A Provably Secure Proof-Of-Stake Blockchain Protocol (github.com)
93 points by xiamx 313 days ago | 30 comments



I don't know why this paper needs to introduce so much already common terminology.

"Corrupt" is a re-org; "stable transactions" are confirmed transactions.

"Function maxvalid(C, C). Returns the longest chain from C ∪ {C} that does not fork from C more than k blocks."

This is the recipe for partitioning consensus. All you need to do is broadcast to anyone a lower-work chain and they will be on their own fork.

This is easy to do during a new sync in which the node has been offline for more than k blocks, or with a little more work you could stake grind and partition the network at the tip.

The former problem is covered in section 3.2.

Generally the nothing at stake problem will result in the problem of requiring some trusted source to not lie, regardless of the implementation, see https://download.wpsoftware.net/bitcoin/pos/
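The fork-choice rule quoted in the comment above, stepped through as an added example. This is illustrative code written for this page, not code from the paper or the repository; the quoted definition takes the node's local chain and a set of candidate chains (the two symbols are rendered identically in the extraction above), and the toy `maxvalid` below follows that reading with chains as lists of block ids from genesis. Block ids, the honest chain and the attacker branch are all constructed for the scenario, and `k` is the parameter from the quoted definition.

```python
# Added example, not from the paper or the repository: a toy model of a
# k-deep fork-choice rule of the kind quoted above. Chains are lists of
# block ids from genesis; all ids and chains below are constructed.

def fork_depth(local, candidate):
    """How many blocks of `local` adopting `candidate` would roll back."""
    common = 0
    for a, b in zip(local, candidate):
        if a != b:
            break
        common += 1
    return len(local) - common


def maxvalid(local, candidates, k):
    """Longest chain among candidates plus `local` that does not fork from
    `local` more than k blocks back. Ties keep `local`."""
    best = local
    for c in candidates:
        if fork_depth(local, c) > k:
            continue  # forks too deep from our view: ignored regardless of length
        if len(c) > len(best):
            best = c
    return best


HONEST = ["g"] + [f"h{i}" for i in range(1, 11)]  # genesis plus 10 honest blocks


def sync_scenario(k, attacker_blocks):
    """A node went offline holding HONEST[:3]. On reconnecting it is shown an
    attacker's branch (built on its last known block) before the honest
    chain. Returns the chain it holds after each delivery."""
    stale = HONEST[:3]
    attacker = stale + [f"x{i}" for i in range(1, attacker_blocks + 1)]
    after_attacker = maxvalid(stale, [attacker], k)   # extends its view: adopted
    after_honest = maxvalid(after_attacker, [HONEST], k)
    return after_attacker, after_honest


def online_scenario(k, attacker_blocks):
    """The same attacker branch shown to a node that already holds HONEST."""
    attacker = HONEST[:3] + [f"x{i}" for i in range(1, attacker_blocks + 1)]
    return maxvalid(HONEST, [attacker], k)


if __name__ == "__main__":
    k = 3
    # attacker branch of k+1 blocks delivered first: the longer honest chain
    # now forks more than k blocks from the node's view and is ignored
    stuck, still_stuck = sync_scenario(k, attacker_blocks=k + 1)
    print(stuck == still_stuck, len(still_stuck), len(HONEST))  # True 7 11
    # attacker branch of only k blocks: the honest chain is still within reach
    _, recovered = sync_scenario(k, attacker_blocks=k)
    print(recovered == HONEST)  # True
    # a node that never left the honest chain rejects the branch outright
    print(online_scenario(k, attacker_blocks=k + 1) == HONEST)  # True
```

The length of the attacker branch relative to `k` is what decides the outcome: once the node has adopted a branch at least `k + 1` blocks long, any chain that diverged before that branch is outside the window, whatever its length.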


>Generally the nothing at stake problem will result in the problem of requiring some trusted source to not lie, regardless of the implementation, see https://download.wpsoftware.net/bitcoin/pos/

Which means infinitely better security than PoW. PoS is resistant to nothing at stake attack as long as at least one smallest stake is indefinitely honest in each block. It doesn't have to be the same, just so that there's no way for an attacker to achieve 100% at any one point. That's because the stakes of true owners have the same voting power, so they cancel.

To not cancel, the attacker has to own something in all histories, but now the cost is real. Even 0.1% of bitcoins is worth more than what ~17 days of mining power costs. He needs to own more than minimum stake of honest parties over all blocks.

The practicality of that is another matter, as is quality of existing implementations, but that's a much much more realistic requirement than using >half of all worldwide available energy for PoW.

If someone still thinks PoW is more secure, consider this: two countries are at war. One uses PoW currency, another one PoS, owned overwhelmingly by citizens from its creation. Which currency system gets destroyed by the enemy country, wrecking their economy as a result? Related point: which one is likely to be wealthier?

P.S. I think in practice all cryptocurrencies are driven purely by social consensus, with pow/pos/other as false rationalization for it. If bitcoin had serious problems due to the current pow algorithm (like: China nationalizes Chinese miners and starts enforcing some regulation worldwide, eg. only state-registered addresses allowed) users would fork fast, thus proving it's not really PoW. Same with PoS, but it's better as it avoids waste.


>PoS is resistant to nothing at stake attack as long as at least one smallest stake is indefinitely honest in each block.

You completely misunderstand the security model if you think one honest stakeholder can prevent these attacks.

There is no concept of an honest stake holder in the eyes of the network, best they can do is try to estimate which history is the "true" history, however it is free to write a new history.

>To not cancel, the attacker has to own something in all histories

Why do you think this is difficult?

>Which currency system gets destroyed by the enemy country, wrecking their economy as a result?

This is a question of whether attacking PoW through expending energy is more expensive than attacking PoS through designing a program that takes advantage of known PoS flaws.

>P.S. I think in practice all cryptocurrencies are driven purely by social consensus

I'm sorry, but you clearly don't understand even the basics of distributed consensus if you think only social consensus and not a blockchain is necessary. I recommend looking into

https://en.wikipedia.org/wiki/Byzantine_fault_tolerance#The_...

https://en.wikipedia.org/wiki/Sybil_attack


>You completely misunderstand the security model if you think one honest stakeholder can prevent these attacks.

Unfounded assertion. The security model is that the chain with most stake is valid. Whether it's stochastic or direct is only an implementation detail.

>There is no concept of an honest stake holder in the eyes of the network

Honest doesn't mean trusted. It just means he never uses that old stake to attack.

>Why do you think this is difficult?

Because owning enough to attack a large currency would be most likely impossible. A small one with few owners would cost at least orders of magnitude more than attacking pow for equivalent size.

>you think only social consensus and not a blockchain is necessary.

That's apples to oranges. Consensus here concerns order of data, not its organization as blockchain.

Regarding algorithm, in fact given how centralized bitcoin in practice is, you could replace all mining by a small set of signers - Gregory Maxwell. He timestamps blocks and everyone trusts him, as long as no contradictory or wrong blocks appear. If they appear, users are to go to r/bitcoin, r/btc and bitcointalk to find out what to do. Which is what happened and is going to happen in case of problems and major upgrades anyway.

There's no negative difference in security; miners' investment costs could be emulated by a collateral deposited in a Swiss bank by the bitcoin users. Which would be way safer than collateral in the form of hardware under direct control of Chinese government. Greg would get interest on that sum as long as he signs and not contradicts.

Actual bitcoin's energy costs are so small as to be worthless for security. 10 blocks cost at most $50k. Just multiply block reward by 10 and rationally assume miners don't mine at a loss. 10 blocks is more than enough to deposit, exchange for something else and withdraw that. PoW's supposed energy-based security is so broken it's hilarious. Even shitty actually implemented PoS (i.e. Nxt) are like AES to PoW's ROT13. Bitcoin is really proof-of-collateral, the collateral being ASICs.

There's a potential positive difference to timestamper-proof however - it's in principle possible to delete keys used for older blocks, so if they were really deleted, the chain upon that point would be eternally safe (assuming signing mechanism itself isn't broken).


> has been offline for more than k blocks

These systems require you to be online at regular intervals for proper security guarantees.


Yes, as I mentioned users who don't have to sync back up have their vulnerabilities limited to stake grinding attacks.


So new users don't have proper security guarantees? That seems like a somewhat serious flaw.


Yes, this is the weakness of POS systems. Of course, with a POW system new users still need to get a trusted copy of the genesis block.


They don't, however, need trust to determine which chain has had the most work done on it. An alternative genesis with much less work done on it is suspect immediately.


New Bitcoin users also need to rely on trust to find out Bitcoin's genesis block. Yes it's trivially solved, but the same is true for PoS as long as the epochs are long enough.


Some earlier discussion of the protocol itself: https://www.reddit.com/r/ethereum/comments/52qfwl/provably_s...


Interesting! Great to see people working on a more environmentally friendly blockchain.

What are the weak points of this cryptocurrency compared to Bitcoin? The white paper is very technical. Is it required that majority of stakeholders stay online and constantly take part in the network for it to function correctly?


Usually the main weakness of "Proof of Stake" protocols is something called "weak subjectivity", which means that nodes that connect to the internet on a regular basis (i.e. once per month or something) have strong correctness guarantees, but nodes that go offline for long periods of time reach a situation where they can no longer distinguish the "real" from a fraudulent blockchain. Nodes that reach this state need to be manually reconnected to the correct chain.

I think this is arguably an acceptable tradeoff, given the other advantages of POS.


...and what is the "correct" chain may be a highly contentious subject. For instance, this is likely to be contentious if a big theft happens, yet the same theft also makes it possible for the thieves to not only control the chain going forward, but also rewrite existing history as a theft can give control of private keys relevant in the past.


> what is the "correct" chain may be a highly contentious subject

But this can be true in POW blockchains as well. If the user disconnects his node for some arbitrarily long period of time during which there are durable forks created, said user also has to "reconnect manually to the correct chain" and the user may have to decide for him/herself what constitutes a valid chain under contentious circumstances. The user's preferred chain may have become a minority fork, for example.


In the case of the bitcoin blockchain, I think there is an extremely simple protocol: just use the longest (most work) chain among the various contenders for "correct".


That's fine if you simply want to find the chain with the most proof-of-work behind it and join that herd, but what if that chain violates your conditions for validity - perhaps it has different inflation, less anonymity, or higher transaction costs than the minority fork that you were originally following as "valid."

In POW the onus is on everyone who runs a node or miner to understand the consensus rules they are choosing, and to be on their toes in the event of a fork (hard or soft). I see this as no different from the POS problem described above.


Only if you have trusted the right person to give you the correct genesis block.


In the case of bitcoin, I don't believe anyone could mine their own genesis block and build a chain even remotely approaching the length of the "standard" bitcoin chain. In fact, this applies more generally: after a blockchain has been in existence even a short time, it becomes infeasible for anyone to replace it entirely; at best they can hope to produce a fork from a fairly recent point as anything else would be a DRASTICALLY shorter chain.


POS in general is a highly contentious subject in the cryptocurrency community and many people disagree vehemently about the tradeoffs. Peter, for instance, is a strong critic of POS. There are smart people on both sides of the debate.


Rather than replying to my comment by talking about who I am, I'd suggest you reply to the content of my comment instead.


OK sure, though I'm no expert on this subject.

Well, first of all your example makes it hard to tell if you're describing a percentage-based attack (i.e. 51% attack or 34% attack etc) or a long range attack.

In your example, how much % the currency are you claiming a thief has stolen? Are you saying you're using private keys to rewrite history that is based on staking deposits that predate recent chain synchronizations by the node who's view of the history is being compromised? I can respond better if I understand what you're trying to say.


Is this even intended to be a working cryptocurrency? Seems more likely to be a PoS protocol which more established coins will build upon.

There are plenty of people working on a move away from energy intensive PoW. PoS is an open problem in cryptography. Some coins claim it, but none have come under any real scrutiny. Yet to see a secure implementation.

They don't say much in the readme here, the whitepaper offers all the info, if they have actually solved the outstanding problems with PoS this is huge news.

Not holding my breath though.


Agreed, probably the best data we have so far on modern POS systems is NXT, and that isn't really a battle-tested project yet.


Peercoin qualifies, too.


Is anyone actually mining this cryptocurrency? It seems a bit odd to say this is a proof of concept, without proving the concept by actually running the code. It might be happening somewhere, the topic just seemed avoided by the README.


Did you mistake Proof-of-Stake for Proof-of-Concept?

The Satoshi whitepaper that introduced Bitcoin was released before any running code and the code was in development for a while before the currency launched.

At this point in the development of cryptocurrencies there is room for experimental cryptocurrencies that aren't immediate attempts to get a production system running but provide research which currently adopted cryptocurrencies can draw from. Inventing a better jet engine should not require starting an aerospace company that builds and sells complete airplanes.


There is no mining in a proof of stake blockchain. At least not in the traditional proof-of-work sense.


Where does it say proof of concept? The repo describes itself as a first implementation of the model described in the paper.


They provide the code so you can prove the concept by running it yourself.



