Title: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on December 18, 2014, 05:12:37 PM Paper on different attacks related to multibranching forging is published by Consensus Research https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf
TL/DR version and consequences: - multibranch forging gives measurable possibility to earn more fees. I guess Nxt should not ignore it in long-term as the profitable activity will be implemented by somebody sooner or later - there's no long-range attack against a blockchain V. Buterin described, only short-range. The short-range attack doesn't allow double-spending but gives multibranching forger possibility to earn more fees in singlebranch environment by producing few blocks in a row. However producing few blocks in a row could be an issue too (e.g. evil forger may postpones orders submissions etc) but not critical at the moment. - not explicitly stated in the paper but easily derived, a long delay between blocks not only annoying but also a security problem as it's the moment for short-range attack could happens - we have formally defined nothing-at-stake attack(again, using Buterin's informal definition) and made initial simulations. We haven't included their results in paper as they are seems to be too raw, but I can reveal them here: N@S attack could happens only in short-range, e.g. for within 20 blocks for 10% stake, so with 30 confirmations we haven't observed the successful attack. Also please note the attack has pretty unpredictable nature for attacker, so he can hardly enforce it, even in theory(in practice it's even harder to get it done properly). The correlation with stake size is still the open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin - the N@S simulation tool is published also https://github.com/ConsensusResearch/MultiBranch so feel free to make your own experiments ----------------------------- Consensus Research is the micro-group of two researchers working on Proof-of-Stake consensus algorithm investigation at the moment. We're raising funds via NXT Assets Exchange ( https://trade.secureae.com/#5841059555983208287 ), have own GitHub https://github.com/ConsensusResearch/ and subforum on NXT forum: https://nxtforum.org/consensus-research/ , also check my personal blog please http://chepurnoy.org/ Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Damelon on December 18, 2014, 10:15:28 PM Nice to see some research on N@S, instead of claims without backup.
Would be nice to see some discussion going over this. :) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jonald_fyookball on December 19, 2014, 12:04:21 AM I don't have the time/energy to fully digest what the paper
is saying, but the conclusions of the author seem to say that Nothing at stake is a real problem that hasn't been solved. Quote As we have all the algorithms developed to simulate N@S attack we present result in the separate paper along with possible ways to resist it. Giving some results now we present not the full picture of the problem. Fol- lowing this section it is reasonable to get the impression that this problem actually matters and we concentrate to possible solutions at the moment.... ...The open question for the future work are: (1) the PoS consensus depen- dence on the measure function (2) the ways to avoid N@S attack if any (3) the optimal confirmation length investigation (4) the optimal multibranch depth investigation. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Yurizhai on December 19, 2014, 12:16:09 AM Jordan Lee has claimed to have solved nothing at stake in version 0.4.0 of the Nu network. Vitalik comments on it. Is that strategy mentioned in the paper?
https://discuss.nubits.com/t/proof-of-stake-and-weak-subjectivity/716/3 Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jonald_fyookball on December 19, 2014, 12:23:25 AM Jordan Lee has claimed to have solved nothing at stake in version 0.4.0 of the Nu network. Vitalik comments on it. Is that strategy mentioned in the paper? https://discuss.nubits.com/t/proof-of-stake-and-weak-subjectivity/716/3 Vitalik's comment on Jordan Lee's 'solution': Quote What they've figured out is a way of discounting double-votes from scoring, not disincentivizing people from making them Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Yurizhai on December 19, 2014, 12:25:48 AM Jordan Lee has claimed to have solved nothing at stake in version 0.4.0 of the Nu network. Vitalik comments on it. Is that strategy mentioned in the paper? https://discuss.nubits.com/t/proof-of-stake-and-weak-subjectivity/716/3 Vitalik's comment on Jordan Lee's 'solution': Quote What they've figured out is a way of discounting double-votes from scoring, not disincentivizing people from making them And then goes on to say: Quote So, the system still relies on weak subjectivity, so it's basically just another security deposit-like mechanism that as far as I can see has exactly the same properties. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jl777 on December 19, 2014, 12:56:41 AM I don't have the time/energy to fully digest what the paper My understanding is that the more severe long range attack does not exist and even the short range attack is quite difficult to achieve. Also with more confirmations, the required attacking stake keeps going up. And if it requires actual stake to do a N@S attack, then there is definitely something at stake!is saying, but the conclusions of the author seem to say that Nothing at stake is a real problem that hasn't been solved. Quote As we have all the algorithms developed to simulate N@S attack we present result in the separate paper along with possible ways to resist it. Giving some results now we present not the full picture of the problem. Fol- lowing this section it is reasonable to get the impression that this problem actually matters and we concentrate to possible solutions at the moment.... ...The open question for the future work are: (1) the PoS consensus depen- dence on the measure function (2) the ways to avoid N@S attack if any (3) the optimal confirmation length investigation (4) the optimal multibranch depth investigation. So by definition this paper is very close to proving that when properly done PoS cannot be attacked with nothing. Of course if you throw enough resources to buy 51% (or probably 30%) of any PoS, you can do all sorts of nasty things to it. just like if you are able to control 51% (or is it 33% due to minority attacks) of mining power, you can do all sorts of nasty things to a PoW. Dont want to get into a discussion about how likely it is for anybody to obtain 51% of PoW mining power or 51% of a PoS currency, as the point of this thread is about Nothing at Stake attack. OK, maybe just a little. Mining power costs are not coupled to the PoW coin, so you can simply buy arbitrary amounts of mining hardware with the limit only being the manufacturing capacity of the vendors. Certainly a mass buy will raise the cost of the mining hardware due to the increased demand, but surely not more than 2x and only until the manufacturers start making new production runs. [this is totally ignoring the logistics cost of some "special" team to infiltrate three mining operations, let us stay within the laws for this discussion] Now let us imagine you are wanting to buy 51% of a PoS currency. What would happen to the price? What would the cost be? Maybe if you are patient, over time you can accumulate a large amount of anything, but any meaningful inflow of capital into a market will necessarily increase the price. will it be 2x or 20x or 200x by the time 51% is obtained? of course, depends on the coin, but the fact that there is a feedback loop to the cost for any financial attacker provides some level of protection. If there is no attack without anything at stake, then it seems that something is at stake, which is the point of PoW right? to have a cost. Seems like you need to have a significant stake and fancy algos and computing resources to conduct a short range attack, which is thwarted by having more confirmations. At the high level, it seems that both PoW and properly implemented PoS are able to require capital investment to obtain the coins. I am actually a PoW/PoS agnostic, I just want the coin to be secure and the small number of mining pools that control BTC mining output worry we far more than someone doing a N@S attack. The days of just declaring PoS as impossible should be behind us. We now have academics with equations, so let the debate be resolved by logic and math, instead of rhetoric. Clearly any crypto if improperly used will be vulnerable https://bitcointalk.org/index.php?topic=581411.0 and the first implementation of PPC PoS had a coinage vulnerability, but that does not mean that all PoS is flawed. Now what happens if 90% of BTC miners stopped? Like after a multipool abandons a coin after a diff adjustment, the blocktimes will slow down, a lot. This is not an attack scenario, but a real possibility if this bear market continues for another 6 months. With BTC diff readjustments 2000+ blocks, how long will things be in slow motion and if it slows to the point where all the blocks are full and it overflows, then what happens? So, there are potential problems with all such things and the ideal algo has yet to be made. Ideally the best ideas from PoW can be combined with the best ideas of PoS. James Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jl777 on December 19, 2014, 12:57:45 AM Jordan Lee has claimed to have solved nothing at stake in version 0.4.0 of the Nu network. Vitalik comments on it. Is that strategy mentioned in the paper? https://discuss.nubits.com/t/proof-of-stake-and-weak-subjectivity/716/3 Vitalik's comment on Jordan Lee's 'solution': Quote What they've figured out is a way of discounting double-votes from scoring, not disincentivizing people from making them And then goes on to say: Quote So, the system still relies on weak subjectivity, so it's basically just another security deposit-like mechanism that as far as I can see has exactly the same properties. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jonald_fyookball on December 19, 2014, 01:30:14 AM And if it requires actual stake to do a N@S attack, then there is definitely something at stake! You don't seem to understand what the Nothing at stake problem is about. (Yes, obviously you need to own coins, but you could attack and then sell your coins.) Nothing at stake refers to the fact that the best strategy is forging on multiple chains at the same time. The conundrum is that PoS really seeks "free" security. Would be nice to have a secure network that establishes distributed consensus without security costs, but is it feasible? One of the biggest arguments in favor of proof of work is that it costs more to attack the network than to participate in its security. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jonald_fyookball on December 19, 2014, 01:36:42 AM Quote I don't have the time/energy to fully digest what the paper is saying, but the conclusions of the author seem to say that Nothing at stake is a real problem that hasn't been solved. Maybe you ought to go ahead and fully digest what the paper is saying before proceeding. A) I just stated I don't have time B) I can quote the author's own conclusions Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jl777 on December 19, 2014, 01:47:41 AM And if it requires actual stake to do a N@S attack, then there is definitely something at stake! You don't seem to understand what the Nothing at stake problem is about. (Yes, obviously you need to own coins, but you could attack and then sell your coins.) Nothing at stake refers to the fact that the best strategy is forging on multiple chains at the same time. The conundrum is that PoS really seeks "free" security. Would be nice to have a secure network that establishes distributed consensus without security costs, but is it feasible? One of the biggest arguments in favor of proof of work is that it costs more to attack the network than to participate in its security. so if N@S requires an insane millionaire to conduct it, then this madman can easily buyout the top mining pools right? to use a wild card against one approach but not the other is not quite an objective analysis. Now if N@S now is requiring to obtain a meaningful stake before conducting the attack then it would be fair to say: One of the biggest arguments in favor of proof of stake is that it costs more to attack the network than to participate in its security. James Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jonald_fyookball on December 19, 2014, 01:51:43 AM actually you can sell your coins first and then attack...
since the nature of an attack is a re-org on the blockchain, how would anyone know you don't own the coins that you owned several blocks ago? That's another aspect of N@S. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Sentinelrv on December 19, 2014, 02:00:26 AM Jordan Lee has claimed to have solved nothing at stake in version 0.4.0 of the Nu network. Vitalik comments on it. Is that strategy mentioned in the paper? https://discuss.nubits.com/t/proof-of-stake-and-weak-subjectivity/716/3 I just wanted to comment that Sigmike (who designed this solution along with Jordan Lee) is a core developer for both NuBits and Peercoin. Sunny King has reviewed it and approved this change in Peercoin and it will be supported in the next version when it releases, which will be v0.5. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ThomasVeil on December 19, 2014, 02:08:36 AM Quote I don't have the time/energy to fully digest what the paper is saying, but the conclusions of the author seem to say that Nothing at stake is a real problem that hasn't been solved. Maybe you ought to go ahead and fully digest what the paper is saying before proceeding. A) I just stated I don't have time B) I can quote the author's own conclusions He asked a logical question: If you don't have time to understand it - why do you have time to comment on it? The conclusion actually states it in very simple terms: The problem exists, but is basically theoretical, because extremely hard to realize. Notice also that they are suggesting the "multibranch" approach - which makes the attack even more unlikely. And if it requires actual stake to do a N@S attack, then there is definitely something at stake! You don't seem to understand what the Nothing at stake problem is about. (Yes, obviously you need to own coins, but you could attack and then sell your coins.) Then there is something at stake. Really... why deny it when in the next sentence you affirm it? You attack the coin that you own. The value will likely drop - with or without a final success. Quote One of the biggest arguments in favor of proof of work is that it costs more to attack the network than to participate in its security. So where is the difference? Buying 25% of the POS coin would not be a high cost? In fact to buy the 51% mining power of Bitcoin would be way cheaper than buying 25% of the currency. Probably by several orders of magnitude. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jl777 on December 19, 2014, 02:29:06 AM actually you can sell your coins first and then attack... so in several blocks you spread out your orders to sell 15% of the currency. Well I am no rocket scientist, but I would think that still you would run into some liquidity issues. Actually it might create more of a panic. Imagine a 100,000 BTC sell order, then another, then another, then another, .... That would probably be more panic creating than a single million BTC sell order.since the nature of an attack is a re-org on the blockchain, how would anyone know you don't own the coins that you owned several blocks ago? That's another aspect of N@S. And by selling the coins, your entire attack is based on the false chain you cleverly made so you get one shot to make it pay off. Next you might propose to buy the coins over 6 months, conduct the attack, sell the coins over 6 months and then use a time machine to go back 6 months. But you know about the clever algos that make it so after some amount of blocks, say one day's worth that it is set in stone? So this shrinks your sell the coins and attack timeframe to a day. Spreading out the million BTC orders over a day, hmmm, still seems to be causing market meltdown and all the capital spent to acquire the coins are gone and hence something is at stake. I think maybe you are liking the EMP attack I came up with. This one requires simultaneously taking out all the nodes of a PoS network, then get your totally made up blockchain as the only one for all the nodes to connect to. I think this EMP attack would actually work, but I think it would work with any coin PoW or PoS. also some logistical problems with finding all the nodes, obtaining the EMP's, deploying them, etc. and also you need to just convince a few of the genesis keyholders to just give them their keys to you. Oh, after that there wont be anybody with a working computer though so who will know about your false chain? So, if we are leaving the world of the practical and believable, anything is possible. I think it is better to have some scientist types analyse the math in the consensus paper and then make some improvements. Dont you agree? James Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jl777 on December 19, 2014, 02:30:35 AM i love seeing the PoS fudsters being slaughtered lol seems only the most hard core fudsters are left to fight their dwindling corner. There is nothing wrong with PoW and actually the latest NXT lets you even create a new PoW coin with a single API command. so everything has its pros and cons and logical analysis is the way to determine the best course to takeTitle: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: durerus on December 19, 2014, 03:08:01 AM Great paper! I think everybody is looking forward to the scientific debate now.
