
On blockchains and why secure ledgers don't require proof-of-work - tbv
http://pfrazee.github.io/blog/secure-ledgers-dont-require-proof-of-work
======
bmcusick
Ugh. He completely misunderstands what PoW (or PoS) is for. The _entire
point_ of PoW is deciding between two valid & correct blockchain states.

Alice owns a bitcoin. Alice validly signs a transaction transferring that
bitcoin to Bob. Alice also validly signs a transaction transferring that same
bitcoin to Charles.

WHICH IS CORRECT? Neither is a forgery. Both signatures are valid. If Dave
downloads the blockchain, or receives both transactions, he can't just look at
them and determine one of them is fake. Neither is fake. He needs a way of
arbitrating who actually has the bitcoin now - Bob or Charles.

PoW is that arbitration process. Dave looks at the competing blockchains (one
with Bob having received it, and one with Charles having received it) and can
trust that everyone in the world will respect the chain with greater PoW
behind it.

Paul's system has no way of addressing this other than "trust the central
authority to process transactions in the order they receive them". Thanks,
pal, that's called e-cash, and was invented by David Chaum in 1983.
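
The arbitration described in the comment above, as an added toy example that is not part of the original post or thread. It models a one-coin ledger, mines two competing chains with a tiny proof-of-work (required leading zero bits of SHA-256, chosen here for speed), and lets an observer pick the chain with the greater cumulative work. The transaction format, the difficulty encoding and the `2**bits` work estimate are assumptions of this example, not Bitcoin's actual rules.

```python
import hashlib
import json

# Added example (not from the post): toy proof-of-work fork arbitration.
# Alice owns one coin and signs two conflicting transfers. Each chain is
# internally valid; only cumulative work decides which one Dave follows.

GENESIS_PREV = "0" * 64


def block_hash(prev: str, txs: list, bits: int, nonce: int) -> str:
    payload = json.dumps(
        {"prev": prev, "txs": txs, "bits": bits, "nonce": nonce}, sort_keys=True
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def meets_target(h: str, bits: int) -> bool:
    # Difficulty is expressed as the number of leading zero bits required.
    return int(h, 16) >> (256 - bits) == 0


def mine_block(prev: str, txs: list, bits: int) -> dict:
    nonce = 0
    while True:
        h = block_hash(prev, txs, bits, nonce)
        if meets_target(h, bits):
            return {"prev": prev, "txs": txs, "bits": bits, "nonce": nonce, "hash": h}
        nonce += 1


def apply_chain(chain: list, utxo_start: dict):
    """Replay a chain. Returns the final coin->owner map, or None if the chain
    is malformed, fails its proof-of-work, or spends a coin twice."""
    utxo = dict(utxo_start)
    prev = GENESIS_PREV
    for blk in chain:
        if blk["prev"] != prev:
            return None
        if block_hash(blk["prev"], blk["txs"], blk["bits"], blk["nonce"]) != blk["hash"]:
            return None
        if not meets_target(blk["hash"], blk["bits"]):
            return None
        for tx in blk["txs"]:
            if utxo.get(tx["coin"]) != tx["from"]:
                return None  # sender does not own the coin (already spent)
            utxo[tx["coin"]] = tx["to"]
        prev = blk["hash"]
    return utxo


def cumulative_work(chain: list) -> int:
    # Expected number of hashes needed to produce each block.
    return sum(2 ** blk["bits"] for blk in chain)


def choose_chain(candidates: list, utxo_start: dict) -> list:
    """Dave's rule: among valid chains, follow the one with the most work."""
    valid = [c for c in candidates if apply_chain(c, utxo_start) is not None]
    return max(valid, key=cumulative_work)


def double_spend_scenario(bits_bob=8, bits_charles=8, extra_blocks_charles=1) -> str:
    """Mine a chain paying Bob and a chain paying Charles; report who ends up
    owning the coin under the most-work rule."""
    utxo0 = {"coin-1": "alice"}
    tx_bob = {"coin": "coin-1", "from": "alice", "to": "bob"}
    tx_charles = {"coin": "coin-1", "from": "alice", "to": "charles"}
    chain_bob = [mine_block(GENESIS_PREV, [tx_bob], bits_bob)]
    chain_charles = [mine_block(GENESIS_PREV, [tx_charles], bits_charles)]
    for _ in range(extra_blocks_charles):
        chain_charles.append(mine_block(chain_charles[-1]["hash"], [], bits_charles))
    winner = choose_chain([chain_bob, chain_charles], utxo0)
    return apply_chain(winner, utxo0)["coin-1"]


if __name__ == "__main__":
    print("owner with equal difficulty, Charles one block longer:", double_spend_scenario())
    print("owner when Bob's block is 4x harder:", double_spend_scenario(bits_bob=10))
```

Note that `apply_chain` rejects a chain containing both transfers, so neither side can simply include both; the conflict can only be resolved by one chain outweighing the other, which is the arbitration the comment describes.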

~~~
pfraze
> Paul's system has no way of addressing this other than "trust the central
> authority to process transactions in the order they receive them". Thanks,
> pal, that's called e-cash, and was invented by David Chaum in 1983.

Flatly wrong. Decentralized consensus is not a necessity to create trustless
operation. Monitoring service operation via a secure ledger provides trustless
operation. As I said, the point of PoW is to provide strict transactional
consistency in a decentralized network. You're just describing that process
mechanically.

~~~
bmcusick
Hi Paul. I'm Brock.

I hope we're not talking past each other, but I read your post as proposing
a system where there's a central party that computes transactions "in the
open" in a way that third party observers can verify.

That's hardly useless, but it's not a replacement for Proof of Work. PoW is
for decentralizing the ability to choose between competing valid blockchains.
It prevents double-spending by making the benefit of double-spending (the
value of your transaction) far less than the cost of double-spending (the
electrical cost of 51% of the mining power for 1 hour or so).

Your system uses a centralized host (see "Services with Secure Ledgers",
paragraph 2), and (I presume) third-party observers can verify a "secure
ledger" by seeing which one has been more recently signed and time-stamped by
the single host.

I mean, sure, centrally hosted servers are more efficient than Proof of Work.
No one who knows what they're talking about disputes that. But the _whole
point_ of PoW is to allow decentralization without a single host.

~~~
pfraze
Hey Brock.

My argument is that decentralized consensus is actually a political solution.
It has technical merits -- it makes it easier to deal with a host that breaks
the contract, because there are lots of nodes, so you just 'route around' the
faulty host's output. But that's a technical solution to a political problem:
how do you deal with a bad actor. And we deal with that every day with
existing services, by switching away from bad actors. You handle bad behavior
politically. If we can lower the cost of switching, and we can build
accountability into the system, then we're getting the same kind of value that
decentralized consensus provides at substantially lower system cost.

~~~
bmcusick
How do you "switch" from a global shared ledger that everyone uses to a shared
ledger that no one uses? I mean, you can, you can fork Bitcoin and start your
own, but what does that get you? No one else will use your coin. There will be
no market for it and it will have no value.

I mean if you're REALLY lucky you'll start something that's as popular as
Litecoin and it will be worth 1% of what your Bitcoins were worth.

Bitcoins are only worth anything because you can go anywhere in the world and
people will accept that there is one and only one blockchain, and if you own
bitcoins on that blockchain then you own them, period.

Proof of Work allows you to solve bad actors without switching away to a new
network and losing all your Bitcoins. Your solution doesn't. If you have a
centralized system that centralized party could refuse to honor your bitcoin
holdings and wipe out your balance.

This really isn't a new solution. I was serious before when I said David
Chaum's ecash (from 25 years ago) was an approximation of this.

~~~
pfraze
I think you're right that handling catastrophic failure is the key question
for a hosted ledger. You have to find a way for the network to agree on who
will rehydrate the balances, so to speak, into a replacement host, and you
need to do it quickly. The whole network has to agree on this.

This isn't impossible to solve. You can establish, in the ledger itself, the
process for migration after a catastrophic failure. You can set a party which
will mediate the issue and decide on the solution. You set up rules for how to
reconfigure the network, and trigger them when a corruption proof is
published.

I agree it's less elegant than what decentralized consensus provides for
handling bad nodes, but you really have to balance this against the
expenditure of proof-of-work. The cost of handling every ledger failure ever
will almost certainly be less than the cost of proof-of-work.

Part of my point is also that it's a gamble, which I find questionable, that
Bitcoin will become "the blockchain" in the future, because it still has a
political reality, and that political reality has involved plenty of forks.
So, my point is, between the cost and the political instability, PoW doesn't
sustain its claim.

------
wmf
The catch is at the end: "There are some downsides to losing decentralized
consensus. A ledger-backed service could manipulate the order in which it
handles requests, or reject some requests altogether, and clients would have a
hard time proving it." Calling that a "secure ledger" is kind of a stretch.

~~~
pfraze
There's aaalways a catch.

See my response to hagreet. Neither of those problems is unfixable.

~~~
kybernetikos
Incidentally, I think there may be a product here that could be sold to
financial institutions. Check out

[https://www.hyperledger.org/](https://www.hyperledger.org/)
[https://www.r3.com/](https://www.r3.com/)

There are lots of other 'private blockchain' distributed ledgers being pitched
right now to financial institutions and to me the distributed aspect of them
seems like a bit of an inconvenient and unnecessary complication for those use
cases.

------
karl_gluck
Security can be extremely simple and efficient when you just have to trust a
third party. The author is describing Linked Timestamping [1], which has been
detailed since the early 90's.

Removing the need for trust is what takes all the energy.

[1]
[https://en.wikipedia.org/wiki/Linked_timestamping](https://en.wikipedia.org/wiki/Linked_timestamping)

~~~
pfraze
Well, no, I'm not describing Linked Timestamping (hereafter LT), because LT is
a system for creating trustable timestamps, and I'm talking about a system for
auditing the state and operation of a service. Hash/block chains are common
and going to get more common. LT, Git, Certificate Transparency, Bitcoin, and
now what I'm describing.

And, further, I'm not suggesting you trust a third party, but if you feel I
am, please point specifically at where.

------
kybernetikos
It's fun to see this here after I've just spent some of the afternoon
'pitching' 'Centralised Ledger Technology'. Single source of truth,
verifiable, secure, permissioned, efficient, scalable, the advertising copy
writes itself (or would if you needed it to, rather than just taking any of
the copy from hyperledger or similar and fixing it up a bit). Any of the people
selling private block chain solutions will generally tell you that there needs
to be a strong political actor within a 'business network' that can insist on
the use of the distributed ledger. The truth of course is that Mr Car Loader
or Mr Fruit Picker who is leant on to run a node on the distributed ledger
really couldn't care less about whether they are verifying other people's
transactions or not, they'd be just as happy with a web site that they fill
the details in, or a signed email system. Indeed, they might ask - why should
I be expected to run computation to secure bits of the value chain I never
see, I just care about confirming what I've received and what I've passed on,
and I can do that by digitally signing a transfer note.

I don't particularly think that using a central secure ledger is surprising or
new, but I do think that politically the furor around DLT (and who knows,
maybe one day CLT too) has provided us with a fantastic political opportunity
to actually fix some of the horrendousness in financial software systems.

To my mind, even if the relevant technological change is pretty minor or
nonexistent, this is an opportunity for us to replace a bunch of miserable
systems duct taped together with more modern systems that have externally
accessible APIs baked in from the start.

------
hagreet
So if there is no proof of work how do you avoid forks? The author says
something about splits being detectable but that doesn't really help us decide
on which side of the split is correct.
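
The hash-chain ledger discussed in the karl_gluck/pfraze exchange above, and the fork question raised here, as an added example that is not part of the original post or thread. A single host appends records to a chain where each entry commits to its predecessor; a client holding an older head can check that a newer ledger strictly extends it, and two clients can show the host published conflicting histories. The record format is made up for the example, and the host's signature over each published head is assumed and omitted (the standard library has no Ed25519); without that signature a fork proof would not be binding on the host. As the code shows, the chain makes a split detectable but offers no rule for choosing a side.

```python
import hashlib
import json

# Added example (not from the post): a hosted append-only hash-chain ledger
# with client-side consistency checking and equivocation detection.
# Host signatures over published heads are assumed and not modelled here.

ZERO_HASH = "0" * 64


def entry_hash(prev_hash: str, index: int, record: dict) -> str:
    payload = json.dumps(
        {"prev": prev_hash, "index": index, "record": record}, sort_keys=True
    ).encode()
    return hashlib.sha256(payload).hexdigest()


class HostLedger:
    """The single host's state: append records, publish (size, head_hash)."""

    def __init__(self, entries=None):
        self.entries = [dict(e) for e in (entries or [])]

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else ZERO_HASH
        index = len(self.entries)
        entry = {"index": index, "prev": prev, "record": record,
                 "hash": entry_hash(prev, index, record)}
        self.entries.append(entry)
        return entry

    def head(self) -> tuple:
        return (len(self.entries), self.entries[-1]["hash"] if self.entries else ZERO_HASH)

    def branch(self, at: int) -> "HostLedger":
        # A misbehaving host rewrites history from position `at` onwards.
        return HostLedger(self.entries[:at])


def verify_chain(entries: list) -> bool:
    """Client-side: every entry links to its predecessor and hashes correctly."""
    prev = ZERO_HASH
    for i, e in enumerate(entries):
        if e["index"] != i or e["prev"] != prev:
            return False
        if entry_hash(prev, i, e["record"]) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def extends(old_head: tuple, entries: list) -> bool:
    """Consistency check: do `entries` strictly extend the head I saw before?"""
    size, head_hash = old_head
    if not verify_chain(entries) or len(entries) < size:
        return False
    if size == 0:
        return True
    return entries[size - 1]["hash"] == head_hash


def first_divergence(a: list, b: list):
    """Index of the first entry where two views disagree (an equivocation
    proof once both heads are host-signed), or None if one is a prefix."""
    for i in range(min(len(a), len(b))):
        if a[i]["hash"] != b[i]["hash"]:
            return i
    return None


def honest_and_forked_scenarios() -> dict:
    host = HostLedger()
    host.append({"op": "deposit", "acct": "alice", "amount": 10})
    bob_head = host.head()  # Bob syncs after entry 0
    host.append({"op": "transfer", "from": "alice", "to": "bob", "amount": 10})
    bob_view = [dict(e) for e in host.entries]  # Bob syncs again later

    # Equivocation: the host serves Charles a history without Bob's transfer.
    forked = host.branch(1)
    forked.append({"op": "transfer", "from": "alice", "to": "charles", "amount": 10})
    charles_view = forked.entries

    return {
        "honest_extends": extends(bob_head, bob_view),
        "bob_view_valid": verify_chain(bob_view),
        "charles_view_valid": verify_chain(charles_view),
        "charles_extends_bob": extends(host.head(), charles_view),
        "fork_index": first_divergence(bob_view, charles_view),
    }


if __name__ == "__main__":
    print(honest_and_forked_scenarios())
```

Both views verify on their own, the honest extension passes, and the comparison pins the split to entry 1. Nothing in the structure says whether Bob's or Charles's history is the real one; that is exactly the gap the question above points at, which proof-of-work fills with a most-work rule and which a hosted ledger must fill by some out-of-band process.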

~~~
EGreg
I think this obsession with consensus is a fad.

Forks are ok as long as they can be merged in the short term.

If something forks for a long time and stays forked, there is hardly any
reason to establish a total order during the merge!

Think of an IRC netsplit for example. One that happens for a few seconds may
attempt to merge back the chats in some fair order they were made, in diff
forks.

But if the netsplit happens for a whole day, or month, no one really gives a
crap about ordering messages across forks. The merge is too complex! In fact,
the resulting conversation would be MORE nonsensical than if you correctly
rendered the split conversations as a DAG in the client.

Similarly, if bitcoin forks into bitcoin cash or whatever, and enough
validators accept it, I get to "double-spend" my new money now. Proof-of-work
is no panacea. If we religiously want consensus then no transaction can ever
be truly confirmed - there is always a chance some larger fork comes along and
undoes all transactions on my fork going back a whole month. Interplanetary
File System has to deal with this.

The problem is that we still haven't evolved our thinking about currencies as
DAGs and keep worrying about the double spend problem and turn to global
consensus to fix it.

~~~
rocqua
In the specific case of currency, practical double spends are a real issue.
'Merging' the state after a double spend requires either forcing the double
spender to pony-up, or taking back money from those who received it without
being aware of any wrongdoing. That is, unless you are fine with people
printing their own currency.

This is rather unique to the case of currency though. Specifically, the
history of transactions determines which future transactions are possible.
Instead a system that only records promises (but doesn't allow transfer of
such promises) would work without centralization. If I promise something to 2
different people I remain on the hook for that promise. The fact that I am
effectively 'in debt' on the system isn't an issue because the system gives no
guarantees on people meeting their promises.

~~~
neilwilson
Everybody prints their own currency all the time. Currency is just promises
made. Double spend is when you duplicate somebody else's promises that you are
holding as an asset.

------
75dvtwin
I would agree that _many_ use cases that imply a distributed ledger, do not
need a proof-of-work.

Perhaps cryptocurrency still need it, but not many of the 'non-cryptocurrency'
use cases.

My argument is centered around the following nuance:

If the use case allows one to assume that the 'originator' of a particular
event is trusted, then the distribution of that event across multiple
untrusted servers/access points _does not_ require a proof-of-work.

The example of how this works is explained in the paper "Balloon: A Forward-
Secure Append-Only Persistent Authenticated Data Structure" by Tobias Pulls
and Roel Peeters:

> Abstract: We present Balloon, a forward-secure append-only persistent
> authenticated data structure. Balloon is designed for an initially trusted
> author that generates events to be stored in a data structure (the Balloon)
> kept by an untrusted server, and clients that query this server for events
> intended for them based on keys and snapshots.

[https://eprint.iacr.org/2015/007](https://eprint.iacr.org/2015/007)

------
dozzie
The author apparently doesn't understand sh&t about the computer science
background of blockchain, since he constantly uses the term "decentralized
consensus" to mean the wrong thing. Blockchain does not do that (the consensus problem,
as stated by computer science, requires the protocol to actually terminate
with an output; then, Lamport et al. in their original paper over thirty years
ago _proved_ an impossibility theorem that blockchain would break if it was
solving the stated consensus problem).

All that blockchain does is to timestamp documents (transactions), the purpose
of which is to tell which of the two documents was earlier. Then, the only
purpose of proof of work and its derivatives is to artificially slow down
signing the documents (transactions), so everybody would have about the same
processing speed. This single assumption (that no single entity has computing
power comparable to a significant portion of all the others combined) is what
allows choosing the longer chain in the case of double-spend incidents. When this
one breaks, the whole protocol breaks.

There are also other dumb ideas, like that "blockchain is supposed to have a
single linear history of transactions". It's not. It would if there was only
one party that issues the transactions, so of every two transactions one would
be marked as earlier than the other. It's wrong, since there can be
incomparable transactions (usually concerning unrelated wallets).

> With proof-of-work, you can have multiple computers make additions to a
> blockchain without having them trust each other. That’s decentralized
> consensus.

No. That's distributed timestamping. Again, consensus is totally different
problem (and well-defined at that), but author apparently doesn't know that.

> Instead of a network of miners, you use a single host. That host maintains a
> secure ledger which contains the host state and its activity log, including
> all requests and their results. That ledger is then published for clients to
> actively sync and monitor.

Congratulations, you have developed a centralized timestamping service and you
have discovered that centralized service is functionally equivalent to a
distributed one. Mind you, you're not the first to think about those.

------
DINKDINK
>it would be profitable for Bitcoin miners to burn through over 24 terawatt-
hours of electricity annually

So 0.02%[1] of the global per annum energy consumption? <snore> I'll gladly
trade that to run an economy without violence and bring financial inclusion to
6 billion unbanked people.

[1] 24/109613*100
[https://en.wikipedia.org/wiki/World_energy_consumption](https://en.wikipedia.org/wiki/World_energy_consumption)

>Because you don’t need permission to buy hashing power and participate in
Bitcoin, there’s no way a “51% attack” can be stopped, except by outbuying
your competitors

Incorrect, this author doesn't understand the miner<->node relationship.
Miners do what users value or else users change the consensus system they
value. DoubleSHA256->Script or Equihash etc etc

>In Bitcoin, acceptance of a change is signaled by the miners - once some
percent of the miners agree, the change is accepted. This means that hashing
power is used as a measure of voting power, and so the political system is
essentially plutocratic.

Incorrect again. The author is mistaking how consensus-level changes, that
users want, are coordinated among miners. BIP 9 was a method where users said
"we'll wait for you all miners to coordinate amongst yourself a consensus
change" which was used to delay. In the future Bitcoin will use BIP 8 which is
"Miners prepare to have your old consensus rejected at flag point X or else
your blocks will be orphaned.

>Bitcoin has been wildly unstable, with controversies and forks happening
quarterly.

The bitcoin network is stable as a table. Bitcoin can't deny anyone from
creating their own fork from consensus. This is a critical feature not bug, to
be able to easily exit from the system. It prevents the lock-in that plagues
trusted third parties.

>I’d explain proof-of-stake here, except that I don’t totally understand it
yet.

If you don't understand the second most prominent proposal for decentralized
consensus, why are you writing a critique about blockchains? PoS is inherently
broken from an economic perspective because it is no more "efficient" than
PoW. Marginal Cost = Marginal Revenue.

If you have an incentive mechanism that says, "Do X and you get Y money"
you're going to spend X<Y amount of economic work to get Y money.
[http://www.truthcoin.info/blog/pow-cheapest/](http://www.truthcoin.info/blog/pow-cheapest/)

PoW = destroy X value in fiat space to gain Y value in Bitcoin space

PoS = destroy X value in Ethereum-PoS space (via TVoM, meat-space work) to
gain Y value in Ethereum-PoS

The value in PoW is that it's very hard to 'more efficiently' consume
electricity than your competitor. All that PoS does is push that wasted work
into hidden area or human space.

>Instead of a network of miners, you use a single host. That host maintains a
secure ledger which contains the host state and its activity log, including
all requests and their results. That ledger is then published for clients to
actively sync and monitor.

Ah, So digicash. Which when it went out of business the market died because
there was no coordinator any more to check double spends. Let's assume that
the business never can go out of business. If I want to destroy the network, I
can compromise one system and control the entire state of the database. Ok
let's assume the system is uncompromisible. Oops the state just censored your
'secure' ledger because someone did something with it that the political class
didn't like. "We'll host it in a country with 'just' laws" There is no such
thing as "the public good" where all people benefit from a certain action.
There will always be winners and losers in any policy decision. Now value is
sapped from the system by constantly having to pay lawyers to defend your
rights from encroachment by the state.

The author is right to question if every application needs to run on a
blockchain (hint: they don't). But if you need trustless, robust,
decentralized, uncensorable state to be agreed on by multiple parties, you're
gonna need a blockchain

~~~
neilwilson
"If you have an incentive mechanism that says, "Do X and you get Y money"
you're going to spend X<Y amount of economic work to get Y money."

That assumes you know what Y money is worth, when in reality you don't.

If you do X then Y money is worth X by definition because you won't let go of
Y money for any less than X value in exchange unless you are forced to.

------
EGreg
Straw man. Blockchain consensus algorithms don't only use proof of work. We
have proof of stake, delegated proof of stake like LISK, proof of Correctness
like Ripple (my personal favorite), and so on.

No need for a wasteful arms race just to elect a leader who can be DDOSed.

~~~
pfraze
I absolutely _do_ respond to alternatives to proof of work in my post, thank
you very much! And I agree that they may be valuable, but I'm skeptical, and
you can reread my post to see why. And, by the by, the DDOS argument _is_ a
strawman, because we already survive DDOSes in services every day.

~~~
EGreg
You're right, you do mention proof of stake and dismiss it quickly. There is
also delegated proof of stake, where validators can elect a leader without
needing a proof of work arms race.

But you should really look at Ripple's consensus and study it:

[https://ripple.com/build/xrp-ledger-consensus-process/](https://ripple.com/build/xrp-ledger-consensus-process/)

As well as HashGraph. Both of these do NOT require proof of work!

But in any case I think consensus is the wrong long term goal for technology
powering currencies and other things. See my other comment in this thread
regarding that
([https://news.ycombinator.com/item?id=15646385](https://news.ycombinator.com/item?id=15646385))

