
Proof-of-Work is the only solution to Byzantine Generals' problem - hudon
https://gist.github.com/oleganza/8cc921e48f396515c6d6
======
deft
There's been a lot of FUD against PoW and some of it is warranted. The problem
is saying "PoW is a bad solution to the problem" doesn't provide any path
forward. PoS is not a solution, and neither is so called dPoS where block
producers are nominated by or purchased from the development team. Lots of
smart people are working on better PoW algorithms, more resistant to
centralization and hopefully at least one succeeds. Otherwise a new model for
trustless p2p exchange of money will need to be developed.

It seems to me a lot of so called "decentralized currencies" are moving away
from the model that brought billions of dollars into the market, in favour of
recreating shitty versions of what already exists. To do this they dance
around terms and attempt to claim they're actually MORE decentralized for
reasons blah blah blah. I have a feeling the anti-PoW is orchestrated FUD from
teams building decentralized-in-name-only platforms like EOS and NEO. Yelling
about electricity costs and how "trust is needed!" is getting old. People like
the trustless idea, even if so far it hasn't turned out well. A platform that
lets you run "unstoppable dApps" when stopping them only requires shutting
down 21 known nodes isn't unstoppable at all and is frankly worthless.

~~~
realusername
> Yelling about electricity costs and how "trust is needed!" is getting old

It's still a valid concern. PoW currently has a lot of difficulty scaling
because of that, not to mention that the electricity needed to sustain the
system is enormous.

~~~
clarkmoody
You have your causal chain reversed: enormous amounts of electricity are spent
on proof-of-work because it is profitable. There is no minimum amount of work
required to "sustain" the system. Of course you lose security with less work
performed, but the system can be sustained.

~~~
realusername
Yeah of course, but if you want Bitcoin to be used by everybody (that's the
goal of a currency after all), it thus becomes very profitable to mine and
therefore an enormous amount of electricity is used. That's what I meant by a
scaling issue: it works as long as there aren't too many users.

~~~
hndamien
The energy cost of mining gold is proportional to the price of gold.

~~~
moomin
When discussing environmental damage, I’m not sure gold is the thing you want
to be comparing to.

~~~
hndamien
Just making a point about the economics. The environmental destruction is
caused by the energy production in the case of Bitcoin mining. In the case of
gold mining, it is done by the mining.

------
DINKDINK
"Nothing is Cheaper than proof of work"[1]. The best that can be said about
Proof of Stake is that you get marginally better security while sacrificing
liveness / allowing the consensus layer to be captured by regulators [2].
PoW forces the machine to advance: if you refuse (or are forced) to ignore a
block, the business dies but the network moves forward. If PoS was new and
research was underfunded, you might have a plausible claim that it might turn
into a workable solution. The fact of the matter is, it's been 6 years since
PoS' proposal and millions of dollars in R&D funds have been pumped into
unsuccessfully trying to obviate PoW.

[1] [http://www.truthcoin.info/blog/pow-cheapest/](http://www.truthcoin.info/blog/pow-cheapest/)

[2] [https://twitter.com/NickSzabo4/status/956461360161935361](https://twitter.com/NickSzabo4/status/956461360161935361)
"Conjectured governance under proof-of-stake seems to involve programmers &
other amateurs making legal & accounting decisions. Bitcoin governance does
not. Even when lawyers & accountants properly take over PoS governance, PoW
governance will likely be far more socially scalable."

~~~
nootropicat
>allowing the consensus layer to be captured by regulators

The opposite. You can't hide mining at the required scale. Miners must have
registered companies to get access to cheap electricity, employ workers, etc.
Any mining business that doesn't register is going to be outcompeted by those
that do.

PoS can work over Tor/I2p with anonymous validators.

~~~
DINKDINK
PoS creates a system by which block nomination and chain-tip extension is an
elective procedure, meaning companies could censor transactions at effectively
0 marginal cost. Under a legal mandate, that method of consensus is untenable.
See Szabo's tweet.

~~~
nootropicat
If by elective you mean that validators can easily ignore past blocks, that
can be solved by a commit/reveal algorithm or multi party computation.

~~~
DINKDINK
>commit/reveal algorithm or multi party computation

Which is out-of-band work that erodes the claimed 'savings' of PoS, relative
to PoW, and would have been better spent increasing the security of all
transactions on the chain. It also means that I have to be online to see those
orphaned blocks and to ensure those solution algorithms acted.

Example:

US Government to Coinbase: "Thou Shalt never honor a block that originates
from an 'IP out of' Iran"

Coinbase to miners: "Hey Sorry we can't sell any eth from blocks that
originate out of Iran"

Miners: "Ok well if you promise to use the new chain, I'll create a costless
alternate version, But you have to promise!!"

Business A to Business B: "Wait I just got two chains, Which one is the real
one? _Has to check news_ hmmm this USGOV edict is bad. So which chain are you
going to go with? Hmm I dunno Coinbase is so important, I Dunno maybe the
coinbase chain. Ok I'll go with the coinbase chain if you go with the coinbase
chain, But you have to promise!!"

 _Move social consensus churn that erodes social scalability_

Business B: "Well, we're going to have to compensate the miners for this roll
back some how"

Business C: "Hey wait, I accepted a transaction (15 blocks deep), shipped my
products and then went offline, and now I've had my payment rolled back!"

Total Not Centralizing Foundation: "The Foundation will cover all
losses....again"

~~~
nootropicat
It's not possible to orphan blocks that are already in the chain you
confirmed, as that's a contradictory vote. So at best one generator could
orphan a few blocks, but then, what if the next block generator doesn't ignore
them? Anything longer than a few blocks would require cooperation among
majority and that's a failure mode in PoW too.

~~~
DINKDINK
>It's not possible to[...]

Because there is no time-value trade-off associated with delaying block
creation in PoS, you can play games in the interim period of time. In PoW you
pay a penalty for not building on a block. PoS basically tells network
participants that there is 0 cost to not building on a block. See the lecture
Formal Barriers to Proof-of-Stake Protocols[1] for other failings of PoS.

[1]
[https://www.youtube.com/watch?v=PGrWGMRbdvw](https://www.youtube.com/watch?v=PGrWGMRbdvw)

------
erdevs
Boy, the logic in this article is bad.

PoW is not the _only_ solution to the BFT. PBFT PoS, DPoS, etc are all
"solutions", in that they represent a series of tradeoffs to achieve consensus
in the presence of faults, just as PoW does.

Further, PoW itself as implemented in large part today is vulnerable to attack
via selfish mining.

Finally, purely empirically speaking, PoW in most systems like Bitcoin today
is highly centralized and far from trustless. Consensus authority has
accumulated in the hands of large mining operations. Many people foresaw this
outcome. In the author's analogy, you are not provided any certainty of
consensus on your bunker, rather, massively resourced authorities controlled
by a handful of people are dictating state to you and you have nowhere near
enough resources to change that.

------
cesarb
> Imagine you are sitting in a bunker. You have no idea what people are out
> there and what are their intentions. You only receive some incoming messages
> from strangers that may contain anything. They can be just random garbage or
> deliberately crafted messages to confuse you or lie to you. [...] When two
> propositions arrive into your bunker, "X" and "Y", we have no trusted
> reference point to figure out which one is supported by the majority of
> other people. We only have "data in itself" to judge which one we should
> choose as the main one.

What if the true answer is "neither", and both have been forged by an
attacker? If he's sitting in a bunker with no contact to the outside, and an
attacker can intercept and manipulate his every communication, how can he
"estimate how expensive it is to produce an alternative"? Was the difficulty
too low because it's a forgery, or because everybody's abandoned that PoW
chain?

IIRC, Bitcoin's answer to that situation is that somehow word of the correct
chain will get to him (perhaps smuggled by a carrier pigeon), instantly
invalidating all of the attacker's work. That makes sense in real life, but
not in imagined scenarios where there are no alternative communication
channels.
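The "estimate how expensive it is to produce an alternative" rule that the quoted passage relies on is, in Bitcoin, a purely local computation: decode each header's compact difficulty target, sum the expected hashes per block, and keep the chain with the most cumulative work (not the most blocks). The example below is added here to make that rule concrete; it is not code from the gist or from any thread participant. The compact "bits" encoding and the `2**256 // (target + 1)` work formula are Bitcoin's, and the two sample chains are constructed for illustration. It also shows the limit cesarb points at: the selection ranks only the chains the node actually receives, so a node whose every channel is controlled by one party is still choosing among that party's candidates.

```python
"""Heaviest-chain selection by embedded proof-of-work (added example).

Assumptions (not from the thread): a header is represented here only by its
compact difficulty target ("bits"), as Bitcoin encodes it; the sample
chains below are constructed for illustration.
"""

def decode_compact_target(bits: int) -> int:
    """Decode Bitcoin's compact 'nBits' encoding into a 256-bit target."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if bits & 0x00800000:
        # Sign bit set: a negative target is never a valid difficulty.
        raise ValueError("negative target")
    if exponent <= 3:
        target = mantissa >> (8 * (3 - exponent))
    else:
        target = mantissa << (8 * (exponent - 3))
    if target >> 256:
        raise ValueError("target overflows 256 bits")
    return target


def block_work(bits: int) -> int:
    """Expected number of hash attempts needed to find a header under the target.

    Bitcoin computes this as 2**256 // (target + 1): a lower target (a harder
    block) represents more work embedded in the header.
    """
    target = decode_compact_target(bits)
    if target == 0:
        raise ValueError("zero target")
    return 2**256 // (target + 1)


def chain_work(bits_sequence) -> int:
    """Cumulative work of a chain given the 'bits' of each header in order."""
    return sum(block_work(b) for b in bits_sequence)


def select_chain(candidates: dict) -> str:
    """Return the name of the candidate chain carrying the most cumulative work.

    This is the only reference point an isolated node has: it ranks what it
    was handed and has no way to see a chain that was withheld from it.
    """
    return max(candidates, key=lambda name: chain_work(candidates[name]))


def meets_target(header_hash: bytes, bits: int) -> bool:
    """Verify a header hash is at or below its target (hashes compare little-endian)."""
    return int.from_bytes(header_hash, "little") <= decode_compact_target(bits)


# Constructed sample chains (not real chain data).
# Chain X: three blocks at the genesis-era difficulty (bits 0x1D00FFFF).
# Chain Y: two blocks at a target 256 times lower, i.e. 256 times harder each.
CHAIN_X = [0x1D00FFFF, 0x1D00FFFF, 0x1D00FFFF]
CHAIN_Y = [0x1C00FFFF, 0x1C00FFFF]


if __name__ == "__main__":
    for name, chain in {"X": CHAIN_X, "Y": CHAIN_Y}.items():
        print(f"chain {name}: {len(chain)} blocks, work = {chain_work(chain):#x}")
    # Y is shorter but heavier, so a work-based node prefers it over the longer X.
    print("selected:", select_chain({"X": CHAIN_X, "Y": CHAIN_Y}))
```

Verifying a header is cheap (one comparison against the target) while producing one is expensive; that asymmetry is the whole content of the "data in itself" argument. What the code cannot do is notice that both X and Y were manufactured by the same sender, which is why a node that is eclipsed from every honest peer needs an out-of-band channel, however crude, to recover.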

------
foxhill
not only is this not a proof, but also implicitly sweeps many issues with the
implementation of the current system under-the-rug, which is the more
insidious part of this argument.

> Proof that Proof-of-Work is the only solution to Byzantine Generals' problem

this is an argument for PoW's validity as a solution, for starters. in no way
is this a proof, let alone one of uniqueness.

> In case of Bitcoin mining farms, such an alternative would require a very
> expensive and complex production chain, requiring either outcompeting other
> firms that use chip foundries or building single use datacenters in the most
> cost-effective locations on the plane

that is exactly what we have right now! SHA256 has become so optimised in
these chips that the whole issue of "consensus" has been almost diluted to
"consensus between a _very_ small number of people".

it might appear as though i'm identifying a 51% attack, and whilst that is
entirely un-addressed in this "proof", that's not what i mean.

bitcoin was created to decentralise money. there are so few actors in the
mining business now as to negate the benefit of requiring trust in a small
number of centralised entities. which, by the way, happen to be well-known,
non-anonymous, and culpable when mistakes are made/crimes are committed.

sure, the majority of the resources must be used to create a "message", but it
certainly does not necessarily represent the consensus.

bitcoin, in its current implementation, has failed. that largely stems from
the fact that SHA256 PoW as a means of proof, has failed.

~~~
deft
100% correct, but bitcoin isn't centralized because of PoW, more because of a
bad implementation of PoW that was too soon and too easily optimized (if you
had the cash). Existing algos will all be eaten in the same way SHA256 was,
but why does that mean PoW as a concept is a failure?

~~~
Animats
_because of a bad implementation of PoW_

See yesterday's YC article from a cryptocoin ASIC designer.[1] It's possible
to design an ASIC for any proof of work algorithm that will be more cost-
effective than a general purpose CPU.

Monero was supposed to be resistant to special-purpose ASIC approaches. It
isn't. Someone quietly built an ASIC for Monero about a year ago and made a
ton of money.

[1]
[https://news.ycombinator.com/item?id=17059858](https://news.ycombinator.com/item?id=17059858)

~~~
deft
I know. A flexible ASIC is a GPU. Optimized hardware will always be more cost
effective, but like I said elsewhere in the thread, algos that are hard(er) to
optimize than even CryptoNight are being worked on. People didn't notice
Monero had ASICs because no one was paying attention. Looking back on the
hashrate graphs and price makes it very clear.

Monero has since forked and removed the ASIC threat temporarily, and they will
continue to fork to keep them at bay. Anti-ASIC is a cat and mouse game where
the coin developers have the upper hand at all times. Do you really believe
there's no conceivable algorithm that will reduce the cost-effective
difference between general purpose and specialized hardware? The goal isn't to
prevent someone from optimizing, it's to prevent the difference from being so
large that no one else can compete. Monero managed to do that for years, and
that was using an algo that claimed ASIC resistance solely on memory prices.

------
bpicolo
This does not at all seem like a rigorous proof

------
mamon
My conclusion about cryptocurrencies is: they can never take over traditional
payments. People want payment methods to be:

- secure

- fast

- cheap

While traditional payments do relatively well on all three accounts Bitcoin
cannot. Yes, we might argue that it’s (in theory) more secure, but it’s also
slow and expensive. What’s worse, as the article just proves Bitcoin cannot
fix those flaws because its security relies on mining (and therefore
transaction processing) being slow and expensive - that’s the very concept of
PoW.

~~~
chrisco255
There's nothing secure about traditional payments. I have to give away the
keys to my account (routing & checking number) in order to transact with my
checking account. Similarly, I have to hand over all my information to a 3rd
party to process a credit card transaction. The fraud and theft is merely
subsidized by the banking institutions themselves, who more than make up for
the costs in high interest fees.

There's also nothing fast about traditional payments. The actual transferring
of money between banks and accounts still takes 24-72 hours, if not longer in
some cases.

It's also not cheap. The hidden costs are rolled into the banking system,
credit card interest and merchant processing fees (which are rolled into the
price of products).

~~~
mamon
> I have to give away the keys to my account (routing & checking number) in
> order to transact with my checking account.

What a strange country you live in! :) I do a lot of payments and I had to
google what a routing or checking number even is, because I never needed one
for making a payment. Also, I can't see how giving up your account number
would mean giving away control of it. But that might be because in Europe we
do not use such peculiar payment methods as checks.

~~~
chrisco255
All that's necessary in order to forge a transaction is routing & checking
account number. Similarly, with credit card numbers. This is why
cryptographically signed transactions make so much more sense and are much
more secure.

------
nabla9
PoW is not a solution and they are not even discussing the problem.

The author is mixing up the Byzantine Generals' problem with a completely
different set of trust and consensus problems.

------
nootropicat
If every participant is online and all messages are public, then only a
majority vote is necessary, as time itself becomes exclusive (only earlier
votes matter). There's no need for PoW here.

For participants that join later, both PoW and PoS are probabilistic, but PoS
can be much better: if everyone has to vote, the maximum possible classical
security is 1-of-n, i.e. one eternally honest party exists in all past blocks,
so no attacker can obtain 100%, ever. This model can stall but it can't lie.

The 100% model is not practical and by itself requires everyone to be online,
but for some m in m-of-n, it is. Another variable is how long the honesty
assumption must hold: it's relatively easy to construct a scheme that makes
honesty for e.g. four months nearly certain.

Combined with the fact that money is inherently a social thing, it works. It's
not an abstract consensus for people in bunkers, but people that want to
interact. So if you return after a long time, it's enough to check in several
places that accept a specific cryptocurrency what chain is wanted by them.

------
lowbloodsugar
That was a nice article which may or may not be true. How does that solve the
Byzantine Generals' Problem [1]?

[1]
[https://en.wikipedia.org/wiki/Byzantine_fault_tolerance#Byza...](https://en.wikipedia.org/wiki/Byzantine_fault_tolerance#Byzantine_Generals%27_Problem)