On Stake and Consensus by Andrew Poelstra
Original document: https://download.wpsoftware.net/bitcoin/pos.pdf
Would be interesting to have Sunny King's point of view on it.
4.3 “Long-Range” versus “Short-Range” Attacks
It is possible, by requiring stake to be bonded for many consecutive blocks, and by choosing signers using randomness extracted by long-past (in blocktime) blocks, to force the attacks described above to rewrite long stretches of history. This is often described as “preventing short-range attacks”.
It is clear that this does not address the costless simulation issue; after all, if it’s easy to change history, it’s easy to change long stretches of history. However, proponents argue that since for an honestly-created history, long stretches of blocktime correspond to long stretches of real time, any revision of so much history is sure to contradict the history as remembered by participants in the system. Thus such an attack would be detected, recognized as an attack, and the new history rejected.
If this is implemented correctly, there is no problem with this, except that it changes the trust model from that of Bitcoin. New users who encounter multiple histories are no longer able to distinguish them on their own; they need to ask existing participants in the network (which may include friends and family, large corporate entities with reputations to maintain, public websites, etc.) which history they know to be the true one. This is not a distributed consensus! It is a different sort of consensus, which may be formed amongst always-online peers in a decentralized way, but depends on trust for new users and temporarily offline ones. It is correspondingly vulnerable to legal pressure, attacks on “trusted” entities, and network attacks.
4.4 Other Considerations
Again, we quote [Poe14b]:
Further, this ability to control the future selection of stakeholders (and even the set of stakeholders, by controlling which transactions appear in blocks) has serious consequences. This is because even without a deliberate attacker, the signers who extend the history at every point have an incentive to direct the history toward one in which they have more stake (and therefore more reward), which causes the system to trend toward centralization. They may do this by skewing the stake selection of future blocks, or more insidiously by censoring transactions which (may eventually) increase the set of stakeholders.
5 Conclusions and Further Research
We have described a mechanism, DMMS, for obtaining a distributed consensus. While DMMS, in conjunction with some economic requirements, is sufficient to form consensus, it is probably not necessary. Open problems include reducing these economic assumptions (or showing they cannot be removed), and determining necessary conditions under which distributed consensus can be obtained.
We also explored an alternative to DMMS, proof of stake. We showed that by depending only on resources within the system, proof of stake cannot be used to form a distributed consensus, since it depends on the very history it is trying to form to enforce loss of value.
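The argument of section 4.3 as a toy model, added here as an illustration and not taken from the paper or from any proof-of-stake implementation: two histories from the same genesis both pass a stake-validity check, an always-online node can reject the rewrite by comparing it with the history it remembers, and a new node cannot rule out either. Assumptions: signatures and randomized signer selection are left out (the holder of an old key can produce valid signatures in either history), and the rule names, `max_reorg` and the sample participants are hypothetical.

```python
import hashlib

def block_hash(prev, signer, txs):
    return hashlib.sha256(repr((prev, signer, txs)).encode()).hexdigest()

def make_chain(steps):
    """Build a chain from (signer, transfers) steps; a transfer is (src, dst, amount)."""
    chain, prev = [], "genesis"
    for signer, txs in steps:
        chain.append({"prev": prev, "signer": signer, "txs": txs,
                      "hash": block_hash(prev, signer, txs)})
        prev = chain[-1]["hash"]
    return chain

def valid_pos_chain(genesis_stake, chain):
    """Toy stake rule: each signer must hold stake according to this chain's own history."""
    stake, prev = dict(genesis_stake), "genesis"
    for b in chain:
        if b["prev"] != prev or b["hash"] != block_hash(prev, b["signer"], b["txs"]):
            return False
        if stake.get(b["signer"], 0) <= 0:
            return False
        for src, dst, amt in b["txs"]:
            if amt <= 0 or stake.get(src, 0) < amt:
                return False
            stake[src] -= amt
            stake[dst] = stake.get(dst, 0) + amt
        prev = b["hash"]
    return True

def fork_depth(remembered, candidate):
    """Number of remembered blocks the candidate would rewrite."""
    common = 0
    for a, b in zip(remembered, candidate):
        if a["hash"] != b["hash"]:
            break
        common += 1
    return len(remembered) - common

def acceptable(genesis_stake, candidates, remembered=None, max_reorg=2):
    """Names of histories a node cannot rule out; remembered=None models a new node."""
    return [name for name, c in candidates.items()
            if valid_pos_chain(genesis_stake, c)
            and (remembered is None or fork_depth(remembered, c) <= max_reorg)]

# Constructed sample: alice sells her stake in block 1 of the honest history,
# then later uses her old key to sign a rewrite in which the sale never happened.
GENESIS = {"alice": 10, "bob": 10}
HONEST = make_chain([("alice", (("alice", "carol", 10),)), ("bob", ()), ("carol", ()), ("bob", ()), ("carol", ())])
REWRITE = make_chain([("alice", ())] * 6)
CANDIDATES = {"honest": HONEST, "rewrite": REWRITE}
```

`acceptable(GENESIS, CANDIDATES, remembered=HONEST)` keeps only the honest history, while `acceptable(GENESIS, CANDIDATES)` returns both: the validity rule is evaluated against each history's own stake state, so the only thing that separates them is what a node already remembers.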