- It is not the power but the belief that supports the security of the POW;
- People seriously overestimate the safety of POW;
- The existence of POS only needs one reason: it can solve the hidden danger of POW 51% attack;
- Staking Economy is harmful to POS, it will reduce the security of the POS system;
- The problem that POS really has no solution is that there is no profit attack.
This article systematically analyzes the security advantages and disadvantages of POW and POS, and draws many different conclusions. The density of text information is very large. It takes a lot of patience to read it. I recommend reading it after you collect it. Most people use experience to understand POW and POS, and experience is often wrong.
Author: Maxdeath, Dr. Ren Jie, a senior fellow at the only chain block chain, the main research directions include block chain consensus algorithm, expansion, application, has published many papers in international academic block chain conference.
- Japanese financial giant SBI Cheng Ruibo publicity ambassador? Plan to send XRP to shareholders
- The ant blockchain behind the double 11 carnival: traces 400 million cross-border goods, copyright deposits help sellers defend rights
- BEPAL officially became a member of the Wanchain Galaxy Consensus Ecology, building a Wanwei Chain PoS node ecosystem
- Hainan sets up digital asset trading test area, STO falling from the altar may usher in the biggest turning point
- Lava open source opens a new era of PoC ecological development
- Blockchain faction: traditional giants, academics, political circles, startup companies
Recently, it happened to be the peak period for some star POW and POS projects to prepare for the main online line. Therefore, the comparison between the advantages and disadvantages of POW and POS is even worse. I have seen a lot of articles in this area before, I don't know why, there is always a feeling like licking in the throat, some things don't spit up – most people compare POW and POS is not a level of things .
POW is a more algorithm in reality, and POS, especially in the current sense of POS (rather than the early semi-finished products of peercoin) is a thing that only exists in theory at present; at the same time, POW is a kind of algorithm. POS is also a type of algorithm. Therefore, we can't take the POW of bitcoin when considering simplicity, practicality, and safety. Then, when considering efficiency and considering decentralization, we will come up with another different POW.
So here, I want to compare the two from a more fundamental perspective. In other words, what we want to compare is not the POW of Bitcoin and the casper of Ethereum, nor the POW and POS of the current stage, but the future and prospects of the two ideas of POW and POS, which is more suitable for the blockchain. Governance and operation.
Therefore, we must abandon all the limitations of the existing POW and the existing POS, in essence, or from an ideal state, the fundamental differences and limitations of the two.
The essence of POW and POS
So first, we need to define the POW and POS.
First, both try to achieve a kind of "randomly selected nodes out of the block, the probability of selection is proportional to some verifiable resource of the node, and then, because we adopt the longest chain consensus, we want to overthrow the blocks that have been confirmed need to master The state of more than 50% of resources, but the resources of the two are the workload, and the other is the possession of the currency.
From this perspective, let's see what the two are indispensable:
POW: A node that can provide evidence of some workload has gained block rights.
POS: A person who provides proof of possession of certain coins before a certain time gets a block right. That's it.
In this article, all the comparisons we make are based solely on the above definition, and the difference between the two, and then through logical reasoning.
Of course, I also don't intend to compare it purely from a theoretical point of view, because in fact both have the so-called theoretical "safety", but in fact they are based on some less realistic assumptions. Therefore, we also need to consider the advantages and disadvantages of the two in the reality, that is, in the society we are in, in the present and in the not too distant future.
In other words, we assume that, functionally, we can find such two ideal algorithms in recent years. If we want to use it for a public chain, then what better or worse?
POW and POS security
One of the most frequently criticized POS is that POS has not been tested in practice, and POW has proven to be safe in practice.
However, the opposite is true.
The truth is that POS has not been proven to be unsafe in practice, and POW has exposed a significant security risk in practice – 51% of attacks.
