Date: Fri, 19 Jul 2019 03:45:03 +0000
To: "Kenshiro []" <tensiam@hotmail.com>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <hv2EyhKHfNd-TmH2j-8jLFWw6nUMYHOsNF_5Vy-eZLQLessR9Quy4uXn8ZVYLK4dZrwcVq3QeCcEXdCHPOJ0tgya5P34S1seEAGSRyPYpks=@protonmail.com>
In-Reply-To: <DB6PR10MB1832C21C602126F797132A4AA6C80@DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM>
References: <DB6PR10MB183264613ED0D61F2FBC6524A6F30@DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM>
	<Hyx4PP6c5-kzdKTCrIQLO1W3Hve-bm5gDiY5pBq8wi6ry2J-1KPO4TDJrRxk7rwq-3aEIUIkkYdKqmPwTzlQZBU-3xUf-fru_drJ9PM4yRI=@protonmail.com>
	<DB6PR10MB1832BAAB9D194B6AA61C2573A6C90@DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM>
	<207DBF48-E996-440D-ADDC-3AEC9238C034@voskuil.org>,
	<brBQhROvRWwcPjdOBU0_7e0_dpBN4Noy1gP9TaEB6bEiOWTa3Huumz242_pjVI27u_G_edcTX7Ko6aD6pi6ta1vdQMzHCAli5Q_-55HD2SU=@protonmail.com>
	<DB6PR10MB183268A7D3C744B1269E46EAA6C80@DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM>,
	<-FVjDC_47DKPnkjAvcOAh3XMnIBIKspnLWrbpNlgE043OsEAJx9ZT5I3m7XWgwbsVps3QlwP7XSDu5yZ5JWSLxGiJM99T1ycjqqP7AUrtzo=@protonmail.com>
	<DB6PR10MB1832C21C602126F797132A4AA6C80@DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM>
Feedback-ID: el4j0RWPRERue64lIQeq9Y2FP-mdB86tFqjmrJyEPR9VAtMovPEo9tvgA0CrTsSHJeeyPXqnoAu6DN-R04uJUg==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Secure Proof Of Stake implementation on Bitcoin
Precedence: list

Good morning Kenshiro,


Sent with ProtonMail Secure Email.

=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me=
ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90
On Thursday, July 18, 2019 11:50 PM, Kenshiro [] <tensiam@hotmail.com> wrot=
e:

> Hi all,
>
> >>>=C2=A0A 51% attack under proof-of-work is only possible, in general, i=
f some singular entity were able to have physical control of almost 50%, or=
 some such close number, of the globe, simply due to the fact that energy a=
vailability is somewhat distributed over the globe.
>
> Mining is not only about the energy sources, individual miners spread aro=
und the globe can join big mining pools, and these mining pools could be ha=
cked to participate in a 51% attack. Some governments (or other groups) cou=
ld plan this type of attack if it's in their interest.=C2=A0
>
> If you look at this graph you will see that controlling 4 mining pools co=
uld be enough:
>
> https://www.blockchain.com/en/pools

Pools only have short-term power in that they can only temporarily attack t=
he coin until miners notice and then voluntarily leave.
Pools are themselves still subject to economic forces, and censored transac=
tions can raise their fee until competing pools arise which do not censor (=
and which would have an economic advantage in taking the higher fee offered=
).
The invisible hand abides.

Further, the correct solution is to support the development and deployment =
of better pool<->miner protocols, such as BetterHash.
So we should instead focus on helping Matt Corallo et al. in this work, tha=
n proposing a hard fork to proof-of-stake which will be strongly opposed ec=
onomically.

>
> >>>=C2=A0Secondly: change of hashing algorithm is pointless in the highly=
 unlikely case of a 51% attack, because what matters is control of energy s=
ources.
>
> As far as I know, if the PoW algorithm changes to an ASIC resistant algor=
ithm that can only run in GPUs or CPUs, the hashing power would be much mor=
e distributed at least until someone creates a new ASIC for that algorithm.=
 There are many GPUs around the globe, but not so many ASIC miners right?

GPUs still require electricity to run, and are far easier to source.
Hash change simply means that those with control of energy sources can easi=
ly purchase the needed hardware from many sources (as opposed to ASICs whic=
h are only sourced from a few places).
So a hash change will only affect things temporarily, and it will still set=
tle to the existing distribution of mining hashpower.

>
> >>> Nothing can be more efficient than proof-of-work, and the proof-of-st=
ake delusion is simply a perpetual motion machine that attempts to get some=
thing from nothing.
>
> As time passes and more PoS coins appears, including big projects like Et=
hereum, we will see if it's delusional or not =F0=9F=99=82
>
> I forgot one, if you do a 51% attack to a PoS coin you know that all your=
 staking funds will be burned. In a PoW coin you don't lose your miners and=
 can use them to mine or attack another coin with the same algorithm.=C2=
=A0

I already told you that it is always possible to get around this: leverage =
by use of short options.
Short the coin to attack, then perform your attack by censorship.
Coin value will drop due to reduced utility of the coin, then you reap the =
rewards of the short option you prepared beforehand.
By this, you can steal the entire marketcap of the coin.

Then you still have the economic power (plus what you managed to steal), wh=
ich you can then use to take over another proof-of-stake coin, regardless o=
f whether it uses the same proof-of-stake algorithm or not.

At least mining hardware are physical hardware and subject to deprecation o=
ver time.

>
> >>>=C2=A0You must understand that removing the chain tip puts the transac=
tions in that block back in the mempool, before we ever start following the=
 longer chain.
>
> Yep but it could make double spend attacks very easy. People would know w=
hat is happening and could send the money to themselves with a higher fee t=
o recover it. Many people would lose money with that.
>
> To fix that problem with a PoS algorithm, some community-guided initiativ=
e could get all transactions of both chains and create a merged chain with =
a hard fork so double spends attacks would not be possible. This could be s=
omewhat slow, maybe the network is stopped a few days, but in the end no on=
e will see money disappear from their wallet, much better than pray that yo=
ur payer doesn't send the money back ato himself.

This happens every day in Bitcoin, and nobody particularly cares.
You just wait for confirmations that in practice are impossible for some or=
phaned chain to persist.


>
> >>>=C2=A0This solution is worse than the problem, and speeds up the domin=
ance of large stakers over the coin, trivially letting someone with the lar=
gest stake in the coin grow their stake even faster.
>
> I think it's very evident that the rich guy earn coins faster in both alg=
orithms.=C2=A0
>
> In PoS if you have 51% of the coins and use them to stake, you make 51% o=
f the blocks, I don't see any problem with that. If you decide to do a 51% =
attack, stopping doing blocks in the main chain to force the others to foll=
ow your "private" chain, well, you know for sure your funds will be burned =
in the next hard fork.

But your proposal of being non-linear on the size of the stake means that i=
f you have 51% of the coins, if you put them in a single stake UTXO you pot=
entially get 99.999% of the blocks, which is ***much worse***.

Just admit that you have no real solution to knowing how much every entity =
controls of your coin.

>
> >>>=C2=A0No, I think it will be very successful in ensuring that smart in=
dividuals will spend their time actually doing things that benefit the econ=
omy and technology instead of wasting their time being distracted with Ethe=
reum and proof-of-stake.
>
> Ok, we the=C2=A0PoS advocates will let the smart people to work in more d=
ifficult issues like finding reasons to justify the energy waste and heat g=
eneration of PoW when Bitcoin price reaches 1 million dollars =F0=9F=98=
=89

We hope to see you back soon after having learned your lesson.

Regards,
ZmnSCPxj