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jonald_fyookball on December 19, 2014, 03:52:44 AM He asked a logical question: If you don't have time to understand it - why do you have time to comment on it? The logical answer is: I wanted to highlight the conclusions of the paper, since people have linked to it, misquoted it, and misrepresented it as some kind of "debunking". I mentioned that I don't have time to study it deeply because I don't. Hey, at least I skimmed the paper... Some people aren't even reading the paper and throwing around their worthless opinions. Quote Quote One of the biggest arguments in favor of So where is the difference? Buying 25% of the POS coin would not be a high cost?proof of work is that it costs more to attack the network than to participate in its security. Well, for one thing, you can buy coins and sell them, or spend them, either before or after an attack with PoS. Secondly, if you already have coins, you can try to double spend with them. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jl777 on December 19, 2014, 05:04:18 AM He asked a logical question: If you don't have time to understand it - why do you have time to comment on it? The logical answer is: I wanted to highlight the conclusions of the paper, since people have linked to it, misquoted it, and misrepresented it as some kind of "debunking". I mentioned that I don't have time to study it deeply because I don't. Hey, at least I skimmed the paper... Some people aren't even reading the paper and throwing around their worthless opinions. Quote Quote One of the biggest arguments in favor of So where is the difference? Buying 25% of the POS coin would not be a high cost?proof of work is that it costs more to attack the network than to participate in its security. Well, for one thing, you can buy coins and sell them, or spend them, either before or after an attack with PoS. Secondly, if you already have coins, you can try to double spend with them. so this magical instant selling is to me nonviable, which means the N@S will cost you the amount to acquire the stake, so a lot at stake. Secondly, where is this "you can try to double spend with them" coming from? The whole debate is about how this double spending is not possible with enough blocks, rolling checkpoints, maybe even some sort of preventing of chain jumping. If you just ignore all this and just make statements like just double spend them, it seems you are really short on time to make any coherent point. I was looking forward to some deep insight about this issue from you. James Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Damelon on December 19, 2014, 05:43:19 AM I don't have the time/energy to fully digest what the paper is saying, but the conclusions of the author seem to say that Nothing at stake is a real problem that hasn't been solved. Quote As we have all the algorithms developed to simulate N@S attack we present result in the separate paper along with possible ways to resist it. Giving some results now we present not the full picture of the problem. Fol- lowing this section it is reasonable to get the impression that this problem actually matters and we concentrate to possible solutions at the moment.... ...The open question for the future work are: (1) the PoS consensus depen- dence on the measure function (2) the ways to avoid N@S attack if any (3) the optimal confirmation length investigation (4) the optimal multibranch depth investigation. Actually, the td;dr version is: - multibranch forging gives measurable possibility to earn more fees. I guess Nxt should not ignore it in long-term as the profitable activity will be implemented by somebody sooner or later - there's no long-range attack against a blockchain V. Buterin described, only short-range. The short-range attack doesn't allow double-spending but gives multibranching forger possibility to earn more fees in singlebranch environment by producing few blocks in a row. However producing few blocks in a row could be an issue too (e.g. evil forger may postpones orders submissions etc) but not critical at the moment. - not explicitly stated in the paper but easily derived, a long delay between blocks not only annoying but also a security problem as it's the moment for short-range attack could happens - we have formally defined nothing-at-stake attack(again, using Buterin's informal definition) and made initial simulations. We haven't included their results in paper as they are seems to be too raw, but I can reveal them here: N@S attack could happens only in short-range, e.g. for within 20 blocks for 10% stake, so with 30 confirmations we haven't observed the successful attack. Also please note the attack has pretty unpredictable nature for attacker, so he can hardly enforce it, even in theory(in practice it's even harder to get it done properly). The correlation with stake size is still the open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin So yes, there máy be problems with certain forms of N@S, and that needs to be researched. Research means keeping an open mind, not cherrypicking and taking out the last sentence and twisting it to mean what you want to mean. They do nót say "Nothing at stake is a real problem that hasn't been solved." They say "We have made a simulation that produces a N@S as described and we are going to find out what it does." Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jonald_fyookball on December 19, 2014, 05:56:57 AM James,
I don't know if I have any deep insights, and I don't claim to be any expert. My thoughts on this: With proof of stake, there's no external resource being spent on security as with proof of work. The holy grail which is sought after with proof of stake, is costless security (everyone just has their stake, that's enough to secure the network). But by the same token, if nothing of significance is being spent on securing the network (as with miners in PoW), then it costs basically nothing to try to fool the network (attack it). For example, people can forge on multiple chains at the same time without penalty. They can send themselves coins back and forth to try to get more fees. That's why Vitalik proposed security deposits, to try to solve this nothing at stake issue. Or you could even try to double spend. This easy way would be to try to spend coins that you sold. Since you still have the keys, how would nodes know you spent the coins except by looking at the blocks after yours? Unlike proof of work, you don't really need any resources to try this attack. This nothing-at-stake issue is nothing new -- this is what people have been talking about for months and months. https://github.com/ethereum/wiki/wiki/Problems That's what the paper is about. They are trying to explore possibilities with multi branch structures instead of the traditional blockchain, but with no clear solutions so far. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: l8orre on December 19, 2014, 06:54:18 AM I can't tell if jonald_fyookball is trolling or serious. The content lacks the most obvious and outward attributes of open trolling- maybe many people simply are so superficial... Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jonald_fyookball on December 19, 2014, 07:01:04 AM I can't tell if jonald_fyookball is trolling or serious. Wasn't meaning to be trolling but I guess I'm done in this thread. Read the whitepaper in the OP or the ethereum blog if you want to know more about the Nothing at Stake problem. https://github.com/ethereum/wiki/wiki/Problems (Or, just pretend its not a problem. Whatever floats your boat.) later! :) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Este Nuno on December 19, 2014, 07:36:24 AM So anyone is seeing double spend in any of the PoS coins we have so far since 2013 ? I think not. This whole conversation about that PoS supposed to be a vulnerable and PoW not ? Lol give me a break.... maybe you should check how easy is it to make a 51% Attack on PoW with Ascis ? You don't need more then 70k~ $ btw... so do your research where it is needed. I'm a huge supporter of PoS and I think everyone should be working towards that as a goal for all crypto, but there have been double spends and attacks on PoS coins this year. Off the top of my head I remember Navajo Coin had a problem with that and then the big one being Vericoin which really hurt its market cap after they rolled back. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on December 19, 2014, 08:09:02 AM So anyone is seeing double spend in any of the PoS coins we have so far since 2013 ? I think not. This whole conversation about that PoS supposed to be a vulnerable and PoW not ? Lol give me a break.... maybe you should check how easy is it to make a 51% Attack on PoW with Ascis ? You don't need more then 70k~ $ btw... so do your research where it is needed. I'm a huge supporter of PoS and I think everyone should be working towards that as a goal for all crypto, but there have been double spends and attacks on PoS coins this year. Off the top of my head I remember Navajo Coin had a problem with that and then the big one being Vericoin which really hurt its market cap after they rolled back. Weren't they both related to exchanges holding a large proportion of the coins and being hacked? Or maybe being 'hacked'? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on December 19, 2014, 08:16:44 AM The logical answer is: I wanted to highlight the conclusions of the paper, since people have linked to it, misquoted it, and misrepresented it as some kind of "debunking". *snip*...Some people aren't even reading the paper and throwing around their worthless opinions. I'm pretty sure he is referring to me here :D when I said there are still some issues but "it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin" After implying I'm a liar :'( I pointed out that is a direct quote of the OP in this thread :D Then I was called a muppet so I quoted the whole paragraph. And now I have a worthless opinion? For the record (and repeating myself again), it isn't my opinion. It is that of the authors :D :D And you are refusing to engage honestly with it. I think we have a flat-earther on our hands, it won't matter what research Kushti & andruiman produce. He'll cling to the unproven claims he has parroted for months. We need open minds and a technical demolition (if one is even possible) of the paper to move forward. Kushti has even provided the tools and models to do it! :D But make no mistake, this is a big step for everyone ;D Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Este Nuno on December 19, 2014, 09:17:42 AM So anyone is seeing double spend in any of the PoS coins we have so far since 2013 ? I think not. This whole conversation about that PoS supposed to be a vulnerable and PoW not ? Lol give me a break.... maybe you should check how easy is it to make a 51% Attack on PoW with Ascis ? You don't need more then 70k~ $ btw... so do your research where it is needed. I'm a huge supporter of PoS and I think everyone should be working towards that as a goal for all crypto, but there have been double spends and attacks on PoS coins this year. Off the top of my head I remember Navajo Coin had a problem with that and then the big one being Vericoin which really hurt its market cap after they rolled back. Weren't they both related to exchanges holding a large proportion of the coins and being hacked? Or maybe being 'hacked'? Not sure exactly what the circumstances were. Exchanges had something to do with though yeah. Maybe the exchanges weren't staking their reserves or something. I thought that the exchanges got doubled spent against, but I'm not sure. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on December 19, 2014, 09:19:10 AM PoS opponents usually citing two sources, "A Treatise on Altcoins" by A. Poelstra & statements made by V. Buterin(mostly in the form of blogposts). Poelstra's paper contains only kinda philosophical statements(like "consensus inside a system could be achieved only by external resources spending"), and we won't to deal with it at all: the only way for us is not to participate in philosophical disputes, but make a constructive proof of opposite(like Satoshi Nakamoto made constructive proof decentralized currency could exists with his revolutionary paper).
V. Buterin statements are much more clear so we started with them. Quote However, this algorithm has one important flaw: there is ”nothing at stake”. In the event of a fork, whether the fork is accidental or a malicious attempt to rewrite history and reverse a transaction, the optimal strategy for any miner is to mine on every chain, so that the miner gets their reward no matter which fork wins. Thus, assuming a large number of economically interested miners, an attacker may be able to send a transaction in exchange for some digital good (usually another cryptocurrency), receive the good, then start a fork of the blockchain from one block behind the transaction and send the money to themselves instead, and even with 1% of the total stake the attacker’s fork would win because everyone else is mining on both. Well, in the first place it's not possible to mine on every chain as number of them is growing exponentially with time(and no special hardware could helps, as processing is needed for each block in each branch with storing final balances, it consumes both CPU and memory a lot), so the only strategy is to keep N best branches (we have another paper on multibranching forging called "PoS forging algorithms: formal approach and multibranch forging" https://github.com/ConsensusResearch/articles-papers/blob/master/multibranch/multibranch.pdf ). In the second place, the possibility of the attack with 1% stake is negligible. Even with big enough stake the outcome of an attack is unpredictable for an attacker and could be done only in short-range(so with raising number of confirmations to 30 in our experiments attacks are always failed). And in practice attacker needs to feed part of network with one transaction, another part with other and both parts need to be large enough I guess, and that's hard to get done also. Also we've found "long-range attack" stated by Buterin should be renamed to "short-range attack", see the paper or tl/dr in the first post. While other PoS researchers think forging on multiple branches is the problem and working on avoiding it with punishments or incentives, we don't think it's the problem at all. Multiple branches are okay, if the consensus property met: after k confirmations it's impossible(or extremely expensive) to change system state in the past. So we're working on PoS model corresponds to the property in a proven or evident enough way without throwing multibranch forging away. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: r0ach on December 19, 2014, 09:45:28 AM I haven't kept up with PoS developments lately, but how do people address the following issue. PoW and DPOS have coin ownership and network control as separate parts. For other PoS models, coin ownership grants network control. Since exchanges and "bitcoin banks" tend to monopolize the control of coins into a small number, or single entity, shouldn't regular PoS be called, "proof of trust in exchange platform"? Then you also have the possibility of a rogue exchange performing a history attack.
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: achimsmile on December 19, 2014, 10:02:19 AM So anyone is seeing double spend in any of the PoS coins we have so far since 2013 ? I think not. This whole conversation about that PoS supposed to be a vulnerable and PoW not ? Lol give me a break.... maybe you should check how easy is it to make a 51% Attack on PoW with Ascis ? You don't need more then 70k~ $ btw... so do your research where it is needed. I'm a huge supporter of PoS and I think everyone should be working towards that as a goal for all crypto, but there have been double spends and attacks on PoS coins this year. Off the top of my head I remember Navajo Coin had a problem with that and then the big one being Vericoin which really hurt its market cap after they rolled back. Weren't they both related to exchanges holding a large proportion of the coins and being hacked? Or maybe being 'hacked'? Not sure exactly what the circumstances were. Exchanges had something to do with though yeah. Maybe the exchanges weren't staking their reserves or something. I thought that the exchanges got doubled spent against, but I'm not sure. A lot of Vericoins were stolen off of Mintpal, this had nothing to do with PoS/PoW. There were doublespends in Navajo (PoS), and there were doublespends on Worldcoin, Whitecoin etc. (PoW) PoS1 != PoS2 Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jl777 on December 19, 2014, 10:06:48 AM I haven't kept up with PoS developments lately, but how do people address the following issue. PoW and DPOS have coin ownership and network control as separate parts. For other PoS models, coin ownership grants network control. Since exchanges and "bitcoin banks" tend to monopolize the control of coins into a small number, or single entity, shouldn't regular PoS be called, "proof of trust in exchange platform"? Then you also have the possibility of a rogue exchange performing a history attack. for a young coin, it is indeed an issue where a large percentage of coins could and have been on a single exchange, which then gets hacked.However for a mature PoS, like NXT, even the largest exchange has less than 5% of all NXT, so even if they went all evil, not much they can do. It also seems quite unlikely for an exchange that is earning regular revenues from a coin to effectively sabotage it by attacking it. With decentralized exchanges getting more and more traction, this issue will get smaller over time. Over time there is more distribution, not less, so not sure where you get this assumption about monopoly control. I guess the fact that bitcoin mining pools have this exact mechanism might be predisposing you to this false assumption James Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jl777 on December 19, 2014, 10:08:20 AM So anyone is seeing double spend in any of the PoS coins we have so far since 2013 ? I think not. This whole conversation about that PoS supposed to be a vulnerable and PoW not ? Lol give me a break.... maybe you should check how easy is it to make a 51% Attack on PoW with Ascis ? You don't need more then 70k~ $ btw... so do your research where it is needed. I'm a huge supporter of PoS and I think everyone should be working towards that as a goal for all crypto, but there have been double spends and attacks on PoS coins this year. Off the top of my head I remember Navajo Coin had a problem with that and then the big one being Vericoin which really hurt its market cap after they rolled back. Weren't they both related to exchanges holding a large proportion of the coins and being hacked? Or maybe being 'hacked'? Not sure exactly what the circumstances were. Exchanges had something to do with though yeah. Maybe the exchanges weren't staking their reserves or something. I thought that the exchanges got doubled spent against, but I'm not sure. A lot of Vericoins were stolen off of Mintpal, this had nothing to do with PoS/PoW. There were doublespends in Navajo (PoS), and there were doublespends on Worldcoin, Whitecoin etc. (PoW) PoS1 != PoS2 Also the current NXT PoS is more like PoS4 or PoS5 and from what I can tell it is more advanced than PoS2, though PoS2 is starting to incorporate some aspects of NXT PoS more improvements are in the pipeline for NXT PoS James Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on December 19, 2014, 10:18:15 AM I haven't kept up with PoS developments lately, but how do people address the following issue. PoW and DPOS have coin ownership and network control as separate parts. For other PoS models, coin ownership grants network control. Since exchanges and "bitcoin banks" tend to monopolize the control of coins into a small number, or single entity, shouldn't regular PoS be called, "proof of trust in exchange platform"? Then you also have the possibility of a rogue exchange performing a history attack. "Proof of trust in exchange platform" - only if the scenario you describe actually applies. BTER is the biggest Nxt exchange and had problems in the summer. Even then, the wallet was only 50 million Nxt = ~5% of all tokens. What you describe might be true for smaller POS but broadbrush generalising isn't representative of POS. There is no reason to think Nxt will follow the centralisation of bitcoin. You can already trade NXT <> BTC from within the platform in the most decentralised way to date through Multigateway. BTCD, Blackcoin, Veri, Doge are in development and there is no reason other coins couldn't be added. Additional security of Nxt account will come next year with Account Control and 2-Phased transactions (you will be able to 'lock' an account for N blocks, or limit transfers to nominated accounts only so even if someone gets your password they can't move your Nxt). Smart Contracts will also take the risk away from dealing P2P and not use exchanges. Through Monetary System, coins built on top of Nxt can be traded in a completely decentralised way through Nxt itself. Nxt is still maturing but there is less and less reason to use exchanges or even centralised services at all. Even now it is no where near the scenario you describe. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: r0ach on December 19, 2014, 11:42:18 AM I haven't kept up with PoS developments lately, but how do people address the following issue. PoW and DPOS have coin ownership and network control as separate parts. For other PoS models, coin ownership grants network control. Since exchanges and "bitcoin banks" tend to monopolize the control of coins into a small number, or single entity, shouldn't regular PoS be called, "proof of trust in exchange platform"? Then you also have the possibility of a rogue exchange performing a history attack. "Proof of trust in exchange platform" - only if the scenario you describe actually applies. BTER is the biggest Nxt exchange and had problems in the summer. Even then, the wallet was only 50 million Nxt = ~5% of all tokens. What you describe might be true for smaller POS but broadbrush generalising isn't representative of POS. There is no reason to think Nxt will follow the centralisation of bitcoin. You can already trade NXT <> BTC from within the platform in the most decentralised way to date through Multigateway. BTCD, Blackcoin, Veri, Doge are in development and there is no reason other coins couldn't be added. Additional security of Nxt account will come next year with Account Control and 2-Phased transactions (you will be able to 'lock' an account for N blocks, or limit transfers to nominated accounts only so even if someone gets your password they can't move your Nxt). Smart Contracts will also take the risk away from dealing P2P and not use exchanges. Through Monetary System, coins built on top of Nxt can be traded in a completely decentralised way through Nxt itself. Nxt is still maturing but there is less and less reason to use exchanges or even centralised services at all. Even now it is no where near the scenario you describe. Come on man, let's try to stick to the topic of general PoS mechanics instead of NXT shilling. Anytime PoS is mentioned, there's always some NXT guy crawling out of the woodwork with a multi-level marketing campaign. Before you try to shill NXT to me, you should probably read one of the posts I've made before regarding IPOs: http://bitcointalk.org/index.php?topic=443196.0 Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on December 19, 2014, 11:46:49 AM Name a POS you want your Proof-of-Trust to apply to and we can look at that one. The above is the answer for Nxt. And which parts aren't true or you object to?
Generalising is helpful to you as it is easier to create strawman arguments. Have some POS come unstuck having too much on an exchange? Yes. Is that justification for calling all POS "Proof-of-Trust in exchanges"? No. Especially in the case of Nxt. This topic is actually about reviewing Kushti's research findings, not generalising POS based on opinion. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: r0ach on December 19, 2014, 12:25:44 PM Name a POS you want your Proof-of-Trust to apply to and we can look at that one. The above is the answer for Nxt. And which parts aren't true or you object to? The general public, and even experienced Bitcoiners themselves, aren't very good at securing coins. This problem has been almost completely addressed for PoW by smartcard, hardware wallets for $30. With PoS, it's a different ballgame. You're required to keep coins online to stake, opening up the system to problems the general public will never be able to deal with unless they outsource that activity to someone else, aka a Bitcoin bank. PoS systems that don't utilize coin age don't seem to provide benefit to small stakers at all. You have a combination of the small staker not being rewarded to stake factor, plus the general public tendency to outsource their staking to a Bitcoin bank since they don't want to deal with the risk and technology. This means a large movement to staking centralization and exchange centralization. It's really no different from Bitcoin PoW centralization. The exception is that circumstances that lead to double spend attacks for PoS coins, are much more dangerous long term for most PoS models than circumstances that lead to double spends for PoW coins. I'm not particularly positive or negative on Bitshares, but DPOS, just like PoW, separates coin ownership from network control, so it doesn't have the above drawbacks where the general public is expected to jump through hoops that they aren't going to do, and will either not stake at all, which network security requires them to do, or will just outsource their staking to a Bitcoin bank, making it possibly more centralized than PoW. I'm aware of NXT pool forging to try and combat the issues I've stated, which is, hilariously, almost like recreating PoW pool mining. It does have significantly less energy use than PoW, but once again, this is something that most or all NXT holders are expected to participate in to maintain network security, and the general public is just not going to do it. Once you start trying to fix the core issues of PoS, you start to run into issues that make it so the system might be too complex for the general public to use, since it seems to demand much more active participation than PoW, while also assuming everyone walking the planet is a combination of computer science and finance major. The biggest issue of DPOS, is even if it's 100% positive your initial 101 delegate rollout can't and won't collude, how can you make a system to ensure that when they either stop delegating or die, that their replacements won't be colluding. Delegating as a DPOS participant should be a revenue stream, but maybe you will receive a more attractive, instant lump sum to sell out. In summary, if Bitcoin PoW is ever found to be an inferior system to whatever PoS system emerges, Bitcoin PoW still has a large chance of beating it without even factoring in the network effect, just from being a much more simple and straightforward system. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on December 19, 2014, 01:11:41 PM I haven't kept up with PoS developments lately, but how do people address the following issue. PoW and DPOS have coin ownership and network control as separate parts. For other PoS models, coin ownership grants network control. Since exchanges and "bitcoin banks" tend to monopolize the control of coins into a small number, or single entity, shouldn't regular PoS be called, "proof of trust in exchange platform"? Then you also have the possibility of a rogue exchange performing a history attack. In PoW centralized bank could be robbed by a centralized miner ;D All those issues are out of scope of our research at the moment. Regarding history attack, it exists but as rollback is limited(e.g. max 1440 blocks for Nxt now and could be much less in future) the only result is new nodes being mislead i.e. network partitioning. The current solution is to use checkpoints but we're looking for more elegant approach. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: neoranga on December 20, 2014, 10:58:26 AM Regarding history attack, I will introduce in this topic another very interesting idea from NXT that is not yet implemented but could solve concerns with hidden history rebuilding, it's called Economic Clustering.
