[DINKDINK]

Paxos https://en.wikipedia.org/wiki/Paxos has existed for more than 30 years. If it were easy or simple to issue a money with distributed signing, it'd have been done before Bitcoin's PoW<->Difficulty Adjustment<->Fixed Money Issuance novel art was published.

Ethereum has been "about to release PoS" for almost 6 years now and all of the initial critiques (By issuing X units of value, you incentivize ~<X units of energy to be expended) Summarized here: https://www.truthcoin.info/blog/pow-cheapest/

If the curious reader is interested in reading more about the scope of fraud that the ethereum protocol has fueled read the post here: https://web.archive.org/web/20201214170136if_/https://www.re...

Why link to the archive.org copy and not the original? Ethereum people got mod access to the subreddit and deleted everything pointing out the fraud.

[nootropicat]

>https://www.truthcoin.info/blog/pow-cheapest/

By the logic of that article asymmetric cryptography doesn't, because the value equal to what's protected by the key is magically wasted somewhere. Of course, that isn't true, because it's not possible to break asymmetric cryptography by brute force with expenditure equal to whatever is protected. Same applies to PoS.

It's maliciously created nonsense, which is most visible when he slyly equates locked tokens to wasted glucose. Wasted glucose is _real_ energy, while locked tokens are inherently worthless patterns of bits. Locking them is just a _trick_ to convince people to cooperate with each other - a game theory setting where everyone finds it most beneficial to cooperate. The whole point of the economy is to manipulate real resources - various forms of matter and energy [1] and locking tokens is just a different way of social organization. "Liquidity" (of digital tokens) isn't a real resource. "Money" isn't a real resource. If there's less _real_ energy wasted, the new social organization system is more efficient. That's the objective metric underneath it all, and clearly PoS is a more efficient way of organizing massive human cooperation than PoW.

[1] theoretically matter is a different form of energy, but at the current technological level they are separate inputs to the human economy, except for nuclear power

[jude-]

> By the logic of that article asymmetric cryptography doesn't, because the value equal to what's protected by the key is magically wasted somewhere. Of course, that isn't true, because it's not possible to break asymmetric cryptography by brute force with expenditure equal to whatever is protected. Same applies to PoS.

Not quite. He's arguing that MC = MR implies that PoS is really PoW through obscure means. There's more to securing PoS than asymmetric cryptography -- namely, you have to convince everyone that your keys (and the coins attached to them) are legitimate, and not the next guy's keys and coins on a fork. Convincing people of this isn't a cost-free task, especially if there's wealth to be accumulated through convincing more and more people that your coins are legitimate, and everyone else's conflicting coins on different forks are not.

This game of convincing people that your fork is the true fork is exactly what stake-grinding is. Given a choice, and no a priori knowledge, which history of the PoS chain is the true history? What would convince you that one is legitimate, and the other is not? The article argues that the act of convincing you is, itself, a form of PoW. After all, without PoW, looking at the chainstate isn't convincing -- if you have staked coins today, you could easily create a fork of the chain history where everyone else stopped spending except for you. Without no 3rd party way to verify if that actually happened, you could go around trying to bribe people to accept that your subsequent transactions on this fork are the chain's "true" transactions. There's many tactics for doing this -- you could go on Twitter and spam everyone; you could organize events and rallies; you could even take malicious actions and disable your rivals. You and everyone trying to do the same thing would be in competition to convince everyone else that your fork is the "true" fork. But regardless of the tactics, all of them require expenditures on your part in the forms of time, energy, health, stress, etc. Hence the "PoW by obscurity" argument. But at the end of the day, you'd be unwise spend any more than you'd expect to receive in return because of MC = MR.

Here's a concrete example. The reason you can tell that there's a lot more belief that ETH is the true Ethereum fork, and not ETC, is because ETH has a much higher PoW score than ETC. Miners can choose between ETH and ETC to mine, and they mine the one whose tokens are worth more. ETH is worth more because more people value it. Therefore, PoW is a proxy measurement of the social consensus -- more people believe in ETH than ETC.

If ETH were PoS at the time of the split, it would be a lot less obvious from the chainstate which one people would choose to use. Both chains' participants would try to make it look like their chains had more users by some other means. But the point in the article is that those "other means" are not only costly actions, but also the marginal cost each fork can afford for these actions is, in equilibrium, equal to their respective marginal revenues.

