel, AMD and big oil rich, but PoS is just "I've got more money than you, but you cannot touch it anyway". But what if maybe the miners were made to deposit some BTC, much like what the banker hubs are doing in the Lightning network, and they got a fine from the deposit if they started to be naughty boys?

Implied trust is a hard one to nail down, but maybe a cluster of coordinators could police the miners and the miners police the coordinators and dish out fines, or something like that. It is worth investigating.
full member
Activity: 351
Merit: 134
January 31, 2018, 05:44:07 AM
Largely a very long rant about money being the root of all evil, isn't it?

Not at all.  Read it.  It is about the amount of waste produced by a successful PoW asset, eating up a significant part of earth's economy in electricity and hardware to produce waste and nothing else.  It has nothing to do with money, but all with Proof of Waste.

BTW, couldn't resist: https://ideas.repec.org/p/edn/esedps/110.html


Truly trustless, decentralised technologies will always be slower and more wasteful than centralised alternatives, that's a fact I don't dispute.
hero member
Activity: 770
Merit: 629
January 31, 2018, 05:37:42 AM
Largely a very long rant about money being the root of all evil, isn't it?

Not at all.  Read it.  It is about the amount of waste produced by a successful PoW asset, eating up a significant part of earth's economy in electricity and hardware to produce waste and nothing else.  It has nothing to do with money, but all with Proof of Waste.

BTW, couldn't resist: https://ideas.repec.org/p/edn/esedps/110.html
full member
Activity: 351
Merit: 134
January 31, 2018, 05:33:54 AM
I would like to draw one's attention to the thread I have elsewhere, which points to a fundamental problem with PoW.  

That is, for the proponents of PoW, what's the vision on that ?

https://bitcointalksearch.org/topic/the-paperclip-maximizer-2847680

Largely a very long rant about money being the root of all evil, isn't it?
hero member
Activity: 770
Merit: 629
January 31, 2018, 05:21:55 AM
I would like to draw one's attention to the thread I have elsewhere, which points to a fundamental problem with PoW.  

That is, for the proponents of PoW, what's the vision on that ?

https://bitcointalksearch.org/topic/the-paperclip-maximizer-2847680
hero member
Activity: 770
Merit: 629
January 28, 2018, 08:45:51 AM
PoS allows past stake holders to have the same amount of power. That means early adopters retain complete power forever.
Also you can see that those past stake holders could have a lot less (even nothing) to lose by trying to revert the blockchain.

Not really.  It depends on the exact PoS implementation.  I think I'm going to write up my arguments instead of partially typing them in forum posts.
sr. member
Activity: 490
Merit: 389
Do not trust the government
January 28, 2018, 08:13:16 AM
That will always be the case in an open, anonymous, permissionless system.  The only way to avoid that, is by using "one man (woman, animal, ...), one vote", and then you need to rely on real-world identities, issued by, well, centrally controlled identity-issuers.  How else do you associate one single human being to one pseudonymous identity on an open network ?  From the moment the network is open and anonymous, Sybil sock puppets are possible.  Whatever proxy you use for "person", be it a CPU, an IP address, a smart phone IMEI, a phone number, .... you have the double problem that:
1) there are centrally controlled entities that ISSUE these things and/or
2) the fatter your wallet, the more of them you can afford.

Within a crypto currency system, however, it seems normal that the stake holders can vote according to their stake, in the same way that share holders can vote according to their share.   It would mean that the more vested interest you have in the system, the more you have to say about the system.  In any case, in a value-carrying token system, if a majority of tokens are in the hands of a colluding group, you better get out right away in any case.

With PoW, you get a combination of fatter wallets and better energy and hardware opportunities to be the voting key distribution.

PoS allows past stake holders to have the same amount of power. That means early adopters retain complete power forever.
Also you can see that those past stake holders could have a lot less (even nothing) to lose by trying to revert the blockchain.
hero member
Activity: 770
Merit: 629
January 28, 2018, 03:15:39 AM
Besides, switching over to PoS means that consensus wise, people who have the fatter wallets would have the most voice over a certain issue/development that the coin might face in the future.

That will always be the case in an open, anonymous, permissionless system.  The only way to avoid that, is by using "one man (woman, animal, ...), one vote", and then you need to rely on real-world identities, issued by, well, centrally controlled identity-issuers.  How else do you associate one single human being to one pseudonymous identity on an open network ?  From the moment the network is open and anonymous, Sybil sock puppets are possible.  Whatever proxy you use for "person", be it a CPU, an IP address, a smart phone IMEI, a phone number, .... you have the double problem that:
1) there are centrally controlled entities that ISSUE these things and/or
2) the fatter your wallet, the more of them you can afford.

Within a crypto currency system, however, it seems normal that the stake holders can vote according to their stake, in the same way that share holders can vote according to their share.   It would mean that the more vested interest you have in the system, the more you have to say about the system.  In any case, in a value-carrying token system, if a majority of tokens are in the hands of a colluding group, you better get out right away in any case.

With PoW, you get a combination of fatter wallets and better energy and hardware opportunities to be the voting key distribution.

member
Activity: 210
Merit: 26
High fees = low BTC price
January 27, 2018, 02:16:34 PM
The real opposing force would be miners, true. They have invested over a few million bucks to rake in a huge amount of profits every day, just to let it go that easily. Besides, switching over to PoS means that consensus wise, people who have the fatter wallets would have the most voice over a certain issue/development that the coin might face in the future.

I cannot stand PoW, and you raise a good point. I am working on something where server-side wallets become distributed across several nodes, and I was kind of thinking about making the "miners" or wallet nodes bid to host wallets using gas, and then getting a fine paid in "gas" if they did not deliver the goods, timed out, cheated or attacked other nodes.

Into the mix I might even throw a small sprinkling of this new thing called "trust", where nodes with good uptimes and good speeds are invited to become members of the coordinators team, so a human can be contacted within the network anonymously without taking control, and maybe I will give users a say in what's happening by allowing them to vote and not just reserving this privilege for "miners".

Yes, "power to the people", without fat cats and miners taking over.
sr. member
Activity: 672
Merit: 250
CryptoTalk.Org - Get Paid for every Post!
January 27, 2018, 03:07:44 AM
Do you guys ever think that bitcoin will do proof of stake? Just wanted to get some people's insights on this.
No.

Unless there was an update through Bitcoin's final development, there wouldn't be any PoS implemented into Bitcoin, because there are already altcoins that feature that concept. There wouldn't be any point for Bitcoin to get PoS coded into it, because Bitcoin is already capped at 21 million coins.

Plus, if there was PoS code placed into Bitcoin, then the transactions within Bitcoin's blockchain would be cluttered, because there aren't that many miners that can keep up with the competitive mining difficulty that Bitcoin has.

If you are spending 0.0001 Bitcoin for transactions you would have to spend much more to get your transactions confirmed.


Agree with you, sir. I believe this would be a very bad idea, to put Bitcoin in "proof of stake". Not mentioning its effect on the miners, but the whole effect on all BTC users. I mean, we all hate transaction delays; as of now most of us are really complaining about them. Now imagine when this thing happens. And the additional transaction fee will not be a very good thing to add. But who knows, those things are uncontrollable factors. Let's just hope PoS will not be implemented for BTC.
hero member
Activity: 770
Merit: 629
January 26, 2018, 09:07:01 AM
It is a silly idea to want to be able to prove to you that during your absence, everything happened according to the rules.

I can't continue having this discussion if you truly believe that statement to be true.

If you want to adhere to that, your system is unduly complicated.  

And look, this is EXACTLY what something like the LN is trying to achieve.  You don't have to know what happened in a channel, from the outside.  You don't want to know whether they screwed one-another or not.  You only see the final balance on the block chain.  You don't care what happened in those channels, and whether they did it according to the rules.   What matters is the end balance.

I could even say: this is already the case in bitcoin.  Nobody records the mempool for you if you aren't online.  Miners are supposed to be online.  Yes, PoW allows you to do "offline mining", like in my example, where you do offline mining of a whole year worth of block chain, just to overthrow all that has been done online during a year.  But that's a bad feature of PoW.  

The whole desire to have a system that has "its own offline clock" that can be checked, and to allow someone that has been absent for a whole year, to re-vote everything, is what makes the crypto consensus mechanism unduly heavy, and even prone to attacks that have no reason to exist if you take them to real time online.

After all, the only thing consensus is about, is an agreed-upon decision of what transactions are to be considered valid at a certain point in time, and to come to consensus that all competing transactions after that point in time, will be considered double spends.  That's something that can be judged "on the moment" by those online.  That's way easier.  The only thing that needs to be taken into account, is that due to network delays, if ever there are competing double spends, which one is the one we pick to be the true one.  After a few minutes, we can clearly declare that we've seen all sensible candidates, and pick one in a way everyone will agree upon.  Those that weren't there, simply have to accept that decision.

What screws up most consensus mechanisms, is that there's a reward for proposing consensus.  That complicates matters, because you can develop strategies to obtain the reward.  But if there's no reward, and there shouldn't be any, it is an almost trivial matter if you can take the decision within an online network.

We only have to "confirm the mempool" from time to time.  If you don't get a reward for that, you're not going to compete to do so.  You will do so if others don't, because you have stakes in the good functioning of the system.  If someone else stakes the mem pool slightly differently from you, that doesn't matter much, you can just as well accept his consensus as yours ; it is only a matter of a "symmetry-breaking agreed-upon rule" to decide between you and that other guy, which one is the one to be preferred.
full member
Activity: 351
Merit: 134
January 26, 2018, 08:35:35 AM
It is a silly idea to want to be able to prove to you that during your absence, everything happened according to the rules.

I can't continue having this discussion if you truly believe that statement to be true.
hero member
Activity: 770
Merit: 629
January 26, 2018, 08:16:28 AM
Quote
But that's all that is needed; order.  Not "real world time".  Of course, IF you tag real world time to transactions, you automatically get an ordering.  And IF you tag real world time to consensus pictures, they are of course also automatically ordered.  But it is not a necessary condition.

Trustless ordering cannot occur without an unforgeable proxy for elapsed time.

The order doesn't need to be the one of real time.  Any order is good enough from the moment that it is an order.  Any set can be ordered.  One simply needs a consensus on the order, that's all.

And then there is of course obvious "real time ordering" on the long term.  The problem with all these false attacks is that one wants a system that can prove to a newcomer that it was ordered in real time before.  That's not needed.  A newcomer just accepts the next consensus, without asking questions about the past.  It is to a newcomer, as if the starting point, the "genesis block" if you want bitcoin speak, was published at the next consensus he will be aware of, and needs to accept that.  There's no need to dig into the past.

And yes, of course, once you're in the system, you have to remain attentive to the new consensus decisions.  If you're absent (if you are a long time off line), you cannot say anything.  You accept the new truth when you're online again, as if you were a newcomer.  Of course you have to stay on line, or trust your peers the time you're absent.  It is a silly idea to want to be able to prove to you that during your absence, everything happened according to the rules.

So the long-term real-time order is evident, because you were there, or you accept the truth from those that were there.  There's no way we will come back to the consensus decisions of yesterday.  Wanting to prove that, is what makes all these things difficult for no reason.   The consensus of yesterday is fixed once and for all, simply because you were there.  You're not going to wind back.   The consensus of today can still be discussed, but by tomorrow, that one will be fixed forever.  Simply  by those that were online.  The only thing that is needed for this to come to global consensus, is that there's sufficient communication between all participants during a lapse of one day.  Well, that is obviously the case.  There won't be a "split of the internet in large chunks for more than a few hours", so there won't, for all practical purposes, be entirely different histories when they are connected back ; and if there are, there's a simple rule to decide which one is to be accepted, on the basis of a pseudo-random number.

As I said, one is making this thing much more complicated on the grounds of unrealistic requirements, such as the need to prove that the system behaved well in the long past.  For all practical purposes, nobody cares.  Everyone accepts the state of yesterday, no matter how it got there, like everyone accepts what was printed in the newspaper yesterday, as being the thing that was printed in the newspaper yesterday.  We're not going to accept to re-write history "if we were there", and the others shouldn't care.  If you weren't there, you shouldn't have anything to say.  So it is normal that only those on-line decide about how this is advancing, and there, real-time order is evident if it is slow enough to account for every form of network delay.  You can think that one day is good enough.  Which is why there isn't any difficulty to consider that day by day, there are historical points of no return.  The block chain starts yesterday.  Every day.  How it got there, is of no importance any more.


Quote
Quote
In order to avoid this, one needs to make sure that nobody is accumulating hardware capacity without using it.  Bitcoin is only protected if one can make sure nobody has a significant amount of unused hardware.  If one has a huge pile of unused hardware, one can switch it on and outperform the existing system with not much more proof of work than was put into it.

So bitcoin's ultimate protection is not by proof of work, but by proof-of-non-existence-of-unused-hardware.  See, the attack of piling up unused hardware is obvious in PoW.

No one piles up unused hardware because there exists a competition to mine; mining is, on average, more profitable than attacking the network, that is the key of why PoW is superior to PoS.

That is an assumption about the attacker that you shouldn't make.  Of course, *within the system*, mining correctly is mostly profitable.  Not because of technical reasons, but because otherwise, you crash the market.  However, for an external attacker, you cannot know what are the motives.  As I said, piling up hardware without using it, and hence, without pushing up the difficulty, can be profitable if the market wouldn't crash.  When you orphan a big chunk of chain, you do not increase the difficulty, and you do reap in the block rewards of the chain you redo.  It may be profitable to buy hardware and pile it up (or just rent it) to do such an attack, rather than to pump up the difficulty by competing.  I think that the past total cost of bitcoin's yearly mining was about $2 billion.  Let us assume that $1 billion is in hardware costs, and $1 billion in mining costs.  Suppose now that an attacker piles up for $3 billion worth of mining equipment.  He has hence 3 times the total hash power of bitcoin.  However, he will use that hardware to redo last year's chain.  Yes, the whole last year's chain.  That will take him grossly 3-4 months to do so, while nobody knows about it.  He will use about the same amount of energy to do so, which is grossly in our case, $1 billion (the total mining cost last year was $2 billion, we put $1 billion in hardware, and $1 billion in energy).  So his total cost is $4 billion.  But now he publishes his chain, orphans the 1 year + 4 months of previous block chain, and hence reaps in the 60 000 block's rewards plus fees, and all reversals of all payments he did last year.  At the current price of bitcoin, $10 000, that would bring him already $9 billion of profits from the rewards only.  Add to that reversed transactions and all other things he can do with rewriting history and he's a winner.

Of course, in reality, bitcoin would be done.  So, for a total cost of $4 billion, someone external to the system can bring the whole thing down by redoing a whole year worth of history.  But even better now.  Suppose the guy shorts bitcoin for $20 billion in cash.  I think his $4 billion are well spent.



Quote
Quote
That really depends on the PoS algorithm.  It would be a stupid algorithm that doesn't allow staking.

No it doesn't depend on the PoS algorithm; block producers are elected by stake, and to prevent that election happening repeatedly as stake moves around (creating attack vectors), stake must be bonded in some way by preventing new blocks from being produced right away. So if you send your stake to yourself, you're subject to that bonding period. If everyone does that, no one can produce a block and the network stalls, forever.

You cannot elect a block producer by stake, because you don't know if he's willing to stake.  You simply give an ordering to those that do stake, to decide which one of the proposed competing consensus solutions is to be accepted.  If there's only one node online, of course that node will do all consensus decisions by himself repeatedly.  Any other design would be crazy.  If you are the genesis block creator, of course you stake all by yourself all the time until you have sent coins to someone else.  How could a PoS system even bootstrap if what you say is unavoidable ?  If you did recently stake, of course, that diminishes your priority to stake.  But if you are the only one, of course, even with low priority, you can stake.  It is just that if there is a higher staker on the list that stakes, this one is to be preferred to stake on top.  So the NEXT staker is going to stake on top of the highest priority staker that did stake.  In case there is, because of network delays, a split that goes further than one last staker, another algorithm determines the FORK priority, which is cumulative over the different blocks, and indicates what prong the next staker should prefer.  A priori, the only way in which there can be a split is when two different stakers decide to stake within the time lapse of network propagation time between them ; the "ping" say.  When the chain splits because of this, most nodes will be aware of it within a few times the network propagation time.  The idea is that if such a split occurs, then all participants wait for a few times the network propagation delay to make sure everyone has the two prongs before continuing.   An algorithm then makes clear which of the prongs is to be continued.  If ever one finds out that two prongs continue to exist, the waiting time is doubled before staking.  When it is seen that the right prong grows, the waiting time is diminished again.

Again, there shouldn't be staker rewards, it should be a voluntary and altruistic act "of confirmation of mempool" and of "random choice of double spends received up to a point".  This avoids continuous staking on the losing prong with the hopes that it will take over.  If your transaction is within a single consensus which is old enough, and you haven't seen a competing prong, and you get from your on-line peers sufficient confirmation that they haven't seen any, then you can start to assume that your transaction has gotten into the irreversible consensus.
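The "pile up idle hardware and redo a year of chain" scenario costed out in the reply above can be put into a small model. This is an added illustration for this thread, not code posted by anyone in it or taken from any project. The network figures ($1 billion a year of hardware, $1 billion a year of energy, 12.5 BTC per block, $10,000 per BTC) are the post's own assumptions; the 144-blocks-per-day rate, the even capex/opex split and the field names are constructed here. The model lets the honest chain keep growing while the attacker mines in private, which is what fixes the catch-up time, and it counts only block rewards at an unmoved price; reversed payments and a short position are left out.

```python
"""Toy model of a 'buy idle hashrate, rewrite history' attack on a PoW chain.
Added illustration for this thread, not code from any project.  Parameters
are the thread's assumed figures plus constructed ones (see comments).
"""
from dataclasses import dataclass

BLOCKS_PER_DAY = 144  # constructed: ~10-minute block target


@dataclass
class Network:
    hardware_cost_usd: float          # capex to match today's honest hashrate (post assumes $1e9)
    energy_cost_per_year_usd: float   # opex of the honest hashrate for one year (post assumes $1e9)
    block_reward_btc: float           # subsidy per block (12.5 BTC in the post)
    btc_price_usd: float              # $10,000 in the post


def catch_up_days(blocks_behind: int, hash_multiple: float) -> float:
    """Days until a private chain started `blocks_behind` blocks back
    overtakes the public one.  The attacker mines hash_multiple times the
    honest rate; the honest chain keeps extending meanwhile, so the gap
    closes at (hash_multiple - 1) * BLOCKS_PER_DAY blocks per day."""
    if hash_multiple <= 1.0:
        return float("inf")  # never overtakes: the honest chain grows as fast or faster
    return blocks_behind / ((hash_multiple - 1.0) * BLOCKS_PER_DAY)


def rewrite_attack(net: Network, days_rewritten: float, hash_multiple: float) -> dict:
    """Cost and nominal payoff of redoing `days_rewritten` days of chain
    with `hash_multiple` times the honest hashrate.  Payoff counts only the
    block rewards on the attacker's replacement chain, at a price assumed
    not to move; reversed payments and shorting are not modelled."""
    blocks_behind = int(days_rewritten * BLOCKS_PER_DAY)
    days = catch_up_days(blocks_behind, hash_multiple)
    if days == float("inf"):
        return {"feasible": False}
    # The replacement chain must at least match the honest chain at publication.
    blocks_produced = blocks_behind + days * BLOCKS_PER_DAY
    hardware = net.hardware_cost_usd * hash_multiple
    energy = net.energy_cost_per_year_usd * hash_multiple * days / 365.0
    rewards = blocks_produced * net.block_reward_btc * net.btc_price_usd
    return {
        "feasible": True,
        "days_to_overtake": days,
        "blocks_produced": blocks_produced,
        "hardware_usd": hardware,
        "energy_usd": energy,
        "total_cost_usd": hardware + energy,
        "block_rewards_usd": rewards,
        "nominal_profit_usd": rewards - hardware - energy,
    }


def min_hash_multiple_to_overtake_within(days_rewritten: float, deadline_days: float) -> float:
    """Smallest hash multiple that completes the rewrite within `deadline_days`
    (inverse of catch_up_days)."""
    blocks_behind = days_rewritten * BLOCKS_PER_DAY
    return 1.0 + blocks_behind / (deadline_days * BLOCKS_PER_DAY)


if __name__ == "__main__":
    net = Network(1e9, 1e9, 12.5, 10_000)
    for k in (1.5, 3.0, 10.0):
        r = rewrite_attack(net, 365, k)
        print(f"{k:>4}x hashrate: {r['days_to_overtake']:.0f} days, "
              f"cost ${r['total_cost_usd'] / 1e9:.2f}B, rewards ${r['block_rewards_usd'] / 1e9:.2f}B")
    print(f"to finish a 1-year rewrite in 120 days you need "
          f"{min_hash_multiple_to_overtake_within(365, 120):.2f}x the honest hashrate")
```

With the post's figures and 3x the honest hashrate the model gives 182.5 days to overtake (the honest chain does not stand still), $4.5 billion of hardware plus energy, and $9.855 billion of block rewards on the 78,840-block replacement chain. The practitioner's caveat is the one the post itself raises: the rewards are only worth that if the market ignores a year-long reorg, and the real protection against this attacker is economic (buying or renting hashrate on that scale without moving the difficulty or the price), not anything in the consensus rules.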
full member
Activity: 351
Merit: 134
January 26, 2018, 06:34:22 AM
Order is simply a consensus.  It has not much to do with time.  In fact, transactions don't even need to be time-ordered.  If there are no double-spends, their order is automatic.

If there were no double spends, we don't need a blockchain, or bitcoin or anything fancy. But guess what?

Quote
But that's all that is needed; order.  Not "real world time".  Of course, IF you tag real world time to transactions, you automatically get an ordering.  And IF you tag real world time to consensus pictures, they are of course also automatically ordered.  But it is not a necessary condition.

Trustless ordering cannot occur without an unforgeable proxy for elapsed time.

Quote
In order to avoid this, one needs to make sure that nobody is accumulating hardware capacity without using it.  Bitcoin is only protected if one can make sure nobody has a significant amount of unused hardware.  If one has a huge pile of unused hardware, one can switch it on and outperform the existing system with not much more proof of work than was put into it.

So bitcoin's ultimate protection is not by proof of work, but by proof-of-non-existence-of-unused-hardware.  See, the attack of piling up unused hardware is obvious in PoW.

No one piles up unused hardware because there exists a competition to mine; mining is, on average, more profitable than attacking the network, that is the key of why PoW is superior to PoS.

Quote
That really depends on the PoS algorithm.  It would be a stupid algorithm that doesn't allow staking.

No it doesn't depend on the PoS algorithm; block producers are elected by stake, and to prevent that election happening repeatedly as stake moves around (creating attack vectors), stake must be bonded in some way by preventing new blocks from being produced right away. So if you send your stake to yourself, you're subject to that bonding period. If everyone does that, no one can produce a block and the network stalls, forever.
hero member
Activity: 770
Merit: 629
January 26, 2018, 05:53:33 AM
Yes, and nobody needs that.  One only needs ORDER, not "real world time proxies". 

And how do you think you arrive at the order? Without reliable time-stamping, you don't and can't. It is the building block upon which all this is based.


Order is simply a consensus.  It has not much to do with time.  In fact, transactions don't even need to be time-ordered.  If there are no double-spends, their order is automatic.  I could give you all the individual transactions in the bitcoin block chain in a random order, and you could be able to put them in order again.  They form a strictly ordered graph.  They don't need any time stamp.  They don't even need an indicated order, they order themselves.

The only thing one needs some "consensus state momentary pictures" for is that one needs arbitration of double-spends.  One needs to come to consensus over which of two spendings is going to be part of the "accepted truth".  This doesn't even need to be the one with the earliest real-time stamp.  It is a random decision, but that random decision needs to be part of a consensus.  If there are no double spends, the consensus is automatic.  If there are double spends, we need to come to a consensus of which one to retain as the 'real one'.  It sounds obvious that it should be the first in real time, but it doesn't have to be.
It is only after this consensus is reached, that one can be certain about one's balance.  Up until the moment of global consensus, when transactions are pending, there could be double spendings, and one cannot know which one will be part of the next consensus.

The consensus images need to be ordered concerning transaction graphs.  They do not even need to be ordered between disjoint transaction subtrees.  Of course, when sub trees mix, there needs to be a logical order between the last "unsynchronized consensus" on each sub tree, and the first one after the mix.  In other words, the consensus pictures need to have a similar order to the ordered graph of transactions.

But that's all that is needed; order.  Not "real world time".  Of course, IF you tag real world time to transactions, you automatically get an ordering.  And IF you tag real world time to consensus pictures, they are of course also automatically ordered.  But it is not a necessary condition.

In proof of work, if you do slightly more work than the "good guys" (that is, the ensemble of miners that were working "honestly"), you won.  It is sufficient that you have proven, say, 50% more hashes than the "good guys" and your chain will take over.  With a digital signature, that is not "50% more", but 2^128 times more or so.

'Slightly more' work than the rest of the network is vastly more work than solving a single block.

It is slightly more work than was needed to make the piece of block chain you want to overdo.  (and hey, you even get the new block rewards too).  If I want to overdo 10 weeks of block chain, I'll need somewhat more proof of work than 10 weeks of block chain building.  The question is in how much time I can do this.  But the amount of *work* is not related to the RATE of my work.  If I had the hardware to do 100 times the rate of work that is really spent on the block chain right now, I wouldn't need to spend much more actual WORK.  I could do it in a day or so (10 weeks of block chain).  In order to avoid this, one needs to make sure that nobody is accumulating hardware capacity without using it.  Bitcoin is only protected if one can make sure nobody has a significant amount of unused hardware.  If one has a huge pile of unused hardware, one can switch it on and outperform the existing system with not much more proof of work than was put into it.

So bitcoin's ultimate protection is not by proof of work, but by proof-of-non-existence-of-unused-hardware.  See, the attack of piling up unused hardware is obvious in PoW.


Quote
Quote
They are only vulnerable to attacks from the inside, that is, from their owners, and then it depends exactly on the PoS scheme used.  They cannot be attacked from the outside, from someone who doesn't have any stake in the system and never owned some stash.  As to the exact attacks that are possible, that depends on the precise implementation of the PoS scheme.

If I pay 100% of staking stake-owners to send a transaction to themselves at precisely 12:00pm next Monday, whichever chain I choose would be stalled forever. That's a fairly obvious external 'attack'.

That really depends on the PoS algorithm.  It would be a stupid algorithm that doesn't allow staking.  Normally, a good PoS algorithm ORDERS the staking candidates according to things like actual current stake, previous stakers, and pseudo-random numbers calculated from the previous accepted consensus, and extra weights for coin age and so on, and then gives priority to that staker that actually proposes a consensus and is highest on the list.  So there is always a highest staker on the list of those that propose a consensus.  All possible previous states should always accept a single valid staker amongst all proposed stakes.

Quote
Quote
PoW can even be attacked with all users offline, because the PoW stake holders have nothing to do with the coin.  If tomorrow, the Chinese government confiscates most of the mining equipment, bitcoin is in the hands of the Chinese government.  With a PoS coin, that's simply impossible.

Sorry, that's just plainly incorrect. If the Chinese government confiscates all mining equipment in China, bitcoin blocks will slow down as the rest of the world gradually takes up the slack. On the other hand, if some force confiscates all the staking stake from a PoS chain, the chain is dead forever barring a hard fork.


I meant: the Chinese government confiscates all mining equipment to use it as an attack on bitcoin, not to stop it from running.  As I said, there shouldn't be any staking stake.  There's just proposed consensus solutions by those who stake, and a PoS algorithm, known to everyone, indicates, amongst the propositions, which one is the accepted winner.  If there's only one proposition, obviously that single proposition wins.

You can say: hey, but what happens if a higher-ordered staker propagates a past consensus decision then ?  Well, if in the mean time, new consensus decisions arrived on top of the previously accepted one, it's done, he lost his chance to stake.  As such of course, you can get divergent histories, but a good PoS algorithm also has a global branch preference, which is essentially a pseudo-random number.  If you are, as a staker, confronted with two branches, you should stake on the one with the highest "global preference", even if you are to be a staker on the lower one.  This is the solution to the "nothing at stake" problem: there should also be a pseudo-random cumulative weight of each branch: obviously one will win.

And finally, there shouldn't be any reward for staking.  It should be a voluntary act.  That would avoid people wanting to disrupt the staking, just to get the rewards.
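The claim above that a shuffled set of transactions "orders itself" through the outputs each one spends, and that the only thing a consensus has to settle is which of two competing spends survives, can be shown directly. This is an added example, not code from the thread or from any wallet or node software; the transaction shape, the sample set and the arbitration rule (lowest SHA-256 of a shared seed and the txid wins) are constructed here to make the point concrete.

```python
"""Added illustration: transactions carry their own order through the
outputs they spend, so no timestamps are needed to sequence them; what the
graph alone cannot settle is which of two spends of one output is 'real'.
Sample transactions are constructed here; not code from any project.
"""
import hashlib
import heapq
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Outpoint = Tuple[str, int]  # (txid that created the output, output index)


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[Outpoint, ...]  # outputs spent; empty for a coinbase
    n_outputs: int


def order_transactions(txs: List[Tx]) -> List[Tx]:
    """Topological order by spend dependency (Kahn's algorithm).  Ties are
    broken by txid, so every node derives the same sequence from the same
    set.  Rejects spends of unknown outputs and dependency cycles."""
    by_id = {t.txid: t for t in txs}
    indeg = {t.txid: 0 for t in txs}
    children: Dict[str, List[str]] = defaultdict(list)
    for t in txs:
        for parent, idx in t.inputs:
            if parent not in by_id:
                raise ValueError(f"{t.txid} spends unknown tx {parent}")
            if idx >= by_id[parent].n_outputs:
                raise ValueError(f"{t.txid} spends nonexistent output {parent}:{idx}")
            indeg[t.txid] += 1
            children[parent].append(t.txid)
    ready = [tid for tid, d in indeg.items() if d == 0]
    heapq.heapify(ready)
    ordered: List[Tx] = []
    while ready:
        tid = heapq.heappop(ready)
        ordered.append(by_id[tid])
        for child in children[tid]:
            indeg[child] -= 1
            if indeg[child] == 0:
                heapq.heappush(ready, child)
    if len(ordered) != len(txs):
        raise ValueError("cycle: some transactions spend each other")
    return ordered


def find_double_spends(txs: List[Tx]) -> Dict[Outpoint, List[str]]:
    """Outputs claimed by more than one transaction, with their claimants."""
    spenders: Dict[Outpoint, List[str]] = defaultdict(list)
    for t in txs:
        for op in t.inputs:
            spenders[op].append(t.txid)
    return {op: sorted(ids) for op, ids in spenders.items() if len(ids) > 1}


def arbitrate(txs: List[Tx], seed: bytes) -> List[Tx]:
    """Resolve each conflict with a deterministic pseudo-random rule
    (constructed: lowest SHA-256(seed || txid) wins), then drop the losers
    and every transaction descending from a dropped one.  Real-time arrival
    order plays no part; only the shared seed does."""
    losers = set()
    for op, claimants in find_double_spends(txs).items():
        winner = min(claimants, key=lambda tid: hashlib.sha256(seed + tid.encode()).digest())
        losers.update(c for c in claimants if c != winner)
    kept: List[Tx] = []
    kept_ids = set()
    for t in order_transactions(txs):  # parents are visited before children
        if t.txid in losers or any(parent not in kept_ids for parent, _ in t.inputs):
            continue
        kept.append(t)
        kept_ids.add(t.txid)
    return kept


def sample_txs() -> List[Tx]:
    """Constructed sample, deliberately shuffled: cb -> a -> {b, c | d}, e spends d.
    c and d both spend a:1, so exactly one of them can survive."""
    return [
        Tx("e", (("d", 0),), 1),
        Tx("c", (("a", 1),), 1),
        Tx("b", (("a", 0),), 1),
        Tx("d", (("a", 1),), 1),
        Tx("a", (("cb", 0),), 2),
        Tx("cb", (), 1),
    ]


if __name__ == "__main__":
    print("order:", [t.txid for t in order_transactions(sample_txs())])
    print("conflicts:", find_double_spends(sample_txs()))
    print("kept:", [t.txid for t in arbitrate(sample_txs(), b"consensus-seed")])
```

Two things are worth noticing when running it. The ordering step never consults a clock, only the spend graph, and it throws on a cycle, which is how a set that is not a valid history announces itself. The arbitration step is where consensus actually enters: every node that shares the seed drops the same loser and, with it, everything built on top of the loser (here `e` goes if `d` loses), which is exactly the "pending until the next consensus picture" window the post describes.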
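The staker ordering and branch preference sketched in this reply (and, in more detail, in the same poster's reply further up about highest-priority stakers, reduced priority after staking, and a cumulative pseudo-random fork priority) can be made concrete with a small simulation. This is an added toy for the thread and not code from any proof-of-stake project: the exponential-race ranking (which makes the chance of ranking first proportional to stake), the penalty factor for recent proposers, and the per-block weight definition are assumptions chosen here to give the sketch a testable form.

```python
"""Added illustration of stake-ordered proposer priority and a cumulative
pseudo-random branch preference, as sketched in this thread.  Constructed
toy; the ranking rule, penalty factor and weight definition are assumptions.
"""
import hashlib
import math
from typing import Dict, Iterable, List, Set


def _draw(seed: bytes, label: str) -> float:
    """Deterministic pseudo-random number in (0, 1] from SHA-256(seed | label)."""
    h = hashlib.sha256(seed + b"|" + label.encode()).digest()
    return (int.from_bytes(h, "big") + 1) / (2 ** 256 + 1)


def proposer_order(prev_consensus: bytes, stakes: Dict[str, float],
                   recent: Set[str] = frozenset(), penalty: float = 4.0) -> List[str]:
    """Rank stakers for the next consensus, seeded by the previous accepted
    consensus so every node computes the same list.  Each staker draws an
    exponential 'arrival time' with rate equal to its effective stake; the
    earliest arrival ranks first, so P(first) = stake / total stake.
    Stakers in `recent` have their effective stake divided by `penalty`:
    lower priority, but a lone online staker still ranks (and proposes)."""
    arrival = {}
    for sid, stake in stakes.items():
        if stake <= 0:
            continue
        eff = stake / penalty if sid in recent else stake
        arrival[sid] = -math.log(_draw(prev_consensus, sid)) / eff
    return sorted(arrival, key=arrival.__getitem__)


def first_proposer_frequency(stakes: Dict[str, float], recent: Set[str],
                             rounds: int) -> Dict[str, float]:
    """Fraction of `rounds` distinct consensus seeds in which each staker
    ranks first; used to check the stake-proportionality property."""
    counts = {sid: 0 for sid in stakes}
    for i in range(rounds):
        seed = hashlib.sha256(f"consensus-{i}".encode()).digest()
        counts[proposer_order(seed, stakes, recent)[0]] += 1
    return {sid: n / rounds for sid, n in counts.items()}


def make_block(prev_hash: bytes, proposer: str, height: int) -> dict:
    body = prev_hash + proposer.encode() + height.to_bytes(4, "big")
    return {"prev": prev_hash, "proposer": proposer, "height": height,
            "hash": hashlib.sha256(body).digest()}


def extend(chain: List[dict], proposer: str) -> List[dict]:
    tip = chain[-1]
    return chain + [make_block(tip["hash"], proposer, tip["height"] + 1)]


def branch_weight(chain: Iterable[dict]) -> float:
    """Cumulative pseudo-random weight.  Each block's contribution is fixed
    by its parent hash and proposer, so a proposer cannot alter it without
    building on a different parent."""
    return sum(_draw(b["prev"], b["proposer"]) for b in chain)


def preferred_branch(branches: List[List[dict]]) -> List[dict]:
    """Fork choice: highest cumulative weight, tip hash as tie-break.
    Independent of the order in which a node learned of the prongs."""
    return max(branches, key=lambda c: (branch_weight(c), c[-1]["hash"]))


def fork_example() -> bool:
    """Two nodes see the same two prongs in opposite order; both pick the same one."""
    genesis = make_block(b"\x00" * 32, "genesis", 0)
    prong_1 = extend(extend([genesis], "alice"), "bob")
    prong_2 = extend([genesis], "carol")
    return preferred_branch([prong_1, prong_2]) == preferred_branch([prong_2, prong_1])


if __name__ == "__main__":
    print(first_proposer_frequency({"A": 3.0, "B": 1.0}, set(), 2000))
    print(first_proposer_frequency({"A": 1.0, "B": 1.0}, {"A"}, 2000))
    print("nodes agree on the fork:", fork_example())
```

The simulation shows the properties the sketch relies on and nothing more: the ranking is a pure function of the previous consensus and the stake table, a staker who just proposed is demoted but not excluded (so a single online staker keeps producing, as the earlier reply insists), and both prongs of a split get the same verdict from every node that has seen both. What it does not show is any incentive analysis; with no staking reward and voluntary participation, as proposed here, that is exactly the part a reviewer would want argued separately.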
full member
Activity: 351
Merit: 134
January 26, 2018, 04:35:13 AM
Yes, and nobody needs that.  One only needs ORDER, not "real world time proxies".  

And how do you think you arrive at the order? Without reliable time-stamping, you don't and can't. It is the building block upon which all this is based.


In proof of work, if you do slightly more work than the "good guys" (that is, the ensemble of miners that were working "honestly"), you won.  It is sufficient that you have proven, say, 50% more hashes than the "good guys" and your chain will take over.  With a digital signature, that is not "50% more", but 2^128 times more or so.

'Slightly more' work than the rest of the network is vastly more work than solving a single block.

Quote
They are only vulnerable to attacks from the inside, that is, from their owners, and then it depends exactly on the PoS scheme used.  They cannot be attacked from the outside, from someone who doesn't have any stake in the system and never owned some stash.  As to the exact attacks that are possible, that depends on the precise implementation of the PoS scheme.

If I pay 100% of the staking stake-owners to send a transaction to themselves at precisely 12:00 pm next Monday, whichever chain I choose would be stalled forever. That's a fairly obvious external 'attack'.

Quote
PoW can even be attacked with all users offline, because the PoW stake holders have nothing to do with the coin.  If tomorrow, the Chinese government confiscates most of the mining equipment, bitcoin is in the hands of the Chinese government.  With a PoS coin, that's simply impossible.

Sorry, that's just plainly incorrect. If the Chinese government confiscates all mining equipment in China, bitcoin blocks will slow down as the rest of the world gradually takes up the slack. On the other hand, if some force confiscates all the staking stake from a PoS chain, the chain is dead forever barring a hard fork.
hero member
Activity: 770
Merit: 629
January 26, 2018, 02:00:06 AM
If I understand correctly, the transaction fees are what the earnings of miners are in a POW system. So, how can you make a POW system exist with zero transaction fees in future, when bitcoin is mainstream and used as a payments system?

In a coin without tail emission, that is, in a coin where there will only be a finite given number of coins from a certain time onward, yes.  In coins that continue to emit coins (tail emission, like ethereum, monero and the likes), mining is paid for by inflation, like it still mostly is for bitcoin.  Bitcoin's mining has always been paid by inflation until now.  It is only since last year that fees started to be a sizeable fraction of the mining revenue, still smaller than inflation, but nevertheless appreciable.  In a few times 4 years, however, the inflation will be so much reduced that it is the fees that will have to pay for the joke.

Note that this is equivalent: the whole of the bitcoin ecosystem is "leaking value" at the rate of mining resource waste.  In the beginning, the price is paid by people POSSESSING bitcoin, through inflation; towards later times, this is paid by people USING bitcoin, through fees.

In a PoS system, there is no such value leak.  The system can hold its value.  A PoW system leaks value because of the necessary economical waste in proof of work.
hero member
Activity: 770
Merit: 629
January 26, 2018, 01:56:27 AM
PoW has been shown, in bitcoin, to centralize, and we know the economic reason for that: "economies of scale".  

No. PoW in bitcoin has shown to be a trustless, reliable proxy for elapsed time.


Yes, and nobody needs that.  One only needs ORDER, not "real world time proxies".  You need the order of spendings, in order to exclude the double spend, and to certify the first spending.  In bitcoin, if these are more than a few times 10 minutes apart, that's usually considered definitive.  But *any* mechanism that comes to a consensus that transaction A came before transaction B is good enough.  You don't need real world time for that.  You only need order.  

- cryptographically not very secure.  Indeed, the cryptographic security resides solely in the need for an external attacker to do a *similar* amount of work as was needed to generate the security in the first place.

Firstly, 'cryptographic security' is the wrong term for what you are trying to describe. Secondly, the security of a PoW chain is not based on doing a 'similar' amount of work, but on doing more work than the rest of the miners in the network combined. That is indeed 'vastly' more work.

No, that is not vastly more work.  If I make a digital signature, I can do that with a smart phone using a few mW during a few seconds.  In order to FAKE that digital signature, even the NSA with all its supercomputers can't.  So the effort of the attacker (here, the NSA) is so vastly more important than the effort the "good guy" (me) had to do, that it is simply practically not feasible.  This is the core of cryptography: the good guy (with the key) can do something easily that the bad guy without the key cannot even dream of doing with all the computation power in the world.  It is sufficient to show that one single digital signature has been faked without the key, and one considers that scheme broken.

In proof of work, if you do slightly more work than the "good guys" (that is, the ensemble of miners that were working "honestly"), you won.  It is sufficient that you have proven, say, 50% more hashes than the "good guys" for your chain to take over.  With a digital signature, that is not "50% more", but 2^128 times more or so.

But that is what a crypto currency should be: entirely determined by its owners.  It is very strange to have a crypto currency that depends on an external industry, and of which the users are not making up the consensus.  A PoW coin is very much exposed to an external attack, while a PoS coin is cryptographically secure against an external attack.  It can of course suffer *internal* attacks.

Again, you're misusing 'cryptographically secure' and even if we take your intended meaning, your statement is still wrong as PoS coins are vulnerable to a much broader range of attacks than PoW coins, both external and internal. Please see this thread for details:

They are only vulnerable to attacks from the inside, that is, from their owners, and then it depends exactly on the PoS scheme used.  They cannot be attacked from the outside, from someone who doesn't have any stake in the system and never owned some stash.  As to the exact attacks that are possible, that depends on the precise implementation of the PoS scheme.

Yes, PoS can be attacked by its owners.  Which is obvious, because that's what a crypto currency is about: the owners should be the master of what's going to happen, of the rules, and of everything.  But it cannot be attacked from the outside because it is cryptographically simply unfeasible if you don't possess any of the signing keys.

Quote
There is a paper describing a provably secure PoS chain, but even the author concedes that it can only be that way if a majority of honest nodes remain online. This is not a very resilient design, especially in the face of power cuts, wars and 'force majeure'.

PoW can even be attacked with all users offline, because the PoW stake holders have nothing to do with the coin.  If tomorrow, the Chinese government confiscates most of the mining equipment, bitcoin is in the hands of the Chinese government.  With a PoS coin, that's simply impossible.

The thing is that all these theoretical attacks are way beyond the normal use case: by the time these attacks become possible, the use case of the coin has already crumbled.  If you first need to obtain 15% of the stash of a coin before you can attack it, you could already do much more harm in the market than you would by setting up a rather improbable attack.  We now have 4 people in the world that, via a simple phone call and an agreement, could attack bitcoin, and they don't even need to possess it.  They won't, because it is their business.  If you own 15% of a coin, you won't set up an attack.

Quote
Don't get me wrong, I'm not saying that bitcoin is a success - the network is congested beyond usability, but PoW remains the only trustless solution to the byzantine generals problem.

I think PoW proved that it failed, by economies of scale.  If 4 people can decide to attack the system, even if they won't, I think that I can rest my case.  If this system is considered safe, then PoS should be considered safe too for all practical purposes, even though theoretical attacks are possible.  

The real, initial problem with PoS was that one thought that it wouldn't *converge*.  That semi-honest players wouldn't find the same consensus.  The "nothing at stake" issue.  

That, from a certain level of investment onward, you can break the system is obvious, but we saw that with PoW in practice.  4 guys (and maybe they are the same guy!!) can collude, and kill bitcoin tomorrow if they want to.  Simply, they don't want to.

If the 4 most important mining pools decide to reduce their hash rate in the building of the new chain, and use 80% of their hash power to overdo an older piece of chain, reversing transactions of last week, next week we have broken bitcoin with an orphaned prong a week long.

The point is that in PoW, you don't know how much invisible potential PoW hardware is available to an attacker.  In PoS, you know: it is the amount of stash.  Nobody knows if someone is not stealthily collecting mining hardware without using it, so without pushing the difficulty upward, and switching it on in the frame of an attack.  This is especially the case with large price swings on the market.  If tomorrow, bitcoin tumbles a factor of 5 in the market, and miners "switch off hardware" because it is wasteful, there's a huge potential of hardware ready to be used for an attack.

So all these attacks are just as well theoretically possible with PoW.  PoW is just as theoretically broken as PoS.  In reality, they won't happen, because they need big players to kill their own investment in one way or another; and these big players can do that also in the market if they want to.  From that PoV, PoS is more logical.  An outside attacker might want to invest in the killing of a coin more probably than an insider.
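To put numbers on the two scenarios argued above (an attacker with "50% more hashes" than the honest miners, and pools redirecting 80% of the network's hash power at a week-old block), here is an added example that is not part of the post: it implements the catch-up probability from the bitcoin whitepaper and the mean time a majority attacker needs to close a given block deficit, assuming a 10-minute block interval and 144 blocks per day.

```python
import math


def attacker_share(work_ratio: float) -> float:
    """Share q of total hash power for an attacker with work_ratio times the
    honest hash power (the post's '50% more hashes' is work_ratio = 1.5)."""
    return work_ratio / (1.0 + work_ratio)


def catch_up_probability(q: float, z: int) -> float:
    """Whitepaper estimate that an attacker with share q of the hash power
    eventually overtakes an honest chain that is currently z blocks ahead."""
    p = 1.0 - q
    if q >= p:
        return 1.0                      # a majority attacker always catches up
    lam = z * q / p                     # expected attacker progress meanwhile
    honest_lead_survives = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        honest_lead_survives += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - honest_lead_survives


def expected_catch_up_intervals(q: float, z: int) -> float:
    """Mean number of block intervals a majority attacker needs to close a
    z-block deficit: on average it gains (q - p) blocks per interval."""
    p = 1.0 - q
    if q <= p:
        return math.inf                 # a minority attacker never closes it on average
    return z / (q - p)


def rewrite_week_days(q: float, blocks_per_day: int = 144) -> float:
    """Days needed to overtake a block that is one week deep, with share q."""
    intervals = expected_catch_up_intervals(q, 7 * blocks_per_day)
    return intervals * 10 / (60 * 24)
```

With q = 0.8 the week-deep rewrite takes roughly 11.7 days of sustained majority hashing, which is why confirmation depth is only ever a cost imposed on an attacker, not a guarantee.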

newbie
Activity: 17
Merit: 0
January 26, 2018, 12:42:25 AM
I think converting to POS will be better for bitcoin in future.
newbie
Activity: 84
Merit: 0
January 25, 2018, 07:04:04 AM
If I understand correctly, the transaction fees are what the earnings of miners are in a POW system. So, how can you make a POW system exist with zero transaction fees in future, when bitcoin is mainstream and used as a payments system?