> By the logic of that article asymmetric cryptography doesn't, because the value equal to what's protected by the key is magically wasted somewhere. Of course, that isn't true, because it's not possible to break asymmetric cryptography by brute force with expenditure equal to whatever is protected. Same applies to PoS.

Not quite. He's arguing that MC = MR implies that PoS is really PoW through obscure means. There's more to securing PoS than asymmetric cryptography -- namely, you have to convince everyone that your keys (and the coins attached to them) are legitimate, and not the next guy's keys and coins on a fork. Convincing people of this isn't a cost-free task, especially if there's wealth to be accumulated through convincing more and more people that your coins are legitimate, and everyone else's conflicting coins on different forks are not.

This game of convincing people that your fork is the true fork is exactly what stake-grinding is. Given a choice, and no a priori knowledge, which history of the PoS chain is the true history? What would convince you that one is legitimate, and the other is not? The article argues that the act of convincing you is, itself, a form of PoW. After all, without PoW, looking at the chainstate isn't convincing -- if you have staked coins today, you could easily create a fork of the chain history where everyone else stopped spending except for you. Without no 3rd party way to verify if that actually happened, you could go around trying to bribe people to accept that your subsequent transactions on this fork are the chain's "true" transactions. There's many tactics for doing this -- you could go on Twitter and spam everyone; you could organize events and rallies; you could even take malicious actions and disable your rivals. You and everyone trying to do the same thing would be in competition to convince everyone else that your fork is the "true" fork. But regardless of the tactics, all of them require expenditures on your part in the forms of time, energy, health, stress, etc. Hence the "PoW by obscurity" argument. But at the end of the day, you'd be unwise spend any more than you'd expect to receive in return because of MC = MR.

Here's a concrete example. The reason you can tell that there's a lot more belief that ETH is the true Ethereum fork, and not ETC, is because ETH has a much higher PoW score than ETC. Miners can choose between ETH and ETC to mine, and they mine the one whose tokens are worth more. ETH is worth more because more people value it. Therefore, PoW is a proxy measurement of the social consensus -- more people believe in ETH than ETC.

If ETH were PoS at the time of the split, it would be a lot less obvious from the chainstate which one people would choose to use. Both chains' participants would try to make it look like their chains had more users by some other means. But the point in the article is that those "other means" are not only costly actions, but also the marginal cost each fork can afford for these actions is, in equilibrium, equal to their respective marginal revenues.

> If ETH were PoS at the time of the split, it would be a lot less obvious from the chainstate which one people would choose to use. Both chains' participants would try to make it look like their chains had more users by some other means. But the point in the article is that those "other means" are not only costly actions, but also the marginal cost each fork can afford for these actions is, in equilibrium, equal to their respective marginal revenues.

You forget that when the ETH/ETC split happened, the hashrate fluctuated immensely after the Poloniex listed ETC (and ETCs price skyrocketed) and many miners switched to mine ETC.

Now in hindsight it is obvious but during the chaotic days, it wasn't obvious which chain would be worth more in the future. That ETH had more POW done at that moment was unimportant. You had to use other means to decide which chain to use.

In other words, the PoW scores on ETH and ETC after the fork ultimately were predictive of how much one token was valued versus another. You are right that there was uncertainty at first -- and it was reflected in how much PoW each chain got! -- but for someone who's just now coming into crypto with no a priori knowledge of the event, the higher PoW score on ETH is indicative of higher market demand. Which is exactly my point.

>This game of convincing people that your fork is the true fork is exactly what stake-grinding is

Stake grinding is something else, in coins like NXT the producer of the next block was set by the seed based on the previous block, so it was possible to bruteforce blocks until you were also the next generator.

>The article argues that the act of convincing you is, itself, a form of PoW.

