Yes. I have 6 accounts with 1 coin in each account. I wait for 1600 confirmations (~11 days), now I have 1600 coin-confirmations in each account, 9600 coin-confirmations.

At the same time rest of hashing units (which act independently) each have about 100 confirmations on average, 94*100 = 9400 total.

I have a hashing power of 9600 and rest of network has hashing power of 9400 if each hashing unit is hashing on its own. Thus, I win having just ~50% of total coin-confirmations stock and 6% of hashing power.

So, again, a person owning 6% of coins and 6% of hashing power (which he can buy temporarily from Amazon, so only ownership of coins is required) can do 6-block deep reorg in 11 days.

Likewise a person having 5% of coins and 5% of hashing power can do a 50 block deep reorg in 138 days.


If a miner has 9400 coin-confirmations in one account and he has 94 units of hashing power, he has an apparent 883600 hashing power.

If there are 94 miners which have 100 coin-confirmations each on average, and each one uses 1 unit of hashing power, apparent hashing power of a system is 94*100 = 9400.

A model where there are 94 miners is correct because on the next block they have an apparent hash power of 9400 again, i.e. hashing power is stable.

But a single miner will have 0 coin-confirmations for the second block, so winning a string of blocks afterwards would be trivial.


Then when you say that rest of the network has 1% of coin-confirmations it means that each person has 0.001% of coin-confirmations. You need to plug this value into hash-target calculation, not the sum of coin-confirmations they have.


I find it rather strange that I have to explain that in a system where build-up of coin-confirmations compensates for lack of hashing power attacker can perform a double-spend if he waits enough. It is absolutely obvious.

I have no interest in further discussion. I've already demonstrated that your system if faulty with numbers. There is no need to explain me anything.

If you still don't get it please re-read my message enough times.

Seems to be about right except number 99%.

Let's re-purpose my previous example: there are 94 hashing units which have 100 coin-confirmations on average each, thus their cumulative hashing power is 94*100 = 9400.
I have 6 hashing units with 1600 coin-confirmations each, my hashing power is 6*1600 = 9600. So I can perform 51% attack and mine next 6 blocks with ~50% probability.

Thus I need only about 50% of total coin-confirmations and 6% of hashing power to run this attack.

I guess we get different numbers (50% vs 99%) because you consider only momentary hash power parity to mine next block, while you should consider hash power parity to mine _any_ block. I.e. you assume that 1% of coin-confirmations sits in one account and so 99 hashing units can compete with 1 hashing unit and 99% coin-confirmations. It is true that they have 50% chance of mining next block, but note that if rest-of-the-world actually wins, it now has 0% of confirmations and attacker has 100%. So you need to consider a scenario where that 1% of coin-confirmation is spread over many accounts, and each such account gives only a minuscule bonus to hashing power.


Well, in my example if you have 6% of coins you need to wait 1600 confirmations = ~11 days. Which isn't good, IMO: it means that a mid-sized miner can mount double-spends from time to time, and he doesn't even need to spend much on electricity.


I agree that getting 50+ blocks in a row is not a small feat. But still, this design is weaker than pure PoW for relatively short reorgs. I.e. if we adopt it, we would have to wait for more confirmations for each payment. (Same is true for PPCoin and PoA.)

Imagine our whole world consists of 100 identical hashing units which consist of 1 unit of hashing power and 1 coin which is used to get coin-confirmations.

One averaged, out of 100 solved blocks one block belongs to each hashing unit.

Now let's say I own 6 hashing units and I want to do a 6-block reorg. I stop hashing on my units for some time. Difficulty stays the same or decreases.

After I waited enough (say, for 100 blocks) I start hashing. I have twice the average coin-confirmations in my hashing units. Besides that, I have 6 units. So chances that next block would be solved by one of my units are something like (I'm probably very wrong here, but it doesn't matter much -- I just need to wait enough for chances to be close to 1.)

OK, one of my hashing units is out of coin-confirmations, but I have 5 more. And, again, chances that one of them will solve the block are high. Thus I have high chances of solving 6 blocks in a row, achieving desired reorg.

If I'm not mistaken, achieving a reorg with this wonderful system is as simple as waiting a bit, neither large hashing power nor high stake are required.

Your mistake, cunicula, is that you consider only output averaged over a large interval of time. It is true that you cannot increase your output by splitting/merging your coins/hashing power. But you can affect temporal clustering of your blocks via splitting and waiting, and it makes a reorg of arbitrary size possible with little resources.

This is intriguing, but I don't understand where do you get these numbers from. Is there a more detailed example?

On wiki page I see   formula. This means that twice more confirmations equals 16 more hash power, right?

So if I have 6 accounts with twice the average coin-confirmations I'll be able to do a 6-block reorg with just 51/16 = 3% of hashing power.

