Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: koubiac on March 30, 2015, 02:42:12 PM



Title: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on March 30, 2015, 02:42:12 PM
neucoin.org/en/whitepaper

Facts:
  • PoW mining is an incredibly inefficient way of processing transactions. Bitcoin miners earn roughly $1 million per day for processing just 100,000 transactions - $10 each.
  • An oligopoly of corporate miners has taken control of the Bitcoin network - decentralization is gone.
  • Bitcoin holders are reluctant to debate competitive alternatives to PoW such as PoS and trusted nodes (like Ripple, despite its nearly $1B market cap).

Myth: there is “nothing at stake” in PoS, or in other words, since PoS mining doesn’t consume outside resources, it’s costless for attackers to keep trying to modify transaction history until they succeed. The truth is that PoS security does have a cost: the capital cost of acquiring and holding coins. And the actual probabilities of “until they succeed” have never been mathematically analyzed.

Folklore: Poelstra’s paper Distributed Consensus from Proof of Stake is Impossible. The author even admits in his own conclusion: “there is no rigorous argument that it is impossible to obtain a distributed consensus without provably consuming some resource outside the system.”

The NeuCoin Project’s 39-page white paper mathematically demonstrates how PoS can maintain consensus and defeat all attack vectors - including grinding, history revision and pre-programmed attacks. Bounties for anyone who points out flaws in the paper.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: herzmeister on March 30, 2015, 03:12:16 PM
So instead of a cartel of miners you'll get a cartel of crypto-banks and exchanges with lots of coins in their cold wallets for which they'll additionally earn interest, without having to reinvest in new generation hardware. MtGox would have dominated a PoS-version of Bitcoin quite exclusively back then.

Not that I know of any better solution, concentration of wealth and power seems to be a general problem inherent in capitalism, or possibly even any imaginable form of human society.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Kazimir on March 30, 2015, 03:38:56 PM
You don't get it. Bitcoin mining is supposed to be inefficient. Therein lies the very core of its trustworthiness.

See Andreas Antonopoulos explain this (https://www.youtube.com/watch?v=lIgjogLipvk&t=33m41s) very clearly in a few minutes.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 30, 2015, 03:48:23 PM
MtGox would have dominated a PoS-version of Bitcoin quite exclusively back then.

Centralized exchanges is so 2014...


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on March 30, 2015, 03:51:29 PM
Debate going on right now on Reddit:
Jeff Garzik arguing against PoS

http://www.reddit.com/r/Bitcoin/comments/30t3k4/proofofstake_is_more_decentralized_efficient_and/


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 30, 2015, 03:52:01 PM
You don't get it. Bitcoin mining is supposed to be inefficient. Therein lies the very core of its trustworthiness.

Who supposed that? Satoshi? No, he was making excuses on that part telling that mining will migrate to cold countries and will be used for heating. So, if the creator didn't suppose mining to be inefficient, then maybe PoW-evangelists are just biased because of holding a lot of BTC?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 30, 2015, 03:53:40 PM
Debate going on right now on Reddit:
Jeff Garzik arguing against PoS

http://www.reddit.com/r/Bitcoin/comments/30t3k4/proofofstake_is_more_decentralized_efficient_and/

Who will pay attention to words of someone who vouches for centralization by endorsing FinCEN regulation and launching a project that will allow USA govt to control Bitcoin satellite traffic?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: DannyHamilton on March 30, 2015, 04:23:41 PM
- snip -
I just don't think Satoshi expected people to build multi million dollar mines.

Interesting.

Let's see what Satoshi himself had to say about that:

(Emphasis in bold added by me)

- snip -
I anticipate there will never be more than 100K nodes, probably less.  It will reach an equilibrium where it's not worth it for more nodes to join in.  The rest will be lightweight clients, which could be millions.

At equilibrium size, many nodes will be server farms with one or two network nodes that feed the rest of the farm over a LAN.

- snip -
If the network becomes very large, like over 100,000 nodes, this is what we'll use to allow common users to do transactions without being full blown nodes.  At that stage, most users should start running client-only software and only the specialist server farms keep running full network nodes, kind of like how the usenet network has consolidated.
- snip -

The current system where every user is a network node is not the intended configuration for large scale.  That would be like every Usenet user runs their own NNTP server.  The design supports letting users just be users.  The more burden it is to run a node, the fewer nodes there will be.  Those few nodes will be big server farms.  The rest will be client nodes that only do transactions and don't generate.
- snip -


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: manselr on March 30, 2015, 04:41:28 PM
You don't get it. Bitcoin mining is supposed to be inefficient. Therein lies the very core of its trustworthiness.

See Andreas Antonopoulos explain this (https://www.youtube.com/watch?v=lIgjogLipvk&t=33m41s) very clearly in a few minutes.

This. For some reason people can't get their heads around the fact the difficulty levels are good and it's what makes the network bulletproof. I would rather trust POW than POS distribution..


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on March 30, 2015, 05:36:02 PM
I've skimmed over the paper.

I don't quite understand the
claims of reducing the effectiveness of grinding attacks.

To quote the paper:

Quote
The first step of the grinding attack is for the attacker to generate blocks in order to gain
in sequence over and eventually control the stake modifier. This step takes time and causes the
attacker to accumulate a significant lag behind the main chain. The process of gaining control of the
stake modifier is very technical, difficult to express and difficult to follow.
But the details do not matter. The only important takeaway is that
the process takes a significant amount of time (at least hundreds of minutes).

Why does this process have to take "at least hundreds of minutes" when the block time
of this coin is 1 minute?  The paper says it's very technical and it doesn't matter
but I think it does matter since it's at the heart of the matter here.

They should be able to explain in plain English and clear terms why
their design would necessitate a long lag in creating a false chain.

They seem to be saying that there is some kind of prohibition:

Quote
During the first 200 minutes (the first modifier interval) of the attack, the attacker
cannot grind through stake modifiers. He must use the stake modifier that was seeded
from blocks from the main chain over the preceding selection interval (1.6 day, or ∼ 2250
minutes).

But none of these time intervals happen in real time or matter to the attacker
in a PoS.  They can all be spoofed...You can always broadcast a false chain
and that has always been the problem with PoS.

(Only PoW is resistant to time manipulations because it takes real time
to do the work.)

Can someone explain to me what is really new here?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: BusyBeaverHP on March 30, 2015, 06:50:49 PM
I have an un-addressed concern regarding PoS, and it's not consensus nor any kind of attack vector, it's a question of economic incentives to distribute the coins.

With PoS, coins are created by owning coins. If I owned 51% of the coins, where is the incentivization for me to distribute the coins in a fair manner, instead of sleeping on top of my loot like Smaug while all the suckers spend their money? Over time, I would actually own more of the PoS coin economy by just passively printing money, while everyone else spends it, by virtue of inflation.

This isn't a hypothetical problem, it's real because exchanges essentially are printing their own money with PoS coins in this case. Just-Dice is a pretty good example of this.

In PoW, the miners' hands are forced to give up the coins by means of competition and resource expenditure, thus a good portion of the coinbase reward are sold on the open market and there lies forced incentivization of distribution.
With PoS, what is the incentivization to distribute the coinbase?

The pre-mine in many PoS systems today (I'm looking at you, NXT), is ludicrous and consists of a bunch of early adopters hustling unwitting newcomers into accepting Bitcoin 2.0. Printing money with zero work is no better than the Federal Reserve we strive to avoid.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 30, 2015, 07:15:56 PM
Printing money with zero work is no better than the Federal Reserve we strive to avoid.

Created a strawman and successfully defeated it. Well done!


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: theskillzdatklls on March 30, 2015, 07:27:42 PM
imo a hybrid of pos pow is the best way to do this. dashcoin kind of accomplishes this feat. but the market will decide in the end what it wants.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Kazimir on March 30, 2015, 07:37:37 PM
You don't get it. Bitcoin mining is supposed to be inefficient. Therein lies the very core of its trustworthiness.

Who supposed that? Satoshi? No, he was making excuses on that part telling that mining will migrate to cold countries and will be used for heating. So, if the creator didn't suppose mining to be inefficient, then maybe PoW-evangelists are just biased because of holding a lot of BTC?
It doesn't matter who supposed it. Did you check the video excerpt I mentioned? Highly recommended, Andreas explains it very well.

Anyone still saying "altcoin X or hashing algorithm Y is better because it's more efficient" doesn't understand the delicate equilibrium between security and value of the network.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: BusyBeaverHP on March 30, 2015, 07:47:34 PM
Printing money with zero work is no better than the Federal Reserve we strive to avoid.

Created a strawman and successfully defeated it. Well done!
Yep, and yet my concerns are still unanswered by you, an NXT supporter.  ::)

I-... I'm sorry, am I using NXT as ad hominem now? Please point out more of my debate fallacies o wise one. ;D


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: saddampbuh on March 30, 2015, 07:47:59 PM
you left out the most important thing

pow = forever downward pressure on price if new fiat doesn't keep up with coin generation
pos = new fiat goes to making my coins more valuable and soon 1 btc = $10000


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Amph on March 30, 2015, 07:57:14 PM
you left out the most important thing

pow = forever downward pressure on price if new fiat doesn't keep up with coin generation
pos = new fiat goes to making my coins more valuable and soon 1 btc = $10000

you forgot that in pow, there is the halving, which will lead at the end to an increase in price because of less supply and more demand

in pos no one will buy anymore because he/she can generate coins without any effort, free money for them


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 30, 2015, 09:07:01 PM
It doesn't matter who supposed it. Did you check the video excerpt I mentioned? Highly recommended, Andreas explains it very well.

I tried, but his spoken English was too hard for me.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 30, 2015, 09:08:32 PM
Yep, and yet my concerns are still unanswered by you, an NXT supporter.  ::)

I-... I'm sorry, am I using NXT as ad hominem now? Please point out more of my debate fallacies o wise one. ;D

No other fallacies were spotted. You were right, after 200 years of forging a Nxt whale would double his stake.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: saddampbuh on March 30, 2015, 09:16:50 PM
you forgot that in pow, there is the halving, which will lead at the end to an increase in price because of less supply and more demand

in pos no one will buy anymore because he/she can generate coins without any effort, free money for them
i didn't forget halvings i just don't want to wait years for coin generation to be low enough that it doesn't hurt the price anymore and when that happens we get bigger risk of 51% as many miners switch off machines

of course someone will buy, the same who are buying now except they will be buying from our hoarded coins + 1% interest instead of miners who dump at any price


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on March 30, 2015, 10:14:10 PM

But none of these time intervals happen in real time or matter to the attacker
in a PoS.  They can all be spoofed...You can always broadcast a false chain
and that has always been the problem with PoS.

(Only PoW is resistant to time manipulations because it takes real time
to do the work.)

Can someone explain to me what is really new here?


Hi jonald,

I'd love to go into details about the grinding attack.
Could you clarify a few points for me before we dig in so that I don't paraphrase the paper.
1/What do you mean by "creating a false chain"? Creating a competing chain? I'm not sure what "false" means here.
2/What do you mean by "time intervals can all be spoofed". Of course, the attacker doesn't have to "redo the work" if he can reuse some previously created proofs but in this case his fork (at the beginning) will be a subset of the mainchain.

More generally, could you please provide a detailed description of how you would conduct such an attack (even a high level explanation would be great)
thanks !


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Ron~Popeil on March 30, 2015, 10:34:31 PM
POW and POS both have relative advantages and disadvantages. The inherent weakness I see in POS is that new capital doesn't flow in as readily because your stake multiplies on its own. The weakness with POW is massive power consumption and ever increasing expense if you mine.

As a late comer to crypto currency bitcoin is much more difficult to accumulate in an appreciable amount. Add the downward pressure of mined coins being sold constantly and the ever present fraud that goes on and it is a risky investment.

Personally I collect and hold bitcoin and clams. If I had to choose I would hold just bitcoin but I think both have their place in the crypto world.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: anti-scam on March 30, 2015, 10:37:48 PM
I don't believe that proof-of-stake is necessarily appropriate for Bitcoin but I do completely agree with:

Quote
Bitcoin holders are reluctant to debate competitive alternatives to PoW such as PoS and trusted nodes (like Ripple, despite its nearly $1B market cap).

It seems like every new technological innovation being pioneered by other cryptocoins is categorically rejected for implementation in Bitcoin almost immediately. It also seems like most of the people behind Bitcoin are also on the board of dozens of projects designed to replace it. If Bitcoin does end up failing, I think that the failure will be entirely social, a refusal to adapt and innovate. This is something that anybody interested in the project should be worried about.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 30, 2015, 11:04:43 PM
http://www.links.org/files/decentralised-currencies.pdf claims that cryptocurrencies with unknown "miners" are flawed. Unlike PoW, PoS coins do know who the "miners" are.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on March 31, 2015, 01:31:17 AM

But none of these time intervals happen in real time or matter to the attacker
in a PoS.  They can all be spoofed...You can always broadcast a false chain
and that has always been the problem with PoS.

(Only PoW is resistant to time manipulations because it takes real time
to do the work.)

Can someone explain to me what is really new here?


Hi jonald,

I'd love to go into details about the grinding attack.
Could you clarify a few points for me before we dig in so that I don't paraphrase the paper.
1/What do you mean by "creating a false chain"? Creating a competing chain? I'm not sure what "false" means here.
2/What do you mean by "time intervals can all be spoofed". Of course, the attacker doesn't have to "redo the work" if he can reuse some previously created proofs but in this case his fork (at the beginning) will be a subset of the mainchain.

More generally, could you please provide a detailed description of how you would conduct such an attack (even a high level explanation would be great)
thanks !


There is some mechanism to decide who gets
to stake the next block.

In PoW, you must be the first to
solve a puzzle.  In PoS, you need only
meet certain conditions with your stake.
(And those conditions must be flexible
enough to ensure that blocks come out
in a timely manner -- should the chosen
participant not mint the block, an alternate
must be quickly selected).

Forcing a reorganization by broadcasting
a longer chain is the same mechanism
whether one is attempting a double spend
or simply trying to garner transaction
fees.

As the paper says, grinding refers
to "cheaply searching the blockspace to find blocks
that direct history in their favor".

So a false chain is any other chain than
the main chain -- it is one that you forked
from a previous point on the main chain,
either for the purposes of double spending,
or gaining fees.

As far as spoofing the time intervals,
let's say you want to start a chain
"from 200 minutes ago".  You can have
a computer calculate an alternate
chain that supposedly started 200 minutes
ago in a few seconds, and broadcast
that in realtime right now.  Nodes receiving that
would not know that the blocks on
the false chain weren't really
built 200 minutes ago.

Nodes must accept the longest chain,
otherwise you will lose consensus and
risk a fork in the blockchain.

You won't always be able to achieve this,
but occasionally you will, and since
the cost is minimal, why not try it?

Of course, if everyone starts doing that,
you are back to the issue of using
competing computing resources, and thus
energy costs will rise to the level of
marginal profitability, which is the
very thing that PoS claims to avoid.

I'm not sure what the 200 minute buffer
zone applies to (new coins staking?),
but that really doesn't solve the issue,
as you can keep trying to attack with
old coins, or you can attack less frequently
(every 200 minutes) with coins you just
bought and sold.  In addition, I believe
it opens additional attack vectors based
on older stake participants rejecting
newer participants.

Again, this kind of thing has always
been a problem with PoS coins.  
I just don't see how neucoin is anything new.

disclaimer: I'm not an expert and I could certainly
be wrong, but I would like someone to
explain why I am wrong.
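
Added example, not part of the thread or of the NeuCoin paper: a toy model of what a receiving node can and cannot check about a fork's timestamps, covering both the paper's "first modifier interval" quote and the objection in the post above. The kernel rule, `BASE_TARGET`, the `Block` fields and all function names are assumptions made for illustration; only the 200-minute interval comes from the quoted paper.

```python
import hashlib
from typing import List, NamedTuple

MODIFIER_INTERVAL = 200  # minutes; figure quoted from the paper in the thread
# Toy difficulty (assumption): one coin is eligible in about 1 minute out of 1000.
BASE_TARGET = (1 << 256) // 1000


class Block(NamedTuple):
    utxo_id: bytes   # staked output (hypothetical identifier)
    stake: int       # coins in that output
    timestamp: int   # minutes, as claimed by the block's creator
    payload: bytes   # transactions etc.; deliberately NOT a kernel input


def kernel_ok(modifier: bytes, utxo_id: bytes, stake: int, timestamp: int) -> bool:
    """Eligibility depends only on (modifier, output, claimed time, stake)."""
    data = modifier + utxo_id + timestamp.to_bytes(8, "big")
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest < BASE_TARGET * stake


def eligible_minutes(modifier: bytes, utxo_id: bytes, stake: int,
                     fork_time: int, minutes: int = MODIFIER_INTERVAL) -> List[int]:
    """Minutes after fork_time at which this output may stake a block."""
    return [t for t in range(fork_time + 1, fork_time + minutes + 1)
            if kernel_ok(modifier, utxo_id, stake, t)]


def build_fork(modifier: bytes, utxo_id: bytes, stake: int,
               fork_time: int, payload: bytes = b"") -> List[Block]:
    """Built in one pass; nothing here waits for the wall clock."""
    return [Block(utxo_id, stake, t, payload)
            for t in eligible_minutes(modifier, utxo_id, stake, fork_time)]


def validate_fork(blocks: List[Block], modifier: bytes,
                  fork_time: int, now: int) -> bool:
    """Everything a receiving node can check about time in this model:
    timestamps increase, none lies in the future, and each kernel is valid.
    It has no way to tell when the blocks were actually computed."""
    prev = fork_time
    for block in blocks:
        if not (prev < block.timestamp <= now):
            return False
        if not kernel_ok(modifier, block.utxo_id, block.stake, block.timestamp):
            return False
        prev = block.timestamp
    return True


if __name__ == "__main__":
    modifier = b"main-chain-modifier"   # constructed sample value
    utxo = b"output-1"                  # constructed sample value
    fork = build_fork(modifier, utxo, stake=100, fork_time=1000)
    print("fork accepted at t=1200:", validate_fork(fork, modifier, 1000, now=1200))
    print("blocks in fork over 200 minutes:", len(fork))
    # Changing block contents does not change which minutes are eligible
    # while the modifier is fixed by the main chain.
    same = build_fork(modifier, utxo, 100, 1000, payload=b"other txs")
    print("same slots with other payload:",
          [b.timestamp for b in same] == [b.timestamp for b in fork])
```

In this model the node accepts a fork whose timestamps are merely plausible, yet while the modifier is fixed the number of blocks a given stake can place in the interval is set by the kernel rule, not by how the fork was computed.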


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: nachoig on March 31, 2015, 01:40:23 AM
After the creation of proof-of-activity and proof-of-capacity schemes I think there is no reason to create new proof-of-stake coins.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Bit_Happy on March 31, 2015, 01:46:57 AM

But none of these time intervals happen in real time or matter to the attacker
in a PoS.  They can all be spoofed...You can always broadcast a false chain
and that has always been the problem with PoS.

(Only PoW is resistant to time manipulations because it takes real time
to do the work.)

Can someone explain to me what is really new here?


Hi jonald,

I'd love to go into details about the grinding attack.
Could you clarify a few points for me before we dig in so that I don't paraphrase the paper.
1/What do you mean by "creating a false chain"? Creating a competing chain? I'm not sure what "false" means here.
2/What do you mean by "time intervals can all be spoofed". Of course, the attacker doesn't have to "redo the work" if he can reuse some previously created proofs but in this case his fork (at the beginning) will be a subset of the mainchain.

More generally, could you please provide a detailed description of how you would conduct such an attack (even a high level explanation would be great)
thanks !


There is some mechanism to decide who gets
to stake the next block.

In PoW, you must be the first to
solve a puzzle.  In PoS, you need only
meet certain conditions with your stake.
(And those conditions must be flexible
enough to ensure that blocks come out
in a timely manner -- should the chosen
participant not mint the block, an alternate
must be quickly selected).

Forcing a reorganization by broadcasting
a longer chain is the same mechanism
whether one is attempting a double spend
or simply trying to garner transaction
fees.

As the paper says, grinding refers
to "cheaply searching the blockspace to find blocks
that direct history in their favor".

So a false chain is any other chain than
the main chain -- it is one that you forked
from a previous point on the main chain,
either for the purposes of double spending,
or gaining fees.

As far as spoofing the time intervals,
let's say you want to start a chain
"from 200 minutes ago".  You can have
a computer calculate an alternate
chain that supposedly started 200 minutes
ago in a few seconds, and broadcast
that in realtime right now.  Nodes receiving that
would not know that the blocks on
the false chain weren't really
built 200 minutes ago.

Nodes must accept the longest chain,
otherwise you will lose consensus and
risk a fork in the blockchain.

You won't always be able to achieve this,
but occasionally you will, and since
the cost is minimal, why not try it?

Of course, if everyone starts doing that,
you are back to the issue of using
competing computing resources, and thus
energy costs will rise to the level of
marginal profitability, which is the
very thing that PoS claims to avoid.

I'm not sure what the 200 minute buffer
zone applies to (new coins staking?),
but that really doesn't solve the issue,
as you can keep trying to attack with
old coins, or you can attack less frequently
(every 200 minutes) with coins you just
bought and sold.  In addition, I believe
it opens additional attack vectors based
on older stake participants rejecting
newer participants.

Again, this kind of thing has always
been a problem with PoS coins.  
I just don't see how neucoin is anything new.

disclaimer: I'm not an expert and I could certainly
be wrong, but I would like someone to
explain why I am wrong.


I like the unusual formatting, since it makes your post look like poetry.
Were you on a phone (very small screen) typing it?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on March 31, 2015, 01:48:50 AM
No, that's just how I post. 
It's an old habit to try to
make emails more readable.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jabo38 on March 31, 2015, 01:53:23 AM
After the creation of proof-of-activity and proof-of-capacity schemes I think there is no reason to create new proof-of-stake coins.

I like proof of activity the best.  

In POW we are saying whoever can waste the most electricity should get the honor of forming a block, but that doesn't really help the network.

In proof of capacity, we are saying that whoever can waste the most hard drive space should get the honor of forming a block, but again that doesn't really help the network.

In POS, we are saying that whoever directly invested in the network gets the honor to produce the next block.  So in a way a person is in some ways contributing to the network.  Way better than the above two options.

But in proof of activity a person that is the most active in the network gets the honor to produce the next block.  It basically is a return to proof of work, except the work now is not some random arbitrary and pointless work but instead work done in the ecosystem that is strengthening it.  


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jabo38 on March 31, 2015, 01:55:31 AM
After the creation of proof-of-activity and proof-of-capacity schemes I think there is no reason to create new proof-of-stake coins.

In the end, there is always more room for improvement.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jabo38 on March 31, 2015, 01:59:09 AM
MtGox would have dominated a PoS-version of Bitcoin quite exclusively back then.

Centralized exchanges is so 2014...

I feel like by the end of 2015 the community will really have some exchanges that will not run with the money because they are either 1) insured so even if the money disappears, it is just repaid, or 2) the exchanges are designed in a way that it is unpractical to steal the money because the exchange was designed from the ground up to not be able to steal money, and even the few weaknesses where it could be exploited would be pointless because it is in the exchange's interest in the long run to not act maliciously.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: inBitweTrust on March 31, 2015, 02:35:09 AM
But in proof of activity a person that is the most active in the network gets the honor to produce the next block.  It basically is a return to proof of work, except the work now is not some random arbitrary and pointless work but instead work done in the ecosystem that is strengthening it.  

Interesting --
http://eprint.iacr.org/2014/452.pdf


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Amph on March 31, 2015, 07:20:23 AM
you forgot that in pow, there is the halving, which will lead at the end to an increase in price because of less supply and more demand

in pos no one will buy anymore because he/she can generate coins without any effort, free money for them
i didn't forget halvings i just don't want to wait years for coin generation to be low enough that it doesn't hurt the price anymore and when that happens we get bigger risk of 51% as many miners switch off machines

of course someone will buy, the same who are buying now except they will be buying from our hoarded coins + 1% interest instead of miners who dump at any price

i could agree that halving structure isn't ideal as it is right now, 4 years between halving is too much, satoshi didn't take that into account maybe, it should have been 2 years max or even one year, the sooner bitcoin enter in the "fees phase" the better



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: cambda on March 31, 2015, 08:28:18 AM
What about terrible initial distribution of coins in Proof-of-stake? About the security, in order to stake new coins you must have an unlocked wallet, so basically the least secure option to keep your coins.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: spartacusrex on March 31, 2015, 09:42:55 AM
POS vs POW!!

Again!!!

hmm..

I did ask a few questions in the Neucoin https://bitcointalk.org/index.php?topic=1003488.0 thread but no answers were forthcoming..

For me, there are issues with POS that many choose to ignore, or are ignorant about, simply because they think POW is wasteful..

I repeat :

1) Much is made of the 'wasted' and 'costly' electricity used to run the POW mining rigs.. People seem to think this number can increase 'INDEFINITELY' and somehow consume ALL the power in the world. LOL. This simply is not the case. The miners will spend what they can make from mining, they can't spend more.. or go out of business. The Market will determine what this will be. Personally, I don't see it as an issue, at all. The amount of energy Bitcoin mining uses is literally PEANUTS in the bigger scheme of things.  

Can someone explain a couple of POS queries.. ?

2) What if all the coins in a POS system are distributed evenly, the dream!, so that there are very few, if any, whales. Everyone thinks they have an insignificant amount, for mining purposes, but in truth they are ALL minnows. Who would mine ? Can't just lock up your funds if you are living hand to mouth..

3) If 10% of the stakeholders mine in POS, since I think 100% or even 50% seems unlikely, does that mean you need 5.1% to perform a 51% attack ?

4) In POS, can energy be expended searching more chain branches to find a valid chain on which you make more money ? If this is the case, won't future miners just spend money and expend energy until they spend slightly less than 1 block makes (same as POW) ?

5) Is this true : If a Cartel of POS stakeholders ever reach 51%.. That's it.. They can never be overtaken if they choose not to be. In POW this is not the case.

Thank you..


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: herzmeister on March 31, 2015, 10:04:55 AM
I like proof of activity the best.  

Except it isn't a "proof". Proof-of-activity, proof-of-resource, proof-of-storage or similar are all misnomers. There can't be "proof" of these things, all of these can be forged; only spent CPU power can algorithmically be proven because it boils down to pure physical entropy at the end of the day. Also MaidSafe use the term proof-of-resource but in reality their security mechanism is a node-ranking system which does introduce a degree of trust.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 10:19:34 AM
I like proof of activity the best.  

Except it isn't a "proof". Proof-of-activity, proof-of-resource, proof-of-storage or similar are all misnomers. There can't be "proof" of these things, all of these can be forged; only spent CPU power can algorithmically be proven because it boils down to pure physical entropy at the end of the day. Also MaidSafe use the term proof-of-resource but in reality their security mechanism is a node-ranking system which does introduce a degree of trust.

You refuted one bold claim with another...


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: herzmeister on March 31, 2015, 10:25:04 AM
Which one of my claims do you think is bold?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 10:40:44 AM
Which one of my claims do you think is bold?

Quote
only spent CPU power can algorithmically be proven because it boils down to pure physical entropy at the end of the day


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: herzmeister on March 31, 2015, 10:48:40 AM
yes; in the sense that any other approach requires you to know more information about a node in one way or another if you want to prevent Sybil attacks, so that you know you can trust them (you could see proof-of-stake as just some anonymized form of trust). And the thing with trust is...

https://i.imgur.com/ttNwXON.jpg


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 10:50:07 AM
yes; in the sense that any other approach requires you to know more information about a node in one way or another if you want to prevent Sybil attacks, so that you know you can trust them (you could see proof-of-stake as just some anonymized form of trust). And the thing with trust is...

https://i.imgur.com/ttNwXON.jpg

We don't see her tits, hence your "appeal to authority" is not accepted.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on March 31, 2015, 10:51:41 AM

As far as spoofing the time intervals,
let's say you want to start a chain
"from 200 minutes ago".  You can have
a computer calculate an alternate
chain that supposedly started 200 minutes
ago in a few seconds, and broadcast
that in realtime right now.  Nodes receiving that
would not know that the blocks on
the false chain weren't really
built 200 minutes ago.

Nodes must accept the longest chain,
otherwise you will lose consensus and
risk a fork in the blockchain.

You won't always be able to achieve this,
but occasionally you will, and since
the cost is minimal, why not try it?

The reason this is incorrect is that there is no possibility for a "computer to calculate an alternate chain that started 200 minutes ago" and have it become longer than the main one.
What one has to keep in mind is that everything is deterministic.
For an attacker to build this fork he must own private keys that give him control over some stakes at the beginning of the attack.
Let's say the attacker has control over 10% of the mining coins. Two possibilities:
  • These coins have been used to mine on the main chain. In this case, the stakes will create blocks at exactly the same timestamps as they did when mining on the main chain because, since everything is deterministic, the proofs are the same.
    Starting our clock at the start of the fork, let's consider the average case (20 blocks mined by the coins the attacker controls): the stakes have generated blocks at times 3, 7, 13, [...], 189, 198. Then the attacker's fork will consist of 20 blocks created with the exact same proofs.
    The important part is that since the fork will always be a subset of the main branch, he will never be able to create a fork with more trust than the main chain. A second important remark is that the attacker cannot try his luck many times.
  • The coins used to stake were not mining previously, and in this case he would need on average 50% of all mining coins to be able to create a longer fork. This corresponds of course to a 51% attack.
    You might ask, if he gets his hands on 10% might he win? The probability that an attacker's fork with 10% of the coins will outperform the 90% remaining over a 200-minute period is ~10^-100 (using the formula on p.35 of the white paper). Therefore, this kind of event will never happen no matter how often attackers try.
  • A third possibility would be to send coins you own on the fork and mine with them. In theory, you could do that a great number of times and you might expect to succeed at some point. That's why the minimum stake age (i.e. the minimum time during which coins have to wait before they can mine) is important. For these coins to be allowed to mine they must wait a significant amount of time and this creates a lag. And this has a consequence on "real time" since the nodes receiving the forks will check if the proofs used to generate the blocks are valid.

Quote
You won't always be able to achieve this,
but occasionally you will, and since
the cost is minimal, why not try it?

The important part is that, you will not "not always be able to achieve this", you will actually never be able to achieve this without owning ~50% of the mining coins.

Quote
I'm not sure what the 200 minute buffer
zone applies to (new coins staking?),
but that really doesn't solve the issue,
as you can keep trying to attack with
old coins, or you can attack less frequently
(every 200 minutes) with coins you just
bought and sold.  In addition, I believe
it opens additional attack vectors based
on older stake participants rejecting
newer participants.

The reason behind this is that since you cannot "hope" to win by trying to fork a large number of times, the best thing you can hope for is to "grind" through stake modifiers, and to do that you must have control over the current stake modifier and this takes time.

Finally, what do you mean by "additional attack vectors"?
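The first case in the post above (stakes that already mined on the main chain), as an added example that is not part of the original post and is not NeuCoin's code. It assumes a simplified Peercoin-style kernel with a fixed stake modifier and equal-weight stakes; `MODIFIER`, `N_STAKES`, `HIT_RATE` and the function names are constructed for illustration.

```python
import hashlib

SLOTS = 200        # one slot per minute, matching the post's 200-minute window
N_STAKES = 100     # equal-weight stakes (constructed)
HIT_RATE = 0.01    # chance that one stake is eligible in one slot (constructed)
TARGET = int(HIT_RATE * 2**256)
MODIFIER = b"constructed-stake-modifier"  # fixed for the whole window (assumption)


def eligible(modifier: bytes, stake_id: int, slot: int) -> bool:
    """Kernel check: a pure function of (modifier, stake, time).

    There is no nonce, so the owner of a stake has nothing to vary:
    the same inputs always give the same answer.
    """
    data = modifier + stake_id.to_bytes(4, "big") + slot.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") < TARGET


def block_times(modifier: bytes, stakes, slots: int = SLOTS) -> list:
    """Slots in which at least one of `stakes` is allowed to mint a block."""
    return [
        t for t in range(1, slots + 1)
        if any(eligible(modifier, s, t) for s in stakes)
    ]


def replay(modifier: bytes, attacker_stakes, all_stakes):
    """Return (main chain slots, attacker fork slots) for the same window.

    The main chain is built by every stake, the fork only by the attacker's
    stakes, both starting from the same modifier.
    """
    main = block_times(modifier, all_stakes)
    fork = block_times(modifier, attacker_stakes)
    return main, fork


if __name__ == "__main__":
    all_stakes = range(N_STAKES)
    attacker = range(10)  # 10% of the mining coins, as in the post
    main, fork = replay(MODIFIER, attacker, all_stakes)
    print("main chain blocks:", len(main))
    print("fork blocks:      ", len(fork))
    print("fork is a subset of main:", set(fork) <= set(main))
    print("second attempt identical:", fork == block_times(MODIFIER, attacker))
```

The schedule depends only on the modifier, which is why the post treats control of the stake modifier, together with the minimum stake age, as the thing that matters.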




Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: calme on March 31, 2015, 10:57:32 AM
whoa, is taylor swift a hardcore bitcoiner? maybe it's been taylor swift who has been doing megadumps all over us.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: tokeweed on March 31, 2015, 11:07:14 AM
whoa, is taylor swift a hardcore bitcoiner? maybe it's been taylor swift who has been doing megadumps all over us.

eeeeewww


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: spartacusrex on March 31, 2015, 11:22:50 AM
@koubiac - Hi, how many 'Mining Coins' do you think will be used, realistically,  as a percent of the whole ?



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: johnyj on March 31, 2015, 11:27:26 AM
For PoS coins, there is no big difference between PoS clones, which means unlimited money supply, and they will all be worth nothing in the end

PoW infrastructure on the other hand is not possible to duplicate, and since real world resource is limited, it gives PoW coin backing of scarcity from real world


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on March 31, 2015, 11:39:04 AM
...
PoW infrastructure on the other hand is not possible to duplicate, and since real world resource is limited, it gives PoW coin backing of scarcity from real world

Do you really believe that the value of a Bitcoin is backed by the energy wasted?
If so how is the structure of this correlation?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 11:51:45 AM
PoW infrastructure on the other hand is not possible to duplicate, and since real world resource is limited, it gives PoW coin backing of scarcity from real world

Ever heard of merged mining?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on March 31, 2015, 12:09:55 PM
http://www.links.org/files/decentralised-currencies.pdf claims that cryptocurrencies with unknown "miners" are flawed. Unlike PoW, PoS coins do know who the "miners" are.

Has this paper been discussed anywhere?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 12:32:20 PM
Has this paper been discussed anywhere?

Bitcoiners can't counteract arguments raised in that paper so they ignore it.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on March 31, 2015, 12:46:05 PM
Shame.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: achimsmile on March 31, 2015, 01:03:46 PM
For PoS coins, there is no big difference between PoS clones, which means unlimited money supply, and they will all be worth nothing in the end

No


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: spartacusrex on March 31, 2015, 01:09:23 PM
Has this paper been discussed anywhere?

Bitcoiners can't counteract arguments raised in that paper so they ignore it.

Err.. Is that why all the POS-ers are ignoring my question about how many 'Mining Coins', as a percent, they realistically think will be used mining a POS coin ? I have asked twice now..

The 51% POS attack, would never actually require 51% of the total supply, as many people seem to think. Just 51% of the Mining Coins.. and this will be a lot smaller.. just not sure how much smaller.. and it may still prove to be large enough to be considered unattainable.

Third and final time : Anyone ?

@Come-From-Beyond : I would love to know the percent used on NXT ? I'm sure no-one knows more than you on this topic ? (Except BCNext - if that's not you anyway..  :P).. Or you Daedelus - you're well informed on POS matters ?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 01:20:41 PM
@Come-From-Beyond : I would love to know the percent used on NXT ?

Fast calculation based on data from last 500 blocks gave me 28%.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on March 31, 2015, 01:26:05 PM
Last I saw, 41% of Nxt was forging. Edit: I don't know how CfB calculates this figure. I thought the live figures were on peerexplorer.com but can't see where. Weren't you in the thread the last time this was discussed? CynicSOB claimed to be able to do some vaguely specified damage to a POS coin (after controlling the dead APEXcoin for 90 blocks). Started at <1%, then 5% then 10%. He hasn't been in touch for a while now. So if you had 210,000,000 NXT (based on 41%) you could do some damage. This is obvious to most who have looked at POS.

Your turn  :D

http://www.links.org/files/decentralised-currencies.pdf



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: spartacusrex on March 31, 2015, 01:29:11 PM
@Come-From-Beyond : I would love to know the percent used on NXT ?

Fast calculation based on data from last 500 blocks gave me 28%.

Last I saw, 41% of Nxt was forging. Edit: I don't know how CfB calculates this figure. I thought the live figures were on peerexplorer.com but can't see where. Weren't you in the thread the last time this was discussed? CynicSOB claimed to be able to do some vaguely specified damage to a POS coin (after controlling the dead APEXcoin for 90 blocks). So if you had 210,000,000 NXT you could do some damage. This is obvious to most who have looked at POS.

Thank you!

Actually that's more than I thought there would be.. (Using the smaller 28% figure..) 14.1% of the TOTAL supply of a currency, is still a very large number.. (More than Satoshi has in BTC..)




Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on March 31, 2015, 01:31:38 PM
@Come-From-Beyond : I would love to know the percent used on NXT ?

Fast calculation based on data from last 500 blocks gave me 28%.

Last I saw, 41% of Nxt was forging. Edit: I don't know how CfB calculates this figure. I thought the live figures were on peerexplorer.com but can't see where. Weren't you in the thread the last time this was discussed? CynicSOB claimed to be able to do some vaguely specified damage to a POS coin (after controlling the dead APEXcoin for 90 blocks). So if you had 210,000,000 NXT you could do some damage. This is obvious to most who have looked at POS.

Thank you!

Actually that's more than I thought there would be.. (Using the smaller 28% figure..) 14.1% of the TOTAL supply of a currency, is still a very large number.. (More than Satoshi has in BTC..)


and just to throw in another number based on nexern's block explorer:
http://nxtexplorer.com/nxt/nxt.cgi?action=160
46.8%


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 01:32:17 PM
I don't know how CfB calculates this figure.

Average base target of the last 500 blocks is 3.5652 (or 356.52%).

100% / 3.5652 = 28.05%.

If an adversary is forging now then he needs to control only 140'000'000 NXT for 51% attack.

If an adversary is not forging now then he needs to buy only 280'000'000 NXT for 51% attack.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 01:35:33 PM
and just to throw in another number based on nexern's block explorer:
http://nxtexplorer.com/nxt/nxt.cgi?action=160
46.8%

nexern's block explorer may return a more correct result; my math is based on the assumption that all coins belong to a single account. As is known, bigger accounts have an extra forging bonus and they need fewer coins to reach the same average base target.
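The base-target arithmetic from the posts above, generalized to the other participation figures quoted in the thread, as an added example that is not part of any post. It assumes a total supply of 1,000,000,000 NXT, which is what the thread's figures imply; the function names are constructed for illustration.

```python
TOTAL_SUPPLY_NXT = 1_000_000_000  # assumption: the supply the thread's figures imply


def _check(participation: float, share: float) -> None:
    if not 0.0 < participation <= 1.0:
        raise ValueError("participation must be in (0, 1]")
    if not 0.0 < share < 1.0:
        raise ValueError("share must be in (0, 1)")


def participation_from_base_target(avg_base_target: float) -> float:
    """Forging share of supply, estimated as 100% / average base target.

    Per the follow-up post this treats the forging stake as a single
    account, so it can under-estimate real participation.
    """
    if avg_base_target <= 0:
        raise ValueError("base target must be positive")
    return 1.0 / avg_base_target


def stake_if_already_forging(participation, share=0.5, supply=TOTAL_SUPPLY_NXT):
    """Adversary's coins are part of the forging stake F: share * F."""
    _check(participation, share)
    return share * participation * supply


def stake_if_buying_in(participation, share=0.5, supply=TOTAL_SUPPLY_NXT):
    """Adversary adds new stake A on top of F.

    A / (F + A) = share  gives  A = share * F / (1 - share).
    """
    _check(participation, share)
    forging = participation * supply
    return share * forging / (1.0 - share)


def buy_in_fits_in_idle_coins(participation, share=0.5, supply=TOTAL_SUPPLY_NXT):
    """True if the buy-in amount exists among coins that are not forging.

    Above 50% participation (at share 0.5) the idle coins are not enough,
    and the adversary would have to acquire coins from current forgers.
    """
    needed = stake_if_buying_in(participation, share, supply)
    return needed <= (1.0 - participation) * supply


# Participation estimates quoted in the thread.
THREAD_ESTIMATES = {
    "average base target 3.5652": participation_from_base_target(3.5652),
    "41% figure": 0.41,
    "nxtexplorer.com 46.8%": 0.468,
}


def summarize(share=0.5):
    """One row per estimate: label, participation %, both stake amounts."""
    rows = []
    for label, p in THREAD_ESTIMATES.items():
        rows.append((
            label,
            round(p * 100, 2),
            round(stake_if_already_forging(p, share)),
            round(stake_if_buying_in(p, share)),
            buy_in_fits_in_idle_coins(p, share),
        ))
    return rows


if __name__ == "__main__":
    for label, pct, inside, outside, fits in summarize():
        print(f"{label:28s} {pct:6.2f}%  forging: {inside:>12,}  "
              f"buying in: {outside:>12,}  idle coins suffice: {fits}")
```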


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on March 31, 2015, 01:37:55 PM

As far as spoofing the time intervals,
let's say you want to start a chain
"from 200 minutes ago".  You can have
a computer calculate an alternate
chain that supposedly started 200 minutes
ago in a few seconds, and broadcast
that in realtime right now.  Nodes receiving that
would not know that the blocks on
the false chain weren't really
built 200 minutes ago.

Nodes must accept the longest chain,
otherwise you will lose consensus and
risk a fork in the blockchain.

You won't always be able to achieve this,
but occasionally you will, and since
the cost is minimal, why not try it?

The reason this is incorrect is that there is no possibility for a "computer to calculate an alternate chain that started 200 minutes ago" and have it become longer than the main one.
What one has to keep in mind is that everything is deterministic.
For an attacker to build this fork he must own private keys that give him control over some stakes at the beginning of the attack.
Let's say the attacker has control over 10% of the mining coins. Two possibilities:
  • These coins have been used to mine on the main chain. In this case, the stakes will create blocks at exactly the same timestamps as they did when mining on the main chain because, since everything is deterministic, the proofs are the same.
    Starting our clock at the start of the fork, let's consider the average case (20 blocks mined by the coins the attacker controls): the stakes have generated blocks at times 3, 7, 13, [...], 189, 198. Then the attacker's fork will consist of 20 blocks created with the exact same proofs.
    The important part is that since the fork will always be a subset of the main branch, he will never be able to create a fork with more trust than the main chain. A second important remark is that the attacker cannot try his luck many times.
  • The coins used to stake were not mining previously, and in this case he would need on average 50% of all mining coins to be able to create a longer fork. This corresponds of course to a 51% attack.
    You might ask, if he gets his hands on 10% might he win? The probability that an attacker's fork with 10% of the coins will outperform the 90% remaining over a 200-minute period is ~10^-100 (using the formula on p.35 of the white paper). Therefore, this kind of event will never happen no matter how often attackers try.
  • A third possibility would be to send coins you own on the fork and mine with them. In theory, you could do that a great number of times and you might expect to succeed at some point. That's why the minimum stake age (i.e. the minimum time during which coins have to wait before they can mine) is important. For these coins to be allowed to mine they must wait a significant amount of time and this creates a lag. And this has a consequence on "real time" since the nodes receiving the forks will check if the proofs used to generate the blocks are valid.

Quote
You won't always be able to achieve this,
but occasionally you will, and since
the cost is minimal, why not try it?

The important part is that, you will not "not always be able to achieve this", you will actually never be able to achieve this without owning ~50% of the mining coins.

Quote
I'm not sure what the 200 minute buffer
zone applies to (new coins staking?),
but that really doesn't solve the issue,
as you can keep trying to attack with
old coins, or you can attack less frequently
(every 200 minutes) with coins you just
bought and sold.  In addition, I believe
it opens additional attack vectors based
on older stake participants rejecting
newer participants.

The reason behind this is that since you cannot "hope" to win by trying to fork a large number of times, the best thing you can hope for is to "grind" through stake modifiers, and to do that you must have control over the current stake modifier and this takes time.

Finally, what do you mean by "additional attack vectors"?




 
As you said, an attacker can simply use coins that are old
enough and keep trying with them.  Those attacks would
be smaller than 200 block reorgs.

As far as the new coins (or any coins), what you are not considering is that the blockchain
MUST find new blocks.

Assume you have a 10 percent stake, so you'd have a
1 in 10 chance of being awarded a block.  
Your argument is that you'd have a 10% chance (or .1 probability)
of succeeding at one block, .1^2 for two blocks in a row, .1^3 for
three blocks in a row, etc.

However, here's where that argument falls apart:

What if the block found "deterministically"
wasn't broadcast by the chosen stakeholder?  Now the network
must choose again, so you get another 10% chance.  This
process can continue ad infinitum in a grinding fashion.



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on March 31, 2015, 01:38:45 PM
and just to throw in another number based on nexern's block explorer:
http://nxtexplorer.com/nxt/nxt.cgi?action=160
46.8%

That is what I was referring to  :)


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on March 31, 2015, 01:40:43 PM
I don't know how CfB calculates this figure.

Average base target of the last 500 blocks is 3.5652 (or 356.52%).

100% / 3.5652 = 28.05%.

If an adversary is forging now then he needs to control only 140'000'000 NXT for 51% attack.

If an adversary is not forging now then he needs to buy only 280'000'000 NXT for 51% attack.



Is this difference due to Transparent Forging? I try to explain it here:


Cool. The main problem I see that I spoke about earlier was how to get around Transparent Forging. Each forger/miner can predict who is due to forge the next block with high probability. You can see the predictions live from the real Nxt mainnet here:

http://188.138.33.10/
(red are accounts that missed their turn, blue are ones competing for Nxt block with a prediction for the time to next block)


If cynicSOB starts broadcasting blocks when it isn't his turn, the network will blacklist him/reject all his blocks. He will have to fool many nodes in the network to tell the remainder of the network that he is next for his blocks to be accepted. And it might only lead to a temporary fork, with the network reorging later on (up to 720 blocks later) and orphaning all his blocks. Not a trivial problem to crack.

TF is still an enigma and a little hazy to me...


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on March 31, 2015, 01:41:31 PM
and just to throw in another number based on nexern's block explorer:
http://nxtexplorer.com/nxt/nxt.cgi?action=160
46.8%

nexern's block explorer may return a more correct result; my math is based on the assumption that all coins belong to a single account. As is known, bigger accounts have an extra forging bonus and they need fewer coins to reach the same average base target.

OK, thanks CfB

Just FYI I quickly summed up the current amount of forgers/forging stake seen here http://nxtportal.org/forgers/ :
47M = 47%

@spartacusrex
The interesting thing with NXT is that you don't simply forge to secure NXT but the NXT asset exchange assets and monetary system currencies.
I for example proudly forge with my 27k account to secure more than double the value in assets  8)


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 01:44:14 PM
Is this difference due to Transparent Forging? I try to explain it here:

This difference is due to bias and retargetting algo.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on March 31, 2015, 02:02:11 PM
@koubiac - Hi, how many 'Mining Coins' do you think will be used, realistically,  as a percent of the whole ?
hi,

I guess it depends on mainly two parameters:
  • The long term nominal interest rate.
  • How developed the ecosystem of "mining wallets" (service providers that act as traditional wallets + insure a fixed interest rate to coin holders) will be.

During the infancy of the coin, since distribution is done through PoS reward (instead of PoW for Peercoin, Blackcoin etc...), the interest rate will be very high. Therefore, we expect the percentage of mining coins to be very high >80-90% (it's of course difficult to provide an exact number).
After the first years, as the coin becomes highly distributed - meaning most coin holders own <1/100,000th of the coin for instance - the role of the "mining wallet" will become increasingly important. The percentage of coins mining would probably drop to 50%, but this is of course only an educated guess.

Moreover, there are plenty of mechanisms that could be easily implemented to increase the long-term mining participation without increasing the chosen maximum inflation.
For example, the mining interest rate could be a function of mining participation. Let's say a long-term inflation rate of 3% is deemed optimal and let's say only 30% of the coin holders think it's worth mining for 3% a year; by implementing such a scheme, the miners' interest would become 3%*10/3=10%. Therefore, the percentage of coins mining would increase and the inflation rate would be fixed at 3%.


PS: sorry I haven't answered your other questions yet. I'm a bit swamped but will definitely get to them when I get a moment :)


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 02:07:50 PM
Why don't you just invest in a POS coin and try to get others to come along with you? If it is a better solution and Bitcoin does become centralized wouldn't people look for a different coin anyways?

I'm not a fan of blockchain tech, it's too inefficient. Necessity to store every state transition can't scale no matter what. So I'll just watch this show from outside.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Tobo on March 31, 2015, 02:30:35 PM
Why don't you just invest in a POS coin and try to get others to come along with you? If it is a better solution and Bitcoin does become centralized wouldn't people look for a different coin anyways?
I'm not a fan of blockchain tech, it's too inefficient. Necessity to store every state transition can't scale no matter what. So I'll just watch this show from outside.

But you co-founded Nxt. Do you still have a decent amount (let's say more than 500K) of NXT in your portfolio?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on March 31, 2015, 02:34:10 PM
Why don't you just invest in a POS coin and try to get others to come along with you? If it is a better solution and Bitcoin does become centralized wouldn't people look for a different coin anyways?
I'm not a fan of blockchain tech, it's too inefficient. Necessity to store every state transition can't scale no matter what. So I'll just watch this show from outside.

But you co-founded Nxt. Do you still have a decent amount (let's say more than 500K) of NXT in your portfolio?

I'll wager 0 NXT


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Tobo on March 31, 2015, 02:39:51 PM
I'm not a fan of blockchain tech, it's too inefficient. Necessity to store every state transition can't scale no matter what. So I'll just watch this show from outside.

How soon do you think that a decentralized ledger without a blockchain will emerge as a good and strong alternative to the blockchain?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 03:18:19 PM
But you co-founded Nxt. Do you still have a decent amount (let's say more than 500K) of NXT in your portfolio?

I had. Blackjack and girls are so expensive these days.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 03:18:54 PM
How soon do you think that a decentralized ledger without a blockchain will emerge as a good and strong alternative to the blockchain?

Next year.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: herzmeister on March 31, 2015, 03:48:57 PM
yes; in the sense that any other approach requires you to know more information about a node in one way or another if you want to prevent Sybil attacks, so that you know you can trust them (you could see proof-of-stake as just some anonymized form of trust). And the thing with trust is...

https://i.imgur.com/ttNwXON.jpg

We don't see her tits, hence your "appeal to authority" is not accepted.

neither is your counter-non-argument.

whoa, is taylor swift a hardcore bitcoiner? maybe it's been taylor swift who has been doing megadumps all over us.

eeeeewww

https://twitter.com/swiftonsecurity
http://imgur.com/gallery/1PDRJ


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 05:03:25 PM
Are you developing this or a part of it?

Yes.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Klestin on March 31, 2015, 05:37:15 PM
I'm not a fan of blockchain tech, it's too inefficient. Necessity to store every state transition can't scale no matter what. So I'll just watch this show from outside.

Factually incorrect.  Of course it can scale, it's doing so now.  With current ongoing development, scaling will continue to be possible for the foreseeable future.  The top posts in this forum will start you on the road to knowledge.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 05:47:07 PM
Factually incorrect.  Of course it can scale, it's doing so now.  With current ongoing development, scaling will continue to be possible for the foreseeable future.  The top posts in this forum will start you on the road to knowledge.

It's a delusion, but I'm not going to waste time on explaining why it is so.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Klestin on March 31, 2015, 06:10:24 PM
It's a delusion, but I'm not going to waste time on explaining why it is so.

Darn! And I was so close to seeing the light!  *Sadface*


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: criptix on March 31, 2015, 06:35:18 PM
Factually incorrect.  Of course it can scale, it's doing so now.  With current ongoing development, scaling will continue to be possible for the foreseeable future.  The top posts in this forum will start you on the road to knowledge.

It's a delusion, but I'm not going to waste time on explaining why it is so.

Could you link something? I would be really interested in reading more about it!

coz i guess you are not meaning blockchain size and tps right?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 06:45:41 PM
Could you link something? I would be really interested in reading more about it!

coz i guess you are not meaning blockchain size and tps right?

If you are not a programmer then start with http://en.wikipedia.org/wiki/Analysis_of_algorithms, if you are then you already see why blockchain is not scalable.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: johnyj on March 31, 2015, 07:20:22 PM
...
PoW infrastructure on the other hand is not possible to duplicate, and since real world resource is limited, it gives PoW coin backing of scarcity from real world

Do you really believe that the value of a Bitcoin is backed by the energy wasted?
If so how is the structure of this correlation?

It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: johnyj on March 31, 2015, 07:25:45 PM
PoW infrastructure on the other hand is not possible to duplicate, and since real world resource is limited, it gives PoW coin backing of scarcity from real world

Ever heard of merged mining?

Good point

I think the by-product of merged mining can be regarded as no cost, but they share a stronger network security, so they should have some value, and once they had some value, that will dilute the value of the main coin because the cost of main coin is reduced


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Klestin on March 31, 2015, 07:32:21 PM
If you are not a programmer then start with http://en.wikipedia.org/wiki/Analysis_of_algorithms, if you are then you already see why blockchain is not scalable.

A generic wikipedia page on algorithms.  I'm completely sure that all the non-programmers out there are now fully up to speed on your argument.  It must be the unfortunate fact of my 30 years of programming experience that's preventing me from absorbing your genius.  Ahh well, back to the darkness and misery for me.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Klestin on March 31, 2015, 07:34:29 PM
Could you link something? I would be really interested in reading more about it!

coz i guess you are not meaning blockchain size and tps right?

I expect that's exactly what he's referring to, and is either being willfully ignorant of bitcoin development direction, or is just another crapcoin pumper.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on March 31, 2015, 07:41:59 PM
It must be the unfortunate fact of my 30 years of programming experience that's preventing me from absorbing your genius.

You seem to be a team leader, they always sux in practical programming.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on March 31, 2015, 08:16:54 PM
...
PoW infrastructure on the other hand is not possible to duplicate, and since real world resource is limited, it gives PoW coin backing of scarcity from real world

Do you really believe that the value of a Bitcoin is backed by the energy wasted?
If so how is the structure of this correlation?

It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents

".. indicated .." -> this is economical nonsense

"If there is any demand..." -> what if something cannot be mined, how is the price determined?

"Imagine that a PoS coin..." -> one will generally select the option with the highest benefit. Whether miners cash out immediately or not would also depend on other factors, e.g. the expectation of future value. But again the question what if a coin (anything else) is not mineable, how do you determine the price?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: johnyj on April 01, 2015, 06:14:47 AM

It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents

".. indicated .." -> this is economical nonsense

This is basic economy behavior, people always seek the lowest possible cost to get a coin, and the arbitraging will eventually make the cost close to coin's market price. The demand can go down, thus cause the cost to shrink, but the cost and price should always be close to each other

"If there is any demand..." -> what if something cannot be mined, how is the price determined?

A technical barrier to prevent others from entering competition? The cryptocurrencies are open source, the technology itself is free. PoS coin will be cloned to many tastes if it shows slightest sign of usefulness. Just like email, it could be useful but will not be valuable since value only exists where scarcity exists

If you take over the government, you can make a law to make people only use your PoS coin, then it will have value without cost, just like fiat money. But in a market driven environment, you can't create money out of thin air, money's value will always be close to their production cost


In fact PoS coin are more like a company's stock, whose value is backed by company's earnings and dividend. And I haven't seen any PoS coin are generating positive cash flow since the stake holders are not doing any business operation



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on April 01, 2015, 06:23:57 AM

It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents

".. indicated .." -> this is economical nonsense

This is basic economy behavior, people always seek the lowest possible cost to get a coin, and the arbitraging will eventually make the cost close to coin's market price. The demand can go down, thus cause the cost to shrink, but the cost and price should always be close to each other

"If there is any demand..." -> what if something cannot be mined, how is the price determined?

A technical barrier to prevent others from entering competition? The cryptocurrencies are open source, the technology itself is free. PoS coin will be cloned to many tastes if it shows slightest sign of usefulness. Just like email, it could be useful but will not be valuable since value only exists where scarcity exists

If you take over the government, you can make a law to make people only use your PoS coin, then it will have value without cost, just like fiat money. But in a market driven environment, you can't create money out of thin air, money's value will always be close to their production cost

In fact PoS coin are more like a company's stock, whose value is backed by company's earnings and dividend. And I haven't seen any PoS coin are generating positive cash flow since the stake holders are not doing any business operation


Please answer the question: "what if something cannot be mined, how is the price determined?"
(Let's forget about PoS or PoW for the moment)


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on April 01, 2015, 10:13:48 AM

As you said, an attacker can simply use coins that are old
enough and keep trying with them.  Those attacks would
be smaller than 200 block reorgs.

A common misconception is that you can "keep trying". What do you mean by keep trying?
You can try creating forks at every block of the main chain but the probability to create more blocks than the rest of the network combined over a significant period of time (significant doesn't have to be more than say 10 minutes) is negligible if you don't own a very large portion of the mining coins.
If you mean "keep trying" as in trying many times to create a fork at a given height, you simply cannot do that because the outcome will always be the same (since the computation is deterministic and the input is seeded on the mainchain). To get a different outcome and thus be able to "keep trying" the attacker needs to move his coins to the fork and that's when the minimum stake age kicks in.
This is what necessarily creates a lag.


Quote
As far as the new coins (or any coins), what you are not considering is that the blockchain
MUST find new blocks.

Assume you have a 10 percent stake, so you'd have a
1 in 10 chance of being awarded a block.  
Your argument is that you'd have a 10% chance (or .1 probability)
of succeeding at one block, .1^2 for two blocks in a row, .1^3 for
three blocks in a row, etc.

However, here's where that argument falls apart:

What if the block found "deterministically"
wasn't broadcast by the chosen stakeholder?  Now the network
must choose again, so you get another 10% chance.  This
process can continue ad infinitum in a grinding fashion.

What do you mean it can continue ad infinitum? What you're describing is basically the percentage of coins mining dropping to zero! This is not a realistic assumption!
The blocks that should mine and don't are already taken into account in the computation because the attacker compares his stake to the total mining coins and not the total coins.
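
The two claims in the post above, worked through in a toy model (an added example, not part of the original post and not NeuCoin's or Peercoin's code): a kernel check that hashes only data already fixed on the main chain gives the same answer on every retry, and a staker holding share p of the mining coins wins a majority of n block slots with a probability that falls quickly as n grows. The hash layout, `MIN_STAKE_AGE`, the function names and the independent-slot assumption are all assumptions made for illustration.

```python
import hashlib
from math import comb

# Constructed parameters for a toy model; not taken from any real coin.
MIN_STAKE_AGE = 200      # blocks a coin must rest before it may stake (hypothetical)
HASH_SPACE = 2 ** 256    # size of the SHA-256 output space


def kernel_hit(chain_seed, coin_id, slot, coin_age, stake_share):
    """Toy stake kernel: eligibility depends only on data fixed by the main chain.

    chain_seed  -- bytes derived from earlier main-chain blocks
    coin_id     -- bytes identifying the staked output
    slot        -- integer time slot being tested
    coin_age    -- blocks since the coin last moved
    stake_share -- fraction of the mining coins this coin represents
    """
    if coin_age < MIN_STAKE_AGE:
        return False  # freshly moved coins cannot stake yet
    digest = hashlib.sha256(chain_seed + coin_id + slot.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") < int(stake_share * HASH_SPACE)


def retry_outcomes(chain_seed, coin_id, slot, coin_age, stake_share, attempts):
    """Repeat the same kernel check; the set of distinct results always has size 1."""
    return {
        kernel_hit(chain_seed, coin_id, slot, coin_age, stake_share)
        for _ in range(attempts)
    }


def move_coin(coin_id, nonce):
    """Moving a coin yields a new id (a new kernel input) but resets its age to 0."""
    new_id = hashlib.sha256(coin_id + nonce.to_bytes(8, "big")).digest()
    return new_id, 0


def prob_majority(p, n):
    """P(a staker with share p wins more than half of n slots).

    Simplification: each slot is an independent draw won with probability p.
    """
    need = n // 2 + 1
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(need, n + 1))


def majority_table(p, lengths):
    """Majority probability for each fork length, as (length, probability) pairs."""
    return [(n, prob_majority(p, n)) for n in lengths]


if __name__ == "__main__":
    seed, coin = b"constructed-main-chain-seed", b"constructed-coin"
    print("distinct outcomes over 1000 retries:",
          retry_outcomes(seed, coin, 7, 500, 0.1, 1000))
    moved_id, moved_age = move_coin(coin, 1)
    print("moved coin can stake immediately:",
          kernel_hit(seed, moved_id, 7, moved_age, 1.0))
    for n, prob in majority_table(0.1, [1, 3, 11, 51, 101]):
        print(f"10% share, {n:3d} slots: {prob:.3e}")
```
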


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 01, 2015, 11:34:33 AM

As you said, an attacker can simply use coins that are old
enough and keep trying with them.  Those attacks would
be smaller than 200 block reorgs.

A common misconception is that you can "keep trying". What do you mean by keep trying?
You can try creating forks at every block of the main chain but the probability to create more blocks than the rest of the network combined over a significant period of time (significant doesn't have to be more than say 10 minutes) is negligible if you don't own a very large portion of the mining coins.
If you mean "keep trying" as in trying many times to create a fork at a given height, you simply cannot do that because the outcome will always be the same (since the computation is deterministic and the input is seeded on the mainchain). To get a different outcome and thus be able to "keep trying" the attacker needs to move his coins to the fork and that's when the minimum stake age kicks in.
This is what necessarily creates a lag.


Quote
As far as the new coins (or any coins), what you are not considering is that the blockchain
MUST find new blocks.

Assume you have a 10 percent stake, so you'd have a
1 in 10 chance of being awarded a block.  
Your argument is that you'd have a 10% chance (or .1 probability)
of succeeding at one block, .1^2 for two blocks in a row, .1^3 for
three blocks in a row, etc.

However, here's where that argument falls apart:

What if the block found "deterministically"
wasn't broadcast by the chosen stakeholder?  Now the network
must choose again, so you get another 10% chance.  This
process can continue ad infinitum in a grinding fashion.

What do you mean it can continue ad infinitum? What you're describing is basically the percentage of coins mining dropping to zero! This is not a realistic assumption!
The blocks that should mine and don't are already taken into account in the computation because the attacker compares his stake to the total mining coins and not the total coins.

Exactly.  The percentage of mining from other people would drop to zero in a false chain that the attacker generates on his own through grinding.  It would have to, by definition, since the attacker must create the entire chain.  However, since no one really knows who owns what coins, the network would not be able to tell the difference except that perhaps there is a longer time than usual between blocks.  

Then, you might propose restricting chains with too long gaps between blocks.

Let's explore this idea further:  say you have a rule that says every minute I'm going to cut in half the hash value or requirement to forge a new block. So if you have a ten percent stake, you have a ten percent chance.  After two minutes it's twenty, after three minutes it's forty, and after four minutes it's eighty.  So based on that, let's say it's taking you 3.5 minutes between blocks.  (Keep in mind these spaces of 3.5 minutes would be time stamps only for the attacker, not real gaps of time.)

So if I broadcast a false chain, all the blocks are going to be about 3.5 minutes apart in their time stamps.

You might consider, say, a weighted function that decreases the chain's "effective length" when using the longest chain rule.  For example, we divide each block by the number of minutes, so that a block taking 3 minutes instead of 1 only counts for a third of a block. So now you would need a chain 3.5 times as long.  

But then attackers could simply build longer chains.  

You could in turn, prevent this from occurring in long range attacks
by creating an additional rule that the time stamps can't be
too far in the future, but it doesn't prevent shorter term grinding
attacks from older coins.

One idea I've seen to prevent these kinds of PoS attacks is Vitalik Buterin's suggestion of using security deposits, but even that doesn't solve the problem
because you can just attack once you get your deposit back, so it may lessen the frequency of attacks, similar to the 200 minute rule proposed here, but I don't think it stops them.

You also have to be careful with these kinds of rules and not making them too restrictive so you don't risk losing distributed consensus (blockchain fork) or the network halting because no chain is valid when an edge case arises involving low miner participation, ddos, etc, as well as opening up new attack vectors.  I don't think there is any free lunch.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on April 01, 2015, 05:39:49 PM

Exactly.  The percentage of mining from other people would drop to zero in a false chain that the attacker generates on his own through grinding.  It would have to, by definition, since the attacker must create the entire chain.  However, since no one really knows who owns what coins, the network would not be able to tell the difference except that perhaps there is a longer time than usual between blocks. 


Ok I think the reason why we had a hard time understanding each other is because you're talking about an entirely different implementation of PoS than that derived from Peercoin.
I guess it's closer to NXT's protocol although I'm not particularly familiar with it.

Explaining in detail how NeuCoin's (and Peercoin's) implementation works would be too long to do here but you can take a look at the white paper (sections 3.1 to 3.2 starting page 13) if you want more details.

However, it's not possible to grind through stakes the way you described. Basically, the kernel (which is the equivalent of the stake modifier in Peercoin) is designed in a way that prevents you from grinding in an efficient manner. This is explained in detail in section 3.3.3 of the white paper.


Quote
One idea I've seen to prevent these kinds of PoS attacks is Vitalik Buterin's suggestion of using security deposits, but even that doesn't solve the problem

I thought Vitalik's suggestion of using security deposits was linked to the problem of users mining on multiple branches in case of a network fork, not of attackers trying to rewrite history. I should go take another look at his post :)

If you find some time to read the technical part of the white paper I'd love to get your feedback on the attacks and whether you think there are more efficient attack vectors.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: uvt9 on April 01, 2015, 06:35:35 PM
Here we go again.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on April 01, 2015, 06:59:54 PM
In other words, can you "mine" with a permanently air gapped wallet?

Yes.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 01, 2015, 07:27:57 PM

Exactly.  The percentage of mining from other people would drop to zero in a false chain that the attacker generates on his own through grinding.  It would have to, by definition, since the attacker must create the entire chain.  However, since no one really knows who owns what coins, the network would not be able to tell the difference except that perhaps there is a longer time than usual between blocks.  


Ok I think the reason why we had a hard time understanding each other is because you're talking about an entirely different implementation of PoS than that derived from Peercoin.
I guess it's closer to NXT's protocol although I'm not particularly familiar with it.

Explaining in detail how NeuCoin's (and Peercoin's) implementation works would be too long to do here but you can take a look at the white paper (sections 3.1 to 3.2 starting page 13) if you want more details.

However, it's not possible to grind through stakes the way you described. Basically, the kernel (which is the equivalent of the stake modifier in Peercoin) is designed in a way that prevents you from grinding in an efficient manner. This is explained in detail in section 3.3.3 of the white paper.
 


I'm not particularly familiar with NXT or various implementations, I'm speaking in terms
of general principles.  Based on the whitepaper, there's a complex calculation involving
the UTXOs and the block headers of previous blocks. I still don't see how that prevents
"grinding" or using computational power to build a chain.

If it is difficult to compute, isn't that almost becoming proof of work and everything
that goes along with it?  (If it's difficult to compute for an "average" computer,
wouldn't an ASIC do it easily?)

You seem to be saying that it is not difficult to build a chain of 1 block, but it
is difficult to build a chain of many blocks under this implementation.
What exactly makes that possible?  I haven't seen any explanation of that assertion,
if that's what is being claimed.

(Please note that even with proof of work, building a longer chain technically
isn't exponentially more difficult than building a shorter chain. It only
becomes exponentially more unlikely to execute a successful 51%
attack because of the diminishing probability that you can keep up in a
LINEAR fashion in real time with the main chain)

Maybe I'm missing something, but it sounds like a self-defeating argument:

"We'll prevent this from turning into proof of work by making it really
hard to compute."  :P


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: achimsmile on April 01, 2015, 07:28:44 PM
you have to prove that you control private keys with a "balance"
It is enough to prove that an account "leased" you his minting/forging power.

Example:
Account A has a balance of 1M
Account B has a balance of 0

I make an offline transaction from my air gapped account A, saying that account B can generate blocks with the power of account A. Account A was never online and account B can now mint/forge with the power of 1M, without actually having access to the funds.

I do this all the time, it's pretty easy, just a few clicks required.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on April 01, 2015, 09:29:04 PM
So, what stops you from leasing your forging power to multiple people or leasing your forging power then selling the coins? When does the system check if the forging funds actually exist?

Couldn't I sell my wallet file (offchain) and continue to forge while not actually owning any "stake" as long as the new owner doesn't move the coins via the chain?

Maybe someone could point me to an easy to understand yet in depth explanation of forging?

You seem to have found a fatal flaw in leased forging!

PS: Don't read about forging! It's like virus - today you read about forging, tomorrow you sell your bitcoins, the day after tomorrow you start recruiting new zealots into PoS religion.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on April 01, 2015, 09:34:08 PM
Actually, it is really simple and easy, it is the major problem of PoS...

...with coin-age.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on April 01, 2015, 09:44:46 PM
I would genuinely like to understand it better, if only to increase my awareness. No links? I guess I'm being lazy and should search for the info myself.

Sorry, your post looked trollish because tricks that you mentioned are easily counteracted.

PS: https://wiki.nxtcrypto.org/wiki/Forging


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: achimsmile on April 02, 2015, 02:27:49 PM
So, what stops you from leasing your forging power to multiple people or leasing your forging power then selling the coins? When does the system check if the forging funds actually exist?

Couldn't I sell my wallet file (offchain) and continue to forge while not actually owning any "stake" as long as the new owner doesn't move the coins via the chain?

Maybe someone could point me to an easy to understand yet in depth explanation of forging?

You can sign the transaction offline, but you have to broadcast it to the network as well. (Sorry I did not mention it explicitly)
If you broadcast two leasing transactions successfully, the network will see both and cancel one.
If you only sign the transaction offline and don't broadcast, it will have no effect, as the network does not know about it.
If you sell your stake during leasing, the leased forging power will decrease by the spent amount.

Also see: http://wiki.nxtcrypto.org/wiki/Account_Leasing
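
The rules described in the post above, written as a toy ledger (an added example, not part of the original post and not NXT's implementation): forging power is recomputed from broadcast state, so a lease that was only signed does nothing, a second lease from the same account is refused, and spending shrinks the lessee's power. All names are hypothetical; refusing the later of two conflicting leases and giving the lessor no forging power of its own while the lease is active are assumptions, since the post says only that one lease is cancelled.

```python
class LeaseLedger:
    """Toy network state: balances plus at most one active lease per lessor."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.leases = {}  # lessor -> lessee

    def broadcast(self, tx):
        """Apply a transaction to network state; return True if it was accepted.

        Signature verification is out of scope for this model.
        """
        if tx["type"] == "lease":
            if tx["lessor"] in self.leases:
                return False  # conflicting second lease: refused (assumption)
            self.leases[tx["lessor"]] = tx["lessee"]
            return True
        if tx["type"] == "spend":
            if self.balances.get(tx["sender"], 0) < tx["amount"]:
                return False  # cannot spend more than the balance
            self.balances[tx["sender"]] -= tx["amount"]
            self.balances[tx["recipient"]] = (
                self.balances.get(tx["recipient"], 0) + tx["amount"]
            )
            return True
        return False

    def forging_power(self, account):
        """Power is derived from current balances at the moment it is checked."""
        # Assumption: a lessor forges with nothing while its lease is active,
        # so the same coins are never counted twice.
        own = 0 if account in self.leases else self.balances.get(account, 0)
        leased = sum(
            self.balances.get(lessor, 0)
            for lessor, lessee in self.leases.items()
            if lessee == account
        )
        return own + leased


def sign_lease(lessor, lessee):
    """Build a lease offline; it has no effect until it is broadcast."""
    return {"type": "lease", "lessor": lessor, "lessee": lessee}


def sign_spend(sender, recipient, amount):
    """Build a payment offline; it has no effect until it is broadcast."""
    return {"type": "spend", "sender": sender, "recipient": recipient, "amount": amount}


if __name__ == "__main__":
    # Constructed balances matching the post's example: A holds 1M, B holds 0.
    ledger = LeaseLedger({"A": 1_000_000, "B": 0, "C": 0})
    lease = sign_lease("A", "B")
    print("B before broadcast:", ledger.forging_power("B"))
    ledger.broadcast(lease)
    print("B after broadcast: ", ledger.forging_power("B"))
    print("second lease A->C accepted:", ledger.broadcast(sign_lease("A", "C")))
    ledger.broadcast(sign_spend("A", "D", 400_000))
    print("B after A spends 400k:", ledger.forging_power("B"))
```
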


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: spartacusrex on April 02, 2015, 02:55:50 PM

It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents

".. indicated .." -> this is economical nonsense

This is basic economy behavior, people always seek the lowest possible cost to get a coin, and the arbitraging will eventually make the cost close to coin's market price. The demand can go down, thus cause the cost to shrink, but the cost and price should always be close to each other

"If there is any demand..." -> what if something cannot be mined, how is the price determined?

A technical barrier to prevent others from entering competition? The cryptocurrencies are open source, the technology itself is free. PoS coin will be cloned to many tastes if it shows slightest sign of usefulness. Just like email, it could be useful but will not be valuable since value only exists where scarcity exists

If you take over the government, you can make a law to make people only use your PoS coin, then it will have value without cost, just like fiat money. But in a market driven environment, you can't create money out of thin air, money's value will always be close to their production cost


In fact PoS coin are more like a company's stock, whose value is backed by company's earnings and dividend. And I haven't seen any PoS coin are generating positive cash flow since the stake holders are not doing any business operation


I'm starting to think that this is the REAL issue..

Whether 'it is' or 'is not' possible to get a secure POS blockchain working, johnyj's argument is 'META' to all that.

He's saying that the price of the coin is fixed at,..'will tend to', what it costs a miner to make it. And in POS, this is always a small number, by design.

And before you jump in and say, 'You need a lot of POS coins to MINE that POS coin!'.., there seems to be a self-referential issue to that statement that makes it negate-itself.. [Cough] If you see what I mean.. Like a snake eating its tail..

What I mean is, the security of a POS network is dependent on the trustworthiness of the majority of Stakeholders.

I could run a POS network amongst people I know and trust, the members of my village maybe, and it would probably be MORE secure than any other POS coin out there, for me and my friends... Since it costs nothing 'in the REAL world' to run the network securely, just stake in my virtual coin.

The real 'Benefit' from one POS coin to another might be acceptance, not security. How many people accept a certain POS coin .. ?

There would need to be a way of exchanging all these coins for each other, or fiat,  or whatever, on some mega-exchange, but then, hey presto..

..

Maybe that's what will happen.. We'll just have thousands and thousands of different POS coins.. All exchanging for each other..

Come on CfB..  ;D ..

Do POS coins break the basic Economic tenet that says - 'The value of a good tends to its production cost'.. ?

And

Does it even matter if the Price of a POS coin IS set to its production cost.. Just need a lot of coins.. ?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on April 02, 2015, 03:48:03 PM
Why do you think "the value of a good tends to its production cost" applies universally? How do you account for things being perceived as 'sexy' or 'incredibly useful' or 'making things effortless or a fraction of the cost'?

You assume consumers are 100% rational and are not influenced by such things?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: spartacusrex on April 02, 2015, 03:56:11 PM
Why do you think "the value of a good tends to its production cost" applies universally? How do you account for things being perceived as 'sexy' or 'incredibly useful' or 'making things effortless or a fraction of the cost'?

You assume consumers are 100% rational and are not influenced by such things?

Sexxy POS !? I Like..

I AM saying that POS can be incredibly useful. But can it be valuable ?

I don't even know if the value matters, if we can understand just quite how useful it could be..


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: spartacusrex on April 02, 2015, 04:05:57 PM
For Instance..

The Asset Exchange on NXT is 'almost' separate from the value of NXT itself. It certainly makes users want to choose it, like someone picking the NASDAQ or London Stock Exchange, given its reputation and standing.

POS Tech has enabled a decentralised secure low-energy-usage exchange to operate in a way unimagined BB (Before Bitcoin).

That's useful.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: CloakT on April 02, 2015, 04:09:14 PM
So instead of a cartel of miners you'll get a cartel of crypto-banks and exchanges with lots of coins in their cold wallets for which they'll additionally earn interest, without having to reinvest in new generation hardware. MtGox would have dominated a PoS-version of Bitcoin quite exclusively back then.

Not that I know of any better solution, concentration of wealth and power seems to be a general problem inherent in capitalism, or possibly even any imaginable form of human society.

Would that mean exchanges would not have to take fees from users then? Enabling fee free trading?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: achimsmile on April 02, 2015, 04:10:30 PM
spartacusrex, your theory is constantly falsified in reality:

Collectors' items tend to cost a lot more than their production cost
When 1 bitcoin was >1000$, production cost was a lot lower than that, if you didn't pay crazy high electricity rates.
A 100$ bill is worth more than the fancy paper (yes, because the government guarantees it).

In the PoS currency that I use, I gain about a magnitude more fees than what I pay for electricity to produce the blocks.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Minerjoe on April 02, 2015, 04:25:22 PM
It's definitely more user friendly for ordinary small miners/minters. Big guys cannot crowd us out just like that.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: spartacusrex on April 02, 2015, 05:55:17 PM
spartacusrex, your theory is constantly falsified in reality:

Collectors' items tend to cost a lot more than their production cost
When 1 bitcoin was >1000$, production cost was a lot lower than that, if you didn't pay crazy high electricity rates.
A 100$ bill is worth more than the fancy paper (yes, because the government guarantees it).

In the PoS currency that I use, I gain about a magnitude more fees than what I pay for electricity to produce the blocks.

Hmmm.. Well 'Collector's Items' are a little special.. I agree.

As for the Bitcoin and POS statements, we are simply too early to make any judgement calls about what, quite frankly, the Hell is going on.. ???

I'm referring to a future where crypto is more established and understood.

When I think of mobile phones, TV's, cars, computers,  etc etc.. they all tend to cost pretty much the production cost..  Except when you pay just for the label.. Like apple.. .. ..

Or not ?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on April 02, 2015, 06:03:43 PM
Apple is sexy taken care of.

What makes New York or London Stock Exchange more valuable than Toronto or Madrid? Is 'cloning' the NYSE a ticket to untold riches?

Would you invest in a carbon copy startup of facebook today?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on April 02, 2015, 06:58:54 PM
Although "the value of a good tends to its production cost" is not wrong in many cases you cannot reverse the argument. Production cost comprises a lot more than electricity. Wasting energy doesn't produce value. And Bitcoin mining means wasting a lot of energy (to secure the network and to distribute coins) as soon as we observe that the same result can be generated using other (less costly) methods. It is possible that PoS can fill the gap here (and that's probably also the reason why loads of Legendary members and even Bitcoin developers spread FUD about PoS).



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 02, 2015, 07:18:53 PM
Although "the value of a good tends to its production cost" is not wrong in many cases you cannot reverse the argument. Production cost comprises a lot more than electricity. Wasting energy doesn't produce value. And Bitcoin mining means wasting a lot of energy (to secure the network and to distribute coins) as soon as we observe that the same result can be generated using other (less costly) methods. It is possible that PoS can fill the gap here (and that's probably also the reason why loads of Legendary members and even Bitcoin developers spread FUD about PoS).



PoS has been discussed deeply by Bitcoin developers and it might be possible in the future to incorporate an element of PoS but so far I don't think there are any implementations suggested that improve overall security.  Even when I asked Meni R., whose PoW/PoS implementation is on the Bitcoin wiki, he basically said it wasn't going to work.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: lucasjkr on April 02, 2015, 07:22:13 PM
So instead of a cartel of miners you'll get a cartel of crypto-banks and exchanges with lots of coins in their cold wallets for which they'll additionally earn interest, without having to reinvest in new generation hardware. MtGox would have dominated a PoS-version of Bitcoin quite exclusively back then.

Not that I know of any better solution, concentration of wealth and power seems to be a general problem inherent in capitalism, or possibly even any imaginable form of human society.

I forget, is miners being forced (if they want to remain competitive) to continually throw away old hardware and buy new hardware a positive thing?

And yes, people with larger balances that they can stake will earn more than people with smaller balances, but everyone would have the opportunity to earn proportionate to their balances, rather than the mining world which is getting more and more consolidated.

If it's just about income, people will migrate to services that share more of that income with their depositors/investors, or else be actually motivated to hold their own coins.

If it's consolidated power, such a set up would allow the community to have a say; if they saw that one exchange or wallet service was accruing too much power, it would be trivial to shift their coins elsewhere to balance things out. Far more democratic than the mining cartels were or are. Way back when, we basically had to take friedcat's word that ASICMiner wouldn't account for more than 30% of the network, but no way to keep them in check.


None of this sounds bad, and in fact sounds preferable. If course, there is huge vested interest that will be opposed to such an idea. Mining pool operators. Miners themselves. Who will either say if you want POS, go for a different coin, rather than try to envision a way forward fir Bitcoin itself; I still think that ASICSZ were detrimental to the community, as it drastically reduced the democracy of the ecosystem, replaced a single investment in a set of GPUS with a never ending cycle of buying newer and newer asics to what end? Security? I don't think the network is anymore secure if it requires an attacker to invest $2bn in Gpus rather than $2bn in asics


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on April 02, 2015, 07:37:50 PM
Although "the value of a good tends to its production cost" is not wrong in many cases you cannot reverse the argument. Production cost comprises a lot more than electricity. Wasting energy doesn't produce value. And Bitcoin mining means wasting a lot of energy (to secure the network and to distribute coins) as soon as we observe that the same result can be generated using other (less costly) methods. It is possible that PoS can fill the gap here (and that's probably also the reason why loads of Legendary members and even Bitcoin developers spread FUD about PoS).

PoS has been discussed deeply by Bitcoin developers and it might be possible in the future to incorporate an element of PoS but so far I don't think there are any implementations suggested that improve overall security.  Even when I asked Meni R., whose PoW/PoS implementation is on the Bitcoin wiki, he basically said it wasn't going to work.

That's also how I understand it - IMO sad for Bitcoin. Too many smart people start to discover PoS, Bitcoin developers should change direction (again IMO).

PS: Speaking of Meni Rosenfeld, since I read the following I tend to put him in the category of FUD spreaders with an agenda as well:
"So they [BCNext] went with a centralized issuing, where the coin's creator gets all the proceeds from the issuing. Of course, this means the currency is not decentralized.
Probably, the creator wanted to get rich quick, and this contributed to the decision."

(source http://bitcoin.stackexchange.com/questions/36675/what-prevented-nxt-from-being-distributed-the-same-way-bitcoins-are )


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Mikestang on April 02, 2015, 07:51:39 PM
You don't get it. Bitcoin mining is supposed to be inefficient. Therein lies the very core of its trustworthiness.

See Andreas Antonopoulos explain this (https://www.youtube.com/watch?v=lIgjogLipvk&t=33m41s) very clearly in a few minutes.

This. For some reason people can't get their heads around the fact the difficulty levels are good and it's what makes the network bulletproof. I would rather trust PoW than PoS distribution.

Also, the inefficiency adds an intrinsic value to bitcoin - the cost to mine it.  Although the current value far surpasses this cost, it was this cost of inefficiency that gave bitcoin its initial "value", and it is this cost that will ensure that bitcoin always has a value.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on April 02, 2015, 07:55:23 PM
Also, the inefficiency adds an intrinsic value to bitcoin - the cost to mine it.  Although the current value far surpasses this cost, it was this cost of inefficiency that gave bitcoin its initial "value", and it is this cost that will ensure that bitcoin always has a value.

Now, this (bold) is dead wrong. (Assuming that you speak of a value > 0)


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: inBitweTrust on April 02, 2015, 08:02:58 PM
Now, this (bold) is dead wrong. (Assuming that you speak of a value > 0)

No, you sir are dead wrong.

There are enough of us fundamentalists that will ensure that bitcoin will always remain above 0 in price. Even if I am the only one buying it, the price will be above 0. I can afford to buy all Bitcoin mined and run a few ASICs myself to keep it going. It may drop down to a very low amount if only a few of us are buying but will never go to 0 out of respect for this project and what Satoshi has done.


You just don't get it do you?  Bitcoin represents a historic achievement and its tokens have value even if it's just for sentimental reasons to honor that achievement.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 02, 2015, 08:06:14 PM
Although "the value of a good tends to its production cost" is not wrong in many cases you cannot reverse the argument. Production cost comprises a lot more than electricity. Wasting energy doesn't produce value. And Bitcoin mining means wasting a lot of energy (to secure the network and to distribute coins) as soon as we observe that the same result can be generated using other (less costly) methods. It is possible that PoS can fill the gap here (and that's probably also the reason why loads of Legendary members and even Bitcoin developers spread FUD about PoS).

PoS has been discussed deeply by Bitcoin developers and it might be possible in the future to incorporate an element of PoS but so far I don't think there are any implementations suggested that improve overall security.  Even when I asked Meni R., whose PoW/PoS implementation is on the Bitcoin wiki, he basically said it wasn't going to work.

That's also how I understand it - IMO sad for Bitcoin. Too many smart people start to discover PoS, Bitcoin developers should change direction (again IMO).

PS: Speaking of Meni Rosenfeld, since I read the following I tend to put him in the category of FUD spreaders with an agenda as well:
"So they [BCNext] went with a centralized issuing, where the coin's creator gets all the proceeds from the issuing. Of course, this means the currency is not decentralized.
Probably, the creator wanted to get rich quick, and this contributed to the decision."

(source http://bitcoin.stackexchange.com/questions/36675/what-prevented-nxt-from-being-distributed-the-same-way-bitcoins-are )

I don't think we are in agreement actually.

It's not that they believe that PoS can work and
they are ignoring it to keep the status quo.
They just don't believe it can work, and
I can see why (see my previous posts in this thread).



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Cryddit on April 02, 2015, 08:07:21 PM
I had (and still have) pretty much the same opinion as Meni Rosenfeld about BCNext.  So if he's a FUD spreader, then so am I.

Anyway, the security of a PoW block chain is largely a matter of the miners expending a resource to support exactly one version of the block chain, which they cannot also use to support a different version of the block chain.  That is, they're committing a finite resource and, at the same time, showing that it is not also being used elsewhere.

That's really hard to match with a PoS system.  Locking up coins for a given number of rounds doesn't really provide security for the chain.

The only finite "stake flavored" resource I can come up with is transactions - and that's true only if the transactions cannot be played into both forks by an attacker.  If the transactions have to "stake" a recent block and are not valid in any chain that does not include that block, then they become a finite resource that can't also be used in support of a different branch.  An attacker could still try spending the same coins in both branches of the fork, and waiting for confirmation would be a lot more important because the tx you get won't be valid unless the branch it's staked in becomes the accepted branch.

Anyway, given all that -- the TxOuts that were created before the fork and used in transactions staked in blocks after the fork, can be counted as a resource spent in support of that branch.

The major advantage is that if an attacker tries to build an attack chain in secret, with everybody else in the world staking their tx in the visible block chain, he literally has to have a greater stake than everybody who makes a transaction while he's working or it's not going to work.  That's a guarantee ALMOST as good as PoW.  

But the tx being valid only in one branch of the fork opens up all kinds of games that attackers can play.  And while mining effort is very stable because miners mine at about the same rate whenever they've got their stuff turned on, Transactions as Proof of Stake is very sensitive to the timing of large spends, and a big spend in a fork that's nine blocks behind can force a reorg.  

So, although I think it's secure against VERY long forks, it's pretty horrible for deciding forks in a very short time the way PoW mining does.  So you'd have to use it in combination with something else.  

One thing about this is that it's the people making transactions who secure the block chain, so they deserve their part of the payment for securing the block chain.  The people who actually form blocks?  They can continue to form blocks by PoW or something, also contributing to the security of the block chain. They'll be needed until transaction volume gets high enough that it starts to be at least a little bit "steady" for purposes of short-term resolving stuff.  Thing is, that makes PoW necessary for YEARS, not weeks, and it only makes sense if the coin actually gets used.  It might work for Bitcoin at this point; but no alt that isn't seeing widespread actual use could sustain it.



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on April 02, 2015, 08:19:06 PM
Now, this (bold) is dead wrong. (Assuming that you speak of a value > 0)

No, you sir are dead wrong.

There are enough of us fundamentalists that will ensure that bitcoin will always remain above 0 in price. Even if I am the only one buying it, the price will be above 0. I can afford to buy all Bitcoin mined and run a few ASICs myself to keep it going. It may drop down to a very low amount if only a few of us are buying but will never go to 0 out of respect for this project and what Satoshi has done.

You just don't get it do you?  Bitcoin represents a historic achievement and its tokens have value even if it's just for sentimental reasons to honor that achievement.

This is a legendary post, I like you  :)

PS: Just for the record, I totally agree with you here "Bitcoin represents a historic achievement"


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on April 02, 2015, 08:22:23 PM
PS: Speaking of Meni Rosenfeld, since I read the following I tend to put him in the category of FUD spreaders with an agenda as well:
"So they [BCNext] went with a centralized issuing, where the coin's creator gets all the proceeds from the issuing. Of course, this means the currency is not decentralized.
Probably, the creator wanted to get rich quick, and this contributed to the decision."

(source http://bitcoin.stackexchange.com/questions/36675/what-prevented-nxt-from-being-distributed-the-same-way-bitcoins-are )

I've added my answer to that question.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on April 02, 2015, 08:23:30 PM
Although "the value of a good tends to its production cost" is not wrong in many cases you cannot reverse the argument. Production cost comprises a lot more than electricity. Wasting energy doesn't produce value. And Bitcoin mining means wasting a lot of energy (to secure the network and to distribute coins) as soon as we observe that the same result can be generated using other (less costly) methods. It is possible that PoS can fill the gap here (and that's probably also the reason why loads of Legendary members and even Bitcoin developers spread FUD about PoS).

PoS has been discussed deeply by Bitcoin developers and it might be possible in the future to incorporate an element of PoS but so far I don't think there are any implementations suggested that improve overall security.  Even when I asked Meni R., whose PoW/PoS implementation is on the Bitcoin wiki, he basically said it wasn't going to work.

That's also how I understand it - IMO sad for Bitcoin. Too many smart people start to discover PoS, Bitcoin developers should change direction (again IMO).

PS: Speaking of Meni Rosenfeld, since I read the following I tend to put him in the category of FUD spreaders with an agenda as well:
"So they [BCNext] went with a centralized issuing, where the coin's creator gets all the proceeds from the issuing. Of course, this means the currency is not decentralized.
Probably, the creator wanted to get rich quick, and this contributed to the decision."

(source http://bitcoin.stackexchange.com/questions/36675/what-prevented-nxt-from-being-distributed-the-same-way-bitcoins-are )

I don't think we are in agreement actually.

It's not that they believe that PoS can work and
they are ignoring it to keep the status quo.
They just don't believe it can work, and
I can see why (see my previous posts in this thread).


Yes, our opinions differ.

Yes, they don't believe it can. It remains to be seen what the future holds...


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: inBitweTrust on April 02, 2015, 08:36:55 PM
This is a legendary post, I like you  :)

PS: Just for the record, I totally agree with you here "Bitcoin represents a historic achievement"

Cheers brother. I heard many bitcoin advocates and critics suggest "Bitcoin will either go to over a million or 0" and I thought that was ludicrous. I think Bitcoin will either go to a few dollars or between 10k and millions for the simple reason that people still buy obsolete fiat currency like older Nigerian dollars or confederate notes for sentimental reasons.

 
One thing about this is that it's the people making transactions who secure the block chain, so they deserve their part of the payment for securing the block chain.  The people who actually form blocks?  They can continue to form blocks by PoW or something, also contributing to the security of the block chain. They'll be needed until transaction volume gets high enough that it starts to be at least a little bit "steady" for purposes of short-term resolving stuff.  Thing is, that makes PoW necessary for YEARS, not weeks, and it only makes sense if the coin actually gets used.  It might work for Bitcoin at this point; but no alt that isn't seeing widespread actual use could sustain it.

I agree with everything in your post and would love seeing a TaPoS layer, sidechain, or bitcoin wallet (using PoW and TaPoS) to strengthen the security of bitcoin. Simpler variants of PoS can easily be attacked with a 4% stake, but more elaborate TaPoS variants like Nxt and the crazy ideas that Vitalik has been dreaming up need much higher stakes of 20-30% to attack or different forms of sophisticated attacks where you compromise stakeholders or create a ponzi lease staking scheme. Certainly there are benefits to PoW above TaPoS and vice versa so I would love seeing them come together in time.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on April 02, 2015, 08:43:16 PM
I had (and still have) pretty much the same opinion as Meni Rosenfeld about BCNext.  So if he's a FUD spreader, then so am I.
With power comes responsibility. Therefore the occasional "IMO" or swallowing an entire statement would be welcomed.

Quote
Anyway, the security of a PoW block chain is largely a matter of the miners expending a resource to support exactly one version of the block chain, which they cannot also use to support a different version of the block chain.  That is, they're committing a finite resource and, at the same time, showing that it is not also being used elsewhere.

That's really hard to match with a PoS system.  Locking up coins for a given number of rounds doesn't really provide security for the chain.

The only finite "stake flavored" resource I can come up with is transactions - and that's true only if the transactions cannot be played into both forks by an attacker.  If the transactions have to "stake" a recent block and are not valid in any chain that does not include that block, then they become a finite resource that can't also be used in support of a different branch.  An attacker could still try spending the same coins in both branches of the fork, and waiting for confirmation would be a lot more important because the tx you get won't be valid unless the branch it's staked in becomes the accepted branch.

Anyway, given all that -- the TxOuts that were created before the fork and used in transactions staked in blocks after the fork, can be counted as a resource spent in support of that branch.

The major advantage is that if an attacker tries to build an attack chain in secret, with everybody else in the world staking their tx in the visible block chain, he literally has to have a greater stake than everybody who makes a transaction while he's working or it's not going to work.  That's a guarantee ALMOST as good as PoW.  

But the tx being valid only in one branch of the fork opens up all kinds of games that attackers can play.  And while mining effort is very stable because miners mine at about the same rate whenever they've got their stuff turned on, Transactions as Proof of Stake is very sensitive to the timing of large spends, and a big spend in a fork that's nine blocks behind can force a reorg.  

So, although I think it's secure against VERY long forks, it's pretty horrible for deciding forks in a very short time the way PoW mining does.  So you'd have to use it in combination with something else.  
You should have the guys from the consensus research group (http://consensusresearch.org/) analyze that kind of attack.
They have a thread here: https://bitcointalk.org/index.php?topic=829639.0

Quote
One thing about this is that it's the people making transactions who secure the block chain, so they deserve their part of the payment for securing the block chain.  The people who actually form blocks?  They can continue to form blocks by PoW or something, also contributing to the security of the block chain. They'll be needed until transaction volume gets high enough that it starts to be at least a little bit "steady" for purposes of short-term resolving stuff.  Thing is, that makes PoW necessary for YEARS, not weeks, and it only makes sense if the coin actually gets used.  It might work for Bitcoin at this point; but no alt that isn't seeing widespread actual use could sustain it.
OK, you propose at least some PoS influence - adds an additional layer of complexity though.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on April 02, 2015, 08:51:22 PM
PS: Speaking of Meni Rosenfeld, since I read the following I tend to put him in the category of FUD spreaders with an agenda as well:
"So they [BCNext] went with a centralized issuing, where the coin's creator gets all the proceeds from the issuing. Of course, this means the currency is not decentralized.
Probably, the creator wanted to get rich quick, and this contributed to the decision."

(source http://bitcoin.stackexchange.com/questions/36675/what-prevented-nxt-from-being-distributed-the-same-way-bitcoins-are )

I've added my answer to that question.

Cool, thanks Come-from-Beyond.

@NeuCoin people: This is your thread, didn't you want to "defend" your whitepaper?!
(Or are you currently busy reading up on other PoS implementations than the one of Peercoin  :D )


(I'm leaving now...)


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Mikestang on April 02, 2015, 08:57:22 PM
Also, the inefficiency adds an intrinsic value to bitcoin - the cost to mine it.  Although the current value far surpasses this cost, it was this cost of inefficiency that gave bitcoin its initial "value", and it is this cost that will ensure that bitcoin always has a value.

Now, this (bold) is dead wrong. (Assuming that you speak of a value > 0)

Well, the argument and counter point you put together are air tight, thanks for the contribution.  Your reply is a good example of 0 value.  :P


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 02, 2015, 09:09:31 PM
I had (and still have) pretty much the same opinion as Meni Rosenfeld about BCNext.  So if he's a FUD spreader, then so am I.

Anyway, the security of a PoW block chain is largely a matter of the miners expending a resource to support exactly one version of the block chain, which they cannot also use to support a different version of the block chain.  That is, they're committing a finite resource and, at the same time, showing that it is not also being used elsewhere.

That's really hard to match with a PoS system.  Locking up coins for a given number of rounds doesn't really provide security for the chain.

The only finite "stake flavored" resource I can come up with is transactions - and that's true only if the transactions cannot be played into both forks by an attacker.  If the transactions have to "stake" a recent block and are not valid in any chain that does not include that block, then they become a finite resource that can't also be used in support of a different branch.  An attacker could still try spending the same coins in both branches of the fork, and waiting for confirmation would be a lot more important because the tx you get won't be valid unless the branch it's staked in becomes the accepted branch.

Anyway, given all that -- the TxOuts that were created before the fork and used in transactions staked in blocks after the fork, can be counted as a resource spent in support of that branch.

The major advantage is that if an attacker tries to build an attack chain in secret, with everybody else in the world staking their tx in the visible block chain, he literally has to have a greater stake than everybody who makes a transaction while he's working or it's not going to work.  That's a guarantee ALMOST as good as PoW.  

But the tx being valid only in one branch of the fork opens up all kinds of games that attackers can play.  And while mining effort is very stable because miners mine at about the same rate whenever they've got their stuff turned on, Transactions as Proof of Stake is very sensitive to the timing of large spends, and a big spend in a fork that's nine blocks behind can force a reorg.  

So, although I think it's secure against VERY long forks, it's pretty horrible for deciding forks in a very short time the way PoW mining does.  So you'd have to use it in combination with something else.  

One thing about this is that it's the people making transactions who secure the block chain, so they deserve their part of the payment for securing the block chain.  The people who actually form blocks?  They can continue to form blocks by PoW or something, also contributing to the security of the block chain. They'll be needed until transaction volume gets high enough that it starts to be at least a little bit "steady" for purposes of short-term resolving stuff.  Thing is, that makes PoW necessary for YEARS, not weeks, and it only makes sense if the coin actually gets used.  It might work for Bitcoin at this point; but no alt that isn't seeing widespread actual use could sustain it.



Good post.  I'm curious how this idea of transactions would work
and how it is "almost as good as PoW".   Can't an attacker create
many chains that look like they have transactions (sent to one's self)
or how would the mechanics of this play out?  What is meant by
staking a certain block, and couldn't that be done retroactively
by an attacker at no cost?



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Cryddit on April 02, 2015, 10:20:22 PM

Good post.  I'm curious how this idea of transactions would work
and how it is "almost as good as PoW".   Can't an attacker create
many chains that look like they have transactions (sent to one's self)
or how would the mechanics of this play out?  What is meant by
staking a certain block, and couldn't that be done retroactively
by an attacker at no cost?


Right.  An attacker can play all sorts of silly-buggers with a TaPoS system in the short run; that's why I can't recommend it on its own.  So, yes, I'm envisioning a system with PoW mining as well, and the people making transactions getting paid for block chain security in the same ratio against the block subsidy that their transactions are counted relative to PoW mining for purposes of resolving blocks.  That's why "almost" as good as PoW.  

A TaPoS system becomes secure only when the "law of large numbers" means that the number of tx per block gets huge and starts to be a fairly constant amount -- the way mining effort is in a PoW system.

Staking a certain block means that when Alice sends Bob 5 coins, she gets paid a "stake security payment" amounting to interest on those 5 coins if she specifies ("stakes") a  very recent block that the transaction then depends on. The transaction has that block ID recorded in it, and isn't valid in any block chain that doesn't include the block Alice staked.

In the case of a block chain fork, TaPoS counts in favor of the fork that has the most coins spent - specifically in txOuts created before the fork and used in transactions staked after the fork.  If more than half the coins that were in existence as of a certain block have been spent - even once - in transactions staked after that block, then no reorg can EVER dislodge that block.  

That's a stronger guarantee than PoW can really make.  Although the combined hashing effort that's gone into the chain makes it impossible in practice that a reorg could ever undo more than ten or fifteen blocks, there's no mathematical guarantee.  In theory, a new block chain could emerge tomorrow that undoes every transaction back to the beginning.  It'll never happen, but there isn't a mathematical guarantee the way there is with a TaPoS system.  

In the short run, if there's a reorg that goes back before the staked block, Alice's payment to Bob disappears.  Bob is looking for (or waiting for) the stake block to be at least 6 blocks in the past to protect him from a reorg that reaches back past the transaction's stake block, the same way that in a PoW system it's wise to wait at least 6 blocks after the payment to protect you from a reorg that happens after the transaction.  

So if Bob wants to be extra-sure he gets paid, he protects himself from a reorg that goes back six blocks by demanding that Alice stake earlier.  He might just check some monitor to make sure there's no known fork in progress and that'll be it.  If Alice is just paying for coffee, he may let her stake the very last block, the same way coffee shops in a PoW system don't wait for the next block for confirmation.  

One nice thing about a TaPoS system is that miners are motivated to include all the tx they can; that makes their block the 'best block' if two are found and prevents it from getting orphaned.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 02, 2015, 11:51:42 PM

Good post.  I'm curious how this idea of transactions would work
and how it is "almost as good as PoW".   Can't an attacker create
many chains that look like they have transactions (sent to one's self)
or how would the mechanics of this play out?  What is meant by
staking a certain block, and couldn't that be done retroactively
by an attacker at no cost?


Right.  An attacker can play all sorts of silly-buggers with a TaPoS system in the short run; that's why I can't recommend it on its own.  So, yes, I'm envisioning a system with PoW mining as well, and the people making transactions getting paid for block chain security in the same ratio against the block subsidy that their transactions are counted relative to PoW mining for purposes of resolving blocks.  That's why "almost" as good as PoW.  


The obvious question is what happens when the subsidies end...then you're left with a pure TaPoS.

Quote


A TaPoS system becomes secure only when the "law of large numbers" means that the number of tx per block gets huge and starts to be a fairly constant amount -- the way mining effort is in a PoW system.

Staking a certain block means that when Alice sends Bob 5 coins, she gets paid a "stake security payment" amounting to interest on those 5 coins if she specifies ("stakes") a  very recent block that the transaction then depends on. The transaction has that block ID recorded in it, and isn't valid in any block chain that doesn't include the block Alice staked.

In the case of a block chain fork, TaPoS counts in favor of the fork that has the most coins spent - specifically in txOuts created before the fork and used in transactions staked after the fork.  If more than half the coins that were in existence as of a certain block have been spent - even once - in transactions staked after that block, then no reorg can EVER dislodge that block.  


Yeah but how do you implement that so you balance the TaPoS count with the proof of work.  You add some security by introducing an element, yet
take it away with the other hand by diminishing/diluting the requirements of PoW longest chain.



 


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Cryddit on April 03, 2015, 12:19:05 AM
I don't think you can possibly add anything that counts without making the thing that counts for EVERYTHING at the moment count for less than everything.

From my notes on how this is supposed to work:  

txSpend = total txouts that existed before fork, used in tx staked after fork

hashes = proof of work since fork
stake payments counted for security = the amount of the txSpend set times the interest rate for the full age of the txOuts or the *MEDIAN* age of the txOuts whichever is less. 

Priority = Hashes * (Block subsidy awarded + stake payments)

So while there are no tx, priority is exactly like Proof-of-work.  When there are a few, TaPoS becomes essentially a tie-breaker deciding which of two recent blocks gets orphaned.  But as block subsidies gradually get smaller and the stake awards gradually get proportionally bigger, TaPoS becomes the dominant consideration in resolving forks.  

It's an interesting experiment that I think I'm going to do in an altcoin, and which I think somebody *HAS* to do in an altcoin before it would be responsible to even propose it for Bitcoin.   Assuming stake payments at some economically sane rate like ten percent annually, and a constant mining award, it would be about eight years before transactions counted for as much as mining.  Or you could think of that as a "reward halving time" of eight years for the miners if you'd rather - relative to the entire money supply that would be equivalent.

Yes, I am a mad scientist.  I propose running an experiment on human beings.  Would you like to be a test subject?
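
A sketch of the fork-resolution notes above, combined with the block-staking rule from Cryddit's earlier post, added here as an illustration; it is not code from any poster or project. Assumptions: 10-minute blocks, simple (non-compounding) interest, each output's age capped at the median age of the counted set, and every class, function and sample value below is hypothetical.

```python
from dataclasses import dataclass
from statistics import median

BLOCKS_PER_YEAR = 52_560   # assumption: one block every 10 minutes
ANNUAL_RATE = 0.10         # the "ten percent annually" figure from the post
FORK_HEIGHT = 200_000      # constructed sample value

@dataclass(frozen=True)
class TxOut:
    out_id: str
    amount: float
    created_height: int

@dataclass(frozen=True)
class Tx:
    inputs: tuple          # TxOut objects being spent
    staked_block: str      # id of the recent block this tx depends on

@dataclass(frozen=True)
class Block:
    block_id: str
    height: int
    hashes: float          # expected hashes spent mining this block
    subsidy: float
    txs: tuple = ()

def tx_valid_in(tx, chain_block_ids):
    """A staked tx is valid only in a chain that contains its staked block."""
    return tx.staked_block in chain_block_ids

def tx_spend(branch, fork_height):
    """txOuts created at or before the fork and spent in txs staked in this
    branch. Returns {out_id: (TxOut, spend height)}; each output counts once."""
    branch_ids = {b.block_id for b in branch}
    counted = {}
    for block in branch:
        for tx in block.txs:
            if tx.staked_block not in branch_ids:
                continue   # staked before the fork: says nothing about a branch
            for out in tx.inputs:
                if out.created_height <= fork_height:
                    counted.setdefault(out.out_id, (out, block.height))
    return counted

def stake_payments(counted):
    """Interest on each counted output for min(its own age, median age)."""
    if not counted:
        return 0.0
    ages = {oid: h - out.created_height for oid, (out, h) in counted.items()}
    cap = median(ages.values())
    return sum(out.amount * ANNUAL_RATE * min(ages[oid], cap) / BLOCKS_PER_YEAR
               for oid, (out, _) in counted.items())

def priority(branch, fork_height):
    """Priority = Hashes * (Block subsidy awarded + stake payments)."""
    hashes = sum(b.hashes for b in branch)
    subsidy = sum(b.subsidy for b in branch)
    return hashes * (subsidy + stake_payments(tx_spend(branch, fork_height)))

def best_branch(branches, fork_height):
    return max(branches, key=lambda name: priority(branches[name], fork_height))

def pow_only_choice(branches):
    """What a pure most-work rule would pick, for comparison."""
    return max(branches, key=lambda name: sum(b.hashes for b in branches[name]))

def build_example():
    """Constructed data: two 2-block branches after FORK_HEIGHT."""
    spend_h = FORK_HEIGHT + 2
    old = lambda oid, amount, age: TxOut(oid, amount, spend_h - age)
    # Users spend three pre-fork outputs aged 1, 2 and 0.5 years, staked on A1.
    honest_tx = Tx((old("o1", 100, 52_560), old("o2", 100, 105_120),
                    old("o3", 100, 26_280)), staked_block="A1")
    honest = (Block("A1", FORK_HEIGHT + 1, 1000, 25),
              Block("A2", spend_h, 1000, 25, (honest_tx,)))
    # The secret branch has more work, but its only tx re-spends an output
    # created after the fork (a send-to-self), which is never counted.
    self_send = Tx((TxOut("x1", 1_000_000, FORK_HEIGHT + 1),), staked_block="B1")
    attacker = (Block("B1", FORK_HEIGHT + 1, 1100, 25),
                Block("B2", spend_h, 1100, 25, (self_send,)))
    return {"honest": honest, "attacker": attacker}

if __name__ == "__main__":
    branches = build_example()
    for name, branch in branches.items():
        print(name, priority(branch, FORK_HEIGHT))
    print("PoW only:", pow_only_choice(branches))
    print("Priority:", best_branch(branches, FORK_HEIGHT))
```

In this constructed case the branch with less hashing wins on priority because users staked old coins on it, while a large send-to-self of post-fork coins adds nothing to the competing branch.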


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 03, 2015, 12:47:35 AM
All very interesting ideas.
 
I think the idea of alternating blocks of PoS and PoW
might be fruitful, but again, it needs to be implemented
correctly, and again one of the issues is how do you issue
the blocks.

I'm also in favor of alt coin promoters writing and publishing
simulation and testing software proving the security of their
coin if they think they have a better idea.
Just publishing a white paper with some fancy formulas
is "fine" if you're trying to look good but at the end
of the day, it has to stand up to scrutiny.  That's
probably why most of the "serious" developers aren't
even reading these threads.

Real value will prove itself.

Ironically, someone recently published a PoS research paper with software
(I think they called themselves "consensus research" or something),
and they actually showed that the nothing-at-stake
attack was real and that even with a 1% stake,
an attacker can cause problems.  Several PoS
proponents then inverted their conclusions on this forum, claiming
that it proved how safe PoS is! lol.



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Cryddit on April 03, 2015, 01:24:49 AM
PoS as usually implemented means "Piece of Shit."  Excuse my language, but it's simply bad protocol design.  Those guys who have a brief mining period, or an IPO, or whatever, aren't distributing it to enough people for any kind of PoS to be stable, let alone the broken kind of PoS they're implementing where people just lock up coins for the ability to form blocks and get paid for that.  

One person's locked-up coins do not matter when you're deciding security for ALL of the users.  If you're going to measure stake you have to do it in a way that counts everybody's or you'll have someone preparing an attack chain in secret.  And you have to have a very wide distribution before the law of large numbers statistically smooths out the amount of stake observed per block. And you have to pay the people who are providing security (that is to say, everybody who makes transactions).  The people doing PoW are doing security for PoW block chains so the block subsidy to them is appropriate.  But if you're counting everybody's stake, you have to distribute payments to people according to how much security everybody contributes to the chain. 

Finally, and most crucially, you have to have a limited finite resource (in TaPoS, the transactions committed to one side of the fork or the other) that cannot go to both branches of a fork, or else you have the nothing-at-stake problem.  

Proof of stake doesn't have to be anywhere near that bad.  



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on April 03, 2015, 05:53:00 AM

Ironically, someone recently published a PoS research paper with software
(I think they called themselves "consensus research" or something),
and they actually showed that the nothing-at-stake
attack was real and that even with a 1% stake,
an attacker can cause problems.  Several PoS
proponents then inverted their conclusions on this forum, claiming
that it proved how safe PoS is! lol.

Despite going over their findings several times, you choose to see what you want to see. Consensus Research themselves say the 1% attack described by Vitalik is garbage. You claim to understand but you only refer to their 3rd published paper which suits your opinion if you ignore everything else they said. And you have the gall to accuse others of inverting!    :D :D ;D

This being the 5-6th time we have discussed this same thing, it is obvious this is some kind of religious debate to you. So I'll leave it to others to repeat themselves and re-rake over old ground.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 03, 2015, 05:54:40 AM

Ironically, someone recently published a PoS research paper with software
(I think they called themselves "consensus research" or something),
and they actually showed that the nothing-at-stake
attack was real and that even with a 1% stake,
an attacker can cause problems.  Several PoS
proponents then inverted their conclusions on this forum, claiming
that it proved how safe PoS is! lol.

Despite going over their findings several times, you choose to see what you want to see. Consensus Research themselves say the 1% attack described by Vitalik is garbage. You claim to understand but you only refer to their 3rd published paper which suits your opinion if you ignore everything else they said. And you have the gall to accuse others of inverting!    :D :D ;D

This being the 5-6th time we have discussed this same thing, it is obvious this is some kind of religious debate to you. So I'll leave it to others to repeat themselves and re-rake over old ground.

Never read any of the other papers, and not going to debate this with you again.  Feel free to post the link to the white papers and let readers make up their own mind.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on April 03, 2015, 05:56:36 AM
Finally, and most crucially, you have to have a limited finite resource (in TaPoS, the transactions committed to one side of the fork or the other) that cannot go to both branches of a fork, or else you have the nothing-at-stake problem.  

Why do you think this? What if "mining on all branches you see" in POS actually made the network more,  not less, secure?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on April 03, 2015, 05:59:27 AM

Ironically, someone recently published a PoS research paper with software
(I think they called themselves "consensus research" or something),
and they actually showed that the nothing-at-stake
attack was real and that even with a 1% stake,
an attacker can cause problems.  Several PoS
proponents then inverted their conclusions on this forum, claiming
that it proved how safe PoS is! lol.

Despite going over their findings several times, you choose to see what you want to see. Consensus Research themselves say the 1% attack described by Vitalik is garbage. You claim to understand but you only refer to their 3rd published paper which suits your opinion if you ignore everything else they said. And you have the gall to accuse others of inverting!    :D :D ;D

This being the 5-6th time we have discussed this same thing, it is obvious this is some kind of religious debate to you. So I'll leave it to others to repeat themselves and re-rake over old ground.

Never read any of the other papers, and not going to debate this with you again.  Feel free to post the link to the white papers and let readers make up their own mind.

There is no debate  :D see if you can get Cryddit to agree that your position is reasonable, given the evidence.  Or if he/she thinks you have a severe case of cherry picking to prop up your own ingrained beliefs.  That would be interesting to see..


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 03, 2015, 06:40:25 AM
My position on what exactly?  Cryddit stated several times that most PoS has issues.
He's proposing PoW + TaPoS.  Not sure what your point is.


 


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Cryddit on April 03, 2015, 06:48:28 AM
Finally, and most crucially, you have to have a limited finite resource (in TaPoS, the transactions committed to one side of the fork or the other) that cannot go to both branches of a fork, or else you have the nothing-at-stake problem.  

Why do you think this? What if "mining on all branches you see" in POS actually made the network more,  not less, secure?

Have you invented a protocol in which it does? If so I'd be genuinely interested in how it works. Remember, the primary point of block chain protocol is to swiftly and impartially come to a shared consensus of what version of history we believe.  If someone says "all of them" then by any methodology we understand now, it doesn't help much. 


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on April 03, 2015, 06:51:29 AM
Did Consensus Research say the 1% stake attack is feasible or BS? The bit about inverting things was my point.

Did Consensus Research say Nothing @stake was something to worry about or that it was completely overblown BS (I'm paraphrasing  ;D ) again, the bit about inverting was my point.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on April 03, 2015, 07:05:08 AM
Finally, and most crucially, you have to have a limited finite resource (in TaPoS, the transactions committed to one side of the fork or the other) that cannot go to both branches of a fork, or else you have the nothing-at-stake problem.  

Why do you think this? What if "mining on all branches you see" in POS actually made the network more,  not less, secure?

Have you invented a protocol in which it does? If so I'd be genuinely interested in how it works. Remember, the primary point of block chain protocol is to swiftly and impartially come to a shared consensus of what version of history we believe.  If someone says "all of them" then by any methodology we understand now, it doesn't help much. 

I haven't, no  :D but research (with published models to review their findings) says that "mining on every chain" is a benefit to the network as the number of branches you see grows exponentially with time and so tends towards proof of work when trying to "simply build a longer chain". As the nothing at stake criticisms haven't progressed beyond vague words and hand waving, Consensus Research defined 4 different definitions, based on the forum debates.

You seem an open minded person ;) take a look here: https://bitcointalk.org/index.php?topic=897488.0

Keep an eye out for the paper on multibranch forging ("mining every chain you see")


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: johnyj on April 03, 2015, 01:50:09 PM

It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents

".. indicated .." -> this is economical nonsense

This is basic economy behavior, people always seek the lowest possible cost to get a coin, and the arbitraging will eventually make the cost close to coin's market price. The demand can go down, thus cause the cost to shrink, but the cost and price should always be close to each other

"If there is any demand..." -> what if something cannot be mined, how is the price determined?

A technical barrier to prevent others from entering competition? The cryptocurrencies are open source, the technology itself is free. PoS coin will be cloned to many tastes if it shows slightest sign of usefulness. Just like email, it could be useful but will not be valuable since value only exists where scarcity exists

If you take over the government, you can make a law to make people only use your PoS coin, then it will have value without cost, just like fiat money. But in a market driven environment, you can't create money out of thin air, money's value will always be close to their production cost

In fact PoS coin are more like a company's stock, whose value is backed by company's earnings and dividend. And I haven't seen any PoS coin are generating positive cash flow since the stake holders are not doing any business operation


Please answer the question: "what if something cannot be mined, how is the price determined?"
(Let's forget about PoS or PoW for the moment)

Unless forced by government like fiat money, price is always decided by supply and demand. If the coin can not be mined, the demand will drop quickly, since the most important character of cryptocurrency is that people can create money by themselves

In fact that's also a concern for bitcoin when most of the coins are mined, by then transaction fee will take over. With a larger block size, I foresee that transaction fee will rise to the same level as block reward in 20 years



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 03, 2015, 03:17:19 PM
Finally, and most crucially, you have to have a limited finite resource (in TaPoS, the transactions committed to one side of the fork or the other) that cannot go to both branches of a fork, or else you have the nothing-at-stake problem.  

Why do you think this? What if "mining on all branches you see" in POS actually made the network more,  not less, secure?

Have you invented a protocol in which it does? If so I'd be genuinely interested in how it works. Remember, the primary point of block chain protocol is to swiftly and impartially come to a shared consensus of what version of history we believe.  If someone says "all of them" then by any methodology we understand now, it doesn't help much. 

I haven't, no  :D but research (with published models to review their findings) says that "mining on every chain" is a benefit to the network as the number of branches you see grows exponentially with time and so tends towards proof of work when trying to "simply build a longer chain". As the nothing at stake criticisms haven't progressed beyond vague words and hand waving, Consensus Research defined 4 different definitions, based on the forum debates.

You seem an open minded person ;) take a look here: https://bitcointalk.org/index.php?topic=897488.0

Keep an eye out for the paper on multibranch forging ("mining every chain you see")


With all due respect, if you're only understanding the nothing-at-stake issue as "vague words and hand waving", perhaps you do not really understand those criticisms?  I say that because to me, those criticisms are clear and logical. 

Regarding multiple chains, the simplest way to put it is: more chains = more reorgs = weaker security.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on April 03, 2015, 03:35:56 PM
Regarding multiple chains, the simplest way to put it is: more chains = more reorgs = weaker security.

More reorgs = weaker security is correct... for PoW. For PoS you are supposed to provide reasoning that proves your claim.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 03, 2015, 03:42:21 PM
Regarding multiple chains, the simplest way to put it is: more chains = more reorgs = weaker security.

More reorgs = weaker security is correct... for PoW. For PoS you are supposed to provide reasoning that proves your claim.

A reorg is a reorg, meaning not everyone is on the same page (consensus) as far as the blockchain history,
and that's a bad thing, regardless of how the blocks of transactions are being chained together (Pow or Pos).


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Cryddit on April 03, 2015, 03:45:40 PM

Also more reorgs means it's easier for Mallory to cause a reorg whenever it suits his nefarious purposes.  Want to double spend your coins?  Spend them, cause a reorg, spend them again, done. 


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on April 03, 2015, 03:48:38 PM
A reorg is a reorg, meaning not everyone is on the same page (consensus) as far as the blockchain history,
and that's a bad thing, regardless of how the blocks of transactions are being chained together (Pow or Pos).

Is it the only reasoning you are able to provide?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Cryddit on April 03, 2015, 03:56:45 PM
A reorg is a reorg, meaning not everyone is on the same page (consensus) as far as the blockchain history,
and that's a bad thing, regardless of how the blocks of transactions are being chained together (Pow or Pos).

Is it the only reasoning you are able to provide?

Umm, it seems like pretty sound reasoning to me.  Much, much better reasoning than the ten words of yours I just quoted. 

I accept as an axiom that the purpose of the block chain protocol is to come to a shared consensus about what actually happened and what therefore can happen next. 

A reorg means that consensus is not shared -- therefore meaning, for the time that it persists, the purpose of the block chain protocol is not being fulfilled. 

Because a lack of shared consensus is a condition that enables people to double spend, or allows people who have been paid to have those payments undone and be deprived of their money, I characterize this failure as a "security failure." 

This is crystal clear.  Are you trolling, or just stupid?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: LiQio on April 03, 2015, 03:58:19 PM

It is not backed by, but indicated by energy consumption and chip R&D investment

If there is any demand for a certain coin, people will use the lowest possible cost to get that coin, that will eventually drive the mining cost close to buying cost

Imagine that a PoS coin cost 3 cents to mine but cost $3 to buy, then everyone will mine it instead of buy it, and they will sell the mined coin immediately to cash in a 99% gain. The value of PoS coin thus will stay forever at 3 cents

".. indicated .." -> this is economical nonsense

This is basic economy behavior, people always seek the lowest possible cost to get a coin, and the arbitraging will eventually make the cost close to coin's market price. The demand can go down, thus cause the cost to shrink, but the cost and price should always be close to each other

"If there is any demand..." -> what if something cannot be mined, how is the price determined?

A technical barrier to prevent others from entering competition? The cryptocurrencies are open source, the technology itself is free. PoS coin will be cloned to many tastes if it shows slightest sign of usefulness. Just like email, it could be useful but will not be valuable since value only exists where scarcity exists

If you take over the government, you can make a law to make people only use your PoS coin, then it will have value without cost, just like fiat money. But in a market driven environment, you can't create money out of thin air, money's value will always be close to their production cost

In fact PoS coin are more like a company's stock, whose value is backed by company's earnings and dividend. And I haven't seen any PoS coin are generating positive cash flow since the stake holders are not doing any business operation


Please answer the question: "what if something cannot be mined, how is the price determined?"
(Let's forget about PoS or PoW for the moment)

Unless forced by government like fiat money, price is always decided by supply and demand. If the coin can not be mined, the demand will drop quickly, since the most important character of cryptocurrency is that people can create money by themselves

In fact that's also a concern for bitcoin when most of the coins are mined, by then transaction fee will take over. With a larger block size, I foresee that transaction fee will rise to the same level as block reward in 20 years

I'm sorry, but you are obviously not interested in any kind of discussion that takes us a step further:
Quote
"If the coin can not be mined, the demand will drop quickly, since the most important character of cryptocurrency is that people can create money by themselves".
Why else would you state such things as facts  ???

And thanks for the supply and demand lecture that's of course a true statement but also another head-shot for our discussion.

johnyj wish you all the best and hope the box you're living in grows over time.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 03, 2015, 04:00:34 PM
A reorg is a reorg, meaning not everyone is on the same page (consensus) as far as the blockchain history,
and that's a bad thing, regardless of how the blocks of transactions are being chained together (Pow or Pos).

Is it the only reasoning you are able to provide?

To address your point:
Quote
More reorgs = weaker security is correct... for PoW. For PoS you are supposed to provide reasoning that proves your claim.

...it is the only reasoning required.

I'm not sure how much elaboration is possible, as this is a fundamental concept.
Reorgs are the manifestation of the breakdown of distributed consensus
in a blockchain and should be ideally minimized both in frequency and in severity.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Fatov on April 03, 2015, 04:09:21 PM
Bitcoin won't be switching to a POS system any time soon, too many people love their POW and their miners, especially the ones with millions invested. If you want a POS system just hoard Peercoin.
We must support BTC, I don't care about miners.
In fact, I prefer PoW but we need a halving soon haha


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on April 03, 2015, 04:19:25 PM
This is crystal clear.  Are you trolling, or just stupid?

I must be stupid because there is a whitepaper that proves the opposite to "more chains = weaker security" and I can't get how adding "more reorgs" in the middle changes things so drastically.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on April 03, 2015, 04:22:11 PM

I'm not particularly familiar with NXT or various implementations, I'm speaking in terms
of general principles.  Based on the whitepaper, there's a complex calculation involving
the UTXOs and the block headers of previous blocks. I still don't see how that prevents
"grinding" or using computational power to build a chain.

If it is difficult to compute, isn't that almost becoming proof of work and everything
that goes along with it?  (If it's difficult to compute for an "average" computer,
wouldn't an ASIC do it easily?)



The issue with discussion about grinding is that as long as you don't go into specifics it's difficult to really make progress!!!
I didn't say it was "difficult" to compute but that grinding was made extremely inefficient.
As an order of magnitude, an attacker with 1 ASIC miner (1TH/S) would need ~33% of the mining coins to perform a 51% attack while an attacker with the entire hash rate of the bitcoin network (~300PH/S) would need ~30%. That's what inefficient means.
The advantage you can get through grinding is highly non-linear.

More generally, it's difficult to answer objections about grinding if the argument specify through which parameter you are trying to grind.


Quote
You seem to be saying that it is not difficult to build a chain of 1 block, but it
is difficult to build a chain of many blocks under this implementation.  
What exactly makes that possible?  I haven't seen any explanation of that assertion,
if that's what is being claimed.

What is difficult (actually probabilistically impossible without large portion of the coins) is to build a chain that is longer than the main chain at any point.
Let me explain, using a relatively simple example:
Unlike in PoW, building a chain in PoS doesn't take time. You could create a fork and know practically immediately what the trust of your fork will be X days from now.
Let's imagine you've got 10% of the coins. What is the probability that you'll be longer than the main chain after it has built 10 blocks? The answer is ~10^-6

From that, you'd be tempted to conclude that you can try again ("grind") many times and that at some point you'll win, because after all 10^6 attempts is nothing even for a laptop.
However, and that's where specifying what you grind through is important, the only way to "try" more than once is to change the kernel of your 10% of coins mining. The best way to do that is to change the parameters of the kernel inherited from the UTXO by sending all the coins to the fork. That's when the minimum stake age kicks in. It will prevent these stakes from mining for 1.6 days (in NeuCoin's case) so the attacker's fork will basically be "losing" 1.6 days worth of blocks he could've mined had his stakes been allowed to.

This period during which he cannot mine is devastating for his performance. It's similar to starting 1.6 days behind in PoW. With 10% the probability to succeed is null.

Maybe another thing I should point out is that nodes do not accept blocks created with a proof that has a timestamp too far in the future (otherwise forking would obviously be trivial).








Maybe I'm missing something, but it sounds like a self-defeating argument:

"We'll prevent this from turning into proof of work by making it really
hard to compute."  :P
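
Added example (not part of koubiac's post, and not code from the NeuCoin white paper): a simple race model that reproduces the order of magnitude of the "10% of the coins, 10 blocks" figure above and shows how a minting lockout lowers it further. The block-by-block race model and the `frozen` parameter (main-chain blocks minted while the attacker's moved coins are below the minimum stake age) are assumptions of this sketch.

```python
"""Race model for a private PoS fork. Added example; the model is an assumption."""


def p_fork_longer(q, n, frozen=0, rel_tol=1e-15):
    """Probability that a private fork is strictly longer than the main chain
    at the moment the main chain reaches n blocks past the fork point.

    q      -- attacker's fraction of the minting stake (honest side has 1 - q)
    n      -- main-chain blocks built since the fork
    frozen -- how many of those n blocks were minted while the attacker's
              coins could not mint at all (minimum stake age lockout)

    While both sides mint, each new block is the attacker's with probability q
    and the main chain's with probability 1 - q. The attacker's block count k
    at the main chain's r-th contested block is negative binomial:
        P(k) = C(k + r - 1, k) * q**k * (1 - q)**r,   r = n - frozen
    and the fork is longer when k > n.
    """
    if not 0.0 < q < 1.0:
        raise ValueError("q must be a stake fraction strictly between 0 and 1")
    if not 0 <= frozen <= n:
        raise ValueError("frozen must be between 0 and n")
    p = 1.0 - q
    r = n - frozen
    if r == 0:
        return 0.0  # the attacker never got to mint a single block

    # Walk P(0), P(1), ... with the recurrence P(k+1) = P(k) * q * (k+r)/(k+1)
    # and sum the tail k > n directly (no 1 - CDF cancellation for tiny values).
    term = p ** r
    total = 0.0
    k = 0
    while True:
        if k > n:
            total += term
            if term <= rel_tol * total:
                break
        term *= q * (k + r) / (k + 1)
        k += 1
    return total


def expected_regrinds(q, n, frozen=0):
    """Mean number of independent attempts before one fork comes out longer.
    Under the post's argument every new attempt means moving the coins again,
    so every attempt pays the lockout again."""
    prob = p_fork_longer(q, n, frozen)
    return float("inf") if prob == 0.0 else 1.0 / prob


if __name__ == "__main__":
    # Constructed parameters for illustration only.
    for stake in (0.05, 0.10, 0.20, 0.30, 0.40):
        row = [p_fork_longer(stake, 10, f) for f in (0, 1, 3, 5)]
        print(f"stake {stake:.2f}: " + "  ".join(f"{v:.2e}" for v in row))
    print("attempts needed at 10% stake, no lockout:",
          f"{expected_regrinds(0.10, 10):.3g}")
```

The lockout is given in blocks because the page states it only as 1.6 days; converting it needs the chain's block interval, which the thread does not give.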


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: johnyj on April 03, 2015, 04:33:24 PM

johnyj wish you all the best and hope the box you're living in grows over time.


Sure nowadays everyone wants to be the stake holder and rule others, but the real world does not work that way, since users are also getting smarter each day. In a free market, you either take a huge risk or put in a huge amount of resources to get some value in return, no shortcut ;)  



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on April 03, 2015, 04:43:59 PM
Although "the value of a good tends to its production cost" is not wrong in many cases you cannot reverse the argument. Production cost comprises a lot more than electricity. Wasting energy doesn't produce value. And Bitcoin mining means wasting a lot of energy (to secure the network and to distribute coins) as soon as we observe that the same result can be generated using other (less costly) methods. It is possible that PoS can fill the gap here (and that's probably also the reason why loads of Legendary members and even Bitcoin developers spread FUD about PoS).

PoS has been discussed deeply by Bitcoin developers and it might be possible in the future to incorporate an element of PoS but so far I don't think there are any implementations suggested that improve overall security.  Even when I asked Meni R., whose PoW/PoS implementation is on the Bitcoin wiki, he basically said it wasn't going to work.

That's also how I understand it - IMO sad for Bitcoin. Too many smart people start to discover PoS, Bitcoin developers should change direction (again IMO).

PS: Speaking of Meni Rosenfeld, since I read the following I tend to put him in the category of FUD spreaders with an agenda as well:
"So they [BCNext] went with a centralized issuing, where the coin's creator gets all the proceeds from the issuing. Of course, this means the currency is not decentralized.
Probably, the creator wanted to get rich quick, and this contributed to the decision."

(source http://bitcoin.stackexchange.com/questions/36675/what-prevented-nxt-from-being-distributed-the-same-way-bitcoins-are )

I don't think we are in agreement actually.

It's not that they believe that PoS can work and
they are ignoring it to keep the status quo.
They just don't believe it can work, and
I can see why (see my previous posts in this thread).




I deeply doubt that given the very limited understanding of PoS that Bitcoin developers have.
The very fact that when asked about PoS in his reddit AMA, Gavin simply provided a link to Andrew Poelstra's paper (Distributed consensus from PoS is impossible) which provides no solid proof whatsoever makes it very hard to believe that they are totally unbiased.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 03, 2015, 05:07:01 PM
@koubiac,

You say that the only way for the attacker to try again
is to change the kernel, but if their attack fails
(chain is not accepted), then why can't they try
again with the same kernel?

@come-from-beyond, maybe you are not stupid; there is a
certain cognitive bias that causes us to lend more credibility
to white papers, but if you post the link to the paper
and point out what section it is in, I'll take a look.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Totaldice on April 03, 2015, 09:30:57 PM
I'm not a big fan of Proof of stake because it just makes the richest even richer, not a ton of room for competition.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on April 04, 2015, 05:44:12 PM
@koubiac,
You say that the only way for the attacker to try again
is to change the kernel, but if their attack fails
(chain is not accepted), then why can't they try
again with the same kernel?

Because if he tries again with the same kernel, he will produce exactly the same branch.
I'm not sure if this is clear or not. The hash being deterministic, the only way to try again (i.e. to try to obtain a different outcome) is to change the kernel.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on April 04, 2015, 06:00:15 PM
I'm not a big fan of Proof of stake because it just makes the richest even richer, not a ton of room for competition.

I can't wrap my head around why this idea is so widespread. Maybe a detailed post should be written about it.
What do you mean by "it makes the richest richer"?
People earn coins according to the capital they've invested in the currency (be it in mining hardware or coins). How would you distribute a coin differently?
If anything, PoW is less democratic because people with access to capital enjoy high economies of scale, which by the way is the main reason why small Bitcoin miners have been going out of business.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 04, 2015, 06:22:26 PM
@koubiac,
You say that the only way for the attacker to try again
is to change the kernel, but if their attack fails
(chain is not accepted), then why can't they try
again with the same kernel?

Because if he tries again with the same kernel, he will produce exactly the same branch.
I'm not sure if this is clear or not. The hash being deterministic, the only way to try again (i.e. to try to obtain a different outcome) is to change the kernel.

No, you are not clear.

Look, an attacker can build any number
of DIFFERENT "branches" or chains very quickly.

Whether this so-called "kernel" changes
as a result of the various permutations of
transactions and blocks he's put together,
or whether it remains the same because the staking UTXOs
are the same, really doesn't matter.

Why doesn't it matter?

It doesn't matter because if the chain isn't accepted, the attacker
still has his UTXOs and can try again.

So either way, you do not need to change your UTXO set to
try more than once. The only way to force that would be to start having stakeholders
penalizing other stakeholders if they spot a false chain being broadcast, but
that opens a whole new can of worms, issues, and attack vectors.

The bottom line is that if the attack chain isn't accepted, you still
have your stake age, and there's nothing stopping you from trying again.

EDIT: The fact that the "hashes are deterministic" is really saying
nothing at all.  That always is the case.  How could they be random?
(Who would be generating the random numbers and how would they
be verified?)  So yes, you would need to change the attacking
chain to get a different outcome against a different main chain,
but there's nothing stopping you from doing that.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: mrcashking on April 04, 2015, 06:37:37 PM
I'm not a big fan of Proof of stake because it just makes the richest even richer, not a ton of room for competition.
What do you mean by "it makes the richest richer"?
People earn coins according to the capital they've invested in the currency

There you have it, you have basically answered your own question, haven't you?

This is the cycle of life, though: the rich will always get richer, whether in crypto or in fiat; the world has been designed for it to do exactly that.

An oligopoly of corporate miners has taken control of the Bitcoin network - decentralization is gone. << I agree to this and now see it as no different to the private bankers who have the power to print money, it is the same centralized power they both have.

I would like a mix of POW for a long period but that uses HDD like burst or you are able to mine from your computer longer then changes to POS when the chance has been given for a lot of different people to accumulate.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Cryddit on April 04, 2015, 07:38:34 PM

The bottom line is that if the attack chain isn't accepted, you still
have your stake age, and there's nothing stopping you from trying again.


And that, in a nutshell, is why deciding chain priority by "coin days destroyed" is a basically broken idea.

It gives the attacker the opportunity to generate more priority in the attack chain, simply by spending the double-spent coins at a later point in the attack chain.



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: lucasjkr on April 04, 2015, 11:22:05 PM
I'm not a big fan of Proof of stake because it just makes the richest even richer, not a ton of room for competition.

As opposed to mining farms, which are developed and owned by the destitute?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: nachoig on April 04, 2015, 11:22:32 PM
Looking to NeuCoin's documentation I found this:

http://www.neucoin.org/media/ckeditor/2015/02/01/chart_funding.jpg

This is a serious concern in a POS coin. Two entities with 2/3 of all coins?

Also, there's a lot of bullshit, like the issue about Bitcoin's popularity (with a graphic comparing active users of Candy Crush with Bitcoin, which clearly shows they don't understand Bitcoin, being experimental, still can't achieve that level of users), ICO instead of IPO, a lot of marketing about micropayments as if this is really a new thing, restrictions about your rights to decide what you can do with your own coins, hemisphere-oriented dates, false claims about the relation between Bitcoin halving rewards and transaction fees, claims you need to have 51% of all coins to do a 51% attack instead of 51% of staking coins, ...


http://www.neucoin.org/en/wiki/

After the creation of proof-of-activity and proof-of-capacity schemes I think there is no reason to create new proof-of-stake coins.

I like proof of activity the best.  

In POW we are saying whoever can waste the most electricity should get the honor of forming a block, but that doesn't really help the network.

In proof of capacity, we are saying that whoever can waste the most hard drive space should get the honor of forming a block, but again that doesn't really help the network.

In POS, we are saying that whoever directly invested in the network gets the honor to produce the next block.  So in a way a person is in some ways contributing to the network.  Way better than the above two options.

But in proof of activity a person that is the most active in the network gets the honor to produce the next block.  It basically is a return to proof of work, except the work now is not some random arbitrary and pointless work but instead work done in the ecosystem that is strengthening it.  

Proof-of-capacity allows a cheap mining-way without these false claims about "ASIC-resistance".

In proof-of-work or in proof-of-capacity you are a direct investor in the coin too. If you start to abuse with your hash power, the price of the coin will go down, which affects your rewards.

I agree about POA, because it rewards you for running a node. Even if it doesn't give an economic return, contributing to the security of the network is very simple and cheap, you can do this even with a Raspberry Pi. Even better, as opposed to POS, it can be used for distribution.

The only merit which I can see in proof-of-stake is for creating a cheaper way of securing the network. But in a very questionable way. In order to mint and profit, you need to have a lot of coins in an unlocked wallet at an online computer. Sounds very good at the security point, doesn't it? Also, it doesn't work as a distribution model and makes the spending of the coin an uninteresting thing.

People also forget why Bitcoin needs to be proof-of-work. If Bitcoin was born as POS-only, it would be dead, because there would be no way to distribute the coins. How would it be possible to buy bitcoins at the beginning, especially from unknown entities?

I like proof of activity the best.  

Except it isn't a "proof". Proof-of-activity, proof-of-resource, proof-of-storage or similar are all misnomers. There can't be "proof" of these things, all of these can be forged; only spent CPU power can algorithmically be proven because it boils down to pure physical entropy at the end of the day. Also MaidSafe use the term proof-of-resource but in reality their security mechanism is a node-ranking system which does introduce a degree of trust.

The proof is cryptographic. Or not.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on April 05, 2015, 05:09:44 PM
@koubiac,
You say that the only way for the attacker to try again
is to change the kernel, but if their attack fails
(chain is not accepted), then why can't they try
again with the same kernel?

Because if he tries again with the same kernel, he will produce exactly the same branch.
I'm not sure if this is clear or not. The hash being deterministic, the only way to try again (i.e. to try to obtain a different outcome) is to change the kernel.

No, you are not clear.

Look, an attacker can build any number
of DIFFERENT "branches" or chains very quickly.

Whether this so-called "kernel" changes
as a result of the various permutations of
transactions and blocks he's put together,
or whether it remains the same because the staking UTXOs
are the same, really doesn't matter.

Why doesn't it matter?

It doesn't matter because if the chain isn't accepted, the attacker
still has his UTXOs and can try again



Of course the attacker can try as many times as he wants; I never said the contrary. What I'm saying is that he will never succeed.

Quote

So either way, you do not need to change your UTXO set to
try more than once.

EDIT: The fact that the "hashes are deterministic" is really saying
nothing at all.  That always is the case.  How could they be random?
(Who would be generating the random numbers and how would they
be verified?)  So yes, you would need to change the attacking
chain to get a different outcome against a different main chain,
but there's nothing stopping you from doing that.

I guess we're having a hard time understanding each other!

Let's do it differently: if you want, give me some hypotheses: total UTXOs the attacker owns, what kind of attack he wants to conduct (i.e. how far behind the attacker starts his fork) etc., and I will prove to you mathematically that he will never succeed if he doesn't own a very large portion of the mining coin.
The fact that he can try many times doesn't help him.
Otherwise, maybe you could describe how the attacker tries many times and what he does to get different outcomes cause that's the part that's unclear to me in your explanation.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: traderman on April 05, 2015, 07:14:08 PM
This is why Gridcoin was made, a POS hybrid that determines the block reward based on Boinc science work. http://btcfeed.net/news/gridcoin-cryptocurrency-scientific-distributed-computing/

http://wiki.gridcoin.us/Proof-of-Research

I'm not a big fan of Proof of stake because it just makes the richest even richer, not a ton of room for competition.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on April 05, 2015, 07:20:32 PM
This is why Gridcoin was made, a POS hybrid that determines the block reward based on Boinc science work. http://btcfeed.net/news/gridcoin-cryptocurrency-scientific-distributed-computing/

http://wiki.gridcoin.us/Proof-of-Research

I'm not a big fan of Proof of stake because it just makes the richest even richer, not a ton of room for competition.

Has Gridcoin solved the issue with the exploit that allowed to generate reward without doing actual work?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: traderman on April 05, 2015, 07:37:31 PM
Ohhh are you referring to the CPU measurement thing, cause that was 1 year ago, Gridcoin has changed a lot since then.

This is why Gridcoin was made, a POS hybrid that determines the block reward based on Boinc science work. http://btcfeed.net/news/gridcoin-cryptocurrency-scientific-distributed-computing/

http://wiki.gridcoin.us/Proof-of-Research

I'm not a big fan of Proof of stake because it just makes the richest even richer, not a ton of room for competition.

Has Gridcoin solved the issue with the exploit that allowed to generate reward without doing actual work?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Come-from-Beyond on April 05, 2015, 07:47:04 PM
Ohhh are you referring to the CPU measurement thing, cause that was 1 year ago, Gridcoin has changed a lot since then.

Yes. Good if the issue is solved.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 05, 2015, 08:34:40 PM
 maybe you could describe how the attacker tries many times and what he does to get different outcomes cause that's the part that's unclear to me in your explanation.

Simple, he just constructs different blocks of different transactions
sending coins to himself.  Different addresses, different
amounts, different timestamps, whatever.
 
Not only can he try endless combinations for each block in
order to make sure he meets the requirements to forge
that block, he can build as many blocks in a row as he
wants.

Moreover, if he builds a good attack chain and it wasn't
accepted, he can (a block later, or at any time) start
over and try the whole process again.

FYI, there is some guy named Bittrix who is demonstrating
successful attacks on PoS coins, so it's no longer just
theoretical.  https://bitcointalk.org/index.php?topic=686403.msg10169983#msg10169983
 


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on April 07, 2015, 10:22:37 AM
 maybe you could describe how the attacker tries many times and what he does to get different outcomes cause that's the part that's unclear to me in your explanation.

Simple, he just constructs different blocks of different transactions
sending coins to himself.  Different addresses, different
amounts, different timestamps, whatever.
 


Exactly and that's the point I'm trying to make!
Every time an attacker sends coins to himself, his coins must wait the minimum stake age to be able to mine. This will cause a lag that will make it impossible for an attacker to catch up no matter how many times he tries!
Therefore, to succeed an attacker needs the equivalent of ~50% of the mining coins.


Quote
FYI, there is some guy named Bittrix who is demonstrating
successful attacks on PoS coins, so it's no longer just
theoretical.  https://bitcointalk.org/index.php?topic=686403.msg10169983#msg10169983

From what I gathered from the thread, this attacker doesn't even try many times, he simply accumulates >50% of the block generation power.
He attacks a coin which has ~10% of coins mining and that uses coin age.
He was able to conduct a temporary 51% attack with 0.07% of the coins.
10%/0.07%~71
So what he did was just accumulate coin age for ~71 days. This is the reason NeuCoin doesn't use coin age.

In order to improve the whitepaper, I was wondering if you've read the technical part. I feel like maybe some points should be made clearer since I'm having a hard time making my point :)



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Daedelus on April 07, 2015, 10:40:08 AM
FYI, there is some guy named Bittrix who is demonstrating
successful attacks on PoS coins, so it's no longer just
theoretical.  https://bitcointalk.org/index.php?topic=686403.msg10169983#msg10169983

The high quality, in depth research you do before you post is showing through again  :D


The message you posted is from the admin of Bittrex, an exchange. The attacker was CynicSOB who Nxters invited over to attack Nxt, even set him up on the testnet and let him have as much testNxt as he wanted to try and recreate the attack. That was mid January. Cynic has so far failed to recreate this attack in Nxt, even in the benign environment of the testnet. Read the full thread here:

https://nxtforum.org/testnet/nxt-security-audit-attack-simulations-on-testnet/


Apex coin can only be taken as the poster child of POS if GlobalCoin or Vootcoin can be taken as the same for POW  ;D


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: achimsmile on April 07, 2015, 11:46:12 AM
FYI, there is some guy named Bittrix who is demonstrating
successful attacks on PoS coins, so it's no longer just
theoretical.  https://bitcointalk.org/index.php?topic=686403.msg10169983#msg10169983

The research of cynicSOB is appreciated, although APEX was a dead coin (only ~10% active stake) that used coin age (bad idea)

in PoW: http://www.reddit.com/r/Bitcoin/comments/o6qwx/lukejr_attacks_and_kills_coiledcoin_altcurrency/
PoW is doomed.

hint: Do you think Bitcoin is insecure because Luke-Jr. killed a PoW coin?


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: jonald_fyookball on April 07, 2015, 06:04:37 PM
 maybe you could describe how the attacker tries many times and what he does to get different outcomes cause that's the part that's unclear to me in your explanation.

Simple, he just constructs different blocks of different transactions
sending coins to himself.  Different addresses, different
amounts, different timestamps, whatever.
 


Exactly and that's the point I'm trying to make!
Every time an attacker sends coins to himself, his coins must wait the minimum stake age to be able to mine. This will cause a lag that will make it impossible for an attacker to catch up no matter how many times he tries!
Therefore, to succeed an attacker needs the equivalent of ~50% of the mining coins.



This will be my last post in this thread because you just don't get it or don't want to get it.  I've made my points very clear several times.  Not saying I'm infallible but we aren't moving forward with a productive discussion.

As I already explained, if he sends coins to himself using an attack chain, and the chain is not accepted by the rest of the network , then nothing has changed in his UTXOs, including the stake age, thus allowing him to try again and again until that chain or another chain is accepted.

Those are my criticisms...you had an ample opportunity to address them.  The white paper and yourself
seem to miss these known issues with PoS.

Nothing really new here and nothing to prove " Proof-of-stake is more decentralized, efficient and secure than PoW".  


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on April 08, 2015, 07:09:30 AM
This will be my last post in this thread because you just don't get it or don't want to get it.  I've made my points very clear several times.  Not saying I'm infallible but we aren't moving forward with a productive discussion.

As I already explained, if he sends coins to himself using an attack chain, and the chain is not accepted by the rest of the network , then nothing has changed in his UTXOs, including the stake age, thus allowing him to try again and again until that chain or another chain is accepted.

Those are my criticisms...you had an ample opportunity to address them.  The white paper and yourself
seem to miss these known issues with PoS.

Nothing really new here and nothing to prove " Proof-of-stake is more decentralized, efficient and secure than PoW".  


Since this doesn't appear to be clear, we'll be updating the white paper with a more detailed explanation of why the attack you describe is impossible.
I think you're mistaking what the minimum stake age does. The fact that the attacker cannot mine when sending his coins to himself has nothing to do with the fact that the chain he's building will eventually be accepted or not.
I agree that this discussion isn't going anywhere so I hope you'll take time to give some feedback on the updated version.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: ensurance982 on April 08, 2015, 01:45:25 PM
It would only be more decentralized if the stakes are also more decentralized. Especially concerning PoS is mostly used in smaller Altcoins, this is a highly questionable claim...


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: achimsmile on April 08, 2015, 02:20:43 PM
It would only be more decentralized if the stakes are also more decentralized. Especially concerning PoS is mostly used in smaller Altcoins, this is a highly questionable claim...

The magic number is 4

https://blockchain.info/de/pools


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: funkenstein on April 08, 2015, 03:13:58 PM
Oh good, more pimping of PoS again.  The solution in search of a problem which presents its own problems before finding a problem it could solve, we have seen many times before.  This should be fun.  Mostly the paper tries to address security concerns that PoS introduces.  Fair enough, that is an interesting topic and all we can really discuss because in the end I don't think there is really a use for this.  Bitcoin works fine thanks.  But let's forge ahead with the paper:

Quote
Mining reward rates: NeuCoin dramatically increased coinstake rewards for mining in order to maximize the percentage of coins being mined at all times, which is the bedrock of security in any PoS cryptocurrency.

Notice that the "bedrock of PoS" claimed here is that you have to keep your coin online and staking just to stay up with inflation.  As a maximum reward you get: the same percentage of the money supply you had before.  This by itself doesn't sound so bad, at least we are used to it in the fiat world.  Six percent annual inflation planned forever.  So let's continue:

Quote
Duplicate stake punishment: NeuCoin uses a client version developed by Michael Witrant, aka “sigmike” (core developer of Peercoin and Technical Advisor to NeuCoin), that not only detects duplicate stakes so that honest nodes can reject them, but also punishes nodes that broadcast duplicate stakes by rejecting all blocks broadcast by the dishonest miner.

I'm not sure I follow this.  If I were trying to do a reorg. attack (grinding, in the terminology of this paper) to rewrite some history, I am not going to broadcast anything until I have found a chain that works.  Then, when I broadcast it, it will not have any duplicate stakes.  It will follow all the rules.  

Quote
To keep Bitcoin security from declining, total payments to miners must be maintained. As coinbase rewards decline, there are only three ways to make up the difference: Bitcoin’s price can increase, transaction volumes can increase, and/or fees per transaction can increase.

Well this is actually a good point, and does address a potential problem worthy of discussion.  This is a problem of economics, not of PoW.  For example, one could create a PoW currency that also gave a 6% annual inflation.  The money supply curve is important.    

Quote
NeuCoin's mining equation is simply:
hash(kernel)< target*balance of UTXO

OK, so now we see that the best way to mine NeuCoin is to form massive pools.  This is not incentivised due to smaller more regular payouts like it is in bitcoin, but a directly higher return due to the formation of a larger UTXO balance.  This looks completely broken to me.  Am I missing something?  


Quote
This stance neglects to acknowledge that PoS security does have a cost: the capital cost of acquiring and holding coins.

Exactly.  PoS is just a PoW algorithm, where the work is a bit different.  Now the work is acquiring coin, and (once again) doing some hashing.  What's the difference?  Nothing really.  If you aren't substantially rewarding your miners (stakers), your security sucks.  (cough, not mentioning names)  Miners and stakers have a variety of tricks they can play to and a lot of motivation to behave efficiently.  Bitcoin is incredibly efficient for this reason.  Claims of inefficiency are typically made by outsiders who don't understand the business.  Who do you think is best qualified to judge the efficiency of a mining operation?

Anyway, thanks for posting.  This has been an interesting read, much better than I expected from the glossy page and Proof of Stake hype, and I commend all efforts to better understand coin economics.  

Cheers --  funkenstein the dwarf


 
 



Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on April 10, 2015, 11:23:58 AM
Quote
Duplicate stake punishment: NeuCoin uses a client version developed by Michael Witrant, aka “sigmike” (core developer of Peercoin and Technical Advisor to NeuCoin), that not only detects duplicate stakes so that honest nodes can reject them, but also punishes nodes that broadcast duplicate stakes by rejecting all blocks broadcast by the dishonest miner.

I'm not sure I follow this.  If I were trying to do a reorg. attack (grinding, in the terminology of this paper) to rewrite some history, I am not going to broadcast anything until I have found a chain that works.  Then, when I broadcast it, it will not have any duplicate stakes.  It will follow all the rules.  

Hi Funkenstein,

Thanks for the feedback

The duplicate stake detection mechanism's purpose is to prevent miners from mining on multiple chains when a natural network fork occurs. Without this system miners could mine on both (or more) forks in order to avoid having their block orphaned and this would hurt the consensus.
It's not a security measure against people creating a fork in order to rewrite the transaction history.

Quote
Well this is actually a good point, and does address a potential problem worthy of discussion.  This is a problem of economics, not of PoW.  For example, one could create a PoW currency that also gave a 6% annual inflation.  The money supply curve is important. 
 

The chosen inflation level is not the only parameter that matters.
If you consider a PoS and a PoW coin that are economically identical (market cap, inflation, transaction volume etc..) the cost of an attack will be orders of magnitude higher in the case of the PoS coin.
Let's imagine as you say that the PoW coin uses a 6% inflation rate to pay for security and both coins have a $100B market cap.
  • In the case of the PoW coin, the cost of a 51% attack will be 51%*$100B*6%~$3B
  • In the case of the PoS coin, let's suppose that with a 6% inflation rate, 50% of the coins mine, then the cost of a 51% attack will be: 51%*$100B*50%~$25B

And this doesn't even take into account the fact that in our example the actual inflation rate for the PoW coin is 6% whereas for the PoS coin it's 6%*50%=3%.
Therefore, the PoS coin is paying twice less for a security level ~8 times better.



Quote
NeuCoin's mining equation is simply:
hash(kernel)< target*balance of UTXO

OK, so now we see that the best way to mine NeuCoin is to form massive pools.  This is not incentivised due to smaller more regular payouts like it is in bitcoin, but a directly higher return due to the formation of a larger UTXO balance.  This looks completely broken to me.  Am I missing something? 


I'm not sure I get what you mean by that? Your probability to win depends on the size of your stake.
Let's imagine you and I both own 100 neucoins.
If we mine separately, we both try once per second (therefore, together we try twice per second) to find a solution to:
hash(kernel)<target*100

If we put our coins together, we will once per second try to find a solution to:
hash(kernel)<target*200

So it's exactly the same as trying once per second to find a number between 1 and 1000 or trying twice per second to find a number between 1 and 2000. The odds of succeeding are the same.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: funkenstein on April 10, 2015, 02:13:49 PM
Thanks for your reply Koubiac. 


The duplicate stake detection mechanism's purpose is to prevent miners from mining on multiple chains when a natural network fork occurs. Without this system miners could mine on both (or more) forks in order to avoid having their block orphaned and this would hurt the consensus.
It's not a security measure against people creating a fork in order to rewrite the transaction history.


OK thanks, I understand the motivation here now.  This mechanism helps to force a consensus.   

Quote

The chosen inflation level is not the only parameter that matters.
If you consider a PoS and a PoW coin that are economically identical (market cap, inflation, transaction volume etc..) the cost of an attack will be orders of magnitude higher in the case of the PoS coin.
Let's imagine as you say that the PoW coin uses a 6% inflation rate to pay for security and both coins have a $100B market cap.
  • In the case of the PoW coin, the cost of a 51% attack will be 51%*$100B*6%~$3B
  • In the case of the PoS coin, let's suppose that with a 6% inflation rate, 50% of the coins mine, then the cost of a 51% attack will be: 51%*$100B*50%~$25B

And this doesn't even take into account the fact that in our example the actual inflation rate for the PoW coin is 6% whereas for the PoS coin it's 6%*50%=3%.
Therefore, the PoS coin is paying twice less for a security level ~8 times better.


Sorry but this analysis fails.  Your numbers on PoW and PoS are calculated differently. 
Your PoW analysis looks decent, for the case of carrying out the attack for a full year, and assuming 0 frictional costs (ASIC rental service fees, organizational costs, etc).  However the PoS analysis should give exactly the same number, because by construction we have chosen parameters such that both networks pay the same security fee to the miners.  Why would I buy the PoS coins?  I can borrow them, perform the attack, and return them.  Interest rates are frictional costs.  The 6% is calculated from the full money supply but we only need to get 51% of the staking coin, so one could argue this attack would be cheaper than the PoW for the normal case of not all coin being staked (some people might actually want to transact in it).

Quote
Quote
NeuCoin's mining equation is simply:
hash(kernel)< target*balance of UTXO

OK, so now we see that the best way to mine NeuCoin is to form massive pools.  This is not incentivised due to smaller more regular payouts like it is in bitcoin, but a directly higher return due to the formation of a larger UTXO balance.  This looks completely broken to me.  Am I missing something? 


I'm not sure I get what you mean by that? Your probability to win depends on the size of your stake.
Let's imagine you and I both own 100 neucoins.
If we mine separately, we both try once per second (therefore, together we try twice per second) to find a solution to:
hash(kernel)<target*100

If we put our coins together, we will once per second try to find a solution to:
hash(kernel)<target*200

So it's exactly the same as trying once per second to find a number between 1 and 1000 or trying twice per second to find a number between 1 and 2000. The odds of succeeding are the same.


OK, you have a point there.  What was the point of Sonny's time weighting again?  What enforces the 1 per second rule, block time or hashpower?     




Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on April 13, 2015, 08:55:57 AM

Sorry but this analysis fails.  Your numbers on PoW and PoS are calculated differently. 
Your PoW analysis looks decent, for the case of carrying out the attack for a full year, and assuming 0 frictional costs (ASIC rental service fees, organizational costs, etc).  However the PoS analysis should give exactly the same number, because by construction we have chosen parameters such that both networks pay the same security fee to the miners.  Why would I buy the PoS coins?  I can borrow them, perform the attack, and return them.  Interest rates are frictional costs.  The 6% is calculated from the full money supply but we only need to get 51% of the staking coin, so one could argue this attack would be cheaper than the PoW for the normal case of not all coin being staked (some people might actually want to transact in it).


I don't think it does, and I can't say I've ever seen this kind of argument against PoS before. The fact that the cost of a 51% attack scales with the market cap is a well known fact.
There is no reason for the "PoS analysis to give the same number". I'm not making any frictionless hypothesis in the case of PoW. If anything, I'm not taking into account the economies of scale that someone willing to buy the equivalent of 51% of the network's hashrate would enjoy.
The economics of PoW and PoS security are fundamentally different.
While borrowing the coins might seem like a better option than buying them, the security precisely lies in the fact that one cannot simply borrow 25% of the total currency. In our example, how would you go about borrowing $25B worth of coins? Let's suppose you could, I guess that in return, you would need a ~$25B collateral. Once you've attacked the coin and made the price plummet (unlike PoW, the attack can be traced back to you), I very much doubt your collateral wouldn't be seized. Therefore, the attack would still cost you $25B.
Also, in the example I gave, I haven't made the hypothesis that 100% of the coins were mining but only 50%.


Quote
OK, you have a point there.  What was the point of Sonny's time weighting again?  What enforces the 1 per second rule, block time or hashpower?   

By time weighting do you mean the use of coin age in the mining equation? If so, the goal was to diminish the variance of the mining process to encourage small stake miners to mine. It has proven ineffective to attract more miners and it greatly hurts the security of the coin.

Concerning the 1 second rule, it is enforced by the fact that the only parameter that varies with time in the kernel (PoS's equivalent of Bitcoin's block header) is the time stamp which has a 1 second granularity.
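
The stake lottery described in koubiac's two posts above (pooling 100 + 100 coins versus mining them separately, and the one-second timestamp granularity), as an added example that is not part of the thread or of NeuCoin's code. The kernel field layout, the `TARGET` value and the UTXO names are constructed assumptions.

```python
"""Toy model of the stake lottery hash(kernel) < target * balance."""
import hashlib
from fractions import Fraction

HASH_SPACE = 2 ** 256           # size of the SHA-256 output range
TARGET = HASH_SPACE // 20_000   # constructed per-coin target, not a NeuCoin parameter


def kernel_hash(utxo_id: str, modifier: str, timestamp: int) -> int:
    """Hash a simplified kernel (field layout is an assumption).

    The only field that changes between attempts on the same UTXO is the
    integer timestamp, so each UTXO gets one lottery ticket per second.
    """
    data = f"{modifier}|{utxo_id}|{timestamp}".encode()
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def stake_hit(utxo_id: str, balance: int, modifier: str, timestamp: int,
              target: int = TARGET) -> bool:
    """The mining condition quoted in the thread: hash(kernel) < target * balance."""
    return kernel_hash(utxo_id, modifier, timestamp) < target * balance


def hit_probability(balance: int, target: int = TARGET) -> Fraction:
    """Exact per-second success probability for one UTXO of the given balance."""
    return min(Fraction(target * balance, HASH_SPACE), Fraction(1))


def expected_hits_per_second(balances, target: int = TARGET) -> Fraction:
    """Expected number of valid kernels per second across a set of UTXOs."""
    return sum((hit_probability(b, target) for b in balances), Fraction(0))


def count_hits(utxos, modifier: str, start: int, seconds: int,
               target: int = TARGET) -> int:
    """Count valid kernels found by a list of (utxo_id, balance) pairs
    over `seconds` consecutive one-second timestamps."""
    hits = 0
    for t in range(start, start + seconds):
        for utxo_id, balance in utxos:
            if stake_hit(utxo_id, balance, modifier, t, target):
                hits += 1
    return hits


# Constructed sample stakes: two miners with 100 coins each, or one pool of 200.
SPLIT = [("utxo-a", 100), ("utxo-b", 100)]
POOLED = [("utxo-ab", 200)]

if __name__ == "__main__":
    print("expected hits/s, split :", float(expected_hits_per_second([100, 100])))
    print("expected hits/s, pooled:", float(expected_hits_per_second([200])))
    window = 100_000  # seconds simulated
    print("simulated hits, split :", count_hits(SPLIT, "mod-0", 1_428_000_000, window))
    print("simulated hits, pooled:", count_hits(POOLED, "mod-0", 1_428_000_000, window))
```

The expected rate is identical for the split and pooled stakes; only the variance of individual payouts differs, and retrying the same UTXO within the same second reproduces the same hash.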


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: funkenstein on April 13, 2015, 12:37:29 PM

Sorry but this analysis fails.  Your numbers on PoW and PoS are calculated differently. 
Your PoW analysis looks decent, for the case of carrying out the attack for a full year, and assuming 0 frictional costs (ASIC rental service fees, organizational costs, etc). However the PoS analysis should give exactly the same number, because by construction we have chosen parameters such that both networks pay the same security fee to the miners. Why would I buy the PoS coins? I can borrow them, perform the attack, and return them. Interest rates are frictional costs. The 6% is calculated from the full money supply but we only need to get 51% of the staking coin, so one could argue this attack would be cheaper than the PoW for the normal case of not all coin being staked (some people might actually want to transact in it).


I don't think it does, and I can't say I've ever seen this kind of argument against PoS before. The fact that the cost of a 51% attack scales with the market cap is a well known fact.
There is no reason for the "PoS analysis to give the same number". I'm not making any frictionless hypothesis in the case of PoW. If anything, I'm not taking into account the economies of scale that someone willing to buy the equivalent of 51% of the network's hashrate would enjoy.
The economics of PoW and PoS security are fundamentally different.
While borrowing the coins might seem like a better option than buying them, the security precisely lies in the fact that one cannot simply borrow 25% of the total currency. In our example, how would you go about borrowing $25B worth of coins? Let's suppose you could, I guess that in return, you would need a ~$25B collateral. Once you've attacked the coin and made the price plummet (unlike PoW, the attack can be traced back to you), I very much doubt your collateral wouldn't be seized. Therefore, the attack would still cost you $25B.
Also, in the example I gave, I haven't made the hypothesis that 100% of the coins were mining but only 50%.


Well I am more interested in facts that you know and can articulate than those which are "well known". 

I am interested in particular in how you are avoiding checkpointing. 

In terms of the 51% attack, obviously we don't buy ASICs, we go directly to hash rental markets. I just want to reverse a TX a few blocks in, not own the whole network. Similarly with PoS. I put $25B worth of BTC in a smart escrow, so that I only get it back after I return the requisite number of PoS coins to the lenders, with interest / fee / whatever. Then I reverse the transactions on the PoS network I need to reverse, and get you your coin back. There is no reason why a few nice doublespends will crash the price to zero, and anyway the lenders have agreed to accept the units back at contractual terms independent of price vs. any other asset. If those numbers seem too large, you can replace them with the actual market cap of your coin for a more realistic scenario.

Yes I can see how the security against reversing transactions is proportional to market cap, because you are paying 6% of market cap per year (in your example) to those who secure the network.  It is well known that you "get what you pay for"..  except of course when you don't :P 

 


Quote

By time weighting do you mean the use of coin age in the mining equation? If so, the goal was to diminish the variance of the mining process to encourage small stake miners to mine. It has proven ineffective to attract more miners and it greatly hurts the security of the coin.

Concerning the 1 second rule, it is enforced by the fact that the only parameter that varies with time in the kernel (PoS's equivalent of Bitcoin's block header) is the time stamp which has a 1 second granularity.

Interesting.  Isn't there a range of timestamps I can look through?  Do blocks need to be sequential in timestamp?  (they don't in bitcoin classic)  Time enforcement is very central to these networks, if you have some new approach I would like to hear it. 


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Troonetpt on April 13, 2015, 01:02:45 PM
It would only be more decentralized if the stakes are also more decentralized. Especially considering PoS is mostly used in smaller altcoins, this is a highly questionable claim...

The magic number is 4

https://blockchain.info/de/pools
The hash rate distribution always changes, no one can occupy the most market share for a long time.


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: achimsmile on April 13, 2015, 01:56:04 PM
It would only be more decentralized if the stakes are also more decentralized. Especially considering PoS is mostly used in smaller altcoins, this is a highly questionable claim...

The magic number is 4

https://blockchain.info/de/pools
The hash rate distribution always changes, no one can occupy the most market share for a long time.

True. A while ago the magic number was 1. (Ghash.io)


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: koubiac on April 16, 2015, 03:39:40 PM

I am interested in particular in how you are avoiding checkpointing. 

In terms of the 51% attack, obviously we don't buy ASICs, we go directly to hash rental markets. I just want to reverse a TX a few blocks in, not own the whole network. Similarly with PoS. I put $25B worth of BTC in a smart escrow, so that I only get it back after I return the requisite number of PoS coins to the lenders, with interest / fee / whatever. Then I reverse the transactions on the PoS network I need to reverse, and get you your coin back. There is no reason why a few nice doublespends will crash the price to zero, and anyway the lenders have agreed to accept the units back at contractual terms independent of price vs. any other asset. If those numbers seem too large, you can replace them with the actual market cap of your coin for a more realistic scenario.

Yes I can see how the security against reversing transactions is proportional to market cap, because you are paying 6% of market cap per year (in your example) to those who secure the network.  It is well known that you "get what you pay for"..  except of course when you don't :P 

It depends on what you call "a few blocks".
As you are aware, when owning less than 50% of the mining power (be it hash power or staked coins), your probability of successfully conducting the attack decreases exponentially as the number of blocks you want to replace increases.
So I guess we agree that to reverse any transaction of significant value, the attacker would need 50% of the mining power.

In this case I guess it boils down to: Could an attacker realistically "rent" 50% of the mining power?

While it might be possible in PoW if you suppose a very fluid hash rental market (it might be worth noting that this is not what Bitcoin is heading towards), in the case of renting the coins themselves, it sounds highly unrealistic. There will never be an escrow system with 1/ no limit to what you can borrow 2/ enough liquidity.

There's no technical flaw in your argumentation, I just don't believe this is a realistic scenario: 50% of the mining coins represents a significant portion of the coins. However, it's a very good point against coins with very low mining participation (and PoW!)


Quote
Quote

By time weighting do you mean the use of coin age in the mining equation? If so, the goal was to diminish the variance of the mining process to encourage small stake miners to mine. It has proven ineffective to attract more miners and it greatly hurts the security of the coin.

Concerning the 1 second rule, it is enforced by the fact that the only parameter that varies with time in the kernel (PoS's equivalent of Bitcoin's block header) is the time stamp which has a 1 second granularity.

Interesting.  Isn't there a range of timestamps I can look through?  Do blocks need to be sequential in timestamp?  (they don't in bitcoin classic)  Time enforcement is very central to these networks, if you have some new approach I would like to hear it. 


What do you mean look through? If you mean guess when your stakes will mine, the stake modifier prevents this.
Blocks do not need to have sequential timestamps. Anyone can broadcast a valid block at any time, however, nodes do not accept blocks created with a proof whose time stamp is too far in the future.
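
The exponential drop-off mentioned in the post above, worked through as an added example that is not part of the original post: it uses the catch-up formula from section 11 of the Bitcoin whitepaper, a PoW model with Poisson block arrivals. Treating a share of staked coins as the share q is the post's own analogy and an assumption here; the function names are hypothetical.

```python
import math
from typing import Optional


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker holding share q of the mining power
    ever overtakes the honest chain from z blocks behind."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a share between 0 and 1")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0  # with half or more of the power, catching up is certain
    ratio = q / p
    lam = z * ratio  # expected attacker progress while z honest blocks appear
    poisson = math.exp(-lam)  # Poisson(k=0; lam), updated iteratively below
    total = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k
        total -= poisson * (1.0 - ratio ** (z - k))
    return total


def confirmations_needed(q: float, risk: float = 0.001,
                         max_z: int = 10_000) -> Optional[int]:
    """Smallest z for which the reversal probability falls below `risk`.
    Returns None when no such z exists (q >= 0.5) or max_z is exceeded."""
    if q >= 0.5:
        return None
    for z in range(max_z + 1):
        if catch_up_probability(q, z) < risk:
            return z
    return None


if __name__ == "__main__":
    for share in (0.10, 0.30, 0.45):
        row = ", ".join(f"z={z}: {catch_up_probability(share, z):.7f}"
                        for z in (1, 5, 10))
        print(f"q={share:.2f}  {row}  "
              f"z for <0.1% risk: {confirmations_needed(share)}")
```

Below 50% the required confirmation depth grows quickly as q approaches one half, and at 50% or above no depth is sufficient, which is why the rest of the exchange turns on whether half of the mining power can realistically be rented or borrowed.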


Title: Re: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper
Post by: Tanu10 on March 01, 2018, 01:51:46 AM
IMO a hybrid of PoS and PoW is the best way to do this. And well done.