Bitcoin Forum

(It was already mentioned a couple of times in comments, but they are often buried, so I want a separate discussion.)

The most 'interesting' part of a cryptocurrency design is its defense against double-spend attacks (since ownership is trivially implemented via public key crypto). In Bitcoin it is done using proof-of-work approach.

In PPCoin it is done using proof-of-stake/proof-of-work hybrid.

The problem is that proof-of-stake used in PPCoin does not really defend against double spend attacks. At all.

If you have a large enough stash of coins you can do a history rewrite of arbitrary size. Particularly, you can rewrite last few blocks to do a practical double-spend.

If it fails, you lose nothing. So only irrational person would not do double spends.

If we assume that miners are rational, they will try to do these attacks, it is a legitimate business with PPCoin. It costs you nothing, but brings money (e.g. kickbacks), so why not?

So, well,. this scheme of proof-of-stake does not work. Actually, authors note it in PPCoin paper, so they use a centralized checkpointing approach.

So, let's summarize:

• proof-of-stake is useless
• currency is secured through centralized checkpointing

Thus it is definitely not a decentralized cryptocurrency.

(It's worth noting that there are better ways to implement proof-of-stake, it's just that method used in PPCoin is flawed. https://en.bitcoin.it/wiki/Proof_of_Stake )

In all fairness, the authors of PPCoin admit it is currently not fully decentralized, but they wish to remove these "broadcasted checkpoints" in a future software update - it is used for bootstrapping the coin.

I can't say that I support the idea myself, but it doesn't smell like yet another SolidCoin to me, just leaves a bad taste.

They hope that they'll find an algorithm to do distributed checkpointing... But that's the whole point!

So what they say essentially is: "We haven't developed the main part yet, but we hope there is some solution. Meanwhile, here's this completely centralized system with proof-of-stake used as disguise of decentralization".

I'm not claiming that they are scammers, it is just incredibly sloppy crypto design. Somebody was just too eager to release the first proof-of-stake based cryptocurrency, without thinking about security much.

This a fundamental flaw with PoS in general. A decentralized currency is based on game theory. In PoW we have miners competing with hash power to win blocks. In PoS we have the game owner making up the rules as they go along. That's not much of a game. A hybrid money game would work, expecially with competing verification systems, but the rules have to clear, up-front, and fair.

No, it's not. Read the wiki page on proof-of-stake. The existing proposals have been designed to not hand the keys to the network over to anyone. Proof-of-stake must be implemented as PoW *AND* PoS. Proof-of-work is meant to add security, not take it away. But that's exactly what happens in PPCoin--PPCoin greatly lessens the security of the network.

As long as it's based on a game theory with both competition and cooperation, then it can be fair. I did not mean that the blockchain is controlled by network keys, but by monopolists that have control simply by being early adopters.

But in the existing, community-vetted proof-of-stake proposals nobody is given control because of a high balance. In Mini's proposal, for example, PoS is simply a method of voting on checkpoints. It's therefore reactionary and you'd have both significant mining power *and* a significant balances to execute a double-spend attack. With PPCoin you need either significant mining power *or* a significant balance to execute a double-spend. That's not a trivial difference.

I hope the issue of checkpoints can be automated without any human intervention. Competing strategies for block and fee rewards should serve to keep each other from gaining overwhelming advantage. I suppose a two-factor strategy will work once the game is fully developed. PPCoin (or a version of) may work in the long run but it seems a very complex set of rules would be needed to manage the network. I would prefer a third player for simpler game balance, but it looks promising for now.

Well, I believe proof-of-stake can work if there is a way for someone to lose his stake if he is caught participating in malicious activity.

E.g. you use 1000 coins to sign a double-spend transaction and you're caught, your 1000 coins are banned. If chances to get caught are high, incentive from this double-spend must be much higher.

This means that for a transaction worth 100 coins you can trust 1000 coins worth of confirmations, as nobody in his sane mind will risk his 1000 coins for 100 coin double-spend.

Now there is a question: how do we detect and punish a double-spend? Well, detection is trivial, but we don't know which miner is guilty. (Or maybe miners are not guilty at all.)

I believe it's tricky, but not impossible.

One way is to implement is to make it manual: if there is a large reorg, simply half operation and let human operator to decide which blockchain we trust. Eventually consensus will be reached and guilty party would be punished.

So under these conditions double-spends will never be done for profit, but only as a form of DoS attack. But this DoS attack costs money, so we can expect that there won't be a lot of that.

Also, monopolization isn't such a problem: if monopolist pisses off people they can just ban his stake. (For this to work stakes must be identifiable, i.e. one needs to move his money from transactional account to stake account, and this move should take a lot of time to mature so it's not easy to switch.)

So back to your game theory analogy, it is a game where if you play by rules you get profit, but if you try to break the rules you lose. Makes sense, no?

It seems to me that in order for a coin to become soiledcoin, the coin's dev must pick a fight with an uber-hacker.

Do you know something about solidcoin that I do not ?

Pretty  much this.

+1

PPCoin is NOT DECENTRALIZED!

+ 2

The creator, Sunny Drag Queen, claims to have spent $100k-$200k of development time on PEEPEE COIN.

interesting thread

Not the case at all (see the white papers please.), and even if you it *was* the case... consider bitcoin, to buy even 10% of bitcoin market, would cost $12million.  This is more expensive than a 51% attack, and, and you'd need more than 10% of the cap.

