Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-24 Thread Billy Tetrud via bitcoin-dev
>  proof of burn clearly solves this, since nothing is held online

Well.. the coins to be burned need to be online when they're burned. But
yes, only a small fraction of the total coins need to be online.

> your burn investment is always "at stake", any redaction can result in a
> loss-of-burn, because burns can be tied, precisely, to block-heights

So you're saying that if say someone tries to mine a block on a shorter
chain, that requires them to send a transaction burning their coins, and
that transaction could also be spent on the longest chain, which means
their coins are burned even if the chain they tried to mine on doesn't win?
I'm fuzzy on how proof of burn works.

> proof of burn can be more secure than proof-of-stake

FYI, proof of stake can be done without the "nothing at stake" problem. You
can simply punish people who mint on shorter chains (by rewarding people
who publish proofs of this happening on the main chain). In quorum-based
PoS, you can punish people in the quorum that propose or sign multiple
blocks for the same height. The "nothing at stake" problem is a solved
problem at this point for PoS.



On Mon, May 24, 2021 at 3:47 AM Erik Aronesty wrote:

> > I don't see a way to get around the conflicting requirement that the
> > keys for large amounts of coins should be kept offline but those are
> > exactly the coins we need online to make the scheme secure.
>
> proof of burn clearly solves this, since nothing is held online
>
> > how does proof of burn solve the "nothing at stake" problem in your
> > view?
>
> definition of nothing at stake: in the event of a fork, whether the
> fork is accidental or malicious, the optimal strategy for any miner
> is to mine on every chain, so that the miner gets their reward no
> matter which fork wins.   indeed in proof-of-stake, the proofs are
> published on the very chains mines, so the incentive is magnified.
>
> in proof-of-burn, your burn investment is always "at stake", any
> redaction can result in a loss-of-burn, because burns can be tied,
> precisely, to block-heights
>
> as a result, miners no longer have an incentive to mine all chains
>
> in this way proof of burn can be more secure than proof-of-stake, and
> even more secure than proof of work
>
> On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev wrote:
> >
> > Hi Billy,
> >
> > I was going to write a post which started by dismissing many of the weak
> > arguments that are made against PoS made in this thread and elsewhere.
> > Although I don't agree with all your points you have done a decent job
> > here so I'll focus on the second part: why I think Proof-of-Stake is
> > inappropriate for a Bitcoin-like system.
> >
> > Proof of stake is not fit for purpose for a global settlement layer in a
> > pure digital asset (i.e. "digital gold") which is what Bitcoin is trying to
> > be.
> > PoS necessarily gives responsibilities to the holders of coins that they
> > do not want and cannot handle.
> > In Bitcoin, large unsophisticated coin holders can put their coins in
> > cold storage without a second thought given to the health of the underlying
> > ledger.
> > As much as hardcore Bitcoiners try to convince them to run their own
> > node, most don't, and that's perfectly acceptable.
> > At no point do their personal decisions affect the underlying consensus
> > -- it only affects their personal security assurance (not that of the
> > system itself).
> > In PoS systems this clean separation of responsibilities does not exist.
> >
> > I think that the more rigorously studied PoS protocols will work fine
> > within the security claims made in their papers.
> > People who believe that these protocols are destined for catastrophic
> > consensus failure are certainly in for a surprise.
> > But the devil is in the detail.
> > Let's look at what the implications of using the leading proof of stake
> > protocols would have on Bitcoin:
> >
> > ### Proof of SquareSpace (Cardano, Polkadot)
> >
> > Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an
> > inbuilt on-chain delegation system[5].
> > In these protocols, coin holders who do not want to run their node with
> > their hot keys in it delegate it to a "Stake Pool".
> > I call the resulting system Proof-of-SquareSpace since most will choose
> > a pool by looking around for one with a nice website and offering the
> > largest share of the block reward.
> > On the surface this might sound no different than someone with a mining
> > rig shopping around for a good mining pool but there are crucial
> > differences:
> >
> > 1. The person making the decision is forced into it just because they
> > own the currency -- someone with a mining rig has purchased it with the
> > intent to make profit by participating in consensus.
> >
> > 2. When you join a mining pool your systems are very much still online.
> > You are just partaking in a pool to reduce your profit variance. You still
> > see every block that you help create and *you never help create a block
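The equivocation-punishment rule Billy Tetrud describes near the top of this message (slash a quorum member that signs two different blocks at the same height, and reward whoever publishes the proof on the main chain), as an added example that is not code from the thread or from any of the protocols discussed. Validator names, stake amounts and the HMAC used in place of a real signature scheme are constructed for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Vote:
    validator: str
    height: int
    block_hash: str
    sig: str  # hex HMAC over (validator, height, block_hash)

def _digest(key, validator, height, block_hash):
    # HMAC stands in for the validator's digital signature (assumption so the
    # example needs only the standard library); a real protocol uses public keys.
    return hmac.new(key, f"{validator}|{height}|{block_hash}".encode(), hashlib.sha256).hexdigest()

def sign_vote(validator, key, height, block_hash):
    return Vote(validator, height, block_hash, _digest(key, validator, height, block_hash))

def vote_is_valid(vote, key):
    return hmac.compare_digest(_digest(key, vote.validator, vote.height, vote.block_hash), vote.sig)

def find_equivocations(votes, keys):
    """Validators with two validly signed votes for different blocks at one height."""
    first_seen, slashable = {}, set()
    for v in votes:
        # Evidence must verify: a forged vote must never get an honest validator slashed.
        if v.validator not in keys or not vote_is_valid(v, keys[v.validator]):
            continue
        if first_seen.setdefault((v.validator, v.height), v.block_hash) != v.block_hash:
            slashable.add(v.validator)
    return slashable

def apply_slashing(stakes, slashable, reporter, reporter_pct=10):
    # Burn each equivocator's whole stake; the reporter receives reporter_pct of it.
    new = dict(stakes)
    for who in slashable:
        lost = new.pop(who, 0)
        new[reporter] = new.get(reporter, 0) + lost * reporter_pct // 100
    return new

KEYS = {"alice": b"alice-key", "bob": b"bob-key"}  # constructed sample validators
STAKES = {"alice": 100, "bob": 50, "carol": 10}    # constructed sample stakes
def demo():
    votes = [
        sign_vote("alice", KEYS["alice"], 10, "blockA"),
        sign_vote("alice", KEYS["alice"], 10, "blockB"),  # equivocation at height 10
        sign_vote("bob", KEYS["bob"], 10, "blockA"),
        Vote("bob", 10, "blockB", "00" * 32),             # forged evidence: must be ignored
    ]
    slashed = find_equivocations(votes, KEYS)
    return slashed, apply_slashing(STAKES, slashed, reporter="carol")
```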

Re: [bitcoin-dev] Reducing block reward via soft fork

2021-05-24 Thread Billy Tetrud via bitcoin-dev
Before we can decide on tradeoffs that reduce security in favor of less
energy usage, or less inflation, or whatever goal you might have for
reducing (or delaying) coinbase rewards, we need to decide as a community
how much security bitcoin *needs*.

Do we need to be secure against an attacker with a budget of $1
billion/year for an attack? $10 billion/year? More?

An upper limit would be the budget of the largest government: the US. The
US federal budget is almost $5 trillion/year. But they certainly couldn't
spend all that budget attacking bitcoin. About $3 trillion of that is
mandatory spending, which couldn't be allocated to such an attack. About
$1.5 trillion is discretionary, which includes the military budget. It
seems like an upper limit on the amount that could be siphoned from that
budget to attack bitcoin would be 5%. That would take massive political
cooperation and wheeling and dealing. Likely spending that much would not
be politically feasible, but it seems possible, since a 5% reduction in
other activities is something other departments would likely be able to
sustain with just a bit of downsizing. Or that money could simply come from
more borrowing. 5% of $1.5 trillion is $75 billion. So that seems like a
pretty solid upper limit on the amount the US could allocate to an attack
in a year, in that it seems incredibly unlikely that more money than that
could be allocated. Such an expenditure might be eventually seen as
justified since the federal reserve has been inflating the supply of
dollars by 17.5% on average every year, which would be $1 trillion next
year (and more the next, etc). A similar story is told if you calculate the
amount of seigniorage banks get access to by their ability to use
fractional reserve to inflate the supply of M2 money. It should be
considered though that this seigniorage doesn't give its beneficiaries that
full value, but rather some fraction of that value - say 5% earned by being
first to buy with that new money and earning interest on it. So 5% of a
trillion is $50 billion. Still, over just two years, that's enough to pay
for an attack of at least that size ($75 billion).

The budget for the government of China is about $3.6 trillion, the second
largest in the world. And since they're an authoritarian country, they can
basically do whatever they want with that money. It still seems unlikely
they would spend more than 5% of that budget on doing something like
attacking bitcoin. However, consider that China's M2 money supply has been
increasing at a rate of almost $3 trillion per year. Protecting the ability
to do this seems like something worth spending some (printed) money on.
So perhaps at some point, spending 10 or 20% of their budget for a year or
two to attack bitcoin might seem like a good idea to some mickey mouse in
the government. That would be $720 billion/year.

So given the amount of seigniorage taken in every year by these central
banks, it would seem to justify large expenditures. I'm not sure how
realistic it would be, politically speaking, to gather $720 billion in a
single year to attack bitcoin. It seems far fetched, even if the
seigniorage they're protecting seems to justify it.

So is this the level of attack we want to be resilient to? Nearly a $1
trillion attack? I don't know. But we should figure that out as a
community. And keep in mind, the level of attack we need to defend against
depends on the size of bitcoin. The more valuable bitcoins are, the more
damaging, more lucrative, and more valuable an attack would be for
attackers. It seems reasonable to assume that this is a linear
relationship - that if bitcoins are worth twice as much, we need twice as
much security (ie we want to make attacking bitcoin twice as costly).

The next step is figuring out a reasonable lower bound for how much it
takes to attack bitcoin. There are many attacks that can be done on
bitcoin, but the one relevant to the discussion here is a 51% attack.
Bitcoin's PoW basically is attackable by buying about 25% of the existing
mining power (for reasons like the selfish economic attack and the economic
mining monopoly attack), which is about 40 exahashes/second.

If you bought 400,000 WhatsMiner M30S+ rigs at current market
price, you'd need $1 billion to buy them all (which doesn't include the
cost of setting up all that equipment, powering it, building the network
infrastructure for it, etc etc). Let's say all that infra doubles the price
to $2 billion. Even then, you couldn't simply buy half a million mining
rigs from the market. That many just aren't available. An attacker would
have to spend years and years building up their mining operation before they
could actually perform the attack. They'd 

Re: [bitcoin-dev] Opinion on proof of stake in future

2021-05-24 Thread Erik Aronesty via bitcoin-dev
> I don't see a way to get around the conflicting requirement that the keys for 
> large amounts of coins should be kept offline but those are exactly the coins 
> we need online to make the scheme secure.

proof of burn clearly solves this, since nothing is held online

>  how does proof of burn solve the "nothing at stake" problem in your view?

definition of nothing at stake: in the event of a fork, whether the
fork is accidental or malicious, the optimal strategy for any miner
is to mine on every chain, so that the miner gets their reward no
matter which fork wins.   indeed in proof-of-stake, the proofs are
published on the very chains mines, so the incentive is magnified.

in proof-of-burn, your burn investment is always "at stake", any
redaction can result in a loss-of-burn, because burns can be tied,
precisely, to block-heights

as a result, miners no longer have an incentive to mine all chains

in this way proof of burn can be more secure than proof-of-stake, and
even more secure than proof of work

On Sun, May 23, 2021 at 3:52 AM Lloyd Fournier via bitcoin-dev wrote:
>
> Hi Billy,
>
> I was going to write a post which started by dismissing many of the weak 
> arguments that are made against PoS made in this thread and elsewhere.
> Although I don't agree with all your points you have done a decent job here 
> so I'll focus on the second part: why I think Proof-of-Stake is inappropriate 
> for a Bitcoin-like system.
>
> Proof of stake is not fit for purpose for a global settlement layer in a pure 
> digital asset (i.e. "digital gold") which is what Bitcoin is trying to be.
> PoS necessarily gives responsibilities to the holders of coins that they do 
> not want and cannot handle.
> In Bitcoin, large unsophisticated coin holders can put their coins in cold 
> storage without a second thought given to the health of the underlying ledger.
> As much as hardcore Bitcoiners try to convince them to run their own node, 
> most don't, and that's perfectly acceptable.
> At no point do their personal decisions affect the underlying consensus -- it 
> only affects their personal security assurance (not that of the system 
> itself).
> In PoS systems this clean separation of responsibilities does not exist.
>
> I think that the more rigorously studied PoS protocols will work fine within 
> the security claims made in their papers.
> People who believe that these protocols are destined for catastrophic 
> consensus failure are certainly in for a surprise.
> But the devil is in the detail.
> Let's look at what the implications of using the leading proof of stake 
> protocols would have on Bitcoin:
>
> ### Proof of SquareSpace (Cardano, Polkadot)
>
> Cardano is a UTXO based PoS coin based on Ouroboros Praos[3] with an inbuilt 
> on-chain delegation system[5].
> In these protocols, coin holders who do not want to run their node with their 
> hot keys in it delegate it to a "Stake Pool".
> I call the resulting system Proof-of-SquareSpace since most will choose a 
> pool by looking around for one with a nice website and offering the largest 
> share of the block reward.
> On the surface this might sound no different than someone with a mining rig 
> shopping around for a good mining pool but there are crucial differences:
>
> 1. The person making the decision is forced into it just because they own the 
> currency -- someone with a mining rig has purchased it with the intent to 
> make profit by participating in consensus.
>
> 2. When you join a mining pool your systems are very much still online. You 
> are just partaking in a pool to reduce your profit variance. You still see 
> every block that you help create and *you never help create a block without 
> seeing it first*.
>
> 3. If by SquareSpace sybil attack you gain a dishonest majority and start 
> censoring transactions how are the users meant to redelegate their stake to 
> honest pools?
> I guess they can just send a transaction delegating to another pool...oh wait 
> I guess that might be censored too! This seems really really bad.
> In Bitcoin, miners can just join a different pool at a whim. There is nothing 
> the attacker can do to stop them. A temporary dishonest majority heals 
> relatively well.
>
> There is another severe disadvantage to this on-chain delegation system: 
> every UTXO must indicate which staking account this UTXO belongs to so the 
> appropriate share of block rewards can be transferred there.
> Being able to associate every UTXO to an account ruins one of the main 
> privacy advantages of the UTXO model.
> It also grows the size of the blockchain significantly.
>
> ### "Pure" proof of stake (Algorand)
>
> Algorand's[4] approach is to only allow online stake to participate in the 
> protocol.
> Theoretically, this means that keys holding funds have to be online in order 
> for them to author blocks when they are chosen.
> Of course in reality no one wants to keep their coin holding keys online so 
> in Algorand you