I read this and was disappointed. Addressing your summary:
Proof of stake is broken in the same fundamental way as DRM: you can make it arbitrarily difficult to break but in practice not difficult enough to be infeasible. Once broken it becomes a worse version of proof of work, at best. Ripple consensus does not work as advertised.
ASICs help Bitcoin for much the same reasons evand mentioned.
I am not a bitcoin maximalist despite claims to the contrary. I co-created Freicoin for pete’s sake.
Totally agree with the last point.
We’re all on the same side… Can’t we all get along without name calling or petty politics?
I’m curious, what exactly is the problem with the Ripple consensus algorithm? Why doesn’t it work?
If used as advertised, with anyone selecting their own validator list, it fails to reach consensus under non-pathological cases. It basically only works if you have a common list of validators that everyone uses[1], as has been recently demonstrated on Stellar[2] (a fork of Ripple). That would mean there’d be a handful of known servers around the world which together control the ledger. That may be useful in some contexts, but it is absolutely not a comparable solution to bitcoin.
[1] https://forum.ripple.com/viewtopic.php?f=2&t=7801&sid=b12325e49ace885697ed5448201824f1
[2] https://www.stellar.org/blog/safety_liveness_and_fault_tolerance_consensus_choice/
Thanks for the info, two more questions:
Is NXT’s Transparent Forging vulnerable to attacks by old private keys in the way that normal PoS is? Or does one have to control 51% of the current forging stake in order to attack it? If this is not vulnerable, then getting control of 1% of the stake seems as hard as controlling 51% of bitcoin hash power, and the person controlling this stake would not wish to harm their own stake. (The risk in the attack is if one can sell coins and then still attack).
Is Bitshares’ DPoS vulnerable to such attacks? It seems that in order to attack the network you would need to compromise 51 out of 101 delegates, who produce the blocks. The delegates are voted on by shareholders, and you can vote again at any time. So if someone held stake, used it to vote in delegates that would attack the network, and sold their stake, the new buyer could vote in different delegates right away (if they were paying attention).
I suppose that you could social engineer your way into a position to attack by building a reputation and then getting 51 delegates elected without people realizing they were all part of the attacking group. Is it harder to fool everyone, or to get 51% of mining hash power?
As long as these systems are at least ‘almost’ as hard to attack as bitcoin, then they seem useful as a low cost alternative for applications where absolute security is not required. That is, maybe you aren’t trying to be the ultimate store of value like Bitcoin is. For many applications, high security at a low cost would be a better choice than perfect security at a high cost.
Or you can just buy / steal the private keys to coins that have already been spent, and then simulate alternate histories.
The trouble with these schemes is that it is quite easy to make them more difficult to review, without actually adding any security. In both cases I saw early versions that were criticized for being entirely insecure, then there were some iterations that added no security, until it got complex and the people involved learned to not provide free consulting, which I won’t do here either: the objections to proof of stake schemes are general. It can be shown that any proof of stake scheme must be broken by simulation. It’s just a matter of showing what the necessary procedure is for a given scheme, which can be made arbitrarily difficult to review. One of the guys I work with quipped that this is “cryptographic security against review.” That shouldn’t be mistaken for actual security.
There are general results showing that the security being advertised is not possible, in the perpetual motion sense. It’s a waste of time for credible people to spend their time disproving perpetual motion machines, particularly when their proponents can make them arbitrarily difficult to review. Do not mistake a lack of review for an indication of security.
While basic Proof of Stake may be ‘broken’, that does not necessarily mean that every variant of it is similarly broken. Several variations on proof of stake are more secure than the original.
But it is possible for Proof of Stake to be useful even if it’s NOT as secure as Proof of Work, because it is MUCH less expensive. This means that if you have a blockchain application that doesn’t need to be absolutely 100% ultra secure, but it needs to make a profit/spend less money securing the network, then Proof of Stake (or an improved variation) is probably better for that application than Proof of Work.
For the ultimate store of value (Gold 2.0), Bitcoin with Proof of Work and the high level of security it provides is probably best. This is why Bitcoin has a place, and will survive, imo. For applications that need slightly less security, Proof of Stake might be better. For example, let’s say you want to run a prediction market, which is something that LessWrong seems to love. It’s useful that your prediction market is not subject to 3rd party risk of a centralized source, and is instead secured by the blockchain. But maybe you don’t need quite as much security as bitcoin provides. Maybe you need to run your prediction market at low cost, so that fees are low. Maybe a Proof of Stake variant is enough security, and provides better value. From what I’ve read, both Ethereum and BitShares will in the future allow you to run such a prediction market, and both will not require massive mining costs to secure the network.
Regarding ASICs, the problem is that the large mining pools that have developed as a result of the need to be maximally efficient in bitcoin mining have resulted in increased centralization. Right now if you controlled or compromised the top two mining pools, you could attack the network. There is much more centralization in bitcoin mining now in the ASIC era than there was several years ago.
No, the argument I was making does indeed fully generalize to the entire category of Proof of Stake solutions. The goal is to create a dynamic membership set signature, meaning that people can come and go by some mechanism. But that requirement enables simulations because if the future membership set can’t be predicted, then neither can alternative past histories be differentiated. Then no matter the construct used, with enough sybil identities anyone can grind variations on history until one is found which benefits the one doing the work. In this way any proof of stake system devolves into proof of work, only with worse properties (since if you’re going to have proof of work anyway, double-SHA256 is about as good as it gets).
Furthermore, because the incentives are structured such that grinding histories is profitable behavior (and it needs to be for the system to be secure, since it is the same incentive that protects proof of stake when people follow the rules), you can be assured that unscrupulous people will grind histories, and others will too because the alternative is losing out. So proof of stake is NOT any less expensive than proof of work, because any proof of stake system becomes proof of work.
The solution to the mining centralization issue has nothing to do with proof of work algorithms or ASICs. The solution is things like smart property miners, coinbase-only mining, and delegated transaction selection. These are being worked on.
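Editor’s added example (not code from any commenter or from any of the projects discussed): a toy model of the “grinding” argument made in the last reply above. It assumes a simplified proof-of-stake rule in which the leader for slot n+1 is chosen, weighted by stake, from the hash of block n, and that the block producer controls at least one free field (here a nonce standing in for transaction ordering or a timestamp). The stake table, the identity names and the selection rule are all constructed for the illustration. An honest producer hashes once per block; the grinding producer re-hashes its own block until the next slot falls to one of its identities, and the hash count is the work it spends doing so.

```python
"""Toy stake-grinding demonstration (constructed example).

Leader for slot n+1 is chosen by hashing block n, weighted by stake. An honest
producer publishes the first valid block it builds. A grinding producer
re-builds its block (here: by changing a free field such as a nonce or the
transaction ordering) until the resulting hash hands the *next* slot to one of
its own identities. Every retry is one hash evaluation: proof of work by
another name.
"""
import hashlib
from typing import Dict, Set, Tuple

# Constructed stake table: ten attacker identities with 1% each (10% total),
# one large honest holder and two small ones. Stake-weighted selection does
# not care how many identities the attacker's 10% is split across.
STAKES: Dict[str, int] = {f"sybil-{i}": 1 for i in range(10)}
STAKES.update({"alice": 60, "bob": 20, "carol": 10})
ATTACKER: Set[str] = {k for k in STAKES if k.startswith("sybil-")}
TOTAL_STAKE = sum(STAKES.values())


def block_hash(prev_hash: str, producer: str, nonce: int) -> str:
    """Hash of a block; `nonce` stands in for any producer-controlled field."""
    data = f"{prev_hash}|{producer}|{nonce}".encode()
    return hashlib.sha256(data).hexdigest()


def next_leader(seed_hash: str) -> str:
    """Stake-weighted leader election seeded by the previous block's hash."""
    r = int(seed_hash, 16) % TOTAL_STAKE
    acc = 0
    for name, stake in STAKES.items():
        acc += stake
        if r < acc:
            return name
    raise AssertionError("unreachable: r is always below TOTAL_STAKE")


def produce_block(prev_hash: str, producer: str, max_attempts: int) -> Tuple[str, int]:
    """Build a block and return (block_hash, hashes_computed).

    With max_attempts == 1 this is honest behaviour for everyone. An attacker
    identity with max_attempts > 1 keeps re-hashing until the block it
    publishes elects one of the attacker's identities for the next slot, or it
    gives up after max_attempts tries.
    """
    h = block_hash(prev_hash, producer, 0)
    attempts = 1
    if producer in ATTACKER:
        while next_leader(h) not in ATTACKER and attempts < max_attempts:
            h = block_hash(prev_hash, producer, attempts)
            attempts += 1
    return h, attempts


def simulate(rounds: int, grind_attempts: int, genesis: str = "genesis") -> Tuple[float, int]:
    """Run `rounds` slots. Return (attacker share of blocks, total hashes computed)."""
    prev = hashlib.sha256(genesis.encode()).hexdigest()
    attacker_blocks = 0
    work = 0
    for _ in range(rounds):
        leader = next_leader(prev)
        if leader in ATTACKER:
            attacker_blocks += 1
        prev, attempts = produce_block(prev, leader, grind_attempts)
        work += attempts
    return attacker_blocks / rounds, work


if __name__ == "__main__":
    # With 1 attempt the attacker's share tracks its 10% stake; with 64
    # attempts it keeps the leadership almost every slot, at the cost of
    # roughly ten hashes per block instead of one.
    for attempts in (1, 8, 64):
        share, work = simulate(2000, attempts)
        print(f"grind_attempts={attempts:3d}: attacker share={share:.3f}, hashes={work}")
```

Nothing here rewrites history or needs old keys; the attacker simply exploits the fact that the producer of block n influences the seed that elects the producer of block n+1. Any field the producer is free to vary gives it a lottery it can replay, and the replays are hash evaluations, which is the point of the reply above.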