He makes a much stronger claim that resources spent on that (+ staking) are equal to revenue. There's an additional assumption in the article: he writes about marginal cost and revenue, but what he actually assumes is a system where average cost is equal to marginal cost, as it is in PoW under perfect competition. It's even equated explicitly in "“Rent” always forces production costs (MC) to always equal sale prices (MR)". He starts from the assumption that PoS uses exactly same resources as PoW and then shows it's true based on the assumption.

>Given a choice, and no a priori knowledge, which history of the PoS chain is the true history? What would convince you that one is legitimate, and the other is not?

What does 'true' and 'legitimate' mean here? The whole point is to interact with other people, so naturally I'm going to use the same network that people I want to interact with use. Same whether it's PoW or PoS - no real difference between choosing forks from some block height vs choosing networks with completely different genesis blocks and names.

Once the network is chosen a node has to follow it. The question of 'how long it's safe to be offline to reproduce the behavior of being online all the time' has a complex answer of percentage of slashed stake if two conflicting histories exist. Currently I think it's about 16% for one month, which is about $2B.

>Without no 3rd party way to verify if that actually happened, you could go around trying to bribe people to accept that your subsequent transactions on this fork are the chain's "true" transactions.

PoW doesn't change anything here, it's an arbitrary fork like any other. People that ended up with coins from mining can receive coins on your fork too, made with a much smaller mining difficulty. Mining cost is irrelevant because that's destroyed wealth - nobody ends up with it. The reason it won't happen in reality is because of network effects - even if you have external wealth able to pay enough at once to everyone that has to be paid, no single person wants to be left alone on a new fork - they would all have to move at once.

> it was possible to bruteforce blocks until you were also the next generator.

This sounds exactly like a special case of the game of convincing people that your fork is the true fork. NXT stakers each have their own preferred forks (i.e. the ones in which they get the most tokens), and are willing to spend energy to make it so their fork is accepted by the network.

> He starts from the assumption that PoS uses exactly same resources as PoW and then shows it's true based on the assumption.

Maybe it's not well-written here, but his argument is that PoS ultimately will require the same energy commitments as PoW through the act of each staker trying to convince both other stakers and newcomers (i.e. with no a priori knowledge of how the chain evolved) that their preferred fork is the fork the network accepts. A PoS chain may not take the same initial resources as a PoW chain, but it will over time.

Source: I've spoken to the author at conferences.

> What does 'true' and 'legitimate' mean here? The whole point is to interact with other people, so naturally I'm going to use the same network that people I want to interact with use.

And how do we know which fork this is, out of all the alternatives? You either have to ask people (i.e. you need a priori knowledge obtained out-of-band), or you need a way to independently but deterministically choose the fork that the economic majority of people use (which is the problem PoW solves).

> PoW doesn't change anything here, it's an arbitrary fork like any other.

Except, this is not what's happening in real life. People follow the canonical chain, and PoW helps them all determine what the canonical chain is without having to ask around.

>You either have to ask people (i.e. you need a priori knowledge obtained out-of-band)

Again, the only reason blockchains need consensus is to allow people to interact with each other - consensus is between people. Computers are just tools to make that easier. It's a fundamental contradiction to assume you can use any blockchain to make any economic transactions without interacting with other people - because economic transactions require other economic entities.

Of course when you assume something false you can prove any absurd result, like that PoS wastes same resources as PoW.

PoW relies on social coordination in the short term, because short term attacks are cheaper, so in the case of a 51% attack people would have to organize fast. PoS is extremely safe in the short term, and only maybe falls back on social coordination in the long term (again, only in the case of an attack), which is the correct security model.

>deterministically choose the fork that the economic majority of people use (which is the problem PoW solves)

No it doesn't. Mining revenue is an insignificant part of what the real consensus in any PoW coin is. For a while BCH had biggest revenues after the fork (because of their difficulty algorithm). Ethereum has higher mining revenues than bitcoin for months now (last 24h: $49M ethereum, $31.3M bitcoin) - does that make ethereum the true bitcoin now?

> Again, the only reason blockchains need consensus is to allow people to interact with each other - consensus is between people. Computers are just tools to make that easier. It's a fundamental contradiction to assume you can use any blockchain to make any economic transactions without interacting with other people - because economic transactions require other economic entities.

