In general, the PoS system still has more advantages than disadvantages: higher efficiency, better ability to respond to and recover from attacks.
Original title: “Vitalik: Proof of Stake vs. Proof of Work (November 2020)”
Written by: Vitalik Buterin, founder of Ethereum Translation: Chih-Cheng Liang, Hsiao-wei Wang
Source: ETH Chinese Network
This article was originally translated into traditional Chinese by Chih-Cheng Liang and Hsiao-wei Wang. Due to different expression habits and considering the reading experience of simplified Chinese readers, ECN has carried out simplified conversion and secondary proofreading of this article.
There are three key factors that Proof of Stake (PoS) is superior to Proof of Work (PoW) in terms of blockchain security.
Proof of equity can provide higher security at the same cost
The easiest way to understand this is to look at the proof of stake and proof of work together. Assuming that there is a block reward of $1 per day, what is the cost of attacking this network.
GPU-based proof of work
You can rent GPUs cheaply, so the cost of attacking the network is just renting enough GPU computing power to exceed the existing miners. For every block reward of $1, the cost of existing miners is close to $1 (if the cost is higher than $1, miners will withdraw because they are unprofitable, otherwise new miners will join in to make profits). Therefore, the cost of attacking the network only needs to be higher than $1/day, and may only last a few hours.
Total attack cost: ~$0.26 (assuming 6 hours of attack), and because the attacker can receive block rewards, this number may be reduced to zero.
ASIC-based proof of work
ASICs are actually the cost of capital: when you buy an ASIC, you expect it to last for about two years, because it will slowly wear out or be replaced by better performance hardware. If a chain is 51% attacked, the community will probably change the PoW algorithm to respond, and your ASIC will lose value at this time. On average, mining costs are about 1/3 of the recurring cost and 2/3 of the capital cost (see here for details).
Therefore, for every $1 of block reward, miners will spend ~$0.33 per day on power and maintenance, and ~$0.67 on their ASICs. Assuming that the ASIC can be used for about 2 years, the miners need to spend $486.67 for the unit ASIC hardware. (Annotation: $486.67 = 365 days x 2 x $0.67 cost of capital)
Total attack cost: $486.67 (ASICs) + $0.08 (power and maintenance) = $486.75
(Annotation: Electricity and maintenance costs are also assumed to be 6 hours of attack time)
Having said that, it is worth noting that the higher security brought by ASICs (compared to GPUs) comes at a high cost of centralization, so the threshold for joining ASIC mining is also very high. )
Proof of stake
The cost of proof of equity is almost 100% of the capital cost (collateralized currency); the only operating cost is the cost of running the node. In this way, how much money will people be willing to lock up for every $1 block reward every day? Unlike ASIC, the mortgaged currency will not depreciate, and when you don’t want to mortgage it, you can get back the pledged deposit in a short period of time. Therefore, participants should be willing to pay a higher cost of capital for the same degree of reward than in the case of ASIC.
Let us assume that ~15% of return is enough to attract people to mortgage (this is the expected return of eth2). Therefore, a block reward of $1 per day will attract a mortgage equivalent to 6.667 annual rewards, or converted into an amount of $2,433. The cost of hardware and electricity consumed by the node is very small, every thousand yuan of computer can mortgage thousands of assets, and the monthly electricity and network fees of ~$100 are enough. But conservatively, we assume that these recurring costs are ~10% of the total mortgage cost. So we only have a block reward of $0.90 per day corresponding to the cost of capital, so we have to reduce the above figure by ~10%.
(Annotation: 6.667 years = $1 / (15% annual remuneration); $2,433 = $1/day x 365 x 6.667)
Total attack cost: $0.90/day * 6.667 years = $2,189
In the long run, the cost of this attack is expected to be higher because mortgages will become more efficient and people will be more accepting of lower returns. I personally expect that this number will eventually climb to $10,000.
The only “price” for achieving such a high degree of security is the inconvenience to transfer the pledge deposit at will during the pledge period. It is even possible that because people recognize that these locked coins will cause the value of the coins to rise, the total amount of currency circulating in the community or the funds that can be used for productive investment can remain unchanged. On the other hand, PoW, the “price” of maintaining consensus is crazy power consumption.
Higher security or lower cost?
Note that we have two ways to use this 5-20 times increase in cost per unit security. One way is for block rewards to maintain the status quo and benefit from increased security. Another way is to maintain the current level of security and greatly reduce block rewards (that is, reduce the “waste” of the consensus mechanism cost).
Either way. I personally like the latter because as we will see below, a successful attack in a proof of stake can cause less damage and is easier to recover from an attack than a proof of work.
Proof of stake is easier to recover from an attack
In a proof-of-work system, if your chain suffers a 51% attack, what would you do? So far, the only way to respond in practice has been to “wait slowly until the attacker gets bored.” But this ignores a more dangerous attack called “spawn camping attack”. The attacker can attack the chain again, with the clear goal of making the chain unusable.
