
Ethereum Foundation Releases Alpha Casper Proof of Stake Testnet - sethbannon
http://notes.eth.sg/MYEwhswJwMzAtADgCwEYBM9kAYBGJ4wBTETKdGZdXAVmRvUQDYg=?view
======
dmix
For people who don't know what this is (like me), they have a good FAQ
explaining "Proof of Stake" vs "Proof of Work":

> In proof of work (PoW) based public blockchains (e.g. Bitcoin and the
> current implementation of Ethereum), the algorithm rewards participants who
> solve cryptographic puzzles in order to validate transactions and create new
> blocks (i.e. mining). In PoS-based public blockchains (e.g. Ethereum's
> upcoming Casper implementation), a set of validators take turns proposing
> and voting on the next block, and the weight of each validator's vote
> depends on the size of its deposit (i.e. stake). Significant advantages of
> PoS include security, reduced risk of centralization, and energy efficiency.

[https://github.com/ethereum/wiki/wiki/Proof-of-Stake-
FAQ](https://github.com/ethereum/wiki/wiki/Proof-of-Stake-FAQ)

~~~
ehsankia
Wouldn't sites like Coinbase which "hold" a huge amount of stake, basically
have a huge control over these currencies?

~~~
stouset
Yes, but the simplistic version of the argument is that any entity with such a
large stake would be inherently incentivized to preserve the value of the
currency and act in good faith.

My intuition is that this is a risky proposition. If an entity can benefit
themselves $x by making a bad-faith transaction, but it only costs them $y
such that $y < $x, it’s rational to do it even if the costs to others are
orders of magnitude greater. As a concrete example, if Coinbase double-spent a
transaction for $10m and had enough stake to make the network accept this,
would it _necessarily_ devalue the currency through loss of trust by enough to
make this unprofitable? Is this true for _all_ possible actions by a 51%
stakeholder?

~~~
Sir_Substance
>Yes, but the simplistic version of the argument is that any entity with such
a large stake would be inherently incentivized to preserve the value of the
currency and act in good faith.

This logic is, as you say, simplistic. Anyone with such a large stake can cash
out, and then use their former large stake to fabricate an alternative chain
in which they did not cash out, forking the blockchain at the block just
before they cashed out. Commonly proposed defenses against this
(checkpointing) are limited because when new nodes enter the network, they are
in a naive state where they do not know who to trust.

In a proof of work system, the entire blockchain can be validated by a naive
node. Fraudulent blockchains could be constructed and fed to naive nodes, but
they would be obvious forgeries because they would have to be constructed at
lower network difficulties in order to generate blocks faster than the real
network and become the longest chain.

In a proof of stake system, people who formerly had stake in the system can
simulate fraudulent alternative histories forked at the point before they
cashed out, and feed those histories to naive nodes. If enough naive nodes
accept the alternative history, it becomes the accepted chain. The possibility
exists that these former stakeholders might use some of their cashed out money
to start up many nodes in the cloud and feed their alternative chains to those
nodes.

The only real way to defend against this is to have trusted nodes coded into
the protocol provide bootstrapping data to naive nodes. Once you do that, your
network is no longer trustless.

Read more here:
[http://www.cs.cornell.edu/~iddo/CoAslides.pdf](http://www.cs.cornell.edu/~iddo/CoAslides.pdf)

~~~
rrggrr
> Anyone with such a large stake can cash out, and then use their former large
> stake to fabricate an alternative chain in which they did not cash out,
> forking the blockchain at the block just before they cashed out.

A trade this large is likely to crater the currency before it can be filled in
the absence of trade volume so large its practically impossible for one
stakeholder to act in the manner you describe.

~~~
inimino
But if the theory allows the attack, even if it seems impractical, there is
likely to be a practical attack that is slightly different.

~~~
enord
This does not follow. Please elaborate. Theory allows a brute force attack on
aes-256, no?

~~~
inimino
Of course. Theory also allows us to exactly model the probability of such an
attack succeeding.

The difference between a system that is provably secure and a system that is
theoretically insecure but with no known practical attack is a pretty big
difference. In the former case, your proof has to be wrong before you lose, in
the latter, someone just has to think of something you didn't.

------
castratikron
I've been trying to understand why PoS is an improvement over PoW. To me PoS
seems like a weaker requirement on network control than PoW. Since PoW
requires possession of actual physical hardware and electricity it should be
more difficult to obtain than a virtual currency. To me moving from PoW to PoS
is analogous to moving off of the gold standard and placing trust in the value
of the currency with whomever possesses it.

~~~
PretzelPirate
It isn't a core tenant of PoW that the resources needed to participate are
hard to get, it just so happens that if it is profitable to 'mine', the
hardware needed will become scarce. That actually creates a problem, much like
in the Bitcoin PoW algorithm, that its easy for the hardware production and
ownership to become centralized.