Did I say otherwise?

> Of course when you assume something false you can prove any absurd result, like that PoS wastes same resources as PoW.

Well, no widely-used PoS system exists (so we have no real-world examples to learn from), but despite this, you're insisting that no PoS system will use more than PoW from now until the last blockchain goes offline, despite these systems (in expectation) driving essentially unbound amounts of revenue. That's quite an extraordinary claim!

Let's steel-man this. Let's assume that a PoS blockchain becomes so widely successful that its token becomes a major world currency. Then what? Controlling a PoS node would be like controlling a country's reserve banks and mints. So, what keeps these nodes safe from asshats breaking into them and using them print themselves money? Like, why can't an armed band of asshats show up at my server rack and physically steal my validators' keys?

The answer of course is that the building security and law enforcement officers keep this from happening. But, where do these people come from? Who pays them? Where do they get their equipment? What do they do with the asshats they catch? How do they deal with escalations from asshats, and stay ahead of the asshats' tactics? How much energy is going into keeping these PoS nodes secure?

It appears that there is energy involved in keeping the PoS system running in the face of asshattery, and that energy is proportional to how important it is that it remains usable for the societies that rely on it. It seems, then, that the more successful PoS becomes, the more it co-opts the very infrastructure that keeps today's financial systems secure. That's a lot of energy!

So, in the event of success, I have no reason to believe that PoS will take less energy to secure than PoW, once I think about what has to go into securing a successful PoS system. At least with PoW, I can rest assured that if the asshats hijack a mining rig to print money, they'll have to continuously out-mine the rest of the world in perpetuity in order for their coins to remain realized on the canonical chain. PoS doesn't have that resiliency, which necessitates building and maintaining an extrinsic security apparatus to keep the staked coins from getting stolen in the first place. This security apparatus -- including all the laws, supply chains, manufacturing, and so on to keep it going as it becomes a more and more valuable target to asshats -- is on the MC side of the equation.

> No it doesn't. Mining revenue is an insignificant part of what the real consensus in any PoW coin is. For a while BCH had biggest revenues after the fork (because of their difficulty algorithm).

You've completely misread my comment. Miners mine on the chain that is most profitable to them, and the blockchains they mine on encode the history of their activities. Even though during a chain split it's not immediately apparent which resulting chain will attract the most miners over time, it does become apparent quickly enough. The revenues (and thus profits) come from users actually demanding the coins.

> Ethereum has higher mining revenues than bitcoin for months now (last 24h: $49M ethereum, $31.3M bitcoin) - does that make ethereum the true bitcoin now?

I thought it was widely understood that Bitcoin and Ethereum are not the same thing? If there is contention between two forks of the same blockchain, then PoW provides you a way to determine which one has more demand. PoW doesn't tell you anything about two different blockchains with two different difficulty algorithms (but it might tell you something about two different blockchains with the same difficult algorithm, such as Bitcoin vs Bitcoin Cash).

>>Except, this is not what's happening in real life. People follow the canonical chain, and PoW helps them all determine what the canonical chain is without having to ask around.

In POW you still have to ask around, to find out what the canonical consensus protocol is. Having more POW alone is not enough to have your chain accepted, as it still needs to be valid according to the other rules of the protocol.

Both POS and POW depend on some level of subjectivity/trust, even while the latter relies on it less than the former.

https://blog.ethereum.org/2014/11/25/proof-stake-learned-lov...

> Both POS and POW depend on some level of subjectivity/trust, even while the latter relies on it less than the former.

No one is arguing that you don't have a trusted computing base.

What is being argued is, why make the TCB bigger when it doesn't need to be? Why trust someone to tell me what the current validator set or fork tip when I boot up my node, when there exists protocols whereby the node figures this out automatically?

