They just released the fourth proof of concept for proof of stake, they've simplified the design so it's not much more complicated to implement than proof of work, and they've got some formal proofs of its properties. They're also working on a PoC for the initial sharding design. Here's the latest dev roundup:
In the blog post[1], on which Casper PoC4[2] is based, Vitalik writes:
> Accountable safety is what brings us this idea of “economic finality”: if two conflicting hashes get finalized (ie. a fork), then we have mathematical proof that a large set of validators must have violated some slashing condition, and we can submit evidence of this to the blockchain and penalize them.
Why would the validators, who decide what goes into blocks, willingly include a proof that they have cheated?
As far as I can see, these proofs must be communicated out-of-band (not through the blockchain) by nodes, since no validator would ever incriminate itself by including a proof that it has cheated.
How do nodes coordinate this, and come to agreement on which chain is the right one?
I'm not sure but I think that (a) it does you no good to put your cheats only on your own node, they need to be public to give you a chance of profiting, and (b) therefore other staking nodes will see them, and can include them in the blocks they produce. They could even get rewarded for that.
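As an added example, not code from the thread or from any Casper implementation: the check a node could run over the votes it has observed to produce the evidence discussed above. It assumes the two slashing conditions from the Casper FFG paper (a validator must not publish two distinct votes for the same target height, and must not publish a vote whose source/target span surrounds another of its votes); validator names and sample votes are constructed.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Vote:
    validator: str   # identifier of the signing validator (constructed)
    source: int      # height of the justified source checkpoint
    target: int      # height of the target checkpoint; assumed source < target
    target_hash: str # hash of the target checkpoint (constructed placeholder)


def slashable_pair(a: Vote, b: Vote):
    """Name the violated slashing condition for two votes by one validator, else None."""
    if a.validator != b.validator or a == b:
        return None  # different signers, or the same vote seen twice: not evidence
    # Condition 1: two distinct votes for the same target height (a "double vote").
    if a.target == b.target:
        return "double_vote"
    # Condition 2: the vote with the higher target strictly surrounds the other one,
    # i.e. hi.source < lo.source < lo.target < hi.target.
    lo, hi = (a, b) if a.target < b.target else (b, a)
    if hi.source < lo.source and lo.target < hi.target:
        return "surround_vote"
    return None


def find_slashing_evidence(votes):
    """Group votes by validator and return every (validator, condition, vote, vote) pair."""
    by_validator = {}
    for v in votes:
        by_validator.setdefault(v.validator, []).append(v)
    evidence = []
    for vid, vs in by_validator.items():
        for a, b in combinations(vs, 2):
            cond = slashable_pair(a, b)
            if cond:
                evidence.append((vid, cond, a, b))
    return evidence


# Constructed sample: v1 double-votes at height 1, v2's (1->4) surrounds its (2->3),
# v3 votes honestly along one chain.
SAMPLE_VOTES = [
    Vote("v1", 0, 1, "A"), Vote("v1", 0, 1, "B"),
    Vote("v2", 1, 4, "C"), Vote("v2", 2, 3, "D"),
    Vote("v3", 0, 1, "A"), Vote("v3", 1, 2, "E"),
]

if __name__ == "__main__":
    for vid, cond, a, b in find_slashing_evidence(SAMPLE_VOTES):
        print(vid, cond, a, b)
```

Each returned tuple is exactly the kind of self-contained proof the thread describes: two signed votes from one validator that cannot both be honest, which any node can verify and forward regardless of which fork it follows.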
Last time the Casper fork was discussed on HN I read through a very long and very dense document only to find out that Vitalik, or someone similar, had a key that decided which blocks were genuine, in case of dispute. I take it that design has not changed? In that case I am surprised the design could not be simplified further.
How do nodes choose which fork — past the latest checkpoint — to view as the main chain?
E.g. let’s say I take the main chain, go back to the first block past the latest checkpoint, and remove the competing staking-transactions so that only my staking-transaction is present in that block. Then I build on top of this, without competition, because I can selectively remove competing staking transactions simply by constructing new blocks that don’t contain them.
Let’s say hundreds, or thousands, of stakers do this. How do nodes decide which chain is the right one?
If I understand this right, in Casper the right chain is the one in which the least stake is destroyed. In one version, stakers are heavily penalized for going offline, so the chain you describe would destroy a fair amount of stake.
This is Vlad Zamfir's version; Vlad is the lead Casper researcher, and takes a more long-term theoretical approach, while Vitalik is more focused on near-term practicality. Vitalik's version doesn't penalize dropping offline as heavily; I don't know whether there's some other mechanism to cover this, or he just thinks a lighter penalty is sufficient.
Thanks for the question! Until now I didn't realize the reason for the offline penalty.
That was a bit tongue in cheek, it's probably the Foundation. The documentation doesn't specify really how it's done, only that the nodes "authenticate out of band" to determine state when necessary.
There's no key with special privileges. You're probably remembering "weak subjectivity," which is basically an acceptance of things like publicly known checkpoints every now and then. Anyone who's online continually doesn't need to rely on a checkpoint, but in PoS someone new coming in would need it...but this isn't all that different from needing to find out what software they need to run. E.g. Vitalik writes:
"It solves the long-range problems with proof of stake by relying on human-driven social information, but leaves to a consensus algorithm the role of increasing the speed of consensus from many weeks to twelve seconds and of allowing the use of highly complex rulesets and a large state. The role of human-driven consensus is relegated to maintaining consensus on block hashes over long periods of time, something which people are perfectly good at. A hypothetical oppressive government which is powerful enough to actually cause confusion over the true value of a block hash from one year ago would also be powerful enough to overpower any proof of work algorithm, or cause confusion about the rules of blockchain protocol."
How do you know which checkpoints to trust, unless they are signed?
And if you have trusted checkpoints I fail to see the point of proof-of-stake (or proof-of-anything really). Just call every block a checkpoint and you're done.
Any remaining use cases probably center around availability, but we know how to build highly available systems and can build them to any degree. Trustless and decentralized systems are much harder.
https://blog.ethereum.org/2017/10/09/roundup-6/