From: Eric Voskuil
Date: Thu, 18 Jul 2019 22:10:30 -0700
To: ZmnSCPxj
Cc: Bitcoin Protocol Discussion, "Kenshiro []"
Subject: Re: [bitcoin-dev] Secure Proof Of Stake implementation on Bitcoin

> On Jul 18, 2019, at 20:45, ZmnSCPxj wrote:
>
> Good morning Kenshiro,
>
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Thursday, July 18, 2019 11:50 PM, Kenshiro [] wrote:
>>
>> Hi all,
>>
>>>>> A 51% attack under proof-of-work is only possible, in general, if some singular entity were able to have physical control of almost 50%, or some such close number, of the globe, simply due to the fact that energy availability is somewhat distributed over the globe.
>>
>> Mining is not only about the energy sources, individual miners spread around the globe can join big mining pools, and these mining pools could be hacked to participate in a 51% attack. Some governments (or other groups) could plan this type of attack if it's in their interest.
>>
>> If you look at this graph you will see that controlling 4 mining pools could be enough:
>>
>> https://www.blockchain.com/en/pools
>
> Pools only have short-term power in that they can only temporarily attack the coin until miners notice and then voluntarily leave.

But also long term economic power, since leaving implies a lower proportional hash power, until another comparably-sized pool exists, but this is not the case when there is a majority hash power pool, which is economically inevitable until the majority miner starts censoring.

https://github.com/libbitcoin/libbitcoin-system/wiki/Pooling-Pressure-Risk

> Pools are themselves still subject to economic forces, and censored transactions can raise their fee until competing pools arise which do not censor (and which would have an economic advantage in taking the higher fee offered).
> The invisible hand abides.

This is why PoW is necessary, and why fee-based confirmation is necessary. It’s the only economically-rational way that the censor can be overpowered. But keep in mind the only net cost to the censor is the *premium* on censored transactions.

https://github.com/libbitcoin/libbitcoin-system/wiki/Censorship-Resistance-Property

> Further, the correct solution is to support the development and deployment of better pool<->miner protocols, such as BetterHash.
> So we should instead focus on helping Matt Corallo et al. in this work, than proposing a hard fork to proof-of-stake which will be strongly opposed economically.

While this proposal may introduce engineering improvements, it does not change any of the economic forces at work and therefore does not mitigate this issue. The pool controls the payout, and therefore retains power over tx selection regardless of who selects and grinds on them.

https://github.com/libbitcoin/libbitcoin-system/wiki/Decoupled-Mining-Fallacy

>>>>> Secondly: change of hashing algorithm is pointless in the highly unlikely case of a 51% attack, because what matters is control of energy sources.
>>
>> As far as I know, if the PoW algorithm changes to an ASIC resistant algorithm that can only run in GPUs or CPUs, the hashing power would be much more distributed at least until someone creates a new ASIC for that algorithm. There are many GPUs around the globe, but not so many ASIC miners right?
>
> GPUs still require electricity to run, and are far easier to source.
> Hash change simply means that those with control of energy sources can easily purchase the needed hardware from many sources (as opposed to ASICs which are only sourced from a few places).
> So a hash change will only affect things temporarily, and it will still settle to the existing distribution of mining hashpower.

Yes

https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Work-Fallacy

>>>>> Nothing can be more efficient than proof-of-work, and the proof-of-stake delusion is simply a perpetual motion machine that attempts to get something from nothing.
>>
>> As time passes and more PoS coins appear, including big projects like Ethereum, we will see if it's delusional or not 🙂
>>
>> I forgot one, if you do a 51% attack to a PoS coin you know that all your staking funds will be burned. In a PoW coin you don't lose your miners and can use them to mine or attack another coin with the same algorithm.
>
> I already told you that it is always possible to get around this: leverage by use of short options.
> Short the coin to attack, then perform your attack by censorship.
> Coin value will drop due to reduced utility of the coin, then you reap the rewards of the short option you prepared beforehand.
> By this, you can steal the entire marketcap of the coin.

Yes, and of course stealing the value in the chain is not the only way to profit from the destruction of its usefulness. PoS offers no defense against the primary threat to permissionless money.

https://github.com/libbitcoin/libbitcoin-system/wiki/Fedcoin-Objectives

> Then you still have the economic power (plus what you managed to steal), which you can then use to take over another proof-of-stake coin, regardless of whether it uses the same proof-of-stake algorithm or not.
>
> At least mining hardware are physical hardware and subject to deprecation over time.

Capital cost isn’t the source of this defense, it’s the ability to introduce as much power as necessary to evict the censor, paid for by the rising premium on censored txs. Without this the majority miner can mine indefinitely and be the most profitable. This is of no consequence to confirmation until censorship begins.

In PoS, once a miner achieves necessary stake (also profitably) it can censor indefinitely. It’s a big difference.

https://github.com/libbitcoin/libbitcoin-system/wiki/Cryptodynamic-Principles

>>>>> You must understand that removing the chain tip puts the transactions in that block back in the mempool, before we ever start following the longer chain.
>>
>> Yep but it could make double spend attacks very easy. People would know what is happening and could send the money to themselves with a higher fee to recover it. Many people would lose money with that.
>>
>> To fix that problem with a PoS algorithm, some community-guided initiative could get all transactions of both chains and create a merged chain with a hard fork so double spends attacks would not be possible. This could be somewhat slow, maybe the network is stopped a few days, but in the end no one will see money disappear from their wallet, much better than pray that your payer doesn't send the money back to himself.
>
> This happens every day in Bitcoin, and nobody particularly cares.
> You just wait for confirmations that in practice are impossible for some orphaned chain to persist.

Yes, and of course the same scenario as described above can also occur with PoW. Gather up the victims, invest in mining a stronger chain, get the profit from the mining investment, and get your money back.

>>>>> This solution is worse than the problem, and speeds up the dominance of large stakers over the coin, trivially letting someone with the largest stake in the coin grow their stake even faster.
>>
>> I think it's very evident that the rich guy earns coins faster in both algorithms.
>>
>> In PoS if you have 51% of the coins and use them to stake, you make 51% of the blocks, I don't see any problem with that. If you decide to do a 51% attack, stopping doing blocks in the main chain to force the others to follow your "private" chain, well, you know for sure your funds will be burned in the next hard fork.
>
> But your proposal of being non-linear on the size of the stake means that if you have 51% of the coins, if you put them in a single stake UTXO you potentially get 99.999% of the blocks, which is ***much worse***.

It’s sort of like Bitcoin’s nonlinear hash power to hash rate ratio, on steroids. The nonlinearity hasn’t been shown to be avoidable, but certainly something to minimize.

> Just admit that you have no real solution to knowing how much every entity controls of your coin.
>>>>> No, I think it will be very successful in ensuring that smart individuals will spend their time actually doing things that benefit the economy and technology instead of wasting their time being distracted with Ethereum and proof-of-stake.
>>
>> Ok, we the PoS advocates will let the smart people to work in more difficult issues like finding reasons to justify the energy waste and heat generation of PoW when Bitcoin price reaches 1 million dollars 😉
>
> We hope to see you back soon after having learned your lesson.

Let’s all be nice. But WRT energy waste... see last paragraph for a consideration of waste in relation to any other monetary options.

https://github.com/libbitcoin/libbitcoin-system/wiki/Energy-Waste-Fallacy

e

> Regards,
> ZmnSCPxj