In Economic Clustering, basically, all transactions have to include a signed reference to an older block or transaction in the history, so if an attacker gets the keys of an account that used to have huge amounts of stake (those close to the genesis of the coin) and tries to reconstruct his/her own version of history in isolation it's impossible to rebuild it including the transactions of the rest of the economy and collect any of their fees, simply because the hashes of the new history will never match those included in the transactions previously broadcast. If you already belong to the network and see the hidden branch being released your client can immediately spot the fake history as not including any transaction that you know about (from you or from a list of known companies/entities). I see it as a social consensus: to fool the history you need to pro-actively involve a majority of the network signing the scam. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: siameze on December 20, 2014, 11:37:55 PM @r0ach I actually liked your poll at:
http://bitcointalk.org/index.php?topic=443196.0 Quote It is an evolution backwards in the technical domain of distribution, and in the ethics domain of corruption issues Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: jl777 on December 21, 2014, 12:20:38 AM I haven't kept up with PoS developments lately, but how do people address the following issue. PoW and DPOS have coin ownership and network control as separate parts. For other PoS models, coin ownership grants network control. Since exchanges and "bitcoin banks" tend to monopolize the control of coins into a small number, or single entity, shouldn't regular PoS be called, "proof of trust in exchange platform"? Then you also have the possibility of a rogue exchange performing a history attack. In PoW centralized bank could be robbed by a centralized miner ;D All those issues are out of scope of our research at the moment. Regarding history attack, it exists but as rollback is limited(e.g. max 1440 blocks for Nxt now and could be much less in future) the only result is new nodes being mislead i.e. network partitioning. The current solution is to use checkpoints but we're looking for more elegant approach. Just look at the block explorer sites, it becomes quite clear if you are on the wrong chain (assuming the block explorers are on the right chain, seems safe assumption). So having a list of websites/nodes to query about the right chain would seem to prevent any new node from using the false chain. Why is this a big problem? Maybe I am missing something significant. Pick half a dozen websites that are the NXT main websites, have a way for the user to add new ones to add to the consensus list. All these sites would need to agree about the hash value for the chain as of 1440 blocks ago and closer. Some checking could be done for the initial blocks during the time of vulnerability against the false chain. This simple method seems to prevent any new node from believing the history attack created false chain (not that it is likely to be achieved). James Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on December 22, 2014, 03:39:36 PM Couldnt we have reference NXT nodes that a new node queries to find the right chain? Sounds too centralized. However, only initial part of history could be downloaded(e.g. first 100K or 200K blocks in case of Nxt), as its irreversible anyway. And that's equivalent to checkpoints. Btw, I think the importance of history attack is overestimated and its solved though in pretty rough way. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on December 28, 2014, 06:34:10 PM Congratulations Kushti on an apparently flawless paper :D
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on January 06, 2015, 09:55:29 AM This paper has been added to the thread Nxt Papers: Whitepapers, Academic and Economic at https://bitcointalk.org/index.php?topic=847868
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on January 14, 2015, 03:53:27 PM To summarize the discussion, known claimed attacks on proof-of-stake distributed consensus algorithm(and concrete implementations) at the moment:
1. Short-range attack - attacker can offer better chain started few blocks behind current canonical chain. The attack is possible at the moment, the only likely outcome though is just gathered fees increase for an attacker. In our simulations this kind of attack is possible mostly when a long delay occurs due to low target. By the way, the attack has positive aspect for network, as it shorten delays average between blocks. So attacker gets extra fees for a good job done ;D 2. Long-range attack - attacker can start fork hundreds or thousands blocks behind current chain. From our investigations the attack isn't possible. 3. Nothing-at-stake attack - not possible at the moment! Will be possible when a lot of forgers will use multiple-branch forging to increase profits. Then attacker can contribute to all the chains(some of them e.g. containing a transaction) then start to contribute to one chain only behind the best(containing no transaction) making it winner. Previous statements on N@S attack made with assumption it costs nothing to contribute to an each fork possible and that makes N@S attack a disaster. In fact, it's not possible at all to contribute to each fork possible, as number of forks growing exponentially with time. So the only strategy for a multibranch forger is to contribute to N best forks. In such scenario attack is possible only within short-range e.g. with 25 confirmations needed 10% attacker can't make an attack. And attack is pretty random in nature, it's impossible to predict whether 2 forks will be within N best forks(from exponentially growing set) for k confirmations. So from our point of view the importance of the attack is pretty overblown. 4. History attack - attacker can buy whale's private key for $5 and build alternative story. Solved with some checkpoints now, located behind max rollback possible, so the solution is not so scary in terms of centralization etc. If you know any other kind of attack, please add. Please note IPO properties of a concrete coins etc isn't related to proof-of-stake distributed consensus problems. And Consensus Research is going to work on better proof-of-stake prototyping & implementation ! Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Tobo on January 14, 2015, 05:19:19 PM How about the Sybil attack? I know that the Sybil attack may be not unique to PoS?
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: r0ach on January 14, 2015, 07:52:55 PM 4. History attack - attacker can buy whale's private key for $5 and build alternative story. Solved with some checkpoints now, located behind max rollback possible, so the solution is not so scary in terms of centralization etc. HOW is that solved??? Centralized checkpoints = not decentralized currency. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ArticMine on January 15, 2015, 01:08:39 AM Stake does not equal exposure:
Consider for example a pirateat40 style "trust" on a POS coin. The "trust" has a very significant stake combined with a very significant short exposure, and consequently a vested interest in the collapse of the currency, and can vote the stake accordingly. https://en.bitcoin.it/wiki/Pirateat40. POS rewards the creators of ponzi schemes. A variant of this is an exchange gone bad. Again the exchange operator controls a massive stake via customer deposits but no exposure, and if fraud occurs creating a fractional reserve. The exchange has a vested interest in the collapse of the currency in order to cover losses and can vote the stake accordingly. Buying the currency while at the same time selling a greater amount on a derivatives market, creating a large stake with a short exposure and vested interest in the collapse of the currency. Again the stake can be voted accordingly. Need I go on ... Cross posted from https://bitcointalk.org/index.php?topic=924725.msg10158797#msg10158797 (https://bitcointalk.org/index.php?topic=924725.msg10158797#msg10158797) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: r0ach on January 15, 2015, 01:49:12 AM 4. History attack - attacker can buy whale's private key for $5 and build alternative story. Solved with some checkpoints now, located behind max rollback possible, so the solution is not so scary in terms of centralization etc. HOW is that solved??? Centralized checkpoints = not decentralized currency. So where's the whitepaper on how you created decentralized checkpoints? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on January 15, 2015, 02:01:23 AM 4. History attack - attacker can buy whale's private key for $5 and build alternative story. Solved with some checkpoints now, located behind max rollback possible, so the solution is not so scary in terms of centralization etc. HOW is that solved??? Centralized checkpoints = not decentralized currency. So where's the whitepaper on how you created decentralized checkpoints? The network won't accept reorgs deeper than 720 blocks so block 721 back from the current block is the rolling checkpoint. That's how it is done, though there isnt a whitepaper. There is a general Nxt whitepaper, I can get the link if you haven't seen it. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: r0ach on January 15, 2015, 03:16:58 AM 4. History attack - attacker can buy whale's private key for $5 and build alternative story. Solved with some checkpoints now, located behind max rollback possible, so the solution is not so scary in terms of centralization etc. HOW is that solved??? Centralized checkpoints = not decentralized currency. So where's the whitepaper on how you created decentralized checkpoints? The network won't accept reorgs deeper than 720 blocks so block 721 back from the current block is the rolling checkpoint. That's how it is done, though there isnt a whitepaper. There is a general Nxt whitepaper, I can get the link if you haven't seen it. Kind of hard to keep up with what exactly NXT is and whether it works or not: Quote from: Sunny King As far as I know at least the first version of NXT's PoS is a direct clone of PPC's with some modifications, appeared lacking a good understanding of the security involved in PPC's PoS. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: go1111111 on January 15, 2015, 06:24:39 AM So where's the whitepaper on how you created decentralized checkpoints? The basic idea is what Vitalik talks about in his blog post on weak subjectivity: https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/ It is decentralized in that if you've been away from the network for the past 720 (or whatever # of) blocks, when you come back online you have to ask someone or some set of people which chain is the real one. So if you know your best friend has been keeping a node online, you can ask him, or you can ask Vitalik, or you can ask Gavin Andressen, or you can ask some combination of any # of people you want -- the choice is up to you. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: achimsmile on January 15, 2015, 06:49:19 AM Kind of hard to keep up with what exactly NXT is and whether it works or not: Quote from: Sunny King As far as I know at least the first version of NXT's PoS is a direct clone of PPC's with some modifications, appeared lacking a good understanding of the security involved in PPC's PoS. It isn't and never was: Quote from: BCNext After thinking about the mining algorithm I came to conclusion that original proof-of-stake used by PPC and NVC is a bit flawed. Bob could accumulate small amounts on different accounts during a long period of time and then attempt a 51% attack. Artificial limits like max 90 days don't seem to work as intended. Nxt will use a different proof-of-stake approach. you would have to present a source code comparison between ppc and the first version of Nxt to make me think otherwise. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: alphaBar on January 15, 2015, 07:27:15 AM Regarding history attack, I will introduce in this topic another very interesting idea from NXT that is not yet implemented but could solve concerns with hidden history rebuilding, it's called Economic Clustering. In Economic Clustering, basically, all transactions have to include a signed reference to an older block or transaction in the history, so if an attacker gets the keys of an account that used to have huge amounts of stake (those close to the genesis of the coin) and tries to reconstruct his/her own version of history in isolation it's impossible to rebuild it including the transactions of the rest of the economy and collect any of their fees, simply because the hashes of the new history will never match those included in the transactions previously broadcast. If you already belong to the network and see the hidden branch being released your client can immediately spot the fake history as not including any transaction that you know about (from you or from a list of known companies/entities). I see it as a social consensus: to fool the history you need to pro-actively involve a majority of the network signing the scam. This solution is already implemented in BitShares, though called something different (TaPoS): https://bitcointalk.org/index.php?topic=354573.0 Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on January 15, 2015, 08:53:07 AM So where's the whitepaper on how you created decentralized checkpoints? The basic idea is what Vitalik talks about in his blog post on weak subjectivity: https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/ It is decentralized in that if you've been away from the network for the past 720 (or whatever # of) blocks, when you come back online you have to ask someone or some set of people which chain is the real one. So if you know your best friend has been keeping a node online, you can ask him, or you can ask Vitalik, or you can ask Gavin Andressen, or you can ask some combination of any # of people you want -- the choice is up to you. Come-from-Beyond described Economic Clustering in May when he committed it. Not sure it is quite the same idea as rolling checkpoints but it is in the same area. https://nxtforum.org/news-and-announcements/economic-clustering/msg26267/#msg26267 Consensus research have also shown that the "Nothing-at-stake problem" (described in Vitalik's post) has been overstated. A lot. On the contrary, multibranch forging (aka mining on every chain you see) actually helps with security as you can't mine on every chain as they grow exponentially with time. You have to choose what you think are the best N chains and the results can't be predicted so the 'attack' is pretty useless. I believe this also removes the need for Vitaliks security deposit as it makes it unnecessary as it protects against something that can't happen. It could even be damaging as it restricts the number of branches in multibranch forging so it is no longer exponentially growing in size but is finite, for practical purposes. Equal to the number of nodes in the network? Given they can only forge only 1 branch they see without being penalised. Have I understood correctly, Kushti? All CfB's descriptions and Q&A on Economic Clustering are collated in this thread... https://nxtforum.org/economic-clustering/cfb's-announcement-of-economic-clustering/ (you need an account to see the whitepaper section of the forum) Here is the most recent whitepaper, though it may not have been updated with most recent features: Nxt Whitepaper https://www.dropbox.com/s/cbuwrorf672c0yy/NxtWhitepaper_v122_rev4.pdf Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: cynicSOB on January 15, 2015, 10:03:45 PM To summarize the discussion, known claimed attacks on proof-of-stake distributed consensus algorithm(and concrete implementations) at the moment: 1. Short-range attack - attacker can offer better chain started few blocks behind current canonical chain. The attack is possible at the moment, the only likely outcome though is just gathered fees increase for an attacker. In our simulations this kind of attack is possible mostly when a long delay occurs due to low target. By the way, the attack has positive aspect for network, as it shorten delays average between blocks. So attacker gets extra fees for a good job done ;D I just performed this type of attack in APEXcoin. Please see here: https://bitcointalk.org/index.php?topic=897493.0 (https://bitcointalk.org/index.php?topic=897493.0) It was a short-range attack, but the consequences are not just more fees: I successfully double-spent. You may want to expand this "Short-range attack" category, since there can be many different ways to achieve this. I did it by splitting the coins and waiting for age to accumulate, and as I mention in the linked thread, I think it may be possible to do something similar in nxt. Just like with POW, 51% guarrantees success but if you have 10% of the hashrate you will eventually have the chance to double spend. Same thing here: small stake + patience = double-spend. Only worse because in most POS coins the % of actively staked coins is low. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: cynicSOB on January 16, 2015, 01:07:58 PM you did it with a dead coin lol its not impressive when you only do it to a dead coin. thats liek stabbing a dead deer and saying you hunted it. do it even with a nxt clone and then people will take notice. I think it's more like stabbing a tied up deer to prove that stabs can be deadly, but let's skip the animal killing analogies please. Poor Bambi... That's being discussed on the other thread. This doesn't directly apply to nxt becase it doesn't have coin age, but I think the attack can be adapted for it. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: EvilDave on January 16, 2015, 01:40:17 PM May I suggest NAS as the NXT clone target ?
https://bitcointalk.org/index.php?topic=523187.2060 Poor little things been dead in the water for a long time, so the code is pretty much out of date as far as current NXT code goes, but I reckon it'd be a good next step. And I've got a couple of million NAS lying around somewhere I could lend ya........ Edit: Has there been any contact with or any sign of life from the Apexcoin devs/BlockNet crew? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on January 16, 2015, 01:43:47 PM I just performed this type of attack in APEXcoin. Please see here: https://bitcointalk.org/index.php?topic=897493.0 (https://bitcointalk.org/index.php?topic=897493.0) It was a short-range attack, but the consequences are not just more fees: I successfully double-spent. You may want to expand this "Short-range attack" category, since there can be many different ways to achieve this. I did it by splitting the coins and waiting for age to accumulate, and as I mention in the linked thread, I think it may be possible to do something similar in nxt. Just like with POW, 51% guarrantees success but if you have 10% of the hashrate you will eventually have the chance to double spend. Same thing here: small stake + patience = double-spend. Only worse because in most POS coins the % of actively staked coins is low. Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty :) P.S. Good description on practical impossibility of N@S by JordanLee http://www.peercointalk.org/index.php?topic=2976.msg27303#msg27303 Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: cynicSOB on January 16, 2015, 02:00:19 PM May I suggest NAS as the NXT clone target ? https://bitcointalk.org/index.php?topic=523187.2060 Poor little things been dead in the water for a long time, so the code is pretty much out of date as far as current NXT code goes, but I reckon it'd be a good next step. And I've got a couple of million NAS lying around somewhere I could lend ya........ Edit: Has there been any contact with or any sign of life from the Apexcoin devs/BlockNet crew? thanks, I'll look into it. No contact from Apex devs yet. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: EvilDave on January 16, 2015, 02:06:42 PM Hmmm....if I get some spare time I'll fire up a NAS node and see how the network looks.
