POW vs. POS: A comparison of security costs in open distributed ledger protocols

Paul Sztorc recently argued on his blog that there is no way to decrease the cost of securing an open consensus protocol [1] below the costs of the work in Proof of Work.


Any analysis of a system requires one (or more) functional outputs that are supposed to be maximized

The overall argument here is that we need to agree on a common functional output in order to compare the amount of work wasted in POW vs POS/DPOS consensus systems. I suggest security as this functional output and argue than that POS/DPOS can require less work than POW to achieve the same amount of security although this is hard to estimate or even measure.

I agree with Paul that no „work independent“ protocol is possible in so far as security and decentralization are always costly and costs sometimes are hidden (as voter attention cost in DPOS for example). I am glad he made that point as it helps to compare (incentive) systems in terms of hidden and obvious costs. I don’t agree though that the work/cost to reach a given level of security is the same with every consensus system.

The first important point to make is that if you say „all consensus systems waste the same amount of work“ (which Paul does) you will have to say to what end if the hypothesis should have any significance. Otherwise it would be like saying an aircraft wastes as much energy as a car without adding „in order to travel the same distance“. What follows from this is that any discussion based on the assumption that POW could only be attacked by buying hashing power is pointless. A security centered discussion would have to compare the least expensive ways to attack the different consensus protocols.


Design goals apart from security?

I feel like I am forcing the purpose of security onto this discussion but I don’t see any other purpose of a consensus mechanism than making transaction history revisions impossible respectively as costly as possible (apart form speed, distribution of control and scalability. In non of these three parameters POW has an advantage). Paul writes:

Blockchain security is not the main function of Bitcoin’s PoW. Instead, PoW serves to delay the release of the coins such they they are still cheaply available when potential-network-joiners first discover the project (what some complain as today’s problematic “dumping” by miners).

It is right that initially the delayed release of coins was helpful for marketing. But that was only as long as mining attracted owners of consumer grade mining equipment who did not have access to subsidized industrial grade electricity. Nowadays new bitcoins are only distributed to big mining farms and such a coin distribution scheme does not help to make more people aware of and use Bitcoin. Now the argument could be made that such a delayed coin distribution helps to keep the Bitcoin price low (as it constitutes constant sell pressure) but the price of bitcoin and all crypto currencies is so relative that this argument also doesn’t make much sense.

But the important point here is to not confuse the delayed release of coins with the consensus mechanism (POW in this case). It is entirely possible to combine POS/DPOS with any kind of delayed release of coins / inflation schedule. So delayed coin distribution / inflation over time can not be a reason to choose POW.


Security considerations under the assumption of buying hashing power to attack POW

So let’s look at the the security implications of this discussion, assuming the easiest way to attack a POW network would be to buy hashing power which is the most favorable assumption for POW (see below). More specifically I will show why work, more specifically the money spent on mining rigs and electricity in POW, to gain x percent of hashing power in a POW system is unlikely to buy x percent in a POS/DPOS network:

Assuming a bribe attack on a DPOS network, the opportunity costs of a delegate associated with loosing his reputation are multiplied by the number of contexts and business opportunities in which a delegates makes use of the same reputation that is used to attract and retain votes in a DPOS system. There can be many such contexts: other areas of business, general social reputation. One can profit from the same reputation (tied to the respective individual / company) in various business / social contexts. So the attacker would have to take on all the opportunity costs of all the businesses of all delegates where they utilize that reputation. I consider this argument valid but there is a counterargument which weakens it partly: Someone that highly depends on his/her reputation has the cost of potentially decreasing this reputation globally if the delegate node proves unreliable or appears to be untrustworthy. This would not allow entities that highly depend on their reputation to run a delegate node. This could be the case because the delegate node ends up producing blocks on a minority chain or because there might be a malicious employee in your company in case you run your delegate as a company. But it seems rather theoretical since there are worse things employees can do to wreck your reputation.

A similar argument can be applied to POS – this applies to DPOS and POW only if the delegate/miner holds stake/coins –  where the opportunity costs of a loss in value of stake/coins for stake/coin-holders gives an incentive to the block producers to be honest and would therefore be a cost to the attacker.

