Jude C. Nelson sharply criticizes pure PoS consensus on HN

news.ycombinator.com
PoW is open-membership, because the means of coin production are not tied to owning coins already. All you need to contribute is computing power, and you can start earning coins at a profit.

PoS is closed-membership with a veneer of open-membership, because the means of coin production are tied to owning a coin already. What this means in practice is that no rational coin-owner is going to sell you coins at a fast enough rate that you'll be able to increase your means of coin production. Put another way, the price you'd pay for the increased means of coin production will meet or exceed the total expected revenue created by staking those coins over their lifetime. So unless you know something the seller doesn't, you won't be able to profit by buying your way into staking.

Overall, this makes PoS less resilient and less egalitarian than PoW. While both require an up-front capital expenditure, the expenditure for PoS coin-production will meet or exceed the total expected revenue of those coins at the point of sale. So, the system is only as resilient as the nodes run by the people who bought in initially, and the only way to join later is to buy coins from people who want to exit (which would only be viable if these folks believed the coins are worth less than what you're buying them for, which doesn't bode well for you as the buyer).

One important difference in favour of PoS that isn't brought up often is the financial cost to pull off an attack. Pulling off an attack in most PoS protocols results in coin slashing for the attacker ("deletion" of coins used in the attack) and on top of that can (and likely will) result in coin devaluation as well. This makes a successful attack against a PoS system very very expensive. The resource is spent and actually burned.

With PoW however the GPUs or ASICs don't disappear or lose value after the attack (caveat that the ASICs can lose value if networks switch away from the algorithm it is built for).
The hardware can be used to attack "competitor" networks or used again in another attack against the network or other networks in the future. In this sense, I suspect that PoS networks are able to properly recover from successful attacks far easier as well as dissuade attacks from the offset.

It's far easier to break a PoS chain -- you simply knock the coin-holding nodes offline. Knock enough offline, and you can no longer reach quorum.

If offline nodes' coins get slashed in order to reach quorum and restart block production, and the system permits forking, then why would offline nodes rejoin the original fork? They're incentivized to only consider forks where they're not slashed.

If the system does not permit forking, then the system breaks once the attackers (1) stake a nominal amount of coins, and (2) knock enough other nodes offline such that they are the majority staker.

This isn't really an attack unique to Proof of Stake. If a node goes offline they can lose rewards or even in rare cases have their coins slashed to some extent but that isn't inherent to a Proof of Stake overall. A decent number of Proof of Stake systems instead place reward penalties on pools/nodes that go offline. The idea being that it is a penalty for not maintaining sufficient infrastructure while also not being so severe that it could be leveraged in such an attack.

Most PoS algorithms I've seen instead reserve stake slashing as a penalty for malicious behaviour. Going offline isn't by any means inherently malicious. There are however plenty of actively malicious actions that can be detected and reacted against. Often for the more severe penalties it will require some level of community involvement in the recovery stage to limit opportunities for abuse.

Additionally, it shouldn't be easy to take a block producer offline and Stake Pool (or node) Operators should be preparing for these types of attacks.
I've been watching some of the work being done in the Cardano Stake Pool Operator community and the various SPO guilds have decently sophisticated architectures. "Nodes"/"Pools" are broken up into Relays, Producers, and sometimes additionally Key Generators. Key Generators produce the periodically expiring KES keys and pass them to the Producers on a schedule (to minimise potential attack surfaces). The Producers actually engage in the consensus using the keys provided by the key generators and communicate through the relays. The Relays handle the throughput and communication. This allows the producers (and by extension the key generators if used) to be largely shielded from the open net. This also allows producers and relays to have a certain amount of redundancy/failover.

An architecture like that may cost more (and eat into rewards a bit more) however they are far more difficult to DDoS or compromise. Since the barrier for the hardware is so low, a 1x2x2 or 1x2x3 (keygen x producer x relay) architecture can still be more than profitable (retaining 25% to 75% of the SPO rewards as profit). Additionally this has the advantage that various other income streams can be integrated in (state channel operation, compute nodes, storage nodes, etc) over time and the operation can be scaled up without compromising security or requiring a significant re-architecture.

Proof of Stake can be just as secure as Proof of Work but it requires that the incentives be structured properly and sufficiently hedged against potential risks.

Okay, so instead of knocking your nodes offline, the attacker only has to commandeer them for just long enough to commit a slashable offense. That's usually easier anyway.