And this.

Most the complaints about PPC are from smoothie, and dice/greedi. All well known LTC speculators. 

The PPCoin proof of stake system does exactly what it is supposed to do:

Amplifying the early adopter benefit to the point where it becomes useless for any other useage except pump & dump. If you have lots of cash and think you can corner the market you can probably get quite a bit of profit by doing it.

+1...now Pump and dump that shit...lol...oh wait....no just dump lol

BITCH!, i told you to get me beers!, wtf is up with up.. i TOLD you on IRC to get my beers, you KNOW your my lttle BITCH!!

meh I think PPcoin has one last hickup in it, look at solidcoinII there was a short but very profitable climax for some sharky investors.

where is the graph of PPC worth....where you can see that it was already pumped and dumped


ElectricMucus could be right, there still might be another one left in it.



someone linked it:   http://www.proofofstake.com/ (http://www.proofofstake.com/)

pump and dump much?

anwser me on IRC bitch, or are you to bitched to do that?

Not really, have a look at the charts on http://www.proofofstake.com

I think compared to other currencies, PPC has the most valid argument for not being this pump/dump currency due to it's innovative minting vs difficulty construct.  Could you explain why it may the opposite?



No graph shows this, unless you can link me to one? have a look at the ltc ones at ltc-charts - it's a regular cycle if you check the trade volumes.  

1000% increase and then 1000% decrease. How the fuck is it not PUMP and DUMP?

Clearly it is! :D

ANSWAR ME BITCH!!!!

If you and Dice have anything to say, say it here. I know you're upset that I've called LTC out for it's pump/dump mechanic, as have amny others, and shown your LTC scam here (https://bitcointalk.org/index.php?topic=108826.0), but no need to get childish.

hmmn it goes like this

-) get PPC
-) collect proof of stake reward
-) ?????
-) profit

ahh fuck off andyrossy u lil bitch

[/quote]

Most the complaints about PPC are from smoothie, and dice/greedi. All well known LTC speculators.  

[/quote]

The thing is, at this point Litecoin actually looks like a credible alternative currency to use along side Bitcoin. It's similar enough that people don't really have to think about it too much, and it has the added benefit of faster confirmations.

And I say this currently owning 0 Litecoins. But I think there is a demand, and probably a growing demand, for a reasonable alternative/complimentary currency to Bitcoin.

The onus is on PPCoin supporters to demonstrate why they think it is a superior choice. Because at this point Litecoin doesn't look like it's going anywhere. And all the criticism towards PPCoin does not seem too out of line from an outside perspective.

I support LTC, I just think as you said, it doesnt really bring anything new to the table.  The information about PPC can be read on the white papers (http://www.ppcoin.org) for those who are curious. :)

The criticism to PPCoin, at least the numerical / pump dump stuff isnt really credible, but, other criticisms about the PoS have merit- i think the biggest question at the moment is more offline wallets vs PoS generation, but there is a thread actively discussing which way to take this.

I don't know why you guys resurrected 2 months old thread...


This is bullshit: white paper has little information, and it is about an old version of ppcoin. It isn't relevant anymore, and probably it wasn't really ever relevant...

After harsh criticism (including mine) Sunny King changed  how PoS works...

It actually have got considerably more secure, I admit it. Still I believe it is inferior to proof-of-work and to PoS+PoW hybrids.

But what's alarming is that Sunny King is not willing to publish his security analysis. When I did some analysis on my own he showed that he is fully aware of issues involved. But he simply does not want to participate in discussion. I.e. he develops some algorithm, says that it should work and you people believe him. That's pathetic.

lol you guys are talking about PP

I am perfectly willing to engage in discussions however to my disappointment only cunicula among the self-proclaimed proof-of-stake experts seems to be capable of civil discussions. I don't see much merit in your so-called security analysis. I understand your criticism, but coblee also thinks the type of attacks you are concerned with are not practical when you presented the same argument to his litecoin proposal. Sure I will consider improvements in the future as problems arise, but that's hardly a valid excuse to paint ppcoin design as worthless.

The problem I see with your camp is that you guys have too much ego and think only your proof-of-stake design is good. The so-called critics (except for cunicula) did not give even a tiny credit to ppcoin team and me. I only hear regurgitation of how your design is more legitimate and superior blah blah plus a lot of dirty words thrown on ppcoin.

I am sorry I cannot acknowledge this type of 'criticism' as constructive. No you didn't contribute to ppcoin, with or without your 'harsh criticism' I was going to introduce the v0.2 improvement to ppcoin, which I entirely came up with by myself.

I hope you can realize the error in your ways and start engaging in meaningful discussions without unreasonable attack on ppcoin and me. I think you are smart and maybe can contribute some good ideas if your mind is in the right place. As I said before I wish everyone of us can look deeper and realize that maybe we work towards the same larger goal so we can throw away our petty differences and be respectful to each other. I do not hate all these litecoin trolls either who throw insults on me freely, but I pity them and hope one day they would realize what they did was wrong as well.

+1 well said, too much ego in this place

just my 2 ppc here ;)

Sunny contacted myself directly after seeing my issue with payments below 1 ppc.
For my limited experience and first impression he seems very willing to discuss any issue with ppc.

