Title: PPCoin Criticism / Security / etc
Post by: fido on November 27, 2012, 06:38:34 AM

At present, I've concluded there are only a few 'legit' remaining alt-coins at the moment (i.e. not dead yet), with varying degrees of legitimacy.

Litecoin (LTC)
PPCoin (PPC)
Namecoin (NMC)
Devcoin (DVC)
Terracoin (TRC)
Liquidcoin (LQC)

All of the remaining alt-coins which are not dead are Bitcoin forks, with the two main exceptions being PPcoin (using 'proof of work' along with 'proof of stake') and Liquidcoin (which is based on Tenebrix and modified Bitcoin). The main advantage of a pure Bitcoin fork (Litecoin, Namecoin, Devcoin, and Terracoin) is that the security model is well analyzed, and the strengths and weaknesses are well-known. Yet we avoid the existing bureaucracy and codebase from Bitcoin, allowing the development to take a different direction from BTC.

However, this 'inheritance' of Bitcoin's security model certainly does not apply to PPcoin. I have yet to see a comprehensive whitepaper or design document on PPcoin. There is a complete lack of transparency with PPcoin, and it seems to be based upon the novelty of 'proof of stake' without any comprehensive cryptographic rationale.

Criticisms of PPcoin:

(1) The author has not published a Design Document or a Protocol Specification ... only an extremely shallow non-academic whitepaper, which prevents analysis of how the addition of proof-of-stake affects the security model.

(2) The author is not amenable to community suggestions (such as integrating the proof-of-stake and proof-of-work blocks together, rather than keeping them separate) to increase security.

(3) There have been numerous criticisms regarding the PPcoin protocol security on these forums, but the PPcoin author seems to take a 'trust me, I'll fix it in the next release' approach to security. Why rush to release PPcoin in an immature form (with an awful name), rather than taking the time to get the design right from the start?
Arrogance and secrecy are not a substitute for security.

(4) It appears the PPcoin algorithm uses SHA256 rather than Scrypt. Why is this fact so buried (in that we need to wade through the source to learn about it)?

(5) Lack of transparency. There is not an open discussion of flaws, strengths, weaknesses and possible attacks. These are shot down by the author as being 'unrealistic' even though these attacks (accumulating 'stake' to attack the protocol) are quite realistic.

(6) The phonetic name "Pee-pee coin"... Would Coca-Cola have succeeded if it was called "PP-cola"?

As such, I do not consider PPcoin to be a secure alternative cryptocurrency. Certainly not until the PPcoin author takes the time to draft and publish a comprehensive and detailed design document and/or protocol specification (with rationale for design choices, strengths, weaknesses, etc.) to the community (rather than suggesting the community wade through the source code and reverse engineer the protocol from the source).

Title: Re: PPCoin Criticism / Security / etc
Post by: cunicula on November 27, 2012, 06:49:23 AM

Quote from: fido on November 27, 2012, 06:38:34 AM
[full post quoted]

What you say is mostly true. However, 'cryptographic rationale' and 'novelty' seem like a very poor choice of words. You could have made the same accusations against bitcoin long ago. They miss the point. Proof of stake has a powerful economic rationale that is completely independent of cryptography (e.g. it is how most decision-making authority problems are handled in the real world). We have joint-stock companies because this form of organization is very effective. PoS is a very close analogy to a joint stock company. I prefer a gamble (PPCoin) to something that I am pretty sure will collapse due to many layers of agency problems (everything but PPCoin).

There are a few possible explanations for PPCoin's lack of transparency:
1) PPCoin developers are really awful at English communication.
2) PPCoin developers are really awful at PR.
3) PPCoin developers are jealous and afraid of being copied/outdone. (open source, but not open interpretation of source)
4) PPCoin developers know something bad and they are hiding it strategically.

I'm hoping it is (1)-(3) and not (4). Who knows? I also hope that someone will fork PPCoin and adopt transparency, that would be great. I suggest the fork do at least the following three things:
1) Stop all PoW generation.
2) Remove centralized checkpoints.
3) Cap interest accumulation at 90 days. [Incentive to keep node running is much too weak right now.]

If it works without PoW and checkpoints, then we will have more valuable real-world data. Right now the use of PoW is just an excuse for including checkpoints as far as I can see. [e.g. the PoW guys can make currency and accumulate a majority of stake and destroy us. It's convenient FUD.] Inclusion of PoW also defeats the point (it is like PoS but also incorporates the implicit fees and waste of PoW).

Title: Re: PPCoin Criticism / Security / etc
Post by: ninjaboon on November 27, 2012, 07:43:30 AM

watching.
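cunicula's third suggestion, capping the coin-age that earns interest at 90 days, is meant to force stakeholders to bring their wallets online periodically rather than stake once when cashing out. The following is an added illustration written for this page; it is not PPCoin's source and not code from any poster. It models a stake reward proportional to coin-days (value times days held) at the 1%-per-year rate used later in the thread, applies the cap as min(age, STAKE_MAX_AGE), and compares a holder who stakes every 90 days with one who stakes once a year, with and without the cap. The constant names, the non-compounding assumption and the direct use of capped coin-days for the reward are assumptions of this example; the block 16924 figures quoted later in the thread (stake 503.69, 31 days, reward 0.43) serve only as a sanity check on the formula.

```python
"""Added example, not PPCoin code: effect of a coin-age cap on staking incentive.

Assumptions (from the thread, not verified against the real client):
  - reward = coin_days * annual_rate / 365, where coin_days = value * days held
  - the age counted toward coin_days is capped at STAKE_MAX_AGE (90 days)
  - interest does not compound; the staked balance itself is unchanged
"""

SECONDS_PER_DAY = 24 * 60 * 60
STAKE_MAX_AGE = 90 * SECONDS_PER_DAY   # 90-day cap discussed in the thread
ANNUAL_RATE = 0.01                     # 1% per year, the rate the thread uses
YEAR_DAYS = 365


def coin_days(value, age_seconds, max_age=STAKE_MAX_AGE):
    """Coin-days credited to an output of `value` coins held `age_seconds`.

    Same shape as the expression quoted in the thread,
    value * min(age, STAKE_MAX_AGE) / (24*60*60): age past the cap earns nothing.
    Pass max_age=float('inf') to see the uncapped behaviour.
    """
    if value <= 0 or age_seconds <= 0:
        return 0.0
    return value * min(age_seconds, max_age) / SECONDS_PER_DAY


def stake_reward(value, age_seconds, max_age=STAKE_MAX_AGE, rate=ANNUAL_RATE):
    """Interest paid when an output of `value` is staked after `age_seconds`."""
    return coin_days(value, age_seconds, max_age) * rate / YEAR_DAYS


def interest_over_year(value, mint_every_days, max_age=STAKE_MAX_AGE, rate=ANNUAL_RATE):
    """Total interest over one 365-day year for a holder who brings the wallet
    online and stakes the whole balance every `mint_every_days` days.

    Without compounding this is the per-mint reward times the number of
    mints that fit in the year (a final partial interval earns nothing here).
    """
    interval = mint_every_days * SECONDS_PER_DAY
    mints = (YEAR_DAYS * SECONDS_PER_DAY) // interval
    return mints * stake_reward(value, interval, max_age, rate)


def compare_strategies(value=1000.0):
    """Interest for the behaviours cunicula contrasts: staking every 90 days
    versus holding offline and staking once at the end of the year.
    The uncapped once-a-year case shows what the cap takes away."""
    return {
        "every_90_days_capped": interest_over_year(value, 90),
        "once_a_year_capped": interest_over_year(value, 365),
        "once_a_year_uncapped": interest_over_year(value, 365, max_age=float("inf")),
    }


if __name__ == "__main__":
    for name, amount in compare_strategies().items():
        print(f"{name:>22}: {amount:.2f} coins interest on a 1000-coin stake")
```

With the cap, the holder who stakes every 90 days collects four times what the once-a-year holder gets (roughly 9.86 versus 2.47 coins on a 1000-coin stake); without the cap the once-a-year holder gets the full 10 coins and has no reason to come online earlier. The 31-day, 503.69-coin case from block 16924 comes out at about 0.43, matching the figure quoted in the thread.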
Title: Re: PPCoin Criticism / Security / etc Post by: Liquid on November 27, 2012, 10:21:46 AM watching.
Title: Re: PPCoin Criticism / Security / etc
Post by: FuzzyBear on November 27, 2012, 10:27:32 AM

Anyone know where I can get the Namecoin daemon or client for Windows?
Title: Re: PPCoin Criticism / Security / etc
Post by: Jutarul on November 27, 2012, 10:34:59 AM

Quote from: cunicula
I suggest the fork do at least the following three things:
1) Stop all PoW generation.
How would you solve the fairness of initial distribution problem without PoW?

Quote from: cunicula
2) Remove centralized checkpoints.
How else to protect a nascent blockchain?

Quote from: cunicula
3) Cap interest accumulation at 90 days. [Incentive to keep node running is much too weak right now.]
I thought that this is implemented:
Code:
CBigNum bnCoinDay = CBigNum(nValueIn) * min(txNew.nTime-pcoin.first->nTime, (unsigned int)STAKE_MAX_AGE) / COIN / (24 * 60 * 60);

Quote from: cunicula
Inclusion of PoW also defeats the point (it is like PoS but also incorporates the implicit fees and waste of PoW).
Waste is an issue. However, what's more important is network security. So introducing PoS is a significant alteration in the resilience level.

Title: Re: PPCoin Criticism / Security / etc
Post by: cunicula on November 27, 2012, 11:07:02 AM

Quote from: Jutarul
1) Stop all PoW generation.
How would you solve the fairness of initial distribution problem without PoW?

Quote from: Jutarul
2) Remove centralized checkpoints.
How else to protect a nascent blockchain?
If not, we need to know what these checkpoints are for. We can't find out as long as they are there and no one tells us.

Quote from: Jutarul
3) Cap interest accumulation at 90 days. [Incentive to keep node running is much too weak right now.]
I thought that this is implemented:
Code:
CBigNum bnCoinDay = CBigNum(nValueIn) * min(txNew.nTime-pcoin.first->nTime, (unsigned int)STAKE_MAX_AGE) / COIN / (24 * 60 * 60);
STAKE_MAX_AGE is set to 90 days. If I don't earn more by being online often, then there is no incentive to come online. Instead I can just hold my PPCoin until I want to cash out. Then quickly generate my stake block and sell. This does not do much to secure the network at all. I should be generating many stake blocks to earn my interest, not just one. The cap ensures that I have to come online at least once in a while.

Quote from: Jutarul
Waste is an issue. However, what's more important is network security. So introducing PoS is a significant alteration in the resilience level.
I think waste is a big issue. To me, PoS schemes are attractive because a) they are secure b) they are efficient and cheap. Efficient and cheap means no PoW inflation tax and minimal txn fees.

Title: Re: PPCoin Criticism / Security / etc
Post by: markm on November 27, 2012, 03:50:02 PM

Looking at the code, it seems to basically be solidcoin without maybe only one master-node instead of several master-nodes.
I tried to hack out all proof of work and all checking of checkpoints but then both sides seem to wait for the other to start saying something. So possibly it won't even do anything until it gets a go-ahead from the solid node or something. Since without proof of work blocks coins have to come from somewhere, I set the minimum reward for a proof of stake block to one coin.

The fact they won't even talk to each other is nasty though, it seems to imply that there is expected to already be something out there to get and that someone you connect to will push it at you. I have been awake too long now to track down exactly why that happens until after I sleep.

Cunicula it does seem likely you are correct that the whole proof of work thing is only there to provide an excuse for being controlled by the solid node(s) in the usual solid central control style system we have seen so many times before.

I did try to put into the counting up of coin ages a max of 90 days per each coin it found. Maybe my problem is there is no coin-age initially so maybe it does not try to make a stake block thus does not get the free minimum one coin reward for making a stake block. I might have to make it always have one coin's worth of chance to try, or something, in the case where it has no coins initially.

An incentive to be online is for transactions to get processed, since with stake blocks being the only blocks no transactions will go through unless at least one node stays online long enough for a block to get created; and maybe also the less people who are online trying to make a stake block the longer it maybe might take for one to be made. (That one lone person who made one maybe used all his coin-age so needs 90 days to recover... so initially it might need at least 90 wallets to have been created in order for one block a day to be able to be made...)
-MarkM-

Title: Re: PPCoin Criticism / Security / etc
Post by: cunicula on November 27, 2012, 04:21:19 PM

Quote from: markm
Looking at the code, it seems to basically be solidcoin without maybe only one master-node instead of several master-nodes.
The PoW does nothing but generate currency. It doesn't try to secure anything. I have no idea how the master node works.

Quote from: markm
I tried to hack out all proof of work and all checking of checkpoints but then both sides seem to wait for the other to start saying something.
As I understand it, the proof of stake relies on the proof of work to generate time stamps. The timestamps are then used to iterate a random process which allows stake generation. Unless proof-of-stake can also generate the timestamps, it might be necessary to leave proof-of-work in there to get it to run. If so, perhaps reduce the block reward to some trivial amount. There also is some management of the proportions of both types of blocks that would need to be adjusted to pure proof-of-stake.

Quote from: markm
So possibly it won't even do anything until it gets a go-ahead from the solid node or something.
Hmmm. Remove that part?

Quote from: markm
Since without proof of work blocks coins have to come from somewhere, I set the minimum reward for a proof of stake block to one coin.
Fine by me. One coin is pretty trivial.

Quote from: markm
The fact they won't even talk to each other is nasty though, it seems to imply that there is expected to already be something out there to get and that someone you connect to will push it at you.
Can you reinsert bitcoin code that facilitates communication?

Quote from: markm
Cunicula it does seem likely you are correct that the whole proof of work thing is only there to provide an excuse for being controlled by the solid node(s) in the usual solid central control style system we have seen so many times before. I did try to put into the counting up of coin ages a max of 90 days per each coin it found.
My only comment on the rest of this is that I do not believe that it is completely a SolidCoin master node style system. There is underlying code underneath which may work.

Quote from: markm
[remainder of post quoted]

Title: Re: PPCoin Criticism / Security / etc
Post by: markm on November 27, 2012, 04:33:21 PM

If it will work it might be useful to that person who apparently has oodles of folk wanting to each start a separate chain, since basically if they sell more than half the company it makes sense the buyer should have control of it. They could spawn oodles of them so that there would be many many many small targets each available in effect for purchase by buying half their coins. Might work okay as a corporate shares system.
Maybe in fact they would be better than coloured coins because the majority owner's control would be kind of built in, instead of the sellers being able to wait for someone to buy most of their offering then go like ha ha so what you still have no power over the part we didn't yet sell to you, no control of the whole set so to speak.

-MarkM-

Title: Re: PPCoin Criticism / Security / etc
Post by: tacotime on November 27, 2012, 07:12:53 PM

Relevant code changes to main.cpp

Code:
// ppcoin: miner's coin stake is rewarded based on coin age spent (coin-days)
Code:
unsigned int static GetNextTargetRequired(const CBlockIndex* pindexLast, bool fProofOfStake)
Code:
bool CTransaction::ConnectInputs(CTxDB& txdb, MapPrevTx inputs,
Code:
// ppcoin: coinstake must meet hash target according to the protocol:
Code:
// CreateNewBlock:
Code:
void BitcoinMiner(CWallet *pwallet, bool fProofOfStake)

There are also lots of curious "stake connection tests," which may or may not indicate the aforementioned centralized nature of this PoS method. Stake blocks are always difficulty 1 and nonce zero. Apparently the blockchain is programmed to always accept them as valid as long as a certain quantity of network time has passed and the quantity for which they are valid is predestined by the code included.

For whatever reason Sunny King decided not to bother publishing the pseudocode implementation of his algorithms in favour of the epic LaTeX narrative of his implementation, but if there are vulnerabilities you should be able to see them in the above code.

Title: Re: PPCoin Criticism / Security / etc
Post by: markm on November 27, 2012, 08:12:38 PM

Here is my hacks-so-far, as diff against github default main/head/whatever:
Code:
diff ../poscoin/src/checkpoints.cpp src/checkpoints.cpp

(I called it POScoin. Whether it will end up any use for Point Of Sale systems remains to be seen though. :))

-MarkM-

Title: Re: PPCoin Criticism / Security / etc
Post by: Jutarul on November 27, 2012, 09:49:40 PM

Quote from: cunicula
STAKE_MAX_AGE is set to 90 days. If I don't earn more by being online often, then there is no incentive to come online. Instead I can just hold my PPCoin until I want to cash out. Then quickly generate my stake block and sell. This does not do much to secure the network at all. I should be generating many stake blocks to earn my interest, not just one. The cap ensures that I have to come online at least once in a while.

The likelihood of generating a POS block is capped to 90 days. But when it generates a valid POS block it takes the full coinage for calculating the reward, which can be anything above 30 days. I generally agree that we need an incentive for people to keep their POS generating nodes running. I don't know whether capping the POS reward to 90 days is enough though, since, as you previously pointed out, 1% per year is a minuscule incentive. The only other way to tune that would be to make it attractive to generate a POS block shortly after the 30 day mark. However, you don't want to penalize late redemption of coinage. Usually exponential functions are good for that: e.g. make it 4% for 30 days, 2% for 60 days, 1% for 120 days, 0.5% for 240 days. This has the effect that the POS blocks get a reward which is rather constant instead of being proportional to the coinage. However, quick redemption (after 30 days) allows a quicker turnover and is beneficial to the POS miner.

However this is a drastic change - and the quickest way to get this sorted out would be to work together with Sunny on the issue.

ADDENDUM: While doing a revision of the POS reward scheme, it may also be beneficial to investigate how the incentive structure for including transactions can be optimized. Maybe the block reward can be proportional to the overall destroyed coinage instead of the stake transaction (however, the "likelihood" of generating the POS block should only be determined by the stake transaction). Then including transactions which destroy significant coinage is beneficial to the miner and it's an incentive to include them instead of leaving them out. The above mentioned exponential modifier can work on the total coinage for the block instead of the stake transaction...

Title: Re: PPCoin Criticism / Security / etc
Post by: cabin on November 29, 2012, 03:15:39 AM

Quote from: Jutarul
[full post quoted]

This part is interesting:

Quote from: Jutarul
Maybe the block reward can be proportional to the overall destroyed coinage instead of the stake transaction (however, the "likelihood" of generating the POS block should only be determined by the stake transaction)

It might also solve several problems at once.
I think it would:
- make the number of stakes you claim more important than the amount of the stake transactions (at least once there are lots of transactions flying around and the destroyed coinage is mostly coming from the included transactions and not the stake transaction itself). This would then encourage you to keep the client running to claim as many stakes as possible and to include as many transactions as possible.
- there would be more reason to include large transactions and not so much of a reason to include the spammy small ones. This is a bit weak but it might give larger transactions higher priority which isn't so bad.

The percents would have to be tweaked and probably dynamic somehow though, otherwise the rewards and inflation would get out of hand as the network processed more and more transactions.

Title: Re: PPCoin Criticism / Security / etc
Post by: Jutarul on November 29, 2012, 05:38:55 AM

Quote from: cabin
It might also solve several problems at once. I think it would:
Good catch. Indeed - generating more blocks from the same stake will give you more bang for the buck, if you can claim a percentage of the destroyed coinage from the included transactions as a reward. Thus you have an incentive to have your stake existing as many small outputs. An indirect consequence of that is that you need to have more uptime for the stake - because smaller stakes have larger sampling requirements, i.e. need more online time.

Quote from: cabin
- make the number of stakes you claim more important than the amount of the stake transactions (at least once there are lots of transactions flying around and the destroyed coinage is mostly coming from the included transactions and not the stake transaction itself). This would then encourage you to keep the client running to claim as many stakes as possible and to include as many transactions as possible.
That incentive may be so strong that you may not have to modify the 1% per year reward at all to encourage POS miners to be online.

E.g. take block 16924:
Coin-days Destroyed: 47119.621896
POS Generation: 0.43 Total (503.69*0.01*31/365)
Stake: 503.69

If you allow for 1%/365=0.000027 transaction reward per block you have an additional reward of 47119.621896*0.000027=1.27 which is almost three times the actual POS reward. That means that a POS miner which is always online may easily effectively generate 3-4% on the used stake, which suddenly makes it much more attractive...

A change in the POS incentive structure like above would also likely put the discussion about the lack of transaction fees to rest: https://bitcointalk.org/index.php?topic=114664.0

Title: Re: PPCoin Criticism / Security / etc
Post by: cunicula on November 29, 2012, 07:12:12 AM

Quote from: Jutarul
[full post quoted]

There is some incentive to include txns in PPCoin already. There is a fee that destroys currency. As a stake holder, the more currency destroyed the better off I am. It is a weak incentive, but it may be sufficient.
You don't need to pay people to do something extremely easy. In fact, you certainly shouldn't pay them a lot. You would be wasting money.

Quote from: Jutarul
https://bitcointalk.org/index.php?topic=114664.0
That thread contains a good discussion. It points out some problems with txn fees in a PoS context. I go over some issues below.

Incentives in PPCoin are based on interest and not txn fees for good reason. There is a fundamental problem with history revision in a PoS system. As a miner I have at least two choices:
1) Mine on the main chain using the official client
2) Mine on the main chain and older chains using a modified client. (naughty naughty)

The number of blocks I mine per unit time is random. If I do (2), I can explore alternate histories where I mine a larger share of blocks. If a large fraction f of users do (2), then there will be periodic reorganization events. If f=100%, then there will be perpetual reorganization and no "main chain."

In PPCoin, doing (2) is not rational. There is an infinitesimal personal benefit related to more frequent compounding of interest. There is also a cost because doing (2) undermines PPCoin's market value. If you have a non-negligible stake, then you care about market valuation and it will never be rational to do (2). If you have a negligible stake, then what you do doesn't really matter anyway.

If we introduce piece rates for txns, the calculation changes. The benefits of more frequent mining become non-trivial. This encourages more people to do (2). I expect that for any txn fee, r, there will be a cut-off stake level, s*(r), where for s<s*(r) it becomes optimal to do (2) instead of (1). s*(r) is increasing in r. In other words, if you introduce excessive piece-rates, you will only be able to trust very wealthy people to do (1). If you introduce very low piece rates, then almost everyone should keep doing (1).

What can be done about this?
a) Restrict yourself to weak incentives (e.g. interest, perhaps with a time cap to weakly motivate more frequent mining) [This is what I am suggesting for PPCoin.]
b) Mitigate the theft risks of keeping coins online. This is probably a large reason why people would avoid mining. [Again I am suggesting this for PPCoin.]
c) Introduce a mechanism that makes it extremely unlikely that minority chains overtake the main chain. Essentially this means that (2) is irrelevant unless the fraction of people doing (2) approaches 100%. [I describe a mechanism like this here: https://en.bitcoin.it/wiki/Proof_of_Stake. It is too big of a change to be a fork of PPC]
d) Find an incentive mechanism that detects and penalizes people who do (2) regardless of whether they succeed or fail. I think the solution here is to make mining "quasi-deterministic". Deterministic mining means there is only one true history. Quasi-deterministic mining means that there is a very limited set of alternative histories and you have to pay everyone coins to search through them.

I'm working on a pure proof-of-stake system that does a combination of (c) and (d). The system would use txns to measure "time". I will post a brainstorming thread about it shortly. I would appreciate comments. [Much too big of a change to be a fork of PPC.]

Title: Re: PPCoin Criticism / Security / etc
Post by: Jutarul on November 29, 2012, 07:30:53 AM

Quote from: cunicula
d) Find an incentive mechanism that detects and penalizes people who do (2) regardless of whether they succeed or fail. I think the solution here is to make mining "quasi-deterministic". Deterministic mining means there is only one true history. Quasi-deterministic mining means that there is a limited set of alternative histories. I'm working on a pure proof-of-stake system that does a combination of (c) and (d). The system would use txns to measure "time". I will post a brainstorming thread about it shortly. I would appreciate comments. [Much too big of a change to be a fork of PPC.]

As usual, good points.
I agree - having an incentive for including transactions suddenly provides incentives for block history rewriting. The only way to compensate for that is to penalize events which indicate rewriting attempts. We don't have a solution for that yet. So I am looking forward to your brainstorming thread.Title: Re: PPCoin Criticism / Security / etc Post by: scrybe on November 30, 2012, 03:17:15 PM Looking at the code, it seems to basically be solidcoin without maybe only one master-node instead of several master-nodes. I tried to hack out all proof of work and all checking of checkpoints but then both sides seem to wait for the other to start saying something. OK, I have finished the thread, that took a while (because there is a lot of info here, thanks guys) I've been thinking about this a lot lately. The point of PoW in PPC is as a Clock, and an initial coin minter. Without PoW PPC does not know when 10 minutes has elapsed. Checkpoints are there to ensure that nobody does a double-spend before the network gets big enough to defend itself, as well as provide a clock of last resort (IIRC) I believe that sunny-king did mention removing check-pointing in and upcoming build. (note, I'm not reading the code, using my memory of descriptions) The Clock aspect of PoW makes it almost impossible to move away from, or at least replace. Using an external timeserver would open up all sorts of network vulnerabilities and attacks, same with checkpoint servers, or any other centralized mechanism. Why not do merged mining with BitCoin for the PoW, so you can keep the fork "pure" and focused on the Proof of Stake aspects? Initial coin minting needs to be heavily deflationary too, in my opinion, that is another issue I have with PPC. No matter how far I game it out, it keeps looking like mining will ALWAYS be FAR more lucrative than holding, and since transaction fees are destroyed there is no incentive to mine PoW if we tried to just make the existing coin deflationary. 
I guess my wish list is:
- Deflationary initial coin distribution that is...
- ... replaced by transaction fees over time, but...
- ... no hard limit on coins since PoS will continue forever.
- Merged Mining with BitCoin for PoW
- Clear direction with milestones,
- and much better communication.

Cabin made a good point on transaction fees, without fees being shared with miners, how do we incent folks to include some transactions over others. We have to assume that we might get more transactions than we can handle at some point and will need to prioritize...

> ADDENDUM: While doing a revision of the POS reward scheme, it may also be beneficial to investigate how the incentive structure for including transactions can be optimized. Maybe the block reward can be proportional to the overall destroyed coinage instead of the stake transaction (however, the "likelihood" of generating the POS block should only be determined by the stake transaction) Then including transactions which destroy significant coinage is beneficial to the miner and it's an incentive to include them instead of leaving them out. The above mentioned exponential modifier can work on the total coinage for the block instead of the stake transaction...

I disagree with this one, the only benefit from "stake" should be during holding. If you elect to stop holding and move it, its income stops.

I like the declining aggregate interest idea, but it would just cause folks to move coins around on a quarterly or annual basis to optimize rewards. This would however essentially require that ALL coins be stored online, or come online regularly, so it might be an overall security disadvantage. I think if you bring your wallet back online after 1 year, you should be able to get 1 year of interest, unless this is Proof of Online Stake (POS?) in which case we should actually be checking availability of coins or something.
(I think)

Title: Re: PPCoin Criticism / Security / etc Post by: killerstorm on November 30, 2012, 03:44:44 PM

1) PPCoin developers are really awful at English Communication.
2) PPCoin developers are really awful at PR.
3) PPCoin developers are jealous and afraid of being copied/outdone. (open source, but not open interpretation of source)
4) PPCoin developers know something bad and they are hiding it strategically.
x) They know that design is half-assed, but it sort of works for now so they just don't care, hoping that in future problem will be solved.

Sunny King has no problems with communications and PR, he simply does not give a fuck.

Title: Re: PPCoin Criticism / Security / etc Post by: cunicula on November 30, 2012, 06:15:40 PM

> Looking at the code, it seems to basically be solidcoin without maybe only one master-node instead of several master-nodes. I tried to hack out all proof of work and all checking of checkpoints but then both sides seem to wait for the other to start saying something.
>
> OK, I have finished the thread, that took a while (because there is a lot of info here, thanks guys)
>
> I've been thinking about this a lot lately. The point of PoW in PPC is as a Clock, and an initial coin minter. Without PoW PPC does not know when 10 minutes has elapsed. Checkpoints are there to ensure that nobody does a double-spend before the network gets big enough to defend itself, as well as provide a clock of last resort (IIRC) I believe that sunny-king did mention removing check-pointing in an upcoming build. (note, I'm not reading the code, using my memory of descriptions)
>
> The Clock aspect of PoW makes it almost impossible to move away from, or at least replace. Using an external timeserver would open up all sorts of network vulnerabilities and attacks, same with checkpoint servers, or any other centralized mechanism.

Time itself is unimportant. The only reason the time is necessary is to allow you to iterate over something.
I have been thinking about txn counts as an alternative clock. Think about the following (ignore the double-spending issues for now, just think about txn-based time):

1) Txns have a block stamp t (i.e. rather than being independent of the blockchain, they must go in certain block t and cannot go in t-1 or t+1)
2) Certain types of txns can iterate the clock. Suppose that only txns that move 210 or more BTC iterate the clock. [I just use BTC because it's familiar]
3) Suppose further that every txn requires a minimum fee, c>0. This means that each iteration has a minimum cost of c.
4) For any block t, there are up to 100,000 possible clock iterations. [because at most 21 million BTC could be moved in 100,000 210 BTC txns in a single block] Iteration txns (anything with > 210 BTC inputs) are escrowed for 6 blocks before they can be spent again.
5) With any given iteration there is a chance of moving to block t+1 and starting the process over again.
6) Now for this to work as a timing mechanism we have to be sure that the probability that the clock runs out is 0. Suppose for example that the probability of success at any iteration is 0.01. In 10,000 iterations, this gives us a probability of 10,000 consecutive failures of 3*10^-44. This is effectively 0. Probably humanity is dead before the clock stops.

Note: A block includes not just the iterated txns, but also any number of smaller, fee-paying txns as well.

If we introduce this type of 'clock' into PPCoin it creates problems. Given a sizable stash of coin divided among different addresses, I can merrily mine blocks without any connection to the network, potentially overtaking the main chain with some probability. However, I think this problem can be overcome. Think about the following process for block generation (similar to what I describe in the proof of stake wiki):

1) Any pair (block number, n) maps to a random lottery draw.
(where n is the number of iterations)
2) The lottery picks 4 random satoshis in sequence. The satoshi owners are invited to sign a block including any n iterated txns.
3) Let's say the 4 owners communicate via the network and agree to mine a block.
4) The first lottery winner creates a block and hashes it. Then he broadcasts the hash through the network. The other winners sign the hash and rebroadcast it.
5) Now the first lottery winner broadcasts the block together with the signed hash. [Note that one person can't modify the block because then the signature hash won't match. A conspiracy of these 4 guys could collude to generate many different blocks of the same height. One solution is to a) just pick one if we hear that someone has built on it. b) If not, combine any two duplicate blocks that build on the same root into a 'null block', ignore all txns in the 'null block', and build on the null block.]

If we have a process like this, it is hard to mine offline. Suppose for example I have 10% of all coins. To mine a block offline I need to draw my own satoshis 4 times in a row. This takes about 10,000 iterations on average. With 10% of all coins, I can do up to 10,000 iterations, so it is within my capability. However, if I want to mine 6 blocks in a row it becomes much harder because of the escrow of txns. The problem is more complicated, but I'll just pretend I do this by dividing coins into 6 even piles. With 6 even piles, I can only do 1,667 iterations per block. This gives me a success probability of about 8% per block. For 6 blocks in a row that is about once every 4 million blocks.

On the other hand, consider legit public mining. Suppose 50% of coins are online. Then the success probability from one iteration is 6.25%. We would get a block about once every 16 iterations. That is very good. If only 20% of coins are online, however, then we only get a block about once every 625 iterations.
People could stir the pot if necessary by sending out some txns; perhaps that could be automated in the client. That should still be fine. If we drop lower than this, the iterations are going to blow up and double-spending risk becomes a problem. Thus, there need to be strong incentives to keep coins online.

The incentives should be flexible. If 50% of coins are online then everything is hunky dory and the people who keep their coins offline do not need to be penalized. One possibility is to issue a block reward that explodes in the number of iterations (e.g. the block reward = k*(average of iterations in recent blocks)^2). Iterations only explode if everyone is offline. Thus if we see lots of iterations, then we need to drastically increase incentives. Drastically increasing block reward redistributes wealth to whoever is online, solving the problem of offline coins (or lost coins). When hyperinflation is necessary, people who can't manage nodes would store their coins in an online bank that pays interest. The bank funds this by putting the coins online and earning interest.

Another interesting thing about this is it could be scheduled. Recall that the lottery draws are deterministic. If we approximately know who is online, then we can approximately know who will mine the upcoming blocks. This might allow for a rapid communication process and relatively quick blocks.

Anyways, there are kinks to be ironed out. The parameters need adjusting. Are there some crippling issues that I am missing? I think that secret mining attacks are mostly covered here. Are there public attacks that will work?

Title: Re: PPCoin Criticism / Security / etc Post by: scrybe on November 30, 2012, 09:26:45 PM

Replying from mobile, so no elaborate quoting.
On timing, I think it is true that you do not care about absolute time, you do care about approximate time of intervals however. With the transaction based timing mechanism you described I believe that block time would get shorter and shorter as the network was busier, not a steady flow. Setting and trying to maintain a regular block interval is important, IMHO, and should be a mechanism that is as far from being manipulated as possible.

I also think asking or encouraging folks to keep their coins online is a mistake. Even if everyone tries, there will be plenty of times that less than 50% of coins are offline, especially if folks want to protect them. So if the currency is successful the majority will disappear.

Simpler is better, this last suggestion is so complex it will take a lot of testing to check every possible angle.

Title: Re: PPCoin Criticism / Security / etc Post by: Sunny King on November 30, 2012, 09:36:57 PM

> I've been thinking about this a lot lately. The point of PoW in PPC is as a Clock, and an initial coin minter. Without PoW PPC does not know when 10 minutes has elapsed. Checkpoints are there to ensure that nobody does a double-spend before the network gets big enough to defend itself, as well as provide a clock of last resort (IIRC) I believe that sunny-king did mention removing check-pointing in an upcoming build. (note, I'm not reading the code, using my memory of descriptions)
>
> The Clock aspect of PoW makes it almost impossible to move away from, or at least replace. Using an external timeserver would open up all sorts of network vulnerabilities and attacks, same with checkpoint servers, or any other centralized mechanism.

This is a misunderstanding. Proof-of-work blocks do not act as clock for proof-of-stake blocks. Proof-of-stake blocks have their own difficulty and will adjust toward target spacing of 10 minutes all by their own.
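The figures in cunicula's txn-clock and 4-satoshi-lottery post above (block rate against the fraction of coins online, the clock-stall probability, and an isolated 10% holder's odds), worked through as an added example that is not code from the thread or from PPCoin; the functions, and the reading of the 6-pile escrow as a per-block iteration budget of 1,667, are assumptions taken from the post's own description.

```python
"""Added example, not code from the thread or from PPCoin: the probabilities in
cunicula's txn-clock / 4-satoshi-lottery proposal, computed from the model as
the post states it (assumed parameters are marked)."""

DRAWS_PER_BLOCK = 4  # the lottery picks 4 satoshis in sequence (from the post)


def clock_stall_probability(p_success: float, iterations: int) -> float:
    """Chance that `iterations` consecutive iterations all fail to advance the
    clock; the post wants this to be effectively zero (p=0.01, 10,000 tries)."""
    return (1.0 - p_success) ** iterations


def block_probability_per_iteration(online_fraction: float) -> float:
    """One iteration yields a block only if all 4 drawn satoshis belong to
    owners who are online, so the chance is online_fraction ** 4."""
    return online_fraction ** DRAWS_PER_BLOCK


def expected_iterations_per_block(online_fraction: float) -> float:
    """Mean iterations between blocks (geometric waiting time)."""
    return 1.0 / block_probability_per_iteration(online_fraction)


def offline_attack_block_probability(coin_fraction: float,
                                     iteration_budget: int) -> float:
    """Chance that an isolated miner holding `coin_fraction` of all coins draws
    its own satoshis 4 times in a row within `iteration_budget` iterations of
    one block.  The budget is limited by how many >210-coin txns the miner's
    coins can fund; the post models the 6-block escrow by splitting the coins
    into 6 piles, which cuts the per-block budget to 1/6 (assumed here)."""
    p_hit = coin_fraction ** DRAWS_PER_BLOCK
    return 1.0 - (1.0 - p_hit) ** iteration_budget


def blocks_between_attack_runs(per_block: float, run_length: int) -> float:
    """Expected blocks between successful runs of `run_length` consecutive
    secretly mined blocks, given the per-block success rate."""
    return 1.0 / per_block ** run_length


if __name__ == "__main__":
    print(f"P(clock stalls for 10,000 iterations at p=0.01) = "
          f"{clock_stall_probability(0.01, 10_000):.1e}")
    for frac in (0.5, 0.2):
        print(f"{frac:.0%} of coins online -> one block per "
              f"{expected_iterations_per_block(frac):.0f} iterations")
    # 10% holder: full budget of 10,000 iterations vs. the 6-pile budget of 1,667.
    # Note: the post quotes ~8% for the 1,667 case; this formula gives ~15%, so
    # the post's "once every 4 million blocks" is the optimistic end of the range.
    for budget in (10_000, 1_667):
        p = offline_attack_block_probability(0.10, budget)
        print(f"10% holder, {budget:,} iterations/block: P(block) = {p:.3f}, "
              f"6 in a row about once per {blocks_between_attack_runs(p, 6):.2e} blocks")
```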
Title: Re: PPCoin Criticism / Security / etc Post by: Bitcoin Oz on November 30, 2012, 11:21:51 PM

The real security problem with ppcoin? The possibility that Sunny King = realSolid
Title: Re: PPCoin Criticism / Security / etc Post by: cunicula on December 01, 2012, 04:26:44 AM

> This is a misunderstanding. Proof-of-work blocks do not act as clock for proof-of-stake blocks. Proof-of-stake blocks have their own difficulty and will adjust toward target spacing of 10 minutes all by their own.

Is the PoW clock just ignored then for blockchain validity purposes? If so, good idea. That means you can toss PoW entirely.

What do you do about PoS miners who report blockchains from the future? A lot of coin-age can be destroyed if we allow 2025 to be reported as occurring tomorrow, even if only a tiny % of coins did the mining.

Title: Re: PPCoin Criticism / Security / etc Post by: tacotime on December 01, 2012, 05:13:00 AM

PoS as implemented is by block number, not time, hence time attacks do not affect it. It looks like you can just mine a PoS transaction at 1 diff after a certain number of blocks have passed
What I don't understand so much is how they're signed for securely

Title: Re: PPCoin Criticism / Security / etc Post by: cunicula on December 01, 2012, 06:15:59 AM

> Replying from mobile, so no elaborate quoting.

The optimal timing probably depends on network characteristics and technology. It doesn't make much sense to fix a permanent timing in the protocol. At some point, if there is enough txn volume to pay for the bandwidth/storage and the scheduling technology is there, confirmations could be almost instantaneous.

> On timing, I think it is true that you do not care about absolute time, you do care about approximate time of intervals however. With the transaction based timing mechanism you described I believe that block time would get shorter and shorter as the network was busier, not a steady flow. Setting and trying to maintain a regular block interval is important, IMHO, and should be a mechanism that is as far from being manipulated as possible.

For now, suppose we want to target 10 iterations every 10 minutes. Just give clients the following instructions. For every second (based on the client's private clock), push a txn to stir the pot with probability x, where x is some small number. If there are less than 5 iterations announced over the past 10 minutes, then increase x by 10%. If there are more than 15 iterations announced, then decrease x by 10%. If everyone does this, you will end up with about 1 iteration per minute.

One individual could spend money to speed this up temporarily, but it won't help him in any significant way. Any small action is countered by negative feedback. If the network is running smoothly, he is better off relying on others to do the work. Large actions are costly and infeasible unless you have a lot of coin.

> I also think asking or encouraging folks to keep their coins online is a mistake. Even if everyone tries, there will be plenty of times that less than 50% of coins are offline, especially if folks want to protect them.
> So if the currency is successful the majority will disappear.

I don't agree with you at all here. The right approach is to make keeping coins online safe from significant theft. We need this anyways to solve the theft issues that plague bitcoin. How to do this is kind of orthogonal to the discussion here.

Briefly, it is not hard to implement limited keys that place periodic withdrawal limits on txns. This is what real-world banks do. These are the keys that need to be online. Keys that can do anything are like your ID and bank account book. You can keep those in a safe.

Title: Re: PPCoin Criticism / Security / etc Post by: cunicula on December 01, 2012, 06:20:56 AM

> PoS as implemented is by block number, not time, hence time attacks do not affect it. It looks like you can just mine a PoS transaction at 1 diff after a certain number of blocks have passed

In PPCoin, the PoS contains both a coin-age element (value of inputs, block number) and a time-stamping element (time is used as a random number seed).

> What I don't understand so much is how they're signed for securely

I am suggesting using the # of large txns as a random number seed rather than time. (i.e. take time out of the protocol entirely) As far as how blocks are signed securely, that is simple. You just need to sign with your private key showing that you control the relevant inputs. It is just like securely signing a txn except the txn mines a block.

Title: Re: PPCoin Criticism / Security / etc Post by: Sunny King on December 02, 2012, 02:09:42 AM

> What do you do about PoS miners who report blockchains from the future? A lot of coin-age can be destroyed if we allow 2025 to be reported as occurring tomorrow, even if only a tiny % of coins did the mining.

Block timestamp is subject to the same bitcoin protocol of max two hours in the future.
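The timestamp rule Sunny King cites above, as an added stand-alone validator that is not PPCoin's or Bitcoin's code: the two-hour future bound comes from the post; the lower bound against back-dating (a block's time must exceed the median of the previous 11 block times) is Bitcoin's rule and is an assumption here, as are the constructed timestamps in the demo.

```python
"""Added example, not PPCoin's or Bitcoin's code: the block-timestamp checks
that bound the 'blocks from the future' concern raised above.  The two-hour
future limit is the rule the post cites; the median-time-past lower bound is
Bitcoin's rule and is assumed here so blocks cannot be back-dated either."""
from statistics import median

MAX_FUTURE_DRIFT = 2 * 60 * 60   # seconds: at most two hours ahead of our clock
MEDIAN_WINDOW = 11               # Bitcoin's median-time-past window (assumed)


def median_time_past(prev_block_times):
    """Median of the last MEDIAN_WINDOW block timestamps (UNIX seconds)."""
    return int(median(prev_block_times[-MEDIAN_WINDOW:]))


def check_block_time(block_time, prev_block_times, network_time):
    """Return (accepted, reason) for a block's timestamp.

    network_time is the validator's own (network-adjusted) clock.  A block is
    rejected if it claims a time more than MAX_FUTURE_DRIFT ahead of that
    clock, or one not strictly later than the median of the preceding blocks.
    Within those bounds the timestamp is taken as given, so a staker can still
    shade it by up to two hours of coin-age, but not by years."""
    if block_time > network_time + MAX_FUTURE_DRIFT:
        return False, "too far in the future"
    if prev_block_times and block_time <= median_time_past(prev_block_times):
        return False, "not after median time past"
    return True, "ok"


if __name__ == "__main__":
    # Constructed chain: 11 blocks ten minutes apart from 2012-12-01 00:00 UTC.
    chain_times = [1354320000 + 600 * i for i in range(11)]
    now = chain_times[-1] + 600          # the honest next-block time
    year_2025 = 1735689600               # 2025-01-01 00:00 UTC, the post's example
    for label, t in (("honest", now), ("+1h", now + 3600),
                     ("2025", year_2025), ("median", chain_times[5])):
        print(f"{label:>7}: {check_block_time(t, chain_times, now)}")
```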