Topic: Proof-of-stake is more decentralized, efficient and secure than PoW - white paper  (Read 9927 times)
Come-from-Beyond
Legendary
March 31, 2015, 10:50:07 AM
 #41

yes; in the sense that any other approach requires you to know more information about a node in one way or another if you want to prevent Sybil attacks, so that you know you can trust them (you could see proof-of-stake as just some anonymized form of trust). And the thing with trust is...



We don't see her tits, hence your "appeal to authority" is not accepted.
koubiac (OP)
Newbie
March 31, 2015, 10:51:41 AM
 #42


As far as spoofing the time intervals,
let's say you want to start a chain
"from 200 minutes ago".  You can have
a computer calculate an alternate
chain that supposedly started 200 minutes
ago in a few seconds, and broadcast
that in realtime right now.  Nodes receiving that
would not know that the blocks on
the false chain weren't really
built 200 minutes ago.

Nodes must accept the longest chain,
otherwise you will lose consensus and
risk a fork in the blockchain.

You won't always be able to achieve this,
but occasionally you will, and since
the cost is minimal, why not try it?

The reason this is incorrect is that there is no possibility for a "computer to calculate an alternate chain that started 200 minutes ago" and have it become longer than the main one.
What one has to keep in mind is that everything is deterministic.
For an attacker to build this fork he must own private keys that give him control over some stakes at the beginning of the attack.
Let's say the attacker has control over 10% of the mining coins. Two possibilities:
  • These coins have been used to mine on the main chain. In this case, the stakes will create blocks at exactly the same timestamps as they did when mining on the main chain because, since everything is deterministic, the proofs are the same.
    Starting our clock at the start of the fork, let's consider the average case (20 blocks mined by the coins the attacker controls): the stakes have generated blocks at times 3, 7, 13, [...], 189, 198. Then the attacker's fork will consist of 20 blocks created with the exact same proofs.
    The important part is that since the fork will always be a subset of the main branch he will never be able to create a fork with more trust than the main chain. A second important remark is that the attacker cannot try his luck many times.
  • The coins used to stake were not mining previously and in this case he would need on average 50% of all mining coins to be able to create a longer fork. This corresponds of course to a 51% attack.
    You might ask, if he gets his hands on 10% might he win? The probability that an attacker's fork with 10% of the coins will outperform the remaining 90% over a 200-minute period is ~10^-100 (using the formula on p. 35 of the white paper). Therefore, this kind of event will never happen no matter how often attackers try.
  • A third possibility would be to send coins you own the fork and mine with them. In theory, you could do that a great number of times and you might expect to succeed at some point. That's why the minimum stake age (i.e. the minimum time during which coins have to wait before they can mine) is important. For these coins to be allowed to mine they must wait a significant amount of time and this creates a lag. And this has a consequence on "real time" since the nodes receiving the forks will check if the proofs used to generate the blocks are valid.

Quote
You won't always be able to achieve this,
but occasionally you will, and since
the cost is minimal, why not try it?

The important part is that you will not "not always be able to achieve this"; you will actually never be able to achieve this without owning ~50% of the mining coins.

Quote
I'm not sure what the 200 minute buffer
zone applies to (new coins staking?),
but that really doesn't solve the issue,
as you can keep trying to attack with
old coins, or you can attack less frequently
(every 200 minutes) with coins you just
bought and sold.  In addition, I believe
it opens additional attack vectors based
on older stake participants rejecting
newer participants.

The reason behind this is that since you cannot "hope" to win by trying to fork a large number of times, the best thing you can hope for is to "grind" through stake modifiers, and to do that you must have control over the current stake modifier and this takes time.

Finally, what do you mean by "additional attack vectors"?
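
A toy model of the first case in the post above (coins that were already mining on the main chain), added here as an illustration and not taken from the post or the white paper. The SHA-256 kernel, the 1% per-slot target, the 100 equal stakes and the fixed stake modifier are all assumptions made for the sketch.

```python
import hashlib

MODIFIER = b"constructed-stake-modifier"  # assumed fixed over the whole window
ALL_STAKES = range(100)                   # constructed: 100 equal stakes
ATTACKER = range(10)                      # attacker controls 10% of them
WINDOW = 200                              # one slot per minute


def has_proof(stake, slot, modifier=MODIFIER):
    """Toy kernel: a stake may forge in a slot iff its hash is under a 1% target."""
    data = modifier + stake.to_bytes(4, "big") + slot.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big") * 100 < 2**64


def build_chain(stakes, modifier=MODIFIER):
    """One block per slot in which some stake holds a proof: [(slot, stake), ...]."""
    blocks = []
    for slot in range(WINDOW):
        winner = next((s for s in stakes if has_proof(s, slot, modifier)), None)
        if winner is not None:
            blocks.append((slot, winner))
    return blocks


def validate(blocks, modifier=MODIFIER):
    """Receiving node: recompute every proof against its own stake modifier."""
    return all(has_proof(stake, slot, modifier) for slot, stake in blocks)


def slots(blocks):
    return {slot for slot, _ in blocks}


main_chain = build_chain(ALL_STAKES)
fork = build_chain(ATTACKER)
# A fork whose proofs were computed against a different modifier (constructed).
forged = build_chain(ATTACKER, modifier=b"attacker-chosen")

print(len(main_chain), "main blocks,", len(fork), "fork blocks")
print("fork slots are a subset of main slots:", slots(fork) <= slots(main_chain))
print("rebuilding the fork gives the same blocks:", build_chain(ATTACKER) == fork)
print("fork built on another modifier validates:", validate(forged))
```

In this model the subset property and the identical retry follow only from the proofs being a pure function of (modifier, stake, slot); a fork computed against any other modifier fails the receiving node's check.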


calme
Sr. Member
March 31, 2015, 10:57:32 AM
 #43

whoa, is taylor swift a hardcore bitcoiner? maybe it's been taylor swift who has been doing megadumps all over us.
tokeweed
Legendary
March 31, 2015, 11:07:14 AM
 #44

whoa, is taylor swift a hardcore bitcoiner? maybe it's been taylor swift who has been doing megadumps all over us.

eeeeewww

spartacusrex
Hero Member
March 31, 2015, 11:22:50 AM
 #45

@koubiac - Hi, how many 'Mining Coins' do you think will be used, realistically,  as a percent of the whole ?


Life is Code.
johnyj
Legendary
March 31, 2015, 11:27:26 AM
 #46

For PoS coins, there is no big difference between PoS clones, means unlimited money supply and they will all be worth nothing in the end

PoW infrastructure on the other hand is not possible to duplicate, and since real world resource is limited, it gives PoW coin backing of scarcity from real world

LiQio
Legendary
March 31, 2015, 11:39:04 AM
 #47

...
PoW infrastructure on the other hand is not possible to duplicate, and since real world resource is limited, it gives PoW coin backing of scarcity from real world

Do you really believe that the value of a Bitcoin is backed by the energy wasted?
If so how is the structure of this correlation?
Come-from-Beyond
Legendary
March 31, 2015, 11:51:45 AM
 #48

PoW infrastructure on the other hand is not possible to duplicate, and since real world resource is limited, it gives PoW coin backing of scarcity from real world

Ever heard of merged mining?
Daedelus
Hero Member
March 31, 2015, 12:09:55 PM
 #49

http://www.links.org/files/decentralised-currencies.pdf claims that cryptocurrencies with unknown "miners" are flawed. Unlike PoW, PoS coins do know who the "miners" are.

Has this paper been discussed anywhere?
Come-from-Beyond
Legendary
March 31, 2015, 12:32:20 PM
 #50

Has this paper been discussed anywhere?

Bitcoiners can't counteract arguments raised in that paper so they ignore it.
Daedelus
Hero Member
March 31, 2015, 12:46:05 PM
 #51

Shame.
achimsmile
Legendary
March 31, 2015, 01:03:46 PM
 #52

For PoS coins, there is no big difference between PoS clones, means unlimited money supply and they will all be worth nothing in the end

No
spartacusrex
Hero Member
March 31, 2015, 01:09:23 PM
 #53

Has this paper been discussed anywhere?

Bitcoiners can't counteract arguments raised in that paper so they ignore it.

Err.. Is that why all the POS-ers are ignoring my question about how many 'Mining Coins', as a percent, they realistically think will be used mining a POS coin ? I have asked twice now..

The 51% POS attack, would never actually require 51% of the total supply, as many people seem to think. Just 51% of the Mining Coins.. and this will be a lot smaller.. just not sure how much smaller.. and it may still prove to be large enough to be considered unattainable.

Third and final time : Anyone ?

@Come-From-Beyond : I would love to know the percent used on NXT ? I'm sure no-one knows more than you on this topic ? (Except BCNext - if that's not you anyway..  :P).. Or you Daedelus - you're well informed on POS matters ?

Life is Code.
Come-from-Beyond
Legendary
March 31, 2015, 01:20:41 PM
 #54

@Come-From-Beyond : I would love to know the percent used on NXT ?

Fast calculation based on data from last 500 blocks gave me 28%.
Daedelus
Hero Member
March 31, 2015, 01:26:05 PM
 #55

Last I saw, 41% of Nxt was forging. Edit: I don't know how CfB calculates this figure. I thought the live figures were on peerexplorer.com but can't see where. Weren't you in the thread the last time this was discussed? CynicSOB claimed to be able to do some vaguely specified damage to a POS coin (after controlling the dead APEXcoin for 90 blocks). Started at <1%, then 5% then 10%. He hasn't been in touch for a while now. So if you had 210,000,000 NXT (based on 41%) you could do some damage. This is obvious to most who have looked at POS.

Your turn  :D

http://www.links.org/files/decentralised-currencies.pdf

spartacusrex
Hero Member
March 31, 2015, 01:29:11 PM
 #56

@Come-From-Beyond : I would love to know the percent used on NXT ?

Fast calculation based on data from last 500 blocks gave me 28%.

Last I saw, 41% of Nxt was forging. Edit: I don't know how CfB calculates this figure. I thought the live figures were on peerexplorer.com but can't see where. Weren't you in the thread the last time this was discussed? CynicSOB claimed to be able to do some vaguely specified damage to a POS coin (after controlling the dead APEXcoin for 90 blocks). So if you had 210,000,000 NXT you could do some damage. This is obvious to most who have looked at POS.

Thank you!

Actually that's more than I thought there would be.. (Using the smaller 28% figure..) 14.1% of the TOTAL supply of a currency, is still a very large number.. (More than Satoshi has in BTC..)



Life is Code.
LiQio
Legendary
March 31, 2015, 01:31:38 PM
 #57

@Come-From-Beyond : I would love to know the percent used on NXT ?

Fast calculation based on data from last 500 blocks gave me 28%.

Last I saw, 41% of Nxt was forging. Edit: I don't know how CfB calculates this figure. I thought the live figures were on peerexplorer.com but can't see where. Weren't you in the thread the last time this was discussed? CynicSOB claimed to be able to do some vaguely specified damage to a POS coin (after controlling the dead APEXcoin for 90 blocks). So if you had 210,000,000 NXT you could do some damage. This is obvious to most who have looked at POS.

Thank you!

Actually that's more than I thought there would be.. (Using the smaller 28% figure..) 14.1% of the TOTAL supply of a currency, is still a very large number.. (More than Satoshi has in BTC..)


and just to throw in another number based on nexern's block explorer:
http://nxtexplorer.com/nxt/nxt.cgi?action=160
46.8%
Come-from-Beyond
Legendary
March 31, 2015, 01:32:17 PM
 #58

I don't know how CfB calculates this figure.

Average base target of the last 500 blocks is 3.5652 (or 356.52%).

100% / 3.5652 = 28.05%.

If an adversary is forging now then he needs to control only 140'000'000 NXT for a 51% attack.

If an adversary is not forging now then he needs to buy only 280'000'000 NXT for a 51% attack.
Come-from-Beyond
Legendary
March 31, 2015, 01:35:33 PM
 #59

and just to throw in another number based on nexern's block explorer:
http://nxtexplorer.com/nxt/nxt.cgi?action=160
46.8%

nexern's block explorer may return a more correct result; my math is based on the assumption that all coins belong to a single account. As is known, bigger accounts have an extra forging bonus and they need fewer coins to reach the same average base target.
jonald_fyookball
Legendary
March 31, 2015, 01:37:55 PM
Last edit: April 01, 2015, 05:14:13 AM by jonald_fyookball
 #60


As far as spoofing the time intervals,
let's say you want to start a chain
"from 200 minutes ago".  You can have
a computer calculate an alternate
chain that supposedly started 200 minutes
ago in a few seconds, and broadcast
that in realtime right now.  Nodes receiving that
would not know that the blocks on
the false chain weren't really
built 200 minutes ago.

Nodes must accept the longest chain,
otherwise you will lose consensus and
risk a fork in the blockchain.

You won't always be able to achieve this,
but occasionally you will, and since
the cost is minimal, why not try it?

The reason this is incorrect is that there is no possibility for a "computer to calculate an alternate chain that started 200 minutes ago" and have it become longer than the main one.
What one has to keep in mind is that everything is deterministic.
For an attacker to build this fork he must own private keys that give him control over some stakes at the beginning of the attack.
Let's say the attacker has control over 10% of the mining coins. Two possibilities:
  • These coins have been used to mine on the main chain. In this case, the stakes will create blocks at exactly the same timestamps as they did when mining on the main chain because, since everything is deterministic, the proofs are the same.
    Starting our clock at the start of the fork, let's consider the average case (20 blocks mined by the coins the attacker controls): the stakes have generated blocks at times 3, 7, 13, [...], 189, 198. Then the attacker's fork will consist of 20 blocks created with the exact same proofs.
    The important part is that since the fork will always be a subset of the main branch he will never be able to create a fork with more trust than the main chain. A second important remark is that the attacker cannot try his luck many times.
  • The coins used to stake were not mining previously and in this case he would need on average 50% of all mining coins to be able to create a longer fork. This corresponds of course to a 51% attack.
    You might ask, if he gets his hands on 10% might he win? The probability that an attacker's fork with 10% of the coins will outperform the remaining 90% over a 200-minute period is ~10^-100 (using the formula on p. 35 of the white paper). Therefore, this kind of event will never happen no matter how often attackers try.
  • A third possibility would be to send coins you own the fork and mine with them. In theory, you could do that a great number of times and you might expect to succeed at some point. That's why the minimum stake age (i.e. the minimum time during which coins have to wait before they can mine) is important. For these coins to be allowed to mine they must wait a significant amount of time and this creates a lag. And this has a consequence on "real time" since the nodes receiving the forks will check if the proofs used to generate the blocks are valid.

Quote
You won't always be able to achieve this,
but occasionally you will, and since
the cost is minimal, why not try it?

The important part is that you will not "not always be able to achieve this"; you will actually never be able to achieve this without owning ~50% of the mining coins.

Quote
I'm not sure what the 200 minute buffer
zone applies to (new coins staking?),
but that really doesn't solve the issue,
as you can keep trying to attack with
old coins, or you can attack less frequently
(every 200 minutes) with coins you just
bought and sold.  In addition, I believe
it opens additional attack vectors based
on older stake participants rejecting
newer participants.

The reason behind this is that since you cannot "hope" to win by trying to fork a large number of times, the best thing you can hope for is to "grind" through stake modifiers, and to do that you must have control over the current stake modifier and this takes time.

Finally, what do you mean by "additional attack vectors"?




 
As you said, an attacker can simply use coins that are old
enough and keep trying with them.  Those attacks would
be smaller than 200 block reorgs.

As far as the new coins (or any coins), what you are not considering is that the blockchain
MUST find new blocks.

Assume you have a 10 percent stake, so you'd have a
1 in 10 chance of being awarded a block.  
Your argument is that you'd have a 10% chance (or .1 probability)
of succeeding at one block, .1^2 for two blocks in a row, .1^3 for
three blocks in a row, etc.

However, here's where that argument falls apart:

What if the block found "deterministically"
wasn't broadcast by the chosen stakeholder?  Now the network
must choose again, so you get another 10% chance.  This
process can continue ad infinitum in a grinding fashion.

