Babbitt Column | Why do we need PoS when we have PoW?

Some people think that only PoW can reliably connect the value of the real world and the virtual world, that PoS distributes coins unfairly and is destined to produce monopolies, and so on. There is also a blunter view: all PoS chains are scams. These arguments can neither be proven nor falsified. I think PoS has some properties that PoW does not have, and those properties are very important for at least some crypto protocol applications. This article tries to describe those characteristics of PoS in non-technical language.

The PoW and PoS we usually speak of refer to Nakamoto consensus based on proof of work and BFT consensus based on proof of stake; below they are simply called PoW and PoS. A consensus protocol is designed not to distribute coins fairly but to keep the blockchain network secure. The blockchains discussed in this article are public chains; consortium chains and private chains are excluded. What is blockchain network security? The question looks basic but is actually quite complicated. The reverse is much easier to explain: what is an insecure blockchain? Or, what kinds of security incidents can happen to a blockchain, and what are the consequences when they do?

Blockchain is a distributed ledger technology, a machine for producing trust. Its data structures and network protocols are designed so that the ledger can be kept securely and verifiably without central coordination, in a Byzantine environment where the network is unreliable and the participating nodes are unreliable. One could say that a blockchain is naturally safer than other kinds of network architecture. Setting software defects aside, only two kinds of security incident can occur on a blockchain: one is a DDoS (distributed denial of service) attack, the other is a double-spend attack. A DDoS attack disrupts the network so that all or part of it cannot work properly, but the disruption itself brings no direct profit. For traditional networks the profit model of DDoS is extortion or payment for hire: either someone pays a hacker to take down a competitor or a network they dislike, or the attacker first causes chaos, then demands money from the operator, and keeps causing trouble until paid. A blockchain is a decentralized network, so an extortionist does not know whom to ask for money. Moreover, a blockchain is a distributed, self-organizing network; if it is large and well designed, taking it down is difficult and costly. Blockchain security should therefore consider DDoS attacks, but they are not the focus.

The focus is the double-spend attack, which is the real threat to a blockchain network. Literally, a double spend is one sum of money spent twice. How can the same money be spent twice? The successful double-spend attacks that have occurred went as follows:

  1. Transfer coins into an exchange;
  2. Sell the coins and withdraw the money;
  3. Launch an attack that forks the blockchain; the new chain does not include the first round's deposit transaction, so the coins effectively return to the attacker's address.

A double-spend attack requires careful advance preparation; it is not done on a whim. Moreover, forking the blockchain is costly, because the fork has to start from a block some time in the past. For PoW this takes hash power: you have to mine the forked chain until it becomes the longest chain and is accepted by the other nodes. A successful double-spend is one where the gain exceeds the cost and the attacker profits. If the attack drags on and the cost of buying hash power exceeds the double-spend proceeds, it is merely a nuisance. Hence a double-spend attack is not easy to carry out, and there are not many successful cases.

Two points about the successful double-spend attacks in blockchain history deserve particular attention. First, it is PoW chains that have been successfully attacked. I hope those who say every day that PoS is unsafe note the fact that no PoS chain has been double-spent, not even an early, immature one. This does not mean a PoS chain cannot be attacked; rather, attacking a PoS chain is not profitable, which I will come to later. Research on PoS attack modes is therefore theoretical, and nobody is doing it in a real environment. Second, the effect of a double-spend attack on the coin price. Many people probably thought as I did: a double-spend proves the chain is unsafe, so the price is sure to plummet. Reality is otherwise. Look at ETC, Bitcoin Gold and Verge after their double-spend attacks: the price fell only a little. Why? Because the party that loses in a double spend is the exchange; in effect, the attacker defrauded the exchange of coins that belonged to it. Most holders think: what has that got to do with me? The coins in my hand are neither diluted nor reduced. The exchange has earned so much money, let it bleed a little. So if a coin you hold suffers a double-spend attack, don't assume the sky is falling and run immediately. But be careful: don't run right away, wait for the storm to pass, and then you should still run. Why? Because the security of crypto assets is the most important capability of a blockchain. This time it was someone else who was unlucky; next time it may be me. So once a blockchain is labelled unsafe, it basically begins a slow slide to zero, unless it can prove the security problem has been solved, which is very difficult. You can check how the market-cap rankings of ETC, Bitcoin Gold and Verge changed after they were attacked.
Because price changes are tied to the overall market, the market-cap ranking better reflects a chain's position within the industry.

The above described an unsafe blockchain. Bitcoin is very secure, everyone agrees, but Bitcoin's security does not represent PoW's security. Next time you hear someone say PoW is safer than PoS, you can refute them with facts. Why are some PoW chains safe and others not? Because the premise of PoW chain security is: the block reward is higher than the cost of renting 51% of the hash power for the same period. (Strictly it should be block reward plus transaction fees, but fees are usually two orders of magnitude lower than the block reward, so they are ignored here and below.) The premise is short, but the actual situation is complicated and has to be explained case by case. The first distinction is mining with general-purpose computers versus dedicated mining machines. Mining with general-purpose computers is theoretically unsafe. Why? Because the general-purpose computers mining the cryptocurrency are only a small part of all the computers on the Internet. If a botnet controlled by an attacker (equivalent to renting a large number of general-purpose computers at very low cost) has more computing power than the honest mining network, a double-spend attack can be launched.

A dedicated mining machine has a particular hash algorithm, such as SHA256, burned into its hardware, and it can mine any chain that uses that algorithm. Among the chains sharing the same type of mining machine, the chain with the largest share of the hash power is the safest, and how hash power is distributed is determined by the size of the block rewards. Suppose the three chains BTC/BCH/BSV provide block rewards of 100 yuan, 3 yuan and 2 yuan per hour; then hash power will be distributed in the ratio 100:3:2. If it is profitable, an attacker can rent a small portion of the total hash power to attack BSV, but renting the majority of the hash power to attack BTC is very difficult.

Two questions arise here. First, why rent hash power; couldn't miners attack directly? Generally not. A miner or mining farm carrying out a double-spend attack might profit on that one attack, but the chain would then be unsafe, the coin would depreciate, and the corresponding mining machines would depreciate too. So those who own large numbers of dedicated mining machines will not attack the chain, or at least will not attack the chain with the largest block reward. Second, in most cases mining is profitable, so rental costs are high and the attack does not pay. The exception is when the coin price has crashed: hash power expanded too much beforehand and a large number of mining machines sit idle. Then the rental price of a mining machine is only slightly above its operating cost, that is, the electricity bill, and chains with low block rewards are in great danger. Based on the above, the security premise of PoW can be roughly restated as: mined by dedicated mining machines, and holding the largest share of that hash power.

[Figure 1]

Nic Carter, a well-known cryptocurrency researcher, uses the diagram above to illustrate this: chain A accounts for a small share of the hash power of its algorithm type, while chain B accounts for a large share. Although the absolute hash power (i.e. the hash rate) of chain A is higher than that of chain B, chain B is safer than chain A.
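The following is an added example, not code from the article or from Nic Carter, that puts the PoW security premise above into a small model. It assumes hash power splits in proportion to hourly block rewards (the article's 100:3:2 figures), that rented hash power costs what it would honestly earn times a rent multiplier that falls towards the electricity-only level when machines sit idle after a price crash, and that only a fixed fraction of the algorithm's total hash power is actually for rent; all of those are assumptions, not facts from the article.

```python
# Added example (not from the article): PoW attack feasibility for chains
# that share one ASIC algorithm. Money units are the article's yuan/hour.

# Article's illustrative hourly block rewards for three SHA256 chains.
REWARDS_PER_HOUR = {"BTC": 100.0, "BCH": 3.0, "BSV": 2.0}

# To hold 51% of the post-attack total, the attacker must rent
# 0.51/0.49 times the chain's honest hash power.
ATTACKER_TO_HONEST = 0.51 / 0.49


def hash_share(rewards):
    """Fraction of the algorithm's total hash power each chain attracts.

    Assumption: miners follow reward, so shares are proportional to rewards.
    """
    total = sum(rewards.values())
    return {chain: r / total for chain, r in rewards.items()}


def attack_cost(rewards, target, hours, rent_multiplier=1.0):
    """Rental cost of 51% of the target chain's hash power for `hours`.

    Hash power equal to the chain's honest hash power earns rewards[target]
    per hour, so that is its opportunity cost; rent_multiplier is 1.0 in a
    normal market and closer to the electricity-only level (e.g. 0.3, an
    assumed value) when idle machines are dumped on the rental market.
    """
    return ATTACKER_TO_HONEST * rewards[target] * hours * rent_multiplier


def assess(rewards, target, hours, double_spend_value,
           rentable_fraction=0.10, rent_multiplier=1.0):
    """Return (feasible, profitable, cost) for a double-spend on `target`.

    feasible: the hash power needed is within the fraction of the algorithm's
    total hash power available for rent (assumed 10% of the pool).
    profitable: feasible and the double-spend value exceeds the rental cost.
    """
    needed = ATTACKER_TO_HONEST * hash_share(rewards)[target]
    feasible = needed <= rentable_fraction
    cost = attack_cost(rewards, target, hours, rent_multiplier)
    return feasible, feasible and double_spend_value > cost, cost


if __name__ == "__main__":
    for chain in REWARDS_PER_HOUR:
        print(chain, assess(REWARDS_PER_HOUR, chain, hours=6,
                            double_spend_value=100.0))
    # Same attack on BSV after a price crash: rent drops, attack becomes cheaper.
    print("BSV (crash)", assess(REWARDS_PER_HOUR, "BSV", 6, 10.0,
                               rent_multiplier=0.3))
```
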

Now we can return to the topic: why is PoS needed? A prior question is whether there is any need for chains other than BTC. Bitcoin maximalists believe bitcoin is the only useful cryptocurrency and that all other blockchains, Ethereum included, are worthless. If you agree with that view, PoS is of course unnecessary. Others (including me) believe that decentralized crypto protocols define efficient markets and can reduce transaction costs, and that the world needs many crypto protocols and many blockchains.

When a new blockchain launches with PoW, it runs into the cold-start difficulty. Not only new PoW chains: bitcoin itself had a cold-start problem. The coin was worth nothing, so nobody mined, so the network was unsafe, and because the network was unsafe the coin could not appreciate. For three years after bitcoin's launch the price was low, the network was fragile, and few people paid attention. Since mining revenue = market cap × issuance rate, a PoW coin needs a high market cap and issuance rate to attract mining machine manufacturers to design ASICs (a one-off high cost) and miners to buy machines in bulk. This is the chicken-and-egg cold-start problem: a new network is unsafe, so it has few applications; a high issuance rate makes it a poor store of value, so the market cap is hard to grow; a low market cap means low mining revenue, so hash power cannot grow.

Designing a new PoW chain means choosing a hash algorithm. If you choose one that already has dedicated mining machines, then in the early period the coin price is low and the chain is unsafe. If you choose one without dedicated machines, there will be a period of general-purpose hardware mining, during which the network is unsafe. When I say difficulty, I don't mean it is infeasible. Take Nervos: the team has a good reputation and made many innovations, so when the mainnet launched, CKB had a relatively high market cap and the block reward was high enough to attract a lot of hash power. Nervos designed a unique hash algorithm, and because of the high block rewards, dedicated mining machines may soon appear, which the Nervos community is happy to see: since the algorithm is new, the new machines can only mine CKB, which greatly improves the network's security. However, Nervos should be considered a special case, and its launch process shows precisely how hard it is for a new chain to adopt PoW. It is hard to imagine more than a dozen, dozens, or even more PoW chains completing this bootstrap in the next few years.

A PoS chain can be safe even in its early days. To double-spend on a PoS chain you must control at least 1/3 of the staked coins. Anyone holding that many coins is among the largest holders in the world; a double-spend attack would make the price fall, and the biggest loser would be the attacker. This is the same logic by which the largest miners do not attack bitcoin. Could the attacker sell the double-spent coins twice and quickly cash out? Let's look at an example:

[Figure 2]

Suppose a PoS chain with a total market cap of only $10 million and a very low staking ratio of only 30%. Compared with a PoS chain with a market cap in the tens of millions of dollars and a staking ratio of 50% or more, it is obviously easier to attack. The attacker has the conditions ready: he controls 1/3 of the stake (10% of total supply) and also holds another 10% of total supply in circulation. He first transfers the 10% circulating coins to exchange 1, sells them and withdraws the money. Then he launches the attack to reverse the deposit transaction. To avoid bearing the loss from the price damage the attack causes, he quickly deposits the 10% that is now back in his address to exchange 2, sells again and withdraws. If the price does not fall throughout the process, the attacker's cost (the 10% stake is slashed) and proceeds (the 10% circulating coins sold twice) are exactly equal. This is the most favorable situation for the attacker, and it is impossible in the real world, because the attacker's selling is limited by market liquidity. Never mind the impact of the first 10% on the price: a professional security firm would detect the BFT chain forking and issue a warning within a few minutes. It is impossible for the attacker to sell the second 10% without attracting the exchange's attention and without moving the price.
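Here is an added example, not code from the article, that carries the attacker's arithmetic above through with the article's figures ($10M market cap, 30% staked, 1/3 of stake plus 10% liquid). The linear price-impact model (each 1% of supply sold lowers the price by `impact_per_pct`) and the option of exchange 2 freezing the second deposit are assumptions for illustration, not market facts.

```python
# Added example (not from the article): PoS double-spend profit and loss.
# All amounts in USD; price is normalised to 1.0 at the start.


def double_spend_pnl(market_cap, staking_ratio, liquid_frac=0.10,
                     impact_per_pct=0.0, second_sale_blocked=False):
    """Attacker's net outcome relative to simply holding at the start price.

    The attacker controls 1/3 of the stake (the minimum needed to fork a BFT
    chain) plus liquid_frac of supply held unstaked.
    Step 1: sell the liquid coins on exchange 1 and withdraw.
    Step 2: fork to revert the deposit; the whole stake is slashed.
    Step 3: sell the returned coins on exchange 2, unless it has been warned
            and freezes the deposit (assumed: frozen coins are worth 0).
    Returns a dict with the slashed amount, total proceeds and the net result.
    """
    stake_frac = staking_ratio / 3                 # 0.3 / 3 = 10% of supply
    initial_wealth = (stake_frac + liquid_frac) * market_cap

    def sell(frac, price):
        # Assumed linear impact: each 1% of supply dumped lowers the price.
        new_price = max(0.0, price - impact_per_pct * frac * 100)
        proceeds = frac * market_cap * (price + new_price) / 2  # avg fill
        return proceeds, new_price

    price = 1.0
    proceeds1, price = sell(liquid_frac, price)    # sale on exchange 1
    slashed = stake_frac * market_cap              # cost of forking the chain
    if second_sale_blocked:
        proceeds2 = 0.0                            # exchange 2 froze the coins
    else:
        proceeds2, price = sell(liquid_frac, price)  # sale on exchange 2
    net = proceeds1 + proceeds2 - initial_wealth
    return {"slashed": slashed, "proceeds": proceeds1 + proceeds2, "net": net}


if __name__ == "__main__":
    cap, ratio = 10_000_000, 0.30                  # the article's figures
    print("no price impact:", double_spend_pnl(cap, ratio))
    print("2% impact per 1% sold:", double_spend_pnl(cap, ratio, impact_per_pct=0.02))
    print("second sale frozen:", double_spend_pnl(cap, ratio, impact_per_pct=0.02,
                                                  second_sale_blocked=True))
```
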

Therefore a PoS chain, regardless of the coin's value, is safe as long as the software has no defects. To be clear, software defects have nothing to do with the protocol itself; they are implementation problems. Still, it is undeniable that the new generation of PoS chains has been live for only a short time and may contain hidden defects; verifying their security takes time.

Besides safe bootstrapping, PoS has another advantage over PoW: fast finality. Finality means a block will not be abandoned by the chain and become an orphan block. A PoW chain has only probabilistic finality: a newly produced block is not reliable and may be discarded (reorganized). As more blocks are added after it (as its depth increases), the chance of it being abandoned gets lower and lower; once the depth reaches a certain number, the user can be confident the block will not be abandoned and its transactions will not be reversed. BFT consensus based on PoS usually has fast finality: a block is final as soon as it is produced and valid (for hybrid consensus that separates block production from finalization, this refers to the finalized block). If a final block is reversed, something big has happened, and 1/3 of the staked coins are slashed by the system. To compare fast finality with probabilistic finality you need a dimension on which they can be compared. It is like pears and apples: some people like pears, some like apples, and comparing their taste will not convince everyone. Comparing price is easier: in a given market, which one is cheaper is clear.

Nic Carter again: "It's the settlement assurances, stupid". That article was originally a comparison among PoW chains, but the concept of settlement guarantee he proposes applies equally well to comparing PoW and PoS chains.

[Figure 3]

As the figure above shows, the settlement guarantee of PoW is stepped: with each additional block, the settlement guarantee for the block (all of its transactions) grows by one block reward. At the current BTC price of $8,000, each block rewards 12.5 BTC, about $100,000; bitcoin produces a block every 10 minutes on average, so the settlement guarantee grows by $100,000 every 10 minutes. Roughly speaking, a PoS chain's settlement guarantee can be considered constant over time. Take a PoS chain with a market cap of $10 million and a staking ratio of 30%, using a BFT protocol with finality (such as Tendermint). As soon as a transaction is included in a valid block, it receives a settlement guarantee of 10 million × 30% × 1/3 = $1 million. Obtaining a quantifiable settlement guarantee quickly matters for many crypto protocol applications, and that is the second reason I think PoS is necessary. In addition, PoS makes efficient community governance of a crypto protocol possible; for an analysis of this, see "Improving Crypto Protocol Governance".
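The following added example, not code from the article or from Nic Carter, puts the stepped PoW guarantee and the flat PoS guarantee side by side using the article's figures (BTC at $8,000, 12.5 BTC per 10-minute block; PoS chain with $10M market cap and 30% staked). Reading "guarantee covers the transaction" as "guarantee is at least the transaction value" is an assumption used to derive a confirmation count.

```python
# Added example (not from the article): settlement guarantee over time for a
# PoW chain (one block reward per confirmation) versus a finalised PoS chain
# (1/3 of the stake, slashed if finality is reverted). Amounts in USD.

from math import ceil

BTC_PRICE_USD = 8_000            # article's figure
BTC_BLOCK_REWARD = 12.5          # BTC per block, article's figure
BTC_BLOCK_MINUTES = 10           # average block interval


def pow_guarantee(blocks, price=BTC_PRICE_USD, reward=BTC_BLOCK_REWARD):
    """Guarantee after `blocks` confirmations: it steps up one reward per block."""
    return blocks * reward * price


def pos_guarantee(market_cap, staking_ratio):
    """Flat guarantee from the moment of finality: the slashable 1/3 of stake."""
    return market_cap * staking_ratio / 3


def confirmations_needed(tx_value, price=BTC_PRICE_USD, reward=BTC_BLOCK_REWARD):
    """PoW confirmations until the guarantee is at least tx_value (assumed rule)."""
    return ceil(tx_value / (reward * price))


def minutes_to_match(market_cap, staking_ratio):
    """Minutes of PoW confirmations needed to reach the PoS chain's guarantee."""
    return confirmations_needed(pos_guarantee(market_cap, staking_ratio)) * BTC_BLOCK_MINUTES


def settlement_timeline(market_cap, staking_ratio, blocks):
    """Rows of (minutes elapsed, PoW guarantee, PoS guarantee) for 0..blocks."""
    pos = pos_guarantee(market_cap, staking_ratio)
    return [(b * BTC_BLOCK_MINUTES, pow_guarantee(b), pos) for b in range(blocks + 1)]


if __name__ == "__main__":
    cap, ratio = 10_000_000, 0.30
    for minutes, pow_g, pos_g in settlement_timeline(cap, ratio, 12):
        print(f"t={minutes:4d} min  PoW ${pow_g:>12,.0f}  PoS ${pos_g:>12,.0f}")
    print("PoW needs", minutes_to_match(cap, ratio), "minutes to match the PoS guarantee")
```
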