Is PoS a lie?

After releasing Fork It #22: PoW vs PoS on August 31, the Chinese podcast program Fork It, which is jokingly called the "annual update", recorded the 23rd episode on the eve of the Ethereum Merge: Is PoS a lie?

This episode is co-hosted by Daniel and Terry, and we have invited Mr. Ajian, the content director of BTCStudy, to talk to everyone about the debate on PoW vs PoS, his views and position.

Teacher Ajian was once a very hardcore researcher, translator, and content contributor in the Ethereum Chinese community. The host's wish is to make the topic easy to understand, but Teacher Ajian's ability does not allow it. So if you have some understanding of the design ideas and basic concepts of PoW/PoS and distributed consensus algorithms, it will help you understand why, through Teacher Ajian's analysis, we can conclude that PoW is superior to PoS in all aspects.

At the end of the interview, the host was most moved by Mr. Ajian's words, which are excerpted here: A technology paradigm should think about protecting its own users, it should protect consensus, it should cherish every hard-earned consensus, it should accommodate every possible individual to enter this ecosystem, to be able to use it to continue dreaming, and to strive for a beautiful future that is far away that I can imagine.

The following is a transcript compiled by community members (recommendations of good things not related to the topic have been deleted):


1. Opening Introduction


Daniel: Hello everyone, welcome to the new episode of Fork It. I am Daniel, the host of the show who has disappeared for a long time. Today, Terry and I will be hosting the show together, and we have invited Teacher Ajian to be our guest.

Before we begin, let me first introduce the current special time point. The recording time of this program is very close to a very big event in the Ethereum community, the so-called Ethereum Merge. The Ethereum Merge will happen within 48 hours. When everyone listens to this program, it should be when the merger has just been completed.

Okay, let us first introduce today’s guest, Mr. Ajian.

Ajian: Hello, listeners of the Fork It podcast, my name is Ajian. I am very happy to be invited by Daniel and Terry to be a guest on Fork It. I have listened to many episodes of Fork It before, and I found that Fork It always invites the most professional people to talk about the most professional topics, so I also regard this as a recognition of me by Terry and Daniel, and I feel very happy.

I entered this industry in 2017, and I have been working as a translator since then. From 2017 to 2021, I have been working as an Ethereum enthusiast. Now many friends may know me as an Ethereum enthusiast, because I have been doing translation and editing work in it. If you look at it from this point in time, I guess I am now a more senior person in the industry. Because I have been doing the same thing for so many years, I have been constantly learning in this process and doing some research. Although these studies may not be very important, they have accumulated some understanding of blockchain.

I have been contributing to BTCStudy since the end of 2021. It is a very small website with no extra content. It is all about the technical principles of Bitcoin, some possible technical improvement directions, and some interesting technical solutions emerging in the ecosystem.

Daniel: Actually, I know that Mr. Ajian doesn’t usually participate in the front-stage events. You mainly do some content and article work behind the scenes. Some listeners may not know that Mr. Ajian is a very important figure in the small circle of core technology enthusiasts of Ethereum in China. Why do you say that? Because every time a major event happens in the Ethereum community, everyone will discuss it. The opinions of these real KOLs, which we call KOLs, often play a very important role in the entire Chinese community. Mr. Ajian is one of the few real hardcore KOLs of Ethereum in this small circle that I know.

Terry: There are many KOLs, but relatively few hardcore ones.

Ajian: When I considered myself a member of the Ethereum ecosystem, the Ethereum ecosystem was also very exciting, and everyone could see a variety of people and a variety of opinions. I think what makes me relatively special is that I may have one thing in common with Terry, Daniel, and other guests who have been on Fork It, that is, we pay special attention to technology and the underlying layer. I think many things about the application layer are not my greatest interest, or not what people in my so-called community identity should care about the most. So in this process, I paid a lot of attention to the protocol layer of Ethereum, including its origins and development, its direction, etc. I think this may make people think that I have some understanding of these issues. I think it is just like this.


2. PoW is superior to PoS in all aspects


Daniel: Teacher Ajian doesn’t participate in discussions very often, but whenever there is a very critical discussion, I will definitely post your comments and read them carefully. For a long time before the Ethereum merge, the entire community started a debate about PoW and PoS. I believe that Teacher Ajian may have participated in many such discussions. Can you introduce your position or your proposition to everyone on this protracted discussion that has lasted for years?

Ajian: First of all, regarding my stance, I undoubtedly believe that PoW is better than PoS in all aspects.

