Discussion of Proof of Stake (POS)

[Arcurus 331]

Hi All,

I try here to summarize Pro and Con of Proof of Stake (POS) feel free to participate!

UPDATE: here you can find a more detailed draft how pow in combination with pos could look like:

 

How could Prof of Stake (POS) in combination with proof of work (POW) look like?

For example the hash of the last block is used to draw one* unspent coin.

The owner of the coin could now create an POS transaction that referenced the block.

If the next block includes this POS transaction the needed difficulty is halved**.

 

*of course it would be possible also to draw X coins

** this is only an example, it could also be reduced by Y%

 

List of pro and cons, feel free to participate:

-- maaku: CON Stake voters can sign two chains without any cost

-- Arcurus PRO POS in combination with Proof of work (POW) as outlined for example in this paper[1] can make it costly to sign more chains

-- Arcurus PRO even in pure POS if an POS voter signs two blocks, other POS voters can ignore his blocks and exclude him for a certain time. This "exclusion" can be done offchain. also we could require a security for signing a POS transaction. If two chains are signed in a certain time frame the security will be lost

 

-- maaku: CON more complicated to proof

-- Arcurus: also in POW miners need to verify the hole chain, but of course verifying as non miner is still more complicated than in POW. Further implications must be looked into it.

 

 

-- Arcurus CON we would need other methods to distribute coins

-- Arcurus PRO we save energy

-- Arcurus PRO we could issue them with other methods, like frei republic

-- Arcurus PRO we can still combine with POW to issue some parts of the coins through POW

 

 

-- Arcurus PRO a lot more energy friendly. coins could be used to do something good instead of being burned for electricity

-- Arcurus CON not that easy to distribute coins in a fair way

 

 

-- Arcurus PRO currently we have no solution how to build something like freirepublic* (in short POS voting) on an POW chain. this could be solved in a POS chain

 

-- Arcurus CON: POS Technology is not that well tested and understood like POW

-- Arcurus CON: maybe problems with making Freicoin to a sidechain of a POW based chain???

UPDATE:

-- Phillip CON: Not secure: Unless delegated proof-of-stake is used, the stakers have to leave their private keys on network-connected machines

-- Phillip CON: risk-free delegation will lead to the centralization of staking;

-- Phillip CON: in case of low POS participation, stakeholders with small amounts could overpower the network.

-- Arcurus PRO: this depends on the implementation of POS, if POS is combined with POW this problem will not be that big. Also economic incentives could encourage an high POS participation

-- Arcurus PRO: As described here [2] "virtual miners" could be used instead of pure POS. How that would affect the above three arguments need to be looked into

 

-- Arcurus PRO: POW leads that in the end one company which can produce the cheapest asics controls the coins more and more

-- Arcurus PRO: POW currently is not really decentralised, because there are lot of economic benefits to have single big pools and mining facilities

see also here: https://steemit.com/bitcoin/@dantheman/who-really-controls-bitcoin

-- Arcurus PRO: Patents of energy efficient mining like asic boost create a de facto monopoly

-- Arcurus PRO: POW miners though energy consumption are much easier to trace and turn out in case of an external attack

 

Please add more

Here some interesting Blogpost from Vitalik about Proof of Stake:

https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/

https://medium.com/@VitalikButerin/parametrizing-casper-the-decentralization-finality-time-overhead-tradeoff-3f2011672735#.sysy5p4e9

 

[2] Proof of Activity: Extending Bitcoin’s Proof of Work via Proof of Stake

http://eprint.iacr.org/2014/452.pdf

 

 

news to proof of stake from an turing award winner: http://www.coindesk.com/scalable-blockchain-consensus-turing-award-winner-thinks-hes-got-solution

ALGORAND: The Efficient and Democratic Ledger: https://arxiv.org/abs/1607.01341

from Silvio Micali an turing award winner

Quote

Algorand is a truly decentralized, new, and secure way to manage a shared ledger. Unlike prior approaches based on {\em proof of work}, it requires a negligible amount of computation, and generates a transaction history that does not fork with overwhelmingly high probability. This approach cryptographically selects ---in a way that is provably immune from manipulations, unpredictable until the last minute, but ultimately universally clear--- a set of verifiers in charge of constructing a block of valid transactions. This approach applies to any way of implementing a shared ledger via a tamper-proof sequence of blocks, including traditional blockchains. This paper also presents more efficient alternatives to blockchains, which may be of independent interest.
Algorand significantly enhances all applications based on a public ledger: payments, smart contracts, stock settlement, etc. But, for concreteness, we shall describe it only as a money platform.

