45 comments

[ 2.8 ms ] story [ 92.4 ms ] thread
There's been a lot of FUD against PoW and some of it is warranted. The problem is saying "PoW is a bad solution to the problem" doesn't provide any path forward. PoS is not a solution, and neither is so called dPoS where block producers are nominated by or purchased from the development team. Lots of smart people are working on better PoW algorithms, more resistant to centralization and hopefully at least one succeeds. Otherwise a new model for trustless p2p exchange of money will need to be developed.

It seems to me a lot of so called "decentralized currencies" are moving away from the model that brought billions of dollars into the market, in favour of recreating shitty versions of what already exists. To do this they dance around terms and attempt to claim they're actually MORE decentralized for reasons blah blah blah. I have a feeling the anti-PoW is orchestrated FUD from teams building decentralized-in-name-only platforms like EOS and NEO. Yelling about electricity costs and how "trust is needed!" is getting old. People like the trustless idea, even if so far it hasn't turned out well. A platform that lets you run "unstoppable dApps" when stopping them only requires shutting down 21 known nodes isn't unstoppable at all and is frankly worthless.

> Yelling about electricity costs and how "trust is needed!" is getting old

It's still a valid concern, Pow has currently lots of difficulty to scale because of that, not to mention that the electricity needed is enormous to sustain the system.

PoW is a way to use computation as a substitute for human-based methods of generating truth.

I wonder how much electricity, energy, and emissions are represented by salaries for the lawyers and judges that are the current implementation of distributed social trust?

You have your causal chain reversed: enormous amounts of electricity are spent on proof-of-work because it is profitable. There is no minimum amount of work required to "sustain" the system. Of course you lose security with less work performed, but the system can be sustained.
Yeah of course but if you want Bitcoin to be used by everybody (that's the goal of a currency after all), it becomes thus very profitable to mine and therefore an enormous amount of electricity is used. That's what I meant by a scaling issue, it works as long as there's not too many users.
The energy cost of mining gold is proportional to the price of gold.
When discussing environmental damage, I’m not sure gold is the thing you want to be comparing to.
Just making a point about the economics. The environmental destruction is caused by the energy production in the case of Bitcoin mining. In the case of gold mining, it is done by the mining.
> Otherwise a new model for trustless p2p exchange of money will need to be developed.

That's the biggest assumption of all. The idea that there's a need for trustless p2p money, or that existing money doesn't work seems like nonsense to me.

People think it's cool. I wasn't commenting on whether it's needed for society. But the people developing it would need a better way to achieve their goals if PoW really should be abandoned.
You don't need it at all until you need it. Then you really, really need it. It kind of works like a seat belt. To this day I think I have only actually used my seat belt once in my entire lifetime! My family has literally never used theirs.
Why do you say PoS is not a solution? I agree with you about dPoS being a poor substitute.
Because the name is totally false. You aren't putting anything at stake and it ends up being traditional social trust. "Oh that guy he has a lot of ETH and is a trusted member, he wouldn't attack the network as its in his own best interest!"

Beyond that, it's simply a rich-get-richer scheme. Why are staked nodes rewarded? What is their sacrifice and what are they spending to get that reward? Nothing.

Their sacrifice is opportunity cost. Which is what TFA describes as the necessary ingredient for a consensus protocol.

> Practical impossibility can be reframed in terms of "opportunity cost": there are limited physical resources and those should have been largely allocated to X than to Y so we can see that X sucked in all resources from any alternatives.

There are a limited number of coins that can be staked at any time.

You fundamentally misunderstand PoS. There is no social trust involved. It will work entirely through economic incentivization, including 'group penalization' when enough validators are offline/byzantine at the same time in the case of Casper. Read more here and try to fully understand this document before you make blanket statements like 'PoS won't work': https://github.com/ethereum/wiki/wiki/Proof-of-Stake-FAQ
You lose ethers if you misbehave or stop supporting the network. Amount lost depends on what you did and whether your fault was correlated with faults of other validators.
"Nothing is Cheaper than proof of work"[1]. The best that can be said about Proof of Stake is that you get marginally better security while sacrificing liveliness / allowing the consensus layer to be captured by regulators [2]. PoW forces the machine to advance, if you refuse (or are forced to ignore) a block, the business dies but the network moves forward. If PoS was new and research was underfunded, you might have a plausible claim that it might turn into a workable solution. The fact of the matter is, it's been 6 years since PoS' proposal and millions of dollars in R&D funds have been pumped into trying to unsuccessfully obviate PoW.