In case of a bribe attack on a DPOS network the following additional costs apply: If delegates assume that it will be unlikely to get 50% of delegates to collude the attacker faces another cost which is the mental cost for delegates to calculate the overall profit of an anyway unlikely event. This is the more effective the higher the number of delegates is who the attacker would need to bribe. This doesn’t equally apply to POS and POW, as both suffer from centralization of block producers because of economies of scale. In contrast DPOS allows for a fixed number of block producers. BitShares which uses DPOS has 100 delegates at the moment which are operated by roughly 70 unique individuals. Under those circumstances an attacker would have to bribe at least 35 individuals to gain 50% control of the network as compared to 3 mining pool operators (at the moment: AntPool, BitFury and F2Pool) which control more than 50% of the mining power for Sha256 hashing (date: 8/7/2015) which brings us to practical security considerations.


Security considerations in practice

Overall the above is an „academic exercise“ in so far as such an analysis ignores what the least expensive way to attack a POW network would be and assumes that the only way to subvert a POW network is to buy the hashing power. The other option would be to bribe miners or more simply mining pool operators, of which exist about a hand full that control the majority of the mining power for Sha256 / Bitcoin. This would be far less expensive than bribing delegates (DPOS) or forgers (POS) and most likely also cheaper than „malicious campaigning“ attacks in a DPOS system, especially if market capitalization / maturity of ecosystems are comparable. Mining pool operators are few, have no stake in the network (as compared to POS) and have made a commitment to miners and not to Bitcoin holders respectively the Bitcoin network. One counterargument would be that miners (in order to protect their mining business which depends on the price of the native token (e.g. bitcoin) which would go down in case of a prolonged attack) would quickly change to honest pools in case of an attack. The same re-balancing mechanism would apply to DPOS where stakeholders would vote out dishonest delegates in case of a bribing attack. This though does not defeat the point that it would be easier to bribe mining pool operators in the first place.
Another practical and even less expensive attack on a POW network would be to set up a pool that pays miners more than other pools and attack the network when the pool has reached 51% of all hashing power. This is analogous to vote buying in a DPOS system with the difference that the stake miners have in the Bitcoin ecosystem is not as high and not as direct as stakeholders do in the respective DPOS ecosystem. Such a „generous pool“ attack could either be done by telling everyone in advance that the reason this pools pays considerably more is a future attack which would make it more likely that miners would stay in the pool during and after the attack or without talking about the purpose of such a well paying mining pool which might bring miners on more quickly.

The POW vs. DPOS security discussion can be summarized with the following scheme:

Mining pool operators have the same potential as delegates and stakeholders the same potential as miners to harm the network. Mining pool operators can be replaced by miners, like delegates can be replaced by stakeholders.

There are two kinds of efficient attacks that apply to POW and DPOS:
(1) „Malicious campaigning“: A mining pool can attract miners only in order to attack. Equally a delegate can attract stakeholder votes only in order to attack.
(2) „Bribing“: One can try to bribe mining pool operators and delegates – there is the same potential for harm in both cases. In both cases stakeholders respectively miners can switch delegates respectively mining pools if the bribe attack becomes apparent.

The differences are:
(a) There are more delegates to bribe or campaign for than there are mining pools.
(b) Delegates have made a commitment to work in the interest of stakeholders whereas mining pool operators work in the interest of miners who’s first interest is not necessarily the health of the Bitcoin network.

Regarding DPOS specifically Paul argues that voting is not „capitalisitic“ in that no capital can be gained and none can be lost when voting thus not giving stakeholders the incentive to invest enough effort and time into voting which results in a sub optimal voting outcome. Paul writes: „DPoS, like all voting, is not capitalistic. Capitalism is not about ‚one dollar, one vote‘, it is instead ‚one dollar risked, one vote‘.“ I totally agree with the conclusion that there is a tragedy of the commons issue at play here. On the other side I consider it „good enough“ like shareholder voting in publicly traded companies which suffers from the same problems, as pointed out by Paul, but works good enough for companies to manage (the owners vote for executives which then make operational decisions) to successfully compete with companies where the owners are the same individuals as those in control of the company’s operations. Also there is the remedy of setting a proxy that votes for a stakeholder.

There are other security considerations for POS systems like long ranging nothing at stake attacks but those have been widely discussed with the conclusion that open consensus processes finally rest on social consensus which also applies to Bitcoin like the recent block size debate shows.

[1] Open consensus protocol here implies that participation in the consensus process is open to anyone that can prove some objective / measurable resource (hashing power in POW, stake in POS, stakeholder votes in DPOS).