Is PoS a lie?

After the release of Fork It #22: PoW vs PoS on August 31st,   the Chinese podcast program Fork It, dubbed “Nian Geng” by everyone, recorded its 23rd issue just before the Ethereum merger: Is PoS a Lie?

This issue was co-hosted by Daniel and Terry, and invited Mr. A Jian, the content director of BTCStudy, to chat with you about the PoW vs PoS debate, his views and positions.

Mr. Ajian used to be a very hard-core researcher, translator, content contributor, and host in the Chinese community of Ethereum. The wish of the host is to explain the topic in simple terms, but Mr. Ajian’s strength does not allow it, so if you are interested in PoW/PoS and distributed If you have an understanding of the design ideas and basic concepts of the consensus algorithm, it will help you understand why PoW is better than PoS through Mr. A Jian’s analysis.

At the end of the interview, Mr. A Jian’s most moving part of the host is excerpted here: A technology paradigm should think that it should protect its users, it should protect consensus, it should cherish every hard-won consensus, it should To accommodate every possible individual to enter this ecology, to be able to use it to continue dreaming, and to strive for a distant future that I can imagine.

The following is a transcript compiled by community members (recommendations of good things unrelated to the topic have been deleted):


1. Introduction


Daniel: Hello everyone, welcome to the new episode of Fork It. I am Daniel, the host of the show who disappeared for a long time. Today, I will host together with Terry. We have invited Mr. A Jian as a guest.

Before I start, let me make an introduction to the current special point in time. This episode was recorded very close to a very big event in the Ethereum community, the so-called Ethereum Merge. Ethereum Merge will happen within 48 hours. When everyone listens to this episode, it should be the time when the merger has just been completed.

Okay, let’s introduce today’s guest, Mr. A Jian.

A Jian: Hello, listeners of the Fork It podcast, hello, my name is A Jian. I’m very happy to be invited by Daniel and Terry to be a guest at Fork It. Because I have heard many issues of Fork It myself before, I found that Fork It can always invite the most professional people to talk about some of the most professional topics, so I myself regard this as a kind of recognition for me by Terry and Daniel , I feel very happy.

I entered the industry in 2017 and have been working as a translator since then. From 2017 to 2021, I have been working as an Ethereum enthusiast , and now many friends may know that I am also an Ethereum enthusiast, because I have been doing translation and editing work in it. From this point in time, I guess now I may be a more senior person in the translation industry in this industry. Because I have been doing the same thing for so many years in the industry, I am also constantly learning during this process and doing some research. Although these studies may not be very important, they can be regarded as accumulating some understanding of blockchain.

I have been contributing to  BTCStudy since the end of 2021.  This is a very small website with no extra content. It is all about the technical principles of Bitcoin, some possible technical improvement directions, and what is going on in the ecosystem. Some interesting technical solutions that have emerged.

Daniel: Actually, I know that Mr. A Jian doesn’t seem to be involved in the front of the stage too much. You mainly do some content and article work behind the scenes. Some listeners may be unaware that Mr. Ajian is a pivotal figure in the core technology circle of domestic Ethereum enthusiasts. Why do you say that? Because whenever there is a major event in the Ethereum community, everyone talks about it. The real opinions we call KOLs can often play a very crucial role in the entire Chinese community. Mr. Ajian is one of the few KOLs in this small circle that I know who is truly a hard core of Ethereum.

Terry: There are many KOLs, but less hardcore.

A Jian: In the past, when I considered myself a member of the Ethereum ecosystem, the Ethereum ecosystem was also very exciting, and you could see a variety of characters and diverse viewpoints. What I think is relatively special among them is that maybe I have one thing in common with Terry and Daniel, including these guests who have been on Fork It, that is, we pay special attention to technology and the bottom layer. I feel like a lot of things about the application layer aren’t my greatest interest, or the most important thing for someone in what I call a community. So during this process, I paid a lot of attention to the protocol layer of Ethereum, including its ins and outs and its direction. I think maybe that’s what might lead you to think that I’ll have some understanding of these issues. I think it’s really just that.