This is fundamentally a double-edged sword -- the harsher your penalties are for bad behavior, the easier it is for someone to use a zero-day and kill your staking coins. But the laxer your penalties are, the more damage a buggy or malicious node can do with impunity.
Either way, the resilience of PoS comes down to the resilience of the majority of its staking nodes, because once you lose that, the system is dead. Once you control majority stake, it doesn't matter how many other offline coins exist -- you, as the majority staker, simply never mine their transactions.

This isn't true for PoW systems. A PoW system can always be brought back to life, even after an arbitrarily long amount of inactivity, and even if all the previous miners cease mining. All you need is one miner, somewhere, that has a copy of the chainstate, and the system makes forward progress.

At least on Cardano, slashing is extraordinarily unlikely and only occurs during recovery from a successful attack. The idea being that the community forks from the moment before the attack and slashes the funds from the attacker. In the case of a zero-day or other attack where the stake pools are forced into being unwilling attackers due to circumstances excluding negligence, KES keys are invalidated/regenerated and the pools don't have their funds slashed. Additionally, delegators either end up taking a leap of faith with their existing pool or more likely move to uncompromised pools.

Recovery is an inherently manual process as either stake pools or miners must actively choose to switch to the new fork (at least initially). This doesn't return to an automated process until the ball actually starts rolling again. I say this is inherently manual as all 51% attacks violate the proof (of work, stake, or any other resource) that allows untrusted collaboration. Instead the community is required to cooperate momentarily based on the collective investment and trust that has been built parallel to the operation of the network.

The difference with PoS compared to PoW during this recovery process is that in a pure attack (i.e. one not due to a software bug/zero day), the resource is permanently burned (slashed) and the recovery can occur.
With PoW however the resource doesn't disappear and can always either come back or come from another ecosystem for a second attack.

Outside of the bootstrap and the recovery phase, PoS and PoW are effectively equivalent in security. PoS is slightly weaker in the bootstrap phase and PoW is slightly weaker in the recovery phase. This isn't inherently bad for either system, it's just a matter of trade-offs.

Arguably I'd say this is why transitions from PoW to PoS will be much safer than a clean bootstrap. The existing network strength from the PoW era is able to protect the PoS segment while it works through the bootstrap phase.

Hi, notice that I'm not proactively bringing up any specific cryptocurrencies, let alone the same cryptocurrency over and over in the same thread. This is because I'm not a bagholder.

I have no interest in talking to bagholders. The science and engineering details of cryptocurrency design and implementation are by definition beyond a bagholder's comprehension. The act of holding bags precludes formulating a dispassionate understanding of cryptocurrencies -- as Upton Sinclair put it, "It is difficult to get a man to understand something when his salary depends on his not understanding it."

You see, if I was a bagholder, I would have a hard time comprehending why it's a terrible idea to fall back to the "community" trying to decide which fork is valid. If the community members had high enough trust in one another that they don't need the blockchain (specifically, a fork-ranking protocol) to come to a valid majoritarian decision on which fork is the right fork, then we really don't need the blockchain in the first place! The same sinews of trust can be used to decide what everyone's balance is at all times, since after all, the community members already trust one another to decide which transaction histories (out of many) is the true ledger.
But thankfully, I'm not a bagholder, which means I can see that this assumption about the community is not viable.

Also, if I was a bagholder, I would have a hard time comprehending why attackers don't just try and buy 51% of the stake. It would be difficult for me to understand that attackers are going to take the path of least-effort, which would be the act of knocking nodes offline and/or exploiting zero-days on nodes hosting staking coins in a bid to get the network to slash enough of the honest coins that quorum can no longer be met. But thankfully, I'm not a bagholder, which means I understand this weakness.

