From what I can tell, it does not.
The problem is that there's nothing preventing hosts from mining on forks simultaneously. In bitcoin, if you mine on forks simultaneously you'll be working with different headers and wasting hashes. In POS, you have nothing to lose from mining forks, and then picking the fork that benefits you the greatest.
Some bitcoin devs have called it the nothing-at-stake problem.
On Thu, Feb 6, 2014 at 9:44 PM, Juan Garofalo <juan.g71@gmail.com> wrote:
...does it work?
Any functional complaint + it being illogical economically. Power to those that rule. Fantastic plan.
AIUI there are multiple ways to implement proof-of-stake. A friend of mine proposed treating the chain with the most coin days destroyed (along with correct difficulties for the standard proof-of-work function) as the "longest" one rather than only the most difficult chain. Does that not work?
On Fri, Feb 7, 2014 at 2:40 AM, Lodewijk andré de la porte <l@odewijk.nl> wrote:
Any functional complaint + it being illogical economically. Power to those that rule. Fantastic plan.
The problem is that you have a bunch of your own coins, so you are mining the chains that have been announced, but you are also mining possible chains that involve you that you never announced.
So if I never announce that I destroy 10 coin days, but I have 10 coin days to destroy, there is an alternate reality that I'm also mining. If I don't like the current chain, I can add my own coin days to a different fork in the past to make that fork now the heaviest fork. Then I announce it. Especially if I'm working with a bunch of other people, they can add their own coins and we can work together to make it the longest chain. If it becomes the longest chain, they get back any coins they destroyed in an alternate history.
So basically, it's very cheap for a set of collaborating nodes to build a forest of alternate chains, and the longest can change anytime we collectively alter the history or add another fork somewhere to make it the new longest. It's relatively inexpensive to balance all these forks.
So it works as long as the powerful individuals aren't mining multiple chains simultaneously. But what's to stop them? So it's ultimately not very secure once powerful groups start attacking the currency.
On Fri, Feb 7, 2014 at 2:53 PM, Sean Lynch <seanl@literati.org> wrote:
AIUI there are multiple ways to implement proof-of-stake. A friend of mine proposed treating the chain with the most coin days destroyed (along with correct difficulties for the standard proof-of-work function) as the "longest" one rather than only the most difficult chain. Does that not work?
On Fri, Feb 7, 2014 at 2:40 AM, Lodewijk andré de la porte <l@odewijk.nl> wrote:
Any functional complaint + it being illogical economically. Power to those that rule. Fantastic plan.
The different transactions change the block hash, though, so it's the same problem for the attacker that you originally pointed out with proof-of-work, no?
On Fri, Feb 7, 2014 at 12:06 PM, David Vorick <david.vorick@gmail.com> wrote:
The problem is that you have a bunch of your own coins, so you are mining the chains that have been announced, but you are also mining possible chains that involve you that you never announced.
So if I never announce that I destroy 10 coin days, but I have 10 coin days to destroy, there is an alternate reality that I'm also mining. If I don't like the current chain, I can add my own coin days to a different fork in the past to make that fork now the heaviest fork. Then I announce it. Especially if I'm working with a bunch of other people, they can add their own coins and we can work together to make it the longest chain. If it becomes the longest chain, they get back any coins they destroyed in an alternate history.
So basically, it's very cheap for a set of collaborating nodes to build a forest of alternate chains, and the longest can change anytime we collectively alter the history or add another fork somewhere to make it the new longest. It's relatively inexpensive to balance all these forks.
So it works as long as the powerful individuals aren't mining multiple chains simultaneously. But what's to stop them? So it's ultimately not very secure once powerful groups start attacking the currency.
On Fri, Feb 7, 2014 at 2:53 PM, Sean Lynch <seanl@literati.org> wrote:
AIUI there are multiple ways to implement proof-of-stake. A friend of mine proposed treating the chain with the most coin days destroyed (along with correct difficulties for the standard proof-of-work function) as the "longest" one rather than only the most difficult chain. Does that not work?
On Fri, Feb 7, 2014 at 2:40 AM, Lodewijk andré de la porte <l@odewijk.nl> wrote:
Any functional complaint + it being illogical economically. Power to those that rule. Fantastic plan.
2014-02-07 Sean Lynch <seanl@literati.org>:
The different transactions change the block hash, though, so it's the same problem for the attacker that you originally pointed out with proof-of-work, no?
The problem is that you've introduced trust into a trust-free system. And you didn't even pick wisely, you picked wealthy. The assumption used to justify wealthy is that people that are wealthy will want to preserve the system, and its value. They are actually more likely driven by increasing their wealth. This, of course, is not unreasonable. But a "pretty cracked up currency" is still okay to enough people. You can't trust people to judge the crackedupness of a (pseudonymous) system. This is the same reason "regular banking" fails. @David, this would probably cause some trouble amongst those wealthy people.
--On Thursday, February 06, 2014 11:27 PM -0500 David Vorick <david.vorick@gmail.com> wrote:
From what I can tell, it does not.
The problem is that there's nothing preventing hosts from mining on forks simultaneously. In bitcoin, if you mine on forks simultaneously you'll be working with different headers and wasting hashes. In POS, you have nothing to lose from mining forks, and then picking the fork that benefits you the greatest.
Some bitcoin devs have called it the nothing-at-stake problem.
Thanks David. I guess I won't get the full picture until I spend some mental effort understanding the mechanism. Which is something I've been procrastinating on =P At any rate, an attack against, say, nextcoin should be 'feasible' and would be proof that proof of stake isn't too robust?
On Thu, Feb 6, 2014 at 9:44 PM, Juan Garofalo <juan.g71@gmail.com> wrote:
...does it work?
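An added example, not part of any message in the thread: a toy model of the "most coin days destroyed" fork choice that Sean Lynch describes, showing the point David Vorick raises, that coin-days held back and later placed on an older fork change which chain counts as heaviest. The block names, coin-day values and the `reorg_margin` helper are constructed for illustration, and proof-of-work difficulty is left out of the weight.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Block:
    name: str
    parent: Optional[str]
    coin_days: int  # coin-days destroyed by this block's transactions

def chain_weight(blocks: Dict[str, Block], tip: Optional[str]) -> int:
    """Total coin-days destroyed from `tip` back to genesis."""
    total = 0
    while tip is not None:
        total += blocks[tip].coin_days
        tip = blocks[tip].parent
    return total

def tips(blocks):
    """Blocks that no other block builds on."""
    parents = {b.parent for b in blocks.values()}
    return sorted(n for n in blocks if n not in parents)

def best_tip(blocks):
    """Fork choice: the tip with the most coin-days destroyed behind it."""
    return max(tips(blocks), key=lambda t: chain_weight(blocks, t))

def reorg_margin(blocks):
    """Fewest extra coin-days on a competing fork that would displace the best tip."""
    best = best_tip(blocks)
    rivals = [t for t in tips(blocks) if t != best]
    if not rivals:
        return None
    top = chain_weight(blocks, best)
    return min(top - chain_weight(blocks, t) + 1 for t in rivals)

def add(blocks, name, parent, coin_days):
    """Return a copy of the block tree with one more block."""
    out = dict(blocks)
    out[name] = Block(name, parent, coin_days)
    return out

# Constructed block tree: genesis g, announced fork a1-a2, older fork b1.
TREE = {}
for n, p, cd in [("g", None, 0), ("a1", "g", 30), ("a2", "a1", 25), ("b1", "g", 40)]:
    TREE = add(TREE, n, p, cd)

if __name__ == "__main__":
    print(best_tip(TREE), reorg_margin(TREE))   # announced history
    late = add(TREE, "b2", "b1", 20)            # 20 held-back coin-days land on the old fork
    print(best_tip(late), reorg_margin(late))
```

A node operator can read `reorg_margin` as the amount of unannounced stake it has to assume is absent before treating the current tip as settled; in this model nothing ties that stake to a single fork.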
participants (4)
- David Vorick
- Juan Garofalo
- Lodewijk andré de la porte
- Sean Lynch