2. PoW is better than PoS


Daniel: In fact, Mr. Ajian does not participate in very frequent discussions, but every time there is a very critical discussion, whenever there is any of your remarks, I will send it out and read it carefully. Long before the Ethereum merge took place, the entire community started to debate PoW and PoS again. I believe that Mr. A Jian may have participated in this discussion many times. Could you please introduce your position or your opinion to this protracted discussion, which is based on years.

A Jian: First of all, regarding the position, I have no doubt that PoW is an all-round thing that is better than PoS, and it is all-round.

I also think that this debate may have existed since a long time ago, when the idea of ​​PoS first appeared, about 10-12 years, and maybe 14 years at the latest. Because 14 years of research on Ethereum, including its development, has already started. From that time to now, my biggest feeling may be that in this process, with the development or further research of the PoS mechanism proposed by Ethereum and other projects, there will be some new ideas or new opinions. .

But in the whole process, the PoS party’s argument on the PoS superiority theory actually I think contains a lot of impurities, and even I think most of them contain lies. They actually use an argument based on selective presentation of facts, that is, when you present facts only in part, not in full, although the part you present seems to be fact, but your argument Can’t be called arguments, and in that sense I call them lies.

Let me give you a simple example. For example, a voice that often appears is that PoS is a new thing. Since it is a new thing and has improved on the old thing, it must be a new trend. new future. For another example, they think that PoS has abandoned the computationally intensive block-producing process of PoW, and can produce blocks without wasting these energy, and it will become so-called greener. Or because the process does not need to consume so much computation, the scalability seems to be improved. These are missing comparisons.

To give the simplest example, is PoS a new thing? This is a very interesting topic. Many people think that Bitcoin first proposed PoW before someone proposed the idea of ​​PoS. Actually, technically, I think it’s a category error. Because if you have an understanding of the consensus algorithm in the distributed field, you will know that the research on the consensus mechanism in the distributed field originated from Lambert, and the paper published by Leslie Lamport in 1987 was about the Byzantine generals problem. What he envisions is a voting-based mechanism with unforgeable proof of identity, aka a digital signature scheme. Under this premise, a key conclusion of the Byzantine generals problem is that 1/3 is an insurmountable upper limit. If more than 1/3 of the people are malicious and do not want to reach a consensus, then this distributed system has no method to reach a consensus.

Then came the so-called Byzantine fault-tolerant algorithm, that is, in the case where no more than 1/3 of the participants are malicious, do we have an algorithm that can reach this consensus? In fact, these Byzantine fault-tolerant algorithms are based on identity and digital signature systems, so you can think that the Byzantine fault-tolerant algorithm at that time is the predecessor of the so-called PoS algorithm.

It appeared much earlier than PoW, but in the earliest form of using the Byzantine fault-tolerant algorithm, it defaults that the signature weights of all participants are the same, and it will not have different voting weights of participants. The conceptual improvement of PoS to the Byzantine fault-tolerant algorithm is that it relaxes this, so that the signatures of different participants have different weights. However, in fact, we can say that  PoS is an older thing, and it does not actually bring us a consensus mechanism that does not require permission and that everyone can participate in like Bitcoin. This is a very important feature.

Going back to the technology itself, there are actually quite a few points that can be discussed. For example, based on a well-known model, to compare it in three dimensions of security, scalability and decentralization, in fact, a lot of content can be compared.

3. Security

Terry: I think it is very appropriate to talk from the direction of the impossible triangle.

One of the more common claims I see now of PoS is that it is more secure in terms of security. If that’s the case, they’ll point out that PoS is more secure at the same cost. In terms of censorship resistance, I think it is the obvious disadvantage of PoS, but at this time they usually compare badly together, saying that PoW is not much better in censorship resistance. In terms of decentralization, they said at the earliest that PoS would not have a mining pool and would not have stake, but later found that this is a very professional thing, and there must be a stake.

