The problems are the basic ones, how to avoid colluding stakers, how to neuter the market for consumed stakes, how to deter chain splits. There is a constant flow of new coins that try various approaches, but the ones that have survived have all had to resort to some variant of checkpoints where a trusted third party decides on regular intervals which chain is valid. This has obvious implications for a supposedly trustless digital currency, where you don't really need that complicated blockchain anymore.
This Ethereum PoS FAQ is, much like other documentation from the Ethereum Foundation, quite dense, where most paragraphs introduce terms not seen elsewhere (economic finality? slashing? weak subjectivity?). If you want the interesting bit, the TL;DR, then skip to the part about weak subjectivity. Read it, and then read it again and bear in mind how other coins solved this problem.
Tell me I'm wrong, but I think this bit, with the key part being that the node "authenticate out of band", involves a certain third party with a Very Important Key. In which case the rest of the theory in the document doesn't matter much, does it?
Furthermore it's insane that miners are just going along with this plan. They think since they hold Ethereum now that they will receive greater future rewards - but this is literally a parable that we warn our children about - "The Goose That Laid The Golden Eggs".
If these changes were simply switched on then they would have absolutely no chance of standing, there would be an immense backlash. VB is exploiting social-engineering to push these changes with the whole "Ice Age" scheme. Gotta boil that frog slowly.
It's unfair and inaccurate to describe the execution of a long-established plan that has been part of Ethereum since the beginning as some sort of nefarious plot being pushed through using manipulation.
If there was an ounce of sanity here you'd at least have a 12 month trial period in an altcoin to iron out the kinks.
Individuals would likely use different means of arriving at this consensus, from public forums, to having personal lists of trusted nodes that their node polls, to referring to well known public blockchain explorers. And of course, if their own node was online three months ago, it wouldn't have to trust anyone.
I personally would not want to use social consensus to determine the result of chain turbulence caused by a weakness in the consensus code. If we are going to fall back on social strategies, haven't we forgone the biggest advantage of blockchain in the first place? (the ability to know the state of consensus without needing to trust anyone)
Cryptocurrencies are a platform attempting to solve the very human issue that value transfer systems are social and emotional. The original concept with Bitcoin was that your money could go from A -> B and no one could stop it -- except for those people who can actually stop it because they have vast amounts of network influence for whatever reason. Notwithstanding, even if you have millions of dollars in cryptocurrency, if someone really wants it badly enough they can probably hit you with a wrench until you reveal your keys. The only thing stopping this is a strong system of property law enforced by someone capable of physically removing you from the rest of society if they deem you to be in violation of social pacts.
The only major advantage offered by cryptocurrencies is that at least you can know the numbers appearing in your bank account aren't completely made up by a bureaucrat in an office somewhere. Regardless of your feelings about fiat, you can generally rest assured of this if you buy equities, which are well tracked and actually represent a corporeal stake in some company. So, aside from being a geeky toy and new market for gambling, where has cryptocurrency actually succeeded?
With Ethereum's social consensus, you have to re-choose your platform every time someone creates an alternate history. It's an ongoing process which can cause a lot of confusion and disruption in the future. It's a lot worse than a system you can be confident will not change once you have gotten set up.
The value of Bitcoin is that it is very difficult to manipulate. In this, we have already seen it succeed repeatedly. The inflation is the same, legacy nodes all still work, nobody has ever invalidated addresses or taken money they didn't have the keys to.
Yes, with bitcoin you lose your money if someone can find you and decides to hit you with a wrench repeatedly, and then somehow they get away without conviction of assault. In PayPal, you can lose access to your account simply because some low salary moderator flagged your account as violating their restrictive terms of service.
Just because bitcoin hasn't solved the problem entirely doesn't mean that it's not a big step forward. It's a big step forward!
A government with sufficient means can freely create a new history for Bitcoin and make that history canon. The work in blocks originating earlier in the chain is exponentially less than the blocks succeeding it.
>The value of Bitcoin is that it is very difficult to manipulate. In this, we have already seen it succeed repeatedly. The inflation is the same, legacy nodes all still work, nobody has ever invalidated addresses or taken money they didn't have the keys to.
The value of Bitcoin is whatever people believe it's worth. Control of the hashing power is trivial, and actually free, for the government of China. All they have to do is march their army into the mining warehouses and seize the means of production. Then there's nothing to stop Bitcoin from becoming the PBOCoin, with blacklists, inflation, and so on.
You could argue that, "Wait, it has the most work but it's not the valid chain! People elsewhere will continue the original chain." Okay, so which is the real chain? The answer is: whatever people believe is the real chain! And it comes back to being 100% established socially and emotionally by human beings.
Fun history of Bitcoin/cryptocurrency forks:
1. Value overflow bug in Bitcoin creates two Bitcoin chains, one with a person with 2 billion Bitcoins and one without. Which chain is the real Bitcoin chain? This is the first incident where 'the code is the contract except when no wait it's not'.
2. Berkeley DB bug makes two Bitcoins, just pick one and roll with it.
3. Ethereum DAO bug fiasco inadvertently creates two socially constructed versions of Ethereum, Ethereum Spicy Rollback Edition and Ethereum Classic. Which is the real Ethereum?
4. Bitcoin people can't agree with one another on anything, so one group of Bitcoin people make 8 MB Malleable Cash Bitcoin and another group makes Segwit2X Bitcoin, but some other people don't agree with the 2X part so maybe they'll make Segwit-not-2x Bitcoin too.
Which is the 'real' cryptocurrency that merits 2000 cheeseburgers of purchasing power today? Why, whatever we believe it to be!
IIUC to get to the "every time" you're talking about just once, more money would need to be invested by attackers than it would cost to 51% attack bitcoin.
It is not in their power to affect consensus rules such as making money out of thin air or stealing other people's money. In that sense Bitcoin and many other cryptocurrency systems are trustless.
It is tempting to trivialize the creation of value in Bitcoin but there are many diverse interests with an economic incentive to keep each other in check.
Of course, to economists the concept of a "Sybil attack" is nonsense. Imagine if tomorrow the US Congress voted to give every citizen a billion dollars. Would this be a Sybil attack on the US dollar? Or would it be democracy at work? There's no difference. At the end of the day the majority (of the authority) sets the rules and does literally decide what happens.
> So, aside from being a geeky toy and new market for gambling, where has cryptocurrency actually succeeded?
A better question is -- why are there so many currencies to begin with? Why isn't there a single currency that everybody uses?
Once you understand the answer to this question the value of cryptocurrencies becomes clear. You said it yourself: currency is inherently a contextual and social value construct. Different communities have different values. Communities that develop currency power will always triumph over communities that don't because they can collaborate more effectively. Currencies don't "succeed," communities succeed -- and they do this partly by leveraging currency power. The answer to your question is right in front of you but you just don't want to see it: the cryptocurrency development communities themselves are already wildly successful and have demonstrated the ability to raise enormous funds and collaborate effectively.
Groups of people live in bordered countries and like to have their own currencies for their own countries. There is, it's the United States Dollar. Why everyone uses USD, either directly or as a metric, is outside of the scope of this discussion.
Your argument about communities is where this all falls apart -- as I already stated, at some level you need the threat of violence to enforce the property rights necessary for any kind of personal wealth to flourish. Cryptocurrency doesn't solve this issue, or even approach it. It just creates a new virtual asset, backed by nothing and valued by faith, on top of an established system of community and law.
For determining the state of the blockchain at some point in the past, it is probably effective, because the fact unambiguously revealed itself at some point in the past.
The trusted sources can even be Trusted Execution Environments that automatically output the state at t minus 3 months. There is very little room for factionalism, given deviating from the truth is so obvious when the whole interested world could see the objective truth three months prior and would have trusted sources they can rely on to relay that fact to them.
This of course resulted in two factions, one that disagreed with the change and one that agreed with the change.
If you are using Ethereum and your client complains that there are two valid histories and then asks you to use social consensus to pick the 'true' history, do you feel confident in the platform? Especially if you know that you have thousands of millions of dollars that you wanted to put into the system.
That being said, depending on social consensus to determine what happened could make it more likely that a faction will use it to determine what should have happened. I personally don't think it will make it very likely, given the inertia of the original chain, but we'll see.
My understanding was that programs are limited to a finite number of steps in the Ethereum virtual machine.
Ethereum makes the assumption that given a user-defined algorithm and a user-defined input, that within the limitations of the EVM whether or not the algorithm will halt can be determined. We know that this cannot be the case due to the halting problem. It may always be possible for there to be an implementation specific EVM-escape which could result in a catastrophic failure and loss of Ethereum for the end user.
This hack sidesteps the halting problem entirely. Now, we can not know if a program can halt with a theoretical unlimited ether, but as there's no unlimited ether, all programs will halt.
This isn't the first time PoS has been used to secure a coin, either. (With the number of altcoins out there that's not even surprising). Eth shifting to it would just represent the first major coin to use it.
No, it does not make that assumption. It simply limits the algorithm to a finite number of steps (opcodes in EVM) based on the amount of ether that was paid for.
Imagine an actual Turing machine - a symbol based ticker tape. Each operation of the machine is one step. You can run it for a given number of cycles and stop without knowing or needing to know whether the algorithm expressed through the Turing machine will halt or not.
See this explanation of what "gas" is on the ethereum network: https://ethereum.stackexchange.com/questions/3/what-is-meant...
edit: Haha okay, so I guess I'm not the only person who stumbled on this.
I'd be happy to help clarify these concepts if I can, but I don't understand what you see is the tension between the halting problem and Ethereum.
Imagine that I run a processor for a certain amount of time, like 10 seconds. We start a stopwatch when we begin executing an algorithm, and then we pause the processor after 10 seconds pass. The processor performs a fixed number of operations each second, e.g., a 1 MHz processor does a million instructions.
If we decide to run a program and stop it after 10 seconds or 10 million instructions, that has no bearing on whether the processor's computational model (or a VM simulating the processor) is Turing complete. Deciding to stop the processor after 10 seconds is an analogy for an Ethereum transaction with "gas" for 10 million instructions.
If you wish, you can think of it as an "external" force is stopping the computation.
The talk that you linked claims that Ethereum isn't Turing complete, but that talk is either: wrong, making a nonsensical distinction, or making an extremely nitpicky distinction (depending on how you want to look at it). By the talk's reasoning, a general personal computer is not Turing complete either. The Turing model specifies a machine with infinite tape, so by the standard of the talk, no machines that humanity has ever made are Turing machines, and none of their execution models are Turing complete, because all of our machines have bounded memory. For similar reasons, the fact that Ethereum executes transactions with a bounded number of computations doesn't influence whether it is Turing complete in a useful sense of the term.
If this hasn't clarified things, then I'd suggest articulating the reason why you think the halting problem matters for Ethereum. The halting problem states that one cannot design an algorithm that determines whether all other algorithms will halt or not. So what? Ethereum does not depend on the existence of such an algorithm. Ethereum doesn't try to predict or analyze whether a program will halt - it simply runs the program and finds out! Since these programs are executed for a finite number of steps, then we know that all programs will halt, either by choosing to halt, or by exhausting their number of allowed steps.
The reason I say that it's wrong that "Ethereum is not Turing complete" is because the amount of "gas" for a transaction, and therefore the number of allowed steps, is arbitrary. You pay for gas when submitting a transaction, and so you can supply as much gas as is needed for any program that you wish to run. Because the user chooses how large the fixed bound is (and pays for it), Ethereum is Turing complete in a practical sense. If you make a mistake and submit a transaction with insufficient gas, then you can try again with a larger amount of gas. Most of the time, you can probably simulate the program yourself locally to determine how much gas it requires ... or you can just provide far more gas than the program is likely to need, since excess gas is returned.
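The gas metering described in the comments above, as an added example that is not part of the original thread: a toy stack machine (not the EVM; the opcode names, gas prices, and the rule that a failed run forfeits all its gas are assumptions made for illustration) that never analyzes whether a program halts and simply stops it when the paid-for steps run out, reverting its writes.

```python
"""Toy gas-metered stack machine. Illustration only: this is NOT the EVM."""
from dataclasses import dataclass

# Hypothetical opcodes and per-opcode gas prices, invented for this example.
GAS_COST = {"PUSH": 1, "DUP": 1, "SUB": 1, "JUMP": 2, "JUMPI": 2, "STORE": 5, "STOP": 0}


@dataclass
class Receipt:
    success: bool
    steps: int          # opcodes actually executed
    gas_used: int
    gas_refunded: int
    storage: dict       # state after the transaction


def execute(program, gas_limit, storage):
    """Run `program` until it stops or the paid-for gas runs out.

    No attempt is made to predict halting. Every opcode that lets execution
    continue costs at least 1 gas, so a run takes at most gas_limit + 1 steps.
    """
    working = dict(storage)      # writes land on a copy so a failure reverts them
    stack, pc, gas, steps = [], 0, gas_limit, 0

    def failed():
        # Model choice: a failed run forfeits all gas and changes no state.
        return Receipt(False, steps, gas_limit, 0, dict(storage))

    try:
        while pc < len(program):
            op, *arg = program[pc]
            if GAS_COST[op] > gas:
                return failed()              # out of gas: the external stop
            gas -= GAS_COST[op]
            steps += 1
            pc += 1
            if op == "PUSH":
                stack.append(arg[0])
            elif op == "DUP":
                stack.append(stack[-1])
            elif op == "SUB":
                b, a = stack.pop(), stack.pop()
                stack.append(a - b)
            elif op == "JUMP":
                pc = arg[0]
            elif op == "JUMPI":              # jump if popped value is non-zero
                if stack.pop() != 0:
                    pc = arg[0]
            elif op == "STORE":
                working[arg[0]] = stack.pop()
            elif op == "STOP":
                break
    except (IndexError, KeyError):
        return failed()                      # malformed program: treat as a failure
    return Receipt(True, steps, gas_limit - gas, gas, working)


def countdown(n):
    """Constructed sample (n >= 1): loop n times, then record completion."""
    return [("PUSH", n), ("PUSH", 1), ("SUB",), ("DUP",), ("JUMPI", 1),
            ("PUSH", 1), ("STORE", "done"), ("STOP",)]


SPIN_FOREVER = [("JUMP", 0)]     # constructed sample: never halts on its own

if __name__ == "__main__":
    state = {"balance": 7}
    print(execute(SPIN_FOREVER, 1000, state))   # stopped by the meter
    print(execute(countdown(10), 40, state))    # too little gas: reverted
    print(execute(countdown(10), 100, state))   # retry with more: excess refunded
```
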
PoW is only wasteful if either a) you consider distributed consensus worthless or b) there’s a cheaper way to achieve the same result. I think we all agree that distributed consensus is not worthless, and you spend the rest of your post arguing that there is currently no known way to achieve the same result while consuming fewer resources. So how can we say it’s wasteful?
In many areas of work, human beings spend time and energy to produce valuable information, which they later sell (that’s what consultants do, basically). A proof of work spent is also valuable information, because it can be used to prevent double spending, and miners sell these proofs in exchange for bitcoins.
If consultants spend a month on producing information that is later sold at a price that exceeds what they spent on producing it, we say they have provided value. I would argue that, likewise, when a miner spends a day to produce information that is later sold at a profit (in bitcoins), it has provided value to the market — otherwise there’d be no one willing to pay for this information.
Ethereum uses a lot of handwaving to justify what is ultimately a pump program to make insiders and large ETH holders richer.
I agree with this, but I think the real problem with PoW is the mining pools centralizing. People seem to think the recent swift soft fork is something to be celebrated, but I think it's kind of scary how swift it was. It just means that the mining pools are so centralized that the transition was so easy.
Then again, this is something even PoS will probably suffer from.
There's no disputing power bills.
Um, pretty sure it was a solved problem from the start? You could always submit a non halting contract, it'd just burn through your gas and stop.
It is a much older implementation that works on Bitcoin's UTXO model (rather than the account model in Ethereum) and without smart contracts. It doesn't have a solution to the nothing at stake long-term attack, but it thwarts all known short-term attacks. Personally, CASPER's solution to the nothing at stake problem is concerning. In an ideal world, it is ideal, but in a more practical world, I can definitely foresee someone doing something wrong or making a mistake (either developer bugs, or consumer running two wallets, etc), unintentionally making a block on another chain, and losing their $1M worth of ETH as a result. It only takes that happening once, maybe twice, to get people to think twice about staking, and when fewer people are staking with fewer coins, the network is much easier to attack.
(disclaimer: I work on a blockchain project that is somewhat a competitor to Ethereum)
Also, running two wallets would not cause one to lose money. Running two instances of the validator code might - but why anyone would do that is unclear.
Edit: It looks like your post was edited to answer the second question. I'll check it out.
Am I missing something? Or is this people just being optimistic?
PoS provides real value - the maintenance of a blockchain - so it makes sense to reward the capital required for such maintenance accordingly.
Only online nodes provide value to blockchains. In a PoS blockchain an online node with 100,000 credits is generating equal value to a node with .03 credits.
The capital-weighted PoS system prevents this because if you want 51% to the network to be able to do abusive things, you have to risk devaluing your enormous PoS investment by destroying trust in the Ethereum network.
I don't understand your first point, could you clarify?
I have a hypothetical scenario I'm curious about. Let's say the Bitcoin network becomes so valuable that a huge chunk of the world economy depends on it, believing that it can't be manipulated. Most people would rather play nice with this than sabotage the network, but since the whole point of this consensus mechanism is assuming the worst case, let's say there's an entity (it could be a terrorist group or a nation) whose interest is to mess this up regardless of how much money they lose as a consequence.
This is an unlikely event but I think it's possible in some special cases that we can't foresee at the moment (just like nobody could predict that people will come up with ASICs for mining, or like people would form a pool to mine things). The only condition required is:
1. Get a hold of enough money to terrorize the network
2. Be at a position where you indirectly can gain more by losing all your money that's worth 51% of the network.
In this case, this entity can decide to attack the network without any consequences due to the pseudonymous nature of the blockchain. People will see this happen in daylight but won't be able to easily figure out who this was if this was based on proof of stake, because all you need to do this is to secure your fund in the bitcoin network.
However if Bitcoin was using proof of work, you will have to buy a whole bunch of mining rigs (or build them yourself in some secret bunker) which is much more traceable than if you simply used money for this terrorism.
I'm not making up some convoluted scenario just to troll, I'm genuinely curious how this will work out and hope to be proven wrong because I also want to live in a world where proof of stake works.
1. The terrorists use their 51% stake to interfere with the network.
2. People begin to notice that their transactions aren't going through as expected.
3. Some panic and try to pull out.
4. The price drops due to the rising supply.
5. The resulting feedback loop causes a crash.
6. The uncooperative nodes are identified.
7. The blockchain is forked to revoke the stake of those nodes.
8. Business continues as usual.
The only way I see the terrorists cause any long term damage is if they buy when the price is lowest and then repeat their attack. (Assuming balances aren't reset to pre-crash levels.) If it happens often enough, that would certainly erode the trust people place in the currency. On the other hand, if balances aren't reset, the second crash would be much less severe, since nobody will want to lose money selling when the price is down.
Essentially, no proof-of-X scheme can ensure that malicious interference doesn't happen, but it can make it costly enough that it happens only rarely. Then the occasional event can be handled manually (see also the DAO hack).
Do you think they will keep forking whenever major events like this happen? I worry that a couple of these attacks will be enough to drain all the trust from the network. Ethereum may have saved itself once by forking but a lot of people think this is not sustainable and think a couple more of these and people will leave.
Traceability is one such example, but there can be many other cases. Proof of work is pretty straightforward because the vulnerabilities are mostly technical issues, whereas proof of stake I think can have a lot of social vulnerabilities.
I bring this up because I feel like every discussion about blockchain security seems to mention "effectiveness" but the world is not perfect and there are plenty of cases where certain parties act in unintuitive manners.
Something something "temporarily embarrassed millionaire".
The richer you are, the smaller percentage of your net worth that investment likely is, so the rich get richer, with little risk to their total net worth.
Are you expecting some sort of magical system where people with less at stake earn more than those with more at stake?
The author works out the math and it doesn't look that bad, especially compared to some proof-of-work centralization scenarios:
If that is the case, this user should control 50% of the stake in about 1,015 years and 90% of the stake in 1,275 years. In reality, it is probably less because not everyone stakes but that gives a rough idea about how long NXT can potentially last.
It also means locking up the supply of ethereum, draining liquidity and thus pumping the price.
Technologically it is not good for security:
But as a pump and dump, it's an excellent thing to do.
If someone asked "how safe is proof of work?" ten years ago, everyone would have laughed and thought you're joking.
I'm only saying this because you're making a snarky comment while pretending to know exactly how it will play out. Nobody knows how it will work. Who knows? Maybe some unexpected human behavior like mining pools will happen in proof of stake approaches and it may end up going in a completely unexpected direction.
I see PoW and PoS as nearly analogous in this regard - the rich can dominate both and so on - except that PoS is far less wasteful.
I'm excited to see where this goes.
- The thing that they are wasting, capital, was created out of thin air by the act of switching to PoS
- There are large negative externalities to burning power by mining with hashes, which increase the cost to society of using PoW vs. PoS.
- Liquidity and capital-over-time that you have to “burn” (which makes PoS just another type of PoW) is actually capital that was fabricated from thin-air. So while PoS is not less wasteful, the act of switching-to-PoS is a gigantic act of wealth-creation.
- A much bigger point, relevant to the future of humanity on Earth: there are externalities to PoW which makes mining cost more to society than its $ cost to the miners. Instead of lobbying to include those externalities in the mining cost via various pollution taxes, we can sidestep it entirely by doing PoW with something that doesn't do physical damage to the earth: PoS.
And many people are "hodling" cryptocurrency as a long-term store of value anyway so presumably they aren't concerned with the velocity of money.
If your staking period is just a couple of weeks, this is probably less significant than owning a mining farm. But if your staking period is several months, the opportunity cost probably is greater than mining or hodling, because you sacrifice a lot in terms of flexibility.
Which, if you can still sell your staked coins, what is the point of locking them up in the first place?
Large existing expendable cash has a greater advantage to mine and mint. Mining pool operators are also in a position to manipulate minting and transactions in the network.
If doing so decreases the native asset's velocity (for the sake of security, finality, ease of sharding, etc), so be it.
So with lower fees, lower inflation, and higher throughput the velocity is more likely to grow significantly than decrease.
Using purchasing power (or more specifically an artificially constructed and highly manipulated bag of goods measure called the CPI in the USA) is a switch to obscure the rate of inflation, as if it couldn't be measured directly.
But inflation always has been issuance, not purchasing power. Pretending otherwise is a tactic used by people who engage in inflation to try and obscure its effects (because purchasing power is affected by things like growth in productivity.)
Pretending like it's a measure of the price of goods is a political (not economics) tactic used by governments to obscure it-- because the price of goods is affected by other things--like increases in productivity, lower cost goods from overseas and the like.
Currency issuance is related. It is not the same thing.
Economic models so far, however, suggest the reward needs to only be a tenth of POW reward.
The code is the contract ... except when it isn't.
I agree with you in theory, but the BTC/BCH split would be a better example of the majority splitting off of profiteers rather than the other way around.
If separate groups end up with incompatible consensus rules, there's a network split.
Miners, exchanges, developers, etc. don't have any more power than anybody else. Everybody's power is limited by the extent to which other people want to trade with them.
Have they got a proof of concept as yet, or is this all still vaporware that nobody on this thread should be talking about in the present tense?
Ethereum switching to proof of stake is a threat to billions of dollars in annual revenue. Miners should be rallying against this, and the budget they have for lobbying and PR could reasonably be nine figures.
Ethereum miners are not the only ones affected. If two million GPUs suddenly flood the market, either the resale value of hardware will nosedive, or the difficulty of all other coins will skyrocket. Miners who do not even mine ethereum should still be actively opposed to ethereum switching to proof of stake.
The generalization of your argument is that rapidly increasing productivity of any good is bad, because it decreases the relative power of existing capital holders.
If all the miners on all proof-of-work currencies lost all their revenue and the currency was equally secure, I would consider this a good thing since the electricity could be allocated elsewhere.
People who make billions of dollars from the status quo have great power to maintain the status quo.
While it may be rational to lobby for the continued use of proof-of-work from a short-sighted and egocentric point of view, the switch to proof-of-stake seems absolutely appealing from a long-term or holistic perspective.
Moreover, if the 51% dislike the one fork, or the version before the fork, it's too easy to validate correctly in the part of the fork they like and launch a 51% attack to the other fork. This would have killed ETC and BCC instantly. (I'm not sure if this is a bug or a feature.)
This is one of the main innovations in modern POS algorithms.
Staking coins are locked for a minimum of 6 months.
Academic Byzantine fault tolerance is insufficient, because you cannot naively assume that most participants will behave honestly. They have to have an incentive to behave honestly, and there can be no room for dishonest behavior that would be more rewarding.
There's a reason that it took so long to get a working digital cash - a new breakthrough was needed and that breakthrough ended up being Proof of Work.
To trust a new system for decentralized money, I would want to see peer review not just from academics, but also from the leading bitcoin experts, who in my opinion are the only ones that really understand cryptocurrency.
Perhaps a few academic collaborations could generate peer-reviewed papers that leverage those decades of research alongside the practical experience of bitcoin experts.