I posted on the Apexcoin and BlockNet ANN threads, maybe we'll hear something from their devs about your attack. Apexcoin ANN (https://bitcointalk.org/index.php?topic=686403.new#new) BlockNet ANN (https://bitcointalk.org/index.php?topic=829576.new#new) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: xyzzyx on January 16, 2015, 02:33:06 PM Hmmm....if I get some spare time I'll fire up a NAS node and see how the network looks. I wasn't able to connect to any peers. You have any better luck? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: cynicSOB on January 16, 2015, 02:38:34 PM Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty :) P.S. Good description on practical impossibility of N@S by JordanLee http://www.peercointalk.org/index.php?topic=2976.msg27303#msg27303 I will elaborate on the idea against nxt. But that link you sent regarding PPC is not about practical impossibility of N@S. It's only about practical impossiblity of the particular attack that the writer describes. This was proven by my attack on APEX. Also, it has some flaws: Quote "They must wait 90 days to get another optimal chance to attack after a failed attempt" is wrong, if you mine your chain in private and publish it only when it has accumulated more work than the main chain then you can attempt this after every block.Quote "If you buy 1% of Peercoins and put them all in the same output (similar to an address), you might have about a 3% chance of finding the next block." is also wrong: 1% gives you about 20% chance of a block. 5% guarantees success.Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: cynicSOB on January 16, 2015, 02:45:16 PM Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty :) please elaborate on the details of the bounty :) writing a white-paper quality explanation is a time consuming task Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: EvilDave on January 16, 2015, 06:45:31 PM Hmmm....if I get some spare time I'll fire up a NAS node and see how the network looks. I wasn't able to connect to any peers. You have any better luck? Absolutely nothing. Looks like NAS is very dead. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ArticMine on January 16, 2015, 07:05:53 PM Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty :) P.S. Good description on practical impossibility of N@S by JordanLee http://www.peercointalk.org/index.php?topic=2976.msg27303#msg27303 I will elaborate on the idea against nxt. But that link you sent regarding PPC is not about practical impossibility of N@S. It's only about practical impossiblity of the particular attack that the writer describes. This was proven by my attack on APEX. Also, it has some flaws: Quote "They must wait 90 days to get another optimal chance to attack after a failed attempt" is wrong, if you mine your chain in private and publish it only when it has accumulated more work than the main chain then you can attempt this after every block.Quote "If you buy 1% of Peercoins and put them all in the same output (similar to an address), you might have about a 3% chance of finding the next block." is also wrong: 1% gives you about 20% chance of a block. 5% guarantees success.So it I understand this correctly an attacker could borrow rather than buy say 10% of the target POS coin. This could be done for example using a pirateat40 type scheme. Sell half of the borrowed POS coins short, and use the remaining 5% of the borrowed coins to launch the attack. This would cause the price of the coin to collapse creating massive profits for our short seller / attacker. There is some real Bitcoin history here that is a must for anyone either attacking or defending a POS coin. Here is a good place to start. https://bitcointalk.org/index.php?topic=50822.0. pirateat40 failed with Bitcoin but Bitcoin is POW! I can just imagine what would have happened to Bitcoin if pirateat40 could have used the borrowed XBT to launch an attack on the Bitcoin blockchain. This would indeed have been the case if Bitcoin had been POS. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: EvilDave on January 16, 2015, 07:50:23 PM Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty :) please elaborate on the details of the bounty :) writing a white-paper quality explanation is a time consuming task Er...I think Kushti may be getting a little bit ahead of himself here. If you can pull off a successful attack on NXT, or an attack that works in Kushtis simulations, there will be lots of love for ya....possibly even parades! And definitely some bounty, if you can also produce good quality documentation on the attack. (Doesn't have to be real WP standard, but that would be up to our devs to judge.) But: right now, we don't have a formal bounty offer already open. I just had a thought: maybe you could run an attack on the NXT Testnet ? Shouldn't be any problem giving you a stake of TestNXT to play with........ If you're up for it, head on over to NXTworld: https://nxtforum.org/index.php and we can discuss further...... Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 16, 2015, 11:57:28 PM 5% to sell short and induce a "bear raid" https://en.wikipedia.org/wiki/Bear_raid (https://en.wikipedia.org/wiki/Bear_raid) 5% to wreck havoc on the network by voting the stake against the interests of the coin. To use the 1 billion USD example. The attacker borrows 2 billion USD. The attacker has 2 billion USD and a 2 billion USD debt. The attacker sells 1 billion USD for 870 million EUR.The attacker now has 870 million EUR, 1 billion USD and 2 billion USD in debt. The attacker now uses the 1 billion USD to cause the value of the USD to go to zero. The attacker is now left with 870 million EUR, 0 USD (the 1 billion USD was spent in order to crash the price) and a debt of 2 billion USD now worth 0 for a net profit of 870 million EUR. To clarify, you are suggesting the bear raid attack (which PoW coins are equally susceptible towards) is used to leverage a N@S attack on a PoS coin? I.E... Someone with 1% PoS stake borrows 9% stake with many different profiles as not to arouse suspicion. They than proceed to sell 5% stake for BTC (most likely over time as not to bring suspicion and to get the most BTC), they than perform a bear raid attack with the remaining 5% and marketing FUD on the exchanges with low liquidity causing the currency to crash to almost 0 , repaying the debts on the 9% borrowed from the BTC which are now insignificant and than buying back the PoS for very cheap(from many accounts/profiles to not arouse suspicion) increasing ones stake from 10% to 30% or higher , and this manipulation can occur several times till the attacker can perform a N@S attack at will. In reality with Nxt this attack could easily be performed by one of the original whales even more easily than above. Between 4-15 Nxt users control over 51% of the coins thus any individual whale has between a 13% to 4% stake right from the get go. With PoW this attack is not possible because hashing power/Electricity is needed to launch an attack instead of existing stake. With PoS the attacker could actually profit off of destroying the currency. With PoW attackers need to subtract the profits generated from the bear raid from the expenses from a 51% Attack and thus the attacker is incentivized to only play market manipulation games for profit rather than attacking the currency itself. ... ...and if the attacker is unsuccessful crashing the price with his 1 billion due to to others buying the dollar then he is BK'd. What you are describing can be applied to any asset or stock including BTC. Yes this would be a classic bear raid. Pirateat40 tried that with Bitcoin and failed. The crucial difference with POS is that in addition the attacker has the option of voting the borrowed stake against the interests of the coin in order to induce panic and further cause a price drop. It literally turns POS on its head since you have a major "stakeholder" with a vested interest in the coin's collapse. What I am suggesting is the combination of a bear raid attack using leverage with a 51% type attack on the POS network using the borrowed stake. In this scenario both attacks will feed on each other creating a positive feedback for the attack. The key is that the attacker has the actual POS coins but also has a much larger short position. The bear raid side is what pirateat40 tried with Bitcoin and failed. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ThomasVeil on January 17, 2015, 12:42:49 AM Those posts make no sense. It's not an attack, but mere market manipulation. If you can just get 51% of a currency by repeatedly FUDding, then you're golden anyways.
From then on it's not N@S at all - because you earned 51%. It's a 51%@Stake attack. You're harming yourself. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 12:52:46 AM Those posts make no sense. It's not an attack, but mere market manipulation. If you can just get 51% of a currency by repeatedly FUDding, then you're golden anyways. From then on it's not N@S at all - because you earned 51%. It's a 51%@Stake attack. You're harming yourself. Your assumption ignores the possibility of profits from shorting a currency, large bets, or eventual gains from investments in other currencies when the competition is removed. Simply dumping a large stake on an illiquid market isn't as profitable as repeatedly manipulating the market and taking profits in another currency before taking one large exit with a leveraged short that is assured when one performs a 51% attack. With PoW there is much less incentive to risk such a large short on the market because one cannot as easily guarantee the difficulty increase and one is more exposed to risks of others noticing the accumulation of miners and hash rate and one has to spend a great amount of resources to mount said attack. Additionally, I am only mentioning monetary motivations for attacking ones stake, there are plenty of other reasons which may motivate someone to perform this attack as well. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ArticMine on January 17, 2015, 01:04:37 AM Those posts make no sense. It's not an attack, but mere market manipulation. If you can just get 51% of a currency by repeatedly FUDding, then you're golden anyways. From then on it's not N@S at all - because you earned 51%. It's a 51%@Stake attack. You're harming yourself. No. The point is that the attacker also has a much larger short position in the currency. So while the attacker looses on the stake this is more than offset by the gains on the short position. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ThomasVeil on January 17, 2015, 01:34:58 AM You're totally ignoring what I'm saying: It's not a nothing at stake attack. That's a technical term. You have a stake - even if you short it.
Secondly ... come on guys: I buy 51% of a POS, then I buy again 51% of the value as shorts (well, more - as I want to make profit). And then I make an attack? Genius! You just managed to make the same fricking attack we knew all along worse, since you have to invest twice as much. It also contradicts itself - since you fudded the currency into junk to get your stake, you don't even need to attack it. And you probably wouldn't get anyone offering you shorts. Title: The "Second Pirate Savings and Trust" attack on Proof-of-Stake Post by: ArticMine on January 17, 2015, 04:01:18 AM I will formulate the attack: The "Second Pirate Savings and Trust" attack on Proof-of-Stake
1. The attacker creates the "Second Pirate Savings and Trust" modelled after the "First Pirate Savings and Trust" later called "Bitcoin Savings and Trust" https://bitcointalk.org/index.php?topic=50822.msg605957#msg605957 (https://bitcointalk.org/index.php?topic=50822.msg605957#msg605957). This is done in a falling market. 2. The "trust" offers a very attractive rate of interest payable in the POS coin. This rate is significantly higher than the stake rate 3. The "trust" allows investors to leave the interest in the "trust" and roll over the investment. 4. The "trust specifically disclaims that it is a HYIP / Ponzi scam https://bitcointalk.org/index.php?topic=50822.msg605981#msg605981 (https://bitcointalk.org/index.php?topic=50822.msg605981#msg605981) 5. The attacker sells a portion of the borrowed POS coin say 50% for XBT, another POW alt-coin, one or more fiat currencies etc. This will becomes the attackers profit at the end. This will also depress the price by short selling creating the "bear raid" 6. A portion of the received POS coins is used to repay interest to those investors that do not reinvest their interest. This is the "ponzi" component; however see below. 7. The rest of the borrowed POS coin is kept by the attacker, accumulated and staked. At this point this is no different from any bear raid on a stock, fiat currency POW currency etc. If the market exchange rate falls faster than 2x the interest rate less the stake rate then in the 50% example above, the attacker is actually in the black and there is no ponzi. In the normal bear raid the attacker, if the attacker can depress the price enough and cover the short, can actually walk away with a profit. The problem with the simple bear raid is that in covering the short the exchange rate can rise sharply. This converts the bear raid into a ponzi and the scheme collapses in a rising market. This is what happened to "First Pirate Savings and Trust". It collapsed during a rise in the Bitcoin price. It is at this point where the specific to Proof-of-Stake part of the attack comes into play. 8. The attacker continues the ponzi until he has accumulated enough stake to launch a network attack. 9. The attacker is also accumulating a greater debt in the POS coin and can even continue selling 50% of the borrowed coin to increase his profit. 10. The attacker launches the attack on the coin causing its value to fall to zero. This wipes out the attacker's stake, but more importantly also wipes out the attacker's debt. The specifics of the attack will of course depend on the particular POS coin. 11. The attacker is left with is profit in some other currency, a worthless amount of the POS coin and a debt denominated in the now worthless POS currency. Countermeasure: The only known countermeasure is the intervention of the state. http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370539730583#.VLncGTVVIWw (http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370539730583#.VLncGTVVIWw). The challenge here is to devise a countermeasure to this attack that does not involve the involvement of the state or some other centralized authority for example a corporation. Edit: The network attack can be any attack on a POS coin that requires the attacker to have stake. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ThomasVeil on January 17, 2015, 04:36:26 AM Yeah, you can add more detail to your attack - it's still as stupid as when you started.
That story has soo many holes - it's incredible. Most insane of all to call it Nothing-At-Stake. If all you need is to have ROI at some point, to define it as N@S, then it doesn't even have anything to do with POS at all. Step 1 to 7 are exactly the same in any crypto. The rest is actually easier in POW. I don't even need 60% of the coin (or more as you seem to propose). A fraction of it, when sold, would be enough to buy a mining majority. I can short at the same time. A price drop would even help me, since the miners would drop out and the difficulty falls. Still: None of this is any remotely realistic scenario. Title: Re: The "Second Pirate Savings and Trust" attack on Proof-of-Stake Post by: ArticMine on January 17, 2015, 04:51:35 AM Yeah, you can add more detail to your attack - it's still as stupid as when you started. That story has soo many holes - it's incredible. Most insane of all to call it Nothing-At-Stake. If all you need is to have ROI at some point, to define it as N@S, then it doesn't even have anything to do with POS at all. Step 1 to 7 are exactly the same in any crypto. The rest is actually easier in POW. I don't even need 60% of the coin (or more as you seem to propose). A fraction of it, when sold, would be enough to buy a mining majority. I can short at the same time. A price drop would even help me, since the miners would drop out and the difficulty falls. Still: None of this is any remotely realistic scenario. Sure the price of Bitcoin has gone down by 80% over the last year and the difficulty has gone up. https://blockchain.info/charts/difficulty (https://blockchain.info/charts/difficulty). In my attack there is no additional purchase required, and is based on a scenario that has already happened. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: valarmg on January 17, 2015, 11:01:47 AM This attack requires a large % of a coin's stakeholders to be stupid enough to trust 'Pirate S+T'. Why don't you call your bank cryptodouble instead of Pirate S+T? I think cryptodouble is a catchier name, might get more suckers. In the accumulation phase, you are 100% operating a ponzi. How do you convince people to invest in the ponzi (I know, tell them it's not a ponzi, you instead intend to attack the currency)?
Explain why you can't do the same with a PoW coin? Just needs the added measure where you buy hashrate with your accumulated funds, but you would require much less funds. What % of bitcoin, what % of litecoin would it take to buy enough hashrate to attack? What % of a PoS coin would it take for you to attack that. What happens if your attack doesn't reduce the value of the coin to zero? Does your attack merely consist of double spending? Title: Re: The "Second Pirate Savings and Trust" attack on Proof-of-Stake Post by: ThomasVeil on January 17, 2015, 11:06:52 AM Quote In my attack there is no additional purchase required, You don't understand your own text. I give up man. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 11:16:13 AM This attack requires a large % of a coin's stakeholders to be stupid enough to trust 'Pirate S+T'. Why don't you call your bank cryptodouble instead of Pirate S+T? I think cryptodouble is a catchier name, might get more suckers. In the accumulation phase, you are 100% operating a ponzi. How do you convince people to invest in the ponzi (I know, tell them it's not a ponzi, you instead intend to attack the currency)? Explain why you can't do the same with a PoW coin? Just needs the added measure where you buy hashrate with your accumulated funds, but you would require much less funds. What % of bitcoin, what % of litecoin would it take to buy enough hashrate to attack? What % of a PoS coin would it take for you to attack that What happens if your attack doesn't reduce the value of the coin to zero? Does your attack merely consist of double spending? All these questions have been answered in the previous page. Additionally, convincing people to invest in a ponzi is just one variation of an attack, other variations include convincing 10 % to deposit their stake in your exchange / bank, or taking 10% loans with many profiles , or simply being a large whale that already has 10% or more as is possible with NxT. Why do you act incredulous when these scenario's are commonplace within the crypto ecosystem? The wastefulness of PoW is also a form of security because it incentivizes users to merely profit off of a bear raid and other market manipulation tactics rather than attacking the currency with a 51% attack. The difference with PoS you can attack the currency and profit in doing so and with PoW you have to take a large gamble and spend a lot of resources in order to perform a 51% attack. Quote In my attack there is no additional purchase required, You don't understand your own text. I give up man. You can start by first educating yourself from what researchers are discussing who are sympathetic towards PoS: https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/ https://blog.ethereum.org/2014/10/03/slasher-ghost-developments-proof-stake/ https://blog.ethereum.org/2014/07/05/stake/ After you have done this research come back and join the conversation. Secondly ... come on guys: I buy 51% of a POS, then I buy again 51% of the value as shorts (well, more - as I want to make profit). You understand that one doesn't need to invest in any of the currency , or control 51% stake when performing a N@S right? - we have formally defined nothing-at-stake attack(again, using Buterin's informal definition) and made initial simulations. We haven't included their results in paper as they are seems to be too raw, but I can reveal them here: N@S attack could happens only in short-range, e.g. for within 20 blocks for 10% stake, so with 30 confirmations we haven't observed the successful attack. Also please note the attack has pretty unpredictable nature for attacker, so he can hardly enforce it, even in theory(in practice it's even harder to get it done properly). The correlation with stake size is still the open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin The above applies to NxT and other variations of TaPoS only . Other variations of PoS are susceptible to long-range attacks as well. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: achimsmile on January 17, 2015, 11:47:42 AM Please keep in mind that kushti only used his own simulation model.
