Bitcoin Forum

Paper on different attacks related to multibranching forging is published by Consensus Research https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf

TL/DR version and consequences:

- multibranch forging gives measurable possibility to earn more fees. I guess Nxt should not ignore it in long-term as the profitable activity will be implemented by somebody sooner or later

- there's no long-range attack against a blockchain V. Buterin described, only short-range. The short-range attack doesn't allow double-spending but gives multibranching forger possibility to earn more fees in singlebranch environment by producing few blocks in a row. However producing few blocks in a row could be an issue too (e.g. evil forger may postpones orders submissions etc) but not critical at the moment.

- not explicitly stated in the paper but easily derived, a long delay between blocks not only annoying but also a security problem as it's the moment for short-range attack could happens

- we have formally defined nothing-at-stake attack(again, using Buterin's informal definition) and made initial simulations. We haven't included their results in paper as they are seems to be too raw, but I can reveal them here: N@S attack could happens only in short-range, e.g. for within 20 blocks for 10% stake, so with 30 confirmations we haven't observed the successful attack. Also please note the attack has pretty unpredictable nature for attacker, so he can hardly enforce it, even in theory(in practice it's even harder to get it done properly). The correlation with stake size is still the open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin

- the N@S simulation tool is published also https://github.com/ConsensusResearch/MultiBranch  so feel free to make your own experiments



-----------------------------

Consensus Research is the micro-group of two researchers working on Proof-of-Stake consensus algorithm investigation at the moment. We're raising funds via NXT Assets Exchange ( https://trade.secureae.com/#5841059555983208287 ), have own GitHub https://github.com/ConsensusResearch/ and subforum on NXT forum: https://nxtforum.org/consensus-research/ , also check my personal blog please http://chepurnoy.org/

Nice to see some research on N@S, instead of claims without backup.

Would be nice to see some discussion going over this. :)

I don't have the time/energy to fully digest what the paper
is saying, but the conclusions of the author seem to say that
Nothing at stake is a real problem that hasn't been solved.

Jordan Lee has claimed to have solved nothing at stake in version 0.4.0 of the Nu network. Vitalik comments on it. Is that strategy mentioned in the paper?
https://discuss.nubits.com/t/proof-of-stake-and-weak-subjectivity/716/3

Vitalik's comment on Jordan Lee's 'solution':

And then goes on to say:

My understanding is that the more severe long range attack does not exist and even the short range attack is quite difficult to achieve. Also with more confirmations, the required attacking stake keeps going up. And if it requires actual stake to do a N@S attack, then there is definitely something at stake!

So by definition this paper is very close to proving that when properly done PoS cannot be attacked with nothing.

Of course if you throw enough resources to buy 51% (or probably 30%) of any PoS, you can do all sorts of nasty things to it. just like if you are able to control 51% (or is it 33% due to minority attacks) of mining power, you can do all sorts of nasty things to a PoW. Dont want to get into a discussion about how likely it is for anybody to obtain 51% of PoW mining power or 51% of a PoS currency, as the point of this thread is about Nothing at Stake attack.

OK, maybe just a little. Mining power costs are not coupled to the PoW coin, so you can simply buy arbitrary amounts of mining hardware with the limit only being the manufacturing capacity of the vendors. Certainly a mass buy will raise the cost of the mining hardware due to the increased demand, but surely not more than 2x and only until the manufacturers start making new production runs. [this is totally ignoring the logistics cost of some "special" team to infiltrate three mining operations, let us stay within the laws for this discussion]

Now let us imagine you are wanting to buy 51% of a PoS currency. What would happen to the price? What would the cost be? Maybe if you are patient, over time you can accumulate a large amount of anything, but any meaningful inflow of capital into a market will necessarily increase the price. will it be 2x or 20x or 200x by the time 51% is obtained? of course, depends on the coin, but the fact that there is a feedback loop to the cost for any financial attacker provides some level of protection.

If there is no attack without anything at stake, then it seems that something is at stake, which is the point of PoW right? to have a cost. Seems like you need to have a significant stake and fancy algos and computing resources to conduct a short range attack, which is thwarted by having more confirmations.

At the high level, it seems that both PoW and properly implemented PoS are able to require capital investment to obtain the coins. I am actually a PoW/PoS agnostic, I just want the coin to be secure and the small number of mining pools that control BTC mining output worry we far more than someone doing a N@S attack.

The days of just declaring PoS as impossible should be behind us. We now have academics with equations, so let the debate be resolved by logic and math, instead of rhetoric.

Clearly any crypto if improperly used will be vulnerable https://bitcointalk.org/index.php?topic=581411.0 and the first implementation of PPC PoS had a coinage vulnerability, but that does not mean that all PoS is flawed. Now what happens if 90% of BTC miners stopped? Like after a multipool abandons a coin after a diff adjustment, the blocktimes will slow down, a lot. This is not an attack scenario, but a real possibility if this bear market continues for another 6 months. With BTC diff readjustments 2000+ blocks, how long will things be in slow motion and if it slows to the point where all the blocks are full and it overflows, then what happens?

So, there are potential problems with all such things and the ideal algo has yet to be made. Ideally the best ideas from PoW can be combined with the best ideas of PoS.

James

Hopefully Vitalik can comment on the Consensus Research paper.

You don't seem to understand what the Nothing at stake problem is about.

(Yes, obviously you need to own coins, but you could attack and then
sell your coins.)

Nothing at stake refers to the fact that the best strategy is
forging on multiple chains at the same time.

The conundrum is that PoS really seeks "free"
security.  Would be nice to have a secure
network that establishes distributed consensus
without security costs, but is it feasible?

One of the biggest arguments in favor of
proof of work is that it costs more to attack
the network than to participate in its security.


 

Why would I do that when

A) I just stated I don't have time
B) I can quote the author's own conclusions

So you obtain a stake and then magically sell the coins after you attack it. Since it would take time to accumulate enough coins to attack it, then you are doing this simply to destroy the coin. But who would buy the coins back after it is attacked successfully? Ever try to sell even 10% of a coin supply all at once? Pretty much no market can withstand such things. What would a 1 million BTC sell order do to its price?

so if N@S requires an insane millionaire to conduct it, then this madman can easily buyout the top mining pools right?

to use a wild card against one approach but not the other is not quite an objective analysis.

Now if N@S now is requiring to obtain a meaningful stake before conducting the attack then it would be fair to say:

One of the biggest arguments in favor of
proof of stake is that it costs more to attack
the network than to participate in its security.

James

actually you can sell your coins first and then attack...
since the nature of an attack is a re-org on the blockchain,
how would anyone know you don't own the coins that
you owned several blocks ago?  That's another aspect
of N@S.


 

I just wanted to comment that Sigmike (who designed this solution along with Jordan Lee) is a core developer for both NuBits and Peercoin. Sunny King has reviewed it and approved this change in Peercoin and it will be supported in the next version when it releases, which will be v0.5.

He asked a logical question: If you don't have time to understand it - why do you have time to comment on it?
The conclusion actually states it in very simple terms: The problem exists, but is basically theoretical, because extremely hard to realize. Notice also that they are suggesting the "multibranch" approach - which makes the attack even more unlikely.


Then there is something at stake. Really... why deny it when in the next sentence you affirm it?
You attack the coin that you own. The value will likely drop - with or without a final success.


So where is the difference? Buying 25% of the POS coin would not be a high cost?
In fact to buy the 51% mining power of Bitcoin would be way cheaper than buying 25% of the currency. Probably by several orders of magnitude.

so in several blocks you spread out your orders to sell 15% of the currency. Well I am no rocket scientist, but I would think that still you would run into some liquidity issues. Actually it might create more of a panic. Imagine a 100,000 BTC sell order, then another, then another, then another, .... That would probably be more panic creating than a single million BTC sell order.

And by selling the coins, your entire attack is based on the false chain you cleverly made so you get one shot to make it pay off.

Next you might propose to buy the coins over 6 months, conduct the attack, sell the coins over 6 months and then use a time machine to go back 6 months. But you know about the clever algos that make it so after some amount of blocks, say one day's worth that it is set in stone? So this shrinks your sell the coins and attack timeframe to a day. Spreading out the million BTC orders over a day, hmmm, still seems to be causing market meltdown and all the capital spent to acquire the coins are gone and hence something is at stake.

I think maybe you are liking the EMP attack I came up with. This one requires simultaneously taking out all the nodes of a PoS network, then get your totally made up blockchain as the only one for all the nodes to connect to. I think this EMP attack would actually work, but I think it would work with any coin PoW or PoS. also some logistical problems with finding all the nodes, obtaining the EMP's, deploying them, etc. and also you need to just convince a few of the genesis keyholders to just give them their keys to you. Oh, after that there wont be anybody with a working computer though so who will know about your false chain?