Can you analyze the current common views from these three dimensions as a whole, and your evaluation of these wrong views of them.

A Jian: I may ask the audience of Fork It to be patient with me, because I will be very long. I have said above that in all the arguments I have come across about PoS being better, there are a lot of missing comparisons, or selective comparisons.

I can put the conclusion here first: PoS cannot be argued to be better than PoW in any dimension. I am responsible for this statement.

First let’s talk about security. Existing security research on PoS basically mentions a very basic attack: Stake Grinding Attack, equity grinding attack or rational fork.

PoS is not to use PoW to compare who is lucky and fast enough to come up with the proof-of-work mechanism for the next block. It is not to compare who is faster to find a random number that meets the difficulty requirements. One way of generating blocks in PoS is to divide a period of time into 12 segments and 36 segments according to time, and assign a block producer to each segment.

Another way, such as the earliest PPCoin, is that everyone has a UTXO, each UTXO has a face value, and the length of time it has not been spent, which is called Coin age. Two factors determine whether you can use UTXO as a block producer for the next block. Some calculations still need to be done in the middle, but the most interesting point is that the block generation property of PoW is non-procedural, Progress Free. What does that mean? It is assumed that the block is out now, no matter how the hash value of this block is adjusted, no matter how many times it is tried, it will not affect the probability of mining the next block. The block producer of the next block still has to go through a lot of calculations. Affecting the hash value of the current block does not actually help the block difficulty of the next block.

But in PoS, everyone has to use the past historical blocks as the source of random numbers, that is, use a source of random numbers to generate a random number, and use this random number to decide who will generate the next block, or Whoever produces the next ten blocks, it loses its no-procedural feature.

what does that mean? It means that whoever has dug out the block and the characteristics of the block data can decide the block producer of the next block or even ten blocks.

So what will you do? Yes, although I can only have one block within ten seconds at this point in time, but in fact I am secretly mining, I have already counted 100 blocks, I will see which block can let me in the next block. Still the block producer, or which block to find, can maximize my chances of generating blocks in the next chain, which is called equity grinding attack. It will constantly try to mine at any block point and try to interfere with the choice of future block producers.

Stake grinding attacks were very common at the time and were deadly. Because although we see this time point, it seems that there is only one block on the network, but in fact everyone has secretly mined hundreds of thousands of blocks. Just wait for him to dig out a super long chain by himself, and then wait for a moment to show it to you, and everyone jumps over it because of the longest chain consensus.

But is the longest chain consensus stable? It’s also unstable, and then someone snaps you a longer chain. This was the equity grinding attack that appeared at that time. Later, everyone attributed it to an attribute called  Nothing at Stake, which had nothing to do with equity or interest. What does that mean? That is, although you only arrange for me to generate blocks, I am secretly mining N blocks, which will not have any impact on my interests, it has only advantages and no disadvantages.

The equity grinding attack directly led to the introduction of a penalty mechanism in almost all of the later PoS mechanisms. Everyone has found that this reward-based, random block generation method does not work, so it needs to be constrained by a punishment mechanism to prevent everyone from doing rational forks. What is its logic? That is, when people have proposed a block, if they are found to have proposed this block on another chain, they need to be punished, so as to restrict the fork chain from being mined and ensure that only one chain is mined. This principle basically runs through the design of all subsequent PoS chains since 2014.

But we will find that this problem is not so simple, because the punishment mechanism we just talked about seems to be only one-way in the dimension leading to the future, so as to prevent everyone from digging a large number of forked chains, and can constrain everyone to one chain, Go straight ahead for the block. Does this mean there are no problems? no. Because a chain not only has the dimension leading to the future, it also has the dimension of history, and we even think that the dimension of history is more important.