PoW also requires large energy consumption as participants will inevitably
enter a race to compute the fastest.

PoS has the benefit that you still lock away capital, much like in PoW, but
rather than backing that capital by money put into hardware and electricity,
you cut out the middle man and base the capital off of the value of the
network token.

Pos also has added security benefits. Vitalik Buterin explains this very well:
If someone attacks a PoW blockchain by getting 51+% of the hashing power, the
network's only response to recover from the attack is to change the hashing
algorithm. This will likely force the network to abandon ASICs since hardware
wouldn't exist, and move (at least temporarily) to general-purpose CPUs/GPUs.
As soon as the hashing can be done with general purpose computers, the game is
over, and the attacker can attack forever without any extra loss of capital,
other than electricity.

PoS has the benefit that the network can simply cause the attacker to lose
their funds and no longer have a stake. If the attacker wants to continue the
attack, they have to buy more of the network token to be equal to 51% of the
staked value. This will cause a price increase. Each time the attacker
attacks, the network will force them to lose their stake, and their money. The
attacker won't be able to keep this going forever.

~~~
toolz
Who gets to choose who is an attacker? Are there limits in place that ensure
only once someone owns 51% the can steal their funds? Who gets to decide what
a single entity is? Sounds like a pretty huge centralized point of failure in
my mind, but I'm admittedly pretty ignorant on the subject.

~~~
RoboTeddy
You're hitting on a critical point about cryptocurrencies that isn't widely
understood yet.

Ultimately, the community of users and businesses at large decides.
Cryptocurrencies are social contracts that are encoded in software. If
everyone agrees that a rule should change, and updates their software in
concert, then the rule de-facto changes.

In the absence of total agreement, the decision is made by whoever wins the
political fight for user/business mindshare. It's also possible for the
question to be answered two different ways (a longstanding fork occurs).

~~~
konschubert
> Ultimately, the community of users and businesses at large decides.
> Cryptocurrencies are social contracts that are encoded in software. If
> everyone agrees that a rule should change, and updates their software in
> concert, then the rule de-facto changes.

That's called a chain split, isn't it? Usually there are people who follow the
new protocol and people who follow the old protocol, so the currency splits
into two.

Bitcoin Cash is an example.

~~~
RoboTeddy
If everyone updates, then there isn't a longstanding chain split (e.g.
[https://en.bitcoin.it/wiki/Value_overflow_incident](https://en.bitcoin.it/wiki/Value_overflow_incident)).

But yeah if there's longstanding disagreement, there are two ways for it to
go:

* Peaceable fork with replay protection, like Bitcoin Cash

* Fork that seriously fights for the same brand/userbase --- we haven't seen one of these in Bitcoin. Segwit2x would've worked that way, but was canceled

~~~
Shorel
I don't think BCC has replay protection.

I bought something with BTC after the fork, and all my BCC was emptied within
minutes.

~~~
hndamien
It does. You must have screwed up somewhere else. Segwit 2x had no replay
protection, and hence was contentious.

------
runeks
The usual explanation for how proof-of-stake works — compared to proof-of-work
— is that it uses the scarce resource that is the chain’s own token, as
opposed to the scarce resource that is electricity. The fundamental problem
with this approach is that, in the absence of consensus, a token is not scarce
at all — but rather its supply is unlimited — since infinitely many tokens
exist on an infinite number of valid chains.

So, in order for a token to be limited in supply, consensus on which chain is
the canonical one must already exist. Thus, proof-of-stake reaching consensus
depends on consensus existing beforehand.

Scarcity of a digital decentralized token requires consensus on which chain to
view as the truth. Therefore scarcity cannot be used as a requirement for
reaching consensus.

~~~
aoeusnth1
Doesn’t having a long lock-in period fix that problem?

------
Agebor
In case it does not handle HN traffic well, alternative:

[https://hackmd.io/s/Hk6UiFU7z](https://hackmd.io/s/Hk6UiFU7z)

------
ilaksh
Besides the lack of transaction scaling, the other slightly tough thing for me
about cryptocurrencies is downloading many GB of data. If my Casper node is
not a validator, does it still have to download the whole blockchain? Or can
it operate on a smaller dataset?

Also does anyone know what the timeframe is supposed to be for sharding to be
implemented or end up in an Alpha release? It seems that will probably also
reduce the minimum storage requirements for most nodes in addition to
increasing network transaction rates. Thanks.

~~~
stri8ed
You can prune the chain after you sync. As for the general issue of storing
the state, there is research being done on "stateless clients".
[https://ethresear.ch/t/the-stateless-client-
concept/172](https://ethresear.ch/t/the-stateless-client-concept/172)

Instead of storing entire state, Validator just needs to the current state
root, and transactions must prove the state that they access.

~~~
coolspot
You cannot prune in official geth client.

Source: having 300+Gb geth node and researched prunning recently. Only parity
can do that.

------
joeblau
I can't wait for this to be fleshed out and implemented on Mainnet. I'm
working on a smart contract that I want to integrate with Casper's API.

The site is having a hard time loading, but does anyone know where the
official Casper solidity interface is hosted?

