
I don't know why this paper needs to introduce so much already common terminology.

"Corrupt" is a re-org; "stable transactions" are confirmed transactions.

"Function maxvalid(C, C). Returns the longest chain from C ∪ {C} that does not fork from C more than k blocks."

This is the recipe for partitioning consensus. All you need to do is broadcast to anyone a lower-work chain and they will be on their own fork.

This is easy to do during a new sync in which the node has been offline for more than k blocks, or with a little more work you could stake grind and partition the network at the tip.

The former problem is covered in section 3.2.

Generally the nothing at stake problem will result in the problem of requiring some trusted source to not lie, regardless of the implementation, see https://download.wpsoftware.net/bitcoin/pos/
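To make the quoted maxvalid rule and the partition argument concrete, here is an added simulation that is not code from the paper or from this thread. It assumes a toy chain representation (a tuple of block ids), a constructed honest chain of 20 blocks, a constructed attacker chain that forks after the fifth block and is shorter than the honest one, and k = 3; all of these are illustrative choices, not values from the paper.

```python
"""Simulation of the chain-selection rule quoted above:
maxvalid(C, C') returns the longest chain from C ∪ {C'} that does not fork
from C more than k blocks back.
Added example, not code from the paper or the thread; the chains, the value
of k and the node scenarios are constructed for illustration."""


def fork_point(a, b):
    """Number of leading blocks that chains a and b have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def maxvalid(current, candidates, k):
    """Longest chain among `current` and `candidates` whose fork from
    `current` is at most k blocks deep. A deeper fork is ignored no matter
    how long the candidate is; ties keep the current chain."""
    best = current
    for cand in candidates:
        rollback = len(current) - fork_point(current, cand)  # blocks we would discard
        if rollback > k:
            continue
        if len(cand) > len(best):
            best = cand
    return best


def sync_node(current, arrivals, k):
    """Apply maxvalid to each chain in the order the node receives it."""
    for chain in arrivals:
        current = maxvalid(current, [chain], k)
    return current


def extend(prefix, label, n):
    """Append n blocks named label+height to prefix (constructed data)."""
    return prefix + tuple(f"{label}{h}" for h in range(len(prefix), len(prefix) + n))


GENESIS = ("genesis",)
HONEST = extend(GENESIS, "h", 19)     # honest chain: 20 blocks, tip h19
ATTACK = extend(HONEST[:5], "x", 7)   # forks after h4: 12 blocks, tip x11, shorter than HONEST


def partition_demo(k):
    """Return the tips adopted by (a) a node that went offline after h4 and
    hears the attacker's chain before the honest one when it comes back, and
    (b) a node that stayed online on the honest chain and then sees ATTACK."""
    offline_node = sync_node(HONEST[:5], [ATTACK, HONEST], k)
    online_node = sync_node(HONEST, [ATTACK], k)
    return offline_node[-1], online_node[-1]


if __name__ == "__main__":
    print("k=3:  ", partition_demo(3))    # ('x11', 'h19'): the two nodes are partitioned
    print("k=100:", partition_demo(100))  # ('h19', 'h19'): plain longest-chain, both agree
```

With k = 3 the returning node locks onto the shorter attacker chain because it was the first chain it saw after its stale tip, and it then refuses the honest chain because adopting it would mean rolling back 7 > k blocks; the node that was online all along refuses the attacker chain for the same reason, so the two never converge. With k large enough to cover the fork the rule degenerates to longest-chain and both nodes end on the honest tip. The simulation only models the rule itself; it says nothing about how cheaply the attacker's chain can be produced, which is the separate stake-grinding point raised above.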




>Generally the nothing at stake problem will result in the problem of requiring some trusted source to not lie, regardless of the implementation, see https://download.wpsoftware.net/bitcoin/pos/

Which means infinitely better security than PoW. PoS is resistant to nothing at stake attack as long as at least one smallest stake is indefinitely honest in each block. It doesn't have to be the same, just so that there's no way for an attacker to achieve 100% at any one point. That's because the stakes of true owners have the same voting power, so they cancel.

To not cancel, the attacker has to own something in all histories, but now the cost is real. Even 0.1% of bitcoins is worth more than what ~17 days of mining power costs. He needs to own more than the minimum stake of honest parties over all blocks.

The practicality of that is another matter, as is the quality of existing implementations, but that's a much, much more realistic requirement than using >half of all worldwide available energy for PoW.

If someone still thinks PoW is more secure, consider this: two countries are at war. One uses PoW currency, another one PoS, owned overwhelmingly by citizens from its creation. Which currency system gets destroyed by the enemy country, wrecking their economy as a result? Related point: which one is likely to be wealthier?

P.S. I think in practice all cryptocurrencies are driven purely by social consensus, with pow/pos/other as false rationalization for it. If bitcoin had serious problems due to the current pow algorithm (like: China nationalizes Chinese miners and starts enforcing some regulation worldwide, eg. only state-registered addresses allowed) users would fork fast, thus proving it's not really PoW. Same with PoS, but it's better as it avoids waste.


>PoS is resistant to nothing at stake attack as long as at least one smallest stake is indefinitely honest in each block.

You completely misunderstand the security model if you think one honest stakeholder can prevent these attacks.

There is no concept of an honest stakeholder in the eyes of the network; the best they can do is try to estimate which history is the "true" history, however it is free to write a new history.

>To not cancel, the attacker has to own something in all histories

Why do you think this is difficult?

>Which currency system gets destroyed by the enemy country, wrecking their economy as a result?

This is a question of whether attacking PoW through expending energy is more expensive than attacking PoS through designing a program that takes advantage of known PoS flaws.

>P.S. I think in practice all cryptocurrencies are driven purely by social consensus

I'm sorry, but you clearly don't understand even the basics of distributed consensus if you think only social consensus and not a blockchain is necessary. I recommend looking into

https://en.wikipedia.org/wiki/Byzantine_fault_tolerance#The_...

https://en.wikipedia.org/wiki/Sybil_attack


>You completely misunderstand the security model if you think one honest stakeholder can prevent these attacks.

Unfounded assertion. The security model is that the chain with most stake is valid. Whether it's stochastic or direct is only an implementation detail.

>There is no concept of an honest stake holder in the eyes of the network

Honest doesn't mean trusted. It just means he never uses that old stake to attack.

>Why do you think this is difficult?

Because owning enough to attack a large currency would be most likely impossible. A small one with few owners would cost at least orders of magnitude more than attacking pow for equivalent size.

>you think only social consensus and not a blockchain is necessary.

That's apples to oranges. Consensus here concerns order of data, not its organization as blockchain.

Regarding algorithm, in fact given how centralized bitcoin in practice is, you could replace all mining by a small set of signers - Gregory Maxwell. He timestamps blocks and everyone trusts him, as long as no contradictory or wrong blocks appear. If they appear, users are to go to r/bitcoin, r/btc and bitcointalk to find out what to do. Which is what happened and is going to happen in case of problems and major upgrades anyway.

There's no negative difference in security; miners' investment costs could be emulated by collateral deposited in a Swiss bank by the bitcoin users. Which would be way safer than collateral in the form of hardware under direct control of the Chinese government. Greg would get interest on that sum as long as he signs and doesn't contradict himself.

Actual bitcoin's energy costs are so small as to be worthless for security. 10 blocks cost at most $50k. Just multiply the block reward by 10 and rationally assume miners don't mine at a loss. 10 blocks is more than enough to deposit, exchange for something else and withdraw that. PoW's supposed energy-based security is so broken it's hilarious. Even shitty actually implemented PoS (i.e. Nxt) are like AES to PoW's ROT13. Bitcoin is really proof-of-collateral, the collateral being ASICs.

There's a potential positive difference to timestamper-proof however: it's in principle possible to delete keys used for older blocks, so if they were really deleted, the chain up to that point would be eternally safe (assuming the signing mechanism itself isn't broken).


> has been offline for more than k blocks

These systems require you to be online at regular intervals for proper security guarantees.


Yes, as I mentioned, users who don't have to sync back up have their vulnerabilities limited to stake grinding attacks.


So new users don't have proper security guarantees? That seems like a somewhat serious flaw.


Yes, this is the weakness of POS systems. Of course, with a POW system new users still need to get a trusted copy of the genesis block.


They don't, however, need trust to determine which chain has had the most work done on it. An alternative genesis with much less work done on it is suspect immediately.


New Bitcoin users also need to rely on trust to find out Bitcoin's genesis block. Yes it's trivially solved, but the same is true for PoS as long as the epochs are long enough.