Why? Because if the history of the chain can be tampered with at will, how can it play the role of the ledger, how can it play the role of everyone’s basic trading system, and build various application functions on it? This is what I think is the more critical element. If the blockchain can form an immutable ledger, an immutable history, then I can be afraid of nothing. As a regular user, I have absolutely no fear of losing my money because all history is pretty much reliable. And cryptographic schemes such as private keys and digital signatures have given me a property attribute that is comparable to, or even better than, any other property system so far.

Next, you will find another situation called Long Range Attack.  Long-range attack means that although it seems that everyone can generate blocks on a chain, this does not solve the problem, why? Because I can dig out another chain from the founding state, this chain is not necessarily longer, but the point is that we do not have any form of effective method to compare this newly mined chain with the history that everyone has been using What’s the difference in the chain.

This is the most critical attribute, why? For example, as an ordinary PoS chain user, when my node synchronizes the previous chain, I actually do not know whether this chain is a chain that everyone has always participated in through the PoS consensus, and I do not know whether it is It was not dug up by some people. Some say we can observe the signature because every block carries the signature of the PoS participant.

But here it happens to be related to another thing. Everyone found a very interesting thing. All PoS verifiers need to lock the coins in, but why are they locked in? It’s about making money, right? When you make money, you have to spend it one day, and it will always be unlocked. If it can’t be unlocked, it becomes a one-way process and no one would want to participate in such an algorithm because it means absolutely no benefit.

The validator’s coins will have a release time point. Once the release time point, all the penalties set at the consensus level in this chain will no longer have any meaning to you. Because my money has been withdrawn, what are you punishing me for? My money has been withdrawn, and there is no way to impose any punishment on me at this time. The kind of punishment mentioned above that makes a person only sign a block on one chain is not true in itself.

This is the process of combining a long-range attack with a special form of attack that people have discovered before, called the old private key attack. That is, once the PoS participant leaves the constraint scope of the consensus layer, you can actually have no constraints on his private key behavior. Then at this time, someone can completely buy some old private keys. It may be very cheap to buy old private keys, because it is just a private key, and no property is required.

With the old private key, we can forge a chain that is exactly the same as the previous chain, all transactions can be replayed, and all signatures can be replayed. So which chain is the real one? In the case of such a long-range attack, we will find that all existing PoS algorithms cannot technically solve this problem, including Ethereum.

Ethereum’s Casper algorithm has undergone many evolutions, and its core concept is based on punishment constraints, allowing people to produce blocks on the same chain to ensure that consensus is reached on a regular basis. Based on the entire concept of the penalty algorithm, the complexity and sophistication of its design should be listed as the number one PoS mechanism. It’s pretty neat, and it makes the most of its punishment-based concept.

For example, if someone proposes two conflicting blocks, they will be punished; for example, Casper voting, which is not a vote for a block, but a vote for past historical block checkpoints. A checkpoint is equivalent to periodically refreshing its founding state. The original state of creation may be the zeroth block chain. Now after block 100, everyone has 2/3 of the approval votes, then everyone will turn block 100 into a new starting point for all state construction. , then block 100 becomes a new founding block.

The mechanism of Casper punishment is that whenever there is some misconduct in checkpoint voting, including double voting and wraparound voting, specifically whether you will vote for two competing checkpoints, and when voting for checkpoints , Have you jumped to another fork point? For example, the checkpoint that was cast at the beginning was on the A chain, but a later checkpoint actually jumped to the B chain, which means that there is a problem.

And what is a more interesting punishment? It is when the entire chain cannot reach a consensus, it will punish all participants. The attention is to all participants, not just those who are not online, but to punish all participants. If you understand game theory, you can think about why you should stop these offline participants and frame others by not forwarding their blocks and signatures?

The consensus algorithm itself punishes offline participants more severely. Being offline is confirmed by the presence of your signature within a certain period of time. If there is no penalty, then I can keep the chain in a state where there is no way to confirm consensus for a long time by not forwarding your signature. On the one hand, it will be fined On the one hand, the weight of oneself becomes higher. In order to prevent this from happening, a penalty is imposed for such behavior, which is then used to continuously weed out participants who are not online and make them resync. But even adding all of this up, there’s still no way to deal with what we call long-range attacks and old-key attacks.

