PPCoin is NOT a decentralized cryptocurrency

[Sunny King]

You do lose a little due to compound interest. I get 1% interest a year from PPCoin. This is compounded every time I get a block. Getting the block earlier increases the compounding frequency.
I concede that the benefit is extremely small.

My problem is as follows:

1) There is a positive incentive to adopt modified code.
2) The modified code invalidates the proof-of-stake mechanism.

A cheap attack is to release modified code and pay new users a small amount to adopt it. Stake contributed by these corrupted clients would no longer secure the network. You depend on the residual users who decide to use the original code out of altruism. Again, admittedly just a tiny bit of altruism would suffice to motivate them.

Anyways, the broader point is that security should be created by block validity rules. These rules are enforceable. Modifiable code should not be the basis for security.
The blockchain-based solution is to require stakeholders to submit work when they submit signatures. This rule can be enforced in the blockchain.

This probably belongs to the same type of issues as the other open issue that minters may stop processing transactions. I generally consider under these type of situations most rational nodes would not try to modify client to gain very little profit. Tragedy of the commons most likely does not apply as the gain is minimal.

Ideally it would be nice to not have this type of issues, but in practice it might not be easy to completely rid of them given the design goals and other more serious attacks to defend. Also if it's true that users are easily bribed to adopt corrupted clients, then there are likely a lot more tragedy of the commons type of attacks to all cryptocurrencies including bitcoin.

But anyways we can keep this topic open in case it becomes realistic.

[1715189200]

1715189200

[1715189200]

1715189200

[Sunny King]

It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.

[pyra-proxy]

You do lose a little due to compound interest. I get 1% interest a year from PPCoin. This is compounded every time I get a block. Getting the block earlier increases the compounding frequency.
I concede that the benefit is extremely small.

My problem is as follows:

1) There is a positive incentive to adopt modified code.
2) The modified code invalidates the proof-of-stake mechanism.

A cheap attack is to release modified code and pay new users a small amount to adopt it. Stake contributed by these corrupted clients would no longer secure the network. You depend on the residual users who decide to use the original code out of altruism. Again, admittedly just a tiny bit of altruism would suffice to motivate them.

Anyways, the broader point is that security should be created by block validity rules. These rules are enforceable. Modifiable code should not be the basis for security.
The blockchain-based solution is to require stakeholders to submit work when they submit signatures. This rule can be enforced in the blockchain.

This probably belongs to the same type of issues as the other open issue that minters may stop processing transactions. I generally consider under these type of situations most rational nodes would not try to modify client to gain very little profit. Tragedy of the commons most likely does not apply as the gain is minimal.

Ideally it would be nice to not have this type of issues, but in practice it might not be easy to completely rid of them given the design goals and other more serious attacks to defend. Also if it's true that users are easily bribed to adopt corrupted clients, then there are likely a lot more tragedy of the commons type of attacks to all cryptocurrencies including bitcoin.

But anyways we can keep this topic open in case it becomes realistic.

Would it not be relatively trivial to force a client to expend a portion of their coin age every time they sign a block and the remaining from the whole less a portion if they sign the "winning" block?  This way the will expend a whole coin age expenditure on the winning plus additional portions of the whole for every other split they sign?  ***note: does not fully understand PPC so this is just conjecture at best

[cunicula]

It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.

The obvious fix is to require work submission to accompany stake signatures. Could you explain why you don't want to do this?

[Sunny King]

It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.

The obvious fix is to require work submission to accompany stake signatures. Could you explain why you don't want to do this?

I have stated this numerous times, the goal of ppcoin project is to demonstrate energy consumption is not required to secure a cryptocurrency. If you want an implementation of your hybrid proof-of-stake design you are free to start your own coin, forking off ppcoin code is also welcome. I would only consider enhancement proposals that preserve energy-efficiency of ppcoin.

[ElectricMucus]

It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.

The obvious fix is to require work submission to accompany stake signatures. Could you explain why you don't want to do this?

I have stated this numerous times, the goal of ppcoin project is to demonstrate energy consumption is not required to secure a cryptocurrency. If you want an implementation of your hybrid proof-of-stake design you are free to start your own coin, forking off ppcoin code is also welcome. I would only consider enhancement proposals that preserve energy-efficiency of ppcoin.