[bhaak]

> If ETH were PoS at the time of the split, it would be a lot less obvious from the chainstate which one people would choose to use. Both chains' participants would try to make it look like their chains had more users by some other means. But the point in the article is that those "other means" are not only costly actions, but also the marginal cost each fork can afford for these actions is, in equilibrium, equal to their respective marginal revenues.

You forget that when the ETH/ETC split happened, the hashrate fluctuated immensely after the Poloniex listed ETC (and ETCs price skyrocketed) and many miners switched to mine ETC.

Now in hindsight it is obvious but during the chaotic days, it wasn't obvious which chain would be worth more in the future. That ETH had more POW done at that moment was unimportant. You had to use other means to decide which chain to use.

[jude-]

In other words, the PoW scores on ETH and ETC after the fork ultimately were predictive of how much one token was valued versus another. You are right that there was uncertainty at first -- and it was reflected in how much PoW each chain got! -- but for someone who's just now coming into crypto with no a priori knowledge of the event, the higher PoW score on ETH is indicative of higher market demand. Which is exactly my point.

[nootropicat]

>This game of convincing people that your fork is the true fork is exactly what stake-grinding is

Stake grinding is something else, in coins like NXT the producer of the next block was set by the seed based on the previous block, so it was possible to bruteforce blocks until you were also the next generator.

>The article argues that the act of convincing you is, itself, a form of PoW.

He makes a much stronger claim that resources spent on that (+ staking) are equal to revenue. There's an additional assumption in the article: he writes about marginal cost and revenue, but what he actually assumes is a system where average cost is equal to marginal cost, as it is in PoW under perfect competition. It's even equated explicitly in "“Rent” always forces production costs (MC) to always equal sale prices (MR)". He starts from the assumption that PoS uses exactly same resources as PoW and then shows it's true based on the assumption.

>Given a choice, and no a priori knowledge, which history of the PoS chain is the true history? What would convince you that one is legitimate, and the other is not?

What does 'true' and 'legitimate' mean here? The whole point is to interact with other people, so naturally I'm going to use the same network that people I want to interact with use. Same whether it's PoW or PoS - no real difference between choosing forks from some block height vs choosing networks with completely different genesis blocks and names.

Once the network is chosen a node has to follow it. The question of 'how long it's safe to be offline to reproduce the behavior of being online all the time' has a complex answer of percentage of slashed stake if two conflicting histories exist. Currently I think it's about 16% for one month, which is about $2B.

>Without no 3rd party way to verify if that actually happened, you could go around trying to bribe people to accept that your subsequent transactions on this fork are the chain's "true" transactions.

PoW doesn't change anything here, it's an arbitrary fork like any other. People that ended up with coins from mining can receive coins on your fork too, made with a much smaller mining difficulty. Mining cost is irrelevant because that's destroyed wealth - nobody ends up with it. The reason it won't happen in reality is because of network effects - even if you have external wealth able to pay enough at once to everyone that has to be paid, no single person wants to be left alone on a new fork - they would all have to move at once.

[jude-]

> it was possible to bruteforce blocks until you were also the next generator.

This sounds exactly like a special case of the game of convincing people that your fork is the true fork. NXT stakers each have their own preferred forks (i.e. the ones in which they get the most tokens), and are willing to spend energy to make it so their fork is accepted by the network.

> He starts from the assumption that PoS uses exactly same resources as PoW and then shows it's true based on the assumption.

Maybe it's not well-written here, but his argument is that PoS ultimately will require the same energy commitments as PoW through the act of each staker trying to convince both other stakers and newcomers (i.e. with no a priori knowledge of how the chain evolved) that their preferred fork is the fork the network accepts. A PoS chain may not take the same initial resources as a PoW chain, but it will over time.

Source: I've spoken to the author at conferences.

> What does 'true' and 'legitimate' mean here? The whole point is to interact with other people, so naturally I'm going to use the same network that people I want to interact with use.

And how do we know which fork this is, out of all the alternatives? You either have to ask people (i.e. you need a priori knowledge obtained out-of-band), or you need a way to independently but deterministically choose the fork that the economic majority of people use (which is the problem PoW solves).