[1] http://www.truthcoin.info/blog/pow-cheapest/ [2] https://twitter.com/NickSzabo4/status/956461360161935361 "Conjectured governance under proof-of-stake seems to involve programmers & other amateurs making legal & accounting decisions. Bitcoin governance does not. Even when lawyers & accountants properly take over PoS governance, PoW governance will likely be far more socially scalable."

>allowing the consensus layer to be captured by regulators

The opposite. You can't hide mining at the required scale. Miners must have a registered companies to get access to cheap electricity, employ workers etc. Any mining business that doesn't register is going to be outcompeted by those that do.

PoS can work over Tor/I2p with anonymous validators.

PoS creates a system by which block nomination and chain-tip extension is an elective procedure. Meaning companies could censor transaction at effectively 0 marginal cost. Under a legal mandate, that method of consensus is untenable. See Szabo's tweet.
If by elective you mean that validators can easily ignore past blocks, that can be solved by a commit/reveal algorithm or multi party computation.
>commit/reveal algorithm or multi party computation

Which is out-of-band work that erodes the claimed 'savings' of PoS, relative to PoW, and would have been better spent increasing the security of all transactions on the chain. It also means that I have to be online see those orphaned blocks and to ensure those solutions algorithms acted.

Example:

US Government to Coinbase: "Thou Shalt never honor a block that originates from an 'IP out of' Iran"

Coinbase to miners: "Hey Sorry we can't sell any eth from blocks that originate out of Iran"

Miners: "Ok well if you promise to use the new chain, I'll create a costless alternate version, But you have to promise!!"

Business A to Business B: "Wait I just got two chains, Which one is the real one? Has to check news hmmm this USGOV edict is bad. So which chain are you going to go with? Hmm I dunno Coinbase is so important, I Dunno maybe the coinbase chain. Ok I'll go with the coinbase chain if you go with the coinbase chain, But you have to promise!!"

Move social consensus churn that erodes social scalability

Business B: "Well, we're going to have to compensate the miners for this roll back some how"

Business C: "Hey wait I accepted a transaction (15 blocks deep), shipped my products and then went offline and now had my payment rolled backed!"

Total Not Centralizing Foundation: "The Foundation will cover all losses....again"

It's not possible to orphan blocks that are already in the chain you confirmed, as that's a contradictory vote. So at best one generator could orphan a few blocks, but then, what if the next block generator doesn't ignore them? Anything longer than a few blocks would require cooperation among majority and that's a failure mode in PoW too.
>It's not possible to[...]

Because there is no time-value trade off associated with delaying block create in PoS you can play games in the interim period of time. In PoW you pay a penalty for not building on a block. PoS basically tells network participants that there is 0 cost to not building on a block. See the lecture: Formal Barriers to Proof-of-Stake Protocols[1] for other failings of PoS.

[1] https://www.youtube.com/watch?v=PGrWGMRbdvw

This does not at all seem like a rigorous proof
My conclusion about cryptocurrncies is: they can never take over traditional payments. People want payment methods to be:

- secure

- fast

- cheap

While traditional payments do relatively well on all three accounts Bitcoin cannot. Yes, we might argue that it’s (in theory) more secure, but it’s also slow and expensive. What’s worse, as the article just proves Bitcoin cannot fix those flaws because its security relies on mining (and therefore transaction processing) being slow and expensive - that’s the very concept of PoW.

You missed a fourth requirement.

- free of government influence

That's where the real power of cryptocurrency comes in. No longer are you tied to the decisions of your government with regard to your money. Venezuela, etc. Governments can't just print money for wars if the populace keeps all their money in cryptocurrency, which is borderless.