 

[Fabrizio 162]

In future, POW could & should become more decentralized when (or if? since big corps are making it hard to develop technologies) free energy devices become more available and community driven hardware development and mining operations start to pop up?

Cant really comment on the POS, since I dont totally understand the underlying technology 

[Arcurus 331]

Even with free energy we would heat up the planet or waste other precious resources to build miners.

As long as we have not learn't to materialize something out of mind only

But lets stay to the topic.

[phillipsjk 1]

I am a strong skeptic of PoS.

 

The fundamental problem is that it is not secure. Unless delegated proof-of-stake is used, the stakers have to leave their private keys on network-connected machines that are unlikely to be secure in the long-term.*

 

The paper linked in the OP claims that risk-free delegation will lead to the centralization of staking; much like the separation of hash-power from hosting a full node led to PoW centralization.

 

That paper claims that:

 

The purpose of the PoA protocol is to have a decentralized cyrptocurrency network whose security is
based on a combination of Proof of Work and Proof of Stake.

 

However, later in the paper (section 5), they admit:

 

With a PoW-based cryptocurrency, the security is sustained under the assumption that the majority of
the mining power that participates is honest. Similarly, the PoA network derives its soundness from the
assumption that the majority of the online stake is honest. Due to the amplification via the parameter N ,
the security of PoA deteriorates quickly when the majority of the online stake is under the control of a
malicious entity. In Section 2.1 we argue that for a cryptocurrecy to be attack-resistant over the long term,
relying on the assumption that the majority of the stake is honest is more conservative than to rely on the
assumption that the majority of the hashpower is honest.

 

I feel that the 50% paticipation rate (that is, 50% of coins are actively staked) advocated to be dangerously aggressive. I personally would not want to stake more than 5% of my coins. The reason is that: cold-storage effectively mitigates the risks of a computer compromise in the near future. However, by their very nature, "cold storage" coins can not be used for staking.

 

I am not alone in wanting to keep the majority of my coins in "cold storage". According to the CaVirtex Bitcoin exchange https://cavirtex.com/why_virtex, they "keep 98% of customer funds in cold storage at all times." This is very bad for the PoA proposal since any attacker, knowing they must only secure their machine for hours or months, is able to "stake" 100% of their coins.

 

The paper does not mention active (honest) stake below 10% because it makes their proposal look bad.

 

*I used to think that machines running from ROM could be reasonably secure.

http://arstechnica.com/security/2009/08/researchers-demonstrate-real-world-voting-machine-attack/

A total machine compromise with a harvard architecture (read-only program code) convinced me otherwise.

Now, I believe full-stack formal verification (including hardware verification) is needed to ensure a secure machine.

[Arcurus 331]

I am a strong skeptic of PoS.

 

The fundamental problem is that it is not secure. Unless delegated proof-of-stake is used, the stakers have to leave their private keys on network-connected machines that are unlikely to be secure in the long-term.*

for me delegated proof-of-stake does not sound that bad, as long as once after a while the delegation must be renewed.

So coins could be hold still in cold storage.

An alternative would be to use another variant, that simulates "virtual miners".

Instead of directly using proof of stake, you can buy "virtual miners" with destroying (or in case of Freicoin donating) coins.

With this "virtual miners" you can sign blocks similar like in the proof of stake proposal.*

* To guarantee fairness "virtual miners" loose their mining power after an certain time period counted in blocks.

* To guarantee no fast overpowering of the network "virtual miners" could need an certain time period to get their full mining power.

For example they need 100 days to get their full mining power, after that they loose their mining power in the next 100 days.

UPDATED the list with phills arguments. Please double check if I got the points right.

[Arcurus 331]

By the way, not long time ago Vitalik posted about prof of stake: https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/
 

Proof of stake continues to be one of the most controversial discussions in the cryptocurrency space. Although the idea has many undeniable benefits, including efficiency, a larger security margin and future-proof immunity to hardware centralization concerns, proof of stake algorithms tend to be substantially more complex than proof of work-based alternatives, and there is a large amount of skepticism that proof of stake can work at all, particularly with regard to the supposedly fundamental “nothing at stake” problem. As it turns out, however, the problems are solvable, and one can make a rigorous argument that proof of stake, with all its benefits, can be made to be successful – but at a moderate cost. The purpose of this post will be to explain exactly what this cost is, and how its impact can be minimized.

[Rik8119 242]

Hi everybody, although the topic is a little older recent events brings it into focus for me.

 

I am working on an simple Proof of Stake (SPOS) version for WLC / FRC. It also uses hot wallets for staking. In my opinion the higher risk is the price the staker has to pay (according to the price worker have to pay for miners).

In contrast to the other POS coins that are using coinage, the SPOS needs no coinage. A transaction is created every new block and the vin balance is used to determine the hashes allowed. The Proof of stake hash is generated by Time Nonce vin Address and bits, in this way a certain balance can only create a certain amount of hashes.

 

The branch is at: https://github.com/WorldLeadCurrency/WLC/tree/SPOS

 

However i thought maybe this is also intersting for Freicoin?

Rik

[Arcurus 331]

Hi risk, sounds interesting. didnt understand fully how your pos algorithm is functioning. yes using the coinage is dangerous if not done right and most likely there is no need for using it.

 

an easy suggestion for pos in combination with pow would be to draw n lets say one specific coin with the hash of the block like in a lottery.

if the owner of the coin signs the block, the needed difficulty of the block is reduced by x%, lets say 50%

 

the more take part in the pos / signing the more the pow difficulty is reduced.

 

of course the number n, through the hash drawn coins, could be increased to 10, 100 or maybe more. for each signature the needed  powDifficulty of the block would be reduced. by x%

[Arcurus 331]

UPDATE: here you can find a more detailed draft how pow in combination with pos could look like:

 

[Arcurus 331]

Nice post about mining power accumulation in Bitcoin:

https://steemit.com/bitcoin/@dantheman/who-really-controls-bitcoin

[Rik8119 242]

Great article, thanks a lot.

[Arcurus 331]

its really sad currently in Bitcoin, it seems that the main mining hardware provider doesnt like core and now tries to make a bitcoin fork with bitcoin unlimited.

Its really sad, that they block segwit, which would increase the blocksize 2 fold.

It's also really sad, that the core developer still don't have coded or even described an way beyond the current 1 mb limit as promised to the miners.

I more and more see no good reason for proof of work other than a coin distribution and the simplicity of it. But the problem is with time one single company will more and more dominate the mining and therefore destroy decentralisation. Only solution to that would be to switch the mining alg quite often or don't use mining at all.

Also mining facilities are more and more centralized and easy to attack.

I more and more look into other ways of securing the block chain:

Mainly i see these three different solutions out there, each of them could be implemented in an second tier:

 

Using Masternodes like dash:

https://dashpay.atlassian.net/wiki/display/DOC/Whitepaper

Using Forking / pure proof of stake (in the second layer) like nxt:

https://www.dropbox.com/s/cbuwrorf672c0yy/NxtWhitepaper_v122_rev4.pdf

Using delegated proof of stake like steem and bitshares:

https://bitshares.org/technology/delegated-proof-of-stake-consensus/

 

all three also have allready voting and budget systems.

Dash and steem have nearly instant transaction confirmation

nxt steem / bitshares allow allready decentralised exchanges

steem would provide even the possibility to use as decentralised forum.

 

Dos anybody know something about successful attacks against one of them? (I mean attacks like double spending)

NXT:

Simplified as far as I understood, next chooses one stakeholder that can then create the next block. the more coins you have the more likely he is chosen. 

If this stakeholder does not create a block, the next in line can create one.

Both problems could be solved or hardly reduced through using some kind of proof of work combination to elect the next forker. The proof of work could also be used to making it hard for an forker to sign two competing blockchains. 

 

Problems with NXT based forking:

As far as i know is that next had some problems, because their forking / block creation allows at no cost creating different blocks, but i have to research it.

Also I don't know yet how exactly the next stakeholder is chosen. It seem to me, that someone who created a block can try to choose again one account under his control.

 

Dash:

Dash uses the proof of work to elect 10 masternodes form the masternode list. A masternode node needs to have 1000 dash which is currently more then 40000 dollar.

These 10 elected master nodes then lock transactions. Blocks that double spent these locked transactions are simply ignored.

Problems with Masternodes:

Up to know i didnt hear about an successful attack, but i didnt research yet.

To me it lookes like if 1 elected masternode could block the locking of transactions. Therefore 10% to 20% masternodes could block most of the locking consens.

This would be easily solvable by requiring only 2/3 of the chosen masternodes to agree. 

Also i dont know yet how they exactly solve race conditions if one set of masternodes locked one transaction, and a set chosen in another created block locks the double spent transaction.

This race conditions could be reduced by using an older bock, lets say one hour ago to elect the next masternodes.

Another attack vector would be when the shift between the old elected masternode set and the new happens.

The old masternodes could lock one transaction while the new masternodes lock the double spent transaction.

This could be solved by electing / replacing only one of 10 masternodes in each block. 

In this case the new set of elected masternodes will know what the old sett locked and therefore dismiss double spent attacks.

 

bitshares / steem:

In short, each stakeholder can vote for up to X (30) block creators (they can even delegate their vote)

The top 21 are the new set of block creators. In each round each block creator can exactly create one block at an scheduled order.

Problems with delegated proof of stake:

Up to know i dont know about any attack vector other then 50% +1 of the elected block creators colluding, which would be similar to 50%+1 of the miners in bitcoin colluding.

For me it lookes at least more easy to attack then the masternode network, but still an attack doesnt look that easy.

 

Summary:

NXT- forking looks for me most easy to attack, but i didnt look fully into it up to know. Most of next problems seems to me solvable though combining it with some kind of proof of work.

Masternodes looks quite nice. Most of the problems as far as i see them looks solvable to me. The two tier implementation of proof of work and masternodes looks quite elegant.

Steems delegated proof of stake looks also quite elegant. In comparison to masternodes it looks more centralised, which has their pros and cons, currently i would favor a wider participation in block creation / transaction locking like masternodes have.

 

Then there is also ethereums proof of stake proposal which i didnt look into it yet:

https://medium.com/@VitalikButerin/parametrizing-casper-the-decentralization-finality-time-overhead-tradeoff-3f2011672735#.sysy5p4e9

And finally here also the Tendermint proposal:

https://cosmos.network/

[Skaro 129]

Okay  Arcurus, you seem to be deep into this. That's wonderful but I do have some difficulty understanding this stuff. Perhaps you could answer some very basic questions for me first:

1) what is POW for? While people like to say enthusiastic things like 'thermodynamics is securing our transaction', that's just enthusiasm. It seems to me that, POW is really only awarding the right to be the first to formally introduce a transaction to the blockchain. Otherwise the same transaction would be introduced at many points. Also, the 10 minutes allows the broadcast transaction to travel and get picked up by others. It's good for this process to be random, so that one person doesn't write all the transactions they want.

2) Script mining is then an attempt to stop the asics race to keep things more democratic and random.  (yes or no?)

3)  What really prevents double spending is the confirmations and the blockchain itself. Once the transaction history is there, the balance is known. (yes or no?)

4) Proof of stake favours rich people. The more a person is willing to stake the more he has the right to introduce new transactions to the blockchain?

 

 

 

[Arcurus 331]

Hi Sarko,

to 1) lol yea the thermodynamics ... it's both the thermodynamics / work securing the chain, and the right to include a transaction

to 2) attempt yes, success most likely not long.... by the way, also here dahs pow algorithm sound more promising than script mining.

to 3) confirmations currently is pow, therefore see 1) thermodynamics .

The balance is known? yes and no. No because it is not known to 100% if the balance stays like it is, because currently longer pow chain can undo the balance. And not necessarily 100% of the nodes agree on the same balance. And yes, because nodes could enforce an certain chain, like forexample steem or dash does it with their masternodes, or you can use the ripple / stellar protocol to come to a consens.

to 4) poof of stake and proof of work favor ¨rich¨ people. Therefore i want to go towards proof of member which is described here: (Currently im also working on an fair coin distribution on top of the masternode concept)

 

 

[Arcurus 331]

news to proof of stake from an turing award winner: http://www.coindesk.com/scalable-blockchain-consensus-turing-award-winner-thinks-hes-got-solution

[Arcurus 331]

here a link to ALGORAND: The Efficient and Democratic Ledger: https://arxiv.org/abs/1607.01341

from Silvio Micali an turing award winner

Quote

Algorand is a truly decentralized, new, and secure way to manage a shared ledger. Unlike prior approaches based on {\em proof of work}, it requires a negligible amount of computation, and generates a transaction history that does not fork with overwhelmingly high probability. This approach cryptographically selects ---in a way that is provably immune from manipulations, unpredictable until the last minute, but ultimately universally clear--- a set of verifiers in charge of constructing a block of valid transactions. This approach applies to any way of implementing a shared ledger via a tamper-proof sequence of blocks, including traditional blockchains. This paper also presents more efficient alternatives to blockchains, which may be of independent interest.
Algorand significantly enhances all applications based on a public ledger: payments, smart contracts, stock settlement, etc. But, for concreteness, we shall describe it only as a money platform.

An here the link to the coinbase article:

http://www.coindesk.com/scalable-blockchain-consensus-turing-award-winner-thinks-hes-got-solution