Proof of Stake...

Lodewijk andré de la porte l at
Sat Feb 8 06:02:11 PST 2014

> Either way, this is not equivalent to introducing trust into the system
> where it did not exist before. My claim about proof-of-stake not being
> trust any more than proof-of-work is stands.
> I was proposing using coin days destroyed as part of the "difficulty"
> computation, which would mean they actually DO have value, since you cannot
> use the same coin days more than once, and they would reduce the number of
> CPU cycles you need to burn in order to produce a block. The idea is to
> reduce the cost of mining in terms of pure CPU cycles by giving value to
> something that currently has no value: coin days. So you actually CAN do
> such math still.

No. Rewriting the blockchain gives back those coin days. I imagine it's
pretty hard to use many people's coin days for the same block, whereas a
nonce to a block is very easy to communicate.

> This is not a pure proof-of-stake system, though. I am as skeptical of
> pure proof of stake as you are.

Why? If it works it works and if it doesn't it doesn't. A mix between the
two is an extremely political and complicating choice.

>>  I'm more strongly in favor of using citizen's ID's as provided by
>> governments for the purpose of voting on blocks than in proof of stake.
> Not knowing you, this doesn't tell me much, since the same could be said
> of the most statist friend I actually tolerate, the one who thinks Bitcoin
> should die in a fire. I'm guessing that this means "not in favor of it at
> all."

I'm stuck with a democracy problem. Is plutocracy better? Is democracy
better? Is any oligarchy better?

I tend to think that the people are incapable of making the best choice.
Things turn into a trust/populism issue as the people think emotionally.
Additionally they just often lack the domain-specific knowledge for a good

Thus a form of oligarchy should be better. The selection criteria are the
real problem. Elections typically reintroduce the previous problems.

A higher level of education is a start as it correlates with domain
specific knowledge. It correlates too weakly for my taste. And it lacks
testing for critical thinking and similar skills, although they also
correlate. This also puts a pressure on determining the level of education
that isn't in the best interest of academics.

Simple intelligence testing would be preferable. But it is as of yet
impossible to accurately determine intelligence.

Wealth is a selector that would work if it were not for a distorted
political situation and different levels of economic engagement present
even amongst the most capable human beings.

Ultimately the oligarchs can be trusted to make choices best for them, and
not the rest, in the ideal situation. Thus I feel it is not adequate.

In the end however the social/political/economical power wins anyway. Might
as well hardcode it. Even with all choices made up front a system will only
thrive with the support of people. People can be convinced and coerced with
political or economic power, or the social pressure of their peers.

The standing arguments against POS are:
* "Stake" is reverted/restored when the blockchain is rewritten
* It's a political choice, not so much a functional one
* Bitcoin days become a commodity of its own (it is now too, as it speeds
up transactions, but it becomes something worth buying, not something that's
nice to have. Can you imagine trading 1 btc for 1.2 btc and it being worth
it? Sidetracking by exchanging private keys -_-'.... )
* One's investment might change in a single trade. This might also be true
of mining, but it doesn't have to be.
* Large scale mining is traceable. This is an interesting notion, actually.

It'd seem that POS mining is more government-resistant as it does not
require large energy expenses.

I think if someone can solve the "investedness" in a certain blockchain it
gets very interesting.

> There are a couple of problems people are trying to solve with
> proof-of-stake. The first is that the value of mining will eventually go
> down, meaning people will be willing to devote less computing power to it,
> reducing the cost of an attack.

The relative cost of an attack. It is also assumed that the overall usage
goes up. Mining not going down is a change I would make.

> The second is that, even if it didn't go down, we don't necessarily want a
> huge fraction of the world's computing power devoted to mining.

The everlasting counter argument is that money now is costlier still.
There's a simple trade between fraction of computing power devoted to
mining and security.

There's also stuff like that which, if properly
implemented, could drive down computing costs for scientific applications.

> The goal is to take some limited resource that doesn't depend on a trusted
> third party and that is difficult to corner and use that to distribute
> voting authority.

I think this sort of clarity is valuable. There's a lot of stuff that needs
additional support. If it has to be trusted it is usually not called a
third party. The wealth of individuals is definitely something governments
have *a lot* of influence on.

Difficult to corner for whom? Why and how do you want to distribute voting
authority, that's the ultimate question. Ideally there wouldn't be such a
thing as votes, just transactions.

> In addition, we'd like the people doing the voting to have an economic
> incentive to vote correctly.

Correctly is undefined. If you give people economic incentive the most
profitable choice would be the one taken. Making the voters take a choice
best for the system, thus the most profitable, might also not have
desirable results. Depending, of course, on the ultimate question.

> Bitcoin does that by paying them to vote and revoking the payment if their
> block doesn't end up in the main chain.

You don't name the cost of voting. They are allowed to extend the
blockchain and get compensated for it. If they were wrong about their
extension, as defined by the majority of extenders, their payment gets
revoked. This is enough to ensure each will apply the same rule to maximize

> Proof-of-stake does it by hoping that the voters care about the integrity
> of the system, similar to only allowing landowners to vote, only
> (hopefully) without the ability to prevent others from becoming
> stakeholders, which I think is your main worry about it.

You incentivise becoming a greater stakeholder. I also think that people
with a lot of money will have ulterior motives. They don't just sit on
their money.

There's also interplay between many currencies and their exchange. It all
complicates the system tremendously.

The chief concern for the blockchain is ensuring a singular sequence of
transactions. Nothing else is vital. As a side effect the miners can change
the policies, but this is not a pleasant feature.

Voluntary entrance to a system is ideal. No need to run with BitcoinXKE, I
prefer BitcoinXKA. Blockchain forking does enable that. But transactions
could cross between chains where they are legitimate and it could get very

I'm worried about wanting a digital gold and getting a digital euro.
Reducing the flexibility of votes is a good means to that end. In Bitcoin a
policy change is agreed on beforehand, a switchover date is arranged, etc,
in order to not lose money. That's pretty good.

> Incidentally, the coin days are from ALL of the transactions in the block,
> not just your own. I'm not sure if I was clear about that before.

You weren't and I'm not sure how this would work. If I sent in a
transaction to the network, someone else can claim reward for it? Do I get
rewarded for it?

This sounds like I'd have to re-announce my presence on the network pretty
frequently, allowing for easier tracking of participants.

>  You could maybe override a transaction that had fewer coin days, but
> you'd have to burn a similar amount (though less) of CPU time in addition.

ASIC time? But why override? I just change the order and that's enough.

How does POS factor into POW in this case?

I suspect reminting older blocks with more transactions would be feasible.
But you have to link to or explain how you want to do POS.

> Speaking of which, is there any reason peers couldn't watch for forks and
> incorporate any still-valid transactions into new blocks and permanently
> blacklist any outputs that get double-spent? You could create a special
> "blacklist" transaction that just incorporates the two separate spends into
> the main chain, so that everyone could validate that the account holder
> attempted to double spend.

There may be legitimate incidents of accidental double spending. You're
also only fucking the recipient of the transaction, the sender has his
trade long behind him.

It even means I could do a legitimate transaction and later destroy the
money I sent. Close but no ball. Without pseudonyms this is more feasible.
You could kill the sender's address, but that won't have much effect.
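As an added illustration of two points argued in this message, and not code from the original post or from anyone in the thread: the quoted proposal to credit coin days destroyed against the block's difficulty, and the reply that a chain rewrite gives those coin days back. The toy model below is an assumption throughout; BASE_WORK, CREDIT_PER_COIN_DAY, MIN_WORK, the Utxo shape, the work formula and the sample outputs for "alice" and "bob" are all invented for the demonstration and are not anything proposed in the thread.

```python
"""Toy model of 'coin days destroyed as a difficulty credit' and of what a
chain rewrite does to that credit. Added illustration, not code from the
thread; every parameter and sample value here is assumed."""
import hashlib
from dataclasses import dataclass

BASE_WORK = 8192          # assumed: expected hash attempts with no credit
CREDIT_PER_COIN_DAY = 1   # assumed: attempts forgiven per coin-day destroyed
MIN_WORK = 16             # assumed: floor so a block never becomes free


@dataclass(frozen=True)
class Utxo:
    owner: str
    value: int             # whole coins
    created_height: int    # block that created this output

    def coin_days(self, height: int) -> int:
        """Coin-age accrued by this output if it is spent at `height`."""
        return self.value * max(0, height - self.created_height)


def required_work(coin_days_destroyed: int) -> int:
    """Expected hash attempts after crediting the coin days spent in a block."""
    return max(MIN_WORK, BASE_WORK - CREDIT_PER_COIN_DAY * coin_days_destroyed)


def mine(prev_hash: str, spends: frozenset, height: int) -> dict:
    """Find a nonce meeting the credit-reduced work for a block spending `spends`."""
    cdd = sum(u.coin_days(height) for u in spends)
    work = required_work(cdd)
    body = f"{prev_hash}|{height}|{sorted(map(repr, spends))}"
    nonce = 0
    while True:
        digest = hashlib.sha256(f"{body}|{nonce}".encode()).hexdigest()
        if int(digest, 16) % work == 0:      # ~1/work chance per attempt
            return {"height": height, "prev": prev_hash, "hash": digest,
                    "nonce": nonce, "spends": spends, "cdd": cdd, "work": work}
        nonce += 1


def apply_block(utxos: frozenset, block: dict) -> frozenset:
    """Spend the block's inputs; the coins reappear as fresh outputs with zero age."""
    if not block["spends"] <= utxos:
        raise ValueError("input already spent or unknown")
    fresh = {Utxo(u.owner, u.value, block["height"]) for u in block["spends"]}
    return (utxos - block["spends"]) | fresh


def revert_block(utxos: frozenset, block: dict) -> frozenset:
    """Undo a block that lost a reorg: the original, aged outputs come back."""
    fresh = {Utxo(u.owner, u.value, block["height"]) for u in block["spends"]}
    return (utxos - fresh) | block["spends"]


def available_coin_days(utxos: frozenset, height: int) -> int:
    """Coin days the whole UTXO set could destroy at `height`."""
    return sum(u.coin_days(height) for u in utxos)


def demo() -> dict:
    """Walk through: the credit lowers work, then a rewrite hands the coin days back."""
    alice = Utxo("alice", 50, 0)       # constructed sample outputs
    bob = Utxo("bob", 10, 0)
    genesis = frozenset({alice, bob})

    # Block 100 spends Alice's 50 coins aged 100 blocks: 5000 coin-days of credit.
    blk = mine("genesis", frozenset({alice}), 100)
    after = apply_block(genesis, blk)

    # A competing block 100 that spends nothing gets no credit at all.
    plain = mine("genesis", frozenset(), 100)

    # The chain is rewritten and blk is orphaned. Alice's original output is
    # unspent again and has kept ageing, so the same coin days buy credit twice.
    reverted = revert_block(after, blk)
    replay = mine("genesis-prime", frozenset({alice}), 101)
    apply_block(reverted, replay)      # accepted: second use of the same coin days

    return {
        "work_with_credit": blk["work"],                      # 8192 - 5000 = 3192
        "work_without_credit": plain["work"],                 # 8192
        "cdd_before": available_coin_days(genesis, 101),      # 5050 + 1010 = 6060
        "cdd_after_spend": available_coin_days(after, 101),   # 50 + 1010 = 1060
        "cdd_after_revert": available_coin_days(reverted, 101),  # 6060 again
        "cdd_replayed": replay["cdd"],                        # 5050, one block older
        # The hash attempts burned on the orphaned block, by contrast, are gone.
        "orphaned_attempts": blk["nonce"] + 1,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast the model makes visible is the one the message draws: the nonce search spent on the orphaned block is not refunded, but the coin days credited to it are restored in full (and have grown by a block) the moment the block is reverted, so the credit can be claimed again on the rewriting chain.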

More information about the cypherpunks mailing list