This is not a fantasy, nor is it a worry, 51% of attacks are real threats to almost all digital currencies using the POW algorithm. That's why we are talking about the biggest reason for POS – not because POW wastes power, not because POS's economic model is more fair, not because POS sounds more cool, but because –
POW has exposed great security risks and problems, and POS can solve this problem. Although POS may not be better than POW in other respects, this is enough to justify our need for POS.
The core problem of the 51% attack is described as follows:
In an ideal blockchain, from the perspective of security, the interests of consensus participants should be consistent with the interests of the blockchain itself. Thus, 51% of attacks are not feasible, because participants who are dominant in the consensus will not be willing to attack the blockchain, otherwise they will lose their own interests.
However, this is true for POS and not for POW. Because the benefits of miners in the system are actually much smaller than the value of the entire system. In other words, when there is a conflict between the two, the POW miners are entirely likely to commit malicious acts for their own interests. Here, "their own interests" may be the dominant control of the blockchain, perhaps for the blockchain. The idea of developing the future, perhaps, is the benefit of a double payment attack.
If you agree with this, you don't have to look at the following long story. If you disagree, I will do some detailed analysis of this security risk of POW.
In fact, the security of POW is much smaller than the POW security in popular cognition.
In popular cognition, as long as most of the computing power is honest, bitcoin is safe, and controlling most of the computing power is impossible.
In fact, this assumption is also widely used in almost all consensus algorithms—whether it's POW, POS, BFT, or other POx—we are adopting similar assumptions—that is, if most nodes or resources Maybe 1/2, maybe 2/3, maybe power, maybe equity, or something else, be honest, then the system is safe.
However, this assumption is not natural in itself – so, in the Bitcoin white paper, Nakamoto does not directly say "we assume that more than 50% of the calculations are honest", but rather:
"If someone can control 51% of the computing power, then he does not need to carry out 51% of the attack, because it can get better income through mining, and 51% of the attack will make him the currency he dug and his The mining machine has become worthless."
In other words, it is not that POW will not be attacked by 51%, but a 51% attack on POW is not cost-effective.
So, isn’t it really worthwhile to make a 51% attack on the POW?
Someone might say of course – "Bitcoin has never been attacked, because the cost of attacking Bitcoin is so high that you can't imagine it."
However, in fact, a little attention to the security of some blockchains is clear, 51% of attacks on POW are too numerous to enumerate – more closely Verge, BTG, ETC … these have suffered 51% of attacks, and they have adopted The POW algorithm, and, is the same algorithm used by Bitcoin and Ethereum.
From this perspective, is the security bitcoin or POW?
Some people will say that I have stolen the concept: Can these altcoins be the same as Bitcoin (Ethereum)? The price of these altcoins is not enough to get the threshold of 51% attack – I just make a xx coin to use the bitcoin POW for mining, and then 51% attack, which also shows that POW is not safe?
But this explanation is not enough – because in the previous logic, we did not say that POW will not be attacked by 51%, but that 51% of attacks are not cost-effective. If I made a xx coin and then was attacked by 51%, the attacker couldn't benefit from it. But in the previous examples, the attacker actually benefited from the attack.
So what is wrong with this logic?
Are the miners of Verge, BTG, and ETC, do not know that they can make more money by mining? They don't know that if they attack these coins, they will cause the price of the coins to drop, so the mine they dug before will be worthless?
What is the difference between Bitcoin and these currencies? Is it only the price?
51% attack analysis of POW
"The security support of POW is not power, but faith."
Let us analyze the real situation of these attacks:
It doesn't exist to make more money by mining. 51% of attacks will cause the depreciation of their currency to be non-existent, because they don't need to have anything to do with this blockchain before they attack. The force is cut from the bitcoin's mining pool, and they don't own the currency themselves. They just need to buy some coins from the exchange, sell them, and then sell them once again when the exchange is not aware of it. .
So, in the final analysis, the logical problem with POW is that miners with more than 50% of computing power in the ideal should be consistent with the interests of the system. For example, for digital currency, the benefit of the system is safety, and the benefit of the miner is mining income, so the expected return of mining should be very rich, making the miners willing to maintain the security of the system, so they are not willing to conduct double payment attacks. .
