Some people believe that only PoW can reliably connect value in the real world to value in the virtual world, and that PoS creates coins out of thin air and distributes them unfairly, which is bound to lead to monopoly, and so on. There is also a blunter view: all PoS chains are scams. These assertions cannot be refuted; more precisely, they can be neither proved nor falsified. I think PoS has some properties that PoW does not have, and these properties are very important for at least some crypto protocol applications. This article attempts to present some characteristics of PoS in non-technical language.

The terms PoW and PoS, as commonly used, refer to Nakamoto consensus based on proof of work and BFT consensus based on proof of stake, respectively, and that is how they are used below. A consensus protocol is designed not to issue coins fairly but to maintain the security of the blockchain network. The blockchains discussed in this article are public chains; consortium chains and private chains are excluded.

What is blockchain network security? The question seems basic, but it is actually very complicated. It is much simpler to approach it from the other direction: what is an unsafe blockchain? In other words, what security incidents can occur on a blockchain, and what problems follow when they do?

Blockchain is a distributed ledger technology and a machine for producing trust. Its data structures and network protocols are designed to keep accounts safely and verifiably without central coordination, in a Byzantine environment where both the network and the participating nodes are unreliable. In that sense blockchain is inherently safer than other types of network architecture. Leaving software defects aside, only two types of security incident can occur on a blockchain: distributed denial-of-service (DDoS) attacks and double-spending attacks.
A DDoS attack aims to disrupt the network so that all or part of it cannot work normally, but disruption does not directly make money. On traditional networks, the profit model for DDoS attacks is extortion or attack-for-hire. Either someone pays hackers to disrupt competitors or networks he doesn't like, or the attackers disrupt first, then ask the operator for money and keep disrupting if it is not paid. A blockchain is a decentralized network, so an extortionist has no one to demand money from. Moreover, a blockchain is a distributed, self-organizing network. If it is large and well designed, taking it down is difficult and costly. Blockchain security should therefore take DDoS attacks into account, but they are not the focus.

The key point is the double-spending attack, which is a real threat to a blockchain network. Double-spending literally means spending a sum of money twice. So how can a sum of money be spent twice? The successful double-spending attacks that have occurred so far all follow this process:
Double-spending attacks require careful preparation in advance and cannot be launched on a whim. In addition, the blockchain must be forked, and the fork must start from a block some time in the past, which has a cost. For PoW, that cost is computing power: you have to mine the forked chain until it becomes the longest chain and is accepted by others. A successful double-spending attack is one where the gains exceed the costs and the attacker makes a profit. If, after all that effort, the cost of buying computing power is higher than the gains from double-spending, the attack still only counts as making trouble. Double-spending attacks are therefore not easy to carry out, and there are not many successful cases.

Two points about the successful double-spending attacks in blockchain history are worth noting. The first is that the chains successfully attacked were PoW chains. I hope those who say every day that PoS is unsafe will pay attention to this fact. Even the early, immature PoS chains have never suffered a double-spending attack. This does not mean that a PoS chain cannot be attacked, but that attacking one is unprofitable. I will explain the reason later. Research on PoS attack methods is therefore theoretical, and no one carries out such attacks in a real environment.

The second point is the impact of double-spending attacks on coin prices. Maybe many people are like me and assume that a double-spending attack proves the chain is unsafe, so the price must plummet. The reality is different. If you check the markets for ETC, Bitcoin Gold, and Verge, which were attacked by double-spending, the prices fell only a little. Why? Because the exchange bore the loss from the double spend: in effect, the attacker cheated the exchange out of coins that should have belonged to it. Most coin holders think: what does it have to do with me? The coins in my hand have not been reduced or diluted.
The exchange makes so much money that it deserves to bleed. So if a coin you have invested in suffers a double-spending attack, don't think the sky is falling and run away immediately. But note that this only means you need not run immediately; you should still leave after the storm has passed. Why? Because securing crypto assets is the most important capability of a blockchain. Someone else was unlucky in this attack, and I might be the unlucky one in the next. Once a blockchain is labeled unsafe, it is basically on the road to slowly going to zero, unless it can prove that the security problem has been solved, which is very difficult. You can check how the market value rankings of ETC, Bitcoin Gold, and Verge changed after they were attacked. Because price changes follow the overall market, the market value ranking is what reflects a chain's position in the industry.

So far we have talked about unsafe blockchains. Bitcoin is very safe, and everyone agrees on this, but Bitcoin being safe does not mean PoW is safe. The next time you hear someone say that PoW is safer than PoS, you can refute him with facts.

Why are some PoW chains safer than others? Because the premise of PoW chain security is that the block reward is higher than the cost of renting 51% of the computing power during the same period. (Strictly it should be block reward plus transaction fees, but transaction fees are usually two orders of magnitude lower than the block reward, so they are ignored here and below.) The premise is brief, but the actual situation is complicated and has to be explained case by case.

First, is the chain mined mainly by general-purpose computers or by special-purpose mining machines? If it is mined mainly by general-purpose computers, it is theoretically unsafe. Why? Because the general-purpose computers that mine cryptocurrencies are only a very small fraction of the computers on the Internet.
If a botnet controlled by the attacker (which amounts to renting a large number of general-purpose computers at very low cost) has more computing power than the honest mining network, a double-spending attack can be launched.

Dedicated mining machines are machines with a particular hash algorithm fixed in hardware, such as SHA256. They can mine any chain that uses SHA256. Among chains mined by the same type of dedicated machine, the chain with the most computing power is the safest. The distribution of computing power is determined by the size of the block rewards. Assuming the block rewards offered by the three chains BTC/BCH/BSV are 100 yuan, 3 yuan, and 2 yuan per hour, respectively, the computing power will be distributed in the ratio 100:3:2. If it is profitable, an attacker may rent a small part of the total computing power to attack BSV, but renting most of the computing power to attack BTC is very difficult.

There are two questions here. First, why does the computing power need to be rented? Can't miners attack directly? Generally speaking, no. Miners and mining farms might profit from a double-spending attack, but if the chain is not secure, the currency will depreciate, and the corresponding mining machines will depreciate with it. People who own large numbers of professional mining machines will therefore not attack the chain, at least not the chain with the largest block reward.

The second question is the cost of rental. In most cases mining is profitable, so the cost of renting computing power is very high and an attack does not pay. In special cases, however, the price of the currency plummets, the computing power built up during earlier expansion is excessive, and a large number of mining machines are shut down. At that point the rental price of a mining machine only has to exceed its operating cost, that is, the electricity cost, and currencies with low block rewards are in great danger.
Putting the above together, the security premise of PoW can be roughly restated as: the chain is mined with dedicated mining machines, and it holds the largest share of that type of computing power. The well-known cryptocurrency researcher Nic Carter used the picture above to illustrate this: Chain A accounts for a small share of the computing power of its type, and Chain B accounts for a large share of the computing power of its type. Although the absolute computing power (i.e., hash rate) of Chain A is higher than that of Chain B, Chain B is more secure than Chain A.

At this point we can return to the topic and talk about why PoS is needed. A preliminary question is: apart from BTC, are other chains necessary? Bitcoin maximalists believe that Bitcoin is the only useful cryptocurrency and that other blockchains, including Ethereum, are just messing around. If you agree with this view, PoS is of course unnecessary. Others (including me) believe that decentralized crypto protocols define efficient markets and can reduce transaction costs. The world needs many crypto protocols and many blockchains.

If a new blockchain launches with a PoW protocol, it runs into the cold start problem. In fact, not only new PoW chains but Bitcoin itself ran into it. The coin is not valuable, so few people mine it, so the network is not safe; the network is not safe, so the coin cannot appreciate. In the first three years after Bitcoin appeared, the coin price was low, the network was fragile, and few people paid attention. Since mining income = market value * issuance rate, a PoW coin must have a high market value and a high issuance rate to attract mining machine manufacturers to design ASIC miners (which carry high one-time costs) and to attract miners to buy and deploy them in large quantities.
This is a chicken-and-egg cold start problem: the new network is insecure and has few applications; because the issuance rate is high, the coin is not regarded as a store of value; so the market value is hard to grow. Low market value means low mining income, and the computing power cannot grow.

When designing a new PoW chain, you have to choose a hash algorithm. If you choose an algorithm that already has dedicated mining machines, then at launch the coin price and the chain's share of computing power are low, and the chain is not secure. If you choose an algorithm that has no dedicated mining machines, the chain has to go through a period of mining on general-purpose hardware, and the network is not secure during that period.

When I say it is difficult, I don't mean it is not feasible. Take Nervos as an example: the team has a good reputation and has made many innovations. When the mainnet launched, CKB already had a relatively high market value and a high block reward, which could attract a lot of computing power. Nervos designed its own hash algorithm. Because of the high block reward, dedicated mining machines may appear soon, which the Nervos community would be happy to see. Because the hash algorithm is new, the new mining machines can only be used to mine CKB, and the security of the network improves greatly. However, Nervos should be regarded as a special case. Its startup process shows precisely how difficult it is for a new chain to adopt PoW. It is hard to imagine a dozen, dozens, or even more PoW chains completing this kind of self-bootstrapping in the next few years.

PoS chains can be very safe even in their early stages, because a double-spending attack on a PoS chain requires control of at least 1/3 of the staked coins. With that many coins in your hands, you are bound to be one of the largest holders.
If a double-spending attack causes the price of the coin to fall, you will suffer the most. This is the same reason why the largest miners will not attack Bitcoin. So is it possible for the attacker to sell the double-spent coins twice, quickly take the profit, and leave?

Let's look at an example. Suppose a PoS chain has a total circulating market value of only 10 million US dollars and a very low staking ratio of only 30%. Compared with PoS chains with a circulating market value of more than tens of millions of dollars and a staking ratio of 50% or even higher, it is obviously easier to attack. The attacker has prepared the conditions: he controls 1/3 of the staked coins (10% of the total) and also holds 10% of the circulating coins. The attacker first transfers that 10% of the circulating supply to exchange 1, sells it, and withdraws the money. Then he launches the attack to reverse the deposit transaction. To avoid the price drop that follows once the attack is exposed, he quickly deposits the 10% that has been restored to his own address into exchange 2, sells it, and withdraws the money. If the coin price does not fall during the whole process, the attacker's cost (the 10% stake is confiscated) and income (10% of the circulating coins sold twice) are exactly equal.

That is the most favorable case for the attacker, and it cannot happen in a real environment, because the attacker's selling is limited by market liquidity. Leave aside the impact of the first 10% sale on the coin price. It takes a professional security company only a few minutes to discover a fork in a BFT chain and issue a warning. The attacker cannot sell the second 10% without attracting the attention of the exchange and affecting the price of the currency. A PoS chain is therefore safe regardless of the value of its currency, as long as the software has no defects.
Software defects, moreover, have nothing to do with the protocol itself; they are implementation issues. However, it is undeniable that the new generation of PoS chains has been online for only a short time and may contain hidden defects. Verifying their security will take time.

Besides a secure start, PoS has another advantage over PoW: fast finality. Finality means that a block will not be abandoned by the chain and become an orphan block. A PoW chain has only probabilistic finality: a newly generated block is not very reliable and may be abandoned (reorganized). As more blocks are added on top of it (its depth increases), the probability of it being abandoned becomes lower and lower. Once the depth reaches a certain amount, users can be confident that the block will not be abandoned and the transactions in it will not be reversed.

BFT consensus based on PoS usually has fast finality. A valid block (in hybrid consensus, where block production and finalization are separate, this means a finalized block) is final as soon as it is produced. If it is reversed, something big has happened, and 1/3 of the staked coins will be confiscated by the system.

To compare fast finality with probabilistic finality, you need a comparable dimension. It is like pears and apples: some people like pears and some like apples, and comparing their taste will not lead to a conclusion everyone agrees on. Comparing prices is easy: in a market, it is clear which is more expensive and which is cheaper.

Nic Carter wrote “It’s called a transaction settlement guarantee, silly”. That article was originally about comparing PoW chains, but the concept of settlement guarantee he proposed also applies to comparing PoW and PoS chains. As shown in the figure above, the settlement guarantee of PoW has a step-like shape.
For each additional block, the settlement guarantee of a block (and of all transactions in it) increases by the amount of one block reward. The current price of BTC is $8,000, and each block rewards 12.5 BTC, which is about $100,000. Bitcoin produces one block every 10 minutes on average, and with each block the settlement guarantee increases by $100,000.

Roughly speaking, the settlement guarantee of a PoS chain can be considered constant over time. Take a PoS chain with a circulating market value of $10 million and a staking ratio of 30% that adopts a BFT protocol in which blocks are finalized as soon as they are produced (such as Tendermint). As soon as a transaction is included in a valid block, it obtains a settlement guarantee of 10 million * 30% * 1/3 = 1 million US dollars.

Quickly obtaining a quantifiable settlement guarantee is meaningful for many application scenarios of crypto protocols. This is the second reason why I think PoS is necessary.

In addition, efficient community governance of crypto protocols can be built on PoS. For analysis of that topic, please refer to my work "The Way of Governance of Encryption Protocols".
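
The settlement-guarantee figures above and the earlier double-spending example can be checked with a short model. This is an added example, not part of the original article; the function names and the accounting used for the attacker's net result (sale proceeds minus the pre-attack value of the coins sold and of the confiscated stake) are assumptions.

```python
from fractions import Fraction
import math


def pow_guarantee(depth, coin_price_usd, block_reward_coins):
    """Step-shaped PoW guarantee: one block reward per block of depth."""
    return depth * coin_price_usd * block_reward_coins


def pos_guarantee(circulating_cap_usd, staking_ratio,
                  slashed_fraction=Fraction(1, 3)):
    """Constant PoS guarantee: value of the stake confiscated on a reversal."""
    return circulating_cap_usd * staking_ratio * slashed_fraction


def confirmations_to_match(target_usd, coin_price_usd, block_reward_coins):
    """PoW depth at which the stepwise guarantee first reaches target_usd."""
    per_block = Fraction(coin_price_usd) * Fraction(block_reward_coins)
    return math.ceil(Fraction(target_usd) / per_block)


def double_spend_net(cap_usd, stake_share, liquid_share, price_drop):
    """Attacker's net result in the article's scenario (assumed accounting).

    stake_share  - share of supply the attacker staked; it is confiscated
    liquid_share - share of supply sold on exchange 1, then again on exchange 2
    price_drop   - fractional price fall before the second sale
    """
    first_sale = cap_usd * liquid_share
    second_sale = cap_usd * liquid_share * (1 - price_drop)
    coins_given_up = cap_usd * liquid_share      # pre-attack value of coins sold
    stake_lost = cap_usd * stake_share           # slashed after the fork
    return first_sale + second_sale - coins_given_up - stake_lost


if __name__ == "__main__":
    # Figures taken from the article.
    btc_price, btc_reward = 8_000, Fraction(25, 2)       # $8,000, 12.5 BTC
    cap, staking = 10_000_000, Fraction(30, 100)         # $10M, 30% staked

    target = pos_guarantee(cap, staking)
    depth = confirmations_to_match(target, btc_price, btc_reward)
    print(f"PoS guarantee on inclusion: ${int(target):,}")
    print(f"PoW blocks to match it: {depth} (~{depth * 10} minutes)")

    tenth = Fraction(1, 10)
    for drop in (Fraction(0), Fraction(1, 10), Fraction(1, 2)):
        net = double_spend_net(cap, tenth, tenth, drop)
        print(f"price drop {float(drop):.0%}: attacker net ${int(net):,}")
```

With the article's numbers the attacker breaks even only when the price does not move at all; any fall before the second sale turns the attack into a loss.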