What supports the security of POW is not computing power but faith

· People seriously overestimate the security of POW.

· POS needs only one reason to exist: it removes the latent danger of the POW 51% attack.

· The Staking Economy is harmful to POS, because it reduces the security of a POS system.

· The truly unsolved problem of POS is the attack by parties with nothing at stake (the no-benefit attack).

This article systematically analyzes the security advantages and disadvantages of POW and POS and reaches a number of conclusions that differ from the common view. The text is dense and takes patience to read; I recommend saving it and reading it later. Most people understand POW and POS from experience, but experience is often wrong.

The author of this article: Maxdeath, Dr. Ren Zhijie, is a senior researcher at VeChain Blockchain. His main research directions include blockchain consensus algorithms, capacity expansion, and applications. He has published many blockchain papers at international academic conferences.

Recently, a batch of star POW and POS projects happen to be preparing to launch their main networks, so comparing the advantages and disadvantages of POW and POS has become popular again. I have read many articles on this topic, and each time I am left with the feeling of something stuck in my throat that I cannot get rid of until I say it: the POW and POS that most people compare are not things on the same level.

POW is an algorithm that has actually been used in practice, while POS, especially POS in its current form (rather than early semi-finished products such as Peercoin), exists so far only in theory. At the same time, POW is a family of algorithms and so is POS. So we cannot take Bitcoin's POW when considering simplicity, practicality and security, and then pull out a different POW when considering efficiency and decentralization.

So here I want to compare the two from a more fundamental perspective. What we want to compare is not Bitcoin's POW against Ethereum's Casper, nor today's POW against today's POS, but the future and prospects of the two ideas, POW and POS, and which is better suited to the governance and operation of a blockchain.

Therefore, we must put aside all the limitations of the existing POW and POS, and explore the fundamental differences and limitations between the two from the essence, or from an ideal state.

1. The essence of POW and POS

So first, we need to define POW and POS.

First of all, both try to achieve the same state: nodes are selected at random to produce blocks, with probability proportional to some verifiable resource of the node, and, because longest-chain consensus is used, overturning confirmed blocks requires control of more than 50% of that resource. The two differ only in the resource: work performed in POW, coins owned in POS.

From this perspective, let's take a look at what is indispensable between the two:

POW : Nodes that can provide evidence of a certain amount of work are awarded the right to produce blocks.

POS : Anyone who provides proof that they own certain coins before a certain time gets the right to produce blocks.

That's all.

In this article, all the comparisons we make are based solely on the above definition and this one difference between the two, and then carried out through logical reasoning.

Of course, I have no intention of comparing them purely from a theoretical perspective, because in fact both have so-called theoretical "security", but in fact they are based on some unrealistic assumptions. Therefore, we also need to consider the advantages and disadvantages of both in reality, that is, in the society we live in, in the present and in the not too distant future, when applied to blockchain.

In other words, we assume that, in terms of functionality, we can find two such ideal algorithms in the next few years. If we want to use them in a public chain, which one is better?

2. Security of POW and POS

The most common criticism of POS is that it has not been tested in practice, while POW has been proven to be safe in practice.

However, the opposite is true.

The fact is that POS has not been proven to be unsafe in practice, while POW has exposed a huge security risk in practice - the 51% attack.

This is not a fantasy, nor is it groundless worry. The threat of 51% attack is real for almost all digital currencies that use the POW algorithm. This is also the biggest reason why we are talking about POS - not because POW wastes electricity, not because the economic model of POS is fairer, not because POS sounds cooler, but because -

POW has exposed great security risks and problems, and POS can solve this problem. Although POS may not necessarily be better than POW in other aspects, this is enough to be the reason why we need POS.

The core problem of a 51% attack can be described as follows:

In an ideal blockchain, from a security perspective, the interests of consensus participants should be consistent with the interests of the blockchain itself. Therefore, a 51% attack is not feasible, because participants who can dominate the consensus will not be willing to attack the blockchain, otherwise they will lose their own interests.

However, this holds for POS but not for POW, because the benefit a miner draws from the system is much smaller than the value of the system as a whole. When the two conflict, a POW miner may well act maliciously for his own benefit, where "his own benefit" may be control over the dominant position in the chain, his own vision for the chain's future development, or simply the proceeds of a double-spend attack.

If you agree with this, you don’t need to read the following long article. If you disagree, I will make some detailed analysis of the security risks of POW.

2.1 Security of POW

In fact, the security of POW is far less than what the public thinks.

In the public's perception, Bitcoin is secure as long as the majority of computing power is honest, and it is impossible to control most of the computing power.

In fact, this assumption is also widely used in almost all consensus algorithms - whether it is POW, POS, BFT, or other various POx, we are all using similar assumptions - that is, if most nodes or resources, maybe 1/2, maybe 2/3, maybe computing power, maybe equity, or something else, are honest, then the system is safe.

However, this assumption does not hold by nature. That is why, in the Bitcoin white paper, Satoshi Nakamoto did not simply say "we assume that more than 50% of the computing power is honest", but argued instead:

"If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth."

In other words, the claim is not that POW cannot be attacked by a 51% majority, but that a 51% attack on POW is not cost-effective: the attacker earns more by mining, and an attack devalues the coins he has mined and the equipment he has bought.

So, is it really unprofitable to conduct a 51% attack on POW?

Some might say of course - "Bitcoin has never been attacked, and that's because the cost of attacking Bitcoin is so high that you can't even imagine it."

However, anyone who pays even a little attention to blockchain security knows that there have been plenty of 51% attacks on POW coins; recent ones include Verge, BTG (Bitcoin Gold) and ETC (Ethereum Classic). All of these suffered 51% attacks, all use POW, and the POW they use is of the same longest-chain kind as Bitcoin's and Ethereum's (ETC in fact uses Ethash, the same hash algorithm as Ethereum).

From this perspective, which one is secure: Bitcoin, or POW?

Some people may say that I am changing the concept: Can these altcoins be the same as Bitcoin (Ethereum)? The prices of these altcoins themselves are not enough to meet the threshold of 51% attack - if I make a xx coin by myself and use Bitcoin POW for mining, and then it is attacked by 51%, does this also mean that POW is not safe?

But this explanation is not enough - because in the previous logic, we are not saying that POW will not be attacked by 51%, but that 51% attack is not cost-effective. If I create a xx coin and then it is attacked by 51%, the attacker cannot benefit from it. But in the previous examples, the attacker actually benefited from the attack.

So what’s wrong with this logic?

Don’t the miners of Verge, BTG, and ETC know that they can make more money through mining? Don’t they know that if they attack these coins, the price of the coins will drop, and the mines they mined before will be worthless?

What is the difference between Bitcoin and these currencies? Is it just the price?

2.2 Analysis of the 51% attack on POW

“The security support of POW is not computing power, but faith”

Let's analyze the actual situation of these attacks:

There is no "making more money through mining" and there is no "51% attack devaluing the coins in their hands", because the attackers need have no connection with the chain before the attack. Their computing power is diverted from mining a larger coin with the same algorithm (or simply rented), and they hold none of the coin. They buy some coins on an exchange, sell them, carry out the double-spend attack, and sell again before the exchange notices.

Therefore, in the final analysis, the logical problem of POW is that ideally, miners with more than 50% of the computing power should be consistent with the interests of the system. For example, for digital currency, the interest of the system is security, and the interest of miners is mining income, so the expected return of mining should be very generous, so that miners are willing to maintain the security of the system, so they are unwilling to carry out double-spending attacks.

However, to what extent must the mining rewards be high to completely resist double-spending attacks?

Let's look more closely at the inputs and returns of mining, and the inputs and returns of double spending. Here we take the stricter case, in which the mining machines have no use other than mining this coin.

Mining input: mining machine cost + electricity cost * time.

Mining return: coins obtained per unit of computing power + the return earned by reinvesting that income (in fiat or in coins).

Double-spend input: mining machine cost (purchase or lease) + transaction fees + the price movement caused by acquiring the computing power and by the double spend itself.

Double-spend return: double-spend proceeds + the return earned by reinvesting them - risk.

First, let’s put aside all the one-time costs — the cost of mining machines, obtaining computing power and price fluctuations during a double-spend attack, as well as the risk of a double-spend attack.

Comparing the two over the long term, once a miner already holds more than 50% of the computing power, neither the coin price nor the return from holding the coin is in itself a reason not to attack: he can simply take the one-off proceeds of the 51% attack and put them into other investments.

Therefore a "high coin price" is not enough to deter double spending, and neither is a "continuously rising coin price", because the number of reward coins per unit of computing power falls as total computing power grows. Even a "continuously rising return per unit of computing power" is not enough. What would be needed is for the return on computing power to keep rising faster than every alternative investment, so that the attacker can find nothing more profitable than continuing to invest in computing power. Short of that, there is in theory always some payoff large enough to induce the holder of 51% of the computing power to take the risk and double spend.

However, if the expected return on mining really did beat other investments, and the system were decentralized enough, more people would come to mine, driving down the return per unit of computing power. The only way out is if those already mining expect a different return from those who have not joined, in other words, "faith".

Because of this faith (and because those who stayed out did so for lack of it), miners believe that investing in computing power is worthwhile while outsiders do not. Only in such a scenario will miners holding more than 50% of the computing power refrain from a double-spend attack.

Conversely, if cryptocurrency becomes mainstream enough and computing power becomes an ordinary investment product, then, just as people pull money out of banks, stocks and funds to put into cryptocurrency when the price rises, what stops the miners holding 51% from withdrawing their money from the computing power market when mining returns are poor and putting it into other industries? And if at that moment they find that a 51% attack is possible, and that the proceeds of the attack exceed what they could get by selling their computing power, what reason do they have not to do it?

This conclusion is alarming enough on its own, but what it reveals goes deeper: when miners hold 51% of the computing power, we fondly assume that their interests are already bound to this blockchain. In fact, the only thing separating the reasons for continuing to mine from the reasons behind any other investment is, probably, faith.

This "faith" is nothing more than the belief that "mining makes money". Whether cryptocurrency becomes mainstream or eventually fades, this belief will gradually fade with it. From then on, as soon as miners find mining unprofitable, their best move is to cash out through an attack; the only question is how much they can take.

“Mining machine costs are not part of the attack costs”

So the question becomes: how much can a single double spend yield? This value cannot be too large, because: 1) you have to be able to buy that many coins on the market; and 2) selling that many coins must not trigger an immediate market alarm.

As a result, many things that we ignored before have become irrelevant, such as mining machine fees, transaction fees, currency price fluctuations, and other risks...

Here, the mining machine fee is actually the most intuitive threshold, and it is also the source of many people’s confidence in POW - how easy is it to get 50% of the computing power? You can find out by looking at the computing power of these POW chains and then calculating it based on the market price of the corresponding mining machines.

But we do not actually need to buy mining machines; we only need to acquire computing power. In other words, we only need to buy off the people who control it. As for them, remember our earlier analysis: in terms of interests they are not tied to the chain, and given a sufficient return they can exit at any time.

There are two cases here:

1. Their mining machines have other uses besides mining this chain.

2. Their mining machines have no other use except mining this chain.

Generally, we think the latter is safer. To use a practical example, if we want to issue a new POW coin, it is not safe to use the same algorithm as the mainstream currency, and it is safer to use a special POW algorithm.

However, in reality both are equally unsafe.

First, the judgment of "whether there are other uses" is entirely subjective, because it is the attacker who judges whether the machines can still be used after the attack. If they judge that the machines still have other uses after the attack, then the machine cost need not be counted in the cost of the attack. If they judge that the machines will have no use after the attack, then, since the premise of the attack is that they already consider the investment in machines not worthwhile in the long run and are ready to get out, the machines are by then a sunk cost and again need not be counted in the cost of the attack.

Some people may say that I am changing the concept - even if mining continues without making money, it does not mean that miners will sell computing power to attackers!

But the fact is that miners already sell their computing power to mining pools. So who can tell that the pool paying you slightly more than the others is not an attacker? We will come back to this in detail later.

“In POW, the cost of a 51% attack is only 1/100,000 of its market value”

Now, we come back to our previous conclusion - we have seriously overestimated the security of POW.

1. First, people think a 51% attack requires buying mining machines that provide that much computing power. In fact it does not: you only need to buy the corresponding computing power from whoever owns it. The cost of buying computing power has nothing to do with the cost of the machines themselves, only with the expected return of the owners. The acquisition may be quite easy, because you only need to run a mining pool with a slightly higher payout than the others.

2. Second, people think a 51% attack is not cost-effective because mining yields a more lucrative return. In fact it does not, because after the attack you receive cash in one go, and that cash can be put into other investments that yield a lucrative return. So, never mind a falling or stagnant coin price: as long as mining cannot outperform other investments, security falls. Likewise, whether a bear market lowers the miners' own faith or a bull market raises the public's appetite for mining investment, security falls. Only when miners find mining especially profitable and non-miners are unwilling to come in is the mining return greatest and the security highest.

3. Third, what remains of POW's security lies in price fluctuation, fees and the risk of being caught, in other words the risk of exchanging these coins. But these risks are actually borne by the exchanges. Competing with each other, exchanges do their best to offer lower fees, better liquidity and faster transfers, which lowers the cost of a double-spend attack and with it the security of POW.

Netting all this out, we reach a conclusion: the security of POW is essentially the cost of obtaining 50% of the computing power, and that cost depends only on the computing power's return, not on the cost of the computing power itself.

If a relatively open, transparent and free market for computing power exists, then the hourly rental cost listed on crypto51.app is roughly the cost of attacking each coin for that hour. If the computing power cannot be obtained on the open market and must be bought from those who control it, the premium paid to the owners pushes the figure above the crypto51 estimate; note also that the open-market figure only applies when the rentable supply actually covers the required computing power, which for the largest coins it does not. Either way, the figure is insignificant compared with the total market value of the coin, roughly 1/100,000, and the price impact of a transaction that small is almost negligible.
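The cost model sketched in 2.2 and the crypto51-style estimate just above can be made concrete. The following is an added example written for this page, not code from the author or from crypto51.app; it models a double spend carried out with rented computing power. Its assumptions are mine: the attacker rents hashrate by the hour at a price linear in the amount rented, difficulty does not adjust during the attack, the honest network keeps mining at its previous rate, and all coin figures are constructed. It also includes the white paper's catch-up probability for an attacker below 50%, to show why the 51% case is the one in which the outcome is certain.

```python
"""Added example (not from the article): a back-of-envelope model of a rented-hashrate
double-spend attack on a longest-chain POW coin.

Assumptions (mine, not the article's): hashrate is rented by the hour at a price linear
in the amount rented, difficulty does not adjust during the attack, and the honest
network keeps mining at its pre-attack rate. All coin data below is constructed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Coin:
    name: str
    honest_hashrate: float           # hashrate units currently mining the coin honestly
    block_time_s: float              # target block interval in seconds
    market_cap_usd: float
    rental_usd_per_unit_hour: float  # open-market price to rent one hashrate unit for one hour
    rentable_units: float            # hashrate units actually available for rent on the market


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of total hashrate ever overtakes
    an honest chain that is z blocks ahead (Bitcoin white paper, section 11).
    With q >= 0.5 the attacker succeeds with certainty: the 51% case."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p
    total = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return min(1.0, max(0.0, total))


def expected_reorg_hours(coin: Coin, rented_multiple: float, confirmations: int) -> float:
    """Expected time for an attacker renting rented_multiple x the honest hashrate to build
    a private chain (confirmations + 1) blocks longer than the honest one. Per hour the
    honest chain gains 3600/block_time blocks and the private chain rented_multiple times
    that, so the attacker's lead grows by (rented_multiple - 1) x the honest rate."""
    if rented_multiple <= 1.0:
        return math.inf  # at or below parity the expected catch-up time is unbounded
    honest_blocks_per_hour = 3600.0 / coin.block_time_s
    lead_gain_per_hour = (rented_multiple - 1.0) * honest_blocks_per_hour
    return (confirmations + 1) / lead_gain_per_hour


def attack_cost_usd(coin: Coin, rented_multiple: float, confirmations: int) -> float:
    """Rental bill for the whole reorg: hours x units rented x price per unit-hour."""
    hours = expected_reorg_hours(coin, rented_multiple, confirmations)
    return hours * rented_multiple * coin.honest_hashrate * coin.rental_usd_per_unit_hour


def open_market_feasible(coin: Coin, rented_multiple: float) -> bool:
    """The crypto51-style estimate only applies if the market can supply the hashrate;
    otherwise the attacker must buy off existing miners at a premium."""
    return rented_multiple * coin.honest_hashrate <= coin.rentable_units


def assess(coin: Coin, rented_multiple: float = 1.5, confirmations: int = 6) -> dict:
    cost = attack_cost_usd(coin, rented_multiple, confirmations)
    return {
        "coin": coin.name,
        "hours": expected_reorg_hours(coin, rented_multiple, confirmations),
        "cost_usd": cost,
        "cost_to_market_cap": cost / coin.market_cap_usd,
        "open_market_feasible": open_market_feasible(coin, rented_multiple),
    }


# Constructed illustration: a small coin whose hash algorithm has a liquid rental market,
# versus a large coin whose hashrate dwarfs the rentable supply.
SMALL_COIN = Coin("smallcoin", honest_hashrate=100.0, block_time_s=600.0,
                  market_cap_usd=1e6, rental_usd_per_unit_hour=1.0, rentable_units=1_000.0)
LARGE_COIN = Coin("largecoin", honest_hashrate=1e6, block_time_s=600.0,
                  market_cap_usd=1e11, rental_usd_per_unit_hour=1.0, rentable_units=1_000.0)

if __name__ == "__main__":
    for coin in (SMALL_COIN, LARGE_COIN):
        print(assess(coin, rented_multiple=2.0, confirmations=6))
    print("catch-up probability, q=0.3, z=6:", round(catch_up_probability(0.3, 6), 4))
```

Note that the cost-to-market-cap ratio comes out smaller for the larger constructed coin, which is the author's 1/100,000 point, but the open-market check fails for it: when the required computing power exceeds what the rental market can supply, the attacker has to buy off existing miners instead, and the rental figure is only a lower bound on the real cost.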

Based on these analyses, it is not difficult to understand why Verge, BTG, and ETC were attacked. We can even summarize what kind of coins are more vulnerable to attacks:

1. Computing power is easy to obtain and cheap: all three coins use hash algorithms shared with larger coins, so enough computing power for an attack can easily be rented from hashrate rental sites.

2. The currency value appreciation is not good.

3. Accepted by many exchanges.

2.3 Security of POS

So, why can POS resist 51% attacks?

In fact it is easy to state; we do not need an analysis as detailed as for POW. POS is naturally immune to the POW-style 51% attack, because the cost of a 51% attack is more than 50% of the coins, any attack on the coin makes its price fall, and the biggest loss falls on the holders of that same majority, that is, on the attackers themselves.

What this leaves out is the Staking Economy: in the future POS will also form "stake pools" much like POW mining pools. Coin holders unwilling to spend effort participating in consensus will delegate their block-production rights to larger holders or more reputable institutions and simply collect the rewards (the delegate, of course, keeps a share). A 51% attack on POS then no longer requires buying the coins, only temporarily controlling pools whose combined probability of producing blocks exceeds 50%.

However, even so, the cost of a POS attack will be much higher than that of a POW attack.

First of all, POW requires continuous spending on electricity, which forces small miners into pools to obtain a steady income; in POS the continuous cost of keeping a server running is far lower, so stake is less likely to concentrate in large pools than computing power is in POW. In other words, even if a Staking Economy does appear on a POS chain, it does not follow that a few large pools will monopolize it.

And, most importantly, nodes with a certain amount of coins are fully capable and willing to maintain a node by themselves, without relying on mining pools. Especially some large coin holders - it is hard to imagine that they are unwilling to maintain full nodes, that is, they do not care about the blocks on this chain. Another important reason is that, unlike POW, POS blocks require the signature of coin holders, so POS mining pools may pay a greater social price when doing evil. For POS mining pools, since the equipment investment they actually need for mining is far less than that of POW, their social status and reputation costs are actually the highest in reality.

Of course, these points cannot change one conclusion, which is that the practice of entrusting consensus in Staking Economy will indeed weaken the security of POS.

Therefore I personally do not take a positive view of the Staking Economy. Many POS projects are also aware of the security risk it brings and regulate the delegate institutions, for example by requiring them to hold a certain amount of coin. But in any case, like POW mining pools, the Staking Economy in POS is unavoidable. Still, if the delegates are themselves large coin holders, delegation only lowers the attack cost from 50% of the stake to some smaller proportion, say 10%; it never reaches the 1/100,000 level of POW.
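How far delegation lowers the attacker's own stake requirement can be checked directly against a chain's pool distribution. The following is an added example, not the author's code or any project's: given constructed pools with operator-owned and delegated stake, it greedily picks the pools with the highest delegated stake per operator-owned coin until they control more than half of block production, and reports how much stake the operators behind them actually own. The greedy ordering is my heuristic (the exact minimum is a knapsack-type problem), and the model assumes delegators do not move their stake when a pool misbehaves.

```python
"""Added example (not from the article): how much stake must an attacker itself hold to
control a majority of block production once delegation (a "Staking Economy") exists?
Pools and stakes below are constructed; the greedy choice is a heuristic for illustration,
not a protocol rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    name: str
    operator_stake: float   # coins the pool operator itself has bonded
    delegated_stake: float  # coins other holders have delegated to the operator

    @property
    def controlled(self) -> float:
        return self.operator_stake + self.delegated_stake

    @property
    def leverage(self) -> float:
        # block-production weight per coin the operator actually owns
        if self.operator_stake <= 0:
            return float("inf")
        return self.controlled / self.operator_stake


def cheapest_majority(pools, threshold: float = 0.5):
    """Greedy estimate of the smallest fraction of total stake an attacker must own
    (by running or buying off pool operators) to control more than `threshold` of block
    production, assuming delegators do not react. Pools with the most delegated stake per
    operator coin are taken first. Returns (own_fraction, controlled_fraction, pool names)."""
    total = sum(p.controlled for p in pools)
    if total <= 0:
        raise ValueError("no stake in the system")
    own = controlled = 0.0
    chosen = []
    for pool in sorted(pools, key=lambda p: p.leverage, reverse=True):
        if controlled > threshold * total:
            break
        own += pool.operator_stake
        controlled += pool.controlled
        chosen.append(pool.name)
    return own / total, controlled / total, chosen


# Constructed chain with delegation: pool A controls half the stake on 5% of its own.
DELEGATED_POOLS = [
    Pool("A", operator_stake=5.0, delegated_stake=45.0),
    Pool("B", operator_stake=10.0, delegated_stake=20.0),
    Pool("C", operator_stake=20.0, delegated_stake=0.0),
]

# Constructed chain without delegation: every holder runs its own node.
SOLO_VALIDATORS = [Pool(f"holder{i}", operator_stake=20.0, delegated_stake=0.0) for i in range(5)]

if __name__ == "__main__":
    print("with delegation   :", cheapest_majority(DELEGATED_POOLS))
    print("without delegation:", cheapest_majority(SOLO_VALIDATORS))
```

With the constructed pools the attacker needs to own only 15% of the stake to command 80% of block production; without delegation the same function reports a majority of the stake, which is the author's comparison of 10% versus 50% in numbers.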

Above, we showed that the cost of a 50% attack on POS is very high. Looked at from the other side: if it costs that much, can the attacker possibly profit? Almost certainly not, because you would have to find someone gullible enough to trade that large an amount with you, and no exchange will pay out on a transaction of that size. The only remaining possibility is to find two people who understand nothing about cryptocurrency and carry out a real over-the-counter "double payment"...

But if such people really exist, it seems that we have a much simpler way to fool them.

However, this is not enough to illustrate the security superiority of POS over POW, because we only said that the 51% attack applicable to POW cannot be replicated to POS, but POS itself will be threatened by two other attacks that do not exist in POW: long range attack and nothing-at-stake attack.

Let’s analyze these two attacks separately.

2.4 Analysis of long-range attacks on POS

The idea of a long-range attack is that nodes holding no more than 50% of the stake can, by some method, generate a longer chain to replace the current longest chain, and that "some method" usually takes a long time. It rests on an important difference between POW and POS: POW not only produces randomness, it produces it at a roughly regular interval even in an asynchronous system, so it also acts as a clock. POS has no such property and must introduce some notion of time. That gives malicious nodes an opening, because honest nodes only exercise their block-production rights within the time slots they are assigned, whereas a malicious node building a chain in private is not bound by that timing.

This point itself should not be included in the scope of our discussion this time, because we want to compare the essence of POW and POS, and this problem is not the essential defect of POS. In other words, POS can solve this problem through some methods, such as VDF. However, given that the algorithm using VDF to solve this problem is not mature yet, and I personally think that the current solution is completely sufficient, so I will still talk about this issue in detail here.

There are three known long-range attack methods:

1. Posterior Corruption Attack : once former stakeholders have sold their stake, they are no longer constrained by the depreciation of coins they hold. If the holders of more than 50% of the stake at some earlier time have since sold, an attacker can bribe them to use the keys that once held that stake and regenerate a history in which they never sold, and so possibly build a longer chain.

2. Stake Bleeding Attack : Nodes with less than 50% stake can carry out long chain attacks by "hiding a chain of their own", because on their own chain, since only their own nodes produce blocks, they will always receive mining rewards. Although the chain they generate must be shorter than the external chain at the beginning, as long as they hide it for a long enough time, their stake will eventually exceed 50%, and they will slowly obtain a faster block frequency than the external chain.

3. Stake Grinding Attack : This attack method has different forms in different POS, but in general, nodes with less than 50% of the equity can use their own advantages in computing power, or their advantage of being able to change block timestamps at will, to obtain more block generation opportunities than honest nodes, and then use this advantage to generate a longer chain than the honest nodes over a longer period of time.

The usual response to all three attacks is checkpoints: every so often a block is authenticated by some set of nodes, so that the chain before that block can never be changed again.
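The stake bleeding attack in particular can be simulated to see how long the private chain needs and why checkpoints defeat it. The following is an added example, not code from the author or from any POS project. It works in expected values, normalises the total stake at the fork point to 1, and assumes (my simplifications) that a holder leads a slot with probability equal to its stake share as recorded on that holder's own chain, that each block pays a fixed reward, and that the attacker withholds entirely from the public chain.

```python
"""Added example (not from the article): expected-value simulation of a stake bleeding
long-range attack, and the effect of a checkpoint interval on it. Stake is normalised so
the total at the fork point is 1; slot leadership is proportional to stake as recorded on
the leader's own chain; each block pays a fixed reward (assumptions, not the article's)."""


def stake_bleeding_slots(attacker_fraction: float, reward_per_block: float,
                         max_slots: int = 1_000_000):
    """Return the number of slots until the attacker's private chain becomes longer than
    the public chain, or None if that does not happen within max_slots.

    Public chain: the attacker never publishes, so honest holders win a slot with
    probability (1 - attacker_fraction) and the chain grows by that much per slot.
    Private chain: only the attacker produces blocks, with probability equal to its stake
    share as recorded on that chain; every reward goes to the attacker, so the share creeps
    towards 1 and the private chain eventually outpaces the public one."""
    if not 0.0 < attacker_fraction < 1.0:
        raise ValueError("attacker_fraction must be strictly between 0 and 1")
    public_len = private_len = 0.0
    attacker_stake = attacker_fraction   # attacker's coins at the fork (total stake = 1)
    private_total = 1.0                  # total stake as recorded on the private chain
    for slot in range(1, max_slots + 1):
        public_len += 1.0 - attacker_fraction
        share = attacker_stake / private_total
        private_len += share
        attacker_stake += share * reward_per_block   # all private-chain rewards are the attacker's
        private_total += share * reward_per_block
        if private_len > public_len:
            return slot
    return None


def defeated_by_checkpoints(attacker_fraction: float, reward_per_block: float,
                            checkpoint_interval_slots: int) -> bool:
    """A checkpoint every N slots finalises everything before it, so the attack only works
    if the private chain can overtake the public one within a single interval."""
    needed = stake_bleeding_slots(attacker_fraction, reward_per_block,
                                  max_slots=checkpoint_interval_slots)
    return needed is None


if __name__ == "__main__":
    # Constructed parameters: 40% attacker, block reward equal to 1% of the initial total stake.
    print("slots needed with 40% stake:", stake_bleeding_slots(0.4, 0.01))
    print("slots needed with 40% stake, no rewards:", stake_bleeding_slots(0.4, 0.0, max_slots=10_000))
    print("defeated by a 50-slot checkpoint interval:", defeated_by_checkpoints(0.4, 0.01, 50))
```

Two things the run shows: with zero block reward a minority never catches up, which is why the attack is called bleeding (it feeds on rewards), and the number of slots needed grows as the reward shrinks relative to total stake, so a checkpoint interval shorter than that number is enough to neutralise it.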

"If it's acceptable to download the client, then why can't it be possible to download the checkpoint?"

For many more idealistic blockchain supporters, the checkpoint mechanism is a less “elegant” expedient because it commits several sins that blockchain supporters cannot accept:

1. In an ideal blockchain, no one needs to trust anything other than the algorithm and the genesis block to independently verify the legitimacy of any transaction. However, the checkpoint is equivalent to introducing another thing that needs to be trusted. Even if this checkpoint is signed and authenticated by all coin holders, it is theoretically unacceptable because for new nodes joining the system, they need to trust previous coin holders.

2. Checkpoints require the introduction of signatures, which destroy anonymity.

We will also discuss the issue of anonymity in depth later in the text. Here we will first talk about the first question.

Here I would like to explain my views on the checkpoint mechanism - from a practical point of view, is this really unacceptable?

To be honest, if you are a node that has just joined the network, what is the essential difference between downloading the genesis block and the algorithm, and downloading the genesis block, the algorithm and a checkpointed history? The former merely leaves one extra possibility open: malicious nodes can forge a history through a long-chain attack, so that even though you know the correct algorithm and genesis block, you still do not get the real chain.

But the problem is, for ordinary users, how do you know that the client you downloaded uses the correct algorithm? Although theoretically we only need to trust the algorithm. But in fact, whether in reality or in the future, I have reason to believe that no one will implement the algorithm from scratch - in fact, everyone still needs to trust some trusted nodes to provide a secure client, that is, software, and no one will dig into the code to see if the software is consistent with the paper.

So, let’s assume that we need to rely on trusted nodes to obtain the history of blocks, which is not an unforgivable thing.

“Off-chain consensus exists objectively”

Then, there is the second question - indeed, long-distance attacks are possible, just as 51% attacks are possible. We should not only consider the theoretical possibility of such attacks, but also discuss its actual conditions.

When we demonstrated the danger of 51% attack to POW, we first analyzed its theoretical possibility, and then analyzed the conditions for its attack in reality. We found that both in theory and in practice, the conditions are much lower than the public's perception. Therefore, I concluded that POW has security risks.

Then, let's also analyze the conditions under which the above-mentioned long-range attacks are effective in reality.

First of all, for both the stake bleeding attack and the stake grinding attack, the probability of success depends on the proportion of stake you hold. In other words, although the attacker does not hold more than 50% of the stake and therefore cannot generate a longer chain in the normal way, an attacker with, say, 40% of the stake can use these two methods over a relatively long time to carry out a long-range attack.

Therefore, everyone has seen the impracticality of this attack - when the malicious nodes have a relatively small stake, it is unrealistic for them to launch a long-distance attack. If they have a larger stake, they have no reason to attack the system, and the cost of attacking the system is not much lower than 50% of the stake - this is the advantage of POS itself.

The only troublesome long-range attack is the posterior corruption attack, and specifically the case where the former coin holders are themselves the attackers. If they did not intend to attack and were bribed only after selling their coins, the case is handled by key-evolving signatures. So they must have been preparing the attack from the time they held the coins, that is, they must have secretly started to maintain a hidden chain.

This is actually equivalent to a long-term 51% attack, that is, the previous large equity owner (more than 50%) secretly holds a chain while slowly selling off the equity. After all the equity is sold out, he takes out the privately held chain and tells everyone: "I, Hu Hansan, am back, you guys have eaten my shares, spit them out!"

However, my consistent view on the core role of blockchain is that the significance of blockchain is to replace "human consensus" with "machine consensus". However, at this stage, there are some "human consensus" that we cannot explain or replace. At this time, it is impractical and meaningless to blindly pretend that this "off-chain consensus" does not exist and crudely try to use a certain algorithm to achieve absolute security by abandoning all off-chain consensus.

Therefore, I agree with Professor Elaine Shi of Cornell University on this issue. In fact, if this situation really occurs, something called "social common knowledge" will naturally correct it. To put it more simply, for any POS chain, suppose its early equity owners suddenly come back with a longer chain one day and say to the current equity owners: Give me all your money, the current equity owners, or even, not to mention the current equity owners, probably all the stakeholders of this chain, will create a new rule that does not recognize the legitimacy of this chain, even if this chain is indeed more "legitimate" from an algorithmic point of view.

So, how different is a chain that is not accepted by most users of the chain from a newly created forked chain? Or, after several upgrades to Ethereum, can a chain that is legal according to the original rules, such as ETC, also be considered a long-range attack?

So, in the final analysis, the so-called "social consensus" exists objectively, both now and in the foreseeable future. Therefore, whether it is this long-distance attack or several other long-distance attacks, even if they are theoretically possible, in fact, as long as it still takes a long time to carry out, such as months or years, then its threat is actually very limited.

Then, whether it is the introduction of checkpoints, or the introduction of a "committee list", or the introduction of "social consensus", it is actually the introduction of an assumption that "some credible off-chain information exists". In my opinion, in reality, whether now or in the foreseeable future, this is not a problem for the security of POS.
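The following is an added illustration, not code from the article or from any real POS client, of what "injecting trusted off-chain information" into chain selection looks like in practice. It builds the scenario above (a former majority holder reveals a longer private chain that forks far in the past) and runs it through a longest-chain rule three times: naively, with a checkpoint, and with a maximum reorganisation depth. The block layout, field names, producer labels and the depth limit are assumptions made for the example; a real client would also validate slot leadership, signatures and stake.

```python
"""Longest-chain selection with checkpoint and reorg-depth guards.

Constructed example for the article's long-range attack discussion. The
Block structure, the chain lengths and the limits are made up for illustration.
"""

from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Block:
    height: int
    parent: str    # id of the parent block, "" for genesis
    producer: str  # label of who produced it ("honest", "attacker", ...)

    @property
    def id(self) -> str:
        return sha256(f"{self.height}|{self.parent}|{self.producer}".encode()).hexdigest()


def build_chain(base, producers):
    """Return a copy of `base` extended with one block per entry of `producers`."""
    chain = list(base)
    for p in producers:
        parent = chain[-1].id if chain else ""
        chain.append(Block(len(chain), parent, p))
    return chain


def fork_height(a, b):
    """Height of the last block shared by chains `a` and `b` (-1 if none)."""
    h = -1
    for x, y in zip(a, b):
        if x.id != y.id:
            break
        h = x.height
    return h


def select_chain(current, candidate, checkpoint=None, max_reorg_depth=None):
    """Decide which chain a node follows; returns (chain, reason).

    Plain longest-chain rule: adopt `candidate` if it is longer.
    checkpoint=(height, block_id): refuse any candidate that does not contain
    that exact block (a socially agreed "this history is final" marker).
    max_reorg_depth: refuse any candidate that forks more than that many
    blocks below the current tip (a rolling finality window).
    """
    if len(candidate) <= len(current):
        return current, "current chain is not shorter"
    if checkpoint is not None:
        h, bid = checkpoint
        if h >= len(candidate) or candidate[h].id != bid:
            return current, "candidate does not contain the checkpoint"
    if max_reorg_depth is not None:
        depth = (len(current) - 1) - fork_height(current, candidate)
        if depth > max_reorg_depth:
            return current, f"reorg depth {depth} exceeds limit {max_reorg_depth}"
    return candidate, "adopted longer candidate"


def long_range_scenario():
    """The article's scenario: a private chain forked at height 10 is revealed
    once it is longer than the public chain everyone has been following."""
    common = build_chain([], ["genesis"] + ["honest"] * 10)   # heights 0..10, shared history
    public = build_chain(common, ["honest"] * 100)             # 111 blocks, what everyone follows
    private = build_chain(common, ["attacker"] * 120)          # 131 blocks, revealed all at once
    naive, _ = select_chain(public, private)
    checkpointed, _ = select_chain(public, private, checkpoint=(50, public[50].id))
    bounded, _ = select_chain(public, private, max_reorg_depth=20)
    return {
        "naive_adopts_private": naive is private,
        "checkpoint_rejects": checkpointed is public,
        "depth_limit_rejects": bounded is public,
        "fork_height": fork_height(public, private),
    }


if __name__ == "__main__":
    for k, v in long_range_scenario().items():
        print(f"{k}: {v}")
```

The naive rule adopts the attacker's chain purely because it is longer; either guard keeps the public chain, and the depth guard still accepts an ordinary short fork. Both guards are exactly the extra assumption the paragraph names: someone outside the protocol supplies the checkpoint or decides that reorganisations deeper than the window are not acceptable.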

2.5

Analysis of no-profit attacks on POS

The truly unsolvable problem is attack without benefit.

POS has no solution to attacks without benefit, and this is true of any POS, because by the very principle of POS the constraints on nodes that have no stake, or very little stake, in the system are very weak.

In an extreme case, suppose the whole system has 100 million nodes and every holder's stake is tiny. Then any POS algorithm is unsafe, because the loss a node suffers for malicious behaviour is too small for us to have any reason to believe that more than 50% of the nodes are honest. On the contrary, if they can profit from malicious behaviour then, by the logic of the tragedy of the commons, they will certainly misbehave.

A penalty mechanism cannot solve this, because the penalty has to be commensurate with the stake at risk. In a system where every node's stake is tiny, the penalty must either be negligible or be so high that nobody is willing to enter the system.

Therefore, almost all POS designs need an additional admission mechanism, either a bond (collateral) or a minimum number of coins held. Every node taking part in consensus must be shown to have enough at stake to care, so that its behaviour is constrained.

POW is different, because in POW, however much computing power you have, you cannot escape the electricity cost. And since the only way to profit is a double spend, misbehaving is strictly uneconomical while your computing power is below 50%.

In other words, in POW the misbehaviour of small miners (those with a small chance of finding a block) is punished severely, because they burn computing power for almost no reward; while large miners (those with a large chance of finding a block) may profit from misbehaving, because the gain from colluding in a 51% attack can far exceed its cost.

In POS it is the reverse: small stakeholders are punished very lightly, so as long as they can profit from misbehaving they have a motive to do so; large stakeholders, on the other hand, are punished extremely severely, because the larger the validator, the more stake it has at risk and the greater the loss its malicious behaviour causes it.

These two points are the fundamental difference between POW and POS.

If we compare the advantages and disadvantages of the two, we can clearly see:

· In a system where computing power (or stake) is more dispersed and more evenly distributed, POW is more suitable.

· In a system where computing power (or stake) is more concentrated and unequal, POS is more suitable.
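The following is an added toy model, not from the article, of the "attack without benefit" argument on the POS side. It assumes that a validator's loss from misbehaving is proportional to its stake (a slashed fraction plus forfeited rewards) while the gain from misbehaving is a fixed amount per node (a bribe, a saved validation cost, a sold vote) that does not grow with stake. Under those assumptions it computes how much of the total stake is held by validators for whom misbehaving pays, and what minimum bond an admission mechanism would have to require to push that share below 50%. The stake distributions are constructed for the example.

```python
"""Toy economics of the 'attack without benefit' problem in POS.

Constructed example; the distributions, gain and slashing figures are made up.
Model assumption: loss = (slash_fraction + forfeited) * stake, gain = fixed per node.
"""


def deviation_loss(stake, slash_fraction, forfeited=0.0):
    """What a validator with `stake` loses if it misbehaves and is punished:
    a slashed fraction of its bond plus rewards it forfeits, both scaling with stake."""
    return (slash_fraction + forfeited) * stake


def corruptible_fraction(stakes, gain_per_node, slash_fraction, forfeited=0.0):
    """Share of total stake held by validators for whom misbehaving pays,
    i.e. whose stake-proportional loss is smaller than the fixed per-node gain."""
    total = sum(stakes)
    if total == 0:
        return 0.0
    corrupt = sum(s for s in stakes
                  if deviation_loss(s, slash_fraction, forfeited) < gain_per_node)
    return corrupt / total


def minimum_stake_threshold(stakes, gain_per_node, slash_fraction, safety=0.5, forfeited=0.0):
    """Smallest admission threshold (minimum bonded stake), drawn from the observed
    stakes, such that among the validators admitted the corruptible share is below
    `safety`. Returns None when no such threshold exists in the data, i.e. every
    participant would have to bond more than anyone currently does."""
    for t in sorted(set(stakes)):
        admitted = [s for s in stakes if s >= t]
        if corruptible_fraction(admitted, gain_per_node, slash_fraction, forfeited) < safety:
            return t
    return None


# Constructed distributions, each with a total stake of 2200 units.
DISPERSED = [1.0] * 2200                                        # the article's "100 million tiny holders" case
WHALES = [300, 200, 150, 100, 100, 50, 40, 30, 20, 10]           # ten large holders, 1000 units
MIXED = WHALES + [1.0] * 1200                                   # ten large holders plus many tiny ones

GAIN = 5.0   # assumed fixed gain per node from misbehaving (e.g. a bribe)


if __name__ == "__main__":
    for name, dist in (("dispersed", DISPERSED), ("whales", WHALES), ("mixed", MIXED)):
        f = corruptible_fraction(dist, GAIN, slash_fraction=0.5)
        t = minimum_stake_threshold(dist, GAIN, slash_fraction=0.5)
        print(f"{name:9s} corruptible={f:.3f} threshold={t}")
```

With a 50% slash the dispersed system is 100% corruptible, and raising the slash to the whole bond does not help, because a node with one unit at stake can lose at most one unit against a gain of five; the whales are 0% corruptible; the mixed system is just over 50% corruptible until an admission threshold of 10 units excludes the tiny holders. That is the page's conclusion in numbers: a penalty proportional to stake constrains only those who have something to lose, so dispersed, evenly distributed stake is exactly the case POS handles worst.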

We have compared the security of POW and POS and reached some conclusions, but unfortunately, in a permissionless public-chain environment, both POW and POS will eventually tend towards a system in which computing power (or stake) is more centralized and unequal.