That isn't requirement for most people. Furthermore, ordinary people consider "government influence" a good thing, because they trust their government more than some random piece of technology such as Bitcoin.
Quite the contrary - for the majority of people and businesses doing online transactions, it's very important that the transactions are reversible and can be overriden by their legal system in case of a dispute. Things like CC chargebacks and the ability to reverse fraudulent transfers are highly valued by most users. There definitely are some markets where this isn't the case, but those are niche markets not similar to most of our economics.

In order for cryptocurrency payments to be competitive, the full service has to include not only actual transfer of money but things like a reputable escrow service that answers to local contract law.

There's nothing secure about traditional payments. I have to give away the keys to my account (routing & checking number) in order to transact with my checking account. Similarly, I have to hand over all my information to a 3rd party to process a credit card transaction. The fraud and theft is merely subsidized by the banking institutions themselves, who more than make up for the costs in high interest fees.

There's also nothing fast about traditional payments. The actual transferring of money between banks and accounts still takes 24-72 hours, if not longer in some cases.

It's also not cheap. The hidden costs are rolled into the banking system, credit card interest and merchant processing fees (which are rolled into the price of products).

>> I have to give away the keys to my account (routing & checking number) in order to transact with my checking account.

What a strange country you live in! :) I do a lot of payments and I had to google what a routing or checking number even is because I never needed one for making a payment. Also, I can't see how giving up your account number would mean giving away control of it. But that might be because in Europe we do not use such a peculiar payment methods as checks.

All that's necessary in order to forge a transaction is routing & checking account number. Similarly, with credit card numbers. This is why cryptographically signed transactions make so much more sense and are much more secure.
Debit cards are nearly instant and quite cheap. There's no cryptocurrency on the planet that comes close. And good-old-fashioned cash scales practically infinitely.
They're not nearly instant. The transaction is registered as pending in your checking account nearly instantly, however, it settles later in the day when the merchant closes out their daily transactions. The actual transfer of funds takes 24-72 hours from your account to the merchant.

And no, paper cash is not very scalable at all.

With a layer 2 protocol like lightning network, we can have individual transactions be fast and cheap, and only the net settlement of a payment channel on the blockchain slow and expensive. Which is okay because it would happen infrequently.
PoW is not a solution and they are not even discussing the problem.

Author is mixing Byzantine Generals' problem to completely different set of trust and consensus problems.

not only is this not a proof, but also implicitly sweeps many issues with the implementation of the current system under-the-rug, which is the more insidious part of this argument.

> Proof that Proof-of-Work is the only solution to Byzantine Generals' problem

this is an argument for PoW's validity as a solution, for starters. in no way is this a proof, let alone one of uniqueness.

> In case of Bitcoin mining farms, such an alternative would require a very expensive and complex production chain, requring either outcompeting other firms that use chip foundries or building single use datacenters in the most cost-effective locations on the plane

that is exactly what we have right now! SHA256 has become so optimised in these chips that the whole issue of "consensus" has been almost diluted to "consensus between a very small number of people".

it might appear as though i'm identifying a 51% attack, and whilst that is entirely un-addressed in this "proof", that's not what i mean.

bitcoin was created to decentralise money. there are so few actors in the mining business now as to negate the benefit of requiring trust in a small number of centralised entities. which, by the way, happen to be well-known, non-anonymous, and culpable when mistakes are made/crimes are committed.

sure, the majority of the resources must be used to create a "message", but it certainly does not necessarily represent the consensus.

bitcoin, in its current implementation, has failed. that largely stems from the fact that SHA256 PoW as a means of proof, has failed.

100% correct, but bitcoin isn't centralized because of PoW, more because of a bad implementation of PoW that was too soon and too easily optimized (if you had the cash). Existing algos will all be eaten in the same way SHA256 was, but why does that mean PoW as a concept is a failure?
because of a bad implementation of PoW

See yesterday's YC article from a cryptocoin ASIC designer.[1] It's possible to design an ASIC for any proof of work algorithm that will be more cost-effective than a general purpose CPU.

Monero was supposed to be resistant to special-purpose ASIC approaches. It isn't. Someone quietly built an ASIC for Monero about a year ago and made a ton of money.

