[Cryptography] Proposal for a PoS blockchain

Phillip Hallam-Baker phill at hallambaker.com
Sun May 24 14:15:10 EDT 2020

There are two separate questions for 'securing blockchains'.

1) Can the chain be forked without this being noticed?
2) Does the scheme provide a basis for distributing new currency?

The second criteria is of course utterly unnecessary as far as the security
of the chain goes. But it is the governing concern for most people
developing 'blockchain' versions of what I call 'one way sequences'. It is
this bogus constraint that restricts selections to some form of 'proof of

If we focus on the security requirement alone it is pretty clear that
almost any scheme is sufficiently secure because Haber-Stornetta hash
chains are pretty much unbreakable to start with.

BitCoin cheats by making itself secure 'by definition'. Saying that the
longest chain is the right one makes the system impossible to attack by
definition. But if we reject that definition and instead ask 'what is the
work factor for unwinding the chain by n steps', the BitCoin algorithm
becomes hilariously weak when we attempt to use it outside BitCoin.

Consider the case in which Alice and Bob decide to create a private
'crypto-currency' just for themselves and a few hundred friends. Is this
secure? Of course not, lets say that they have ten million bucks in the
scheme and it is costing $100 to mint a new block. Mallet can come in and
unwind any transaction within ten cycles for a mere $1000. And within a
hundred for only $10K. A 51% attack is completely plausible against this

So contrary to the ideology, the algorithm is not secure in the slightest.
It is only the system that provides any security. But we are not allowed to
criticize the BitCoin system because that is only a proof of concept. It is
work in progress. It will evolve into something that is secure. It is too
soon to criticize the system after a mere ten years of operation. To
criticize people's religion is wrong. People who criticize BitCoin only
ever do so out of ignorance. Yada yada.

There is however one very simple step Alice and Bob could take that would
make their chain at least as secure as BitCoin's and that is to include the
BitCoin output into their chain every five blocks and to inject their
output into the BitCoin chain every five blocks. This effectively binds the
two chains together and neither can defect without this being noticed
within five steps.

But at this point, there is no need for Alice and Bob to bother with proof
of waste at all. They sign their output with a signature key every step.
They are (mostly) free riding on BitCoin's work factor. They can however be
caught out if they are found to have signed two different chain values for
the same point in time. And if they ever start doing that, they have to
continue maintaining both forks forever.

Now imagine that we take this to the limit and we have a hundred similar
chains all interlinked and all ultimately free riding on BitCoin's proof of
work and we take BitCoin away. What is the work factor then?

Point is that it is not zero. It is only possible for one of these chains
to defect if they can somehow persuade all the rest to defect. And these
defections are visible and auditable. Anyone who can publish two
inconsistent signed outputs for the same output index can prove that a
notary defected.

So I conclude that proof of work/waste/stack etc. are unnecessary for
'security'. Their only real purpose is to provide a means of enriching some
people by allocating what they imagine to be 'currency'.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20200524/1dd4e676/attachment.htm>

More information about the cryptography mailing list