Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-26 Thread Billy Tetrud via bitcoin-dev
I've created a thread on reddit where we can continue the conversation:
https://www.reddit.com/r/BitcoinDiscussion/comments/o8dvlo/bitcoindev_opinion_on_proof_of_stake_in_future/

On Fri, Jun 25, 2021 at 9:59 AM greg m  wrote:

> Where do we go from here? reddit?
>
> Happy Friday everyone!
> gm
>
> On Jun 25, 2021 12:08, Ruben Somsen via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Hi all,
>
> Thanks for the lively discussion. On behalf of the bitcoin-dev moderators
> and with the readers of this mailing list in mind, we'd like to suggest
> finishing up this discussion. Of course there should be some room for
> exploring fringe ideas, but it should not dominate the mailing list either.
> Fun as it may be, perhaps it's time to get back to focusing on the topics
> that are more directly relevant to Bitcoin.
>
> Cheers,
> Ruben
>
> On Fri, Jun 25, 2021 at 9:29 AM yanmaani--- via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> No, that's not how it works.
>
> PoS is constitutionally incapable of producing any further consensus
> from its starting point. If you start out by hardcoding the bitcoin
> ledger state at June 1, 2021, then your PoS system will be unable to
> reach a global consensus as to what the state was on June 2, 2021.
>
> To get global consensus in PoS, you have to know which block came first.
> To reach a consensus on which block was first, you need to solve the
> timestamp problem. And to solve the timestamp problem, you need a
> consensus system. You'll notice that at no point does PoS provide such a
> consensus system.
>
> Implementations of PoS sacrifice global consensus for 'weak
> subjectivity', meaning that each node has its own notion of when a
> certain block arrived. Astute observers will note that 'each node has
> its own notion of what happened' differs somewhat from 'all nodes agree
> on what happened', and that only one of these is a good description of
> what is commonly known as 'consensus'.
>
> Maybe a simpler way of looking at it is from the coder's perspective:
> how do you implement IBD? In PoW, the "longest chain" rule is used -
> "Nodes can leave and rejoin the network at will, accepting the
> proof-of-work chain as proof of what happened while they were gone.".
> Does PoS have this property?
>
> On 2021-06-24 21:50, Erik Aronesty wrote:
> >> PoS is not suitable for use as a consensus system, because
> > it is constitutionally incapable of producing a consensus.
> >
> > true - but only for a system that is starting from nothing.
> >
> > since bitcoin already exists, and we have a consensus, you can use
> > bitcoin's existing consensus to maintain that consensus using
> > references to prior state.  and yes, you simply have to limit reorgs
> > to not go back before PoW was abandoned in favor of PoS/PoB (assuming
> > all incentive problems are solved).
> >
> > ie: once you have used PoW to bootstrap the system, you can "recycle"
> > that work.
> >
> > On Thu, Jun 24, 2021 at 4:41 PM yanmaani--- via bitcoin-dev
> >  wrote:
> >>
> >> No, 51% of the *coin holders* can't do diddly squat. 51% of miners
> >> can,
> >> but in PoW, that's a different set to the coin holders.
> >>
> >> The basic problem with PoS, anyway, is that it's not actually a
> >> consensus system ("weak subjectivity"). Either you allow long reorgs,
> >> and then you open the door to long-range attacks, or you don't, and
> >> then
> >> you're not guaranteed that all nodes agree on the state of the chain,
> >> which was the purpose of the system to begin with.
> >>
> >> To put it more plainly: for PoS to work, you need a consensus on which
> >> block was seen first. But if you had that, you could presumably apply
> >> that method to determine which *transaction* was seen first, in which
> >> case you could do away with the blockchain entirely. (Real-world
> >> implementations of PoS, such that they are, do away with this
> >> requirement, scrapping the global consensus on ordering in favor of
> >> having each node decide for itself which block came first.)
> >>
> >> In other words, even if you solved all the incentive problems, the
> >> fact
> >> remains that PoS is not suitable for use as a consensus system,
> >> because
> >> it is constitutionally incapable of producing a consensus.
> >>
> >> On 2021-06-24 00:14, Billy Tetrud via bitcoin-dev wrote:
> >> >>  This is not true in a Proof of Work system and this difference
> >> >> absolutely should not be trivialized.
> >> >
> >> > That is in fact true of Proof of Work as well. If a colluding
> >> > coalition of miners with more than 50% of the hashrate want to censor
> >> > transactions, they absolutely can do that by orphaning blocks that
> >> > contain transactions they want to censor. This is not different in
> >> > proof of stake.
> >> >
> >> > On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland
> >> >  wrote:
> >> >
> >> >>> Premise: There is a healthy exchange market for PoS Coin X with
> >> >>> tens of thousands of 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-25 Thread Ruben Somsen via bitcoin-dev
Hi all,

Thanks for the lively discussion. On behalf of the bitcoin-dev moderators
and with the readers of this mailing list in mind, we'd like to suggest
finishing up this discussion. Of course there should be some room for
exploring fringe ideas, but it should not dominate the mailing list either.
Fun as it may be, perhaps it's time to get back to focusing on the topics
that are more directly relevant to Bitcoin.

Cheers,
Ruben

On Fri, Jun 25, 2021 at 9:29 AM yanmaani--- via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> No, that's not how it works.
>
> PoS is constitutionally incapable of producing any further consensus
> from its starting point. If you start out by hardcoding the bitcoin
> ledger state at June 1, 2021, then your PoS system will be unable to
> reach a global consensus as to what the state was on June 2, 2021.
>
> To get global consensus in PoS, you have to know which block came first.
> To reach a consensus on which block was first, you need to solve the
> timestamp problem. And to solve the timestamp problem, you need a
> consensus system. You'll notice that at no point does PoS provide such a
> consensus system.
>
> Implementations of PoS sacrifice global consensus for 'weak
> subjectivity', meaning that each node has its own notion of when a
> certain block arrived. Astute observers will note that 'each node has
> its own notion of what happened' differs somewhat from 'all nodes agree
> on what happened', and that only one of these is a good description of
> what is commonly known as 'consensus'.
>
> Maybe a simpler way of looking at it is from the coder's perspective:
> how do you implement IBD? In PoW, the "longest chain" rule is used -
> "Nodes can leave and rejoin the network at will, accepting the
> proof-of-work chain as proof of what happened while they were gone.".
> Does PoS have this property?
>
> On 2021-06-24 21:50, Erik Aronesty wrote:
> >> PoS is not suitable for use as a consensus system, because
> > it is constitutionally incapable of producing a consensus.
> >
> > true - but only for a system that is starting from nothing.
> >
> > since bitcoin already exists, and we have a consensus, you can use
> > bitcoin's existing consensus to maintain that consensus using
> > references to prior state.  and yes, you simply have to limit reorgs
> > to not go back before PoW was abandoned in favor of PoS/PoB (assuming
> > all incentive problems are solved).
> >
> > ie: once you have used PoW to bootstrap the system, you can "recycle"
> > that work.
> >
> > On Thu, Jun 24, 2021 at 4:41 PM yanmaani--- via bitcoin-dev
> >  wrote:
> >>
> >> No, 51% of the *coin holders* can't do diddly squat. 51% of miners
> >> can,
> >> but in PoW, that's a different set to the coin holders.
> >>
> >> The basic problem with PoS, anyway, is that it's not actually a
> >> consensus system ("weak subjectivity"). Either you allow long reorgs,
> >> and then you open the door to long-range attacks, or you don't, and
> >> then
> >> you're not guaranteed that all nodes agree on the state of the chain,
> >> which was the purpose of the system to begin with.
> >>
> >> To put it more plainly: for PoS to work, you need a consensus on which
> >> block was seen first. But if you had that, you could presumably apply
> >> that method to determine which *transaction* was seen first, in which
> >> case you could do away with the blockchain entirely. (Real-world
> >> implementations of PoS, such that they are, do away with this
> >> requirement, scrapping the global consensus on ordering in favor of
> >> having each node decide for itself which block came first.)
> >>
> >> In other words, even if you solved all the incentive problems, the
> >> fact
> >> remains that PoS is not suitable for use as a consensus system,
> >> because
> >> it is constitutionally incapable of producing a consensus.
> >>
> >> On 2021-06-24 00:14, Billy Tetrud via bitcoin-dev wrote:
> >> >>  This is not true in a Proof of Work system and this difference
> >> >> absolutely should not be trivialized.
> >> >
> >> > That is in fact true of Proof of Work as well. If a colluding
> >> > coalition of miners with more than 50% of the hashrate want to censor
> >> > transactions, they absolutely can do that by orphaning blocks that
> >> > contain transactions they want to censor. This is not different in
> >> > proof of stake.
> >> >
> >> > On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland
> >> >  wrote:
> >> >
> >> >>> Premise: There is a healthy exchange market for PoS Coin X with
> >> >>> tens of thousands of participants bidding to buy and sell the coin
> >> >>> for other currencies on the market.
> >> >>
> >> >> The difference here though is that Proof of Stake allows the quorum
> >> >> of coin holders to block the exchange of said coins if they are
> >> >> going to a particular destination. Nothing requires these staking
> >> >> nodes to include particular transactions into a block. With that in
> >> >> mind, it isn't just that you 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-25 Thread yanmaani--- via bitcoin-dev

No, that's not how it works.

PoS is constitutionally incapable of producing any further consensus 
from its starting point. If you start out by hardcoding the bitcoin 
ledger state at June 1, 2021, then your PoS system will be unable to 
reach a global consensus as to what the state was on June 2, 2021.


To get global consensus in PoS, you have to know which block came first. 
To reach a consensus on which block was first, you need to solve the 
timestamp problem. And to solve the timestamp problem, you need a 
consensus system. You'll notice that at no point does PoS provide such a 
consensus system.


Implementations of PoS sacrifice global consensus for 'weak 
subjectivity', meaning that each node has its own notion of when a 
certain block arrived. Astute observers will note that 'each node has 
its own notion of what happened' differs somewhat from 'all nodes agree 
on what happened', and that only one of these is a good description of 
what is commonly known as 'consensus'.


Maybe a simpler way of looking at it is from the coder's perspective: 
how do you implement IBD? In PoW, the "longest chain" rule is used - 
"Nodes can leave and rejoin the network at will, accepting the 
proof-of-work chain as proof of what happened while they were gone.". 
Does PoS have this property?


On 2021-06-24 21:50, Erik Aronesty wrote:
>> PoS is not suitable for use as a consensus system, because
>> it is constitutionally incapable of producing a consensus.
>
> true - but only for a system that is starting from nothing.
>
> since bitcoin already exists, and we have a consensus, you can use
> bitcoin's existing consensus to maintain that consensus using
> references to prior state.  and yes, you simply have to limit reorgs
> to not go back before PoW was abandoned in favor of PoS/PoB (assuming
> all incentive problems are solved).
>
> ie: once you have used PoW to bootstrap the system, you can "recycle"
> that work.
>
> On Thu, Jun 24, 2021 at 4:41 PM yanmaani--- via bitcoin-dev
>  wrote:
>>
>> No, 51% of the *coin holders* can't do diddly squat. 51% of miners can,
>> but in PoW, that's a different set to the coin holders.
>>
>> The basic problem with PoS, anyway, is that it's not actually a
>> consensus system ("weak subjectivity"). Either you allow long reorgs,
>> and then you open the door to long-range attacks, or you don't, and then
>> you're not guaranteed that all nodes agree on the state of the chain,
>> which was the purpose of the system to begin with.
>>
>> To put it more plainly: for PoS to work, you need a consensus on which
>> block was seen first. But if you had that, you could presumably apply
>> that method to determine which *transaction* was seen first, in which
>> case you could do away with the blockchain entirely. (Real-world
>> implementations of PoS, such that they are, do away with this
>> requirement, scrapping the global consensus on ordering in favor of
>> having each node decide for itself which block came first.)
>>
>> In other words, even if you solved all the incentive problems, the fact
>> remains that PoS is not suitable for use as a consensus system, because
>> it is constitutionally incapable of producing a consensus.
>>
>> On 2021-06-24 00:14, Billy Tetrud via bitcoin-dev wrote:
>>>> This is not true in a Proof of Work system and this difference
>>>> absolutely should not be trivialized.
>>>
>>> That is in fact true of Proof of Work as well. If a colluding
>>> coalition of miners with more than 50% of the hashrate want to censor
>>> transactions, they absolutely can do that by orphaning blocks that
>>> contain transactions they want to censor. This is not different in
>>> proof of stake.
>>>
>>> On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland
>>>  wrote:
>>>
>>>>> Premise: There is a healthy exchange market for PoS Coin X with
>>>>> tens of thousands of participants bidding to buy and sell the coin
>>>>> for other currencies on the market.
>>>>
>>>> The difference here though is that Proof of Stake allows the quorum
>>>> of coin holders to block the exchange of said coins if they are
>>>> going to a particular destination. Nothing requires these staking
>>>> nodes to include particular transactions into a block. With that in
>>>> mind, it isn't just that you require the permission of the person
>>>> who sold you the coins, which I can agree is a less dangerous form
>>>> of permission, but you must also require the permission of at least
>>>> 51% of the coin holders to even receive those coins in the first
>>>> place. This is not true in a Proof of Work system and this
>>>> difference absolutely should not be trivialized.
>>>>
>>>> Keagan
>>>>
>>>> On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev
>>>>  wrote:
>>>>
>>>>>> Barrier to entry in PoS is being given permission by the previous
>>>>>> owner of a token
>>>>>
>>>>> The idea that proof of stake is not permissionless is completely
>>>>> invalid. It pains me to see such an argument here. Perhaps we can
>>>>> come to an agreement by being more specific. I'd like to propose the
>>>>> following:
>>>>>
>>>>> Premise: There is a healthy exchange market for PoS Coin X with tens
>>>>> of 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-24 Thread Erik Aronesty via bitcoin-dev
> PoS is not suitable for use as a consensus system, because
> it is constitutionally incapable of producing a consensus.

true - but only for a system that is starting from nothing.

since bitcoin already exists, and we have a consensus, you can use
bitcoin's existing consensus to maintain that consensus using
references to prior state.  and yes, you simply have to limit reorgs
to not go back before PoW was abandoned in favor of PoS/PoB (assuming
all incentive problems are solved).

ie: once you have used PoW to bootstrap the system, you can "recycle" that work.

On Thu, Jun 24, 2021 at 4:41 PM yanmaani--- via bitcoin-dev
 wrote:
>
> No, 51% of the *coin holders* can't do diddly squat. 51% of miners can,
> but in PoW, that's a different set to the coin holders.
>
> The basic problem with PoS, anyway, is that it's not actually a
> consensus system ("weak subjectivity"). Either you allow long reorgs,
> and then you open the door to long-range attacks, or you don't, and then
> you're not guaranteed that all nodes agree on the state of the chain,
> which was the purpose of the system to begin with.
>
> To put it more plainly: for PoS to work, you need a consensus on which
> block was seen first. But if you had that, you could presumably apply
> that method to determine which *transaction* was seen first, in which
> case you could do away with the blockchain entirely. (Real-world
> implementations of PoS, such that they are, do away with this
> requirement, scrapping the global consensus on ordering in favor of
> having each node decide for itself which block came first.)
>
> In other words, even if you solved all the incentive problems, the fact
> remains that PoS is not suitable for use as a consensus system, because
> it is constitutionally incapable of producing a consensus.
>
> On 2021-06-24 00:14, Billy Tetrud via bitcoin-dev wrote:
> >>  This is not true in a Proof of Work system and this difference
> >> absolutely should not be trivialized.
> >
> > That is in fact true of Proof of Work as well. If a colluding
> > coalition of miners with more than 50% of the hashrate want to censor
> > transactions, they absolutely can do that by orphaning blocks that
> > contain transactions they want to censor. This is not different in
> > proof of stake.
> >
> > On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland
> >  wrote:
> >
> >>> Premise: There is a healthy exchange market for PoS Coin X with
> >>> tens of thousands of participants bidding to buy and sell the coin
> >>> for other currencies on the market.
> >>
> >> The difference here though is that Proof of Stake allows the quorum
> >> of coin holders to block the exchange of said coins if they are
> >> going to a particular destination. Nothing requires these staking
> >> nodes to include particular transactions into a block. With that in
> >> mind, it isn't just that you require the permission of the person
> >> who sold you the coins, which I can agree is a less dangerous form
> >> of permission, but you must also require the permission of at least
> >> 51% of the coin holders to even receive those coins in the first
> >> place. This is not true in a Proof of Work system and this
> >> difference absolutely should not be trivialized.
> >>
> >> Keagan
> >>
> >> On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev
> >>  wrote:
> >>
> >>> Barrier to entry in PoS is being given permission by the previous
> >>> owner of a token
> >>
> >> The idea that proof of stake is not permissionless is completely
> >> invalid. It pains me to see such an argument here. Perhaps we can
> >> come to an agreement by being more specific. I'd like to propose the
> >> following:
> >>
> >> Premise: There is a healthy exchange market for PoS Coin X with tens
> >> of thousands of participants bidding to buy and sell the coin for
> >> other currencies on the market.
> >>
> >> If the premise above is true, then there is no significant
> >> permission needed to enter the market for minting blocks for PoS
> >> Coin X. If you make a bid on someone's coins and they don't like you
> >> and refuse, you can move on to any one of the other tens of
> >> thousands of people in that marketplace. Would you agree, Cloud
> >> Strife, that this situation couldn't be considered "permissioned"?
> >>
> >> If not, consider that participation in *any* decentralized system
> >> requires the permission of at least one user in that system. If
> >> there are thousands of bitcoin public nodes, you require the
> >> permission of at least one of them to participate in bitcoin. No one
> >> considers bitcoin "permissioned" because of this. Do you agree?
> >>
> >> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev
> >>  wrote:
> >>
> >> Barrier to entry in PoW is matter for hardware and energy is
> >> permissionless and exist all over the universe, permissionless cost
> >> which exists for everyone no matter who because it's unforgeable.
> >>
> >> Barrier to entry in PoS is being given permission by the 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-24 Thread yanmaani--- via bitcoin-dev
No, 51% of the *coin holders* can't do diddly squat. 51% of miners can, 
but in PoW, that's a different set to the coin holders.


The basic problem with PoS, anyway, is that it's not actually a 
consensus system ("weak subjectivity"). Either you allow long reorgs, 
and then you open the door to long-range attacks, or you don't, and then 
you're not guaranteed that all nodes agree on the state of the chain, 
which was the purpose of the system to begin with.


To put it more plainly: for PoS to work, you need a consensus on which 
block was seen first. But if you had that, you could presumably apply 
that method to determine which *transaction* was seen first, in which 
case you could do away with the blockchain entirely. (Real-world 
implementations of PoS, such that they are, do away with this 
requirement, scrapping the global consensus on ordering in favor of 
having each node decide for itself which block came first.)


In other words, even if you solved all the incentive problems, the fact 
remains that PoS is not suitable for use as a consensus system, because 
it is constitutionally incapable of producing a consensus.


On 2021-06-24 00:14, Billy Tetrud via bitcoin-dev wrote:
>> This is not true in a Proof of Work system and this difference
>> absolutely should not be trivialized.
>
> That is in fact true of Proof of Work as well. If a colluding
> coalition of miners with more than 50% of the hashrate want to censor
> transactions, they absolutely can do that by orphaning blocks that
> contain transactions they want to censor. This is not different in
> proof of stake.
>
> On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland
>  wrote:
>
>>> Premise: There is a healthy exchange market for PoS Coin X with
>>> tens of thousands of participants bidding to buy and sell the coin
>>> for other currencies on the market.
>>
>> The difference here though is that Proof of Stake allows the quorum
>> of coin holders to block the exchange of said coins if they are
>> going to a particular destination. Nothing requires these staking
>> nodes to include particular transactions into a block. With that in
>> mind, it isn't just that you require the permission of the person
>> who sold you the coins, which I can agree is a less dangerous form
>> of permission, but you must also require the permission of at least
>> 51% of the coin holders to even receive those coins in the first
>> place. This is not true in a Proof of Work system and this
>> difference absolutely should not be trivialized.
>>
>> Keagan
>>
>> On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev
>>  wrote:
>>
>>>> Barrier to entry in PoS is being given permission by the previous
>>>> owner of a token
>>>
>>> The idea that proof of stake is not permissionless is completely
>>> invalid. It pains me to see such an argument here. Perhaps we can
>>> come to an agreement by being more specific. I'd like to propose the
>>> following:
>>>
>>> Premise: There is a healthy exchange market for PoS Coin X with tens
>>> of thousands of participants bidding to buy and sell the coin for
>>> other currencies on the market.
>>>
>>> If the premise above is true, then there is no significant
>>> permission needed to enter the market for minting blocks for PoS
>>> Coin X. If you make a bid on someone's coins and they don't like you
>>> and refuse, you can move on to any one of the other tens of
>>> thousands of people in that marketplace. Would you agree, Cloud
>>> Strife, that this situation couldn't be considered "permissioned"?
>>>
>>> If not, consider that participation in *any* decentralized system
>>> requires the permission of at least one user in that system. If
>>> there are thousands of bitcoin public nodes, you require the
>>> permission of at least one of them to participate in bitcoin. No one
>>> considers bitcoin "permissioned" because of this. Do you agree?
>>>
>>> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev
>>>  wrote:
>>>
>>>> Barrier to entry in PoW is matter for hardware and energy is
>>>> permissionless and exist all over the universe, permissionless cost
>>>> which exists for everyone no matter who because it's unforgeable.
>>>>
>>>> Barrier to entry in PoS is being given permission by the previous
>>>> owner of a token for you to have it via transfer or sale, both
>>>> choices they never have to make since there are no continuous costs
>>>> with producing blocks forcing it. A permission is an infinitely high
>>>> barrier to entry if the previous owner, like the premining party,
>>>> refuses to give up the token they control.
>>>>
>>>> You're skipping the part where you depend on a permission of a
>>>> central party in control of the authority token before you can
>>>> produce blocks on your Raspberry Pi.
>>>>
>>>> Proof of stake is not in any possible way relevant to permissionless
>>>> protocols, and thus not possibly relevant to decentralized protocols
>>>> where control must be distributed to independent (i.e.
>>>> permissionless) parties.
>>>>
>>>> There's nothing of relevance to discuss and this has been figured
>>>> out long long ago.
>>>>
>>>> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>>>>
>>>> https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
>>>>
>>>> On 
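The dilemma yanmaani states above (allow long reorgs, or refuse them and lose the guarantee that all nodes agree), and the IBD question in the same author's follow-up ("accepting the proof-of-work chain as proof of what happened while they were gone"), can be watched in a toy simulation. The block below is an added example written for this page; it is not code from the thread or from any real node. The `Node` class, the "pow"/"pos" rules, the `max_reorg` parameter, the branch names and the per-block work values are all constructed assumptions.

```python
# Toy fork-choice simulation (constructed for this example, not code from the
# thread or from any real node). Two rules are modelled:
#   "pow": heaviest cumulative work wins, independent of arrival order. This is
#          what lets a node that was offline run IBD and accept the chain as
#          proof of what happened while it was gone.
#   "pos": blocks carry no unforgeable cost, so equal-length branches tie and
#          the node falls back on whichever block it saw first. max_reorg, if
#          set, refuses reorgs deeper than that many blocks (weak subjectivity).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Block:
    id: str
    parent: Optional[str]  # None for genesis
    work: int = 1          # constructed PoW work units; ignored under "pos"


class Node:
    def __init__(self, rule: str, max_reorg: Optional[int] = None) -> None:
        assert rule in ("pow", "pos")
        self.rule = rule
        self.max_reorg = max_reorg
        self.blocks: Dict[str, Block] = {}
        self.tip: Optional[str] = None

    def chain(self, tip: Optional[str] = None) -> List[str]:
        """Block ids from genesis to `tip` (default: the current tip)."""
        cur = self.tip if tip is None else tip
        out: List[str] = []
        while cur is not None:
            out.append(cur)
            cur = self.blocks[cur].parent
        return out[::-1]

    def score(self, tip: str) -> int:
        # PoW: cumulative work. PoS: plain height, every block weighs the same.
        if self.rule == "pow":
            return sum(self.blocks[b].work for b in self.chain(tip))
        return len(self.chain(tip))

    def reorg_depth(self, new_tip: str) -> int:
        """Number of blocks on the current chain that switching would undo."""
        cur, new = self.chain(), self.chain(new_tip)
        common = 0
        for a, b in zip(cur, new):
            if a != b:
                break
            common += 1
        return len(cur) - common

    def receive(self, block: Block) -> None:
        if block.parent is not None and block.parent not in self.blocks:
            return  # orphan; a real node would fetch the parent first
        self.blocks[block.id] = block
        if self.tip is None:
            self.tip = block.id
            return
        if self.score(block.id) <= self.score(self.tip):
            return  # ties keep the first-seen tip (PoW rarely ties; PoS always does)
        if (self.rule == "pos" and self.max_reorg is not None
                and self.reorg_depth(block.id) > self.max_reorg):
            return  # weak subjectivity: this node refuses the deep reorg
        self.tip = block.id


def simulate(rule: str, max_reorg: Optional[int] = None) -> Tuple[tuple, tuple]:
    """Two nodes hear two competing branches in opposite order. Returns the
    (node1, node2) tips before and after branch B grows one block longer."""
    genesis = Block("G", None)
    a1, a2 = Block("A1", "G"), Block("A2", "A1")
    b1, b2 = Block("B1", "G", work=2), Block("B2", "B1", work=2)  # B spent more work
    b3 = Block("B3", "B2", work=2)
    n1, n2 = Node(rule, max_reorg), Node(rule, max_reorg)
    for blk in (genesis, a1, a2, b1, b2):   # node 1 hears branch A first
        n1.receive(blk)
    for blk in (genesis, b1, b2, a1, a2):   # node 2 hears branch B first
        n2.receive(blk)
    before = (n1.tip, n2.tip)
    n1.receive(b3)
    n2.receive(b3)
    return before, (n1.tip, n2.tip)


if __name__ == "__main__":
    print("pow           :", simulate("pow"))     # both nodes converge on B
    print("pos, no limit :", simulate("pos"))     # split, then a 2-deep reorg heals it
    print("pos, max 1    :", simulate("pos", 1))  # split that never heals
```

Under "pow" both nodes land on the B branch whatever order they heard the blocks in, because cumulative work is something a late-joining node can verify for itself. Under "pos" with no reorg limit the two nodes disagree (A2 versus B2) until a longer branch arrives, and the only thing that healed the split was accepting a reorg whose depth nothing bounds. Under "pos" with `max_reorg=1` node 1 keeps A2 while node 2 moves to B3, which is the "each node decides for itself" outcome the thread describes.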

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-24 Thread Carlo Spiller via bitcoin-dev
The key difference here is that in PoS the seller of the coin might 
still have a vested interest in the network, where in PoW the person you 
acquire energy from to mine and mint has absolutely nothing to do with 
the network. Anyone with power supply can sell it to you and has no 
further interest in what you do with that power. If you don't find a 
power supply, you can build your own.


That is not generically true for PoS. If the seller is still staked with 
more coins they hold, they are entrenched in the network and have 
"permissioned" you to partake only for what they sold to you. Even 
worse, if a super-majority decides to simply never sell, you cannot 
acquire significant stake and participate in minting.


Am 24.06.21 um 10:12 schrieb bitcoin-dev-requ...@lists.linuxfoundation.org:

Re: Opinion on proof of stake in future


Premise: There is a healthy exchange market for PoS Coin X with tens of
thousands of participants bidding to buy and sell the coin for other
currencies on the market.

If the premise above is true, then there is no significant permission
needed to enter the market for minting blocks for PoS Coin X. If you make a
bid on someone's coins and they don't like you and refuse, you can move on
to any one of the other tens of thousands of people in that marketplace.


___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-24 Thread Keagan McClelland via bitcoin-dev
> That is in fact true of Proof of Work as well. If a colluding coalition
> of miners with more than 50% of the hashrate want to censor transactions,
> they absolutely can do that by orphaning blocks that contain transactions
> they want to censor. This is not different in proof of stake.

This power does not translate into them being able to block your
acquisition of hashpower itself, a property extremely different than in
proof of stake.

On Wed, Jun 23, 2021 at 6:14 PM Billy Tetrud  wrote:

> >  This is not true in a Proof of Work system and this difference
> > absolutely should not be trivialized.
>
> That is in fact true of Proof of Work as well. If a colluding coalition of
> miners with more than 50% of the hashrate want to censor transactions, they
> absolutely can do that by orphaning blocks that contain transactions
> they want to censor. This is not different in proof of stake.
>
> On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland <
> keagan.mcclell...@gmail.com> wrote:
>
>> > Premise: There is a healthy exchange market for PoS Coin X with tens of
>> > thousands of participants bidding to buy and sell the coin for other
>> > currencies on the market.
>>
>> The difference here though is that Proof of Stake allows the quorum of
>> coin holders to block the exchange of said coins if they are going to a
>> particular destination. Nothing requires these staking nodes to include
>> particular transactions into a block. With that in mind, it isn't just that
>> you require the permission of the person who sold you the coins, which I
>> can agree is a less dangerous form of permission, but you must also require
>> the permission of at least 51% of the coin holders to even receive those
>> coins in the first place. This is not true in a Proof of Work system and
>> this difference absolutely should not be trivialized.
>>
>> Keagan
>>
>> On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> >  Barrier to entry in PoS is being given permission by the previous
>>> > owner of a token
>>>
>>> The idea that proof of stake is not permissionless is completely
>>> invalid. It pains me to see such an argument here. Perhaps we can come to
>>> an agreement by being more specific. I'd like to propose the following:
>>>
>>> Premise: There is a healthy exchange market for PoS Coin X with tens of
>>> thousands of participants bidding to buy and sell the coin for other
>>> currencies on the market.
>>>
>>> If the premise above is true, then there is no significant permission
>>> needed to enter the market for minting blocks for PoS Coin X. If you make a
>>> bid on someone's coins and they don't like you and refuse, you can move on
>>> to any one of the other tens of thousands of people in that marketplace.
>>> Would you agree, Cloud Strife, that this situation couldn't be considered
>>> "permissioned"?
>>>
>>> If not, consider that participation in *any* decentralized system
>>> requires the permission of at least one user in that system. If there are
>>> thousands of bitcoin public nodes, you require the permission of at least
>>> one of them to participate in bitcoin. No one considers bitcoin
>>> "permissioned" because of this. Do you agree?
>>>
>>> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev <
>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>>> Barrier to entry in PoW is matter for hardware and energy is
>>>> permissionless and exist all over the universe, permissionless cost which
>>>> exists for everyone no matter who because it's unforgeable.
>>>>
>>>> Barrier to entry in PoS is being given permission by the previous owner
>>>> of a token for you to have it via transfer or sale, both choices they never
>>>> have to make since there are no continuous costs with producing blocks
>>>> forcing it. A permission is an infinitely high barrier to entry if the
>>>> previous owner, like the premining party, refuses to give up the token they
>>>> control.
>>>>
>>>> You're skipping the part where you depend on a permission of a central
>>>> party in control of the authority token before you can produce blocks on
>>>> your Raspberry Pi.
>>>>
>>>> Proof of stake is not in any possible way relevant to permissionless
>>>> protocols, and thus not possibly relevant to decentralized protocols where
>>>> control must be distributed to independent (i.e. permissionless) parties.
>>>>
>>>> There's nothing of relevance to discuss and this has been figured out
>>>> long long ago.
>>>>
>>>> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>>>>
>>>> https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
>>>>
>>>> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev <
>>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>
>>>>> @Lloyd wrote:
>>>>>
>>>>>> Of course in reality no one wants to keep their coin holding keys
>>>>>> online so in Algorand you can authorize a set 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-24 Thread Billy Tetrud via bitcoin-dev
>  This is not true in a Proof of Work system and this difference
> absolutely should not be trivialized.

That is in fact true of Proof of Work as well. If a colluding coalition of
miners with more than 50% of the hashrate want to censor transactions, they
absolutely can do that by orphaning blocks that contain transactions
they want to censor. This is not different in proof of stake.

On Wed, Jun 23, 2021 at 11:14 AM Keagan McClelland <
keagan.mcclell...@gmail.com> wrote:

> > Premise: There is a healthy exchange market for PoS Coin X with tens of
> thousands of participants bidding to buy and sell the coin for other
> currencies on the market.
>
> The difference here though is that Proof of Stake allows the quorum of
> coin holders to block the exchange of said coins if they are going to a
> particular destination. Nothing requires these staking nodes to include
> particular transactions into a block. With that in mind, it isn't just that
> you require the permission of the person who sold you the coins, which I
> can agree is a less dangerous form of permission, but you must also require
> the permission of at least 51% of the coin holders to even receive those
> coins in the first place. This is not true in a Proof of Work system and
> this difference absolutely should not be trivialized.
>
> Keagan
>
> On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> >  Barrier to entry in PoS is being given permission by the previous
>> owner of a token
>>
>> The idea that proof of stake is not permissionless is completely invalid.
>> It pains me to see such an argument here. Perhaps we can come to an
>> agreement by being more specific. I'd like to propose the following:
>>
>> Premise: There is a healthy exchange market for PoS Coin X with tens of
>> thousands of participants bidding to buy and sell the coin for other
>> currencies on the market.
>>
>> If the premise above is true, then there is no significant permission
>> needed to enter the market for minting blocks for PoS Coin X. If you make a
>> bid on someone's coins and they don't like you and refuse, you can move on
>> to any one of the other tens of thousands of people in that marketplace.
>> Would you agree, Cloud Strife, that this situation couldn't be considered
>> "permissioned"?
>>
>> If not, consider that participation in *any* decentralized system
>> requires the permission of at least one user in that system. If there are
>> thousands of bitcoin public nodes, you require the permission of at least
>> one of them to participate in bitcoin. No one considers bitcoin
>> "permissioned" because of this. Do you agree?
>>
>> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> Barrier to entry in PoW is matter for hardware and energy is
>>> permissionless and exists all over the universe, permissionless cost which
>>> exists for everyone no matter who because it's unforgeable.
>>>
>>> Barrier to entry in PoS is being given permission by the previous owner
>>> of a token for you to have it via transfer or sale, both choices they never
>>> have to make since there are no continuous costs with producing blocks
>>> forcing it. A permission is an infinitely high barrier to entry if the
>>> previous owner, like the premining party, refuses to give up the token they
>>> control.
>>>
>>> You're skipping the part where you depend on a permission of a central
>>> party in control of the authority token before you can produce blocks on
>>> your Raspberry Pi.
>>>
>>> Proof of stake is not in any possible way relevant to permissionless
>>> protocols, and thus not possibly relevant to decentralized protocols where
>>> control must be distributed to independent (i.e. permissionless) parties.
>>>
>>> There's nothing of relevance to discuss and this has been figured out
>>> long long ago.
>>>
>>>
>>> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>>>
>>>
>>> https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
>>>
>>>
>>>
>>>
>>> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev <
>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>

 @Lloyd wrote:

 Of course in reality no one wants to keep their coin holding keys
> online so in Algorand you can authorize a set of "participation keys"[1]
> that will be used to create blocks on your coin holding key's behalf.
> Hopefully you've spotted the problem.
> You can send your participation keys to any malicious party with a
> nice website (see random example [2]) offering you a good return.
> Damn it's still Proof-of-SquareSpace!
>

 I believe we are talking about a comparison to PoW, correct? If you
 want to mine PoW, you need to buy expensive hardware and configure it to
 work, and wait a long time to get any return by solo mining. Or you can
 join a mining 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-23 Thread Keagan McClelland via bitcoin-dev
> Premise: There is a healthy exchange market for PoS Coin X with tens of
> thousands of participants bidding to buy and sell the coin for other
> currencies on the market.

The difference here though is that Proof of Stake allows the quorum of coin
holders to block the exchange of said coins if they are going to a
particular destination. Nothing requires these staking nodes to include
particular transactions into a block. With that in mind, it isn't just that
you require the permission of the person who sold you the coins, which I
can agree is a less dangerous form of permission, but you must also require
the permission of at least 51% of the coin holders to even receive those
coins in the first place. This is not true in a Proof of Work system and
this difference absolutely should not be trivialized.

Keagan

On Wed, Jun 23, 2021 at 2:30 AM Billy Tetrud via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> >  Barrier to entry in PoS is being given permission by the previous owner
> of a token
>
> The idea that proof of stake is not permissionless is completely invalid.
> It pains me to see such an argument here. Perhaps we can come to an
> agreement by being more specific. I'd like to propose the following:
>
> Premise: There is a healthy exchange market for PoS Coin X with tens of
> thousands of participants bidding to buy and sell the coin for other
> currencies on the market.
>
> If the premise above is true, then there is no significant permission
> needed to enter the market for minting blocks for PoS Coin X. If you make a
> bid on someone's coins and they don't like you and refuse, you can move on
> to any one of the other tens of thousands of people in that marketplace.
> Would you agree, Cloud Strife, that this situation couldn't be considered
> "permissioned"?
>
> If not, consider that participation in *any* decentralized system requires
> the permission of at least one user in that system. If there are thousands
> of bitcoin public nodes, you require the permission of at least one of them
> to participate in bitcoin. No one considers bitcoin "permissioned" because
> of this. Do you agree?
>
> On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Barrier to entry in PoW is matter for hardware and energy is
>> permissionless and exists all over the universe, permissionless cost which
>> exists for everyone no matter who because it's unforgeable.
>>
>> Barrier to entry in PoS is being given permission by the previous owner
>> of a token for you to have it via transfer or sale, both choices they never
>> have to make since there are no continuous costs with producing blocks
>> forcing it. A permission is an infinitely high barrier to entry if the
>> previous owner, like the premining party, refuses to give up the token they
>> control.
>>
>> You're skipping the part where you depend on a permission of a central
>> party in control of the authority token before you can produce blocks on
>> your Raspberry Pi.
>>
>> Proof of stake is not in any possible way relevant to permissionless
>> protocols, and thus not possibly relevant to decentralized protocols where
>> control must be distributed to independent (i.e. permissionless) parties.
>>
>> There's nothing of relevance to discuss and this has been figured out
>> long long ago.
>>
>>
>> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>>
>>
>> https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
>>
>>
>>
>>
>> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>>
>>> @Lloyd wrote:
>>>
>>> Of course in reality no one wants to keep their coin holding keys online
 so in Algorand you can authorize a set of "participation keys"[1] that
 will be used to create blocks on your coin holding key's behalf.
 Hopefully you've spotted the problem.
 You can send your participation keys to any malicious party with a nice
 website (see random example [2]) offering you a good return.
 Damn it's still Proof-of-SquareSpace!

>>>
>>> I believe we are talking about a comparison to PoW, correct? If you want
>>> to mine PoW, you need to buy expensive hardware and configure it to work,
>>> and wait a long time to get any return by solo mining. Or you can join a
>>> mining pool, which might use your hashing power for nefarious purposes. Or
>>> you might skip the hardware altogether and fall for some "cloud mining"
>>> scheme with a pretty website and a high rate of advertised return. So as
>>> you can see, Proof-of-SquareSpace exists in PoW as well!
>>>
>>> The PoS equivalent of buying mining hardware is setting up your own
>>> validator and not outsourcing that to anyone else. So both PoW and PoS have
>>> the professional/expert way of participating, and the fraud-prone, amateur
>>> way of participating. The only difference is, with PoS the
>>> 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-23 Thread Billy Tetrud via bitcoin-dev
>  Barrier to entry in PoS is being given permission by the previous owner
> of a token

The idea that proof of stake is not permissionless is completely invalid.
It pains me to see such an argument here. Perhaps we can come to an
agreement by being more specific. I'd like to propose the following:

Premise: There is a healthy exchange market for PoS Coin X with tens of
thousands of participants bidding to buy and sell the coin for other
currencies on the market.

If the premise above is true, then there is no significant permission
needed to enter the market for minting blocks for PoS Coin X. If you make a
bid on someone's coins and they don't like you and refuse, you can move on
to any one of the other tens of thousands of people in that marketplace.
Would you agree, Cloud Strife, that this situation couldn't be considered
"permissioned"?

If not, consider that participation in *any* decentralized system requires
the permission of at least one user in that system. If there are thousands
of bitcoin public nodes, you require the permission of at least one of them
to participate in bitcoin. No one considers bitcoin "permissioned" because
of this. Do you agree?

On Thu, Jun 17, 2021 at 1:15 PM Cloud Strife via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Barrier to entry in PoW is matter for hardware and energy is
> permissionless and exists all over the universe, permissionless cost which
> exists for everyone no matter who because it's unforgeable.
>
> Barrier to entry in PoS is being given permission by the previous owner of
> a token for you to have it via transfer or sale, both choices they never
> have to make since there are no continuous costs with producing blocks
> forcing it. A permission is an infinitely high barrier to entry if the
> previous owner, like the premining party, refuses to give up the token they
> control.
>
> You're skipping the part where you depend on a permission of a central
> party in control of the authority token before you can produce blocks on
> your Raspberry Pi.
>
> Proof of stake is not in any possible way relevant to permissionless
> protocols, and thus not possibly relevant to decentralized protocols where
> control must be distributed to independent (i.e. permissionless) parties.
>
> There's nothing of relevance to discuss and this has been figured out long
> long ago.
>
> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>
>
> https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
>
>
>
>
> On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>>
>> @Lloyd wrote:
>>
>> Of course in reality no one wants to keep their coin holding keys online
>>> so in Algorand you can authorize a set of "participation keys"[1] that
>>> will be used to create blocks on your coin holding key's behalf.
>>> Hopefully you've spotted the problem.
>>> You can send your participation keys to any malicious party with a nice
>>> website (see random example [2]) offering you a good return.
>>> Damn it's still Proof-of-SquareSpace!
>>>
>>
>> I believe we are talking about a comparison to PoW, correct? If you want
>> to mine PoW, you need to buy expensive hardware and configure it to work,
>> and wait a long time to get any return by solo mining. Or you can join a
>> mining pool, which might use your hashing power for nefarious purposes. Or
>> you might skip the hardware altogether and fall for some "cloud mining"
>> scheme with a pretty website and a high rate of advertised return. So as
>> you can see, Proof-of-SquareSpace exists in PoW as well!
>>
>> The PoS equivalent of buying mining hardware is setting up your own
>> validator and not outsourcing that to anyone else. So both PoW and PoS have
>> the professional/expert way of participating, and the fraud-prone, amateur
>> way of participating. The only difference is, with PoS the
>> professional/expert way is accessible to anyone with a Raspberry Pi and a
>> web connection, which is a much lower barrier to entry than PoW.
>> ___
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-17 Thread Cloud Strife via bitcoin-dev
Barrier to entry in PoW is matter for hardware and energy is permissionless
and exists all over the universe, permissionless cost which exists for
everyone no matter who because it's unforgeable.

Barrier to entry in PoS is being given permission by the previous owner of
a token for you to have it via transfer or sale, both choices they never
have to make since there are no continuous costs with producing blocks
forcing it. A permission is an infinitely high barrier to entry if the
previous owner, like the premining party, refuses to give up the token they
control.

You're skipping the part where you depend on a permission of a central
party in control of the authority token before you can produce blocks on
your Raspberry Pi.

Proof of stake is not in any possible way relevant to permissionless
protocols, and thus not possibly relevant to decentralized protocols where
control must be distributed to independent (i.e. permissionless) parties.

There's nothing of relevance to discuss and this has been figured out long
long ago.

https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy

https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca




On Tue, Jun 15, 2021 at 7:13 AM James MacWhyte via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

>
> @Lloyd wrote:
>
> Of course in reality no one wants to keep their coin holding keys online
>> so in Algorand you can authorize a set of "participation keys"[1] that
>> will be used to create blocks on your coin holding key's behalf.
>> Hopefully you've spotted the problem.
>> You can send your participation keys to any malicious party with a nice
>> website (see random example [2]) offering you a good return.
>> Damn it's still Proof-of-SquareSpace!
>>
>
> I believe we are talking about a comparison to PoW, correct? If you want
> to mine PoW, you need to buy expensive hardware and configure it to work,
> and wait a long time to get any return by solo mining. Or you can join a
> mining pool, which might use your hashing power for nefarious purposes. Or
> you might skip the hardware altogether and fall for some "cloud mining"
> scheme with a pretty website and a high rate of advertised return. So as
> you can see, Proof-of-SquareSpace exists in PoW as well!
>
> The PoS equivalent of buying mining hardware is setting up your own
> validator and not outsourcing that to anyone else. So both PoW and PoS have
> the professional/expert way of participating, and the fraud-prone, amateur
> way of participating. The only difference is, with PoS the
> professional/expert way is accessible to anyone with a Raspberry Pi and a
> web connection, which is a much lower barrier to entry than PoW.


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-17 Thread Lloyd Fournier via bitcoin-dev
@James wrote:

On Tue, 15 Jun 2021 at 21:13, James MacWhyte wrote:

>
> @Lloyd wrote:
>
> Of course in reality no one wants to keep their coin holding keys online
>> so in Algorand you can authorize a set of "participation keys"[1] that
>> will be used to create blocks on your coin holding key's behalf.
>> Hopefully you've spotted the problem.
>> You can send your participation keys to any malicious party with a nice
>> website (see random example [2]) offering you a good return.
>> Damn it's still Proof-of-SquareSpace!
>>
>
> I believe we are talking about a comparison to PoW, correct? If you want
> to mine PoW, you need to buy expensive hardware and configure it to work,
> and wait a long time to get any return by solo mining. Or you can join a
> mining pool, which might use your hashing power for nefarious purposes.
>

A mining pool using your hashrate for nefarious purposes can easily be
observed since they send you the contents of the block you are mining
before your hardware starts working on it. This difference is crucial.
Mining pools exist just to reduce income variance.


> Or you might skip the hardware all together and fall for some "cloud
> mining" scheme with a pretty website and a high rate of advertised return.
> So as you can see, Proof-of-SquareSpace exists in PoW as well!
>

I'd agree that "cloud mining" pretty much is Proof-of-SquareSpace for PoW.
Fortunately these services make up a tiny fraction of hashrate.


> The PoS equivalent of buying mining hardware is setting up your own
> validator and not outsourcing that to anyone else. So both PoW and PoS have
> the professional/expert way of participating, and the fraud-prone, amateur
> way of participating. The only difference is, with PoS the
> professional/expert way is accessible to anyone with a raspberry Pi and a
> web connection, which is a much lower barrier to entry than PoW.
>

And yet despite this, the fraud-prone amateur way of participating accounts
for the majority of stake in PoS systems while the professional/expert way
of participating accounts for the overwhelming majority of hashpower in
Bitcoin. It looks like you have elegantly proved my point!

LL


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-15 Thread James MacWhyte via bitcoin-dev
@Lloyd wrote:

Of course in reality no one wants to keep their coin holding keys online so
> in Algorand you can authorize a set of "participation keys"[1] that will
> be used to create blocks on your coin holding key's behalf.
> Hopefully you've spotted the problem.
> You can send your participation keys to any malicious party with a nice
> website (see random example [2]) offering you a good return.
> Damn it's still Proof-of-SquareSpace!
>

I believe we are talking about a comparison to PoW, correct? If you want to
mine PoW, you need to buy expensive hardware and configure it to work, and
wait a long time to get any return by solo mining. Or you can join a mining
pool, which might use your hashing power for nefarious purposes. Or you
might skip the hardware altogether and fall for some "cloud mining"
scheme with a pretty website and a high rate of advertised return. So as
you can see, Proof-of-SquareSpace exists in PoW as well!

The PoS equivalent of buying mining hardware is setting up your own
validator and not outsourcing that to anyone else. So both PoW and PoS have
the professional/expert way of participating, and the fraud-prone, amateur
way of participating. The only difference is, with PoS the
professional/expert way is accessible to anyone with a Raspberry Pi and a
web connection, which is a much lower barrier to entry than PoW.


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-07 Thread Billy Tetrud via bitcoin-dev
@SatoshiSingh PoLW sounds like a hybrid of PoW and proof of burn. I agree
with befreeandopen that proof of burn is basically a form of proof of
stake. My conclusion from this exploration is that hybrid
protocols are a dead end because hybrid protocols have one weaker link
that's easier to attack.

In this case, miners are burning coinbase rewards. The proof of stake is
the burn itself. However, a miner would only burn coins if doing so led to
greater rewards in the future. So the burned coins are in fact actually
earned, and still have value. Therefore I would think that miners would
still do an amount of work totaling up to the full value of the block
reward, regardless of whether they burn it, because any burnt coins should
be expected to lead to more coins in the future than were burned. What am I
missing?

On Wed, Jun 2, 2021 at 10:30 PM SatoshiSingh wrote:

> Great conversation everyone. I'm happy we're still engaged with this
> discussion. To add food for thought I'm bringing back something that was
> introduced in this mailing list sometime ago, which is Proof of Less Work.
>
> PoLW may or may not be it but we can certainly get more ideas from it to
> keep the discussion going.
>
> https://raw.githubusercontent.com/alephium/research/master/polw.pdf
>
>
> Sent with ProtonMail Secure Email.
>
>


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-03 Thread SatoshiSingh via bitcoin-dev
Great conversation everyone. I'm happy we're still engaged with this 
discussion. To add food for thought I'm bringing back something that was 
introduced in this mailing list sometime ago, which is Proof of Less Work.

PoLW may or may not be it but we can certainly get more ideas from it to keep 
the discussion going.

https://raw.githubusercontent.com/alephium/research/master/polw.pdf


Sent with ProtonMail Secure Email.



Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-01 Thread Erik Aronesty via bitcoin-dev
>  the classical debate with PoS supporters - I explain an attack and they 
> "patch it", creating problem elsewhere

i agree.   my original post was:

"assume that we can accurately mimic the investment in ASIC's and the
expenditure of electricity with "burns" of coin representing that
investment"

only given that assumption can i state with confidence:

- proof of burn is better than proof of stake

and only because

- your stake is sitting on a node somewhere, able to be stolen

everything else is speculation about my original assumption.

overall a good PoB would have a

- large, up front buy-in event (buying the ASIC)
- delay function (timing)
- block-specific burn (electricity use... lost if burn is not selected)
- burns linked to specific buy-ins (can only burn the ASIC's i bought in)
- max-burn === max-buy-in (ASICs have capacity)
- max-burn decays over time (ASIC's become less valuable over time)

block-height === sum of block-specific burn

On Tue, Jun 1, 2021 at 3:26 PM befreeandopen wrote:
>
> Comments inline.
>
>
>
> > > Could you explain what am I missing here, because this actually does not 
> > > seem better, but rather worse than some PoS schemes?
> >
> > Given your example, if 1 BTC is needed to burn, that's a $50k
> > investment in an ASIC needed to mine a block. That's not anywhere
> > near current levels. It's not even approaching the current PoW. A
> > $50k investment to be a large amount of hash power is ... well,
> > somewhere more than 10 years ago.
>
> This is +- true with today's prices, that was not my point. We all know that 
> today's total block revenue is nowhere near 1 BTC. If it is say 7 BTC, then 
> we would expect that the miners spend roughly just about 7 BTC to produce the 
> block - in long term, on average. Right? Today, this 7 BTC is supposed to be 
> some average of investment into the mining rig, the building in which the rig 
> exists (or its rent) and then some electricity. So when I said 1 BTC I meant 
> that amount of BTC that is the sum of the block subsidy and fees at the time 
> of this imagined switch to PoB. Use 7 BTC if you want to talk today. And yes, 
> that seems very weak. But can you explain why it is not the case after 
> switching to PoB that the cost of producing the block should roughly converge 
> to the revenue? Because I do not see why miners would spend more than what 
> they can earn.
>
>
>
>
>
> > My original proof-of-burn concept was designed to mimic ASICs as much
> > as possible:
> >
> > 1.  large initial investment (burn to acquire power)
> > 2.  continued investment (burn to activate power in each block, lost if
> > block is not found)
> >
> > Ideally, the attacker would have to keep burning for each lottery
> > ticket, which can only be used once. Committing that burn to a
> > particular block for example.
> >
> > Any attack you propose for a "assumed well designed PoB" can also 
> > attack PoW.
> > Any attack you propose for a "assumed well designed PoB" can also 
> > attack PoS.
> >
> > But there are some things PoB can do that PoS can't... which is really
> > my original point.
>
> This is the problem that I wanted to avoid. You refer to some "my original 
> PoB", but I am strictly talking about the concept described in wiki because 
> nothing else was provided to me. If we do not have a reference description of 
> what you are talking about the debate will quickly turn into the classical 
> debate with PoS supporters - I explain an attack and they "patch it", 
> creating problem elsewhere. Then I explain an attack against that and they 
> patch it there. And this goes infinitely.
>
> So if there is some other version, better one than the one described in wiki, 
> please let me know. If there is not, there is nothing to talk about really. 
> You'd first need to define your model properly and describe very details of 
> how it should work and then we can analyze it. It does not make much sense to 
> me to analyze a ghost protocol that I always only see a tiny part of.
>
> For example here above in the quoted text you mention some continual loss (if 
> block is not found). If that is not the exponential decay as described in the 
> wiki, then I have no idea what it is. I do not say that I can't imagine for 
> myself what it could be, but it is up to you to define it, so we can be sure 
> we are talking about the same thing.
>
> Same with those early unblinding of burns - nothing about that in the wiki, 
> so that concept is alien to me and it can not be subject to a debate before 
> it is precisely described.
>
>
>
>
> >
> >
> > -   sunk costs/lost investment
> > -   "hashpower" is "offline", and cannot be seized.
> >
> > On Tue, Jun 1, 2021 at 4:21 AM befreeandopen
> > befreeando...@protonmail.com wrote:
> >
> >
> > > Erik, thanks for the link. So referring to 
> > > https://en.bitcoin.it/wiki/Proof_of_burn, I do not really understand how 
> > > this is supposed to be that much better over 
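The PoB rules Erik lists in his post (buy-in event, delay function, block-specific burn, burns linked to buy-ins, max-burn == max-buy-in, decaying max-burn, chain weight == sum of burns), as an added toy simulation that is not code from the thread or from any proof-of-burn implementation; DELAY_BLOCKS, DECAY_PER_BLOCK, the amounts, the names and the "largest committed burn wins" selection rule are all assumed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed parameters; the post gives no numbers.
DELAY_BLOCKS = 10        # delay function: a buy-in is unusable this many blocks
DECAY_PER_BLOCK = 0.99   # max-burn decays over time (the "ASIC" losing value)


@dataclass
class BuyIn:
    """Large up-front burn that grants burn capacity (the 'ASIC purchase')."""
    owner: str
    amount: float      # coins destroyed at purchase; also the max-burn cap
    height: int        # height at which the buy-in was burned
    used: float = 0.0  # capacity already consumed by block-specific burns

    def max_burn(self, at_height: int) -> float:
        """max-burn == max-buy-in, decayed since activation, minus spent capacity."""
        active_from = self.height + DELAY_BLOCKS
        if at_height < active_from:
            return 0.0
        cap = self.amount * DECAY_PER_BLOCK ** (at_height - active_from)
        return max(0.0, cap - self.used)


@dataclass
class Burn:
    """Block-specific burn: a lottery ticket committed to exactly one height."""
    owner: str
    buyin: BuyIn       # burns are linked to a specific buy-in
    amount: float
    height: int        # the only block this burn can count for


@dataclass
class Block:
    height: int
    producer: str
    burn: float


def valid_burn(b: Burn, at_height: int) -> bool:
    """Consensus check a node applies before counting a burn for a block."""
    return (
        b.amount > 0
        and b.height == at_height                    # block-specific
        and b.buyin.owner == b.owner                 # only your own buy-ins
        and b.amount <= b.buyin.max_burn(at_height)  # cap, delay and decay
    )


def produce_block(candidates: List[Burn], at_height: int) -> Optional[Block]:
    """Largest valid committed burn wins (assumed rule); every valid burn is
    consumed whether or not it won ('electricity use, lost if not selected')."""
    valid = [b for b in candidates if valid_burn(b, at_height)]
    if not valid:
        return None
    for b in valid:
        b.buyin.used += b.amount
    winner = max(valid, key=lambda b: b.amount)
    return Block(at_height, winner.owner, winner.amount)


def chain_weight(chain: List[Block]) -> float:
    """Chain weight == sum of block-specific burns, not the number of blocks."""
    return sum(blk.burn for blk in chain)


def heavier_chain(a: List[Block], b: List[Block]) -> List[Block]:
    """Fork choice: more cumulative burn wins, even if that chain is shorter."""
    return a if chain_weight(a) >= chain_weight(b) else b


def demo() -> dict:
    """Constructed scenario exercising each rule; returns what a node observes."""
    alice = BuyIn("alice", amount=100.0, height=0)
    bob = BuyIn("bob", amount=40.0, height=0)
    # Before the delay elapses no buy-in can burn anything.
    too_early = produce_block([Burn("alice", alice, 5.0, 5)], at_height=5)
    # Height 10: Alice commits 5, Bob commits 3. Alice wins; Bob's 3 is gone.
    b10 = produce_block([Burn("alice", alice, 5.0, 10),
                         Burn("bob", bob, 3.0, 10)], at_height=10)
    bob_used_h10 = bob.used
    # Height 11: a burn that points at someone else's buy-in is rejected.
    stolen = Burn("mallory", alice, 5.0, 11)
    b11 = produce_block([stolen, Burn("bob", bob, 2.0, 11)], at_height=11)
    # Height 30: decay has eroded Alice's cap below her original 100.
    overspend_ok = valid_burn(Burn("alice", alice, 100.0, 30), 30)
    # Fork choice: one 30-coin block outweighs two small blocks.
    chosen = heavier_chain([b10, b11], [Block(10, "bob", 30.0)])
    return {
        "too_early": too_early,
        "h10_producer": b10.producer,
        "bob_used_h10": bob_used_h10,
        "h11_producer": b11.producer,
        "alice_overspend_ok": overspend_ok,
        "alice_cap_at_30": alice.max_burn(30),
        "chosen_weight": chain_weight(chosen),
    }
```

Calling demo() walks through the rejected early burn, the lost losing burn, the rejected burn against another party's buy-in, the decayed cap and the burn-weighted fork choice.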

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-01 Thread befreeandopen via bitcoin-dev
Comments inline.



> > Could you explain what am I missing here, because this actually does not 
> > seem better, but rather worse than some PoS schemes?
>
> Given your example, if 1 BTC is needed to burn, that's a $50k
> investment in an ASIC needed to mine a block. That's not anywhere
> near current levels. It's not even approaching the current PoW. A
> $50k investment to be a large amount of hash power is ... well,
> somewhere more than 10 years ago.

This is +- true with today's prices, that was not my point. We all know that 
today's total block revenue is nowhere near 1 BTC. If it is say 7 BTC, then we 
would expect that the miners spend roughly just about 7 BTC to produce the 
block - in long term, on average. Right? Today, this 7 BTC is supposed to be 
some average of investment into the mining rig, the building in which the rig 
exists (or its rent) and then some electricity. So when I said 1 BTC I meant 
that amount of BTC that is the sum of the block subsidy and fees at the time of 
this imagined switch to PoB. Use 7 BTC if you want to talk today. And yes, that 
seems very weak. But can you explain why it is not the case after switching to 
PoB that the cost of producing the block should roughly converge to the 
revenue? Because I do not see why miners would spend more than what they can 
earn.





> My original proof-of-burn concept was designed to mimic ASICs as much
> as possible:
>
> 1.  large initial investment (burn to acquire power)
> 2.  continued investment (burn to activate power in each block, lost if
> block is not found)
>
> Ideally, the attacker would have to keep burning for each lottery
> ticket, which can only be used once. Committing that burn to a
> particular block for example.
>
> Any attack you propose for a "assumed well designed PoB" can also attack 
> PoW.
> Any attack you propose for a "assumed well designed PoB" can also attack 
> PoS.
>
> But there are some things PoB can do that PoS can't... which is really
> my original point.

This is the problem that I wanted to avoid. You refer to some "my original 
PoB", but I am strictly talking about the concept described in wiki because 
nothing else was provided to me. If we do not have a reference description of 
what you are talking about the debate will quickly turn into the classical 
debate with PoS supporters - I explain an attack and they "patch it", creating 
problem elsewhere. Then I explain an attack against that and they patch it 
there. And this goes infinitely.

So if there is some other version, better one than the one described in wiki, 
please let me know. If there is not, there is nothing to talk about really. 
You'd first need to define your model properly and describe very details of how 
it should work and then we can analyze it. It does not make much sense to me to 
analyze a ghost protocol that I always only see a tiny part of.

For example, here above in the quoted text you mention some continual loss (if 
the block is not found). If that is not the exponential decay as described in 
the wiki, then I have no idea what it is. I do not say that I can't imagine for 
myself what it could be, but it is up to you to define it, so we can be sure we 
are talking about the same thing.

Same with that early unblinding of burns - there is nothing about that in the 
wiki, so that concept is alien to me and it cannot be the subject of a debate 
before it is precisely described.




>
>
> -   sunk costs/lost investment
> -   "hashpower" is "offline", and cannot be seized.
>
> On Tue, Jun 1, 2021 at 4:21 AM befreeandopen
> befreeando...@protonmail.com wrote:
>
>
> > Erik, thanks for the link. So referring to 
> > https://en.bitcoin.it/wiki/Proof_of_burn, I do not really understand how 
> > this is supposed to be that much better than many proof of stake proposals. 
> > If there is more research on PoB, please note I'm not commenting on that as 
> > I only read this wiki article and my comments are purely related to this 
> > only.
> > I hope we can agree that the idea with manual insertion of entropy every 
> > week can be discarded, but at the same time I don't think it is a crucial 
> > point of the whole idea. So we can just focus on the rest of it.
> > Then the whole idea seems just like certain proof of stake implementations 
> > with just small differences, which I try to summarize:
> >
> > -   in PoB, in order to use the coin for block production, you burn it in 
> > the past and wait some time -- in the certain PoS I'm talking about, in 
> > order to use the coin, you do not move the coin for some time - so in both 
> > there is the same idea - you somehow make the coin eligible for the block 
> > creation process by first doing some action followed by some inaction for 
> > some time; the difference here is that if later you use such coin in PoS, 
> > then after waiting more time, you can use the coin again (for whatever 
> > purpose), while in PoB the coin is gone forever (it is 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-06-01 Thread befreeandopen via bitcoin-dev
Erik, thanks for the link. So referring to 
https://en.bitcoin.it/wiki/Proof_of_burn, I do not really understand how this 
is supposed to be that much better than many proof of stake proposals. If there 
is more research on PoB, please note I'm not commenting on that as I only read 
this wiki article and my comments are purely related to this only.

I hope we can agree that the idea with manual insertion of entropy every week 
can be discarded, but at the same time I don't think it is a crucial point of 
the whole idea. So we can just focus on the rest of it.

Then the whole idea seems just like certain proof of stake implementations with 
just small differences, which I try to summarize:

- in PoB, in order to use the coin for block production, you burn it in the 
past and wait some time -- in the certain PoS I'm talking about, in order to 
use the coin, you do not move the coin for some time - so in both there is the 
same idea - you somehow make the coin eligible for the block creation process 
by first doing some action followed by some inaction for some time; the 
difference here is that if later you use such a coin in PoS, then after waiting 
more time, you can use the coin again (for whatever purpose), while in PoB the 
coin is gone forever (it is burned); this does not seem to be fundamentally 
different

- in PoB, the author suggests there is an exponential decay of the power of the 
coin to create a block; in some PoS schemas, there historically was an era of 
the so-called CoinAge mechanism, which was somewhat the inverse of this 
exponential decay: the coin gets more power the older it is untouched, some 
implementations used a linear increase in the power, some exponential. 
Usually there was a certain limit - i.e. a maximum power the coin may have 
reached. It turned out quite quickly that such a property makes attacks 
easier. PoB reverses the idea, but I don't think that helps that much. In any 
case, there seems to be an optimal period of time for each used coin, in both 
PoS and PoB, where the coin is most suitable for block production. I admit the 
PoB version is better, but the crucial property here is that some coins are more 
powerful than others.

- in both PoB and PoS it seems there is a linear increase of the ability of the 
coin to produce blocks with the size of the coin (the more BTC you burn/stake, 
the better your chance)

This characteristic of PoB does not suggest that its properties would be that 
much different from those of PoS. So it should suffer from the same problems as 
PoS. Namely, the problems I see now, with the given proposal from the wiki, are:

- there seems to be a lack of a definition of the heaviest chain and of 
difficulty adjustment - this seems crucial, but likely solvable, I'm just saying 
it is importantly missing in the description

- there seems to be a problem with nothing at stake (nothing at burn maybe?) - 
How can that be? Again, it seems that every burned coin can be used for free 
checks at any time after the initial waiting period. These free checks are 
indeed free and are the core of the nothing at stake problem in PoS. You seem 
to make those checks for free and you seem to be able to use those burned coins 
to create an arbitrary number of forks built on any parent blocks of your 
choice, not just the last block of the heaviest chain. I can't see at the moment 
how this is different from the PoS nothing at stake problem. Maybe you can 
explain?

- it seems to me that there is a trivial attack against the scheme by a wealthy 
attacker. Suppose a common size of the burn is 1 BTC per block, suppose you 
define the heaviest chain rule somehow in relation to the total number of burned 
coins or the cumulative "strength" of the "lowest" hashes, then you can just 
burn 20 UTXOs, each being 10 BTC in value, so you spent 200 BTC on this attack, 
but you are in a very strong position because after you wait the needed time, 
you should be able to do a pretty nasty reorg. Suppose that the main chain is 
A-B-C-D-E-F, so what you do at that point is that you just "try for free" all 
your 20 UTXOs, whether or not they can build on top of block A (which has 5 
confs on top, F is the tip of the main chain). Since you have big UTXOs, your 
chances should be good, of course you can always try many times because you 
have a "lottery ticket" for every timestamp t. So with this you should be 
able, with good chance, to find such a B' and then you have 19 UTXOs remaining 
to try to build on B' in the same way. I can't see what prevents this attack in 
the described scheme.

- the ability to retroactively try all different kinds of timestamp t seems 
devastating - you again get a super easy and somewhat cheap attack (due to the 
nothing at burn problem) that allows you to rewrite even long chains at will.


Could you explain what I am missing here, because this actually does not seem 
better, but rather worse than some PoS schemes?




Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Friday, 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-29 Thread Billy Tetrud via bitcoin-dev
@befreeandopen   "If you want to make some arbitrary very narrow
definitions of what nothing at stake is so that you can claim your false
statement that it is a solved problem"

Wow, you are really unnecessarily hostile. This isn't r/bitcoin my friend.
Please assume some good faith. I simply pointed out my misunderstanding.
But it sounds like you're not willing to explain yourself clearly nor
actually have a reasoned discussion and prefer to insult me. So I think our
conversation is indeed over.

On Fri, May 28, 2021 at 10:06 AM Erik Aronesty  wrote:

> best writeup i know of is here:
>
> https://en.bitcoin.it/wiki/Proof_of_burn
>
> no formal proposals or proofs that i know of.
>
> On Fri, May 28, 2021 at 10:40 AM befreeandopen
>  wrote:
> >
> > Erik, I am sorry, I have little knowledge about proof-of-burn, I never
> found it interesting up until now. Some of your recent claims seem quite
> strong to me and I'd like to read more.
> >
> > Forgive me if this has been mentioned recently, but is there a full
> specification of the concept you are referring to? I don't mean just the
> basic idea description (that much is clear to me), I mean a fully detailed
> proposal or technical documentation that would give me precise
> information about what exactly it is that you are talking about.
> >
> >
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, May 26, 2021 11:07 PM, Erik Aronesty  wrote:
> >
> > > note: the "nothing at stake" problem you propose is not broken for
> > > proof-of-burn, because the attacker
> > >
> > > a) has no idea which past transactions are burns
> > > b) has no way to use his mining power, even 5%, to maliciously improve
> > > his odds of being selected
> > >
> > > On Wed, May 26, 2021 at 9:12 AM befreeandopen
> > > befreeando...@protonmail.com wrote:
> > >
> > > > @befreeandopen I guess I misunderstood your selfish minting attack.
> Let me make sure I understand it. You're saying it would go as follows?:
> > > >
> > > > 1.  The malicious actor comes across an opportunity to mint the next
> 3 blocks. But they hold off and don't release their blocks just yet.
> > > > 2.  They receive a new block minted by someone else.
> > > > 3.  The malicious actor then chooses to release their other 2 blocks
> on the second from the top block if it gives them more blocks in the
> future than minting on the top block. And instead lets the top block
> proceed if it gives them more blocks in the future (also figuring in the 3
> blocks they're missing out on minting).
> > > > 4.  Profit!
> > > >
> > > > The problem with this attack is that any self respecting PoS system
> wouldn't have the information available for minters to know how blocks will
> affect their future prospects of minting. Otherwise this would introduce
> the problem of stake grinding. This can be done using collaborative
> randomness (where numbers from many parties are combined to create a random
> number that no individual party could predict). In fact, that's what the
> Casper protocol does to decide quorums. In a non quorum case, you can do
> something like record a hash of a number in the block header, and then have
> a second step to release that number later. Rewards can be
> used to ensure minters act honestly here by minting messages that release
> these numbers and not releasing their secret numbers too early.
> > > > Yes, you misunderstood it. First, let me say that the above thoughts
> of yours are incorrect, at least for non-quorum case. Since the transition
> in the blockchain system from S1 to S2 is only by adding new block, and
> since stakers always need to be able to decide whether or not they can add
> the next block, it follows that if a staker creates a new block locally,
> she can decide whether the new state allows her to add another block on
> top. As you mentioned, this COULD introduce problem of staking, that you
> are incorrect in that it is a necessity. Usual prevention of the grinding
> problem in this case is that an "old enough" source of randomness applies
> for the current block production process. Of course this, as it is typical
> for PoS, introduces other problems, but let's discard those.
> > > > I will try to explain in detail what you misunderstood before. You
> start with a chain ending with blocks A-B-C, C being the top, the common
> feature of PoS system (non-quorum), roughly speaking, is that if N is the
> total amount of coins that participate in the staking process to create a
> new block on top of C (let's call that D), then a participant having K*N
> amount of stake has chance K to be the one who will create the next stake.
> In other words, the power of stakers is supposed to be linear in the system
> - you own 10 coins gives you 10x the chance of finding block over someone
> who has 1 coin.
> > > > What I was claiming is that using the technique I have described,
> this linearity is violated. Why? Well, it works for honest 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-28 Thread Erik Aronesty via bitcoin-dev
best writeup i know of is here:

https://en.bitcoin.it/wiki/Proof_of_burn

no formal proposals or proofs that i know of.

On Fri, May 28, 2021 at 10:40 AM befreeandopen
 wrote:
>
> Erik, I am sorry, I have little knowledge about proof-of-burn, I never found 
> it interesting up until now. Some of your recent claims seem quite strong to 
> me and I'd like to read more.
>
> Forgive me if this has been mentioned recently, but is there a full 
> specification of the concept you are referring to? I don't mean just the 
> basic idea description (that much is clear to me), I mean a fully detailed 
> proposal or technical documentation that would give me precise information 
> about what exactly it is that you are talking about.
>
>
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, May 26, 2021 11:07 PM, Erik Aronesty  wrote:
>
> > note: the "nothing at stake" problem you propose is not broken for
> > proof-of-burn, because the attacker
> >
> > a) has no idea which past transactions are burns
> > b) has no way to use his mining power, even 5%, to maliciously improve
> > his odds of being selected
> >
> > On Wed, May 26, 2021 at 9:12 AM befreeandopen
> > befreeando...@protonmail.com wrote:
> >
> > > @befreeandopen I guess I misunderstood your selfish minting attack. Let 
> > > me make sure I understand it. You're saying it would go as follows?:
> > >
> > > 1.  The malicious actor comes across an opportunity to mint the next 3 
> > > blocks. But they hold off and don't release their blocks just yet.
> > > 2.  They receive a new block minted by someone else.
> > > 3.  The malicious actor then chooses to release their other 2 blocks 
> > > on the second from the top block if it gives them more blocks in the 
> > > future than minting on the top block. And instead lets the top block 
> > > proceed if it gives them more blocks in the future (also figuring in the 
> > > 3 blocks they're missing out on minting).
> > > 4.  Profit!
> > >
> > > The problem with this attack is that any self respecting PoS system 
> > > wouldn't have the information available for minters to know how blocks 
> > > will affect their future prospects of minting. Otherwise this would 
> > > introduce the problem of stake grinding. This can be done using 
> > > collaborative randomness (where numbers from many parties are combined to 
> > > create a random number that no individual party could predict). In fact, 
> > > that's what the Casper protocol does to decide quorums. In a non quorum 
> > > case, you can do something like record a hash of a number in the block 
> > > header, and then have a second step to release that number later. Rewards 
> > > can be given can be used to ensure minters act honestly here by minting 
> > > messages that release these numbers and not releasing their secret 
> > > numbers too early.
> > > Yes, you misunderstood it. First, let me say that the above thoughts of 
> > > yours are incorrect, at least for non-quorum case. Since the transition 
> > > in the blockchain system from S1 to S2 is only by adding new block, and 
> > > since stakers always need to be able to decide whether or not they can 
> > > add the next block, it follows that if a staker creates a new block 
> > > locally, she can decide whether the new state allows her to add another 
> > > block on top. As you mentioned, this COULD introduce problem of staking, 
> > > that you are incorrect in that it is a necessity. Usual prevention of the 
> > > grinding problem in this case is that an "old enough" source of 
> > > randomness applies for the current block production process. Of course 
> > > this, as it is typical for PoS, introduces other problems, but let's 
> > > discard those.
> > > I will try to explain in detail what you misunderstood before. You start 
> > > with a chain ending with blocks A-B-C, C being the top, the common 
> > > feature of PoS system (non-quorum), roughly speaking, is that if N is the 
> > > total amount of coins that participate in the staking process to create a 
> > > new block on top of C (let's call that D), then a participant having K*N 
> > > amount of stake has chance K to be the one who will create the next 
> > > stake. In other words, the power of stakers is supposed to be linear in 
> > > the system - you own 10 coins gives you 10x the chance of finding block 
> > > over someone who has 1 coin.
> > > What I was claiming is that using the technique I have described, this 
> > > linearity is violated. Why? Well, it works for honest stakers among the 
> > > competition of honest stakers - they really do have the chance of K to 
> > > find the next block. However, the attacker, using nothing at stake, 
> > > checks her ability to build block D (at some timestamp). If she is 
> > > successful, she does not propagate D immediately, but instead she also 
> > > checks whether she can build on top of B and on top of A. Since with 
> > > every new timestamp, usually, there is 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-28 Thread befreeandopen via bitcoin-dev
Erik, I am sorry, I have little knowledge about proof-of-burn, I never found it 
interesting up until now. Some of your recent claims seem quite strong to me 
and I'd like to read more.

Forgive me if this has been mentioned recently, but is there a full 
specification of the concept you are referring to? I don't mean just the basic 
idea description (that much is clear to me), I mean a fully detailed proposal 
or technical documentation that would give me precise information about what 
exactly it is that you are talking about.



‐‐‐ Original Message ‐‐‐
On Wednesday, May 26, 2021 11:07 PM, Erik Aronesty  wrote:

> note: the "nothing at stake" problem you propose is not broken for
> proof-of-burn, because the attacker
>
> a) has no idea which past transactions are burns
> b) has no way to use his mining power, even 5%, to maliciously improve
> his odds of being selected
>
> On Wed, May 26, 2021 at 9:12 AM befreeandopen
> befreeando...@protonmail.com wrote:
>
> > @befreeandopen I guess I misunderstood your selfish minting attack. Let me 
> > make sure I understand it. You're saying it would go as follows?:
> >
> > 1.  The malicious actor comes across an opportunity to mint the next 3 
> > blocks. But they hold off and don't release their blocks just yet.
> > 2.  They receive a new block minted by someone else.
> > 3.  The malicious actor then chooses to release their other 2 blocks on 
> > the second from the top block if it gives them more blocks in the future 
> > than minting on the top block. And instead lets the top block proceed if it 
> > gives them more blocks in the future (also figuring in the 3 blocks they're 
> > missing out on minting).
> > 4.  Profit!
> >
> > The problem with this attack is that any self respecting PoS system 
> > wouldn't have the information available for minters to know how blocks will 
> > affect their future prospects of minting. Otherwise this would introduce 
> > the problem of stake grinding. This can be done using collaborative 
> > randomness (where numbers from many parties are combined to create a random 
> > number that no individual party could predict). In fact, that's what the 
> > Casper protocol does to decide quorums. In a non quorum case, you can do 
> > something like record a hash of a number in the block header, and then have 
> > a second step to release that number later. Rewards can be 
> > used to ensure minters act honestly here by minting messages that release 
> > these numbers and not releasing their secret numbers too early.
> > Yes, you misunderstood it. First, let me say that the above thoughts of 
> > yours are incorrect, at least for non-quorum case. Since the transition in 
> > the blockchain system from S1 to S2 is only by adding new block, and since 
> > stakers always need to be able to decide whether or not they can add the 
> > next block, it follows that if a staker creates a new block locally, she 
> > can decide whether the new state allows her to add another block on top. As 
> > you mentioned, this COULD introduce problem of staking, that you are 
> > incorrect in that it is a necessity. Usual prevention of the grinding 
> > problem in this case is that an "old enough" source of randomness applies 
> > for the current block production process. Of course this, as it is typical 
> > for PoS, introduces other problems, but let's discard those.
> > I will try to explain in detail what you misunderstood before. You start 
> > with a chain ending with blocks A-B-C, C being the top, the common feature 
> > of PoS system (non-quorum), roughly speaking, is that if N is the total 
> > amount of coins that participate in the staking process to create a new 
> > block on top of C (let's call that D), then a participant having K*N amount 
> > of stake has chance K to be the one who will create the next stake. In 
> > other words, the power of stakers is supposed to be linear in the system - 
> > you own 10 coins gives you 10x the chance of finding block over someone who 
> > has 1 coin.
> > What I was claiming is that using the technique I have described, this 
> > linearity is violated. Why? Well, it works for honest stakers among the 
> > competition of honest stakers - they really do have the chance of K to find 
> > the next block. However, the attacker, using nothing at stake, checks her 
> > ability to build block D (at some timestamp). If she is successful, she 
> > does not propagate D immediately, but instead she also checks whether she 
> > can build on top of B and on top of A. Since with every new timestamp, 
> > usually, there is a new chance to build the block, it is not uncommon that 
> > she finds she is indeed able to build such block C' on top of B. Here it is 
> > likely t(C') > t(C) as the attacker has relatively low stake. Note that in 
> > order to produce such C', she not only could have tried the current 
> > timestamp t(D), but also all previous timestamps 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-27 Thread Erik Aronesty via bitcoin-dev
Problems with proof-of-stake:

 - A single CVE can tear down the network and hacked nodes can result
in transferring all mining power to one group
 - PoS is vulnerable to DOS attacks (increasing latency reduces the
cost of mining attacks)
 - PoS is vulnerable to stakers colluding to punish/drive out others

This *cannot* happen in PoW (or PoB), because "pulling the plug" is
sufficient to stop a hacked mining rig.  (I should know, my first rig
was hacked, day 1, until I learned how to secure it properly!)

**The value of a base layer is tied tightly to its "risk of default",
thus PoW will always be superior, harder money.**

Bitcoin has very, very low risk of default:

- proof model ties to real-world energy
- core devs that are risk averse and will never hard fork to reverse
transactions
- extremely decentralized, priority given to decentralization and
security over every other feature in every PR
- fees kept high enough to financially secure the network - allowing
billions in value to move safely for dollars in fees

PoW is harder money than PoS, and Bitcoin is, foremost, hard money.

PoS has no sunk-investment, no replication and requires stake to be
online (and attackable), and I think has no business being considered
as an alternative to PoW for a base-layer system like Bitcoin.

These are problems that cannot be overlooked or swept under the rug.

If you cannot "pull the plug" on stake, then you cannot defend the
network from an attack.

On Thu, May 27, 2021 at 6:09 AM Billy Tetrud  wrote:
>
> >  using nothing at stake
>
> I see from the way you're using this term now that you mean something 
> completely different by it than I usually understand the phrase. You seem to 
> mean it as that minters can check whether they can mint a block without any 
> cost. By contrast, I generally understand the phrase to mean the problem 
> where there is no cost to broadcasting blocks on many different chains.
>
> > she gained an extra block over the honest strategy which would only give 
> > her block D
>
> I think I see what you're saying now. It actually sounds quite similar to the 
> selfish mining attack in proof of work. However I do acknowledge that the 
> ability to secretly mint on both your secret chain(s) and the public chain 
> makes it worse in PoS. How much worse is something that should be quantified. 
> This is also a solvable problem. Designing a secure system can be kind of 
> like whack a mole. You fix the weakest link in the chain, and there is 
> inevitably now a new weakest link that is stronger than the link you fixed. 
> Bitcoin is no different, as development continues, more security improvements 
> are implemented.
>
> In this case, there's a number of possible solutions, some of which can be 
> combined. E.g. you can program all honest clients to mint selfishly. You'd 
> likely need to lengthen the number of blocks that constitute a finalized 
> transaction, but you can probably reduce the block time to compensate, so 
> finalization doesn't actually take longer. You could also require many 
> additional signatures on each block from outside validators.
>
> > How is that relevant to our discussion?
>
> It is relevant because the benefits of proof of stake must be compared to an 
> alternative, and the alternative of reference here is clearly PoW. I'm 
> pointing out that the vulnerability you're describing in the type of PoS 
> you're talking about also exists in what it's being compared against. To know 
> whether PoS or PoW is better on this particular aspect, you need to compare 
> the levels of advantage that can be obtained in each, and how this affects 
> the cost of attacking the system. It's not as straightforward as saying "PoS 
> is bad because it has this vulnerability" when the system you compare it to 
> also has a very similar vulnerability. You need to quantify the difference at 
> that point.
>
> > the list of producers for next epoch is known up front and you confirmed 
> > that this is what you meant with "quorum" system
>
> Known by public key, not by IP address.
>
> > (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)
>
> I agree that claiming that Y is a solved problem would be misleading if the 
> solution creates problems that are of greater significance than the original 
> problem. I would also agree that if the solution creates significant problems 
> that are substantially less significant than the problem it solves, it would 
> be misleading to say it's a "solved problem" - saying "partially solved" would 
> be more accurate there.
>
> However, I do not agree that it is at all misleading to say "nothing at stake 
> is a solved problem" just because solving that specific problem doesn't solve 
> all the problems with proof of stake. It's unreasonable to expect that when 
> someone claims problem X is solved, that it also implies all problems related 
> to X are solved.
>
> I maintain that nothing at stake is a solved problem. There are solutions 
> that do not 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-27 Thread Billy Tetrud via bitcoin-dev
>  using nothing at stake

I see from the way you're using this term now that you mean something
completely different by it than I usually understand the phrase. You seem
to mean it as that minters can check whether they can mint a block without
any cost. By contrast, I generally understand the phrase to mean the
problem where there is no cost to broadcasting blocks on many different
chains.

> she gained an extra block over the honest strategy which would only give
her block D

I think I see what you're saying now. It actually sounds quite similar to
the selfish mining attack in proof of work. However I do acknowledge that
the ability to secretly mint on both your secret chain(s) and the public
chain makes it worse in PoS. How much worse is something that should be
quantified. This is also a solvable problem. Designing a secure system can
be kind of like whack a mole. You fix the weakest link in the chain, and
there is inevitably now a new weakest link that is stronger than the link
you fixed. Bitcoin is no different, as development continues, more security
improvements are implemented.

In this case, there's a number of possible solutions, some of which can be
combined. E.g. you can program all honest clients to mint selfishly. You'd
likely need to lengthen the number of blocks that constitute a finalized
transaction, but you can probably reduce the block time to compensate, so
finalization doesn't actually take longer. You could also require many
additional signatures on each block from outside validators.

> How is that relevant to our discussion?

It is relevant because the benefits of proof of stake must be compared to
an alternative, and the alternative of reference here is clearly PoW. I'm
pointing out that the vulnerability you're describing in the type of PoS
you're talking about also exists in what it's being compared against. To
know whether PoS or PoW is better on this particular aspect, you need to
compare the levels of advantage that can be obtained in each, and how this
affects the cost of attacking the system. It's not as straightforward as
saying "PoS is bad because it has this vulnerability" when the system you
compare it to also has a very similar vulnerability. You need to quantify
the difference at that point.

> the list of producers for next epoch is known up front and you confirmed
that this is what you meant with "quorum" system

Known by public key, not by IP address.

> (CREATE PROBLEM ELSEWHERE) OR (NOT SOLVE IT COMPLETELY)

I agree that claiming that Y is a solved problem would be misleading if the
solution creates problems that are of greater significance than the
original problem. I would also agree that if the solution creates
significant problems that are substantially less significant than the
problem it solves, it would be misleading to say it's a "solved problem" -
saying "partially solved" would be more accurate there.

However, I do not agree that it is at all misleading to say "nothing at
stake is a solved problem" just because solving that specific problem
doesn't solve all the problems with proof of stake. It's unreasonable to
expect that when someone claims problem X is solved, that it also implies
all problems related to X are solved.

I maintain that nothing at stake is a solved problem. There are solutions
that do not create other problems of anywhere near the same level of
significance.

> Since the optimal scenario with all existing coins participating is just
theoretical, the attacker's position will ever so improve. It seems we are
in agreement here, great

I don't believe we're in agreement there. I don't know how what you said
refutes my point.

> I'm afraid you've not realized the burden of proof is on your side if you
vouch for a design that is not believed and trusted to be secure.

You were the one that claimed proof of stake cannot be made secure. The
burden of proof is on you to support your own claims.

> You have not described a system that would solve it

I would be curious to hear a full critique from you about this protocol.

On Wed, May 26, 2021 at 3:12 AM befreeandopen 
wrote:

>
>
> @befreeandopen I guess I misunderstood your selfish minting attack. Let me
> make sure I understand it. You're saying it would go as follows?:
>
> 1. The malicious actor comes across an opportunity to mint the next 3
> blocks. But they hold off and don't release their blocks just yet.
> 2. They receive a new block minted by someone else.
> 3. The malicious actor then chooses to release their other 2 blocks on
> the second from the top block if it gives them more blocks in the future
> than minting on the top block. And instead lets the top block proceed if it
> gives them more blocks in the future (also figuring in the 3 blocks they're
> missing out on minting).
> 4. Profit!
>
> The problem with this attack is that any self respecting PoS system
> wouldn't have the information available for minters to know how 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-26 Thread Erik Aronesty via bitcoin-dev
note: the "nothing at stake" problem you propose is not broken for
proof-of-burn, because the attacker

a) has no idea which past transactions are burns
b) has no way to use his mining power, even 5%, to maliciously improve
his odds of being selected

On Wed, May 26, 2021 at 9:12 AM befreeandopen wrote:
>
>
>
> @befreeandopen I guess I misunderstood your selfish minting attack. Let me 
> make sure I understand it. You're saying it would go as follows?:
>
> 1. The malicious actor comes across an opportunity to mint the next 3 blocks. 
> But they hold off and don't release their blocks just yet.
> 2. They receive a new block minted by someone else.
> 3. The malicious actor then chooses to release their other 2 blocks on the 
> second from the top block if it gives them more blocks in the future than 
> minting on the top block. And instead lets the top block proceed if it gives 
> them more blocks in the future (also figuring in the 3 blocks they're missing 
> out on minting).
> 4. Profit!
>
> The problem with this attack is that any self respecting PoS system wouldn't 
> have the information available for minters to know how blocks will affect 
> their future prospects of minting. Otherwise this would introduce the problem 
> of stake grinding. This can be done using collaborative randomness (where 
> numbers from many parties are combined to create a random number that no 
> individual party could predict). In fact, that's what the Casper protocol 
> does to decide quorums. In a non quorum case, you can do something like 
> record a hash of a number in the block header, and then have a second step to 
> release that number later. Rewards can be used to ensure minters 
> act honestly here by minting messages that release these numbers and not 
> releasing their secret numbers too early.
>
>
> Yes, you misunderstood it. First, let me say that the above thoughts of yours 
> are incorrect, at least for the non-quorum case. Since the transition in the 
> blockchain system from S1 to S2 is only by adding new block, and since 
> stakers always need to be able to decide whether or not they can add the next 
> block, it follows that if a staker creates a new block locally, she can 
> decide whether the new state allows her to add another block on top. As you 
> mentioned, this COULD introduce problem of staking, that you are incorrect in 
> that it is a necessity. Usual prevention of the grinding problem in this case 
> is that an "old enough" source of randomness applies for the current block 
> production process. Of course this, as it is typical for PoS, introduces 
> other problems, but let's discard those.
>
> I will try to explain in detail what you misunderstood before. You start with 
> a chain ending with blocks A-B-C, C being the top, the common feature of PoS 
> system (non-quorum), roughly speaking, is that if N is the total amount of 
> coins that participate in the staking process to create a new block on top of 
> C (let's call that D), then a participant having K*N amount of stake has 
> chance K to be the one who will create the next stake. In other words, the 
> power of stakers is supposed to be linear in the system - you own 10 coins 
> gives you 10x the chance of finding block over someone who has 1 coin.
>
> What I was claiming is that using the technique I have described, this 
> linearity is violated. Why? Well, it works for honest stakers among the 
> competition of honest stakers - they really do have the chance of K to find 
> the next block. However, the attacker, using nothing at stake, checks her 
> ability to build block D (at some timestamp). If she is successful, she does 
> not propagate D immediately, but instead she also checks whether she can 
> build on top of B and on top of A. Since with every new timestamp, usually, 
> there is a new chance to build the block, it is not uncommon that she finds 
> she is indeed able to build such block C' on top of B. Here it is likely 
> t(C') > t(C) as the attacker has relatively low stake. Note that in order to 
> produce such C', she not only could have tried the current timestamp t(D), 
> but also all previous timestamps up to t(B) (usually that's the consensus 
> rule, but it may depend on a specific consensus). So her chance to produce 
> such C' is greater than her previous chance of producing C (which chance was 
> limited by other stakers in the system and the discovery of block C by one of 
> them). Now suppose that she found such C' and now she continues by trying to 
> prolong this chain by finding D'. And again here, it is quite likely that her 
> chance to find such D' is greater than was her chance of finding D because 
> again there are likely multiple timestamps she could try. This all was 
> possible just because nothing at stake allows you to just try if you can 
> produce a block in certain state of block chain or not. Now if she actually 
> was able to find D', she discards D and only publishes chain 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-26 Thread befreeandopen via bitcoin-dev
> @befreeandopen I guess I misunderstood your selfish minting attack. Let me 
> make sure I understand it. You're saying it would go as follows?:
>
> 1. The malicious actor comes across an opportunity to mint the next 3 blocks. 
> But they hold off and don't release their blocks just yet.
> 2. They receive a new block minted by someone else.
> 3. The malicious actor then chooses to release their other 2 blocks on the 
> second from the top block if it gives them more blocks in the future than 
> minting on the top block. And instead lets the top block proceed if it gives 
> them more blocks in the future (also figuring in the 3 blocks they're missing 
> out on minting).
> 4. Profit!
>
> The problem with this attack is that any self respecting PoS system wouldn't 
> have the information available for minters to know how blocks will affect 
> their future prospects of minting. Otherwise this would introduce the problem 
> of stake grinding. This can be done using collaborative randomness (where 
> numbers from many parties are combined to create a random number that no 
> individual party could predict). In fact, that's what the Casper protocol 
> does to decide quorums. In a non quorum case, you can do something like 
> record a hash of a number in the block header, and then have a second step to 
> release that number later. Rewards can be used to ensure minters 
> act honestly here by minting messages that release these numbers and not 
> releasing their secret numbers too early.

Yes, you misunderstood it. First, let me say that the above thoughts of yours 
are incorrect, at least for the non-quorum case. Since the transition in the 
blockchain system from S1 to S2 is only by adding new block, and since stakers 
always need to be able to decide whether or not they can add the next block, it 
follows that if a staker creates a new block locally, she can decide whether 
the new state allows her to add another block on top. As you mentioned, this 
COULD introduce problem of staking, that you are incorrect in that it is a 
necessity. Usual prevention of the grinding problem in this case is that an 
"old enough" source of randomness applies for the current block production 
process. Of course this, as it is typical for PoS, introduces other problems, 
but let's discard those.

I will try to explain in detail what you misunderstood before. You start with a 
chain ending with blocks A-B-C, C being the top, the common feature of PoS 
system (non-quorum), roughly speaking, is that if N is the total amount of 
coins that participate in the staking process to create a new block on top of C 
(let's call that D), then a participant having K*N amount of stake has chance K 
to be the one who will create the next stake. In other words, the power of 
stakers is supposed to be linear in the system - you own 10 coins gives you 10x 
the chance of finding block over someone who has 1 coin.

What I was claiming is that using the technique I have described, this 
linearity is violated. Why? Well, it works for honest stakers among the 
competition of honest stakers - they really do have the chance of K to find the 
next block. However, the attacker, using nothing at stake, checks her ability 
to build block D (at some timestamp). If she is successful, she does not 
propagate D immediately, but instead she also checks whether she can build on 
top of B and on top of A. Since with every new timestamp, usually, there is a 
new chance to build the block, it is not uncommon that she finds she is indeed 
able to build such block C' on top of B. Here it is likely t(C') > t(C) as the 
attacker has relatively low stake. Note that in order to produce such C', she 
not only could have tried the current timestamp t(D), but also all previous 
timestamps up to t(B) (usually that's the consensus rule, but it may depend on 
a specific consensus). So her chance to produce such C' is greater than her 
previous chance of producing C (which chance was limited by other stakers in 
the system and the discovery of block C by one of them). Now suppose that she 
found such C' and now she continues by trying to prolong this chain by finding 
D'. And again here, it is quite likely that her chance to find such D' is 
greater than was her chance of finding D because again there are likely 
multiple timestamps she could try. This all was possible just because nothing 
at stake allows you to just try if you can produce a block in certain state of 
block chain or not. Now if she actually was able to find D', she discards D and 
only publishes chain A-B-C'-D', which can not be punished despite the fact that 
she indeed produced two different forks. She can not be punished because this 
production was local and only the final result of A-B-C'-D' was published, in 
which case she gained an extra block over the honest strategy which would only 
give her block D.

> Fun fact tho: there is an attack called the "selfish mining attack" for proof 
> of 
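
The A-B-C / A-B-C'-D' case explained in this message (and argued again in befreeandopen's 2021-05-25 message further down), as an added example that is not part of the thread: a toy longest-chain model in which the punishment rule is implemented as an equivocation check over published blocks, showing what that check flags and what it cannot see. Minter names, timestamps and the fork-choice tie-break are constructed assumptions of this model.

```python
"""Punishment rule for PoS equivocation and the gap the A-B-C'-D' scenario
points at (added example, not code from the thread). Minters, timestamps and
the tiny chain are constructed; the fork-choice rule (longest chain, earlier
timestamp on ties) is an assumption of this model.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Block:
    height: int
    minter: str
    parent: str        # hash of the parent block, "" for the first block
    timestamp: int

    @property
    def hash(self) -> str:
        raw = f"{self.height}|{self.minter}|{self.parent}|{self.timestamp}"
        return hashlib.sha256(raw.encode()).hexdigest()[:16]


def chain_of(tip: Block, published: List[Block]) -> List[Block]:
    """Walk parent links back to the root; oldest block first."""
    by_hash: Dict[str, Block] = {b.hash: b for b in published}
    chain, cur = [], tip
    while cur is not None:
        chain.append(cur)
        cur = by_hash.get(cur.parent)
    return chain[::-1]


def heaviest_tip(published: List[Block]) -> Block:
    """Longest chain wins; on equal length the earlier timestamp wins."""
    return max(published,
               key=lambda b: (len(chain_of(b, published)), -b.timestamp))


def equivocations(published: List[Block]) -> Set[Tuple[str, int]]:
    """Evidence a punishment rule can act on: the same minter signed two
    different blocks at the same height *and both reached the network*.
    Blocks that were only ever produced locally never show up here."""
    seen: Dict[Tuple[str, int], Set[str]] = {}
    for b in published:
        seen.setdefault((b.minter, b.height), set()).add(b.hash)
    return {key for key, hashes in seen.items() if len(hashes) > 1}


def scenario(attacker_also_publishes_d: bool):
    """Honest chain A-B-C. The attacker is eligible for D on top of C but,
    instead of publishing it, finds C' on B (later timestamp than C) and D' on
    C' locally and publishes only C'-D'. Returns the minters along the
    selected chain and the (minter, height) pairs the punishment rule flags."""
    A = Block(1, "honest-1", "", 10)
    B = Block(2, "honest-2", A.hash, 12)
    C = Block(3, "honest-3", B.hash, 14)
    D = Block(4, "attacker", C.hash, 16)      # the honest move would publish D
    C2 = Block(3, "attacker", B.hash, 15)     # private fork, t(C') > t(C)
    D2 = Block(4, "attacker", C2.hash, 16)
    published = [A, B, C, C2, D2] + ([D] if attacker_also_publishes_d else [])
    tip = heaviest_tip(published)
    return [b.minter for b in chain_of(tip, published)], equivocations(published)


if __name__ == "__main__":
    print("only C'-D' published:", scenario(False))   # nothing to punish
    print("D published as well: ", scenario(True))    # equivocation at height 4
```

The withheld block D is the attacker's own, so the detector only sees her two blocks at height 4 if she is careless enough to broadcast both; the longer private chain alone is indistinguishable from honest minting.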

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-26 Thread Billy Tetrud via bitcoin-dev
@befreeandopen I guess I misunderstood your selfish minting attack. Let me
make sure I understand it. You're saying it would go as follows?:

1. The malicious actor comes across an opportunity to mint the next 3
blocks. But they hold off and don't release their blocks just yet.
2. They receive a new block minted by someone else.
3. The malicious actor then chooses to release their other 2 blocks on
the second from the top block if it gives them more blocks in the future
than minting on the top block. And instead lets the top block proceed if it
gives them more blocks in the future (also figuring in the 3 blocks they're
missing out on minting).
4. Profit!

The problem with this attack is that any self respecting PoS system
wouldn't have the information available for minters to know how blocks will
affect their future prospects of minting. Otherwise this would introduce
the problem of stake grinding. This can be done using collaborative
randomness (where numbers from many parties are combined to create a random
number that no individual party could predict). In fact, that's what the
Casper protocol does to decide quorums. In a non quorum case, you can do
something like record a hash of a number in the block header, and then have
a second step to release that number later. Rewards can be used to ensure
minters act honestly here by minting messages that release
these numbers and not releasing their secret numbers too early.

Fun fact tho: there is an attack called the "selfish mining attack" for
proof of work, and it reduces the security of PoW by at least 1/3rd.

>   the problem is not as hard as you think

I don't claim to know just how hard finding the IP address associated with
a bitcoin address is. However, the DOS risk can be solved more completely
by only allowing the owner of coins themselves to know whether they can
mint a block. Eg by determining whether someone can mint a block based on
their public key hidden behind hashes (as normal in addresses). Only when
someone does in fact mint a block do they reveal their hidden public key in
order to prove they are allowed to mint the block.

> I agree that introduction of punishment itself does not imply introducing
a problem elsewhere (which I did not claim if you reread my previous
message)

I'm glad we agree there. Perhaps I misunderstood what you meant by "you
should not omit to mention that by doing so, typically, you have introduced
another problem elsewhere."

> As long as the staker makes sure (which is not that hard) that she does
not miss a chance to create a block, her significance in the system will
always increase in time. It will increase relative to all normal users who
do not stake

Well, if you're in the closed system of the cryptocurrency, sure. But we
don't live in that closed system. Minters will earn some ROI from minting
just like any other financial activity. Others may find more success
spending their time doing things other than figuring out how to mint coins.
In that case, they'll be able to earn more coin that they could later
decide to use to mint blocks if they decide to.

> Just because of the above we must reject PoS as being critically insecure

I think the only thing we can conclude from this is that you have come up
with an insecure proof of stake protocol. I don't see how anything you've
brought up amounts to substantial evidence that all possible PoS protocols
are insecure.


On Tue, May 25, 2021 at 11:10 AM befreeandopen wrote:

>
> @befreeandopen " An attacker can calculate whether or not she can prolong
> this chain or not and if so with what timestamp."
>
> The scenario you describe would only be likely to happen at all if the
> malicious actor has a very large fraction of the stake - probably quite
> close to 50%. At that point, you're talking about a 51% attack, not the
> nothing at stake problem. The nothing at stake problem is the problem where
> anyone will mint on any chain. It's clear that if there's a substantial
> punishment for minting on chains other than the one that eventually wins,
> every minter without a significant fraction of the stake will be honest and
> not attempt to mint on old blocks or support someone else's attempt to mint
> on old blocks (until and if it becomes the heaviest chain). Because the
> attacker would need probably >45% of the active stake (take a look at the
> reasoning here for a deeper analysis of that statement), I don't agree that
> punishment is
> not a sufficient mitigation of the nothing at stake problem. To exploit the
> nothing at stake problem, you basically need to 51% attack, at which point
> you've exceeded the operating conditions of the system, so of course it's
> gonna have problems, just like a 51% attack would cause with PoW.
>
>
> This is not at 
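
The three mitigations described in this message (collaborative randomness by committing a hash in the block header and releasing the number in a second step, rewards tied to revealing, and eligibility tied to a public key hidden behind its hash until a block is minted), together with the "old enough" randomness rule from the reply above, as an added example that is not part of the thread or of any project. Epoch length, lag, total stake, key bytes and secrets are constructed assumptions.

```python
"""Toy non-quorum PoS pieces for the mitigations discussed in this message
(added example, not code from the thread or from any project).

  1. collaborative randomness by commit/reveal: each minter commits H(secret)
     in a block header and reveals the secret in a later step; the epoch seed
     is a hash over every revealed secret, so no single party can predict it;
  2. "old enough" randomness: slot eligibility is derived from the seed of an
     earlier epoch, so the block being built cannot be ground to change it;
  3. hidden identity: eligibility is tied to the hash of a public key (the
     address); the key itself appears only in the block that claims the slot.

Epoch length, lag, total stake, key bytes and secrets are constructed values.
"""
import hashlib
from typing import Dict, List

TOTAL_STAKE = 1000   # constructed: sum of all staked coins
EPOCH_LEN = 8        # constructed: slots per epoch
LAG = 2              # constructed: a slot uses the seed fixed two epochs earlier
ORDER = 1 << 256     # size of the SHA-256 output space


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


def commitment(secret: bytes) -> bytes:
    """Value a minter records in its block header (step one of commit/reveal)."""
    return H(b"commit", secret)


class EpochBeacon:
    """Collects commitments and reveals for one epoch and derives its seed."""

    def __init__(self) -> None:
        self.commits: Dict[str, bytes] = {}
        self.reveals: Dict[str, bytes] = {}

    def add_commit(self, minter: str, c: bytes) -> None:
        self.commits[minter] = c

    def add_reveal(self, minter: str, secret: bytes) -> bool:
        """Accept a reveal only if it opens that minter's earlier commitment."""
        if self.commits.get(minter) != commitment(secret):
            return False
        self.reveals[minter] = secret
        return True

    def seed(self) -> bytes:
        """Hash over all revealed secrets (sorted by minter so every node agrees).
        Until the last secret is revealed, nobody knows the final value."""
        return H(b"seed", *(self.reveals[m] for m in sorted(self.reveals)))

    def non_revealers(self) -> List[str]:
        """Committed but never revealed: the minters that forfeit their reward."""
        return sorted(set(self.commits) - set(self.reveals))


def address(pubkey: bytes) -> bytes:
    """What the stake table stores; the public key stays hidden behind it."""
    return H(b"addr", pubkey)


def eligible(seed: bytes, addr: bytes, slot: int, stake: int) -> bool:
    """Lottery over (old seed, address, slot); win chance is stake/TOTAL_STAKE.
    Integer comparison avoids floating-point rounding in a consensus rule."""
    x = int.from_bytes(H(b"slot", seed, addr, slot.to_bytes(8, "big")), "big")
    return x * TOTAL_STAKE < ORDER * stake


def seed_for_slot(slot: int, epoch_seeds: List[bytes]) -> bytes:
    """'Old enough' randomness: a slot in epoch e uses the seed of epoch e - LAG,
    which was fixed before any block of epoch e could be ground against it."""
    epoch = slot // EPOCH_LEN
    if epoch < LAG:
        raise ValueError("slot lies before the first usable seed")
    return epoch_seeds[epoch - LAG]


def verify_claim(slot: int, pubkey: bytes, epoch_seeds: List[bytes],
                 stakes: Dict[bytes, int]) -> bool:
    """Check a block that discloses pubkey for slot: the key must hash to a
    staked address and that address must win the slot under the old seed."""
    addr = address(pubkey)
    if addr not in stakes:
        return False
    return eligible(seed_for_slot(slot, epoch_seeds), addr, slot, stakes[addr])


if __name__ == "__main__":
    beacon = EpochBeacon()
    secrets = {"alice": b"s-alice", "bob": b"s-bob", "carol": b"s-carol"}
    for name, s in secrets.items():
        beacon.add_commit(name, commitment(s))
    beacon.add_reveal("alice", secrets["alice"])
    beacon.add_reveal("bob", secrets["bob"])      # carol never reveals
    print("seed:", beacon.seed().hex()[:16], "forfeit:", beacon.non_revealers())
```

Only the holder of the private key can evaluate `eligible` for its own address ahead of time; everyone else learns the public key, and therefore who minted, only when the block arrives.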

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-25 Thread befreeandopen via bitcoin-dev
> @befreeandopen " An attacker can calculate whether or not she can prolong 
> this chain or not and if so with what timestamp."
>
> The scenario you describe would only be likely to happen at all if the 
> malicious actor has a very large fraction of the stake - probably quite close 
> to 50%. At that point, you're talking about a 51% attack, not the nothing at 
> stake problem. The nothing at stake problem is the problem where anyone will 
> mint on any chain. It's clear that if there's a substantial punishment for 
> minting on chains other than the one that eventually wins, every minter 
> without a significant fraction of the stake will be honest and not attempt to 
> mint on old blocks or support someone else's attempt to mint on old blocks 
> (until and if it becomes the heaviest chain). Because the attacker would need 
> probably >45% of the active stake (take a look at the [reasoning 
> here](https://github.com/fresheneesz/ValidatedProofOfStake#security-the-minimum-cost-of-attack)
>  for a deeper analysis of that statement), I don't agree that punishment is 
> not a sufficient mitigation of the nothing at stake problem. To exploit the 
> nothing at stake problem, you basically need to 51% attack, at which point 
> you've exceeded the operating conditions of the system, so of course it's 
> gonna have problems, just like a 51% attack would cause with PoW.

This is not at all the case. The attacker benefits using the described 
technique at any size of the stake and significantly so with just 5% of the 
stake. By significantly, I do not mean that the attacker is able to completely 
take control the network (in short term), but rather that the attacker has 
significant advantage in the number of blocks she creates compared to what she 
"should be able to create". This means the attacker's stake increases 
significantly faster than of the honest nodes, which in long term is very 
serious in PoS system. If you believe close to 50% is needed for that, you need 
to redo your math. So no, you are wrong stating that "to exploit nothing at 
stake problem you basically need to 51% attack". It is rather the opposite - 
eventually, nothing at stake attack leads to ability to perform 51% attack.

>> I am not sure if this is what you call quorum-based PoS
>
> Yes, pre-selected minters is exactly what I mean by that.
>
>> it allows the attacker to know who to attack at which point with powerful 
>> DDOS in order to hurt liveness of such system
>
> Just like in bitcoin, associating keys with IP addresses isn't generally an 
> easy thing to do on the fly like that. If you know someone's IP address, you 
> can target them. But if you only know their address or public key, the 
> reverse isn't as easy. With a quorum-based PoS system, you can see their 
> public key and address, but finding out their IP to DOS would be a huge 
> challenge I think.

I do not dispute that the problem is not trivial, but the problem is not as 
hard as you think. The network graph analysis is a known technique and it is 
not trivial, but not very hard either. Introducing a large number of nodes to 
the system to achieve very good success rate of analysis of area of origin of 
blocks is doable and has been done in past. So again, I very much disagree with 
your conclusion that this is somehow secure. It is absolutely insecure.

> Note, tho, that quorum-based PoS generally also have punishments as part of 
> the protocol. The introduction of punishments do indeed handily solve the 
> nothing at stake problem. And you didn't mention a single problem that the 
> punishments introduce that weren't already there before punishments. There 
> are tradeoffs with introducing punishments (eg in some cases you might punish 
> honest actors), but they are minor in comparison to solving the nothing at 
> stake problem.

While I agree that introduction of punishment itself does not imply introducing 
a problem elsewhere (which I did not claim if you reread my previous message), 
it does introduce additional complexity which may introduce problem, but more 
importantly, while it slightly improves resistance against the nothing at stake 
attack, it solves absolutely nothing. Your claim is based on wrong claim of 
needed close to 50% stake, but that could not be farther from the truth. It is 
not true even in optimal conditions when all participants of the network stake 
or delegate their stake. These optimal conditions rarely, if ever, occur. And 
that's another thing that we have not mentioned in our debate, so please allow me 
to introduce another problem to PoS.

Consider what is needed for such optimal conditions to occur - all coins are 
always part of the stake, which means that they need to somehow automatically 
be part of the staking process even when they are moved. But in many PoS systems 
you usually require some age (in terms of confirmations) of the coin before you 
allow it to be used for participation in staking process and that is for a good 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-25 Thread Billy Tetrud via bitcoin-dev
@befreeandopen " An attacker can calculate whether or not she can prolong
this chain or not and if so with what timestamp."

The scenario you describe would only be likely to happen at all if the
malicious actor has a very large fraction of the stake - probably quite
close to 50%. At that point, you're talking about a 51% attack, not the
nothing at stake problem. The nothing at stake problem is the problem where
anyone will mint on any chain. It's clear that if there's a substantial
punishment for minting on chains other than the one that eventually wins,
every minter without a significant fraction of the stake will be honest and
not attempt to mint on old blocks or support someone else's attempt to mint
on old blocks (until and if it becomes the heaviest chain). Because the
attacker would need probably >45% of the active stake (take a look at the
reasoning here for a deeper analysis of that statement), I don't agree that
punishment is
not a sufficient mitigation of the nothing at stake problem. To exploit the
nothing at stake problem, you basically need to 51% attack, at which point
you've exceeded the operating conditions of the system, so of course it's
gonna have problems, just like a 51% attack would cause with PoW.

> I am not sure if this is what you call quorum-based PoS

Yes, pre-selected minters is exactly what I mean by that.

> it allows the attacker to know who to attack at which point with powerful
DDOS in order to hurt liveness of such system

Just like in bitcoin, associating keys with IP addresses isn't generally an
easy thing to do on the fly like that. If you know someone's IP address,
you can target them. But if you only know their address or public key, the
reverse isn't as easy. With a quorum-based PoS system, you can see their
public key and address, but finding out their IP to DOS would be a huge
challenge I think.

Note, tho, that quorum-based PoS generally also have punishments as part of
the protocol. The introduction of punishments do indeed handily solve the
nothing at stake problem. And you didn't mention a single problem that the
punishments introduce that weren't already there before punishments. There
are tradeoffs with introducing punishments (eg in some cases you might
punish honest actors), but they are minor in comparison to solving the
nothing at stake problem.

So I don't think it is at all misleading to claim that "nothing at stake"
is a solved problem. I do in fact mean that the solutions to that problem
don't introduce any other problems with anywhere near the same level of
significance.

On Tue, May 25, 2021 at 3:00 AM Erik Aronesty  wrote:

> > > you burn them to be used at a future particular block height
>
> > This sounds exploitable. It seems like an attacker could simply focus
> all their burns on a particular set of 6 blocks to double spend, minimizing
> their cost of attack.
>
> could be right.   the original idea was to have burns decay over time,
> like ASIC's.
>
> anyway the point was not that "i had a magic formula"
>
> the point was that proof of burn is almost always better than proof of
> stake - simply because the "proof" is on-chain, not sitting on a node
> somewhere waiting to be stolen.
>
> On Mon, May 24, 2021 at 9:53 PM Billy Tetrud wrote:
> >
> > Is this the kind of proof of burn you're talking about?
> >
> > >   if i have a choice between two chains, one longer and one shorter, i
> can only choose one... deterministically
> >
> > What prevents you from attempting to mine block 553 on both chains?
> >
> > > miners have a very strong, long-term, investment in the stability of
> the chain.
> >
> > Yes, but the same can be said of any coin, even ones that do have the
> nothing at stake problem. This isn't sufficient tho because the chain is a
> common good, and the tragedy of the commons holds for it.
> >
> > > you burn them to be used at a future particular block height
> >
> > This sounds exploitable. It seems like an attacker could simply focus
> all their burns on a particular set of 6 blocks to double spend, minimizing
> their cost of attack.
> >
> > > i can imagine scenarios where large stakeholders can collude to punish
> smaller stakeholders simply to drive them out of business, for example
> >
> > Are you talking about a 51% attack? This is possible in any
> decentralized cryptocurrency.
> >
> >
> > On Mon, May 24, 2021 at 11:49 AM Erik Aronesty  wrote:
> >>
> >> > > your burn investment is always "at stake", any redaction can result
> in a loss-of-burn, because burns can be tied, precisely, to block-heights
> >> > I'm fuzzy on how proof of burn works.
> >>
> >> when you burn coins, you burn them to be used at a future particular
> >> block height: so if i'm burning for block 553, i can only use them to
> >> mine block 553.   if i have a choice between two chains, one longer
> >> and one shorter, i can only choose one... deterministically, for 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-25 Thread Erik Aronesty via bitcoin-dev
> > you burn them to be used at a future particular block height

> This sounds exploitable. It seems like an attacker could simply focus all 
> their burns on a particular set of 6 blocks to double spend, minimizing their 
> cost of attack.

could be right.   the original idea was to have burns decay over time,
like ASIC's.

anyway the point was not that "i had a magic formula"

the point was that proof of burn is almost always better than proof of
stake - simply because the "proof" is on-chain, not sitting on a node
somewhere waiting to be stolen.

On Mon, May 24, 2021 at 9:53 PM Billy Tetrud  wrote:
>
> Is this the kind of proof of burn you're talking about?
>
> >   if i have a choice between two chains, one longer and one shorter, i can 
> > only choose one... deterministically
>
> What prevents you from attempting to mine block 553 on both chains?
>
> > miners have a very strong, long-term, investment in the stability of the 
> > chain.
>
> Yes, but the same can be said of any coin, even ones that do have the nothing 
> at stake problem. This isn't sufficient tho because the chain is a common 
> good, and the tragedy of the commons holds for it.
>
> > you burn them to be used at a future particular block height
>
> This sounds exploitable. It seems like an attacker could simply focus all 
> their burns on a particular set of 6 blocks to double spend, minimizing their 
> cost of attack.
>
> > i can imagine scenarios where large stakeholders can collude to punish 
> > smaller stakeholders simply to drive them out of business, for example
>
> Are you talking about a 51% attack? This is possible in any decentralized 
> cryptocurrency.
>
>
> On Mon, May 24, 2021 at 11:49 AM Erik Aronesty  wrote:
>>
>> > > your burn investment is always "at stake", any redaction can result in a 
>> > > loss-of-burn, because burns can be tied, precisely, to block-heights
>> > I'm fuzzy on how proof of burn works.
>>
>> when you burn coins, you burn them to be used at a future particular
>> block height: so if i'm burning for block 553, i can only use them to
>> mine block 553.   if i have a choice between two chains, one longer
>> and one shorter, i can only choose one... deterministically, for that
>> burn: the chain with the height 553.   if we fix the "lead time" for
>> burned coins to be weeks or even months in advance, miners have a very
>> strong, long-term, investment in the stability of the chain.
>>
>> therefore there is no "nothing at stake" problem.   it's
>> deterministic, so miners have no choice.  they can *only* choose the
>> transactions that go into the block.  they cannot choose which chain
>> to mine, and it's time-locked, so rollbacks and instability always
>> hurt miners the most.
>>
>> the "punishment" systems of PoS are "weird at best", certainly
>> unproven.   i can imagine scenarios where large stakeholders can
>> collude to punish smaller stakeholders simply to drive them out of
>> business, for example.   and then you have to put checks in place to
>> prevent that, and more checks for those prevention system...
>>
>> in PoB, there is no complexity.  simpler systems like this are
>> typically more secure.
>>
>> PoB also solves problems caused by "energy dependence", which could
>> lead to state monopolies on mining (like the new Bitcoin Mining
>> Council).   these consortiums, if state sanctioned, could become a
>> source of censorship, for example.   Since PoB doesn't require you to
>> have a live, well-connected node, it's harder to censor & harder to
>> trace.
>>
>> Eliminating this weakness seems to be in the best interests of
>> existing stakeholders
>>
>>
>>
>>
>> On Mon, May 24, 2021 at 4:44 PM Billy Tetrud  wrote:
>> >
>> > >  proof of burn clearly solves this, since nothing is held online
>> >
>> > Well.. the coins to be burned need to be online when they're burned. But 
>> > yes, only a small fraction of the total coins need to be online.
>> >
>> > > your burn investment is always "at stake", any redaction can result in a 
>> > > loss-of-burn, because burns can be tied, precisely, to block-heights
>> >
>> > So you're saying that if say someone tries to mine a block on a shorter 
>> > chain, that requires them to send a transaction burning their coins, and 
>> > that transaction could also be spent on the longest chain, which means 
>> > their coins are burned even if the chain they tried to mine on doesn't 
>> > win? I'm fuzzy on how proof of burn works.
>> >
>> > > proof of burn can be more secure than proof-of-stake
>> >
>> > FYI, proof of stake can be done without the "nothing at stake" problem. 
>> > You can simply punish people who mint on shorter chains (by rewarding 
>> > people who publish proofs of this happening on the main chain). In 
>> > quorum-based PoS, you can punish people in the quorum that propose or sign 
>> > multiple blocks for the same height. The "nothing at stake" problem is a 
>> > solved problem at this point for PoS.
>> >
>> >
>> >
>> > On Mon, May 24, 2021 at 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-25 Thread befreeandopen via bitcoin-dev
> FYI, proof of stake can be done without the "nothing at stake" problem. You 
> can simply punish people who mint on shorter chains (by rewarding people who 
> publish proofs of this happening on the main chain). In quorum-based PoS, you 
> can punish people in the quorum that propose or sign multiple blocks for the 
> same height. The "nothing at stake" problem is a solved problem at this point 
> for PoS.

This is a misleading statement. The nothing at stake problem is just about as solved for 
PoS as scaling. Of course you can always change the rules in a way that a 
certain specific attack is not doable, but you should not omit to mention that 
by doing so, typically, you have introduced another problem elsewhere, or you 
have not solved it completely.

In case of punishment, it is the latter case - it does not solve nothing at 
stake problem, it only reduces some instances of it, but the core problem 
persists. It does because the minter (the one who stakes) is not forced to 
publish his block and can stake selfishly. This matters because such an 
attacker can stake selfishly on any prior history of the chain. Imagine there 
is a new block coming from what is called main chain. An attacker can calculate 
whether or not she can prolong this chain or not and if so with what timestamp. 
Usually she can perform this calculation for not just one block ahead, but two, 
three ... So she knows the time schedule for the chain she can build on the 
top. But not only she can do that on the top of the main chain, but on the top 
of the second block from the top on the main chain. Should she find that 
building on shorter chain gives her more blocks in the nearest future, she will 
avoid prolonging the longest chain - and this is where she avoids the 
punishment - and instead she creates two or more blocks on a historic block and 
thus she successfully executes nothing at stake attack.

This shows that while the punishment requires the attack to be slightly 
modified, and this modification does slightly lower the expected profit of it, 
it is still a viable attack that is profitable and is not at all prevented by 
punishment logic. On the downside of punishment logic you have the complexity 
of implementation of such code, which is non-trivial. So it is an open question 
whether the punishment mechanism is even worth implementing at all. If it is, 
the benefit is small and does not mitigate nothing at stake attack.

Another way to "prevent" nothing at stake attack is to have "rounds" or 
"epochs" for which minters are pre-selected, usually in random order and so it 
is obvious who can mine at which time upfront and no one else can. I am not 
sure if this is what you call quorum-based PoS. Anyway, this setup mitigates 
nothing at stake, but - as per my claim above - it introduces a problem 
elsewhere. Here it allows the attacker to know who to attack at which point 
with powerful DDOS in order to hurt liveness of such system. In systems where 
anyone can come up with the next block, it is difficult to perform such DDOS 
because you need to perform it against everyone. In this setup, however, you 
have one target at the time. Moreover, when it is your turn to act, you can 
delay your block creation up to the end of the slot, creating a race condition 
in the consensus that is hard to solve. Again, this is not trivial to get right 
and is often vulnerable to attacks.

So while you can claim that the "naive nothing at stake attack" is solved 
today, in general, it is not solved and claiming it is very misleading. It is a 
natural problem to PoS that each system that exists today tries to tackle 
somehow and I am not aware of any system that would actually solve it without 
introducing a problem elsewhere (this could include DoS, centralization, 
and other kinds). It is all about choosing your tradeoffs but there is no 
solution to nothing at stake I am aware of that would be without critical 
tradeoffs.

‐‐‐ Original Message ‐‐‐
On Monday, May 24, 2021 9:43 PM, Billy Tetrud via bitcoin-dev 
 wrote:

>> proof of burn clearly solves this, since nothing is held online
>
> Well.. the coins to be burned need to be online when they're burned. But yes, 
> only a small fraction of the total coins need to be online.
>
>> your burn investment is always "at stake", any redaction can result in a 
>> loss-of-burn, because burns can be tied, precisely, to block-heights
>
> So you're saying that if say someone tries to mine a block on a shorter 
> chain, that requires them to send a transaction burning their coins, and that 
> transaction could also be spent on the longest chain, which means their coins 
> are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on 
> how proof of burn works.
>
>> proof of burn can be more secure than proof-of-stake
>
> FYI, proof of stake can be done without the "nothing at stake" problem. You 
> can simply punish people who mint on shorter chains (by rewarding people who 
> 
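
The two scenarios befreeandopen contrasts above (naive double-minting at one height, which the punishment rule catches, versus withholding and building a longer fork on a historic block, which it does not) as an added toy model; this is not code from the thread or from any PoS implementation, and the block names, minter names and the parent-walking chain model are constructed for illustration:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    """Constructed toy block: there are no real signatures here, the minter
    name stands in for the staking key that would have signed the block."""
    block_id: str
    height: int
    parent: str   # block_id of the parent, "genesis" for height 1
    minter: str


def find_equivocations(published):
    """Slashing-style check over every block that has been published:
    report each minter that signed two or more distinct blocks at the same
    height. This is the proof that the punishment scheme pays people to
    publish on the main chain."""
    seen = defaultdict(set)
    for b in published:
        seen[(b.minter, b.height)].add(b.block_id)
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) > 1}


def chain_to(block_id, index):
    """Walk parents back to genesis; returns block ids, tip first."""
    out = []
    while block_id != "genesis":
        out.append(block_id)
        block_id = index[block_id].parent
    return out


def longest_published_chain(published):
    """Pick the tip whose ancestry is longest (the 'longest chain' rule)."""
    index = {b.block_id: b for b in published}
    tips = [b.block_id for b in published
            if not any(o.parent == b.block_id for o in published)]
    best = max(tips, key=lambda t: len(chain_to(t, index)))
    return chain_to(best, index)


def naive_double_mint():
    """carol mints on both sides of a fork at height 3: the classic
    nothing-at-stake move, and the one the equivocation proof does catch."""
    main = [Block("A1", 1, "genesis", "alice"),
            Block("A2", 2, "A1", "bob"),
            Block("A3", 3, "A2", "carol")]
    fork = [Block("B3", 3, "A2", "carol")]   # same minter, same height
    return find_equivocations(main + fork)


def selfish_historic_fork():
    """carol never extends the tip A3. She withholds, builds two blocks on
    the second block from the top (A2) and publishes only once her fork is
    longer. No height carries two of her blocks, so the equivocation check
    returns nothing, and the 'minted on a shorter chain' rule cannot fire
    either: by the time anyone sees her blocks, her chain is the longest."""
    main = [Block("A1", 1, "genesis", "alice"),
            Block("A2", 2, "A1", "bob"),
            Block("A3", 3, "A2", "dave")]
    fork = [Block("C3", 3, "A2", "carol"),
            Block("C4", 4, "C3", "carol")]
    published = main + fork
    return find_equivocations(published), longest_published_chain(published)


if __name__ == "__main__":
    print("double mint slashed:", naive_double_mint())
    slashed, chain = selfish_historic_fork()
    print("selfish fork slashed:", slashed, "winning chain:", chain)
```

The second scenario is the "slightly modified" attack in the reply: the punishment logic only has published equivocations to work with, so a withheld fork that displaces A3 leaves nothing for it to punish.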

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-25 Thread Billy Tetrud via bitcoin-dev
Is this the kind of proof of
burn you're talking about?

> if i have a choice between two chains, one longer and one shorter, i
> can only choose one... deterministically

What prevents you from attempting to mine block 553 on both chains?

> miners have a very strong, long-term, investment in the stability of the
> chain.

Yes, but the same can be said of any coin, even ones that do have the
nothing at stake problem. This isn't sufficient tho because the chain is a
common good, and the tragedy of the commons holds for it.

> you burn them to be used at a future particular block height

This sounds exploitable. It seems like an attacker could simply focus all
their burns on a particular set of 6 blocks to double spend, minimizing
their cost of attack.

> i can imagine scenarios where large stakeholders can collude to punish
> smaller stakeholders simply to drive them out of business, for example

Are you talking about a 51% attack? This is possible in any decentralized
cryptocurrency.


On Mon, May 24, 2021 at 11:49 AM Erik Aronesty  wrote:

> > > your burn investment is always "at stake", any redaction can result in
> a loss-of-burn, because burns can be tied, precisely, to block-heights
> > I'm fuzzy on how proof of burn works.
>
> when you burn coins, you burn them to be used at a future particular
> block height: so if i'm burning for block 553, i can only use them to
> mine block 553.   if i have a choice between two chains, one longer
> and one shorter, i can only choose one... deterministically, for that
> burn: the chain with the height 553.   if we fix the "lead time" for
> burned coins to be weeks or even months in advance, miners have a very
> strong, long-term, investment in the stability of the chain.
>
> therefore there is no "nothing at stake" problem.   it's
> deterministic, so miners have no choice.  they can *only* choose the
> transactions that go into the block.  they cannot choose which chain
> to mine, and it's time-locked, so rollbacks and instability always
> hurt miners the most.
>
> the "punishment" systems of PoS are "weird at best", certainly
> unproven.   i can imagine scenarios where large stakeholders can
> collude to punish smaller stakeholders simply to drive them out of
> business, for example.   and then you have to put checks in place to
> prevent that, and more checks for those prevention system...
>
> in PoB, there is no complexity.  simpler systems like this are
> typically more secure.
>
> PoB also solves problems caused by "energy dependence", which could
> lead to state monopolies on mining (like the new Bitcoin Mining
> Council).   these consortiums, if state sanctioned, could become a
> source of censorship, for example.   Since PoB doesn't require you to
> have a live, well-connected node, it's harder to censor & harder to
> trace.
>
> Eliminating this weakness seems to be in the best interests of
> existing stakeholders
>
>
>
>
> On Mon, May 24, 2021 at 4:44 PM Billy Tetrud 
> wrote:
> >
> > >  proof of burn clearly solves this, since nothing is held online
> >
> > Well.. the coins to be burned need to be online when they're burned. But
> yes, only a small fraction of the total coins need to be online.
> >
> > > your burn investment is always "at stake", any redaction can result in
> a loss-of-burn, because burns can be tied, precisely, to block-heights
> >
> > So you're saying that if say someone tries to mine a block on a shorter
> chain, that requires them to send a transaction burning their coins, and
> that transaction could also be spent on the longest chain, which means
> their coins are burned even if the chain they tried to mine on doesn't win?
> I'm fuzzy on how proof of burn works.
> >
> > > proof of burn can be more secure than proof-of-stake
> >
> > FYI, proof of stake can be done without the "nothing at stake" problem.
> You can simply punish people who mint on shorter chains (by rewarding
> people who publish proofs of this happening on the main chain). In
> quorum-based PoS, you can punish people in the quorum that propose or sign
> multiple blocks for the same height. The "nothing at stake" problem is a
> solved problem at this point for PoS.
> >
> >
> >
> > On Mon, May 24, 2021 at 3:47 AM Erik Aronesty  wrote:
> >>
> >> > I don't see a way to get around the conflicting requirement that the
> keys for large amounts of coins should be kept offline but those are
> exactly the coins we need online to make the scheme secure.
> >>
> >> proof of burn clearly solves this, since nothing is held online
> >>
> >> >  how does proof of burn solve the "nothing at stake" problem in your
> view?
> >>
> >> definition of nothing at stake: in the event of a fork, whether the
> >> fork is accidental or a malicious, the optimal strategy for any miner
> >> is to mine on every chain, so that the miner gets their reward no
> >> matter which fork wins.   indeed in proof-of-stake, the proofs are
> >> published on the very chains 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-25 Thread Erik Aronesty via bitcoin-dev
> > your burn investment is always "at stake", any redaction can result in a 
> > loss-of-burn, because burns can be tied, precisely, to block-heights
> I'm fuzzy on how proof of burn works.

when you burn coins, you burn them to be used at a future particular
block height: so if i'm burning for block 553, i can only use them to
mine block 553.   if i have a choice between two chains, one longer
and one shorter, i can only choose one... deterministically, for that
burn: the chain with the height 553.   if we fix the "lead time" for
burned coins to be weeks or even months in advance, miners have a very
strong, long-term, investment in the stability of the chain.

therefore there is no "nothing at stake" problem.   it's
deterministic, so miners have no choice.  they can *only* choose the
transactions that go into the block.  they cannot choose which chain
to mine, and it's time-locked, so rollbacks and instability always
hurt miners the most.

the "punishment" systems of PoS are "weird at best", certainly
unproven.   i can imagine scenarios where large stakeholders can
collude to punish smaller stakeholders simply to drive them out of
business, for example.   and then you have to put checks in place to
prevent that, and more checks for those prevention system...

in PoB, there is no complexity.  simpler systems like this are
typically more secure.

PoB also solves problems caused by "energy dependence", which could
lead to state monopolies on mining (like the new Bitcoin Mining
Council).   these consortiums, if state sanctioned, could become a
source of censorship, for example.   Since PoB doesn't require you to
have a live, well-connected node, it's harder to censor & harder to
trace.

Eliminating this weakness seems to be in the best interests of
existing stakeholders




On Mon, May 24, 2021 at 4:44 PM Billy Tetrud  wrote:
>
> >  proof of burn clearly solves this, since nothing is held online
>
> Well.. the coins to be burned need to be online when they're burned. But yes, 
> only a small fraction of the total coins need to be online.
>
> > your burn investment is always "at stake", any redaction can result in a 
> > loss-of-burn, because burns can be tied, precisely, to block-heights
>
> So you're saying that if say someone tries to mine a block on a shorter 
> chain, that requires them to send a transaction burning their coins, and that 
> transaction could also be spent on the longest chain, which means their coins 
> are burned even if the chain they tried to mine on doesn't win? I'm fuzzy on 
> how proof of burn works.
>
> > proof of burn can be more secure than proof-of-stake
>
> FYI, proof of stake can be done without the "nothing at stake" problem. You 
> can simply punish people who mint on shorter chains (by rewarding people who 
> publish proofs of this happening on the main chain). In quorum-based PoS, you 
> can punish people in the quorum that propose or sign multiple blocks for the 
> same height. The "nothing at stake" problem is a solved problem at this point 
> for PoS.
>
>
>
> On Mon, May 24, 2021 at 3:47 AM Erik Aronesty  wrote:
>>
>> > I don't see a way to get around the conflicting requirement that the keys 
>> > for large amounts of coins should be kept offline but those are exactly 
>> > the coins we need online to make the scheme secure.
>>
>> proof of burn clearly solves this, since nothing is held online
>>
>> >  how does proof of burn solve the "nothing at stake" problem in your view?
>>
>> definition of nothing at stake: in the event of a fork, whether the
>> fork is accidental or a malicious, the optimal strategy for any miner
>> is to mine on every chain, so that the miner gets their reward no
>> matter which fork wins.   indeed in proof-of-stake, the proofs are
>> published on the very chains mined, so the incentive is magnified.
>>
>> in proof-of-burn, your burn investment is always "at stake", any
>> redaction can result in a loss-of-burn, because burns can be tied,
>> precisely, to block-heights
>>
>> as a result, miners no longer have an incentive to mine all chains
>>
>> in this way proof of burn can be more secure than proof-of-stake, and
>> even more secure than proof of work
>>
>>
>>
>>
>>
>>
>>
>> >
>>
>> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
>>  wrote:
>> >
>> > Hi Billy,
>> >
>> > I was going to write a post which started by dismissing many of the weak 
>> > arguments that are made against PoS made in this thread and elsewhere.
>> > Although I don't agree with all your points you have done a decent job 
>> > here so I'll focus on the second part: why I think Proof-of-Stake is 
>> > inappropriate for a Bitcoin-like system.
>> >
>> > Proof of stake is not fit for purpose for a global settlement layer in a 
>> > pure digital asset (i.e. "digital gold") which is what Bitcoin is trying 
>> > to be.
>> > PoS necessarily gives responsibilities to the holders of coins that they 
>> > do not want and cannot handle.
>> > In Bitcoin, large 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-24 Thread Billy Tetrud via bitcoin-dev
>  proof of burn clearly solves this, since nothing is held online

Well.. the coins to be burned need to be online when they're burned. But
yes, only a small fraction of the total coins need to be online.

> your burn investment is always "at stake", any redaction can result in a
> loss-of-burn, because burns can be tied, precisely, to block-heights

So you're saying that if say someone tries to mine a block on a shorter
chain, that requires them to send a transaction burning their coins, and
that transaction could also be spent on the longest chain, which means
their coins are burned even if the chain they tried to mine on doesn't win?
I'm fuzzy on how proof of burn works.

> proof of burn can be more secure than proof-of-stake

FYI, proof of stake can be done without the "nothing at stake" problem. You
can simply punish people who mint on shorter chains (by rewarding people
who publish proofs of this happening on the main chain). In quorum-based
PoS, you can punish people in the quorum that propose or sign multiple
blocks for the same height. The "nothing at stake" problem is a solved
problem at this point for PoS.



On Mon, May 24, 2021 at 3:47 AM Erik Aronesty  wrote:

> > I don't see a way to get around the conflicting requirement that the
> keys for large amounts of coins should be kept offline but those are
> exactly the coins we need online to make the scheme secure.
>
> proof of burn clearly solves this, since nothing is held online
>
> >  how does proof of burn solve the "nothing at stake" problem in your
> view?
>
> definition of nothing at stake: in the event of a fork, whether the
> fork is accidental or a malicious, the optimal strategy for any miner
> is to mine on every chain, so that the miner gets their reward no
> matter which fork wins.   indeed in proof-of-stake, the proofs are
> published on the very chains mined, so the incentive is magnified.
>
> in proof-of-burn, your burn investment is always "at stake", any
> redaction can result in a loss-of-burn, because burns can be tied,
> precisely, to block-heights
>
> as a result, miners no longer have an incentive to mine all chains
>
> in this way proof of burn can be more secure than proof-of-stake, and
> even more secure than proof of work
>
>
>
>
>
>
>
> >
>
> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
>  wrote:
> >
> > Hi Billy,
> >
> > I was going to write a post which started by dismissing many of the weak
> arguments that are made against PoS made in this thread and elsewhere.
> > Although I don't agree with all your points you have done a decent job
> here so I'll focus on the second part: why I think Proof-of-Stake is
> inappropriate for a Bitcoin-like system.
> >
> > Proof of stake is not fit for purpose for a global settlement layer in a
> pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to
> be.
> > PoS necessarily gives responsibilities to the holders of coins that they
> do not want and cannot handle.
> > In Bitcoin, large unsophisticated coin holders can put their coins in
> cold storage without a second thought given to the health of the underlying
> ledger.
> > As much as hardcore Bitcoiners try to convince them to run their own
> node, most don't, and that's perfectly acceptable.
> > At no point do their personal decisions affect the underlying consensus
> -- it only affects their personal security assurance (not that of the
> system itself).
> > In PoS systems this clean separation of responsibilities does not exist.
> >
> > I think that the more rigorously studied PoS protocols will work fine
> within the security claims made in their papers.
> > People who believe that these protocols are destined for catastrophic
> consensus failure are certainly in for a surprise.
> > But the devil is in the detail.
> > Let's look at what the implications of using the leading proof of stake
> protocols would have on Bitcoin:
> >
> > ### Proof of SquareSpace (Cardano, Polkadot)
> >
> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an
> inbuilt on-chain delegation system[5].
> > In these protocols, coin holders who do not want to run their node with
> their hot keys in it delegate it to a "Stake Pool".
> > I call the resulting system Proof-of-SquareSpace since most will choose
> a pool by looking around for one with a nice website and offering the
> largest share of the block reward.
> > On the surface this might sound no different than someone with a mining
> rig shopping around for a good mining pool but there are crucial
> differences:
> >
> > 1. The person making the decision is forced into it just because they
> own the currency -- someone with a mining rig has purchased it with the
> intent to make profit by participating in consensus.
> >
> > 2. When you join a mining pool your systems are very much still online.
> You are just partaking in a pool to reduce your profit variance. You still
> see every block that you help create and *you never help create a block

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-24 Thread Erik Aronesty via bitcoin-dev
> I don't see a way to get around the conflicting requirement that the keys for 
> large amounts of coins should be kept offline but those are exactly the coins 
> we need online to make the scheme secure.

proof of burn clearly solves this, since nothing is held online

>  how does proof of burn solve the "nothing at stake" problem in your view?

definition of nothing at stake: in the event of a fork, whether the
fork is accidental or a malicious, the optimal strategy for any miner
is to mine on every chain, so that the miner gets their reward no
matter which fork wins.   indeed in proof-of-stake, the proofs are
published on the very chains mined, so the incentive is magnified.

in proof-of-burn, your burn investment is always "at stake", any
redaction can result in a loss-of-burn, because burns can be tied,
precisely, to block-heights

as a result, miners no longer have an incentive to mine all chains

in this way proof of burn can be more secure than proof-of-stake, and
even more secure than proof of work







>

On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev
 wrote:
>
> Hi Billy,
>
> I was going to write a post which started by dismissing many of the weak 
> arguments that are made against PoS made in this thread and elsewhere.
> Although I don't agree with all your points you have done a decent job here 
> so I'll focus on the second part: why I think Proof-of-Stake is inappropriate 
> for a Bitcoin-like system.
>
> Proof of stake is not fit for purpose for a global settlement layer in a pure 
> digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
> PoS necessarily gives responsibilities to the holders of coins that they do 
> not want and cannot handle.
> In Bitcoin, large unsophisticated coin holders can put their coins in cold 
> storage without a second thought given to the health of the underlying ledger.
> As much as hardcore Bitcoiners try to convince them to run their own node, 
> most don't, and that's perfectly acceptable.
> At no point do their personal decisions affect the underlying consensus -- it 
> only affects their personal security assurance (not that of the system 
> itself).
> In PoS systems this clean separation of responsibilities does not exist.
>
> I think that the more rigorously studied PoS protocols will work fine within 
> the security claims made in their papers.
> People who believe that these protocols are destined for catastrophic 
> consensus failure are certainly in for a surprise.
> But the devil is in the detail.
> Let's look at what the implications of using the leading proof of stake 
> protocols would have on Bitcoin:
>
> ### Proof of SquareSpace (Cardano, Polkadot)
>
> Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an inbuilt 
> on-chain delegation system[5].
> In these protocols, coin holders who do not want to run their node with their 
> hot keys in it delegate it to a "Stake Pool".
> I call the resulting system Proof-of-SquareSpace since most will choose a 
> pool by looking around for one with a nice website and offering the largest 
> share of the block reward.
> On the surface this might sound no different than someone with a mining rig 
> shopping around for a good mining pool but there are crucial differences:
>
> 1. The person making the decision is forced into it just because they own the 
> currency -- someone with a mining rig has purchased it with the intent to 
> make profit by participating in consensus.
>
> 2. When you join a mining pool your systems are very much still online. You 
> are just partaking in a pool to reduce your profit variance. You still see 
> every block that you help create and *you never help create a block without 
> seeing it first*.
>
> 3. If by SquareSpace sybil attack you gain a dishonest majority and start 
> censoring transactions how are the users meant to redelegate their stake to 
> honest pools?
> I guess they can just send a transaction delegating to another pool...oh wait 
> I guess that might be censored too! This seems really really bad.
> In Bitcoin, miners can just join a different pool at a whim. There is nothing 
> the attacker can do to stop them. A temporary dishonest majority heals 
> relatively well.
>
> There is another severe disadvantage to this on-chain delegation system: 
> every UTXO must indicate which staking account this UTXO belongs to so the 
> appropriate share of block rewards can be transferred there.
> Being able to associate every UTXO to an account ruins one of the main 
> privacy advantages of the UTXO model.
> It also grows the size of the blockchain significantly.
>
> ### "Pure" proof of stake (Algorand)
>
> Algorand's[4] approach is to only allow online stake to participate in the 
> protocol.
> Theoretically, this means that keys holding funds have to be online in order 
> for them to author blocks when they are chosen.
> Of course in reality no one wants to keep their coin holding keys online so 
> in Algorand you 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-23 Thread Billy Tetrud via bitcoin-dev
I made a couple typos and mistakes in my couple previous emails:

* "People repeat this often, but the facts support this" -> "the facts *don't*
support this"
* "Together, both of these things reduce PoW's security by a factor of
about 83% (1 - 50%*33%)." -> "factor of about 83% (1 - 50%*(50% - 33%)/50%)."
(I made a mistake that happened to come out to an almost identical result
coincidentally).
* "And pools could simply require full custody of the coins." -> "*But* pools
could..."

On Sun, May 23, 2021 at 9:10 AM Billy Tetrud  wrote:

> @Lloyd
>
> >  Proof-of-SquareSpace
>
> I agree with your points about delegated proof of stake. I wrote my own
> critique about that
> 
>  as
> well. And your point, that other forms of PoS devolve to DPoS by virtue of
> people wanting to actively mint blocks without exposing their coins in hot
> wallets, is an interesting one.
>
> > how are the users meant to redelegate their stake to honest pools?
>
> This could be mitigated partially if delegation didn't require any kind of
> blockchain transaction. For example, users could simply send a signed
> message saying "this other key can mint blocks with my coins", and then
> minting a block using those coins would require presenting the delegation
> signature. This only partially mitigates the problem since the dishonest
> pool would still be able to use those coins as well, so it would be a race
> at that point. Still better than nothing. And pools could simply require
> full custody of the coins.
>
> From what you mentioned, it sounds like maybe Algorand does something
> similar to this.
>
> > I don't see a way to get around the conflicting requirement that the
> keys for large amounts of coins should be kept offline but those are
> exactly the coins we need online to make the scheme secure.
>
> There are a couple solutions you didn't mention. One is your "traditional"
> locked-stake kind of systems, where participants are required to lock their
> stake for long periods of time. Since normal users aren't likely to want to
> do this, it will likely be left to more sophisticated stakers likely
> staking very large amounts.
>
> Both mechanisms you mentioned allow delegation, and it might seem like
> maybe there'd be a way to disallow delegation, however since users can
> always give custody of their coins to trusted pools, that would be a
> delegation mechanism of last resort that can't be removed. So you can do
> things that make it hard (for both users and pool operators) to delegate
> trustlessly, but you can't get rid of the ability to delegate entirely.
>
> In general, the situations where I see people not pooling are:
>
> A. They are entirely prevented by technical means. It seems reasonably
> clear that this is impossible.
> B. The downsides are more than unsophisticated users are willing to incur
> (eg stake locking).
> C. The rewards are so small that it isn't worth it for people to put in
> much effort to gain them.
> D. The rewards are so frequent that pooling is unnecessary.
>
> B excludes a lot of people from being able to help secure the chain, but
> this is not materially different from PoW mining in that regard. D is a bit
> border line. With 1 billion people attempting to participate and 10 minute
> blocks, 232 people would need to share the block reward in order to expect
> a payout on average once per month. With 8 billion people that would turn
> into more like 1700 people. This seems potentially doable (eg via cosigner
> requirements on minted blocks), but it is a lot of participants per block.
>
> I think options C and D combined would be an ideal approach here. Because
> minting uses very few real resources, minting could be pretty much have
> arbitrarily low ongoing costs. This means fees can be low and blocks can
> have low payouts. If the reward was low and people could expect to see it
> once every couple years, people could simply treat it like a lottery. Great
> if they win it now, but nothing that anyone needs to rely on (which would
> incentivize the pools to reduce variance that we want to avoid). If there
> is no locked stake or other major barriers in place to minting blocks, that
> would also help avoid the compulsion to use a pool.
>
> In any case, you bring up good points, and they certainly complicate the
> issue. By the way, if you were confused as to what VPoS was in the section
> from my above link, this might satisfy your curiosity
> .
>
> Cheers
>
>
>
>
> On Sat, May 22, 2021 at 5:41 PM Lloyd Fournier 
> wrote:
>
>> Hi Billy,
>>
>> I was going to write a post which started by dismissing many of the weak
>> arguments that are made against PoS made in this thread and elsewhere.
>> Although I don't agree with all your points you have done a decent job
>> here so I'll focus on the second part: why I think Proof-of-Stake 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-23 Thread Billy Tetrud via bitcoin-dev
@Lloyd

>  Proof-of-SquareSpace

I agree with your points about delegated proof of stake. I wrote my own
critique about that

as
well. And your point, that other forms of PoS devolve to DPoS by virtue of
people wanting to actively mint blocks without exposing their coins in hot
wallets, is an interesting one.

> how are the users meant to redelegate their stake to honest pools?

This could be mitigated partially if delegation didn't require any kind of
blockchain transaction. For example, users could simply send a signed
message saying "this other key can mint blocks with my coins", and then
minting a block using those coins would require presenting the delegation
signature. This only partially mitigates the problem since the dishonest
pool would still be able to use those coins as well, so it would be a race
at that point. Still better than nothing. And pools could simply require
full custody of the coins.

From what you mentioned, it sounds like maybe Algorand does something
similar to this.

> I don't see a way to get around the conflicting requirement that the keys
> for large amounts of coins should be kept offline but those are exactly the
> coins we need online to make the scheme secure.

There are a couple solutions you didn't mention. One is your "traditional"
locked-stake kind of systems, where participants are required to lock their
stake for long periods of time. Since normal users aren't likely to want to
do this, it will likely be left to more sophisticated stakers likely
staking very large amounts.

Both mechanisms you mentioned allow delegation, and it might seem like
maybe there'd be a way to disallow delegation, however since users can
always give custody of their coins to trusted pools, that would be a
delegation mechanism of last resort that can't be removed. So you can do
things that make it hard (for both users and pool operators) to delegate
trustlessly, but you can't get rid of the ability to delegate entirely.

In general, the situations where I see people not pooling are:

A. They are entirely prevented by technical means. It seems reasonably
clear that this is impossible.
B. The downsides are more than unsophisticated users are willing to incur
(eg stake locking).
C. The rewards are so small that it isn't worth it for people to put in
much effort to gain them.
D. The rewards are so frequent that pooling is unnecessary.

B excludes a lot of people from being able to help secure the chain, but
this is not materially different from PoW mining in that regard. D is a bit
border line. With 1 billion people attempting to participate and 10 minute
blocks, 232 people would need to share the block reward in order to expect
a payout on average once per month. With 8 billion people that would turn
into more like 1700 people. This seems potentially doable (eg via cosigner
requirements on minted blocks), but it is a lot of participants per block.

I think options C and D combined would be an ideal approach here. Because
minting uses very few real resources, minting could pretty much have
arbitrarily low ongoing costs. This means fees can be low and blocks can
have low payouts. If the reward was low and people could expect to see it
once every couple years, people could simply treat it like a lottery. Great
if they win it now, but nothing that anyone needs to rely on (which would
incentivize the pools to reduce variance that we want to avoid). If there
is no locked stake or other major barriers in place to minting blocks, that
would also help avoid the compulsion to use a pool.

In any case, you bring up good points, and they certainly complicate the
issue. By the way, if you were confused as to what VPoS was in the section
from my above link, this might satisfy your curiosity.

Cheers




On Sat, May 22, 2021 at 5:41 PM Lloyd Fournier 
wrote:

> Hi Billy,
>
> I was going to write a post which started by dismissing many of the weak
> arguments that are made against PoS made in this thread and elsewhere.
> Although I don't agree with all your points you have done a decent job
> here so I'll focus on the second part: why I think Proof-of-Stake is
> inappropriate for a Bitcoin-like system.
>
> Proof of stake is not fit for purpose for a global settlement layer in a
> pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to
> be.
> PoS necessarily gives responsibilities to the holders of coins that they
> do not want and cannot handle.
> In Bitcoin, large unsophisticated coin holders can put their coins in cold
> storage without a second thought given to the health of the underlying
> ledger.
> As much as hardcore Bitcoiners try to convince them to run their own node,
> most don't, and that's perfectly acceptable.
> At no point do their personal decisions affect the underlying consensus --
> it only affects their 
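As an added illustration of the payout-frequency and variance arithmetic behind options C and D above (this is the editor's example, not code from the thread or from any PoS project), the following script generalizes the "people per block" calculation and shows in numbers why pools exist at all: a pool leaves a small minter's expected income unchanged and only shrinks its variance. The proportional-selection and equal-split model, the block counts and the stake fractions are constructed assumptions.

```python
"""Payout frequency and income variance for a proof-of-stake minter.

Added example, not from the thread. Model assumptions (all constructed):
  - each block is won by exactly `signers` stakeholders, drawn with
    probability proportional to stake, who split the block reward equally;
  - a minter's stake fraction is constant over the period considered;
  - each 10-minute block slot is one independent Bernoulli trial.
"""
import math

BLOCK_INTERVAL_MIN = 10
BLOCKS_PER_DAY = 24 * 60 // BLOCK_INTERVAL_MIN    # 144
BLOCKS_PER_MONTH = 30 * BLOCKS_PER_DAY             # 4320
BLOCKS_PER_YEAR = 365 * BLOCKS_PER_DAY             # 52560


def signers_per_block(participants, payout_interval_blocks=BLOCKS_PER_MONTH):
    """Equal stakeholders that must co-sign (and share) each block so that
    every one of them is paid, on average, once per `payout_interval_blocks`."""
    return math.ceil(participants / payout_interval_blocks)


def win_probability(stake_fraction, signers=1):
    """Per-block probability that a minter holding `stake_fraction` of the
    stake is among the block's `signers` (capped at 1 for tiny populations)."""
    return min(1.0, stake_fraction * signers)


def expected_blocks_to_first_payout(stake_fraction, signers=1):
    """Mean of the geometric waiting time until the first reward."""
    return 1.0 / win_probability(stake_fraction, signers)


def prob_no_payout(stake_fraction, blocks, signers=1):
    """Probability of earning nothing at all during `blocks` blocks."""
    return (1.0 - win_probability(stake_fraction, signers)) ** blocks


def income_cv(stake_fraction, blocks, pool_size=1, signers=1):
    """Coefficient of variation (std / mean) of a minter's income over
    `blocks` blocks, solo or as one of `pool_size` equal pool members.

    Solo income is Binomial(blocks, p) * R. A pool of n equal members wins
    with probability n*p and splits R n ways, so a member's mean income is
    unchanged while the variance shrinks by roughly a factor n. This is the
    variance-reduction incentive that drives pooling; R cancels out.
    """
    p_pool = min(1.0, win_probability(stake_fraction, signers) * pool_size)
    mean = blocks * p_pool / pool_size
    variance = blocks * p_pool * (1.0 - p_pool) / pool_size ** 2
    return math.sqrt(variance) / mean


if __name__ == "__main__":
    s = 1e-6  # constructed: a one-in-a-million stakeholder
    print("co-signers per block, 1M equal participants, monthly payout:",
          signers_per_block(1_000_000))
    print("expected blocks until first solo reward:",
          expected_blocks_to_first_payout(s))
    print("P(no solo reward in a year): %.3f" % prob_no_payout(s, BLOCKS_PER_YEAR))
    print("monthly income CV, solo vs 1000-member pool: %.1f vs %.2f" % (
        income_cv(s, BLOCKS_PER_MONTH),
        income_cv(s, BLOCKS_PER_MONTH, pool_size=1000)))
```

The `income_cv` ratio is the quantity a pool sells: for a one-in-a-million minter the monthly coefficient of variation drops by roughly the square root of the pool size, while the mean stays where it was. A design that wants to make pooling unnecessary has to make either the reward frequency (via `signers`) or the tolerance for variance (a "lottery" reward nobody budgets on) do that work instead.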

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-23 Thread Lloyd Fournier via bitcoin-dev
Hi Billy,

I was going to write a post which started by dismissing many of the weak
arguments that are made against PoS made in this thread and elsewhere.
Although I don't agree with all your points you have done a decent job here
so I'll focus on the second part: why I think Proof-of-Stake is
inappropriate for a Bitcoin-like system.

Proof of stake is not fit for purpose for a global settlement layer in a
pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to
be.
PoS necessarily gives responsibilities to the holders of coins that they do
not want and cannot handle.
In Bitcoin, large unsophisticated coin holders can put their coins in cold
storage without a second thought given to the health of the underlying
ledger.
As much as hardcore Bitcoiners try to convince them to run their own node,
most don't, and that's perfectly acceptable.
At no point do their personal decisions affect the underlying consensus --
it only affects their personal security assurance (not that of the system
itself).
In PoS systems this clean separation of responsibilities does not exist.

I think that the more rigorously studied PoS protocols will work fine
within the security claims made in their papers.
People who believe that these protocols are destined for catastrophic
consensus failure are certainly in for a surprise.
But the devil is in the detail.
Let's look at what the implications of using the leading proof of stake
protocols would have on Bitcoin:

### Proof of SquareSpace (Cardano, Polkadot)

Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an
inbuilt on-chain delegation system[5].
In these protocols, coin holders who do not want to run their node with
their hot keys in it delegate it to a "Stake Pool".
I call the resulting system Proof-of-SquareSpace since most will choose a
pool by looking around for one with a nice website and offering the largest
share of the block reward.
On the surface this might sound no different than someone with a mining
rig shopping around for a good mining pool but there are crucial
differences:

1. The person making the decision is forced into it just because they own
the currency -- someone with a mining rig has purchased it with the intent
to make profit by participating in consensus.

2. When you join a mining pool your systems are very much still online. You
are just partaking in a pool to reduce your profit variance. You still see
every block that you help create and *you never help create a block without
seeing it first*.

3. If by SquareSpace sybil attack you gain a dishonest majority and start
censoring transactions how are the users meant to redelegate their stake to
honest pools?
I guess they can just send a transaction delegating to another pool...oh
wait I guess that might be censored too! This seems really really bad.
In Bitcoin, miners can just join a different pool at a whim. There is
nothing the attacker can do to stop them. A temporary dishonest majority
heals relatively well.

There is another severe disadvantage to this on-chain delegation system:
every UTXO must indicate which staking account this UTXO belongs to so the
appropriate share of block rewards can be transferred there.
Being able to associate every UTXO to an account ruins one of the main
privacy advantages of the UTXO model.
It also grows the size of the blockchain significantly.

### "Pure" proof of stake (Algorand)

Algorand's[4] approach is to only allow online stake to participate in the
protocol.
Theoretically, this means that keys holding funds have to be online in
order for them to author blocks when they are chosen.
Of course in reality no one wants to keep their coin holding keys online so
in Algorand you can authorize a set of "participation keys"[1] that will
be used to create blocks on your coin holding key's behalf.
Hopefully you've spotted the problem.
You can send your participation keys to any malicious party with a nice
website (see random example [2]) offering you a good return.
Damn it's still Proof-of-SquareSpace!
The minor advantage is that at least the participation keys expire after a
certain amount of time so eventually the SquareSpace attacker will lose
their hold on consensus.
Importantly there is also less junk on the blockchain because the
participation keys are delegated off-chain and so are not making as much of
a mess.

### Conclusion

I don't see a way to get around the conflicting requirement that the keys
for large amounts of coins should be kept offline but those are exactly the
coins we need online to make the scheme secure.
If we allow delegation then we open up a new social attack surface and it
degenerates to Proof-of-SquareSpace.

For a "digital gold" like system like Bitcoin we optimize for simplicity
and desperately want to avoid extraneous responsibilities for the holder of
the coin.
After all, gold is an inert element on the periodic table that doesn't
confer responsibilities on the holder to maintain the quality of all the
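As an added toy model of the two delegation mechanisms compared in this post (the editor's example, not code from the post or from Cardano or Algorand), the following script contrasts on-chain delegation, where getting out of a dishonest pool needs a transaction that pool can censor, with participation keys that lapse on their own. The censorship rule, holder names, stakes, pool names and expiry heights are constructed assumptions that follow the post's framing only.

```python
"""Toy model of on-chain delegation vs expiring participation keys.

Added example, not code from the post or from Cardano or Algorand. It
follows the post's framing only: pools that control a majority of the
delegated stake produce the blocks and can censor transactions. Holder
names, stakes, pool names and expiry heights are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Delegation:
    holder: str
    stake: int
    pool: str
    # Height at which the delegation lapses by itself (expiring key).
    # None models an on-chain delegation that changes only when a
    # redelegation transaction makes it into a block.
    expires_at: Optional[int] = None


def controlled_share(delegations, pools):
    """Fraction of all delegated stake currently pointing at `pools`."""
    total = sum(d.stake for d in delegations)
    return sum(d.stake for d in delegations if d.pool in pools) / total


def simulate(delegations, dishonest_pools, heights, honest_pool="honest-pool"):
    """Advance `heights` blocks. From height 1 on, every holder delegated to
    a dishonest pool tries to move to `honest_pool`. Returns the dishonest
    share after each height.

    Censorship rule (model assumption): while dishonest pools control more
    than half the stake, no redelegation transaction is included. An
    expiring delegation lapses at `expires_at` regardless of who produces
    the block, because ending it needs no transaction.
    """
    history = []
    for height in range(1, heights + 1):
        censoring = controlled_share(delegations, dishonest_pools) > 0.5
        for d in delegations:
            if d.pool not in dishonest_pools:
                continue
            if d.expires_at is None:
                if not censoring:            # redelegation tx included
                    d.pool = honest_pool
            elif height >= d.expires_at:     # participation key lapsed
                d.pool = honest_pool
        history.append(controlled_share(delegations, dishonest_pools))
    return history


DISHONEST = {"nice-website-pool"}


def on_chain_scenario(captured_stake):
    """Two holders, total stake 100; `captured_stake` delegated on-chain to
    the dishonest pool (constructed)."""
    return [Delegation("alice", captured_stake, "nice-website-pool"),
            Delegation("bob", 100 - captured_stake, "honest-pool")]


def expiring_scenario():
    """Same total stake, 65 of it captured through participation keys that
    expire at different heights (constructed)."""
    return [Delegation("alice", 30, "nice-website-pool", expires_at=3),
            Delegation("carol", 20, "nice-website-pool", expires_at=5),
            Delegation("dave", 15, "nice-website-pool", expires_at=8),
            Delegation("bob", 35, "honest-pool", expires_at=10)]


if __name__ == "__main__":
    print("on-chain, 60% captured:", simulate(on_chain_scenario(60), DISHONEST, 10))
    print("on-chain, 40% captured:", simulate(on_chain_scenario(40), DISHONEST, 3))
    print("expiring keys, 65% captured:", simulate(expiring_scenario(), DISHONEST, 10))
```

With on-chain delegation a captured majority is a fixed point of this model: the share never moves because the transactions that would move it are the ones being censored, whereas a captured minority heals at the first block. With expiring keys the same 65% falls below one half at the first expiry and reaches zero once every captured key has lapsed, which is the bounded-damage property the post credits to Algorand's key expiry. The model ignores what the real protocols do at key registration; it isolates only the censorship argument.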

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-21 Thread Billy Tetrud via bitcoin-dev
@Erik
>  it also solves the "nothing at stake" problem

A. the "nothing at stake" problem can be and has been solved by PoS
consensus mechanisms (unless you mean it more broadly than I'm taking it),
and B. Proof of Burn should have just as much "nothing at stake" issues as
PoS. Both consensus mechanisms depend on the current state of the chain to
determine whether someone's stake or burn would allow the creation of a
block. But I am curious, how does proof of burn solve the "nothing at
stake" problem in your view?

On Fri, May 21, 2021 at 10:58 AM Erik Aronesty  wrote:

> proof of burn has all the benefits of proof of stake (if there are any)
>
> but it also solves the "nothing at stake" problem
>
> the incentive in POB is that you're making a long-term investment in
> mining, and you want a stable protocol, quality network, etc to
> pay off your investment.
>
> On Thu, May 20, 2021 at 8:04 PM Billy Tetrud 
> wrote:
> >
> > I think there is a lot of misinformation and bias against Proof of
> Stake. Yes there have been lots of shady coins that use insecure PoS
> mechanisms. Yes there have been massive issues with distribution of PoS
> coins (of course there have also been massive issues with PoW coins as
> well). However, I want to remind everyone that there is a difference
> between "proved to be impossible" and "have not achieved recognized success
> yet". Most of the arguments levied against PoS are out of date or rely on
> unproven assumptions or extrapolation from the analysis of a particular PoS
> system. I certainly don't think we should experiment with bitcoin by
> switching to PoS, but from my research, it seems very likely that there is
> a proof of stake consensus protocol we could build that has substantially
> higher security (cost / capital required to execute an attack) while at the
> same time costing far less resources (which do translate to fees on the
> network) *without* compromising any of the critical security properties
> bitcoin relies on. I think the critical piece of this is the disagreements
> around hardcoded checkpoints, which is a critical piece solving attacks
> that could be levied on a PoS chain, and how that does (or doesn't) affect
> the security model.
> >
> > @Eric Your proof of stake fallacy seems to be saying that PoS is worse
> when a 51% attack happens. While I agree, I think that line of thinking
> omits important facts:
> > * The capital required to 51% attack a PoS chain can be made
> substantially greater than on a PoS chain.
> > * The capital the attacker stands to lose can be substantially greater
> as well if the attack is successful.
> > * The effectiveness of paying miners to raise the honest fraction of
> miners above 50% may be quite bad.
> > * Allowing a 51% attack is already unacceptable. It should be considered
> whether what happens in the case of a 51% may not be significantly
> different. The currency would likely be critically damaged in a 51% attack
> regardless of consensus mechanism.
> >
> > > Proof-of-stake tends towards oligopolistic control
> >
> > People repeat this often, but the facts support this. There is no
> centralization pressure in any proof of stake mechanism that I'm aware of.
> IE if you have 10 times as much coin that you use to mint blocks, you
> should expect to earn 10x as much minting revenue - not more than 10x. By
> contrast, proof of work does in fact have clear centralization pressure -
> this is not disputed. Our goal in relation to that is to ensure that the
> centralization pressure remains insignificant. Proof of work also clearly
> has a lot more barriers to entry than any proof of stake system does. Both
> of these mean the tendency towards oligopolistic control is worse for PoW.
> >
> > > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
> >
> > I certainly agree. Bitcoin's energy usage at the moment is I think quite
> warranted. However, the question is: can we do substantially better. I
> think if we can, we probably should... eventually.
> >
> > > Proof of Stake is only resilient to ⅓ of the network demonstrating a
> Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
> >
> > I see no mention of this in the pos.pdf you linked to. I'm not aware of
> any proof that all PoS systems have a failure threshold of 1/3. I know that
> staking systems like Casper do in fact have that 1/3 requirement. However
> there are PoS designs that should exceed that up to nearly 50% as far as
> I'm aware. Proof of work is not in fact resilient up to the 1/2 threshold
> in the way you would think. IE, if 100% of miners are currently honest and
> have a collective 100 exahashes/s hashpower, an attacker does not need to
> obtain 100 exahashes/s, but actually only needs to accumulate 50
> exahashes/s. This is because as the attacker accumulates hashpower, it
> drives honest miners out of the market as the difficulty increases to
> beyond what is economically sustainable. Also, it's been shown that the

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-21 Thread Erik Aronesty via bitcoin-dev
proof of burn has all the benefits of proof of stake (if there are any)

but it also solves the "nothing at stake" problem

the incentive in POB is that you're making a long-term investment in
mining, and you want a stable protocol, quality network, etc to
pay off your investment.

On Thu, May 20, 2021 at 8:04 PM Billy Tetrud  wrote:
>
> I think there is a lot of misinformation and bias against Proof of Stake. Yes 
> there have been lots of shady coins that use insecure PoS mechanisms. Yes 
> there have been massive issues with distribution of PoS coins (of course 
> there have also been massive issues with PoW coins as well). However, I want 
> to remind everyone that there is a difference between "proved to be 
> impossible" and "have not achieved recognized success yet". Most of the 
> arguments levied against PoS are out of date or rely on unproven assumptions 
> or extrapolation from the analysis of a particular PoS system. I certainly 
> don't think we should experiment with bitcoin by switching to PoS, but from 
> my research, it seems very likely that there is a proof of stake consensus 
> protocol we could build that has substantially higher security (cost / 
> capital required to execute an attack) while at the same time costing far 
> less resources (which do translate to fees on the network) *without* 
> compromising any of the critical security properties bitcoin relies on. I 
> think the critical piece of this is the disagreements around hardcoded 
> checkpoints, which is a critical piece solving attacks that could be levied 
> on a PoS chain, and how that does (or doesn't) affect the security model.
>
> @Eric Your proof of stake fallacy seems to be saying that PoS is worse when a 
> 51% attack happens. While I agree, I think that line of thinking omits 
> important facts:
> * The capital required to 51% attack a PoS chain can be made substantially 
> greater than on a PoS chain.
> * The capital the attacker stands to lose can be substantially greater as 
> well if the attack is successful.
> * The effectiveness of paying miners to raise the honest fraction of miners 
> above 50% may be quite bad.
> * Allowing a 51% attack is already unacceptable. It should be considered 
> whether what happens in the case of a 51% may not be significantly different. 
> The currency would likely be critically damaged in a 51% attack regardless of 
> consensus mechanism.
>
> > Proof-of-stake tends towards oligopolistic control
>
> People repeat this often, but the facts support this. There is no 
> centralization pressure in any proof of stake mechanism that I'm aware of. IE 
> if you have 10 times as much coin that you use to mint blocks, you should 
> expect to earn 10x as much minting revenue - not more than 10x. By contrast, 
> proof of work does in fact have clear centralization pressure - this is not 
> disputed. Our goal in relation to that is to ensure that the centralization 
> pressure remains insignificant. Proof of work also clearly has a lot more 
> barriers to entry than any proof of stake system does. Both of these mean the 
> tendency towards oligopolistic control is worse for PoW.
>
> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>
> I certainly agree. Bitcoin's energy usage at the moment is I think quite 
> warranted. However, the question is: can we do substantially better. I think 
> if we can, we probably should... eventually.
>
> > Proof of Stake is only resilient to ⅓ of the network demonstrating a 
> > Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>
> I see no mention of this in the pos.pdf you linked to. I'm not aware of any 
> proof that all PoS systems have a failure threshold of 1/3. I know that 
> staking systems like Casper do in fact have that 1/3 requirement. However 
> there are PoS designs that should exceed that up to nearly 50% as far as I'm 
> aware. Proof of work is not in fact resilient up to the 1/2 threshold in the 
> way you would think. IE, if 100% of miners are currently honest and have a 
> collective 100 exahashes/s hashpower, an attacker does not need to obtain 100 
> exahashes/s, but actually only needs to accumulate 50 exahashes/s. This is 
> because as the attacker accumulates hashpower, it drives honest miners out of 
> the market as the difficulty increases to beyond what is economically 
> sustainable. Also, it's been shown that the best proof of work can do is 
> require an attacker to obtain 33% of the hashpower because of the selfish 
> mining attack discussed in depth in this paper: 
> https://arxiv.org/abs/1311.0243. Together, both of these things reduce PoW's 
> security by a factor of about 83% (1 - 50%*33%).
>
>  > Proof of Stake requires other trade-offs which are incompatible with 
> Bitcoin's objective (to be a trustless digital cash) — specifically the 
> famous "security vs. liveness" guarantee
>
> Do you have a good source that talks about why you think proof of stake 
> cannot be used for a 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-21 Thread vizeet srivastava via bitcoin-dev
It is difficult to understand how energy usage is a bad thing.
At one end we talk about energy usage as a bad thing and we also talk about
global warming.
If Earth is receiving extra energy which is causing global warming
shouldn't we use extra energy to do something useful?


On Fri, May 21, 2021 at 2:52 PM Billy Tetrud via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> I think there is a lot of misinformation and bias against Proof of Stake.
> Yes there have been lots of shady coins that use insecure PoS mechanisms.
> Yes there have been massive issues with distribution of PoS coins (of
> course there have also been massive issues with PoW coins as well).
> However, I want to remind everyone that there is a difference between
> "proved to be impossible" and "have not achieved recognized success yet".
> Most of the arguments levied against PoS are out of date or rely on
> unproven assumptions or extrapolation from the analysis of a particular PoS
> system. I certainly don't think we should experiment with bitcoin by
> switching to PoS, but from my research, it seems very likely that there is
> a proof of stake consensus protocol we could build that has substantially
> higher security (cost / capital required to execute an attack) while at the
> same time costing far less resources (which do translate to fees on the
> network) *without* compromising any of the critical security properties
> bitcoin relies on. I think the critical piece of this is the disagreements
> around hardcoded checkpoints, which is a critical piece solving attacks
> that could be levied on a PoS chain, and how that does (or doesn't) affect
> the security model.
>
> @Eric Your proof of stake fallacy seems to be saying that PoS is worse
> when a 51% attack happens. While I agree, I think that line of thinking
> omits important facts:
> * The capital required to 51% attack a PoS chain can be made substantially
> greater than on a PoS chain.
> * The capital the attacker stands to lose can be substantially greater as
> well if the attack is successful.
> * The effectiveness of paying miners to raise the honest fraction of
> miners above 50% may be quite bad.
> * Allowing a 51% attack is already unacceptable. It should be considered
> whether what happens in the case of a 51% may not be significantly
> different. The currency would likely be critically damaged in a 51% attack
> regardless of consensus mechanism.
>
> > Proof-of-stake tends towards oligopolistic control
>
> People repeat this often, but the facts support this. There is no
> centralization pressure in any proof of stake mechanism that I'm aware of.
> IE if you have 10 times as much coin that you use to mint blocks, you
> should expect to earn 10x as much minting revenue - not more than 10x. By
> contrast, proof of work does in fact have clear centralization pressure -
> this is not disputed. Our goal in relation to that is to ensure that the
> centralization pressure remains insignificant. Proof of work also clearly
> has a lot more barriers to entry than any proof of stake system does. Both
> of these mean the tendency towards oligopolistic control is worse for PoW.
>
> > Energy usage, in-and-of-itself, is nothing to be ashamed of!!
>
> I certainly agree. Bitcoin's energy usage at the moment is I think quite
> warranted. However, the question is: can we do substantially better. I
> think if we can, we probably should... eventually.
>
> > Proof of Stake is only resilient to ⅓ of the network demonstrating a
> Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold
>
> I see no mention of this in the pos.pdf you linked to. I'm not
> aware of any proof that *all *PoS systems have a failure threshold of
> 1/3. I know that staking systems like Casper do in fact have that 1/3
> requirement. However there are PoS designs that should exceed that up to
> nearly 50% as far as I'm aware. Proof of work is not in fact resilient up
> to the 1/2 threshold in the way you would think. IE, if 100% of miners are
> currently honest and have a collective 100 exahashes/s hashpower, an
> attacker does not need to obtain 100 exahashes/s, but actually only needs
> to accumulate 50 exahashes/s. This is because as the attacker accumulates
> hashpower, it drives honest miners out of the market as the difficulty
> increases to beyond what is economically sustainable. Also, it's been shown
> that the best proof of work can do is require an attacker to obtain 33% of
> the hashpower because of the selfish mining attack discussed
> in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both
> of these things reduce PoW's security by a factor of about 83% (1 -
> 50%*33%).
>
>  > Proof of Stake requires other trade-offs which are incompatible with
> Bitcoin's objective (to be a trustless digital cash) — 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-21 Thread Billy Tetrud via bitcoin-dev
I think there is a lot of misinformation and bias against Proof of Stake.
Yes there have been lots of shady coins that use insecure PoS mechanisms.
Yes there have been massive issues with distribution of PoS coins (of
course there have also been massive issues with PoW coins as well).
However, I want to remind everyone that there is a difference between
"proved to be impossible" and "have not achieved recognized success yet".
Most of the arguments levied against PoS are out of date or rely on
unproven assumptions or extrapolation from the analysis of a particular PoS
system. I certainly don't think we should experiment with bitcoin by
switching to PoS, but from my research, it seems very likely that there is
a proof of stake consensus protocol we could build that has substantially
higher security (cost / capital required to execute an attack) while at the
same time costing far less resources (which do translate to fees on the
network) *without* compromising any of the critical security properties
bitcoin relies on. I think the critical piece of this is the disagreements
around hardcoded checkpoints, which is a critical piece solving attacks
that could be levied on a PoS chain, and how that does (or doesn't) affect
the security model.

@Eric Your proof of stake fallacy seems to be saying that PoS is worse when
a 51% attack happens. While I agree, I think that line of thinking omits
important facts:
* The capital required to 51% attack a PoS chain can be made substantially
greater than on a PoS chain.
* The capital the attacker stands to lose can be substantially greater as
well if the attack is successful.
* The effectiveness of paying miners to raise the honest fraction of miners
above 50% may be quite bad.
* Allowing a 51% attack is already unacceptable. It should be considered
whether what happens in the case of a 51% may not be significantly
different. The currency would likely be critically damaged in a 51% attack
regardless of consensus mechanism.

> Proof-of-stake tends towards oligopolistic control

People repeat this often, but the facts support this. There is no
centralization pressure in any proof of stake mechanism that I'm aware of.
IE if you have 10 times as much coin that you use to mint blocks, you
should expect to earn 10x as much minting revenue - not more than 10x. By
contrast, proof of work does in fact have clear centralization pressure -
this is not disputed. Our goal in relation to that is to ensure that the
centralization pressure remains insignificant. Proof of work also clearly
has a lot more barriers to entry than any proof of stake system does. Both
of these mean the tendency towards oligopolistic control is worse for PoW.

> Energy usage, in-and-of-itself, is nothing to be ashamed of!!

I certainly agree. Bitcoin's energy usage at the moment is I think quite
warranted. However, the question is: can we do substantially better. I
think if we can, we probably should... eventually.

> Proof of Stake is only resilient to ⅓ of the network demonstrating a
Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold

I see no mention of this in the pos.pdf you linked to. I'm not
aware of any proof that *all *PoS systems have a failure threshold of 1/3.
I know that staking systems like Casper do in fact have that 1/3
requirement. However there are PoS designs that should exceed that up to
nearly 50% as far as I'm aware. Proof of work is not in fact resilient up
to the 1/2 threshold in the way you would think. IE, if 100% of miners are
currently honest and have a collective 100 exahashes/s hashpower, an
attacker does not need to obtain 100 exahashes/s, but actually only needs
to accumulate 50 exahashes/s. This is because as the attacker accumulates
hashpower, it drives honest miners out of the market as the difficulty
increases to beyond what is economically sustainable. Also, it's been shown
that the best proof of work can do is require an attacker to obtain 33% of
the hashpower because of the selfish mining attack discussed
in depth in this paper: https://arxiv.org/abs/1311.0243. Together, both of
these things reduce PoW's security by a factor of about 83% (1 - 50%*33%).

 > Proof of Stake requires other trade-offs which are incompatible with
Bitcoin's objective (to be a trustless digital cash) — specifically the
famous "security vs. liveness" guarantee

Do you have a good source that talks about why you think proof of stake
cannot be used for a trustless digital cash?

> You cannot gain tokens without someone choosing to give up those coins -
a form of permission.

This is not a practical constraint. Just like in mining, some nodes may
reject you, but there will likely be more that will accept you, some
sellers may reject you, but most would accept your money as payment for
bitcoins. I don't think requiring the "permission" 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-19 Thread Michael Dubrovsky via bitcoin-dev
Ah sorry, I didn't realize this was, in fact, a different thread! :)

On Wed, May 19, 2021 at 10:07 AM Michael Dubrovsky  wrote:

> Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself.
> PoS, VDFs, and so on are interesting but I guess there are other threads
> going on these topics already where they would be relevant.
>
> Also, it's important to distinguish between oPoW and these other
> "alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter
> the core game theory or security assumptions of Hashcash and actually
> contains SHA (can be SHA3, SHA256, etc.; the hash is interchangeable).
>
> Cheers,
> Mike
>
> On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> 1. i never suggested vdf's to replace pow.
>>
>> 2. my suggestion was specifically *in the context of* a working
>> proof-of-burn protocol
>>
>> - vdfs used only for timing (not block height)
>> - blind-burned coins of a specific age used to replace proof of work
>> - the required "work" per block would simply be a competition to
>> acquire rewards, and so miners would have to burn coins, well in
>> advance, and hope that their burned coins got rewarded in some far
>> future
>> - the point of burned coins is to mimic, in every meaningful way, the
>> value gained from proof of work... without some of the security
>> drawbacks
>> - the miner risks losing all of his burned coins (like all miners risk
>> losing their work in each block)
>> - new burns can't be used
>> - old burns age out (like ASICs do)
>> - other requirements on burns might be needed to properly mirror the
>> properties of PoW and the incentives Bitcoin uses to mine honestly.
>>
>> 3. i do believe it is *possible* that a "burned coin + vdf system"
>> might be more secure in the long run, and that if the entire space
>> agreed that such an endeavor was worthwhile, a test net could be spun
>> up, and a hard-fork could be initiated.
>>
>> 4. i would never suggest such a thing unless i believed it was
>> possible that consensus was possible.  so no, this is not an "alt
>> coin"
>>
>> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood  wrote:
>> >
>> > Hi ZmnSCPxj,
>> >
>> > Please note that I am not suggesting VDFs as a means to save energy,
>> but solely as a means to make the time between blocks more constant.
>> >
>> > Zac
>> >
>> >
>> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj  wrote:
>> >>
>> >> Good morning Zac,
>> >>
>> >> > VDFs might enable more constant block times, for instance by having
>> a two-step PoW:
>> >> >
>> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject
>> to difficulty adjustments similar to the as-is). As per the property of
>> VDFs, miners are able to show proof of work.
>> >> >
>> >> > 2. Use current PoW mechanism with lower difficulty so finding a
>> block takes 1 minute on average, again subject to as-is difficulty
>> adjustments.
>> >> >
>> >> > As a result, variation in block times will be greatly reduced.
>> >>
>> >> As I understand it, another weakness of VDFs is that they are not
>> inherently progress-free (their sequential nature prevents that; they are
>> inherently progress-requiring).
>> >>
>> >> Thus, a miner which focuses on improving the amount of energy that it
>> can pump into the VDF circuitry (by overclocking and freezing the
>> circuitry), could potentially get into a winner-takes-all situation,
>> possibly leading to even *worse* competition and even *more* energy
>> consumption.
>> >> After all, if you can start mining 0.1s faster than the competition,
>> that is a 0.1s advantage where *only you* can mine *in the entire world*.
>> >>
>> >> Regards,
>> >> ZmnSCPxj
>> ___
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
>
> --
> Michael Dubrovsky
> Founder; PoWx
> www.PoWx.org 
>


-- 
Michael Dubrovsky
Founder; PoWx
www.PoWx.org 
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
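As an added worked example of the two-step VDF + PoW design quoted in this message and of ZmnSCPxj's objection to it (the editor's example, not code from the thread or from any project), the following script simulates the block-time variance both schemes give and computes, exactly and by Monte Carlo, how much a small VDF speed edge is worth once the PoW phase is short. The fixed-duration VDF, the memoryless PoW phase, the two-miner race, the hashrate share and the 0.1-minute (6 s) edge are constructed assumptions.

```python
"""Block-time variance and VDF head-start races in a two-step (VDF + PoW) design.

Added example, not from the thread. Model assumptions (constructed):
  - the VDF phase takes a fixed number of minutes for everyone, then a
    memoryless PoW phase follows whose mean duration is `pow_mean_minutes`;
  - in the race, miner A finishes its VDF `head_start` minutes before miner B,
    A holds `share` of the hashrate, and both mine on the same parent block.
"""
import math
import random
import statistics


def block_time_stats(samples, vdf_minutes, pow_mean_minutes, rng):
    """Mean and standard deviation of simulated inter-block times."""
    times = [vdf_minutes + rng.expovariate(1.0 / pow_mean_minutes)
             for _ in range(samples)]
    return statistics.mean(times), statistics.pstdev(times)


def head_start_win_probability(head_start, pow_mean_minutes, share=0.5):
    """Exact probability that A wins the block.

    During the head start only A mines, at rate share/pow_mean per minute, so
    A finds a block alone with probability p = 1 - exp(-share*h/pow_mean).
    Otherwise both mine and, by memorylessness, A wins with probability `share`.
    """
    p_alone = 1.0 - math.exp(-share * head_start / pow_mean_minutes)
    return p_alone + (1.0 - p_alone) * share


def simulate_race(trials, head_start, pow_mean_minutes, rng, share=0.5):
    """Monte Carlo estimate of the same probability, as a sanity check."""
    wins = 0
    for _ in range(trials):
        t_a = rng.expovariate(share / pow_mean_minutes)
        t_b = head_start + rng.expovariate((1.0 - share) / pow_mean_minutes)
        wins += t_a < t_b
    return wins / trials


if __name__ == "__main__":
    rng = random.Random(2021)
    print("pure PoW, mean 10 min:  mean=%.2f std=%.2f"
          % block_time_stats(20000, 0, 10, rng))
    print("9 min VDF + 1 min PoW:  mean=%.2f std=%.2f"
          % block_time_stats(20000, 9, 1, rng))
    for pow_mean in (10, 1, 0.1):
        print("6 s VDF edge, PoW mean %4.1f min: P(A wins)=%.3f"
              % (pow_mean, head_start_win_probability(0.1, pow_mean)))
```

The first two lines confirm Zac's claim: the same 10-minute mean with the standard deviation cut from about 10 minutes to about 1. The race lines show the price: a fixed 6-second VDF edge is worth almost nothing when the PoW phase averages 10 minutes, about 2.4 points of win probability at 1 minute, and about 20 points at 0.1 minute, which is the winner-takes-all pressure ZmnSCPxj describes. Shrinking the PoW phase to reduce variance is exactly what amplifies the edge.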


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-19 Thread Michael Dubrovsky via bitcoin-dev
Folks, I suggest we keep the discussion to PoW, oPoW, and the BIP itself.
PoS, VDFs, and so on are interesting but I guess there are other threads
going on these topics already where they would be relevant.

Also, it's important to distinguish between oPoW and these other
"alternatives" to Hashcash. oPoW is a true Proof of Work that doesn't alter
the core game theory or security assumptions of Hashcash and actually
contains SHA (can be SHA3, SHA256, etc.; the hash is interchangeable).

Cheers,
Mike

On Tue, May 18, 2021 at 4:55 PM Erik Aronesty via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> 1. i never suggested vdf's to replace pow.
>
> 2. my suggestion was specifically *in the context of* a working
> proof-of-burn protocol
>
> - vdfs used only for timing (not block height)
> - blind-burned coins of a specific age used to replace proof of work
> - the required "work" per block would simply be a competition to
> acquire rewards, and so miners would have to burn coins, well in
> advance, and hope that their burned coins got rewarded in some far
> future
> - the point of burned coins is to mimic, in every meaningful way, the
> value gained from proof of work... without some of the security
> drawbacks
> - the miner risks losing all of his burned coins (like all miners risk
> losing their work in each block)
> - new burns can't be used
> - old burns age out (like ASICs do)
> - other requirements on burns might be needed to properly mirror the
> properties of PoW and the incentives Bitcoin uses to mine honestly.
>
> 3. i do believe it is *possible* that a "burned coin + vdf system"
> might be more secure in the long run, and that if the entire space
> agreed that such an endeavor was worthwhile, a test net could be spun
> up, and a hard-fork could be initiated.
>
> 4. i would never suggest such a thing unless i believed it was
> possible that consensus was possible.  so no, this is not an "alt
> coin"
>
> On Tue, May 18, 2021 at 10:02 AM Zac Greenwood  wrote:
> >
> > Hi ZmnSCPxj,
> >
> > Please note that I am not suggesting VDFs as a means to save energy, but
> > solely as a means to make the time between blocks more constant.
> >
> > Zac
> >
> >
> > On Tue, 18 May 2021 at 12:42, ZmnSCPxj  wrote:
> >>
> >> Good morning Zac,
> >>
> >> > VDFs might enable more constant block times, for instance by having a
> >> > two-step PoW:
> >> >
> >> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject
> >> > to difficulty adjustments similar to the as-is). As per the property of
> >> > VDFs, miners are able to show proof of work.
> >> >
> >> > 2. Use current PoW mechanism with lower difficulty so finding a block
> >> > takes 1 minute on average, again subject to as-is difficulty adjustments.
> >> >
> >> > As a result, variation in block times will be greatly reduced.
> >>
> >> As I understand it, another weakness of VDFs is that they are not
> >> inherently progress-free (their sequential nature prevents that; they are
> >> inherently progress-requiring).
> >>
> >> Thus, a miner which focuses on improving the amount of energy that it
> >> can pump into the VDF circuitry (by overclocking and freezing the
> >> circuitry), could potentially get into a winner-takes-all situation,
> >> possibly leading to even *worse* competition and even *more* energy
> >> consumption.
> >> After all, if you can start mining 0.1s faster than the competition,
> >> that is a 0.1s advantage where *only you* can mine *in the entire world*.
> >>
> >> Regards,
> >> ZmnSCPxj
>


-- 
Michael Dubrovsky
Founder; PoWx
www.PoWx.org 


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-18 Thread Erik Aronesty via bitcoin-dev
1. i never suggested vdf's to replace pow.

2. my suggestion was specifically *in the context of* a working
proof-of-burn protocol

- vdfs used only for timing (not block height)
- blind-burned coins of a specific age used to replace proof of work
- the required "work" per block would simply be a competition to
acquire rewards, and so miners would have to burn coins, well in
advance, and hope that their burned coins got rewarded in some far
future
- the point of burned coins is to mimic, in every meaningful way, the
value gained from proof of work... without some of the security
drawbacks
- the miner risks losing all of his burned coins (like all miners risk
losing their work in each block)
- new burns can't be used
- old burns age out (like ASICs do)
- other requirements on burns might be needed to properly mirror the
properties of PoW and the incentives Bitcoin uses to mine honestly.

3. i do believe it is *possible* that a "burned coin + vdf system"
might be more secure in the long run, and that if the entire space
agreed that such an endeavor was worthwhile, a test net could be spun
up, and a hard-fork could be initiated.

4. i would never suggest such a thing unless i believed it was
possible that consensus was possible.  so no, this is not an "alt
coin"

On Tue, May 18, 2021 at 10:02 AM Zac Greenwood  wrote:
>
> Hi ZmnSCPxj,
>
> Please note that I am not suggesting VDFs as a means to save energy, but 
> solely as a means to make the time between blocks more constant.
>
> Zac
>
>
> On Tue, 18 May 2021 at 12:42, ZmnSCPxj  wrote:
>>
>> Good morning Zac,
>>
>> > VDFs might enable more constant block times, for instance by having a 
>> > two-step PoW:
>> >
>> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to 
>> > difficulty adjustments similar to the as-is). As per the property of VDFs, 
>> > miners are able to show proof of work.
>> >
>> > 2. Use current PoW mechanism with lower difficulty so finding a block 
>> > takes 1 minute on average, again subject to as-is difficulty adjustments.
>> >
>> > As a result, variation in block times will be greatly reduced.
>>
>> As I understand it, another weakness of VDFs is that they are not inherently 
>> progress-free (their sequential nature prevents that; they are inherently 
>> progress-requiring).
>>
>> Thus, a miner which focuses on improving the amount of energy that it can 
>> pump into the VDF circuitry (by overclocking and freezing the circuitry), 
>> could potentially get into a winner-takes-all situation, possibly leading to 
>> even *worse* competition and even *more* energy consumption.
>> After all, if you can start mining 0.1s faster than the competition, that is 
>> a 0.1s advantage where *only you* can mine *in the entire world*.
>>
>> Regards,
>> ZmnSCPxj


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-18 Thread Zac Greenwood via bitcoin-dev
Hi ZmnSCPxj,

Please note that I am not suggesting VDFs as a means to save energy, but
solely as a means to make the time between blocks more constant.

Zac


On Tue, 18 May 2021 at 12:42, ZmnSCPxj  wrote:

> Good morning Zac,
>
> > VDFs might enable more constant block times, for instance by having a
> > two-step PoW:
> >
> > 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to
> > difficulty adjustments similar to the as-is). As per the property of VDFs,
> > miners are able to show proof of work.
> >
> > 2. Use current PoW mechanism with lower difficulty so finding a block
> > takes 1 minute on average, again subject to as-is difficulty adjustments.
> >
> > As a result, variation in block times will be greatly reduced.
>
> As I understand it, another weakness of VDFs is that they are not
> inherently progress-free (their sequential nature prevents that; they are
> inherently progress-requiring).
>
> Thus, a miner which focuses on improving the amount of energy that it can
> pump into the VDF circuitry (by overclocking and freezing the circuitry),
> could potentially get into a winner-takes-all situation, possibly leading
> to even *worse* competition and even *more* energy consumption.
> After all, if you can start mining 0.1s faster than the competition, that
> is a 0.1s advantage where *only you* can mine *in the entire world*.
>
> Regards,
> ZmnSCPxj
>


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-18 Thread ZmnSCPxj via bitcoin-dev
Good morning Zac,

> VDFs might enable more constant block times, for instance by having a 
> two-step PoW:
>
> 1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to 
> difficulty adjustments similar to the as-is). As per the property of VDFs, 
> miners are able to show proof of work.
>
> 2. Use current PoW mechanism with lower difficulty so finding a block takes 1 
> minute on average, again subject to as-is difficulty adjustments.
>
> As a result, variation in block times will be greatly reduced.

As I understand it, another weakness of VDFs is that they are not inherently 
progress-free (their sequential nature prevents that; they are inherently 
progress-requiring).

Thus, a miner which focuses on improving the amount of energy that it can pump 
into the VDF circuitry (by overclocking and freezing the circuitry), could 
potentially get into a winner-takes-all situation, possibly leading to even 
*worse* competition and even *more* energy consumption.
After all, if you can start mining 0.1s faster than the competition, that is a 
0.1s advantage where *only you* can mine *in the entire world*.

Regards,
ZmnSCPxj


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-18 Thread Zac Greenwood via bitcoin-dev
VDFs might enable more constant block times, for instance by having a
two-step PoW:

1. Use a VDF that takes say 9 minutes to resolve (VDF being subject to
difficulty adjustments similar to the as-is). As per the property of VDFs,
miners are able to show proof of work.

2. Use current PoW mechanism with lower difficulty so finding a block takes
1 minute on average, again subject to as-is difficulty adjustments.

As a result, variation in block times will be greatly reduced.

Zac


On Tue, 18 May 2021 at 09:07, ZmnSCPxj via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Good morning Erik,
>
> > Verifiable Delay Functions involve active participation of a single
> > verifier. Without this a VDF decays into a proof-of-work (multiple
> > verifiers === parallelism).
> >
> > The verifier, in this case is "the bitcoin network" taken as a whole.
> > I think it is reasonable to consider that some difficult-to-game
> > property of the last N blocks (like the hash of the last 100
> > block-id's or whatever), could be the verification input.
> >
> > The VDF gets calculated by every eligible proof-of-burn miner, and
> > then this is used to prevent a timing issue.
> >
> > Seems reasonable to me, but I haven't looked too far into the
> > requirements of VDF's
> >
> > nice summary for anyone who is interested:
> > https://medium.com/@djrtwo/vdfs-are-not-proof-of-work-91ba3bec2bf4
> >
> > While VDF's almost always lead to a "cpu-speed monopoly", this would
> > only be helpful for block latency in a proof-of-burn chain. Block
> > height would be calculated by eligible-miner-burned-coins, so the
> > monopoly could be easily avoided.
>
> Interesting link.
>
> However, I would like to point out that the *real* reason that PoW
> consumes lots of power is ***NOT***:
>
> * Proof-of-work is parallelizable, so it allows miners to consume more
> energy (by buying more grinders) in order to get more blocks than their
> competitors.
>
> The *real* reason is:
>
> * Proof-of-work allows miners to consume more energy in order to get more
> blocks than their competitors.
>
> VDFs attempt to sidestep that by removing parallelism.
> However, there are ways to increase *sequential* speed, such as:
>
> * Overclocking.
>   * This shortens lifetime, so you can spend more energy (on building new
> miners) in order to get more blocks than your competitors.
> * Lower temperatures.
>   * This requires refrigeration/cooling, so you can spend more energy (on
> the refrigeration process) in order to get more blocks than your
> competitors.
>
> I am certain people with gaming rigs can point out more ways to improve
> sequential speed, as necessary to get more frames per second.
>
> Given the above, I think VDFs will still fail at their intended task.
> Speed, yo.
>
> Thus, VDFs do not serve as a sufficient deterrent away from
> ever-increasing energy consumption --- it just moves the energy consumption
> increase away from the obvious (parallelism) to the
> obscure-if-you-have-no-gamer-buds.
>
> You humans just need to get up to Kardashev 1.0, stat.
>
> Regards,
> ZmnSCPxj
>
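As an added illustration (not code from this thread or from any of its authors), the Python below models the two-step scheme Zac proposes: a fixed 540 s VDF delay followed by a memoryless hash race with a 60 s mean, compared with plain PoW modelled as a memoryless race with a 600 s mean, and checks the simulated spread of block intervals against the closed form. A second function puts numbers on ZmnSCPxj's head-start objection under the same assumed model, for a miner with a given hashrate share whose VDF finishes some seconds before everyone else's; the model and every parameter here are assumptions of this example, not figures from the thread.

```python
"""Block-interval spread under a VDF-plus-PoW scheme versus plain PoW.

Model (an assumption of this example, not something the thread specifies):
the VDF over the previous block takes the same fixed number of seconds for
every miner, and the follow-up hash race is a memoryless Poisson process, so
each block interval is vdf_seconds + Exp(pow_mean_seconds).  Plain PoW is the
special case vdf_seconds = 0 with a 600 s mean.
"""
import math
import random
import statistics

T_VDF = 9 * 60   # seconds the VDF takes (Zac's "say 9 minutes")
T_POW = 60       # mean seconds of the remaining hash race (Zac's "1 minute")
T_BTC = 10 * 60  # mean block interval of plain PoW, for comparison


def simulate_intervals(n, vdf_seconds, pow_mean_seconds, seed=1):
    """Return n simulated block intervals in seconds.

    A fixed VDF delay followed by a memoryless hash race; vdf_seconds=0
    gives plain proof-of-work.  Seeded so runs are reproducible.
    """
    rng = random.Random(seed)
    return [vdf_seconds + rng.expovariate(1.0 / pow_mean_seconds)
            for _ in range(n)]


def interval_stats(intervals):
    """Mean, standard deviation and coefficient of variation of intervals."""
    mean = statistics.fmean(intervals)
    stdev = statistics.pstdev(intervals)
    return {"mean": mean, "stdev": stdev, "cv": stdev / mean}


def analytic_stats(vdf_seconds, pow_mean_seconds):
    """Closed form for the same model: Exp(m) has mean m and stdev m, and
    adding a constant delay shifts the mean but leaves the stdev unchanged."""
    mean = vdf_seconds + pow_mean_seconds
    stdev = pow_mean_seconds
    return {"mean": mean, "stdev": stdev, "cv": stdev / mean}


def head_start_win_probability(hash_share, head_start_seconds, pow_mean_seconds):
    """Probability that a miner whose VDF finishes head_start_seconds before
    everyone else's wins the block, holding hash_share of global hashrate.

    During the head start only this miner hashes, finding blocks at rate
    hash_share / pow_mean_seconds; if nobody has won by the time the rest
    join, the race is fair and the miner wins with probability hash_share.
    This is ZmnSCPxj's "0.1s where only you can mine" made quantitative,
    under the memoryless-race assumption stated above.
    """
    solo_rate = hash_share / pow_mean_seconds
    p_solo = 1.0 - math.exp(-solo_rate * head_start_seconds)
    return p_solo + (1.0 - p_solo) * hash_share


if __name__ == "__main__":
    n = 100_000
    for label, vdf, pw in (("plain PoW (mean 600s)", 0, T_BTC),
                           ("VDF 540s + PoW 60s", T_VDF, T_POW)):
        sim = interval_stats(simulate_intervals(n, vdf, pw))
        exact = analytic_stats(vdf, pw)
        print(f"{label}: simulated mean={sim['mean']:.1f}s "
              f"stdev={sim['stdev']:.1f}s cv={sim['cv']:.3f}; "
              f"analytic stdev={exact['stdev']}s cv={exact['cv']:.3f}")
    for d in (0.1, 1.0, 10.0, 60.0):
        p = head_start_win_probability(0.10, d, T_POW)
        print(f"10% hashrate, VDF {d:>5.1f}s ahead: wins {p:.4%} of blocks")
```

The spread of intervals collapses from a 600 s standard deviation to 60 s, which is Zac's claim; the head-start table shows that how much a faster sequential evaluator gains depends on how its lead compares with the length of the remaining hash race.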


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-18 Thread ZmnSCPxj via bitcoin-dev
Good morning Erik,

> Verifiable Delay Functions involve active participation of a single
> verifier. Without this a VDF decays into a proof-of-work (multiple
> verifiers === parallelism).
>
> The verifier, in this case is "the bitcoin network" taken as a whole.
> I think it is reasonable to consider that some difficult-to-game
> property of the last N blocks (like the hash of the last 100
> block-id's or whatever), could be the verification input.
>
> The VDF gets calculated by every eligible proof-of-burn miner, and
> then this is used to prevent a timing issue.
>
> Seems reasonable to me, but I haven't looked too far into the
> requirements of VDF's
>
> nice summary for anyone who is interested:
> https://medium.com/@djrtwo/vdfs-are-not-proof-of-work-91ba3bec2bf4
>
> While VDF's almost always lead to a "cpu-speed monopoly", this would
> only be helpful for block latency in a proof-of-burn chain. Block
> height would be calculated by eligible-miner-burned-coins, so the
> monopoly could be easily avoided.

Interesting link.

However, I would like to point out that the *real* reason that PoW consumes 
lots of power is ***NOT***:

* Proof-of-work is parallelizable, so it allows miners to consume more energy
(by buying more grinders) in order to get more blocks than their competitors.

The *real* reason is:

* Proof-of-work allows miners to consume more energy in order to get more 
blocks than their competitors.

VDFs attempt to sidestep that by removing parallelism.
However, there are ways to increase *sequential* speed, such as:

* Overclocking.
  * This shortens lifetime, so you can spend more energy (on building new 
miners) in order to get more blocks than your competitors.
* Lower temperatures.
  * This requires refrigeration/cooling, so you can spend more energy (on the 
refrigeration process) in order to get more blocks than your competitors.

I am certain people with gaming rigs can point out more ways to improve 
sequential speed, as necessary to get more frames per second.

Given the above, I think VDFs will still fail at their intended task.
Speed, yo.

Thus, VDFs do not serve as a sufficient deterrent away from ever-increasing 
energy consumption --- it just moves the energy consumption increase away from 
the obvious (parallelism) to the obscure-if-you-have-no-gamer-buds.

You humans just need to get up to Kardashev 1.0, stat.

Regards,
ZmnSCPxj


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-17 Thread Erik Aronesty via bitcoin-dev
Verifiable Delay Functions involve active participation of a single
verifier. Without this a VDF decays into a proof-of-work (multiple
verifiers === parallelism).

The verifier, in this case is "the bitcoin network" taken as a whole.
I think it is reasonable to consider that some difficult-to-game
property of the last N blocks (like the hash of the last 100
block-id's or whatever), could be the verification input.

The VDF gets calculated by *every* eligible proof-of-burn miner, and
then this is used to prevent a timing issue.

Seems reasonable to me, but I haven't looked too far into the
requirements of VDF's

nice summary for anyone who is interested:
https://medium.com/@djrtwo/vdfs-are-not-proof-of-work-91ba3bec2bf4

While VDF's almost always lead to a "cpu-speed monopoly", this would
only be helpful for block latency in a proof-of-burn chain.  Block
height would be calculated by eligible-miner-burned-coins, so the
monopoly could be easily avoided.

There has been some decent earlier work on blind/uncensorable burns:
https://eprint.iacr.org/2019/1096.pdf

A miner could then reveal A) the VDF and B) proof-of-burn as a part of
a block.  Nodes would simply select the block with A) a valid VDF and
B) the highest "qualified" POB.

With most burns running at a loss, and no way to predict the next
"winning burn", and the VDF providing timing, I'm not sure how this is
worse than Bitcoin's existing system.

On Mon, May 10, 2021 at 5:51 PM Jeremy  wrote:
>
> re: 2, there's been some promising developments with Verifiable Delay 
> Functions that make me think that the block regulation problems are solvable 
> without requiring brute-force search proof of work. Are those inapplicable 
> for some reason?
>


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-10 Thread LORD HIS EXCELLENCY JAMES HRMH via bitcoin-dev
Good Afternoon,

Proof-of-stake sounds like an altcoin fork. There is no consideration that 
proof-of-work is insufficient or that it can be improved upon, only that it 
should be regulated. Imagine, you are a gold miner with larger hands so you 
start a mining race and mine plenty more than everyone. Pretty soon everybody 
is employing all their available resources just to keep up in the mining race 
since there are only so many carts instead of just to leisurely utilise surplus 
resources for an opportune find. Each block is a new gold mine. It is enough 
for everybody to use leisurely resources.

I have initiated conversation previously regarding a method to regulate mining, 
and believe wholeheartedly it should happen. That is necessary for the future
stability of Bitcoin as it is clear the rate of work cannot be allowed to 
increase at such a rate. If you search the bitcoin-dev archives you will find 
discussion there under my email as we search for a solution.

KING JAMES HRMH
Great British Empire

Regards,
The Australian
LORD HIS EXCELLENCY JAMES HRMH (& HMRH)
of Hougun Manor & Glencoe & British Empire
MR. Damian A. James Williamson
Wills

et al.


Willtech
www.willtech.com.au
www.go-overt.com
and other projects

earn.com/willtech
linkedin.com/in/damianwilliamson


m. 0487135719
f. +61261470192


This email does not constitute a general advice. Please disregard this email if 
misdelivered.

From: bitcoin-dev  on behalf of 
Keagan McClelland via bitcoin-dev 
Sent: Tuesday, 11 May 2021 1:01 AM
To: Bitcoin Protocol Discussion ; Erik 
Aronesty 
Cc: SatoshiSingh 
Subject: Re: [bitcoin-dev] Opinion on proof of stake in future

To reiterate some of the points here. My problem with proof of stake is twofold.

1. It requires permission of coin holders to enter into the system. This is not 
true of proof of work. You may even attempt (though not successfully) a proof 
of work with pencil and paper and submit the block from a regular laptop if you 
so choose. Whether this level of permissionlessness is necessary is up to 
individual risk tolerance etc. but it is definitely the default preference of 
Bitcoin.

2. Proof of stake must have a trusted means of timestamping to regulate 
overproduction of blocks. This introduction of trust is generally considered to 
be a nonstarter in Bitcoin. Proof of Work regulates this by making blocks 
fundamentally difficult to produce in the first place.

Like Jeremy, I’m always interested to learn about new attempts in consensus 
algorithms, but the bar to clear is very high and proof of stake to date has 
not proposed much less demonstrated a set of properties that is consistent with 
Bitcoin's objectives.

Keagan

On Mon, May 10, 2021 at 8:43 AM Erik Aronesty via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
personally, not speaking for anyone else, i think that proof-of-burn
has a much higher likelihood of being a) good enough security and b)
solving the nothing-at-stake problem

the only issue i see with a quality PoB implementation is a robust
solution to the block-timing problem.

https://grisha.org/blog/2018/01/23/explaining-proof-of-work/

i do think there *could* be other low-energy solutions to verifiable
timing, just haven't seen one


On Fri, May 7, 2021 at 6:50 PM SatoshiSingh via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Hello list,
>
> I am a lurker here and like many of you I worry about the energy usage of
> bitcoin mining. I understand a lot of mining happens with renewable resources
> but the impact is still high.
>
> I want to get your opinion on implementing proof of stake for bitcoin mining
> in future. For now, proof of stake is still untested and not battle tested
> like proof of work. Though someday it will be.
>
> In the following years we'll be seeing proof of stake being implemented.
> Smaller networks can test PoS which is a luxury bitcoin can't afford. Here's
> how I see the possibilities:
>
> 1 - Proof of stake isn't a good enough security mechanism
> 2 - Proof of stake is a good security mechanism and works as intended
>
> IF PoS turns out to be good after battle testing, would you consider
> implementing it for Bitcoin? I understand this would invoke a lot of
> controversies and a hard fork that no one likes. But it's important enough to
> consider a hard fork. What are your opinions provided PoS does work?
>
> Love from India.

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-10 Thread Jeremy via bitcoin-dev
re: 2, there's been some promising developments with Verifiable Delay
Functions that make me think that the block regulation problems are
solvable without requiring brute-force search proof of work. Are those
inapplicable for some reason?


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-10 Thread Keagan McClelland via bitcoin-dev
To reiterate some of the points here. My problem with proof of stake is
twofold.

1. It requires permission of coin holders to enter into the system. This is
not true of proof of work. You may even attempt (though not successfully) a
proof of work with pencil and paper and submit the block from a regular
laptop if you so choose. Whether this level of permissionlessness is
necessary is up to individual risk tolerance etc. but it is definitely the
default preference of Bitcoin.

2. Proof of stake must have a trusted means of timestamping to regulate
overproduction of blocks. This introduction of trust is generally
considered to be a nonstarter in Bitcoin. Proof of Work regulates this by
making blocks fundamentally difficult to produce in the first place.

Like Jeremy, I’m always interested to learn about new attempts in consensus
algorithms, but the bar to clear is very high and proof of stake to date
has not proposed much less demonstrated a set of properties that is
consistent with Bitcoin's objectives.

Keagan

On Mon, May 10, 2021 at 8:43 AM Erik Aronesty via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> personally, not speaking for anyone else, i think that proof-of-burn
> has a much higher likelihood of being a) good enough security and b)
> solving the nothing-at-stake problem
>
> the only issue i see with a quality PoB implementation is a robust
> solution to the block-timing problem.
>
> https://grisha.org/blog/2018/01/23/explaining-proof-of-work/
>
> i do think there *could* be other low-energy solutions to verifiable
> timing, just haven't seen one
>
>
> On Fri, May 7, 2021 at 6:50 PM SatoshiSingh via bitcoin-dev
>  wrote:
> >
> > Hello list,
> >
> > I am a lurker here and like many of you I worry about the energy usage
> > of bitcoin mining. I understand a lot of mining happens with renewable
> > resources but the impact is still high.
> >
> > I want to get your opinion on implementing proof of stake for bitcoin
> > mining in future. For now, proof of stake is still untested and not battle
> > tested like proof of work. Though someday it will be.
> >
> > In the following years we'll be seeing proof of stake being implemented.
> > Smaller networks can test PoS which is a luxury bitcoin can't afford.
> > Here's how I see the possibilities:
> >
> > 1 - Proof of stake isn't a good enough security mechanism
> > 2 - Proof of stake is a good security mechanism and works as intended
> >
> > IF PoS turns out to be good after battle testing, would you consider
> > implementing it for Bitcoin? I understand this would invoke a lot of
> > controversies and a hard fork that no one likes. But it's important enough
> > to consider a hard fork. What are your opinions provided PoS does work?
> >
> > Love from India.
>


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-10 Thread Erik Aronesty via bitcoin-dev
personally, not speaking for anyone else, i think that proof-of-burn
has a much higher likelihood of being a) good enough security and b)
solving the nothing-at-stake problem

the only issue i see with a quality PoB implementation is a robust
solution to the block-timing problem.

https://grisha.org/blog/2018/01/23/explaining-proof-of-work/

i do think there *could* be other low-energy solutions to verifiable
timing, just haven't seen one


On Fri, May 7, 2021 at 6:50 PM SatoshiSingh via bitcoin-dev
 wrote:
>
> Hello list,
>
> I am a lurker here and like many of you I worry about the energy usage of
> bitcoin mining. I understand a lot of mining happens with renewable resources
> but the impact is still high.
>
> I want to get your opinion on implementing proof of stake for bitcoin mining
> in future. For now, proof of stake is still untested and not battle tested
> like proof of work. Though someday it will be.
>
> In the following years we'll be seeing proof of stake being implemented.
> Smaller networks can test PoS which is a luxury bitcoin can't afford. Here's
> how I see the possibilities:
>
> 1 - Proof of stake isn't a good enough security mechanism
> 2 - Proof of stake is a good security mechanism and works as intended
>
> IF PoS turns out to be good after battle testing, would you consider
> implementing it for Bitcoin? I understand this would invoke a lot of
> controversies and a hard fork that no one likes. But it's important enough to
> consider a hard fork. What are your opinions provided PoS does work?
>
> Love from India.


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-09 Thread Cloud Strife via bitcoin-dev
Proof of stake is permissioned by coins, an internal, permissioned, and
already owned resource.

You cannot gain tokens without someone choosing to give up those coins - a
form of permission. Permission can also be thought of as an infinite
barrier to entry.

PoW forces giving up control through both permissionless to enter mining
via EXTERNAL permissionless resources and unforgeable costliness for the
miners.

Without unforgeable costliness there's no reason to ever give up control in
PoS.

In fact, staking quite literally incentivizes keeping control by rewarding
those in control with more coins and control in perpetuity at no cost - the
incentives on PoS are completely backwards from decentralizing control.

Since no mechanism forces control to be permissionlessly distributed to
others, parties in control cannot be considered independent parties nor can
control be considered decentralized.

PoS solves nothing that's relevant to permissionless decentralized networks.


> In the following years we'll be seeing proof of stake being implemented


It has been implemented since 2014 but it doesn't meet criteria for a
permissionless network. There's nothing new about implementing permissioned
networks.

You could try to replace proof of work with proof of bitcoin burn (not well
studied) on blockchains other than Bitcoin, but there's no known
replacement for proof of work for Bitcoin right now.

PoS has been considered and studied many times since then and dismissed
repeatedly for irrelevance to decentralized permissionless technology,
examples:

   - https://nakamotoinstitute.org/research/on-stake-and-consensus/
   - https://medium.com/@factchecker9000/nothing-is-worse-than-proof-of-stake-e70b12b988ca
   - https://www.truthcoin.info/blog/pow-cheapest/
   - https://hugonguyen.medium.com/work-is-timeless-stake-is-not-554c4450ce18
   - https://arxiv.org/abs/1809.06528



On Sat, May 8, 2021 at 10:49 AM Karl via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> What is more important;
>> Bitcoin mining introduces the first free-market demand for the cheapest
>> energy source.
>
>
> This is a really great idea but I think access to technologically advanced
> hardware is a stronger component than energy here.
>
> Making open community chip fabs might change that.  Then anybody could get
> on the bandwagon.  But right now the hardware barrier keeps the common
> person out.
>
> If you can build a chip fab, you may also be able to build a powerplant.
> Not many others can do that to compete with you.  The energy economy still
> has more supply than competition or renewable energy would quickly
> outcompete nonrenewable as the price dropped.
>


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-09 Thread R E Broadley via bitcoin-dev
According to this paper:
https://www.cs.umd.edu/projects/coinscope/coinscope.pdf

PoW is also only resilient to 1/3rd of the network.

On Sat, 8 May 2021 at 14:46, Eric Martindale via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Mr. Singh,
>
> Proof of Stake is only resilient to ⅓ of the network demonstrating a
> Byzantine Fault, whilst Proof of Work is resilient up to the ½ threshold.
> You can explore prior research here:
> https://download.wpsoftware.net/bitcoin/pos.pdf
>
> Independent of the security thresholds, Proof of Stake requires other
> trade-offs which are incompatible with Bitcoin's objective (to be a
> trustless digital cash) — specifically the famous "security vs. liveness"
> guarantee.  Digital cash is not useful if it must be globally halted to
> ensure its security, and Proof of Work squarely addresses this concern.
>
> Above and beyond any security consideration, Proof of Stake incentivizes
> the accumulation of wealth within a small set of actors, which is
> undesirable for the long-term health of any such network.  If we are to
> free humanity from the tyranny of the State, we must do so by protecting
> the rights of every individual to hold and preserve their own value,
> without trusting any third party.  Entrusting the health of the network to
> the "economic elite" is the paramount evil with respect to Bitcoin's
> objectives, never mind that Proof of Work relies on energy expenditure to
> provide its security.
>
> Sincerely,
>
> Eric Martindale, relentless maker.
> Founder & CEO, Fabric, Inc.
> +1 (919) 374-2020
>
>
> On Fri, May 7, 2021 at 6:50 PM SatoshiSingh via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>> Hello list,
>>
>> I am a lurker here and like many of you I worry about the energy usage
>> of bitcoin mining. I understand a lot of mining happens with renewable
>> resources but the impact is still high.
>>
>> I want to get your opinion on implementing proof of stake for bitcoin
>> mining in future. For now, proof of stake is still untested and not battle
>> tested like proof of work. Though someday it will be.
>>
>> In the following years we'll be seeing proof of stake being implemented.
>> Smaller networks can test PoS which is a luxury bitcoin can't afford.
>> Here's how I see the possibilities:
>>
>> 1 - Proof of stake isn't a good enough security mechanism
>> 2 - Proof of stake is a good security mechanism and works as intended
>>
>> IF PoS turns out to be good after battle testing, would you consider
>> implementing it for Bitcoin? I understand this would invoke a lot of
>> controversies and a hard fork that no one likes. But it's important enough
>> to consider a hard fork. What are your opinions provided PoS does work?
>>
>> Love from India.


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-09 Thread Karl via bitcoin-dev
On Sun, May 9, 2021, 6:21 AM R E Broadley <
rebroad+linuxfoundation@gmail.com> wrote:

> On Sat, 8 May 2021 at 15:36, Karl via bitcoin-dev
>  wrote:
> > Bitcoin would get better mainstream public reputation if the block
> reward were reduced to reduce mining.  This would quickly and easily reduce
> energy expenditure.
>
> You're in luck then, as the block reward is being reduced by 50%, every 4
> years.
>

I'm aware of that and it is why I mentioned "block reward termination" in
the next paragraph... did you receive the rest of my message?  Or why do
you say this?



Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-09 Thread R E Broadley via bitcoin-dev
On Sat, 8 May 2021 at 15:36, Karl via bitcoin-dev
 wrote:
> Bitcoin would get better mainstream public reputation if the block reward 
> were reduced to reduce mining.  This would quickly and easily reduce energy 
> expenditure.

You're in luck then, as the block reward is being reduced by 50%, every 4 years.


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-08 Thread Karl via bitcoin-dev
Bitcoin would get better mainstream public reputation if the block reward
were reduced to reduce mining.  This would quickly and easily reduce energy
expenditure.

A system would be needed to do that with consensus, to make it political.
For example, making a norm of extending the block reward termination
farther into the future, spreading the remaining coins out more thinly, but
never doing the opposite.

PoS can be made to work but it's hard to do so amid such disagreement.  It
is so hard to express one's relevant information concisely and effectively.

I recommended earlier finding or hiring an experienced facilitator who
could make sure all concerns around the chain are included by engaging all
the dialog more productively.  Somebody would need to be available to do
the work of finding such a person and any compensation they might need.

On Fri, May 7, 2021, 7:05 PM Eric Voskuil via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
>

This wiki states things as impossible but does not at all demonstrate them
to be so.

The assumption that something is impossible always relies on many other
assumptions, and the reader may have different ones from the author.

Quote from Proof-of-Stake-Fallacy:
> In Other Means Principle it is shown that censorship resistance depends
> on people paying miners to overpower the censor.
> Overcoming censorship is not possible in a PoS system, as the censor has
> acquired majority stake and cannot be unseated.

If the link in that text is followed, you get:

Quote from Other Means Principle:
> Given that mining is necessarily anonymous, there is no way for the
> economy to prevent state participation in mining.

The article then goes on to assume this, but "no way" is a circular link
back to Proof-of-Stake-Fallacy!

Never is it demonstrated that a censor will always be able to have majority
stake.  In a PoS system, they would have to be able to form false chain
histories to do that.  In a PoW system, they would have to outcompete the
work.

These are not inherent limitations.  The whole world is open.  Consider a
proof of work algorithm that requires the freeing of prisoners: a state is a
very different state if it does this.  Or a communication protocol that
already cannot be intercepted.  These things are exotically hard, but not
impossible, and show that the logic of the articles is not valid.

Another random idea: incentivising out-of-band channels, for example.
Mining blocks based on finding and uniting illegitimate forks.  Now a chain
functions by defeating its own censorship.


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-08 Thread Prayank via bitcoin-dev
My opinion:

1. I don't consider PoS to be a better consensus mechanism compared to PoW used
in Bitcoin. So any proposal related to PoS in Bitcoin is not an improvement for
me.

2. Bitcoin is a protocol for a decentralized network that creates consensus
without needing a central authority to provide trust. Bitcoin with PoS will be
a protocol for a network that creates consensus based on bitcoin holdings.

3. Experiments with PoS can work in trust-minimized applications that use
Bitcoin or LN or Bitcoin sidechains. However, PoW works better for the base
layer or Bitcoin protocol.

4. The Bitcoin protocol should not be changed based on mainstream media
articles, new buzzwords or trends, altcoins, governments etc.

5. Everything involves trade-offs. Not everything needs to be online. Not
everything needs to be on a chain of blocks. There are things that you would
prefer to save in a spreadsheet offline or write on paper. Similarly, PoS is
not the best consensus mechanism for a 'decentralized network' but it may work
for projects (not decentralized) that want to use Bitcoin for a few things.

6. Most of the Bitcoin users and devs consider PoW used in Bitcoin as the best
consensus mechanism. Few people experimenting with PoS will result in another
altcoin with nothing much to contribute in improving Bitcoin. I think there are
better things to focus on and one of them is privacy.

A few things related to Bitcoin mining that I consider improvements:

- Stratum v2
- More countries started mining bitcoin recently
- Recycling ASIC heat:
  https://braiins.com/blog/green-innovation-in-bitcoin-mining-recycling-asic-heat

I would love to see people in India researching how to create better ASICs and
getting more involved in Bitcoin mining.

Related links:

https://bitcoin.stackexchange.com/questions/95356/why-doesnt-bitcoin-migrate-to-proof-of-stake

https://download.wpsoftware.net/bitcoin/asic-faq.pdf (Andrew Poelstra)

https://medium.com/@dsl_uiuc/fake-stake-attacks-on-chain-based-proof-of-stake-cryptocurrencies-b8b05723f806


-- 
 Prayank


Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-08 Thread honest69abe via bitcoin-dev
And to address your energy usage concern:

Energy usage, in and of itself, is nothing to be ashamed of!! It's the
composition of that energy usage that could be shameful. There is much debate
currently about what that composition is for Bitcoin, but those estimates range
from 20-80% renewable. However, where it currently stands is largely
irrelevant...

What is more important:
Bitcoin mining introduces the first free-market demand for the cheapest energy
source.

I think most people are unaware of how impactful this is.

Renewable energies have crossed over into being the cheapest forms of energy
and are still declining at steep rates. Estimates from the International
Renewable Energy Agency break down the Levelized Cost of Energy as follows:
Geothermal ($0.05-0.1/kWh), Coal (0.06-0.07), natural gas (0.04-0.07), wind
(0.02-0.05), solar (0.03-0.04), hydro (0.01-0.04).

Thus, Bitcoin is the first intrinsic incentive for humans to invest in the
cheapest forms of energy, which happen to be the cleanest.

Bitcoin as a free-market energy generation incentive that doesn't also optimize
for human habitability will be civilizationally changing. E.g. solar farms in
deserts, high-altitude wind.

I welcome any thoughts and criticisms of my thinking here.

Sent from ProtonMail mobile



Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-07 Thread Jeremy via bitcoin-dev
Proof-of-stake tends towards oligopolistic control, which is antithetical
to bitcoin.

Proof-of-stake also has some other security issues that make it a bad
substitute for Proof-of-work with respect to equivocation (reorgs).

Overall you'll find me *personally* in the camp that it's OK to explore
non-PoW means of consensus long term that can keep the network in consensus
in a more capital efficient manner, but that proof-of-stake is not such a
substitute. Other Bitcoiners will disagree with this invariably, but if you
truly have a novel solution for Byzantine Generals, it would be a major
contribution to not just Bitcoin but the field of computer science as a
whole and would likely get due consideration.

What's difficult is that Bitcoin PoW has some very specific properties that
may or may not be desirable around e.g. fairness that might be difficult to
ensure in other systems, so there is probably more to the puzzle than just
consensus.
--
@JeremyRubin 





Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-07 Thread Eric Voskuil via bitcoin-dev
https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Stake-Fallacy