Err, let's start from beginning. WHAT is included into a block chain as an evidence of wrongdoing? I see two options:

1. block-signing transaction itself as self-evident thing
2. a special message with a special format which includes both that txn and all require information

Apparently if we choose second approach we can include as much information as needed (i.e. block header, coinbase) so cheating would be not possible.

If you're concerned about 'signature of random data' then you probably assuming approach number 1 as it requires less coding. But I guess in that case a block-signing txn must have a certain format to distinguish it from normal txns... Otherwise block will be considered invalid as it contains invalid transaction.

(We cannot assume that all invalid transactions are evidence of wrong-doing because they might be traces of double-spends performed ON that user, not BY that user.)

Thus we can assume that a coinbase output for block-signing has some special scriptPubKey and block-signing txn includes scriptSig which matches that scriptPubKey.

For example: scriptSig might include 1) magic number which distinguishes it from normal txns. 2) signature for coinbase txn spend. 3) block metadata like timestamp, height; 4) signature for that metadata.

As metadata is not random, we no longer have random-key attack, do we? If we demand meta-data to be plausible, this would significantly limit attacker.

(While we are here, what if we just request two signatures: for block's hash and for block's hash hash? Attacker can choose any block's hash, but then he cannot choose block's hash hash, is it still RPA? I really don't know much about ECDSA.)




Double-spending, sure, but we should probably differentiate small-scale double spending caused by reorg of ~10 blocks (6 blocks is a standard for Bitcoin, I think) from large-scale double-spending, like 100+ blocks.

I believe that neither PoA nor PoS can directly help with small-scale double-spending as they more like increase fork/main chain weight variance.

For this reason Meni's scheme aims to prevent this small-scale double-spending with cementing, and PoS just fixes split issue which arises from double-spending.

PoS and PoA can, in theory, help against large-scale reorgs.

But I'm not convinced that automatic resolution is really needed here. A low tech solution is to bring client into a panic mode if it sees large reorg. Then a human operator can analyze what happened and either checkpoint an older (pre-attack) chain which would invalidate all of attacker's blocks, or he will follow longer chain if he sees that it was probably a network split.

So you just need to add:

1. Panic mode.
2. An RPC call for user to checkpoint older (cemented?) chain.
3. An RPC call for user to continue reorg.

It's much simpler than PoA/PoS and likely more reliable. And this would completely remove profit motive from such reorgs.

Attacker can still try to do that as a form of DoS, but then it is not really a double-spend attack, it is a DoS attack you're preventing.

And, again, I believe that there is an easy, low-tech solution to frequent DoS attacks: give user an option to do auto-cementing. Then watch how idiot burns his money trying to DoS you. (Alternative: an option to temporarily enable centralized checkpointing like in PPCoin.)

(Just to give due credit, I largely designed this solution for an alt-chain I intended to do myself, but then I talked to Lolcust and it turned out that he had similar solution in mind. So it might be possible that some ideas expressed here are Lolcust's (or somebody else's). So if somebody finds it new and wants to include somewhere, mention Lolcust in credits.)

I still don't get what kind of attack are you trying to defend against with PoA. What problem is it trying to fix?

If it is about small-scale reorgs, I doubt anything can be done at all since ultimately weight modification from signing increases variance and thus likelihood of attacks "from time to time".

If you focus on large reorgs, i.e. it is a defense against attacks which aim to discredit currency as a whole, I'd say introducing lag should help. I.e. you can sign block only once it has like 50 confirmations.

This way block signing for double-spends will become largely impractical. One can try to use PoA vector in that large attack, but (arguably) that's harder than simply borrowing hashing power. Additionally you can implement punishment to make it even better, but it's not necessary to have punishment from start. I.e. it is required only against really sophisticated attack.

And in general I would advice to follow Meni's PoS design, PoA with lag will be similar to it. If you want extra double-spend protection you can add cementing. Also, stuff that iddo have written, i largely agree with him.

(Note that Meni pretty much confirms that you cannot prevent small-scale reorgs with PoS, but you can prevent them with cementing, and you can fix problems which arise from use of cementing with PoS (or PoA)).

I'm not sure I follow you, coblee wrote:


So apparently evidence of banning should include that spending and corresponding block header with coinbase.


Well, if you want block signature to work this way, evidence of wrongdoing should include at least a whole block header.


I still don't get what kind of problem PoA is trying to fix.

If we assume efficient markets, it will drop significantly once you announce that you want to include a feature which worsens protection against double-spends

Also, I don't think you should depend on the fact that stake holders will be reluctant to participate in attacks which decrease exchange rate: "intuitively optimal" solutions can be very different from Nash equilibrium produced by independent rational players. I believe that double-spending with proof-of-stake can be quite like prisoner's dilemma where Nash equilibrium is the worst option. (Which, basically, means that one shouldn't include this feature.)