So, if we are leaving the world of the practical and believable, anything is possible. I think it is better to have some scientist types analyse the math in the consensus paper and then make some improvements.

Dont you agree?

James

There is nothing wrong with PoW and actually the latest NXT lets you even create a new PoW coin with a single API command. so everything has its pros and cons and logical analysis is the way to determine the best course to take

Great paper! I think everybody is looking forward to the scientific debate now.

The logical answer is:  I wanted to highlight the conclusions
of the paper, since people have linked to it, misquoted it,
and misrepresented it as some kind of "debunking".

I mentioned that I don't have time to study
it deeply because I don't.   Hey, at least
I skimmed the paper... Some people
aren't even reading the paper and throwing
around their worthless opinions.  


Well, for one thing, you can buy coins and sell them, or spend them, either
before or after an attack with PoS.  Secondly, if you already have coins,
you can try to double spend with them.

you come across as a reasonable sounding guy, maybe a bit too busy, but you are now repeating a claim that I thought I did not believe was true: https://bitcointalk.org/index.php?topic=897488.msg9884322#msg9884322

so this magical instant selling is to me nonviable, which means the N@S will cost you the amount to acquire the stake, so a lot at stake. Secondly, where is this "you can try to double spend with them" coming from? The whole debate is about how this double spending is not possible with enough blocks, rolling checkpoints, maybe even some sort of preventing of chain jumping.

If you just ignore all this and just make statements like just double spend them, it seems you are really short on time to make any coherent point. I was looking forward to some deep insight about this issue from you.

James

Actually, the td;dr version is:

- multibranch forging gives measurable possibility to earn more fees. I guess Nxt should not ignore it in long-term as the profitable activity will be implemented by somebody sooner or later

- there's no long-range attack against a blockchain V. Buterin described, only short-range. The short-range attack doesn't allow double-spending but gives multibranching forger possibility to earn more fees in singlebranch environment by producing few blocks in a row. However producing few blocks in a row could be an issue too (e.g. evil forger may postpones orders submissions etc) but not critical at the moment.

- not explicitly stated in the paper but easily derived, a long delay between blocks not only annoying but also a security problem as it's the moment for short-range attack could happens

- we have formally defined nothing-at-stake attack(again, using Buterin's informal definition) and made initial simulations. We haven't included their results in paper as they are seems to be too raw, but I can reveal them here: N@S attack could happens only in short-range, e.g. for within 20 blocks for 10% stake, so with 30 confirmations we haven't observed the successful attack. Also please note the attack has pretty unpredictable nature for attacker, so he can hardly enforce it, even in theory(in practice it's even harder to get it done properly). The correlation with stake size is still the open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin

So yes, there máy be problems with certain forms of N@S, and that needs to be researched. Research means keeping an open mind, not cherrypicking and taking out the last sentence and twisting it to mean what you want to mean.

They do nót say "Nothing at stake is a real problem that hasn't been solved." They say "We have made a simulation that produces a N@S as described and we are going to find out what it does."

James,

I don't know if I have any deep insights,
and I don't claim to be any expert.

My thoughts on this:

With proof of stake, there's no
external resource being spent
on security as with proof of work.

The holy grail which is sought after
with proof of stake, is costless
security (everyone just has their stake,
that's enough to secure the network).
 
But by the same token, if nothing
of significance is being spent on
securing the network (as with
miners in PoW), then it costs
basically nothing to try to fool
the network (attack it).

For example,  people can forge
on multiple chains at the same
time without penalty.

They can send themselves
coins back and forth to
try to get more fees.
 
That's why Vitalik proposed
security deposits, to try to
solve this nothing at stake
issue.
  
Or you could even try to
double spend.  This easy
way would be to try to
spend coins that you sold.

Since you still have the keys,
how would nodes know you
spent the coins except by
looking at the blocks after
yours?  Unlike proof of
work, you don't really need
any resources to try this attack.

This nothing-at-stake issue
is nothing new -- this is
what people have been talking
about for months and months.

https://github.com/ethereum/wiki/wiki/Problems

That's what the paper is about.
They are trying to explore possibilities
with multi branch structures instead
of the traditional blockchain, but with
no clear solutions so far.

The content lacks the most obvious and outward attributes of open trolling- maybe many people simply are so superficial...

Wasn't meaning to be trolling but I guess I'm done in this thread.

Read the whitepaper in the OP or
the ethereum blog if you want to know
more about the Nothing at Stake problem.

https://github.com/ethereum/wiki/wiki/Problems

(Or, just pretend its not a problem. 
Whatever floats your boat.)

later! :)

I'm a huge supporter of PoS and I think everyone should be working towards that as a goal for all crypto, but there have been double spends and attacks on PoS coins this year. Off the top of my head I remember Navajo Coin had a problem with that and then the big one being Vericoin which really hurt its market cap after they rolled back.

Weren't they both related to exchanges holding a large proportion of the coins and being hacked? Or maybe being 'hacked'?

I'm pretty sure he is referring to me here  :D when I said there are still some issues but

"it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin"

After implying I'm a liar  :'(  I pointed out that is a direct quote of the OP in this thread  :D Then I was called a muppet so I quoted the whole paragraph. And now I have a worthless opinion? For the record (and repeating myself again), it isn't my opinion. It is that of the authors :D :D And you are refusing to engage honestly with it.


I think we have a flat-earther on our hands, it won't matter what research Kushti & andruiman produce. He'll cling to the unproven claims he has parroted for months. We need open minds and a technical demolition (if one is even possible) of the paper to move forward. Kushti has even provided the tools and models to do it! :D But make no mistake, this is a big step for everyone ;D

Not sure exactly what the circumstances were. Exchanges had something to do with though yeah. Maybe the exchanges weren't staking their reserves or something. I thought that the exchanges got doubled spent against, but I'm not sure.

PoS opponents usually citing two sources, "A Treatise on Altcoins" by A. Poelstra & statements made by V. Buterin(mostly in the form of blogposts). Poelstra's paper contains only kinda philosophical statements(like "consensus inside a system could be achieved only by external resources spending"), and we won't to deal with it at all: the only way for us is not to participate in philosophical disputes, but make a constructive proof of opposite(like Satoshi Nakamoto made constructive proof decentralized currency could exists with his revolutionary paper).

V. Buterin statements are much more clear so we started with them.


Well, in the first place it's not possible to mine on every chain as number of them is growing exponentially with time(and no special hardware could helps, as processing is needed for each block in each branch with storing final balances, it consumes both CPU and memory a lot), so the only strategy is to keep N best branches (we have another paper on multibranching forging called "PoS forging algorithms: formal approach and multibranch forging" https://github.com/ConsensusResearch/articles-papers/blob/master/multibranch/multibranch.pdf ).

In the second place, the possibility of the attack with 1% stake is negligible. Even with big enough stake the outcome of an attack is unpredictable for an attacker and could be done only in short-range(so with raising number of confirmations to 30 in our experiments attacks are always failed). And in practice
 attacker needs to feed part of network with one transaction, another part with other and both parts need to be large enough I guess, and that's hard to get done also.

Also we've found "long-range attack" stated by Buterin should be renamed to "short-range attack", see the paper or tl/dr in the first post.

While other PoS researchers think forging on multiple branches is the problem and working on avoiding it with punishments or incentives, we don't think
it's the problem at all. Multiple branches are okay, if the consensus property met: after k confirmations it's impossible(or extremely expensive) to change system state in the past. So we're working on PoS model corresponds to the property in a proven or evident enough way without throwing multibranch forging away.

I haven't kept up with PoS developments lately, but how do people address the following issue.  PoW and DPOS have coin ownership and network control as separate parts.  For other PoS models, coin ownership grants network control.  Since exchanges and "bitcoin banks" tend to monopolize the control of coins into a small number, or single entity, shouldn't regular PoS be called, "proof of trust in exchange platform"?  Then you also have the possibility of a rogue exchange performing a history attack.

A lot of Vericoins were stolen off of Mintpal, this had nothing to do with PoS/PoW.

There were doublespends in Navajo (PoS), and there were doublespends on Worldcoin, Whitecoin etc. (PoW)

PoS1 != PoS2

for a young coin, it is indeed an issue where a large percentage of coins could and have been on a single exchange, which then gets hacked.

However for a mature PoS, like NXT, even the largest exchange has less than 5% of all NXT, so even if they went all evil, not much they can do. It also seems quite unlikely for an exchange that is earning regular revenues from a coin to effectively sabotage it by attacking it.

