Bitcoin Forum

In a Proof-of-Stake system similar to bitcoin, a large number of coins could lie dormant and accrue 'coin days'.   If these coins are in escrow, like on Mt.Gox, their 'coin days' could be used to do an attack on the network.

Thus any large escrow service would be a threat to the network, in addition to large miners.

Thus either escrow services must pay interest, or the need for escrow should be eliminated by a better block chain design and p2p exchanges.

have you read the white paper.  stop being such a scrub

Yes I've read the paper.

Maybe you didn't understand the attack.  The attack is that the escrow service cooperates with a miner to destroy coin days.

This is prevented by checkpointing (centralized control)

https://bitcointalk.org/index.php?topic=152809.msg1636798#msg1636798

If you can circumvent checkpointing, you can easily double spend with stake blocks

Exchanges can defend against these attacks by simply ignorning stake blocks for the purpose of confirmation.

coindays is not stake!!!

coindays destroyed in POS block generation are awarded in a 1% roi.
if you find a block and destroy coinage of 10000 coins lying in there for 365 days, wou will be rewarded 100 coins.

but that would not make it easy for you to attack. generation is baset not on coinage, but on stake.
stake is only generated up to 90 days so it cannot be super charged for an attack, also new 3.0 protocol has protection against finding pos block one by one.


checkpointing is still there, but just in case of som unknown vulnerabilities. users trust developer so there is actualy not mush pressure from PPC supporters to remove it.

there are no known possible atacks that would be easier on PPC than on any other coin including BTC.
 

The new protocol (as far as I can tell) just makes it harder to spam consecutive blocks from a single source (again, it's hard to tell because SK doesn't want to explain it in simple pseudocode) -- but I think you can still do it if you keep multiple wallets.  For instance, if you have 500 clients all with some coins 90 days old, and you keep them offline then suddenly bring them online, you might be able too.

No, because there is limit for coinage in PPC and NVC, 90 days. You will receive ~ 25 coins.

There is no difference between "1 wallet" and "500 wallets" configurations.

xorxor is correct, 90 day limit only applies to kernel hash weighting, but when calculating reward full coin age is used. So you do get 100 coins provided you are online long enough to generate stakes.

So the number of stake blocks that would be generated after bringing them online after a 90 day period is the same?

It's almost the same as 100 mhash/s vs. 100 x 1 mhash/s for PoW system.

For example:

PoW diff-1 is ~ 4.29 * 10^9 hashes per block
PoS diff-1 is ~ 4.29 * 10^9 coin-day-second per block

P.S. I was wrong about reward, sorry.

Right.  But, you need 6 blocks to double spend (unless there's some kind of "block trust score" system that ignores the number of blocks and just calculates how much to trust each stake block).

For those of you who can't be bothered to read (only a few hundred lines of) source code and constantly fault me for not teaching the new algorithm in fine detail, I am sorry I cannot take you seriously as a critic as I think to be a good critic you need to seriously spend some effort as well. Besides I have already outlined the algorithm in my weekly updates but some people don't read it either before throwing complaints.

I am very busy and continue to work hard in order to better compete in the cryptocurrency market. So get some coffee and start reading before I can start taking you seriously.

^^  Thanks for the criticism.  Here's your enlightening weekly update:


The 0.3 release thread for detailed instruction:
https://bitcointalk.org/index.php?topic=144964.0

Here is your enlightening answer as to what these 400 lines of code accomplish in kernel.cpp:

edit: Diff for anyone interested, took me a while to dig up
https://github.com/ppcoin/ppcoin/commit/b0b7eb2ecad409a2a98f6aa35bf99a4fb247ff35

All systems ignores the number of blocks. The both PoW and PoS systems calculates "trust score" for each block.

In BTC-like systems, for example, this "trust score" comes from nBits field. You can't overwrite current chain with your own, if you have not enough "trust score" aka bnChainWork. Even if you generated 100x longer chain.

I see, thank you for taking the time to answer my questions.  How do exchanges implement confirmation, then?  As you worked with BTC-e with NovaCoin, you must know.