Why? Because all participants will quit the system one day, after quitting the system, the old private key attack becomes an incentive, which is a feasible attack on the incentive mechanism. Just buying an old private key can create a super long chain.

This attribute has been fully discussed by everyone, and there are many related materials on the market. There is a very important paper, the original version of which was published in 2014, and the author later revised the paper in 2015, called On Stake and Consensus, “On Stake and Consensus”. This article is very important, it summarizes all the attacks I have talked about above. The final conclusion is that this long-range attack actually represents the ultimate form of PoS attack, and it can be superimposed.

For example, I also heard a friend come up with a very interesting attack called scattered coins. It is to airdrop these people while matching the long-range attack, so that these people can support my chain, not the original chain. For example, if I am going to fork Ethereum now, I will not only let you have so many coins, but also give you a little more coins. In this process, it can even be matched with some other attacks on social consensus, such as launching a propaganda war and telling others that the Ethereum Foundation gang broke our chain, and they can’t, so we want to revolutionize and punish them Coins are distributed to everyone. Our coins do not have any inflation, and their value is still strong in the market, but we punish the bad guys.

I remember a few years ago, including Jan also mentioned that the entire model of PoS is a bit like ouroboros, which is a snake biting its own tail. If your ledger is to be secure, then the consensus mechanism must be secure, but if the consensus mechanism must be secure, then the ledger must be secure, so it constitutes an Ouroboros.

The author of Stake and Consensus also came to the same conclusion, why is the consensus mechanism of Proof of Stake insecure? Because it depends on the ledger it wants to form to impose its growth. You can jump to another ledger and launch a long-range attack to fork the chain. On this forked chain, all the punishment measures of the original chain do not work. In this case, how can you say that your consensus mechanism is secure? So everyone boils it down to a circular argument: if the ledger needs to be secure, the consensus algorithm needs to be secure, the consensus algorithm is secure, and your ledger is required to be secure.

Note that I use two “safeties” here, assuming the two are exactly the same by definition, what does this mean? Means it is a circular argument. But in fact, the current Ethereum PoS algorithm, including Vitalik himself, believes that this is not a circular argument, why? Because the two definitions of “security” before and after this sentence are different, he believes that the definition of the latter ledger must be secure is different from the definition that the consensus algorithm must be secure. He believes that the security of this ledger is based on the so-called social consensus, which is a social process. This social consensus determines that we all recognize that this chain is Ethereum. So based on this, we will form a process of Ethereum PoS consensus participation on this basis, and further decide which transactions will be processed by this chain next.

But what he can’t deny is that if everyone is not synchronizing this chain all the time, if not the whole process has been synchronizing this blockchain since its creation block, then there is really no way to distinguish between the two The same chain in the same form, which chain is the real Ethereum. There is no way to do this technically, and there is no way to reach a consensus.

Therefore, he proposed the concept of weak subjectivity , that is, the node must be guaranteed to go online every four months. Once it goes offline for more than four months, it must be synchronized with a node you trust. Note that it is the node you trust to synchronize for you. That is to say, no matter who you are synchronizing with, the chain that was broken four months ago, in fact, needs to trust the node that provides you with blockchain data. This is weak subjectivity.

It has no way to achieve the same objectivity as PoW. There is no need to trust any node that provides blockchain data on PoW. Why? Because I can independently verify from the genesis block, and it is a lightweight verification to the latest block, it is useless for anyone who wants to deceive me. The entire consensus model of PoW through competition makes everyone condense on only one chain in the end, which is the proof of PoW’s security.

However, it cannot be done in the operation of the entire consensus algorithm of the PoS chain, and ultimately depends on social consensus and the so-called trust. As long as you are offline for a long time, you will suffer from weak subjectivity and must trust a node that provides you with blockchain data. Why is this important? Because it means that the consensus will continue to weaken, and ultimately everyone’s source of information will tend to focus on those who have not been disconnected for a long time.