Except it is not more energy efficient. You are just engage in obscuration of difficulty and it's connection to energy consumption.

[cunicula]

It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.

The obvious fix is to require work submission to accompany stake signatures. Could you explain why you don't want to do this?

I have stated this numerous times, the goal of ppcoin project is to demonstrate energy consumption is not required to secure a cryptocurrency. If you want an implementation of your hybrid proof-of-stake design you are free to start your own coin, forking off ppcoin code is also welcome. I would only consider enhancement proposals that preserve energy-efficiency of ppcoin.

Okay, so it's all or nothing for you. That doesn't make any sense to me, but I'll respect that and try to come up with solutions that meet your ideals. I agree that (as an ideal) it would be better to have no work involved at all.

If you're really after this, you need to fork PPC so that it generates only proof-of-stake blocks and does not use centralized checkpointing. If it works, then we're golden. Otherwise the energy-efficient cryptocurrency is just an unsubstantiated hypothesis.

[cunicula]

It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.

Punishments would likely cause reorganization of the currently accepted chain. Blocks and txns that were valid would become invalid once duplicate stake is incorporated in an older block. Strategic insertion of duplicate stake would become a double-spending strategy. My guess is that attempts to punish offending addresses will introduce very severe problems. People will strategically seek out these punishments to mess with the blockchain.

I think the appropriate strategy is to fiddle with the proof-of-stake reward. You want to make it so that, once your stake block is included in the main chain, you would always suffer from using the same stake to mine a block in an earlier, alternate chain.

For example say that you make the stake block reward as follows:

stake coins * (0.01+confirmations on stake coins/length of main chain in blocks*0.5)*coin-age in years. [This formula should be continuous compounding, but the simple one is easier to read.]

Then you have a minimum interest rate of 1% and a maximum of 51% (if you use coins that have sat idle since the genesis block). You get rewarded for delaying inclusion of your stake block. If you use the same stake to build on earlier branches of the chain, then you risk causing a reorganization that takes away your reward.

Some people will benefit from a reorg ex-post, but if they participate in the re-org, they will suffer from it. You can think of re-orgs as redistributing block reward from attackers to everyone else.

A question that arises is: If you always benefit from mining later rather than now, then why mine now? I think the answer is that some people will always be impatient and want spendable coins right away. You should take advantage of human weakness and use it secure the blockchain.

[pyra-proxy]

A question that arises is: If you always benefit from mining later rather than now, then why mine now? I think the answer is that some people will always be impatient and want spendable coins right away. You should take advantage of human weakness and use it secure the blockchain.

Could you improve this by making the algo such that the reward bonus works in a logarithmic factor ... i.e. if I wait 1 month I get say 5%, 2 months I get say 9%, 3 months - 12% and so forth (Numbers fudged for example) .... eventually you would get to the point where people would be encouraged to apply their stake in lieu of the diminishing reward increases.  And in this way you are not 100% relying on human weakness.

[cunicula]

A question that arises is: If you always benefit from mining later rather than now, then why mine now? I think the answer is that some people will always be impatient and want spendable coins right away. You should take advantage of human weakness and use it secure the blockchain.

Could you improve this by making the algo such that the reward bonus works in a logarithmic factor ... i.e. if I wait 1 month I get say 5%, 2 months I get say 9%, 3 months - 12% and so forth (Numbers fudged for example) .... eventually you would get to the point where people would be encouraged to apply their stake in lieu of the diminishing reward increases.  And in this way you are not 100% relying on human weakness.

I don't think you would want to do that. Human weakness is pretty reliable.

[Jutarul]

This probably belongs to the same type of issues as the other open issue that minters may stop processing transactions. I generally consider under these type of situations most rational nodes would not try to modify client to gain very little profit...But anyways we can keep this topic open in case it becomes realistic.

IIRC this refers to the QoS issue with the missing incentives to incorporate transactions into the generated blocks. I would give that a lower priority than the issue discussed in this thread. Preventing double spending and creating a strong main chain are very important. QoS issues are a nuisance, Trust issues are a hazard.