With decentralized exchanges getting more and more traction, this issue will get smaller over time. Over time there is more distribution, not less, so not sure where you get this assumption about monopoly control. I guess the fact that bitcoin mining pools have this exact mechanism might be predisposing you to this false assumption

James

correct.

Also the current NXT PoS is more like PoS4 or PoS5 and from what I can tell it is more advanced than PoS2, though PoS2 is starting to incorporate some aspects of NXT PoS

more improvements are in the pipeline for NXT PoS

James

"Proof of trust in exchange platform" - only if the scenario you describe actually applies. BTER is the biggest Nxt exchange and had problems in the summer. Even then, the wallet was only 50 million Nxt = ~5% of all tokens. What you describe might be true for smaller POS but broadbrush generalising isn't representative of POS.

There is no reason to think Nxt will follow the centralisation of bitcoin. You can already trade NXT <> BTC from within the platform in the most decentralised way to date through Multigateway. BTCD, Blackcoin, Veri, Doge are in development and there is no reason other coins couldn't be added. Additional security of Nxt account will come next year with Account Control and 2-Phased transactions (you will be able to 'lock' an account for N blocks, or limit transfers to nominated accounts only so even if someone gets your password they can't move your Nxt). Smart Contracts will also take the risk away from dealing P2P and not use exchanges. Through Monetary System, coins built on top of Nxt can be traded in a completely decentralised way through Nxt itself.


Nxt is still maturing but there is less and less reason to use exchanges or even centralised services at all. Even now it is no where near the scenario you describe.

Come on man, let's try to stick to the topic of general PoS mechanics instead of NXT shilling.  Anytime PoS is mentioned, there's always some NXT guy crawling out of the woodwork with a multi-level marketing campaign.  Before you try to shill NXT to me, you should probably read one of the posts I've made before regarding IPOs:

http://bitcointalk.org/index.php?topic=443196.0

Name a POS you want your Proof-of-Trust to apply to and we can look at that one. The above is the answer for Nxt. And which parts aren't true or you object to?

Generalising is helpful to you as it is easier to create strawman arguments. Have some POS come unstuck having too much on an exchange? Yes. Is that justification for calling all POS "Proof-of-Trust in exchanges"? No. Especially in the case of Nxt.


This topic is actually about reviewing Kushti's research findings, not generalising POS based on opinion.

The general public, and even experienced Bitcoiners themselves, aren't very good at securing coins.  This problem has been almost completely addressed for PoW by smartcard, hardware wallets for $30.  With PoS, it's a different ballgame.  You're required to keep coins online to stake, opening up the system to problems the general public will never be able to deal with unless they outsource that activity to someone else, aka a Bitcoin bank.

PoS systems that don't utilize coin age don't seem to provide benefit to small stakers at all.  You have a combination of the small staker not being rewarded to stake factor, plus the general public tendency to outsource their staking to a Bitcoin bank since they don't want to deal with the risk and technology.  This means a large movement to staking centralization and exchange centralization.  It's really no different from Bitcoin PoW centralization.  The exception is that circumstances that lead to double spend attacks for PoS coins, are much more dangerous long term for most PoS models than circumstances that lead to double spends for PoW coins.

I'm not particularly positive or negative on Bitshares, but DPOS, just like PoW, separates coin ownership from network control, so it doesn't have the above drawbacks where the general public is expected to jump through hoops that they aren't going to do, and will either not stake at all, which network security requires them to do, or will just outsource their staking to a Bitcoin bank, making it possibly more centralized than PoW.

I'm aware of NXT pool forging to try and combat the issues I've stated, which is, hilariously, almost like recreating PoW pool mining.  It does have significantly less energy use than PoW, but once again, this is something that most or all NXT holders are expected to participate in to maintain network security, and the general public is just not going to do it.  Once you start trying to fix the core issues of PoS, you start to run into issues that make it so the system might be too complex for the general public to use, since it seems to demand much more active participation than PoW, while also assuming everyone walking the planet is a combination of computer science and finance major.

The biggest issue of DPOS, is even if it's 100% positive your initial 101 delegate rollout can't and won't collude, how can you make a system to ensure that when they either stop delegating or die, that their replacements won't be colluding.  Delegating as a DPOS participant should be a revenue stream, but maybe you will receive a more attractive, instant lump sum to sell out.

In summary, if Bitcoin PoW is ever found to be an inferior system to whatever PoS system emerges, Bitcoin PoW still has a large chance of beating it without even factoring in the network effect, just from being a much more simple and straightforward system.

In PoW centralized bank could be robbed by a centralized miner  ;D  All those issues are out of scope of our research at the moment.

Regarding history attack, it exists but as rollback is limited(e.g. max 1440 blocks for Nxt now and could be much less in future) the only result is new nodes being mislead i.e. network partitioning. The current solution is to use checkpoints but we're looking for more elegant approach.

Regarding history attack, I will introduce in this topic another very interesting idea from NXT that is not yet implemented but could solve concerns with hidden history rebuilding, it's called Economic Clustering.

In Economic Clustering, basically, all transactions have to include a signed reference to an older block or transaction in the history, so if an attacker gets the keys of an account that used to have huge amounts of stake (those close to the genesis of the coin) and tries to reconstruct his/her own version of history in isolation it's impossible to rebuild it including the transactions of the rest of the economy and collect any of their fees, simply because the hashes of the new history will never match those included in the transactions previously broadcast.
If you already belong to the network and see the hidden branch being released your client can immediately spot the fake history as not including any transaction that you know about (from you or from a list of known companies/entities).

I see it as a social consensus: to fool the history you need to pro-actively involve a majority of the network signing the scam.

@r0ach I actually liked your poll at:

http://bitcointalk.org/index.php?topic=443196.0

Couldnt we have reference NXT nodes that a new node queries to find the right chain?
Just look at the block explorer sites, it becomes quite clear if you are on the wrong chain (assuming the block explorers are on the right chain, seems safe assumption).

So having a list of websites/nodes to query about the right chain would seem to prevent any new node from using the false chain.

Why is this a big problem? Maybe I am missing something significant.

Pick half a dozen websites that are the NXT main websites, have a way for the user to add new ones to add to the consensus list. All these sites would need to agree about the hash value for the chain as of 1440 blocks ago and closer. Some checking could be done for the initial blocks during the time of vulnerability against the false chain.

This simple method seems to prevent any new node from believing the history attack created false chain (not that it is likely to be achieved).

James

Sounds too centralized. However, only initial part of history could be downloaded(e.g. first 100K or 200K blocks in case of Nxt), as its irreversible anyway. And that's  equivalent to checkpoints.

Btw, I think the importance of history attack is overestimated and its solved though in pretty rough way.

Congratulations Kushti on an apparently flawless paper  :D

This paper has been added to the thread Nxt Papers: Whitepapers, Academic and Economic at https://bitcointalk.org/index.php?topic=847868

To summarize the discussion, known claimed attacks on proof-of-stake distributed consensus algorithm(and concrete implementations) at the moment:

1. Short-range attack  - attacker can offer better chain started few blocks behind current canonical chain. The attack is possible at the moment, the only likely outcome though is just gathered fees increase for an attacker. In our simulations this kind of attack is possible mostly when a long delay occurs due to low target. By the way, the attack has positive aspect for network, as it shorten delays average between blocks. So attacker gets extra fees for a good job done  ;D

2. Long-range attack - attacker can start fork hundreds or thousands blocks behind current chain. From our investigations the attack isn't possible.  

3. Nothing-at-stake attack - not possible at the moment! Will be possible when a lot of forgers will use multiple-branch forging  to increase profits. Then attacker can contribute to all the chains(some of them e.g. containing a transaction) then start to contribute to one chain only behind the best(containing no transaction) making it winner.  Previous statements on N@S attack made with assumption it costs nothing to contribute to an each fork possible and that makes N@S attack a disaster. In fact, it's not possible at all to contribute to each fork possible, as number of forks growing exponentially with time. So the only strategy for a multibranch forger is to contribute to N best forks. In such scenario attack is possible only within short-range e.g. with 25 confirmations needed 10% attacker can't make an attack. And attack is pretty random in nature, it's impossible to predict whether 2 forks will be within N best forks(from exponentially growing set) for k confirmations. So from our point of view the importance of the attack is pretty overblown.

4. History attack - attacker can buy whale's private key for $5 and build alternative story. Solved with some checkpoints now, located behind max rollback possible, so the solution is not so scary in terms of centralization etc.


If you know any other kind of attack, please add. Please note IPO properties of a concrete coins etc isn't related to proof-of-stake distributed consensus problems.

And Consensus Research is going to work on better proof-of-stake prototyping & implementation !

How about the Sybil attack? I know that the Sybil attack may be not unique to PoS?

HOW is that solved???  Centralized checkpoints = not decentralized currency. 

