by jude- 1862 days ago
> it was possible to bruteforce blocks until you were also the next generator.

This sounds exactly like a special case of the game of convincing people that your fork is the true fork. NXT stakers each have their own preferred forks (i.e. the ones in which they get the most tokens), and are willing to spend energy to make it so their fork is accepted by the network.

> He starts from the assumption that PoS uses exactly the same resources as PoW and then shows it's true based on the assumption.

Maybe it's not well-written here, but his argument is that PoS ultimately will require the same energy commitments as PoW through the act of each staker trying to convince both other stakers and newcomers (i.e. with no a priori knowledge of how the chain evolved) that their preferred fork is the fork the network accepts. A PoS chain may not take the same initial resources as a PoW chain, but it will over time.

Source: I've spoken to the author at conferences.

> What does 'true' and 'legitimate' mean here? The whole point is to interact with other people, so naturally I'm going to use the same network that people I want to interact with use.

And how do we know which fork this is, out of all the alternatives? You either have to ask people (i.e. you need a priori knowledge obtained out-of-band), or you need a way to independently but deterministically choose the fork that the economic majority of people use (which is the problem PoW solves).

> PoW doesn't change anything here, it's an arbitrary fork like any other.

Except, this is not what's happening in real life. People follow the canonical chain, and PoW helps them all determine what the canonical chain is without having to ask around.

2 comments

>You either have to ask people (i.e. you need a priori knowledge obtained out-of-band)

Again, the only reason blockchains need consensus is to allow people to interact with each other - consensus is between people. Computers are just tools to make that easier. It's a fundamental contradiction to assume you can use any blockchain to make any economic transactions without interacting with other people - because economic transactions require other economic entities.

Of course when you assume something false you can prove any absurd result, like that PoS wastes the same resources as PoW.

PoW relies on social coordination in the short term, because short term attacks are cheaper, so in the case of a 51% attack people would have to organize fast. PoS is extremely safe in the short term, and only maybe falls back on social coordination in the long term (again, only in the case of an attack), which is the correct security model.

>deterministically choose the fork that the economic majority of people use (which is the problem PoW solves)

No it doesn't. Mining revenue is an insignificant part of what the real consensus in any PoW coin is. For a while BCH had the biggest revenues after the fork (because of their difficulty algorithm). Ethereum has had higher mining revenues than bitcoin for months now (last 24h: $49M ethereum, $31.3M bitcoin) - does that make ethereum the true bitcoin now?

> Again, the only reason blockchains need consensus is to allow people to interact with each other - consensus is between people. Computers are just tools to make that easier. It's a fundamental contradiction to assume you can use any blockchain to make any economic transactions without interacting with other people - because economic transactions require other economic entities.

Did I say otherwise?

> Of course when you assume something false you can prove any absurd result, like that PoS wastes the same resources as PoW.

Well, no widely-used PoS system exists (so we have no real-world examples to learn from), but despite this, you're insisting that no PoS system will use more than PoW from now until the last blockchain goes offline, despite these systems (in expectation) driving essentially unbound amounts of revenue. That's quite an extraordinary claim!

Let's steel-man this. Let's assume that a PoS blockchain becomes so widely successful that its token becomes a major world currency. Then what? Controlling a PoS node would be like controlling a country's reserve banks and mints. So, what keeps these nodes safe from asshats breaking into them and using them to print themselves money? Like, why can't an armed band of asshats show up at my server rack and physically steal my validators' keys?

The answer of course is that the building security and law enforcement officers keep this from happening. But, where do these people come from? Who pays them? Where do they get their equipment? What do they do with the asshats they catch? How do they deal with escalations from asshats, and stay ahead of the asshats' tactics? How much energy is going into keeping these PoS nodes secure?

It appears that there is energy involved in keeping the PoS system running in the face of asshattery, and that energy is proportional to how important it is that it remains usable for the societies that rely on it. It seems, then, that the more successful PoS becomes, the more it co-opts the very infrastructure that keeps today's financial systems secure. That's a lot of energy!

So, in the event of success, I have no reason to believe that PoS will take less energy to secure than PoW, once I think about what has to go into securing a successful PoS system. At least with PoW, I can rest assured that if the asshats hijack a mining rig to print money, they'll have to continuously out-mine the rest of the world in perpetuity in order for their coins to remain realized on the canonical chain. PoS doesn't have that resiliency, which necessitates building and maintaining an extrinsic security apparatus to keep the staked coins from getting stolen in the first place. This security apparatus -- including all the laws, supply chains, manufacturing, and so on to keep it going as it becomes a more and more valuable target to asshats -- is on the MC side of the equation.

> No it doesn't. Mining revenue is an insignificant part of what the real consensus in any PoW coin is. For a while BCH had the biggest revenues after the fork (because of their difficulty algorithm).

You've completely misread my comment. Miners mine on the chain that is most profitable to them, and the blockchains they mine on encode the history of their activities. Even though during a chain split it's not immediately apparent which resulting chain will attract the most miners over time, it does become apparent quickly enough. The revenues (and thus profits) come from users actually demanding the coins.

> Ethereum has had higher mining revenues than bitcoin for months now (last 24h: $49M ethereum, $31.3M bitcoin) - does that make ethereum the true bitcoin now?

I thought it was widely understood that Bitcoin and Ethereum are not the same thing? If there is contention between two forks of the same blockchain, then PoW provides you a way to determine which one has more demand. PoW doesn't tell you anything about two different blockchains with two different difficulty algorithms (but it might tell you something about two different blockchains with the same difficulty algorithm, such as Bitcoin vs Bitcoin Cash).

>>Except, this is not what's happening in real life. People follow the canonical chain, and PoW helps them all determine what the canonical chain is without having to ask around.

In POW you still have to ask around, to find out what the canonical consensus protocol is. Having more POW alone is not enough to have your chain accepted, as it still needs to be valid according to the other rules of the protocol.

Both POS and POW depend on some level of subjectivity/trust, even while the latter relies on it less than the former.

https://blog.ethereum.org/2014/11/25/proof-stake-learned-lov...

> Both POS and POW depend on some level of subjectivity/trust, even while the latter relies on it less than the former.

No one is arguing that you don't have a trusted computing base.

What is being argued is, why make the TCB bigger when it doesn't need to be? Why trust someone to tell me what the current validator set or fork tip is when I boot up my node, when there exist protocols whereby the node figures this out automatically?

Some people say that the energy cost of PoS justifies this, but that's not really true in the long run. This is the point Paul Sztorc was making in his article about MC = MR -- competing PoS forks will still spend the same amount trying to convince you that their preferred fork is the canonical fork. PoW does this as well, but it gains you an in-band way to discover this, thereby making the TCB lower than it would be in PoS.

>>What is being argued is, why make the TCB bigger when it doesn't need to be?

That's the point of debate: of course PoS proponents argue you can get more security at a given economic cost than you can with PoW, and that more than makes up for the security loss from the TCB being bigger.

Sztorc's argument is heavily disputed in this thread, and you can see the arguments against it in the critiques provided.

Making the TCB bigger makes PoS less secure overall. If you pick the wrong validator set when you boot your node up, you're fucked -- your node will never discover the chain history which represents actual user activity [1]. PoS is the blockchain equivalent of forcing users to pick out which TLS certificates they trust when they install their OS. PoW is the blockchain equivalent to your OS having a way to discover which TLS certificates the majority of the Internet currently trusts in-band, as well as a way to upgrade them to the newly-trusted set if the majority switches.

The sad part is, PoS doesn't even gain you anything -- it's not cheaper. It's just a feel-good measure that doesn't solve the underlying problem.

> Sztorc's argument is heavily disputed in this thread, and you can see the arguments against it in the critiques provided.

Other people not understanding the argument doesn't make the argument wrong.

[1] The proof is in the appendix of this paper: https://eprint.iacr.org/2016/919.pdf. The gist is that they show that two forks are indistinguishable without a priori knowledge of which validator set is not corrupt.

>>Making the TCB bigger makes PoS less secure overall.

That is a debatable point. The TCB amounts to a single hash, that the global Ethereum userbase has had at least three months to converge on, with extremely obvious ways of establishing its correctness. If that can't be securely established, it's unlikely a consensus on the correct software distribution channels can be established either, meaning new users would still be completely fucked.

And there are other factors that establish the security of the network besides how much subjectivity plays a role in consensus, like the economic incentives dissuading an attack, and the difficulty of acquiring the economic assets needed to attack the chain.

> That is a debatable point. The TCB amounts to a single hash, that the global Ethereum userbase has had at least three months to converge on, with extremely obvious ways of establishing its correctness. If that can't be securely established, it's unlikely a consensus on the correct software distribution channels can be established either, meaning new users would still be completely fucked.

Sure, let's use Ethereum 2.0 as an example (but note that both myself and the linked paper talk about PoS in general). Suppose I'm a newcomer to Ethereum 2.0 well after it launches. Suppose that, sometime after the launch but before my arrival on the scene, there's another DAO-like event where there's been a contentious chain split, and lots of bad blood on both sides of the split between developers, users, and exchanges. If I'm only interested in using the chain with the most economic activity, then why should I trust you and your servers to tell me who the initial validators are, especially now that you have a financial reason to tell me your preferred fork? It's like a bank asking me to choose between multiple sets of TLS certificates for all the banks I could conceivably use without giving me a chance to vet them -- why would I ever do this? And how would I even do this reliably?

In PoS, all I have to go on is your word against the others (this is the proof the paper makes) -- there is no way around this. In PoW, I can compare the hashpower between forks and use that to determine on my own which fork has the more valuable coin (and thus the larger economy for it). This, by itself, is a strictly more resilient system design.

What Paul Sztorc is saying is that in the event of contention between competing validator sets, both validators will spend resources equivalent to PoW trying to convince all these newcomers that their validators represent the most economic activity. This includes, but is not limited to, spending energy keeping your validator nodes from getting stolen or hijacked in a bid to change the validator set without consent. So, not only are the energy savings that TFA touts expected to disappear in the long run, but also the energy spend won't even help make the protocol more resilient.
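
The in-band comparison discussed in this thread (weigh competing forks by the work behind them, and reject a fork whose headers do not validate no matter how much work it claims), as an added example that is not part of any comment above. The header layout, field names and sample forks are constructed for illustration; as a simplification each header declares its own target, whereas a real chain fixes the target through its consensus rules.

```python
import hashlib

GENESIS = b"\x00" * 32  # constructed fork point shared by all sample forks

def header_hash(h):
    data = h["prev"] + h["payload"] + h["target"].to_bytes(32, "big") + h["nonce"].to_bytes(8, "big")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def meets_target(h):
    return int.from_bytes(header_hash(h), "big") <= h["target"]

def fork_work(fork, fork_point=GENESIS):
    """Cumulative expected hashes behind a fork, or None if any header is invalid."""
    prev, total = fork_point, 0
    for h in fork:
        # More claimed work is not enough: linkage and the PoW itself must verify.
        if h["prev"] != prev or not meets_target(h):
            return None
        total += 2**256 // (h["target"] + 1)  # expected tries to meet this target
        prev = header_hash(h)
    return total

def choose_fork(forks):
    """Return (name of heaviest valid fork, per-fork work) using only the headers."""
    scored = {name: fork_work(f) for name, f in forks.items()}
    valid = {n: w for n, w in scored.items() if w is not None}
    return (max(valid, key=valid.get) if valid else None), scored

def build(label, length, target):
    """Toy miner, used only to construct the sample forks below."""
    prev, fork = GENESIS, []
    for i in range(length):
        h = {"prev": prev, "payload": f"{label}-{i}".encode(), "target": target, "nonce": 0}
        while not meets_target(h):
            h["nonce"] += 1
        fork.append(h)
        prev = header_hash(h)
    return fork

# Constructed sample data: "a" is longer, "b" is shorter but mined at 16x the difficulty.
FORKS = {"a": build("a", 5, 2**248), "b": build("b", 2, 2**244)}
# A forged header that claims a very hard target without having done the work.
FORKS["forged"] = [{"prev": GENESIS, "payload": b"x", "target": 2**200, "nonce": 0}]

if __name__ == "__main__":
    print(choose_fork(FORKS))
```

The shorter fork wins because the comparison is by accumulated work rather than block count, and the forged fork scores nothing because its header hash does not meet the target it declares.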