[bitcoin-dev] Secure Proof Of Stake implementation on Bitcoin

Kenshiro [] tensiam at hotmail.com
Sat Jul 20 13:00:51 UTC 2019


Hi all,

>>> Miners cannot feasibly take over 50% of energy sources in the world.

As I said in another e-mail, you don't need 50% of the energy sources of the world; you only need to hack the biggest mining pools to execute a 51% attack.

>>> Thus it is immaterial that each tiny stake of the evil whale is tiny: only the tiny stakes of the evil whale are in play during the time that the singular big UTXO by the honest whale is banned.

Sorry, but you are wrong, because there are always plenty of small stakers, and by dividing your coins into 100.000 you suffer a strong penalty in your staking weight. Remember, the formula is this, or some improved version of it:

utxoStakingWeight = numberOfCoins ^ 1000


To simplify the calculations, imagine there is a total supply like 200.000 coins (just a little more to include some small stakers), and you have 100001 coins split into 100001 addresses:

stakingWeightPerAddress = 1 ^ 1000 = 1
stakingWeightPerAddress * numberOfAddresses = 1 * 100001 = 100001   (this is the total staking weight of the evil whale)

Now we have a little, honest staker, with only TWO coins in one staking address:

stakingWeightPerAddress = 2 ^ 1000 = 1,0715×10³⁰¹

So the evil whale, with 51% of the coins split one coin per address, loses against the small stakers, even if they stake 2 coins each.

With this rule, you have no other choice than to put your coins together and wait the wait time after creating a block. The rest of the blocks are created by many other stakers; the wait time enforces that big stakers have to wait a number of blocks, which are created by the little stakers.

>>> Now again, consider that the situation indicates that there are in fact only two actual stakers, each of whom have 50% of the staked funds, thus there are no other stakers

There are always plenty of little stakers. You can only have 2 stakers if the rest of the world is not interested in the coin.

>>> I did indicate "each of them owns 50% of the total staked value", did I not?

Sure, but I didn't understand that as exact numbers, because if it's so then only a few people are interested in the coin, and then it's not a problem for the rest of the world.

Again, there are always plenty of little stakers.

>>> You have demonstrated no such thing, merely demonstrated your own willful incompetence in designing protocols.

I'm sorry, but it's you who doesn't understand the protocol I'm proposing. Of course I could be wrong, but I didn't see any numbers that demonstrate that. Just do the math and forget extreme situations where there are only 2 stakers, because there are always plenty of little stakers, even if all the small stakers together have only 1% of the coins or less.

Regards,


________________________________
From: ZmnSCPxj <ZmnSCPxj at protonmail.com>
Sent: Saturday, July 20, 2019 13:07
To: Kenshiro []
Cc: Eric Voskuil; Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Secure Proof Of Stake implementation on Bitcoin

Good morning Kenshiro,


>
> >>> For example, if you are capable of disrupting a coin such that its value is very likely to drop, you can buy short options as leverage.
> Suppose you hold a large stake of coins and know you control a significant fraction, enough that a censorship attack by you will be so disruptive that the coin price will drop.
> You take out a short contract with the contract price at the "hopium" level others have (say 10% higher), buying enough options that you can cover the current price of your owned stake, plus some more options.
> Suppose you buy a number of options equal to twice your stake.
>
> Thank you for the explanation, I understand it now. But what percent of BTC trades are short options? If everyone is doing short options, the attack is very dangerous as you say, but if only a small percent of trades is done in short options, then it's not a big problem.

It is immaterial, because this is just *one* possible economic attack.
Further leverage can always be had as Bitcoin does not exist in isolation.

>
> And this type of attack could also be done in PoW by evil miners. It's only one step more, they have to purchase a lot of BTC before the attack, buy many short options and execute the attack. Purchasing 50% of BTC is a problem because of the price, but that's the same for PoW or PoS.

Miners cannot feasibly take over 50% of energy sources in the world.

>
> >>> Let's suppose there are two big whales in your coin.
> Each of them owns 50% of the total staked value.
> Let's say "wait many blocks" parameter is 100 blocks.
>
> >>>One whale puts all his coin in a single UTXO.
> The other has distributed his stake in 100,000 different UTXOs.
>
> I think there is a misunderstanding here, you forgot to divide the 50% staking weight of the evil whale by 100.000.

No, you have a misunderstanding of your ***own*** system.
You forgot that you indicated that a staking UTXO is banned from adding a new block for "wait many blocks", as you indicated.
Thus it is immaterial that each tiny stake of the evil whale is tiny: only the tiny stakes of the evil whale are in play during the time that the singular big UTXO by the honest whale is banned.
Thus it has 100% of the stake during those 100 blocks.
The honest whale gets 1 block (with very high probability) and then the evil whale gets the rest of the blocks for 100 blocks.

Now again, consider that the situation indicates that there are in fact only two actual stakers, each of whom have 50% of the staked funds, thus there are no other stakers (even though the evil whale appears to be multiple separate stakers) because 50% + 50% = 100%.
I did indicate "each of them owns 50% of the total staked value", did I not?

The rest of your counterargument ***completely forgets*** this, so I will ignore it.
A whale composed of many tiny fishes is still a whale.
It is immaterial that there may exist many small stakers who individually can overpower a tiny stake of the evil whale: the evil whale will still dominate during those times that the honest whale is banned because of your additional rule that "a staker who creates a block is banned from creating another block for many blocks": the evil whale simply dominates from having many tiny stakes, each of which can be banned with little effect on the actual power of the evil whale over the coin.

> >>> We already know that miners are setting up mines at locations where energy is being wasted (e.g. oil well gas flares, putting up solar panels instead of just letting sunshine pointlessly heat up their roofs, etc.), and channeling the wasted energy into productive activity.
>
> I'm sure a big percent of mining will be done in this way, but if there is still dirty energy like nuclear energy or others, it is because we can't get all the energy we need from clean sources (and that's excluding bitcoin mining). So even being very optimistic about bitcoin mining, it will steal clean energy sources from other human needs, which will make us keep using dirty energy. So PoW makes us use dirty energy sources in a direct or indirect way.

It is immaterial: what matters is the economics.
Dirty energy is dirty because it causes damage to the economy by creating sickness and preventing people from surviving long lives and producing for the economy, destroys ecology and reduces biodiversity (and many products are derived from the variety of lifeforms available) and so on.
Thus, all energy uses will inevitably move towards cleaner energy sources as competition arises.

>
> >>> Thus, adding more rules is rarely the optimal thing to do.
>
> Proof of Stake is more complex than PoW, so you need to add a few more rules. Of course the rules must be well designed and tested, but as I explained above there is no problem with the extra rule of giving a great increase in staking weight to coins together in a single UTXO, because there is wait time for each staking deposit.

You have demonstrated no such thing, merely demonstrated your own willful incompetence in designing protocols.

I will no longer respond.

Regards,
ZmnSCPxj
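
Both positions in this thread can be checked numerically. The simulation below is an added example, not code from either author: it assumes each block goes to an eligible UTXO with probability proportional to numberOfCoins ^ 1000 and that the winning UTXO is ineligible for the next 100 blocks; the function name, the scenario layout and the counts of 150 and 10 small stakers are assumptions.

```python
import random

# Constructed scenarios: (owner, coins_per_utxo, utxo_count). The counts of
# small stakers (150 and 10) are assumptions, not figures from the thread.
TWO_WHALES = [("honest", 100_000, 1), ("evil", 1, 100_000)]
WITH_SMALL = [("evil", 1, 100_001), ("small", 2, 150)]
FEW_SMALL = [("evil", 1, 100_001), ("small", 2, 10)]

def simulate(groups, exponent=1000, wait=100, blocks=1010, seed=1):
    """Return {owner: blocks_won} over `blocks` heights.

    Assumed selection rule: a block goes to an eligible UTXO with probability
    proportional to coins ** exponent; the winner is then banned for the next
    `wait` blocks. Identical UTXOs are grouped so 100,000 outputs stay cheap.
    """
    rng = random.Random(seed)
    weight = [coins ** exponent for _, coins, _ in groups]  # exact big ints
    eligible = [count for _, _, count in groups]
    banned = []  # FIFO of (height_when_eligible_again, group_index)
    won = {owner: 0 for owner, _, _ in groups}
    for height in range(blocks):
        while banned and banned[0][0] <= height:
            eligible[banned.pop(0)[1]] += 1
        totals = [w * n for w, n in zip(weight, eligible)]
        total = sum(totals)
        if total == 0:          # every UTXO is banned: no block at this height
            continue
        pick = rng.randrange(total)  # integer draw, avoids float overflow
        for idx, t in enumerate(totals):
            if pick < t:
                break
            pick -= t
        eligible[idx] -= 1
        banned.append((height + wait + 1, idx))
        won[groups[idx][0]] += 1
    return won

if __name__ == "__main__":
    for name, scenario in [("two whales", TWO_WHALES),
                           ("150 small stakers", WITH_SMALL),
                           ("10 small stakers", FEW_SMALL)]:
        print(name, simulate(scenario))
```

Under these assumptions the split whale wins 1000 of 1010 blocks in the two-whale case, 0 when 150 two-coin stakers exist, and 910 when only 10 exist. In this model the outcome turns on whether the number of independent larger UTXOs exceeds the wait window, not on how many coins they hold.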