> PoW doesn't change anything here, it's an arbitrary fork like any other.

Except, this is not what's happening in real life. People follow the canonical chain, and PoW helps them all determine what the canonical chain is without having to ask around.

[nootropicat]

>You either have to ask people (i.e. you need a priori knowledge obtained out-of-band)

Again, the only reason blockchains need consensus is to allow people to interact with each other - consensus is between people. Computers are just tools to make that easier. It's a fundamental contradiction to assume you can use any blockchain to make any economic transactions without interacting with other people - because economic transactions require other economic entities.

Of course when you assume something false you can prove any absurd result, like that PoS wastes same resources as PoW.

PoW relies on social coordination in the short term, because short term attacks are cheaper, so in the case of a 51% attack people would have to organize fast. PoS is extremely safe in the short term, and only maybe falls back on social coordination in the long term (again, only in the case of an attack), which is the correct security model.

>deterministically choose the fork that the economic majority of people use (which is the problem PoW solves)

No it doesn't. Mining revenue is an insignificant part of what the real consensus in any PoW coin is. For a while BCH had biggest revenues after the fork (because of their difficulty algorithm). Ethereum has higher mining revenues than bitcoin for months now (last 24h: $49M ethereum, $31.3M bitcoin) - does that make ethereum the true bitcoin now?

[jude-]

> Again, the only reason blockchains need consensus is to allow people to interact with each other - consensus is between people. Computers are just tools to make that easier. It's a fundamental contradiction to assume you can use any blockchain to make any economic transactions without interacting with other people - because economic transactions require other economic entities.

Did I say otherwise?

> Of course when you assume something false you can prove any absurd result, like that PoS wastes same resources as PoW.

Well, no widely-used PoS system exists (so we have no real-world examples to learn from), but despite this, you're insisting that no PoS system will use more than PoW from now until the last blockchain goes offline, despite these systems (in expectation) driving essentially unbound amounts of revenue. That's quite an extraordinary claim!

Let's steel-man this. Let's assume that a PoS blockchain becomes so widely successful that its token becomes a major world currency. Then what? Controlling a PoS node would be like controlling a country's reserve banks and mints. So, what keeps these nodes safe from asshats breaking into them and using them print themselves money? Like, why can't an armed band of asshats show up at my server rack and physically steal my validators' keys?

The answer of course is that the building security and law enforcement officers keep this from happening. But, where do these people come from? Who pays them? Where do they get their equipment? What do they do with the asshats they catch? How do they deal with escalations from asshats, and stay ahead of the asshats' tactics? How much energy is going into keeping these PoS nodes secure?

It appears that there is energy involved in keeping the PoS system running in the face of asshattery, and that energy is proportional to how important it is that it remains usable for the societies that rely on it. It seems, then, that the more successful PoS becomes, the more it co-opts the very infrastructure that keeps today's financial systems secure. That's a lot of energy!

So, in the event of success, I have no reason to believe that PoS will take less energy to secure than PoW, once I think about what has to go into securing a successful PoS system. At least with PoW, I can rest assured that if the asshats hijack a mining rig to print money, they'll have to continuously out-mine the rest of the world in perpetuity in order for their coins to remain realized on the canonical chain. PoS doesn't have that resiliency, which necessitates building and maintaining an extrinsic security apparatus to keep the staked coins from getting stolen in the first place. This security apparatus -- including all the laws, supply chains, manufacturing, and so on to keep it going as it becomes a more and more valuable target to asshats -- is on the MC side of the equation.

> No it doesn't. Mining revenue is an insignificant part of what the real consensus in any PoW coin is. For a while BCH had biggest revenues after the fork (because of their difficulty algorithm).

You've completely misread my comment. Miners mine on the chain that is most profitable to them, and the blockchains they mine on encode the history of their activities. Even though during a chain split it's not immediately apparent which resulting chain will attract the most miners over time, it does become apparent quickly enough. The revenues (and thus profits) come from users actually demanding the coins.

> Ethereum has higher mining revenues than bitcoin for months now (last 24h: $49M ethereum, $31.3M bitcoin) - does that make ethereum the true bitcoin now?