I also think that this debate may have existed a long time ago, when the idea of PoS first emerged, about 10-12 years ago, and at the latest in 2014. Because in 2014, the research and development of Ethereum had already started. From that time to now, my biggest feeling may be that in this process, with the development or further research of the PoS mechanism proposed by Ethereum and other projects, some new ideas or new opinions will emerge.

But throughout the whole process, I think the arguments of the PoS side on the superiority of PoS actually contain a lot of impurities, and I even think that most of them contain lies. They actually used a method of argumentation based on the selective presentation of facts, that is, when you only present part of the facts instead of the whole facts, although the part you present seems to be the fact, your argument cannot be called an argument. In this sense, I call them lies.

Let me give you a simple example. For example, there is a voice that often appears that PoS is a new thing. Since it is a new thing and an improvement on the old things, it must be a new trend and a new future. For example, they believe that PoS abandons the computationally intensive block production process of PoW, and does not waste energy to produce blocks, which will become so-called greener. Or because the process does not require so much computing power, scalability seems to be improved. These are all missing comparisons.

Let's take the simplest example. Is PoS a new thing? This is a very interesting topic. Many people think that Bitcoin first proposed PoW and then someone proposed the idea of PoS. In fact, from a technical point of view, I think it is a category error. Because if you know something about the consensus algorithm in the distributed field, you will know that the research on the consensus mechanism in the distributed field originated from Lamport. The paper published by Leslie Lamport in 1987 was about the Byzantine Generals Problem. What he envisioned was a voting-based mechanism with unforgeable identity proof, that is, a digital signature scheme. Under this premise, a key conclusion of the Byzantine Generals Problem is that 1/3 is an insurmountable upper limit. If more than 1/3 of the people are malicious and do not want to reach a consensus, then this distributed system will not be able to reach a consensus.

Then there came the so-called Byzantine fault-tolerant algorithm, that is, when no more than 1/3 of the participants are malicious, do we have a set of algorithms to reach this consensus? In fact, these Byzantine fault-tolerant algorithms are all based on the identity and digital signature system, so you can think of the Byzantine fault-tolerant algorithm at that time as the predecessor of the so-called PoS algorithm today.

It appeared much earlier than PoW, but in the earliest form of the Byzantine Fault Tolerance algorithm, it assumed that the signature weights of all participants were the same, and there would be no situation where the voting weights of participants were different. The conceptual progress of PoS over the Byzantine Fault Tolerance algorithm is that it relaxes this point, so that the signatures of different participants have different weights. However, in fact, we can say that PoS is an older thing, and it does not actually bring us a consensus mechanism like Bitcoin that does not require permission and everyone can participate. This is a very important feature.

Back to the technology itself, there are actually quite a lot of points to discuss. For example, based on a model that everyone is familiar with, comparing it in three dimensions: security, scalability, and decentralization, we can actually compare a lot of things.

3. Security

Terry: I think it is very appropriate to talk about it from the perspective of the impossible triangle.

I see a common argument for PoS now, that it is more secure. If this point cannot be compared, they will point out that PoS is more secure at the same cost. In terms of anti-censorship, I think PoS has a more obvious disadvantage, but at this time they usually compare it together, saying that PoW is not much better in terms of anti-censorship. In terms of decentralization, they said at the beginning that PoS would not have a mining pool and would not have stakes, but later found that this is a very professional matter and there must be stakes.

Can you analyze the current common views as a whole from these three dimensions and your evaluation of their wrong views?

Ajian: I may ask the audience of Fork It to be patient with me, because I will talk for a long time. As I have said above, all the arguments I have come across about the superiority of PoS contain a lot of missing comparisons or selective comparisons.


I can state my conclusion here: in any dimension, it is impossible to prove that PoS is better than PoW. I am responsible for this statement.

First, let’s talk about security. Existing security research on PoS basically mentions a very basic attack: Stake Grinding Attack, equity grinding attack or rational fork.

PoS does not use the competitive method of PoW to compare who is lucky enough and fast enough to propose the next block's proof of work mechanism, nor does it compete to find a random number that meets the difficulty requirements faster. One way of generating blocks in PoS is to divide a period of time into 12 or 36 segments, for example, and assign a block producer to each segment.

Another way, such as the earliest PPCoin, is that everyone has a UTXO, each UTXO has a face value, and the length of time it has not been spent, which is called coin age. Two factors determine whether you can use UTXO to become the block producer of the next block. Some calculations still need to be done in the middle, but the most interesting point is that the block production attribute of PoW is non-progressive, Progress Free. What does it mean? It means that if this block is produced now, no matter how the hash value of this block is adjusted, no matter how many times it is tried, it will not affect the probability of mining the next block. The block producer of the next block still has to go through a lot of calculations. Affecting the hash value of the current block actually does not help the block difficulty of the next block.

