Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 451B0142B for ; Thu, 18 Jul 2019 14:15:15 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-40130.protonmail.ch (mail-40130.protonmail.ch [185.70.40.130]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id E9EE271C for ; Thu, 18 Jul 2019 14:15:13 +0000 (UTC) Date: Thu, 18 Jul 2019 14:15:05 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1563459311; bh=yIIAIrse/qcs/+ixQDE3+ABZ4wPcXzGlfw1+ci3GL1s=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=ezegondKFQGkkevlmcsn4ow8MgfUcVwEGM/hJbk2iku8HjKwuYkZ1vZA0StcPn35U s//6oL6Edj5w0VI/RKpb7ugO5b2u5yUK6fngrnvovG9dF7x13tKFrUN28HuMQV9dva +3XPzO8iAc8jfFxO/t9Jy4FGqtHFTEV+vJ5DZFzA= To: "Kenshiro []" From: ZmnSCPxj Reply-To: ZmnSCPxj Message-ID: <-FVjDC_47DKPnkjAvcOAh3XMnIBIKspnLWrbpNlgE043OsEAJx9ZT5I3m7XWgwbsVps3QlwP7XSDu5yZ5JWSLxGiJM99T1ycjqqP7AUrtzo=@protonmail.com> In-Reply-To: References: <207DBF48-E996-440D-ADDC-3AEC9238C034@voskuil.org>, Feedback-ID: el4j0RWPRERue64lIQeq9Y2FP-mdB86tFqjmrJyEPR9VAtMovPEo9tvgA0CrTsSHJeeyPXqnoAu6DN-R04uJUg==:Ext:ProtonMail MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, FROM_LOCAL_NOVOWEL, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Thu, 18 Jul 2019 15:21:53 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Secure Proof Of Stake implementation on Bitcoin X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Jul 2019 14:15:15 -0000 Good morning, > I think there is some misunderstanding here. A single node can be isolate= d from the rest of the network any time and when it reconnects it only has = to follow the longest chain as always. Checking with a block-explorer or a = friend's node is only required under the extreme situation of being under a= 51% attack, but that is also a problem for Proof Of Work. Both protocols r= equire manual intervention: > > -PoS: Burn the funds of the attacker with a hard fork > -PoW: Change the PoW algorithm with a hard fork Again: under proof-of-work, 51% attacks are a lot less feasible than under = proof-of-stake. You really should have researched this by this point, but in any case. The primary source of energy on Earth is the formation of the solar system. Some areas were seeded with radioactive materials. Later on, some areas were seeded with carbohydrates from dying biological p= rocesses. Regardless, continuously the sun shines upon the just and unjust alike. Thus, while there is significant variance in energy availability, it is sti= ll reasonably spread out. A 51% attack under proof-of-work is only possible, in general, if some sing= ular entity were able to have physical control of almost 50%, or some such = close number, of the globe, simply due to the fact that energy availability= is somewhat distributed over the globe. Looking into latest human political maps, I cannot find any singular entity= that can claim this. Secondly: change of hashing algorithm is pointless in the highly unlikely c= ase of a 51% attack, because what matters is control of energy sources. In case of hashing algorithm change, the exact same sources of energy can b= e utilized with whatever hardware is most efficient, and distribution of ha= shpower will still be the same. The fact that proof-of-work is strongly bound to physical limitations is a = feature, not a bug. Economic incentives imply simply that market forces will move hashpower tow= ards efficient usage. Nothing can be more efficient than proof-of-work, and the proof-of-stake de= lusion is simply a perpetual motion machine that attempts to get something = from nothing. > > The other extreme situation would be if the network or internet itself is= splitted more than N blocks. If that happens, it should require manual int= ervention to merge both chains. But in PoW it's much worse because the long= est chain wins and it erases all history of the losing chain. Are you sure = that's better? All transactions of one day (or more) could be erased foreve= r. Yes, that is better. You must understand that removing the chain tip puts the transactions in th= at block back in the mempool, before we ever start following the longer cha= in. Thus, transactions on the shorter chain will simply find themselves in the = mempool waiting to be confirmed again. Of course, they are still subject to replacement since they become unconfir= med, and there is still some risk involved. > >>>To expand on this: by censoring ***all*** transactions one is able to = prevent spending of all funds. > This will crash the value of the staked funds also, but note that the sta= ker could use techniques like short options to leverage this and potentiall= y earn more than the value of their staked funds, effectively stealing the = entire marketcap of the attacked coin. > > Yes but I think this can be solved in PoS, because there should be only 2= possible cases: > > 1 - The attacker doesn't stop making blocks in the main chain an he only = censors transactions in his blocks: in this case, there is always some hone= st block so he can only slow the network > 2 - The attacker does a 51% attack stopping doing blocks in the main chai= n, so the longest chain is his "private" chain which only has his blocks: t= hen he can censor every transaction, but that attack is very evident and a = hard fork could burn his funds. Do note the comment of "political money". Hard forks are very difficult to coordinate as the user set increases in si= ze. > > >>>=C2=A0Aside from that, this is possible to evade by running 10000 mast= ernodes and splitting your staking funds among them. > > It's possible to give more staking weight to coins together in a single a= ddress than splitted coins like with this formula (or some improved version= ) > > stakingWeight =3D numberOfCoins ^ 1000 This solution is worse than the problem, and speeds up the dominance of lar= ge stakers over the coin, trivially letting someone with the largest stake = in the coin grow their stake even faster. > >>>=C2=A0Another thing is that Ethereum itself is going to PoS next year,= but with a different implementation that I'm proposing here. > > >>>Just another nail in the coffin. > > Do you think Ethereum PoS will fail? > No, I think it will be very successful in ensuring that smart individuals w= ill spend their time actually doing things that benefit the economy and tec= hnology instead of wasting their time being distracted with Ethereum and pr= oof-of-stake. Regards, ZmnSCPxj