I thought it was widely understood that Bitcoin and Ethereum are not the same thing? If there is contention between two forks of the same blockchain, then PoW provides you a way to determine which one has more demand. PoW doesn't tell you anything about two different blockchains with two different difficulty algorithms (but it might tell you something about two different blockchains with the same difficult algorithm, such as Bitcoin vs Bitcoin Cash).

[CryptoPunk]

>>Except, this is not what's happening in real life. People follow the canonical chain, and PoW helps them all determine what the canonical chain is without having to ask around.

In POW you still have to ask around, to find out what the canonical consensus protocol is. Having more POW alone is not enough to have your chain accepted, as it still needs to be valid according to the other rules of the protocol.

Both POS and POW depend on some level of subjectivity/trust, even while the latter relies on it less than the former.

https://blog.ethereum.org/2014/11/25/proof-stake-learned-lov...

[jude-]

> Both POS and POW depend on some level of subjectivity/trust, even while the latter relies on it less than the former.

No one is arguing that you don't have a trusted computing base.

What is being argued is, why make the TCB bigger when it doesn't need to be? Why trust someone to tell me what the current validator set or fork tip when I boot up my node, when there exists protocols whereby the node figures this out automatically?

Some people say that the energy cost of PoS justifies this, but that's not really true in the long run. This is the point Paul Sztorc was making in his article about MC = MR -- competing PoS forks will still spend the same amount of trying to convince you that their preferred fork is the canonical fork. PoW does this as well, but it gains you an in-band way to discover this, thereby making the TCB lower than it would be in PoS.

[Andrew_nenakhov]

By the way, I believe that ETC is the 'true' Ethereum, and ETH was forever compromised by Buterik after that DAO fiasco. Code is Contract, but only until somebody decides otherwise.

(I fully understand that this belief of mine is not shared by the majority of Ethereum users.)

[eloff]

Paxos solves a different consensus problem than PoW or PoS.

The former is for when you control and trust all nodes in your network. The latter is for the more difficult problem of consensus when you don't trust the nodes - otherwise known as the Byzantine Generals problem in distributed systems research.

[Vervious]

Pretty sure Paxos is easily extended to the byzantine setting with digital signatures (i.e. Byzantine Paxos has also been around forever). Also PBFT has been around since the 1980s.

Only distinction is classical consensus is permissioned whereas blockchains are typically permissionless.

[xtracto]

Exactly. And paxos is not the best algorithm at it. There is Raft which is an alternative that is easier to understand.

[tlamponi]

Best in what metric?

raft and paxos are basically the same, besides leader election, which raft's take makes it simply easier and possible even more efficient[0]. I say "possible" because that depends very much on the consensus state over time, which in most actual workloads can be pretty stable, so at least in some practice, e.g., with hypervisor-cluster like we do, they perform almost the same. The simpler approach of raft can help if you create a library for it from scratch, or for easier understanding when coming into that space, otherwise the differences does not matter too much (in practice), IMO.

[0]: https://arxiv.org/abs/2004.05074

[eloff]

I gather OP means best because it's understandable and easier to implement. Paxos has a tough reputation and even Google fucked it up in the beginning according to their Chubby distributed lock paper.

[moralestapia]

I went through that as it was happening.

Vitalik Buterin & co. have no integrity.

Most people should be aware about how they defrauded everybody with the DAO and subsequent fork of Ethereum. But, of course, it has been conveniently sweeped under the rug.

[vvillena]

In a PoW chain, Vitalik Buterin can talk, propose, and make patches to an Etherum client, but it means nothing unless miners approve the changes by running the updated client. He is the most important voice in that coin's ecosystem, but miners are the ones who decided to approve the fork.

Switching consensus to a different set of rules is entirely within the scope of a PoW system, and it's based on the same mechanism that gives legitimacy to the rest of the blockchain. The original Bitcoin paper explains this perfectly, so I won't replicate it here.

[rcxdude]

> In a PoW chain, Vitalik Buterin can talk, propose, and make patches to an Etherum client, but it means nothing unless miners approve the changes by running the updated client. He is the most important voice in that coin's ecosystem, but miners are the ones who decided to approve the fork.

