# PoS (proof of stake) via Andrew Poelstra

These are notes on the work of Poelstra[1]. He argues that Proof of Stake
consensus methods are either not secure or require trust. Therefore Proof of
Stake is not a secure distributed consensus algorithm, and therefore it should
not be used in blockchains.

## Intro
- Bitcoin uses DMMS (Dynamic Membership Multiparty Signature)
- DMMS must be costly to produce

## Distributed consensus
- Distributed consensus is defined in the paper/post as "consensus between
  many mutually-distrusting parties who lack identities and were not necessarily
  present at the time of the set up"

## Dynamic Membership Multiparty Signature
- Cryptography cannot distinguish between real and fake history, so there must
  be some party authenticating that history
- DMMS schemes are different from traditional signature schemes [there are
  costs, which are not present in traditional signatures]
- In DMMS there is a cost to sign, and a DMMS is secure if the best algorithm is
  the defined one [i.e. you gain nothing by using any different algorithm]
- Mining (as in BTC) is a DMMS [in the random oracle model]
- There is no universal time, so we cannot just order the transactions when they
  arrive
- In BTC the cost comes from the use of the hash function which is a measure of
  the energy consumed (see [Lan61]). Therefore, BTC's cost is scarce
- In BTC, divide the history in blocks; the chain of blocks [blockchain] with
  the highest costs is the true one. To change it, you need to produce a chain
  with higher costs
- Are DMMS necessary to produce distributed consensus? Open problem

## Proof of Stake (PoS)
- PoS is a proof of ownership. To sign a block, which is needed to write the
  continuation of history, a user proves that he has blocked the funds (in a
  bond). So instead of physical proofs, PoS-based blockchains use cryptographic
  proofs
- The cost function measures the currency itself, which is not scarce. Therefore
  the DMMS of PoS _is not secure_: it is costless to produce a chain with higher
  cost; this cannot work
- To solve the problem of non-scarcity of the currency, some blockchains have
  introduced punishment. This does not solve the problem of time: a malicious
  actor can sign one block (first history), then move funds out of the bond
  after some time, then sign another block at the same height (second history).
  This also invalidates the idea of making bonds last several blocks.
- If you implement _real block history is in line with real time_, then new
  users have to trust old users: this violates the definition of distributed
  consensus, i.e. PoS with this variation is not a distributed consensus algorithm
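
The punishment bullet above can be made concrete with a small model. This is an added example, not code from Poelstra's paper or from any blockchain. `BondLedger`, `SignedBlock` and `scenario` are hypothetical names, and an HMAC stands in for a real signature scheme. It shows that the double-signing evidence is equally valid in both orderings, but there is only something to slash while the bond is still locked.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class SignedBlock:
    validator: str
    height: int
    parent: str   # which history this block extends
    sig: str

def sign_block(key: bytes, validator: str, height: int, parent: str) -> SignedBlock:
    # Assumption: HMAC-SHA256 stands in for a signature. One call is the whole
    # cost of "signing", which is the page's point about PoS being costless.
    msg = f"{validator}|{height}|{parent}".encode()
    return SignedBlock(validator, height, parent,
                       hmac.new(key, msg, hashlib.sha256).hexdigest())

def verify(key: bytes, b: SignedBlock) -> bool:
    expected = sign_block(key, b.validator, b.height, b.parent).sig
    return hmac.compare_digest(expected, b.sig)

def is_equivocation(key: bytes, a: SignedBlock, b: SignedBlock) -> bool:
    # Same validator, same height, two different histories, both validly signed.
    return (a.validator == b.validator and a.height == b.height
            and a.parent != b.parent and verify(key, a) and verify(key, b))

class BondLedger:
    def __init__(self):
        self.bonds = {}
    def lock(self, validator: str, amount: int) -> None:
        self.bonds[validator] = amount
    def withdraw(self, validator: str) -> int:
        return self.bonds.pop(validator, 0)
    def slash(self, key: bytes, a: SignedBlock, b: SignedBlock) -> int:
        # Punishment can only destroy what is still locked in the bond.
        if not is_equivocation(key, a, b):
            return 0
        return self.bonds.pop(a.validator, 0)

def scenario(withdraw_before_second_signature: bool):
    key = b"constructed-demo-key"          # constructed sample value
    ledger = BondLedger()
    ledger.lock("V", 100)
    first = sign_block(key, "V", 10, "history-A")
    if withdraw_before_second_signature:
        ledger.withdraw("V")               # funds leave the bond "after some time"
    second = sign_block(key, "V", 10, "history-B")
    evidence_valid = is_equivocation(key, first, second)
    return evidence_valid, ledger.slash(key, first, second)
```
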


*Created on 2020-03-21*

[1] https://download.wpsoftware.net/bitcoin/pos.pdf