
The Subjectivity / Exploitability Tradeoff - jrbedard
https://blog.ethereum.org/2015/02/14/subjectivity-exploitability-tradeoff/
======
lappa
Vitalik's games aren't amusing. A blockchain has fundamental limitations that
prevent PoS from working, namely it must be costly to make a fork[1].
Complexity is the enemy of security.

Bitcoin solved the consensus problem with its relatively simple incentive
scheme. This post starts off by proposing a flawed system, making slight
changes to the flawed system (punish attackers, trust someone when downloading
the chain, assume economic incentives will cause people to update their
software after an attack, etc.) and recursively pointing out ways to "fix" those
problems while at the same time either introducing more subproblems or more
centralization.

This is similar to what is being done with Ethereum. Instead of one clear
problem, there are many small unclear problems caused by trying to fix
problems caused by a fix of a fix of a fix of the fundamental problem.

In short, this is Vitalik's Fractal.

[1]
[https://download.wpsoftware.net/bitcoin/pos.pdf](https://download.wpsoftware.net/bitcoin/pos.pdf)

~~~
drcode
I see where you're coming from, but I think you are wrong: The problem right now
is that Bitcoin is a very hard system to upgrade or expand, and because of
this cryptocurrency innovation is starting to stagnate (in a similar way that
the traditional banking system has stifled innovation in the last 50 years.)

The concerning part of Vitalik's posts is that right now they build unproven
ideas on top of other unproven ideas, because we lack empirical evidence to
test these kinds of things, because Bitcoin isn't a general-purpose
infrastructure for trying out new cryptoeconomic models... it seems kind of
unfair to knock a guy, though, for trying to analyze them anyway.

However, in 2015, with the launch of Ethereum 1.0 and other competing systems,
we'll get a lot more hard data than ever to find out which of these kinds of
ideas are good- Both because these systems themselves test these ideas, and
because they allow ideas like this to be built on top of them.

So you may be right that there are bad ideas here (As a fan of POS I disagree
on that one with you, however) but they are not "fractal" and we will know in
the near future with empirical data which ones need to be tossed away.

~~~
lappa
>The concerning part of Vitalik's posts is that right now they build unproven
ideas on top of other unproven ideas

Not only are they unproven, but there are mounds of evidence that it isn't
possible.

>it seems kind of unfair for knocking a guy though for trying to analyze them
anyway.

I'm knocking him because he is dangerously misinformed and is implementing and
promoting broken cryptographic systems.

>However, in 2015, with the launch of Ethereum 1.0 and other competing
systems, we'll get a lot more hard data than ever to find out which of these
kinds of ideas are good- Both because these systems themselves test these
ideas, and because they allow ideas like this to be built on top of them.

We already have seen that amateur cryptographers cannot make their unworkable
ideas workable. You don't need another broken altcoin (Ethereum) to know this,
you need to understand what the blockchain accomplishes to know this. I'm sure
once Ethereum fails there will be a new next big thing and people will get
sucked into another broken system, but you can actually understand what is a
good idea if you try to understand the blockchain. You don't need to cross
items from the near-infinite list of possible bad ideas to know what's a bad
idea.

I'm not sure what you mean by "ideas like this to be built on top of them." If
you already have Ethereum's PoW consensus system, what the hell would having a
PoS consensus system on top of that accomplish?

>but they are not "fractal" and we will know in the near future with empirical
data which ones need to be tossed away.

They are certainly fractal. One could recursively say why each of those fixes
has problems, and eventually you would end up with a fully centralized system
that masquerades as being decentralized and PoS, or a completely broken
system that is attackable for near-free.

~~~
drcode
> there are mounds of evidence that it isn't possible.

The paper you referenced from early 2014 isn't really considered very relevant
anymore, though I agree the proponents of "weak subjectivity" (the solution to
the problem listed in your paper) haven't made a strong case yet to defend
their position.

> I'm sure once Ethereum fails there will be a new next big thing and people
> will get sucked into another broken system

It's kind of hard to have an argument of this subject with you, given that you
seem to be complaining about PoS when ethereum 1.0 will be a 100% PoW system,
so I don't quite understand what your specific complaint is.

I think the near future is pretty clear though: The cryptocurrency community
is probably going to be bitterly divided on the question of PoW vs PoS, and two
primary currencies will arise around each approach (whatever they end up
being.) The PoW guys will keep complaining that the PoS systems "aren't secure
enough" and the PoS guys will happily use them anyway.

Of course, it's possible that the above scenario happens but that the PoS
currencies crash and burn for technical reasons- Clearly I'm a PoS fan and
don't think that'll happen.

~~~
lappa
>The paper you referenced from early 2014 isn't really considered very
relevant anymore

It is relevant and discusses fundamental problems with PoS, it is a very
strongly reasoned paper and there hasn't been anything reasonable countering
it so far.

It isn't considered relevant to scamcoiners, of course, since their goal isn't
making a secure cryptocurrency, rather transferring money from a fool's hand to
theirs.

>It's kind of hard to have an argument of this subject with you, given that you
seem to be complaining about PoS when ethereum 1.0 will be a 100% PoW system

So because I complain about PoS, I cannot argue that software is broken for
any other reason? I don't have a specific complaint, they have such a
complicated system that I have a myriad of complaints including Ethereum's
multiple consensus implementations, ASIC resistance, incredibly small block
times, using insecure crypto in their illegal IPO, their system being
basically useless, etc.

>The PoW guys will keep complaining that the PoS systems "aren't secure
enough" and the PoS guys will happily use them anyway.

Since "PoS guys" appear to be fine with centralization and the obvious harm to
security from that, they probably will be happy with other forms of broken
security.

>Clearly I'm a PoS fan and don't think that'll happen.

There is basically no debate among cryptocurrency researchers that PoS doesn't
work, it is mostly promoted among noobies and scammers. You can be a "fan" of
it all you want, but it isn't like being a fan of Republicans or a fan of C++,
it's like being a fan of md4 for cryptography.

~~~
drcode
> Since "PoS guys" appear to be fine with centralization...

Ah I see, you consider the current PoS systems that rely on getting the
initial state for a new client from some trusted source to be "centralized".
Yes, this is going to be the big debate in the cryptocurrency space for the
near future I think. (Though you'd probably argue there's no debate, because
someone disagreeing with your position isn't a "real researcher".)

~~~
lappa
>Ah I see, you consider the current PoS systems that rely on getting the
initial state for a new client from some trusted source to be "centralized".

No, that component is just broken. If anyone trusted is a bad actor and gives
you a bad blockchain, you are not in consensus, thus any system using this
cannot be considered a consensus system. The centralization I was referring to
was other mechanisms commonly employed by PoS systems.

>Though you'd probably argue there's no debate, because someone disagreeing
with your position isn't a "real researcher".

No, someone not doing real research isn't a real researcher. Someone who
understands consensus and security (not Vitalik) and creates a paper
describing a system and its security model clearly is a real researcher.

It isn't my fault that that hasn't happened yet.

~~~
drcode
> If anyone trusted is a bad actor and gives you a bad blockchain, you are not
> in consensus, thus any system using this cannot be considered a consensus
> system.

If anyone trusted is a bad actor and gives you a bad [BITCOIN WALLET CLIENT],
you are not in consensus, thus [BITCOIN] cannot be considered a consensus
system.

~~~
lappa
Bitcoin wallets can have their source code audited. A blockchain that you
accept regardless of the fact that there is a taller one is not audited by
definition.

------
kanzure
> The key argument is this: proof of work, at the core, can be seen in two
> different ways

Neither of those ways are how anyone describes proof of work. I can offer two
explanations. First is the explanation of the Byzantine Generals' Problem from
bitcoin.org:

[http://web.archive.org/web/20090309175840/http://www.bitcoin.org/byzantine.html](http://web.archive.org/web/20090309175840/http://www.bitcoin.org/byzantine.html)

_A number of Byzantine Generals each have a computer and want to attack the
King's wi-fi by brute forcing the password, which they've learned is a
certain number of characters in length. Once they stimulate the network to
generate a packet, they must crack the password within a limited time to break
in and erase the logs, lest they be discovered. They only have enough CPU
power to crack it fast enough if a majority of them attack at the same time._

_They don't particularly care when the attack will be, just that they agree.
It has been decided that anyone who feels like it will announce an attack
time, which we'll call the "plan", and whatever plan is heard first will be
the official plan. The problem is that the network is not instantaneous, and
if two generals announce different plans at close to the same time, some may
hear one first and others hear the other first._

_They use a proof-of-work chain to solve the problem. Once each general
receives whatever plan he hears first, he sets his computer to solve a
difficult hash-based proof-of-work problem that includes the plan in its hash.
The proof-of-work is difficult enough that with all of them working at once,
it's expected to take 10 minutes before one of them finds a solution and
broadcasts it to the network. Once received, everyone adjusts the hash in
their proof-of-work computation to include the first solution, so that when
they find the next proof-of-work, it chains after the first one. If anyone was
working on a different plan, they switch to this one, because its proof-of-
work chain is now longer._

_After about two hours, the plan should be hashed by a chain of 12 proofs-of-
work. Every general, just by verifying the difficulty of the proof-of-work
chain, can estimate how much parallel CPU power per hour was expended on it
and see that it must have required the majority of the computers to produce in
the allotted time. At the least, most of them had to have seen the plan, since
the proof-of-work is proof that they worked on it. If the CPU power exhibited
by the proof-of-work is sufficient to crack the password, they can safely
attack at the agreed time._

Second is a more general understanding:

_Proof-of-Work (PoW) works because of the economic restriction provided by
the second law of thermodynamics. Even though you can't know you're in the
consensus set, you can put a raw economic cost on the probability of you being
tricked. Bitcoin uses proof-of-work to tie Bitcoin consensus to a
fundamentally scarce resource, namely negentropy. It is possible to use
another physically scarce resource instead, but there is no alternative to the
universal scarcity of negentropy. As maaku puts it, "I could be an AI trapped
in a simulation with no knowledge of the outside world other than the
foundational laws of physics, and from that be able to assert the validity of
proof-of-work."_

(Really it has nothing to do with currency. Sorry folks.)

~~~
Adlai
This explanation doesn't cover how Bitcoin determines difficulty. I tried to
come up with a rewrite that does, but the original example has the _"password,
which they've learned is a certain number of characters in length"_, and
Bitcoin has no such fixed target; rather, it simply requires reaching
consensus on transaction ordering, with the _first-in-consensus_ transaction
moving some funds being the _only_ valid one (subsequent transactions are
double-spends). This consensus is achieved through a game-theoretic setup,
involving a PoW chain, which endeavors to:

1) make an attack _as expensive as physically possible_, and to

2) provide a rational actor with access to a given amount of computational
power a stronger incentive to collaborate, than to attack

Evidence in favor of Bitcoin's setup achieving the second goal is that the
system is still alive despite individuals _repeatedly_ having access to
sufficient power to perform double spends; in fact, they already have, yet the
system as a whole keeps running:

[https://bitcointalk.org/index.php?topic=321630.0](https://bitcointalk.org/index.php?topic=321630.0)
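
The chaining rule in the bitcoin.org passage quoted two comments up (each proof
commits to the plan and to the previous proof, and verifiers estimate expended
work from the chain's difficulty alone) and the difficulty and chain-selection
points in the reply above, as an added worked example in Python. This is not
code from bitcoin.org, Satoshi, the Ethereum blog or any commenter; it is a toy
chain written for this thread. Assumptions: SHA-256 over a `|`-joined header,
the constants MAX_TARGET, EXPECTED_SPAN and RETARGET_CLAMP, a hypothetical
GENESIS block, and constructed "plan" strings as payloads. Note that real
Bitcoin nodes pick the chain with the most cumulative work, which coincides
with Satoshi's "longer" chain only when every block carries the same difficulty;
the example shows where the two rules differ.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical constants for this toy chain (not Bitcoin's real parameters).
MAX_TARGET = 2**256 - 1          # easiest target: every SHA-256 output qualifies
EXPECTED_SPAN = 600              # intended seconds per block, like the "10 minutes" above
RETARGET_CLAMP = 4               # one retarget may move the target at most 4x either way


@dataclass(frozen=True)
class Block:
    prev_hash: str    # commits to the parent; this is what chains the proofs
    payload: str      # the generals' "plan"; in Bitcoin, the ordered transactions
    target: int       # the block hash, read as an integer, must be below this
    timestamp: int
    nonce: int

    def block_hash(self) -> str:
        data = f"{self.prev_hash}|{self.payload}|{self.target}|{self.timestamp}|{self.nonce}"
        return hashlib.sha256(data.encode()).hexdigest()

    def meets_target(self) -> bool:
        return int(self.block_hash(), 16) < self.target


GENESIS = Block("0" * 64, "genesis", MAX_TARGET, 0, 0)   # hypothetical genesis


def work(target: int) -> float:
    """Expected number of hashes needed to beat `target`. Any verifier computes this
    from the header alone, which is how the generals estimate the CPU power spent."""
    return (MAX_TARGET + 1) / (target + 1)


def mine(prev: Block, payload: str, target: int, timestamp: int, max_tries: int = 10**7) -> Block:
    """Grind nonces until the hash is below target. The result is proof that the
    miner saw both `payload` and `prev`."""
    prev_hash = prev.block_hash()
    for nonce in range(max_tries):
        candidate = Block(prev_hash, payload, target, timestamp, nonce)
        if candidate.meets_target():
            return candidate
    raise RuntimeError("no nonce found within max_tries")


def validate_chain(chain: list) -> bool:
    """Every block must link to its parent's hash and carry a valid proof-of-work.
    (A real node additionally checks that each target follows the retarget rule.)"""
    if not chain or chain[0] != GENESIS:
        return False
    for parent, child in zip(chain, chain[1:]):
        if child.prev_hash != parent.block_hash() or not child.meets_target():
            return False
    return True


def total_work(chain: list) -> float:
    return sum(work(b.target) for b in chain[1:])


def choose_chain(chains: list) -> list:
    """Adopt the valid chain with the most cumulative work."""
    valid = [c for c in chains if validate_chain(c)]
    if not valid:
        raise ValueError("no valid chain offered")
    return max(valid, key=total_work)


def retarget(target: int, actual_span: int, expected_span: int = EXPECTED_SPAN) -> int:
    """Scale the target by actual/expected block time, clamped to 1/4x..4x, in integer math.
    Blocks arriving too fast shrink the target (harder); too slow grow it (easier)."""
    span = max(expected_span // RETARGET_CLAMP, min(expected_span * RETARGET_CLAMP, actual_span))
    return min(MAX_TARGET, target * span // expected_span)


def fork_example() -> dict:
    """Two plans announced at about the same time, as in the quoted passage."""
    easy = MAX_TARGET >> 12    # ~4096 hashes per block
    hard = MAX_TARGET >> 14    # ~16384 hashes per block
    a1 = mine(GENESIS, "attack at dawn", easy, 600)
    a2 = mine(a1, "attack at dawn", easy, 1200)        # chains after a1
    b1 = mine(GENESIS, "attack at noon", easy, 610)
    b1_hard = mine(GENESIS, "attack at noon", hard, 610)
    honest = [GENESIS, a1, a2]
    rival = [GENESIS, b1]
    rival_hard = [GENESIS, b1_hard]
    # Rewriting the plan inside a1 changes its hash, so a2 no longer links to it.
    forged_a1 = Block(a1.prev_hash, "attack at midnight", a1.target, a1.timestamp, a1.nonce)
    tampered = [GENESIS, forged_a1, a2]
    return {
        "honest": honest,
        "rival_hard": rival_hard,
        "winner_vs_rival": choose_chain([honest, rival]),           # longer and more work
        "winner_vs_rival_hard": choose_chain([honest, rival_hard]), # shorter but more work
        "tampered_is_valid": validate_chain(tampered),
    }


if __name__ == "__main__":
    r = fork_example()
    print("plan adopted:", r["winner_vs_rival"][-1].payload)
    print("one hard block beats two easy ones:", r["winner_vs_rival_hard"] is r["rival_hard"])
    print("tampered chain accepted:", r["tampered_is_valid"])
    print("blocks twice as fast halve the target:",
          retarget(MAX_TARGET >> 12, 300) == (MAX_TARGET >> 12) // 2)
```

The "work" a verifier attributes to a chain is derived purely from the targets
in the headers, so a late-joining general needs no trusted party to judge which
fork cost more to produce; the example's `rival_hard` case is why selection must
be by cumulative work rather than block count, since otherwise an attacker could
win with many cheap blocks.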

