Proof of Stake...

newer
Snowden Drop to Poitras and...

older
Penetration of Target's HVAC...

Juan Garofalo

7 Feb 2014 7 Feb '14

2:44 a.m.

...does it work?

Show replies by date

David Vorick

7 Feb 7 Feb

4:27 a.m.

...

From what I can tell, it does not.

The problem is that there's nothing preventing hosts from mining on forks simultaneously. In bitcoin, if you mine on forks simultaneously you'll be working with different headers and wasting hashes. In POS, you have nothing to lose from mining forks, and then picking the fork that benefits you the greatest. Some bitcoin devs have called it the nothing-at-stake problem. On Thu, Feb 6, 2014 at 9:44 PM, Juan Garofalo wrote:

...

...does it work?

Lodewijk andré de la porte

10:40 a.m.

Any functional complaint + it being illogical economically. Power to those that rule. Fantastic plan.

Sean Lynch

7:53 p.m.

AIUI there are multiple ways to implement proof-of-stake. A friend of mine proposed treating the chain with the most coin days destroyed (along with correct difficulties for the standard proof-of-work function) as the "longest" one rather than only the most difficult chain. Does that not work? On Fri, Feb 7, 2014 at 2:40 AM, Lodewijk andré de la porte wrote:

...

Any functional complaint + it being illogical economically. Power to those that rule. Fantastic plan.

David Vorick

8:06 p.m.

The problem is that you have a bunch of your own coins, so you are mining the chains that have been announced, but you are also mining possible chains that involve you that you never announced. So if I never announce that I destroy 10 coin days, but I have 10 coin days to destroy, there is an alternate reality that I'm also mining, If I don't like the current chain, I can add my own coin days to a different fork in the past to make that fork now the heaviest fork. Then I announce it. Especially if I'm working with a bunch of other people, they can add their own coins and we can work together to make it the longest chain. If it becomes the longest chain, they get back any coins they destroyed in an alternate history. So basically, it's very cheap for a set of collaborating nodes to build a forest of alternate chains, and the longest can change anytime we collectively alter the history or add another fork somewhere to make it the new longest. It's relatively inexpensive to balance all these forks. So it works as long as the powerful individuals aren't mining multiple chain simultaneously. But what's to stop them? So it's ultimately not very secure once powerful groups start attacking the currency. On Fri, Feb 7, 2014 at 2:53 PM, Sean Lynch wrote:

...

AIUI there are multiple ways to implement proof-of-stake. A friend of mine proposed treating the chain with the most coin days destroyed (along with correct difficulties for the standard proof-of-work function) as the "longest" one rather than only the most difficult chain. Does that not work?

On Fri, Feb 7, 2014 at 2:40 AM, Lodewijk andré de la porte wrote:

...
Any functional complaint + it being illogical economically. Power to those that rule. Fantastic plan.

Sean Lynch

8:09 p.m.

The different transactions change the block hash, though, so it's the same problem for the attacker that you originally pointed out with proof-of-work, no? On Fri, Feb 7, 2014 at 12:06 PM, David Vorick wrote:

...

The problem is that you have a bunch of your own coins, so you are mining the chains that have been announced, but you are also mining possible chains that involve you that you never announced.

So if I never announce that I destroy 10 coin days, but I have 10 coin days to destroy, there is an alternate reality that I'm also mining, If I don't like the current chain, I can add my own coin days to a different fork in the past to make that fork now the heaviest fork. Then I announce it. Especially if I'm working with a bunch of other people, they can add their own coins and we can work together to make it the longest chain. If it becomes the longest chain, they get back any coins they destroyed in an alternate history.

So basically, it's very cheap for a set of collaborating nodes to build a forest of alternate chains, and the longest can change anytime we collectively alter the history or add another fork somewhere to make it the new longest. It's relatively inexpensive to balance all these forks.

So it works as long as the powerful individuals aren't mining multiple chain simultaneously. But what's to stop them? So it's ultimately not very secure once powerful groups start attacking the currency.

On Fri, Feb 7, 2014 at 2:53 PM, Sean Lynch wrote:

...
AIUI there are multiple ways to implement proof-of-stake. A friend of mine proposed treating the chain with the most coin days destroyed (along with correct difficulties for the standard proof-of-work function) as the "longest" one rather than only the most difficult chain. Does that not work?

On Fri, Feb 7, 2014 at 2:40 AM, Lodewijk andré de la porte wrote:

...
Any functional complaint + it being illogical economically. Power to those that rule. Fantastic plan.

Lodewijk andré de la porte

8:23 p.m.

2014-02-07 Sean Lynch :

...

The different transactions change the block hash, though, so it's the same problem for the attacker that you originally pointed out with proof-of-work, no?

The problem is that you've introduced trust into a trust-free system. And you didn't even pick wisely, you picked wealthy. The assumption used to justify wealthy is that people that are wealthy will want to preserve the system, and it's value. They are actually more likely driven with increasing their wealth. This, of course, is not unreasonable. But a "pretty cracked up currency" is still okay to enough people. You can't trust people to judge the crackedupness of a (psuedonymous) system. This is the same reason "regular banking" fails. @David, this would probably cause some trouble amongst those wealthy people.

Juan Garofalo

9:14 p.m.

--On Thursday, February 06, 2014 11:27 PM -0500 David Vorick wrote:

...

...
From what I can tell, it does not.

The problem is that there's nothing preventing hosts from mining on forks simultaneously. In bitcoin, if you mine on forks simultaneously you'll be working with different headers and wasting hashes. In POS, you have nothing to lose from mining forks, and then picking the fork that benefits you the greatest.

Some bitcoin devs have called it the nothing-at-stake problem.

Thanks David. I guess I won't get the full picture until I spend some mental effort understanding the mechanism. Which is something I've been procrastinating on =P At any rate, an attack against, say, nextcoin should be 'feasible' and would be proof that proof of stake isn't too robust?

...

On Thu, Feb 6, 2014 at 9:44 PM, Juan Garofalo wrote:

...
...does it work?

3877

Age (days ago)

3877

Last active (days ago)

List overview

Download

7 comments

4 participants

participants (4)

David Vorick
Juan Garofalo
Lodewijk andré de la porte
Sean Lynch

Proof of Stake...

Juan Garofalo

David Vorick

Lodewijk andré de la porte

Sean Lynch

David Vorick

Sean Lynch

Lodewijk andré de la porte

Juan Garofalo

tags

participants (4)