[nootropicat]

>This game of convincing people that your fork is the true fork is exactly what stake-grinding is

Stake grinding is something else, in coins like NXT the producer of the next block was set by the seed based on the previous block, so it was possible to bruteforce blocks until you were also the next generator.

>The article argues that the act of convincing you is, itself, a form of PoW.

He makes a much stronger claim that resources spent on that (+ staking) are equal to revenue. There's an additional assumption in the article: he writes about marginal cost and revenue, but what he actually assumes is a system where average cost is equal to marginal cost, as it is in PoW under perfect competition. It's even equated explicitly in "“Rent” always forces production costs (MC) to always equal sale prices (MR)". He starts from the assumption that PoS uses exactly same resources as PoW and then shows it's true based on the assumption.

>Given a choice, and no a priori knowledge, which history of the PoS chain is the true history? What would convince you that one is legitimate, and the other is not?

What does 'true' and 'legitimate' mean here? The whole point is to interact with other people, so naturally I'm going to use the same network that people I want to interact with use. Same whether it's PoW or PoS - no real difference between choosing forks from some block height vs choosing networks with completely different genesis blocks and names.

Once the network is chosen a node has to follow it. The question of 'how long it's safe to be offline to reproduce the behavior of being online all the time' has a complex answer of percentage of slashed stake if two conflicting histories exist. Currently I think it's about 16% for one month, which is about $2B.

>Without no 3rd party way to verify if that actually happened, you could go around trying to bribe people to accept that your subsequent transactions on this fork are the chain's "true" transactions.

PoW doesn't change anything here, it's an arbitrary fork like any other. People that ended up with coins from mining can receive coins on your fork too, made with a much smaller mining difficulty. Mining cost is irrelevant because that's destroyed wealth - nobody ends up with it. The reason it won't happen in reality is because of network effects - even if you have external wealth able to pay enough at once to everyone that has to be paid, no single person wants to be left alone on a new fork - they would all have to move at once.

[jude-]

> it was possible to bruteforce blocks until you were also the next generator.

This sounds exactly like a special case of the game of convincing people that your fork is the true fork. NXT stakers each have their own preferred forks (i.e. the ones in which they get the most tokens), and are willing to spend energy to make it so their fork is accepted by the network.

> He starts from the assumption that PoS uses exactly same resources as PoW and then shows it's true based on the assumption.

Maybe it's not well-written here, but his argument is that PoS ultimately will require the same energy commitments as PoW through the act of each staker trying to convince both other stakers and newcomers (i.e. with no a priori knowledge of how the chain evolved) that their preferred fork is the fork the network accepts. A PoS chain may not take the same initial resources as a PoW chain, but it will over time.

Source: I've spoken to the author at conferences.

> What does 'true' and 'legitimate' mean here? The whole point is to interact with other people, so naturally I'm going to use the same network that people I want to interact with use.

And how do we know which fork this is, out of all the alternatives? You either have to ask people (i.e. you need a priori knowledge obtained out-of-band), or you need a way to independently but deterministically choose the fork that the economic majority of people use (which is the problem PoW solves).

> PoW doesn't change anything here, it's an arbitrary fork like any other.

Except, this is not what's happening in real life. People follow the canonical chain, and PoW helps them all determine what the canonical chain is without having to ask around.

[nootropicat]

>You either have to ask people (i.e. you need a priori knowledge obtained out-of-band)

Again, the only reason blockchains need consensus is to allow people to interact with each other - consensus is between people. Computers are just tools to make that easier. It's a fundamental contradiction to assume you can use any blockchain to make any economic transactions without interacting with other people - because economic transactions require other economic entities.

Of course when you assume something false you can prove any absurd result, like that PoS wastes same resources as PoW.

PoW relies on social coordination in the short term, because short term attacks are cheaper, so in the case of a 51% attack people would have to organize fast. PoS is extremely safe in the short term, and only maybe falls back on social coordination in the long term (again, only in the case of an attack), which is the correct security model.

>deterministically choose the fork that the economic majority of people use (which is the problem PoW solves)

No it doesn't. Mining revenue is an insignificant part of what the real consensus in any PoW coin is. For a while BCH had biggest revenues after the fork (because of their difficulty algorithm). Ethereum has higher mining revenues than bitcoin for months now (last 24h: $49M ethereum, $31.3M bitcoin) - does that make ethereum the true bitcoin now?

[jude-]

> Again, the only reason blockchains need consensus is to allow people to interact with each other - consensus is between people. Computers are just tools to make that easier. It's a fundamental contradiction to assume you can use any blockchain to make any economic transactions without interacting with other people - because economic transactions require other economic entities.

Did I say otherwise?

> Of course when you assume something false you can prove any absurd result, like that PoS wastes same resources as PoW.

Well, no widely-used PoS system exists (so we have no real-world examples to learn from), but despite this, you're insisting that no PoS system will use more than PoW from now until the last blockchain goes offline, despite these systems (in expectation) driving essentially unbound amounts of revenue. That's quite an extraordinary claim!

Let's steel-man this. Let's assume that a PoS blockchain becomes so widely successful that its token becomes a major world currency. Then what? Controlling a PoS node would be like controlling a country's reserve banks and mints. So, what keeps these nodes safe from asshats breaking into them and using them print themselves money? Like, why can't an armed band of asshats show up at my server rack and physically steal my validators' keys?

