Proof-of-Work versus Proof-of-Stake redux

The difference between PoW and PoS becomes starkly clear once you understand these 2 things:

* PoS is a modified, weaker form of PoW
* Energy efficiency and conservation of energy

A thread. 1/
Abstract: The only way PoS-aka-modified-PoW could be seen as an improvement over pure-PoW is _if and only if_ SHA256 hashing, which is what actually happens when you mine Bitcoin, is inefficient when it comes to protecting the Bitcoin ledger. 2/
For a quick preview, check out my Anatomy of PoW article. 3/…
It doesn’t matter what you call it, PoS is still “work”.

What do I mean by this? 4/
PoS manifests as work in how you must go about setting up your staking operation: taking out a loan, running a staking server, protecting your server from getting hacked, etc.

Every system known to man needs “work” to be put in for it to become useful. No exception. 5/
PoS is also PoW, just a modified form. That means one can evaluate PoS within the PoW framework. This is important.

Now comes the second, less intuitive part. Energy efficiency and conservation of energy. 6/
In the old days, it used to take many weeks of work and effort to send a message across large distances.

But since the radio (and later the Internet) was invented, it now merely takes us fractions of a second with very little energy to communicate with one another. 7/
The old ways of delivering a message were simply too energy-inefficient. So better methods could be discovered to improve the communication process. 8/
Similarly, the combustion engine only has ~20-40% energy efficiency. Much of the energy generated through combustion is lost.

That means we could keep coming up with more efficient ways to generate torque, including non-combustion techniques. 9/
Back to PoW and PoS.

Because PoS gets rid entirely of the PoW mining process, the only way it could prove that it can achieve roughly the same security is by proving PoW mining is very inefficient in the first place.

Conservation of energy. 10/
However, SHA256 hashing is in fact perfectly efficient in protecting the Bitcoin blockchain.

To understand this, you must understand the difference between a physical process, like combustion, and a software operation like hashing, which is backed by math. 11/
Physical processes like combustion waste energy. Our own body motions waste energy.

Almost everything physical wastes energy. 12/
SHA256 is different. It is backed by something called a one-way math function.

A one-way function is a function that is easy to compute on every input, but hard to invert given the output. 13/
An example is multiplication and factoring.

61x71 = 4,331 is easy.

But if you get 4,331 and need to guess which numbers when multiplied will give you 4,331, it’s a lot harder. 14/
In reality, the existence of one-way functions still cannot be proven yet. Proving that they exist formally would mean proving P != NP, the most important problem in Computer Science. 15/…
But in practice, we can roughly take P != NP as truth.

Not only because intuitively we can “sense” that it’s true, like in the above factoring problem and other problems, but also because much of our modern world has been built on P != NP. 16/
Our entire digital infrastructure - the Internet, banking, secure communication, etc. - is based on a P != NP foundation.

If someone manages to prove P = NP, which is highly unlikely IMO, we wouldn’t exactly revert back to the Stone Age, but close to it. 17/
What we get with this one-way hashing in PoW mining is that for an attacker to undo changes to the Bitcoin blockchain, he would need to perform a roughly equivalent amount of hash operations.

One hash in, one hash out. 18/
If it took a trillion hash operations to produce the last 2 blocks, it would take roughly a trillion hash operations to undo or revert those 2 blocks. 19/
This is close to 100% efficiency.

In reality, it is not _quite_ 100% because it depends on SHA256 being perfectly random. But SHA256’s track record is pretty good. 20/
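A toy model of the cost asymmetry described in tweets 18-19, added here as an illustration and not taken from the thread or from Bitcoin's code base: a block edited in place fails a one-hash-per-block check, and making the altered chain verify again means re-mining that block and every block after it. The 12-bit difficulty, the simplified header layout, the payload strings and all function names are assumptions made for the example.

```python
import hashlib

DIFFICULTY_BITS = 12                      # toy value: ~2**12 expected hashes per block
TARGET = 1 << (256 - DIFFICULTY_BITS)
GENESIS_PREV = b"\x00" * 32

def block_hash(prev, payload, nonce):
    """Double SHA-256 over a simplified header (not Bitcoin's real header layout)."""
    header = prev + payload + nonce.to_bytes(8, "little")
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()

def meets_target(h):
    return int.from_bytes(h, "big") < TARGET

def mine_chain(payloads, prev=GENESIS_PREV):
    """Mine one block per payload on top of `prev`; return (blocks, hashes_spent)."""
    blocks, spent = [], 0
    for payload in payloads:
        nonce = 0
        while not meets_target(block_hash(prev, payload, nonce)):
            nonce += 1
        spent += nonce + 1                # every failed nonce plus the winning one
        h = block_hash(prev, payload, nonce)
        blocks.append({"prev": prev, "payload": payload, "nonce": nonce, "hash": h})
        prev = h
    return blocks, spent

def verify_chain(blocks, prev=GENESIS_PREV):
    """Verification costs one hash per block, however much mining cost."""
    for b in blocks:
        h = block_hash(b["prev"], b["payload"], b["nonce"])
        if b["prev"] != prev or h != b["hash"] or not meets_target(h):
            return False
        prev = h
    return True

def rewrite_tail(blocks, index, new_payload):
    """Change block `index`, then re-mine it and all later blocks."""
    payloads = [new_payload] + [b["payload"] for b in blocks[index + 1:]]
    tail, spent = mine_chain(payloads, prev=blocks[index]["prev"])
    return blocks[:index] + tail, spent

if __name__ == "__main__":
    chain, cost = mine_chain([b"tx-set-%d" % i for i in range(6)])  # constructed payloads
    tampered = [dict(b) for b in chain]
    tampered[4]["payload"] = b"tx-set-4-altered"                    # edited, not re-mined
    forged, redo = rewrite_tail(chain, 4, b"tx-set-4-altered")
    print("honest:", verify_chain(chain), cost, "| edited only:", verify_chain(tampered))
    print("last 2 blocks re-mined:", verify_chain(forged), "hashes spent:", redo)
```

The hash counts vary from run to run of different payloads because each nonce search is a random trial; only the expected cost per block (about 2**12 here) is fixed by the difficulty.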
To recap:
PoW mining = 1 hash in, 1 hash out.

~100% efficiency in protecting the Bitcoin ledger.

You’ll be hard-pressed to find anything being this efficient in the physical world. As a matter of fact, there isn’t one! 21/
SHA256 hashing might be the only thing in the world that dedicates its entire existence to one goal and one goal only: protecting the Bitcoin ledger. Totally and completely.

(I don’t know about you, but IMO this is incredibly beautiful. Almost heroic.) 22/
One might ask, but mining hardware like ASICs does generate heat, isn’t that also waste and inefficiency?

Great question. But it’s important to separate the hardware from the software operation. 23/
Like all physical processes, mining hardware does have inefficiencies.

For example, the 7nm or 5nm chips are not the fastest computing chips humans can make. They also generate heat. 24/
But the hardware can be inefficient, while the non-physical software operation can be perfectly efficient!

That is because, again, a hash function is not a physical process. 25/
Going back to our earlier example:

61x71 is 4,331

The idea of factoring 4,331 into 61 and 71 requires a non-trivial amount of computations. You cannot cheat using shortcuts, but actually have to sit down and brute-force this math problem. 26/
These math problems and hash operations belong to the abstract world. Since they reside in the abstract world, they can achieve no efficiency loss.

If factoring requires some specific steps you must follow, then you cannot get around them. 27/
Otoh, if you can prove that you can cheat without doing brute force calculations, not only for factoring 4,331, but for all other types of one-way functions such as discrete log in Elliptic curves, congrats, you just cracked one of mankind’s most important problems. 28/
Here’s another way to put it: anyone who claims PoS can achieve equivalent security to PoW is essentially saying P = NP.

That is, they claim they have found a way to cheat around one-way functions, but still be able to get the same result. 29/
To conclude:

Every PoW hash operation contributes 100% of its existence to securing the Bitcoin ledger, based on one-way functions. PoS removes these perfectly-efficient operations, so it must sacrifice its own security. Conservation of energy.

It is really that simple. 30/
> why is energy required in the first place to protect the ledger?

This is the key question that underlines the understandable delusion with PoS.

Can we just get security without spending any energy? 31/

To understand this, let’s borrow a little from the Laws of Relativity: how fast a train is going relative to you differs depending on whether you are standing still or driving in a car.

But the speed of light is constant regardless of perspective. 32/
Similarly, PoW security is constant and absolute (in terms of number of hashes). It doesn’t matter which perspective you are coming from if you want to attack Bitcoin.

There is no negotiating around the wall of energy and SHA256 hash operations. You must tackle it head-on. 33/
On the other hand, just like observing a speeding train, what PoS gives you is relative security.

It is only secure depending on the perspective from which you look at the network. 34/
It’s like when you ask a friend to hold your money for you, it’s because you trust him/her.

In this case, the security comes from the relative strength of the bond between you and your friend. 35/
PoS works the same way, except it’s not trusting your friend. It’s trusting the largest stakeholders of the PoS network. Trust that they behave nicely, and also that the network doesn’t get partitioned accidentally.

PoS “security” comes from this relative trust among humans. 36/
If say, a state actor gets ahold of the richest stakeholders in PoS, and manages to find their weaknesses, they can manipulate these stakeholders into doing what the state actor wants: censoring transactions, or re-orging the chain as they wish. 37/
An outsider can make PoS insecure by forcefully becoming one of the “good” insiders.

In PoW that’s not possible: even if a state actor manages to take over the largest mining operations, they still need to spend energy to attack Bitcoin, insider or not. 38/
To sum things up:

PoW provides you absolute security, regardless of perspective.

By removing the energy associated with PoW mining, PoS falls back on the relative trust among humans - a false sense of security. 39/
One valid question, assuming you agree PoW is necessary for security, is how much PoW is enough?

That is trickier to answer. Like most things designed to protect, we only get to find out their true worth when shit hits the fan. Safer to lean on overpaying than underpaying. 40/

Keep Current with Hugo Nguyen