In addition, if I was a bagholder, I would have a hard time understanding that PoW and PoS security in their "happy paths" is irrelevant. The resilience of blockchains is determined by their unhappy path behaviors. PoW requires less proactive trust and coordination between community members than PoS -- and thus is better able to recover from both liveness and safety failures -- precisely because it both (1) provides a computational method for ranking fork quality, and (2) allows anyone to participate in producing a fork at any time. If the canonical chain is 51%-attacked, and the attack eventually subsides, then the canonical chain can eventually be re-established in-band by honest miners simply continuing to work on the non-attacker chain. In PoS, block-producers have no such protocol -- such a protocol cannot exist because to the rest of the network, it looks like the honest nodes have been slashed for being dishonest. Any recovery procedure necessarily includes block-producers having to go around and convince people out-of-band that they were totally not dishonest, and were slashed due to a "hack" (and, since there's lots of money on the line, who knows if they're being honest about this?). But thankfully, I'm not a bagholder, so I understand the difference.
It's great to know that you, too, are not a bagholder, and you're continuously bringing up Cardano solely because it's a motivating but misguided example, and has nothing to do with how many Cardano tokens you own. Otherwise, I'd have nothing to say to you at all, and if HN had the feature, I'd have simply blocked you already.

Thank you very much for this discussion.

It seems like your contention is that PoS coins are priced based on discounted cash flow, correct? I think that's a reasonable model, but it's hardly unique to PoS coins, and it doesn't really seem problematic.

> the system is only as resilient as the nodes run by the people who bought in initially

This point applies to any assets that generate cash flow, like stocks, yet they seem to have plenty of trading volume. And looking at some numbers on CoinMarketCap, it doesn't seem like PoS coins have lower trading volume than PoW coins. As one example, XTZ seems to have ~double BTC's turnover in the past 24h.

> these folks believed the coins are worth less than what you're buying them for, which doesn't bode well for you as the buyer

This could be said about most assets, even ones without cash flow like PoW coins. In practice there are other reasons for selling, like wanting to offset gains/losses for tax purposes, or wanting to buy food.

> It seems like your contention is that PoS coins are priced based on discounted cash flow, correct? I think that's a reasonable model, but it's hardly unique to PoS coins, and it doesn't really seem problematic.

It's very problematic if the system's liveness is tied to owning a coin. If I can knock PoS nodes offline, I can not only cause a quorum failure, but also I can cause the offline nodes' coins to get slashed (which is usually how PoS chains deal with this problem). Moreover, there's no recovery from this -- the temporarily-offline nodes are forever slashed, even if they come online later.
(EDIT: I'm not limited to knocking nodes offline -- if I can commandeer them through a zero-day, the effect is the same: I make your nodes commit a slashable offense).

Contrast this to PoW, where even if you manage to knock a majority of miners offline, you ultimately have to keep them offline in order to prevent them from later generating and broadcasting a better chain than the one you want to exist. Even if you can physically destroy the majority of miners, the chain still lives on, and new miners can be built and brought online elsewhere.

> This point applies to any assets that generate cash flow, like stocks, yet they seem to have plenty of trading volume

Trading volume is easily faked in crypto-land -- a whale just sends coins to themselves. I'd like to see some hard evidence that the volumes are not from wash-trading. Also, this isn't relevant at all to the system's resilience.

> In practice there are other reasons for selling, like wanting to offset gains/losses for tax purposes, or wanting to buy food.

I didn't say you don't sell coins. I said you don't sell enough of them that the buyer can use them to increase their rate of coin production.

Open membership is arguably a worse problem than stake requirements, as PoW participants do not have a vested interest in preserving the integrity of the chain. Ethereum 2 actually throttles validator entries and exits for exactly this reason.

As an example, any sufficiently powerful entity can temporarily and affordably commandeer computational resources with the intention of disrupting the chain. Under PoS doing so would devalue your (presumably enormous) stake, so participants are at least incentivized to act in the interest of the chain.

Open membership means that the chain stays alive as long as anyone in the world wants it to.
This isn't true for PoS chains -- you must acquire tokens to keep the chain alive.

> As an example, any sufficiently powerful entity can temporarily and affordably commandeer computational resources with the intention of disrupting the chain.

A sufficiently powerful entity can DoS enough staked nodes that quorum can't be reached, and thereby force a PoS chain offline indefinitely for far less energy. If they're clever, they'll buy some PoS coins first, so that once the offline nodes all get slashed, they'll be the majority staker.

If the means of coin production require owning coins, you have these problems that PoW does not have.

Definitely true for Algorand. Owning coins is a means of validating the network and appending to the blockchain, not producing new coins.

> If the means of coin production require owning coins, you have these problems that PoW does not have

Producing blocks != coin production

If you're producing blocks, you're getting paid (otherwise what's the point). If the probability you get picked to produce a block is proportional to how many coins you own, then you're getting paid proportional to how many coins you own.