The point about egos is on point. Most criticism (not all) is driven by personal feelings. This type of criticism is just noise and should be ignored.

That said, killerstorm raised a very important point. The workings of PPC are opaque. Learning the  protocol requires sifting through the code. It is not reasonable to expect outsiders to do this.

This makes it very difficult for outsiders to analyze PPC. A new white paper which contains details sufficient to implement ppc independently would solve this problem.

Sunny has to be the person to write this. Sonny, lay out the protocol details and let these details speak for themselves.

I agree. Claiming you (Sunny Drag Queen) spent $100,000 to $200,000 of development time on PPC is EGO


AND A LIE.

beat me too it smoothie...did he not take it in bitcoin too?  ::)

Is this in reference to the 250BTC that RealSolid begged to be paid? lol...

yup, thats right...why not take it in PPC or Scamcoin?

Civil or not, my formula is the ONLY estimate of cost of double-spend attack for PPCoin (as far as I know). Ironically, I demonstrated that attacking PPCoin's PoS is somewhat hard and thus it might be secure.

Without this estimate it's just faith-based currency. Like, Sunny King's intuition says that this code is secure, then it must be it! All praise Sunny King!


People try to find holes in crypto constructs all the time. For example, best known preimage attack on SHA-256 is: "41-round SHA-256 out of 64 rounds with time complexity of 2^253.5 and space complexity of 216". It is completely theoretical since it doesn't even attack full SHA-256 and 2^253 time complexity is absolutely impractical.

But these kind of theoretic attacks are very important since they show that even very clever people cannot find ways to attack SHA-256. We were able to get some confidence in this crypto function only after years of analysis.

But Sunny King wants people to simply trust him...


Litecoin proposal is PoS+PoW, you have pure PoS. It is a completely different thing.

Also, bribery isn't the only way to attack PPCoin, one having access to considerable amounts of "stake" can try to do that. Practical double-spend attacks require much less than 50% of coins.

---

If Sunny King has no trust in theories, perhaps we can show it in practice? We can organize a fund which would purchase as much ppcoin as possible. Then it will try to perform double-spend attacks... Alternatively, fund can bribe people to use their stake.


1. I don't have my own proof-of-stake design.
2. I think that PPCoin is interesting and Sunny King is likely a smart guy.
3. However Sunny King has too much ego which likely hurts his currency.


Yeah I guess those people who try to attack SHA-256 all have too much ego, they simply should have trusted SHA-256 designers.


Sure, you can just dismiss formula which estimates costs of attack simply because a guy who wrote that formula doesn't sing you praises. That's how it works among mature people.


Yeah I know, you developed it for 9 months, then two weeks after release you found a way to make it much better and completely different. Your sudden enlightenment has nothing to do criticism you read on forums.


Apparently spending several hours on analysis and writing down a couple of formulas doesn't count as meaningful now.

As for unreasonable attacks, you should probably send a message to that guy who found 2^253 attack on a weakened SHA-256: his attack is just unreasonable, he shouldn't have published that paper. Likely he's just too mean and has too much ego and doesn't want to engage in meaningful discussions.


Oh, how cute, so when will you publish detailed design documents and analysis so we can discuss it?

IIRC you said that you have it, but you don't want to share it with anyone.

Tip sent for being one of the best posts I have seen here. Well done Killerstorm, well done.

Killerstorm, Now that is fucking ownage on a whole new level. Good job.

Hey Sunny, I'd like to see your reply to Killerstorm's post.  :D

Show us all how much ego we have please...

Right now my priority is operational and security issues. Design paper may be updated in the future but there is no guarantee at this moment. Unfortunately that's how things are done outside ivory tower. I feel with the design paper + source code out there if you truly want to do some analysis of the algorithm you already have all you need, not out of the norm even for pure research oriented work you'd have to make some effort to understand things.

You can also help to make the learning curve a bit less steep, by creating some wiki articles/discussion topics for example.

Sigh, killerstorm, I already replied to your formula the same day I don't think they are correct. Whatever you believe, you can feel all superior and think your 'security analysis' is all foolproof, and warrant personal attacks and smear campaigns of ppcoin.

Sorry I don't think a real researcher on these issues act like you do. They are probably more level headed and responsible. So I guess we'd have to part our ways then.

Actually there is a method to provide accuracy, it's called a mathematical proof.

Of course that requires alot of work research and skills, and somebody capable enough to do it wouldn't even fork the bitcoin code but start over.

I don't think so. You replied with an asymptotic approximation of my formula which shows that splitting stake into many pieces doesn't help. (Which is understandable.)
I guess this confirms that you accept my formula, or at least you don't have a better formula. Otherwise you would have shown your own numbers to dismiss mine.

So, well, maybe indeed my formula isn't correct. It was a very quick and crude analysis anyway. So where is YOUR formula?

You've designed this proof-of-stake system, so you must have some estimate for cost of double-spend attack, right? Right?

IIRC you said that one needs at least 50% of stake to own the network. Can you show at least some sketch for a proof for this?

Or -- gasp -- you don't really have any mathematical estimate, just your intuition? This really shows how security is your priority.

