Work is Timeless
Copy of this article with room for rebuttals:
Work is Timeless
Much has been written about Proof-of-Stake (PoS).
There are many ways to slice and dice PoS and uncover its weaknesses. Mainly:
- Evolutionary Psychology/History: “Collectibles” or “proto-money” in history all had one thing in common, unforgeable costliness [1] — or at least unforgeable costliness in the context of their times. From sea shells, furs, teeth, to precious metals to minted coins. As PoS merely involves the temporary lockup of existing capital and does not consume said capital, it does not satisfy the unforgeable costliness requirement that Nick Szabo identified as one of the 3 key properties of money.
- Rebuttal: Fiat currency doesn't have unforgeable costliness. Most of the "money" issued by the US Gov't exists only electronically.
- Economics: If an object has value, people will spend effort to chase it, up to whatever the object is worth (MC=MR). This effort is also “work”. Paul Sztorc correctly concluded that PoS is an obfuscated form of PoW.
Work manifests in different ways in PoS, whether it is taking out a loan from the bank, running 24/7 staking servers, or attempting to steal online staking keys.
Not only is PoS obfuscated PoW, it is inferior PoW. Any potential cost saving PoS gives you, it pays back in equal measure through reduced security.
As we shall see below, a dollar [2] fleetingly locked up in staking creates nowhere near the same level of security as a dollar spent in mining.
- Rebuttal: I agree that people will put in the effort when the reward is good enough, but there's no evidence in this bullet point for believing that PoS isn't secure.
- Computer Science: Andrew Poelstra wrote one of the first formalized critiques of PoS, in which he coined the terms costless simulation (aka nothing-at-stake) and long-range attacks.
A recent paper by Jonah Brown-Cohen, Arvind Narayanan & co. also showed surprising barriers to having a good and reliable source of randomness in PoS protocols [3].
- Rebuttal (nothing at stake): It's true that the first PoS projects didn't require a bond, but bonding and slashing solve the nothing-at-stake problem.
- Rebuttal (long range attack): The long range attack (a group of unbonded validators use their keys to form a parallel dag) is a threat worth addressing. Over time, the set of validators that have left have nothing at stake any more on the main dag. They may outweigh the set of validators that have stayed; if so, they can construct an alternate fork of the dag, eventually prompting the ones who stayed to abandon their work.
We can fix the problem as follows: if a validator sees an unbonding request, it should keep adding that request to blocks until one of them gets finalized. This means that a validator cannot unbond conditionally on some unfinalized transaction.
In the case of a partition where the unbonding request is only seen on one side, when the partition ends, the unbonding request combined with transactions on the other fork will be evidence of equivocation. The fork that saw the unbonding request can still merge in the non-conflicting transactions from the alternate chain, but the validator will be slashed and won't receive any rewards for having produced those transactions.
Clients who interact with the byzantine fork may want to provide real-world products or services in exchange for the eventually worthless coin, but because a fault-tolerant majority is needed to finalize, transactions will never clear. So in the presence of a network partition we lose liveness rather than safety.
We already trust authors of client software; bitcoin software has exceptions for multiple hard forks. Making the time between unbonding and claiming funds something like a year would mean that validators would have to wait a year before mounting an attack, which is plenty of time for out-of-band evidence to accumulate that they unbonded. Other validators could update their software once a year and get access to a recent snapshot of the system, protecting them from the long-range attack.
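As an added illustration of the unbonding rule sketched in this rebuttal (a constructed toy model, not Casanova code; FINALITY_DEPTH, UNBOND_DELAY, the Fork and Validator classes and both scenarios are assumptions), the following Python models three things: honest producers re-including a pending unbonding request until a block carrying it is finalized, the lock period before unbonded stake can be withdrawn, and slashing when a partition heals and a validator's finalized unbonding on one side is found alongside blocks it signed past the fork point on the other side.

```python
"""Toy model of unbonding, lock period and post-partition slashing.
Constructed example: the names, parameters and data structures below are
assumptions, not the protocol's own code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

FINALITY_DEPTH = 2   # constructed: blocks built on top before a block is final
UNBOND_DELAY = 365   # constructed: lock period (in blocks) after unbonding


@dataclass
class Block:
    height: int
    signer: str                             # validator that signed the block
    unbonds: FrozenSet[str] = frozenset()   # unbonding requests carried


@dataclass
class Validator:
    name: str
    stake: int
    unbond_height: Optional[int] = None     # height at which unbonding finalized
    slashed: bool = False

    def withdrawable(self, height: int) -> bool:
        """Stake may leave only after the lock period, and never if slashed."""
        return (not self.slashed and self.unbond_height is not None
                and height >= self.unbond_height + UNBOND_DELAY)


class Fork:
    def __init__(self, blocks=None):
        self.blocks = list(blocks or [])

    def finalized_height(self) -> int:
        # a block is final once FINALITY_DEPTH blocks are built on top of it
        return len(self.blocks) - 1 - FINALITY_DEPTH

    def unbond_finalized(self, name: str) -> bool:
        return any(name in b.unbonds for b in self.blocks
                   if b.height <= self.finalized_height())

    def produce(self, signer: str, pending: Set[str], vals: Dict[str, Validator]):
        """Honest producer: keep carrying each pending request until it is final."""
        carry = frozenset(v for v in pending if not self.unbond_finalized(v))
        self.blocks.append(Block(len(self.blocks), signer, carry))
        for v in pending:
            if self.unbond_finalized(v) and vals[v].unbond_height is None:
                vals[v].unbond_height = self.blocks[-1].height


def find_equivocators(fork_a: Fork, fork_b: Fork) -> Set[str]:
    """Evidence = finalized unbonding on one fork plus a block signed past the
    fork point on the other fork. Both directions are checked."""
    common = 0
    while (common < min(len(fork_a.blocks), len(fork_b.blocks))
           and fork_a.blocks[common] == fork_b.blocks[common]):
        common += 1
    guilty: Set[str] = set()
    for home, away in ((fork_a, fork_b), (fork_b, fork_a)):
        unbonded = {v for b in home.blocks
                    if b.height <= home.finalized_height() for v in b.unbonds}
        guilty |= {b.signer for b in away.blocks[common:] if b.signer in unbonded}
    return guilty


def partition_scenario():
    """D asks to unbond, then the network splits into {A,B,C} and {D}."""
    vals = {n: Validator(n, 100) for n in "ABCD"}
    base = Fork()
    base.produce("A", set(), vals)                 # shared genesis block
    left, right = Fork(base.blocks), Fork(base.blocks)
    for signer in "ABCA":                          # left side carries D's request
        left.produce(signer, {"D"}, vals)
    for _ in range(3):                             # right side: D keeps signing
        right.produce("D", set(), vals)
    for name in find_equivocators(left, right):    # partition heals
        vals[name].slashed = True
    return vals, left, right


def honest_scenario() -> Validator:
    """E unbonds on a single chain: never slashed, but locked for UNBOND_DELAY."""
    vals = {n: Validator(n, 100) for n in "AE"}
    chain = Fork()
    for signer in "AAAA":
        chain.produce(signer, {"E"}, vals)
    return vals["E"]
```

In the partition run the left side carries D's request in every block until it is buried, then stops carrying it; once the two sides are compared, D's signatures on the right side past the fork point are the equivocation evidence, and because D's stake is still inside the lock period there is something left to slash. The honest run shows the same rule with no conflicting fork: E is never slashed but cannot withdraw before the delay elapses.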
- Rebuttal (randomness): Randomness isn't needed except for key generation. Proper key generation is independent of proof of stake.
- Engineering: I myself have written a 2-part series [Part 1] [Part 2] looking at PoS weaknesses from the practical engineering perspective, and listed specific worst-case scenarios where PoS is particularly vulnerable: network partition, private keys theft, or low rate of participation in staking.
- Rebuttal (network partition): Using a DAG lets the two sides of the partition continue to make progress until the partition is resolved.
- Rebuttal (private key theft): Duh, of course you have to protect your keys. Have a master key-signing key that signs a bunch of (precedence, key) pairs. If one key is compromised, use a key with higher precedence to force it to unbond. Or something similar---this is an easily-solved problem.
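As an added illustration of the key-precedence idea in this rebuttal (a constructed example, not the project's code), the Python below has a master key certify (precedence, key) pairs and lets only a strictly higher-precedence key force a lower one out of the active set. Everything here is an assumption: the Cert and StakingState types, the message format, and, in particular, the HMAC-SHA256 stand-in used for "signed by key K" so the block runs with the standard library only; a real deployment would use asymmetric signatures, where verifiers hold public keys rather than the secrets modelled here.

```python
"""Toy key-precedence scheme: master certifies keys with a precedence, and a
higher-precedence key can force a compromised lower one to unbond.
Constructed example; HMAC stands in for a real signature scheme."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Iterable


def sign(secret: bytes, msg: dict) -> str:
    """Stand-in signature over a canonical JSON encoding of msg."""
    return hmac.new(secret, json.dumps(msg, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def verify(vk: bytes, msg: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(vk, msg), sig)


@dataclass(frozen=True)
class Cert:
    precedence: int
    key_id: str
    master_sig: str


def issue_cert(master_secret: bytes, precedence: int, key_id: str) -> Cert:
    body = {"precedence": precedence, "key_id": key_id}
    return Cert(precedence, key_id, sign(master_secret, body))


def cert_valid(master_vk: bytes, cert: Cert) -> bool:
    body = {"precedence": cert.precedence, "key_id": cert.key_id}
    return verify(master_vk, body, cert.master_sig)


class StakingState:
    """Active signing keys for one validator, as seen by the network."""

    def __init__(self, master_vk: bytes, certs: Iterable[Cert],
                 key_vks: Dict[str, bytes]):
        self.certs = {c.key_id: c for c in certs if cert_valid(master_vk, c)}
        self.key_vks = key_vks
        self.active = set(self.certs)

    def force_unbond(self, msg: dict, sig: str) -> str:
        actor, target = msg.get("by"), msg.get("target")
        if actor not in self.active or target not in self.active:
            return "unknown or inactive key"
        if not verify(self.key_vks[actor], msg, sig):
            return "bad signature"
        # only a strictly higher-precedence key may evict another key
        if self.certs[actor].precedence <= self.certs[target].precedence:
            return "insufficient precedence"
        self.active.discard(target)
        return "ok"

    def accept_block_signature(self, key_id: str, block: dict, sig: str) -> bool:
        return key_id in self.active and verify(self.key_vks[key_id], block, sig)


def compromise_scenario() -> dict:
    """Hot (precedence 1) key is stolen; backup (precedence 2) key evicts it."""
    master = b"master-secret (constructed)"
    hot, backup = b"hot-key-secret (constructed)", b"backup-key-secret (constructed)"
    certs = [issue_cert(master, 1, "hot"), issue_cert(master, 2, "backup")]
    state = StakingState(master, certs, {"hot": hot, "backup": backup})
    results = {}
    # 1. holder of the stolen hot key tries to evict the backup key
    msg = {"type": "force_unbond", "by": "hot", "target": "backup"}
    results["hot_evicts_backup"] = state.force_unbond(msg, sign(hot, msg))
    # 2. a certificate minted without the master key is not accepted
    forged = Cert(99, "hot", sign(b"not-the-master", {"precedence": 99, "key_id": "hot"}))
    results["forged_cert_valid"] = cert_valid(master, forged)
    # 3. the owner uses the backup key to force the hot key out
    msg = {"type": "force_unbond", "by": "backup", "target": "hot"}
    results["backup_evicts_hot"] = state.force_unbond(msg, sign(backup, msg))
    # 4. the stolen hot key can no longer sign blocks
    block = {"height": 7, "payload": "constructed"}
    results["hot_signs_after_eviction"] = state.accept_block_signature(
        "hot", block, sign(hot, block))
    results["backup_still_active"] = "backup" in state.active
    return results
```

The check that matters is the precedence comparison in force_unbond: a stolen low-precedence key cannot use the same mechanism against the keys above it, and a certificate the master never signed carries no precedence at all. In the rebuttal's framing the eviction would be an unbonding request subject to the usual lock period; this model only removes the key from the active set.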
Proof of Stake is Proof of Temporary Stake
Proof-of-Stake is a misnomer. The correct, fully descriptive name for Proof-of-Stake should be Proof-of-Temporary-Stake (PoTS). This name is more accurate because it captures the time element, or lack thereof, of PoS.
To understand the effects of Time, let’s first analyze how Time plays a role in PoW.
The ongoing energy expenditure in PoW contributes to network security in 2 ways:
- Energy expended per block not only secures the UTXOs belonging in that block but also retroactively secures all global UTXOs that occurred in past blocks. The reason is that it would be impossible to revert past UTXOs without reverting the current block first. Each new block effectively “buries” all existing UTXOs under its weight.
- Rebuttal: This is metaphorical at best. Even in a sybil attack on Bitcoin, you don't need any work to "revert" existing transactions; you only need work to produce the new blocks.
- Investment in specialized mining equipment, in essence, represents the potential stream of rewards earned in the future, discounted back to the present. When a miner invests in a new piece of mining equipment, it is akin to buying a share of stock that pays regular dividends. What that means is that mining hardware in totality roughly represents potential energy expenditure of future blocks.
One way to visualize this is to imagine a timeline. Units of work expended in the past accumulate in the ledger. Units of work expended in the future accumulate in the current mining hardware.
Ledger accumulates past work; Mining hardware accumulates future work.
As time moves forward, units of work on the right side materialize and move to the left side. Mining hardware can also be seen as a “buffer”, a place where units of work deposit before making their way to their final destination: the ledger [4].
The official term to describe this sort of time-based accumulation phenomenon is stock & flow, which occurs often in nature. Bitcoin is essentially protected by high stock-to-flow ratios in 2 areas: the ledger, and the mining hardware. (Go here for a detailed discussion of stock & flow.)
In contrast, PoS has no equivalent of this.
- Rebuttal: On the contrary, this sounds exactly like what we're planning to do with Casanova; there will be validators that will produce blocks and get rewarded; the ledger or UTXOs are past work and the "miners" or validators are an embodiment of future work. There's nothing in this description that requires proof of work or prevents proof of stake.
Past stakes (left side of the timeline) do not accumulate in the ledger, as stake is released after some arbitrary bonding period [5]. Long-range attack is the manifestation of this weakness: it works because of PoS’s inability to secure the past. Long range attack is at the heart of the problems with PoS, because it shows that in the long run PoS fails to guarantee the integrity of the ledger — the most important asset of all this innovation.
- Rebuttal: We addressed long-range attacks above.
Future stakes (right side of the timeline) also do not accumulate in the validators in the present time, as again the act of staking only has meaning within the short window that it occurs — what happens in the future does not count today. Current-private-keys-theft is the manifestation of this weakness: it works because of PoS’s inability to secure the future. Keys theft sidesteps altogether the financial cost supposedly required to acquire controlling stake — whereas in PoW there’s no sidestepping the fact that an attacker needs to overcome the mining hardware and ongoing energy costs to pull off and sustain a majority attack [6].
(There is one form of accumulation in PoS. That is, the periodic staking rewards that accrue to the validators. However, unlike accumulation in PoW, rewards accumulation is only beneficial to the individual PoS validators, not to overall network security.)
In summary: the further one moves away from the present time in PoS, the faster stake loses its meaning, until stake becomes meaningless.
Work is robust against the ravages of time [7]. Stake is not.
The fact that the cost of PoW mining is irretrievably sunk and accumulates both in the ledger and the mining hardware is an important feature, not a bug. PoS research is often based on the fundamental misconception that this is a bug and a source of inefficiency.
- Rebuttal: perhaps the versions of PoS that had been proposed when this article was written didn't work, but I think our version is secure. Proofs forthcoming.
Acknowledgments
Special thanks to Vijay Boyapati, Bob McElrath, LaurentMT, Nic Carter and Steve Lee for their valuable feedback.
- Note: Another major criticism of PoS is that PoS pretty much guarantees a plutocracy system (rich getting richer). That is not discussed here as it is not related to security strength per se, and deserves its own separate discussion.
[1] Some might confuse unforgeable costliness with the labor theory of value, but they are not the same thing. Energy cost alone is not enough; the asset must be unforgeable.
[2] The dollar is used here only as a unit of convenience; it could be any other unit of account.
[3] For a PoS currency, relying on an external source of randomness involves a circular-reasoning fallacy. Therefore it is highly desirable that PoS generates randomness internally, using the content of its own ledger. However, this proves to be a difficult problem that has its own trade-offs.
[4] Not all units of work make it all the way to the ledger. Some are thrown away, but even thrown-away work is necessary to keep the network decentralized.
[5] The concept of “finality” does not change the (lack of) accumulation aspect of PoS, as new/long-dormant/partitioned nodes can see different “finalities”.
[6] Hardware seizure (e.g. by a state actor) is a risk in PoW; however, this risk can be mitigated as long as mining is sufficiently decentralized. Dispersed hardware, however, is not a defensive option for PoS, as PoS validators are just software nodes — which can be targeted remotely from anywhere. More importantly, even with seized hardware, an attacker still can’t avoid ongoing energy costs.
[7] Work is timeless / robust in terms of number of hashes, not energy required. New hardware technologies could improve mining efficiency — although at some point the efficiency gains will slow down as we run into hard physical limits. The robustness of Bitcoin’s PoW also relies on SHA256 not being broken.