No, it means nothing unless users use, buy, and sell the coin. The miners' are subservient to them, assuming the miners are trying to make money. Miners do not decide or approve which set of consensus rules people decide to use, though they can, at a potentially quite significant loss, disrupt the functioning of the network somewhat.

[incrudible]

> Miners do not decide or approve which set of consensus rules people decide to use, though they can, at a potentially quite significant loss, disrupt the functioning of the network somewhat.

Miners are users. If they don't mine the blocks, the system literally doesn't work. Suppose that a large majority of miners refuses to upgrade for some reason. One part of the users can upgrade and wait for new blocks for a long time, while the users that don't upgrade can actually use the system as if nothing happened. Who is going to throw in the towel first? Maybe it's the miners, maybe it's the ETH holders, you can't know.

[CryptoPunk]

No, other users can easily institute a new lower difficulty in the upgrade to counteract the drop in POW from the defection of miners.

The subservience of miners to users at large in the determination of the market leading fork is best exemplified in the scenario of users switching to a PoS chain. In this case the miners have no power to sabotage the upgraded chain.

[incrudible]

> No, other users can easily institute a new lower difficulty in the upgrade to counteract the drop in POW from the defection of miners.

Sure, you can alternatively anticipate that your fork will not get miner support and give it low difficulty, leaving it vulnerable to spam instead.

It doesn't change the fact that this fork now only has a tiny share of the hashrate, no better than some random altcoin. Why should it be considered the "real" chain? Because it has Vitalik Buterin's face on it? Maybe that works for Ethereum, but it wouldn't work for Bitcoin.

> The subservience of miners to users at large in the determination of the market leading fork is best exemplified in the scenario of users switching to a PoS chain.

...which hasn't happened yet. Of course, if your users don't care about hashrate or PoW, you can transition the software to anything. Maybe that's true for Ethereum. That doesn't make miners subservient. Either they're highly influential (PoW) or they're not part of the picture at all (PoS). There's no scenario in which you can force miners to adopt some change.

[didericis]

I don't see how switching consensus from a proof of work system to proof of stake system "is entirely within the scope of a PoW system". If the majority of the network decides to do that, I understand why that makes it valid, and this is intentionally hyperbolic/don't think proof of stake is properly viewed like this, but to me that reads like "voting in a dictatorship is entirely within the scope of a democratic system". Technically it might be true, but the moment you make that valid democratic decision a decision like that can't happen the same way again.

[programmarchy]

Creating a fork is not a fraud. That was and is always a possibility, people were free to disagree, and Ethereum Classic represents that disagreement. If you went through that, then you would have ETH and ETC, and a choice of what to use, develop, mine, etc.

[moralestapia]

If I had created the DAO and I was the one going to lose 50 million, no fork would have happened, and Buterin (and you probably) would have told me, from their high horses, "though luck pal, you see, that's the beauty of smart contracts, they're final and no one should be able to do anything about it".

If you preach a set of principles and then backtrack on them when it's convenient for you, you're a hypocrite and have no integrity. If you do this on purpose, to deceive people, and there's money involved then you arrived at the definition of fraud, +- some extra words.

[npip99]

That's because the $50M were owned by a large percentage of the users of Ethereum, not a single person. It represented 15% of the total ETH in circulation, back when the currency was in a very nascent state and the flagship product that ETH provided that BTC didn't, was the DAO. When the DAO break happened ETH lost 60% of its value, so not only did 15% of people have their money stolen, but everyone across the board lost 60% of their ETH value. There was simply immense demand for people to get their money back, so people much preferred the fork that kept their money than the fork where the robber stole their money.

Simple as that, it's decentralized, that's the whole point, you fundamentally can't tell people which fork to believe, people use whatever fork they want. And the people mostly wanted the fork with their money in the DAO preserved. People who wanted the unaltered chain stayed there, no big deal.

[tornato7]

Exactly. Ethereum users and miners legitimized the patched chain and that's what continued forward.

A hacker minted free Bitcoin in 2010 and the chain forked to remove that transaction. But nobody's talking about that being a scam. How is the Dao hack any different?

[short]

When a pretty well known main ethereum developer lost $ 250 million due to a smart-contract bug, nothing was reverted

https://news.bitcoin.com/parity-calls-for-ethereum-hard-fork...