Note that Satoshi have published security analysis in his paper. See section 11 in the Bitcoin paper. Satoshi wrote two pages of text to explain fairly basic probabilistic model, then he included a C program which does the calculation and gave concrete numbers of several scenarios (i.e. 5 confirmations is enough to get less than 0.001 probability of double spend from attacker who has 10% of network's hashing power).

Do you think that Satoshi was in ivory tower when he wrote that?

(Now, guys, this was a real ownage.)


I never said it is. If you have something better show me that I was wrong.


Is it a smear campaign if I just state facts?


Yeah that will surely shield you from criticism :)

I'm not writing it for you, idiot, I'm writing it for people who consider 'investing' into ppcoin. They have a right to know.

I do not ask people to trust me, I ask people to question you before they get involved. That's all.

Again, nothing personal.

I don't think it's really that hard. For example, Satoshi's analysis of proof-of-work security is something undergrad math student should be able to do.

PPCoin is quite a bit harder to analyze (which is a bad thing), but numeric simulation isn't hard, again something undergrad student should be able to do.

Sunny King definitely knows both math and programming. If he haven't done simulation this is just because he doesn't give a fuck about research, as long as people trust that his coins are valuable and buy them.

Also, in many companies, particularly ones which work with important, mission critical things, programmers are required to write specification and tests before they start coding.

You are right I don't have a math analysis of how much coins are needed to attempt control of block chain. First it's more difficult than Satoshi's design, secondly I think there maybe other practical attacking vectors that I have missed so putting a math formula there as the final say on security is a bit misleading as well. So no I don't think I am ready to do this type of analysis. I think I have mentioned this before.

I did not claim that you need 50% coins to control ppcoin block chain. Much less of that would be enough.

It may not match your expectations but I did what I can to contribute, rather than sitting there and accusing other people being lazy and greedy while they are the ones doing the real work. How convenient.

If you are so helpful then why don't you polish your analysis and continue discussion on the security properties? Instead you would just launch your personal crusade to attack me and ppcoin project. If you worried so much about investors then why I haven't seen one pm from you describing the vulnerability of ppcoin and discuss with me ways of fixing it? I have received quite a number of pms but none are from the detractors as their main goal is to discredit ppcoin in public.

However given all that I have endured from you, you are still welcome to pm me if you truly wish to discuss about security analysis of ppcoin. Otherwise we would just have to part our ways.

Nevermind that you didn't analyse your protocol, I haven't even seen evidence that you know how the protocol works. Remind us again why you refuse to post the protocol specifications? Maybe someone else wrote parts of the code and disappeared, leaving you clueless? IMHO killerstorm is being far too respectful towards you than he should be.

Agreed.

How can you not have a math analysis of something you created. Oh wait...maybe because it wasn't you right?

No need to properly inform people of how your new system works, just get it out there and all the kiddies will buy it because it is a "crypto-thingie".

Do you really think, you're on the same understanding level as killerstorm as you seem to be trying to implying the same understanding as him. Even though he disagrees he actually seems to be relatively intelligent.

Oh nice try to change the subject on an important point. The intelligence insults don't work very well on me. Keep trying though, it is entertaining.

Like I asked in the other thread, does Sunny Drag Queen pay you in PPC by the hour or the minute to keep detracting from the SHADINESS of all things that are PPC?

lol  :D

OK, so let's put it straight. The purpose of proof-of-stake, and of blockchain protocol in general, is to prevent double-spends.

You claim that you've invented a crypto currency which uses proof-of-stake to prevent double-spends. But you don't know whether this protection is actually strong.

Too much cognitive dissonance... I'll give you an analogy:

"Hey guys, I've invented a new kind of tank armor, it's very lightweight, thus it's much more efficient and will likely replace other kinds of armor in future. You ask what damage it can withstand? Well, I don't know really, I neither can do modeling nor I can test it in practice. But how about this: you'll make some tanks with it and use it in battlefield, so we'll see what explosions and shells it can deal with. By the way, my recipe for coating is all open, so any material expert can analyze it."


It's not a "final say", it's a basis, a very first block for a proof-of-stake design. Proof-of-stake's purpose is to prevent double-spends, so first and foremost you need to check how good is your scheme against double-spends. Once you know it's good enough you can consider other "attacking vectors".

And I don't think it's hard, you probably can come up with a good estimate in a couple of days if you have skills. If you don't want a theoretic solution, you can do a simulation. It isn't hard to implement, again just a couple of days worth of work.

(Control of the blockchain is a different thing, by the way. It's obvious that one who controls blockchain can do double-spends, but small scale reorgs -- and thus double-spends -- are possible with much less effort, and this is what matters for security of payments first and foremost.)


Logic escapes you here. Again, perhaps analogy can help: suppose you build houses and I build bridges. Suppose I've noticed house you're building when I was walking in my spare time, and as I know a bit about structural integrity I've noticed that house you're building might collapse at any time. So I ask you to check your calculations (I might be missing something) and I also tell other people that they shouldn't go inside that house since it can collapse and kill them.

So now you say that you don't have calculations, but that's OK because you are the only one who builds houses. And apparently I shouldn't comment because I build bridges, not houses.

Does it make sense?

I do not work on proof-of-concept schemes, but I still can comment on them. It really isn't convenient because I don't get anything out of it, I do it in my spare time to entertain myself.


That's simply not what I do, I'm not an expert on that matter. You see, your problem is that real experts do not even want to touch your stuff because they don't want to dig into your code to guess the details. They just have better things to do. So you only get attention from guys like me which do it just for entertainment.

