# PoS (proof of stake) via Andrew Poelstra

These are notes on the work of Poelstra[1]. He argues that Proof of Stake
consensus methods are either not secure or require trust. Therefore Proof of
Stake is not a secure distributed consensus algorithm, and therefore it should
not be used in blockchains.

## Intro
- Bitcoin uses DMMS (Dynamic Membership Multiparty Signature)
- DMMS must be costly to produce

## Distributed consensus
- Distributed consensus is defined in the paper/post as "consensus between
 many mutually-distrusting parties who lack identities and were not necessarily
 present at the time of the set up"

## Dynamic Membership Multiparty Signature
- Cryptography cannot distinguish between real and fake history, so there must
 be some party authenticating that history
- DMMS schemes are different from traditional signature schemes [there are
 costs, which are not present in traditional signatures]
- In a DMMS there is a cost to sign, and a DMMS is secure if the best algorithm is
 the defined one [i.e. you gain nothing by using any different algorithm]
- Mining (as in BTC) is a DMMS [in the random oracle model]
- There is no universal time, so we cannot just order the transactions as they
 arrive
- In BTC, the cost comes from evaluating the hash function, which is a measure of
 the energy consumed (see [Lan61]). Therefore, BTC's cost is scarce
- In BTC, history is divided into blocks; the chain of blocks [blockchain] with
 the highest cost is the true one. To change it, you need to produce a chain
 with a higher cost
- Are DMMS necessary to produce distributed consensus? Open problem

## Proof of Stake (PoS)
- PoS is a proof of ownership. To sign a block, and so write the
 continuation of history, a user proves that he has locked funds (in a
 bond). So instead of physical proofs, PoS-based blockchains use cryptographic
 proofs.
- The cost function measures the currency itself, which is not scarce. Therefore
 the DMMS of PoS _is not secure_: it is costless to produce a chain with a higher
 cost, so this cannot work
- To solve the problem of the non-scarcity of the currency, some blockchains have
 introduced punishment. This does not solve the problem of time: a malicious actor
 can sign one block (first history), then move funds out of the bond after some
 time, then sign another block at the same height (second history). This also
 invalidates the idea of making bonds last several blocks.
- If you implement _real block history is in line with real time_, then new
 users have to trust old users: this violates the definition of distributed
 consensus, i.e. PoS with this variation is not a distributed consensus algorithm
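
The cost asymmetry from the DMMS and PoS sections above, measured in a toy model. This is an added example, not code from the paper: the block format, the weight rule (stake per block) and the use of HMAC as a stand-in for a signature are assumptions made for illustration.

```python
import hashlib
import hmac

ZERO = b"\x00" * 32  # constructed genesis hash

def mine(prev, payload, bits):
    """PoW: search for a nonce whose block hash is below the target."""
    target = 1 << (256 - bits)
    tries = 0
    while True:
        digest = hashlib.sha256(prev + payload + tries.to_bytes(8, "big")).digest()
        tries += 1
        if int.from_bytes(digest, "big") < target:
            return digest, tries  # tries = hash evaluations spent on this block

def pow_chain(payloads, bits):
    """Return (tip, chain weight, hash evaluations actually spent)."""
    tip, spent = ZERO, 0
    for p in payloads:
        tip, tries = mine(tip, p, bits)
        spent += tries
    return tip, len(payloads) * 2 ** bits, spent

def pos_chain(payloads, key, stake):
    """Toy PoS: one keyed MAC (standing in for a signature) per block.
    Weight is the bonded stake, which the signer does not consume."""
    tip, spent = ZERO, 0
    for p in payloads:
        tip = hmac.new(key, tip + p, hashlib.sha256).digest()
        spent += 1
    return tip, len(payloads) * stake, spent

def compare(n=5, bits=12):
    """Build an original history and a second history at the same heights."""
    first = [b"tx-%d" % i for i in range(n)]     # constructed payloads
    second = [b"alt-%d" % i for i in range(n)]   # constructed payloads
    key = b"constructed-stake-key"               # same key signs both histories
    return {
        "pow_first": pow_chain(first, bits),
        "pow_second": pow_chain(second, bits),
        "pos_first": pos_chain(first, key, 1000),
        "pos_second": pos_chain(second, key, 1000),
    }

if __name__ == "__main__":
    for name, (tip, weight, spent) in compare().items():
        print(f"{name:10s} weight={weight:6d} operations={spent:6d} tip={tip.hex()[:12]}")
```

Both second histories reach the same weight as the first, but the PoW one needs roughly `n * 2**bits` hash evaluations again, while the PoS one needs only `n` signing operations with a key the signer already holds.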


*Created on 2020-03-21*
[1] https://download.wpsoftware.net/bitcoin/pos.pdf