However, in PoS, everyone has to use past historical blocks as the source of random numbers, that is, use a random number source to generate a random number, and use this random number to decide who will produce the next block, or who will produce the next ten blocks respectively. It loses the progress-free characteristic.

What does this mean? It means that whoever mines this block and finds the characteristics of this block data can determine who will produce the next block or even ten blocks.

So what will everyone do? Although I can only have one block within ten seconds at this point in time, I am actually secretly mining and have counted 100 blocks. I will see which block will allow me to be the block producer in the next block, or find which block can maximize my chance of producing a block in the next chain. This is called a stake grinding attack. It will constantly try to mine at any block point and try to interfere with the choice of future block producers.

Stake grinding attacks were very common and deadly at the time. Although we saw that only one block appeared on the network at that time, in fact, everyone had secretly mined hundreds or thousands of blocks. They were just waiting for him to mine a super long chain, and then at a certain moment, they would show it to you, and everyone would jump to it because of the longest chain consensus.

But is the longest chain consensus stable? It is not stable either. Someone will give you a longer chain next time. This was the stake grinding attack that appeared at the time. Later, everyone attributed it to a property called Nothing at Stake, which means no stake or no interests. What does it mean? Although you only arrange for me to point out blocks, I am secretly mining N blocks. This will not affect my interests at all. It has only benefits and no disadvantages.

The equity grinding attack directly led to the introduction of a penalty mechanism in almost all subsequent PoS mechanisms. Everyone has discovered that this reward-based, random block generation method does not work, so a penalty mechanism is needed to constrain people from making rational forks. What is its logic? When people have proposed a block, if they are found to have proposed the same block on another chain, they will be punished, so as to constrain them from mining forked chains and ensure that only one chain is mined. This principle basically runs through the design of all subsequent PoS chains since 2014.

But we will find that this problem is not that simple, because the penalty mechanism we just talked about seems to be only one-way in the dimension leading to the future, preventing everyone from mining forked chains in large quantities, and can constrain everyone to one chain and produce blocks straight forward. Does this mean there is no problem? No. Because a chain not only has a dimension leading to the future, it also has a historical dimension, and we even think that the historical dimension is more important.

Why? Because if the history of the chain can be tampered with at will, how can it serve as a ledger, how can it serve as everyone's basic transaction system, and how can various application functions be built on it? This is what I think is a more critical factor. If the blockchain can form an unalterable ledger and an unalterable history, then I can be afraid of nothing. For an ordinary user, I never worry about losing my money, because almost all the history is reliable. And cryptographic schemes such as private keys and digital signatures have given me a property attribute that is comparable to any other property system so far, or even better than them.

Next, you will find another situation called long-range attack. Long-range attack means that although it seems that everyone can produce blocks on a chain, this does not solve the problem. Why? Because I can dig out another chain from the genesis state. This chain may not be longer, but the point is that we have no formal effective method to compare this newly mined chain with the chain that everyone has been using in history. What is the difference?

This is the most critical attribute. Why? For example, as an ordinary PoS chain user, when my node synchronizes to a chain, I actually don’t know whether this chain is a chain that everyone has always participated in through PoS consensus, nor do I know whether it is a chain that some people have dug up separately. Some people say that we can observe signatures because each block carries the signature of a PoS participant.

But this happens to be linked to another thing. Everyone found something very interesting. All PoS validators need to lock their coins in, but why do they lock them in? To make money, right? If you make money, you have to spend it one day, so you always have to unlock it. If you can't unlock it, it becomes a one-way process, and no one will be willing to participate in such an algorithm because it means there is absolutely no benefit.

The validator's coins will be released at a certain time. Once the release time is reached, all the penalties set at the consensus level of this chain will no longer have any meaning to you. Because my money has been withdrawn, what are you punishing me for? My money has been withdrawn, so there is no way to impose any punishment on me at this time. The aforementioned punishment to make a person sign a block on only one chain is not true.

This is the process of combining the long-range attack with a special form of attack that people have discovered before, called the old private key attack. Once a PoS participant leaves the constraints of the consensus layer, you actually have no way to constrain his private key behavior. Then at this time, someone can completely buy some old private keys. Buying old private keys may be very cheap because it is just buying a private key and does not require property.

With the old private key, we can forge a chain that is exactly the same as the previous chain. All transactions can be replayed and all signatures can be put back on. So which chain is the real one? Under this long-range attack, we will find that all existing PoS algorithms cannot solve this problem technically, including Ethereum.