~~~
stri8ed
[https://github.com/ethereum/casper](https://github.com/ethereum/casper)

~~~
joeblau
Ah thanks. I was looking for the Solidity API, but I guess there isn't one
yet. I guess I'll have to write my own interface.

------
anonfunction

        First, you will need to have enough testnet ETH to become a validator.
        ...
        Replacing 2000 with whatever amount of ETH you want to deposit (min 1500).
    

Is this minimum just for the Testnet or ingrained into the final spec?

~~~
acoye
I'm reading the paper looking for an answer. (as I'm hopping to be able to run
a PoS node in the future)

As I understand PoS, for security to be achieved, you need to be able to lose
a non trivial amount of ether. I guess the 1K5 ETH is designed to stay roughly
above 1 million USD of stake.

------
angel_j
Proof of Stake should mean running the software.

If it's not good enough for that little bit of a stake, you must provide
incentives for others* to run it, and this is going create imbalances
somewhere.

* - in a real sense, this is users, not-using, and offloading the work to those who would probably not actually use without incentive; the only difference between a PoW and a "put your money" type of stake, is that now you've added an entry fee that is hardly different than licensing (as in professional licenses, for various trades).

------
kruhft
Will there be a 'fork' when PoS is released such that there will be 2 types of
Ethereum after the split (one PoW and the other PoS), much like Ethereum and
Ethereeum Classic?

------
dausama
NEM chain has a modified POS algorithm that not only takes in account the
stake, but also the network effect of a node. For instance a node with a high
stake would need to move a lot of its stake around to overtake the network. I
believe it uses an algorithm called EigenTrust++ and it has been working great
for the last 2-3 years, since it was first coded into the chain.

------
ukd1
If you want to checkout a PoS system that's been around for longer,
[https://decred.org](https://decred.org) has a hybrid PoW / PoS system which
seems to get around a bunch of the issues listed here.

------
jv22222
A very interesting project that aims to get high value from proof of stake is
Omise Go

"We're looking to build the thing that will finally change the way money is
handled the whole world over for the better, and leave a legacy that can
sustain itself through all kinds of social and cultural changes. We're looking
at accomplishing the spirit of the original Nakamoto vision of Bitcoin, the
original Ripple vision (pre-blockchain Ripplepay), the original Paypal
vision."

[https://medium.freecodecamp.org/the-definitive-omisego-
begin...](https://medium.freecodecamp.org/the-definitive-omisego-beginners-
guide-f95dcdf8635c)

------
itoenocha
Once the node is running and validating, how do we get our account balance?

eth.services.accounts.accounts[0]
<Account(address=55029b23a9b2ca77ac012e184452b682edc82a67, id=None)>

~~~
coolspot
Try

web3.eth.getBalance(web3.eth.accounts[0], console.log);

------
1_over_n
This page isn’t working notes.eth.sg didn’t send any data. ERR_EMPTY_RESPONSE

:)

------
karlmcguire
I wonder if we will finally see more than ~13 transactions per second in 2018.

~~~
snissn
Plan is for ethereum sharding to occur in the proof of work chain.

~~~
tehlike
didn't ethereum pass 100 recently?

Also, DAG based coins are seemingly the better in terms of efficiency.

~~~
stri8ed
And unproven security models. E.g. IOTA has as of now, is completely
centralized.

~~~
tehlike
IOTA has other issues which smell big scam to me.

Can you expand on unproven (for my education?). Thank you.

~~~
wslh
Unproven means there is no research available on adversarial attacks.

------
itoenocha
web3 =
Web3(HTTPProvider('[http://52.87.179.32:8545')](http://52.87.179.32:8545'\)))

Stuck at this step, since the host 52.87.179.32 appears to be off-line

------
lostmsu
Have they completed scientific and adversarial review of the proposed
guarantees and their respective proofs already? If I'd knew a flaw in Casper,
I'd wait until the final release and deployment.

Without respective proofs, what is the point?

~~~
drcode
They have a series of formal proofs written by a mathematician to verify the
staking algorithm, though that is only a small part of what is needed to
secure a modern consensus system.

~~~
runeks
> They have a series of formal proofs written by a mathematician to verify the
> staking algorithm […]

Under what assumptions?

WPA2 was also formally proven secure, but it turned out that the assumptions
of the proof didn’t hold in the real world.

~~~
drcode
I already said formal proofs are not sufficient, what more do you want me to
say?

~~~
runeks
I'm interested in knowing which assumptions these formal proofs rely on.