However, to what extent is the return of mining to be sufficient to fully resist double payment attacks?
Let's take a closer look at the inputs and benefits of mining, as well as the investment and benefits of double payments. Here, we assume that the first condition has been established, that is, the mining machine has no other purpose than to dig the coin.
- Mining investment: mining machine cost + electricity fee * time.
- Mining revenue: the calculation unit counts the amount of currency obtained by mining and the interest brought by the income (real money or virtual currency)
- Double payment input: mining machine cost (purchase or lease) + transaction fee + acquisition of calculation power and currency fluctuation caused by double payment period
- Double payment income: double payment profit + interest – risk
First, let's put all the one-time costs aside – the cost of mining machines, the currency fluctuations during the calculation and double payment attacks, and the risk of double payment attacks.
Compared with the two, we found that when considering the long-term income, when a miner already has more than 50% of the calculation power, the profit of the currency or the investment currency is not the reason that hinders him from attacking 51% – because he can do it. 51% of the attack's profit to make other investments.
Therefore, the "high price of the currency" is not enough to resist the double payment attack. "The price of the currency continues to rise" is not enough to resist the double payment attack, because the number of rewards per unit of computing power will decrease with the increase of the total power, even "The continuous increase in unit computing power" is not enough, because it must be said that "the unit price of the currency is higher than other investment products, that is, the attacker can not find a more profitable investment than the investment power. "To fully resist double payment attacks." Otherwise, in theory, there is always a certain degree of benefit enough to induce 51% of the calculations to take the risk of double payment attacks.
However, if the expected mining revenue can outperform other investment products, if the system is sufficiently decentralized, then there should be more people to mine, resulting in lower unit revenue. Unless the people who are mining are not expecting the mining revenues and those who have not joined the mining – that is, “belief”.
Because there is a blessing of faith, plus the people who have not joined, they have obtained the "no faith" reduction, so the miners think that the investment power is cost-effective, and those who have not joined think that the investment power is not cost-effective, in such a scenario. Among them, miners who have more than 50% of their computing power do not engage in double payment attacks.
On the contrary, if the cryptocurrency becomes mainstream enough and the computing power becomes one of the normal investment products, then, just as everyone sees the currency price rise, take the money from the bank, the stock market, the fund, and the wealth management. Just like investing in virtual currency, when the return on mining is not good, what else can drive 51% of miners not to withdraw their money from the computing market into other industries? If this time, he found that he could make a 51% attack, and the profit of the attack would exceed the money he could sell by calculating his power. So, what reason does he have to do this?
This conclusion is already alarming enough, but the significance it reveals is far more profound: when miners have 51% of computing power, we wishfully believe that their interests have been tied to this blockchain. However, the fact is that the only difference that supports their reasons for continuing mining and the reasons for supporting them to make any investment is probably only faith.
And this "belief" is nothing more than just "mining money to make money." Whether the cryptocurrency becomes mainstream or eventually becomes weak, this belief will slowly fade away. At that time, as long as they found that mining is not cost-effective, it is their best choice to get off the bus. The only question is how much they can fish.
"Mineral machine costs are not part of the cost of attack"
So, the question is coming – how much can we borrow through a double payment? This value can't be too big, because: 1) you need to be able to buy so many coins from the market; 2) selling so many coins is not enough to cause the market to be alert immediately.
As a result, many things we have neglected before have become unnegligible, such as mining machine fees, transaction fees, currency fluctuations, and other risks…
Here, the cost of mining machine is actually the most easy to see threshold, and it is also the root of many people's confidence in POW – how easy is it to get 50% of the computing power? You can see the calculation power of these POW chains and then calculate them according to the market price of the corresponding mining machine.
But we don't really need to buy a mining machine. We only need to acquire the computing power. In other words, we only need to buy people who control the power. For those with computing power, don't forget our previous analysis – from the perspective of profit, they are not tied to the chain, they can get off at any time as long as there is enough return.
