The real difference between PoW and PoS: the quality of the decision determines who is better suited to build the currency

This article is based on the invitation of Li Yang@Orange Book. The origin is the debate on the length of PoW and PoS in the WeChat group “New Economist” organized by Orange Book.

This article also thanks Jan@Nervos and Henry-civilian @dForce, both of whom provided a beautiful and in-depth argument for their respective positions. The author also got a lot of inspiration from their argument.

Finally, another purpose of this article is to express a respect for a philosopher who invented a prototype that we can keep talking about, and the more we talk to it, the more we understand the ingenuity of the prototype. The so-called "big and dirty", the need to be extremely simple and systematic thinking, and he can be regarded as the "master" title.

I. Introduction

In the first half of May 2019, the theme of the “New Economist” debate was the short length of PoW (Proof of Work) and PoS (Proof of Stake). But in my opinion, the discussion in the WeChat group is difficult to focus on, so everyone is actually discussing two different issues: (1) the technical limitations of PoS (PoW), that is, whether they can achieve a certain technology (2) The health of the PoS (PoW) system, such as whether it will form a concentration of the holder/miner/equipment manufacturer in the political or income class, and whether this concentration will occur. It has an adverse effect, although there is no consistent definition of what is “healthy” or “bad”.

On the previous question, I think the best argument is provided by Jan. He pointed out that participating in the PoW system is completely permission-less (this "participation" means "out of the box"), and you can purchase a miner/formation pool to participate in the PoW system without having to apply to anyone; the PoS system is for security. Sacrifice this exemption: if someone wants to join the system as a verifier, he must first pledge, and the pledge as a transaction must be packaged to be effective, which means that he has to at least get some of the existing verifiers. Agree to become a verifier (blocker). (This makes sense. The easiest way for PoS to solve the “Nothing-at-Stake” problem is to arrange a “pledge-penalty” system, and the funds entering the equity pool must be confirmed by trading on the chain).

On the latter issue, the best argument is provided by the people. He pointed out that for the purpose of diversifying risks, large holders of coins will not hold the coins in their hands. When the price of the currency rises, the proportion of such assets in the total assets of the holder will also increase. This process is also a process of increasing risk, so the holders will tend to sell their own coins, thus focusing on wealth. The fear is unnecessary.

As far as the latter is concerned, many problems I think are almost impossible to study/compare. For example, there is a concentration of coins in PoS, but is there no difference in the size of mines in PoW? Say PoS has no money to participate, but is it not necessary to pay for the mining machine in PoW? As for the size of the concentration, although I don't think that this kind of statistics has much meaning at a certain moment, it is better to take statistics. No one can propose an optimal distribution, so how to compare Is it even better on average?

A round of laps you will find that although it is not acceptable to discuss the former without discussing the latter, in the former discussion we have a clearer way to rely on, and only the one that Jan said is the most accurate.

In the process of discussing with the people, I found that the difference between PoW and PoS is not in common in the general way: because both methods are “Sybil Control Mechanism” (Witch attack is a single participant) Unrestricted access to system resources), both methods must require participants to invest money (otherwise it is impossible to achieve the purpose of resisting witches), both ways can complete the currency distribution (miners want to sell coins, the verifier must also Selling coins), both ways may form a certain degree of concentration (just as some regions have lower electricity prices, there must be some regions or certain groups of people with lower capital costs). More importantly, from a very abstract point of view, both systems are supported by the purchase of participants in currency issuance, PoW is issued to miners, and PoS is issued to the verifier. These angles can only compare the difference between the quantities, and it is impossible to compare the qualitative differences.

These questions forced me to choose another path, and I started thinking about a question: Which of PoW and PoS is more suitable for building currency? What is the core of Moneyness?

2. Why is there money?

Why is there money? Why are scarce items like diamonds not becoming money? Is oil a good currency?

In the transaction behavior, both parties to the transaction are inevitably judged the cost of the goods or services provided by the opponent, and the transaction costs paid in the process of judging the quality of the goods are called “criminal fees”. The size and frequency of transactions are of course subject to the transaction costs as a whole ("information fees", "contracting fees", "judgment costs"), but as long as we focus on the following scenarios, the problem will change. Be clearer: When people have decided to trade with each other, why is it better to have something that both parties accept? What are the conditions for this kind of goods (or why is a certain product more suitable for this condition than other goods)?

