[apo]

Initial reactions:

1. Sybil-resistance (faking strong consensus by deploying cheap replica nodes you control) in a protocol like this is crucial. All I could find is this:

To prevent Sybil attacks, it uses a mechanism like proof-of-stake that assigns weights to participants in committee selection based on the money in their accounts.

2. Every non-proof-of-work protocol I've seen, including Ripple Consensus Process and proof-of-stake creates a problem of initial coin distribution. PoW systems have a clean distribution mechanism based on external resource consumption. Non-PoW systems produce an airdrop situation. Players start with no funds, and so can't stake. The creator of the network manually assigns ownership, with important long-term political consequences (e.g., Ripple).

3. The lack of an incentive structure around fees in protocols like Ripple creates bizarre economic consequences. For example, Ripple is guaranteed to lose money stock because fees are simply burned, rather than given to the consensus leader as in Bitcoin.

4. So far, I haven't seen anything in the paper regarding denial of service attacks on nodes. In other words, I see no negative incentives levied on those who can sign transactions from flooding the network with useless spam, bogging everything down.

[woah]

Is PoW really a “clean distribution mechanism”? Economically, it’s like proof of stake, but all stake is divided up among the small set of people who have the electrical connections and equipment to mine profitably.

[KirinDave]

This statement is not always true.

May deployed PoW implementations are provably worse than most modern proposals for Proof of Stake. PoW mining opens selfish mining strategies, whereas Proof of Stake fixes the set of actors opens to scrutiny the mechanism for "who gets to mine the next block."

This doesn't mean that proof-of-stake is magical, but it's certainly less prone to issues than Proof of Work. It's also less inundated by religious zeal; PoS proposals face healthy skepticism and more vetting BEFORE they tend to be deployed. PoW is the axiomatic and beloved sacred "nakamoto consensus" in (incorrectly, but to many in the space) a platonic form.

[api]

I have two issues with PoS that I've never seen addressed?

(1) Isn't it Plutocratic? PoW can be too in that capital and energy costs money, but PoS seems to directly reward the largest stakeholders with more stake.

(2) Removing money from circulation is not free. It reduces monetary velocity and has other detrimental effects on the currency's economic system.

[KirinDave]

1. That's a process question. It's quite possible to rotate stakeholders, audit stakeholders, and challenge stakeholders.

2. If a network can hold back some currency, but actually scale to meet global transactional demand, it'll be better in this regard anyways.

[brian_cloutier]

> PoW mining opens selfish mining strategies

This isn't really true. It's true of Bitcoin but selfish mining is an artifact of Bitcoin's sloppy way of estimating how much work is being done, not an artifact of PoW. An enhancement like Bobtail [1] eliminates the incentive to selfishly mine by improving the network's ability to estimate the network hash strength.

[1] https://arxiv.org/abs/1709.08750

[KirinDave]

I've read it, but my concern with this approach is it actually slows bitcoin down substantally. Bitcoin already can't scale, and moving transactions off-chain to Lightning doesn't really address this concern. What's more, the slower the basis blockchain gets, the more prone Lightning networks are to malicious actors.

[brian_cloutier]

I'll admit I haven't read it for a few months, but I don't remember anything which would cause Bitcoin to slow down. What do you mean?

It does require a larger block header and more network traffic but Bitcoin's scalability is currently limited by politics, not network bandwidth.

[shepardrtc]

> PoW systems have a clean distribution mechanism based on external resource consumption.

Unless the creators are the only ones mining for a time.

[Shoue]

Even without that it's still not fair because of ASICs not being widely available to consumers. It's not as fair as simply selling tokens/coins which grows linearly with how much money you have, which is what you'd be spending on electricity and hardware anyway, you're just taking the shortcut of not using them and is one of the more popular arguments for PoS.

[apo]

True, this has been one of the consistent criticisms of Bitcoin - Satoshi solo mined coins and therefore distribution wasn't fair.

OTOH, consider the alternative. Satoshi gave himself all the money in the system, then divvied it up among his friends.

However, given the availability of multiple multi-billion dollar cryptocurrency economies, another option might be possible. Airdrop to the current holders of some other cryptocurrency. Or maybe a basket of cryptocurrencies. Key owners could then claim their money on the newly-created network. This idea really started to take off in 2018 with Bitcoin hard forks.

The problem is that the network creator will face intense pressure to withhold just a little currency to fund a war chest. Yielding to that pressure creates the very political problems I alluded to earlier (e.g., Ethereum).

[gtrubetskoy]

Add to that - I do not see any mention of the source of timing or "timestamp server" as the Nakamoto paper refers to it. The details of why it is important are in my blog post here https://grisha.org/blog/2018/01/23/explaining-proof-of-work/ (which was once at the top of HN).

[zodiac]

I don't think your post shows that any public ledge must provide a timestamp server (which I think is your claim?). For instance PBFT (with a fixed validator set) works perfectly fine without providing a timestamp server since it's asynchronously safe - you can take as long as you want to complete every PBFT round.

Basically, PoW provides consensus by providing an absolute timestamp (we know that at the difficulty adjustment equilibrium, a certain block header must have taken 10 minutes to produce), but this does not imply that a consensus algorithm that all public ledger consensus algorithms must produce an absolute timestamp (the later claim is stronger).

[gtrubetskoy]

My post merely shows that PoW is the mechanism via which this absolute timestamp (I like this terminology, BTW) is provided and seems very important, but I think the real question (to which I do not know the answer) is: can it be proven that an absolute timestamp is essential or non-essential, because it would answer the question of whether a distributed ledger without PoW (timelock puzzle) is fundamentally possible.

[zodiac]

Yeah, I'll have to think a lot harder about full PoS to maybe answer that question. One thing to note us that there are certain hidden timing assumptions (eg in casper-ffg, there is the 4 month unbonding period, and the timescale over which an inactivity leak occurs) that are necessary for security (they seem to correspond to the time scales needed for weak subjectivity social consensus and hard forks respectively)

I think the most precise name might be something like "affine timestamp"; you don't actually need timestamp wrt the big bang but being able to measure the rate-of-time is stronger than merely being able to order events

[wmf]

These days you can just auction the coins in an ICO.

[KirinDave]

You might even sell ICO financing for a lottery system to help randomize the in-currency return.

[DennisP]

Why do you think that's an inadequate Sybil defense? It clearly prevents someone with x% percent of coins from getting more than x% of the selection by making more accounts.

[j0hnM1st]

>To prevent Sybil attacks, it uses a mechanism like proof-of-stake that assigns weights to participants in committee selection based on the money in their accounts.

Isn't this already implemented by STEEM ?

[ancapalex]

That line in the paper is actually describing Algorand in the "related works" section. Full quote:

"Algorand [26] uses a verifiable random function to select a committee of nodes that participate in a novel Byzantine consensus protocol. It achieves over 360 tps with 50 second latency on an emulated network of 2000 committee nodes (500K users in total) distributed among 20 cities. To prevent Sybil attacks, it uses a mechanism like proof-of-stake that assigns weights to participants in committee selection based on the money in their accounts."

[wildbunny]

Agree completely. Nice paper, utterly useless in practice due to sybil attack.

edit: not only that, but it will be vulnerable to all kinds of history attacks for bootstrapping nodes

[snissn]

And it's very odd that the paper doesn't acknowledge or anticipate those concerns.