Here are two more cases:
1. Their mining machine has other uses besides dig this chain.
2. Their mining machine has no other use than to dig this chain.
Usually, we think the latter is safer. In the actual example, if we want to send a new POW coin, then the same algorithm as the mainstream currency is not safe, and the special POW algorithm is more secure.
However, in reality both are equally unsafe –
First of all, the judgment of "there is no other use" is completely subjective, because the judgment of "whether the attacker adopts the attack" is subjective. If we judge that the mine has other uses after the attack, the cost of the mine does not need to be included in the cost of the attack. If they judge that the mining machine has no other use after the attack, then since the premise of the attack is that they judge that the investment of the mining machine has not been cost-effective to prepare to get off the vehicle in the long run, then at this time, the mining machine is already sunk cost and does not need Included in the cost of attack.
Some people may say that I am stealing the concept – even if you continue to mine does not make money, it does not mean that the mining union sells the computing power to the attacker!
But the truth is, the miners are selling their calculations to the mining pool. So, who knows that the mines that give you more rewards than other mines are not attackers? This point, we will expand in the following text.
"In POW, the cost of a 51% attack is only 1/100,000 of its market value."
Now, let's go back to the previous conclusions – we seriously overestimate the security of POW.
1. First of all, people think that 51% of attacks need to buy a mining machine that can provide these computing powers. In fact, it is not necessary. It only needs to acquire the corresponding computing power from the computing power owner, and the cost and mining machine of the acquisition computing power. The cost of itself is irrelevant and only related to the expected return of the power owner. This acquisition may be quite easy, as it is only necessary to create a mine that is slightly higher than other mines.
2, Secondly, people think that taking 51% of the attack is not worthwhile because mining can also get a more lucrative return, in fact, it is not, because after the attack you can get cash at one time, and then you can go to other investments, the same You can get a good return. Therefore, don't say that the price of the currency is falling or not rising. As long as the investment in mining does not win other investments, its safety will decline. At the same time, whether the bear market causes the value of the miners’ beliefs to decline, or whether the bull market leads to a rise in the beliefs of the people’s investment in mining, its safety will decline – only when the miners feel that they are particularly profitable and do not mine. When you are willing to come in, the benefits of mining are the biggest, and the safety is also the highest.
3. Again, the only security left by POW is the fluctuations in currency prices, handling fees and security risks – in other words, the risk of redeeming these currencies, however, these risks are actually borne by the exchange. It is. Because exchanges compete for each other, they will provide lower fees, better liquidity, and faster transfer, that is, reduce the cost of double payment attacks and reduce the security of POW.
Therefore, after subtracting these, we have come to a conclusion: In fact, the security of POW is basically equal to the cost of obtaining 50% of computing power, and this cost is only related to the income, and has nothing to do with the cost of the computing power itself.
If the power has a relatively open and transparent market, then as long as you go to crypto51.app to see, the cost of renting one hour of computing power is almost the cost of attacking each currency. If the power is not available through the open market and needs to be acquired from the power controller, then considering the premium that needs to be paid to the owner, this value may be higher than the estimate on crypto51. But in any case, it is very insignificant compared to the total market value of this currency, about 1/100,000. The fluctuations caused by such a small transaction amount are almost negligible.
Based on these analyses, it's not hard to understand why Verge, BTG, and ETC are attacked, and we can even figure out what currency is more vulnerable:
1. The computing power is easy to obtain and the cost of acquisition is low: all three currencies use the same POW as the mainstream currency, and the computing power of enough attacks can be easily obtained from the website of the computing lease.
2. The currency value is not rising well.
3. Received by many exchanges.
So why is POS able to withstand 51% of attacks?
In fact, it's very easy to say – we don't have to do a detailed analysis like POW. POS is also naturally immune to 51% of attacks in the form of POW, because the cost of 51% attack can't be avoided more than 50%. Holding the currency, and any currency damage caused by the attack on this currency, the biggest loss will only be more than 50% of the holder himself.