Soon you will realize that this is basically irrelevant to the “contracting fee”. The use of a certain commodity (“currency”) that you like each other does not change the contracting fee; the relationship with the “information fee” is not so close because After forming a large-scale market, the currency as a commodity, its information cost (the cost of discovering the market price) may not be too different from other commodities. Therefore, the key lies in the “cost of judgment”. That is, if both parties exchange goods, both parties must pay a lot of cost to determine the quality of the things given by the opponent. Sometimes the quality test is consumable (such as testing the quality of oil), but there may be some kind of goods. The quality change is small and it is easy to check the quality, so you can easily trade this kind of thing, at least one of them does not have to pay so much for the cost of judgment. Because the quality of different products is different, the advantages of being suitable for currency are also different.

There have been countless kinds of currencies in human history: gold, silver, stone, even cigarettes and eggs; but all of these currencies have a clear characteristic in the corresponding society: under certain technological conditions, their judgment costs are the lowest, Gold and silver have only one dimension of purity, and the inspection cost is very low, melting can be; American-made cigarettes are standardized products, so in Germany after a war was used as a currency by the private sector.

Therefore, judging the strength of Moneyness is tantamount to determining the cost of the judgment. The lower the cost of judgment, the more suitable it is for currency.

This is the insight of the master of property rights economics, Alchin. (In other words, the descendants of this monetary theory are rare, and even Mr. Zhang Wuchang, the acquaintance of Alchin, has more inherited the concept of Fisher's currency basket, but did not take the views of Alchin.)

Ok, I understand the truth. What does this have to do with PoW and PoS?

The real difference between PoW and PoS

What is the quality of the cryptocurrency?

The cryptocurrency currency is not a metal, there is no physical entity, so there is no concept of “purity”. However, because of the open book attribute of the blockchain, UTXO has a concept of “cleanliness” – some bitcoins have flowed into the black market. Some people may mind.

But in fact, this difference is extremely small and does not constitute an important consideration at all. The real quality is actually "book security." It is also a pure number stored on countless computers across the network, but there is still a difference between "different books" between different numbers.

Not finished yet. As mentioned above, the focus is not on quality (90% of gold and 95% of gold are only the difference in market prices), but the level of quality of judgment (the cost of gold is lower than that of diamonds). Therefore, it is not the level of security that determines which distributed ledgers are suitable for carrying money, but the cost of determining the security of the books determines their Moneyness.

In PoW, the work of determining the security of the ledger is extremely simple, verifying the block hash and checking the difficulty requirements of the whole network; although the difficulty requirement cannot directly reflect how difficult it is to rewrite the account book, it directly shows how many times it needs to be presented. Hash calculation.

In PoS, at least as far as I know, there is no way to verify the security of the books so easily:

(1) In the non-pledge PoS system, the check of the validity of the outbound block depends on the state data, because only the state data can tell you which address has any money in which address, whether the TA can be out of the block, but every time One block will have more state data; in the worst case, this difficulty can make PoS completely lose the role of witches (the attacker can attack the node with a high-altitude fork chain without any cost);

(2) In the pledged PoS system, the block-out process is completed by the verifier through "initiation-pre-investment-voting (signature)", and one step in verifying the security of the account is to verify the signature of the verifier. Moreover, regardless of the aggregation signature, the amount of computation required for verification is hard to come down.

The point is, even if the check is simple, you can't directly see how safe these nodes are. You only know that these 80 nodes are signed, and that's it.

(The empirical research on the verification performance of different schemes should be the research topic of cryptographers. I have not studied it, can't make a conclusion)

In summary, I think that the real difference between PoW and PoS (and "bad PoW") is not whether they provide security, but whether it provides security and makes it easy to verify security. Objectively speaking, I am comparing the PoS system I have seen here. I can't deductively derive PoW. It must be better than PoS. It can only prove that some PoWs are better than some PoS, but I can get there. I am also satisfied, and I am not willing to discuss solutions that do not exist yet.

Next I want to discuss another concept.

4. "Calculation – verifying asymmetry"

“Computation-verification asymmetry” refers to finding a specific solution in a certain type of mathematical problem, and verifying whether the solution is a solution or not, and the amount of calculation required is not the same. I am talking about the type of asymmetry that is "difficult to calculate and easy to verify."

