consequences of using proof of stake.



There is an inefficiency in POW truthcoin. If more than one person learns the same valuable piece of information in the same block period, assuming they are both rich enough to completely leak the information, then only one of them can collect the prize for leaking this information.
They both try to bribe the miner, so that they can take the prize. Whoever offers more money to the miner will get their tx included first. The result being that the miner gets 90%+ of the prize, even though he did not leak any information.

Using a good proof of stake system, this money would not go to the miner. Instead it would get burned.

I will outline the mechanism of how it gets burned:

A block is only valid if more than 50% of the signers sign on it. Signers cannot sign on competing blocks.
So at every block height, there is at most 1 valid block.
Usually, cost to produce that block is small, about 10 cents.
But if there are no valid blocks at a particular height, then it costs R as much to skip it and make a block at the next height. (where R is a number > 1)

Skipping N blocks makes the next block cost R^N times as much as usual.

So it would cost (10 cents)*R^(block depth) to double-spend a transaction.

When 2 people are competing to leak information first, they will repeatedly skip each other's blocks, paying a higher and higher fee. Eventually the fee would exceed the reward. At that point, they stop skipping more blocks. If R=1.1, then one of them ends up taking 5% of the reward on average, and the rest of the reward is burned.

Of course, if the 2 people decided to work together instead of competing, they could have split the full reward 50/50.
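
The fee escalation described in the post above, worked through numerically as an added example (not part of the original post or of any Truthcoin code). It assumes that only the fee of the final accepted block is paid and burned, that the leakers stop once the next skip would cost more than the reward, and that rewards are spread log-uniformly; the function names are hypothetical.

```python
BASE_COST = 0.10  # dollars; the post's "about 10 cents" for an ordinary block
R = 1.1           # skip multiplier from the post's example


def block_cost(skipped, base=BASE_COST, r=R):
    """Cost of a block made after `skipped` empty heights: base * r**skipped.
    The post uses the same formula for the cost of a double-spend at that depth."""
    return base * r ** skipped


def bidding_war(reward, base=BASE_COST, r=R):
    """Two leakers keep skipping each other's blocks until one more skip
    would cost more than the reward. Returns (skips, burned, winner_keeps).
    Assumption: only the fee of the final, accepted block is paid."""
    if reward <= base:
        return 0, 0.0, 0.0  # edge case: the prize does not cover even one block
    skips = 0
    while block_cost(skips + 1, base, r) <= reward:
        skips += 1
    burned = block_cost(skips, base, r)
    return skips, burned, reward - burned


def mean_winner_share(r=R, samples=10000):
    """Average fraction of the reward the winner keeps, over constructed
    rewards spread log-uniformly across one factor-of-r interval."""
    total = 0.0
    for i in range(samples):
        reward = 100.0 * r ** (i / samples)  # constructed sample rewards
        _, _, keeps = bidding_war(reward, r=r)
        total += keeps / reward
    return total / samples


if __name__ == "__main__":
    skips, burned, keeps = bidding_war(100.0)
    print(f"$100 prize: {skips} skips, ${burned:.2f} burned, ${keeps:.2f} kept")
    print(f"mean winner share at R={R}: {mean_winner_share():.3%}")
    print(f"upper bound on winner share: {1 - 1 / R:.3%}")
    print(f"cost to rewrite 100 blocks: ${block_cost(100):.2f}")
```

Under these assumptions the winner's share is bounded above by 1 - 1/R, so a smaller R burns a larger fraction of the prize but also makes deep reorganisations cheaper.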


Proof of stake is defective...I have been drafting the blog post about this for a few weeks, but I only have an hour or two each day to work on all things Truthcoin, and writing comes very slowly to me.

Just one example among many:
Quote from: zack on November 05, 2014, 07:16:36 PM
Signers cannot sign on competing blocks.

This is obviously untrue. It is obvious to me that you are referring to the Slasher hodgepodge being sewn together by Vitalik et al, so you meant: "Signers are discouraged from signing on competing blocks".

I know how Slasher intends to discourage this, and it won't work. People will still sign on other blocks for lots of reasons, the most obvious of which is that a double-spend is way more valuable than some lost block rewards.

In the meantime you can re-read Poelstra's paper, as I constantly suggest.
Nullius In Verba


Yes, you are correct it is mathematically feasible that they could sign both chains.
Besides sacrificing their reward, they would also lose a large safety deposit on both chains.
The safety deposit is 50 times bigger than the reward.

If they fail to sign on any chain, then they get the safety deposit back, but no reward.

So an attacker who is willing to spend 50x more money per block than the real chain costs would be able to bribe signers to make his chain look valid.

Many of the signers will be unbribeable. The attacker will have to pay much more than 50x, since he will have to skip a lot of blocks.

This attack only works for transactions that are less than 100 or so deep. Beyond that the ESS (exponential subjective scoring) makes forks impossible.

So for very small txs, you can trust it after 5-10 confirmations. For high-value transactions you should wait for 100 confirmations.

ESS means that you tell your software a recent block hash, and your software dislikes chains which do not end in your goal. Forks which leave the expected path further ago in history are punished higher exponentially.


Sorry, but some of your premises are false ("ESS makes forks impossible") and others are Not-Even-Wrong ("signers will be unbribeable"), and even the true premises you introduced do not support your implied conclusion ("that proof of stake is an alternative to proof of work for distributed consensus").

I don't really have time to explain it to you.  I'm afraid you'll just have to figure it out yourself or wait for my blog post, which I am really in no hurry to write (having not a lot of free time, and spending it on friends/family/full-time-job/hobbies).

Anyway, it would probably be better for you to do your own thinking on this matter.
Nullius In Verba


We only need >1/3rd of the signers to be unbribeable. If I personally maintain ownership of 1/3rd of the coins, then I can be sure it is secure.

I understand that you don't have time, I excuse your inability to talk further on the subject.
Truthcoin is the only thing I talk to my friends or family about. It is my only means of employment. It is also my only hobby.
So I can afford to go on some pretty deep tangents.

If I find anything interesting, you will catch up quickly soon enough.

If proof of stake doesn't work, then I will have wasted two months of my labor.
If proof of stake does work, then I will be a billionaire.


I think that you should try anything you are passionate about, and report back to others with what you learned (#science),  but I would keep in mind that..

Quote from: zack on November 07, 2014, 04:19:33 AM
If proof of stake doesn't work, then I will have wasted two months of my labor.
If proof of stake does work, then I will be a billionaire.

..has been true of many, many, bad ideas.
Nullius In Verba


Just read Poelstra's paper.

Why can't truthcoin work with merged mining? I think proof of work is the only way which works.


Truthcoin could work with merged mining. That is another alternative that we have been considering.
We could also build it on top of Ethereum.

If I launch a bitcoin fork, how are you supposed to tell whether my fork is bitcoin or whether bitcoin is bitcoin?
Block time is a lot faster in Dogecoin than in bitcoin, so technically dogecoin has more blocks of depth. How do you decide to store your wealth in bitcoin instead of dogecoin?
If someone sends you dogecoin, how are you to know that it isn't bitcoin?
Just to install bitcoin you have to trust a github page, or a link from a friend, or a website or something.

Since you can ask anyone for the link, this is an example of a decentralized protocol.
This decentralized protocol is maintaining a consensus of the basic software needed to download the bitcoin blockchain.
It is a simpler consensus protocol that is used to bootstrap POW.

Do you trust this decentralized consensus protocol which is not POW?


Well I have the signing keys of the bitcoin devs and use that to verify that packages have been released by the core team. So the distribution mechanism in this way is centralized for me. I store wealth in the btc blockchain as opposed to dogecoin because it isn't how many blocks exist but the hashing power used to create them, plus the network effects of bitcoin make it *the one*. :)


Trapped as I am in the Ft Lauderdale Airport, I finished my blog post about "alternatives" to proof of work / mining:
Nullius In Verba


From your blog post:
"Whatever "it" is, if it creates $100 worth of value, but costs <$100, everyone will be doing it as fast as possible. Applied to blockchains, if X dollars of coins are being released by each new block, then X dollars are going to be spent mining that block."
I cannot agree more. That is why my versions of slasher don't ever allow for the creation of money. In my slasher the total number of coins can only decrease.

Later you talk about why proof of work is effective, and again I completely agree. POW does work to maintain consensus.
If there was a cheaper alternative to POW, it would eventually out compete. $1/2 a million per day is very expensive.

Thirdly you talked about how it needs to be expensive to create blocks.
I agree with you. That is why my POS scheme charges a big fee for creating a new block. You have to burn a bunch of money.
You could think of it as a negative block reward.
The total number of coins has a half-life.

Do you have any evidence that proof of stake cannot work? If it is truly ineffective, I would like to find out soon so that I don't waste any more time on it.


I think it would be more appropriate to post in the comments section of the blog, don't you? Otherwise things will become less-organized.
Nullius In Verba


Just to support Zack:

Some implementation of PoS will clearly be the long term solution for cryptocurrencies. POW was good for the initial coin distribution but it is way too expensive for the consensus mechanism when block rewards converge to 0. (And if it would not be too expensive it would be too insecure.) The incentive scheme has serious flaws.
I have given a talk on this meanwhile twice: (I guess the slides are not self explaining and I have not found the time yet to write it all down)

For Truthcoin I see 3 possible solutions:
1. as a sidechain on Bitcoin (but sidechains make the POW incentive flaws even worse: compare:

2. on Ethereum

3. An own PoS solution


By the way, I just agreed to give a presentation on POS here:
Would be great to have you there...


I've already responded to your points on Twitter..PoS IS PoW. They're the same thing, except that one is cumulative. One is not "more expensive" than the other...that is economically impossible (as I explain on my blog).

I feel that the PoS question is separate from the long-term Fees/Coinbase question. I've expressed my views on the comments section of ( ).

I would be happy to attend the presentation this Tuesday.
Nullius In Verba