Ethereum's Casper algorithm has gone through a lot of evolution. Its core concept is to use penalty constraints to make people produce blocks on the same chain and ensure that consensus is reached regularly. Ethereum's design based on the penalty algorithm is complex and sophisticated, and should be ranked first among the current PoS mechanisms. It is very sophisticated and makes full use of the penalty-based concept.

For example, if someone proposes two conflicting blocks, they will be punished; for example, Casper voting is not a vote on block generation, but a vote on the checkpoints of previous historical blocks. Checkpoints are equivalent to everyone refreshing its genesis state regularly. The original genesis state may be blockchain No. 0. Now after block No. 100, everyone has 2/3 of the votes in favor, so everyone makes block No. 100 a new starting point for all state construction, and then block No. 100 becomes a new genesis block.

The Casper punishment mechanism is that whenever there is some irregular behavior in the checkpoint voting, including double voting and wraparound voting, specifically, whether you will vote for two competing checkpoints, and whether you jump to another fork point when voting on the checkpoint. For example, the first checkpoint voted is on chain A, but the next checkpoint actually jumps to chain B, which means there is a problem.

What is another more interesting punishment? When the entire chain cannot reach a consensus, it will punish all participants. Note that it is all participants, not just those who are not online, but all participants. If you understand game theory, you can think about why you want to stop these offline participants and frame others by not forwarding their blocks and signatures?

The consensus algorithm itself imposes severe penalties on offline participants. Being offline is confirmed by the presence of your signature in a certain period of time. If there is no penalty, then I can not forward your signature and keep the chain in a state where there is no way to confirm the consensus for a long time. On the one hand, I can confiscate the other party and on the other hand, I can increase my weight. In order to prevent this from happening, penalties will be imposed on such behavior, and then these penalties will be used to continuously eliminate those offline participants and make them resynchronize. But even if all of these are added together, there is still no way to deal with what we call long-range attacks and old private key attacks.

Why? Because all participants will exit the system one day. After exiting the system, the old private key attack becomes an incentive, that is, an attack that is feasible based on the incentive mechanism. Just by buying an old private key, you can create an extremely long chain.

This property has been discussed very thoroughly, and there is a lot of relevant information on the market. There is a very important document, the original version of which was published in 2014. Later, the author revised this paper in 2015, called On Stake and Consensus. This article is very important, and it summarizes all the attacks I talked about above. The final conclusion is that this long-range attack actually represents the final form of attack on PoS, and it can be superimposed.

For example, I have heard a friend propose a very interesting attack called coin scattering. It is to combine long-range attacks with airdrops to these people, so that they will support my chain instead of the original chain. For example, if I want to fork Ethereum now, I will not only let you have so many coins, but also give you more coins. In this process, you can even combine some other attacks on social consensus, such as launching a propaganda war, telling others that the people of the Ethereum Foundation have collapsed our chain, they are not good, so we have to revolt, fine their coins and share the money with everyone, our coins do not have any inflation, it is still strong in value in the market, but we punish the bad guys.

I remember a few years ago, Jan also mentioned that the entire PoS model is a bit like an Ouroboros, a snake biting its own tail. If your ledger is to be secure, then the consensus mechanism must be secure, but if you want the consensus mechanism to be secure, then the ledger must also be secure, so it forms an Ouroboros.

The author of On Stake and Consensus also came to the same conclusion. Why is the consensus mechanism of proof of stake insecure? Because it relies on the ledger it wants to form to impose its growth. Everyone can jump to another ledger and launch a long-range attack to fork the chain. On this forked chain, all the punishment measures of the original chain are ineffective. In this case, how can you say that your consensus mechanism is secure? So everyone attributes it to a circular argument: if the ledger needs to be secure, the consensus algorithm must be secure, and if the consensus algorithm is secure, your ledger must be secure.

Notice that I used two "security" here. Assuming that these two security definitions are exactly the same, what does this mean? It means that it is a circular argument. But in fact, the current Ethereum PoS algorithm, including Vitalik himself, believes that this is not a circular argument. Why? Because the definitions of the two "security" in this sentence are different. He believes that the definition that the latter ledger must be secure is different from the definition that the consensus algorithm must be secure. He believes that the security of this ledger is based on the so-called social consensus, which is a social process. This social consensus determines that we all recognize that this chain is Ethereum. So based on this point, we form a process for Ethereum PoS consensus participation on this basis to further determine which transactions this chain will process next.

But he cannot deny that if everyone is not syncing this chain all the time, and if the entire process is not syncing this blockchain from its genesis block, then there is really no way to tell which of the two chains that are identical in form a period of time ago is the real Ethereum. This is technically impossible to do, and there is no way to reach a consensus.