Stake does not equal exposure:

Consider for example a pirateat40 style "trust" on a POS coin. The "trust" has a very significant stake combined with a very significant short exposure, and consequently a vested interest in the collapse of the currency, and can vote the stake accordingly. https://en.bitcoin.it/wiki/Pirateat40. POS rewards the creators of ponzi schemes.
 
A variant of this is an exchange gone bad. Again the exchange operator controls a massive stake via customer deposits but no exposure, and if fraud occurs creating a fractional reserve. The exchange has a vested interest in the collapse of the currency in order to cover losses and can vote the stake accordingly.

Buying the currency while at the same time selling a greater amount on a derivatives market, creating a large stake with a short exposure and vested interest in the collapse of the currency. Again the stake can be voted accordingly.

Need I go on ...

Cross posted from https://bitcointalk.org/index.php?topic=924725.msg10158797#msg10158797 (https://bitcointalk.org/index.php?topic=924725.msg10158797#msg10158797)

So where's the whitepaper on how you created decentralized checkpoints?

The network won't accept reorgs deeper than 720 blocks so block 721 back from the current block is the rolling checkpoint. That's how it is done, though there isnt a whitepaper.

There is a general Nxt whitepaper, I can get the link if you haven't seen it.

Kind of hard to keep up with what exactly NXT is and whether it works or not:

The basic idea is what Vitalik talks about in his blog post on weak subjectivity: https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/

It is decentralized in that if you've been away from the network for the past 720 (or whatever # of) blocks, when you come back online you have to ask someone or some set of people which chain is the real one. So if you know your best friend has been keeping a node online, you can ask him, or you can ask Vitalik, or you can ask Gavin Andressen, or you can ask some combination of any # of people you want -- the choice is up to you.

It isn't and never was:


you would have to present a source code comparison between ppc and the first version of Nxt to make me think otherwise.

This solution is already implemented in BitShares, though called something different (TaPoS):
https://bitcointalk.org/index.php?topic=354573.0

Come-from-Beyond described Economic Clustering in May when he committed it. Not sure it is quite the same idea as rolling checkpoints but it is in the same area.
https://nxtforum.org/news-and-announcements/economic-clustering/msg26267/#msg26267

Consensus research have also shown that the "Nothing-at-stake problem" (described in Vitalik's post) has been overstated. A lot. On the contrary, multibranch forging (aka mining on every chain you see) actually helps with security as you can't mine on every chain as they grow exponentially with time. You have to choose what you think are the best N chains and the results can't be predicted so the 'attack' is pretty useless.

I believe this also removes the need for Vitaliks security deposit as it makes it unnecessary as it protects against something that can't happen. It could even be damaging as it restricts the number of branches in multibranch forging so it is no longer exponentially growing in size but is finite, for practical purposes. Equal to the number of nodes in the network? Given they can only forge only 1 branch they see without being penalised. Have I understood correctly, Kushti?


All CfB's descriptions and Q&A on Economic Clustering are collated in this thread...

https://nxtforum.org/economic-clustering/cfb's-announcement-of-economic-clustering/ (you need an account to see the whitepaper section of the forum)



Here is the most recent whitepaper, though it may not have been updated with most recent features:

Nxt Whitepaper
https://www.dropbox.com/s/cbuwrorf672c0yy/NxtWhitepaper_v122_rev4.pdf

I just performed this type of attack in APEXcoin. Please see here: https://bitcointalk.org/index.php?topic=897493.0 (https://bitcointalk.org/index.php?topic=897493.0)
It was a short-range attack, but the consequences are not just more fees: I successfully double-spent.

You may want to expand this "Short-range attack" category, since there can be many different ways to achieve this.
I did it by splitting the coins and waiting for age to accumulate, and as I mention in the linked thread, I think it may be possible to do something similar in nxt.

Just like with POW, 51% guarrantees success but if you have 10% of the hashrate you will eventually have the chance to double spend. Same thing here: small stake + patience = double-spend. Only worse because in most POS coins the % of actively staked coins is low.

I think it's more like stabbing a tied up deer to prove that stabs can be deadly, but let's skip the animal killing analogies please. Poor Bambi...

That's being discussed on the other thread. This doesn't directly apply to nxt becase it doesn't have coin age, but I think the attack can be adapted for it.

May I suggest NAS as the NXT clone target ?
https://bitcointalk.org/index.php?topic=523187.2060

Poor little things been dead in the water for a long time, so the code is pretty much out of date as far as current NXT code goes, but I reckon it'd be a good next step.
And I've got a couple of million NAS lying around somewhere I could lend ya........

Edit: Has there been any contact with or any sign of life from the Apexcoin devs/BlockNet crew?

Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty :)

P.S. Good description on practical impossibility of N@S by JordanLee http://www.peercointalk.org/index.php?topic=2976.msg27303#msg27303

thanks, I'll look into it. No contact from Apex devs yet.

Hmmm....if I get some spare time I'll fire up a NAS node and see how the network looks.

I posted on the Apexcoin and BlockNet ANN threads, maybe we'll hear something from their devs about your attack.

 Apexcoin ANN  (https://bitcointalk.org/index.php?topic=686403.new#new)
 BlockNet ANN  (https://bitcointalk.org/index.php?topic=829576.new#new)

I wasn't able to connect to any peers.  You have any better luck?

I will elaborate on the idea against nxt.
But that link you sent regarding PPC is not about practical impossibility of N@S. It's only about practical impossiblity of the particular attack that the writer describes. This was proven by my attack on APEX. Also, it has some flaws:
is wrong, if you mine your chain in private and publish it only when it has accumulated more work than the main chain then you can attempt this after every block.
is also wrong: 1% gives you about 20% chance of a block. 5% guarantees success.

please elaborate on the details of the bounty :)
writing a white-paper quality explanation is a time consuming task

Absolutely nothing. Looks like NAS is very dead.

So it I understand this correctly an attacker could borrow rather than buy say 10% of the target POS coin. This could be done for example using a pirateat40 type scheme. Sell half of the borrowed POS coins short, and use the remaining 5% of the borrowed coins to launch the attack. This would cause the price of the coin to collapse creating massive profits for our short seller / attacker. There is some real Bitcoin history here that is a must for anyone either attacking or defending a POS coin. Here is a good place to start. https://bitcointalk.org/index.php?topic=50822.0. pirateat40 failed with Bitcoin but Bitcoin is POW! I can just imagine what would have happened to Bitcoin if pirateat40 could have used the borrowed XBT to launch an attack on the Bitcoin blockchain. This would indeed have been the case if Bitcoin had been POS.  

Er...I think Kushti may be getting a little bit ahead of himself here.
If you can pull off a successful attack on NXT, or an attack that works in Kushtis simulations, there will be lots of love for ya....possibly even parades!
And definitely some bounty, if you can also produce good quality documentation on the attack.  (Doesn't have to be real WP standard, but that would be up to our devs to judge.)

But: right now, we don't have a formal bounty offer already open.

I just had a thought: maybe you could run an attack on the NXT Testnet ?
Shouldn't be any problem giving you a stake of TestNXT to play with........

If you're up for it, head on over to NXTworld:
https://nxtforum.org/index.php
and we can discuss further......

Those posts make no sense. It's not an attack, but mere market manipulation. If you can just get 51% of a currency by repeatedly FUDding, then you're golden anyways.
From then on it's not N@S at all - because you earned 51%. It's a 51%@Stake attack. You're harming yourself.

Your assumption ignores the possibility of profits from shorting a currency, large bets, or eventual gains from investments in other currencies when the competition is removed.

Simply dumping a large stake on an illiquid market isn't as profitable as repeatedly manipulating the market and taking profits in another currency before taking one large exit with a leveraged short that is assured when one performs a 51% attack.

With PoW there is much less incentive to risk such a large short on the market because one cannot as easily guarantee the difficulty increase and one is more exposed to risks of others noticing the accumulation of miners and hash rate and one has to spend a great amount of resources to mount said attack.

Additionally, I am only mentioning monetary motivations for attacking ones stake, there are plenty of other reasons which may motivate someone to perform this attack as well.

No. The point is that the attacker also has a much larger short position in the currency. So while the attacker looses on the stake this is more than offset by the gains on the short position.

You're totally ignoring what I'm saying: It's not a nothing at stake attack. That's a technical term. You have a stake - even if you short it.

Secondly ... come on guys: I buy 51% of a POS, then I buy again 51% of the value as shorts (well, more - as I want to make profit). And then I make an attack? Genius! You just managed to make the same fricking attack we knew all along worse, since you have to invest twice as much.
It also contradicts itself - since you fudded the currency into junk to get your stake, you don't even need to attack it. And you probably wouldn't get anyone offering you shorts.