The answer of course is that the building security and law enforcement officers keep this from happening. But, where do these people come from? Who pays them? Where do they get their equipment? What do they do with the asshats they catch? How do they deal with escalations from asshats, and stay ahead of the asshats' tactics? How much energy is going into keeping these PoS nodes secure?

It appears that there is energy involved in keeping the PoS system running in the face of asshattery, and that energy is proportional to how important it is that it remains usable for the societies that rely on it. It seems, then, that the more successful PoS becomes, the more it co-opts the very infrastructure that keeps today's financial systems secure. That's a lot of energy!

So, in the event of success, I have no reason to believe that PoS will take less energy to secure than PoW, once I think about what has to go into securing a successful PoS system. At least with PoW, I can rest assured that if the asshats hijack a mining rig to print money, they'll have to continuously out-mine the rest of the world in perpetuity in order for their coins to remain realized on the canonical chain. PoS doesn't have that resiliency, which necessitates building and maintaining an extrinsic security apparatus to keep the staked coins from getting stolen in the first place. This security apparatus -- including all the laws, supply chains, manufacturing, and so on to keep it going as it becomes a more and more valuable target to asshats -- is on the MC side of the equation.

> No it doesn't. Mining revenue is an insignificant part of what the real consensus in any PoW coin is. For a while BCH had biggest revenues after the fork (because of their difficulty algorithm).

You've completely misread my comment. Miners mine on the chain that is most profitable to them, and the blockchains they mine on encode the history of their activities. Even though during a chain split it's not immediately apparent which resulting chain will attract the most miners over time, it does become apparent quickly enough. The revenues (and thus profits) come from users actually demanding the coins.

> Ethereum has higher mining revenues than bitcoin for months now (last 24h: $49M ethereum, $31.3M bitcoin) - does that make ethereum the true bitcoin now?

I thought it was widely understood that Bitcoin and Ethereum are not the same thing? If there is contention between two forks of the same blockchain, then PoW provides you a way to determine which one has more demand. PoW doesn't tell you anything about two different blockchains with two different difficulty algorithms (but it might tell you something about two different blockchains with the same difficult algorithm, such as Bitcoin vs Bitcoin Cash).

[CryptoPunk]

>>Except, this is not what's happening in real life. People follow the canonical chain, and PoW helps them all determine what the canonical chain is without having to ask around.

In POW you still have to ask around, to find out what the canonical consensus protocol is. Having more POW alone is not enough to have your chain accepted, as it still needs to be valid according to the other rules of the protocol.

Both POS and POW depend on some level of subjectivity/trust, even while the latter relies on it less than the former.

https://blog.ethereum.org/2014/11/25/proof-stake-learned-lov...

[jude-]

> Both POS and POW depend on some level of subjectivity/trust, even while the latter relies on it less than the former.

No one is arguing that you don't have a trusted computing base.

What is being argued is, why make the TCB bigger when it doesn't need to be? Why trust someone to tell me what the current validator set or fork tip when I boot up my node, when there exists protocols whereby the node figures this out automatically?

Some people say that the energy cost of PoS justifies this, but that's not really true in the long run. This is the point Paul Sztorc was making in his article about MC = MR -- competing PoS forks will still spend the same amount of trying to convince you that their preferred fork is the canonical fork. PoW does this as well, but it gains you an in-band way to discover this, thereby making the TCB lower than it would be in PoS.

[CryptoPunk]

>>What is being argued is, why make the TCB bigger when it doesn't need to be?

That's the point of debate: of course PoS proponents argue you can get more security at a given economic cost than you can with PoW, and that more than makes up for the security loss from the TCB bigger.

Sztorc's argument is heavily disputed in this thread, and you can see the arguments against it in the critiques provided.

[jude-]

Making the TCB bigger makes PoS less secure overall. If you pick the wrong validator set when you boot your node up, you're fucked -- your node will never discover the chain history which represents actual user activity [1]. PoS is the blockchain equivalent of forcing users to pick out which TLS certificates they trust when they install their OS. PoW is the blockchain equivalent to your OS having a way to discover which TLS certificates the majority of the Internet currently trusts in-band, as well as a way to upgrade them to the newly-trusted set if the majority switches.

The sad part is, PoS doesn't even gain you anything -- it's not cheaper. It's just a feel-good measure that doesn't solve the underlying problem.

> Sztorc's argument is heavily disputed in this thread, and you can see the arguments against it in the critiques provided.

Other people not understanding the argument doesn't make the argument wrong.

[1] The proof is in the appendix of this paper: https://eprint.iacr.org/2016/919.pdf. The gist is that they show that two forks are indistinguishable without a priori knowledge of which validator set is not corrupt.

[CryptoPunk]

>>Making the TCB bigger makes PoS less secure overall.

That is a debatable point. The TCB amounts to a single hash, that the global Ethereum userbase has had at least three months to converge on, with extremely obvious ways of establishing its correctness. If that can't be securely established, it's unlikely a consensus on the correct software distribution channels can be established either, meaning new users would still be completely fucked.

And there are other factors that establish the security of the network besides how much subjectivity plays a role in consensus, like the economic incentives dissuading an attack, and the difficulty of acquiring the economic assets needed to attack the chain.