If you publish a better paper MAYBE you'll get more attention from real experts. But I cannot guarantee you anything, of course.

BTW I've already mentioned a couple of times what you can do to improve security.


It isn't a crusade, I'm just warning people about situation about ppcoin because a lot of people do not get it, they cannot do analysis on their own and they trust you.

But I didn't post anything about ppcoin at least for a month... Smoothie resurrected old topic which was relevant only before you released v0.2 (?). I just posted an update here, and that's all.


ppcoin is vulnerable by design, you can't fix it unless you implement significantly different algorithm. Do you want me to do your work for you or something?


Yeah, that's ok. I'm already quite bored with this ppcoin stuff.

So basically its another SolidCoin, and isn't even willing to actually claim he is not simply solidCoin back again under another username?

-MarkM-

What exact simulation do you want ran, I will run it. 

Andy

I would run the simulation too. However, Sonny needs to provide a detailed explanation of the random process that generates proof-of-stake blocks.

I cannot read the code. I cannot write a simulation if I don't know what I'm simulating.

Sounds like lots of people have questions that aren't being answered and are responded to, mostly by Sunny, as "It is the way it is because it is complex"...

lol

Who are you quoting?

It is more of a paraphrase of what Sunny has said recently on why he has no formula and analysis of PPC.

"It's difficult/complex....that's why"

http://youtu.be/C_c7cmeDAOw

kind of like a taco, within a taco, within a Taco Bell within YOUR MIND!  Its super cool and complex.

How is that a paraphrase?

Honestly Andy, your knob slobbing is almost as bad as smoothie's trolling. Are you getting paid?

How is it not a paraphrase?

 :D

Edit: Detract...change subject...oh back on topic....."it's difficult/complex....that's why"

No the question is whether it is by the minute or the hour in PPC is he getting paid.

LOL  :D

I do not want to run anything, I'm merely suggesting a simulation.

For example, you can simulate proof-of-stake mining where one malicious miner tries to mine many blocks in one go.

Setup is described here: https://bitcointalk.org/index.php?topic=102342.msg1139483#msg1139483

Suppose we have N equal 'stakes'. (N-n) stakes belong to honest miners, n belong to a greedy one who wants to do double-spend.

You can simulate PoS mining in this way: each block should have some random number X associated with it. Then miner rolls a dice to get random number Xi. If |X-Xi| < coin-days miner has then he signs PoS block.

So you go through all miners trying to find one who have solved PoS block. If nobody solves it then next block is PoW block, so you just roll another X.

For a malicious miner things are a bit different, though. He tries all his n shares one by one. If one or more shares solve the block, he immediately tries to build another blocks on top of it using his other stakes. If chain of k blocks can be built malicious miner wins a double spend. If his best chain is less than k blocks he doesn't submit his blocks so coin-days of his stake isn't reset.

For everybody else, solving the block resets coin-days, not solving it in this round increases it by one.

This is a very basic simulation. Ideally you should use parts of PPCoin code to simulate real mining. (Of course, only PoS blocks, you don't need to make valid PoW blocks.)

E.g. CTransaction::CheckProofOfStake https://github.com/ppcoin/ppcoin/blob/master/src/main.cpp

It isn't easy, it might take a couple of days, or maybe a week of work. But it's not a rocket science either...

How hard would it be to modify the PPC coin client so that it attempts to generate a stake block for not just the main chain, but also for any forks from the main branch?

Adoption of such a modified client would seem to slightly increase stake income.
(i.e. in the event of an orphaned block, you get your stake earlier. This means you accumulate coin age more quickly. This means your next block comes slightly earlier too.)

Complete adoption of this modified client would seem to make all forks equivalent in terms of stake content. Therefore only proof-of-work would determine chain selection, correct?

Also, as more people adopt this client forks become more frequent. Therefore, the rewards from adopting the updated client increase. Right?

Would that not nullify any perceived advantage of PoS though and then you might as well go back to PoW?  PoS in this case would really only be serving the purpose of transaction processing between PoW which would again contain all the security responsibility no?

Thanks.

Yes, that is the point. Proof-of-stake allows stakeholders to send a signal that one fork is correct. However, conditional on you having the necessary stake, each signal is costless and you can simultaneously signal for multiple forks (i.e. you can take both sides of the bet without any additional cost). Each signal will earn a reward if the fork turns out to win. Therefore you might as well signal for as many forks as possible.

I've been agitating for costly signals to avoid this problem. If each signal is costly, then you would only send it out for chains that are likely to succeed. The cost would be paid in work.

For some reason, only my proof-of-stake proposal incorporates costly signaling. I don't understand why.  I'm trying to provoke an argument about whether costless signaling is a major problem.
I think it is. Therefore, I think PPC coin should be modified to make signaling costly.

Now that I truly understand where you were going with that I agree :-)

Right now its not a proof of stake coin at all, its just a free coins for rich folk coin.

-MarkM-

You could try to do that, but other nodes may only take the first block you send due to duplicate stake detection (see design paper for the description of duplicate stake detection). That means you would end up on one fork anyway.

Also the proof-of-stake mint is based on coin age consumed by minter. You don't lose much if your block is on the wrong fork, as then the coin age wasn't consumed. So there isn't much incentive to try to prevent mint loss by getting on multiple forks.