Merchant operator usually selects fixed confirmations amount and takes a risk of double-spend. This is the fundamental problem, one can't say what the chain is correct, if there are no another chains for trust score comparison. And it doesn't matter how many confirmations do you have, 6 or even 600.

Okay, thank you for your answer.

... but it's possible to estimate risks and select confirmations amount for your own situation. If attack costs more than transaction volume, you can trust it with lower amount of confirmations, for example. :)

More confirmations means more security from double-spend. It's same for proof-of-stake.

Yes, because it decreases a risk and makes attacker costs higher. But you still can't say that N confirmations amount provides you the 100% protection against double-spend. Risk still exists, it can be 0.00000000001%, but it still exists. But everyday life is a complex of balanced risks, anyway.  :)

It's true that an exchange or wallet service could use it's wallet to launch attack on proof-of-stake, although unlikely. The current plan is to implement reorg depth limit and relegate checkpoint to be advisory be default, so if this type of attack (considered to be equivalence of 51% attack on proof-of-work) occurrs users can subscribe to checkpoint so that transaction processing can continue on block chain.

Miners don't have a play in double-spending attack, unless they wait and become stake owner. Security comes from proof-of-stake, proof-of-work only provides minting. Please don't confuse ppcoin's design with other proof-of-stake proposals. Our design is the only one that gives full respect to the concept of proof-of-stake and is the only one that actually has an implementation rather than just talks.

Yes, they can, but technically it will be suicide for them. Anyway, it's possible to prevent such attacks by implementing another REORGANIZE algo.

why reorganize? it is still harder and extremally expensive to 51% a PoS blockchain, than a PoW only one.

beauty of PoS concept is that atacker to be succesfuf has to attack himself.   

Because clearly, all human creatures are rational (or at least L-rational) and economically motivated.

"man shall not live by bread alone" - said no human, ever  ::)


So, basically, this entire ppcoin thing is a bit like Solidcoin sans massive egotism and with less retarded pignode implementation?

Why not discard the PoW component altogether, if it has no "say" in choosing which chain is "goodchain" ?

P.S.:
Disclosure - passerby is affectionately fond of hybrid PoW/PoS things, and hybrid things in general :)

From FAQ:

Ripple founders chose to do just that, eliminating proof-of-work and using a centralized model of initial minting and distribution, which I found against the spirit of bitcoin. I am not against people making profit, but in a larger picture, cryptocurrency is way more important than the success of one company or a small group of people. Putting the distribution in a central administration makes the currency highly vulnerable to confiscation as there is no plausible deniability.

The reason for compensating miners (with fees, subsidy, or anything at all) is that because in a PoW scheme they provide a service that is vital to the entire market.

In a scheme where solving progressively complex cryptopuzzles does not serve to secure the ledger against doublespends and other shenanigans, mining is, frankly speaking, a waste and should have been replaced with a more reasonable initial wealth distribution routine - of which there are many options (including collusion-proof cryptographic lotteries)

In fact, mining provides outright perverse initial wealth distribution in pure PoS because you are essentially rewarding folks for the investment they have made into another, different crypto-currency scheme (by buying BTC mining equipment), an investment that has been likely already paid off via that other scheme.

That's like if Microsoft started paying me money for the fact that I own Google shares ;)

Interesting point, and I agree with the wealth distribution argument.  However this can be fixed by not using SHA256 which is not designed to be a technology-neutral algorithm.

Regarding a crypto lottery, where is the collusion-proof cryptographic lottery that is immune to a sybil attack?

Well, yeah, a different PoW might have alleviated the issue a bit, though designing a PoW that would be hostile to modern mining equipment turns out to be a pretty hard task it seems...

Immune ? No.

But significant sybil-resistance could be achieved by various tricks (an obvious and somewhat imperfect one would be to use v4 IPs as "identities". Admittedly, you can still sybil a lot, especially if you are a botty op, but during initial wealth distribution a botnet is not likely to show up and anyone who honestly buys a crapton of IPs just to win MORE PPCOINS is probably an individual with quite a bit of interest in your specific coin)