I will formulate the attack: The "Second Pirate Savings and Trust" attack on Proof-of-Stake

1. The attacker creates the "Second Pirate Savings and Trust" modelled after the "First Pirate Savings and Trust" later called "Bitcoin Savings and Trust" https://bitcointalk.org/index.php?topic=50822.msg605957#msg605957 (https://bitcointalk.org/index.php?topic=50822.msg605957#msg605957). This is done in a falling market.
2. The "trust" offers a very attractive rate of interest payable in the POS coin. This rate is significantly higher than the stake rate
3. The "trust" allows investors to leave the interest in the "trust" and roll over the investment.
4. The "trust specifically disclaims that it is a HYIP / Ponzi scam https://bitcointalk.org/index.php?topic=50822.msg605981#msg605981 (https://bitcointalk.org/index.php?topic=50822.msg605981#msg605981)
5. The attacker sells a portion of the borrowed POS coin say 50% for XBT, another POW alt-coin, one or more fiat currencies etc. This will becomes the attackers profit at the end. This will also depress the price by short selling creating the "bear raid"
6. A portion of the received POS coins is used to repay interest to those investors that do not reinvest their interest. This is the "ponzi" component; however see below.
7. The rest of the borrowed POS coin is kept by the attacker, accumulated and staked.

At this point this is no different from any bear raid on a stock, fiat currency POW currency etc. If the market exchange rate falls faster than 2x the interest rate less the stake rate then in the 50% example above, the attacker is actually in the black and there is no ponzi. In the normal bear raid the attacker, if the attacker can depress the price enough and cover the short, can actually walk away with a profit. The problem with the simple bear raid is that in covering the short the exchange rate can rise sharply. This converts the bear raid into a ponzi and the scheme collapses in a rising market. This is what happened to "First Pirate Savings and Trust". It collapsed during a rise in the Bitcoin price.

It is at this point where the specific to Proof-of-Stake part of the attack comes into play.

8. The attacker continues the ponzi until he has accumulated enough stake to launch a network attack.
9. The attacker is also accumulating a greater debt in the POS coin and can even continue selling 50% of the borrowed coin to increase his profit.
10. The attacker launches the attack on the coin causing its value to fall to zero. This wipes out the attacker's stake, but more importantly also wipes out the attacker's debt. The specifics of the attack will of course depend on the particular POS coin.
11. The attacker is left with is profit in some other currency, a worthless amount of the POS coin and a debt denominated in the now worthless POS currency.

Countermeasure:
The only known countermeasure is the intervention of the state.  http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370539730583#.VLncGTVVIWw (http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370539730583#.VLncGTVVIWw).

The challenge here is to devise a countermeasure to this attack that does not involve the involvement of the state or some other centralized authority for example a corporation.

Edit: The network attack can be any attack on a POS coin that requires the attacker to have stake.

Yeah, you can add more detail to your attack - it's still as stupid as when you started.

That story has soo many holes - it's incredible. Most insane of all to call it Nothing-At-Stake. If all you need is to have ROI at some point, to define it as N@S, then it doesn't even have anything to do with POS at all.

Step 1 to 7 are exactly the same in any crypto. The rest is actually easier in POW. I don't even need 60% of the coin (or more as you seem to propose). A fraction of it, when sold, would be enough to buy a mining majority. I can short at the same time. A price drop would even help me, since the miners would drop out and the difficulty falls.
Still: None of this is any remotely realistic scenario.

Sure the price of Bitcoin has gone down by 80% over the last year and the difficulty has gone up. https://blockchain.info/charts/difficulty (https://blockchain.info/charts/difficulty). In my attack there is no additional purchase required, and is based on a scenario that has already happened.

This attack requires a large % of a coin's stakeholders to be stupid enough to trust 'Pirate S+T'. Why don't you call your bank cryptodouble instead of Pirate S+T? I think cryptodouble is a catchier name, might get more suckers. In the accumulation phase, you are 100% operating a ponzi. How do you convince people to invest in the ponzi (I know, tell them it's not a ponzi, you instead intend to attack the currency)?

Explain why you can't do the same with a PoW coin? Just needs the added measure where you buy hashrate with your accumulated funds, but you would require much less funds. What % of bitcoin, what % of litecoin would it take to buy enough hashrate to attack? What % of a PoS coin would it take for you to attack that.

What happens if your attack doesn't reduce the value of the coin to zero? Does your attack merely consist of double spending?

You don't understand your own text. I give up man.

All these questions have been answered in the previous page. Additionally, convincing people to invest in a ponzi is just one variation of an attack, other variations include convincing 10 % to deposit their stake in your exchange / bank, or taking 10% loans with many profiles , or simply being a large whale that already has 10% or more as is possible with NxT. Why do you act incredulous when these scenario's are commonplace within the crypto ecosystem?

The wastefulness of PoW is also a form of security because it incentivizes users to merely profit off of a bear raid and other market manipulation tactics rather than attacking the currency with a 51% attack. The difference with PoS you can attack the currency and profit in doing so and with PoW you have to take a large gamble and spend a lot of resources in order to perform a 51% attack.


You can start by first educating yourself from what researchers are discussing who are sympathetic towards PoS:

https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf

https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/
https://blog.ethereum.org/2014/10/03/slasher-ghost-developments-proof-stake/
https://blog.ethereum.org/2014/07/05/stake/

After you have done this research come back and join the conversation.


You understand that one doesn't need to invest in any of the currency , or control 51% stake when performing a N@S right?


The above applies to NxT and other variations of TaPoS only . Other variations of PoS are susceptible to long-range attacks as well.

Please keep in mind that kushti only used his own simulation model.
I'm very interested to see real world tries on the  Nxt testnet. I imagine that the attack is more complex there because network topology and latency, behaviour of peers,  etc.

Yes, you should encourage more tests to be done.

Most of the peer review and security analysis has been focused on Bitcoin. This is one advantage Bitcoin has with having the largest mind-share, first mover advantage , and largest developer pool of any crypto-currency.

Another consideration for security one must consider that few mention involves how many different working stacks or implementations interact with your blockchain and how this is critical to security.

I highlighted the key word for you.
Yes, if you're simply already owning a stake of a size that never existed in NXT - and you additionally simply scam yourself into 41% more - and then simply buy 100% of all that value in shorts, and then simply gain another 30% so you cover your costs. Then you can attack.
Why did no one think of that before?


Clearly there is zero gambling in your perfect scheme.


You gotta be kidding me. Nothing of your scenario has anything to do with any of those articles - and yes, I've read them before.
Clearly you didn't because you still don't even know what the term "nothing" means.

Does stupidity really know no limits?



Yes, and in not a single word you said you ever talked about N@S. All the links you provided actually conclude specifically that N@S does not exist, or is not realistically executable.

10% is needed for an attack. Re-read the research paper sir. None of that 10% needs to be owned either as we have discussed.


There are risks with all attacks. We are discussing a specific scenario where attacking PoS is far less risky than a similar attack with PoW.


You also understand that in physics "nothing" does not have the same connotation as within philosophy?
Of course some effort is needed to perform a N@S attack. I am using the definition as defined by Buterin and kushti.


Vitalik is going with PoW for ethereum despite all his research into TaPoS and weak subjectivity. Why?



All this being said, TaPoS has some security differences, advantages and disadvantages to PoW and would nicely compliment Bitcoin as an additional wallet layer or sidechain.

I'm incredulous about it being easy/cheap to get 10% of a stake of a well functioning coin. If you can get 10% of a stake without buying and want to profit from it, the easiest way is not to give back the 10%, and sell the coins on the market.

If you have the resources to get 10% of a PoS coin, often the price to buy enough hashrate to control a PoW coin is much less than 10%. I don't see how the incentives are drastically different. Usually owning a coin gives more incentive to not damage the coin than owning hardware does. For example, say bitcoin falls more, and lots of bitcoin mining rigs get shut off. Someone who doesn't own any bitcoin, and has lots of unprofitable bitcoin miners could just launch an attack at very low cost. Maybe put money on some shorts on bitfinex to offset the cost of electricity while attacking.

Source? As I understand it, he is still deciding between a PoS/PoW combo and full PoS.


So just extend the number of confirmations to 30, then short range attack becomes impossible. (6 confirmations on bitcoin is an hour, so a shorter block PoS coin would still take less time than bitcoin confirmation)

Banks and exchanges already have far greater than 10% stake for certain PoS coins right now. I am not discussing a hypothetical. It is also likely that a few Nxt users have over 10% stake.


 https://www.youtube.com/watch?v=qPsCGvXyrP4
More specifically, Ethereum will be a hashimoto dagger IO bound PoW consensus mechanism.
The latest under review is here under PoC7:

https://github.com/ethereum/cpp-ethereum/wiki
http://gavwood.com/Paper.pdf

He may use both however:
https://blog.ethereum.org/2015/01/10/light-clients-proof-stake/

Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW.



