As for using it for Layer 1 systems, Andrew Poelstra nailed it in his conclusion:
"We showed that by depending only on resources within the system, proof of stake cannot be used to form a distributed consensus, since it depends on the very history it is trying to form to enforce loss of value."
Proof of Stake might be useful at Layer 2 (becoming equivalent to voting stock in a company), but not as a base-layer consensus mechanism.
> Proof of Stake not only replicates the same dynamics that Bitcoin was designed to eliminate (more wealth -> more power in system)
There is no legitimate sense in which PoS _is_ an instance of "rich have more power and get richer" but PoW is not. In fact, PoW is _worse_ than PoS in this regard, because PoW has economies of scale (if someone with a $100k investment earns $10k/year, someone with a $100m investment can earn significantly more than $10m/year). PoS on the other hand is much closer to a clean "what you earn is proportional to what you put in" design, which is realistically the best that you can do in an anonymous system where users can generate as many independent identities as they want.
> can only be made secure against a maximum of ⅓ byzantine actors, compared to Proof of Work's superior ½.
This is also not true. The 1/3 bound is for safety-under-asynchrony (a form of safety for which PoW's security margin is zero). If you assume synchrony, then PoS protocols' safety approaches 50% much like PoW does. Protocols like Casper FFG combine the "best of both worlds", giving you both of those security guarantees (50% BFT if the network is good, 33% BFT if the network is terrible) at the same time.
In PoW, miners must sell their tokens to buy capital-intensive mining equipment and power to stay competitive. In PoS, stakers have no incentive to sell enough tokens to anyone who could turn around and stake them as a competitor, since that would cut into the seller's future staking rewards.
> The 1/3 bound is for safety-under-asynchrony (a form of safety for which PoW's security margin is zero). If you assume synchrony, then PoS protocols' safety approaches 50% much like PoW does.
First, consensus protocols can be trivially safe regardless of the network's behavior -- you simply require a majority vote for any proposed agreement. Second, any consensus protocol can only remain live as long as there are no more than f faults out of 3f+1 replicas. This is again irrespective of the network model -- Leslie Lamport's proofs do not make any assumptions about the network.
We actually know of consensus protocols that require synchrony including between participants and clients that go up to 99% fault tolerance for both liveness and safety; in fact Lamport himself described one in his original paper (remember that it's "written messages" and not "oral messages" in his vocab that's the relevant category; these days public key cryptography is cheap and uncontroversial so there's no need to care about the "oral" case). There's also a table on page 291 in the 1988 DLS paper (see https://groups.csail.mit.edu/tds/papers/Lynch/jacm88.pdf, the "authenticated byzantine" row and the "synchronous" column) that gives an overview of the fault tolerance levels in various different cases.
The original definition of consensus did not have a notion of passive clients needing to learn the result, so the "active participants synchronous, passive clients asynchronous" model common in blockchain land was not really analyzed well back then. It turns out that with a synchronous network, the passive client requirement is what brings safety and liveness down from 99% to 50%. And it also happens that the 50% fault tolerance protocols are less fragile in the case that the synchrony assumption breaks temporarily.
The "written messages" protocol does not tell the whole story. If you go back and re-read Lamport '82, the assumptions that make the SM(m) algorithm ("written messages") work at all also make it a practically useless result. In particular, assumption A4(b) (top of page 391) requires that anyone can authenticate any general's messages at all times. How the generals are supposed to learn each other's public keys _without_ an instance of SM(m) is not addressed, but presumably they would need to fall back to OM(m) ("oral messages") to do so. So if you take a BFT system as a whole, where you can't assume the existence of a magical fool-proof way for generals to learn each other's keys a priori, my original claim stands.
> The original definition of consensus did not have a notion of passive clients needing to learn the result, so the "active participants synchronous, passive clients asynchronous" model common in blockchain land was not really analyzed well back then.
Prior literature doesn't consider "passive clients" because they're not protocol participants in the first place. Clients do not participate in deciding agreement; otherwise they wouldn't be called clients.
Last I checked this is very much still the case in blockchain-land. Your wallet (client) does not do anything to help miners/stakers determine the best chain tip or the next block, for example.
So, I'm not sure what you're trying to say here?
> It turns out that with a synchronous network, the passive client requirement is what brings safety and liveness down from 99% to 50%. And it also happens that the 50% fault tolerance protocols are less fragile in the case that the synchrony assumption breaks temporarily.
Unless you're assuming the existence of the magic fool-proof public-key distribution mechanism required for SM(m) to work, you're not going to get liveness unless you're either (a) assuming nodes do not exhibit arbitrary failure modes, or (b) requiring at least 2/3+e nodes are honest.
EDIT: wrong date for Lamport
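The 1/3 versus 1/2 figures argued over in this subthread both fall out of a quorum-intersection count. The following is an added illustration, not code from any commenter; the model it assumes (a node can wait for at most n - f signed votes, and under synchrony with authenticated messages an equivocating node is detected before anyone decides) is stated as an assumption in the docstring.

```python
"""Quorum-intersection check for the 1/3 vs 1/2 Byzantine fault bounds.

Model (an assumption for this illustration, not a claim made in the thread):
  n replicas, f of them Byzantine, a decision needs a quorum of q signed votes.
  A node can only wait for n - f votes, since f nodes may never reply.
  Two conflicting decisions would each need a quorum; any two quorums of
  size q overlap in at least 2q - n nodes.
  - Asynchronous network, no equivocation detection: the overlap must hold
    at least one honest node (honest nodes vote once), so 2q - n >= f + 1.
  - Synchronous network with authenticated messages: a node that votes both
    ways is caught within the delay bound, so a non-empty overlap suffices,
    i.e. 2q - n >= 1.
"""


def quorum_overlap(n: int, q: int) -> int:
    """Minimum number of nodes shared by any two quorums of size q out of n."""
    return max(0, 2 * q - n)


def quorums_are_safe(n: int, f: int, q: int, synchronous: bool) -> bool:
    """True if two conflicting quorums cannot both form under the model above."""
    needed = 1 if synchronous else f + 1
    return quorum_overlap(n, q) >= needed


def max_tolerated_faults(n: int, synchronous: bool) -> int:
    """Largest f for which waiting for n - f votes is still safe."""
    best = 0
    for f in range(n):
        q = n - f  # a node can only ever collect n - f replies
        if q <= 0 or not quorums_are_safe(n, f, q, synchronous):
            break
        best = f
    return best


def fault_fraction(n: int, synchronous: bool) -> float:
    """Tolerated faults as a fraction of n, e.g. ~0.33 async, ~0.49 sync."""
    return max_tolerated_faults(n, synchronous) / n


if __name__ == "__main__":
    for sync in (False, True):
        label = "synchronous" if sync else "asynchronous"
        print(f"{label}: n=100 tolerates f={max_tolerated_faults(100, sync)}")
```

For n = 100 the loop stops at f = 33 without equivocation detection and at f = 49 with it, which is the 33% / 50% split under discussion.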
Curious about what you think about Ouroboros/Cardano! Pros/cons vs ETH?
PoW by design leads to centralization and we can see it happening live with bitcoin mining. At least with proof of stake there's no economy of scale. Everyone can participate fairly easily.
But you can centralize ownership of energy production.
TSMC, Samsung and GlobalFoundries are the centralization points of all of mining because they produce the chips.
Good thing they like money and they are global corporations.
You also have to factor in the fact that the latest GPUs are not necessarily the best ROI. If you can get lower speed GPUs for a fraction of the cost, then your return on that is much faster. Of course, that is starting to change now that mining is becoming so profitable again. But regardless, you are still tied to GPUs, so anything you can get there is good.
Ahh I guess all the people making/buying ETH mining ASICs must be out of their minds then? First result I found: https://www.coindesk.com/linzhi-rollout-long-awaited-ethereu...
If you did the research into that one, it also only has 4.4 gigs of RAM. It will also slow down (aka: zombie mode) starting early November 2021 once the DAG gets large enough.
It takes about an hour of running it, just to start mining because the DAG generation takes so long.
By the way, Linzhi only sells to large customers because they've taken so long to produce this thing (years now) that they don't have enough money to front the production run.
They are also a super sketchy company. You should have seen the stuff they pulled during the ProgPoW debate.
Disclosure: I'm a very very large GPU miner and I'm deeply involved in this business.
What is the threat model here, and in particular what is the outcome of a successful attack?
For example, if the only "power in the system" the attacker has is the ability to prevent transactions from occurring, then the attacker is damaging the value of their own coins. The honest majority could, as a last resort, also decide to manually fork the currency to invalidate the attacker's coins.
Assuming the ⅓ number is weighted by stake, the attacker is potentially risking billions of dollars in order to carry out this short-term attack. With that amount of money it would be cheaper to locate and destroy the major bitcoin mining farms.
If that's always an option why bother with proof of stake in the first place? Just let it do whatever and switch to the "correct" fork once in a while!
Bitcoin may have been _aimed_ at eliminating the "rich get richer" system, but in fact it failed at it, as others comment below. It has been formally shown that investors who have enough money to buy the most efficient ASICs out there earn disproportionately more, compared to smaller investors who can only afford less efficient ASICs/GPUs; in contrast, in PoS every investor has a fixed ROI for each one of their $ (regardless of their total investment); as also shown in that paper, this is the best you can hope for in an anonymous system. In other words, unless you can authenticate users and distribute rewards in a democratic (and possibly egalitarian) manner, the rich will always get richer, and the rate at which this happens is actually worse in PoW than PoS.
Fundamentally Proof-of-Stake relies on a high-level abstract game theory of social interactions between selfish players.
One of these is not like the other.
Or do you want to believe that's still true because it would be very inconvenient to your biases (we all have our own biases) otherwise?
Sorry, I really did not want to be rude, just tried to find out whether you're trying to seek for the truth or just want to be right.
If you're a no-coiner or Bitcoin maximalist, none of this really matters. But if you accept the premise that the future of financial infrastructure is moving towards decentralized, blockchain based systems, then a secure, scalable, performant, and energy efficient approach like this is pretty darn awesome.
It will be much longer than a year. 2-3, at best.
There's software engineering to merge the client software, but from a research perspective it's not a big deal at all.
One major hard part, imho, is the zkSNARKs. Nobody is talking about the fact that they are hardware dependent because they are so computationally expensive. My guess right now is that we're going to need (or they will get developed somehow)... ASICs. Talk about kicking the puck down the road.
The other hard part is that this is a decentralized development project managed by humans. What happens when someone wants to flip the switch on billions of value? The ProgPoW debate proved how contentious decisions turn into a total clusterf*ck. You want to trust your funds to that?
Finally, the best one. There is insane pressure to rush eth2 out now that billions of value is locked up. 737 max levels of pressure.
I love ETH and ETH2. More than anything I want to see it happen. I'm just in the camp that we should have worked on ETH 1.5 first.
I'm not worried about the social aspects at all, but in the context of an Ouroboros discussion I don't really want to get into a broad Ethereum debate.
Why yikes? If it's a legacy transition, with a flight plan and testing, then it should be fine.
Second, the technical complexity involved seems challenging. I'm not a dev, and I'm not saying it's impossible, but making substantial core changes on a live, decentralized system running all sort of layer two infrastructure seems really dicey.
This is really the beauty of ethash being ASIC resistant and GPU friendly. I have so much computational power built up that someone will always be available to buy it. It isn't e-waste. We already run on older generation GPUs because they are higher ROI, which proves that they have useful life, even as they age.
The project as a whole (Cardano) has some other notable advantages. Personally, it has a built-in governance system which actively funds projects / improvement proposals paid for by some of the block rewards & fees. Cardano just had their first round of voting and funding which gave in aggregate $250k to a variety of projects. Funding batch sizes are expected to grow to $10 million dollars a year in 2021 (at current prices). This is where I'd draw the largest difference between ETH 2.0 and Cardano (the project which developed and uses Ouroboros).
With slashing, even if someone finds it advantageous to attack, you quickly take away their ability to attack.
(I haven't yet read past the abstract, so for all I know they do address this.)
Pgs 19 and 20.
In addition, IOTA's focus on micro-transactions / the machine economy seems like a no-brainer and something that cryptocurrencies generally neglect.
Have they figured out how to stop spamming from making the network unusable?
IOTA is a scam.