# PoS (proof of stake) via Andrew Poelstra

These are notes on the work of Poelstra [1]. He argues that Proof of Stake consensus methods are either not secure or require trust. Therefore Proof of Stake is not a secure distributed consensus algorithm, and therefore it should not be used in blockchains.

## Intro

- Bitcoin uses DMMS (Dynamic Membership Multiparty Signature)
- a DMMS must be costly to produce

## Distributed consensus

- distributed consensus is defined in the paper/post as "consensus between many mutually-distrusting parties who lack identities and were not necessarily present at the time of the set up"

## Dynamic Membership Multiparty Signature

- cryptography cannot distinguish between real and fake history, so there must be some party authenticating that history
- DMMS schemes differ from traditional signature schemes [there are costs, which are not present in traditional signatures]
- in a DMMS there is a cost to sign, and a DMMS is secure if the best algorithm is the defined one [i.e. you gain nothing by using any different algorithm]
- mining (as in BTC) is a DMMS [in the random oracle model]
- there is no universal time, so we cannot just order the transactions as they arrive
- in BTC the cost comes from the use of the hash function, which is a measure of the energy consumed (see [Lan61]). Therefore BTC's cost is scarce
- in BTC, divide the history into blocks; the chain of blocks [blockchain] with the highest cost is the true one. To change it, you need to produce a chain with higher cost
- are DMMS necessary to produce distributed consensus? Open problem

## Proof of Stake (PoS)

- PoS is a proof of ownership. To sign a block, i.e. to write the continuation of history, a user proves that he has locked up funds (in a bond). So instead of physical proofs, PoS-based blockchains use cryptographic proofs, i.e. the cost function measures the currency itself, which is not scarce. Therefore the DMMS of PoS _is not secure_: it is costless to produce a chain with higher cost, so this cannot work
- to solve the problem of the non-scarcity of the currency, some blockchains have introduced punishment. This does not solve the problem of time: a malicious actor can sign one block (first history), then move funds out of the bond after some time, then sign another block at the same height (second history). This also invalidates the idea of making bonds last several blocks
- if you implement _real block history is in line with real time_, then new users have to trust old users: this violates the definition of distributed consensus, i.e. PoS with this variation is not a distributed consensus algorithm

*Created on 2020-03-21*

[1] https://download.wpsoftware.net/bitcoin/pos.pdf
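The second bullet of the Proof of Stake section (punishment via bonds, and why it does not solve the problem of time) can be made concrete with a small model. The following is an added illustration written for these notes, not code from Poelstra's paper: a toy ledger with bonds, a lock-up period, and a slashing rule that can only take coins from a bond that still exists. The signer name, the amounts, the bond period and the block payloads are all constructed for the example. Block validity is checked against the stake recorded at the block's own height, as a verifier replaying history would do, which is exactly what lets a withdrawn bond still authorise a second block at an old height.

```python
"""Toy model of bonded proof-of-stake with slashing, illustrating why a
punishment that can only be taken from a live bond does not prevent a signer
from producing a second history after the bond has been withdrawn.
All names, amounts and the bond period are constructed for this example."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    height: int
    parent: str      # id of the previous block
    signer: str
    payload: str     # stands in for the block's transactions

    @property
    def id(self) -> str:
        raw = f"{self.height}|{self.parent}|{self.signer}|{self.payload}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


class StakeLedger:
    """Tracks free balances, live bonds, bond history and signed blocks."""

    def __init__(self, bond_period: int):
        self.bond_period = bond_period
        self.height = 0
        self.balances = {}       # signer -> free (unbonded) coins
        self.bonds = {}          # signer -> (amount, height bond was posted)
        self.bond_history = []   # (signer, start_height, end_height or None)
        self.signed = {}         # signer -> [Block, ...]

    def deposit(self, signer: str, amount: int) -> None:
        self.balances[signer] = self.balances.get(signer, 0) + amount

    def bond(self, signer: str, amount: int) -> None:
        if self.balances.get(signer, 0) < amount:
            raise ValueError("insufficient free balance")
        self.balances[signer] -= amount
        self.bonds[signer] = (amount, self.height)
        self.bond_history.append((signer, self.height, None))

    def unbond(self, signer: str) -> int:
        amount, since = self.bonds[signer]
        if self.height - since < self.bond_period:
            raise ValueError("bond still locked")
        del self.bonds[signer]
        self.balances[signer] += amount
        # Close the open history record so verifiers know when the stake ended.
        idx = next(i for i, (s, _, end) in enumerate(self.bond_history)
                   if s == signer and end is None)
        s, start, _ = self.bond_history[idx]
        self.bond_history[idx] = (s, start, self.height)
        return amount

    def advance(self, blocks: int = 1) -> None:
        self.height += blocks

    def bonded_at(self, signer: str, height: int) -> bool:
        """A verifier checks a block against the stake that existed at its height."""
        return any(s == signer and start <= height and (end is None or height < end)
                   for s, start, end in self.bond_history)

    def sign(self, signer: str, height: int, parent: str, payload: str) -> Block:
        if not self.bonded_at(signer, height):
            raise ValueError("signer held no stake at that height")
        blk = Block(height, parent, signer, payload)
        self.signed.setdefault(signer, []).append(blk)
        return blk

    def punish_equivocation(self, signer: str) -> int:
        """Slash the live bond if the signer signed two different blocks at one
        height. Returns the amount taken; 0 when there is no bond left to take."""
        by_height = {}
        for b in self.signed.get(signer, []):
            by_height.setdefault(b.height, set()).add(b.id)
        if not any(len(ids) > 1 for ids in by_height.values()):
            return 0
        amount, _ = self.bonds.pop(signer, (0, None))
        return amount


def equivocate_while_bonded() -> int:
    """Two histories at height 1 while the bond is live: slashing takes 100."""
    ledger = StakeLedger(bond_period=10)
    ledger.deposit("alice", 100)
    ledger.bond("alice", 100)
    ledger.advance()
    ledger.sign("alice", 1, "genesis", "history A")
    ledger.sign("alice", 1, "genesis", "history B")
    return ledger.punish_equivocation("alice")


def equivocate_after_unbond() -> tuple:
    """Sign history A, wait out the lock-up, withdraw, then sign history B at the
    same height. The second block still verifies (stake existed at height 1), but
    there is nothing left to slash. Returns (amount slashed, alice's free balance)."""
    ledger = StakeLedger(bond_period=10)
    ledger.deposit("alice", 100)
    ledger.bond("alice", 100)
    ledger.advance()
    ledger.sign("alice", 1, "genesis", "history A")
    ledger.advance(10)
    ledger.unbond("alice")
    ledger.sign("alice", 1, "genesis", "history B")
    return ledger.punish_equivocation("alice"), ledger.balances["alice"]
```

Running `equivocate_while_bonded()` returns 100, so the punishment works when the equivocation is caught while the bond is live. Running `equivocate_after_unbond()` returns `(0, 100)`: the conflicting block for height 1 is accepted by the stake check, the slashing rule finds nothing to take, and the signer keeps every coin. This is the point of the note: lengthening the bond period only delays the same outcome, and deciding between the two histories then requires some notion of real time that a newly joining node cannot verify on its own.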