Some people say that the energy cost of PoS justifies this, but that's not really true in the long run. This is the point Paul Sztorc was making in his article about MC = MR -- competing PoS forks will still spend the same amount of trying to convince you that their preferred fork is the canonical fork. PoW does this as well, but it gains you an in-band way to discover this, thereby making the TCB lower than it would be in PoS.

>>What is being argued is, why make the TCB bigger when it doesn't need to be?

That's the point of debate: of course PoS proponents argue you can get more security at a given economic cost than you can with PoW, and that more than makes up for the security loss from the TCB bigger.

Sztorc's argument is heavily disputed in this thread, and you can see the arguments against it in the critiques provided.

Making the TCB bigger makes PoS less secure overall. If you pick the wrong validator set when you boot your node up, you're fucked -- your node will never discover the chain history which represents actual user activity [1]. PoS is the blockchain equivalent of forcing users to pick out which TLS certificates they trust when they install their OS. PoW is the blockchain equivalent to your OS having a way to discover which TLS certificates the majority of the Internet currently trusts in-band, as well as a way to upgrade them to the newly-trusted set if the majority switches.

The sad part is, PoS doesn't even gain you anything -- it's not cheaper. It's just a feel-good measure that doesn't solve the underlying problem.

> Sztorc's argument is heavily disputed in this thread, and you can see the arguments against it in the critiques provided.

Other people not understanding the argument doesn't make the argument wrong.

[1] The proof is in the appendix of this paper: https://eprint.iacr.org/2016/919.pdf. The gist is that they show that two forks are indistinguishable without a priori knowledge of which validator set is not corrupt.

>>Making the TCB bigger makes PoS less secure overall.

That is a debatable point. The TCB amounts to a single hash, that the global Ethereum userbase has had at least three months to converge on, with extremely obvious ways of establishing its correctness. If that can't be securely established, it's unlikely a consensus on the correct software distribution channels can be established either, meaning new users would still be completely fucked.

And there are other factors that establish the security of the network besides how much subjectivity plays a role in consensus, like the economic incentives dissuading an attack, and the difficulty of acquiring the economic assets needed to attack the chain.

> That is a debatable point. The TCB amounts to a single hash, that the global Ethereum userbase has had at least three months to converge on, with extremely obvious ways of establishing its correctness. If that can't be securely established, it's unlikely a consensus on the correct software distribution channels can be established either, meaning new users would still be completely fucked.

Sure, let's use Ethereum 2.0 as an example (but note that both myself and the linked paper talk about PoS in general.). Suppose I'm a newcomer to Ethereum 2.0 well after it launches. Suppose that, sometime after the launch but before my arrival on the scene, there's another DAO-like event where there's been a contentious chain split, and lots of bad blood on both sides of the split between developers, users, and exchanges. If I'm only interested in using the chain with the most economic activity, then why should I trust you and your servers to tell me who the initial validators are, especially now that you have a financial reason to tell me your preferred fork? It's like a bank asking me to choose between multiple sets of TLS certificates for all the banks I could conceivably use without giving me a chance to vet them -- why would I ever do this? And how would I even do this reliably?

In PoS, all I have to go on is your word against the others (this is the proof the paper makes) -- there is no way around this. In PoW, I can compare the hashpower between forks and use that to determine on my own which fork has the more valuable coin (and thus the larger economy for it). This, by itself, is a strictly more resilient system design.

What Paul Sztorc is saying is that in the event of contention between competing validator sets, both validators will spend resources equivalent to PoW trying to convince all these newcomers that their validators represent the most economic activity. This includes, but is not limited to, spending energy keeping your validator nodes from getting stolen or hijacked in a bid to change the validator set without consent. So, not only are the energy savings that TFA touts expected to disappear in the long run, but also the energy spend won't even help make the protocol more resilient.

By the way, I believe that ETC is the 'true' Ethereum, and ETH was forever compromised by Buterik after that DAO fiasco. Code is Contract, but only until somebody decides otherwise.

(I fully understand that this belief of mine is not shared by the majority of Ethereum users.)