I'd be happy respond to this comment if it was a bit more fleshed out and didn't sound like an attempt at trolling, for instance why you don't consider existing POS currencies like NXT to be "evidence".
Example: You come back online after your node had been off.
You receive updates to the blockchain in a PoS world. This is literally no cost to someone trying to commit fraud against you by staking their coins and creating fraudulent blocks.
You receive updates to the blockchain in a PoW world. You start receiving blocks with roughly the same amount of PoW included in previous blocks. You know that an attacker would have had to completely duplicate the entire PoW hashrate to create this clone of the blockchain. Since this would be extraordinarily costly, you can assume that after 6 blocks (or whatever is the expedience to transaction value trade of you're willing to make) it would be economically infeasible to commit.
Creating the implementation of PoS doesn't take an inordinate amount of time. The reason it hasn't been released is because it's a vaporware of a consensus system. The Ethereum foundation won't publicize this because they can continue to convince new ethereum buyers that Ethereum will solve that pesky Byzantine General's problem. https://en.wikipedia.org/wiki/Byzantine_fault_tolerance
>You receive updates to the blockchain in a PoS world. This is literally no cost to someone trying to commit fraud against you by staking their coins and creating fraudulent blocks.
Ethereum proposes to prevent this by including "slashing conditions" that inflict large penalties on the type of fraudster you're talking about [0].
Okay, that is true. I am just not satisfied with proof-of-work as a solution there. It makes Sybil attacks unreasonably expensive, by making the entire operation of the chain even more unreasonably expensive.
I do like the math behind Bitcoin but I wish it had just remained as a proof of concept.
Because those all require a trusted third party to make regular checkpoints of the blockchain. The argument is not that it is impossible but that no one has been able to design it trustless.
It is a reasonable argument and while you may not agree with the desire to avoid trusted third parties but there's no reason to dismiss it as trolling.
Well, the precise criticism you're making is a bit unclear to me but I'll try to respond:
Modern proof of stake systems have a concept of "finality" which I think is what you're referring to when you say "checkpoint" (older POS systems also had a more traditional checkpoint concept, but I assuming you're arguing against modern implementations)
In order to determine whether a block has "finality" in a POS system you need to either (A) have a computer running regularly on the network to determine finality on your own or (B) trust a third party to give you a valid finality designator.
So it is true that you have to trust a third party with these systems if (1) you haven't connected to the network for a year or so or (2) you are launching a brand new node.
Of course, with bitcoin #2 is also an issue since there's no way you can install bitcoin software on a new node without getting it from a trusted party.
I have never heard of "finality" being used outside Ethereum, but maybe you can point me at which existing PoS systems use the term? Or is it Ethereum specifically which is the modern PoS system?
The Ethereum PoS system, which is still a prototype and may change before the final version, uses checkpoints to guard against chain re-orgs. It is not trustless in the same sense as the Ethash system is. It's not exactly a secret but a calculated tradeoff.
The question here however was about how "currencies like NXT" work, which can hardly be described as modern seeing it was one of the first together with PPC. I believe they never fixed the fact that the optimum mining strategy is not the altruistic one the reference client uses. As long as all participants use the reference client they're safe, but it's not something you would want to base a trillion dollar economy on.
In general the challenges with proof-of-stake systems are how to avoid collusion, how to avoid exploratory mining on every possible chain, and variants thereof. (There's also the related problem how to bootstrap a node from scratch in face of equally probable views of history.) Different blockchains have tried different ways to mitigate this, including hard coded re-org limits and coin weights, but the only ones that have proven at scale are the ones that regularly checkpoint the chain. But please correct me if you know of any exceptions.
Tendermint and Ethereum are the ones I'm most familiar with- Both use the term "finality" frequently.
In Ethereum POS, an arbitrary PC can use a deterministic algorithm to exactly calculate the checkpointed/finalized block- There is no magical signature used by the ethereum foundation that "blesses" blocks as being checkpoints.
> how to avoid exploratory mining on every possible chainges with proof-of-stake systems are how to avoid collusion
In both Ethereum POS and tendermint this is a solved problem, anyone can earn a reward by providing proof that a user is mining multiple histories.
> There's also the related problem how to bootstrap a node from scratch in face of equally probable views of history
Yes, this is still an existing theoretical limitation of POS that is not shared by POW and is a valid criticism of POS- But even on a POW chain you still have to trust software from a third party to some degree in order bootstrap your node.
"Solved problem" is perhaps a bit strong. There's no reason to assume every possible chain is visible to every client. An attacker would not release a chain until they are certain to profit from it. There are likely bribes to be taken for reversing transactions, and these add up at scale. There is the suggestion that penalizing non-cooperating miners would be sufficient to prevent this, but this has never been shown to hold theoretically and cover all externalities such as the mentioned bribes.
If a such a blockchain is under the control of a mining cartel, it would be rational to join that cartel instead of fighting it. When every participant knows this it should be possible to bootstrap such cartels from scratch.
And Ethereum absolutely plans to implement some sort of checkpoints. As you say, it's required to bootstrap new nodes anyway. The straightforward way to do this would be to sign them, but I'm not sure what they're planning to do.
> An attacker would not release a chain until they are certain to profit from it.
There are two scenarios: If they release a new chain after they have released a previous signature, their entire deposit gets slashed in both chains. If instead they withhold all chains then this would only work if they are able to mine multiple blocks in quick succession on different chains (since they would lose the opportunity to validate a block within the timeout window) and this is exactly equivalent to a POW selfish mining attack.
Right, and there are many variants of this scenario that other people can think of. It all stems from the same basic problems above. Punishing cheaters is necessary, but not necessarily sufficient.
The difference from a PoW model is that when mining is essentially free the incentives are different. If it doesn't cost you anything to try it makes game theoretical sense to do it speculatively.
>But even on a POW chain you still have to trust software from a third party to some degree in order bootstrap your node.
You really don't have to trust the software with POW. The POW is encoded in the blockchain itself and can be independently verified by performing a series of hash operations.
With only the blockchain data, and a description of the blockchain layout, one can independently confirm the total amount of "work" done.
This is true decentalization & a huge benefit of POW over POS.
There is an alternative if you (a staking validator, or even a full node) does need want to trust any third party: just stay online all the time. This has its own set if downsides but it's inaccurate to say that a third party is required for Pos.