I don't care for Algorand's shell game of trying to say that all tokens have been minted already, and are just being distributed. If it's the case that nodes who stake more coins are getting paid more coins, then all of my analysis holds.

> If it's the case that nodes who stake more coins are getting paid more coins, then all of my analysis holds

That's fine, but it's an important clarification. All the tokens _have_ been minted already, and _are_ just being distributed. The mechanics are different. Owning 1 coin is one potential vote in a lottery to determine the validity of a proposed block. This is not the generation of new coins.

In any case, regarding nodes and payment, that process is being phased out by their new governance model which was just released the other day: https://algorand.foundation/the-algo/algo-governance.

I'm glad we agree, then, that Algorand is just as vulnerable as all the rest of the PoS systems.

Staking rewards for new block generation is inflationary, so you are just not losing value by staking. Additional value is generated by fees and store of value.

With PoW coin you are constantly devaluing your share of the blockchain by paying some third parties operating giant gpu farms and hydroelectric dams.

> block generation is inflationary

> store of value.

I stopped reading at this point.

Thanks for this little tangent, it was pretty informative. What are your opinions on nominated proof of stake?

This is the best (and also approachable well-written) book on the topic that I've found: https://bitcoinbook.cs.princeton.edu/

My (possibly incorrect) understanding is that POW is computationally expensive because that large investment of computation is what creates a chain of successive blocks (the blockchain). This prevents someone from rewriting history of transactions on the public chain (which would allow them to 'double-spend' or to take their money back). POW currencies are guaranteed to prevent this kind of abuse unless any individual entity is able to get more than 51%. There's an incentive in addition to this because corrupting the integrity of the network would also devalue the currency. Larger networks (like BTC) are harder to do a hostile take over of because it's harder to get that much compute (though mining centralization is a risk).

POS relies on some variant of individuals 'staking' coins to enable transactions, this means putting them up in escrow sort of in the network (they are paid small fees for this based on how much they stake) and if abuse is attempted, the system takes those staked coins away. There are no mathematical guarantees outside of this incentive. POS is not as standardized across different currencies so I may be missing important bits in my understanding.
> POW currencies are guaranteed to prevent this kind of abuse unless any individual entity is able to get more than 51%. There's an incentive in addition to this because corrupting the integrity of the network would also devalue the currency. Larger networks (like BTC) are harder to do a hostile take over of because it's harder to get that much compute (though mining centralization is a risk).

Couldn't this be re-written as:

> POS currencies are guaranteed to prevent this kind of abuse unless any individual entity is able to get more than 51% of the staked currency. There's an incentive in addition to this because corrupting the integrity of the network would also devalue the currency. Larger networks (like ETH) are harder to do a hostile take over of because it's harder to get that much stake (though validator centralization is a risk).

My (non-expert) interpretation is that staking is just an abstraction of mining, and they are secured by the same incentive system.

> PoS is closed-membership with a veneer of open-membership, because the means of coin production are tied to owning a coin already. What this means in practice is that no rational coin-owner is going to sell you coins at a fast enough rate that you'll be able to increase your means of coin production

It seems to me like they're arguing that PoW is more egalitarian/decentralized, which may be a fair point. But using the same argument, attackers being forced to buy stake in the open market should make PoS even more secure against 51% attacks than PoW.

I think this is a good post explaining the tradeoffs: https://vitalik.ca/general/2020/11/06/pos2020.html

Why would they need to buy 51% stake? Just buy x% and then knock the remaining staking nodes offline so that less than 2x% stake remains participating. That's often much cheaper.

PoW is anchored in some real-world value, the cost of electricity. PoS is not. Most of PoW’s security and tamper-resistance advantages derive from that characteristic.

Ultimately, proof of stake has the same property. The value of the network that the stake protects is rooted in some kind of real world value. The tokens from the network can be traded for fiat money that is worth something. So, unless the value of the network being protected falls to zero, the stakes themselves are worth something. An attack on a proof of stake network still requires the resources to procure the attacking stakes. So, you still have a direct relationship between the item being protected and the cost of the protection.

I would add - by focusing on using the economic value of electricity and stacks of special semiconductors to secure your network, you actually are making the network vulnerable to folks that can effectively create arbitrage on those specific narrow resources. In contrast, proof of stake can leverage a much broader range of economic resources that have far fewer arbitrage opportunities.
