Proof of Stake and "Weak Subjectivity"

Ben 2014-11-25 20:08:27 UTC #1

Chronos 2014-11-25 20:19:28 UTC #2

I enjoyed this article. The entire blog is fantastic. Vitalik is crazy smart.

JordanLee 2014-11-25 23:40:23 UTC #3

Yet another demonstration of how we are still under the radar: Vitalik is unaware we solved the nothing at stake issue in version 0.4.0. The solution sigmike and I designed is much more elegant than using deposits.

Chronos 2014-11-26 00:13:06 UTC #4

Perhaps you would like to go into more detail in a comment on his blog post? That would bring awareness to the entire readership.

miner 2014-11-26 01:25:48 UTC #5

https://bitcointalk.org/index.php?topic=873198.0 BTT thread

Yurizhai 2014-11-26 02:14:43 UTC #6

I would love to see someone take a look at Jordan and sigmike’s solution and give their thoughts.

Sentinelrv 2014-11-26 03:19:44 UTC #7

I posted info about the change Sigmike made in the thread miner linked to…

https://bitcointalk.org/index.php?topic=873198.msg9657823#msg9657823

Benjamin 2014-11-26 03:47:41 UTC #8

So what you are doing is essentially discarding new blocks associated with duplicate stakes.

I approve of this decision. It is not a full resolution of nothing @ stake though.

There are two distinct of nothing @ stake issues.

The possibility that miners will mint on every fork they see to maximize block output.
The possibility that someone who owned a whole bunch of coins in the past will build on the distant past.

You certainly cover the first. The second issue is much trickier and I’m not sure if you have it covered. Let’s examine the second issue for a moment.

Suppose for example, that pirate held 51% of all coins at some point in the past. He didn’t, but you could see how this might happen. Pirate was supposed to have held 20%. Given that only a fraction of stake actively mines, even 20% could be enough.
Pirate no longer owns these coins, but decides to take them back. To do this he uses his 20% of coins to build a private blockchain. If the % of miners actively mining on the main chain is less than 20%, eventually pirate will overtake the main chain. A checkpoint, of course, could prevent this.

I don’t think you can address this issue with your system duplicate stake detection. If you apply duplicate stake detection over a long-time range, miners will get stuck on a fork when they download the wrong block (or set of blocks) by accident. Ways of addressing this issue include:

Checkpoints
Downloading candidate blockchains in their entirety. Computing a set of suspect inputs associated with duplicate stake or double-spending within the candidate blockchains. Recalculating total chain difficulties for each blockchain after subtracting out blocks signed by the set of suspect inputs. Selecting the true blockchain based on the recalculated total difficulties.

(2) is essentially a form of long-range duplicate stake detection. I don’t think Vitalik is aware of this option. I also don’t think any blockchains are using a system like this right now.

cryptog 2014-11-26 13:25:49 UTC #9

i think his mind is too recursive.

JordanLee 2014-11-26 19:05:54 UTC #10

Benjamin’s analysis is exactly correct.

We have solved this issue with checkpoints that are hard coded in the source code with every release, which you correctly identified as a solution. These are quite different from the checkpoints that can be issued by Sunny King in Peercoin. Nu doesn’t allow checkpoints to be issued in real time by a trusted party. Bitcoin has the exact same implementation of checkpoints that Nu has.

Sabreiib 2014-11-27 02:50:28 UTC #11

So we completely resolved all the issues.

mhps 2014-11-27 04:17:29 UTC #12

You might want to take a look at this record and see what has been discussed and what conclusions the peercoin community has made.

Benjamin 2014-11-27 05:29:15 UTC #13

I don’t mean to imply that nothing@stake is a security risk for nubits.
As Jordan Lee mentioned, solutions are in place for both types of nothing@stake attacks. The solutions used by nubits are short-range duplicate stake detection and long-range checkpoints.

I just wanted to clarify that

duplicate stake detection as implemented in nubits does not obviate the need for long-range checkpoints.
It is possible to use a different form of duplicate stake detection that allows for well-defined consensus without checkpoints. I don’t think Vitalik is aware of this alternative method.

I don’t think long-range checkpoints are bad. But even if you are absolutely opposed to them, you do not need to reject POS. You can have an alternative flavor of POS that generates long-run consensus without any checkpoints.

mquandalle 2014-11-29 13:32:15 UTC #14

Vitalik’s answer: http://www.reddit.com/r/ethereum/comments/2nda25/proof_of_stake_how_i_learned_to_love_weak/cmdcpe1

Chronos 2014-11-29 17:25:16 UTC #15

I posted a reply to Vitalik’s answer. I don’t know if he’ll see it, though…

masterOfDisaster 2014-11-29 19:16:58 UTC #16

He did see it and he did answer it:

mhps 2014-11-30 03:48:28 UTC #17

Right. He said

So, the system still relies on weak subjectivity

So, according to him, the peercoin/nubits solution embodies what he has learned to love. Welcome aboard, Vitalik!

cryptog 2014-11-30 06:07:55 UTC #18

can you care to sum up what weak subjectivity is…I tend to think that vitalik prose is too complicated for me…

seki 2014-12-01 14:53:09 UTC #19

Vitalik and Sunny are admiring each other, no secret here

cryptog 2014-12-02 01:56:31 UTC #20

do u have a link that shows that sunny likes ethereum?