20 Blocks , not confirmations. The attack would have still occurred whether you wait for more confirmations or not. waiting for 30 confirmations simply means that you could avoid participating in an illegitimate transaction, but the attack still occurred.  20 blocks is merely the window the attack needs to occur in for NxT, once the attack occurs the network will need to perform a hardfork, or rollback the blockchain to recover which has its own set of problems.

--------------------------------------------------------------------------------


TaPoS can be used with PoW to improve the security of Bitcoin like one example I provided:

These things are not mutually exclusive. The selling that you brought up to discussion could be one part of the plan. Actually I think the selling of the coins is going to be prominent part of most of the attacks. Let me remind that selling of a big stash usually does not happen instantenously when talking about a large stash like 10%. There is quite typically first a contract signed that there is going to be a sale and some time after that the coins actually change owners.

The period between signing the contract of the sale and the actual transfer of the coins is a perfect place to attack the coin where the seller has nothing to lose and in many cases quite a lot of to win by doing so. And there are situations where the timegap between those events is naturally quite long like months. A well functioning monetary system allows all kinds of transactions including ones where somebody can buy a big stash of coins in such a way for example in a situation where a whole bank/exchange business is up for a sale.

In PoS economy it is very risky to buy a big bank or exchange business from its previous owner. Think about a situation where the owner of a bank/exchange with big stash of customer coins in their possession has decided that he is more a risktaker entrepenour type of person instead of a person that runs an established mature boring business and he wants to cash out and start over from scratch and take new risks on some other competing emerging new kind of coin. Quite natural event that I guarantee is going to happen thousands of times.

Can you explain this, please. An attack happens, someone generates an incorrect chain of 20 blocks. Now, everyone waits for 30 confirmations, so they then see that the fork is invalid and no one accepts an transactions. Why is a rollback or hardfork required? 

"Hence, it may make sense for a proof of stake algorithm to still require a small amount of proof of work on each block, ensuring that an attacker must spend some computational effort in order to even slightly inconvenience light clients."

I believe Nxt requires a single SHA256 hash for each block. So it already has an element of PoW as suggested there.


I know the initial intention of ethereum was to be mainly PoW, but with every blog post, Vitalik seems to embrace PoS more, so I'll be interested to see what the final version comes out with. With his last few posts, he seems to find very few problems with PoS (he learned to love weak subjectivity). I guess some others in ethereum might have different views to Buterin.

So I take the fact that Buterin, and now kushti/andruiman have taken a thorough look at PoS and they are seeing problems, sure, but also seeing solutions to those. If there is no fundamental reasons why PoW is better than PoS, then PoS will win out due to lower cost (imho). So I'm hoping that investigations into PoS continue, and that better solutions emerge, whether it be a stronger PoS algo, a PoS/PoW combo or a TaPoS addition.

You understand that long range attacks have proven impossible in simulations. So if a bank buys a large chunk of coins and waits the required number of confirmations, then the previous owner cannot launch any attacks. Or am I misunderstanding your premise?

I am talking about a situation where first a contract is signed where the whole bank is being sold including the stash of coins in their possession. A month later the actual change of ownership of the whole bank happens when new owner gets his personnel to take over. During that month the previous owner still has complete control of the bank but he has nothing to lose if the coins in the banks possession collapse in value. He still can transfer the 100 million coins to the new owner of the bank a month later like it says on the contract and he could not care less whether the coins have value or not.

Note that there does not have to be an actual attack. All that is needed is market to know that a big bank is changing ownership and the whole market knows that the stability of the whole economy is hanging by a thread during this month. Maybe somebody else sees this as an perfect opportunity to perform an actual attack and they also do not need to be nothing else than big nasty rumours that cause panic.

The consensus algo is what accepts the fork and this is where the weak subjectivity of the users and or developers would need to step in and correct the invalid fork. This has its own set of problems.


This has nothing to do with PoW consensus mechanisms. Next you are going to insinuate hashing itself is "work" thus one should consider all PoS to incorporate the PoW consensus mechanism.


Yet despite Bitcoin being in a death spiral of capitulation both Bitshares and Nxt have lost far more against bitcoin in the last year. Perhaps there are other factors that are far more prescient than the mining costs to secure the network?


There are many different variants of PoS, and some of them are indeed susceptible to long range attacks. Stop generalizing.

Which paper? The papers say there is no viable 10% attack.
There also is no 10% whale or exchange in NXT - you crossing it out doesn't make a fact disappear, you know.


Not sure what you mean with "we".
We know that PoW would be easier to attack if you magically get a 10% stake - since that would likely buy you 51% of all mining.


Physics? Really? I hope you're just kidding.


You're lying, or again proving that you're not even reading the links you provide.
And since you're wrong: You should answer the "why" question yourself.


A small proof of work component is exactly what NXT (and Blackcoin... and others) do.
Again, it would help if you read what you link - would waste less of everyone's time.

https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf

A previous block explorer, now taken down in favor of one with less granularity, showed that between 4-14 members controlled over 51% of the Nxt stake.


Incorrect as you assume that markets aren't dynamic, ignoring the costs of electricity, ignoring the alarms raised from amassing such large amounts of asics , ignoring the cost of setting up and maintaining the equipment and doing so in secrecy, ect...


This has nothing to do with PoW consensus mechanisms. Next you are going to insinuate hashing itself is "work" thus one should consider all PoS to incorporate the PoW consensus mechanism. If we must use your twisted definition of PoW than the point still stands: Why does Vitalik insist upon a much more inefficient version of PoW with a hashimoto dagger IO bound PoW consensus mechanism?

I think what ThomasVeil was hinting at is that the amount of work required to forge on all possible chains grows exponentially over time.

Research Paper correcting/revising the one I cited?

yes

Link so I can review?

Ok, you are referring to a bank that has 10%+ of coins. This should not happen much/at all in a flourishing PoS economy. However, if this is happening, and the market knows the possible problems, the buyer can yet put specifications on his sale such as seller destroying the assets prior to the sale can invalidate the sale.

No WP quality needed, just step-by-step instructions. And why should I trust you made successful attack on Apexcoin? Please provide proof of that then we can start talk about the details

I wouldn't say far more. There are more forces at work than mining cost, certainly. Bitcoin is the big daddy of crypto and in a world of it's own in terms of price and network effect. But if you compare PoS coins versus non-bitcoin PoW coins over the last year, I'd expect PoS coins to come up on top.

Well, I agree that some PoS algorithms are most likely much worse than PoW. I'm more interested in the potential of PoS, how secure it could be if best practices are followed. PoS is still growing up, Bitcoin is much further ahead in terms of protocol security.

(Edited to remove something I was wrong about.)

Dude, you're killing me. Reposting the link doesn't help if it doesn't contain what you're claiming.


Learn basic math. 
Some common sense would also help: That block explorer probably showed the forging stake, not the coin ownership.


Buying one or two forging pools and one mining facility should totally do the job. I don't see how I miss costs there... those likely run profitable or close to.
Note how for a state actor all this would be in fact easy, undetectable - and basically free.


I don't "insinuate" - it's a straight up fact: hashing is work. It has a difficulty  - used as protection mechanism. You can't provide blocks for free.


The paper you linked doesn't say that. In the blog links you posted he doesn't say that. You're chasing me in circles with your fake references. I'll end responding.
In fact most your links say: he leans towards POS (which checkpoints of several months of age), which you don't want to explain. You're not living up to your own standards.

If you are speaking about the past years this simply isn't factual. PoS coins have almost all proven to be ICO scams or pump and dump opportunities.


I agree and would like a TaPoS layer or sidechain added to bitcoin as an option for added security.

It was coin distribution based upon the ICO.


States are porous and leak secrets all the time. Most people in IT knew of the Snowden revelations years before he became a whistleblower.


I will concede he changes his mind often but if you have been following the nuances of his papers and interviews you will see that he is not content with Slasher Ghost for security alone and is likely to include hashimoto dagger IO bound PoW.

I like TaPoS and think it should be added as an option to bitcoin. You seemed to me to be somewhat defensive and reactionary. Are you upset that Nxt and Bitshares are losing ground and dying?

This is true. I wondered if most ICO scams choose PoS variants because they cannot easily get network backing using PoW?

https://bitcointalk.org/index.php?topic=897488.msg10152632#msg10152632

cough cough paycoin cough

Because I like a good discussion it grinds my gears if someone pretends to engage in one, and then doesn't do the most minimal diligence - not even spending 2 seconds thinking. Posting links and completely misrepresenting what they say. It's disrespectful.
Or this stuff:


... which would take about 5 seconds to verify. It's public info (in fact in the blockchain) and 3rd grade math. No user could have had close to 10% of the stake.