My general point is that, without stating which assumptions lay ground to a
formal proof, the statement that something has been "formally proven" conveys
no useful information at all, since the assumptions in question can either
make or break the proof (as in the case of WPA2).

~~~
drcode
Ok, in that case apologies for snapping back at you :) sounds like you are
genuinely interested in the details

I'm no expert on ethereum POS, but afaik the proofs guarantee that when two
conflicting blocks reach the "finalised" state then two thirds of stake are
owned by parties that failed to follow a rule in the staking protocol and
therefore their deposit can be forfeited. There are also proofs relating to
validator cycling and long range attacks (which can never be completely
prevented with POS, clients need to sync periodically to make sure they aren't
receiving bad data)

~~~
lostmsu
I am also interested in the details. The critics in my comment was basically
targeted towards them not releasing the technical details on their progress on
Casper.

We already know there were problems with proof of stake consensus algorithms
before. I would like to see them telling, that they solved them.

------
DINKDINK
"Nothing is Cheaper than Proof of Work" \-
[http://www.truthcoin.info/blog/pow-
cheapest/](http://www.truthcoin.info/blog/pow-cheapest/)

I'm glad they're finally launching there PoS fork so it can have its
inevitable outcome.

~~~
1053r
This article is full of problems, but the biggest one is failing to look at
the global perspective:

While it is true that an individual miner/validator will be indifferent to
spending money on electricity and mining equipment vs. purchasing coin to
stake with, the difference between the two is a meaningful to non-miners/non-
validators.

In the mining case, the miner is purchasing equipment and electricity that
divert real resources away from the production of other goods and services.

In the validating case, the validator purchases coin, which causes prices of
that coin to adjust upward. The economy keeps producing the exact same goods
and services as if the validation activity did not exist (after a short
dislocation, which would be very short in this case because few contracts are
denominated in cryptocurrency).

So "nothing is cheaper than proof of work" is a true statement if you are a
miner/validator. However, it is a false statement if you are cryptocurrency
designer.

Obviously, it is easy to design a coin which is MORE wasteful globally than
BTC. Instead of running on electricity and hashing, make it run on proof of
extinction (verified in major newspapers) of critically endangered animals.
The miners will spend time and energy doing terrible things to the planet, but
they will spend no more money time or energy on it than they would have spent
on electricity and ASICs. Why should it be impossible to design a currency
that is LESS wasteful than proof of work?

I recommend against reading the truthcoin.info blog in general. This kind of
wooly headedness is widespread, and the writing style is obtuse enough to make
it hard to figure out exactly why the author is correct or incorrect.

Edited for grammar/clarity.

~~~
CryptoPunk
>>In the mining case, the miner is purchasing equipment and electricity that
divert real resources away from the production of other goods and services.

>>In the validating case, the validator is purchasing coin which simply causes
prices to adjust and the economy keeps producing the exact same goods and
services as if the validation activity did not exist (after a short
dislocation, which would be very short in this case because few contracts are
denominated in cryptocurrency).

The value diverted to coin purchases ultimately has a cost in goods and
services. It diverts economic activity to non-economically productive activity
in cycling capital into and out of deposits, which results in less liquidity.

I think Proof of Stake could potentially be better than Proof of Work, but the
point about cost being equal across validation methods is correct in general
in my opinion. There are specific circumstances where it is not true, like if
producing the mining resource creates negative externalities.

Where I think the article is wrong is in neglecting other aspects of consensus
algorithm efficacy, like the potential security benefits from Proof of Stake
totally aligning the incentives of owners of mining capital (which in the case
of PoS is the network coins) with the success of the network.

~~~
1053r
>>The value diverted to coin purchases ultimately has a cost in goods and
services

This is incorrect, or rather it is incorrect that it is different from the
Proof of Work example, so it should be discarded from the analysis.

Scenario 1) I work a paper route to purchase ASICs and electricity to
bootstrap my mining business. The world got paper delivery out of me, and
consumed some strained silicon and electricity for mining, which raised the
costs of electricity and mining for other uses.

Scenario 2) I work a paper route to earn ETH to validate. The world is the
same as in Scenario 1, but the strained silicon, fab time, expertise,
electricity, etc. all went to work on other projects instead of mining
equipment, leaving the world slightly richer. (Perhaps a startup was able to
purchase microcontrollers for their new widget at slightly lower cost,
improving the return on investment for their founders.)

Again, from a miner/validator perspective, PoW and PoS are the same, but from
a global perspective, they are not.

~~~
CryptoPunk
>>Scenario 2) I work a paper route to earn ETH to validate. The world is the
same as in Scenario 1, but the strained silicon, fab time, expertise,
electricity, etc. all went to work on other projects instead of mining
equipment, leaving the world slightly richer.

I provided a counterargument to this:

>>It diverts economic activity to non-economically productive activity in
cycling capital into and out of deposits, which results in less liquidity.