I'm very interested to see real world tries on the Nxt testnet. I imagine that the attack is more complex there because network topology and latency, behaviour of peers, etc. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 12:03:00 PM Please keep in mind that kushti only used his own simulation model. I'm very interested to see real world tries on the Nxt testnet. I imagine that the attack is more complex there because network topology and latency, behaviour of peers, etc. Yes, you should encourage more tests to be done. Most of the peer review and security analysis has been focused on Bitcoin. This is one advantage Bitcoin has with having the largest mind-share, first mover advantage , and largest developer pool of any crypto-currency. Another consideration for security one must consider that few mention involves how many different working stacks or implementations interact with your blockchain and how this is critical to security. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ThomasVeil on January 17, 2015, 12:50:43 PM Additionally, convincing people to invest in a ponzi is just one variation of an attack, other variations include convincing 10 % to deposit their stake in your exchange / bank, or taking 10% loans with many profiles , or simply being a large whale that already has 10% or more as is possible with NxT. Why do you act incredulous when these scenario's are commonplace within the crypto ecosystem? I highlighted the key word for you. Yes, if you're simply already owning a stake of a size that never existed in NXT - and you additionally simply scam yourself into 41% more - and then simply buy 100% of all that value in shorts, and then simply gain another 30% so you cover your costs. Then you can attack. Why did no one think of that before? Quote The wastefulness of PoW is also a form of security because it incentivizes users to merely profit off of a bear raid and other market manipulation tactics rather than attacking the currency with a 51% attack. The difference with PoS you can attack the currency and profit in doing so and with PoW you have to take a large gamble and spend a lot of resources in order to perform a 51% attack. Clearly there is zero gambling in your perfect scheme. Quote You can start by first educating yourself from what researchers are discussing who are sympathetic towards PoS: https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/ https://blog.ethereum.org/2014/10/03/slasher-ghost-developments-proof-stake/ https://blog.ethereum.org/2014/07/05/stake/ After you have done this research come back and join the conversation. You gotta be kidding me. Nothing of your scenario has anything to do with any of those articles - and yes, I've read them before. Clearly you didn't because you still don't even know what the term "nothing" means. Does stupidity really know no limits? Quote Secondly ... come on guys: I buy 51% of a POS, then I buy again 51% of the value as shorts (well, more - as I want to make profit). You understand that one doesn't need to invest in any of the currency , or control 51% stake when performing a N@S right? Yes, and in not a single word you said you ever talked about N@S. All the links you provided actually conclude specifically that N@S does not exist, or is not realistically executable. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 01:07:02 PM I highlighted the key word for you. Yes, if you're simply already owning a stake of a size Why did no one think of that before? 10% is needed for an attack. Re-read the research paper sir. None of that 10% needs to be owned either as we have discussed. Clearly there is zero gambling in your perfect scheme. There are risks with all attacks. We are discussing a specific scenario where attacking PoS is far less risky than a similar attack with PoW. Clearly you didn't because you still don't even know what the term "nothing" means. You also understand that in physics "nothing" does not have the same connotation as within philosophy? Of course some effort is needed to perform a N@S attack. I am using the definition as defined by Buterin and kushti. Yes, and in not a single word you said you ever talked about N@S. All the links you provided actually conclude specifically that N@S does not exist, or is not realistically executable. Vitalik is going with PoW for ethereum despite all his research into TaPoS and weak subjectivity. Why? - we have formally defined nothing-at-stake attack(again, using Buterin's informal definition) and made initial simulations. We haven't included their results in paper as they are seems to be too raw, but I can reveal them here: N@S attack could happens only in short-range, e.g. for within 20 blocks for 10% stake, so with 30 confirmations we haven't observed the successful attack. Also please note the attack has pretty unpredictable nature for attacker, so he can hardly enforce it, even in theory(in practice it's even harder to get it done properly). The correlation with stake size is still the open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin All this being said, TaPoS has some security differences, advantages and disadvantages to PoW and would nicely compliment Bitcoin as an additional wallet layer or sidechain. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: valarmg on January 17, 2015, 01:15:32 PM This attack requires a large % of a coin's stakeholders to be stupid enough to trust 'Pirate S+T'. Why don't you call your bank cryptodouble instead of Pirate S+T? I think cryptodouble is a catchier name, might get more suckers. In the accumulation phase, you are 100% operating a ponzi. How do you convince people to invest in the ponzi (I know, tell them it's not a ponzi, you instead intend to attack the currency)? Explain why you can't do the same with a PoW coin? Just needs the added measure where you buy hashrate with your accumulated funds, but you would require much less funds. What % of bitcoin, what % of litecoin would it take to buy enough hashrate to attack? What % of a PoS coin would it take for you to attack that What happens if your attack doesn't reduce the value of the coin to zero? Does your attack merely consist of double spending? All these questions have been answered in the previous page. Additionally, convincing people to invest in a ponzi is just one variation of an attack, other variations include convincing 10 % to deposit their stake in your exchange / bank, or taking 10% loans with many profiles , or simply being a large whale that already has 10% or more as is possible with NxT. Why do you act incredulous when these scenario's are commonplace within the crypto ecosystem? The wastefulness of PoW is also a form of security because it incentivizes users to merely profit off of a bear raid and other market manipulation tactics rather than attacking the currency with a 51% attack. The difference with PoS you can attack the currency and profit in doing so and with PoW you have to take a large gamble and spend a lot of resources in order to perform a 51% attack. I'm incredulous about it being easy/cheap to get 10% of a stake of a well functioning coin. If you can get 10% of a stake without buying and want to profit from it, the easiest way is not to give back the 10%, and sell the coins on the market. If you have the resources to get 10% of a PoS coin, often the price to buy enough hashrate to control a PoW coin is much less than 10%. I don't see how the incentives are drastically different. Usually owning a coin gives more incentive to not damage the coin than owning hardware does. For example, say bitcoin falls more, and lots of bitcoin mining rigs get shut off. Someone who doesn't own any bitcoin, and has lots of unprofitable bitcoin miners could just launch an attack at very low cost. Maybe put money on some shorts on bitfinex to offset the cost of electricity while attacking. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: valarmg on January 17, 2015, 01:19:22 PM Vitalik is going with PoW for ethereum despite all his research into TaPoS and weak subjectivity. Why? Source? As I understand it, he is still deciding between a PoS/PoW combo and full PoS. - we have formally defined nothing-at-stake attack(again, using Buterin's informal definition) and made initial simulations. We haven't included their results in paper as they are seems to be too raw, but I can reveal them here: N@S attack could happens only in short-range, e.g. for within 20 blocks for 10% stake, so with 30 confirmations we haven't observed the successful attack. Also please note the attack has pretty unpredictable nature for attacker, so he can hardly enforce it, even in theory(in practice it's even harder to get it done properly). The correlation with stake size is still the open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin So just extend the number of confirmations to 30, then short range attack becomes impossible. (6 confirmations on bitcoin is an hour, so a shorter block PoS coin would still take less time than bitcoin confirmation) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 01:48:55 PM I'm incredulous about it being easy/cheap to get 10% of a stake of a well functioning coin. If you can get 10% of a stake without buying and want to profit from it, the easiest way is not to give back the 10%, and sell the coins on the market. If you have the resources to get 10% of a PoS coin, often the price to buy enough hashrate to control a PoW coin is much less than 10%. I don't see how the incentives are drastically different. Usually owning a coin gives more incentive to not damage the coin than owning hardware does. For example, say bitcoin falls more, and lots of bitcoin mining rigs get shut off. Someone who doesn't own any bitcoin, and has lots of unprofitable bitcoin miners could just launch an attack at very low cost. Maybe put money on some shorts on bitfinex to offset the cost of electricity while attacking. Banks and exchanges already have far greater than 10% stake for certain PoS coins right now. I am not discussing a hypothetical. It is also likely that a few Nxt users have over 10% stake. Source? As I understand it, he is still deciding between a PoS/PoW combo and full PoS. https://www.youtube.com/watch?v=qPsCGvXyrP4 More specifically, Ethereum will be a hashimoto dagger IO bound PoW consensus mechanism. The latest under review is here under PoC7: https://github.com/ethereum/cpp-ethereum/wiki http://gavwood.com/Paper.pdf He may use both however: https://blog.ethereum.org/2015/01/10/light-clients-proof-stake/ Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW. So just extend the number of confirmations to 30, then short range attack becomes impossible. (6 confirmations on bitcoin is an hour, so a shorter block PoS coin would still take less time than bitcoin confirmation) 20 Blocks , not confirmations. The attack would have still occurred whether you wait for more confirmations or not. waiting for 30 confirmations simply means that you could avoid participating in an illegitimate transaction, but the attack still occurred. 20 blocks is merely the window the attack needs to occur in for NxT, once the attack occurs the network will need to perform a hardfork, or rollback the blockchain to recover which has its own set of problems. -------------------------------------------------------------------------------- TaPoS can be used with PoW to improve the security of Bitcoin like one example I provided: Sidechain or not. No need for burning bitcoins, as someone could simply create a TaPoS blockchain that mirrored and synced the distribution of BTC and than have a wallet acknowledge both blockchains but have the TaPoS layer hidden where only BTC is used and the TaPoS layer acts to add another form of security that could have 1-30 second confirmation times in addition to PoW 10 min confirmation times. I.E... pay for a cup of Coffee the confirmations start rolling in this way: TaPoS 1 second confirmation, TaPoS 3 second confirmation, TaPoS 5 second confirmation, TaPoS 10 second confirmation, TaPoS 30 second confirmation, TaPoS 1 min confirmation, TaPoS 3min confirmation, TaPoS 5 min confirmation,TaPoS 7min confirmation, PoW Bitcoin 1st confirmation ~10min, TaPoS 13min confirmation, ect... This would allow you to have instant confirmations and better security because now you are trusting full nodes and miners and you could detect a PoW 51% attack if the TaPoS confirmations weren't confirming while the PoW confirmations were. You wouldn't even need a softfork or hardfork to accomplish this, just a TapoS blockchain and a wallet that acknowledged it. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ab8989 on January 17, 2015, 02:25:24 PM I'm incredulous about it being easy/cheap to get 10% of a stake of a well functioning coin. If you can get 10% of a stake without buying and want to profit from it, the easiest way is not to give back the 10%, and sell the coins on the market. These things are not mutually exclusive. The selling that you brought up to discussion could be one part of the plan. Actually I think the selling of the coins is going to be prominent part of most of the attacks. Let me remind that selling of a big stash usually does not happen instantenously when talking about a large stash like 10%. There is quite typically first a contract signed that there is going to be a sale and some time after that the coins actually change owners. The period between signing the contract of the sale and the actual transfer of the coins is a perfect place to attack the coin where the seller has nothing to lose and in many cases quite a lot of to win by doing so. And there are situations where the timegap between those events is naturally quite long like months. A well functioning monetary system allows all kinds of transactions including ones where somebody can buy a big stash of coins in such a way for example in a situation where a whole bank/exchange business is up for a sale. In PoS economy it is very risky to buy a big bank or exchange business from its previous owner. Think about a situation where the owner of a bank/exchange with big stash of customer coins in their possession has decided that he is more a risktaker entrepenour type of person instead of a person that runs an established mature boring business and he wants to cash out and start over from scratch and take new risks on some other competing emerging new kind of coin. Quite natural event that I guarantee is going to happen thousands of times. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: valarmg on January 17, 2015, 02:30:47 PM 20 Blocks , not confirmations. The attack would have still occurred whether you wait for more confirmations or not. waiting for 30 confirmations simply means that you could avoid participating in an illegitimate transaction, but the attack still occurred. 20 blocks is merely the window the attack needs to occur in for NxT, once the attack occurs the network will need to perform a hardfork, or rollback the blockchain to recover which has its own set of problems. Can you explain this, please. An attack happens, someone generates an incorrect chain of 20 blocks. Now, everyone waits for 30 confirmations, so they then see that the fork is invalid and no one accepts an transactions. Why is a rollback or hardfork required? From this: https://blog.ethereum.org/2015/01/10/light-clients-proof-stake/ I believe Nxt requires a single SHA256 hash for each block. So it already has an element of PoW as suggested there. Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW. I know the initial intention of ethereum was to be mainly PoW, but with every blog post, Vitalik seems to embrace PoS more, so I'll be interested to see what the final version comes out with. With his last few posts, he seems to find very few problems with PoS (he learned to love weak subjectivity). I guess some others in ethereum might have different views to Buterin. So I take the fact that Buterin, and now kushti/andruiman have taken a thorough look at PoS and they are seeing problems, sure, but also seeing solutions to those. If there is no fundamental reasons why PoW is better than PoS, then PoS will win out due to lower cost (imho). So I'm hoping that investigations into PoS continue, and that better solutions emerge, whether it be a stronger PoS algo, a PoS/PoW combo or a TaPoS addition. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: valarmg on January 17, 2015, 02:33:53 PM I'm incredulous about it being easy/cheap to get 10% of a stake of a well functioning coin. If you can get 10% of a stake without buying and want to profit from it, the easiest way is not to give back the 10%, and sell the coins on the market. In PoS economy it is very risky to buy a big bank or exchange business from its previous owner. Think about a situation where the owner of a bank/exchange with big stash of customer coins in their possession has decided that he is more a risktaker entrepenour type of person instead of a person that runs an established mature business and he wants to cash out and start over from scratch and take new risks on some other competing emerging new kind of coin. Quite natural event that I guarantee is going to happen thousands of times. You understand that long range attacks have proven impossible in simulations. So if a bank buys a large chunk of coins and waits the required number of confirmations, then the previous owner cannot launch any attacks. Or am I misunderstanding your premise? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ab8989 on January 17, 2015, 02:38:15 PM I am talking about a situation where first a contract is signed where the whole bank is being sold including the stash of coins in their possession. A month later the actual change of ownership of the whole bank happens when new owner gets his personnel to take over. During that month the previous owner still has complete control of the bank but he has nothing to lose if the coins in the banks possession collapse in value. He still can transfer the 100 million coins to the new owner of the bank a month later like it says on the contract and he could not care less whether the coins have value or not.
Note that there does not have to be an actual attack. All that is needed is market to know that a big bank is changing ownership and the whole market knows that the stability of the whole economy is hanging by a thread during this month. Maybe somebody else sees this as an perfect opportunity to perform an actual attack and they also do not need to be nothing else than big nasty rumours that cause panic. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 02:50:00 PM Can you explain this, please. An attack happens, someone generates an incorrect chain of 20 blocks. Now, everyone waits for 30 confirmations, so they then see that the fork is invalid and no one accepts an transactions. Why is a rollback or hardfork required? The consensus algo is what accepts the fork and this is where the weak subjectivity of the users and or developers would need to step in and correct the invalid fork. This has its own set of problems. I believe Nxt requires a single SHA256 hash for each block. So it already has an element of PoW as suggested there. This has nothing to do with PoW consensus mechanisms. Next you are going to insinuate hashing itself is "work" thus one should consider all PoS to incorporate the PoW consensus mechanism. If there is no fundamental reasons why PoW is better than PoS, then PoS will win out due to lower cost (imho). Yet despite Bitcoin being in a death spiral of capitulation both Bitshares and Nxt have lost far more against bitcoin in the last year. Perhaps there are other factors that are far more prescient than the mining costs to secure the network? You understand that long range attacks have proven impossible in simulations. So if a bank buys a large chunk of coins and waits the required number of confirmations, then the previous owner cannot launch any attacks. Or am I misunderstanding your premise? There are many different variants of PoS, and some of them are indeed susceptible to long range attacks. Stop generalizing. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ThomasVeil on January 17, 2015, 03:01:29 PM I highlighted the key word for you. Yes, if you're simply already owning a stake of a size Why did no one think of that before? 10% is needed for an attack. Re-read the research paper sir. None of that 10% needs to be owned either as we have discussed. Which paper? The papers say there is no viable 10% attack. There also is no 10% whale or exchange in NXT - you crossing it out doesn't make a fact disappear, you know. Quote We are discussing a specific scenario where attacking PoS is far less risky than a similar attack with PoW. Not sure what you mean with "we". We know that PoW would be easier to attack if you magically get a 10% stake - since that would likely buy you 51% of all mining. Quote Clearly you didn't because you still don't even know what the term "nothing" means. You also understand that in physics "nothing" does not have the same connotation as within philosophy? Physics? Really? I hope you're just kidding. Quote Vitalik is going with PoW for ethereum despite all his research into TaPoS and weak subjectivity. Why? You're lying, or again proving that you're not even reading the links you provide. And since you're wrong: You should answer the "why" question yourself. https://blog.ethereum.org/2015/01/10/light-clients-proof-stake/ Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW. A small proof of work component is exactly what NXT (and Blackcoin... and others) do. Again, it would help if you read what you link - would waste less of everyone's time. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 03:09:56 PM Which paper? The papers say there is no viable 10% attack. There also is no 10% whale or exchange in NXT - you crossing it out doesn't make a fact disappear, you know. https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf A previous block explorer, now taken down in favor of one with less granularity, showed that between 4-14 members controlled over 51% of the Nxt stake. Not sure what you mean with "we". We know that PoW would be easier to attack if you magically get a 10% stake - since that would likely buy you 51% of all mining. Incorrect as you assume that markets aren't dynamic, ignoring the costs of electricity, ignoring the alarms raised from amassing such large amounts of asics , ignoring the cost of setting up and maintaining the equipment and doing so in secrecy, ect... A small proof of work component is exactly what NXT does. Again, it would help if you read what you link - would waste less of everyone's time. This has nothing to do with PoW consensus mechanisms. Next you are going to insinuate hashing itself is "work" thus one should consider all PoS to incorporate the PoW consensus mechanism. If we must use your twisted definition of PoW than the point still stands: Why does Vitalik insist upon a much more inefficient version of PoW with a hashimoto dagger IO bound PoW consensus mechanism? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: achimsmile on January 17, 2015, 03:18:20 PM I think what ThomasVeil was hinting at is that the amount of work required to forge on all possible chains grows exponentially over time.
