[dane-pgp]

> only be made secure against a maximum of ⅓ byzantine actors

What is the threat model here, and in particular what is the outcome of a successful attack?

For example, if the only "power in the system" the attacker has is the ability to prevent transactions from occurring, then the attacker is damaging the value of their own coins. The honest majority could, as a last resort, also decide to manually fork the currency to invalidate the attacker's coins.

Assuming the ⅓ number is weighted by stake, the attacker is potentially risking billions of dollars in order to carry out this short-term attack. With that amount of money it would be cheaper to locate and destroy the major bitcoin mining farms.

[wmf]

There are concerns (or concern trolls) about an attacker buying old keys for almost nothing, trashing the chain, then profiting by shorting. And there are concerns that the honest majority can't figure out how to switch to the honest fork.

[gruez]

>And there are concerns that the honest majority can't figure out how to switch to the honest fork.

If that's always an option why bother with proof of stake in the first place? Just let it do whatever and switch to the "correct" fork once in a while!

[wmf]

Why not have the Supreme Court resolve every dispute? Because it's too expensive. Ultimately you can't exempt yourself from the judgement of society and the market. If you commit to a "most-work chain wins no matter what" policy it doesn't mean that chain will win economically.

[regisg]

That's why there are KES keys.

[wmf]

For people like me who haven't heard of this feature: https://docs.cardano.org/projects/cardano-node/en/latest/sta... It's true that this prevents an attacker from using current keys to perform a long-range attack but old keys can still be used for attacks.

[ilap]

Afaik, long range attack is eliminated by bootstrapping from genesis, where the densest chain is selected.