And that is the problem.

Voting for the wrong fork should be costly, not a freebie.

Failing to consume your coindays means you can vote for every fork.

So stake ends up not helping at all, its just free coins for rich folk and does not protect against attacker's forks.

-MarkM-

Is it rational for miners to try to detect duplicate stake? I don't understand this well, so please correct any errors I make.

Say we have two forks (A and B) with a common history H. Each fork has the probability pA and pB of becoming the main chain. Chain B is one block longer, containing an extra block Sb. They share a duplicated stake block Sd.

(A) H-Sd

(B) H-Sb-Sd

Some unlucky miners are going to see fork A first. They perceive chains A and B to be of equal length. They will either extend fork A or add another fork to B. Some lucky miners see fork B fist and thus perceive fork B as longer. The lucky miners only extend fork B.

Aren't the unlucky miners at a disadvantage because their blocks are more likely to be orphaned. Wouldn't they be better off ignoring duplicate stake detection and just extending the longer chain, B?

If so, wouldn't miners prefer a modified client that drops duplicate stake detection?

The current algorithm is for the unlucky miner to try to extend fork A, but if B gets extended by others first then the unlucky miner would accept fork B and reorganize.

Once again I don't see much incentive here to try to disable duplicate stake detection and open yourself to serious DoS attacks. You just get your 1% later, it's not lost.

You do lose a little due to compound interest. I get 1% interest a year from PPCoin. This is compounded every time I get a block. Getting the block earlier increases the compounding frequency. I concede that the benefit is minuscule. You could reduce the benefit to 0 by compounding interest continuously rather than just calculating the block reward using simple interest.

My problem is as follows:

1) There is a positive incentive to adopt modified code.
2) The modified code invalidates the proof-of-stake mechanism.

A cheap attack is to release modified code and pay new users a small amount to adopt it. Stake contributed by these corrupted clients would no longer secure the network. You depend on the residual users who decide to use the original code out of altruism. Again, admittedly just a tiny bit of altruism would suffice to motivate them.

Anyways, the broader point is that security should be created by block validity rules. These rules are enforceable. Modifiable code should not be the basis for security. The blockchain-based solution is to require stakeholders to submit work when they submit signatures. This rule can be enforced in the blockchain.

This probably belongs to the same type of issues as the other open issue that minters may stop processing transactions. I generally consider under these type of situations most rational nodes would not try to modify client to gain very little profit. Tragedy of the commons most likely does not apply as the gain is minimal.

Ideally it would be nice to not have this type of issues, but in practice it might not be easy to completely rid of them given the design goals and other more serious attacks to defend. Also if it's true that users are easily bribed to adopt corrupted clients, then there are likely a lot more tragedy of the commons type of attacks to all cryptocurrencies including bitcoin.

But anyways we can keep this topic open in case it becomes realistic.

It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.

Would it not be relatively trivial to force a client to expend a portion of their coin age every time they sign a block and the remaining from the whole less a portion if they sign the "winning" block?  This way the will expend a whole coin age expenditure on the winning plus additional portions of the whole for every other split they sign?  ***note: does not fully understand PPC so this is just conjecture at best

The obvious fix is to require work submission to accompany stake signatures. Could you explain why you don't want to do this?

I have stated this numerous times, the goal of ppcoin project is to demonstrate energy consumption is not required to secure a cryptocurrency. If you want an implementation of your hybrid proof-of-stake design you are free to start your own coin, forking off ppcoin code is also welcome. I would only consider enhancement proposals that preserve energy-efficiency of ppcoin.

Except it is not more energy efficient. You are just engage in obscuration of difficulty and it's connection to energy consumption.

Okay, so it's all or nothing for you. That doesn't make any sense to me, but I'll respect that and try to come up with solutions that meet your ideals. I agree that (as an ideal) it would be better to have no work involved at all.

If you're really after this, you need to fork PPC so that it generates only proof-of-stake blocks and does not use centralized checkpointing. If it works, then we're golden. Otherwise the energy-efficient cryptocurrency is just an unsubstantiated hypothesis.

Punishments would likely cause reorganization of the currently accepted chain. Blocks and txns that were valid would become invalid once duplicate stake is incorporated in an older block. Strategic insertion of duplicate stake would become a double-spending strategy. My guess is that attempts to punish offending addresses will introduce very severe problems. People will strategically seek out these punishments to mess with the blockchain.

I think the appropriate strategy is to fiddle with the proof-of-stake reward. You want to make it so that, once your stake block is included in the main chain, you would always suffer from using the same stake to mine a block in an earlier, alternate chain.

For example say that you make the stake block reward as follows:

stake coins * (0.01+confirmations on stake coins/length of main chain in blocks*0.5)*coin-age in years. [This formula should be continuous compounding, but the simple one is easier to read.]

Then you have a minimum interest rate of 1% and a maximum of 51% (if you use coins that have sat idle since the genesis block). You get rewarded for delaying inclusion of your stake block. If you use the same stake to build on earlier branches of the chain, then you risk causing a reorganization that takes away your reward.

Some people will benefit from a reorg ex-post, but if they participate in the re-org, they will suffer from it. You can think of re-orgs as redistributing block reward from attackers to everyone else.