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 03:19:15 PM I think what ThomasVeil was hinting at is that the amount of work required to forge on all possible chains grows exponentially over time. Research Paper correcting/revising the one I cited? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: achimsmile on January 17, 2015, 03:21:14 PM yes
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 03:22:31 PM Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: valarmg on January 17, 2015, 03:34:52 PM I am talking about a situation where first a contract is signed where the whole bank is being sold including the stash of coins in their possession. A month later the actual change of ownership of the whole bank happens when new owner gets his personnel to take over. During that month the previous owner still has complete control of the bank but he has nothing to lose if the coins in the banks possession collapse in value. He still can transfer the 100 million coins to the new owner of the bank a month later like it says on the contract and he could not care less whether the coins have value or not. Note that there does not have to be an actual attack. All that is needed is market to know that a big bank is changing ownership and the whole market knows that the stability of the whole economy is hanging by a thread during this month. Maybe somebody else sees this as an perfect opportunity to perform an actual attack and they also do not need to be nothing else than big nasty rumours that cause panic. Ok, you are referring to a bank that has 10%+ of coins. This should not happen much/at all in a flourishing PoS economy. However, if this is happening, and the market knows the possible problems, the buyer can yet put specifications on his sale such as seller destroying the assets prior to the sale can invalidate the sale. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on January 17, 2015, 03:40:54 PM Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty :) please elaborate on the details of the bounty :) writing a white-paper quality explanation is a time consuming task No WP quality needed, just step-by-step instructions. And why should I trust you made successful attack on Apexcoin? Please provide proof of that then we can start talk about the details Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: valarmg on January 17, 2015, 03:51:08 PM If there is no fundamental reasons why PoW is better than PoS, then PoS will win out due to lower cost (imho). Yet despite Bitcoin being in a death spiral of capitulation both Bitshares and Nxt have lost far more against bitcoin in the last year. Perhaps there are other factors that are far more prescient than the mining costs to secure the network? I wouldn't say far more. There are more forces at work than mining cost, certainly. Bitcoin is the big daddy of crypto and in a world of it's own in terms of price and network effect. But if you compare PoS coins versus non-bitcoin PoW coins over the last year, I'd expect PoS coins to come up on top. You understand that long range attacks have proven impossible in simulations. So if a bank buys a large chunk of coins and waits the required number of confirmations, then the previous owner cannot launch any attacks. Or am I misunderstanding your premise? There are many different variants of PoS, and some of them are indeed susceptible to long range attacks. Stop generalizing. (Edited to remove something I was wrong about.) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ThomasVeil on January 17, 2015, 03:57:01 PM Which paper? The papers say there is no viable 10% attack. There also is no 10% whale or exchange in NXT - you crossing it out doesn't make a fact disappear, you know. https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf Dude, you're killing me. Reposting the link doesn't help if it doesn't contain what you're claiming. Quote A previous block explorer, now taken down in favor of one with less granularity, showed that between 4-14 members controlled over 51% of the stake. Learn basic math. Some common sense would also help: That block explorer probably showed the forging stake, not the coin ownership. Quote We know that PoW would be easier to attack if you magically get a 10% stake - since that would likely buy you 51% of all mining. Incorrect as you assume that markets aren't dynamic, ignoring the costs of electricity, ignoring the alarms raised from amassing such large amounts of asics , ignoring the cost of setting up and maintaining the equipment and doing so in secrecy, ect... Buying one or two forging pools and one mining facility should totally do the job. I don't see how I miss costs there... those likely run profitable or close to. Note how for a state actor all this would be in fact easy, undetectable - and basically free. Quote A small proof of work component is exactly what NXT does. Again, it would help if you read what you link - would waste less of everyone's time. This has nothing to do with PoW consensus mechanisms. Next you are going to insinuate hashing itself is "work" thus one should consider all PoS to incorporate the PoW consensus mechanism. I don't "insinuate" - it's a straight up fact: hashing is work. It has a difficulty - used as protection mechanism. You can't provide blocks for free. Quote If we must use your twisted definition of PoW than the point still stands: Why does Vitalik insist upon a much more inefficient version of PoW with a hashimoto dagger IO bound PoW consensus mechanism? The paper you linked doesn't say that. In the blog links you posted he doesn't say that. You're chasing me in circles with your fake references. I'll end responding. In fact most your links say: he leans towards POS (which checkpoints of several months of age), which you don't want to explain. You're not living up to your own standards. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 03:57:06 PM But if you compare PoS coins versus non-bitcoin PoW coins over the last year, I'd expect PoS coins to come up on top. If you are speaking about the past years this simply isn't factual. PoS coins have almost all proven to be ICO scams or pump and dump opportunities. Well, I agree that some PoS algorithms are most likely much worse than PoW. I'm more interested in the potential of PoS, how secure it could be if best practices are followed. PoS is still growing up, Bitcoin is much further ahead in terms of protocol security. I agree and would like a TaPoS layer or sidechain added to bitcoin as an option for added security. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 04:05:47 PM Learn basic math. Some common sense would also help: That block explorer probably showed the forging stake, not the coin ownership. It was coin distribution based upon the ICO. Buying one or two forging pools and one mining facility should totally do the job. I don't see how I miss costs there... those likely run profitable or close to. Note how for a state actor all this would be in fact easy, undetectable - and basically free. States are porous and leak secrets all the time. Most people in IT knew of the Snowden revelations years before he became a whistleblower. The paper you linked doesn't say that. In the blog links you posted he doesn't say that. You're chasing me in circles with your fake references. I'll end responding. In fact most your links say: he leans towards POS (which checkpoints of several months of age), which you don't want to explain. You're not living up to your own standards. I will concede he changes his mind often but if you have been following the nuances of his papers and interviews you will see that he is not content with Slasher Ghost for security alone and is likely to include hashimoto dagger IO bound PoW. I like TaPoS and think it should be added as an option to bitcoin. You seemed to me to be somewhat defensive and reactionary. Are you upset that Nxt and Bitshares are losing ground and dying? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: siameze on January 17, 2015, 05:05:55 PM If you are speaking about the past years this simply isn't factual. PoS coins have almost all proven to be ICO scams or pump and dump opportunities. This is true. I wondered if most ICO scams choose PoS variants because they cannot easily get network backing using PoW? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: achimsmile on January 17, 2015, 05:09:55 PM https://bitcointalk.org/index.php?topic=897488.msg10152632#msg10152632 Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: achimsmile on January 17, 2015, 05:10:47 PM If you are speaking about the past years this simply isn't factual. PoS coins have almost all proven to be ICO scams or pump and dump opportunities. This is true. I wondered if most ICO scams choose PoS variants because they cannot easily get network backing using PoW? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: ThomasVeil on January 17, 2015, 05:14:31 PM You seemed to me to be somewhat defensive and reactionary. Are you upset that Nxt and Bitshares are losing ground and dying? Because I like a good discussion it grinds my gears if someone pretends to engage in one, and then doesn't do the most minimal diligence - not even spending 2 seconds thinking. Posting links and completely misrepresenting what they say. It's disrespectful. Or this stuff: Quote It was coin distribution based upon the ICO. ... which would take about 5 seconds to verify. It's public info (in fact in the blockchain) and 3rd grade math. No user could have had close to 10% of the stake. Quote Buying one or two forging pools and one mining facility should totally do the job. I don't see how I miss costs there... those likely run profitable or close to. Note how for a state actor all this would be in fact easy, undetectable - and basically free. States are porous and leak secrets all the time. Most people in IT knew of the Snowden revelations years before he became a whistleblower. ...or diverting into completely unrelated topics, ignoring the issue. Quote The paper you linked doesn't say that. In the blog links you posted he doesn't say that. You're chasing me in circles with your fake references. I'll end responding. In fact most your links say: he leans towards POS (which checkpoints of several months of age), which you don't want to explain. You're not living up to your own standards. I will concede he changes his mind often Or concessions like that. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Damelon on January 17, 2015, 05:20:34 PM If you are speaking about the past years this simply isn't factual. PoS coins have almost all proven to be ICO scams or pump and dump opportunities. This is true. I wondered if most ICO scams choose PoS variants because they cannot easily get network backing using PoW? My guess would be that PoS is a useful "buzz word" that few people have actually researched, but that seems to be really cool. Marketing 101. :) It's one of the reasons I am glad research that is verifiable is finally being done. It's a lot harder to make claims when there are verifiable counter arguments around. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 05:23:20 PM ... which would take about 5 seconds to verify. It's public info (in fact in the blockchain) and 3rd grade math. No user could have had close to 10% of the stake. It is a premined ICO with only ~70 participants. The original blockchain explorer reflected granularity from 10 million to 100 million instead of 1 million to 1,000,000,000 as shown here: https://nxtblocks.info/#section/blockexplorer_distribution I was able to calculate that between 4-14 individuals control 51% stake in NxT at the time which indicates there could be a few people with over 10% stake. In fact it would be surprising that a couple of the developers didn't hold onto at least 10% of the premine. No user could have had close to 10% of the stake. How could you possibly know that? https://bitcointalk.org/index.php?topic=897488.msg10152632#msg10152632 This isn't a research paper refuting the previous work but just a statement just like below: https://nxtforum.org/consensus-research/multibranch-forging-approach/?PHPSESSID=qi7nicmsk2cmc6ri87mtrstcd6 Quote And I agree, all Proof-o-Stake currencies share N@S concern. Even more, they share much more. So it will be cool to share research efforts as well. Or are you just playing a semantic games and claiming that a little effort is expended in performing a N@S attack therefore it technically shouldn't use the word "nothing". Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: achimsmile on January 17, 2015, 05:43:55 PM let me google that for you: "kushti n@s attack"
First hit: https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on January 17, 2015, 05:46:22 PM I like how the Nothing@Stake attack keeps mutating as time passes :D
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Este Nuno on January 17, 2015, 05:48:19 PM From what I know Vitalik wants to go PoS, but Gavin Wood et al refuse to do anything other than PoW.
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 05:54:34 PM let me google that for you: "kushti n@s attack" First hit: https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf That is the article I linked to which indicates you can perform short range N@S attacks with 10% stake. When kushti published it he even admitted such: - we have formally defined nothing-at-stake attack(again, using Buterin's informal definition) and made initial simulations. We haven't included their results in paper as they are seems to be too raw, but I can reveal them here: N@S attack could happens only in short-range, e.g. for within 20 blocks for 10% stake, so with 30 confirmations we haven't observed the successful attack. Also please note the attack has pretty unpredictable nature for attacker, so he can hardly enforce it, even in theory(in practice it's even harder to get it done properly). The correlation with stake size is still the open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin I believe what is happening now is Nxt Supporters are now suggesting N@S is impossible because they are interpreting "Nothing" literally and indicating only short range attacks are possible. If you want to play word games that is fine, lets call it a bear raid and short range attack combo. From what I know Vitalik wants to go PoS, but Gavin Wood et al refuse to do anything other than PoW. Interesting and plausible. Gavin is a wise man if so. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Damelon on January 17, 2015, 06:24:15 PM The original blockchain explorer reflected granularity from 10 million to 1,000,000,000 instead of 1 million to 1,000,000,000 as shown here: https://nxtblocks.info/#section/blockexplorer_distribution The first explorer is still very much active: http://nxtexplorer.com/ Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 06:35:57 PM The original blockchain explorer reflected granularity from 10 million to 1,000,000,000 instead of 1 million to 1,000,000,000 as shown here: https://nxtblocks.info/#section/blockexplorer_distribution The first explorer is still very much active: http://nxtexplorer.com/ I was referring to this: http://charts.nxtcrypto.org/cDistribution.aspx https://web.archive.org/web/20140928121336/http://charts.nxtcrypto.org/charts/cDistribution.png On the old site you could also see the exact amount of This only reflected the amount of coins per wallet so even some of those few wallets at the top which contained between 10million-100 million could have been held by the same individuals. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: valarmg on January 17, 2015, 06:53:02 PM Source? As I understand it, he is still deciding between a PoS/PoW combo and full PoS. https://www.youtube.com/watch?v=qPsCGvXyrP4 More specifically, Ethereum will be a hashimoto dagger IO bound PoW consensus mechanism. The latest under review is here under PoC7: https://github.com/ethereum/cpp-ethereum/wiki http://gavwood.com/Paper.pdf He may use both however: https://blog.ethereum.org/2015/01/10/light-clients-proof-stake/ Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW. Quote from: inBitweTrust Quote From what I know Vitalik wants to go PoS, but Gavin Wood et al refuse to do anything other than PoW. Interesting and plausible. Gavin is a wise man if so.So earlier, that Buterin had thoroughly studied the vulnerabilities and found PoS wanting made it clear to you that PoS had insufficient security. Now, when you find out that Buterin has decided that PoS is the best option (but is dissuaded by others from using it), Buterin is clearly wrong despite his thorough study. So there are probably no arguments or studies or science that could persuade you that PoS is secure, right? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 17, 2015, 07:00:22 PM So earlier, that Buterin had thoroughly studied the vulnerabilities and found PoS wanting made it clear to you that PoS had insufficient security. Now, when you find out that Buterin has decided that PoS is the best option (but is dissuaded by others from using it), Buterin is clearly wrong despite his thorough study. So there are probably no arguments or studies or science that could persuade you that PoS is secure, right? It's more of a faith thing, and we might as well be arguing evolution with right wing catholics, maybe? First of all, we don't know if Buterin prefers TaPoS over PoW... I am simply open to evidence and am willing to admit it is plausible. The point still stands with Ethereum whether it comes from Gavin or Vitalik. Secondly, as I have stated numerous times in this thread, I like TaPoS, and think it offers some security differences, benefits, and weaknesses to PoW and would like to see it integrated as a layer on top of Bitcoin for added security and other benefits. Just because I can find critical flaws within PoS variants doesn't mean I see no security or benefits from such consensus mechanisms. I have been vary critical of bitcoins weaknesses, PoW weaknesses, and Bitcoin companies throughout my post history. I am not interested in trading one set of problems for another but rather discussing methods of strengthening crypto-currencies security and understanding inherent weaknesses. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Damelon on January 17, 2015, 07:38:05 PM The original blockchain explorer reflected granularity from 10 million to 1,000,000,000 instead of 1 million to 1,000,000,000 as shown here: https://nxtblocks.info/#section/blockexplorer_distribution The first explorer is still very much active: http://nxtexplorer.com/ I was referring to this: http://charts.nxtcrypto.org/cDistribution.aspx https://web.archive.org/web/20140928121336/http://charts.nxtcrypto.org/charts/cDistribution.png On the old site you could also see the exact amount of This only reflected the amount of coins per wallet so even some of those few wallets at the top which contained between 10million-100 million could have been held by the same individuals. That site wasn't "taken down", but abandoned by the person running the charts. Small difference, and you could not know that. :) We're working on getting them back up. It's good info to have available. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on January 17, 2015, 11:44:32 PM let me google that for you: "kushti n@s attack" First hit: https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf That is the article I linked to which indicates you can perform short range N@S attacks with 10% stake. When kushti published it he even admitted such: - we have formally defined nothing-at-stake attack(again, using Buterin's informal definition) and made initial simulations. We haven't included their results in paper as they are seems to be too raw, but I can reveal them here: N@S attack could happens only in short-range, e.g. for within 20 blocks for 10% stake, so with 30 confirmations we haven't observed the successful attack. Also please note the attack has pretty unpredictable nature for attacker, so he can hardly enforce it, even in theory(in practice it's even harder to get it done properly). The correlation with stake size is still the open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin I believe what is happening now is Nxt Supporters are now suggesting N@S is impossible because they are interpreting "Nothing" literally and indicating only short range attacks are possible. If you want to play word games that is fine, lets call it a bear raid and short range attack combo. That article isn't the latest information, this post from 14th Jan is.. To summarize the discussion, known claimed attacks on proof-of-stake distributed consensus algorithm(and concrete implementations) at the moment: *snipped* 3. Nothing-at-stake attack - not possible at the moment! Will be possible when a lot of forgers will use multiple-branch forging to increase profits. Then attacker can contribute to all the chains(some of them e.g. containing a transaction) then start to contribute to one chain only behind the best(containing no transaction) making it winner. Previous statements on N@S attack made with assumption it costs nothing to contribute to an each fork possible and that makes N@S attack a disaster. In fact, it's not possible at all to contribute to each fork possible, as number of forks growing exponentially with time. So the only strategy for a multibranch forger is to contribute to N best forks. In such scenario attack is possible only within short-range e.g. with 25 confirmations needed 10% attacker can't make an attack. And attack is pretty random in nature, it's impossible to predict whether 2 forks will be within N best forks(from exponentially growing set) for k confirmations. So from our point of view the importance of the attack is pretty overblown. *snipped* When he published the multistrategy paper in Dec, the post indicated that he thought the N@S was overblown and explicitly stated that he hadn't included these results in that paper. Kushti's research shows that the Nothing @ Stake attacked described by Vitalik (as he was the only one to describe it in any detail) is BS. If you have a different attack, you'll need a different name :D Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: achimsmile on January 18, 2015, 09:11:08 AM let's wait until someome tries to attack Nxt testnet. I'm sure the community would be glad to give out some teststake.
