>I understand Proof of Stake to be much more centralized and prone to takeovers than proof of work. So if the merge ever actually happens, it would fix the energy consumption issue at the trade-off of security (staking, aka rich get richer).
The opposite is true, proof of work is hopelessly insecure and centralized. It's hopelessly insecure because resources needed to mine are external - so any attack by the only realistic adversary (i.e. a state) is always just a question of resources, and the most pessimistic cost is in low billions of dollars. Realistically - America could already 51% bitcoin by forcing regulations on existing miners for nearly zero cost.
It's also centralized because mining has infinite economies of scale. Bitcoin mining started with hobbyists mining on home PCs, now there are companies buying power plants just to mine. This only makes it easier for governments to control.
The only reason no big PoW coins were successfully attacked is because there's no clear motivation for anyone - nothing in the real world relies on any cryptocurrency to continue existing. The only realistic attack would be to try to exchange tokens on the attacked PoW network for tokens on another - which is easily done for low 9 figs, but becomes increasingly hard afterwards - making any attack uneconomical. On top of that there are legal issues - it's very possible a 51% double spending attack would be legally treated as theft.
This all changes completely the moment major countries and corporations go down if some blockchain goes down. Imagine Iran defaulting if bitcoin or Ethereum gets taken over in a 51% PoW attack, with all transactions from Iran addresses censored. It would be orders of magnitude cheaper than any serious military action. Fortunately for Iran and crypto holders that's not true. A significant adoption of a PoW network would end up in an inevitable disaster and potentially destroy any trust in cryptocurrencies forever.
Of all invented consensus methods only proof of stake can survive in a truly hostile environment. No government can print ETH at will to take over Ethereum, and stakers can easily stay anonymous, unlike massive corporate miners.
Bitcoin holders are very good at propaganda and pretending PoW is safe, which works as marketing, but wouldn't do anything against a real military incentive to take control over bitcoin.
>I'm much more bullish on Chia and proof-of-space/time
No, Chia has the same issue. Anything that relies on external resources as consensus votes is fundamentally insecure.
I think your comment would need to be five times as long to cover the attack surface and unknowns of a post-merge Ethereum PoS system.
Already custodied stake is centralized. In Ethereum today Infura could selectively withhold and distribute transaction data in a manner suitable to attack - with 64x the chain space, reliance on data providers, which are already highly centralized, increases.
In both scenarios the security comes from the motivation to not sully trust in the network you have invested so much to attack, so you are correct in pointing out how externalizing the work function provides a dangerous way in. The issue with PoS, of course, is that while the work function is insular, purchasing stake is not.
The only solution is to design a consensus that pays for the whole network (so Infura type entities are not necessary) and which always has a negative return on attack. The seed to achieving this is attaching work to every transaction, rather than every block. Saito goes further.
Infura is completely irrelevant as far as security goes, they have zero power to do anything related to consensus.
>The issue with PoS, of course, is that while the work function is insular, purchasing stake is not.
That's not the issue, that's the 'S' in PoS. Consensus partially breaks if a majority of stake is hostile (no imminent double spend risk unlike PoW, but may require a manually coordinated fork with a minority of validators). It breaks for 2/3 of hostile validators in the sense that new nodes would follow a different chain while the honest minority is building on its own fork.
Both failure modes require some manual coordination, but rather than successfully censor or steal, they create temporary chaos - at the cost of millions of ETH. It's impossible to even buy enough now, and any attack is self-extinguishing because the available supply shrinks.
Under PoW the failure mode is trivial and deadly. If the attacker owns a majority of hashrate he can censor anyone forever, including other miners. There's no real defense because there's no in-protocol way to delete the attacker's ASICs. Switching to a GPU PoW achieves nothing - because the only entity prepared for that would be the attacker itself - but it would be pointless in the more general sense, as nobody would ever trust PoW anyway, because the same attack can always be repeated. The issue is use of external resources not controlled by the protocol.
Attack from the state is one thing, infinite economies of scale is another. An entity controlling a majority can multiply its income by censoring everyone else. Eventually, everyone else mining at a loss disappears. Then they can only mine at a fraction of hashrate and instead of paying for energy, use a fraction of excess profits to buy more ASICs. In the case of any competitor they would turn all of them on again until the competitor gives up. This one is eventually inevitable, hard to say how soon.
These issues are completely unsolvable in PoW.
>so Infura type entities are not necessary
It's just an RPC - it's always necessary to answer queries and send transactions. At best it could work inside JS in MetaMask as a light node. The only theoretical attack Infura could do is lie about balances to someone, but the discrepancy would be detected and that would be the end of people trusting Infura (to report correct state).
Infura collects upwards of 80 percent of the fees that flow into Ethereum and is in a position to control exactly who participates profitably. If your solution is "minority will fork" the obvious question is surely "with what scalable infrastructure?"
Infura is not 'just an RPC.' It takes real economic output to do what Infura does and it's necessary for Ethereum to operate as well as it does today. If you force users to run their own lite nodes in their browsers they will simply leave; the alternative is that chain data interfaces centralize exactly as they have.
> Infura is completely irrelevant as far as security goes, they have zero power to do anything related to consensus.
Not directly, but the majority of data which ends up in block chains runs through Infura which accounts for transaction fees and affects the profits of miners. There are certainly levers to be pulled there. At the end of the day networking operations are important to security and therefore should be directly tied into consensus and the incentive system. That's why I bring up Saito, its work function is the quality of open networking provided.
As far as staking goes: stake isn't protected from custodial pools, it's already condensing in pools since people want to stake and can't afford 32 ETH. Not only does that defeat the purpose of having an arbitrary requirement, it incentivizes users to give up control of their keys.
Your failure condition for PoW is that someone eventually accumulates 51%, and you simply assume that it will happen. Convenient you get to ignore one of the best arguments for PoW, which is that sustainably mining, monopolizing mining, and centralizing the resources for profitable mining are all made extremely difficult by the distributed and remote nature of cheap energy. Scaling up with thin margins is not as simple as just buying another ASIC.
But just like in Ethereum's proposed PoS system, controlling a PoW network to the point of disaster does nothing but damage the attacker's own investment. The incentives are basically the same: extract as much value without going noticed. It's not great in either case.
Appreciate the enlightened discussion. It's in the spirit of crypto these systems are highly debated and it helps everyone get ahead and learn to participate in them.
While on the topic of Saito consensus and energy consumption, as far as I understand, it is far more energy efficient than both PoW and PoS without having to sacrifice security (or anything else) in the process.