Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: thorjag on October 30, 2014, 09:48:33 AM



Title: A(nother) downside to Proof-of-Stake?
Post by: thorjag on October 30, 2014, 09:48:33 AM
Please correct me if I'm wrong, but doesn't PoS require the miners to keep their private keys online on the machine doing block validation? Isn't this a major security flaw, since if a vulnerability in the software is found that allows an attacker to extract the private key, he can clean out pretty much all miners' wallets, making it a breeze to gain >50% stake?



Title: Re: A(nother) downside to Proof-of-Stake?
Post by: TierNolan on October 30, 2014, 01:17:29 PM
Quote
Please correct me if I'm wrong, but doesn't PoS require the miners to keep their private keys online on the machine doing block validation?

A workaround would be for each output to have 2 keys, a spending key and a POS key.

This would allow users to upload their POS key(s) to a mining pool without that pool being able to spend their money.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: thorjag on October 30, 2014, 01:25:50 PM
Is this implemented in any current PoS systems?


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: achimsmile on October 30, 2014, 01:42:46 PM
Are you talking about a specific PoS implementation?

Only speaking about Nxt:
Don't confuse private and public keys. Private keys are only needed for things like opening an account, sending Nxt, signing messages etc. They are not stored on the machine, nor are they ever transmitted online, if you run Nxt on your local machine.

https://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt#The_Forging_Algorithm


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: gmaxwell on October 30, 2014, 09:46:31 PM
Quote
A workaround would be for each output to have 2 keys, a spending key and a POS key.
This would allow users to upload their POS key(s) to a mining pool without that pool being able to spend their money.

Yup, but doing that also eliminates some of the incentive alignment arguments in the first place: E.g. that you'll take care of your keys, and not delegate (or do so only cautiously), not leak them, etc. because your funds depend on them.

Sort of moot because the whole approach seems fundamentally unsound (or at least none of its advocates have stated a clear set of reasonable assumptions under which their system is secure (and where a centralized ledger wouldn't be)). https://download.wpsoftware.net/bitcoin/pos.pdf


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: inBitweTrust on October 31, 2014, 01:46:27 AM
Quote
Sort of moot because the whole approach seems fundamentally unsound (or at least none of its advocates have stated a clear set of reasonable assumptions under which their system is secure (and where a centralized ledger wouldn't be)). https://download.wpsoftware.net/bitcoin/pos.pdf

I am curious to hear others' opinions on Vitalik's PoS proposals that attempt to address these security weaknesses:

https://blog.ethereum.org/2014/10/03/slasher-ghost-developments-proof-stake/



Title: Re: A(nother) downside to Proof-of-Stake?
Post by: andytoshi on October 31, 2014, 01:52:50 AM
Quote
I am curious to hear others' opinions on Vitalik's PoS proposals that attempt to address these severe security weaknesses:

https://blog.ethereum.org/2014/10/03/slasher-ghost-developments-proof-stake/

These proposals do not address the fundamental concerns in the document that gmaxwell posted. They do add a fair bit of complexity, making them hard to analyze (and making a concrete attack too intricate to describe). IIRC Vitalik has backed away from these proposals because they do not provide the security benefits he originally thought they did.

It's worth noting that by writing a well-defined security model and working toward it, it is possible to create a "working" PoS which is only broken when the assumptions of the security model are violated. If one were to do this, it would then be easy to point out how the security model is not applicable to the real world. But neither Vitalik's posts --- nor any PoS writeups that I'm aware of --- actually do this.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: inBitweTrust on October 31, 2014, 02:12:20 AM
Quote
IIRC Vitalik has backed away from these proposals because they do not provide the security benefits he originally thought they did.

Thanks for the information. The post I linked is from this month so what you are discussing must be fairly recent. Do you know where I can look to find him backing away from PoS so I can review those arguments?

As far as I'm aware he is favorable to Slasher ghost but doesn't want to trust untested algos on Ethereum and is opting to roll in PoS later on (how will be interesting).


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: andytoshi on October 31, 2014, 02:29:43 AM
Oh, my bad, I thought you had linked to an earlier one.

The one you posted was his backing-away post: (a) he makes comments like "actually implementing a proof of stake algorithm that is effective is proving to be surprisingly complex" (this was not surprising, by the way --- the pos.pdf document that gmaxwell linked had been published before any of Vitalik's posts); (b) he says "we will relax our assumptions somewhat: we will say that we are only concerned with maintaining consensus between a static set of nodes that are online at least once every N days". This latter point is him changing the security model to be dramatically different from Bitcoin's, since it no longer aims to provide a decentralized publicly verifiable view of history. I think it's possible to get distributed consensus, for this definition of distributed consensus.

Given this, I can't make a meaningful comparison between Bitcoin's distributed consensus and the PoS stuff that Vitalik is talking about. They solve different problems. (Though IMHO Bitcoin's problem is a real one, while Vitalik's is a contrived one designed to make PoS work ;).)


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: work2heat on November 01, 2014, 01:35:42 AM
As andytoshi points out, all of these analyses are complicated by the specific model assumptions and therefore the different systems are not necessarily directly comparable. However, it would be interesting to work towards a formal proof under a standard bitcoin model that shows PoW is the only way to achieve secure consensus.

I'm still not completely convinced this is true, though. So long as the protocol is entirely self-contained, perhaps, but supposing we can rely on "reflecting" the consensus off reality (through social networks and other media), I think we can actually solve this in the real world.

The main issue with PoS is so-called nothing at stake. Slasher can mitigate this effectively for its temporal range (Vitalik likes 3000 blocks), but is subject to long-range attacks. Long-range attacks can be mitigated by check-pointing, so the problem becomes one of secure check-pointing (say every 3000 blocks). One approach would be a proof-of-work based checkpointing mechanism in an otherwise fully proof-of-stake system. The PoS people probably won't like that, and it could be very dangerous (I literally just thought of it). The other approach is stake based check-pointing on chains of progressively higher security (where security is effectively measured by the size of the security deposits that must be put up to be eligible for signing/checkpointing). So the question can be reduced further to one of secure-checkpointing on the most secure chain (we are assuming here an interweb of chains, where lower security chains checkpoint on higher security chains). The highest security chain then checkpoints against the real world, by literally broadcasting hashes on facebook and twitter and so on.

It's a little ridiculous, but it has an interesting appeal in that it brings the consensus full circle by embedding it back in reality. Of course it already is semi embedded in reality due to the nature of software development (clients are not developed according to a protocol, they are made by humans who do their best, but are not infallible).

Either way, it will be interesting to see this field play out!

As to your original question, hardware devices that do not export keys but simply allow inputs to be signed and spit those out can mostly mitigate your concern. Stay tuned!


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: achimsmile on November 01, 2014, 07:58:28 AM
Quote
The main issue with PoS is so-called nothing at stake.

I still don't see how a nothing at stake attack could succeed. Buying majority of PoS coin supply isn't exactly nothing, and finding private keys of the initial stakeholders does not help if you have checkpoints.

Nxt uses a reorg window of 720 blocks. Blocks older than that won't be accepted by any client. This means that checkpoints are set up in decentralized manner (each client sets its own reorg limit). You need to effectively buy 51%.

I would like to see a nothing at stake attack succeed, so far I only saw 51% attacks on low hashrate PoW coins. Also I don't see how decentralized consensus should not be possible in PoS? I see it working in real world while the "consensus is not possible" statement is theoretical.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: inBitweTrust on November 01, 2014, 12:36:11 PM
Quote
I still don't see how a nothing at stake attack could succeed. Buying majority of PoS coin supply isn't exactly nothing, and finding private keys of the initial stakeholders does not help if you have checkpoints.

Nxt uses a reorg window of 720 blocks. Blocks older than that won't be accepted by any client. This means that checkpoints are set up in decentralized manner (each client sets its own reorg limit). You need to effectively buy 51%.

I would like to see a nothing at stake attack succeed, so far I only saw 51% attacks on low hashrate PoW coins. Also I don't see how decentralized consensus should not be possible in PoS? I see it working in real world while the "consensus is not possible" statement is theoretical.


Setting checkpoints merely constrains the attack window which is trivial if an attack can happen near-instantly with compromised stakeholders.  PoS advocates seem to be fixated upon the need for external threats attacking their ecosystem by purchasing stake which is ignoring other attack vectors altogether. The lack of historical examples of NaS attacks does not negate the risk of such an event occurring and really highlights the lack of seriousness some people have about security.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: coretechs on November 01, 2014, 01:10:46 PM
Quote
Please correct me if I'm wrong, but doesn't PoS require the miners to keep their private keys online on the machine doing block validation?

NXT allows you to lease the balance of your account to another account for forging.  This way you can lease your balance to an empty proxy account that can remain unlocked/online without any risk.  If the account is compromised, you simply issue a new lease transaction for a new account, or move the coins out of the leasing account.  A lease only becomes effective after 1440 blocks to prevent a number of exploits that would otherwise be possible.

http://wiki.nxtcrypto.org/wiki/Nxt_API#Lease_Balance


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: achimsmile on November 01, 2014, 01:16:53 PM
Quote
Setting checkpoints merely constrains the attack window which is trivial if an attack can happen near-instantly with compromised stakeholders.


Attack may be trivial, but compromising private keys of majority of stakeholders looks a tad bit harder.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: inBitweTrust on November 01, 2014, 01:21:41 PM
Quote
Attack may be trivial, but compromising private keys of majority of stakeholders looks a tad bit harder.

Would you consider the risk of compromising only 7-12 stakeholders who likely know each other and work together (thus compromising one would likely lead to compromising multiple) a secure arrangement for a currency?

P.S....What is funny about all this is Nxt was already attacked in a fundamental way even before being released and thus has little hope of widespread adoption. Speaking about the security and viability of PoS variants is one thing, but IMHO Nxt was doomed from the start. Bitshares seems to have taken a dangerous recent precedent as well with the "merger" which is effectively switching the currency from a deflationary one to an inflationary one.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: achimsmile on November 01, 2014, 01:46:32 PM
Quote
Would you consider the risk of compromising only 7-12 stakeholders who likely know each other and work together (thus compromising one would likely lead to compromising multiple) a secure arrangement for a currency?

P.S....What is funny about all this is Nxt was already attacked in a fundamental way even before being released and thus has little hope of widespread adoption.


You used the word "likely" two times too much. Vague assumptions are not enough to base an attack on.
Many (anon) stakeholders have their PoS private keys in cold storage. Good luck in finding them.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: inBitweTrust on November 01, 2014, 01:54:24 PM
Quote
You used the word "likely" two times too much. Vague assumptions are not enough to base an attack on.
Many (anon) stakeholders have their PoS private keys in cold storage. Good luck in finding them.


The "crypto-currency" community is small enough of a network let alone the Nxt stakeholder community...sheesh. We are not talking about 6 degrees of separation here but 1-2 degrees to connect most individuals.

15 stakeholders hold over 75% of Nxt:

http://charts.nxt.org/cDistribution.aspx

Are you suggesting that these stakeholders are likely not some of the same creators and early investors who know each other?

The reason I use qualifiers is because I am honest about the possibilities and realities of security and there exists a very small probability that those 15 largest stakeholders are complete strangers. I'd be inclined to suggest that over half of the 15 are friends and collaborators. What do you think?


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: andytoshi on November 01, 2014, 04:05:56 PM
Quote
I still don't see how a nothing at stake attack could succeed.
Maybe if you read my PoS paper where I actually give a specific attack?

Quote
Buying majority of PoS coin supply isn't exactly nothing,
It isn't exactly anything, either. "majority of PoS coin" is not well-defined in the absence of consensus.

Quote
and finding private keys of the initial stakeholders does not help if you have checkpoints.
...yes, obviously you can create a non-distributed consensus. Humans have been doing this since before we had language.

Quote
Nxt uses a reorg window of 720 blocks. Blocks older than that won't be accepted by any client. This means that checkpoints are set up in decentralized manner (each client sets its own reorg limit). You need to effectively buy 51%.
Is this actually what they do? Reorg windows simply make forks permanent. There is literally no attack they are capable of mitigating -- either you have no deep forks and they are pointless, or you do and they result in permanent partitioning of the network. (This idea has come up hundreds, if not thousands of times, and is orthogonal to the consensus mechanism.)

Quote
I would like to see a nothing at stake attack succeed,
Stake-grinding is an example of a NaS attack. See peercoin or the original NXT for examples.

Quote
so far I only saw 51% attacks on low hashrate PoW coins. Also I don't see how decentralized consensus should not be possible in PoS?

Maybe if you read my PoS paper?

Quote
I see it working in real world while the "consensus is not possible" statement is theoretical.

I see this claim, along with its variant ""consensus is not possible" statement is bullshit", a lot. But this paper has been out for over six months, has been read by thousands of people, has changed the discourse around PoS to the point where I was accused of strawmanning after its last appearance on Reddit since "nobody is actually proposing distributed consensus by PoS", and yet there have been exactly zero counterarguments. I'm getting tired of these sorts of proudly uninformed comments.
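
Added example (not part of the original posts, and not Nxt's code): a toy model of the reorg-window argument made in the post above, showing a shallow fork resolving identically with or without the window and a fork deeper than the window never resolving. The 720-block limit is the figure quoted in the thread; the plain longest-chain rule, the chain lengths, the block ids and the `Node` class are simplifying assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

REORG_WINDOW = 720  # reorg limit quoted in the thread for Nxt


def make_chain(prefix: List[str], branch: str, length: int) -> List[str]:
    """Extend `prefix` with `length` constructed block ids on `branch`."""
    start = len(prefix)
    return prefix + [f"{branch}{h}" for h in range(start, start + length)]


def fork_depth(local: List[str], remote: List[str]) -> int:
    """Number of local blocks that adopting `remote` would discard."""
    common = 0
    for mine, theirs in zip(local, remote):
        if mine != theirs:
            break
        common += 1
    return len(local) - common


@dataclass
class Node:
    chain: List[str]
    window: Optional[int] = REORG_WINDOW  # None = longest-chain rule only

    def offer(self, remote: List[str]) -> str:
        """Apply the fork-choice rule to a chain offered by a peer."""
        if len(remote) <= len(self.chain):
            return "kept"
        depth = fork_depth(self.chain, remote)
        if self.window is not None and depth > self.window:
            return "rejected"  # would need to rewrite blocks past the window
        self.chain = list(remote)
        return "adopted"


def heal_partition(blocks_a: int, blocks_b: int,
                   window: Optional[int] = REORG_WINDOW,
                   rounds: int = 1) -> Tuple[bool, list]:
    """Two nodes share 1000 blocks, build apart, then exchange chains.

    Returns (converged, per-round outcomes for node A and node B).
    """
    shared = make_chain([], "g", 1000)
    a = Node(make_chain(shared, "a", blocks_a), window)
    b = Node(make_chain(shared, "b", blocks_b), window)
    outcomes = []
    for _ in range(rounds):
        chain_a, chain_b = list(a.chain), list(b.chain)
        outcomes.append((a.offer(chain_b), b.offer(chain_a)))
        if a.chain == b.chain:
            return True, outcomes
        # Still split: each side keeps extending its own branch, so the
        # fork only gets deeper relative to the window.
        a.chain = make_chain(a.chain, "a", 10)
        b.chain = make_chain(b.chain, "b", 20)
    return False, outcomes


def bootstrap(first: str, window: Optional[int] = REORG_WINDOW) -> str:
    """A node with no history hears both branches of a deep fork.

    Returns the branch letter of the tip it ends up on.
    """
    shared = make_chain([], "g", 1000)
    branches = {"a": make_chain(shared, "a", 800),
                "b": make_chain(shared, "b", 900)}
    second = "b" if first == "a" else "a"
    node = Node([], window)
    node.offer(branches[first])
    node.offer(branches[second])
    return node.chain[-1][0]


if __name__ == "__main__":
    print("shallow fork, window :", heal_partition(5, 8))
    print("shallow fork, none   :", heal_partition(5, 8, window=None))
    print("deep fork, window    :", heal_partition(800, 900, rounds=3))
    print("deep fork, none      :", heal_partition(800, 900, window=None))
    print("new node, a first    :", bootstrap("a"))
    print("new node, b first    :", bootstrap("b"))
```

In this model a node that joins during the deep fork stays on whichever branch it was shown first, so the rule itself gives it no way to tell the two histories apart.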



Title: Re: A(nother) downside to Proof-of-Stake?
Post by: work2heat on November 01, 2014, 06:37:43 PM
andytoshi, what do you think about saving PoS by bouncing checkpoints/blockhashes off reality?

You want to know the top of the chain that everyone is using? Check facebook and twitter. Seeing something different in your client? Someone's trolling you ...



Title: Re: A(nother) downside to Proof-of-Stake?
Post by: andytoshi on November 01, 2014, 07:05:10 PM
Quote
andytoshi, what do you think about saving PoS by bouncing checkpoints/blockhashes off reality?

Then you are introducing trust assumptions and new attack vectors. There are no universally trusted parties to provide checkpoints.

Quote
You want to know the top of the chain that everyone is using? Check facebook and twitter. Seeing something different in your client? Someone's trolling you ...

And if somebody has hacked Facebook or Twitter? Or put pressure on them from some USG agency? Or has compromised your access to them? Or maybe you just don't trust them because they routinely censor data and besides treat their users as data crops?


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: tacotime on November 01, 2014, 08:23:47 PM
Quote
Is this implemented in any current PoS systems?

Yes, I implemented it in MC2, although currently that is in testing and not available publicly. The paper for that needs to be entirely rewritten too, so I guess there will be a lot more information when it's actually FOSSd.

My security assumption is: "PoW provides the primary security of the system even with PoS enabled. If PoS breaks the system, we hardfork back to PoW."


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: work2heat on November 01, 2014, 11:52:12 PM
Quote
Then you are introducing trust assumptions and new attack vectors. There are no universally trusted parties to provide checkpoints.

Yes, I'm introducing trust of large scale society itself, but not a particular institution. We already trust society implicitly with basically everything we do.

Quote
And if somebody has hacked Facebook or Twitter? Or put pressure on them from some USG agency? Or has compromised your access to them? Or maybe you just don't trust them because they routinely censor data and besides treat their users as data crops?

Exactly. It's not just facebook and twitter. It's them, and hacker news, and slashdot, and the various subreddits, and this forum, and wikipedia, and the google homepage, and the local grocery store's bulletin board, and the lcd display above the central square, and everyone who cares to participate's website or other medium. You'd have to break all of them - reduce the world to the Truman Show. Good luck!

Granted, it may increase the potential for consensus failure, if the USG posts a different hash than Russia, or w/e. But at least it will be much clearer which agencies are vying for which consensus outcomes.

The idea has obviously not been fully fleshed out. But I think these kinds of things are worth thinking about to the extent that internet based consensus systems can be reflected off the real world.  There's more to this than simply accelerating the heat death of the universe ;)


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: kokojie on November 03, 2014, 02:12:57 PM
Quote
I am curious to hear others' opinions on Vitalik's PoS proposals that attempt to address these severe security weaknesses:

https://blog.ethereum.org/2014/10/03/slasher-ghost-developments-proof-stake/

These proposals do not address the fundamental concerns in the document that gmaxwell posted. They do add a fair bit of complexity, making them hard to analyze (and making a concrete attack too intricate to describe). IIRC Vitalik has backed away from these proposals because they do not provide the security benefits he originally thought they did.

It's worth noting that by writing a well-defined security model and working toward it, it is possible to create a "working" PoS which is only broken when the assumptions of the security model are violated. If one were to do this, it would then be easy to point out how the security model is not applicable to the real world. But neither Vitalik's posts --- nor any PoS writeups that I'm aware of --- actually do this.

No PoS system that I'm aware of, has actually been attacked, all the theories remain theories, the real world has said "no I can't attack a PoS system".

Many PoW systems have been attacked, the real world has provided many successful attacks, lots of PoW systems have basically been attacked to death.

How can anyone still claim PoW security is superior to PoS?

PoS may not be a perfectly secure system, but it's clearly superior in a security sense and also economical sense.

PoS scales beautifully, while PoW struggles to waste more hardware and electricity, and transfers more value out of a crypto eco-system.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: inBitweTrust on November 03, 2014, 02:47:36 PM
Quote
No PoS system that I'm aware of, has actually been attacked, all the theories remain theories, the real world has said "no I can't attack a PoS system".

Many PoW systems have been attacked, the real world has provided many successful attacks, lots of PoW systems have basically been attacked to death.

How can anyone still claim PoW security is superior to PoS?

PoS may not be a perfectly secure system, but it's clearly superior in a security sense and also economical sense.

PoS scales beautifully, while PoW struggles to waste more hardware and electricity, and transfers more value out of a crypto eco-system.

You have some flawed reasoning with regards to security.

1) Just because no case of a 51% attack has been successful with Bitcoin doesn't mean that Bitcoin is secure from such an attack in the future. The same reasoning can be applied to any PoS with NaS. When it comes to security, analyzing all possible attack vectors is of utmost importance.

2) To only focus on NaS attacks PoS/DPoS critics are not accurately reflecting all the possible attack vectors in which these currencies are vulnerable to.

I.E...  Some would consider Bitshares to be recently attacked with a "51% democratic attack by delegates" which decided to change BTSX from a deflationary currency to an inflationary currency and upsetting a minority group of investors who were sold on the idea of a deflationary currency.




Title: Re: A(nother) downside to Proof-of-Stake?
Post by: achimsmile on November 03, 2014, 03:12:10 PM
Quote
I still don't see how a nothing at stake attack could succeed.
Maybe if you read my PoS paper where I actually give a specific attack?

Quote
Buying majority of PoS coin supply isn't exactly nothing,
It isn't exactly anything, either. "majority of PoS coin" is not well-defined in the absence of consensus.

Quote
and finding private keys of the initial stakeholders does not help if you have checkpoints.
...yes, obviously you can create a non-distributed consensus. Humans have been doing this since before we had language.

Quote
Nxt uses a reorg window of 720 blocks. Blocks older than that won't be accepted by any client. This means that checkpoints are set up in decentralized manner (each client sets its own reorg limit). You need to effectively buy 51%.
Is this actually what they do? Reorg windows simply make forks permanent. There is literally no attack they are capable of mitigating -- either you have no deep forks and they are pointless, or you do and they result in permanent partitioning of the network. (This idea has come up hundreds, if not thousands of times, and is orthogonal to the consensus mechanism.)

Quote
I would like to see a nothing at stake attack succeed,
Stake-grinding is an example of a NaS attack. See peercoin or the original NXT for examples.

Quote
so far I only saw 51% attacks on low hashrate PoW coins. Also I don't see how decentralized consensus should not be possible in PoS?

Maybe if you read my PoS paper?

Quote
I see it working in real world while the "consensus is not possible" statement is theoretical.

I see this claim, along with its variant ""consensus is not possible" statement is bullshit", a lot. But this paper has been out for over six months, has been read by thousands of people, has changed the discourse around PoS to the point where I was accused of strawmanning after its last appearance on Reddit since "nobody is actually proposing distributed consensus by PoS", and yet there have been exactly zero counterarguments. I'm getting tired of these sorts of proudly uninformed comments.


Your paper is too vague.

Quote
an attacker with enough past signing keys can modify the history he has direct control over, causing future signer selections to always happen in his favour. (It is likely he needs to “grind” through many choices of block before he finds one which lets him keep control of the signer selection. In effect, he has replaced proof-of-stake with proof-of-work, but a centralized one.)


You make it sound easy to just grind through "many" choices of blocks, yet don't provide a model of how many that exactly means. This attack vector may have been possible with peercoin and an early version of Nxt (before transparent forging was partly implemented at block height 30000, in the current version the account that will forge the next block is already known, you don't have enough time to produce a valid block and influence the desired next forging account, you would need huuuge amounts of computing power to do so).

You need to provide mathematical proof of how much computing power is needed to build a long enough chain and trick the network to accept your fake chain. I say (sorry only speaking about Nxt again) you'd need too much. Prove me wrong.

And Nxt does not use coin age, which released minting power to the account that signed the block, if the block was orphaned. So that attack vector is also gone.


Quote
Suppose that at some early point in consensus time, a single person has the ability to extend history. (For example, they have control over every key which a new block is required to be signed by.) This may have happened organically, if this person’s keys were chosen randomly by the stake-choosing algorithm, but it could also happen if this person tracks down the other keyholders and buys their keys. This may happen much later in consensus time (and real time), so there is no reason to believe these keyholders are still incentivized to keep their keys secret. Alternately, they may have revealed the keys through some honest mistake, the chances of which increase as time passes, backups are lost, etc

720 blocks is not "much later".


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: kokojie on November 03, 2014, 03:17:47 PM
Quote
No PoS system that I'm aware of, has actually been attacked, all the theories remain theories, the real world has said "no I can't attack a PoS system".

Many PoW systems have been attacked, the real world has provided many successful attacks, lots of PoW systems have basically been attacked to death.

How can anyone still claim PoW security is superior to PoS?

PoS may not be a perfectly secure system, but it's clearly superior in a security sense and also economical sense.

PoS scales beautifully, while PoW struggles to waste more hardware and electricity, and transfers more value out of a crypto eco-system.

You have some flawed reasoning with regards to security.

1) Just because no case of a 51% attack has been successful with Bitcoin doesn't mean that Bitcoin is secure from such an attack in the future. The same reasoning can be applied to any PoS with NaS. When it comes to security, analyzing all possible attack vectors is of utmost importance.

2) To only focus on NaS attacks PoS/DPoS critics are not accurately reflecting all the possible attack vectors in which these currencies are vulnerable to.

I.E...  Some would consider Bitshares to be recently attacked with a "51% democratic attack by delegates" which decided to change BTSX from a deflationary currency to an inflationary currency and upsetting a minority group of investors who were sold on the idea of a deflationary currency.




Bitcoin is not a mining algorithm by itself, it uses the same PoW algorithm as many other PoW crypto, and since other systems with the same PoW algorithm have been attacked, therefore it's already proven Bitcoin can be attacked in the same manner. Bitcoin has the advantage of being an order of magnitude larger than any other crypto, that's another form of security, unrelated to PoW.

For example, yahoo and my personal blog site, both can be DDoS attacked, but yahoo being so big, it's much more difficult to DDoS it. It doesn't mean yahoo has good anti-DDoS measures at all, my personal blog site might have better anti-DDoS measures, but since it's small, it's easier to attack.

The fact that ZERO PoS systems have been attacked, even though many of them are tiny, speaks volumes about PoS security. ALL of your attack vectors remain a theory at best. If you want to prove your point, the best method is not to theorycraft further, but actually go and attack one currently public and working PoS system, you can even pick a tiny one if you wish.

I don't want to get into another discussion with you about Bitshares, since it's pointless to discuss Bitshares with your vivid imagination. You are calling a community voted and approved change by the developer team an "attack", that's just too funny. Can I call Gavin's "block size" increase of 50% per year an attack? I didn't even get to vote on it. I would have preferred another way of handling the block size, damn I'm now alienated and upset!

Btw, Bitcoin with PoW is currently and will always be inflationary at least 10% annually, it is much more inflationary than Bitshares. Due to the 10% PoW mining tax. Bitcoin value will rise only with constant inflow of new money, otherwise Bitcoin value will naturally decrease by at least 10% annually.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: inBitweTrust on November 03, 2014, 03:36:37 PM
Quote
....(before transparent forging was partly implemented at block height 30000, in the current version the account that will forge the next block is already known, you don't have enough time to produce a valid block and influence the desired next forging account, you would need huuuge amounts of computing power to do so).

You need to provide mathematical proof of how much computing power is needed to build a long enough chain and trick the network to accept your fake chain. I say (sorry only speaking about Nxt again) you'd need too much. Prove me wrong.

And Nxt does not use coin age, which released minting power to the account that signed the block, if the block was orphaned. So that attack vector is also gone.

Is there even a Whitepaper available that details the security of Nxt Transparent forging yet? If not, then how can we even discuss it?


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: inBitweTrust on November 03, 2014, 03:50:47 PM
Quote
The fact that ZERO PoS systems have been attacked, even though many of them are tiny, speaks volumes about PoS security. ALL of your attack vectors remain a theory at best. If you want to prove your point, the best method is not to theorycraft further, but actually go and attack one currently public and working PoS system, you can even pick a tiny one if you wish.

I'm not blackhat and won't go around committing crimes to prove a point. My logic is sound and eventually some blackhat may perform a NaS. I don't believe NaS is a likely attack vector for PoS and never claimed as much however ignoring the possibility is irresponsible.


I don't want to get into another discussion with you about Bitshares, since it's pointless to discuss Bitshares with your vivid imagination. You are calling a community voted and approved change by the developer team an "attack", that's just too funny. Can I call Gavin's "block size" increase of 50% per year an attack? I didn't even get to vote on it. I would have preferred another way of handling the block size, damn I'm now alienated and upset!

I would consider anything that strayed from the central tenets of Bitcoin's purpose/ideals to be an attack. Increasing the transaction volume was actually an intended improvement while some investors were sold that Bitshares was a "true deflationary" currency by many promoters including yourself which is a big deal.

BTSX recent short term price drop compared to Bitcoin isn't even my main concern but the trust and credibility of the currency is now tarnished as new investors will always wonder when/if/and how much the next devaluation will be.

If BTC would ever increase above 21 million then it would be catastrophic and many in the community would not consider the new fork "Bitcoin". As you suggested, security can come in many forms and not just the algorithm itself and the fact that Bitcoin is a certain size, has first mover advantage, has enough developers, and has a community with certain ideals (i.e. we will not inflate the currency supply) are tremendous security aspects one must consider.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: achimsmile on November 03, 2014, 04:01:31 PM
....(before transparent forging was partly implemented at block height 30000, in the current version the account that will forge the next block is already known, you don't have enough time to produce a valid block and influence the desired next forging account, you would need huuuge amounts of computing power to do so).

You need to provide mathematical proof of how much computing power is needed to build a long enough chain and trick the network to accept your fake chain. I say (sorry only speaking about Nxt again) you'd need too much. Prove me wrong.

And Nxt does not use coin age, which released minting power to the account that signed the block, if the block was orphaned. So that attack vector is also gone.

Is there even a Whitepaper available that details the security of Nxt Transparent forging yet? If not, then how can we even discuss it?

Well I agree with you, it would be nice to have an independent in-depth review on the security of transparent forging. But it doesn't actually change the forging algo, which was reviewed here:
http://www.docdroid.net/ahms/forging0-4-1.pdf.html

and the crypto behind it looks sound (https://gist.github.com/doctorevil/9521116)

It just lets you know the next forger (in its current state). How would that negatively impact security? It makes it much harder to compute a longer fake chain.

(quoting Come-from-Beyond)

  1. Do http://localhost:7876/nxt?requestType=getState to get value of "lastBlock"
  2. Do http://localhost:7876/nxt?requestType=getBlock&block=10621696942372068326 (assuming 10621696942372068326 is the value of "lastBlock")
  3. Convert "generationSignature" into binary, and append the public key bytes returned by getAccountPublicKey
  4. Calculate SHA256 (generationSignature, publicKey)
  5. The first 8 bytes of this value, as an unsigned long in little-endian notation, is the "HIT" value
  6. The value of "baseTarget", multiplied by the effective balance of the account, is STATIC_TARGET
  7. Repeat steps 3-6 for each active account, and find the one with lowest HIT/STATIC_TARGET ratio. This account will forge the next block
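
The seven steps quoted above, worked through offline as an added example (not part of the original post and not Nxt's own code). The generation signature, public keys, balances and base target are constructed values, and "generationSignature" is assumed to be hex-encoded; skipping zero-balance accounts is also an assumption.

```python
import hashlib
from fractions import Fraction

def constructed_hex(label):
    """Constructed 32-byte stand-in for a real key or generationSignature."""
    return hashlib.sha256(label.encode()).hexdigest()

def hit(generation_signature_hex, public_key_hex):
    """Steps 3-5: SHA256(generationSignature || publicKey), first 8 bytes, little-endian."""
    data = bytes.fromhex(generation_signature_hex) + bytes.fromhex(public_key_hex)
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "little")

def rank_forgers(generation_signature_hex, base_target, accounts):
    """Steps 6-7: sort accounts by HIT / STATIC_TARGET, lowest ratio first.

    accounts maps a label to (public_key_hex, effective_balance).
    """
    ranked = []
    for label, (public_key_hex, effective_balance) in accounts.items():
        target = base_target * effective_balance  # STATIC_TARGET
        if target <= 0:
            continue  # assumption: zero effective balance cannot forge
        ratio = Fraction(hit(generation_signature_hex, public_key_hex), target)
        ranked.append((ratio, label))
    return sorted(ranked)

def next_forger(generation_signature_hex, base_target, accounts):
    """Label of the account with the lowest ratio, or None if nobody can forge."""
    ranked = rank_forgers(generation_signature_hex, base_target, accounts)
    return ranked[0][1] if ranked else None

# Constructed sample data, not taken from the Nxt chain.
GEN_SIG = constructed_hex("generationSignature of lastBlock")
BASE_TARGET = 1_000_000
ACCOUNTS = {
    "alice": (constructed_hex("alice"), 5_000_000),
    "bob": (constructed_hex("bob"), 250_000),
    "carol": (constructed_hex("carol"), 0),  # no effective balance
}

if __name__ == "__main__":
    for ratio, label in rank_forgers(GEN_SIG, BASE_TARGET, ACCOUNTS):
        print(f"{label:6} HIT/STATIC_TARGET = {float(ratio):.3e}")
    print("next forger:", next_forger(GEN_SIG, BASE_TARGET, ACCOUNTS))
```

Against a running node, the inputs would come from the getState, getBlock and getAccountPublicKey requests named in steps 1-3.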


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: achimsmile on November 03, 2014, 04:03:59 PM
I'm not blackhat and won't go around committing crimes to prove a point. My logic is sound and eventually some blackhat may perform a NaS. I don't believe NaS is a likely attack vector for PoS and never claimed as much however ignoring the possibility is irresponsible.

Apart from the likeliness of the attack, I'm agreeing with you, ignoring an attack vector is irresponsible.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: inBitweTrust on November 03, 2014, 04:12:29 PM
Well I agree with you, it would be nice to have an independent in-depth review on the security of transparent forging. But it doesn't actually change the forging algo, which was reviewed here:
http://www.docdroid.net/ahms/forging0-4-1.pdf.html

and the crypto behind it looks sound (https://gist.github.com/doctorevil/9521116)


The paper you cited doesn't refer to transparent forging algorithm except as a footnote link which shows a forum post where there is a proposed algorithm.

It would be nice if a Whitepaper is available discussing transparent forging in detail otherwise the use of the term is mostly marketing fluff.

It just lets you know the next forger (in its current state). How would that negatively impact security? It makes it much harder to compute a longer fake chain.

How does this protect you from 7-12 compromised stakeholders?


I'm not blackhat and won't go around committing crimes to prove a point. My logic is sound and eventually some blackhat may perform a NaS. I don't believe NaS is a likely attack vector for PoS and never claimed as much however ignoring the possibility is irresponsible.

Apart from the likeliness of the attack, I'm agreeing with you, ignoring an attack vector is irresponsible.

So you are disagreeing with me and are suggesting a NaS attack is likely?


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: instagibbs on November 03, 2014, 04:12:47 PM


The fact that ZERO PoS systems have been attacked, even though many of them are tiny, speaks volumes about PoS security. ALL of your attack vectors remain a theory at best. If you want to prove your point, the best method is not to theorycraft further, but actually go and attack one currently public and working PoS system, you can even pick a tiny one if you wish.



Security through No One Gives a Fig.

That's a new one.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: instagibbs on November 03, 2014, 04:14:25 PM

It would be nice if a Whitepaper is available discussing transparent forging in detail otherwise the use of the term is mostly marketing fluff.



No need to read it. Just listen to the scraping of goalposts moving on the ground and you'll get the idea. I've tried countless times.

gmaxwell calls it Security against Cryptoanalysis  ;D

I do love that it's considered "Transparent" Forging though.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: kokojie on November 03, 2014, 05:02:43 PM


The fact that ZERO PoS systems have been attacked, even though many of them are tiny, speaks volumes about PoS security. ALL of your attack vectors remain a theory at best. If you want to prove your point, the best method is not to theorycraft further, but actually go and attack one currently public and working PoS system, you can even pick a tiny one if you wish.



Security through No One Gives a Fig.

That's a new one.

Not really, many tiny PoW systems have been attacked, actually being tiny increases the likelihood of an attack for PoW systems.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: achimsmile on November 03, 2014, 07:19:26 PM
Well I agree with you, it would be nice to have an independent in-depth review on the security of transparent forging. But it doesn't actually change the forging algo, which was reviewed here:
http://www.docdroid.net/ahms/forging0-4-1.pdf.html

and the crypto behind it looks sound (https://gist.github.com/doctorevil/9521116)


The paper you cited doesn't refer to transparent forging algorithm except as a footnote link which shows a forum post where there is a proposed algorithm.

It would be nice if a Whitepaper is available discussing transparent forging in detail otherwise the use of the term is mostly marketing fluff.

No, it means you are too lazy to try out if one can really know the account that will forge the next block (transparent). I provided you a step by step guide on how to verify. I feel like there's a pudding in front of me and I'm telling you it's there, but you keep your eyes closed and pretend it's not, you want to read an abstract first that proves that the pudding exists.



How does this protect you from 7-12 compromised stakeholders?

It does not, and I never said otherwise. This is a different argument. Thank you for not answering anything to my criticism against the anti-PoS paper. The attack you describe has nothing to do with a technical weakness, but with size of community and distribution.

I'll be fair and calculate which accounts you'd need to compromise:

Current estimated active stake in Nxt is 413,042,354 NXT. Meaning you'd roughly need to control private keys of 207M Nxt at the moment (if inactive holders don't start forging which they probably would if they noticed an attack).
If you're only after the largest stakeholders, you'll need to find out who the following accounts belong to, where they live, and where they store their private keys, and then steal them.


NXT-THLJ-CYAL-JQST-6FNS5
NXT-4GSE-75S2-TVVP-3N2YV
NXT-R3V3-2S79-F3ZM-BVXKZ
NXT-GQPU-UKGD-H89L-EUWFN
NXT-MRBN-8DFH-PFMK-A4DBM
NXT-A2Q2-N6JD-AAEW-GYTT8

Yay, only 6 accounts, pretty easy. :) They have a combined amount of 223'155'189. Good luck in finding them (hint, they might use Tor and have their private keys in cold storage hidden anywhere in the world since not all of them are forging).

I think it could be easier to just put a gun to the head of the 3 operators of Discus Fish, Ghash.io and KnC Mining pool. Since BTC is worth way more, this approach would be more profitable.

Disclaimer: I am against any violence and unethical stuff such as stealing or threatening, both approaches are disgusting.


So you are disagreeing with me and are suggesting a NaS attack is likely?

No.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: inBitweTrust on November 03, 2014, 07:35:08 PM

No, it means you are too lazy to try out if one can really know the account that will forge the next block (transparent).

I'll wait till all the changes are sorted out with transparent forging and the developers publish a whitepaper before making any assumptions upon the security direction Nxt is headed.

From reading the material and from your statements the security concerns I bring up aren't addressed from this partial implementation of transparent forging. It appears you are resigned to believe that it is near impossible to find and identify any of those 15 top stakeholders which is a bit disconcerting. Some other concerns deal with bugs creeping into Nxt that allow for an exploit of some/everyone's stake.

I still am interested from an academic perspective in the future whitepaper but not Nxt as a currency because I consider the way it was launched an attack on the credibility of the network right from the start so don't hold out much hope for Nxt itself. PoS /DPoS future I'm not so certain about.


Title: Re: A(nother) downside to Proof-of-Stake?
Post by: Ix on November 04, 2014, 10:52:33 PM
Maybe if you read my PoS paper where I actually give a specific attack?

I'm curious to hear your thoughts on the whitepaper I have recently posted: https://bitcointalk.org/index.php?topic=845827.0