If anyone wants to have a try, please go to nxtforum.org and ask for testnxt. We can talk again after some guys tried and report their findings, ok? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: inBitweTrust on January 18, 2015, 11:52:23 AM let's wait until someome tries to attack Nxt testnet. I'm sure the community would be glad to give out some teststake. If anyone wants to have a try, please go to nxtforum.org and ask for testnxt. We can talk again after some guys tried and report their findings, ok? And I'll do nxt next (testnet or a clone) but it'll take some time because it's a very different thing I need to get used to. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on January 26, 2015, 01:26:31 PM Hi Kushti ;D
Do you plan to write these findings... https://bitcointalk.org/index.php?topic=897488.msg10152632#msg10152632 ... up into a 4th paper? Or shall I just add the link to the post to the 'Nxt Whitepaper' thread? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on February 09, 2015, 10:05:22 PM Bump. Testcoin with modified forging algo is still in development. Kushti will have more time after release of version 1.5 of Nxt.
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on February 10, 2015, 07:52:47 AM Bump. Testcoin with modified forging algo is still in development. Kushti will have more time after release of version 1.5 of Nxt. is that for the challenge to break a nxt clone? if so, why modify the forging algo? would a straight clone not be the best candidate so as to acquire the most accurate results? Two separate projects. CynicSOB still thinks he can break Nxt and is still trying AFAIK. Kushti is testing improvements that could be adopted by Nxt, all being well. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on February 16, 2015, 01:54:02 PM Further research published into Nothing at Stake- "tails switching":
We have updated our github repository https://github.com/ConsensusResearch/ForgingSimulation with a new version of the PoS simulation haskell code. It now included two branches, master - for the single branch classical Nxt based code and "multibranch-experimental" - for the multibranch forging simulation. Recently new algorithm for regulating tails switching effect is proposed and implemented. With it, a possibility of the N@S attack becomes also regulated as we now can introduce deducible parameter of confirmations needed to stabilize recent blocks tails. The idea of regulating is straightforward - from time to time the node "forgets" almost all the branches and prolong only those whose cumulativeDifficulty measure is above some retargeting threshold. This threshold changes discretely, starting from 0. Unlike the Bitcoin difficulty param, the threshold always grows as the best block cumulativeDifficulty exceeds the previous threshold+delta. So nodes work as multibranch almost all the time, but sometimes becomes "single-branch" for a short time (one tick). This approach allows to have all the multibranch benefits and also get the network with regulating convergence. With a certain confirmation number calculated, we can propose the strong resistance to the N@S as the long tails switching become very-very unlikely after the confirmations. We'll present the N@S simulation results ASAP. There are more possible regulation procedures, for sure. Basing on the idea that sometimes nodes switch to the single-branch behavior one can introduce any verifiable quasi-random algorithm to do this. The proposed is the simple but efficient one, however more complicated algos (e.g. based on some nice hashes) could secure the system more likely. New paper on tails switching effect had been publicly released (https://github.com/ConsensusResearch/articles-papers/tree/master/switching). However the results of the simulations presented in the paper have been already renewed by the simulation software at https://github.com/ConsensusResearch/ForgingSimulation/tree/multibranch-experimental with the proposed threshold algorithm. As expected the algorithm allows to have confirmation number parameter deducible from the system constants and prevents the prolongation of similar branches. With it the resistance to the N@S becomes feasible and measurable! The results of N@S simulation + switching tails length distribution are coming. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on February 24, 2015, 12:16:34 AM Please keep in mind that kushti only used his own simulation model. I'm very interested to see real world tries on the Nxt testnet. I imagine that the attack is more complex there because network topology and latency, behaviour of peers, etc. The attack is more complex, right... for an attacker. Any non-determinism helps winning chain, that's pretty clear from our simulations(especially Nxt-like model https://github.com/ConsensusResearch/ForgingSimulation). And for real-world-like testing, we're going to release own 100% Proof-of-Stake proto-CC https://nxtforum.org/general/kushti%27s-topic/msg157355/#msg157355 . We'll release attacking scripts as well, so everyone please join to try to crack proof-of-stake. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on February 24, 2015, 12:27:06 AM nxt fudding has pretty much stopped entirely since all these academic papers came out.. nice job.. :) All I have seen is trying to twist the definition of "Nothing at Stake" to try and keep it alive (Kushti's rationalisation in his summary was a list of "N@S definitions so far" rather than thoughtful proposals) ;D. Of these twists I've seen, none are POS specific and POW have it's own versions. GMaxwell warned Bill White off of using POS, so I pointed him to this research but he has made no comment as yet... Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on February 24, 2015, 12:39:47 AM Hi Kushti ;D Do you plan to write these findings... https://bitcointalk.org/index.php?topic=897488.msg10152632#msg10152632 ... up into a 4th paper? Or shall I just add the link to the post to the 'Nxt Whitepaper' thread? Last paper was about "tails switching". And now we're working on the several things simultaneously: 1. Better blockchain measure(than cumulative difficulty). Should lower number of confirmations needed to consider an attack impossible. 2. Proof-of-Stake + Proof-of-Activity hybrid simulation (paper on PoW + PoA http://eprint.iacr.org/2014/452.pdf) 3. Formal (yeah, truly formal) definition of some cryptocurrency properties. Probably next paper will be about that, as code is mostly ready here(definitions + lemmas/theorems with proofs made in Coq interactive theorem prover). 4. SCOREX to try research findings in almost-real world environment. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: spartacusrex on February 24, 2015, 05:33:02 PM Hi there,
Can I clear up a few questions floating around ? Not sure if there are answers or not.. So just thought I'd ask outright.. When connecting to a POS network, a bootstrap number must be collected from a trusted source ? Say a recent block hash from the current valid chain. (You may already have one, but I'm referring to either NEW users or users reconnecting after a non-negligent period of time) Once you have connected to the Network, it seems that everything runs smoothly. That's great! ;D Now, if you have connected to an INVALID / BOGUS POS network, when someone on the actual valid network connects to me and says 'Hey - THIS is the valid Network' there is no way for me to know which network is valid ? (Based on looking solely at the 2 POS chains in contention) I would need to ask someone I trust ? There may of course be 100's of competing chains, all saying ' I'm the valid chain! ' not just 2. It seems that long range / short range attacks are a non-event ATM, but the current troubling aspect, for me at least, is the inability to rectify connecting to a bogus network at start up. If that is the case ? What I mean is, in a POW network I can look at various chains, and see that one has more work than the other. Simple. Even if I do connect to the wrong network, I can always tell when I see the real thing. In POS I cannot ? I do not see this as an ' IT'S BROKEN if this is the case ', but I do think this is a 'fundamental' issue that troubles many of us.. It would appear analogous to The Silk Road's Onion address changing every week, and having to re-find the valid address, or risk using an FBI honey pot trap. Yes obviously I can ask my friends what address they use, assuming they have used the site in the last week or so, but anyone who has tried to find that particular TOR address, knows that it is not 100% straight forward.. Does that make sense ? be gentle.. :-\ Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on February 24, 2015, 11:27:30 PM You weren't frothing at the mouth in your post so there is no reason why anyone else should be ;D and you seem genuinely interested so the following applies to Nxt POS
Longest chain rule with highest difficulty applies in Nxt too. Nxt is pretty much the same as bitcoin if you imagine each Nxt as a mini mining rig. The current solution to joining the network after a break or initially is the yet to be implemented Economic Clustering feature. The idea being, to complete a transaction you both have to be on the same chain. So everyone joining would look to an entity (or two or ten) that makes a lot of activity I.e. a store, exchange etc. This is where the economy clusters around. Everyone has the incentive to be on the same chain, as otherwise their transactions are void so number of forks should tend towards 0. I believe Vitalik refers to this concept as Weak Subjectivity whrn he wrote about it in his blog. In theory, if 51% the network nodes and passing around garbage chains then as long as people stick to the economic cluster (which I believe will be automated but don't quote me) then the attack will be resisted (a lot of garbage floating around though). I believe this is what led BCNext to believe Nxt was 90%+ resistant to attack. And the garbage chain would still have to have a higher block height and difficulty to stand a slim chance of a shred of success, which I think Kushti and Anduiman have shown is very very unlikely. Kushti will correct me if I am wrong ;D Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Hueristic on February 25, 2015, 02:34:19 AM You weren't frothing at the mouth in your post so there is no reason why anyone else should be ;D and you seem genuinely interested so the following applies to Nxt POS Longest chain rule with highest difficulty applies in Nxt too. ... Please explain to me difficulty in POS? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: LiQio on February 25, 2015, 05:32:13 AM You weren't frothing at the mouth in your post so there is no reason why anyone else should be ;D and you seem genuinely interested so the following applies to Nxt POS Longest chain rule with highest difficulty applies in Nxt too. ... Please explain to me difficulty in POS? TL;DR cumulative difficulty is higher the larger the total amount of stake that forged the chain More information: Formula see here: https://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt#Cumulative_Difficulty "A cumulative difficulty value is stored as a parameter in each block, and each subsequent block derives its new difficulty from the previous blocks value. In case of ambiguity, the network achieves consensus by selecting the block or chain fragment with the highest cumulative difficulty." "In Nxt higher difficulty of a branch means that this particular branch was forged by owners of a larger amount of coins." (Come-from-Beyond) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Hueristic on February 25, 2015, 05:43:52 AM You weren't frothing at the mouth in your post so there is no reason why anyone else should be ;D and you seem genuinely interested so the following applies to Nxt POS Longest chain rule with highest difficulty applies in Nxt too. ... Please explain to me difficulty in POS? TL;DR cumulative difficulty is higher the larger the total amount of stake that forged the chain More information: Formula see here: https://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt#Cumulative_Difficulty "A cumulative difficulty value is stored as a parameter in each block, and each subsequent block derives its new difficulty from the previous blocks value. In case of ambiguity, the network achieves consensus by selecting the block or chain fragment with the highest cumulative difficulty." "In Nxt higher difficulty of a branch means that this particular branch was forged by owners of a larger amount of coins." (Come-from-Beyond) IC, Whichever chain has more coins is considered more difficult. Weird way of expressing that. I would think it would be refereed to as heavier. Thx for the explanation. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: spartacusrex on February 25, 2015, 11:05:55 AM You weren't frothing at the mouth in your post so there is no reason why anyone else should be ;D and you seem genuinely interested so the following applies to Nxt POS Longest chain rule with highest difficulty applies in Nxt too. Nxt is pretty much the same as bitcoin if you imagine each Nxt as a mini mining rig. The current solution to joining the network after a break or initially is the yet to be implemented Economic Clustering feature. The idea being, to complete a transaction you both have to be on the same chain. So everyone joining would look to an entity (or two or ten) that makes a lot of activity I.e. a store, exchange etc. This is where the economy clusters around. Everyone has the incentive to be on the same chain, as otherwise their transactions are void so number of forks should tend towards 0. I believe Vitalik refers to this concept as Weak Subjectivity whrn he wrote about it in his blog. In theory, if 51% the network nodes and passing around garbage chains then as long as people stick to the economic cluster (which I believe will be automated but don't quote me) then the attack will be resisted (a lot of garbage floating around though). I believe this is what led BCNext to believe Nxt was 90%+ resistant to attack. And the garbage chain would still have to have a higher block height and difficulty to stand a slim chance of a shred of success, which I think Kushti and Anduiman have shown is very very unlikely. Kushti will correct me if I am wrong ;D ok. The highest difficulty being the 'Chain with the most Stake involved' is nice for sorting out chain forks on the valid chain. But I don't think that helps with the 'bootstrap' scenario, as an attacker can fake as much stake as he wants on his 'fake' chain. 'Fake as much Stake'.. lol.. Also - the Economic Clustering, which as I understand it involves putting the hash of a previous block that must be on any chain this txn is added to, does indeed help reach consensus on the valid chain. But again an attacker could fake as much or as little activity as he wanted on his fake chain. Thus in a bootstrap scenario, I'm not sure that helps either. ? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: achimsmile on February 25, 2015, 11:40:08 AM ok. The highest difficulty being the 'Chain with the most Stake involved' is nice for sorting out chain forks on the valid chain. But I don't think that helps with the 'bootstrap' scenario, as an attacker can fake as much stake as he wants on his 'fake' chain. 'Fake as much Stake'.. lol.. In crypto, a stakeholder has to prove that he has the private key to his stake when he wants to do a transaction. You can't insert a fake block where everyone sends their coins to you, because transactions need to be signed with private keys. The NRS would detect and ignore such a block. But this is not what you want to do, you want newbies to see a complete fake chain. Because each block contains information about the previous block, and you need to sign transactions with the private key of the account owner, you would need to alter history all the way back to the genesis block and create a new one where you have the private keys for creating a fake chain. Since GENESIS_BLOCK_ID = 2680262203532249785L and all initial transactions from genesis account are hardcoded in Genesis.java, I don't see how the attacker could succeed. All he could do is create a Nxt clone. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: spartacusrex on February 25, 2015, 11:54:05 AM Since GENESIS_BLOCK_ID = 2680262203532249785L is hardcoded in Genesis.java, I don't see how the attacker could succeed. All he could do is create a Nxt clone. Yes I see. Thanks. In effect, the 'bootstrap number' I've been talking about, is now 'PART OF THE PROTOCOL'. Although - if the initial stake holders ever sold their private keys once those accounts were empty, or lost / hacked / QC cracked, then maybe you could cause a little heart ache.. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: achimsmile on February 25, 2015, 12:28:46 PM Yes I see. Thanks. In effect, the 'bootstrap number' I've been talking about, is now 'PART OF THE PROTOCOL'. Welcome. Indeed, it's been part of it from the beginning. Although - if the initial stake holders ever sold their private keys once those accounts were empty, or lost / hacked / QC cracked, then maybe you could cause a little heart ache.. This is not possible because of checkpoints in the client. A newbie with a clean NRS downloading the blockchain from scratch would still reject the fake blockchain. Quote from nxtforum.org: Kushti has proved (and no one has produced any counter evidence) that the long range attack (Kushti's definition: Long-range attack - attacker can start fork hundreds or thousands blocks behind current chain) isn't possible. It is just in case indeed (and I have 4 locks on my door, not two). It is to prevent history rewriting attack where somebody buys no longer used early stakeholder accounts to build a complete alternative blockchain, regardless of what the theory says if such attack is possible or not.As you say, you put the checkpoint in after 720 blocks had passed so it was behind the decentralised rolling checkpoints. So why put the second checkpoint in at all? 'Just in case', maybe similar to having two deadbolts on your door? A practical use of such checkpoint would be also if people provide for download a full copy of the blockchain, ending just before the checkpoint, then a node starting with such a copy and passing the checkpoint can be sure that blockchain is the same that other nodes running 1.4.8 or later use, up to the checkpoint at least. When downloading a compressed archive of the full database, a rescan is also needed if one wants to be sure that all tables containing account balances, assets and so on are populated correctly, but the checkpoint at least guarantees that the transactions up to it are the same. it is refreshing to have such civil discussions here on btt for a change :) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: valarmg on February 25, 2015, 08:54:31 PM Since GENESIS_BLOCK_ID = 2680262203532249785L is hardcoded in Genesis.java, I don't see how the attacker could succeed. All he could do is create a Nxt clone. Yes I see. Thanks. In effect, the 'bootstrap number' I've been talking about, is now 'PART OF THE PROTOCOL'. Although - if the initial stake holders ever sold their private keys once those accounts were empty, or lost / hacked / QC cracked, then maybe you could cause a little heart ache.. True. But it would be a lot of work for an attacker to get these historical keys, create a new chain that seemed to have a greater cumulative difficulty, fake all the timestamps and rolling checkpoints, and then they'll only fool newcomers to the Nxt blockchain with no one to tell them which is the correct one. By the time someone attempts such at attack, there may be other protections in place. I know that Consensus Research are looking into options. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on March 10, 2015, 12:19:16 AM CynicSOB still hasn't convinced any of his theory and has yet to put his attack into practice yet, one day soon hopefully!