For example, if the mathematical problem is 3X = 9, the process of solving this X is exactly the same as verifying that the solution (X = 3) is the correct solution. In this case, the calculation and verification are completely symmetrical. .

However, if it is a Sudoku puzzle (9 9 grids form a large grid, requiring 1-9 in each row, column, and 9 squares), you must calculate a solution to the Sudoku puzzle. It takes a lot of work, but it is extremely simple to verify, which is asymmetrical.

Of course, there are still problems where verification is extremely simple, but computational solving is nearly impossible, such as deriving a private key with a public key on an elliptic curve.

(The concepts of "computation" and "validation" also have different meanings in different contexts. A friend who is proficient in cryptography has explained it to me. However, my knowledge is superficial and I can't repeat it, so I will leave it to friends in the community. Interpretation and elucidation)

In distributed ledgers, the importance of “difficult to calculate, easy to verify” is that it determines whether the cost of verification increases as the security of the ledger rises.

In Bitcoin's PoW algorithm, the computation-verification asymmetry is very strong: the cost of verification does not change regardless of the security.

But in the PoS solution we are seeing now (mainly pledged PoS), this is not obvious. Because signatures (giving legitimacy for chunking) is no more difficult (more time consuming) than checking (validating this legitimacy). Conversely, in some algorithms (such as elliptic curve-based signature algorithms), the signature is even more than a signature. It's even harder, it's "easy to calculate, hard to verify"!

In a PoS system that limits the number of certifiers, it can be said that this verification cost is capped, but in a PoS system that does not limit the number of certifiers, the cost of verification increases as the number of certifiers increases, that is, verification Efficiency and the decentralization of the right to block (and even the security of the network itself) have conflicted.

Realizing this, we can understand the wisdom of the master:

As long as the agreement sends money, people always have to invest resources to compete; since this can buy security, then I can pick one and pick which resources to use to provide security; on the other hand, to make a block Always need to verify, or that verification can really constrain the behavior of the blocker, then choose the low cost of verification; finally, since the demand for verification exists for a long time, it is better to think of a way to make the cost of verification always low. This will better accommodate the growth of security.

This "difficult to calculate and easy to verify" attribute is simple to say, and everyone who understands modern cryptography understands it, but it is likely to be the core secret of PoW.

V. Crypto-economics

I have always opposed the prefixing of economics. Although economics has been a social science and has been arguing over research methods for a long time, in my opinion, this kind of debate has already had a result. Usually, certain economics, It's just convenient for communication. Similarly, I don't really like the word "Crypto-economics", but I also think that if the word really makes sense, the ideas I have learned so far are few enough to meet the specifications of the word, because Most of the time, the economics of people discussing Crypto-economics are not very good.

To make sense, the only good thing about cryptoeconomics is to use mature economics to judge what role different components play in a distributed system, and even to assert their pros and cons.

For example, PoW and PoS are anti-witch mechanisms in cryptography (or distributed systems), but from an economic perspective, it is a secure resource and a source of security for the system. Verification, from the perspective of cryptography, is a challenge to the prover, but from the perspective of economics, it becomes a process of judgment. The cost of this process is the cost of judgment. and many more.

Most of the time, technology belongs to technology, economics goes to economics, but when we need to judge the pros and cons of a component in system design, we may need to cross the two. If there is such a thing as cryptography, I believe this will be one of the important implications.

Conclusion

In summary, I think that PoS is feasible as a witch-resistant mechanism, but the consensus algorithm it requires may be more complicated; but if we look at Moneyness, we will find that PoW currency is more cost-effective. Low, and because of some technical attributes, we can believe that it will remain at a relatively low level for a long time; and the PoS system has at least so far, there is no low verification fee comparable to PoW, and even its verification fee will rise.

I hope that the fire of the big debate between PoW and PoS will not burn out!

references:

Friedman, The Scourge of Money

Alchin: Why do you need money?

"false rights" attack on chain structured PoS systems

Understand the BLS signature algorithm

(Finish)

Author: A sword @EthFans

If you are interested in this topic, you can read this again:

"PoW and PoS big debate: Who has real openness? Who can stay away from the end of thermodynamics?