But what we haven't considered here is Staking Economy, which means that the future POS will also form the same "equity pool" as POW, that is, the holders who are not willing to spend energy to participate in the consensus will entrust the block right to some larger ones. Holders or more prestigious institutions, and then only collect mining rewards (of course, the client will receive a part of the reward). Thus, a 51% attack on the POS eliminates the need to acquire these coins, and only needs to temporarily control the mining pool with a probability of more than 50%.
However, even then, the cost of a POS attack will be much higher than the POW.
Because, first of all, with the POW need to continue to invest in electricity, so that small miners must join the pool to obtain a continuous income difference, the server maintenance costs of continuous investment in the POS are much smaller than the POW, so the possibility of focusing on the large pool will be Less than POW. In other words, even if Staking Economy really appears in the POS chain, there may not be a few monopoly of the mining pool.
And, most importantly, a node with a certain amount of currency is also fully and willing to maintain a node by itself, without relying on the mine pool. Especially for some big money holders – you can hardly imagine that they are not willing to maintain the whole node, which means they don't care about the blocks in the chain. Another most important reason is that different POS out of the POW is required to be signed by the holder, so the POS pool may pay a greater social cost when doing evil, but for the POS mine, because of their actual The equipment investment required for mining is much smaller than the POW, so in reality, the cost of social status and reputation is the highest.
Of course, in fact, these points can't change a conclusion, that is, Staking Economy's practice of entrusting consensus will indeed weaken the security of POS.
Therefore, my personal perception of Staking Economy is not positive. At the same time, many POS projects are also aware of the safety implications of Staking Economy, so they will regulate the relevant institutions, such as requiring certain currency holdings. the amount. But in any case, just like the POW mine pool, the POS Staking Economy is unavoidable, but if the agency is a large holder, then the attack cost will only change from 50%. It becomes a smaller proportion, such as 10%, but it is never like POW, it is a level of 1/100,000.
Above, we have shown that the cost of a 50% attack in a POS is high – then on the other hand, if such a high cost is spent, can an attacker make a profit? The answer is that there is almost no possibility, because you have to find a big deal that is willing to make such a big deal with you – it is almost impossible for an exchange to pay for such a big deal. So the only possibility is that you find two big heads that don't understand virtual currency, and then carry out a real "off-line payment" off-site…
But if there is such a person, it seems that we have a much simpler way to fool them.
However, this is not enough to explain the security advantages of POS for POW, because we only said that the 51% attack applied in POW cannot be copied to POS, but the POS itself will be attacked by two other attacks that do not exist in POW. Threats: Long range attack and Nothing-at-stake attack.
Let's analyze the two attacks separately.
Long-distance attack analysis of POS
The concept of a long-range attack is that a node with no more than 50% of the equity can generate a longer chain in some way, replacing the current longest chain – the so-called "some method" usually takes a long time. time. It involves an important difference between POW and POS – POW actually can not only generate random numbers, but also can generate a random number in an asynchronous system at regular intervals. This property is not available in POS, so POS must be introduced. The concept of certain time. However, this gives the malicious node an opportunity to take advantage of, because the honest node gets the block right is time-limited, while the malicious node does not.
This point itself, in fact, should not belong to our discussion, because we want to compare the nature of POW and POS, and this problem is not the essential flaw of POS. In other words, POS can be done in some way, for example VDF, to solve this problem. However, in view of the fact that the algorithm for solving this problem with VDF is still immature, and I personally think that the current solution is completely sufficient, I will talk about this in detail here.
There are currently three known long-range attack methods:
1. Posterior Corruption Attack : When former equity holders sell their rights, they are no longer constrained by the depreciation of the currency they hold, however, if more than 50% of the early holders sell If you lose your hand, the attacker can buy them and regenerate a history in which they have not sold their rights, and then it is possible to create a longer chain.
