|
|
|
|
|
|
|
|
|
|
|
The forum strives to allow free discussion of any ideas. All policies are built around this principle. This doesn't mean you can post garbage, though: posts should actually contain ideas, and these ideas should be argued reasonably.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
|
d5000
Legendary
 Offline
Activity: 3892
Merit: 6134
Decentralization Maximalist
|
 |
November 20, 2017, 06:16:39 PM |
|
That are awesome news! I'm waiting for cold minting for years ... Time to come back to Peercointalk?  I've superficially read the Medium article and so far it seems a good proposal, will re-read it later because I've still not entirely understood some of the technical details. A maybe controversial comment: I'm for the abolition of the concept of coin-days entirely. That would, obviously, mean to follow the path that NXT and Peercoin clones like Blackcoin have taken, and for some may mean "throwing basic Peercoin principles". But afaik research on this topic, by various parties, has shown that coin-days is doing more harm than it is protecting the chain - because attackers, with this mechanism, can always accumulate more power with less stake and once they've accumulated enough power to be near an attack, can only be stopped with immense amounts of "staking coins". |
|
|
|
Nagalim
Newbie
Offline
Activity: 33
Merit: 0
|
|
November 20, 2017, 06:56:24 PM |
|
A maybe controversial comment: I'm for the abolition of the concept of coin-days entirely. That would, obviously, mean to follow the path that NXT and Peercoin clones like Blackcoin have taken, and for some may mean "throwing basic Peercoin principles". But afaik research on this topic, by various parties, has shown that coin-days is doing more harm than it is protecting the chain - because attackers, with this mechanism, can always accumulate more power with less stake and once they've accumulated enough power to be near an attack, can only be stopped with immense amounts of "staking coins".
The chainweight in Peercoin's security model was switched from coindays to PoS difficulty some time ago, coindays are only used to determine the mint reward. So your concerns have already been accounted for in Peercoin. |
|
|
|
|
d5000
Legendary
Offline
Activity: 3892
Merit: 6134
Decentralization Maximalist
|
|
November 20, 2017, 07:59:41 PM |
|
The chainweight in Peercoin's security model was switched from coindays to PoS difficulty some time ago, coindays are only used to determine the mint reward. So your concerns have already been accounted for in Peercoin.
Ah, ok, thanks for the information! In this case, I think Peercoin - with the cold minting feature - would be fully prepared for the abolition of the centrally broadcasted checkpoints. |
|
|
|
Nagalim
Newbie
Offline
Activity: 33
Merit: 0
|
|
November 20, 2017, 08:44:37 PM |
|
centrally broadcasted checkpoints.
Checkpoints were made optional via an easily accessible checkbox in v0.6. Developers still believe checkpoints have value as a voluntary option, especially if we do something like multisig checkpoints in the future. Turning this feature off is currently as easy as unchecking a box in settings>options. |
|
|
|
|
|
HichemFetoui
|
|
November 22, 2017, 05:27:22 PM |
|
excellent projet .. je vais voir si je peut investir dans ce ico cette année j'ai investit dans beaucoup de ico pourquoi pas celui la |
|
|
|
|
antaresus
Member
Offline
Activity: 117
Merit: 11
|
|
November 22, 2017, 11:09:02 PM |
|
|
|
|
|
|
d5000
Legendary
Offline
Activity: 3892
Merit: 6134
Decentralization Maximalist
|
|
November 23, 2017, 03:40:07 AM |
|
Checkpoints were made optional via an easily accessible checkbox in v0.6. Developers still believe checkpoints have value as a voluntary option, especially if we do something like multisig checkpoints in the future. Turning this feature off is currently as easy as unchecking a box in settings>options.
Yep, I knew that. However, even if some nodes disable the centrally broadcasted checkpoints, some will still follow them - and that converts them, in theory, in a vulnerability (it's not that the checkpoint key owner had to be an attacker, but it could be the case that his checkpoint server gets "lured" into an attack chain by an attacker), above all, if the checkpoint option is used by nodes that are minting. I would prefer a rolling checkpoint scheme like in NXT and many other PoS cryptocoins. Or even Vitalik's exponential subjective scoring. |
|
|
|
Nagalim
Newbie
Offline
Activity: 33
Merit: 0
|
|
November 23, 2017, 09:17:25 AM |
|
What do you mean when you say "lured into an attack chain"? If the false chain is does not have more chainweight than the true chain, then you would have to prevent the checkpoint server from accessing the open internet, a feat that becomes very difficult if we implement multisig. If it does have more chainweight, then it is by definition the true chain, so broadcasting it is not an issue.