So he proposed the concept of weak subjectivity, which means that the node must be online once every four months. Once it is offline for more than four months, it must synchronize with a node you trust. In other words, no matter who you synchronize with, for the chain that was broken four months ago, you actually need to trust the node that provides you with blockchain data. This is weak subjectivity.

It cannot achieve the same objectivity as PoW. In PoW, you don’t have to trust any node that provides blockchain data. Why? Because I can verify independently from the genesis block, and it is lightweight to verify to the latest block. No one can cheat me. The entire PoW consensus model through competition makes everyone converge on only one chain in the end. This is the proof of PoW’s security.

However, this cannot be done in the operation of the entire consensus algorithm of the PoS chain. Ultimately, it depends on social consensus and so-called trust. As long as you are offline for a long time, you will be trapped in weak subjectivity and must trust a node that provides you with blockchain data. Why is this important? Because it means that consensus will continue to weaken, and ultimately everyone's information source will tend to be centralized to those who have not been offline for a long time.

PoW will continue to accumulate consensus, and everyone will continue to accumulate work on the same chain. All the nodes that join do not need to trust each other. They only need to use computers to verify all the data and verify its formal validity, and then they can determine that this is a valid chain. Therefore, PoW is a process of continuous accumulation and cohesion in social consensus.

What do these two mean? I think you can think carefully about what problems do we want blockchain to solve? Do we just need a machine that we frequently check and repair, or do we hope to find a most basic principle, on which blockchain can be used as a full-time processing system that continuously generates blocks to provide us with the most basic services and continuously build consensus in the process. This is what we hope blockchain can do.

Therefore, PoS cannot be compared with PoW in terms of security. The lie that I hate the most and is the most common one is Vitalik’s own argument about why PoW is not safe, because as long as you rent 51% of the computing power, you can launch a 51% attack. However, to attack PoS, you need to buy 51% of the coins, or buy the deposits of 51% of the PoS participants.

Isn’t this a naked lack of comparison? What is it comparing? It is comparing the cost of launching a temporary censorship of PoW for a short period of time, such as a few hours or dozens of blocks, and the cost of permanently destroying a PoS chain. These are obviously comparing two different things.

If you just rent 51% of the mining machines, it is equivalent to only being able to temporarily launch a censorship attack, or a short-term double-spending attack. So what do we want to ask is what’s next?

First of all, the fact that you can rent 51% of the computing power is not true in reality. We can see a website that shows the cost of a 51% attack, which shows how much it costs to rent 51% of the mining machines, ranging from thousands of dollars to tens of thousands of dollars. If the cost of attack is really so cheap, why doesn't anyone do it? Because there are still many insurmountable difficulties, such as the difficulty of network implementation, etc.

Assuming that it is possible to rent, what is the result of the attack? Everyone experienced a few hours of chaos, and then it was over. The PoW longest chain consensus will push everyone to continue to gather on the same chain. The PoW system has not collapsed, and it has not been completely destroyed. Unless you can guarantee that you can permanently control 51% of the mining machines, there is no way to permanently launch a 51% attack. This is an obvious truth.

If you really bought 51% of the PoS rights, what can you do? The answer is that you can do whatever you want. Because if you have 51% of the rights, you can completely dominate the process of block generation. It also means that newcomers who want to participate in the PoS process must also get your consent. Because they must lock their deposits into the system through a transaction. If they cannot lock their funds into the system, they cannot become a staker and cannot participate in block generation. Their signatures are invalid and meaningless. As long as you can control 51% of the PoS rights, you can permanently destroy a PoS chain.

Some people will say, don’t we still have social consensus? If this happens, we can just punish him. This is a ridiculous statement. Not to mention that this is a missing comparison, if you compare at this level, you can’t compare PoS to PoW. Secondly, if you really think this is a feasible solution, it’s ridiculous. Because what we need is a 24/7 system, but this system actually requires the participation of all people and needs to be checked frequently to see if there are any problems. And when there is a problem, are you sure you can gather so much social consensus to punish it? Or from the perspective of the consensus mechanism, is this social consensus a way to be exploited?

Because if someone uses propaganda to make people believe that we now have a consensus and that if we want to punish a group of people, they will be punished, do you think that as a participant and user of the PoS consensus chain, do you feel safe? This means that the security of your assets is completely subject to that illusory social consensus, and there is no mechanism to protect you. And the key point is that everyone's ability to initiate social consensus is different, which is an obvious fact. Do you have to put the security of your assets under the will of that small group of people? That small group of people can initiate social consensus, which means that they can attack your property at any time. Is this the system you want? Is this a system you want to put your assets in? This is a very absurd and ridiculous statement.
