
Topic: Proof-of-stake can never scale without blowing up, because PoS isn't trustless - page 3. (Read 5419 times)

legendary
Activity: 1092
Merit: 1000
As I explained already (see quote below), the coin age time employed to threshold the delay for signing in the variant of PoS you are using, isn't delayed by PoW computation delay. The coin age delay is a fabrication of the UTXO at that point in time. Since the attacker can construct a UTXO from his own stake and since in PoS there is no PoW computational delay impeding the attacker from rebuilding a Long Range chain attack, then the only way to prevent such an attack (i.e. the nothing-at-stake problem) in PoS is to employ checkpoints. This is known to every expert who has studied PoS.

What is "PoW computation delay" in this context? If you are building a side chain you can assign whatever arbitrary timestamp you want to a PoW block, so there is no required delay.

The delay to compute the proof-of-work. You can't just magically pull proof-of-work out of thin air as it requires expending electricity.

Although an attacker could muck around with timestamps on his chain, he has to start from some known block and he must produce a longer chain of PoW computation, which requires he consume more electricity than on the current longest chain.

These are Bitcoin101 concepts.


I added this after: Or maybe is the argument that... yes you could build a side chain that could confuse nodes up to a certain time, but that side chain will never catch up to the work added to the main chain?

So I suppose now if I am understanding the argument correctly is that.. sure you can alter the timestamps and perhaps make a confusing fork on a PoW coin, but at the end of the day it is going to be pretty much impossible to be able to have a chain that ends with the same level of computation that the main chain has.

On the other hand, using PoS, and supposing that there are no checkpoints... it would be possible to re-mine and restake all the way from the genesis block and result in a chain that has higher trust than the main chain.

This part is where I have a problem, to achieve the above you need to be able to have a higher difficulty per chain than the main chain.
How do you accomplish this if, even without checkpoints
1. The Main Chain has more coins than you.
2. The Coin has months or years of blocks built up.
3. Coins require time before they can stake again, staking is not a continuous system. This would hamper the attempt.

I don't see how you can build up enough difficulty unless you own all of the coins, and if you do no one else cares what you do with it.
What % of the coins would you need to even attempt this as it seems you would need way more than 51% to reach the genesis block.
Also if you consider this as an issue why don't your coins use a checkpoint server?

sr. member
Activity: 336
Merit: 265
So much anger.

You'd be pissed off too if some troll wasted your $300 per hour (opportunity cost) time for several hours. He could have raised his points with much less verbiage, rancor, and direct to the point on specifics. We could have concluded his education with a few cordial posts. But no, he was determined to be an asshat and was trying to humiliate me. It backfired on him, because I am somewhat expert.

There is a perception that a long POW chain has a lot of computation work behind it. This is not always true. POW difficulty changes to meet the target block generation period. There is no guarantee that a longer block chain has more work than a shorter chain.

Incorrect. A correctly programmed PoW block chain will compute the cumulative difficulty of the chain. This can be computed/verified mathematically from the number of leading 0s in each PoW hash for each block.

So I accept checkpoints. They are cheap and make it highly difficult for attackers to work around it.

They are not cheap. They waste the entire block chain on a power vacuum clusterfuck. Please read the OP and all the links and think more carefully about the critical importance of the Nash equilibrium. Study what happened to Ethereum.

This issue becomes critical as your block chain scales to a $billion valuation and is a serious contender in CC.
newbie
Activity: 13
Merit: 0
So much anger. I have read previous posts debating this topic. One thing that comes up is POS needs checkpoints but POW doesn't. I believe POW and POS need to have checkpoints. Here are my thoughts. Actually these ideas are not mine just what I have read previously on the same topic. But for new users this might help.

There is a perception that a long POW chain has a lot of computation work behind it. This is not always true. POW difficulty changes to meet the target block generation period. There is no guarantee that a longer block chain has more work than a shorter chain.

On POW chain it is implied that work is being done and a longer POW chain has more work on it. This is because on honest chains which have equal difficulty targets are for the most part true. But on this topic we are not worried about honest nodes trying to reach consensus with long running nodes which already have the honest chains.

In this case we are talking "checkpoint POS vs POW". Or as I like to say, "what happens when a new node comes online in a hostile hacker zone- how does a client trust one long chain vs another."

A hacker / attacker could basically fake blocks /w fake creation times for POS and POW chains. For POW, the attacker would generate chains with lowest allowed difficulty level and then keep it this way while generating a longer block chain. In this way an attacker can create a valid long POW block chain with low work / energy while following all the rules. This is sometimes overlooked because people look at bitcoin chain and see tons of energy expended in the mining races. The difficulty target in POW is to maintain block generation time not to ensure there is a provable amount of work being done on the chain.

Enter the trusty checkpoint. Without the checkpoints a POS or POW would fail in this scenario. A checkpoint hash however cements the block chain up to a given date. With checkpoints an attacker has to mount the attack after this point which is more difficult to do with both POW or POS coins. For POW, the attacker has to reduce the difficulty target using energy. For POS, he would have to purchase a stake to reduce difficulty to generate a new fake chain.

So I accept checkpoints. They are cheap and make it highly difficult for attackers to work around it.
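
The fork-choice question argued over in the two posts above (cumulative difficulty versus chain length, and what a checkpoint adds for a newly syncing node), as an added example that is not code from the thread or from any coin: candidate chains are scored by cumulative work derived from each block's target rather than by block count, and any chain that conflicts with a hard-coded checkpoint is rejected. The block format, the toy targets and the names `chain_work`, `best_chain` and `CHECKPOINTS` are assumptions; no difficulty-retarget rule is modelled.

```python
import hashlib
from dataclasses import dataclass

MAX_HASH = 1 << 256

@dataclass(frozen=True)
class Block:
    height: int
    prev_hash: str
    target: int  # a block is valid only if int(hash) <= target
    nonce: int

    def hash(self) -> str:
        header = f"{self.height}|{self.prev_hash}|{self.target}|{self.nonce}"
        return hashlib.sha256(header.encode()).hexdigest()

GENESIS = Block(0, "0" * 64, MAX_HASH - 1, 0)

def block_work(target: int) -> int:
    """Expected number of hash attempts needed to meet `target`."""
    return MAX_HASH // (target + 1)

def mine(prev: Block, target: int) -> Block:
    """Toy miner: try nonces until the block hash meets the target."""
    nonce = 0
    while True:
        blk = Block(prev.height + 1, prev.hash(), target, nonce)
        if int(blk.hash(), 16) <= target:
            return blk
        nonce += 1

def build(n_blocks: int, target: int) -> list:
    chain = [GENESIS]
    for _ in range(n_blocks):
        chain.append(mine(chain[-1], target))
    return chain

def chain_work(chain, checkpoints=None):
    """Cumulative work of a candidate chain, or None if it must be rejected."""
    checkpoints = checkpoints or {}
    if not chain or chain[0] != GENESIS:
        return None
    if any(height >= len(chain) for height in checkpoints):
        return None  # too short to contain a pinned block
    total = 0
    for prev, blk in zip(chain, chain[1:]):
        if blk.height != prev.height + 1 or blk.prev_hash != prev.hash():
            return None  # broken linkage
        if int(blk.hash(), 16) > blk.target:
            return None  # claimed work was not actually done
        if checkpoints.get(blk.height, blk.hash()) != blk.hash():
            return None  # conflicts with a hard-coded checkpoint
        total += block_work(blk.target)
    return total

def best_chain(candidates, checkpoints=None):
    """Fork choice: the valid candidate with the most cumulative work."""
    scored = [(chain_work(c, checkpoints), c) for c in candidates]
    valid = [(w, c) for w, c in scored if w is not None]
    return max(valid, key=lambda wc: wc[0])[1] if valid else None

# Constructed sample chains (toy targets so this runs in well under a second).
HONEST = build(5, 1 << 244)       # few blocks, high difficulty
LONG_CHEAP = build(40, 1 << 252)  # many blocks at low difficulty
HEAVY_FORK = build(4, 1 << 243)   # private fork from genesis with more work
CHECKPOINTS = {3: HONEST[3].hash()}

if __name__ == "__main__":
    for name, c in (("honest", HONEST), ("cheap", LONG_CHEAP), ("fork", HEAVY_FORK)):
        print(name, len(c) - 1, "blocks", chain_work(c), chain_work(c, CHECKPOINTS))
```

Without `CHECKPOINTS` the heavier private fork wins the comparison; with the checkpoint pinned, only the chain containing that block is accepted.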
legendary
Activity: 1330
Merit: 1000
Blockchain Developer
Don't know what the hostility is for... Superiority complex I suppose.

I wasn't expressing any hostility. Why did you think so?

If I learn something from you, then you congratulate me for realizing what you had known, then I would be denying my gratitude by presuming you were gloating.

I had to deal with 5 pages of trolling by your colleague (well he claims some affiliation to you). I am entitled to acknowledge your realization. There is no animosity intended. You are being rational and so am I. I was just relieved the trolling had come to an end finally.

Carry on. We both have work to do.

I have no affiliation with Kiklo. I was pointed to this thread by someone else. I think people just tend to throw out my name at times when PoS code is being talked about.
sr. member
Activity: 336
Merit: 265
Don't know what the hostility is for... Superiority complex I suppose.

I wasn't expressing any hostility. Why did you think so?

If I learn something from you, then you congratulate me for realizing what you had known, then I would be denying my gratitude by presuming you were gloating.

I had to deal with 5 pages of trolling by your colleague (well he claims some affiliation to you). I am entitled to acknowledge your realization. There is no animosity intended. You are being rational and so am I. I was just relieved the trolling had come to an end finally.

Carry on. We both have work to do.
legendary
Activity: 1330
Merit: 1000
Blockchain Developer
I added this after: Or maybe is the argument that... yes you could build a side chain that could confuse nodes up to a certain time, but that side chain will never catch up to the work added to the main chain?

So I suppose now if I am understanding the argument correctly is that.. sure you can alter the timestamps and perhaps make a confusing fork on a PoW coin, but at the end of the day it is going to be pretty much impossible to be able to have a chain that ends with the same level of computation that the main chain has.

On the other hand, using PoS, and supposing that there are no checkpoints... it would be possible to re-mine and restake all the way from the genesis block and result in a chain that has higher trust than the main chain.

Congratulations for realizing what all of us had realized.

Don't know what the hostility is for... Superiority complex I suppose.

So I guess my conclusion here would be, so long as there are hard checkpoints set into proof of stake chains after the coin has been widely distributed to many different individuals, and such that it turns into a proof-of-working-stake style coin, then there should not be any risk. At such a point it is not feasible to get enough coinage to launch an attack that would build a larger trust score.

Of course that's just my opinion. And I am not here to be in a PoS is better than PoW argument. PoW that has significant hash power that is widely distributed (ie not a few pools running the show) would probably be the safest system IMO. But at the end of the day, PoS is easy to use and you don't need to buy equipment from a select few group of companies that produce that equipment.
sr. member
Activity: 336
Merit: 265
As I explained already (see quote below), the coin age time employed to threshold the delay for signing in the variant of PoS you are using, isn't delayed by PoW computation delay. The coin age delay is a fabrication of the UTXO at that point in time. Since the attacker can construct a UTXO from his own stake and since in PoS there is no PoW computational delay impeding the attacker from rebuilding a Long Range chain attack, then the only way to prevent such an attack (i.e. the nothing-at-stake problem) in PoS is to employ checkpoints. This is known to every expert who has studied PoS.

What is "PoW computation delay" in this context? If you are building a side chain you can assign whatever arbitrary timestamp you want to a PoW block, so there is no required delay.

The delay to compute the proof-of-work. You can't just magically pull proof-of-work out of thin air as it requires expending electricity.

Although an attacker could muck around with timestamps on his chain, he has to start from some known block and he must produce a longer chain of PoW computation, which requires he consume more electricity than on the current longest chain.

These are Bitcoin101 concepts.


I added this after: Or maybe is the argument that... yes you could build a side chain that could confuse nodes up to a certain time, but that side chain will never catch up to the work added to the main chain?

So I suppose now if I am understanding the argument correctly is that.. sure you can alter the timestamps and perhaps make a confusing fork on a PoW coin, but at the end of the day it is going to be pretty much impossible to be able to have a chain that ends with the same level of computation that the main chain has.

On the other hand, using PoS, and supposing that there are no checkpoints... it would be possible to re-mine and restake all the way from the genesis block and result in a chain that has higher trust than the main chain.

Congratulations for realizing what all of us had realized.
legendary
Activity: 1330
Merit: 1000
Blockchain Developer
As I explained already (see quote below), the coin age time employed to threshold the delay for signing in the variant of PoS you are using, isn't delayed by PoW computation delay. The coin age delay is a fabrication of the UTXO at that point in time. Since the attacker can construct a UTXO from his own stake and since in PoS there is no PoW computational delay impeding the attacker from rebuilding a Long Range chain attack, then the only way to prevent such an attack (i.e. the nothing-at-stake problem) in PoS is to employ checkpoints. This is known to every expert who has studied PoS.

What is "PoW computation delay" in this context? If you are building a side chain you can assign whatever arbitrary timestamp you want to a PoW block, so there is no required delay.

The delay to compute the proof-of-work. You can't just magically pull proof-of-work out of thin air as it requires expending electricity.

Although an attacker could muck around with timestamps on his chain, he has to start from some known block and he must produce a longer chain of PoW computation, which requires he consume more electricity than on the current longest chain.

These are Bitcoin101 concepts.


I added this after: Or maybe is the argument that... yes you could build a side chain that could confuse nodes up to a certain time, but that side chain will never catch up to the work added to the main chain?

So I suppose now if I am understanding the argument correctly is that.. sure you can alter the timestamps and perhaps make a confusing fork on a PoW coin, but at the end of the day it is going to be pretty much impossible to be able to have a chain that ends with the same level of computation that the main chain has.

On the other hand, using PoS, and supposing that there are no checkpoints... it would be possible to re-mine and restake all the way from the genesis block and result in a chain that has higher trust than the main chain.
sr. member
Activity: 336
Merit: 265
As I explained already (see quote below), the coin age time employed to threshold the delay for signing in the variant of PoS you are using, isn't delayed by PoW computation delay. The coin age delay is a fabrication of the UTXO at that point in time. Since the attacker can construct a UTXO from his own stake and since in PoS there is no PoW computational delay impeding the attacker from rebuilding a Long Range chain attack, then the only way to prevent such an attack (i.e. the nothing-at-stake problem) in PoS is to employ checkpoints. This is known to every expert who has studied PoS.

What is "PoW computation delay" in this context? If you are building a side chain you can assign whatever arbitrary timestamp you want to a PoW block, so there is no required delay.

The delay to compute the proof-of-work. You can't just magically pull proof-of-work out of thin air as it requires expending electricity.

Although an attacker could muck around with timestamps on his chain, he has to start from some known block and he must produce a longer chain of PoW computation, which requires he consume more electricity than on the current longest chain.

These are Bitcoin101 concepts.

On the true chain, yes there will be delay because it is an honest chain. But on a fraudulent chain, you can assign whatever timestamp you want, build the next block ten seconds or whatever later, all the while holding the chain privately. Or am I missing an important aspect, I could definitely be and would appreciate you expanding on that if you could.

I do not know what you are thinking about. Sounds weird. Are you thinking about Blockstream's Side-chains proposal (which is known to be insecure)?
legendary
Activity: 1330
Merit: 1000
Blockchain Developer
As I explained already (see quote below), the coin age time employed to threshold the delay for signing in the variant of PoS you are using, isn't delayed by PoW computation delay. The coin age delay is a fabrication of the UTXO at that point in time. Since the attacker can construct a UTXO from his own stake and since in PoS there is no PoW computational delay impeding the attacker from rebuilding a Long Range chain attack, then the only way to prevent such an attack (i.e. the nothing-at-stake problem) in PoS is to employ checkpoints. This is known to every expert who has studied PoS.

What is "PoW computation delay" in this context? If you are building a side chain you can assign whatever arbitrary timestamp you want to a PoW block, so there is no required delay. On the true chain, yes there will be delay because it is an honest chain. But on a fraudulent chain, you can assign whatever timestamp you want, build the next block ten seconds or whatever later, all the while holding the chain privately. Or am I missing an important aspect, I could definitely be and would appreciate you expanding on that if you could.

Edit: Or maybe is the argument that... yes you could build a side chain that could confuse nodes up to a certain time, but that side chain will never catch up to the work added to the main chain?
legendary
Activity: 1330
Merit: 1000
Blockchain Developer
The proof hash for PoS coins has always been hashed in SHA, the block hash algorithm really has no direct relevance to the difficulty of producing a PoS block.

Hmm,

Just to clear it up for everyone myself included.
Aside from PoW generation, when the Blackcoin whitepaper says scrypt and moving to sha,
what exactly did Rat4 mean by the block hash was changing from Scrypt to Sha, in your opinion?

FYI:
This was a tangent conversation, and has nothing to do with the fact
iamnotback is Wrong in his Slandering of proof of stake.



The block hash is not the same thing as the proof hash. The block hash is the identifier for a particular block, it hashes various elements of the block together and produces a hash of the inputs.

The proof hash is what you are producing when you are attempting to stake. Given your stake inputs, you hash them together using the timestamp instead of a nonce, and then have successfully produced a stake if your hash is less than the targeted value. The proof hash has always been done in SHA, lots of people don't realize this especially the type that say they are using Blake for light weight staking... The proof hash is part of the block, but is not the block hash.
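
A simplified illustration of the distinction drawn in the post above, as an added example that is not code from any coin's source: the proof hash is computed over the stake inputs plus the timestamp and compared against a target, while the block hash is only an identifier and can use a different algorithm without affecting that check. The field layout, the single SHA-256 round, `TARGET` and all function names are assumptions.

```python
import hashlib
import struct

def proof_hash(stake_inputs: bytes, timestamp: int) -> int:
    """Kernel hash over the stake inputs and the timestamp; there is no nonce."""
    data = stake_inputs + struct.pack("<I", timestamp)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def is_valid_stake(stake_inputs: bytes, timestamp: int, target: int) -> bool:
    # Real coins also scale the target by the staked amount or coin age;
    # that weighting is left out of this sketch.
    return proof_hash(stake_inputs, timestamp) < target

def first_staking_time(stake_inputs: bytes, start: int, window: int, target: int):
    """What a staking wallet does: step the timestamp until the proof hash fits."""
    for ts in range(start, start + window):
        if is_valid_stake(stake_inputs, ts, target):
            return ts
    return None

def block_hash(block: dict, algo: str) -> str:
    """Block identifier: a hash of the block's fields, in whatever algorithm the coin uses."""
    h = hashlib.new(algo)
    h.update(block["prev"] + block["stake_inputs"])
    h.update(struct.pack("<I", block["timestamp"]))
    return h.hexdigest()

def verify_block(block: dict, target: int, id_algo: str):
    """Return (block id, whether the embedded stake proof meets the target)."""
    ok = is_valid_stake(block["stake_inputs"], block["timestamp"], target)
    return block_hash(block, id_algo), ok

# Constructed sample values, not taken from any real chain.
STAKE_INPUTS = b"constructed-stake-input" + bytes.fromhex("ab" * 32)
TARGET = 1 << 252              # toy target: roughly 1 timestamp in 16 succeeds
START = 1_500_000_000
TS = first_staking_time(STAKE_INPUTS, START, 600, TARGET)
BLOCK = {"prev": b"\x00" * 32, "stake_inputs": STAKE_INPUTS, "timestamp": TS}

if __name__ == "__main__":
    for algo in ("sha256", "blake2s"):
        block_id, ok = verify_block(BLOCK, TARGET, algo)
        print(algo, block_id[:16], "stake valid:", ok)
```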
legendary
Activity: 1092
Merit: 1000
Your Op Title is
Proof-of-stake can never scale without blowing up, because PoS isn't trustless

IMO this is more accurate

iamnotback makes up opinions without researching the facts, so iamnotback's opinions can not be Trusted




legendary
Activity: 1092
Merit: 1000
Incorrect. The attacker can short the token (which btw is one reason why attacking these tiny PoS coins is not worth it).

Etc, etc., etc...

Blackcoin is ~ $3 million on market cap,
Mintcoin is ~ $2 million on market cap,
now that you explained they are sitting ducks, someone will destroy them.

Oh Wait,
No Worries, You don't know what you are talking about.

FYI:
5 Pages to get you to ignore me, I must say it was worth every post.
Going to work on that fart bubble in your head?


kiklo you are not qualified to debate me. Any person who is qualified and reads what I have written to you, is shaking their head wondering how you can be such a dumb jackass. I have been warned to never argue with an idiot, because an idiot doesn't know when they are incorrect.

That's funny,
I've read what you wrote and all I see is an arrogant prick that is too stupid to actually have a decent conversation,
hiding behind a pretense of intelligence, I have taken your measure, and you are lacking in intelligence and civility.
You are always sprouting Nash , like it is a big deal, kind of shows there are NO ORIGINAL THOUGHTS IN YOUR HEAD.
You Repeat yourself with the Repetition of Stupidity.  



sr. member
Activity: 336
Merit: 265
My Favorite coin is already up and running going on ~3 years.

Whoopee-doo. The famous unfalsifiable shitcoin illogical excuse, "you didn't attack my worthless shitcoin, therefore my shitcoin is secure".

Either it is not PoS, or it has adhoc social contract checkpoints (i.e. a centralized clusterfuck) and a large marketcap ($billion), or it has a tiny marketcap (< $100 million) that isn't worth attacking.

Goodbye asshat, you are now on Ignore because you write nonsense and you are not even a programmer.

kiklo you are not qualified to debate me. Any person who is qualified and reads what I have written to you, is shaking their head wondering how you can be such a dumb jackass. I have been warned to never argue with an idiot, because an idiot doesn't know when they are incorrect.

legendary
Activity: 1092
Merit: 1000
FYI:
Want to know what is funny,
My Favorite coin is already up and running going on ~3 years.

Yours is still a fart bubble in your head, and the more misinformation you spread about Proof of Stake, the less likely your fart bubble ever becomes a reality.
Or did you just want to admit, a new coin design from you is just fantasy and you rather just proclaim your greatness instead of proving it.

FYI:
Mr. Pretender
Those that can, Do.
Those that can't, Pretend like they can.
sr. member
Activity: 336
Merit: 265
Duplicate blocks are not propagated by the network and a limit is imposed on how often an attack can be attempted, by the coin age being consumed by staking. Secondly the top block is removed when a duplicate stake (using the same output more than once) is received directly punishing the attacker by delaying the reward, thus losing out on compounding interest.

Incorrect. This is only known to nodes which were online at the time. The entire point about nothing-at-stake is that new nodes that come online can't verify which chain is valid without some adhoc social contract and checkpoints.

We experts don't have time to run around correcting all the places that these asshats promulgate their nonsense.

Another protection is that because the attacker has to own a considerable amount of coins, it exposes the attacker to exchange rate risk (the value of their investment collapsing); a risk that is increased by the person's own attempt to attack the network. The argument is flawed because it argues that the attacker has nothing at stake, when in reality the attacker has to spend resources to acquire the coins used in the attack, thereby exposing themselves to exchange rate risk.

Incorrect. The attacker can short the token (which btw is one reason why attacking these tiny PoS coins is not worth it).

Etc, etc., etc...
legendary
Activity: 1092
Merit: 1000
Here Peercoin explains why your G.Maxwell Nothing-at-stake theory is BS.

https://www.peercointalk.org/index.php?topic=2976.msg27787#msg27787

You can read it or you can just pretend like you already do know it like you do everything else.

FYI:
Takes one to know one Asshat.
sr. member
Activity: 336
Merit: 265
legendary
Activity: 1092
Merit: 1000
Nice fantasy you have asshat.

Unlike you, I have an easier time telling one from the other.

FYI:
Looks like you are developing a stutter.
legendary
Activity: 1092
Merit: 1000
The proof hash for PoS coins has always been hashed in SHA, the block hash algorithm really has no direct relevance to the difficulty of producing a PoS block.

Hmm,

Just to clear it up for everyone myself included.
Aside from PoW generation, when the Blackcoin whitepaper says scrypt and moving to sha,
what exactly did Rat4 mean by the block hash was changing from Scrypt to Sha, in your opinion?

FYI:
This was a tangent conversation, and has nothing to do with the fact
iamnotback is Wrong in his Slandering of proof of stake.