Isolating the checkpoint server from the open internet is similar to isolating a single large minter. You really can't do limitless damage, as all transactions and blocks have to be cryptographically valid. The maximal disruption is probably along the lines of causing a fork between checkpoint enforced and checkpoint unenforced that will reorg to the heavier chain when the checkpoint server sees the open internet again.
|
|
|
|
|
d5000
Legendary
Offline
Activity: 3892
Merit: 6134
Decentralization Maximalist
|
|
November 23, 2017, 09:58:48 PM |
|
What do you mean when you say "lured into an attack chain"? If the false chain is does not have more chainweight than the true chain, then you would have to prevent the checkpoint server from accessing the open internet, a feat that becomes very difficult if we implement multisig. If it does have more chainweight, then it is by definition the true chain, so broadcasting it is not an issue. I'm referring here to the "long-range attack" or "history attack" - e.g. the attacker would buy a large stake of coins, deposit them on his wallet (so he can cryptographically prove he "possessed" them), and then sell them again, but secretly minting a chain where he transfers the coins he supposedly sold to an address he controls via a double spend. This chain would need to be "designed" so that it accumulates more chain weight than the "true" chain (so it's not a cheap attack -> he, in some moment, would have to possess a very large amount of coins, but he can sell them again). If he can manage to spot the IP address of the "checkpoint server", I suppose he can try to lure him into a reorganization using his attack chain on multiple "fake nodes" that would try to connect to the checkpoint server. It would be very probably worse than a normal history attack (where the attacker is trying to "lure" large minters into his chain) if most nodes still follow the centrally broadcasted checkpoints. |
|
|
|
Nagalim
Newbie
Offline
Activity: 33
Merit: 0
|
|
November 24, 2017, 05:35:32 AM |
|
If the attacker forms a chain with higher chainweight, checkpoints won't hinder or help the reorg. That higher weight chain will replace all instances of the current chain, regardless of if they have checkpoints enforced or not. The only way to use checkpoints in an attack is to block the checkpoint server from the open internet. The thing is, it's near impossible to find the IP address of the checkpoint server, because checkpoint authority is based on a cryptographic signature rather than an IP address.
|
|
|
|
|
jc12345
Legendary
Offline
Activity: 1638
Merit: 1013
|
|
November 24, 2017, 05:43:39 AM |
|
I read somewhere that peercoin is working on an implementation of cold minting from a hardware wallet like Ledger Nano S. When do you foresee this to be implemented?
|
|
|
|
|
Nagalim
Newbie
Offline
Activity: 33
Merit: 0
|
|
November 24, 2017, 07:06:11 AM |
|
Cold minting will take a hardfork to accomplish. It is possible we will see it rolled out in the next couple updates, but as it is still somewhat controversial I would rather not specify a timeline yet.
|
|
|
|
|
antaresus
Member
Offline
Activity: 117
Merit: 11
|
|
November 25, 2017, 08:51:45 AM |
|
|
|
|
|
|
|
reffi
|
|
November 25, 2017, 06:11:42 PM |
|
PPC is one of the oldest legacy coins out there, its like a close family friend, hope it finally has a chance to go $50 next year!
|
|
|
|
|
tooh
Member
Offline
Activity: 156
Merit: 10
|
|
November 26, 2017, 07:59:53 AM |
|
In 2017 Many ICOs were created. When fake ico lost credibility. Investors are looking for old coins.
|
|
|
|
|
d5000
Legendary
Offline
Activity: 3892
Merit: 6134
Decentralization Maximalist
|
|
November 26, 2017, 12:16:50 PM |
|
If the attacker forms a chain with higher chainweight, checkpoints won't hinder or help the reorg. That higher weight chain will replace all instances of the current chain, regardless of if they have checkpoints enforced or not.