2. Stake Bleeding Attack : Less than 50% of the nodes can conduct long-chain attacks in a very simple way by "hiding a chain of their own chains", because in their own chains, because of the block Only their own nodes, so they will always get mining rewards. Although the chains they generated at the beginning must be shorter than the outer chains, as long as they are kept long enough, their rights will eventually exceed 50%, and slowly get faster out of the chain than the outer chain.
3. Stake Grinding Attack : This type of attack has different forms in different POSs, but in general, nodes with less than 50% of the benefits can take advantage of their own power, or they can Feel free to change the advantage of block timestamps, get more out of the box than honest nodes, and then use this advantage to generate a longer chain than honest nodes over a longer period of time.
The usual response to these three types of attacks is Checkpoint, which means that a block that has been authenticated by some nodes needs to be generated for a period of time to ensure that the chain before this block will not be changed.
"If you can accept the download client, why can't you download the checkpoint?"
For many more idealistic blockchain proponents, the checkpoint mechanism is a less "elegant" expedient because it commits several sins that blockchain supporters cannot accept:
1. In an ideal blockchain, no one needs to believe that anything other than algorithms and creation blocks can independently verify the legitimacy of any transaction. However, checkpoints are equivalent to introducing an additional thing that requires trust. Even if this checkpoint is signed by all the holders, this is theoretically unacceptable, because for the nodes joining the system, they need to trust the former holders;
2. The checkpoint needs to introduce a signature, and the signature will destroy the anonymity.
As for the issue of anonymity, we will also discuss it in depth later. Here we will first talk about the first question.
Here I want to explain my point of view on the mechanism of checkpoints – from a realistic point of view, is this really unacceptable?
To be honest, if you are a node that has just entered the network – downloading the creation blocks and algorithms, and downloading and downloading the creation blocks, algorithms and history, what is the essential difference? The latter is nothing more than a possibility that a malicious node can forge a history through a long-chain attack, so even if you know the correct algorithm and the creation block, you actually don't get the real chain.
But the question is, for the average user, how do you know that the client you downloaded is using the correct algorithm? Although in theory we only need to trust the algorithm. But in fact, whether it is reality or the future, I have reason to believe that no one will do the algorithm from scratch – in fact, everyone still needs to trust some trusted nodes to provide a secure client, also It's the software, and no one will open the code to see if the software matches the paper.
Well, we assume that we need to rely on trusted nodes to get the history of the block, which is not a sinister thing.
"The out-of-chain consensus is objective."
Then, there is a second problem – indeed, long-range attacks are possible, just as 51% of attacks are possible, we should not only consider the theoretical possibility of this attack, but also discuss it in practice. conditions of.
When we demonstrated the danger of 51% attack on POW in the first place, we first analyzed its theoretical possibility, and then analyzed the conditions of its attack in reality, and found that in fact, in theory or in fact, The conditions are much lower than the public perception, so I came to the conclusion that POW has security risks.
Then, we also analyze the conditions that the above long-range attacks are effective in reality.
First, whether it is an equity smuggling attack or an equity smash attack, the probability of success depends on the proportion of equity you have. In other words, although the attacker does not have more than 50% of the equity, it is not possible to generate a longer chain normally, but if they own, for example, 40% of the equity, then they can use the above two means, and a comparison Long time to attack long distances.
So, everyone has seen that this kind of attack is not practical – when the rights of malicious nodes are relatively small, they will not be realistic when they launch a long-range attack. If they have more rights, they have no reason to attack the system. The cost of attacking the system is not much lower than the 50% equity. This is the advantage of POS itself.
The only troublesome long-range attack is the “forward corruption attack” and, in particular, the case where the former holders themselves are attackers. Because if these attackers themselves have not thought of attacking, they can only be bought by a person who has bought the currency and can be solved by something called Key-Evolving Signature. Therefore, they must start preparing for the attack from the time they hold the currency, that is, secretly start to hide a chain.
This is actually equivalent to a long-term 51% attack, that is, the former big equity owner (more than 50%) while hiding a chain, while slowly selling the rights, after the equity is sold out, the private The Tibetan chain tells everyone: "My Hu Hansan is back, you ate me and spit it out!"
