by Gosper 1684 days ago
I don't know why you were flagged, but if your question was in earnest:

Bitcoin almost certainly won't move. Because those touted energy efficient protocols come at the cost of much weaker security guarantees which undermine a key point of Bitcoin.

Proof of stake, the forerunner of energy efficient protocols, may work better for networks that have different aims, although smart contract oriented blockchains still need good security to be trusted.

The stupendous levels of complexity involved in trying to hammer out proof of stake into a viable method of energy efficient mining make the approach look ever more unpromising.

Ethereum keeps delaying the switch and the touted 2022 migration has once again been kicked into the long grass after this paper from a few weeks ago: https://arxiv.org/abs/2110.10086

Led to: https://nvd.nist.gov/vuln/detail/CVE-2021-42764 https://nvd.nist.gov/vuln/detail/CVE-2021-42765 https://nvd.nist.gov/vuln/detail/CVE-2021-42766


Here's one of Ethereum's lead researchers talking about the attacks in that paper. The fixes are simple and not expected to delay the merge.

https://blog.ethereum.org/2021/11/02/finalized-no-31/

Written for public consumption that post conveys a great deal of certainty while eliding over doubts:

"Change fork choice rule to mitigate balancing and reorging attacks"

https://ethresear.ch/t/change-fork-choice-rule-to-mitigate-b...

And more fundamentally at the heart of the matter

https://ethresear.ch/t/comment-on-three-attacks-on-proof-of-...

> Moreover, there is a general argument that the attacker will always be able to keep the consensus from finalizing no matter what the fix is.

> The argument simply comes from the fact that mathematically provable binary consensus algorithms known in this universe have n^2 behavior, and ETH2 is linear in n.

> Therefore, the only way to really fix ETH2 is to make it n^2. Otherwise it is unfixable from the math point of view. There will always be another attack.

> It may be that by continuing patching a fix after a fix after a fix one can end up with something that will work from an engineering point of view.

> This will be security by obscurity.

> But it will not be secure from the math point of view.

So while bodging in patches might work one day, it's an immature approach and a scary place to try to store value.

The sheer number of moving parts creates a scary amount of emergent complexity, and complexity is the enemy of security.

Disclosure: I'm an early but now uncomfortable ETH holder.

On the "fundamental" link, see this reply that appeared after you commented:

"The reason that Ethereum’s consensus can run in n time rather than n^2 is BLS signature aggregation. The attacks in the paper however aren’t attacks on signature aggregation. So I don’t think your argument is valid."

> mathematically provable binary consensus algorithms known in this universe have n^2 behavior

Is there a convenient way for an uneducated schmuck like me to read up on this? Just a comment without references isn't much to go on.

It really was in earnest! I don't keep up with crypto news so just assumed this was something being worked on somehow.

Your answer would have fitted well with the thread that responded to my question!

As difficult as the vulnerabilities of PoS are to solve, at least there's nothing yet to say that they can't be solved given enough work; whereas, from what everyone is saying, the energy problem is essential to PoW as such?

With PoW all that burned energy creates a strong root of trust.

How do you establish that root of trust with PoS? Current approaches are ultimately circular, i.e. trust it because the majority holders of the coin are continually voting to trust it.

You need a good initial distribution.

With Bitcoin mining pools it looks like there's just as much centralization (if not more) as with proof of stake.

The difference being you don’t need to ask existing Bitcoin miners for permission to begin mining Bitcoin yourself. Conversely, staking is inherently impossible without first obtaining “stake” — and how can you obtain stake without the approval of existing stakers?

You don't need permission, but you do need money to buy mining hardware. Might as well buy a stake for that money instead. Same thing, isn't it?

> Same thing, isn't it?

US dollar payments aren’t subject to the approval of stakers, and existing PoW miners have no on-chain mechanism to prevent new market entrants from competing against them for hashrate.

So, “no”.

To begin staking, you first need stake. But merely transferring a PoS coin from an exchange to your own wallet for subsequent staking is inherently impossible without the approval of existing stakers. Even this isn't enough: existing stakers must also approve of your initial staking transactions.

Which is not how PoW mining works.

PoS is something fundamentally different from PoW. PoS-like ideas were around since before PoW, but such a system can never be used in a trustless way, which was what PoW enabled.

So it's fair to say that Bitcoin could never "transition" to PoS since the whole premise from the start was that it wasn't! It could not exist before. Now that it exists, and has been shown to work, it has caused a Cambrian explosion of sorts of protocols with less reliance on trustlessness. But they solve a different problem.

> Because those touted energy efficient protocols come at the cost of much weaker security guarantees which undermine a key point of Bitcoin

That's FUD. Protocols like Bitcoin can fork, whereas others don't. Thus, Bitcoin, and proof-of-work, are less secure protocols.

You can fork endlessly and each fork won't matter one whit because they don't follow the longest chain secured with the most hashing power.

Or your fork can follow the longest chain and abide by the rules so your transactions are accepted by the rest of the network, in which case you're using Bitcoin and haven't forked.

The problem is that you never know if you’re on a fork, or if there’s going to be a reorg.

So you then follow that chain and try to transact on it. If your counterparty is satisfied then cool, carry on separately in your own bubble.

As you continue to transact with the rest of the world you'll realize you were both on a fork as you eventually encounter a chain with a much greater block height and you figure out that's where the current consensus lies.

You will still have your UTXOs on the main chain since the transaction won't exist there. You and your counterparty figure out which chain is subjectively valuable to you.

In reality you ascertain the provenance of the software you're using the same way as all other software. If you fall for a supply chain attack and use the wrong software then all bets are off, you're vulnerable to your attacker and anything can happen.

You don't know if there's going to be a reorg in as much as relying on quantum mechanics you don't know you're not going to fall through the floor. Nothing is certain, only somewhere on the scale of probable to improbable. Look at the available current hashpower and decide where the incentives lie.

Anyway this is getting into the epistemological weeds. How do you know the universe/simulation you think you're in wasn't created last Thursday? https://rationalwiki.org/wiki/Last_Thursdayism
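As an added example (not code from the thread or from any Bitcoin client), here is a toy model of the fork-choice rule the comment above describes: a node follows the chain with the most cumulative proof of work rather than the most blocks, and switching chains means rolling back every local block after the fork point, which is the reorg the other commenter worries about. Block ids and targets below are constructed values; only the chainwork formula and the difficulty-1 target are Bitcoin's.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Bitcoin's difficulty-1 target (nBits 0x1d00ffff); a smaller target is a harder block.
MAX_TARGET = 0xFFFF << 208

@dataclass(frozen=True)
class Block:
    block_id: str  # constructed label standing in for a block hash
    target: int    # proof-of-work target the header hash had to be below

def block_work(target: int) -> int:
    """Expected number of hashes to mine a block at this target,
    computed the way Bitcoin Core derives chainwork: 2^256 // (target + 1)."""
    return (1 << 256) // (target + 1)

def chain_work(chain: List[Block]) -> int:
    """Cumulative proof of work over a chain (the shared genesis carries no work here)."""
    return sum(block_work(b.target) for b in chain[1:])

def fork_point(local: List[Block], remote: List[Block]) -> int:
    """Number of leading blocks the two chains share (both start at the same genesis)."""
    shared = 0
    for a, b in zip(local, remote):
        if a.block_id != b.block_id:
            break
        shared += 1
    return shared

def choose_chain(local: List[Block], remote: List[Block]) -> Tuple[str, int]:
    """Apply the most-work rule: abandon the local tip only for a chain with strictly
    more cumulative work (ties keep the first-seen chain). Returns which chain to follow
    and how many local blocks a switch rolls back, i.e. the reorg depth."""
    if chain_work(remote) > chain_work(local):
        return "remote", len(local) - fork_point(local, remote)
    return "local", 0

# Constructed scenario: the local node sits on a longer chain of easy blocks while a
# peer announces a shorter chain whose blocks each carry roughly 4x the work.
GENESIS = Block("genesis", MAX_TARGET)
LOCAL = [GENESIS] + [Block(f"A{i}", MAX_TARGET) for i in range(1, 5)]
REMOTE = [GENESIS] + [Block(f"B{i}", MAX_TARGET // 4) for i in range(1, 3)]

if __name__ == "__main__":
    winner, depth = choose_chain(LOCAL, REMOTE)
    print(f"local height {len(LOCAL) - 1}, remote height {len(REMOTE) - 1}")
    print(f"follow {winner}; reorg depth {depth}")  # follow remote; reorg depth 4
```

The longer chain loses because height is only a proxy for work; the heavier, shorter chain replaces all four local blocks, so any payment confirmed only on them disappears from the chain the rest of the network follows.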

It seems like you don’t know about double spending attacks and how many times 51% attacks actually happened.