Talk:Proof of Stake

From Bitcoin Wiki
Revision as of 15:58, 27 March 2012 by Cunicula (talk | contribs)

Malicious forking

Surely proof-of-stake is vulnerable to malicious forking of the blockchain, whether motivated by double spending or just sowing destructive confusion of multiple versions?

Each version of the blockchain is a full, self-contained "version of reality". If you (the malicious party engineering a fork) burn through your "stake" - whether bitcoins owned, bitcoin days destroyed, or anything similar - on one version of the blockchain, that still doesn't stop you creating another version, starting from the same block-before-yours as you started from for your first effort, where your same "stake" still exists and hasn't been burned through. (And then another, and another... All forking from the blockchain-as-was (just before you started your malicious antics), which records your untouched stake.) So with trivial computational effort, you can create huge multiple forks; and there's no easy way for the network to pick a winner.

Proof-of-work doesn't suffer from this problem. A malicious party trying the above trick would have to perform fresh work for each fork, since the work done in finding a difficulty-satisfying hash on one fork has no transferable value to the task of finding one on the other fork(s).

Am I missing something? Iain Stewart 23:24, 24 March 2012 (GMT)

This is a good point. However, I see it is an argument against pure proof-of-stake. It doesn't apply to a mixed proof-of-stake/proof-of-work system, even one where work is a very small component. Please let me know if you think otherwise. Here are some thoughts:

1) The creation of multiple forks is only a problem if there is doubt about which chain is the correct one. In the case of a tie in length, other miners can pick a chain to extend at random. One well-intentioned miner will get lucky and find the first block after the attacker. He will pick one of the attacker's chains, extend it, and broadcast this to the network. Even though they may have been working on other chains before, other miners will also extend this chain because it is now longer and thus more likely to survive. Users just need to wait for one chain to have a significant length advantage.

2) Perhaps you are worried that all other miners will extend every single competing chain. If so, all chains will grow at the same rate and it won't do to pick the winner at random. This is a problem in pure proof-of-stake. As you point out, in pure proof-of-stake extending multiple chains simultaneously has no resource cost. However, under a mixed-system, there is a non-trivial work component to any chain extension. Miners would not find it worthwhile to extend chains that have a low probability of growing. I think even a pretty small computational cost would be sufficient to discourage this. It is even okay if some miners (say 10%) extend every single chain. It just is not okay if almost all miners do this. Cunicula 27 March 2012
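The two scenarios in the exchange above (honest miners breaking a tie at random versus every miner extending every fork, with and without a work cost) as a toy simulation added by the editor; it is not code from the wiki or from either poster, and the round-based model, the miner strategies and the parameter names are the editor's own assumptions.

```python
import random


def lead(lengths):
    """Gap between the longest fork and the runner-up (0 means no clear winner)."""
    top = sorted(lengths, reverse=True)
    return top[0] - top[1] if len(top) > 1 else top[0]


def simulate_fork_race(n_forks, n_miners, extend_all_fraction, work_cost,
                       rounds=20, p_block=0.3, seed=1):
    """Toy model (constructed for this note) of the race between an attacker's
    equal-length forks once honest miners take over.

    The first `extend_all_fraction` share of miners extends every fork each
    round; the rest extend one fork chosen at random among those tied for
    longest.  With `work_cost=False` (pure proof-of-stake) extending extra
    forks is free, so an extend-all miner keeps the full p_block on every
    fork; with `work_cost=True` (mixed system) its hashing budget is split,
    so each fork only gets p_block / n_forks.
    """
    rng = random.Random(seed)
    lengths = [0] * n_forks                  # attacker's forks start tied
    n_extend_all = round(n_miners * extend_all_fraction)
    for _ in range(rounds):
        longest = max(lengths)
        leaders = [i for i, n in enumerate(lengths) if n == longest]
        grown = set()                        # forks that gain a block this round
        for m in range(n_miners):
            if m < n_extend_all:
                targets = range(n_forks)
                p = p_block / n_forks if work_cost else p_block
            else:
                targets = [rng.choice(leaders)]
                p = p_block
            for fork in targets:
                if rng.random() < p:
                    grown.add(fork)
        for fork in grown:                   # at most one block per fork per round
            lengths[fork] += 1
    return lengths


if __name__ == "__main__":
    print("random tie-break:", simulate_fork_race(5, 20, 0.0, True))
    print("all extend all, pure PoS:", simulate_fork_race(5, 20, 1.0, False))
    print("10% extend all, mixed:", simulate_fork_race(5, 20, 0.1, True))
```

With one miner who always finds a block, the random tie-break run gives a single fork the whole lead, while the costless extend-all run keeps every fork growing in lockstep, which is the deadlock point 2 describes.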