I'm being cryptic about issue #2 because I don't want to reveal the fruits of my work without knowing if there is going to be a bounty and because I want to test if it applies against other coins. But #1 should be easy to understand. Detailed instructions: 1) Gather 20% of staking weight and do not forge (yet) 2) at block height H send a tx to a victim on the main chain (to be included in block H+1) 3) fork to a private chain at block height H. A private chain is a chain that is the same as the main chain until block H but then stops listening to new blocks or new tx. It also stops publishing found blocks 4) create a new tx that would conflict with the one in step 2 and put it in your private chain. 5) forge your private chain with your 20% weight, ignoring other people's blocks. After your tx has 10 confirmations, and your victim accepted the tx you made in step 2, publish your chain. There is a 1 in 1000 chance that yours will have more cummulative difficulty. In that case, your fork is accepted and you have successfully double spent. 6) profit! Of course, this should be optimized so you do step 2 only if you know that you'll succeed. So, not multiple branch forging: only a private branch in parallel to the main chain. It's a short-range attack not directly related to what has been described as N@S. Your chance to make successful attack is negligible even compared to 1/2^10 (~0.1%) chance. Here's why: 1. After "switching off' the network we can consider two networks then, one yours with 0.2*X forging stake and others with 0.8*X. 2. As last common block is generated by X stake, retargeting is needed for both networks. 3. But retargeting is limited, next target value could be within 0.5x...2x of previous 4. So others network will retarget smoothly and yours not, so your cumulative difficulty(which is sum(1/baseTarget) will be worse. And I see no way to know that you'll succeed in prior. Simulation of such attack could be done very quickly with our tool https://github.com/ConsensusResearch/ForgingSimulation, Haskell knowledge is needed though. I bet andruiman already did such things, but has to ask him, we started with such things in November so I've forgotten :) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on March 18, 2015, 08:00:25 PM Will have a talk about Proof-of-Stake and our work around it @ SF Bitcoin devs meetup on Sunday http://www.meetup.com/SF-Bitcoin-Devs/events/221241204/?fromEmail=221241204&rv=ea1 . Feel free to join and ask questions!
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Come-from-Beyond on March 18, 2015, 09:06:10 PM Will have a talk about Proof-of-Stake and our work around it @ SF Bitcoin devs meetup on Sunday http://www.meetup.com/SF-Bitcoin-Devs/events/221241204/?fromEmail=221241204&rv=ea1 . Feel free to join and ask questions! Quote An innovative approach for proof-of-stake consensus improvement will then be presented. Are there any details already available or it will be a surprise? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on March 19, 2015, 07:34:10 AM Quote An innovative approach for proof-of-stake consensus improvement will then be presented. Are there any details already available or it will be a surprise? Well, that will be about allowing multiple branches as described in our papers. It seems the Valley people are still discussing deposits / fines to "improve" Proof-of-Stake, so our ideas will be pretty innovative to them, I guess :) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on March 20, 2015, 11:36:51 PM My comment on Poelstra's rewrite of PoS impossibility article https://www.reddit.com/r/Bitcoin/comments/2zpmlj/expanded_rewrite_of_distributed_consensus_from/cplj4ug
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on March 26, 2015, 01:45:01 AM Slides from my talk @ SF Bitcoin Devs Hackathon (titled "Proof-of-Stake and its Improvements") http://www.slideshare.net/AlexChepurnoy/proofofstake-its-improvements-san-francisco-bitcoin-devs-hackathon
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Este Nuno on March 26, 2015, 07:56:59 AM Slides from my talk @ SF Bitcoin Devs Hackathon (titled "Proof-of-Stake and its Improvements") http://www.slideshare.net/AlexChepurnoy/proofofstake-its-improvements-san-francisco-bitcoin-devs-hackathon Any good criticisms there? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on April 01, 2015, 08:15:15 AM Any good criticisms there? Got some good questions & feedback. Love Sunday meetups much more than others :) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on April 06, 2015, 09:06:19 PM I guess no one has any found any fatal flaws in this research then?
What are the next steps Kushti, were you planning on testing a modified algo in a test coin? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on April 14, 2015, 06:07:44 PM I guess no one has any found any fatal flaws in this research then? What are the next steps Kushti, were you planning on testing a modified algo in a test coin? No any critical flaws found in Nxt-like proof-of-stake. On other hand, no any strict formalization made yet as well. So there are two things to be done: 1. Formalized model showing Nakamoto's property could be met in proof-of-stake with contribution to multiple forks allowed(in other cases there are other problems with formalization). Simulations show the property is seems to be met, thanks to cumulative difficulty working more or less ok as fork selector function(btw, PoS coins with longest chain rule have problems here, at least). I'm now talking with guys much more skilled in CS/math about possibility of the truly formal framework. 2. Practical contributions to Nxt / other projects around. Nxt's algo seems to be pretty safe, though block delays distribution is needed to be better(closer to average value). It will reduce or mb even eliminate incentive to contribute to multiple forks(by trying to do private branch attacks, then share private forks, then we have majority of forgers having multiple-branch forging with N@S possible as result in such environment). I hope some improvements will be made in 1.7/1.8. And yeah, "test coin"(don't like "coin" word here, I would like to call it "experimental blockchain engine for hackers"). Making some changes now, so it will be possible to switch Qora's PoS to Nxt's by changing 1 line of code(and introduce other consensus models easily). Then yeah, multiple branching will be introduced in Scorex. Some non-consensus things will be tested as well, e.g. Bill White's scalability proposal etc. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on April 16, 2015, 02:48:50 PM Switching from Qora's to Nxt's algo with 1 line change is implemented, having a lot of fun by playing with both algos.
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: allwelder on April 24, 2015, 09:52:57 AM I guess no one has any found any fatal flaws in this research then? What are the next steps Kushti, were you planning on testing a modified algo in a test coin? No any critical flaws found in Nxt-like proof-of-stake. Glad to hear this. Thanks,kushti. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on May 11, 2015, 11:30:29 AM I guess no one has any found any fatal flaws in this research then? What are the next steps Kushti, were you planning on testing a modified algo in a test coin? No any critical flaws found in Nxt-like proof-of-stake. On other hand, no any strict formalization made yet as well. So there are two things to be done: 1. Formalized model showing Nakamoto's property could be met in proof-of-stake with contribution to multiple forks allowed(in other cases there are other problems with formalization). Simulations show the property is seems to be met, thanks to cumulative difficulty working more or less ok as fork selector function(btw, PoS coins with longest chain rule have problems here, at least). I'm now talking with guys much more skilled in CS/math about possibility of the truly formal framework. 2. Practical contributions to Nxt / other projects around. Nxt's algo seems to be pretty safe, though block delays distribution is needed to be better(closer to average value). It will reduce or mb even eliminate incentive to contribute to multiple forks(by trying to do private branch attacks, then share private forks, then we have majority of forgers having multiple-branch forging with N@S possible as result in such environment). I hope some improvements will be made in 1.7/1.8. And yeah, "test coin"(don't like "coin" word here, I would like to call it "experimental blockchain engine for hackers"). Making some changes now, so it will be possible to switch Qora's PoS to Nxt's by changing 1 line of code(and introduce other consensus models easily). Then yeah, multiple branching will be introduced in Scorex. Some non-consensus things will be tested as well, e.g. Bill White's scalability proposal etc. Bump ;D Any news on the truly formal framework formalization? Or the "experimental blockchain engine for hackers"? P.S. Bill white plans to contact you about Scorex when he has time... Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: fish731 on May 11, 2015, 05:29:41 PM I guess no one has any found any fatal flaws in this research then? What are the next steps Kushti, were you planning on testing a modified algo in a test coin? No any critical flaws found in Nxt-like proof-of-stake. On other hand, no any strict formalization made yet as well. So there are two things to be done: 1. Formalized model showing Nakamoto's property could be met in proof-of-stake with contribution to multiple forks allowed(in other cases there are other problems with formalization). Simulations show the property is seems to be met, thanks to cumulative difficulty working more or less ok as fork selector function(btw, PoS coins with longest chain rule have problems here, at least). I'm now talking with guys much more skilled in CS/math about possibility of the truly formal framework. 2. Practical contributions to Nxt / other projects around. Nxt's algo seems to be pretty safe, though block delays distribution is needed to be better(closer to average value). It will reduce or mb even eliminate incentive to contribute to multiple forks(by trying to do private branch attacks, then share private forks, then we have majority of forgers having multiple-branch forging with N@S possible as result in such environment). I hope some improvements will be made in 1.7/1.8. And yeah, "test coin"(don't like "coin" word here, I would like to call it "experimental blockchain engine for hackers"). Making some changes now, so it will be possible to switch Qora's PoS to Nxt's by changing 1 line of code(and introduce other consensus models easily). Then yeah, multiple branching will be introduced in Scorex. Some non-consensus things will be tested as well, e.g. Bill White's scalability proposal etc. Will you be integrating the finished thing into Qora before Nxt to see how it performs on a main net? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on May 14, 2015, 04:01:05 PM Bump ;D Any news on the truly formal framework formalization? Or the "experimental blockchain engine for hackers"? P.S. Bill white plans to contact you about Scorex when he has time... 1. No major news in the field of truly formal proof-of-stake description. It's the question of months at least probably(btw, good formal framework describing proof-of-work appeared only in second half of 2014, 5+ years after Nakamoto's paper which is pretty informal). 2. Just made pre-announcement https://bitcointalk.org/index.php?topic=1060567 P.S. Communicating with the awesome guy Bill regularly :) Quote Will you be integrating the finished thing into Qora before Nxt to see how it performs on a main net? Nope. And Nxt will got some evolutional improvements, not radical. as radical changes seems to be not much needed at all. Qora's algo needs for some other improvements, I would like not to disclose the details here though. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Peter R on May 15, 2015, 02:29:46 AM Formalized model showing Nakamoto's property could be met in proof-of-stake… Kushti, what exactly do people mean when they say "Nakamoto's property"? Can you link me to somewhere that gives a precise definition for this term? 1. No major news in the field of truly formal proof-of-stake description. It's the question of months at least probably(btw, good formal framework describing proof-of-work appeared only in second half of 2014, 5+ years after Nakamoto's paper which is pretty informal). Any links you can share for "good formal framework describing proof-of-work"? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on May 17, 2015, 07:27:08 PM Formalized model showing Nakamoto's property could be met in proof-of-stake… Kushti, what exactly do people mean when they say "Nakamoto's property"? Can you link me to somewhere that gives a precise definition for this term? 1. No major news in the field of truly formal proof-of-stake description. It's the question of months at least probably(btw, good formal framework describing proof-of-work appeared only in second half of 2014, 5+ years after Nakamoto's paper which is pretty informal). Any links you can share for "good formal framework describing proof-of-work"? Well, I meant this awesome paper https://eprint.iacr.org/2014/765.pdf . Please take a look to "The common prefix property" in the paper - it's literally the same as "Nakamoto's property". Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on June 04, 2015, 05:22:32 PM Just finished constructive proof of the FLP impossibility theorem with Coq https://github.com/ConsensusResearch/flp . Hope it will be a step to blockchain consensus formalization. Now I have a lot of other work to do but hope Coq repository with blockchain consensus formalization code(PoS-friendly) will be started someday :)
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on June 09, 2015, 04:47:44 PM Kushti,
I came across a guy looking and thinking deeply about POS. See https://bitcointalk.org/index.php?topic=1082139.msg11547314#msg11547314 It opens... Multiple Voting in POS Cannot be Detected and It Weakens Security ... I made him aware of your work ;D but he seems serious and open minded so maybe you two can help each other to keep pushing the boundaries. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on June 10, 2015, 05:07:12 PM Kushti, I came across a guy looking and thinking deeply about POS. See https://bitcointalk.org/index.php?topic=1082139.msg11547314#msg11547314 It opens... Multiple Voting in POS Cannot be Detected and It Weakens Security ... I made him aware of your work ;D but he seems serious and open minded so maybe you two can help each other to keep pushing the boundaries. Thanks, answered there :) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Daedelus on July 02, 2015, 11:52:10 AM Update:
No activity in the subforum for last months, but we continue to work! :) 1. Scorex, our fully working cryptocurrency prototype, was pre-announced on BitcoinTalk. Hopefully, will be announced soon here & on BitcoinTalk. We plan to use it to check our ideas in the close-to-real-world environment. https://github.com/ConsensusResearch/Scorex-Lagonaki 2. I made alternative constructive proof of the FLP theorem with Coq: https://github.com/ConsensusResearch/flp . Hope to publish a paper about that in a peer-reviewed journal. andruiman has some Coq code done around CC transactions layer, will be published later. 3. We have some proposals on PoS improvements, preparing to publish them along with possible attack vectors, in form of blogposts and/or reviewed papers(seems we will write no non-reviewed internet papers on that). 4. We're starting to work with jl777 on research around crypto777. andruiman is starting to check its' pegging ideas. 5. More news soon :) So progress is not super-fast, but we're making it :) Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Este Nuno on August 04, 2015, 04:22:58 PM Can anyone link me to some criticism of these claims by qualified people? I'm especially interested in a rebuttal to the claim that long range NaS attacks are not possible in the system that kushti has defined in his and his group's research.
Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: cynicSOB on August 09, 2015, 03:36:43 AM Can anyone link me to some criticism of these claims by qualified people? I'm especially interested in a rebuttal to the claim that long range NaS attacks are not possible in the system that kushti has defined in his and his group's research. I think long range is not possible because rolling checkpoints. Also when downloading a new chain there is a trust system so you download from a trusted source. Rolling checkpoints are nice but create the risk of dividing the network. A fork larger than the largest allowed reorganization would not be resolved and the network would split. I came across a guy looking and thinking deeply about POS. maybe he's thinking too deeply: he proposes an overcomplication that generates centralization and doesn't solve the problem it's supposed to solve.See https://bitcointalk.org/index.php?topic=1082139.msg11547314#msg11547314 Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: Este Nuno on August 09, 2015, 09:53:30 PM Can anyone link me to some criticism of these claims by qualified people? I'm especially interested in a rebuttal to the claim that long range NaS attacks are not possible in the system that kushti has defined in his and his group's research. I think long range is not possible because rolling checkpoints. Also when downloading a new chain there is a trust system so you download from a trusted source. Rolling checkpoints are nice but create the risk of dividing the network. A fork larger than the largest allowed reorganization would not be resolved and the network would split. I remember Bitcoin itself was using checkpoints at one time, not too long ago too. Haven't heard much about that in a while. Do you or anyone else know if they are still in use at all? Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: kushti on August 13, 2015, 07:42:04 PM Can anyone link me to some criticism of these claims by qualified people? I'm especially interested in a rebuttal to the claim that long range NaS attacks are not possible in the system that kushti has defined in his and his group's research. I think long range is not possible because rolling checkpoints. Also when downloading a new chain there is a trust system so you download from a trusted source. Rolling checkpoints are nice but create the risk of dividing the network. A fork larger than the largest allowed reorganization would not be resolved and the network would split. I remember Bitcoin itself was using checkpoints at one time, not too long ago too. Haven't heard much about that in a while. Do you or anyone else know if they are still in use at all? Here they are: https://github.com/bitcoin/bitcoin/blob/86cfd23f68367af072500b1758a4c446cdd36e74/src/chainparams.cpp#L122 . Last at 295K. Long range isn't possible not because of rolling checkpoints only(max reorg depth in Nxt is 1440 blocks and you can't generate private branch of such length better than network's not having majority of online stake before splitting). Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: TPTB_need_war on November 15, 2015, 07:10:02 PM so in several blocks you spread out your orders to sell 15% of the currency. Well I am no rocket scientist, but I would think that still you would run into some liquidity issues. Actually it might create more of a panic. Imagine a 100,000 BTC sell order, then another, then another, then another, .... That would probably be more panic creating than a single million BTC sell order. And by selling the coins, your entire attack is based on the false chain you cleverly made so you get one shot to make it pay off. so this magical instant selling is to me nonviable, which means the N@S will cost you the amount to acquire the stake, so a lot at stake. I hope James saw the following comments pointing out that shorting is a means to profit from the destruction of a currency as alternative to needing to sell or double-spend: So it I understand this correctly an attacker could borrow rather than buy say 10% of the target POS coin. This could be done for example using a pirateat40 type scheme. Sell half of the borrowed POS coins short, and use the remaining 5% of the borrowed coins to launch the attack. This would cause the price of the coin to collapse creating massive profits for our short seller / attacker. Your assumption ignores the possibility of profits from shorting a currency, large bets, or eventual gains from investments in other currencies when the competition is removed. Simply dumping a large stake on an illiquid market isn't as profitable as repeatedly manipulating the market and taking profits in another currency before taking one large exit with a leveraged short that is assured when one performs a 51% attack. Title: Re: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) Post by: TPTB_need_war on November 16, 2015, 09:08:36 AM Tangentially please note even though you didn't make this error, it is a semantic conflation error to equate "nothing at stake" with "nothing to stake" as others have (and James apparently wasn't considering that attackers with large value to stake, can short the coin (https://bitcointalk.org/index.php?topic=897488.msg12982044#msg12982044) as a way to make sure they have nothing at stake ... will make sure I bring this to his attention next time we exchange messages): And if it requires actual stake to do a N@S attack, then there is definitely something at stake! ...If there is no attack without anything at stake, then it seems that something is at stake... |