Come-from-Beyond
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie

April 05, 2015, 07:20:32 PM

Has Gridcoin solved the issue with the exploit that allowed generating rewards without doing actual work?

traderman
Legendary
Offline
Activity: 1260
Merit: 1001

April 05, 2015, 07:37:31 PM

> Has Gridcoin solved the issue with the exploit that allowed generating rewards without doing actual work?

Ohhh, are you referring to the CPU measurement thing? 'Cause that was 1 year ago; Gridcoin has changed a lot since then.

Come-from-Beyond
Legendary
Offline
Activity: 2142
Merit: 1010
Newbie

April 05, 2015, 07:47:04 PM

> Ohhh, are you referring to the CPU measurement thing? 'Cause that was 1 year ago; Gridcoin has changed a lot since then.

Yes. Good if the issue is solved.

jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political

April 05, 2015, 08:34:40 PM (Last edit: April 06, 2015, 02:54:12 AM by jonald_fyookball)

> maybe you could describe how the attacker tries many times and what he does to get different outcomes, 'cause that's the part that's unclear to me in your explanation.

Simple, he just constructs different blocks of different transactions sending coins to himself. Different addresses, different amounts, different timestamps, whatever. Not only can he try endless combinations for each block in order to make sure he meets the requirements to forge that block, he can build as many blocks in a row as he wants. Moreover, if he builds a good attack chain and it wasn't accepted, he can (a block later, or at any time) start over and try the whole process again.

FYI, there is some guy named Bittrix who is demonstrating successful attacks on PoS coins, so it's no longer just theoretical. https://bitcointalk.org/index.php?topic=686403.msg10169983#msg10169983

koubiac (OP)
Newbie
Offline
Activity: 25
Merit: 0

April 07, 2015, 10:22:37 AM

> > maybe you could describe how the attacker tries many times and what he does to get different outcomes, 'cause that's the part that's unclear to me in your explanation.
> Simple, he just constructs different blocks of different transactions sending coins to himself. Different addresses, different amounts, different timestamps, whatever.

Exactly, and that's the point I'm trying to make! Every time an attacker sends coins to himself, his coins must wait the minimum stake age to be able to mine. This will cause a lag that will make it impossible for an attacker to catch up, no matter how many times he tries! Therefore, to succeed an attacker needs the equivalent of ~50% of the mining coins.

From what I gathered from the thread, this attacker doesn't even try many times; he simply accumulates >50% of the block generation power. He attacks a coin which has ~10% of coins mining and that uses coin age. He was able to conduct a temporary 51% attack with 0.07% of the coins. 10% / 0.07% ~ 71, so what he did was just accumulate coin age for ~71 days. This is the reason NeuCoin doesn't use coin age.

In order to improve the whitepaper, I was wondering if you've read the technical part. I feel like maybe some points should be made clearer since I'm having a hard time making my point.

Daedelus

April 07, 2015, 10:40:08 AM

The high quality, in-depth research you do before you post is showing through again. The message you posted is from the admin of Bittrex, an exchange. The attacker was CynicSOB, who Nxters invited over to attack Nxt, even set him up on the testnet and let him have as much testNxt as he wanted to try and recreate the attack. That was mid January. Cynic has so far failed to recreate this attack in Nxt, even in the benign environment of the testnet. Read the full thread here: https://nxtforum.org/testnet/nxt-security-audit-attack-simulations-on-testnet/

Apex coin can only be taken as the poster child of POS if GlobalCoin or Vootcoin can be taken as the same for POW.

jonald_fyookball
Legendary
Offline
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political

April 07, 2015, 06:04:37 PM (Last edit: April 08, 2015, 12:53:23 AM by jonald_fyookball)

> > > maybe you could describe how the attacker tries many times and what he does to get different outcomes, 'cause that's the part that's unclear to me in your explanation.
> > Simple, he just constructs different blocks of different transactions sending coins to himself. Different addresses, different amounts, different timestamps, whatever.
> Exactly, and that's the point I'm trying to make! Every time an attacker sends coins to himself, his coins must wait the minimum stake age to be able to mine. This will cause a lag that will make it impossible for an attacker to catch up, no matter how many times he tries! Therefore, to succeed an attacker needs the equivalent of ~50% of the mining coins.

This will be my last post in this thread because you just don't get it or don't want to get it. I've made my points very clear several times. Not saying I'm infallible, but we aren't moving forward with a productive discussion.

As I already explained, if he sends coins to himself using an attack chain, and the chain is not accepted by the rest of the network, then nothing has changed in his UTXOs, including the stake age, thus allowing him to try again and again until that chain or another chain is accepted.

Those are my criticisms... you had an ample opportunity to address them. The white paper and yourself seem to miss these known issues with PoS. Nothing really new here, and nothing to prove "Proof-of-stake is more decentralized, efficient and secure than PoW".

koubiac (OP)
Newbie
Offline
Activity: 25
Merit: 0

April 08, 2015, 07:09:30 AM

> This will be my last post in this thread because you just don't get it or don't want to get it. I've made my points very clear several times. Not saying I'm infallible, but we aren't moving forward with a productive discussion.
> As I already explained, if he sends coins to himself using an attack chain, and the chain is not accepted by the rest of the network, then nothing has changed in his UTXOs, including the stake age, thus allowing him to try again and again until that chain or another chain is accepted.
> Those are my criticisms... you had an ample opportunity to address them. The white paper and yourself seem to miss these known issues with PoS.
> Nothing really new here, and nothing to prove "Proof-of-stake is more decentralized, efficient and secure than PoW".

Since this doesn't appear to be clear, we'll be updating the white paper with a more detailed explanation of why the attack you describe is impossible. I think you're mistaking what the minimum stake age does. The fact that the attacker cannot mine when sending his coins to himself has nothing to do with the fact that the chain he's building will eventually be accepted or not. I agree that this discussion isn't going anywhere, so I hope you'll take time to give some feedback on the updated version.

ensurance982

April 08, 2015, 01:45:25 PM

It would only be more decentralized if the stakes are also more decentralized. Especially considering PoS is mostly used in smaller altcoins, this is a highly questionable claim...

achimsmile
Legendary
Offline
Activity: 1225
Merit: 1000

April 08, 2015, 02:20:43 PM

> It would only be more decentralized if the stakes are also more decentralized. Especially considering PoS is mostly used in smaller altcoins, this is a highly questionable claim...

The magic number is 4: https://blockchain.info/de/pools

funkenstein
Legendary
Offline
Activity: 1066
Merit: 1050
Khazad ai-menu!

April 08, 2015, 03:13:58 PM

Oh good, more pimping of PoS again. The solution in search of a problem, which presents its own problems before finding a problem it could solve, we have seen many times before. This should be fun.

Mostly the paper tries to address security concerns that PoS introduces. Fair enough, that is an interesting topic and all we can really discuss, because in the end I don't think there is really a use for this. Bitcoin works fine, thanks. But let's forge ahead with the paper:

> Mining reward rates: NeuCoin dramatically increased coinstake rewards for mining in order to maximize the percentage of coins being mined at all times, which is the bedrock of security in any PoS cryptocurrency.

Notice that the "bedrock of PoS" claimed here is that you have to keep your coin online and staking just to stay up with inflation. As a maximum reward you get: the same percentage of the money supply you had before. This by itself doesn't sound so bad; at least we are used to it in the fiat world. Six percent annual inflation planned forever. So let's continue:

> Duplicate stake punishment: NeuCoin uses a client version developed by Michael Witrant, aka “sigmike” (core developer of Peercoin and Technical Advisor to NeuCoin), that not only detects duplicate stakes so that honest nodes can reject them, but also punishes nodes that broadcast duplicate stakes by rejecting all blocks broadcast by the dishonest miner.

I'm not sure I follow this. If I were trying to do a reorg attack (grinding, in the terminology of this paper) to rewrite some history, I am not going to broadcast anything until I have found a chain that works. Then, when I broadcast it, it will not have any duplicate stakes. It will follow all the rules.

> To keep Bitcoin security from declining, total payments to miners must be maintained. As coinbase rewards decline, there are only three ways to make up the difference: Bitcoin’s price can increase, transaction volumes can increase, and/or fees per transaction can increase.

Well, this is actually a good point, and does address a potential problem worthy of discussion. This is a problem of economics, not of PoW. For example, one could create a PoW currency that also gave a 6% annual inflation. The money supply curve is important.

> NeuCoin's mining equation is simply: hash(kernel) < target * balance of UTXO

OK, so now we see that the best way to mine NeuCoin is to form massive pools. This is not incentivised by smaller, more regular payouts as it is in Bitcoin, but by a directly higher return due to the formation of a larger UTXO balance. This looks completely broken to me. Am I missing something?

> This stance neglects to acknowledge that PoS security does have a cost: the capital cost of acquiring and holding coins.

Exactly. PoS is just a PoW algorithm, where the work is a bit different. Now the work is acquiring coin, and (once again) doing some hashing. What's the difference? Nothing really. If you aren't substantially rewarding your miners (stakers), your security sucks. (cough, not mentioning names) Miners and stakers have a variety of tricks they can play, and a lot of motivation to behave efficiently. Bitcoin is incredibly efficient for this reason. Claims of inefficiency are typically made by outsiders who don't understand the business. Who do you think is best qualified to judge the efficiency of a mining operation?

Anyway, thanks for posting. This has been an interesting read, much better than I expected from the glossy page and Proof of Stake hype, and I commend all efforts to better understand coin economics.

Cheers -- funkenstein the dwarf

koubiac (OP)
Newbie
Offline
Activity: 25
Merit: 0

April 10, 2015, 11:23:58 AM

> > Duplicate stake punishment: NeuCoin uses a client version developed by Michael Witrant, aka “sigmike” (core developer of Peercoin and Technical Advisor to NeuCoin), that not only detects duplicate stakes so that honest nodes can reject them, but also punishes nodes that broadcast duplicate stakes by rejecting all blocks broadcast by the dishonest miner.
> I'm not sure I follow this. If I were trying to do a reorg attack (grinding, in the terminology of this paper) to rewrite some history, I am not going to broadcast anything until I have found a chain that works. Then, when I broadcast it, it will not have any duplicate stakes. It will follow all the rules.

Hi Funkenstein, thanks for the feedback.

The duplicate stake detection mechanism's purpose is to prevent miners from mining on multiple chains when a natural network fork occurs. Without this system miners could mine on both (or more) forks in order to avoid having their block orphaned, and this would hurt the consensus. It's not a security measure against people creating a fork in order to rewrite the transaction history.

> Well, this is actually a good point, and does address a potential problem worthy of discussion. This is a problem of economics, not of PoW. For example, one could create a PoW currency that also gave a 6% annual inflation. The money supply curve is important.

The chosen inflation level is not the only parameter that matters. If you consider a PoS and a PoW coin that are economically identical (market cap, inflation, transaction volume etc.), the cost of an attack will be orders of magnitude higher in the case of the PoS coin. Let's imagine, as you say, that the PoW coin uses a 6% inflation rate to pay for security and both coins have a $100B market cap.
- In the case of the PoW coin, the cost of a 51% attack will be 51% * $100B * 6% ~ $3B
- In the case of the PoS coin, let's suppose that with a 6% inflation rate, 50% of the coins mine; then the cost of a 51% attack will be 51% * $100B * 50% ~ $25B
And this doesn't even take into account the fact that in our example the actual inflation rate for the PoW coin is 6%, whereas for the PoS coin it's 6% * 50% = 3%. Therefore, the PoS coin is paying half as much for a security level ~8 times better.

> > NeuCoin's mining equation is simply: hash(kernel) < target * balance of UTXO
> OK, so now we see that the best way to mine NeuCoin is to form massive pools. This is not incentivised by smaller, more regular payouts as it is in Bitcoin, but by a directly higher return due to the formation of a larger UTXO balance. This looks completely broken to me. Am I missing something?

I'm not sure I get what you mean by that. Your probability to win depends on the size of your stake. Let's imagine you and I both own 100 neucoins. If we mine separately, we both try once per second (therefore, together we try twice per second) to find a solution to: hash(kernel) < target * 100. If we put our coins together, we will once per second try to find a solution to: hash(kernel) < target * 200. So it's exactly the same as trying once per second to find a number between 1 and 1000 or trying twice per second to find a number between 1 and 2000. The odds of succeeding are the same.

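The duplicate-stake rule koubiac describes above (one stake must not be used to mine on two competing forks, and a miner who does so has all further blocks rejected), as an added Python model written for this thread; it is not NeuCoin's or sigmike's code, and the block layout, the miner and fork identifiers, and the rule "same stake UTXO at the same height on two different forks" are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Block:
    """Minimal PoS block as a node sees it (constructed model, not NeuCoin's format)."""
    miner: str        # identity of the staker who signed/broadcast the block
    height: int       # chain height of the block
    fork_id: str      # which fork it extends (stand-in for the previous block hash)
    stake_utxo: str   # coinstake input (txid:n) spent to produce the kernel


@dataclass
class DuplicateStakeDetector:
    """Tracks which stake was used at which height on which fork.

    Rule (assumption): a stake UTXO seen at the same height on two different
    forks is a duplicate stake. The block is rejected and the miner is marked
    dishonest, after which every further block from that miner is rejected,
    mirroring the detect-and-punish behaviour described in the thread.
    """
    seen: Dict[Tuple[str, int], str] = field(default_factory=dict)   # (utxo, height) -> fork_id
    banned: Set[str] = field(default_factory=set)

    def accept(self, block: Block) -> bool:
        if block.miner in self.banned:
            return False                          # punishment: nothing more from this miner
        key = (block.stake_utxo, block.height)
        earlier_fork = self.seen.get(key)
        if earlier_fork is not None and earlier_fork != block.fork_id:
            self.banned.add(block.miner)          # same stake on a competing fork: dishonest
            return False
        self.seen.setdefault(key, block.fork_id)  # first sighting, or a harmless re-receive
        return True


def replay(blocks: List[Block]) -> List[bool]:
    """Feed a block stream through a fresh detector; returns the accept decision per block."""
    detector = DuplicateStakeDetector()
    return [detector.accept(b) for b in blocks]


# Constructed scenario: a natural fork at height 10 (forks A and B).
SAMPLE_STREAM = [
    Block("alice", 10, "A", "tx1:0"),   # alice stakes on A
    Block("bob",   10, "B", "tx2:0"),   # bob stakes on B with a different stake: fine
    Block("alice", 10, "B", "tx1:0"),   # alice reuses tx1:0 on B: duplicate stake
    Block("alice", 11, "A", "tx3:0"),   # alice is now banned, even with a fresh stake
    Block("bob",   11, "B", "tx4:0"),   # honest miner continues normally
]

if __name__ == "__main__":
    for blk, ok in zip(SAMPLE_STREAM, replay(SAMPLE_STREAM)):
        print(f"{'accept' if ok else 'reject'}  {blk}")
```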
funkenstein
Legendary
Offline
Activity: 1066
Merit: 1050
Khazad ai-menu!

April 10, 2015, 02:13:49 PM

Thanks for your reply, Koubiac.

> The duplicate stake detection mechanism's purpose is to prevent miners from mining on multiple chains when a natural network fork occurs. Without this system miners could mine on both (or more) forks in order to avoid having their block orphaned, and this would hurt the consensus. It's not a security measure against people creating a fork in order to rewrite the transaction history.

OK thanks, I understand the motivation here now. This mechanism helps to force a consensus.

> The chosen inflation level is not the only parameter that matters. If you consider a PoS and a PoW coin that are economically identical (market cap, inflation, transaction volume etc.), the cost of an attack will be orders of magnitude higher in the case of the PoS coin. Let's imagine, as you say, that the PoW coin uses a 6% inflation rate to pay for security and both coins have a $100B market cap.
> - In the case of the PoW coin, the cost of a 51% attack will be 51% * $100B * 6% ~ $3B
> - In the case of the PoS coin, let's suppose that with a 6% inflation rate, 50% of the coins mine; then the cost of a 51% attack will be 51% * $100B * 50% ~ $25B
> And this doesn't even take into account the fact that in our example the actual inflation rate for the PoW coin is 6%, whereas for the PoS coin it's 6% * 50% = 3%. Therefore, the PoS coin is paying half as much for a security level ~8 times better.

Sorry, but this analysis fails. Your numbers on PoW and PoS are calculated differently. Your PoW analysis looks decent, for the case of carrying out the attack for a full year, and assuming 0 frictional costs (ASIC rental service fees, organizational costs, etc). However, the PoS analysis should give exactly the same number, because by construction we have chosen parameters such that both networks pay the same security fee to the miners. Why would I buy the PoS coins? I can borrow them, perform the attack, and return them. Interest rates are frictional costs. The 6% is calculated from the full money supply, but we only need to get 51% of the staking coin, so one could argue this attack would be cheaper than the PoW for the normal case of not all coin being staked (some people might actually want to transact in it).

> > > NeuCoin's mining equation is simply: hash(kernel) < target * balance of UTXO
> > OK, so now we see that the best way to mine NeuCoin is to form massive pools. This is not incentivised by smaller, more regular payouts as it is in Bitcoin, but by a directly higher return due to the formation of a larger UTXO balance. This looks completely broken to me. Am I missing something?
> I'm not sure I get what you mean by that. Your probability to win depends on the size of your stake. Let's imagine you and I both own 100 neucoins. If we mine separately, we both try once per second (therefore, together we try twice per second) to find a solution to: hash(kernel) < target * 100. If we put our coins together, we will once per second try to find a solution to: hash(kernel) < target * 200. So it's exactly the same as trying once per second to find a number between 1 and 1000 or trying twice per second to find a number between 1 and 2000. The odds of succeeding are the same.

OK, you have a point there. What was the point of Sonny's time weighting again? What enforces the 1 per second rule, block time or hashpower?

koubiac (OP)
Newbie
Offline
Activity: 25
Merit: 0

April 13, 2015, 08:55:57 AM

> Sorry, but this analysis fails. Your numbers on PoW and PoS are calculated differently. Your PoW analysis looks decent, for the case of carrying out the attack for a full year, and assuming 0 frictional costs (ASIC rental service fees, organizational costs, etc). However, the PoS analysis should give exactly the same number, because by construction we have chosen parameters such that both networks pay the same security fee to the miners. Why would I buy the PoS coins? I can borrow them, perform the attack, and return them. Interest rates are frictional costs. The 6% is calculated from the full money supply, but we only need to get 51% of the staking coin, so one could argue this attack would be cheaper than the PoW for the normal case of not all coin being staked (some people might actually want to transact in it).

I don't think it does, and I can't say I've ever seen this kind of argument against PoS before. The fact that the cost of a 51% attack scales with the market cap is a well known fact. There is no reason for the "PoS analysis to give the same number". I'm not making any frictionless hypothesis in the case of PoW. If anything, I'm not taking into account the economies of scale that someone willing to buy the equivalent of 51% of the network's hashrate would enjoy. The economics of PoW and PoS security are fundamentally different.

While borrowing the coins might seem like a better option than buying them, the security precisely lies in the fact that one cannot simply borrow 25% of the total currency. In our example, how would you go about borrowing $25B worth of coins? Let's suppose you could; I guess that in return, you would need ~$25B collateral. Once you've attacked the coin and made the price plummet (unlike PoW, the attack can be traced back to you), I very much doubt your collateral wouldn't be seized. Therefore, the attack would still cost you $25B. Also, in the example I gave, I haven't made the hypothesis that 100% of the coins were mining, but only 50%.

> OK, you have a point there. What was the point of Sonny's time weighting again? What enforces the 1 per second rule, block time or hashpower?

By time weighting do you mean the use of coin age in the mining equation? If so, the goal was to diminish the variance of the mining process to encourage small stake miners to mine. It has proven ineffective to attract more miners and it greatly hurts the security of the coin.

Concerning the 1 second rule, it is enforced by the fact that the only parameter that varies with time in the kernel (PoS's equivalent of Bitcoin's block header) is the time stamp, which has a 1-second granularity.

funkenstein
Legendary
Offline
Activity: 1066
Merit: 1050
Khazad ai-menu!

April 13, 2015, 12:37:29 PM

> > Sorry, but this analysis fails. Your numbers on PoW and PoS are calculated differently. Your PoW analysis looks decent, for the case of carrying out the attack for a full year, and assuming 0 frictional costs (ASIC rental service fees, organizational costs, etc). However, the PoS analysis should give exactly the same number, because by construction we have chosen parameters such that both networks pay the same security fee to the miners. Why would I buy the PoS coins? I can borrow them, perform the attack, and return them. Interest rates are frictional costs. The 6% is calculated from the full money supply, but we only need to get 51% of the staking coin, so one could argue this attack would be cheaper than the PoW for the normal case of not all coin being staked (some people might actually want to transact in it).
> I don't think it does, and I can't say I've ever seen this kind of argument against PoS before. The fact that the cost of a 51% attack scales with the market cap is a well known fact. There is no reason for the "PoS analysis to give the same number". I'm not making any frictionless hypothesis in the case of PoW. If anything, I'm not taking into account the economies of scale that someone willing to buy the equivalent of 51% of the network's hashrate would enjoy. The economics of PoW and PoS security are fundamentally different. While borrowing the coins might seem like a better option than buying them, the security precisely lies in the fact that one cannot simply borrow 25% of the total currency. In our example, how would you go about borrowing $25B worth of coins? Let's suppose you could; I guess that in return, you would need ~$25B collateral. Once you've attacked the coin and made the price plummet (unlike PoW, the attack can be traced back to you), I very much doubt your collateral wouldn't be seized. Therefore, the attack would still cost you $25B. Also, in the example I gave, I haven't made the hypothesis that 100% of the coins were mining, but only 50%.

Well, I am more interested in facts that you know and can articulate than those which are "well known". I am interested in particular in how you are avoiding checkpointing.

In terms of the 51% attack, obviously we don't buy ASICs, we go directly to hash rental markets. I just want to reverse a TX a few blocks in, not own the whole network. Similarly with PoS. I put $25B worth of BTC in a smart escrow, so that I only get it back after I return the requisite number of PoS coins to the lenders, with interest / fee / whatever. Then I reverse the transactions on the PoS network I need to reverse, and get you your coin back. There is no reason why a few nice double spends will crash the price to zero, and anyway the lenders have agreed to accept the units back at contractual terms independent of price vs. any other asset. If those numbers seem too large, you can replace them with the actual market cap of your coin for a more realistic scenario.

Yes, I can see how the security against reversing transactions is proportional to market cap, because you are paying 6% of market cap per year (in your example) to those who secure the network. It is well known that you "get what you pay for"... except of course when you don't.

> By time weighting do you mean the use of coin age in the mining equation? If so, the goal was to diminish the variance of the mining process to encourage small stake miners to mine. It has proven ineffective to attract more miners and it greatly hurts the security of the coin.
> Concerning the 1 second rule, it is enforced by the fact that the only parameter that varies with time in the kernel (PoS's equivalent of Bitcoin's block header) is the time stamp, which has a 1-second granularity.

Interesting. Isn't there a range of timestamps I can look through? Do blocks need to be sequential in timestamp? (they don't in bitcoin classic) Time enforcement is very central to these networks; if you have some new approach I would like to hear it.

Troonetpt

April 13, 2015, 01:02:45 PM

> > It would only be more decentralized if the stakes are also more decentralized. Especially considering PoS is mostly used in smaller altcoins, this is a highly questionable claim...
> The magic number is 4: https://blockchain.info/de/pools

The hash rate distribution always changes; no one can occupy the largest market share for a long time.

achimsmile
Legendary
Offline
Activity: 1225
Merit: 1000

April 13, 2015, 01:56:04 PM

> > > It would only be more decentralized if the stakes are also more decentralized. Especially considering PoS is mostly used in smaller altcoins, this is a highly questionable claim...
> > The magic number is 4: https://blockchain.info/de/pools
> The hash rate distribution always changes; no one can occupy the largest market share for a long time.

True. A while ago the magic number was 1. (Ghash.io)

koubiac (OP)
Newbie
Offline
Activity: 25
Merit: 0

April 16, 2015, 03:39:40 PM

> I am interested in particular in how you are avoiding checkpointing. In terms of the 51% attack, obviously we don't buy ASICs, we go directly to hash rental markets. I just want to reverse a TX a few blocks in, not own the whole network. Similarly with PoS. I put $25B worth of BTC in a smart escrow, so that I only get it back after I return the requisite number of PoS coins to the lenders, with interest / fee / whatever. Then I reverse the transactions on the PoS network I need to reverse, and get you your coin back. There is no reason why a few nice double spends will crash the price to zero, and anyway the lenders have agreed to accept the units back at contractual terms independent of price vs. any other asset. If those numbers seem too large, you can replace them with the actual market cap of your coin for a more realistic scenario. Yes, I can see how the security against reversing transactions is proportional to market cap, because you are paying 6% of market cap per year (in your example) to those who secure the network. It is well known that you "get what you pay for"... except of course when you don't.

It depends on what you call "a few blocks". As you are aware, when owning less than 50% of the mining power (be it hash power or staked coins), your probability to successfully conduct the attack decreases exponentially as the number of blocks you want to replace increases. So I guess we agree that to reverse any transaction of significant value, the attacker would need 50% of the mining power. In this case I guess it boils down to: could an attacker realistically "rent" 50% of the mining power? While it might be possible in PoW if you suppose a very fluid hash rental market (it might be worth noting that this is not what Bitcoin is heading towards), in the case of renting the coins themselves, it sounds highly unrealistic. There will never be an escrow system with 1/ no limit to what you can borrow 2/ enough liquidity.

There's no technical flaw in your argumentation, I just don't believe this is a realistic scenario; 50% of the mining coins represents a significant portion of the coins. However, it's a very good point against coins with very low mining participation (and PoW!).

> > By time weighting do you mean the use of coin age in the mining equation? If so, the goal was to diminish the variance of the mining process to encourage small stake miners to mine. It has proven ineffective to attract more miners and it greatly hurts the security of the coin.
> > Concerning the 1 second rule, it is enforced by the fact that the only parameter that varies with time in the kernel (PoS's equivalent of Bitcoin's block header) is the time stamp, which has a 1-second granularity.
> Interesting. Isn't there a range of timestamps I can look through? Do blocks need to be sequential in timestamp? (they don't in bitcoin classic) Time enforcement is very central to these networks; if you have some new approach I would like to hear it.

What do you mean by look through? If you mean guess when your stakes will mine, the stake modifier prevents this. Blocks do not need to have sequential timestamps. Anyone can broadcast a valid block at any time; however, nodes do not accept blocks created with a proof whose time stamp is too far in the future.

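The per-second kernel check, the separate-versus-pooled stake argument from koubiac's earlier reply to funkenstein, and the future-timestamp rule in the post above, as an added Python model written for this thread; it is not NeuCoin's code, and the kernel layout, stake modifier, target, sample UTXO ids and the 120-second drift limit are constructed assumptions. It goes slightly beyond the text by separating the expected number of winning kernels per second (identical for pooled and separate stakes) from the probability of at least one win.

```python
import hashlib
from typing import Dict, List, Tuple

HASH_SPACE = 1 << 256            # SHA-256 output range
MAX_FUTURE_DRIFT = 120           # seconds a block time may lead node time (assumed value)

# Constructed fixtures: a stake modifier and a target. Real values are not on the page.
STAKE_MODIFIER = hashlib.sha256(b"constructed stake modifier").digest()
# Target chosen so a 100-coin stake wins with probability 100/20000 = 0.005 per second.
TARGET = HASH_SPACE // 20_000


def kernel_hash(stake_modifier: bytes, utxo_id: bytes, timestamp: int) -> int:
    """Hash of a constructed kernel. Only the timestamp varies with time, so a
    UTXO yields exactly one fresh kernel per second (the '1 per second rule')."""
    data = stake_modifier + utxo_id + timestamp.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def stake_meets_target(stake_modifier: bytes, utxo_id: bytes, balance: int,
                       timestamp: int, target: int) -> bool:
    """The mining check quoted in the thread: hash(kernel) < target * balance."""
    return kernel_hash(stake_modifier, utxo_id, timestamp) < target * balance


def win_probability(balance: int, target: int) -> float:
    """Per-second success probability: the share of the hash space below target*balance."""
    return min(1.0, (target * balance) / HASH_SPACE)


def pooling_comparison(balance: int, target: int) -> Dict[str, float]:
    """Two separate stakes of `balance` versus one pooled stake of 2*balance.

    Expected winning kernels per second are identical (2p in both cases), so
    pooling buys no extra block rate. The 'at least one win' probabilities
    differ only by p**2, the chance that both separate stakes win the same second.
    """
    p = win_probability(balance, target)
    return {
        "expected_wins_separate": 2 * p,
        "expected_wins_pooled": win_probability(2 * balance, target),
        "p_any_win_separate": 1 - (1 - p) ** 2,
        "p_any_win_pooled": win_probability(2 * balance, target),
    }


def count_winning_seconds(stakes: List[Tuple[bytes, int]], target: int,
                          stake_modifier: bytes, start_time: int, seconds: int) -> int:
    """Simulate `seconds` of staking, one kernel per stake per second, counting
    the seconds in which at least one of the stakes meets the target."""
    wins = 0
    for t in range(start_time, start_time + seconds):
        if any(stake_meets_target(stake_modifier, utxo, bal, t, target) for utxo, bal in stakes):
            wins += 1
    return wins


def block_time_acceptable(block_time: int, node_time: int,
                          max_future_drift: int = MAX_FUTURE_DRIFT) -> bool:
    """Node-side rule from the thread: reject a proof whose time stamp is too far
    in the future. Timestamps need not be sequential, so no lower bound is applied."""
    return block_time <= node_time + max_future_drift


if __name__ == "__main__":
    separate = [(b"utxo-A", 100), (b"utxo-B", 100)]
    pooled = [(b"utxo-C", 200)]
    start, n = 1_428_000_000, 20_000
    print("analytic:", pooling_comparison(100, TARGET))
    print("simulated winning seconds, separate:",
          count_winning_seconds(separate, TARGET, STAKE_MODIFIER, start, n))
    print("simulated winning seconds, pooled:  ",
          count_winning_seconds(pooled, TARGET, STAKE_MODIFIER, start, n))
    print("block 10 s ahead accepted:", block_time_acceptable(start + 10, start))
    print("block 10 min ahead accepted:", block_time_acceptable(start + 600, start))
```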