...or diverting into completely unrelated topics, ignoring the issue.


Or concessions like that.

My guess would be that PoS is a useful "buzz word" that few people have actually researched, but that seems to be really cool.

Marketing 101. :)

It's one of the reasons I am glad research that is verifiable is finally being done. It's a lot harder to make claims when there are verifiable counter arguments around.

It is a premined ICO with only ~70 participants. The original blockchain explorer reflected granularity from 10 million to 100 million  instead of 1 million to  1,000,000,000 as shown here: https://nxtblocks.info/#section/blockexplorer_distribution

I was able to calculate that between 4-14 individuals control 51% stake in NxT at the time which indicates there could be a few people with over 10% stake. In fact it would be surprising that a couple of the developers didn't hold onto at least 10% of the premine.


How could you possibly know that?


This isn't a research paper refuting the previous work but just a statement just like below:


https://nxtforum.org/consensus-research/multibranch-forging-approach/?PHPSESSID=qi7nicmsk2cmc6ri87mtrstcd6


Or are you just playing a semantic games and claiming that a little effort is expended in performing a N@S attack therefore it technically shouldn't use the word "nothing".

let me google that for you: "kushti n@s attack"

First hit:

https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf

I like how the Nothing@Stake attack keeps mutating as time passes  :D

From what I know Vitalik wants to go PoS, but Gavin Wood et al refuse to do anything other than PoW.

That is the article I linked to which indicates you can perform short range N@S attacks with 10% stake. When kushti published it he even admitted such:




I believe what is happening now is Nxt Supporters are now suggesting N@S is impossible because they are interpreting "Nothing" literally and indicating only short range attacks are possible. If you want to play word games that is fine, lets call it a bear raid and short range attack combo.



Interesting and plausible. Gavin is a wise man if so.

The first explorer is still very much active: http://nxtexplorer.com/

I was referring to this:

http://charts.nxtcrypto.org/cDistribution.aspx
https://web.archive.org/web/20140928121336/http://charts.nxtcrypto.org/charts/cDistribution.png

On the old site you could also see the exact amount of users wallets in the 10 million to 100 million category.

This only reflected the amount of coins per wallet so even some of those few wallets at the top which contained between 10million-100 million could have been held by the same individuals.

So earlier, that Buterin had thoroughly studied the vulnerabilities and found PoS wanting made it clear to you that PoS had insufficient security.

Now, when you find out that Buterin has decided that PoS is the best option (but is dissuaded by others from using it), Buterin is clearly wrong despite his thorough study.

So there are probably no arguments or studies or science that could persuade you that PoS is secure, right?

First of all, we don't know if Buterin prefers TaPoS over PoW... I am simply open to evidence and am willing to admit it is plausible. The point still stands with Ethereum whether it comes from Gavin or Vitalik.

Secondly, as I have stated numerous times in this thread, I like TaPoS, and think it offers some security differences, benefits, and weaknesses to PoW and would like to see it integrated as a layer on top of Bitcoin for added security and other benefits.

Just because I can find critical flaws within PoS variants doesn't mean I see no security or benefits from such consensus mechanisms. I have been vary critical of bitcoins weaknesses, PoW weaknesses, and Bitcoin companies throughout my post history.

I am not interested in trading one set of problems for another but rather discussing methods of strengthening crypto-currencies security and understanding inherent weaknesses.

That site wasn't "taken down", but abandoned by the person running the charts.
Small difference, and you could not know that. :)
We're working on getting them back up. It's good info to have available.

That article isn't the latest information, this post from 14th Jan is..


When he published the multistrategy paper in Dec, the post indicated that he thought the N@S was overblown and explicitly stated that he hadn't included these results in that paper.

Kushti's research shows that the Nothing @ Stake attacked described by Vitalik (as he was the only one to describe it in any detail) is BS. If you have a different attack, you'll need a different name  :D

let's wait until someome tries to attack Nxt testnet. I'm sure the community would be glad to give out some teststake.

If anyone wants to have a try, please go to nxtforum.org and ask for testnxt.

We can talk again after some guys tried and report their findings, ok?

Hi Kushti  ;D

Do you plan to write these findings...

https://bitcointalk.org/index.php?topic=897488.msg10152632#msg10152632

... up into a 4th paper?


Or shall I just add the link to the post to the 'Nxt Whitepaper' thread?

Bump. Testcoin with modified forging algo is still in development. Kushti will have more time after release of version 1.5 of Nxt.

Two separate projects. CynicSOB still thinks he can break Nxt and is still trying AFAIK. Kushti is testing improvements that could be adopted by Nxt, all being well.

Further research published into Nothing at Stake- "tails switching":

The attack is more complex, right... for an attacker. Any non-determinism helps winning chain, that's pretty clear from our simulations(especially Nxt-like model https://github.com/ConsensusResearch/ForgingSimulation).

And for real-world-like testing, we're going to release own 100% Proof-of-Stake proto-CC https://nxtforum.org/general/kushti%27s-topic/msg157355/#msg157355 . We'll release attacking scripts as well, so everyone please join to try to crack proof-of-stake.

All I have seen is trying to twist the definition of "Nothing at Stake" to try and keep it alive (Kushti's rationalisation in his summary was a list of "N@S definitions so far" rather than thoughtful proposals)  ;D. Of these twists I've seen, none are POS specific and POW have it's own versions. GMaxwell warned Bill White off of using POS, so I pointed him to this research but he has made no comment as yet...

Last paper was about "tails switching". And now we're working on the several things simultaneously:
1. Better blockchain measure(than cumulative difficulty). Should lower number of confirmations needed to consider an attack impossible.
2. Proof-of-Stake + Proof-of-Activity hybrid simulation (paper on PoW + PoA http://eprint.iacr.org/2014/452.pdf)
3. Formal (yeah, truly formal) definition of some cryptocurrency properties. Probably next paper will be about that, as code is mostly ready here(definitions + lemmas/theorems with proofs made in Coq interactive theorem prover).
4. SCOREX to try research findings in almost-real world environment.

Hi there,

Can I clear up a few questions floating around ? Not sure if there are answers or not.. So just thought I'd ask outright..

When connecting to a POS network, a bootstrap number must be collected from a trusted source ? Say a recent block hash from the current valid chain. (You may already have one, but I'm referring to either NEW users or users reconnecting after a non-negligent period of time)

Once you have connected to the Network, it seems that everything runs smoothly. That's great!  ;D

Now, if you have connected to an INVALID / BOGUS POS network, when someone on the actual valid network connects to me and says 'Hey - THIS is the valid Network' there is no way for me to know which network is valid ? (Based on looking solely at the 2 POS chains in contention) I would need to ask someone I trust ? There may of course be 100's of competing chains, all saying ' I'm the valid chain! ' not just 2.

It seems that long range / short range attacks are a non-event ATM, but the current troubling aspect, for me at least, is the inability to rectify connecting to a bogus network at start up. If that is the case ?

What I mean is, in a POW network I can look at various chains, and see that one has more work than the other. Simple. Even if I do connect to the wrong network, I can always tell when I see the real thing. In POS I cannot ?

I do not see this as an ' IT'S BROKEN if this is the case ', but I do think this is a 'fundamental' issue that troubles many of us..

It would appear analogous to The Silk Road's Onion address changing every week, and having to re-find the valid address, or risk using an FBI honey pot trap. Yes obviously I can ask my friends what address they use, assuming they have used the site in the last week or so, but anyone who has tried to find that particular TOR address, knows that it is not 100% straight forward.. Does that make sense ?

be gentle..  :-\

You weren't frothing at the mouth in your post so there is no reason why anyone else should be  ;D and you seem genuinely interested so the following applies to Nxt POS

Longest chain rule with highest difficulty applies in Nxt too. Nxt is pretty much the same as bitcoin if you imagine each Nxt as a mini mining rig. The current solution to joining the network after a break or initially is the yet to be implemented Economic Clustering feature. The idea being, to complete a transaction you both have to be on the same chain. So everyone joining would look to an entity (or two or ten) that makes a lot of activity I.e. a store, exchange etc. This is where the economy clusters around. Everyone has the incentive to be on the same chain, as otherwise their transactions are void so number of forks should tend towards 0. I believe Vitalik refers to this concept as Weak Subjectivity whrn he wrote about it in his blog.