However, my consistent view of the core role of the blockchain is that the meaning of blockchain is to replace “human consensus” with “machine consensus”, but at this stage, some “people’s consensus” is ours. If you can't explain it now, you can't replace it. At this time, it is impractical and meaningless to blindly pretend that this "out-of-chain consensus" does not exist and rudely wants to use an algorithm to achieve absolute security without abandoning all-chain consensus.
So, I agree with Professor Elaine Shi of Cornell University on this issue—in fact, if this happens, something that is called “social common knowledge” will naturally correct it. it. To put it more simply, for any POS chain, suppose its early equity owner suddenly comes back with a longer chain one day. For the current owner, say: Give me your money, now the equity is all Even, say, don't say the current owner of the rights, probably all the stakeholders in this chain will create a new rule with the enemy to not recognize the legitimacy of the chain, even if it is algorithmically this chain is indeed more "legitimate".
So, what is the difference between a chain that is not accepted by most of the chain users and a newly created chain of forks? Or, after a few upgrades in Ethereum, can a chain that is legal according to the original rules, such as ETC, count as a long-range attack?
Therefore, in the final analysis, the so-called "social consensus" is objectively present both now and in the future we can see. Therefore, whether it is such a long-range attack or other long-range attacks, even if there is a theory The possibility is actually, as long as it still takes a long time to carry out, such as months or years, then its threat is actually very limited.
Then, whether it is the introduction of checkpoints, or the introduction of a “committee list”, or the introduction of “social consensus”, it is actually introducing a hypothesis that “some credible extra-existing information exists”. In my opinion, in reality, whether it is the present or the future, this is not a problem for the security of POS.
POS non-interest attack analysis
The real problem is that there is no interest attack.
POS has no solution for non-interest attacks, which is the same in any POS, because according to the principle of POS, it is very low for the nodes that have no interest or little interest in this system.
In an extreme situation, for example, the benefits of 100 million node owners in the entire system are very small, then any POS algorithm is not safe, because the loss of profits caused by malicious node behavior is too small, so we have no reason to think that 50% The above nodes are honest. On the contrary, if they can benefit from malicious behavior, according to the Tragedy of the Commons, they will certainly do evil.
The punishment mechanism does not solve this problem, because the punishment must be equal to the benefit, and in such a system where all nodes have little interest, the punishment must be neglected, or the punishment is too high, so no one is willing to enter this. system.
Therefore, almost all POSs need to introduce an additional access mechanism—either through collateral or a threshold for holding money. All participating nodes must ensure that they have enough rights to care for them and constrain their behavior.
This is not the same in the POW, because no matter how much your computing power in the POW, your lost electricity bill can't escape. And, because the only way you can benefit is to double pay—so, when your computing power is no more than 50%, it is strictly uneconomical to do evil.
In other words, in fact, for POW, the behavior of small miners (miners who have a small chance of dig into the block) will be severely punished because it is almost impossible to return while wasting the power; Miners (miners who have a high chance of dig into the block) may benefit from their evil behavior, because the benefits of their combined 50% attack can far exceed the cost.
However, for POS, the punishment of the small miners’ behavior is very slight. Therefore, as long as evil can benefit, they have the motivation to do evil; however, POS’s punishment for the work of large mines is extremely serious, because the bigger miners represent them. The more equity, the greater the damage caused by malicious behavior.
These two points are the fundamental difference between POW and POS.
If we compare the pros and cons of the two, we can clearly see:
- In a more distributed and more averaging system of computing power, POW is more appropriate.
- In a system where computing power (equity) is more concentrated and more unequal, POS is more appropriate.
We have compared the security issues of POW and POS, and have come to some conclusions – but unfortunately, in an unlicensed public chain environment, in fact, POW and POS will eventually tend to be a computing power ( Equity) A system that is more concentrated, more centralized, and more unequal.