(Annotation: Rebirth point ambush is a game term. Ambush where the opposing player is killed and reborn, causing the opposing player to die as soon as he is reborn, without the ability to fight back.)
GPU-based systems have no defense at all, and an attacker who continues to attack can easily make a chain useless forever (or more practically, transfer to proof of rights or proof of authority). In fact, in the first few days after the attack starts, the cost of the attacker will become very low, and the honest miners will leave because they cannot obtain block rewards under continuous attack.
In ASIC-based systems, the community has a way to deal with the first wave of attacks, but subsequent attacks will become very easy. The community can hard fork to replace the proof-of-work algorithm after the first wave of attacks, that is, “brick” all ASICs (including ASICs of attackers and honest miners). But if the attacker is willing to bear the cost of bricking his own ASIC, the next situation is the same as that of the GPU (because there is not enough time to make and produce ASICs for the new algorithm), so the attacker can cheaply Continue to ambush the rebirth point.
Annotation: Turn bricks into electronic product slang, meaning that they cannot be used after damage, just like bricks.
In the case of proof of equity, the situation has become very cheerful. For some types of 51% attacks (especially the intention to overthrow the finalized block), the proof of stake consensus has a built-in “slashing” mechanism, and a large proportion of the attacker’s mortgage will be automatically destroyed (and will not be destroyed) To other people’s mortgage).
For other kinds of attacks that are more difficult to detect (especially 51% colluding to intercept other people’s information), the community can coordinate a “minority user-activated soft fork (UASF) initiated by a few users” , which can be destroyed in large quantities Attacker’s funds (in Ethereum, it can be done through “negative punishment for inactivity leak”). There is no need to take “hard fork removal of currency” measures. Except that UASF needs to manually coordinate which few blocks to choose, the rest are automated, as long as they are executed in accordance with the rules of the agreement.
Annotation: A minority block is a block determined by validators who have less than 51% of the total mortgage.
Therefore, the first attack on the chain will cost the attacker millions of dollars, and the community can gain a foothold in a few days. The second attack will still cost the attacker millions of dollars, because they need to buy new coins to replace the old burned coins. Attacking a third time will burn more millions of dollars. The situation is extremely asymmetric, and the advantage is not on the attacker’s side.
Proof of stake is more decentralized than ASIC
The GPU-based workload proves to be reasonably decentralized, because obtaining a GPU is not too difficult. However, as mentioned earlier, GPU-based mining cannot meet the criterion of “security under attack”. On the other hand, ASIC-based mining requires millions of dollars in capital (and if your ASIC is bought, most of the time, the manufacturer will take advantage of it)
This capital threshold will be the answer to the common argument that “Proof of Rights and Interests means that the rich get richer”: ASIC mining also makes the rich get richer, and in this situation, the rich have an advantage. The minimum mortgage threshold for proof of equity is relatively low, and many ordinary people have a better chance to enter.
(Annotation: Judging from the current price of 440 USD/ETH at the completion of the article, the minimum mortgage threshold is about 93,000 RMB.)
Furthermore, proof of rights is more resistant to review. GPU mining and ASIC mining are easy to detect. They require a lot of power consumption, expensive hardware purchases, and large factories. On the other hand, proof of rights can be run on a humble laptop, or even through VPN.
Proof of work possible advantages
I think PoW has two main advantages, but these advantages are actually quite restrictive.
Proof of equity is more like a “closed system”, in which wealth is more concentrated in the long run.
In proof of equity, if you have some coins, you can pledge those coins and get more coins of the same type. In proof of work, you can always get more coins, but you need some external resources to achieve it. Therefore, people would think that the distribution of proof-of-stake coins will be more concentrated in the long run.
My response is that in PoS, the reward is generally very low (so the validator’s profit will also be low). In eth2, we expect that the validator’s annual rate of return will be equivalent to ~0.5-2% of the total ETH supply. And more validators pledge, the interest rate will be lower. Therefore, it may take a century for the entire concentration of assets to double, and within this time span, other pressures to promote distribution (people want to spend their money, allocate assets to charity or their own Children and grandchildren, etc.) are more likely to prevail.
Proof of equity requires “weak subjectivity” and proof of workload does not.
For the concept of “weak subjectivity” you can read this original introduction. Essentially, the node goes online for the first time, or goes online again after being offline for a long time (several months). This node must use third-party resources to determine where the correct chain head is. This third party can be their friend, it can be an exchange or a blockchain browser, or the client developer itself, or another role. PoW does not have such a requirement.
However, this may be a weak requirement. In fact, users themselves must have this level of trust in the client developer, or “community”. At the very least, users must trust someone (usually a client developer) to tell them what the protocol is and what updates the protocol has undergone. This cannot be avoided in any software application. Therefore, the marginal trust cost of PoS is still very low.
But even if these risks will eventually occur, for me, the advantages of PoS systems still outweigh the disadvantages: higher efficiency, greater ability to respond to and recover from attacks.
Reference source:
Source link: vitalik.ca