In theory, if 51% the network nodes and passing around garbage chains then as long as people stick to the economic cluster (which I believe will be automated but don't quote me) then the attack will be resisted (a lot of garbage floating around though). I believe this is what led BCNext to believe Nxt was 90%+ resistant to attack. And the garbage chain would still have to have a higher block height and difficulty to stand a slim chance of a shred of success, which I think Kushti and Anduiman have shown is very very unlikely.

Kushti will correct me if I am wrong  ;D

Please explain to me difficulty in POS?

TL;DR cumulative difficulty is higher the larger the total amount of stake that forged the chain


More information:
Formula see here: https://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt#Cumulative_Difficulty

"A cumulative difficulty value is stored as a parameter in each block, and each subsequent block derives its new difficulty from the previous blocks value. In case of ambiguity, the network achieves consensus by selecting the block or chain fragment with the highest cumulative difficulty."

"In Nxt higher difficulty of a branch means that this particular branch was forged by owners of a larger amount of coins."
(Come-from-Beyond)

IC, Whichever chain has more coins is considered more difficult. Weird way of expressing that. I would think it would be refereed to as heavier. Thx for the explanation.

ok. The highest difficulty being the 'Chain with the most Stake involved' is nice for sorting out chain forks on the valid chain. But I don't think that helps with the 'bootstrap' scenario, as an attacker can fake as much stake as he wants on his 'fake' chain. 'Fake as much Stake'.. lol..

Also - the Economic Clustering, which as I understand it involves putting the hash of a previous block that must be on any chain this txn  is added to, does indeed help reach consensus on the valid chain. But again an attacker could fake as much or as little activity as he wanted on his fake chain. Thus in a bootstrap scenario, I'm not sure that helps either.

?

In crypto, a stakeholder has to prove that he has the private key to his stake when he wants to do a transaction. You can't insert a fake block where everyone sends their coins to you, because transactions need to be signed with private keys. The NRS would detect and ignore such a block.

But this is not what you want to do, you want newbies to see a complete fake chain.
Because each block contains information about the previous block, and you need to sign transactions with the private key of the account owner, you would need to alter history all the way back to the genesis block and create a new one where you have the private keys for creating a fake chain.

Since GENESIS_BLOCK_ID = 2680262203532249785L and all initial transactions from genesis account are hardcoded in Genesis.java, I don't see how the attacker could succeed. All he could do is create a Nxt clone.

Yes I see. Thanks.  In effect, the 'bootstrap number' I've been talking about, is now 'PART OF THE PROTOCOL'. 

Although - if the initial stake holders ever sold their private keys once those accounts were empty, or lost / hacked / QC cracked, then maybe you could cause a little heart ache..

Welcome. Indeed, it's been part of it from the beginning.


This is not possible because of checkpoints in the client. A newbie with a clean NRS downloading the blockchain from scratch would still reject the fake blockchain.
Quote from nxtforum.org:


it is refreshing to have such civil discussions here on btt for a change :)

True. But it would be a lot of work for an attacker to get these historical keys, create a new chain that seemed to have a greater cumulative difficulty, fake all the timestamps and rolling checkpoints, and then they'll only fool newcomers to the Nxt blockchain with no one to tell them which is the correct one.

By the time someone attempts such at attack, there may be other protections in place. I know that Consensus Research are looking into options.

CynicSOB still hasn't convinced any of his theory and has yet to put his attack into practice yet, one day soon hopefully!

Will have a talk about Proof-of-Stake and our work around it @ SF Bitcoin devs meetup on Sunday http://www.meetup.com/SF-Bitcoin-Devs/events/221241204/?fromEmail=221241204&rv=ea1 . Feel free to join and ask questions!

Are there any details already available or it will be a surprise?

Well, that will be about allowing multiple branches as described in our papers. It seems the Valley people are still discussing deposits / fines to "improve" Proof-of-Stake, so our ideas will be pretty innovative to them, I guess :)

My comment on Poelstra's rewrite of PoS impossibility article https://www.reddit.com/r/Bitcoin/comments/2zpmlj/expanded_rewrite_of_distributed_consensus_from/cplj4ug

Slides from my talk @ SF Bitcoin Devs Hackathon (titled "Proof-of-Stake and its Improvements") http://www.slideshare.net/AlexChepurnoy/proofofstake-its-improvements-san-francisco-bitcoin-devs-hackathon

Any good criticisms there?

Got some good questions & feedback. Love Sunday meetups much more than others  :)

I guess no one has any found any fatal flaws in this research then?

What are the next steps Kushti, were you planning on testing a modified algo in a test coin?

No any critical flaws found in Nxt-like proof-of-stake. On other hand, no any strict formalization made yet as well.

So there are two things to be done:

1. Formalized model showing Nakamoto's property could be met in proof-of-stake with contribution to multiple forks allowed(in other cases there are other problems with formalization). Simulations show the property is seems to be met, thanks to cumulative difficulty working more or less ok as fork selector function(btw, PoS coins with longest chain rule have problems here, at least).
I'm now talking with guys much more skilled in CS/math about possibility of the truly formal framework.

2. Practical contributions to Nxt / other projects around. Nxt's algo seems to be pretty safe, though block delays distribution is needed to be better(closer to average value). It will reduce or mb even eliminate incentive to contribute to multiple forks(by trying to do private branch attacks, then share private forks, then we have majority of forgers having multiple-branch forging with N@S possible as result in such environment). I hope some improvements will be made in 1.7/1.8.

And yeah, "test coin"(don't like "coin" word here, I would like to call it "experimental blockchain engine for hackers"). Making some changes now, so it will be possible to switch Qora's PoS to Nxt's by changing 1 line of code(and introduce other consensus models easily). Then yeah, multiple branching will be introduced in Scorex. Some non-consensus things will be tested as well, e.g. Bill White's scalability proposal etc.

Switching from Qora's to Nxt's algo with 1 line change is implemented, having a lot of fun by playing with both algos.

Glad to hear this.

Thanks,kushti.

Bump  ;D

Any news on the truly formal framework formalization?

Or the "experimental blockchain engine for hackers"?

P.S. Bill white plans to contact you about Scorex when he has time...

Will you be integrating the finished thing into Qora before Nxt to see how it performs on a main net?

1. No major news in the field of truly formal proof-of-stake description. It's the question of months at least probably(btw, good formal framework describing proof-of-work appeared only in second half of 2014, 5+ years after Nakamoto's paper which is pretty informal).

2. Just made pre-announcement https://bitcointalk.org/index.php?topic=1060567


P.S. Communicating with the awesome guy Bill regularly :)




Nope. And Nxt will got some evolutional improvements, not radical. as radical changes seems to be not much needed at all. Qora's algo needs for some other improvements, I would like not to disclose the details here though.

Kushti, what exactly do people mean when they say "Nakamoto's property"?  Can you link me to somewhere that gives a precise definition for this term?


Any links you can share for "good formal framework describing proof-of-work"?

Well, I meant this awesome paper https://eprint.iacr.org/2014/765.pdf . Please take a look to "The common prefix property" in the paper - it's literally the same as "Nakamoto's property".

Just finished constructive proof of the FLP impossibility theorem with Coq https://github.com/ConsensusResearch/flp . Hope it will  be a step to blockchain consensus formalization. Now I have a lot of other work to do but hope Coq repository with blockchain consensus formalization code(PoS-friendly) will be started someday :)

Kushti,

I came across a guy looking and thinking deeply about POS.

See https://bitcointalk.org/index.php?topic=1082139.msg11547314#msg11547314


It opens...


... I made him aware of your work  ;D but he seems serious and open minded so maybe you two can help each other to keep pushing the boundaries.

Thanks, answered there :)

Update:

Can anyone link me to some criticism of these claims by qualified people? I'm especially interested in a rebuttal to the claim that long range NaS attacks are not possible in the system that kushti has defined in his and his group's research.

I think long range is not possible because rolling checkpoints. Also when downloading a new chain there is a trust system so you download from a trusted source. Rolling checkpoints are nice but create the risk of dividing the network. A fork larger than the largest allowed reorganization would not be resolved and the network would split.


maybe he's thinking too deeply: he proposes an overcomplication that generates centralization and doesn't solve the problem it's supposed to solve.

I remember Bitcoin itself was using checkpoints at one time, not too long ago too. Haven't heard much about that in a while. Do you or anyone else know if they are still in use at all?

Here they are: https://github.com/bitcoin/bitcoin/blob/86cfd23f68367af072500b1758a4c446cdd36e74/src/chainparams.cpp#L122 . Last at 295K.

Long range isn't possible not because of rolling checkpoints only(max reorg depth in Nxt is 1440 blocks and you can't generate private branch of such length better than network's not having majority of online stake before splitting).

I hope James saw the following comments pointing out that shorting is a means to profit from the destruction of a currency as alternative to needing to sell or double-spend: