Proof of stake is incapable of producing a consensus (yanmaani.github.io)
I did not find this post convincing, especially as many proof of stake systems have been running consistently for years now and with significant transaction and economic volume.
As an example, Tezos has decentralized apps such as liquidity pools, collateral-based stablecoin systems, NFT ecosystems, and two-way coin bridges to other networks such as Ethereum. I use these smart contracts on a weekly basis and have done so for a long time now.
Tezos manages several orders of magnitude more transaction throughput (based on opcode count) than Bitcoin; transactions, even complex ones, cost pennies; the network has not been attacked, is worth billions, and Tezos's energy usage is easily a million times less than Bitcoin's.
The author appears to be saying that "any decentralized consensus via proof of stake system is vulnerable to timing attacks"
The counter-argument that "This here proof of stake system has not been successfully attacked ... that we know of ... yet" does not seem to be watertight.
The main reason proof of work works so effectively is that it deals in physics with the actual expenditure of electricity as the punishment system for failing to produce the correct desired outcome.
Abstracting this away again, we have reality itself to contend with. Evolutionarily, we have evolved with respect to the dominance hierarchy (https://youtu.be/rUiG5_GcMyY), where effort itself is a necessary precursor to ascending the ranks and being fit to lead.
Not to get too metaphysical, but essentially it boils down to:
- Social status is based on real-world implications and is not self-derived from the perceived ranking itself, that is, if it is to be most stable across time. Being labeled the boss is essentially useless long term unless you truthfully represent the ideal or most capable individual. (Michael Scott from the television series The Office is a funny example of this.)
- PoS offers reliability for the system based on its election by stake amount in the system, which favors inventors, early adopters, and pre-ordained position holders, where distribution was not derived from effort in the real world with non-reversible consequences (burning electricity).
- Instead, the selection mechanism is its own value structure, which may or may not accurately assess competence for reliable trust in a domain where zero-trust is key to consensus.
- Outsourcing consensus to something mediated by the laws of physics is more stable across time, and is yet another abstraction upon competence, taking it outside the realm of US Dollars for social proof, but also adding in the component of physical consequences towards the chain of proof.
I'm also thinking as I write this that it would be important to consider changes in the environment as useful to the selection pressures. Purely basing it upon success (stake) at one point in time is not useful, as the rules of the game may change, or reputation lost or abused in a PoS system would not accurately reflect changes in the need for rotation of positions of voting authority.
E.g. anything like "proof of latency"?
Distributed consensus is the problem of getting a bunch of computers to agree on some state when some of the computers can behave maliciously. In the case of cryptocurrency, the state is a log of transactions, which when replayed tells you who owns what. There are well-known algorithms for distributed consensus, such as Paxos and Raft, that are used in real-world applications, e.g., the Chubby lock service.
Distributed consensus algorithms can be proven to reach consensus as long as at most a fixed percentage (e.g., 1/3) of the computers are behaving maliciously. This assumption is fine for applications like Chubby, where Google is running all 5 of the computers participating in the consensus, and no one can add additional computers. However, this assumption breaks down in the case of cryptocurrency, where anyone can spin up computers to participate. In fact, an adversary can effectively spin up an infinite number of computers. This form of attack is known as a sybil attack.
Proof-of-work and proof-of-stake add sybil-resistance to distributed consensus algorithms by requiring the adversary to commit a scarce resource in order to participate in the consensus process. In the case of proof-of-work, the scarce resource is computing power. For proof-of-stake, the resource is the currency secured by the system itself. This may seem a bit circular, but it's fine. In order to attack the system, the adversary would have to purchase or borrow a bunch of the currency on the open market, which has an economic cost. Proof-of-work permits the same attack, where the adversary buys or rents computing power instead.
From this perspective, the bitcoin consensus algorithm is in fact the odd one. Most distributed consensus algorithms (like Paxos and Raft) rely on some kind of voting system.
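To make the Sybil point in the comment above concrete, here is an added toy model (my own example, not code from the post, the linked article, or any of the systems named): the same set of validators counted one vote per identity versus votes weighted by a committed scarce resource. The four honest validators with 25 units each, the attacker's 10 units, the 1000 free identities and the 1/3 bound are constructed assumptions for illustration.

```python
# Added example (not from the post or the linked article): a toy quorum model
# showing why one-vote-per-identity is Sybil-vulnerable and how weighting votes
# by a scarce resource (hash power or stake) neutralises cheaply created identities.
from dataclasses import dataclass
from fractions import Fraction
from typing import List

# Classic BFT bound: safety holds while the adversary controls < 1/3 of voting power.
BFT_THRESHOLD = Fraction(1, 3)


@dataclass(frozen=True)
class Node:
    node_id: str
    resource: int      # units of scarce resource committed (hash power / stake)
    malicious: bool


def adversary_share(nodes: List[Node], weighted: bool) -> Fraction:
    """Fraction of voting power held by malicious nodes.

    weighted=False: one vote per identity (closed-membership Paxos/Raft style).
    weighted=True : votes proportional to committed resource (what PoW/PoS add).
    """
    def vote(n: Node) -> int:
        return n.resource if weighted else 1
    total = sum(vote(n) for n in nodes)
    bad = sum(vote(n) for n in nodes if n.malicious)
    return Fraction(bad, total)


def is_safe(nodes: List[Node], weighted: bool, threshold: Fraction = BFT_THRESHOLD) -> bool:
    return adversary_share(nodes, weighted) < threshold


def spawn_sybils(nodes: List[Node], count: int) -> List[Node]:
    """Adversary creates `count` fresh identities. Identities are free, so they
    carry no extra resource: the adversary's committed resource stays the same."""
    sybils = [Node(f"sybil-{i}", resource=0, malicious=True) for i in range(count)]
    return nodes + sybils


def resource_needed_to_attack(honest_resource: int, threshold: Fraction = BFT_THRESHOLD) -> Fraction:
    """Minimum resource an adversary must hold so that bad/(bad+honest) >= threshold.
    Solving bad/(bad+honest) = t gives bad = honest * t/(1-t); for t=1/3 that is honest/2.
    This is the quantity that must be bought or rented on the open market."""
    return Fraction(honest_resource) * threshold / (1 - threshold)


# Constructed scenario: four honest validators with 25 units each, one attacker with 10.
HONEST = [Node(f"honest-{i}", resource=25, malicious=False) for i in range(4)]
ATTACKER = [Node("attacker", resource=10, malicious=True)]
NETWORK = HONEST + ATTACKER


def demo() -> dict:
    after_sybil = spawn_sybils(NETWORK, count=1000)
    return {
        "identity_vote_before": is_safe(NETWORK, weighted=False),      # 1/5 of votes
        "identity_vote_after": is_safe(after_sybil, weighted=False),   # 1001/1005 of votes
        "weighted_vote_after": is_safe(after_sybil, weighted=True),    # still 10/110 of weight
        "resource_to_break": resource_needed_to_attack(100),           # 50 units to acquire
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The weighted variant is the whole content of "Sybil resistance": adding identities moves the adversary's share only in the unweighted model, while the weighted share can only grow by acquiring more of the resource, which is where the economic cost the comment describes comes from.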
"Decentralized networks are a rare medium well-done."
For what it’s worth, this is how plenty of buildings are designed. Ignoring silly things like the inside not fitting in the outside, an architect may design the building and hand it off to a technical architect who works out how to make it stand up and has some back and forth with the architect modifying the design. At a later stage it goes to a structural engineer who will make sure that it really is likely to stand.
That, and the author has a wrong understanding of the Nothing at Stake problem. At the time, the argument was that there was nothing stopping someone from staking on multiple forks to hedge their bet on the dominant chain, giving them nothing at stake on the forked branches since they get equal ownership on each chain.
Mind you, Nakamoto consensus is pretty awful and completely ignored these days. Why do you believe that nodes flagged for support of protocols and miners with dominant hashrate LOST the big block debate? Because of the nodes, and community consensus.
Proof of work proves that not just one miner had sufficient hash power, but that the entire network had a certain aggregate hash power that was required to mine the block.
Can't this be emulated by requiring all major stakers to sign the block? (So rather than one miner staking being enough, all the aggregate stake is required to mine the block.)
The stickier issues are around maintaining the decentralized nature of PoW mining and the random and decentralized election of who mines the next block. Under PoW, everybody does their own thing and when someone finds a block they are able to publish it without direct collaboration with other miners. The fact that the miner is chosen at random gives rise to all sorts of anti-censorship and anti-collusion properties.
Proof of stake will have to emulate this, and possibly make a few targeted and carefully chosen compromises in order to emulate the decentralized nature of PoW mining. It's not obvious how this will play out, but I don't think it's impossible and efforts to do so certainly aren't a "scam."
The article is also misleading in inferring that there is a very narrow range of ways to implement PoS; in reality, there are many ways and all of the 'drawbacks' mentioned only apply to certain (poorly designed) implementations which no modern PoS blockchain would ever use.
> What happens if you’re presented with two identical blocks, and have to decide which one to pick?
Easy, you can just have a vote on one of the blocks and choose the one with the majority of votes; it can be chosen on the basis of any attribute of the block (e.g. commonly you can look at block IDs). This is what PoS blockchains like COSMOS do with the Tendermint protocol. Other blockchains like Lisk have delayed voting so that consensus is reached after a certain number of blocks.
> The entire point of the consensus mechanism was to allow us to tell which transaction was first, without personally having seen it take place.
Anyone who understands distributed systems knows that the exact order of transactions (down to a few hundred milliseconds) cannot be physically determined due to latency between the nodes and the unpredictable geography of participants. This is as true for PoW as it is for PoS. The most important thing (for certain use cases such as DeFi) is that transactions cannot be predictably front-run; using block ID ordering with voting as the basis for selecting between two valid blocks guarantees this. If the forger tried to cheat the system by producing multiple blocks, the network may not be able to reach consensus on the block vote and the forger would not receive any block rewards.
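As an added illustration of the tie-break the comment above describes (my own example, not code from the post, Tendermint, Cosmos or Lisk, which each have their own proposer and voting logic): competing blocks for the same slot are ordered by their hash so every node picks the same one regardless of the order it received them, and a forger who signs two different blocks for the same slot is dropped before the tie-break, so it earns no reward. The Block fields, the genesis id and the sample transactions are constructed for the example.

```python
# Added example (not code from the post, Tendermint, Cosmos or Lisk): deterministic
# tie-break between competing blocks for one slot, with equivocation detection.
import hashlib
import json
from dataclasses import dataclass
from typing import Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Block:
    height: int
    forger: str            # identity of the validator/forger that signed the block
    parent_id: str         # id of the block this one builds on
    txs: Tuple[str, ...]   # transactions, in the order the forger placed them

    def block_id(self) -> str:
        """Hash of a canonical serialisation, so every node derives the same id."""
        payload = json.dumps(
            {"height": self.height, "forger": self.forger,
             "parent": self.parent_id, "txs": list(self.txs)},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def equivocating_forgers(candidates: Sequence[Block]) -> Set[str]:
    """Forgers who signed two or more *distinct* blocks for this slot.
    Receiving the same block twice (e.g. from two peers) is not equivocation."""
    first_seen = {}
    bad = set()
    for b in candidates:
        bid = b.block_id()
        if first_seen.setdefault(b.forger, bid) != bid:
            bad.add(b.forger)
    return bad


def choose_block(candidates: Sequence[Block]) -> Optional[Block]:
    """Fork choice for one slot: discard blocks from equivocating forgers (they earn
    nothing), then pick the lowest block id. Independent of arrival order."""
    if not candidates:
        return None
    if len({b.height for b in candidates}) != 1 or len({b.parent_id for b in candidates}) != 1:
        raise ValueError("candidates must compete for the same height and parent")
    bad = equivocating_forgers(candidates)
    valid = [b for b in candidates if b.forger not in bad]
    return min(valid, key=lambda b: b.block_id()) if valid else None


def reward_recipient(candidates: Sequence[Block]) -> Optional[str]:
    """Whoever forged the chosen block gets the reward; nobody does if none survives."""
    chosen = choose_block(candidates)
    return chosen.forger if chosen else None


# Constructed sample slot: honest forgers A and B each publish one block; forger C
# publishes two different blocks at the same height (equivocation).
GENESIS_ID = "00" * 32
A1 = Block(5, "A", GENESIS_ID, ("tx1",))
B1 = Block(5, "B", GENESIS_ID, ("tx2",))
C1 = Block(5, "C", GENESIS_ID, ("tx3",))
C2 = Block(5, "C", GENESIS_ID, ("tx3", "tx4"))

if __name__ == "__main__":
    print("honest tie, node 1 saw [A, B]:", choose_block([A1, B1]).forger)
    print("honest tie, node 2 saw [B, A]:", choose_block([B1, A1]).forger)
    print("equivocators in [A, C, C']:", equivocating_forgers([A1, C1, C2]))
    print("reward for [A, C, C'] goes to:", reward_recipient([A1, C1, C2]))
    print("reward when only C equivocates:", reward_recipient([C1, C2]))
```

The tie-break is only a rule for choosing between blocks that are already valid; it says nothing about which block was produced first, which is the comment's point that physical ordering at that granularity is not recoverable anyway.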
This is not true. You will have scratched far fewer tickets on average than one million.
If you have one million tickets, one of them guaranteed to be a winner, you will on average scratch exactly half of them (500,000) before finding the winning ticket. If you have an infinite supply of tickets, each with a 0.000001 chance of winning, the number becomes higher, but the number of tickets scratched on average is still lower than one million.
Finding an error regarding something I know makes me skeptical about the rest of the article.
If you have an effectively infinite stream of tickets and each have a 1 in X probability of winning, you will indeed go through X on average.
That the author got this basic thing wrong doesn't inspire much confidence in the rest of his reasoning.
I have other issues with the article but this bit seems ok.
I'm not clear how "expected no. of attempts for X" is related to the probability of X. And I seem to be struggling to recall what little I used to know about probability.
I'd welcome a (link to a) clear unpacking of this scenario. I'm feeling rather stupid, as if I've had a stroke and lost a mental faculty. It seems to be a straightforward and obvious scenario, but I've lost confidence in my reasoning about it.
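An added worked example for the ticket disagreement above (my own code, not from the article or the commenters), covering both readings side by side: drawing from an effectively infinite supply where each ticket wins independently with probability 1/X (a geometric distribution, whose mean is X), and a finite pool of N tickets with exactly one winner drawn without replacement (mean (N+1)/2). It also shows how the expected count relates to probability, which is the question raised in the last comment: after X draws at odds 1/X the chance of having won is only about 63%. The Monte Carlo trial counts and seeds are arbitrary.

```python
# Added example (not from the article or the thread): expected number of scratch
# tickets until the first winner, under the two models being argued about.
import math
import random
from fractions import Fraction


def expected_draws_with_replacement(odds: int) -> int:
    """Infinite supply, each ticket wins independently with p = 1/odds.
    T is geometric: P(T = k) = p(1-p)^(k-1), so E[T] = sum k p (1-p)^(k-1) = 1/p = odds."""
    return odds


def expected_draws_one_winner(n: int) -> Fraction:
    """Finite pool of n tickets with exactly one winner, drawn without replacement.
    The winner is equally likely to sit at any position 1..n, so E[T] = (n+1)/2."""
    return Fraction(n + 1, 2)


def prob_won_within(k: int, odds: int) -> float:
    """P(at least one win in k independent draws) = 1 - (1-p)^k with p = 1/odds.
    For k = odds this tends to 1 - 1/e ~= 0.632: the expected draw count is not
    the number of draws that gives a 50% or 100% chance of having won."""
    p = 1.0 / odds
    return 1.0 - (1.0 - p) ** k


def simulate_with_replacement(odds: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo mean of T via inverse-transform sampling of the geometric law:
    T = ceil(ln(1-U) / ln(1-p)) for U uniform on [0, 1)."""
    rng = random.Random(seed)
    p = 1.0 / odds
    total = 0
    for _ in range(trials):
        u = rng.random()
        total += max(1, math.ceil(math.log(1.0 - u) / math.log(1.0 - p)))
    return total / trials


def simulate_one_winner(n: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo mean of the winner's position in a shuffled pool of n tickets."""
    rng = random.Random(seed)
    return sum(rng.randint(1, n) for _ in range(trials)) / trials


if __name__ == "__main__":
    odds = 1_000_000
    print("infinite supply, p = 1/1e6 -> E[T] =", expected_draws_with_replacement(odds))
    print("pool of 1e6 with one winner -> E[T] =", float(expected_draws_one_winner(odds)))
    print("P(won within 1e6 draws at 1/1e6) =", round(prob_won_within(odds, odds), 4))
    print("simulated mean, odds 1/1000 (constructed run):", simulate_with_replacement(1000, 20_000))
    print("simulated mean, pool of 1000 (constructed run):", simulate_one_winner(1000, 20_000))
```

The two models differ because "one of a million tickets is a winner" fixes the number of losers, while "each ticket wins with probability one in a million" does not; mining is the second case, since every hash attempt is an independent trial.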
>>Therefore, once they have withdrawn their deposits, they are untouchable. This is the “nothing at stake” problem. There will inevitably come a point when a node is free to liquidate their entire stake and cash out.
And later concludes that, in order to know which is the valid staking, you have to already have a decentralized mechanism for ordering transactions, which was the problem to begin with.
To be clear, it wasn't delayed because miners complained, it was delayed because it wasn't ready yet.
The actual truth is that PoS is infinitely safer than PoW in the short to medium term, while theoretically weaker in the long term. A long-term attack would require first buying obsolete signing keys, which would stop nodes that sync starting from the pre-fork point from syncing - i.e. a denial of service attack. Which is a very weak threat, as online nodes wouldn't even notice it. A short to medium term attack would stop finalization for a while at an enormous cost of slashing. It's a denial of service attack because nodes would be able to see contradictory signing from the same keys - so while without out-of-band data they won't be able to decide which one is the commonly accepted chain, it's enough information to recognize that an attack is happening.
PoW is very weak in the short term to medium term because runtime cost of attack is equal to mining rewards + epsilon, which is negligible, meaning it's just a question of hardware. Contrary to PoS, mining hardware is an external resource - it's always possible to get enough of it, given enough money (single digit billions for bitcoin). Getting 2/3 stake of a long-running PoS system is impossible - it's a scarce internal resource and there isn't enough for sale.
Reverting years of blocks is indeed infeasible - but interestingly in practice it would also amount to a DoS attack, as everyone would notice it and pause all payments. Contrary to PoS, where it would only work on newly syncing nodes, it would stop everyone. However, while theoretically more expensive, it's still only a matter of money - while a long-run DoS attack against newly syncing nodes in PoS would require buying obsolete keys, which is very likely to be impossible in practice.
Is this even an advantage? I don't think so, but it's arguable. However, for this singular arguable point PoW pays with a 4 orders of magnitude higher cost and a much, much weaker short and medium term security.
Empirically, the lower security of PoW is confirmed: multiple 51% attacks happened (most famously ETC), while even much weaker DPoS coins never had a successful double spend attempt.
In terms of public trust, not many people are able or even interested in technical arguments - they just observe if something works. In reality, consensus-level attacks are very rare as it's currently very hard to profit from them regardless of the consensus method, and the biggest danger is from software bugs in nodes, most likely unrelated to consensus.
If any PoW blockchain became a foundation of global commerce, attacking it would become very profitable, or even a military target - but that's never going to happen. So I don't expect bitcoin to get 51% attacked in any near future - at best years in the future when value of block rewards is so low one person with lots of old mining hardware can attack it just for fun.
It's actually suspected that happened during the blocksize wars when proponents of forks like Bitcoin Cash may have been spamming Bitcoin with transactions to feed their narrative that it is too expensive to use.
You'll eventually go bankrupt if you do this long enough.
This is actually another reason unlimited block sizes that can allow for very low to no cost transactions are risky, and DDoS protection is likely why Satoshi added the 1MB limit in bitcoin to begin with.
https://beincrypto.com/polygon-raise-network-fees-spam-trans...
You either don't pay enough and are ignored, or you pay enough and... great?
Seems miners have been driving the price down for years and a new proposal just was written to give them only 10%, and 80 to stakeholders.
IMO PoW for the bigger chains produce far too much waste & none of the supposed PoS attacks have materialized even though hundreds of millions are up for grabs
Proof of stake is analogous to Wall Street institutions and probably modelled after them.
To be fair, I'd love to hear him chime in on this discussion, and tell his side of the story, relate his exploits and prosecution as a viagra spammer, and finally answer all those unanswered questions people have asked him, to which he replied "Dodge Dodge".
Not that he's unique or special: POS shills like him are a dime a dozen. But he hangs out here and shills on HN, and has won awards for his deceptive scams (and also lost court cases too), and claims to "help people" on his web site, so I hope to hear from him again.
His real name is actually Richard J Schueler, under which he is famously known as the "Spam King", for being one of the first people in the world to be successfully sued for online spam, specifically the Viagra spam scheme that he ran from Panama (which he lost).
Richard Hart (aka "Spam King" Richard J Schueler) wins the "Golden Pump Award" for "Best New Scam" for his POS shitcoin Ponzi scheme "HEX":
https://twitter.com/JuanSGalt/status/1233242355995750400
https://www.youtube.com/watch?time_continue=857&v=tf-lJu5iDh...
Peacefire.org beats spammers in court.
https://www.zdnet.com/article/peacefire-org-beats-spammers-i...
>Free-speech group Peacefire.org wins a legal round in its fight against unsolicited e-mail, invoking Washington state's anti-spam law.
>The King County District Court in Bellevue, Wash., on Monday granted Peacefire $1,000 in damages in each of three complaints filed by Peacefire Webmaster Bennett Haselton. The small-claims suit alleged that Red Moss Media, Paulann Allison and Richard Schueler [who now operates under the pseudonym "Richard Hart"] sent unsolicited commercial messages to Haselton that bore deceptive information such as a forged return e-mail address or misleading subject line.
Confronting Richard Heart of HEX - SPAM KING and Crypto Scammer
https://www.cointelligence.com/content/confronting-richard-h...
>During ANON Summit 2020, I participated in a “fireside chat” with Richard Heart, founder of HEX. HEX is one of the most sophisticated, if not THE most sophisticated scams I have ever seen.
>Why was I so aggressive with Richard? I have a lot of experience fighting with scammers, at events, and in online discussions. I’m familiar with their bullshit techniques. Richard is the sort of “master debater” who will answer a question without actually answering the content of the question. I watched more than 6 hours of his previous talks and learned how to tell when he was trying to avoid a real answer.
>If you don't want to sit through hours of interviews yourself, this 4 minute video not only sheds light on Heart's motivation for establishing HEX, but also shows just how abrasive and crude he can be. This video was not created or edited by Cointelligence.
https://www.youtube.com/watch?v=_MIdlXHedlU
>I want to draw your attention to the quote in the video above: "What am I going to make more money doing? Promoting my token, that I own a whole ton of? Or promoting bitcoin, where I own one-one zillionth of the available supply?" He's clearly in this to make money for himself in any way possible. [...]
>When asked why HEX was not categorized as a security, at around the 21 minute mark, Richard offered an explanation that has no legal grounding. On the website, HEX claims that it is "The first high interest blockchain certificate of deposit." However, HEX has no legal authority to issue CDs. Richard is illegally claiming to provide CDs when in fact the instruments are nothing but glorified savings accounts.
More quotes: "What's up now, fggot? What are you going to do now, you little btch? Get the fuck out of here! That's the dumbest piece of shit I've ever seen in my fucking life. [...] Let me give you some more bullshit, ok?" -Richard Heart aka Richard J Schueler
Richard Heart - Spam, ICOs, and Death Threats
https://imnotdead.co.uk/blog/richard-heart
Richard James Schueler - Friggin Spam King
https://web.archive.org/web/20190416235350/http://www.panama...
Why HEX is a Ponzi and not a solid investment (Part 2): Richard Heart
https://www.reddit.com/r/CryptoCurrency/comments/kwhjxa/why_...
>During the interview at ANON, Richard confirmed that he was one of the first people in the world to be sued for online spam, back in 2002. This shows us Richard has experience abusing unregulated markets, as he is doing with crypto these days.
Richard: this an accurate quote of your own words?
>When I pressed the matter and asked for a simple “yes” or “no” as to whether he, as the FOUNDER of HEX, knows who benefits from the funds sent to the “Origin Address” he flat-out said “I’m dodging your question.” Dodging the question! He proceeds to repeat “Dodge, dodge.”
Richard, your tag-line "Do you want to develop my new cryptocurrency?" is the new "Do you want to develop an app?"
https://www.youtube.com/watch?v=jVy0JWX5XEY&ab_channel=Adult...
"Dodge, dodge." -Richard Heart aka Richard J Schueler
PoW miners tend to spend more and more resources on finding blocks, until the cost approaches the rewards. But the rewards go up as the cryptocurrency becomes more popular, because the price and transaction fees go up. Therefore, a PoW cryptocurrency tends to "eat the world" as it becomes bigger.
That's why Bitcoin is already approaching 1% of global electricity consumption, if it hasn't passed that point already. If the price were to go up tenfold, then so would electricity usage (roughly). That's not sustainable, both technically for grids and economically because electricity prices go up.
Because of that, I foresee two possible futures for PoW cryptocurrencies:
1. The resource usage overshoots and PoW collapses because it gets banned everywhere. (This seems to be playing out now with China having banned crypto mining, Kazakhstan running into grid issues because of the miner influx, and Sweden arguing for a ban in the EU.)
2. The popularity of these currencies stops growing and only some niche applications remain. Speculators leave because there's no more money to be made. Prices go down.
The strongest point here is the strawman presentation of the altered security model that PoS can be proven to form consensus under. Reading the source he cites is far more informative: https://blog.ethereum.org/2014/11/25/proof-stake-learned-lov...
The majority of the article frames distributed consensus mechanisms in an extremely sophomoric understanding of asset value and the PoW security model. All of these topics (including valid ETH criticisms) are discussed in much better ways in many other places.
To be honest, I don't understand why it hasn't been banned already.
Sweden has recently called for a EU wide ban because it identified PoW mining as a threat to transition their economy to renewable energy.
https://www.fi.se/en/published/presentations/2021/crypto-ass...
1. For all consensus systems, at least a vast majority will rely on PFC for base consensus since they will not personally audit the client software they download, and thus will rely on PFC to determine which software distribution channel to trust to download the client software from. In other words, there is in practice no pure PFC-free consensus protocol, to be taking such a hard stance on Proof of Stake for its reliance on it.
2. The Schelling Point PFC in Proof of Stake will always be the real order of transactions, and therefore PFC will be highly reliable. Cases like Bitcoin's block size hard limit dispute, and Ethereum's DAO hack rollback dispute, dealt with something other than order of transactions, and in both cases, the dispute was severe enough to lead to a hard fork - which jettisoning PFC can't protect against - regardless.
The bitcoin reward also halves every 4 years, so even if the price continues to appreciate, the effect is evened out by the fact that less is created every block over time.
Lastly, bitcoin mining could be sustained solely by using stranded energy, which would otherwise be unused. Flared gas in Texas, for instance, could provide more power than the network currently uses. There is no reason bitcoin mining has to take power from anyone, and it will trend this way over time because the economics are in favor of finding the cheapest power source.
Your source says 0.2% on page 18, not 0.1%.
The New York Times says 0.5%. https://www.nytimes.com/interactive/2021/09/03/climate/bitco...
Add to that the rapid growth we've seen in the past, and I believe it is reasonable to say that we're rapidly approaching 1%.
While the amount of gas that is flared off is immense (25-30% of the actual consumption of the US and Europe), the problem is that it is only flared off because there are no pipelines to transport the gas away and the amount that the small oil wells produce is too low to justify the cost.
If it were for me I'd force oil well operators to either build a small secondary pipeline for flare gas alongside oil pipelines or place a small power generator to contribute to the electric grid, but unfortunately "regulation" of any kind is seen as a bad thing in wide parts of the US.
You can make that argument about any sort of waste of electricity, like blasting your A/C with the windows open. The problem is you can't guarantee that people are only using wasted energy. People don't mine Bitcoin to generously find a use for surplus energy. They do so for a profit. Also, people will require mining for Bitcoin transactions regardless of whether there happens to be surplus energy.
The amount of energy consumed now is not at its current level because of some fixed power requirement of the network. It’s there due to competition. If power was cheaper miners would run their ops using more power and the only thing that would change would be more energy would be wasted.
I do like the idea of using energy that would have otherwise gone to waste. Or the concept of putting mining hardware in remote areas where there is energy to be tapped, but no customers for it. I wonder about all the steam that emits from a nuclear plant's cooling tower. It seems like such a waste to let all that energy just go up into the air.
One thing that troubles me is the various reports of theft associated with mining. I occasionally see various stories of energy and CPU-time theft. Plus there was that truck full of GPUs that was recently stolen.
I wonder what parallels could be drawn to the California gold rush. Theft was probably rampant then too.
Hasn't that happened already a number of times? If everyone was still aboard the Bitcoin bandwagon, it would have stopped being profitable long ago; however you have plenty of other bandwagons to jump into. They are all technically practically interchangeable.
I assume this is also the reason PoS will never work. People will just stay with PoW until really forced to, and if forced it's highly likely they will just jump onto another PoW bandwagon. Guess this is part of the resistance seen with Ethereum. The alternative is to find a PoS scheme which is even more lucrative for speculators (possibly what the article is describing), and then everyone will jump onto that bandwagon en masse, but it will not have fixed anything.
Additionally, the Lightning Network drastically cuts mining power consumption.
And this is the reason why I cannot take any climate change conversation seriously unless it includes the topic of cryptocurrencies.
Whatever the promises of cryptocurrencies were, now most (all?) degenerated into a mechanism for speculation, and effectively into a self-sustaining and self-promoting mechanism for transferring wealth from the poor to the rich. And, unfortunately, with the side effect of consuming vast amounts of energy.
Bitcoin's electricity use (or the electricity use of any other single application) is pretty much irrelevant when it comes to addressing climate change. Proof:
• Too much of what we do depends on electricity and has no even remotely feasible substitutes for it to be plausible to give up on electricity. In fact, switching more things to electricity, such as transportation and heating, is a large part of what we will have to do to address climate change.
• Therefore to address climate change we are going to have to switch to sources of electricity that are climate neutral, which cleans up Bitcoin (and all the other uses of electricity) from a climate standpoint.
EDIT: to clarify, of course Bitcoin's electricity use now has a climate impact. My point is that this will eventually be taken care of by the necessary switch to clean electricity for all our electricity production.
Until that happens we of course should be trying to clean up current electricity uses, but there are currently bigger fish to fry on that end than Bitcoin. To dismiss taking climate change plans seriously because most conversation is about things with bigger impact is not sensible.
If we take too long on the supply side and Bitcoin continues to grow it may move up the list to where it is one of those uses that we will need to address before we clean up the electricity supply.
Or maybe the equilibrium is that no country bans it, and PoW currencies don't die on their own due to lack of financial rewards, and PoW artificially inflates the demand and therefore price of energy, leading first to widespread economic issues, then widespread ecological issues, until there is no one left to buy pizza from with your BTC. Very compelling equilibrium.
An equilibrium doesn't entail that it's a sustainable point, or that it's actually providing value when you properly account for all externalities.
E.g. if Bitcoin had no block rewards, then the income from transaction fees alone might provide a more reasonable ceiling for miner activity. Users will only pay fees that make sense vs the utility they get.
However, for Bitcoin that's not the case right now. The combination of high price and block rewards provide an enormous subsidy for miner activity. (Some back of the envelope numbers elsewhere in this thread[1].)
And if Bitcoin gets banned, all PoW will likely get banned, so it doesn't matter if other PoW systems can behave better.
3. cryptocurrencies stop the Austrian economics fetishism and index the coin reward to the mining difficulty. That means getting rid of the fixed coin supply.
That would stabilize the price of the token a lot (since the price going up would increase the mining appeal, thus expanding the money supply, driving the price down) and also make it much more usable as a means of payment (the number of tokens in circulation would grow in parallel with the growth in users).
Obviously it's not gonna happen, because those people have spent a decade convincing themselves that deflation is good and fixed money supply is the righteous way to manage a currency.
Imagine making a case for returning to the gold standard, when thousands of other choices for new precious metals, all with the same performance characteristics, were literally just lying around, and a network of drones would let you swap perfectly and instantly between those metals for pennies!
In that light, one can certainly understand the fervent contempt that Bitcoin maximalists hold for "shitcoins"; but a free-banking market cuts both ways. Barring a state blessing one chain and outlawing the rest, creating new cryptos and swapping between them won't go away. The proper way to measure the emergent "monetary policy" of crypto-currency is of the sum of all chains, not of Bitcoin itself.
It’s actually the opposite since the block reward goes down over time
It is true that 10 years ago block rewards were almost 10x what they are today in terms of BTC, but by USD value new rewards are worth several orders of magnitude more today.
See the history of block reward in dollars[1]. This is the miners' collective budget to find blocks.
It's about 350K USD per 10 minutes now, or 2.1M USD/hour. Pick an industrial electricity price, say 0.05 USD/kWh. That budget will then buy 42 GWh/hour, or 42 gigawatt of power continuously (roughly 2% of global power consumption). Of course, miners have other costs, and their growth is lagging this ceiling. But it gives you an idea.
That's why I think we're heading for overshoot, and future block reward halvings will come too late.
Why miners? Because their main source of income is not the transaction fee, but basecoin, the guaranteed bitcoin payout for each mined block.
Due to Bitcoin being such a huge amount of money, unethical players do anything to lure people in, including MLM-style marketing, artificially inflating volume traded, and overplaying coin stats (like market cap). Then there's also media / influencers who, without second thought, introduce inexperienced people to investing in high-volatility assets.
Pump more energy in! Because you haven't hit a coin yet. And it is getting forever more unlikely that you will… but at the same time, the payoff is even greater than it was last week! Maybe you won't even hit a coin. Your operation is not big enough. But if you do…! So, MOAR…
Loot box mechanic. Turns out it is not just for manipulating children.
Bitcoin difficulty adjusts dynamically with available hashpower; in other words, if miners started to shut down the network would lower its difficulty to keep block times stable.
The chain will not collapse because someone somewhere will always keep it going.
As does the energy use by miners. So, energy use reacts to price, and then difficulty reacts to energy use. That's OP's point.
> if miners started to shut down...
Actually, that would be _very_ interesting. Then you'd have millions of dollars of hardware doing nothing. And doing nothing is losing money. Maybe at that point attacking the network is more profitable than watching your hardware depreciate.
Are Google and Facebook eating the world? They are processing petabytes of data on a daily basis and every year there is more data and information being shared on the internet. Moore's law is our friend because as long as we have better chips more data can be processed and analyzed.
Bitcoin's PoW is based on economy and game theory meaning if people do not find Bitcoin useful they will stop processing transactions or in reality they will stop investing and spending computation power and electricity.
However, people are starting up coal plants that have been previously shut down in order to mine bitcoin.
Bitcoin is causing massive harm.
You probably haven’t heard of this coin/network (invented by the inventor of bittorrent) b/c it doesn’t aim to be a speculative asset, but it does have a very sane programming model (in lisp)
The cause and effect is the other way around. Popularity of the cryptocurrency causes popularity of mining (the price goes up so mining is more profitable and more mining can happen).
Europe is a museum. China would have to open its capital account, and that’s not going to happen.
The answer is obvious by now.
You didn't take into account, that:
- Bitcoin price growth won't continue forever; it'll find a stable price
- Mining rewards halve every 4 years
Therefore, it seems that the heat demand of humans can run the Bitcoin network securely, even without block rewards. It won't "eat the world", but find a beautiful balance.
There are far more energy-efficient ways of generating that heat than PoW. This is an (extremely) flawed argument.
PoW is roughly akin to resistive heating. Heat pumps are about three times as energy-efficient as resistive heating. This does not even begin to take into account that there is no practical way to transfer the heat generated in massive server farm installations to where it would actually be useful without incurring massive losses.
A carbon tax would effectively and immediately steer this search away from using fossil fuels for generation.
People who clutch their pearls over PoW are unwitting Malthusians lacking an appreciation for E=mc^2.
Where are all your posts pointedly taking apart the system you are surely heavily invested in?
You’re part of the problem by being part of human society. Collective economic inaction must be part of the solution.
Producing less superfluous junk at scale must be part of the solution. That means our individual narratives around value stores must change; traditional banking scales even worse than Bitcoin.
2. Bitcoin will decentralize more as the miners will move where electricity is cheaper and thus will cover geography of whole world hydro,thermal,solar,wind etc.. 3. Bitcoin can be the main chain and all side chains can rollup and commits. 4. The btc uses will be huge and there will be no dearth of transaction fees..
Bitcoin’s been around for what… 13 years now? Seems to be speculators, scammers, money launderers, and phishing/hacking rings still.
Everything that tries to accept bitcoin for payment seems to stop doing so relatively quickly.
It’s intentionally deflationary so anyone who holds a bitcoin is incentivized to hold it, not use it.
Just bizarre.
And no, renewable energy isn't generally the cheapest, coal is. (Until you factor in the health care and funeral service costs.)
Bitcoin is just China's way of exporting coal through the atmosphere.
The cheapest energy is the cheapest. It has nothing directly to do with it being renewable.
Or we could just have a surplus of green energy for everything else we need. And how can we even have a surplus of green energy when we're probably at a 90% of world energy production deficit?
This is one of those sentences that reads like it is saying a lot but might actually be nonsensical. Care to elaborate on this? i.e. how exactly does the article 'frame distributed consensus mechanisms in an understanding of asset value'?
I read the article and I didn't see anything about asset value (whatever that is). As far as I can tell they point out that the article you cited pretty much agrees with what they're saying (about PoS by itself not being self-certifiable or irreversible) but disagree with the position that this can be acceptable in the real world. Whether you agree with that is subjective but the main criticism in the article seems to be directed at those who are selling PoS as a sufficient distributed consensus algorithm to replace PoW. There are blockchain projects raising literally billions of dollars on this false guarantee so it is valid to criticize them.
In relation to that I was specifically referring to the misunderstandings present in "Nothing at stake".
You say:
"There are blockchain projects raising literally Billions of dollars on this false guarantee so it is valid to criticize them."
Are you not presupposing the correctness of the author's argument by calling it false? Have you already made up your mind?
I spent a lot of time talking about this topic with people. The article does have a point, that the security model of proof of stake is fundamentally different and relies on a key assumption (from the article you linked):
> any new node coming onto the network with no knowledge except... the set of all blocks and other "important" messages that have been published...
This is referenced in the OP as a point of security failure. The assumption is that we can rely on social interactions between nodes and that that is good enough. The criticism is that a new node can have no way of definitively knowing that their copy of the chain is the widely used canonical chain. An eclipse attack can occur, or as the OP stated new nodes may need to rely on authoritative sources to get current state which puts centralized power centers in the security model.
It is not a deal breaker (IMO), remember, PoW relies on the security assumption that it is prohibitively difficult for more than half the network to collude. I'd argue these assumptions are equally tenuous. I think as long as disparate, non colluding sources of the canonical chain are available (arguable if this is foregone, seeing as we need PoW to ensure consensus and resistance to collusion, probably not, but all it takes is one person to not collude and contention exists) it wouldn't be a problem.
Another big sticking point is the fact that no external resources must be invested, and/or that there is no ongoing cost. I find this to be the big problem with PoS schemes, I've had quite a number of discussions focused on these two particular issues (stemming from the same fundamental difference, that an internal capital stake is made) and I see benefits of not having ongoing cost and benefits of having it, and also of having a fully self contained system as well as having a system grounded in the outside world. All in all I have come to the conclusion that these differences make neither better nor worse, but that they are simply two completely different game theoretical environments with different security and incentive properties.
In practice social networks form a cornerstone of all of the unstated assumptions of all consensus mechanisms. I'm more worried about supply chain compromise in wallet code than I am about an eclipse attack on a new node. At that point we know our models are too simple to make real world security comparisons.
- Director General at the Swedish Financial Supervisory Authority
- Director General at the Swedish Environmental Protection Agency
I’m not sure who you think is more qualified to have a stance that represents Sweden?
Or maybe you could just let people do what they like with the electricity they paid for
Right of ways are real, tweets are not.
I’m not sure if the people making the most money from crypto-mining’s energy usage, are to be believed?
PoW is throwing away electricity for the sake of it, and resists getting more efficient. If the goal is for the bitcoin network to cost $1M to do a single double spend, then PoW has to use $1M worth of electricity every 10 minutes.
Let's say we live in a future where we suddenly have 10x as much electricity. Due to supply and demand, electricity now costs 10% of what it did before.
Dryers etc all keep using the same amount of electricity with no issue, but bitcoin has a problem: it's now really cheap to double spend unless bitcoin uses 10x as much electricity. So of course, it does.
There's a similar problem with making things more efficient. If we make a christmas light more efficient (make it use an LED instead of an incandescent bulb or whatever), christmas lights will use less electricity.
If we make ASICs or GPUs more efficient, then people will just have to run more of them, or else bitcoin will be less secure.
I think this is a real and notable difference, and I think that's enough of a justification to consider a ban.
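The budget arithmetic in the comments above (block reward in USD, divided by the electricity price, gives the power the network can afford; cheaper power or better ASICs change the energy burned but not the dollar cost an attacker has to match) can be written down as a small model. This is an added example, not code from the thread or from any Bitcoin implementation; the subsidy schedule and constants are Bitcoin's, while the BTC price, electricity price and ASIC efficiency fed in are constructed inputs, not measurements.

```python
"""Toy proof-of-work security-budget model (added example, not from the thread).

The USD block reward is the miners' budget.  Electricity price and hardware
efficiency decide how much *energy* that budget buys, but an attacker who has
to out-hash the honest network must still match the same *dollars* per hour.
"""

BLOCKS_PER_HOUR = 6                      # ~10-minute block interval
HALVING_INTERVAL = 210_000               # blocks between subsidy halvings
INITIAL_SUBSIDY_SATS = 50 * 100_000_000  # 50 BTC in satoshis at genesis


def block_subsidy_btc(height: int) -> float:
    """Block subsidy at `height`: 50 BTC halved every 210,000 blocks.
    Integer satoshis are right-shifted exactly as Bitcoin does, so the
    subsidy eventually truncates to zero instead of becoming a fraction."""
    halvings = height // HALVING_INTERVAL
    return (INITIAL_SUBSIDY_SATS >> halvings) / 1e8


def hourly_budget_usd(height: int, btc_price_usd: float,
                      fees_btc_per_block: float = 0.0) -> float:
    """What the whole network earns per hour, subsidy plus fees, in USD."""
    return BLOCKS_PER_HOUR * (block_subsidy_btc(height) + fees_btc_per_block) * btc_price_usd


def power_ceiling_watts(budget_usd_per_hour: float, elec_usd_per_kwh: float) -> float:
    """Continuous power the budget could buy if all of it went to electricity.
    USD/hour divided by USD/kWh is kWh per hour, i.e. kW; times 1000 gives W."""
    return budget_usd_per_hour / elec_usd_per_kwh * 1000.0


def hashrate_ceiling_hps(power_watts: float, joules_per_terahash: float) -> float:
    """Hashes per second that power sustains at a given ASIC efficiency."""
    return power_watts / joules_per_terahash * 1e12


def majority_attack_cost_usd(budget_usd_per_hour: float, hours: float) -> float:
    """Floor on what an attacker must spend to out-hash honest miners for
    `hours`: at least what the honest side spends over that period.
    Hardware acquisition and rental markets are ignored, so this is a
    lower bound, not an estimate."""
    return budget_usd_per_hour * hours


def scenario(height: int, btc_price_usd: float, elec_usd_per_kwh: float,
             joules_per_terahash: float) -> dict:
    """Bundle the chain of calculations for one set of (constructed) inputs."""
    budget = hourly_budget_usd(height, btc_price_usd)
    watts = power_ceiling_watts(budget, elec_usd_per_kwh)
    return {
        "budget_usd_per_hour": budget,
        "power_watts": watts,
        "hashrate_hps": hashrate_ceiling_hps(watts, joules_per_terahash),
        "attack_cost_1h_usd": majority_attack_cost_usd(budget, 1.0),
    }


if __name__ == "__main__":
    # Constructed inputs: height 700,000 (subsidy 6.25 BTC), 56,000 USD/BTC,
    # 0.05 USD/kWh industrial power, 30 J/TH ASICs.
    base = scenario(700_000, 56_000, 0.05, 30.0)
    cheap_power = scenario(700_000, 56_000, 0.005, 30.0)   # electricity 10x cheaper
    better_asic = scenario(700_000, 56_000, 0.05, 15.0)    # ASICs 2x as efficient
    for name, s in [("base", base), ("cheap power", cheap_power), ("better ASIC", better_asic)]:
        print(f"{name:12s} {s['power_watts']/1e9:6.1f} GW  "
              f"{s['hashrate_hps']/1e18:8.1f} EH/s  "
              f"attack floor {s['attack_cost_1h_usd']/1e6:.2f} M USD/hour")
```

With these inputs the base case reproduces the 2.1M USD/hour and 42 GW figures above; making electricity ten times cheaper raises the power ceiling ten-fold, and doubling ASIC efficiency doubles the hashrate, while the one-hour attack floor stays at 2.1M USD in every case. That is the "efficiency gets cancelled" property the comment describes.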
Even clothes dryers seem to be using less energy than Bitcoin. If you run the dryer for an hour each week, you're at 12-15kWh per month, which is 1-2% of your average household energy usage in the US, Canada or the EU. Now households use at most around a third of the electricity in cold countries with a decent amount of electric heating for which dryers are much less, but let's run with it. That still sets the upper bound to 0.6%, which incidentally is the same as bitcoin.
And best of all, someone complaining that this is clearly a wasteful scam and being told back, "how much energy did videocassettes and magazines consume, huh?"
Well, let's see
>Bright lights strung on American trees, rooftops and lawns account for 6.63 billion kilowatt hours of electricity consumption every year [1]
>Bitcoin mining consumes around 91 terawatt-hours of electricity annually. [2]
Huh. That's at least the same order of magnitude, at any rate.
[1] https://phys.org/news/2015-12-christmas-energy-entire-countr... [2] https://www.businessinsider.com/bitcoin-mining-electricity-u...
If the amount of throughput and everything else remains constant while more and more computers are in a zero-sum arms race to waste electricity to solve a useless hash problem, then it is by definition not useful except for “securing the network”.
And if you can secure a network some other way, then it definitely becomes better by any arbitrary order of magnitude, assuming your utility function doesn't place infinite value on securing 10 transactions a second to over 99.9999% certainty and is willing to waste all the world's electricity to do it.
Literally even if you value all other uses of electricity put together as 1/100000 of securing Bitcoin then in a few years banning PoW becomes the right move.
But I imagine it will be like the war on drugs — impossible to totally eradicate, since mining rewards become more lucrative every year forever. Until bitcoin blackouts are frequent in the first world, most people won't care though.
Imagine if people asked how many emails (SMTP), conversations (VOIP) or websites (HTTP) the Internet can ever handle per second and the answer was 10, no matter how many computers joined the network. Because every time you had to make progress, everything went through one bottleneck called a miner. Would this be the topology you want to reward with ever-more-valuable rewards?
Imagine if BitTorrent worked this way, and every computer would seed every file. And maximalists said that this was the ONLY AND BEST WAY.
Also aren't each of those used by significantly more people than Bitcoin? So the per capita use is less and they scale better?
Also how are you estimating cost of porn? Viewing cost? Generation cost?
These discussions should talk about the ratio between a certain measure of productivity (e.g. GDP generated for the country) to the energy use; energy on its own does not mean much. I'm sure worldwide food production consumes more energy than Bitcoin.
Other than that, a problem with POW (at least as implemented in Bitcoin) is that technological advances won't result in less energy consumption as it's mostly a function of (price of Bitcoin, price of energy).
Our legislators and regulators, because that's their job.
Just like we ban heroin, regulate over the counter drugs, and tax alcohol.
Mining BTC is a waste of everyone's time.
Electricity production is partly socialized - and - we're literally facing a kind of global crisis.
Ban it, and let the Crypto Warriors figure out other, better ways (of which there are numerous) for allocating magic numbers.
We can actually start with 1 question: If electricity demand from PoW mining spurs new renewable plants to be built, is that bad for the environment?
I (and many electricity companies) actually think PoW mining is good for the grid/renewable adoption in the long term. Let me explain why:
Some indisputable facts to get us started:
1. Most renewable electricity has unpredictable supply
2. Introducing marginal capacity of the same type gives diminishing returns. Eg: you're producing more during high supply times where electricity rate is low. During lower production periods all of the same type of renewable will be producing less so you can't even take advantage of the higher rates.
3. Rational bitcoin miners will turn off their machines when cost of power is greater than marginal return.
As a result, PoW mining will help the economics of building new wind/solar plants. Eg, currently it may not be profitable to build a new wind plant because base load is too low that the excess power generated would need to be sold off at 0 or even negative prices. However if bitcoin mining could be turned on during these times and off during periods of high demand, there will need to be fewer peaker plants in operation and it would positively affect the economics of opening a new wind plant.
Bitcoin mining only cares about the cost of electricity at a given time, it is not like most other electricity demands that are very time based. With the large variance of electricity generation by renewables, I think bitcoin can in the future help smooth demand according to the real supply/demand curve.
It's kind of like a different implementation of the Tesla utility grid batteries. Instead of deploying batteries, you force the grid to build more renewable capacity (that the miners are paying for) that miners use except in peak periods, where you turn off and effectively provide the grid with more power.
Yes, obviously.
Even if every single miner pool built its own solar/wind plant to power 100% of its energy needs, that would still be horrible for the environment: building the power plant itself produces harm to the environment; and the space and work and money used to create the Bitcoin miner's power plant could have gone into replacing (closing down) a non-renewable power plant.
Silly arguments about pricing volatile electricity only work if we assume maximizing profit is the ultimate good or that PoW is the only way to use that excess power. In reality, if we want to avoid the worse catastrophes that our current economy is pushing the world towards, we have to stop looking at profit, and choose less profitable but more useful ways of handling volatility - batteries, long-distance transmission, etc.
The raw figure it uses for gross power consumption (62 TWh) is also unsourced.
Meanwhile, the Cambridge Center for Alternative Finance puts the figure at around twice that - 110 TWh.
Not that we had any reason to grant credence to what a bitcoin "investment" company says about the matter, anyway.
Where is the use case?
Bitcoin already proved its use case years ago, it already won. The only question now is how far can it go.
It may be the case that coal is cheaper if you ignore the capital cost of the plant (e.g. running an old plant beyond its design life) but including capital costs amortised over the lifetime of the plant coal is not even cheaper than natural gas.
My understanding is that a major source of electricity used for bitcoin mining in China was hydro power during the wet season (when there is a natural power surplus because the level in the dam must be reduced)
The reason it's the cheapest is that you're negotiating with somebody who is desperate and has no options left. They have to sell the energy to you for bitcoin production because there's literally nowhere else they can turn.
The more green energy proliferates and climate change action expands, the more of these plants will be reduced to this desperation. The worst energy production is the cheapest, so long as it's been outlawed and the plant has no other options.
Don't get me wrong, I love the politics of decentralization. But it's worth remembering that decentralization tends to be a cost-center, not a profit-center, from the standpoint of efficiency and performance; and decentralized tech is no guarantee of decentralized results (see Amazon/Facebook/Google, who have quasi-monopolies in their niches, despite being delivered over open and federated web protocols).
Which then results in situations like miners buying up the majority of new GPU releases, leading to shortages for any other users, and still not having enough to keep up with the difficulty increases.
I have conquered [and seen others close to me] FOMO by stubbornly writing things off, and I suspect others have done the same thing: it's calorically inexpensive and cognitively frictionless. No one can reasonably assess everything that comes their way.
I am not saying that that's the reason with the writer, but it's surely the reason in some people, precisely because it's easy. And easier still to click upvote on a take that reinforces that stubbornness. It's this latter group whose motives are being questioned, as per the GP who asked why these takes get upvoted. I wasn't actually questioning the motive of the writer of the article, hence why I didn't engage in the arguments in the first place.
And of course you have the corollary of true believers who will support anything positive of X-thing-they-have-adopted.
It's seems to be only these two dichotomies we see, rarely balanced takes. And that's the real problem.
(alternatively, tax the electricity use beyond a certain per-person allocation).
I agree that there can be harms from PoW, but this is because of the electricity use, and so the thing to tax is the electricity use. Rather than the state deciding what things it considers valid for an individual to value and seek, it should put the restrictions on the thing that more directly causes negative externalities to others.
If there is a concern that this would harm things that we are sufficiently convinced is objectively valuable (e.g. making it more costly than is appropriate for people to heat their homes), so that we want to not significantly impact the finances of people who are like, using "reasonable" amounts of electricity, then we can, as I said, put some threshold amount of electricity use per person below which there's no tax on it, and increase the tax rate above that amount to account for this (and use the revenue to pay for CO2 removal and/or green energy development).
Or, like, I suppose in the most extreme case you could (on e.g. an annual basis) give everyone an initial amount of CO2 credits and no one is allowed to emit CO2 beyond the credits they have (but unused credits can be bought and sold).
... Oh.
Also the difficulty scaling is important even if you don't take security into account: if you don't raise it, then the block mining frequency rise progressively, and then you end up with more and more orphaned blocks, until you end up with parallel chains that don't really converge to a single coherent one.
So your statement ends up being incorrect over a period of time.
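The retargeting that this comment and the earlier one ("Bitcoin difficulty adjusts dynamically with available hashpower") rely on can be shown concretely. Below is an added example, not code from the thread or from Bitcoin Core: the constants (2016-block epochs, two-week target timespan, 4x clamp, mainnet proof-of-work limit) are Bitcoin's, but the hashrate figures fed into the simulation are constructed. It shows that a hashrate drop lengthens blocks only until the next adjustment, that the clamp means a large drop takes several epochs to absorb, and why not raising difficulty as hashrate grows pushes up the orphan rate.

```python
"""Bitcoin-style difficulty retargeting, added illustration (not from the thread).

Constants are Bitcoin mainnet's.  Hashrates passed to the simulation are
constructed examples, not measurements.
"""
import math

TARGET_SPACING = 10 * 60                               # intended seconds per block
RETARGET_INTERVAL = 2016                               # blocks per difficulty epoch
TARGET_TIMESPAN = TARGET_SPACING * RETARGET_INTERVAL   # 1,209,600 s, two weeks
POW_LIMIT = 0xFFFF << 208                              # mainnet minimum-difficulty target


def target_for_hashrate(hashrate_hps: float) -> int:
    """Target that yields one block per TARGET_SPACING at the given hashrate.
    A single hash attempt succeeds with probability target / 2**256."""
    return min(int(2**256 / (hashrate_hps * TARGET_SPACING)), POW_LIMIT)


def expected_block_time(target: int, hashrate_hps: float) -> float:
    """Mean seconds per block for a given target and network hashrate."""
    return 2**256 / (target * hashrate_hps)


def retarget(old_target: int, actual_timespan: int) -> int:
    """One difficulty adjustment: scale the target by how long the last epoch
    really took versus the intended two weeks.  The measured timespan is
    clamped to [1/4, 4] of the intended value, so one epoch can move the
    target by at most 4x either way.  The clamp also bounds how far an
    attacker can push difficulty in one step by skewing block timestamps."""
    clamped = max(TARGET_TIMESPAN // 4, min(actual_timespan, TARGET_TIMESPAN * 4))
    return min(old_target * clamped // TARGET_TIMESPAN, POW_LIMIT)


def difficulty(target: int) -> float:
    """Conventional difficulty: how many times harder than the minimum target."""
    return POW_LIMIT / target


def stale_rate(block_time_s: float, propagation_delay_s: float) -> float:
    """Rough share of blocks orphaned when it takes propagation_delay_s for
    a new block to reach the network: the chance a competing block is found
    during that window, assuming Poisson block arrivals."""
    return 1.0 - math.exp(-propagation_delay_s / block_time_s)


def simulate_epochs(initial_hps: float, new_hps: float, max_epochs: int = 10) -> list:
    """Hashrate jumps from initial_hps to new_hps at an epoch boundary.
    Returns the mean block time seen in each successive epoch until the
    adjustment brings it back within 1% of TARGET_SPACING."""
    target = target_for_hashrate(initial_hps)
    history = []
    for _ in range(max_epochs):
        block_time = expected_block_time(target, new_hps)
        history.append(block_time)
        if abs(block_time - TARGET_SPACING) <= 0.01 * TARGET_SPACING:
            break
        # The epoch's actual timespan is what the retarget rule sees.
        target = retarget(target, int(block_time * RETARGET_INTERVAL))
    return history


if __name__ == "__main__":
    base_hps = 1e20                              # constructed starting hashrate
    print("hashrate halves:", [round(t) for t in simulate_epochs(base_hps, base_hps / 2)])
    print("hashrate drops 10x:", [round(t) for t in simulate_epochs(base_hps, base_hps / 10)])
    # Hashrate grows 10x but difficulty is never raised: 60-second blocks.
    t = target_for_hashrate(base_hps)
    fast = expected_block_time(t, base_hps * 10)
    print(f"no retarget after 10x growth: {fast:.0f} s blocks, "
          f"stale rate {stale_rate(fast, 10):.1%} vs {stale_rate(TARGET_SPACING, 10):.1%} "
          f"at 10 min (assuming 10 s propagation)")
```

A halving of hashrate gives one epoch of 20-minute blocks and is corrected at the next adjustment; a ten-fold drop hits the 4x clamp, so the network sees 100-minute blocks, then 25-minute blocks, and only then recovers. Conversely, if difficulty were not raised as hashrate grew ten-fold, blocks would arrive every minute and, with a 10-second propagation delay, roughly 15% of them would be orphaned instead of under 2%, which is the convergence problem the comment points at.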
In terms of a kettle or cooking you're right, but you also can't cook/boil using mining hardware as they're heat limited to ~100C. For hot water heat pumps work great.
> Also, heat pumps don't really work in colder climates as the only heat source.
Ground source heat pumps work just fine in cold climates and have been rapidly getting cheaper.
2. do you agree that nuclear is a sustainable and necessary solution?
3. do you agree that mining provides massive incentives, on huge scale, to nuclear power developers?
Power generation is a social concern, and states provide plenty of incentive to build power plants, especially nuclear - crypto mining is a profit chasing wasteful afterthought.
It's like claiming that if I steal a percentage of your paycheck for a few years and until the government stops me, leaving you with more disposable income than when I was stealing it, I've actually helped you by encouraging you to work really hard.
And yes majority of people behave according to game theory because if they do not then they lose or in extreme cases die.
Majority of people are not addicts but those who are lose or in extreme cases die like for example alcohol addicts, drug addicts even casino gambling addicts who tend to suicide when losses amass and loans come due.
And that still destroys the environment and enriches Jeff Bezos.
Forget stealing data — these hackers hijacked Amazon cloud accounts to mine bitcoin:
https://www.businessinsider.com/hackers-broke-into-amazon-cl...
>A report from the security intelligence group RedLock found at least two companies which had their AWS cloud services compromised by hackers who wanted nothing more than to use the computer power to mine the cryptocurrency bitcoin. The hackers ultimately got access to Amazon's cloud servers after discovering that their administration consoles weren't password protected.
Did I miss something or is your comment factually incorrect?
Meanwhile, I'd reckon that the US accounts for the majority of Christmas lights.
>If it were for me I'd force oil well operators to [....]
Maybe it's too costly for a reason? Building power lines or pipelines to the middle of nowhere has economic and environmental costs as well, so top down legislation forcing every single well to do it might result in worse overall outcomes. For instance, the resources it takes to construct a pipeline/power line to the nearest town might be more than the electricity/methane that can be generated from the well.
Well, there already is a pipeline for the oil product (so the additional overhead for a small gas pipe isn't that huge) and an electric grid hookup for the pump. That can be used even for a small-scale electrical generator.
not every oil well is hooked up to a pipeline. Some (many? most? not sure) are only serviced by trucks, presumably because they're too remote to profitably operate a pipeline for.
> but unfortunately "regulation" of any kind is seen as a bad thing in wide parts of the US.
So you would have them be regulated out of business? Most of us in the U.S. do indeed see that as a bad thing.
If you want you can build a generator near those wells. It's just cheaper to get the energy from somewhere else, because energy is fungible. A watt is not good or evil, it's the same as any other watt. Which means crypto energy consumption can be offset just like anything else, and is exactly as evil as any other convenience - driers, for instance, or flood lights, or inefficient heating, or anything else.
Focusing on crypto in particular says more about the author than anything else.
no it's not. A watt that's in the middle of south dakota, with no power lines in sight, is worth much less than a watt in southern california and is connected to the power grid.
If we're going to start legislating how we're all allowed to use energy that civilization has made available, who gets to decide what's allowed?
Numbers I've seen suggest that global PC gaming alone (excluding consoles) currently uses about as much electricity as bitcoin. Should we ban that too since playing cards are readily available and use almost no energy? Maybe we can make a concession and only allow low powered handheld consoles?
If bitcoin mining actually becomes problematic, then by all means we can definitely ban it or add some sin taxes to it, and we probably will in a lot of jurisdictions. I'm actually kind of eager for that to happen, because it will force miners to actually become novel/stranded energy ventures. They'll be the capital drive that builds out energy sources that not enough humans live around to justify tapping and/or we can't economically justifying building without expensive transmission infrastructure. And once it's built out and paid off, it may be a lot easier to justify investing in building out long distance transmission infrastructure so the rest of civilization can also tap into these sources.
We already legislate different pricing for different applications. Household electricity has a different price than industrial usage. A 1000x price of electricity for certain applications is just a small extension of what we currently have.
it's called "we the people" or democracy if you will. We as a society decide that cryptocurrency aren't worth destroying the world over, and that's about it.
If bitcoin mining uses co2 producing power (because the economics supports it), is that the fault of bitcoin or the government for not sufficiently taxing the negative externalities of that means of production?
It's curious how much agitation there is concerning the energy consumption of PoW. I don't see nearly as many articles calling for restricting AWS & co. Coincidentally Bitcoin is the base layer of a decentralized finance world completely out of the control of traditional elites and banks.
x = x
As if that's insightful. But in the spirit of HN, can you say more? My understanding is that renewables are the cheapest and will likely continue to trend in that direction, causation or not. So are you suggesting maybe there's a chance of a super inexpensive non-renewable overtaking this trend?
I broke this chain of logic by pointing out that renewable is an unnecessary consideration and that mining activities will choose the cheapest option regardless of its renewability.
Furthermore I claim that renewable is not the cheapest. Various subsidies aside, renewable is often many times more expensive to deliver where and when required. The total system cost is many times higher.
To be clear, I think:
- having surplus (or cheaper) energy is good
- generating relatively more energy through renewable resources is good
- renewable energy is cheaper and so lower energy prices promote renewable energy more (but also reduce the supply in general)
- current bitcoin mining increases demand and therefore generation and, to some extent, prices while supply catches up
- a drop in bitcoin mining would lead to a surplus of (renewable) energy which I think would be good
Can you help me find what the source of confusion is?
Unless we believe that Bitcoin has some use, its power consumption would be problematic even if it weren't so monstrously large. And vanishingly few people believe Bitcoin has any value beyond a get rich quick scheme.
There is no market in the world where you are going to decrease consumption by increasing the demand. That's just not how economics works.
It's also a new finance world completely under the control of an even smaller elite of devs and mining pool owners (see the hard fork of Ethereum that happened a long time ago, and the upcoming fork of Ethereum that will move it to PoS; sure, Ethereum isn't Bitcoin, but there is nothing fundamentally different to prevent Bitcoin taking a similar step whenever the devs and miners decide).
What Bitcoin definitely is not is a new currency where the people have any kind of control. It is actively opposed to that goal, and takes away even the slight chance of a benevolent leader that exists with central bank controlled currencies.
You forgot a (perhaps even more) crucial part: the exchanges/stablecoins!
They're the whole reason this clown show is considered "finance" rather than funbux.
And they're all extremely suspicious. And by suspicious I mean obviously fraudulent. The value of Bitcoin (!) is propped up by Tether printing fake dollars backed by nothing.
- electricity is the only part where Bitcoin produces emissions (emissions of mining hardware)
- wasting climate neutral energy does not matter (it does: it's harder, takes more time and resources to switch to climate neutral sources; iirc studies estimate Germany needs to cut 50% of energy consumption to achieve 1.5° conformity)
- Bitcoin miners don't bypass widely adopted regulations somehow
Even if BTC and every other POW cryptocurrency converted this afternoon to 100% renewable energy use (and we ignore the carbon cost of manufacturing the hardware), it is STILL a huge climate problem.
Why?
1) Because that ~1% of total energy consumption is being squandered on maintaining the cryptocurrency instead of any other use. Thus, it prevents those clean energy sources from displacing CO2-generating sources which would otherwise be taken offline.
2) Even if the BTC energy is entirely derived from some power source that could not be used by others, perhaps all geothermal generation on a remote volcanic island, it will still add net heat to the atmospheric system. And, of course, we still have the energy use and CO2 spewage of fabricating and moving the mining equipment into location.
So, no, this problem is NOT taking care of itself.
Obviously, if the mining is done off-earth anywhere, it will not contribute to the CO2 problem, =ASSUMING= that it does not require on-earth energy resources to put the power generation there.
Crypto mining also stops being a problem when 100% of on-Earth power generation is de-carbonized — in that situation, it is no longer diverting energy generation that could be used to displace/reduce remaining CO2-spewing energy generation.
The problem is: While CO2 power generation is still active, and especially when it dominates, every kW of electricity used for crypto mining either directly generates CO2, or it uses clean generation that could otherwise (but now does NOT) displace a kW of CO2-based generation capacity.
Even if 99% of the rest of the world is also running on renewables, Crypto is still diverting energy generation that could be decarbonized.
Once the world energy generation is fully de-carbonized, then it is a non-issue.
Btw Satoshi introduced blockchain checkpoints so no attacker can fork the existing Bitcoin chain and make a competing one.
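How checkpoints interact with chain selection, and why they matter for the "new node cannot tell which chain is canonical" worry raised earlier in the thread, can be shown with a small header-chain selector. This is an added example, not code from the thread or from Bitcoin Core. It keeps two properties of Bitcoin's rule: the best chain is the one with the most cumulative work (computed from each block's target the way Bitcoin's GetBlockProof does), not the most blocks, and any chain whose block at a checkpointed height has a different hash is discarded outright. The block hashes and targets are constructed placeholders, not real headers.

```python
"""Header-chain selection with pinned checkpoints (added example, not from the thread).

Hashes and targets are constructed placeholders; no real proof-of-work is
verified here, only the selection rule applied to already-validated headers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Header:
    height: int
    hash: str       # constructed identifier standing in for the block hash
    target: int     # expanded target; a lower target means more work per block


def block_work(target: int) -> int:
    """Expected hashes needed to find a block at this target (Bitcoin's GetBlockProof)."""
    return 2**256 // (target + 1)


def chain_work(chain: list) -> int:
    """Cumulative work: what fork choice actually compares, not block count."""
    return sum(block_work(h.target) for h in chain)


def is_contiguous(chain: list) -> bool:
    """Heights must run 0, 1, 2, ... with no gaps or duplicates."""
    return [h.height for h in chain] == list(range(len(chain)))


def violates_checkpoint(chain: list, checkpoints: dict) -> bool:
    """True if the chain reaches a checkpointed height with a different hash.
    A chain that has not yet reached a checkpoint height is not penalised."""
    by_height = {h.height: h.hash for h in chain}
    return any(height in by_height and by_height[height] != pinned
               for height, pinned in checkpoints.items())


def select_chain(candidates: list, checkpoints: dict) -> list:
    """Pick the best chain: drop malformed or checkpoint-violating ones,
    then take the one with the most cumulative work."""
    valid = [c for c in candidates
             if is_contiguous(c) and not violates_checkpoint(c, checkpoints)]
    if not valid:
        raise ValueError("no candidate chain passes structural and checkpoint checks")
    return max(valid, key=chain_work)


def make_chain(n: int, target: int, tag: str) -> list:
    """Constructed chain of n headers at heights 0..n-1 with placeholder hashes."""
    return [Header(i, f"{tag}{i:02d}", target) for i in range(n)]


def extend(prefix: list, n: int, target: int, tag: str) -> list:
    """Constructed fork: the given prefix followed by n new headers."""
    start = len(prefix)
    return prefix + [Header(i, f"{tag}{i:02d}", target) for i in range(start, start + n)]


# Constructed scenario: an honest chain, a longer-but-weaker fork, and a
# higher-work fork that rewrites history below a checkpoint.
EASY = 1 << 224
honest = make_chain(5, EASY, "h")                          # heights 0..4
long_weak = extend(honest[:3], 6, EASY * 4, "w")           # 9 blocks, each quarter work
rewrite = extend(honest[:2], 5, EASY // 2, "r")            # rewrites height 2 onward, double work
CHECKPOINTS = {2: "h02"}                                   # pinned hash at height 2


def winner_with_checkpoints() -> str:
    return select_chain([honest, long_weak, rewrite], CHECKPOINTS)[-1].hash


def winner_without_checkpoints() -> str:
    return select_chain([honest, long_weak, rewrite], {})[-1].hash


if __name__ == "__main__":
    print("with checkpoint at height 2:", winner_with_checkpoints())
    print("fresh node, no checkpoints:  ", winner_without_checkpoints())
```

With the checkpoint in place the honest chain wins: the nine-block fork loses on cumulative work despite being longer, and the higher-work rewrite is thrown out because its block at height 2 is not the pinned one. Remove the checkpoints, as a fresh node with no prior knowledge effectively does, and the same selector picks the rewrite, which is the gap the earlier comment about new nodes needing an authoritative source is describing.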
It really sounds like you're rationalizing banning Bitcoin because you don't see any value in it. That's a dangerous way to decide who gets to use electricity.
LED was a technological innovation. Nothing says Bitcoin can't have those. If you want more light, you need more lamps and you need to spend more energy. I don't really see the difference here.
About every 4 years the reward for mining a block will be halved. I don't see LED lights getting two times more efficient every 4 years.
It would only be beneficial if after a certain level of efficiency were achieved, PoW got banned and all that efficiency increase could actually benefit consumers of energy that did not have to keep increasing spend to keep up (though even that's not sure, because if energy becomes 10x cheaper, it's just a matter of time for people to invent new creative ways to use all that cheap energy that's prohibitively expensive right now).
There is a lot of resources getting wasted in real life. For example I'm from East Europe and we do not have good water pipe infrastructure and lots of water gets leaked every month.
Speaking of wasting and leaking electricity I did a quick Google search and this is what I found:
"Are your appliances leaking electricity? Some of you might not be familiar with what this means. Not only do we have more small- and medium-sized appliances than ever before, but many of these never really stop using electricity. For example, if the television has a remote, then part of the TV is always on, waiting for a signal from the remote. If there is a clock on the microwave then the microwave is always using some electricity. Experts call this usage "standby consumption" or "leaking electricity" because people are often not aware that the appliance is using electricity.
A single appliance usually leaks only a small amount of electricity each hour (see Leaking Watts Chart below). Since these appliances leak electricity whenever they are not turned on, and since people have a lot of these appliances, the amount of leaking electricity is significant. The average household spends about $40 a year on leaking electricity. The federal government works with appliance manufacturers to reduce the amount of electricity that leaks out of new appliances[1]."
Also here is another good resource on electricity leak which is related to the first web document I linked[2].
And then how much food is getting wasted every month globally? Probably billions of dollars of food is getting thrown away every month.
[1] https://www.uwsp.edu/cnr-ap/KEEP/nres633/Pages/Unit3/Section...
[2] https://www.teachengineering.org/content/cla_/activities/cla...
All uses of energy incentivize the search for cheaper energy.
Not all energy uses are optimized to increase usage over time, to cancel efficiencies. Proof of work, whatever its merits, is anti-efficiency with respect to itself.
This is a significant difference.
This is just like saying: let's burn as much coal and oil as fast as we can, so we can accelerate the need to develop alternative fuel sources.
https://futurism.com/bitcoin-mining-company-buys-entire-coal...
https://grist.org/technology/bitcoin-greenidge-seneca-lake-c...
https://arstechnica.com/tech-policy/2021/09/old-coal-plant-i...
If Bitcoin disappeared tomorrow, it would give a small reduction in energy use, but at best it buys you 6 months extra to decarbonize electricity production.
Also what does btc and crypto replace? The carbon footprint of traditional finance, banking and the military actions to preserve it are massive polluters. Even at its infancy, pow crypto is already a good direction to improve sustainability.
6 months can be a tipping point happening or not.
Additionally, each produced ton of green house gases is contributing to climate change right now
The more electricity to decarbonize the more difficult.
As OP mentioned this issue is already getting addressed and is in the process of becoming more debated.
If anything, solving existing real problems ought to be a priority rather than such a niche thing.
What you do is buy up the dirtiest plants, run them until they break, bribe or evade any authorities (if they even exist) who would stop you, and if the plant is being shut down because it's failing to comply with pollution regulation (again, if such even exists) that just puts it in a weaker negotiating position. As such they HAVE to deal with you at whatever price you're willing to pay because they can't go anywhere else because they have to run illegally. But they're powering bitcoin, so it stops mattering if they're running illegally, because bitcoin is the currency in which it doesn't matter if you're being paid for crimes, only that the coin exists.
I consider that powerful motivation to arbitrage the energy system and exploit cases where energy suppliers are running out of options because they are too dirty. And this can be happening anywhere. Climate's global. If all the dirtiest coal burners are huddled together on a secret island for warmth and to eke out the last pennies (of real money) they can earn, they'll do that for bitcoin if they can't operate any other way.
And it'll still matter. It'll just be happening in secret, because bitcoin don't care.
Why push around everyone to consume differently while distributing vast amounts of tax money that immediately go into more wasteful crypto? It will not stay at 1% and I agree with the OP that it's going to be difficult to reduce electricity wastage on one end while ignoring the elephant baby in the crib taking over the room.
I'm a random internet person in Hong Kong. I have a friend mining half his rent in a hotel room who decided that he doesn't need to pay rent the "normal way" anymore, he can just sleep next to a cluster of mining machines in a hotel room. Is he the stupid one, or am I, paying 3000 USD of my own money monthly ? I have another friend who lost half his saving in shitcoin speculation, I have colleagues who made a 10x profit this year, I mean it's all fucking around me and it's very hard to say it's just a 1% part of an important problem.
I feel sometimes it's going to become the main problem. I can't wait for a mega crash to calm down all this excess. I can't accept I'm the idiot working the traditional way to make traditional money paying for traditional things while the futuristic gamblers mine their hotel room fees on a bet I'm going to eventually be forced into using their tokens at whatever cost when it becomes legal tender, locking the future price into making them billionaires.
For your own sanity I suggest you stop taking the process of getting rich so seriously. It doesn't make sense, nor is the fact that it doesn't make sense a singularity in the grand scheme of time; it has been known since ancient days (I'm not religious, this is just evidence of its timelessness): "I returned, and saw under the sun, that the race is not to the swift, nor the battle to the strong, neither yet bread to the wise, nor yet riches to men of understanding, nor yet favour to men of skill; but time and chance happeneth to them all"
I'm assuming the large nation states would attack these tokens before allowing this to happen and I don't think any token ecosystem could withstand a strong nation state attack
Reality matters :)
I think crypto has a lot of socially useful potential, beyond mere speculative gambling and Austrian-school value storage, but that's in addition to the centuries of momentum in our real-world political economy; crypto-currencies are unlikely to replace that entirely, anymore than the internet replaced the New York Times.
Bitcoin has merits. So proof of work, being a part that is currently necessary for it to work has merits.
But the argument that proof-of-work has the merit of incentivizing cheaper energy sources does not stand up.
1. All uses of energy already incentivize the search for cheaper energy. This isn't a novel incentive that proof-of-work provides.
2. But proof-of-work does have a relatively novel disadvantage. It won't just incentivize greater energy uses as prices come down, as in normal supply-demand curves, but must keep up the original and even grow the amount spent on energy.
This would not be a problem in a market without negative externalities, but energy is famously a huge industry that will be struggling with negative externalities for quite some time and at great cost.
For example, if the Texas grid became ~100% wind and other clean-source-powered, then BTC mining in that grid would not in any practical sense consume clean power that could otherwise displace dirty power. The 100kW you use to feed your miners could in theory be used to reduce production from a nearby coal plant in Oklahoma, but in practice, since the grids are not connected, they aren't, so that is probably the right scale.
That said, if it gets big and the miners are consuming enough production of solar panels and wind turbines to slow clean energy buildout on other grids, that's the second order of the same problem.
So, maybe everyone with crypto should, instead of convening to buy the constitution or a basketball team, go fund the takeover and conversion of an entire grid to clean energy, and build all the miners there.
Agreed.
> That said, if it gets big and the miners are consuming enough production of solar panels and wind turbines to slow clean energy buildout on other grids, that's the second order of the same problem.
True, but even that's not zero-sum: demand drives investment in production which increases supply leading to commoditization. Commoditization, in turn, makes the solution (solar, wind components) more accessible to a broader range of the economy.
GPUs for machine learning wouldn't be where they are today if it wasn't for gamers creating a demand floor that subsidized the research into better hardware.
I mean, if Doctor Evil suddenly decided to spend tens of billions of dollars to destroy the three main credit card networks, he could probably do it. In fact, it might be easier and cheaper than attempting to degrade or bring down a distributed block chain network. The credit card networks are built upon many layers of ancient, pre-Internet technology, full of discoverable vulnerabilities and critical points-of-failure.
But we all know that it wouldn't happen. Doctor Evil would never want to do so, because even him, the most evil person in the world, would still want to be able to use his credit cards to eat out, go to the movies, and order stuff online. Also, he would never want to do something that would make him enemy #1 of every other person in the planet, including every other super-criminal!
What Doctor Evil actually wants to be able to do is figure out ways to steal or get balances from participants in the network without destroying the network: steal poorly protected wallets, hack into poorly secured exchanges, find ways to get blackmail payments on the network (e.g., by launching DoS attacks on the web), etc. The network itself is too useful to everyone for anyone to want to destroy it.
--
PS. For the record: I have no economic connection to Algorand the block chain nor to Algorand the company, but I'm (superficially) familiar with some of Silvio Micali's past work and also, I know one of the company's top executives. In my judgement, the Algorand block chain has great technology, and Algorand the company has really great people. Their main challenge, as I see it, is overcoming the powerful network effects already accruing to other block chains.
At the end of the day, Dr. Evil will gladly spend 10s of billions to destroy the network if doing so nets him 100s of billions. Stop listing reasons people won't attack the network and start listing reasons they would.
Therefore, the formal proof of security provided in the Algorand white paper does not resolve the nothing-at-stake problem, which is inherent to all PoS systems.
> about 30-45 accounts _which had stake at that time_
The way this is stated makes it sound difficult. But if this is false history presented by a malicious node, surely they could make up anything, as the data does not need to line up with any official history at any point. (Without a trusted party, no history line is really official anyway, isn't it?). Constructing a history with 30 accounts with stake at any given point in time isn't any harder or easier than constructing 3 or 3000.
In practice, among the people who once staked large amounts of a proof-of-stake currency, most of them will probably continue being invested in its ecosystem moving forward. Even if they can't be personally punished for lying about the past, a successful history split would likely reduce the community's confidence in the currency, and thus its market value. Most of those people are also emotionally invested in the ecosystem and would not want to dishonestly subvert it. There will be exceptions. But to create an alternate history you need to subvert not just one validator, but most validators (or rather, validators who together control most of the currency being staked).
Unsure how pure PoS chains work, maybe they hard code an early block's hash? Like, it's not a legit xorcist-chain unless block #10 has hash #deadbeef
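Added example (not from the thread, and not any real chain's code): a toy pure-PoS validator that judges each block by the stake recorded in the chain's own ledger, which is exactly why a second history built from keys that *once* held stake passes the same check. Hard-coding one block hash, as the comment above suggests, is what breaks the tie. Validator names, balances, the 2/3 threshold and the hash-based "signatures" are all constructed for the demo.

```python
"""Toy model: chain-internal stake weighting vs. an external checkpoint.
Everything here (validators, balances, the 2/3 rule, the MAC-style
'signatures') is constructed for illustration; a real validator would
verify public-key signatures instead of recomputing a shared secret."""
import hashlib

THRESHOLD = 2 / 3                                   # assumed validity rule
SECRETS = {name: f"secret-{name}" for name in "ABCDE"}   # constructed keys
GENESIS_STAKE = {"A": 40, "B": 30, "C": 30}
GENESIS_HASH = hashlib.sha256(b"genesis").hexdigest()


def digest(*parts):
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()


class Block:
    def __init__(self, height, prev_hash, transfers, signers):
        self.height = height
        self.prev_hash = prev_hash
        self.transfers = tuple(transfers)           # (sender, receiver, amount)
        self.signers = tuple(sorted(signers))
        body = digest(height, prev_hash, self.transfers)
        # toy signature: hash of the signer's secret over the block body
        self.sigs = {s: digest(SECRETS[s], body) for s in self.signers}
        self.hash = digest(body, sorted(self.sigs.items()))


def validate_chain(chain, checkpoints=None):
    """Accept a chain iff every block is signed by >= THRESHOLD of the stake
    that this chain's own ledger records at that height, and every externally
    supplied checkpoint (height -> expected hash) matches."""
    stake = dict(GENESIS_STAKE)
    prev_hash = GENESIS_HASH
    for expected_height, block in enumerate(chain, start=1):
        if block.height != expected_height or block.prev_hash != prev_hash:
            return False
        body = digest(block.height, block.prev_hash, block.transfers)
        if any(block.sigs[s] != digest(SECRETS[s], body) for s in block.signers):
            return False
        signed = sum(stake.get(s, 0) for s in block.signers)
        if signed < THRESHOLD * sum(stake.values()):
            return False                            # not enough stake behind it
        if checkpoints and checkpoints.get(block.height, block.hash) != block.hash:
            return False                            # contradicts known-good history
        for sender, receiver, amount in block.transfers:  # apply ledger changes
            if stake.get(sender, 0) < amount:
                return False
            stake[sender] -= amount
            stake[receiver] = stake.get(receiver, 0) + amount
        prev_hash = block.hash
    return True


def build_chain(steps):
    chain, prev = [], GENESIS_HASH
    for height, (transfers, signers) in enumerate(steps, start=1):
        block = Block(height, prev, transfers, signers)
        chain.append(block)
        prev = block.hash
    return chain


# Real history: A and B sign early, then sell everything to D and E, who
# (with C) sign from block 4 on. A and B now hold nothing on this chain.
REAL = build_chain([
    ([], ["A", "B"]),
    ([], ["A", "B"]),
    ([("A", "D", 40), ("B", "E", 30)], ["A", "B"]),
    ([], ["D", "E"]),
    ([], ["D", "E", "C"]),
])
# Alternate history from the same genesis, produced later with the old A/B
# keys. It simply never records the sale, so by its own ledger A and B still
# control 70% at every height, and it is even longer than REAL.
ALT = build_chain([([], ["A", "B"]) for _ in range(6)])

CHECKPOINT = {3: REAL[2].hash}   # one hash a node hard-codes or learns out of band
```

Without the checkpoint `validate_chain` accepts both `REAL` and `ALT`, and a longest-chain rule would even prefer `ALT`; with `CHECKPOINT` only `REAL` survives. Note that the defence lives entirely outside the chain's own rules, which is the "proof of authority" point made elsewhere in the thread.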
Or if a nation state or the central banks see it as an existential threat, they could consider it the cost of doing business? Maybe $30B to take out Algo or Solana and destroy trust in all PoS networks? That's a rounding error for them.
While you are correct that burning $30 billion dollars to destroy trust in PoS blockchains isn't that much money, I disagree that such an action would actually destroy trust in PoS blockchains. We have seen serious attacks on a number of blockchains, Ethereum for instance had enormous amounts of money stolen or destroyed via weaknesses in the blockchain. Yet Ethereum is still going strong. Bitcoin suffered 51% attacks that were used to perform double spends and Bitcoin is more valuable than ever.
It might be cheap to burn $30B to destroy a blockchain, but what if you burn $30B and the blockchain recovers 12 hours later.
It's _possible_ that a government might choose to attack a random small coin just to discredit the notion of PoS cryptocurrencies, but it's hard to picture a government gaining consensus to do it, and it would be obvious to knowledgeable onlookers that larger coins are immune (or anyway, much better protected), so the resulting disruption would probably be temporary.
> Proof-of-Stake attacks aren't about having 51% of the CPU that overwhelms a Proof-of-Work system, but about having 60-70% of the _value_ in the network.
If a nation buys 2/3 of the coin and destroys the network, investors (as a whole) take a 1/3 loss. Then they can (re)start another PoS coin.
Ironically the nation would be up against the old saying that the market can stay irrational longer than you can remain solvent.
You've outlined only one, the most obvious and least probable, mode of failure.
The more subtle and wildly prevalent failure mode is that the consensus will be set by the few whales, who will maximize their rent extraction at the expense of numerous small players, which will include most later adopters, aka the entire population of Earth.
It's already visible on smaller scale in DAOs, every vote resembles a banana republic: "90% voted, 90% in favour". No matter what smaller stakeholders do/say, the early big investors and dev team always win. Why would they structure it otherwise? The same dynamics exist in PoS, just not as grotesque.
Perhaps that's OK for a private company governance, but for a global currency?
You want the multibillionaires to dictate the properties of the medium of exchange that serves the entire globe? Seems rather strange that so many have such a burning desire to be governed by someone much richer than them.
Unless you have citizenship-based voting of some sort where a single person gets a single vote and they actually vote (automatically I guess, and assuming without delegating to the big whale because "I am bored"), what do you think agreement via resource scarcity implies?
P.S. Also lobbying...
It gets a lot more complicated than that because setting up competing systems is cheap. It is like saying "nobody would write this piece of software for free". What we learned with open source is if the cost of distribution gets low enough then there needs to be just one person somewhere on earth willing to maintain it and it can work.
If the cost of creating trustworthy local (or international) monetary systems is basically 0 then it isn't obvious that plutocrats have an advantage beyond the one they already have by virtue of being powerful. If they can force you to use their system they already control the government so didn't need any technical help.
And that's where competition between currencies provides checks and balances against such pathological behaviours.
I've been wondering about that recently - for all of the excitement about DAOs and Governance Tokens, are there any good examples of interesting decisions being made via their voting mechanisms?
What are some places I can go to see recent votes and their outcomes?
People will opt out of currency regimes that are abusive. This is not like a terrestrial government where you are fucked for life because a bureaucracy controls the land you live on. You don’t have to immigrate to escape a corrupt currency. And you don’t have to all-in in one currency.
If you own dozens of coins, you liquidate the shitcoin that is controlled by corrupt tycoons.
Somebody tell him about the r-family.
Just how it works.
Aren't you just describing capitalism here? The people that created the system and own the biggest share of it have gigantic influence on it. Matter of fact, isn't that exactly what happened in Ethereum's PoW network, too? The developers decided to switch to PoS regardless of what the current participants want.
In general, isn't the idea of using PoS that if you aren't happy with the current system, you can easily fork into a competitor? If enough people think the current system is unjust, then you can switch to the new one, where you will be part of the development. At the beginning of the fork you also wouldn't need that much compute, as PoS is more efficient and you aren't going to have many users/transactions in the first place.
Since it's easy to switch currency (at least easier than privately setting up a Dollar 2.0), members of the original currency have to behave fairly, else people are going to switch. Note: The thing people are switching to doesn't even have to be better in any way than the original currency. It just has to have different controllers to influence the members of the original system.
The way I see it, is that there's no meaningful way in which PoS based currencies are worse than the current monetary system: large stakeholders in current global currencies also have gigantic leverage (think of money printing during the pandemic or bailouts after the 2008 financial crisis). The real advantage I see with PoS systems is not the system itself, but the tooling that comes with it and allows for the development of competitor currencies that check the power of each other. With current global currencies there's no checks-and-balances system inside the monetary decision making process, while a fleet of independent PoS has the chance for checks and balances to be induced through competitive pressure.
Isn’t the whole point that by that time he would have withdrawn from the network so he would sink it without losing anything himself.
Not if he’s undetected and does it for years while extracting value at key points in time.
There are numerous people who could put up $50B with the ability to get very high returns.
It’s not even worrying about Buffet. I worry about hedge funds and sovereign wealth funds that would definitely manipulate PoS if it earned enough for them.
Is this a problem in practice? As the article says, no ... but only because there is a sort of vaguely specified "proof of authority" that backs the current chain, which actually just reintroduces centralization. The author cites the Bitcoin Cash and DAO/ETH Classic forks as cases where that proof of authority gets tested and shows the actual centralization.
It's my understanding that Algorand has something on top of pure PoS that ensures the consensus (which the article says is necessary) so I'm not sure the same criticism is applicable there, but can't comment further until I get more familiar.
I don't mean to be rude here, but none of what you have said refutes my point.
The attack here is that you control keys that (1) once held 67% of the value, and (2) no longer do. Because they did hold value once, they are dangerous to consensus. Because they no longer hold value, nothing is sunk into the network, so the attacker bears no cost or risk.
To apply your analogy: I don't have to be Warren Buffet, I just have to riffle through his trash.
You can't do that with PoW without "additional" consensus rules, which is that slippery slope to PoS!
In PoW all hashrate is always voting and security is paid for external expenditure, not something virtual within the system.
PoS is a scam and you should stop supporting it.
As long as a sufficient number of people believe some currency has value - it has value. If they don't believe, it doesn't have value, and the stakes are worthless too.
The problem eventually reduces to Ken Thompson's "Trusting Trust" [1] problem. There's no way to externally validate the honesty of any system (cryptocurrency, or otherwise).
[1] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...
But this attack has never been performed because the reality of all these cryptocurrencies is that the security depends only relatively weakly on proof of work. Instead it relies on trust between the main stakeholders: miners, big nodes and developers. This is just like any other human organisation. That trust is only reinforced by proof of work, making it easier for new parties to become trusted.
The whole point of proof of stake is that you can only sign blocks or messages while you have something staked. When you withdraw you are no longer allowed to sign anything.
He also didn't need to spend 1000 words going on about the history of bitcoin and proof of work.
This is literally just a filler piece with a provocative clickbait title to stir up the anti cryptocurrency folks here
> That key is valid to sign any number of versions of, let’s say, block #200, and there is no objective, system-internal standard for which version is legitimate, other than “the one that was published first”.
The real block #200 will have hundreds of attestations courtesy of randomly-selected validators, each of those signatures attesting to its validity and finality.
But I'll try to explain here, why the author thinks that PoW is magical. It's still bound to the readers, or philosophers, to pull whatever they want from this.
Proof of Work creates time. In a decentralized system, you don't have time. If time was provable, the double-spending problem would not happen. You would sign a transaction and broadcast it; a second transaction that you would sign later, will have a higher timestamp. Obviously, you can sign a transaction later and have a lower timestamp, there is nothing that prevents you from that.
What Proof of Work does, is create an arrow of time. Using this arrow of time, the nodes create a ledger (the blockchain).
The OP is arguing that PoS cannot create an arrow of time; and as a result, the PoS is still liable to the double-spending problem.
Can't you sign two transactions at the same time? If yes then you could double-spend even without faking timestamps.
The timestamp of a transaction in the bitcoin blockchain is the block height. The actual timestamp is merely informative.
Ok. Go break one of the many existing systems that operates using proof of stake then. If you've done this, you should be leading your article with it. If you haven't, you shouldn't be speaking.
Proof of stake is not some theoretical thing being proposed in the abstract. Many systems operate on it as we speak.
We should not confuse the two topics. It's entirely possible to have a chain where the consensus is established by PoW, yet the monetary base is created by decree without any wasted resources, for example gifted to some charities or dropped by helicopter to anyone who has a Twitter account.
While the security PoW chains create is proportional to the amount of resources spent, there is absolutely no reason to think the current level of burn in Bitcoin is optimal - and strong reason to think that there is massive waste, that is, Bitcoin protects against double spend to a degree orders of magnitude harder than what a credible attacker might be willing to spend. What results is wasted energy that brings no tangible security to the users of the currency.
PoW is apparently bad for the environment. So it leaves us in an interesting situation.
The Ethereum project has shown that the concept of decentralization only applies when it's on their terms. It's not a true principle.
But one thing that's extremely apparent, is that for the past 10 years, the crypto community has been 95% greed, 5% innovation. With the innovation part having picked up speed only the past few years.
At first, it was the an-cap dream. Decentralized, trustless, govt free internet money. No longer were you a prisoner to slow bank-transfers, expensive middle-men (PayPal, etc.), and could purchase whatever you wanted.
Then the price shot up, and everyone wanted to become rich. So people "agreed" that BTC is no longer a coin made for spending, but rather a storage of value. Like gold. Use altcoins if you actually want to spend your crypto. But who wants to spend any, with the rising prices?
Meanwhile, centralized banks, 3rd party businesses, etc. have solved all the personal finance issues that plagued us 10 years ago. In most countries today, you can transfer money pretty much instantaneously, without getting anxiety every time you press "send".
I'll give DeFi, Dapps, etc. credit - they've finally managed to roll out usable things, but it's still way, way too hard for regular users. And most regular people do not give two shits whether something is decentralized and trustless.
I can think of multiple legit uses for the blockchain technology - but I'm gonna be honest, I'm having a harder and harder time seeing how cryptocurrencies will replace any national currency. As of right now, it's almost purely speculation and get-rich-quick schemes.
We're still in the wild west, but it's not gonna stay that for long. With regulations looming around, it's just a matter of time.
But I digress
Now if a proof of stake includes a VDF that needs to be computed for every block, then a long-range attack needs to recompute the VDF outputs as well. This is infeasible as it will take a long time given the correct choice of VDF parameters.
Notably, the Chia blockchain mentioned in the article would succumb to long-range attacks as well were it not for their usage of VDFs [2, p. 17].
[1] https://eprint.iacr.org/2018/601.pdf
[2] https://www.chia.net/assets/ChiaGreenPaper.pdf
this...sounds exactly like proof of work?
It looks like the author read about PoS circa 2014 and hasn't read anything written or done since then. It's true that the "nothing at stake" problem exists, but there are tons of practical solutions and mitigations that work, many of which are already deployed and protecting >$100M. Soon ETH will be securing trillions with such mitigations.
To address the specific points the author makes:
1. If a node signs another version of the same block within a reasonably short time period, “slash” their deposits (e.g. punish them inside of the system)
You don't have to know which came first, just like in BTC. You just need a longest chain rule with the property that the longest chain is final after a certain point (subject to certain assumptions about the % of stake that is honest). This is how nearly every blockchain works and it's not special in proof of stake.
2. If a node signs another version of the same block, like, a year later, just ignore it.
Yes, that's fine. Lots of chains do this. It's called a "finality mechanism". Even ETC has one called MESS while still using proof of work (although MESS is probably broken). Bitcoin could add one too. This is orthogonal to PoS vs PoW.
---
Somebody has a stake in a PoS crypto currency. They can now do two things: 1) sell their stake 2) sign something fraudulent (like a double spend).
Since there is no decentralized timestamp service, a node validating those two actions doesn't know how to order them, so different validating nodes come to different conclusions, and no global consensus is reached.
---
Is that what the article is trying to say?
And if yes, isn't the solution fairly easy? Within the same "chain link" of the block chain, require each action signed by the same private key to have a strictly monotonic sequence number, and if two actions appear with the same sequence number, discard both of these two and all actions signed by that private key.
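Added example of the rule proposed above (my own illustration, not code from the thread or any chain): per-key strictly increasing sequence numbers, with any reuse of a number inside one block treated as equivocation that discards every action from that key. The action records and key labels are constructed; "key" stands in for a public key and the signature check is assumed to have already passed.

```python
"""Per-key sequence-number filtering for the actions collected into one block.
Actions and key labels below are constructed sample data; in a real node each
action would carry a signature that has already been verified against 'key'."""
from collections import defaultdict


def filter_block_actions(actions, last_seq):
    """actions: list of {'key', 'seq', 'op'} records proposed for this block.
    last_seq: highest sequence number already committed per key.
    Returns (accepted_actions, equivocating_keys)."""
    by_key = defaultdict(list)
    for action in actions:
        by_key[action["key"]].append(action)

    accepted, equivocators = [], set()
    for key, acts in by_key.items():
        seqs = [a["seq"] for a in acts]
        if len(seqs) != len(set(seqs)):
            # two signed actions sharing one number: the key is equivocating,
            # so nothing it signed in this block is accepted
            equivocators.add(key)
            continue
        floor = last_seq.get(key, 0)
        for action in sorted(acts, key=lambda a: a["seq"]):
            if action["seq"] > floor:       # strictly increasing vs. committed history
                accepted.append(action)
                floor = action["seq"]
            # else: replay of an already-used number, dropped individually
    return accepted, equivocators


def commit(accepted, last_seq):
    """Advance the committed sequence table once a block is accepted."""
    updated = dict(last_seq)
    for action in accepted:
        updated[action["key"]] = max(updated.get(action["key"], 0), action["seq"])
    return updated


SAMPLE_ACTIONS = [  # constructed input
    {"key": "K1", "seq": 1, "op": "pay 5 to X"},
    {"key": "K2", "seq": 5, "op": "pay 10 to Y"},
    {"key": "K1", "seq": 2, "op": "pay 3 to Z"},
    {"key": "K2", "seq": 5, "op": "pay 10 to W"},   # same number, different payee
    {"key": "K2", "seq": 6, "op": "pay 1 to V"},    # dropped too: K2 equivocated
    {"key": "K3", "seq": 3, "op": "pay 2 to U"},    # K3 already committed seq 3
]
LAST_COMMITTED = {"K3": 3}

if __name__ == "__main__":
    ok, bad = filter_block_actions(SAMPLE_ACTIONS, LAST_COMMITTED)
    print("accepted:", [(a["key"], a["seq"]) for a in ok])
    print("equivocating keys:", sorted(bad))
    print("next committed table:", commit(ok, LAST_COMMITTED))
```

This settles ordering only for actions that land in the same block; which block a conflicting action lands in is still decided by whatever consensus rule the chain uses, which is the part the thread is actually arguing about.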
> you can sign a transaction later and have a lower timestamp, there is nothing that prevents you from that.
Then you lose decentralized property.
This only means that each holder of a private key must have some sort of synchronization mechanism (if they use several agents/clients), but it doesn't centralize the whole network.
Yes both PoW, PoS solve the double-spend problem, but in a brute-force way. And they never really get rid of the ambiguity of which chain is the one to go by. They just aggregate all the little ambiguities into one or another consistent version of history (a chain) and let them duke it out by massive electricity or stake or whatever. But at any moment, someone could have been mining a chain in “secret” and will emerge to thwart the rest of the network for a while.
There is a better way. Blockchains are actually quite centralized since to make any progress every N seconds you need to send all transactions in the entire world to one miner, and the block is limited in size. Actually it’s worse than that in Proof of Work — because you don’t know who will solve the silly problem, you have to gossip every transaction to every miner!
Oh yeah, and if you store UTXOs then you have to store the history of everything. And even if you didn’t, you have to store the current state of everything. Oh how nice and decentralized! LMAO
I don't get your criticism. Why does requiring gossip to every node cause centralization? Why does everyone having the current state of everything cause centralization?
There are various aspects of centralization. This is one major aspect: a bottleneck. Just like when all Web 2.0 conversations in the world would have to go through a centralized server. Even if it was a different server each time, it’s still an extremely centralized topology for that state transition.
It means that there can only be one transaction at a time for the whole world, no matter how many computers join the network. No concurrency — it is also why you can have flash loans. This is why Ethereum is called “the world computer” and why Bitcoin failed at being a peer to peer cash system and became a store of value.
It’s very astonishing that the HN crowd still doesn’t understand blockchain after 13 years.
The article is complete nonsense because:
1. The author thinks that PoS is about having computing power. If someone thinks that they seriously don’t know anything about PoS and haven’t done any research
2. Proof of Work is 100x more centralized because 2 companies control the majority of mining equipment production and 4 companies control the hashpower including all kinds of attack vectors, instead of the around 200 entities in PoS.
3. There are many attack vectors for the PoW model of which many only require malicious behaviour of 1 person, be it the CEO of one of these companies or a disgruntled worker that is bribed with a couple of million dollars.
4. The cost of taking over consensus for a PoS network, such as Solana or Ethereum 2.0, requires billions or trillions of dollars worth of coins that then all would rank heavily in value
That’s why PoS is around 1,000x-1,000,000x more secure than PoW depending on how big the market cap of the PoS network is.
> If the broad masses of people disagree with the platform landlord, their opinion will be altered to conform with the rules, or else they will no longer have a voice.
We really need to fix that problem.
I know GitHub were only following the DMCA but it shows they have the capability to not only remove the project but also all of its forks.
Reminds me a bit of the "free speech zones". It's a poor facsimile of true freedom of speech.
Seeing as the new public squares are, by and large, digital spaces controlled by megacorps, we need to expand the first amendment to apply to private enterprise.
Not sure if these quips are meant to be jokes or serious, but nonsense like this detracts from the credibility of the argument. Nobody believes the data corresponding to an NFT cannot be copied.
Am I wrong? Would gladly read counter arguments.
Who personally verifies every contract they use? Wallet implementation? Cold wallets are closed-source, trust-me devices, maybe with a security certificate from a centralised, government-linked security org.
The strongest link in any security chain is not irrelevant, but the whole system is really not perfectly trustless anyway.
Personally, I think this kind of "quiescent" knowledge, letting you differentiate the real chain from the fake chain on long enough timescales (which basically amounts to knowledge of a single hash, when you get right down to it), is perfectly reasonable to assume under realistic circumstances, for the same reason that synchronized time is not a remotely difficult problem on long enough timespans. The only problem lies in new nodes (that enter the system when there's not a quiescent state, and the longer chain is being withheld) being exposed to fake chains.
By using a VDF as mentioned below to make sure it takes just as long to construct a new chain as it took to construct the old one, one can ensure that as long as at the time the stakers held their keys (rather than for all time) a majority were trustworthy, then the probability that they were able to maintain a longer chain becomes vanishingly small. Therefore, nodes will be able to reliably choose the longer chain on reconnecting to the system. This trust model seems pretty realistic to me, and it's not like Bitcoin can handle the case of a continuous partition to begin with.
So this just reduces to "once a majority is not trustworthy, the chain can't be trusted anymore" which is the actual security tradeoff of PoW vs. PoS (PoW puts trust in hashpower rather than staked coins, so by definition it's immune to this sort of issue; if your private key is stolen you "only" lose your coins, not any voting power). I don't think this is news to anyone who's done much research into cryptocurrency.
It's 100% green, and based purely on sustainable renewable resources.
NFTHC: Burn Weed, Not Coal!
So long as you have a general idea of how much hash power is being used currently for the network, or even just how efficient ASIC computing is in general at your point in history, you can work out how great the hashing difficulty should be. You can trivially verify that the block hash with a large number of preceding zeros, e.g. 0000000000000000000b98dd8e7504793c0644cb0c27eb98f06aab9ea93c4ec2, is the hash of block it's attached to, and that a hash value that small would require a huge amount of energy to find. And every block beneath it also required a huge amount of energy, creating a huge real world economic cost to produce. You can't fake that chain without equivalent sacrifice of energy and compute resources.
Anyone trying to deceive you with a false chain would have to expend approximately as much energy as the entire legitimate bitcoin network does, and then keep doing it for as long as they want to deceive you. Sure, that theoretically could happen, but the economic incentives to do it just aren't there.
However, that presumes all forks are soft forks; that you are presented a correct chain; that you want the soft fork with consensus rules accepted by most miners. (If verifying with an old bitcoin client, the BCH/BTC split will be resolved for you without you having a say.)
In summary, PoW has less need for Phone a Friend than PoS. But it still has some problems.
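The check described in the comment above, as an added example that is not part of the thread or of Bitcoin Core: serialise a block header, double-SHA-256 it, decode the compact "bits" field into the target, confirm the hash lies under the target, and convert the target into expected work (2^256 divided by target + 1), the quantity full nodes sum to pick the chain with the most work. The genesis header constants are the real Bitcoin values; the sample hash quoted in the comment is reused only to show the work lower bound a hash implies on its own.

```python
"""Checking proof of work from a block header (added example, not from the thread)."""
import hashlib
import struct

# Real Bitcoin genesis block header fields (public constants).
GENESIS_VERSION = 1
GENESIS_PREV = "00" * 32
GENESIS_MERKLE = "4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b"
GENESIS_TIME = 1231006505
GENESIS_BITS = 0x1D00FFFF
GENESIS_NONCE = 2083236893

# Hash quoted in the comment above; used only to illustrate implied work.
SAMPLE_HASH = "0000000000000000000b98dd8e7504793c0644cb0c27eb98f06aab9ea93c4ec2"


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize_header(version, prev_hash_hex, merkle_root_hex, time, bits, nonce) -> bytes:
    """80-byte header: little-endian ints, hashes in internal (reversed) byte order."""
    return (struct.pack("<I", version)
            + bytes.fromhex(prev_hash_hex)[::-1]
            + bytes.fromhex(merkle_root_hex)[::-1]
            + struct.pack("<III", time, bits, nonce))


def header_hash_hex(header: bytes) -> str:
    """Display-order (big-endian) hex of the header hash, as block explorers show it."""
    return sha256d(header)[::-1].hex()


def bits_to_target(bits: int) -> int:
    """Decode the compact 'bits' encoding: 1-byte exponent, 3-byte mantissa."""
    exponent = bits >> 24
    mantissa = bits & 0xFFFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def work_from_target(target: int) -> int:
    """Expected hashes to find a block under this target (Bitcoin Core's chainwork term)."""
    return (1 << 256) // (target + 1)


def min_work_implied_by_hash(hash_hex: str) -> int:
    """Lower bound on work a hash demonstrates by itself, without knowing 'bits'."""
    return (1 << 256) // (int(hash_hex, 16) + 1)


def check_pow(header: bytes) -> bool:
    """True when the header's own hash is at or below the target its 'bits' field claims."""
    bits = struct.unpack("<I", header[72:76])[0]
    return int(header_hash_hex(header), 16) <= bits_to_target(bits)


def chain_work(headers) -> int:
    """Sum of per-block work; the fork with the larger total wins under most-work rule."""
    return sum(work_from_target(bits_to_target(struct.unpack("<I", h[72:76])[0]))
               for h in headers)


GENESIS_HEADER = serialize_header(GENESIS_VERSION, GENESIS_PREV, GENESIS_MERKLE,
                                  GENESIS_TIME, GENESIS_BITS, GENESIS_NONCE)

if __name__ == "__main__":
    print("genesis hash:", header_hash_hex(GENESIS_HEADER))
    print("pow valid:", check_pow(GENESIS_HEADER))
    print("genesis work:", hex(work_from_target(bits_to_target(GENESIS_BITS))))
    print("work implied by sample hash: 2^%.1f" % min_work_implied_by_hash(SAMPLE_HASH).bit_length())
```

The work figure is what makes a forged chain expensive: a counterfeit history has to carry headers whose hashes sit under comparable targets, and each such header costs roughly `work_from_target` hashes to find, whether the producer is honest or not.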
What if Bitcoin and Bitcoin Cash had the exact same amount of hashing? Which is the true Bitcoin and why?
And you assume that attackers will never have enough computing resources to execute a 51% attack – which could happen because the currency’s value falls enough that people stop mining it, because an extraordinarily well-funded entity decides to attack it, or because someone manages to hack the miners…
Then you do gain the security guarantee that if you see multiple competing branches of the blockchain, you’ll know which branch is the correct one (namely, whichever is longest). However, you’re still relying on phoning your “friends” (nodes you’re aware of) to tell you what blocks exist! If they all keep the true longest branch a secret from you (or, say, someone blocks your Internet connection to the nodes that aren’t willing to do so), then you will think the next longest branch is the correct one.
To be fair, that isn’t the most practical attack. But none of the risks being discussed here are remotely practical. In practice, nobody wants to connect an outdated client to a blockchain network because it risks (a) getting yourself exploited through known vulnerabilities in the client, (b) not working due to backwards incompatible protocol changes or bugs, or (c) missing a hard fork that might have happened over disagreements in policy changes (because there are always policy changes). So you update your client, and that means you have to rely on a “friend” to tell you which software you should be running.
It's called "Eclipse Attack". But it's a threat for single nodes not for the network as a whole.
For PoW, you'd have to know the hash of the start of the chain (the "genesis block") in advance to verify you downloaded the correct chain. That's true, but this hash doesn't change during operation. You could get that hash from a history book if you will.
For PoS, the hash is from the end of the chain and therefore constantly changing. This means the challenge of finding out whether the hash is the right one is a lot more real than in the PoW case, because there is no "common knowledge" to go by which hash is right.
Nope. You could fork the chain at a period of low difficulty and it would still stem from the genesis block. It would either be a short chain, or have clearly low difficulty though, so it wouldn't fool anyone knowledgeable. I'm not sure how you would leverage that chain for fraud.
No. For Bitcoin you can accept a chain with an arbitrary starting point and you would still arrive at the same chain everyone else uses.
Although you do need to have an idea of the earliest acceptable starting point-in-time — e.g. verifying a low-difficulty chain starting the year 200,000 BC (with one block every 10 minutes) would take quite a while
With PoW you don't care about the software code. The rules are dominated by the PoW because it literally proves to you which is the chain where most people are interested in, because literally no single entity could burn that much electricity.
With PoS on the other hand you kind of need these checkpoints in the actual software and then you have to activate this entire new trust model where you have to trust the client code, and where it came from etc. I could literally come up with an entire fake chain on my computer and present it to you and without client-checkpoints there would be no way for you to not accept my chain compared to your current one.
With PoW I don't have to trust anything. If the majority next year decides to change the rules, so be it. The majority has spoken.
Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients. Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.
As for auditing the integrity of the code or binary, it is signed by GPG keys hosted on public key servers accessed using X.509 certificates pinned by a couple of trust anchors preloaded in your OS. So much for distributed consensus...
You can literally validate the entire chain with a simple python script. Millions of those on github.
>Not to mention very few people actually bother to verify the full chain (360GB and counting) from genesis.
Absolutely wrong. The chain is validated in its entirety upon first sync. 100% from genesis to tip.
>Bitcoin for example still relies on a list of hardcoded nodes for bootstrapping clients.
It doesn't. Longest valid chain with most work is the canonical chain. Hardcoded seed nodes exist to speed up the discovery.
All network participants are forced to verify the full chain from genesis. Some might be OK with validating block header signatures only, and not the full transaction set. It's a tradeoff.
You don't need to use those public key servers if you somehow distrust the CA certificates in your OS. Feel free to contact the repository maintainers or whatever else floats your boat.
Anyway, bitcoin is an open source protocol, not a particular client implementation. If you distrust everything and everyone, no one can stop you from building your own client that works with the rest of the network.
It does, but it doesn't have to. You can use any mechanism you want to obtain one initial node and take it from there. You will still be connected to the network just as well, and you will be guaranteed to obtain the same results. This differs from Proof of Stake, where the quality of the results will be influenced by the quality of the bootstrap.
If your chain tip is on the dead side of a hard fork (i.e. if the majority of the network will predictably soon finish switching away from software which considers your chain tip valid, to software which considers your chain tip invalid), then nobody cares if your chain tip is the longest in the interim, or how long you still hold out running the software that considers your chain tip valid. Your side of the fork no longer holds any economic value as a platform for transactions, so nobody will participate in it. You'll just be out there mining blocks all alone, blocks that say you earn all the virtual tokens, but where those tokens are worthless on your side of the fork.
It's a bit like how, in old pre *serv IRC networks, in cases of netsplits, you could end up on a partition of the network where you were the only one in a previously-moderated channel; and so you could effectively do whatever you wanted in that channel. But it didn't really matter, because nobody could hear you.
You could follow the consensus rules set out from the beginning and you would still end up on today's majority chain.
I believe there were a couple of early bug fixes along the way, which makes this not strictly true. As in the original first release of the software not actually capable of downloading all of the chain, which some people love to point to as a proof of it being a fallible system. This is probably true but doesn't really detract from the original point of guaranteed ownership by never relaxing the consensus rules.
also, hi, long time! maksym here =)
You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.
And with proof of work a lawsuit could force the distributor to change the consensus rule so that a particular transaction is invalid - just as Ethereum did voluntarily with the original DAO.
> You mention “POW forks”, but Bitcoin’s POW has never been hard forked
Instead it’s been soft forked, which turns the consensus rules into a popularity contest. If a soft fork produces two competing branches of the blockchain, old clients will go with whichever branch has more mining power. Which means you open yourself up to interesting attacks like convincing 51% to literally steal the funds of the other 49% (which is much worse than a mere double spend). Or, more realistically, in the case of a contentious soft fork that ends up roughly fifty-fifty, you could ‘just’ end up on a different side of the fork from the people you want to transact with. Either way, soft forks don’t make the downsides of policy changes go away.
In Proof of Work, a lawsuit could force the distributor of the software to hard-code a transaction that reverses the coin theft. But in both the PoS case and the PoW case, anyone using that client would be partitioned off from the honest network majority.
> You mention “POW forks”, but Bitcoin’s POW has never been hard forked: you’d need to trust a Bitcoin expert to tell you if it was a good idea.
Bitcoin's PoW forked in 2013, when a database upgrade to the software made it incompatible between two recent versions. The Bitcoin developers had to jump in and tell people which PoW fork to follow and which one to abandon.
Proof of work networks with the same hash algorithm are a threat to one another, particularly, if a network exists that is profitable enough to have exorbitant resources dedicated to mining, those resources are available to attack a much smaller network if that becomes more profitable for some period than just continuing to mine the bigger one.
Proof of work then only protects the largest projects using unique hash algorithms.
Edit: I was looking for the article I was referring to and saw that Ethereum Classic (ETC) has been attacked since via just that method. https://www.coindesk.com/markets/2020/08/29/ethereum-classic...
To execute a double spend, you, the one sending the transaction, and the miner must coordinate.
For large transactions, it is recommended to wait for six confirmations. (six blocks that agree with the transaction and have not been 51%ed.)
The 1 hour 51% cost of Bitcoin is $1.9m. However, you would need much more time than that to find six consecutive blocks alone, without the help of the network. So, while the network is 6 blocks ahead, you need to find 7 blocks. The network moves forward a block, you must move forward more than one block to catch up. This could take a long time, and longer the more confirmations required; each confirmation makes each previous transaction exponentially more secure. Simply controlling the mining power momentarily only puts recent transactions at risk.
However, that much hardware is available for rent; see “Nicehashable.”
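The catch-up race the comment above describes is worked out in section 11 of the Bitcoin whitepaper. Below is that calculation as an added example (not code from the thread or the paper): given the attacker's share q of hash power and the z confirmations a merchant waits for, it returns the probability that a secretly mined chain ever overtakes the honest chain from z blocks behind, and how many confirmations bring that risk under a chosen bound. The Poisson-weighted gambler's-ruin form is Nakamoto's; the numbers reproduce the paper's table.

```python
"""Attacker catch-up probability (Bitcoin whitepaper, section 11); added example."""
import math


def catch_up_probability(q: float, z: int) -> float:
    """Probability an attacker with hash-power share q overtakes an honest lead of z blocks.

    p = 1 - q is the honest share. The attacker's progress while the honest
    chain mines z blocks is Poisson with mean z*q/p; from k blocks behind the
    chance of ever catching up is (q/p)^k (gambler's ruin), or 1 if q >= p.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a probability")
    if q >= 0.5:
        return 1.0          # majority attacker always wins eventually
    p = 1.0 - q
    lam = z * (q / p)
    honest_keeps_lead = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        honest_keeps_lead += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - honest_keeps_lead


def confirmations_needed(q: float, max_risk: float = 0.001, limit: int = 10_000) -> int:
    """Smallest z with catch-up probability below max_risk (the paper's P < 0.1% table)."""
    if q >= 0.5:
        raise ValueError("no number of confirmations is safe against a majority")
    for z in range(limit):
        if catch_up_probability(q, z) < max_risk:
            return z
    raise RuntimeError("bound not reached within limit")


def attack_budget(q: float, z: int, hourly_rent: float, block_minutes: float = 10.0) -> float:
    """Rough cost to keep q of the network's hash rate rented for the z-block window.

    hourly_rent is the price of renting the whole network's hash rate for an hour
    (the comment quotes $1.9m); the attacker needs q/(1-q) of it to match pace.
    """
    hours = z * block_minutes / 60.0
    return hourly_rent * (q / (1.0 - q)) * hours


if __name__ == "__main__":
    for share in (0.1, 0.3, 0.45):
        print(f"q={share}: P(catch up from 6 behind)={catch_up_probability(share, 6):.7f}, "
              f"confirmations for <0.1% risk: {confirmations_needed(share)}")
```

Note how quickly the required depth grows as q approaches one half: the six-confirmation rule of thumb assumes an attacker with around a tenth of the network, and says nothing useful against a near-majority.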
In other words, it relies not on one central authority but on a small clique of central authorities.
It’s not a flaw if it’s only theoretical. In practice, no miner with billions of dollars of capital bound in mining hardware would rent it out to someone who might do something that would significantly depreciate this capital (e.g. attack the Bitcoin network).
The obvious argument here is "the one that was signed first will then have other blocks built on top of it". But since there's no PoW, building a parallel blockchain is trivial to compute, the only restriction is being able to produce something that's actually convincing enough. That and having people say "well, I was there at the time and I saw a different block than this", but that's just relying on authority rather than something that can be proven within the system.
Basically, PoS requires something external to the system to prove that history hasn't been changed. PoW technically does too, but what it relies on is "physics" and "provable historical fact" (i.e. approximate computing power available in the past).
You certainly can build a system that depends on something external to itself to ensure its consistency, but this challenges its claim to being "decentralized" and limits the amount of trust you can place in the system (and consequently the power of what it can do).
In short:
If you take the pbkdf2 key derivation function: its job is to slow down hashing a thousand fold or so, so that hashing an entire search space becomes impractical. You give your secret as input, and it gives you a hash, let's say, in 1 second. You'll have to spend the time again to recompute the hash. With a faster machine, you can compute it in maybe 100ms, but still, there is a limit in how fast you can obtain the result.
Now change the cryptographic properties of pbkdf2, so that you can go back from the output to the input in constant time, so you can find the secret from the hash in O(1). Then, it becomes useless for actual secrets, but you now have an instantly verifiable proof that a certain amount of time (or serial computation) had to pass to get from the input to the output. Plug the input to the previous block hash, and embed the result in the next block, and you have your clock, based on physics and provable historical facts.
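The "clock" sketched in the two comments above is what a verifiable delay function provides. The following is an added example, not code from the thread: a toy Wesolowski VDF in which evaluation takes T sequential modular squarings but the proof lets anyone confirm the output with a few exponentiations. The modulus is a constructed product of two Mersenne primes so the example runs offline; since its factorisation is public, it is for illustration only, and a real deployment needs a modulus of unknown factorisation or a class group of unknown order. The challenge-prime derivation and the 50,000-squaring delay are assumptions chosen for the demo.

```python
"""Toy Wesolowski verifiable delay function (added example, not from the thread)."""
import hashlib

# Constructed toy modulus: (2^127 - 1) * (2^89 - 1). Factorisation is public,
# so anyone could shortcut the delay; fine for illustration, unusable in practice.
N_TOY = ((1 << 127) - 1) * ((1 << 89) - 1)
T_TOY = 50_000  # sequential squarings; raise it to feel the delay


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; adequate for a 128-bit challenge in a demo."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def hash_to_prime(*parts: int) -> int:
    """Fiat-Shamir challenge: next prime at or above a 128-bit hash of (x, y, T)."""
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    candidate = int.from_bytes(digest[:16], "big") | 1
    while not _is_probable_prime(candidate):
        candidate += 2
    return candidate


def clock_input(prev_block_hash_hex: str, n: int = N_TOY) -> int:
    """Derive the VDF input from the previous block hash, as the comment suggests."""
    return int(prev_block_hash_hex, 16) % n


def vdf_eval(x: int, t: int = T_TOY, n: int = N_TOY) -> int:
    """y = x^(2^t) mod n by t squarings: no known shortcut without the factorisation of n."""
    y = x % n
    for _ in range(t):
        y = y * y % n
    return y


def vdf_prove(x: int, y: int, t: int = T_TOY, n: int = N_TOY) -> int:
    """Proof pi = x^floor(2^t / ell) mod n for the challenge prime ell."""
    ell = hash_to_prime(x, y, t)
    q = (1 << t) // ell
    return pow(x, q, n)


def vdf_verify(x: int, y: int, pi: int, t: int = T_TOY, n: int = N_TOY) -> bool:
    """Accept iff pi^ell * x^r == y with r = 2^t mod ell; cost is independent of t."""
    ell = hash_to_prime(x, y, t)
    r = pow(2, t, ell)
    return (pow(pi, ell, n) * pow(x, r, n)) % n == y


if __name__ == "__main__":
    x = clock_input("000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f")
    y = vdf_eval(x)
    pi = vdf_prove(x, y)
    print("verified:", vdf_verify(x, y, pi))
```

Correctness follows from 2^t = q*ell + r, so x^(2^t) = (x^q)^ell * x^r. The security-relevant property is the asymmetry: producing y for a given x costs t squarings in series no matter how many machines you own, while checking it costs three exponentiations, which is exactly the shape of "proof that time passed" the comment wants chained from one block hash to the next.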
But I didn't withdraw my stake. I have a whole chain of blocks saying I never withdrew anything and it's perfectly valid because I signed it, and I still have a stake. Oh, you have another chain that says I did withdraw? Who are we going to believe? Who was first?
And then produce a big fake chain from 10,002 (in the middle of the time you were staking) -> 10,000,000 later, with an alternate history in which you didn't stop staking.
I don't think this attack is particularly realistic for a lot of reasons, but PoW does have some small amounts of additional strength against these scenarios.
Allowed to by whom?
Who's to punish me if I disobey them?
After withdrawal is completed, your node would no longer be in the set of active validators and from that time could not validly propose a block or submit an attestation (or, more accurately, be selected as a block proposer, etc.)
That's what PoW provides that PoS just doesn't. Immutability.
In fact, I would argue that one of the most important products of bitcoin, is providing the hardest, most immutable database human civilization has ever created. We could theoretically lose it and we could control and manipulate what goes into it going forward, but once a piece of data gets confirmed and buried under a few days worth of bitcoin's PoW, it can never be changed or removed from the blockchain. This is a severely undervalued use case in my mind.
I suspect that most PoS coins will eventually decide to periodically peg themselves into bitcoin's blockchain to timelock their blockchains and provide some immutability to their users.
Having said that, humanity probably only needs one PoW blockchain. Bitcoin.
> If you compromise or coerce enough validators, you can rewrite the history for no cost.
If you can. You would need to compromise thousands of randomly selected validators just to forge one block. That impossible task notwithstanding, the validators are selected with maybe five minutes’ warning.
PoW doesn’t even offer absolute immutability, it’s just longest fork wins. Which is secure because of the economics, not because of a notion of perfect immutability.
Likewise, ETH2 provides a definition of finality that’s backed by economics.
But it can, in the exact same manner as described in this article: have an 51% attacker build up a long chain and hide it from the world; then publish it.
PoW is vulnerable to exactly the same type of attack described in this article. In order to build a longer chain with non-negligible probability, you need to stake at least 51% of the pool.
Could someone put child porn in the blockchain? Would that have legal consequences for anyone using Bitcoin in places that have laws about such porn?
This is not FUD, it's the most obvious PoS flaw, called long range attack, and the reason PoS chains often need more checks to be more trustworthy (e.g. keeping hardcoded checkpoints, choosing the first received block as valid, introducing penalties and so on).
It was voted for by 8000+ validators. Many of them have been validating since beacon chain genesis a year ago. There are like 260k validators active right now.
I find it highly unlikely some entity is going to come along and try to pretend their alternate history, with a whole new set of hundreds of thousands of validators (which wouldn’t be supported by any ETH1 deposits) and millions of signatures signed by 260k freshly generated public keys, is in any way legitimate.
about 40% in:
"Because of all the arguments above, we can safely conclude that this threat of an attacker building up a fork from arbitrarily long range is unfortunately fundamental, and in all non-degenerate implementations the issue is fatal to a proof of stake algorithm’s success in the proof of work security model. However, we can get around this fundamental barrier with a slight, but nevertheless fundamental, change in the security model." —Vitalik Buterin, saying the quiet part out loud
Security model in PoS = trust the rich. Some like having masters, whatever floats your boat.
I skimmed it. It made no serious arguments. If it had a serious argument, it would have exploited one of the many existing proof of stake systems.
> Security model in PoS = trust the rich. Some like having masters, whatever floats your boat.
You mean...exactly like PoW mining?
Same for PoW.
Cryptocurrency, whether PoW or PoS, boils down to "give the few rich all the power while giving the many less rich an illusion of security".
In PoW it just slightly tweaks "richness of money" into "richness of computation resources (which you get through money)".
This difference has complicated effects like:
- benefits anyone with cheap electricity (i.e. either places with no environmental protection, government support in some way, or the few places with cheap clean power)
- benefits anyone with good connections to chip factories
- the investment needed for gaining power being less bound to the currency itself but computation power instead
But it’s easier for most people to delegate to another party. This is where decentralized staking pools for ETH2[1] built around smart contract interactions could be a good alternative for many users, and may compete with centralized staking platforms.
The mere fact that these peer-to-peer and decentralized alternatives exist, and that some portion of users will prefer to use them, is what makes this technology distinct.
[1] - https://rocketpool.net/
I can imagine projects that can run on cheap hardware thriving, but what happens when you put the weight of exchanges like Coinbase and their users against the hobbyist node count?
Rocketpool [1] also recently launched which is a decentralized service that makes it super easy to setup your own node, and more profitable than staking anywhere else.
My node is generating the normal staking rewards (~5.5%), plus another 12% bonus (from ETH from individuals being paired with my node), plus another 50% in RPL rewards. That 50% will surely drop, but it will always be better than just staking by itself.
RocketPool also allows individuals to stake as little as 0.01 ETH, the same as centralized exchanges, but it's decentralized, and they get rETH in return, which they can use in Decentralized Finance, giving them even better returns.
Put together Rocketpool gives better returns in a more decentralized way than any centralized exchange does, and unless you're really new and don't want to move off your exchange, it's a no brainer better alternative.
Is that supposed to be a lot? I look at the node requirements for these new chains and they mention monstrous amounts of cpu and storage power.
> In Bitcoin, nodes can't stop a 51% attack and I don't know if the software would even alert you when a 51% attack is likely going on.
My question was about regulated exchanges dominating a huge percentage of PoS validators. What are you going to do when, due to regulatory pressure, Coinbase and Binance start to implement blacklists and OFAC-based validators into those PoS chains?
this...sounds exactly like proof of work?
Indeed, you can probably fix plutocracy with some PoW.
The tradeoff is fundamental: because VDFs don't benefit from throwing computational resources at them, there is no disadvantage to computing a bunch of them in parallel. So if you had bad intentions from the getgo (and you had a majority of stake at the time), you could still secretly compute a fake bad chain starting at time t, and then release an alternative at time t+n that was as long or longer than the real chain; the security they provide is that if someone compromises your keys later (after you already lost your majority), they can't do this. Since in practice proof of stake chains start very centralized and then distribute over time, this is a useful practical thing to care about!
With PoW, on the other hand, computing a fake chain requires you to not use all your hashpower, which opens you up to economic attacks from someone else who is willing to use that hashpower. When someone uses more hashpower than you were, they'll be able to make a longer chain faster (before the difficulty readjusts again), so now all your secret chains have been made useless (and in cases of equal chain length, people tiebreak by hashpower, so you can't just maintain a little side network that eventually catches up when hashpower decreases, either). That's the theory, anyway: it's heavily based on economic incentives, so if some government decided that they didn't really care about the economics and just wanted to screw over chain users by pumping out hashpower, they could do so quite easily. Note that by contrast, proof of stake is not susceptible to this: you actually do have to compromise a majority of the active stakers no matter how much money you have.
Personally, I think this is a distinction without a difference because I don't think any cryptocurrency can stand up to sustained attacks by large nation-states (which is part of why I don't think it's very useful). But like I said, that's an assessment of the threat model, so it's subjective and up to you to decide.
Uh... great! Glad you agree that this is a solution?
Let's switch to this new "some PoW" system as soon as possible, because it uses less than a megawatt to calculate proofs. Total, for the entire network.
congrats, you've reinvented central banking and plutocracy.
It fairly describes every political system and economic system that has ever existed or will ever exist. What's being described is how humans always organize systems in regards to political and economic power.
See: Socialism, Communism, Fascism. It applies just the same to those. Except in those systems they'll murder you and your entire family, then burn your village/town to the ground, if you attempt to compete with the rulers or party (Chavez, Castro, Stalin, Lenin, Mao, Hitler, Mussolini, Pol Pot, Kim, Putin, Erdogan, Lukashenko, etc.).
Whereas I can freely compete with Coca Cola, Tesla, Salesforce, Splunk, DigitalOcean, Cloudflare, Starbucks, 3M and most other companies if I'm able to. Nobody is stopping me from inventing a new coffee drink and going after Starbucks with it, or setting up a better coffee chain on the corner. Nobody is stopping me from inventing a better soda-competing drink (see: Monster or Red Bull or 5-hour Energy; those people weren't assassinated by the soda cartel). Nobody is preventing me from starting the next great convenience store (ask 7-11 how they feel about upcoming Sheetz; or ask KFC how they feel about Chick-fil-A).
https://web.archive.org/web/20170720143148/https://www.reddi...
For transacting indeed you need to trust the various clients, but that's easy and can be done once. With the consensus isn't being tampered with, and, more importantly that others are using other types of rules.
Except the people you bought something real-world from, once they figure out that their "tipcoin" is worthless. So now it's a question of convincing some people that your technobabble is valid enough. How hard is that?
Not when the protocol actively encourages decentralization by cutting off staking rewards to larger pools, like what Cardano does (as one example). Sure, the exchanges can (and probably do) run multiple pools, but so can anyone else, and for far less expense than is required for mining.
This irrational fear of short selling is such a modern midwit view. There is way more value to fraud on the upside than there is on the downside, and we see that every day.
What kind of short-selling? For naked short selling I quickly found evidence: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=273488 That's the predecessor of a paper cited from 2003 SEC testimony of Robert J. Shapiro published at https://www.sec.gov/rules/proposed/s72303/rshapiro122403.htm..., which in turn may have been a related source for the Shapiro citation in a 2008 Time magazine article at https://web.archive.org/web/20080424032340/http://www.time.c..., which I found via the Wikipedia article on naked short selling at https://en.wikipedia.org/wiki/Naked_short_selling#Claimed_ef...
That first paper describes a scheme whereby investors bought convertible warrants, used naked short selling to drive the stock price down, then covered by exercising their warrants. And apparently in many cases, as documented by the paper, this resulted in a delisting or even bankruptcy of the targeted firms.
If it were legal to take a short position in a company and then take actions which blew the company up AND there existed cost-effective ways to do so, then you would definitely have seen more legitimate companies taken down by short-attacks. In contrast, here you have an entity where (a) there isn't the same legal safeguards and (b) there exists a claimed cost-effective way to tank the entity after taking a short position
If you disagree with (a) or (b) empirically then cool but it's clearly a totally different scenario to regular companies
Actually, in PoS if you try to attack and you don't have a majority you will lose all your coins. In PoW, if you try to attack and somehow you miscalculated, you will lose a couple of hours' worth of electricity, after which you can go back to mining normally, so much lower stakes for an attack.
All transactions are not gathered in one place, ever. All nodes receive all transactions independently. All nodes are capable of providing a copy of the ledger for verification.
Transactions don't go through a server. Historical record gets finalized by any one participating node. These two things are not the same thing. The transactions that will be mined are publicly known by all nodes before they are mined. Mining only ensures that nobody can change them after the fact.
There is no concurrency, this is true. The systems we have currently are single threaded systems, and from a classical standpoint, hugely inefficient single threaded systems. But this is not the same thing as centralization.
https://medium.com/@VitalikButerin/the-meaning-of-decentrali...
“Blockchains are politically decentralized (no one controls them) and architecturally decentralized (no infrastructural central point of failure) but they are logically centralized (there is one commonly agreed state and the system behaves like a single computer)”
I think you’re mistaken that I don’t know how Bitcoin works. Not only do I know, but I have spoken to many teams doing work in the last 10 years in various alternative systems, and I have even designed alternatives myself.
I used the word server in my analogies. The transactions are, however, all going through one COMPUTER which receives them, puts them in an envelope, and finds the right PoW input to “seal” the envelope, and sends it out to everyone. Whoever does that first, gets the rewards on that chain. If the transactions do not make it into the block, they don’t count on-chain.
Therefore, every 10 minutes, ALL TRANSACTIONS IN THE WORLD must be gathered by one computer, the one that will happen to mint the next block. This is a bottleneck, and it is the cause of the skyrocketing fees whenever the system sees any on-chain adoption.
But it’s actually worse than centralized, because we don’t know who will mint the next block so we have to send everything to everyone. Imagine if all BitTorrent nodes seeded every file in the world. Bitcoin failed as a peer to peer cash system because of this topology and people on the group were telling Satoshi this back in the day.
That doesn't make the network centralized, since the server that acts as the centralized state transitioner will be randomly selected from a very large pool of servers with equal authority.
Innovations like Rollups and Sharding further extend the scalability that is achievable with Ethereum's Proof of Stake consensus protocol, mostly by debundling tasks to create modular components, so that the consensus layer has to handle far less load per transaction.
The exact formula is given in the Bitcoin whitepaper <https://bitcoin.org/bitcoin.pdf>, see page 6 and on.
Soft forks don't force you to download and run new clients just to be able to use the network, which is an important difference. You can use your existing client, you just don't have the new features and don't run validations on them.
The greatest risk on soft forks is that chain split you mention. That's why any reasonable soft fork deployment requires a long time window with a large majority of hashrate signaling support (like 95%).
Why would Doctor Evil attack a block chain network when he could attack global/national/regional credit card/wire transfer/ACH networks, many of which are built upon ancient pre-Internet technology, are full of discoverable vulnerabilities and critical points-of-failure, and are operated by cash-rich financial institutions with liquid, easy-to-short stocks?
Now, if you think such an attack is an important problem for block chains, then you must also think it is an important problem for all legacy transaction networks. Yet we're all comfortable using our credit cards and bank accounts every day, and for virtually all practical purposes, we don't worry about a "Doctor Evil scenario." Why should we think and behave differently for block chain networks?
Moreover, as I wrote before, in practice, legacy transaction networks (like, say, regional VISA networks run by 100-year-old banks) are easier and cheaper to attack. If the Doctor Evil scenario were a real threat, it would be more profitable for him to target one of the legacy networks!
Fundamentally, if there are off-chain incentives to destroy the value of a given blockchain, much of our reasoning about the game theory doesn’t hold up.
If you attack the blockchain, well ... uh ... the owners will ... be really unhappy with you?
Realistically you're only in trouble for doing that if you're pissing off someone else with "the means to violence". If you screw up money laundering operations for a cartel, then what you're likely looking at is acts of violence between two criminal organizations, but if one of them has the upper hand, they can basically act with impunity.
When you're looking at the "small fry" – individual people with their own bitcoin/whatever stakes? They're just fucked. It's true if someone steals your wallet, but it's also true if someone torpedoes the whole system. That's the cardinal problem with all of these blockchain technologies — by deliberately designing the whole thing to disintermediate the authorities; they accomplished exactly that: there are no authorities to deal with systemic problems.
Despite that, PoS has the benefit of offering decentralized staking pools like RocketPool, and the fact that they are growing may indicate that the chain will over time become more decentralized and less able to be centrally attacked[1]. The PoS mechanism itself is also perhaps more resilient to these kind of attacks, see [2].
None of this mechanism is as simple as PoW (which has worked quite well for BTC and ETH so far), but the environmental cost makes it worth exploring an alternative mechanism.
[1] - https://uk.style.yahoo.com/valid-points-ethereum-2-0-1130005...
With PoS exactly the same works. Most of the holders should be honest, and a successful attack would require spending at least 50% of the market cap of the coin to successfully execute - and then losing that stake as the reputation of the coin is soiled.
I challenge you to present a "simple python script" that implements the exact bitcoin consensus rules (as codified in bitcoin core). Bitcoin is not all that simple and there's a nontrivial amount of complexity in bitcoin script alone [1].
> The chain is validated in its entirety upon first sync. 100% from genesis to tip.
The default behavior is to skip signature verification for all signatures before some relatively recent block [2].
[1] https://github.com/bitcoin/bitcoin/blob/master/src/script/in...
> Assuming ancestors of block %s have valid signatures.
when using -assumevalid. I agree it's imprecise, but it's not exactly wrong, since skipping scripts implies skipping signatures.
You can't even fork a stablecoin. In case of a split in a PoS chain, the correct fork will be decided for you by USDC and Coinbase.
Unless we're going to pretend that there is only one way on and off networks and only in one currency denomination…
In practice the value of the forked collateral is likely to be low, leaving the stablecoins insolvent.
Warren Buffet buys up 70% of the network, induces a network partition, and then double spends it all, signing both transaction histories.
By the time he’s caught, he’s converted 2x the value of the POS network to POW bitcoins.
Replace “warren buffet” with “crypto exchanges selling bundled securities”, and the above is not just plausible, it’s inevitable.
The same scam has been run over and over again with conventional banks (who are inevitably bailed out on top of getting to take the money and run), POS just changes the nature of the obscure underlying financial instruments.
This risk can be mitigated:
1. The network should halt if a fork is detected. A fork with more than 66% of the stake behaving maliciously means a fundamental trust assumption of the network has been violated. Stop everything! Let humans figure out what is going on. I'm not saying every PoS system WILL halt under these circumstances, but as a countermeasure they SHOULD be designed to halt and value safety over partition resilience. Thus, an attacker forking a PoS must never allow parties to see either side of the fork. If a party notices a fork occurs, they will halt and can't be double spent against.
2. Following from 1, how do you prevent parties from communicating and discovering that a fork is occurring? Are you a tier-1 ISP and can control all internet traffic? You can defend against such attacks by making it very hard to hide the presence of a fork via redundant communication mechanisms. For instance the Bitcoin blockchain is broadcast via satellite; a PoS blockchain could do that as well.
3. Additionally you can require that stakers lock their stake for long periods of time, e.g., 6 months. This means that if an attacker wants to perform this attack and truly have nothing at stake they must cause a fork in the chain before the 6-months-ago mark. Parties who are up to date with the latest chain are not vulnerable since they have already accepted the consensus history of the chain. New parties who are syncing for the first time would be vulnerable; however, clients could be programmed to have hardcoded 6-month checkpoints or clients could check block explorers and halt if a fork is detected.
Yeah, but you're glossing over an important detail: It's not 66% of the stake that has to be good, it's 66% of anyone who has ever staked. In PoW, I only need to trust the miners of today to tell me the truth about what happened today. In PoS, I need that, plus the miners of yesterday, plus the miners of a year ago, plus ..., in perpetuity.
> New parties who are syncing for the first time would be vulnerable; however, clients could be programmed to have hardcoded 6-month checkpoints or clients could check block explorers and halt if a fork is detected.
Right, maybe you can elaborate on this. Is checking block explorers a decentralized or trustless solution to, well, anything?
What does this mean in practice? Who are these humans? When can the network get going again? Would a consensus rule change be part of it, and what type of changes would be allowed in that situation?
It sounds hard to manage this type of maintenance break in a trustless way. Surely consensus rule changes during outages should not be handled any differently than changes under normal operations.
> clients could be programmed to have hardcoded 6-month checkpoints
Who signs these checkpoints? Once you have established the trust required for checkpointing the entire blockchain regularly, wouldn't it be much easier to checkpoint every block instead and in an instant do away with all the hard problems of blockchain networks?
so, proof of work?
The global CPU and power use for the VDF calculations doesn't need to exceed what you could fit into a single server rack.
This is just evidence that this particular slope isn't as slippery as some thought.
The repo is back up, but the project is dead. I suspect the developers got nasty letters from lawyers behind the scenes. I believe yt-dlp is the future of this project, but it's presently lesser known than youtube-dl so the lawyers got what they wanted in the end.
Copyright should just be a contract between seller and buyer. You promise not to redistribute this. If you didn't buy something, you have no contract with the seller and you can be free to download whatever you want or build whatever software or service you want.
The onus of finding who is the buyer breaking the contract and dragging them to court is on the seller.
We shouldn't have things like DMCA which allow you to censor anything tangentially related or being able to scare people off, but that's what you get when you have a corrupted government that does the bidding of Big Business.
Similarly, patents shouldn't be a thing.
You came up with something, you already have first mover advantage. If someone comes along and does the same thing better, too bad, they were better than you. If you have a manufacturing secret, protect it with contracts and sue for damage if they get broken.
https://twitter.com/vitalikbuterin/status/760232885483806720
Ethereum Classic is the fork that refused to rewrite the blockchain to void the hack, and the linked tweet is VB affirming that he’s only working on the main (reneging) Ethereum fork (which goes by ETH), not Classic (goes by ETC).
Not sure why the parent linked that tweet, maybe Twitter just makes it too hard to identify what tweet you actually want.
Indeed, but the same is true for attacks on "weak subjectivity" proof-of-stake. They're only a threat for nodes that have been disconnected for a long time (months) before they try to reconnect.
My understanding is that the attack you describe involves a cabal of "evil" validators signing some alternate chain (call it the "fake" chain) long after their stake is withdrawn, creating a fork in the distant past. Before they did this, they pretended to be good validators, which meant they signed the "real" chain's blocks and then signed the withdraw transaction. So after the attack, there are two conflicting sets of signatures signed using the evil cabal's private keys; those on the fake chain, and those on the real chain. So anyone in possession of both of these sets of signatures can conclude that the validators in the cabal are "evil", and then they can see that once the cabal's support is removed from consideration, the real chain had more valid validator support (at the time of the fork, in the distant past). If this line of reasoning is correct, that suggests that anyone who is aware of both sets of signatures can identify the real chain?
For other people: https://news.ycombinator.com/item?id=29367857
VDFs are far too new, at best bleeding edge research, nobody is going to gamble serious money on the robustness of such new constructions.
You would need unanimous agreement from the entire cryptology field.
However, yes, there are some workshops on quantum and implications for mining, and some other fanciful stuff that are also just research at this point.
The current setup of PoW relies on rather well understood, battle hardened primitives, that have been in actual usage under adversarial conditions for decades.
Do you think any major central bank will hold any asset that's secured by a paper written last year?
Thousands of buttcoiners would gamble their entire life savings on shitcoin, pisscoin, asscoin, PonziCoin, whatever. When there's enough of them, it gets big enough so institutional investors start gambling on that too. It really doesn't seem like "serious money" is spending anything on actual technological research; the management of big money is also often done by idiots who follow any kind of hype.
I can still propose blocks invalidly, you see. And then someone who doesn't already have the consensus (e.g. trying to sync) will have no way to tell which is legitimate.
This is the problem - you can't look at what the system does when everything's working as it should, you have to look at what happens when it's outside of the comfort zone.
[1] one such: https://github.com/ethereum/annotated-spec/blob/master/phase...
Miners do not set the rules, they are merely a service that provides immutability to a ledger, with a nuclear option that will bankrupt all the billions they have invested, should they misbehave.
Large stakers can rent-seek and extract your wealth, PoS is the same system we have now, plus some code.
You are quite literally being exploited right this minute, by the same methods outlined in the article.
Stakers do not set the rules any more than do large mining pools.
> Large stakers can rent-seek and extract your wealth, PoS is the same system we have now, plus some code.
You know MEV is a thing in PoW too, right?
Their contribution is what makes the currency work.
They are some of the main profiteers from the currency.
You can't do a fork or rule change without enough miners going along (I mean you can but it would not have much value).
So in practice they have all the governing/decision making power (as a group, not a single person).
Sure they might not come up with changes, but they do decide whether any change does take effect in the end.
To demystify what a VDF is, consider the delay function (i.e., the majority of the work done to compute a VDF) used by the most prominent proposals:
Let N = p*q be a product of two large primes (so an RSA modulus) and assume that the primes p and q have been immediately thrown away/forgotten after initialization. Then, computing
f(x) = x^(2^T) mod N
is believed (dating back to a paper by Rivest, Shamir and Wagner in 1996) to take T sequential steps provided that T is large enough. For a large T, the only feasible approach seems to be repeated squaring modulo N. That is, compute y = x^2 mod N, y' = y^2 mod N, ... for T times.
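As an added illustration of the delay function described in this comment (example code, not from the commenter or from any VDF project), the block below evaluates f(x) = x^(2^T) mod N by T sequential squarings, beside the trapdoor shortcut that only works for someone who still knows p and q. The modulus uses two small constructed primes purely for demonstration; the shortcut's existence is the reason the passage says the primes must be thrown away after setup.

```python
# Added example (not part of the original thread): the RSA-group delay function
# f(x) = x^(2^T) mod N evaluated by repeated squaring, plus the trapdoor shortcut
# that is available to anyone who kept the factorization of N.

def vdf_eval(x: int, T: int, N: int) -> int:
    """Evaluate f(x) = x^(2^T) mod N with T sequential modular squarings.

    Each squaring depends on the previous result, so without extra knowledge
    of N there is no known way to parallelize this loop.
    """
    y = x % N
    for _ in range(T):
        y = (y * y) % N
    return y


def vdf_eval_with_trapdoor(x: int, T: int, p: int, q: int) -> int:
    """Same output as vdf_eval, but in O(log T) multiplications.

    Knowing p and q gives phi(N) = (p-1)(q-1), so the exponent 2^T can be
    reduced mod phi(N) first (Euler's theorem, valid when gcd(x, N) = 1).
    This is exactly why the setup must forget p and q: whoever keeps them
    can skip the delay entirely.
    """
    N = p * q
    phi = (p - 1) * (q - 1)
    e = pow(2, T, phi)
    return pow(x, e, N)


# Constructed toy parameters for the demo. A real deployment would use a
# modulus of thousands of bits generated by a trusted setup or class groups.
DEMO_P = 1000003
DEMO_Q = 1000033
DEMO_N = DEMO_P * DEMO_Q


def demo(T: int = 20000, x: int = 12345) -> tuple:
    """Return (slow sequential result, trapdoor result); the two must agree."""
    return vdf_eval(x, T, DEMO_N), vdf_eval_with_trapdoor(x, T, DEMO_P, DEMO_Q)


if __name__ == "__main__":
    slow, fast = demo()
    print("sequential:", slow)
    print("trapdoor:  ", fast)
    print("match:", slow == fast)
```

The repeated-squaring loop is the "T sequential steps" the comment refers to; the trapdoor function shows what an adversary with the discarded primes could do, which is why the setup's honesty (or a group with no known trapdoor) is part of the security argument.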
If you want to use coinbase to buy crypto and tokens, that's on you.
And if by some chance your subreddit manages to become popular, the admins and power mods will conspire to take it from you. Reddit sucks.
What you are arguing for requires either an amendment to the constitution or nationalization of those private enterprises.
"More" of it isn't going to make any of those things go away.
"Freedom of speech" isn't a guarantee that your preferred brand of rational discourse is going to have an audience of millions. If anything, it's a guarantee that it won't, because someone with a self-serving profit motive is far more incentivized to shout over you.
Freedom of speech does not entitle you to broadcast to anyone else's audience.
These weaknesses weren’t due to consensus failures or protocol failures, but bugs in applications running on Ethereum. If Ethereum’s protocol allowed arbitrary funds to be stolen, that could certainly cause a loss of trust.
So two of the Bitcoin examples I gave were consensus failures, which already establishes the point, but let's do a very recent example from Ethereum:
A few months ago, in August 2021, Ethereum had a serious consensus failure and about three quarters of the clients in the network and some miners [0] forked off from the miners. How many people even noticed? [1]
> "Ethereum has weathered a bug that split the world’s most-used blockchain and opened up the risk of counterfeit Ether tokens." [2]
The issue at play is that the ability to cripple the consensus of a blockchain for the most part only impacts its availability not its security or the trust placed in that blockchain. Social consensus can just reset the bad transactions. If the theft or doublespend is big enough. We've seen that happen time and time again. They are somewhat robust but highly resilient.
Now it is possible that perhaps someone could perform an action that can not be so easily reset. For instance a huge doublespend where both parties receiving the funds are honest and have traded an object of extreme value for the doublespent funds. That is very hard to pull off. For instance how do you non-reversibly send something of that much value before the fork/doublespend/consensus bug is discovered? If you are moving something worth say 1 billion dollars in a single transaction you should probably be using an escrow service. Perhaps someone will invent a better technique for turning consensus failures into blockchain killers but so far I'm not aware of such a technique.
[0]: https://twitter.com/TimBeiko/status/1431278258222338056
[1]: https://www.theblockcrypto.com/post/115822/bug-impacting-ove...
[2]: https://www.bloomberg.com/news/articles/2021-08-30/ethereum-...
You said there were “enormous amounts of money stolen or destroyed” as a result of “ weaknesses in the [Ethereum] blockchain.”
The consensus issue where one client forked off isn’t evidence of that at all. Even the article you link to says it seems that the network was stable and the impact was minimal. Even in this particular attack, doing a double spend would be rather difficult.
Spend $X billion, then just bleed everyone without power. Sort of like what we do now.
We have a bunch of examples of this happening in practice. The humans are usually a mix of the developers, parties important to consensus (miners, stakers) and big ecosystem players.
> It sounds hard to manage this type of maintenance break in a trustless way.
When solving a problem that violates your core security assumption you are no longer in the world of security definitions. It doesn't really make sense to talk about "trustlessness". If the protocol is busted, you need to find a solution and get enough people on board with that solution that you can upgrade the protocol.
> Once you have established the trust required for checkpointing the entire blockchain regularly, wouldn't it be much easier to checkpoint every block instead and in an instant do away with all the hard problems of blockchain networks?
The checkpoints aren't trusted for safety but instead for availability. Instead you should think of them like alarms that "something has gone horribly horribly wrong, stop everything, don't transact, don't move, don't touch anything, pull the ebrake."
tl;dr Much like the fuse box in your house, my view is that checkpoints should turn safety failures (electrical fires) into availability failures (electricity is shut off).
Person A buys a movie and agrees to not distribute it, but goes ahead and does it anyway to Person B. Person B hosts it for everyone, and Persons C through Z get it and also host it. You're suggesting Person A is liable, but the cat's out of the bag and Persons B through Z can continue redistributing it forever because they never agreed to anything.
If this is the desired goal, you don't need copyright at all, you can already get Person A on violating Terms of Service or whatever.
all bitcoin miners could be owned by one person and you would have no way of knowing....
>it's effectively centralised
so your argument is not that it is not possible to have security AND decentralisation with POS, but that it currently is not the case, right?
Sure, it's entirely possible that BTC is also centralised and controlled by whales. I was merely suggesting that the reason PoS systems haven't been hacked (much) yet is because the validators are controlled by project owners, so they are really centralised payment systems in disguise.
There's a difference though: buying initial stake in PoS may be similar to buying an ASIC in PoW, but mining a chain has a real cost (electricity) in PoW. In PoS there's no cost to mining, so validators have an incentive to stake all possible forks. There's no way to have consensus on the correct chain, because real resources haven't gone into building one up.
Or rather it has shown that decentralization isn't aligned with the political or economic goals of those who conceive the monetary policy.
Compare it to a boat. Central banking gives you the ability to steer, sure someone might be bad at it and lead you into dangerous waters. But decentralized currency is like shooting the helmsman and ripping out the rudder because someone did a bad job of it once.
However, I’m not sure I understand how this is supposed to help. Proving that a few seconds passed just slows down block generation a little, but this cannot be a significant barrier to block generation or else you just have a full PoW system again. And if it’s not a significant barrier then it’s not clear to me what this is supposed to do, beyond preventing me from generating and signing a new block within milliseconds of some event happening.
But since the “nano scale” PoW doesn’t define the rate of block generation, it just establishes a lower bound, it feels like it’s just a speed bump for anyone trying to attack the system. If it only takes 10 seconds to rebuild the last 100 minutes worth of blocks, then it doesn’t establish a universal clock and therefore cannot prove which block came first.
Of course, nothing can stop anyone from creating parallel 100-minute long branches if that was the only thing, as, unlike PoW, it does not cost anything (except time) to create branches.
So you still need a consensus mechanism, a way to, as an agent of the network, decide what is the right branch. On bitcoin, it is very simple: go to the longest chain, it's where the majority of mining power went, so that is clearly the consensus (with 1 joule = 1 vote).
On ethereum, it's much more complex, involving promises with money at stake locked somewhere, so that anyone can detect cheaters, automatically unlock and take their money as punishment, and reward the whistle-blower with it. So, unless everyone is foolish enough to watch their money seized by the network, it does not happen.
The exact way the correct branch is decided is by random election of one staker, where the randomness is proved to be actually random. After all, using a VDF, you can now prove that its output won't be known until x seconds have passed, if you put the most recent block hash as input. So during that time, you can agree on a fair pseudo-random election algorithm that will take this VDF output as a seed when it becomes available.
The thing though is that this doesn't prove that X seconds have passed. It proves that X seconds have passed on whatever baseline hardware has been used to calibrate it. I don't know who actually computes the VDF in the proposed proof-of-stake schemes, though I would assume it's "whoever is proposing a block" (is this the same as the staker? Does this mean every single staker is picking a block and computing their own VDF, meaning everyone is still burning CPU?). And this means the VDF can only establish a minimum CPU requirement. It can say "X seconds have passed on the minimum hardware we're requiring at the moment", but anyone with faster hardware can still compute it faster.
And also because this PoW scheme cannot require more than X seconds for any participant to compute, it means an attacker that starts computing their alternative blockchain at the same time as the block they want to replace faces no difficulty. All this does is interfere with the ability to decide after the fact that you want to attempt to replace history. And even then, if you have hardware faster than the baseline, you can still reach back in time to recalculate a block, you just have to wait longer to do so. And by that I mean if you want to edit a block from 100 minutes ago, and you've got a CPU that's twice as fast as whatever the VDF is tuned for, then it just takes you 100 minutes to compute the replacement blockchain (50 minutes to compute the past 100 minutes, and 50 minutes to compute the new blocks that have been added since you started the attack). So after 100 minutes you now have an alternative chain that everyone thinks took 200 minutes to compute.
Which means now we're just back at the problem of "attacking consensus", where nobody can look at the two blockchains and see within the system which one was calculated first.
---
I suppose the VDF could be calculated by some volunteer with the fastest hardware, though this requires rewarding them for doing so (which means you basically have a monopolist sucking up all of the VDF rewards and no real incentive for nearly all participants to even try and compete). And this is still attackable by someone who can put together hardware that is even just slightly faster than the volunteer. It just takes longer. If the security of the system relies on a volunteer being assumed to have the fastest hardware on the planet, then the system isn't secure. I also question what happens in this scenario when the volunteer goes offline and nobody else has hardware that's as fast. Now the next block isn't ready in X seconds. I assume there's some protocol for "oops nobody has finished computing the VDF in time", but this does provide another avenue of attack for anyone in a position to disrupt the volunteer's connection to the network. Of course, anyone in a position to do that is likely to have access to unusually fast hardware already, but the point is that you cannot rely on the idea that "nobody can possibly calculate this block faster than the VDF is tuned for".
This attack is possible in Bitcoin too, except because Bitcoin is parallelizable, the defense there is that this attack requires spending more money than it is worth as the computing power used to calculate blocks is roughly a function of the value of the network. The danger there is generally in centralizing too much of the computing power among too few participants rather than an outsider breaking the scheme. This attack does work on smaller PoW coins of course, generally by folks who control a chunk of Bitcoin computing power and just redirect it temporarily (if the value in attacking the coin is greater than the expected bitcoin mining rewards for the time it takes to do the attack, then this makes sense).
Honestly, it really seems like we should only have one global PoW network, and everything else should use other systems. Perhaps they should satisfy security by doing things like VDFs for short-term security and storing their blockchain hashes into Bitcoin for long-term security. Bitcoin using up a ton of power is still a problem of course, but maybe there's some sort of approach that can be used to solve the problem of "PoW to establish a global distributed clock" once you remove the "and we want to use this as a currency" part that doesn't invoke a massive arms race. This may involve ditching the idea of "anyone can participate", which also then allows you to change the incentives for running the PoW scheme.
---
Edit: I suppose the VDF's input might not be "the block being computed" but instead "the previous block", and the output then used to elect participants who are then trusted to build the new block. This would allow the new block to indicate whether the VDF actually took longer than expected. But then we're back at a probabilistic function with PoS, where those with the highest stake are now most likely to be trusted and therefore are in a position to abuse that trust.
I suppose reading up more on PoS systems might answer this question. But I really don't want to do that. I've already spent far longer on this than I intended to.
Said randomness is needed to elect the new quorum who will build the new block.
This does absolutely nothing with the fact that you need 66% honest stakers in the system for it to remain secure.
I’m not the parent, but – no, I don’t. But that’s exactly the point. The need to bootstrap from centralized authorities is what’s supposedly so bad about weak subjectivity in proof-of-stake. Yet in practice, it’s needed with proof-of-work as well.
Bitcoin is an open source permissionless protocol, so you have multiple clients to choose from, each with their own list of bootstrapping nodes, many open source where you can submit a PR to add your node too. You can even build your own client and point to whatever you want. You can also just ignore them and just point directly to nodes in a list from a public forum, a private chat, whatever.
Also, you're not just connected to those bootstrapping nodes: you use them to find the rest of the peers in the network.
I characterized this as relying on centralized authorities (albeit several of them), but sure, it can also be considered decentralized to some extent.
The point is that it's a mechanism outside of the proof-of-work network itself. Instead of relying on a machine to reach consensus via a formal protocol, you the human are probing for a social consensus by evaluating statements made by other humans (via GitHub, public forums, or private chats, or just talking to people in person).
In both proof-of-work and proof-of-stake, you need to find social consensus in order to initially obtain the software, after which point you can rely on the network's consensus.
The difference with proof-of-stake is that you have to redo this if you disconnect from the network for months on end.
In practice, for a variety of reasons, practically all users of cryptocurrencies download regular software updates, and thus continue to rely on social consensus, regardless of whether the currency is proof-of-work or proof-of-stake.
Satoshi tried to convince us that we could decentralise trust by doing honest work instead of relying on authority. It turns out that doing work is actually pretty hard, people are lazy, and security is still the nemesis of efficiency.
In IPv4 a client might have a chance at auto-discovering peers.
It's also not necessary to rely on a single centralized authority. There are many things (DNS, Encyclopedias, Linux kernel mirrors, etc.) where the majority of existing centralized authorities agree with each other.
What part of DNS do you feel is possible without a centralized authority?
This 'long range attack' is different from a 50% attack because it doesn't affect nodes that were running before the attack happened. But a situation where new entrants into the network are uncertain of the 'true' fork is not tenable in the long term.
This seems more viable for a value destruction attack than for a double spend. But value destruction can be lucrative for blackmail. It means a coalition of stakers could withdraw their stakes and state "increase the blocksize or suffer a long-range attack".
This is an important point to consider, but it can be mitigated with exit delays. E.g. with Eth2's current settings, if an attacker had 2/3 stake at one point, I believe it would take them 6-7 months to exit all those validators. So while it's true that new entrants must sync from a trusted checkpoint, the checkpoint can be quite old.
Let's say my client has a hardcoded list of checkpoints, with a new one added once a month. The client would only accept forks containing all of those checkpoints in their history.
It seems like there are two ways an attacker with commit access might try to corrupt this checkpoint list. First, they could try to add bad checkpoints over a period of 6-7 months, until they've fully exited and can safely perform a long-fork attack. This seems impractical, since the bad checkpoints would be noticed by existing node operators (who would get stuck after upgrading their clients), and 6-7 months seems like plenty of time to raise the alarm.
Alternatively, an attacker could just delete 6+ good checkpoints, and replace them with 6+ bad ones, all at once. This would violate the convention of adding monthly checkpoints, so it should be easily recognized as a malicious change. One could argue that it might go unnoticed anyway, but sneaking in such a change seems roughly as hard as sneaking in any other clearly-malicious client change.
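To make the two checks in this comment concrete, here is an added example (my own code, not the commenter's and not any client's actual implementation) of a client that rejects any fork missing a hardcoded checkpoint, plus an append-only review rule that flags a checkpoint-list update which deletes or rewrites existing entries. The chain and checkpoint formats are constructed toy data: a chain is a list of (height, hash) pairs and hashes are short labels.

```python
# Added example (not from the thread): hardcoded-checkpoint filtering for
# long-range forks, and an append-only rule for reviewing checkpoint updates.
from typing import Dict, List, Tuple

Block = Tuple[int, str]        # (height, block hash) - constructed toy format
Checkpoints = Dict[int, str]   # height -> expected block hash at that height


def fork_contains_checkpoints(chain: List[Block], checkpoints: Checkpoints) -> bool:
    """Accept a candidate chain only if every hardcoded checkpoint is in its history.

    A long-range fork that diverged before a checkpoint cannot reproduce the
    checkpointed hash, so a freshly syncing client that applies this rule is
    not fooled by it, regardless of how much old (withdrawn) stake signed it.
    """
    hashes_by_height = dict(chain)
    return all(hashes_by_height.get(h) == expected for h, expected in checkpoints.items())


def checkpoint_update_is_append_only(old: Checkpoints, new: Checkpoints) -> bool:
    """Return True only if the update keeps every existing checkpoint unchanged.

    Deleting or replacing already-shipped checkpoints is the 'replace 6+ at once'
    pattern the comment describes, so a reviewer (or a CI check) should reject it.
    """
    return all(new.get(h) == hsh for h, hsh in old.items())


# Constructed sample data: heights are sparse to keep the example short.
CHECKPOINTS = {100: "h100", 200: "h200", 300: "h300"}

HONEST_CHAIN = [(0, "genesis"), (100, "h100"), (200, "h200"), (300, "h300"), (400, "h400")]

# A long-range fork that diverges after height 100; it is longer, but it
# cannot contain the checkpoints at 200 and 300.
LONG_RANGE_FORK = [(0, "genesis"), (100, "h100"), (200, "x200"), (300, "x300"),
                   (400, "x400"), (500, "x500")]

# A proper monthly update appends one checkpoint.
GOOD_UPDATE = {**CHECKPOINTS, 400: "h400"}

# A malicious update silently swaps two existing checkpoints for fork hashes.
BAD_UPDATE = {100: "h100", 200: "x200", 300: "x300", 400: "x400"}


def demo() -> dict:
    """Run both checks on the constructed data and return the outcomes."""
    return {
        "honest_accepted": fork_contains_checkpoints(HONEST_CHAIN, CHECKPOINTS),
        "fork_accepted": fork_contains_checkpoints(LONG_RANGE_FORK, CHECKPOINTS),
        "good_update_ok": checkpoint_update_is_append_only(CHECKPOINTS, GOOD_UPDATE),
        "bad_update_ok": checkpoint_update_is_append_only(CHECKPOINTS, BAD_UPDATE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the chain-length comparison never enters into `fork_contains_checkpoints`: the longer fork is rejected purely because its history lacks the hashes the client was shipped with, which is the property the comment relies on.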
In PoW miners risk going bankrupt overnight for egregious behaviour like that.
I'd like to see how one defines "slashing" programmatically that is impartial, works algorithmically, and does not have edge cases that can lead to catastrophic failures without handwavy assumptions that every single PoS network has today.
But my understanding was that you can only have enough stake in the network to make decisions...by having that stake in the network. If you un-stake your crypto and cash out, by definition, you no longer have any stake in the network. If you no longer have any stake, how do you have a controlling stake?
Amazing breakthrough, really. Now ddos blackmail can be actually measured in money.
At least you could point to avalanche or something else that's better constructed. Eth is a dinosaur at this point, albeit with the fattest treasury.
But-- there's nothing to preclude you making big steps up in difficulty at the end of the chain. It means that one evaluating the length of the chain for authenticity really needs to integrate the difficulty over the entire chain and not just look at the number of blocks.
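As an added example of the point above (my own code, not the commenter's), the block below compares two candidate chains by accumulated work rather than by block count, using the Bitcoin convention that a block at difficulty d represents about d * 2^32 expected hashes and that work for a target is 2^256 / (target + 1). The sample chains are constructed: a short high-difficulty chain and a longer chain of cheap blocks.

```python
# Added example (not from the thread): chain selection by total work, not length.
# Work units follow the Bitcoin convention (difficulty-1 block ~ 2^32 hashes).

from typing import List

# Bitcoin's difficulty-1 target (0x1d00ffff in compact form), used only to
# show how work is derived from a target; the sample chains below use the
# simpler difficulty numbers.
MAX_TARGET = 0xFFFF * (1 << 208)


def work_from_target(target: int) -> int:
    """Expected number of hashes to find a block at the given target."""
    return (1 << 256) // (target + 1)


def block_work(difficulty: float) -> int:
    """Expected hashes for a block at the given difficulty (difficulty * 2^32)."""
    return int(difficulty * (1 << 32))


def chain_work(difficulties: List[float]) -> int:
    """Integrate difficulty over the whole chain: the sum of per-block work."""
    return sum(block_work(d) for d in difficulties)


def pick_by_length(a: List[float], b: List[float]) -> str:
    """Naive rule that the comment warns against: most blocks wins."""
    return "a" if len(a) >= len(b) else "b"


def pick_by_work(a: List[float], b: List[float]) -> str:
    """Rule that actually reflects hashing spent: most accumulated work wins."""
    return "a" if chain_work(a) >= chain_work(b) else "b"


# Constructed sample: an honest chain of 10 blocks at difficulty 1000 and a
# competing chain of 50 blocks mined at difficulty 1 (cheap to produce).
HONEST = [1000.0] * 10
CHEAP_LONG = [1.0] * 50


def demo() -> dict:
    return {
        "honest_work": chain_work(HONEST),
        "cheap_long_work": chain_work(CHEAP_LONG),
        "by_length": pick_by_length(HONEST, CHEAP_LONG),
        "by_work": pick_by_work(HONEST, CHEAP_LONG),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The length rule hands the decision to whoever can produce the most cheap blocks; the work rule makes the longer chain worth only about 50 difficulty-1 blocks against 10,000 for the honest one. Verifying that each block's stated difficulty was the correct one for its position is a separate question, which the replies below take up.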
Suppose I'm a new node and want to verify the blockchain. How do I verify that each block was mined with the correct difficulty?
I'd need some record about the actual real-world timestamps for each block. Then I could say something like "duration between block x and block x+1 was > 10 min, so the down-adjustment in block x+5 is justified".
But if those timestamps were stored on-chain, an attacker could simply lie about them and keep difficulty artificially low on its alternative chain.
On the other hand, if we had some un-forgeable record of block timestamps, wouldn't this solve the double-spend problem all on its own? Would we even need PoW at this point?
Edit:
Ok, sibling comment seems to suggest bitcoin has solved this problem differently: https://news.ycombinator.com/item?id=29368166
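A worked illustration of the two comments above (integrating difficulty over the whole chain, and what a fresh node can check without trusting timestamps), added here as an example; it is not code from any commenter or from Bitcoin Core. The nBits compact encoding and the work formula 2^256 / (target + 1) are the real Bitcoin ones; the two competing forks and their hash values are constructed.

```python
"""Pick the heaviest chain by cumulative work, not by block count."""
from dataclasses import dataclass

MAX_TARGET = 0xFFFF << 208  # difficulty-1 target, i.e. nBits 0x1d00ffff


def target_from_bits(bits: int) -> int:
    """Decode the compact nBits header field into a 256-bit target."""
    if bits & 0x00800000:
        raise ValueError("negative target is never valid")
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_work(bits: int) -> int:
    """Expected hash attempts to find a block at this target (same as GetBlockProof)."""
    return (1 << 256) // (target_from_bits(bits) + 1)


def difficulty(bits: int) -> float:
    """Conventional difficulty: how much harder than the easiest allowed target."""
    return MAX_TARGET / target_from_bits(bits)


@dataclass(frozen=True)
class Header:
    bits: int        # claimed target; it is part of the header, so it is committed to
    hash_value: int  # header hash as an integer (constructed here, not really hashed)


def header_meets_target(h: Header) -> bool:
    """What a new node checks per block: does the hash satisfy the header's own
    claimed target?  No trusted real-world timestamps are needed for this."""
    return 0 <= h.hash_value <= target_from_bits(h.bits)


def chain_is_valid(chain: list) -> bool:
    return all(header_meets_target(h) for h in chain)


def chain_work(chain: list) -> int:
    """Integrate difficulty over the whole chain: sum of per-block expected work."""
    if not chain_is_valid(chain):
        raise ValueError("a header does not meet its claimed target")
    return sum(block_work(h.bits) for h in chain)


def best_by_count(chains: dict) -> str:
    """The naive 'longest chain' rule: most blocks wins."""
    return max(chains, key=lambda name: len(chains[name]))


def best_by_work(chains: dict) -> str:
    """The rule nodes actually use: most cumulative work wins."""
    return max(chains, key=lambda name: chain_work(chains[name]))


# Constructed forks: ten blocks at difficulty 1 versus three blocks at a
# historical nBits value (0x1b0404cb, difficulty ~16307).  Hash values are
# made up, chosen only to satisfy each header's own target.
CHAINS = {
    "long_easy": [Header(0x1D00FFFF, 1 << 200) for _ in range(10)],
    "short_hard": [Header(0x1B0404CB, 1 << 190) for _ in range(3)],
}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(f"{name}: {len(chain)} blocks, work={chain_work(chain)}, "
              f"difficulty per block={difficulty(chain[0].bits):.2f}")
    print("by count:", best_by_count(CHAINS))   # long_easy
    print("by work: ", best_by_work(CHAINS))    # short_hard
```

Timestamps still matter for the retarget calculation itself, but a fork that lies about them to keep its difficulty low only makes each of its blocks count for less under the cumulative-work rule.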
However, if you are only forking the VM and allowing people to deploy other protocols (or forks of other protocols), this is not the case (they just start off at lower total supply relative to the native collateral available on that network from a lower demand base).
I think I'd agree for things like ZCash/Dash etc. compared to BTC, but I'm not sure I'd agree when it comes to all the contracts deployed on all EVM networks, and none of this has anything to do with decentralized stablecoins.
For example, you can mint MIM (a decentralized stablecoin) on both Avalanche C-Chain and Ethereum (as well as Polygon, Fantom, BSC and Arbitrum), and they are both worth $1, but have different collateral backing them on each network. If users wanted to leave one or the other, they could just redeem their MIM for the underlying, sell it, buy the collateral on another network and mint it there. The collateral might trade lower on one network based on market factors (like if the narrative shifted to that chain becoming too centralized or whatever, and this assumes that the price movement of the underlying even overwhelms the over-collateralization ratio, which it might not), but it would just mean that there would be more or less MIM on that particular network as assets are liquidated, not that the MIM itself would be worth less.
About VDFs, there is a tolerance: you need to be in the same ballpark as the fastest, not _the_ absolute fastest. The more tolerance you need, the less snappy the PoS blockchain will be. They plan to make a low-power ASIC for that task, to be as close as possible to the theoretical max speed for that, and have the lowest tolerance margin as a result.
Also, there is a way to reduce all VDF results so that only one of the whole set of VDF-ers needs to be honest.
So it's not one volunteer, but a pool of volunteers, using low-powered ASICs so close to the theoretical max (i.e. the speed of transistor switching) that you couldn't outrun them enough to profit from that speed-up. I am not sure if they are incentivized, because it's not costing a lot, but maybe.
> Edit: I suppose the VDF's input might not be "the block being computed" but instead "the previous block", and the output then used to elect participants who are then trusted to build the new block. This would allow the new block to indicate whether the VDF actually took longer than expected.
Indeed, that's what I thought I was saying, but maybe I was not clear enough.
I don't quite get that. As far as I understand it the "nothing at stake" problem works by a malicious party inducing a fork, one of which they double-spend in. Since it's in the best interest for everyone else to mine both forks, you can force your double-spend fork to become the longest chain by only validating the double-spend fork.
This means you have to trust that nobody part of your current chain has double-spent in this way. But isn't this the same as in PoW where you have to trust that nobody has launched a 51% attack to disrupt the network in the past?
Also, can't you just prevent people from mining all forks? I.e. to become a validator you have to deposit X as a security beforehand, and you can only earn at most X via staking (so it is in the history before you can attack with nothing at stake). If it is recognised that you mine on more than one fork at a time, you lose the security deposit you gave before the fork. X goes to the person who found the fork, incentivising that the malicious fork is identified on all forks (miners on competing forks are incentivised to look at all forks and quickly add the malicious-fork detection for their own benefit). If you want to retrieve your security and the money you earned, you have to announce this on all forks (you immediately cease to be a validator). You are only allowed to retrieve the funds if it is confirmed on all forks, or the forks are sufficiently behind the longest chain. This allows everybody ample time to look for dual-fork work and also incentivizes rapid resolution of forks.
Yes, modern proof-of-stake algorithms work this way. The caveat is that at some point (on the order of months later) the security deposit is refunded, and at that point you can lie about the past without consequence. But this is a limited attack: you can only successfully lie to someone who has been offline since you were a staker, or else they would already have a record of the real successor chain (which now has a new set of stakers, who themselves still have their security deposit deposited).
Like, this is trivially solved with a central authority (e.g. have some trusted core developer every day publish a signed message saying "this is the real successor chain"), but it does enable that central authority to arbitrarily bless a fake ex-staker's fork.
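The deposit-and-slash scheme sketched two comments up, together with the reply's caveat about what happens once the deposit is refunded, as an added example (illustrative code, not any real chain's implementation and not written by either commenter). HMAC with a per-validator secret stands in for real public-key signatures so it runs on the standard library alone; validator names, deposit size and delay are constructed.

```python
"""Equivocation slashing with a reporter bounty and a delayed withdrawal."""
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    validator: str
    height: int
    block_hash: str
    sig: str


def _vote_message(validator: str, height: int, block_hash: str) -> bytes:
    return f"{validator}|{height}|{block_hash}".encode()


def sign_vote(validator: str, secret: bytes, height: int, block_hash: str) -> Vote:
    """Stand-in for a real signature: HMAC over (validator, height, block)."""
    sig = hmac.new(secret, _vote_message(validator, height, block_hash), hashlib.sha256).hexdigest()
    return Vote(validator, height, block_hash, sig)


class SlashingLedger:
    def __init__(self, secrets: dict[str, bytes], deposit: int, withdrawal_delay: int):
        self.secrets = secrets                       # stand-in for validators' public keys
        self.deposits = {v: deposit for v in secrets}
        self.delay = withdrawal_delay
        self.seen: dict[tuple[str, int], Vote] = {}  # (validator, height) -> first vote seen
        self.slashed: set[str] = set()
        self.withdrawn: set[str] = set()
        self.exiting: dict[str, int] = {}            # validator -> height the exit was announced
        self.bounties: dict[str, int] = {}

    def _verify(self, vote: Vote) -> bool:
        secret = self.secrets.get(vote.validator)
        if secret is None:
            return False
        expected = hmac.new(secret, _vote_message(vote.validator, vote.height, vote.block_hash),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, vote.sig)

    def record_vote(self, vote: Vote, reporter: str) -> str:
        """Process one observed vote; the return value says what the ledger did."""
        if not self._verify(vote):
            return "invalid-signature"      # never slash on unverified evidence
        if vote.validator in self.slashed or vote.validator in self.withdrawn:
            # Refunded deposit: the key can still sign, but there is nothing left
            # to slash, which is exactly the "lie about the past" caveat above.
            return "not-active"
        key = (vote.validator, vote.height)
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = vote
            return "accepted"
        if first.block_hash == vote.block_hash:
            return "duplicate"
        # Two validly signed votes at one height for different blocks: the
        # validator worked on both forks.  Deposit goes to whoever reported it.
        self.slashed.add(vote.validator)
        self.bounties[reporter] = self.bounties.get(reporter, 0) + self.deposits[vote.validator]
        self.deposits[vote.validator] = 0
        return "slashed"

    def request_withdrawal(self, validator: str, height: int) -> bool:
        if validator not in self.deposits or validator in self.slashed or validator in self.exiting:
            return False
        self.exiting[validator] = height
        return True

    def finalize_withdrawal(self, validator: str, current_height: int) -> int:
        """Release the deposit only after the delay, and only if nothing was reported meanwhile."""
        if validator in self.slashed or validator not in self.exiting:
            return 0
        if current_height < self.exiting[validator] + self.delay:
            return 0
        amount, self.deposits[validator] = self.deposits[validator], 0
        del self.exiting[validator]
        self.withdrawn.add(validator)
        return amount


def demo() -> dict:
    # Constructed validators, deposit and delay.
    secrets = {"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"}
    ledger = SlashingLedger(secrets, deposit=32, withdrawal_delay=100)
    r = {}
    r["first_vote"] = ledger.record_vote(sign_vote("alice", secrets["alice"], 10, "blockA"), "bob")
    r["second_fork"] = ledger.record_vote(sign_vote("alice", secrets["alice"], 10, "blockB"), "bob")
    r["forged"] = ledger.record_vote(Vote("carol", 10, "blockB", "00" * 32), "bob")
    r["bob_bounty"] = ledger.bounties.get("bob", 0)
    r["alice_withdraw"] = ledger.request_withdrawal("alice", 11)
    r["carol_request"] = ledger.request_withdrawal("carol", 10)
    r["too_early"] = ledger.finalize_withdrawal("carol", 50)
    r["after_delay"] = ledger.finalize_withdrawal("carol", 110)
    r["after_exit"] = ledger.record_vote(sign_vote("carol", secrets["carol"], 120, "blockZ"), "bob")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```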
Right now, it seems to be one of the best protected PoS chains. It's still fairly new, with novel mitigations, so it still doesn't stand the test of time against all possible attack vectors.
In that sense, it still can't be considered as secure as a PoW chain with high hashrate, which is protected by thermodynamics (you can't produce more hashes than the physical energy you have access to allows).
Not "unsafe standard" but "dangers/unsafe to bootstrap".
But there are ways to mitigate the bootstrapping issue to some degree.
And PoW chains tend to have a low cost at the beginning, making them similarly not easy to bootstrap safely (though easier than PoS).
In the end I don't think what is theoretically better matters; what really matters is what practically matters for big cryptocurrencies (and smaller ones can, during bootstrap (and potentially later on), interlink with the large chains).
(Both would be vulnerable to Shor's but post-quantum signatures would fix that.)
It might be, in the future, if you replaced the keys, but it isn't now. Words mean things, and it really is important to use them correctly.
(Also, wouldn't the network respond by just raising the difficulty, miners respond by buying quantum computers, and the world to spin as usual?)
Which parts of this are checked by the client software, and which parts are just checked by interested humans in the block explorer?
There's a trade-off here. If you require 8000 guys to all vote in favor of your block, what does the client do if it only sees 7999?
> which wouldn’t be supported by any ETH1 deposits ... signed by 260k freshly generated public keys
You misunderstand. What happens if some of those private keys get compromised? In Bitcoin, if I sell my miners to someone else, it's not like they're radioactive waste that has to be buried. In PoS, someone can cause quite a bit of damage with keys that ostensibly don't contain any money. And because I've already withdrawn, I have no reason to care.
Those private keys are useless unless you had something like 50% of all the active validators' keys. So, hundreds of thousands of private keys hacked. You're not going to be able to damage consensus using a few old leaked private keys. The best you could do would be to slash some active validators and get them ejected, but the chain would carry on finalizing without them.
The 8k are randomly selected from this pool of 260k validators via RANDAO every 12 seconds.
Whereas in ETH PoS, validation happens in the consensus layer, following strict self-imposed rules. With each new block, one validator is chosen to propose the block, and thousands of validators are asked to back the proposer. The proposer and attesters are chosen randomly but specifically, with no freedom to mix and match; the chosen validators must attest (and receive a reward) or else be penalized. Validators don't know each other and they don't need to cooperate to create a shared key ahead of time; all they have to do is deposit and follow the rules. The signatures are aggregated by [BLS elliptic curve stuff, idk, it's magic] and help to form the consensus chain itself.
Note that in Bitcoin you can have a fork in which both chains have equal length. The idea is that eventually the longest chain will be established, but if say 90% of the mining is malicious that malicious miner could ensure that most of the time both chains are of equal length.
With a PoS fork you can ask, which fork has the most amount of stake voting for it. An attacker that controls enough stake might be able to balance the total stake vote in the same way as a malicious miner could on Bitcoin.
In both cases if the core security assumption of the blockchain is violated, that blockchain should halt until that assumption is made sound again. If someone orphans the last two years of Bitcoin's blockchain something has gone horribly wrong. The fact that Bitcoin now switches to the longest chain doesn't actually address the problem that two years of transactions may have been rendered invalid.
The hard fork reversed those transactions.
No matter what fancy spin you put on it, that was absolutely a violation of the blockchain's integrity, as it violated the principle that accepted transactions can't be reversed after the fact, even if you call it an "irregular state-change" that just keeps things secure.
You can absolutely defend the position that this was best for the ETH ecosystem. But it was absolutely a reneging on the blockchain rules.
I think this is where you get the problem - if you just have two sets of signatures, how do you tell which is legitimate and which one isn't? How do you conclude in which set the cabal was lying?
An eclipse attack is so named because it requires you to keep all the light out so they're kept in the dark. But here, since there's no internal mechanism to tell the two chains apart, you don't only need the accurate information, but also outside information about which one is accurate.
I feel like you should be able to deduce it from the distribution of participation after the fork, right?
The “fake” chain would lose all honest verifiers (and all transactions from honest wallets?) which seems like it would be pretty detectable with simple statistical analysis. Staked nodes not participating (and active wallets not transacting) becomes less and less likely the longer the post-fork chain is.
But you don't know who's honest - you may as well be saying the real chain lost all the dishonest verifiers.
Where proof-of-work really does have an advantage is that you can more easily distinguish that scenario from the scenario where either one of the chains is actually a Sybil attack, i.e. a single attacker pretending to be a large number of people. Similarly, if you only see a single chain, with proof-of-work you can try to detect an eclipse attack (which implies a Sybil attack) by seeing if the hashrate has gone down dramatically.
That's a real advantage. I don't think it's even close to enough to mitigate proof of work's disadvantages, especially since the circumstances where it would practically come into play are extremely unlikely, but it's not nothing.
However, it's undermined by the fact that proof of work naturally encourages centralization. Bitcoin is centralized enough that it's not completely impossible for the vast majority of the hashrate to end up on one side of a fork (either soft or hard), while the vast majority of users and developers end up on the other side. (To be clear, this is very, very unlikely to actually happen, but so are all of the attacks we're talking about.) If this happens, the objective proof-of-work standard will side with the miners, but not with the people you actually want to transact with.
Of course, a proof of stake currency can also suffer a schism, but there is (probably) less tendency for stakers to be centralized, and if a schism did occur, at least the client wouldn't provide a false sense of objectivity.
Is it even true? Steemit had the exchanges do a hostile takeover, because everyone was staking through them.
1. X is a problem?
2. But Y is also a problem, in my opinion.
3. X and Y are both the same, I think.
4. Therefore X is not a problem.
We can - theoretically - verify the correctness of PoW software by downloading the source code, reading it over, etc. We can also refuse to update, reducing ourselves to SPV security. We can internally verify the checkpoints using 100% objective standards. There are other things as well. This is not the case for PoS, where our "signature A existed at time B" has to be taken on faith, or as evidence of things unseen. There is no internal way to verify the veracity of such a statement.
The fact that users aren't personally doing this is not the same as saying it makes no difference whether they are able to or not. I'm not personally going to withdraw all the money in my bank account - that would be ridiculous - but if the bank informed me I was no longer able to withdraw the money in my account, that would not be suitable at all. The assurance that I can do it makes it so that I don't have to.
It seems like you reject this premise, maintaining that PoW networks are objectively verifiable? But you didn't really refute the parent's point there, which was that there are no "objective standards" in deciding which bootstrap nodes to use; it's ultimately a matter of trust. If I trust the wrong bootstrap nodes, I can be eclipsed from the real network.
Granted, I only have to trust that a single bootstrap node from the list will faithfully connect me to the honest network. But PoS involves a very similar 1-of-n trust model; I can request checkpoints from n semi-trusted sources and check that they match.
Also, granted, if I pick bad bootstrap nodes, I can still detect if I'm being eclipsed by looking at the hash rate. But how do I know what hash rate to expect? I could check n websites with hash rate charts, but that brings us back to 1-of-n trust.
> 4. Therefore X is not a problem.
IMO it's a manageable problem. Users just need to be cognisant of these trust assumptions they're relying on, and be thoughtful about picking semi-trusted peers (whether bootstrap nodes or checkpoint providers).
Right, but it's not about trust in the same way. I can add an infinite list of bootstrap nodes. Quantity matters, not quality.
> But PoS involves a very similar 1-of-n trust model; I can request checkpoints from n semi-trusted sources and check that they match.
"Very similar," not the same. You need "semi-trusted sources", and there's no objective standard in case they disagree.
Which means that large stakeholders suddenly stop verifying blocks. Long-term active wallets stop transacting.
The same might be true for both chains after the fork, but I would imagine the fake one would have a larger change in participation (weighting older wallets and larger stakes) than the real one.
For each chain you'd be able to look at the age, stake & historical participation level of the post-fork participants and get a pretty good idea which (if either) of the chains is real. The absence of honest participants should look a lot different than the absence of dishonest ones.
Granted, this method is not nearly as simple as checking the number of 0s on a hash, but I would imagine it to be quite difficult to circumvent.
If sufficiently powerful quantum computers become readily available to anyone, sure, everybody will upgrade. Given the exotic hardware they typically require, it seems likely that for a while only a few large organizations will have them.
Shor's is faster but more specific. It works on factoring and elliptic curves, but not on hashes. The advantage of Shor's is that if you have enough qubits, you can get the answer immediately. Grover's only offers quadratic speedup, effectively halving the number of bits in the hash function.
So for signatures we just need to switch to something like a hash-based signature algorithm, with keys having twice as many bits as we'd want against classical attackers. But we don't have hash functions that keep Grover's from working, so a quantum miner would be way faster than classical miners.
Proof of Work does not get you any votes at all.
PoW is a service to the network, to create an immutable ledger. It comes with a very real nuclear option that will bankrupt miners if you misbehave and get fired by hashing algo change.
It's just a boring industrial business, like smelting aluminum or iron.
It's a system with an immutable monetary policy. Literally unprecedented in human history.
You get compensated for your service, it may seem like a lottery, but if you do it for a long enough time, you'll get fairly steady returns as in theory it should be random and proportional to your hashrate.
I don't mine, and I think it's definitely overhyped at the moment, but maybe it will settle in the future and actually provide a useful service to us folk. It doesn't seem to be going away for now, and it is really easy to send money to friends and family, whether they're next door or in another country.
If you work with software development - which you probably do - I'd suggest checking what you do for a living, how much energy it consumes and how much physical product it generates.
Or some AI because humans are prone to bribery to some extent.
Or we could make it democratic. "Jeff Bezos asserts that he provided useful work for society and that he therefore deserves $1B this year. Please cast your votes".
PoS staking is simply committing a portion of your capital to the task of validating transactions. You benefit by receiving a reward in the form of additional tokens.
In a PoW system, the same exact thing can be accomplished by using your tokens to purchase a stake in a mining pool. You will similarly be unable to access your capital, be rewarded with additional tokens, and at the end of a period of your choice, you can liquidate your position in the mining pool to reclaim your tokens.
[edit] PoW in this context is a bit worse because PoW miners can rent out their hash power maliciously without being slashed.
In this world, the "nothing at stake" problem also manifests in proof of work, where I believe ownership in the mining pool makes you agnostic to the outcome of any chain splits - although I'm still working this bit through in my head. Opinions welcome!
Sounds wrong. Slashing is a means to prevent people from staking on multiple chains. In PoW, computing power is scarce, so if you allocate some compute time to one chain then you have less of it on another chain. You automatically get slashed. The difficulty in designing a PoS chain is in artificially re-creating this slashing and thereby solving the "nothing at stake" problem.
Within protocol, no. But when weighing a fork, those with the gold choose the rules.
Status quo will be incredibly difficult to overcome for attackers; even with a large chunk of industry, exchanges, miners and whales against the status quo, it prevailed.
Hmm, maybe I’m ignorant, but in practice, don’t miners (socially, not technically) have substantial say in issues like the block size debate?
If you want to create a hard fork of the chain for any reason, whether people accept your fork as legitimate will in part reflect the total hashing power of that forked chain, right? So in practice what miners choose to follow will have a big impact.
Maybe not quite the same as PoS in-chain voting, but it still seems to give large miners outsized power, no?
Changing the hashing algo isn’t a realistic punishment for targeting misbehaving miners.
You end up with two choices:
1. Change to an algorithm that uses gpu/cpu instead of ASICs (and is ASIC-resistant), but then your algo runs on general-purpose computing and you can’t fork miners off ever again.
2. Move to another algo that benefits from ASICs. This has the extra overhead that you need to spin up manufacturing and distribution of these ASICs to honest miners, which takes quite a long time to do, and while you're waiting, your network is being attacked.
In either case, you aren’t just punishing a misbehaving miner, you’re punishing *all* miners who now all need to get funding to buy and rack new hardware. You’re making a big assumption that the misbehaving miner won’t be able to get financing or sufficient capital while the honest ones will. If the dishonest miner’s attack was profitable while waiting for the fork, they get to keep all of that money and can spend it on new hardware.
In PoS, the attacker will lose their stake, meaning they lose the money they had before, and earned as a result of, the attack. It may be much more difficult for that validator to get access to capital and lenders will be hesitant to lend to an entity that now has a history of burning capital.
You mean Proof of Work algorithm. Which is not quite the same as hashing function [1].
[1] https://cryptorials.io/beyond-hashcash-proof-work-theres-min...
...just re-using the terms for continuity and simplicity sake.
Yes, a PoW algo is probably a better generic term, although I am not confident complex algos would be accepted as first-line replacements by the wider community.
am I wrong in that assessment?
It only buys you the right to append a block of transactions to the ledger, which is the same thing as having 100% of the votes.
Nodes decide if they will append your block to their chain.
A miner that decides to mine out of consensus blocks is just burning money, and will be on their own fork with their “100% votes” that nobody else uses.
Give it a try, spend a few million on mining equipment and then try forcing something on the network.
It’s not a democratic system, never was.
With PoS, the coin creators can assign themselves an arbitrary fraction of the coins, concentrating the wealth. Even if there is a public record of all the funds raised in a public sale and all expenditures made (which is rarely the case), it's possible for the creators to participate in the public sale and recover large parts of funds used to buy their own token by generous expenditures on software development and such.
There are plenty of PoW coins with unfair or absurd distributions, and plenty of PoS coins with somewhat equitable distributions.
In my opinion a fixed block subsidy would be most equitable, but that's a very slow emission, taking 100 years to reach a yearly supply inflation under 1%.
Who is the top researcher on this subject these days?
Anyway, I'd also be interested to know if there's existing or active research along these lines.
I don't see much difference between a PoW mining setup that does $1000/day gross, $990/day expense, $10/day profit and a PoS staking setup that does $12/day gross, $2/day expense, $10/day profit. Both earn $10/day, both require maintenance, and both are run not at a net cost but at a net profit.
Additionally mining isn’t always profitable. There is financial risk and miners can go bust and take financial risk. Staking is basically always profitable if you don’t misbehave.
Just as an aside, when you move a newspaper or a magazine from print to only existing as a web page, you certainly have 'dematerialized' it to a degree. However you still need hardware to keep and display the data and energy to move it around and light up the screens. In so far it does not stop being physical. The 'intangible' is somewhat of a red herring. Yes, it is less haptic, but it's still physics, physical all the way down. Other than that, currencies, freedom, equality, education, entertainment—we've been having intangibles all the time, at least from the dawn of human culture onward. Cryptomining does not bring anything genuinely new to the table in this respect. It's not even new in being a fraudulent, volatile scheme that betrays traits of a cult, one that benefits a few and hurts the many.
You're right that Bitcoin will never accept a change of PoW. At least not until SHA256 shows signs of being broken.
The problems start, of course, when you take a concept to its logical extreme.
The splitting is unavoidable and happens constantly. Multiple competing future states are constantly being created, and the network has to eventually arrive at a consensus about which possible future is the true one.
> Where is the difficulty in making miners expend their tokens (i.e. in a way that is irrevocable) instead of merely depositing them somewhere?
Figuring out how to make spending your tokens irrevocable is the whole point of PoW/PoS. Your question reads to me like "In trying to solve problem x, why don't you assume that you've already solved problem x, and use that to solve problem x."
Maybe I'm missing something... if miners are required to send the tokens to an invalid address, are these tokens not lost irrevocably?
The proposed block must comply with the rules your node enforces, or it will not be accepted. It's not just work, but also the entire consensus rule set they must abide by.
Miners cannot force new rules, if there is no consensus.
If 51% of miners decide to, after block #N, not include any transaction that doesn't satisfy the predicate P in any block they produce, nor mine on any chain which has a block after block #N which has a transaction that doesn't satisfy predicate P, then the longest chain will have all the transactions after block #N be ones which satisfy P, and furthermore, if the other 49% of miners are aware that this is happening, if they want their blocks to be in the longest chain, they have incentive to follow the same rules when mining.
This is the logic behind soft forks, is it not?
The leader can even opt to put no transactions in the current block, something that has actually happened on many occasions: https://www.theblockcrypto.com/post/67928/bitcoin-miners-are.... Obviously, the leader was making a decision here, there were not actually zero transactions to process :)
So probably more than 1 guy. Maybe 5-10.
It's probably not renewable (well, neither is the Sun on large enough timescale), but do you believe nuclear, either fission or fusion, will play a large role in the future?
> Do you consider nuclear energy sustainable?
Low-carbon, yes. Sustainable, yes. Renewable, not until we productionize extraction of uranium from seawater. [1]
> ... but do you believe nuclear, either fission or fusion, will play a large role in the future?
Fusion if we can crack it, totally. Seems like a clear winner. Fission probably will if there's some political will behind it, but not unless there's a change in sentiment.
[1] https://www.forbes.com/sites/jamesconca/2016/03/24/is-nuclea...
> of which the following sources are considered to be renewable
In other words, it attempts to define the word "renewable" along favoured political ideologies.
From Wikipedia:
> Advances in breeder reactor technology could allow the current reserves of uranium to provide power for humanity for billions of years, thus making nuclear power a sustainable energy
TL;DR: nuclear is just as renewable as solar (beyond any likely duration of the human civilisation).
The trick is to enforce it in such a way that it can't be easily dodged via e.g. offshoring.
Is it though? It seems minor protocol tweaks aren't uncommon and hard forks managing to eclipse the original protocol in popularity are also conceivable.
Personally, I think people will value bitcoin as good money if fiat money fails. And because they are seeking good money, will value the fork(s) that preserve bitcoin's prior monetary policy.
A fork that changes the monetary policy drastically (particularly, changing the 21M cap) would obviously make for bad money in practical terms.
So literally the same as every monetary policy change involving every currency that didn't use PoW in history...
If we do not bound the growth of PoW energy usage, I think it could easily destroy itself in a roundabout way: by destroying the fragile global order that keeps humanity going.
Hardly unprecedented, considering that until very recently nations did not have a monetary policy.
No, there is no voting and there is no leader election. Miners construct blocks with transactions and if they manage to find a signature - that block is appended to the chain. If somebody does it faster - they append their block.
Please at least get the basics before you start arguing with people.
I know far more about Bitcoin than I ever wanted to, believe me. You really should not be making these kinds of ad hominem arguments when you don't understand terms like "consensus" or "leader election."
No, the hash that you win with, deterministically points to the only possible block that you can “propose”. Your understanding is completely backwards. You seriously don’t know how bitcoin works.
Every 10 minutes a miner wins the right to append a block to the chain, by guessing a secret number. The chances of winning are proportional to the amount of money each miner has expended in the process of guessing the secret number. This is equivalent to holding a vote every 10 minutes in order to choose who gets to append the transaction block. Therefore, you're wrong. There's a vote. And if you can't understand this obvious fact about bitcoin, you have no business discussing bitcoin.
As I said in a sibling thread, it’s like arguing the earth is flat by proposing a very special metric of space. Feel free of course, I just don’t accept it.
The vast majority of mining today uses sustainable energy (70%+), because it is actually cheaper.
Dishwashers and heated swimming pools use WAY more energy globally, but because pleasant luxuries are quite enjoyable, nobody seems to attack them.
You don't think those get very wasteful in the real world? And there's no equivalent to a real war situation. You can set it up so you don't need to defend against the equivalent of enemy armies.
> The vast majority of mining today uses sustainable energy (70%+), because it is actually cheaper.
What kind of sustainable?
When miners locate next to hydro, and buy it up, that doesn't help anything. That hydro could have been sold as somewhat less cheap power elsewhere, after going over long wires, and then it would have reduced the load on coal plants.
Miners that eat up excess solar can theoretically do a lot to encourage the installation of solar, but they need to be happy letting their machines be turned off a large fraction of the time. If it's still profitable to run 20 hours a day, then they're still encouraging fossil power plants.
> Dishwashers and heated swimming pools use WAY more energy globally, but because pleasant luxuries are quite enjoyable, nobody seems to attack them.
Dishwashers are better than hand-washing, aren't they? Having plates is a lot more important than running cryptocurrencies in a particular way.
If heated swimming pools use that much, then sure let's go after that and use some kind of billing or taxes so they pay extra and encourage sustainable power sources.
It is of course not 100% perfect analogy, nothing is, but I believe you understood the point I tried to get across: it's a security service, and that costs money. Blackwater stationary guard roles are 180-220k a year for someone with years of experience. I'd imagine monetary networks use a lot of physical security, some central banks are literally located in bunkers under mountains, with a backup site in a similar setup on a different geological plate.
I have not seen any PoS schemes so far that provide anything other than plutocracy as a service. There is a reason why ETH with a 100mil R&D budget is still on PoW, Vitalik is not a dummy.
As for the cheap sources of sustainable energy, those are usually stranded hydro and wind that's too remote to be economic, and stranded natgas (for natgas "green" might be a better term; I've used sustainable in the sense that CH4 is far more damaging than CO2. I've been told by regulators it is actually better to burn off CH4 from stranded wells).
Balancing of the grid also does happen, but I believe primarily with wind and hydro.
I, of course, agree that we should not pollute the Earth we live on. High energy usage in itself is not bad, only if it's a harmful polluter. I've only pointed out dishwashers and pools (don't have the stats handy, but they do indeed use a lot more, like a magnitude more), as a common hypocrisy.
We must rapidly scale up non-polluting energy sources, as it seems unlikely humanity can become a spacefaring species on a self-imposed tight energy budget, and this self-imposed handicap coupled with an unexpected asteroid impact can end us.
Or they need batteries. Or some other means of energy storage, for that matter; at the scale of a large mining farm, thermal (e.g. heating water) or kinetic (e.g. spinning a flywheel) might be practical.
Do you have a source for this? I remember the same number being flaunted before but it turned out not to be true. What was true was that 70%+ of miners use any amount of renewables in their energy mix.
Armies have to practice. Smart generals don't let their armies do nothing; to be any good at warfighting, they have to fight wars. Effective standing armies have to constantly be finding new wars to fight.
BTC is also getting smart contracts soon, which makes ETH redundant as well, but it will take a while before it catches up in terms of possible complexity of the contracts.
This has a clear answer in PoW, but not in your scheme.
An equivalent attack wouldn't work on a PoW chain. If you do the equivalent of "staking" on chain 2, then you're computing hashes, which is costing real-life resources. In the PoS case, without slashing, staking on chain 2 is free. In fact, this is the rational move to make every time you spend a token; stake on competing chains to get your token back.
It's also hard to see how push button Armageddon has possibly made us more safe than nobody having nukes. We are only more safe than if only our enemies had them. The same could even be said of armies.
This has happened multiple times with attempted hard forks of Bitcoin which have failed because once you change the monetary policy once, the promise of hard money effect disappears. So the original monetary policy remains in place and the original network continues as the reigning champion.
If this happens I can technically stay on the original protocol, but that would be rather pointless if a sufficient majority abandons it.
The only real problem with that is that with a small hash rate, bitcoin can be attacked more easily.
If bitcoin is the monetary backbone for many nations, they will subsidize miners to maintain the balance of power. That is the actual scenario that I'm optimistically predicting.
If bitcoin isn't the monetary backbone for many nations, by then, then it's probably a failure, and should probably be allowed to die.
It's also very possible that transactions fees alone actually will be sufficient to support a high enough amount of hash power to secure the network.
Still plenty of scaling left in the Bitcoin ecosystem.
Do you have some source for this? I see random numbers being thrown around a lot, would be nice to have a citation for yours.
There was a PoS mechanism that makes people who cheat lose all their coins? I wonder if it is relevant here
... Aha, that's "slashing" -- the other members in the network would look at the two chains, and notice that you were misbehaving, and add transactions that remove parts of your coins? (They'd add to both chains? Or just the winning one?)
When attacking a neighbor state costs more (because your neighbors have arms too), it’s less likely to happen.
The cold war had plenty of awful hot action with proxies and third parties but the entirely hot version obviously would have been far more calamitous.
I suggest reading Herodotus’ Histories, or you can read up on Genghis Khan, Napoleon, Hitler, Alexander, the Crusades, or the myriad other conquerors and conflicts that have occurred.
Here is my question to you: if the node that wins the election (and the ones that accept its mined block, of course) is not the one voting on which transactions get to go into the chain, rather than be stuck in the mempool somewhere, who is? Do you genuinely think there is no decision being made there?
There is no "voting" and no "leader" except in the most abstract sense and I'm not sure why you're so determined to use those terms.
All miners “vote” by hashing and one of them wins. They don’t win because somebody voted for them, they win because they happened to find a satisfactory hash. The chance to win that hash faster than other miners is proportional to hashrate. The hash is determined by the block of transactions entirely, so once you win the race, you don’t get to propose anything other than that one predetermined block.
Which transactions go into a block is decided before any mining for that transaction happens.
Just read, please.
You're coming off worse in this argument because you seem to realize on some level they're just using different (possibly wrong) terms in their accurate description of the mechanisms, but then you keep making snide remarks that imply they don't understand the mechanisms.
Yes, they do get to choose the block. Transactions to include in the block are (usually) chosen from the mempool, which is unique per node (it’s similar but never exactly the same between any two nodes). Miners can also choose to include transactions that were never publicly broadcasted, and therefore never appeared in another mempool. Typically the transactions with highest fees are chosen, although fees can also be paid (or bumped) outside the mempool.
The miner of a block doesn’t get to choose the contents of every transaction, but they do choose which transactions to include when they win a block.
It seems like you’re hung up on terms that aren’t commonly used in the context of bitcoin mining, but are valid and are commonly used in the broader context of distributed systems.
Of course, they have a choice. If they didn't, miners would serve no purpose. We would just have one block and that would be the block that would be appended. The consensus would be achieved automatically, without any need for guessing secret numbers.
> And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?
No, because the miner is elected at random. The crucial point to understand is that their chances of getting elected are proportional to the money they spent. That doesn't mean the largest miner will get elected 100% of the time.
lol, no they don't.
a certain hash wins, every ~10 minutes. that hash is calculated from sha(block, nonce), where nonce is the randomized part that miner mutates to get different hashes. once a hash that satisfies the protocol is found - that's it, you can't choose a different block to append to the chain.
it is just laughable that i have to explain this level of basics.
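A small Python sketch of the mechanism described above, added here as an example and not code from the thread: the transaction list is committed in the header before the nonce search starts, so a nonce that satisfies the target for one block does not carry over to a block with a different transaction set. The header layout, the constructed transaction ids and the 2**-16 target are simplifications, not Bitcoin's real serialization or difficulty.

```python
import hashlib
import json
import struct

# Constructed sample data (not real chain values).
PREV_HASH = "00" * 32
TXIDS = ["tx_a", "tx_b", "tx_c"]
TARGET = 2 ** 240          # one in 2**16 hashes qualifies, so mining is quick


def header_bytes(prev_hash: str, txids: list) -> bytes:
    # Real Bitcoin commits to transactions via a Merkle root; here the
    # serialized list is hashed directly. Either way the set is fixed
    # before any nonce is tried.
    commit = hashlib.sha256(json.dumps(txids).encode()).hexdigest()
    return f"{prev_hash}|{commit}".encode()


def block_hash(header: bytes, nonce: int) -> int:
    # Double SHA-256 over header || nonce, read as a big integer.
    data = header + struct.pack("<Q", nonce)
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def mine(prev_hash: str, txids: list, target: int, max_nonce: int = 1 << 32):
    # Only the nonce varies during the search; the transactions are frozen.
    header = header_bytes(prev_hash, txids)
    for nonce in range(max_nonce):
        if block_hash(header, nonce) < target:
            return nonce
    return None


def verify(prev_hash: str, txids: list, nonce: int, target: int) -> bool:
    # Any node can check the claim cheaply: one hash, no search.
    return block_hash(header_bytes(prev_hash, txids), nonce) < target


if __name__ == "__main__":
    nonce = mine(PREV_HASH, TXIDS, TARGET)
    print("found nonce", nonce, "valid:", verify(PREV_HASH, TXIDS, nonce, TARGET))
    # Swapping the transaction set changes the header, so the same nonce
    # almost certainly no longer meets the target; a fresh search is needed.
    swapped = TXIDS + ["tx_d"]
    print("same nonce with swapped txs valid:", verify(PREV_HASH, swapped, nonce, TARGET))
```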
Maybe this article will help you understand just how nonessential the fact that the block is part of the SHA actually is: https://www.usenix.org/system/files/conference/nsdi16/nsdi16.... Please read the whole article, and then come back so we can have a discussion on equal footing.
A miner can choose which block to build on. At any given moment Bitcoin can have several competing "in progress" forks. This is why most exchanges require... 7, I think?... blocks on top of yours to consider the transaction more or less confirmed.
> And if it was an election, wouldn’t the result always be the same with largest miner always winning because they have most votes?
Yes, this is a 51% attack in Bitcoin. If you have a majority of votes, you can disregard the current chain, fork from behind, and catch up.
This is expanded upon in the peer-reviewed Bitcoin-NG paper that both of you are refusing to read, which breaks down the Bitcoin protocol into distinct parts (which was why I linked it--not because I am proposing that it replace the Bitcoin protocol, but because I thought it would be useful for you to understand how Bitcoin performs leader election already). Specifically, it analyzes the effects of splitting up leader election and block commit parts of the protocol. As it turns out, it has essentially no effect on Bitcoin's security guarantees, which is not surprising--because the fact that block selection and leader election happen at the same time is an implementation detail that doesn't actually matter! Once you realize this detail that you are obsessing over (the block being decided at the same time the leader is) is not important for the protocol, you will also see that the leader election is in fact the critical part.
I have to admit that I have no idea how much work is actually needed to secure the network. My point of view is that the current rate of energy expenditure outweighs whatever benefit Bitcoin does or could provide to society. But if this rate is a transient result of still-significant minting going on, things could definitely look different in the future.
Do you know of any analyses on how much work really has to be continuously expended in order for Bitcoin to remain reasonably secure at a given market capitalization?
Each nation would love to be able to manipulate the supply itself—why not, if people will let you get away with it?—but the fact that other nations can't do the same could be seen as a feature.
I think your analogy to flat earth was better. Because sure, treating the earth as flat isn't correct, but it's often a perfectly good approximation, and arguing about whether a big field is flat or not is a giant waste of time. Don't completely dismiss someone because they use those terms.
"Leader" or not, it's basically equivalent. And the process of letting miners input yes/no values for whether they support a proposal into their block, averaged over thousands of blocks, gives you the same result as "voting". So talk about whether those results are useful.
If Bitcoin does eventually become a common instrument of trade at this level it will fill the same niche currently occupied by gold and other precious metals.
well certainly not the winner of the "election", because by the time that "election" starts, the block is already constructed.
and i'm not going to read any of your links until you actually start understanding the basics of bitcoin protocol. though your lack of understanding explains perfectly why you fall for scammy bells and whistles of competing bitcoin-wannabes. "bitcoin new generation". lol, give me a break.
Again, I'll ask you, since you keep dodging the question: if the node elected as leader is (according to you) not choosing the block, who is choosing the block? Why are you so obsessed with whether the value was chosen "before" or "after" the election, which is an irrelevant detail of the protocol? If you can't answer these things and won't read the paper, I don't really see any reason to keep talking to you, because all you've done is make the same irrelevant point over and over.
Presumably if the price went down by a substantial chunk and stayed down for a while, the hashpower would also decrease, and so the difficulty would also decrease.
Also, if electricity prices went up, or if CO2 emissions were taxed, then hashpower would decrease, and the difficulty would go down in turn.
As for the rest... so what? It uses a lot of electricity and there is some pollution---but a lot of bitcoin mining is done with hydro or geothermal (and will be nuclear if bitcoin continues to grow), so, so what about some pollution?
So there's a simple question: how much value do we get out of this tech per CO2e it emits and per ton of e-waste it creates. And AFAICT the answer is: not enough to keep tolerating it in a time where humanity as a whole is seriously worried about climate change for the first time ever.
If you can magically move _all_ the miners to sites with excess renewable electricity and permanently slash the hash rate by 99.9% then maybe it can be tolerated. Until then I would welcome more China-style crackdowns on mining activity across the world.
Mining doesn’t use a fixed amount of energy. As it becomes more economical more people will mine.
Niagara Falls is not what I had in mind. There is lots of untapped hydro power in extremely remote parts Canada where nobody lives, for example.
If you aren't upset about this, you probably haven't studied it. I say that in a spirit of helpfulness. Fiat money grossly distorts all of humanity's economic output and therefore retards our progress on all things, including fixing climate problems. Just one example: The US is becoming a nation of renters because enormous funds are buying up the houses with fiat money they borrow nearly for free.
Fortunately, with bitcoin, we can do something about that, without (eventually) harming the environment.
1. once the "leader" is "elected" 2. do they have a choice of what block to append?
you said they do, which is a fundamental lack of understanding of how bitcoin works.
> when the leader is elected every 10 minutes, do they get a choice of what block they append to the chain?
and the answer is yes, the miner that gets elected chooses which transactions to append to the chain. Do they pick the transactions after getting elected? No, they pick them before getting elected. In fact, it doesn't matter whether they pick the transactions before or after getting elected, because their chances of getting elected are unaffected by which transactions they picked. Therefore, it makes absolutely no difference. The fact that you think it makes a difference tells me you're very confused about the role miners have in the bitcoin network.
Maybe they act like all the other rational miners and optimize by mining fees.
Maybe they include no transactions and only take the miner reward.
Maybe they don't like the Dutch so all their transactions are excluded.
It really doesn't matter as all y'all have been arguing over is what to call the person who won the current round.
You really don’t see how this terminology is completely incoherent for this scenario?