[boublepop]

If you had been the creator there would still be absolutely nothing you could do to prevent a fork. You could throw a hissyfit and scream all you want on Twitter, but the fork would still happen.

[short]

can you be more specific? on blockchains, differences of opinion are always solved with forks - and users follow the chain they agree with which makes it the most valuable chain.

[sktrdie]

Didn’t he just donate a billion to India?

[yaa_minu]

He donated a billion dollar worth of an illiquid shitcoin[0] sent to him by the scammers who created.

0. https://shibatoken.com/

[tornato7]

Plus millions of dollars worth of ETH

[boruto]

That's a very simplistic way of putting it.

[Matthias1]

> Without mining, less electricity is used in mining, and less silicon is used in mining chips. Are these resources available for extra production? Yes. However, these “non-wasted” resources are offset by other resources which are “wasted”.

This would seem to be the main argument of that second article you posted summarizing the economics around PoS. The idea is that if you’re backing your crypto with itself (like in a PoS), the value that is locked in the staking system could be doing something else. (This is a very real point in that it doesn’t help decentralization—the same people that would stake their coin could spend that money mining Bitcoin.)

But it doesn’t seem to address any points in the conversation around the ethics of using electricity as a basis for proof of work.

[fredfoobar]

Electricity is the best form of energy to use as the basis for Proof of Work, because there is no pre-requisite on how to generate the required electricity.

compare: electric cars vs ice cars, electric cars can also end up consuming "dirty" electricity from coal fired plants, but that's an option vs. ice cars.

[Reason077]

Could the concept of proof-of-work be extended to prove that work was done cleanly, ie: using only renewable electricity rather than that produced from fossil fuels?

Perhaps renewable electricity producers could issue some sort of signed token which is then incorporated into the blockchain as proof that renewable electricity was purchased?

[runeks]

A digital signature can never prove anything about the world. And this doesn’t change by putting it in a blockchain.

[rcxdude]

You've now introduced a set of trusted entities validating something for consensus. Why bother with proof of work at that point? You only need it because you can't agree on a trusted subset of participants with the rest of the network.

[fredfoobar]

If we had a way to do this, why would we just limit it to crypto?

[paul_f]

I translate PoW as Proof of Waste.

[fredfoobar]

This is a great comment paul_f, keep it up. You're adding a lot of value on HN.

[jkhdigital]

What is ethically wrong with using electricity? Or have you skipped a few steps in your argument?

[Matthias1]

There are serious environmental concerns being raised about the amount of electricity being used to mine Bitcoin (see, e.g.: https://news.ycombinator.com/item?id=27135776). My comment does assume that less electricity use is good, because that's the context in which Ethereum posted this.

I'm mining crypto (very small amounts) as I as I type this, so I'm definitely not going to make the case that all crypto mining is an immoral waste of electricity. But I remain very interested in transition to a PoS system, so as to reduce the strain of crypto on the environment.

[jkhdigital]

All human economic activity that uses electricity should be judged by the same standard then. I think the unstated premise of most of these arguments is that crypto provides no meaningful economic benefit to society, and thus the use of real resources (that sometimes produces pollution as a byproduct, depending on the source) is immoral.

[elif]

"about to release" nothing

We use Eth 2.0 since December. Staking is even available with insurance on coinbase.

If you keep your copy pasta up to date, your FUD will be more believable.

[kordlessagain]

Energy usage and price are related. Should be interesting.

[hanniabu]

If there's no other utility than speculation like is the case with BTC, then yes I agree.

[kolinko]

Paxos requires multiple parties to vote on what’s the correct result. The killer issue there is that it doesn’t solve a sybil attack - you either need a central authority in Paxos that chooses which machines run it, or you will end up with an attacker setting up a million machines in a cloud and overvoting everyone.

[gnramires]

I think it's hypocritical to call this fraud: this contract itself was exploited for a loophole; if you declare it valid as allowed by the protocol, then simply changing the protocol (which is what was done temporarily) is also valid and according to the working of the system. I think it was within the spirit of the system to work this way.

[jude-]

The same people who loudly proclaimed "Code is Law" also wrote The DAO. Therefore, any action the code takes is legitimate.