
There are a lot of unsolved problems with Proof of Stake, despite what its proponents typically advertise, and many of them are believed by experts to be insurmountable.

For example, one problem with proof of stake is that private keys only have value while you still hold onto them. Once you sell your coins, your private keys are no longer worth anything, which means you could potentially even sell these keys to an attacker with no risk to yourself.

To an attacker, of course, they do have value: if someone can gather enough private keys together for a specific snapshot in time, they can create an alternate history.

Another big issue with proof of stake is that once you have a certain amount of stake, through diligence you are always guaranteed to preserve that amount of stake. And even further, if you are a validator who approves transactions, your permission is required when someone else wants to buy stake. An attacker who is able to gain enough stake to commit an attack for a short period of time can commit that attack forever.

With PoW, hashrate requires heavy ongoing electricity expenses. Getting to 51% does not mean that you will stay at 51%, and there's little you can do to stop someone else from buying more chips to push you back below 51%.

There are a lot of other fundamental issues with Proof of Stake, and a lot of good reason to believe that it will never be viable in the fully decentralized, fully trustless environment that bitcoin thrives in.



> if someone can gather enough private keys together for a specific snapshot in time, they can create an alternate history.

This only works for histories older than the account deposits for stakers, which will likely be 4-6 months. In other words, a person using ethereum's POS will need to turn on their computer once every 4-6 months to sync to the network, while stakeholders still have their deposits locked, to make this attack impossible. However, I agree this is less optimal than POW in a theoretical sense, but the issue is pretty negligible.

(For those interested in learning more about this line of argumentation and who want to understand why regular syncing to the network is needed to counter this attack, look up the term "weak subjectivity" on Google.)

> An attacker who is able to gain enough stake to commit an attack for a short period of time can commit that attack forever.

No, an attacker's addresses will be known and the protocol will slash their funds for most types of attack. In the cases of more difficult attacks that the protocol cannot slash for, the community can fork the network and exclude the attacker's accounts (something not possible in POW, where a miner staging an attack can switch addresses at will.)

The reverse is actually true: If there was a successful 51% attack against bitcoin, the hashrate would drop precipitously (since the value of the currency and mining profitability would drop) and hence the attacker's 51% would skyrocket to an even higher number immediately.

> a lot of good reason to believe that it will never be viable in the fully decentralized, fully trustless environment that bitcoin thrives in.

I'm pretty confident Bitcoiners will clamor for a POS algorithm in a few years, once it gets marginalized by POS coins. But you Bitcoiners are definitely welcome to hobble along with the status quo approach if you like :-)


> In the cases of attacks that the protocol cannot slash for, the community can fork the network and exclude the attacker's accounts […]

Forks are always possible, but they’re not the solution; they’re the problem that a blockchain tries to avoid in the first place, because they lead to the issue: which chain do we follow?

If the community were able to organize itself to reach consensus on a given transaction history, we wouldn't need a blockchain in the first place.


> Forks are always possible but, they’re not the solution

The argument is not that we would fork away attacks, the argument is that we can threaten forks to remove the incentive to attack in the first place.

> If the community were able to organize itself to reach consensus on a given transaction history, we wouldn't need a blockchain in the first place.

Well, the idea is that the community can't police every transaction, but they WOULD be able to give input once a year in an emergency situation. And we can show that these "emergency situations" would be infrequent (if they happen at all) due to the fact that an attacker will forfeit large amounts of money with every attack.


> In other words, a person using ethereum's POS will need to turn on their computer once every 4-6 months to sync to the network

That only works if you were already bootstrapped to the network. But if this is your first time joining the network, how can you tell?

Weak subjectivity more or less becomes a proxy for letting the major players decide. If your friend says that they've been on the chain for years and chain 'X' is the true chain, but blockchain.info is saying that chain 'Y' is the true chain, what happens? How can you tell if both seem valid? If a Proof-of-Stake system had an NYA-style agreement to perform a hardfork that benefits major players over individuals, would you be able to fight it?

I think it would be much harder in a Proof-of-Stake system than in a PoW system, because in PoW creating an alternate system costs hundreds of millions of dollars in electricity.

> an attacker's addresses will be known and the protocol will slash their funds for most types of attack

This only works if you can get a transaction through to prove on-chain that the attacker has been double signing. If you can't (which you won't be able to because the attacker has control), you can't slash their funds.

> If there was a successful 51% attack against bitcoin, the hashrate would drop precipitously

The hardware doesn't magically stop existing. It may turn off, but many miners have contracts with electrical companies that require them to use the electricity. But even with that aside, the hardware would merely turn off. Buy some more hardware, and then you can coordinate with the existing honest hardware to resume mining, now outnumbering the 51% attacker.

------------------

Another issue with PoS systems: they traditionally have very low participation rates. A 51% attack in a PoS system is often more like a 10% attack, because only 20% of the people are actually staking their coins anyway.

In a market as volatile as modern cryptocurrency (remains to be seen if volatility would drop), it's very expensive to stake your coins for 6 months in a row because that means you can't be doing any trading on those coins, or deploying them as any other form of capital.


All good counterpoints. Actually, I mostly agree with all of these points and they portray the issues in a fair way, so I won't comment any more and will let readers come to their own conclusions about which side has the strongest argument.


> If there was a successful 51% attack against bitcoin, the hashrate would drop precipitously

Is this really true? There are a ton of factors that mitigate the value/importance of a 51% attack:

1. You still can't spend other people's money. You spend your money twice. Your damage is limited to people who you've transacted with.

2. You can't arbitrarily rewrite history, you can really only play with very recent history. You have to pick a point that you're going back to, and the further back you go the harder it will be to catch up to the original chain. The smaller your margin over 50% the slower the catch-up will be.

3. You're out in the open. Let's say you have 51% power, you still will need hours or days to catch up to the original chain. In that time, people will be able to very clearly see what you are doing and can decide to blacklist your chain. White hats can also bring more computing resources online to make it even harder for you to catch up.

4. During your catch-up period, you need to be able to get your assets out of the blockchain. That's a very specific constraint. If you are trying to buy two boats with the same money, you need to get the first boat off the lot during the time between your first transaction and the moment your fork catches up to the original chain. If the seller of the first boat is watching the blockchain closely, they might even be alerted right when you fork the chain, before you've even caught up. You also need to prevent the seller of the second boat from figuring out what you're up to before you get the second boat off the lot.

5. You're still subject to all existing law enforcement. You still stole a boat.

So who's really at risk? Basically, people doing huge transactions purely within the crypto realm, where the assets can be cleared instantaneously. That's a fairly narrow segment of the market, and those people can use escrow services and other techniques to mitigate their double-spend risk.

Frankly, I think a 51% attack would increase Bitcoin's value, because everyone would see how little value it really gives the attacker. And we'd see all the mitigation strategies we have, which are many. It'd be like the DAO and Parity attacks on ETC, which only seem to have increased confidence, by showing how firewalled those thefts are, and educating people on the choices available to the network for mitigation.
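Points 2 and 3 above, as an added worked model that is not part of the original comment: a race in which the attacker holds a fraction q of the hashrate and forks z blocks behind the public tip. The Poisson block model, the 10-minute block interval and the function names are my assumptions, not the commenter's.

```python
# Added illustration for the "catch-up" argument: how long a >50% miner
# needs to overtake the public chain as a function of margin and depth.
# Assumptions (mine): each network block is won by the attacker with
# probability q, otherwise by honest miners; 10-minute block spacing.
import random

BLOCK_INTERVAL_MIN = 10.0  # assumed Bitcoin-like target block spacing


def expected_catchup_blocks(q: float, z: int) -> float:
    """Expected network-wide blocks until a private chain that forked z
    blocks behind the public tip is one block ahead of it.

    Per network block the deficit shrinks by q - (1 - q) = 2q - 1 on
    average, and the walk must cover z + 1 blocks (from z behind to
    one ahead), so the expectation is (z + 1) / (2q - 1)."""
    if not 0.5 < q <= 1.0:
        raise ValueError("a catch-up is only expected when q > 0.5")
    return (z + 1) / (2 * q - 1)


def expected_catchup_hours(q: float, z: int) -> float:
    """Same quantity in wall-clock hours at the assumed block interval."""
    return expected_catchup_blocks(q, z) * BLOCK_INTERVAL_MIN / 60.0


def simulate_catchup(q: float, z: int, rng: random.Random = None) -> int:
    """One Monte Carlo race: network blocks until the attacker leads by one."""
    rng = rng or random.Random()
    deficit, blocks = z, 0
    while deficit > -1:  # stop once the private chain is one block ahead
        blocks += 1
        deficit += -1 if rng.random() < q else 1
    return blocks


def mean_simulated_catchup(q: float, z: int, runs: int = 2000, seed: int = 1) -> float:
    """Average of many simulated races; should track expected_catchup_blocks."""
    rng = random.Random(seed)
    return sum(simulate_catchup(q, z, rng) for _ in range(runs)) / runs


if __name__ == "__main__":
    # A 51% miner undoing 6 confirmations needs ~350 blocks (~58 h);
    # the same depth at 60% takes ~35 blocks (~6 h).
    for q in (0.51, 0.55, 0.60, 0.75):
        for z in (1, 6, 24):
            print(f"q={q:.2f} z={z:>2}: ~{expected_catchup_blocks(q, z):8.1f} blocks"
                  f" = {expected_catchup_hours(q, z):7.1f} h"
                  f" (simulated mean {mean_simulated_catchup(q, z, 500):8.1f})")
```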


> if someone can gather enough private keys together for a specific snapshot in time

IIRC from the CASPER blog posts, the solution is simply to not let the validators reverse history beyond a certain point. I think that was about 2000 blocks or so. After that point a client won't accept an alternate history.

> An attacker who is able to gain enough stake to commit an attack for a short period of time can commit that attack forever.

Not necessarily. Again, with CASPER, an attacker who violates some of the consensus rules will lose their entire stake over time (heavy penalties), so behaving is the most profitable option. To misbehave means to burn a lot of cash.

Since CASPER is based on betting, an attacker may be able to temporarily censor a transaction, but they can't censor another validator who is honest without losing money in the process (they have to bet against and burn the money).

> a lot of good reason to believe that it will never be viable in the fully decentralized, fully trustless environment that bitcoin thrives in.

Honestly, it doesn't need to be. It just needs to be decentralized enough, trustless enough while also providing better value than bitcoin.


> IIRC from the CASPER blog posts, the solution is simply to not let the validators reverse history beyond a certain point. I think that was about 2000 blocks or so. After that point a client won't accept an alternate history.

This doesn’t solve the bootstrap problem: how do new clients know which fork to choose? PoS is an algorithm that takes a chain as input, and outputs who gets to build the next block. The problem, however, is deciding which chain to give this function as input in the first place — deciding who gets to mine the next block in a chain is fairly easy, agreeing on which chain to choose in the first place is the hard part.

> Not necessarily. Again, with CASPER, an attacker who violates some of the consensus rules will lose their entire stake over time (heavy penalties), so behaving is the most profitable option.

They will only lose their stake on a fork that includes the proof of their violation (because stakers have no incentive to include the proof in the chain they control). Which, again, brings us back to the initial issue: how do clients who want to join the network decide which fork to follow?


> This doesn’t solve the bootstrap problem: how do new clients know which fork to choose?

Google "weak subjectivity". In short: they don't. The user supplies initial consensus. It's also fairly okay if the clients come with a baked-in blockhash to start from; you only need to update that once every quarter or so to keep it current.

If an attacker would poison a chain, for example by censoring it, the network can fairly easily slash his stake (this is allowed as part of the protocol) and start a new chain. You only need to point the client at it.

That is, an attacker can only operate while they have both the proof-of-stake consensus and the social consensus. If they lose either, they lose everything.
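The weak-subjectivity argument above (a baked-in recent block hash, plus the earlier remark that clients won't accept reversions beyond a certain depth), as an added illustration that is not from any commenter: a toy fork-choice function showing which client is fooled by a long-range alternate history and which is not. The chain format, the names `choose_chain`, `fork_depth` and `extend`, and "longest chain" standing in for the protocol's real scoring rule are my assumptions.

```python
# Added example (not from the thread): a weak-subjectivity checkpoint as a
# fork-choice guard. Toy chain with hash links only; assumptions: a chain is
# a list of (height, prev_hash, hash), and 'longest chain' stands in for
# the protocol's own scoring rule.
import hashlib

GENESIS = "0" * 64

def block_hash(height: int, prev: str, payload: str) -> str:
    return hashlib.sha256(f"{height}|{prev}|{payload}".encode()).hexdigest()

def extend(chain: list, n: int, tag: str) -> list:
    """Return a copy of chain with n new blocks appended (payload tag+height)."""
    chain = list(chain)
    for _ in range(n):
        height = len(chain)
        prev = chain[-1][2] if chain else GENESIS
        chain.append((height, prev, block_hash(height, prev, f"{tag}{height}")))
    return chain

def fork_depth(local: list, candidate: list) -> int:
    """Number of the local chain's blocks the candidate would revert."""
    common = 0
    for a, b in zip(local, candidate):
        if a[2] != b[2]:
            break
        common += 1
    return len(local) - common

def choose_chain(candidates, checkpoint=None, local=None, max_reorg=None):
    """Longest candidate that passes the guards, or None if all are rejected:
    checkpoint=(height, hash) requires that exact block to be present;
    local + max_reorg rejects candidates that revert more than max_reorg blocks."""
    ok = []
    for c in candidates:
        if checkpoint is not None:
            h, expected = checkpoint
            if len(c) <= h or c[h][2] != expected:
                continue  # alternate history: the trusted block is missing
        if local is not None and max_reorg is not None and fork_depth(local, c) > max_reorg:
            continue  # reorg deeper than the finality window
        ok.append(c)
    return max(ok, key=len) if ok else None

# Constructed sample: an honest 100-block chain and a longer alternate history
# forked at height 10 (cheap to build once old staking keys are worthless).
HONEST = extend([], 100, "h")
ALTERNATE = extend(HONEST[:10], 120, "a")
CHECKPOINT = (90, HONEST[90][2])  # trusted (height, hash) handed to a new client
```

A first-time client with no checkpoint picks ALTERNATE (it is longer); the same client given CHECKPOINT picks HONEST, and a client already on HONEST with max_reorg=50 rejects ALTERNATE as a 90-block reorg.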


The criticisms in this post really make very little sense. What does it mean that "private keys only have value when you hold them"? Private keys are worthless; they only give you access to the wallets that they unlock.

Also, no, you are not guaranteed to stay at 51% forever. Vitalik has explicitly said that if a 51% attack happens, the community is expected to fork, and all of your funds will be isolated and slashed in the fork. If you want to attack again, you then need to collect another 51% of funds. This gets exponentially more difficult.


> What does that mean that "private keys only have value when you hold them."

What he's saying is that people would sell their old private keys and an attacker could then use these to create a fake history of stakers. The existence of this attack is a valid criticism against POS, though one that can be easily prevented by just syncing to the network at regular intervals.