PoW will continue to accumulate consensus, and everyone will continue to accumulate workloads on the same chain, and all participating nodes do not need to trust others. They only need to use a computer to verify all the data, verify its formal validity, and be able to conclude that this is a valid chain. Therefore, PoW is a process of continuous accumulation and continuous cohesion in terms of social consensus.

What exactly do these two mean? I think you can think about it carefully, what problem do we want the blockchain to solve? Do we just need a machine that everyone frequently overhauls, or do we hope to find the most basic principle. On the basis of the most basic principle, the blockchain can be used as a 24/7 processing system, and blocks will continue to come to us. Provide the most basic services and continue to build consensus in the process. This is what we want the blockchain to do.

Therefore, PoS has no way to compare with PoW in terms of security. The lie I hate the most and the most common lie is an argument put forward by Vitalik himself why PoW is not safe, because as long as 51% of the computing power is rented, Can launch 51% attack. But attacking PoS requires buying 51% of the coins, or buying 51% of the deposits in the hands of PoS participants.

Isn’t this a blatant missingness comparison? What is this comparing? The comparison is the cost of launching a short-lived PoW, such as a temporary review of a few hours or dozens of blocks, with the cost of permanently destroying a PoS chain. This is a clear comparison of two different things.

If only 51% of the mining machines are rented, it is equivalent to only temporarily launch a censorship attack, or briefly launch a double-spend attack. So what we’re asking is what’s next?

First of all, the fact that 51% of the computing power can be rented is not true in reality. We can see a 51% attack cost website 2, which shows how much it costs to rent a 51% miner, ranging from a few thousand dollars to tens of thousands of dollars. If the cost of an attack is really that cheap, why isn’t anyone doing it? Because he still has many insurmountable difficulties, such as the difficulty of network realization and so on.

Assuming it can be rented, what is the result of the attack? Everyone went through a few hours of chaos and then it was over. PoW longest chain consensus will promote everyone to continue to condense on the same chain. The PoW system is not broken, not completely destroyed. Unless you can ensure that you can permanently master 51% of the mining machines, there is no way to continuously launch a 51% attack. This is an obvious truth.

What can you do if you do buy a 51% stake in PoS? The answer is that you can do whatever you want. Because if it occupies 51% of the equity, then it can completely dominate the process of block generation. It also means that newcomers who want to participate in the PoS process must also get your consent. Because they have to lock their deposit into the system through a transaction, if he can’t lock the funds into the system, there is no way to become a staker, there is no way to participate in the block generation, his signature is invalid and meaningless of. As long as you have a 51% stake in PoS, you can permanently destroy a PoS chain.

Some people will say, don’t we still have a social consensus? If that happens, we’ll just fine him. This is a ridiculous statement, not to mention that it is a missing comparison. If you want to compare at this level, you cannot compare that PoS is better than PoW. The second is that if you really think it’s a viable solution, it’s ridiculous. Because what we need is a 24/7 system that requires the participation of all people, and it is often checked for problems. And when something goes wrong, are you sure you can gather so much social consensus to punish it? Or from the point of view of the consensus mechanism, is this kind of social consensus a way that can be exploited?

Because if someone passes the propaganda war to make people believe that we have a consensus now, we want to punish a group of people, and that group of people will be punished. Think about whether it is safe to be a participant and user of a PoS consensus chain. sense? This means that the security of your assets is completely subject to that illusory social consensus, and there is no mechanism to protect you. And the point is that everyone’s ability to mobilize social consensus is different, which is an obvious fact. Are you going to put the safety of your assets under the will of that small group of people? The fact that a small group of people can initiate social consensus means they can attack your property at any time, is this a system you want? Is this a system you want to put your own assets in? This is a very absurd and ridiculous statement.

Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2022-09-23 11:33
Next 2022-09-23 11:34

Related articles