A question that arises is: If you always benefit from mining later rather than now, then why mine now? I think the answer is that some people will always be impatient and want spendable coins right away. You should take advantage of human weakness and use it secure the blockchain.

Could you improve this by making the algo such that the reward bonus works in a logarithmic factor ... i.e. if I wait 1 month I get say 5%, 2 months I get say 9%, 3 months - 12% and so forth (Numbers fudged for example) .... eventually you would get to the point where people would be encouraged to apply their stake in lieu of the diminishing reward increases.  And in this way you are not 100% relying on human weakness.

I don't think you would want to do that. Human weakness is pretty reliable.

IIRC this refers to the QoS issue with the missing incentives to incorporate transactions into the generated blocks. I would give that a lower priority than the issue discussed in this thread. Preventing double spending and creating a strong main chain are very important. QoS issues are a nuisance, Trust issues are a hazard.

Anyway - AFAIK one way to mitigate the risk of double spending is to just increase the number of required confirmations - and that can be chosen by the participants of a transaction. It may make ppcoin impractical for any form of fast transaction processing, but may still be viable for transfers which need cheap transaction fees (one of the effects of lower energy consumption is lower cost of maintaining the network at a higher level of security [51% attack] ) and can wait for a few days.

However, I like the idea of cunicula to impose some form of cost on creating a rejected proof-of-stake block. In that case the network would have to negotiate on what a rejected proof-of-stake block is, how to count them and what cost it generates on the used stake.

I just read most of this interesting thread.

The way I see it, the goal of PPCoin should be to lead the Proof of Stake currency space. As such a leader, it is essential that a simple security model for how it works is prepared and presented. The model should be on the same "analysis complexity level" as Satoshi's whitepaper - it should make it easy for every capable person to validate the model's assumptions and predictions.

I am somewhat invested in PPCoin, because of two reasons:

1. IMO Sunny King has shown some capabilities and innovation, as well as good communication practices. I haven't seen him "pull a RealSolid" and lose it.
2. I believe Proof of Stake is a good hedge for Proof of Work, and PPCoin is the best PoS coin we have.

Still, I agree with the detractors and think that a security analysis is clearly missing.
Perhaps such an analysis will reveal some changes to PPCoin that could solidify its security?
If a major change in PPCoin is required, now is a much better time to implement it rather than in a year or two.

Sunny King - PPCoin is not a research project anymore, with a market cap of $6,000,000. 8 months have passed since this thread was created. Sunny King, whatever else was on your development roadmap this past 8 months, isn't it time to focus on this aspect of PPCoin's security?

Detractors - Do you have constructive proposals for increasing the security of PPCoin? I think that solid, well documented proposals, will be favorably considered. I kind of like that Sunny King insists on such proposals to maintain the "long term energy efficient" property of PPCoin - the goal isn't to consume 1/2 or 1/5 of the electricity and hardware that Bitcoin does, but to achieve a cryptocurrency that's multiple orders of magnitudes more energy efficient than Bitcoin. Security should not be compromised for this end, but neither should energy efficiency.

Isn't there a Grand Unifying Theory of PoS that is easy to analyze, "secure enough", and diminishes the significance of PoW as time progresses?

hang on hang on even if this quote is attributable (and I can get my retinas back)...so what

this maybe a true claim of cost to do....I think you (or someone) admitted Sunnys work was more complex. It's not (always)ego to say  I think my work is worth X and that work over there is worth Y. It just a persons market appraisal.

Unfortunately the community will have to reverse engineer the security model of ppcoin in an effort to document it. On that note I'd like to push the idea of a tournament scheme to introduce a habit of exploring the security of POS (https://bitcointalk.org/index.php?topic=152809.0). I haven't had time to work on the details, but the idea is out there and people should state their opinions.

The POS implementation in ppcoin and any of its derivatives is mainly broken at this time. There has been an acclaimed "fix", but based on my analysis all it did was to disguise the underlying problems. A practice which seems to be systemic for the development of ppcoin. However, that doesn't prevent people from bidding the price of ppcoin up - 99% of traders have no technical understanding.

The current POS implementation in ppcoin has the following problems:
1) No theory model on required stake granularity and steady state allocations for stake. I want to see a differential equation.
2) Missing incentive structure to perform transaction validation
3) No effective cost for working on competing branches with respect to the main chain
4) Reversibility between stake and coins - leading to a situation in which market price manipulations change the incentive structure for allocating stake

Especially 4) gets me worried. It exhibits opposite dynamics to POW. In POW, an increase in price encourages investments in hashing power and leads to a strengthening of the network, while in POS, an increase in price creates an incentive to move coins out of stake, effectively weakening the network. However 4) could be dealt with a protocol enhancement which prevents the reversibility between stake and coins.

I still stand by my assessment that ppcoin is an unfinished cryptocurrency. Any investments in it will evaporate as soon as the underlying flaws start to affect the resilience of the system. Buyer beware, drama included!

is all the ppc code os?

if so can't you just read through the code?

Yes. Everything is open source. However, recreating the design documents from the source code is like trying to learn about civil engineering from looking at how people build bridges.

