# Andrew Poelstra (2015)

###### tags: `PoS`, `security`, `stake-grinding`, `long-range`, `axel`

## Summary

To ensure token ownership, Bitcoin uses a Dynamic Membership Multiparty Signature (DMMS) system implementing proof-of-work, in which a fraudulent digital signature cannot be forged by an adversary except with extreme luck. This is what makes it secure, though energy-hungry.

There is no well-defined clock time in a distributed system because of network latency and the arrival of new users. Establishing one has not been done yet, though it would create many new possibilities.

Given a DMMS, it is possible to create a distributed consensus, Bitcoin being the existing proof of this statement. But can a distributed consensus be achieved without a DMMS?

In proof-of-stake, the blockchain history can be cheaply created by a party (this is called “costless simulation”), so such a party can create multiple blockchains and select the one that favors it. This is called stake-grinding, or a short-range attack. Furthermore, as there is no universal time, there is no way to differentiate users who are “now” holding the currency from users who “were” holding the currency. In the end, the incentive to be honest only exists until the stakeholders move their coins. Within this cheap-history system, there can also be long-range attacks, which aim at rewriting the blockchain from its first block onward. Also, even without being attackers, the signers who extend the history at every point have an incentive to direct it toward one in which they have more stake.

To conclude, by depending only on resources within the system, proof-of-stake cannot be used to form a distributed consensus, since it depends on the very history it is trying to form to enforce loss of value.

## Comments

This paper is much more serious than the previous one, and it is still quite relevant today, as the problems it addresses are still being studied. The security limits of proof-of-stake are well defined here.
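As an added illustration of the costless-simulation and stake-grinding point in the summary above (this is not code from the paper or from the page), a toy Python model: a signer enumerates alternative blocks on the same parent at no cost, and a leader-selection rule that mixes in signer-chosen data lets a minority stakeholder pick the variant that makes them the next leader, while a rule that chains only from a committed seed leaves one outcome. The stake distribution, names and seed rules are constructed assumptions.

```python
import hashlib

# Constructed toy stake distribution for illustration only.
STAKE = {"alice": 60, "bob": 30, "carol": 10}


def leader_from_seed(seed: bytes) -> str:
    """Choose the next signer with probability proportional to stake."""
    total = sum(STAKE.values())
    r = int.from_bytes(hashlib.sha256(seed).digest(), "big") % total
    for name, weight in STAKE.items():
        if r < weight:
            return name
        r -= weight
    raise RuntimeError("unreachable: r is always below total")


def grindable_seed(prev: bytes, signer: str, nonce: int) -> bytes:
    """Weak design: the seed mixes in a field the current signer chooses freely."""
    return prev + signer.encode() + nonce.to_bytes(4, "big")


def committed_seed(prev: bytes, signer: str, nonce: int) -> bytes:
    """Mitigation: the seed chains only from the previous seed; block contents are ignored."""
    return hashlib.sha256(b"seed|" + prev).digest()


def simulate_alternatives(seed_fn, prev: bytes, signer: str, attempts: int = 1000) -> dict:
    """Costless simulation: build many alternative blocks on one parent and tally
    who would lead next. Unlike a PoW nonce search, none of this costs work."""
    tally: dict = {}
    for nonce in range(attempts):
        nxt = leader_from_seed(seed_fn(prev, signer, nonce))
        tally[nxt] = tally.get(nxt, 0) + 1
    return tally


def grind_for_self(seed_fn, prev: bytes, signer: str, attempts: int = 1000):
    """Return the first block variant (nonce) that makes `signer` next leader, or None."""
    for nonce in range(attempts):
        if leader_from_seed(seed_fn(prev, signer, nonce)) == signer:
            return nonce
    return None


if __name__ == "__main__":
    parent = hashlib.sha256(b"genesis").digest()
    # carol holds 10%: under the grindable rule she finds a self-favoring variant
    # almost surely; under the committed rule every variant yields one leader.
    print("grindable:", simulate_alternatives(grindable_seed, parent, "carol"),
          "nonce:", grind_for_self(grindable_seed, parent, "carol"))
    print("committed:", simulate_alternatives(committed_seed, parent, "carol"),
          "nonce:", grind_for_self(committed_seed, parent, "carol"))
```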