In this article I want to dig a bit deeper into how secure PoW and PoS really are. I start with PoW and describe why decentralized mining is important. Then I move onto PoS and will show it’s a fundamentally unsafe system to run a decentralized cryptocurrency.
Proof of Work – importance of the decentralization of mining
In general, PoW makes sure that the network selects a validator of a block at random. This is a desirable feature so joining the network is permisionless which ensures decentralization. It’s also important for censorship resistance: if everybody has the ability to create blocks, then it’s very difficult for governments to forbid everyone to create a block which includes a certain undesirable transaction.
In this sense it’s also important to note that mining decentralization is desirable. the “1 CPU = 1 Vote” Satoshi envisioned is the only real guarantee that mining stays decentralized and thus censorship resistant. Sadly mining centralization is happening in most cryptocurrencies. There is still ongoing research for so called “asic-resistant” algo’s. ZCash uses Equihash (but as far as I know it’s mainly GPU mined) and Monero uses Cryptonite, which is partly CPU partly GPU mined due to optimizations for CPU AESNI operations (CPUs still have a decent hashrate compared to GPU’s).
So in my opinion, decentralization of mining is very important to avoid blacklists of txo’s. At the moment, just a handful of pools and mining farms are responsible for the large majority of the hashrate. These companies can easily be compelled to enforce blacklists. In this sense, botnet mining is a net positive for a currency: it makes it extremely hard to force miners to enforce blacklists or shut down the network.
I saw your counterargument in some older video: the hashrate increase per chip will slow down so ASIC chips will become more distributed again. Even if that happens, there is still the issue that only a few companies produce those chips. Peter Todd alluded to this in an interview a 2 years ago: he said the following: “The most fundamental way is for[governments] to regulate ASIC manufacturing, e.g. by forcing [manufacturers] to add ‘kill switches’ to the hardware, and/or require end-users to have licenses.”
I tend to agree with Todd on this: governments will find a way to regulate ASIC chips (either the production or the users) as long as chip production is centralized. If ASIC production would become more distributed in the future, this problem can become less important. But creating ASICs is a very specialized business, so I don’t see this happening any time soon.
Proof of stake – General thoughts on the weakness
With PoW, the hash puzzle is generated by the network. The difficulty is set by consensus rules and the randomness is set by the data in the previous block. The miner needs to generate a random nonce to find a solution to the hash puzzle.
The only way to do a double spend is by withholding blocks and secretly mining a longer chain than the entire network. this requires 51% of the hashrate (or a bit less if you’re lucky).
With PoS, there is no hash puzzle. This means that the validator whose turn it is to sign a block can easily create multiple blocks (and thus forks) to try to doublespend coins. Also there is no objective way to determine which chain is “the real chain”. With PoW this is determined by the chain with the most accumulative PoW, but this option (obviously) isn’t available with PoS.
There is also no real randomness. So it’s deterministic based on data in the blockchain which user/address will be allowed to sign the next block based on blockchain data which means that a signer can know in advance which user/address will be allowed to sign the next block based on the block data he is signing.
PoS reverts back to an unsafe version of PoW
If a signer knows which address will be picked as the next validator, it is (at least theoretically) possible for the current validator to manipulate the data in the block he’s currently signing in such a way that he’ll be the next signer.
Some examples on how block data can be manipulated:
* transaction malleability
* sending transactions to oneself
* dropping transactions from the block
* changing the order of the transactions within the block
This leads to a very dangerous attack: when a validator is picked by the network, he can then calculate (Proof of Work!) a lot of possible blocks and try to find a new block that will enable him to be the new validator. He can even try to find a series of blocks that will make him the validator for (for example) the next 10 blocks. Meanwhile he can publish another block for which he won’t be the next validator. By doing this, he has the abiity to double spend. Once he managed to pull of the double spend, he releases his other chain for which he’s the only validator. This chain will then become the longest chain and the attacker doubled spent successfully.
Note that if the validator didn’t manage to “attack” the network, he can try again when it’s again his turn to sign a block. One does not need 51% of the coins to be able to attack. This assumption made by proponents of PoS is -imho- false.
Also the cost of attacking is significantly lower compared to PoW. While for a 51% on PoW you need to spend a lot of money on electricity and you need to continuously spend that money, an attack on PoS can be done with a minimal amount of energy.
Reverting a transaction retroactively is nearly impossible with a PoW system, because you’ll need to have a lot of hashing power to “go back in time”. If you want to revert a transaction that has 1 confirmation, you need to mine 2 blocks while the whole network is searching for 1 block.
h^2 = (1-h) => h = 61.8%
You need 61.8% of the total hashrate to change a transaction with 1 confirmation, on average. Note that if a transaction has more confirmations, you need a larger share of the total hashrate of the network.
In the case of PoS, you can easily try to revert every transaction from a block height in the chain where you were a validator and you don’t need spend substantially more to revert a transaction that has more confirmations.
PoS attacks can be “solved” by centralization
This attack can be “solved” by having a limited number of “trusted” witnesses that keep track of which blocks they received first. If they then detect an alternative version of a block, it indicates a attempt to attack the chain. Then these witnesses can flag the attacker and he may be punished by loosing a part of his stake.
The problem with this is that this group of witnesses/people/nodes/validators/… need to be trusted. It’s not decentralized. Once the witnesses are in power, they can collude to attack the chain.
This witness system also raises a lot of questions surrounding reaching consensus: what is a few witnesses disagree with the others? Who is right? The majority? It’s not as easy as it looks because an attacker can try to submit his block with the double spend to a majority of the witness nodes and the ‘fair’ block to a minority of the nodes. If he succeeds, the attacker “legitimately” double spend!
It is pretty obvious a currency doesn’t want to have anonymous witnesses. If they are anonymous, they have a very big incentive to attack the chain themselves and perform double spends. After all, there is no objective way to determine who “is telling the truth” when a double spend happens. So there will usually exist a process to appoint these witnesses. This will in practice often look like elections.
In Bitshares it’s quite literally that. they use “Delegated proof of stake” (DPOS) in which people need to be trusted community members to be able to raise enough stake votes to become a witness. In DASH the requirement to be a witness (aka masternode) is currently owning 1000 DASH, but this will change once the “evolution savings account” goes live which will be a variant of DPOS. The Casper system proposed by Ethereum will likely also be a variant of DPOS with a limited number of witnesses. So for currencies who have some kind of witness election, these public people who act as witnesses can be forced by governments to censor or even revert certain transactions.
Proof of stake – the choice between a constant forking blockchain or centralized witnesses
To conclude, the a naive implementation of PoS will lead to a blockchain that is able to fork and do reorgs constantly, which is completely unworkable. Why didn’t we see this yet? My guess is because the on chain value never was high enough to be worthy of an attack.
The “solution” by centralization depends not on decentralized hash puzzles but on trusting individuals to not cheat. This is certainly not permisionless. These solutions aren’t decentralized and the government can thus easily try to force witnesses to censor certain transactions.
This leads me to the conclusion that PoS currencies can’t guarantee censorship free transactions, which is -imho- the only value behind a cryptocurrency. If we accept censorship, we can just start using Paypal. No need for an inefficient blockchain at all.