In this scenario, a long-range double-spend attacker would always be successful (and checkpoints would only be helpful for short-range forks), As far as I have understand Vitalik Buterin's "Weak Subjectivity" paradigm, this behaviour (the chain with the highest weight winning every time, even if it's a fake chain) should be avoided at all costs, because even if the attack is difficult and expensive, there is an incentive to try it if you always will be successful. Chain-weight, unfortunately in PoS coins is not objective, because it can be faked. That's why some pure PoS coins prohibit long reorgs (the "rolling checkpoints" I mentioned before) and use techniques like Economic Clustering to know if well-known nodes like exchanges are on the same chain like you. With these mechanisms it can be avoided that the attacker "establishes" his attack chain, because most nodes won't follow him even if his chain-weight is higher. But yes, you sacrifice "objectivity" - but at the same time, you dis-incentive these attacks, so they become almost impossible. |
|
|
|
Nagalim
Newbie
Offline
Activity: 33
Merit: 0
|
|
November 26, 2017, 01:11:17 PM |
|
I don's understand what you mean when you talk about 'faking chainweight'. If you have a heavier chainweight, your chain is the 'real' chain by definition. What is your definition of a 'fake chain'?
|
|
|
|
|
d5000
Legendary
Offline
Activity: 3892
Merit: 6134
Decentralization Maximalist
|
|
November 26, 2017, 01:50:29 PM |
|
I don's understand what you mean when you talk about 'faking chainweight'. If you have a heavier chainweight, your chain is the 'real' chain by definition. What is your definition of a 'fake chain'?
With "faking chainweight" I mean the chain-weight of a chain that includes an alternative transaction as a consequence of a double spend (long-range attack). The mechanism in detail: 1) the attacker buys, mines and/or lends a large number of coins - he must calculate the approximate number of coins that are staking, and buy more than 50% of them (e.g. 15%+ of the total supply if 30% are continuously "staking") 2) He deposits the coins on a wallet (or various wallets), still without trying to "stake". 3) After some blocks he sells the coins again (this procedure can take as long as he wants if there is no reorg limit). 4) At the same block height he transferred the coins to the exchange, he (secretly) issues a double spend to a wallet he owns and disconnects his client from the network. 5) He then secretly mints an attack chain that contains this double spend (without publishing it). This attack chain would have more chain-weight than the "normal best chain": From the point of view of his wallet/client he still owns the coins and so he can use them to stake, and as in his attack chain he owns more coins than the rest of the stakers, the weight of the chain is higher. 6) When he has sold all coins (step 3 accomplished) then he publishes the attack chain - it would have more chain-weight than the "true" chain but as we have seen the weight is "faked" using the double spend. If what you said in the previous post is true and all nodes - including the checkpoint node - always follow the chain with most weight, step 6 would lead to a re-organization on all nodes that obey the protocol and eventually all of them would follow the attack chain. The attack would have succeeded. If the attacker specifically tries to connect to the checkpoint node, then his attack would probably succeed even faster. I know this attack is very expensive, but the attacker can design it in a way he can profit from it (e.g. if he manages to drive the price higher before he sells). And if he is very likely to succeed, then the incentive is high for a rich individual or group to try it. |
|
|
|
Nagalim
Newbie
Offline
Activity: 33
Merit: 0
|
|
November 26, 2017, 06:59:45 PM |
|
So you are talking about a 50% attack, which is also executable on the Bitcoin chain and basically any crypto. It at first appears more tempting for Peercoin because it doesn't require investment in hardware like it does on Bitcoin. However, you do invest in the digital coins, hoping to sell them before you unleash your attack chain. This is similar to selling your Bitcoin hardware after attacking the chain, in that you can recover some of your investment and still carry out the attack. So on its face, 50% attacking Peercoin is similar to 50% attacking any crypto, in that it requires overcoming whatever network effect the coin has generated.
For the specific long-range nature of the attack you describe, it is important to realize that clients will not reorg beyond a certain depth (Peercoin has two types of checkpoints: 'synchronized', which is what we've been talking about, and 'hard', which is what I'm talking about now and something that Bitcoin also has). So what you describe will cause a fork between fresh chain downloads and old nodes. As the checkpoint server is an old node, it will not follow the attack chain and new users can follow the checkpoints to get on the old chain. Then there can be an emergency client update that specifically bans that fork, or something similar.
A 50% attack is indeed no joke.
|
|
|
|
|
|