[1] https://news.ycombinator.com/item?id=17059858

I know. A flexible ASIC is a GPU. Optimized hardware will always be more cost effective, but like I said elsewhere in the thread, algos that are hard(er) to optimize than even cryptonight are being worked on. People didn't notice monero had asics because no one was paying attention. Looking back on the hashrate graphs and price make it very clear.

Monero has since forked and removed the ASIC threat temporarily, and they will continue to fork to keep them at bay. Anti-ASIC is a cat and mouse game where the coin developers have the upperhand at all times. Do you really believe there's no conceivable algorithm that will reduce the cost-effective difference between general purpose and specialized hardware? The goal isn't to prevent someone from optimizing, it's to prevent the difference from being so large that no one else can compete. Monero managed to do that for years, and that was using an algo that claimed ASIC resistance solely on memory prices.

of course, specialised hardware will always outperform general purpose hardware. all that is indicative of is the question you’re trying to ask in malformed.

suppose, for instance, you could parameterise a merkle-damgard construction, such that a fixed physical network for calculating hashes could not exist (of course, there are many avenues of pitfalls with that suggestion, my gut tells me they are soluable). something that could be calculated from previous block values, somehow.

now you have an ever changing hash function that lives for 10 minutes, requires strictly general purpose hardware to operate, and would solve (one of the) issues i identified in my opening reply.

sorry, i wasn’t clear there - for reference, i don’t believe PoW as a concept is a failure. only this current implementation focused on SHA256.

the reason for this is because, unlike bitcoin’s beginning, one bitcoin network participant is no longer comparable to an equal share of the resources required to reach consensus on the network.

Boy, the logic in this article is bad.

PoW is not the only solution to the BFT. PBFT PoS, DPoS, etc are all "solutions", in that they represent a series of tradeoffs to achieve consensus in the presence of faults, just as PoW does.

Further, PoW itself as implemented in large part today is vulnerable to attack via selfish mining.

Finally, purely empirically speaking, PoW in most systems like Bitcoin today is highly centralized and far from trustless. Consensus authority has accumulated in the hands of large mining operations. Many people foresaw this outcome. In the author's analogy, you are not provided any certainty of consensus on your bunker, rather, massively resourced authorities controlled by a handful of people are dictating state to you and you have nowhere near enough resources to change that.

If every participant is online and all messages are public, then only a majority vote is necessary, as time itself becomes exclusive (only earlier votes matter). There's no need for PoW here.

For participants that join later both PoW and PoS are probabilistic, but PoS can be much better: if everyone has to vote the maximum possible classical security is 1-of-n, ie. one eternally honest party exists in all past blocks, so no attacker can obtain 100%, ever. This model can stall but it can't lie.

The 100% model is not practical and by itself requires everyone to be online, but for some m in m-of-n, it is. Another variable is how long do the honest assumption must hold: it's relatively easy to construct a scheme that makes honesty for eg. four months nearly certain.

Combined with the fact that money is inherently a social thing, it works. It's not an abstract consensus for people in bunkers, but people that want to interact. So if you return after a long time, it's enough to check in several places that accept a specific cryptocurrency what chain is wanted by them.

> Imagine you are sitting in a bunker. You have no idea what people are out there and what are their intentions. You only receive some incoming messages from strangers that may contain anything. They can be just random garbage or deliberately crafted messages to confuse you or lie to you. [...] When two propositions arrive into your bunker, "X" and "Y", we have no trusted reference point to figure out which one is supported by the majority of other people. We only have "data in itself" to judge which one we should choose as the main one.

What if the true answer is "neither", and both have been forged by an attacker? If he's sitting in a bunker with no contact to the outside, and an attacker can intercept and manipulate his every communication, how can he "estimate how expensive it is to produce an alternative"? Was the difficulty too low because it's a forgery, or because everybody's abandoned that PoW chain?

IIRC, Bitcoin's answer to that situation is that somehow word of the correct chain will get to him (perhaps smuggled by a carrier pigeon), instantly invalidating all of the attacker's work. That makes sense in real life, but not in imagined scenarios where there are no alternative communication channels.