No. You forget that this is a stochastic process: number of signatures available in different forks is a random variable with large variance.

Attacker does not need to win all the time, he doesn't need to win most of the time. He needs to win from time to time.

Since variance is high from time to time his chain would win in a number of signatures and double-spend would be successful.

For example, if attacker has access to 25% of stake he'll get three signatures for three blocks in 1.5% of cases. So at least one double-spend per day.

Also note that legitimate stake holders do not always sign blocks immediately, they don't really have an incentive for it. Delayed signing will further shift probability towards attacker (stakeholders who work for attacker have higher motivation to sign ASAP).


Maybe. Its feasibility depends on particular economic conditions and altruism/laziness among stakeholders.

But why would you make your blockchain theoretically weaker? I really see no reason for it, it doesn't really prevent any kind of attack...

Well, if you want to work further on proof-of-stake approach I strongly recommend reading other proposals and discussing them.

Particularly, check this one: https://en.bitcoin.it/wiki/Proof_of_Stake#Meni.27s_implementation

Note that each particular implementation detail is there for a reason. Particularly, it includes a way to punish malicious stakeholders:



Also I think that cementing is a great idea, but I'm not sure it can work in 'energy-efficient' variant.

Thanks, that would be cool, but I'm also looking for somebody to help with marketing/bizdev stuff, I'm afraid I won't be able to do it myself...

General 'video meetings' concept is too generic, I think, perhaps it's better to make sites specially for various niche use cases, for example, "Real time freelancing". I believe there are many good uses.

Coblee now has a proposal to integrate a form of PoS into Litecoin. But he first asks experts on forum whether they see vulnerabilities.

If he'll find a solution which works, I doubt he'll have any problems integrating it into Litecoin. So I disagree that "Proper typically equates to not doing anything at all."

Yes, many things fail, but that's probably because they shouldn't exist.

Have you ever heard about prisoner's dilemma? Nash equilibrium can be bad for everyone.


You don't really have a security mindset, do you? You shouldn't be operating with categories like 'crazy', you should look at various attack motives, e.g. what would a rational entity do? What if somebody will try to kill your currency if he has a stake in a competing currency?

First of all, accumulating vast wealth isn't necessary. Once you've made a block with double-spending txn, you can bribe stake-holders to build blocks on top of your block to force a reorg. Rational stake holders would do that because that doesn't cost them anything: they will earn their bounty in either case, but in case of reorg they get an extra reward (bribe).

You say that then their currency holdings become less valuable? No, one double-spend won't cause devaluation. The knowledge that such double-spend is possible will make it worthless from the start.

This is just game theory basics.


If you assume that then your protocol is based on trust, essentially. There is much better protocol based on trust: Ben Laurie's mintettes. http://www.links.org/files/distributed-currency.pdf Please check it.

Besides that, assumption that there is just one wealthy guy is just wrong. You should assume that people can sell their signatures, form alliances and whatnot.

You are thinking in right direction: punishing mis-behaving stakeholders can work. But it should be a part of your crypto protocol, you should not assume availability of a lynching mob.

I meant that attacker will reveal only block hashes or block headers, but not transactions in blocks.


I don't quite understand cunicula's protocol, but it seems to be vulnerable.


I think this fixes this problem. In general, I think proof-of-stake can work only if there is some form of punishment for malicious activity.

If there is no punishment then one can experiment with malicious activity without repercussions.

(It's also worth noting that Meni's protocol does not help against Denial of Service. But it makes bribery for DoS harder, I think.)


Well, instead of using weights we can just ban whole address so he won't be able to spend his coins, is that what you've meant?

I also considered use of distinct type of addresses for transactions and for stake signing (i.e. you can have your money either on transactions, or on interest-earning account and moving between them takes some time), it might make banning easier. (i.e. we can ban money which is sitting on time deposit account.)

OK, here's a full description of attacks which, I think, prove that PoA is not useful for anything, and is, in fact, harmful.

A. For-profit double-spending.

So I want to do for-profit double-spending. If I don't have all resources myself, I'll announce it as a double-spending service. It is a legitimate business in the cryptocurrency world. I need three things:

1. A steady source of double-spend transactions. I announce that I'll include double-spends into my chain for a kickback. I've outline process in details here: https://bitcointalk.org/index.php?topic=101820.msg1119119#msg1119119 (ppcoin thread) I assume that double-spend txns are submitted to me secretly so mechants do not know about them.

2. A source of PoA block signatures. Note that it is not necessary to have a full block to make a signature. I'll just announce hashes of my blocks as well as whatever is necessary for a signature, but not transactions in those blocks. It's possible to implement it as an add-on for a client software which submits these signatures in hope to get reward.

