
A Provably Secure Proof-Of-Stake Blockchain Protocol - xiamx
https://github.com/input-output-hk/pos-haskell-prototype
======
lappa
I don't know why this paper needs to introduce so much already common
terminology.

"Corrupt" is a re-org; "stable transactions" are confirmed transactions.

"Function maxvalid(C, 𝒞). Returns the longest chain from 𝒞 ∪ {C} that does not
fork from C more than k blocks."

This is the recipe for partitioning consensus. All you need to do is broadcast
to anyone a lower-work chain and they will be on their own fork.

This is easy to do during a new sync in which the node has been offline for
more than k blocks, or with a little more work you could stake grind and
partition the network at the tip.

The former problem is covered in section 3.2.

Generally the nothing-at-stake problem will result in the problem of requiring
some trusted source not to lie, regardless of the implementation; see
[https://download.wpsoftware.net/bitcoin/pos/](https://download.wpsoftware.net/bitcoin/pos/)
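
An added illustration of the rule quoted above, written for this thread and not code from the paper or from the pos-haskell-prototype repository: the maxvalid rule with a fork-depth bound k, placed next to a plain most-work rule, both run over constructed chains. It shows the behaviour the thread is about: a node that resyncs after being offline for more than k blocks and happens to hear a shorter fork first adopts it and then refuses the honest chain, while a node that stayed online, and a node applying the most-work rule, both end on the honest chain. The chain names, block ids, the assumption of equal work per block, and the helper names are mine.

```python
"""Chain selection: maxvalid with fork-depth bound k, beside a most-work rule.
All chains and block ids below are constructed for illustration."""

Chain = tuple[str, ...]  # block ids from genesis to tip


def make_chain(prefix: Chain, label: str, n: int) -> Chain:
    """Extend `prefix` with n constructed blocks named <label>-<height>."""
    start = len(prefix)
    return prefix + tuple(f"{label}-{h}" for h in range(start, start + n))


def fork_depth(local: Chain, candidate: Chain) -> int:
    """Number of blocks of `local` that would be rolled back to adopt `candidate`."""
    common = 0
    for a, b in zip(local, candidate):
        if a != b:
            break
        common += 1
    return len(local) - common


def maxvalid(local: Chain, candidates: list[Chain], k: int) -> Chain:
    """Longest chain in candidates ∪ {local} that forks from `local` by at most
    k blocks; on a tie the local chain is kept (rule as quoted in the thread)."""
    best = local
    for c in candidates:
        if fork_depth(local, c) <= k and len(c) > len(best):
            best = c
    return best


def most_work(local: Chain, candidates: list[Chain]) -> Chain:
    """PoW-style rule; assumes equal work per block, so longest chain wins."""
    best = local
    for c in candidates:
        if len(c) > len(best):
            best = c
    return best


# Constructed scenario: the online network holds HONEST (genesis + 20 blocks).
# An offline node last saw STALE (genesis + 5 blocks). MINORITY is a shorter
# fork peeled off at height 5 (12 blocks on top of STALE, 18 in total).
GENESIS: Chain = ("genesis",)
HONEST = make_chain(GENESIS, "H", 20)
STALE = HONEST[:6]
MINORITY = make_chain(STALE, "F", 12)


def offline_node_sync(k: int) -> Chain:
    """Node offline for more than k blocks hears MINORITY first, then HONEST.
    Returns the chain it ends up on under maxvalid."""
    chain = maxvalid(STALE, [MINORITY], k)  # MINORITY extends what it knows: adopted
    chain = maxvalid(chain, [HONEST], k)    # HONEST forks 12 blocks back: rejected if k < 12
    return chain


def online_node(k: int) -> Chain:
    """Node that stayed on HONEST is offered MINORITY; fork depth 15 > k keeps it."""
    return maxvalid(HONEST, [MINORITY], k)


def offline_node_pow() -> Chain:
    """Same resync order under the most-work rule: HONEST wins on length alone."""
    chain = most_work(STALE, [MINORITY])
    return most_work(chain, [HONEST])


if __name__ == "__main__":
    print("maxvalid, k=3, resync after long offline:", offline_node_sync(3)[-1])
    print("maxvalid, k=3, node that stayed online:  ", online_node(3)[-1])
    print("most-work, resync after long offline:    ", offline_node_pow()[-1])
```

With k = 3 the resyncing node finishes on tip F-17 and will not move to the honest chain however long it grows, whereas raising k to 12 or more (so the honest chain's fork point is inside the bound) lets it switch. This is the concrete form of the "must be online at regular intervals" and "manually reconnected" remarks later in the thread: the k bound is what stops a node from being re-pointed at the tip, and it is also what leaves a node that missed more than k blocks dependent on whichever chain it is handed first.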

~~~
drcode
> has been offline for more than k blocks

These systems require you to be online at regular intervals for proper
security guarantees.

~~~
benchaney
So new users don't have proper security guarantees? That seems like a somewhat
serious flaw.

~~~
drcode
Yes, this is the weakness of POS systems. Of course, with a POW system new
users still need to get a trusted copy of the genesis block.

~~~
lappa
They don't, however, need trust to determine which chain has had the most work
done on it. An alternative genesis with much less work done on it is suspect
immediately.

------
gwern
Some earlier discussion of the protocol itself:
[https://www.reddit.com/r/ethereum/comments/52qfwl/provably_s...](https://www.reddit.com/r/ethereum/comments/52qfwl/provably_secure_proof_of_stake_algorithm/)

------
vesinisa
Interesting! Great to see people working on a more environmentally friendly
blockchain.

What are the weak points of this cryptocurrency compared to Bitcoin? The white
paper is very technical. Is it required that a majority of stakeholders stay
online and constantly take part in the network for it to function correctly?

~~~
drcode
Usually the main weakness of "Proof of Stake" protocols is something called
"weak subjectivity", which means that nodes that connect to the internet on a
regular basis (i.e. once per month or something) have strong correctness
guarantees, but nodes that go offline for long periods of time reach a
situation where they can no longer distinguish the "real" from a fraudulent
blockchain. Nodes that reach this state need to be manually reconnected to the
correct chain.

I think this is arguably an acceptable tradeoff, given the other advantages of
POS.

~~~
petertodd
...and what _is_ the "correct" chain may be a highly contentious subject. For
instance, this is likely to be contentious if a big theft happens, yet the
same theft also makes it possible for the thieves to not only control the
chain going forward, but also rewrite existing history as a theft can give
control of private keys relevant in the past.

~~~
riprowan
> what is the "correct" chain may be a highly contentious subject

But this can be true in POW blockchains as well. If the user disconnects his
node for some arbitrarily long period of time during which there are durable
forks created, said user also has to "reconnect manually to the correct chain"
and the user may have to decide for him/herself what constitutes a valid chain
under contentious circumstances. The user's preferred chain may have become a
minority fork, for example.

~~~
mcherm
In the case of the bitcoin blockchain, I think there is an extremely simple
protocol: just use the longest (most work) chain among the various contenders
for "correct".

~~~
drcode
Only if you have trusted the right person to give you the correct genesis
block.

~~~
mcherm
In the case of bitcoin, I don't believe anyone could mine their own genesis
block and build a chain even remotely approaching the length of the "standard"
bitcoin chain. In fact, this applies more generally: after a blockchain has
been in existence even a short time, it becomes infeasible for anyone to
replace it entirely; at best they can hope to produce a fork from a fairly
recent point as anything else would be a DRASTICALLY shorter chain.

------
lacker
Is anyone actually mining this cryptocurrency? It seems a bit odd to say this
is a proof of concept, without proving the concept by actually running the
code. It might be happening somewhere, the topic just seemed avoided by the
README.

~~~
EthanHeilman
Did you mistake Proof-of-Stake for Proof-of-Concept?

The Satoshi whitepaper that introduced Bitcoin was released before any running
code, and the code was in development for a while before the currency launched.

At this point in the development of cryptocurrencies there is room for
experimental cryptocurrencies that aren't immediate attempts to get a
production system running but provide research which currently adopted
cryptocurrencies can draw from. Inventing a better jet engine should not
require starting an aerospace company that builds and sells complete
airplanes.