I really think the best thing Sunny King could do for the development of proof of stake currency is to discuss the potential weaknesses of the current system, what is currently done to combat those, and what ideas he might have for the future. I'd like to get involved, but I feel there's not enough clear information out there for me to get a good grasp of how the current implementation works and where its weaknesses may lie. I'd be extremely interested to read about this and I think proof of stake cryptocurrency is a worthy cause and, if done right, I imagine it could have both efficiency and security advantages over traditional proof of stake coins.

As far as I am aware there are no known vulnerabilities. It's just FUD.

There's a huge number of PPCoins traded daily and they are worth over 30 cents, if there was some known exploit it would have been carried out.

... Uh, what?
You could have said the exact same thing about Terracoin until quite recently, when the known exploit WAS carried out.
You could have said the same thing about BITCOIN until the external dependency bug that caused the blockchain to split in 2...

You would make a very poor software engineer if your security analysis was based on "Well, people are using it, and it works fine, so let's not even address this known method of attack simply because it hasn't happened yet."

"If it ain't broke, don't fix it" doesn't work because we are trying to plan for things that might break, i.e. obvious vulnerabilities that could be taken advantage of in a realistic situation.

The Terracoin saga backs up what I am saying. It's called empirical justification. People were at one point deliberately attacking Terracoin and trying to do double spends. You think they weren't trying to attack PPCoin either? Of course they were. Terracoin also crumbled under the pressure of ASICs. Do you think those ASICs decided not to bother mining PPCoin?

PPCoin has stood up to every challenge thrown at it so far. At the end of the day, empirically withstanding testing 'out in the wild' breeds confidence... it's what Bitcoin has had to do. Despite all the papers and discussions on it, there is no mathematical proof that the entire Bitcoin protocol is fail-safe. And no-one said "if it ain't broke, don't fix it', your reading comprehension is awful, so please spare me the condescension. And as for, "let's not even address this known method of attack", try reading my first sentence again and ask yourself why you're trying to say that to me.

May I ask you what's your qualification? Forum bullshitter?


Do you even understand what kind of "exploit" we are talking about?

Really???

I have found the opposite its only be reading and running parts of the code I can actually understand whats going on.....

the design docs are often not spot on/not useful.

you can learn civil by looking at bridges!!!

And can be intentionally misleading if you know that's where most will go to find the data....  the source is the only for sure way but we all understand that not everyone can read code or even all the numerous languages out there but if you can its the way togo.  Then there are those of us too lazy to care and are just happy with a working system who hope someone more motivated will look out for us lol :-)

Please feel encouraged to help create design documents based on the source code. I'll be available to revise them.

There are many important aspects about a cryptocurrency which are not readily available from the source code. E.g. Sunny chose to use a POW mining reward as a function of difficulty^4. What is the rationale for that? Ideally Sunny would have at least performed a calculation to derive good parameters. Unless many things are just random - but that would not qualify as design.

Good luck trying to assess design flaws this way.

well, you can by NDT and other mechanisims, however os code is much different, I can go to the guts of every piece and test it individually...

what I usually do is rip out class by class, function by function and put in test rig code and throw generated (rather extreme) parameters at it to see if it behaves as expected and out a whole load of debug exceptions so you can verify your understanding....

I'm not sure what other people do....

Some people fail to understand the direct seriousness of this kind of design and programming. Peoples lives could hang in the balance of Bitcoin or alt currencies working. It's understandable that PPC doesn't work because it's not 1.0 and it's not even claimed to be a working product by Sunny King. It's in the beta phase and it's in that phase where all securities issues must be addressed.

If the code is not documented then Sunny King is going to have to comb through every line and comment it. It's very important that his code be audited and he wont get maximal adoption if it's not. Many of us can read the code but if it's not commented then we don't know what it's SUPPOSED to do to check it against what it actually is doing.

Theoretical attacks are as important for consideration as practical attacks. Yes practical attacks should be addressed first but theoretical attacks must ultimately be addressed.

Yes but you cannot audit code that way. There is a difference. A security audit of code requires clear commenting and documentation of what everything does because even a slight variation or stray from that could be a major security hole.

Consider that software are just algorithms and if something works it should be able to be mapped out as an algorithm on paper. So the people saying the equations must work are absolutely correct. Then when we get the source code we can compare the source code to the equations and algorithmic proofs to determine it works as intended.

Without the algorithms, equations, etc, without the documentation of what everything does, it's much harder to audit. To audit you want the maximum number of eyes looking at it and understanding it which requires clean and clear documentation of both the source code and the blueprint the algorithms and equations behind that.

I haven't seen the source code. Are you telling me it's uncommented?

If so, this is a big deal. I would sell all my PPC today and not touch it again with a 10 yard cattle-prod.

It's commented, just vaguely eg
"This fragment of code does this"

Still not happy. Especially with a project like this. :-\

What's Sunny King's programming background? He's obviously brilliantly talented, but has he done many professional projects, or coded much in a team?

I've just looked through code of version 0.3...

Problem isn't in a lack of comments... If you have a couple of days you can easily figure out how it works. (Some comments are present, by the way.)

Problem is that the flaw I outlined back in August on 2012: https://bitcointalk.org/index.php?topic=102342.msg1139483#msg1139483

Sunny changed weighting a bit, so numbers will be different. But idea is the same: it is secure only if number of active stake coins is large.

killer, I'd like to hear your input on the newest decrits proposal. It's everything proof of stake wishes it could be.  ;D

Sure, when I'll get a round tuit :)