undefined | Better HN

0 pointsmattwilsonn8882y ago0 comments

I ultimately agree - I'll play Devil's advocate a bit:

Such an attack is referred to as a "long range attack" and is 'solved' by 'finality' in Ethereum, the largest running PoS network. Finality basically means a hard checkpoint. I won't make you say it: finality can of course be changed on different forks, and that's the core issue in PoS.

There is probably some utility in adding friction to such corruption, but that the mechanism doesn't ultimately prevent it and really just adds incentives to controlling it.

Attacks on PoS are more convoluted, but there are more of them and more ways to approach them. I fully agree this fact is lost in obfuscation and jargon.

0 comments

4 comments · 1 top-level

nullc2y ago· 3 in thread

One risk in creating cryptosystems is that I think applies very much to these POS systems is that you create something, it gets broken, you revise it, broke, revise it broken, revise it broken, revise it each time adding more complexity... okay no breaks found. Is it now a cryptographically secure system or was it just revised until it was cryptographically secure against review?

That's very much the history of POS systems but it's even worse than that, because as the revisions went they added new conditions to the assumed security model so at the end of the day the security assumptions are very different from where they started. They might be secure but for example a function whose security definition is that whatever the function does it correct is always "secure". :P

There is one prominent POS cryptocurrency (I'll not name it because it's not relevant and naming it will just invoke vicious shills) which has a formal security proof that starts with the assumption that all participants have a network that faithfully delivers all messages without loss and in the same order. It's trivial to have a consensus system that is secure in that model because you don't even need a consensus system in that model: "first transaction out of any competing set wins" is an adequate policy, the network in that case is equivalent to a consensus system. (Maybe the system provides some useful security properties, but its security proof won't tell you anything about them)

In any case we're largely in violent agreement. I think.

While I can agree with your argument that some of the friction in these systems may have practical utility even if it doesn't meet a strong security criteria, the danger that worries me is that people don't actually have a clear mental model for what they do provide or what risks they have. This may lead them to expose themselves in ways that they wouldn't if the properties were better known, and ultimately result in losses greater than the benefits.

Or maybe not: lots of things work fine on fully centralized systems, or works fine even when their security rests on no one bothering to attack. But there is a little pedantic voice inside me that weeps at the obfuscation and misrepresentation.

mattwilsonn888OP2y ago

As trevelyan stated, and for clarification: the protocol described in the OP is not PoS. I think that was assumed, but maybe not clear.

trevelyan2y ago

the irony is that POW is actually more complex here, which is why it is vulnerable to these attacks

trevelyan2y ago

The sybil-proof mechanism here is not POS but a variant of POW.

j / k navigate · click thread line to collapse

0 comments

4 comments · 1 top-level

nullc2y ago· 3 in thread

In any case we're largely in violent agreement. I think.

mattwilsonn888OP2y ago

As trevelyan stated, and for clarification: the protocol described in the OP is not PoS. I think that was assumed, but maybe not clear.

trevelyan2y ago

the irony is that POW is actually more complex here, which is why it is vulnerable to these attacks

trevelyan2y ago

The sybil-proof mechanism here is not POS but a variant of POW.

j / k navigate · click thread line to collapse