3. A source of hashing power. This is more complex, but one thing is that less than 50% is necessary, and another thing is that if there is certainty that my service works miners would be eager to use my mining pool because their rewards in main chain will be wiped with a reorg. Again, no full knowledge of blocks is necessary, miners only see hashes. I can temporary buy hashing power to bootstrap the thing.

So here's how I'll overpower the network: rational entities would submit their signatures both for main chain and into my fork-chain. But they are interested into waiting as long as possible to submit signature into main chain because my chain pays higher reward (from double-spend kickbacks).

In any cases, people do not lose their money: if fork works, they get twice the reward. If it fails, they still get reward in the main chain.

So, statistically, I'll get somewhat more signatures because main chain would be starved of signatures for some time. (It depends on people getting rewards in both chains within a certain window. This happens from time to time, especially for people with a lot of money.)

Thus, I need less than 50% of hashing power to perform a commercial double-spend.

B. Malicious 51% attack aimed to destroy a chain.

A malicious entity would pay for PoA block signatures for his alternative chain. He needs to pay in a different currency, obviously.

Essentially, it would be like a self-fulfilling prophecy: if people know that attacker has enough hashing power, they will trade their Litecoin savings for reward denominated in Bitcoin.

----

So what we get is that this PoA can make it cheaper to perform both for-profit and destructive attacks on a chain due to profit motives. It can only work if majority of nodes are altruistic.

I think it would help to clarify about what kinds of attacks it is designed to protect against. 51% attack does not say me anything, what is motive?

I guess it's obvious that this scheme simply cannot help against double-spends induced by small-scale (e.g. ~10 blocks) reorgs. In fact, coblee's proposal makes them much simpler. To a larger degree than he thinks.

He thinks that large stake is necessary to help yourself to do a double-spend. But this misses the fact that attacker can simply bribe people to make signatures for his double-spending fork.

For example, I would announce that if someone adds a signing txn to my chain instead of main chain, I would double his reward. Reward is will be paid in a fork, so if forking is not successful, reward isn't paid. (It's essentially a kickback from double-spend.)

Rational entities would prefer 2x reward to 1x reward, so my work will statistically get more signatures if we assume rationality, so double-spending is trivial if you have some fraction of hashpower to mine blocks from time to time (20% of hashpower is enough for 10-block reorg) and you can pay an interesting reward.

If you introduce lag, signatures won't help against small-scale reorgs at all. They might help against malicious history rewrites which aim to discredit currency as a whole. (Or a variant of this: an attacker who mines empty blocks.)

If this is true, it should be tuned towards this goal: introduce a big enough lag, low X value would be better.

Can you please explain, is this just a game or do these corporations actually do anything? I've been reading your messages for some time, but still I cannot understand.

I understand that play assets are not fundamentally different from 'real' assets, but the difference is in fundamentals: is there any activity other than posting about it on forum? So, well, is this an economy in itself, or is it integrated with outer world?

Well I guess it's aimed primarily at byzantine attackers, at expense of higher small-scale reorgs. Also, doing calculated double-spends might be harder due to chaotic environment, but opportunistic double-spends might be easier.

Existing proposals are not energy-efficient.

I believe that the only way to make it energy-efficient is to make people lose their stakes in case of double-spend or other malicious act.
This will attacks economically unfeasible. Double-spend can be trivially detected.

If people can do attacks without downsides, they WILL do these attacks.

So you need PoS+PoW scheme, then a downside of an attack is money lost on PoW part.

But PoS+PoW is not energy efficient, since it still requires PoW.

What do you mean by "perhaps"? We already know it doesn't work without centralized timestamping. PoW and PoS in this design do pretty much nothing to secure the network, and even if some algorithm will be invented to fix it, it would be simply another currency since rules will change dramatically.


Well, yeah.

Proper way to do this: discuss algorithm beforehands, try the idea on a disposable testnet first, and only then release it as a "permanent" currency.

Improper way to do this: release half-baked, not well thought out version as a currency.

Now thinking about it, WHY would you do it in the improper way if not for pump & dump? I see absolutely no other reasons.

High PoW mint rate is also great for pump and dump: this way people can just use existing mining infrastructure to get coins, thinking that they will be valuable one day, and thinking that they are doing something worthwile.

Even if Sunny King has good intents and is just delusional, he behaves EXACTLY like pump-and-dumper, I can't think of a better scheme. (Well, PoS which would actually work would be better, but it would take much more time to develop a working scheme.)

Well, I'm interested in colored bitcoins, but not so much in that twitcoins. To be honest, I don't see how that can work: there won't be any demand. Also, unlimited supply...

But if you're working on bitcoin integration perhaps same code can be used for other colored bitcoins, like in general case, then I'm interested in that. But I don't have much spare time, to be honest...

I haven't found any github links so I don't see what is done (and in which direction) so far.