Anyway - AFAIK one way to mitigate the risk of double spending is to just increase the number of required confirmations - and that can be chosen by the participants of a transaction. It may make ppcoin impractical for any form of fast transaction processing, but may still be viable for transfers which need cheap transaction fees (one of the effects of lower energy consumption is lower cost of maintaining the network at a higher level of security [51% attack] ) and can wait for a few days.

However, I like the idea of cunicula to impose some form of cost on creating a rejected proof-of-stake block. In that case the network would have to negotiate on what a rejected proof-of-stake block is, how to count them and what cost it generates on the used stake.

[ripper234]

I just read most of this interesting thread.

The way I see it, the goal of PPCoin should be to lead the Proof of Stake currency space. As such a leader, it is essential that a simple security model for how it works is prepared and presented. The model should be on the same "analysis complexity level" as Satoshi's whitepaper - it should make it easy for every capable person to validate the model's assumptions and predictions.

I am somewhat invested in PPCoin, because of two reasons:

1. IMO Sunny King has shown some capabilities and innovation, as well as good communication practices. I haven't seen him "pull a RealSolid" and lose it.
2. I believe Proof of Stake is a good hedge for Proof of Work, and PPCoin is the best PoS coin we have.

Still, I agree with the detractors and think that a security analysis is clearly missing.
Perhaps such an analysis will reveal some changes to PPCoin that could solidify its security?
If a major change in PPCoin is required, now is a much better time to implement it rather than in a year or two.

Sunny King - PPCoin is not a research project anymore, with a market cap of $6,000,000. 8 months have passed since this thread was created. Sunny King, whatever else was on your development roadmap this past 8 months, isn't it time to focus on this aspect of PPCoin's security?

Detractors - Do you have constructive proposals for increasing the security of PPCoin? I think that solid, well documented proposals, will be favorably considered. I kind of like that Sunny King insists on such proposals to maintain the "long term energy efficient" property of PPCoin - the goal isn't to consume 1/2 or 1/5 of the electricity and hardware that Bitcoin does, but to achieve a cryptocurrency that's multiple orders of magnitudes more energy efficient than Bitcoin. Security should not be compromised for this end, but neither should energy efficiency.

Isn't there a Grand Unifying Theory of PoS that is easy to analyze, "secure enough", and diminishes the significance of PoW as time progresses?

[jubalix]

@Sunny and @AndyRossy,

How about that EGO claim of Sunny's eh? Someone has a huge ego claiming their development time into PPC which they have no formula, have no analysis, and have an incomplete white paper is worth $100k-$200k and that bitcoin development is ONLY worth about $500k, don't you think?

So funny that many of the claims that are made are so true of yourselves in your attempts to continually detract attention from PPC and the important questions that people have asked and will continue to ask.

hang on hang on even if this quote is attributable (and I can get my retinas back)...so what

this maybe a true claim of cost to do....I think you (or someone) admitted Sunnys work was more complex. It's not (always)ego to say  I think my work is worth X and that work over there is worth Y. It just a persons market appraisal.

[Jutarul]

The way I see it, the goal of PPCoin should be to lead the Proof of Stake currency space. As such a leader, it is essential that a simple security model for how it works is prepared and presented. The model should be on the same "analysis complexity level" as Satoshi's whitepaper - it should make it easy for every capable person to validate the model's assumptions and predictions.
....
Isn't there a Grand Unifying Theory of PoS that is easy to analyze, "secure enough", and diminishes the significance of PoW as time progresses?

Unfortunately the community will have to reverse engineer the security model of ppcoin in an effort to document it. On that note I'd like to push the idea of a tournament scheme to introduce a habit of exploring the security of POS (https://bitcointalk.org/index.php?topic=152809.0). I haven't had time to work on the details, but the idea is out there and people should state their opinions.

The POS implementation in ppcoin and any of its derivatives is mainly broken at this time. There has been an acclaimed "fix", but based on my analysis all it did was to disguise the underlying problems. A practice which seems to be systemic for the development of ppcoin. However, that doesn't prevent people from bidding the price of ppcoin up - 99% of traders have no technical understanding.

The current POS implementation in ppcoin has the following problems:
1) No theory model on required stake granularity and steady state allocations for stake. I want to see a differential equation.
2) Missing incentive structure to perform transaction validation
3) No effective cost for working on competing branches with respect to the main chain
4) Reversibility between stake and coins - leading to a situation in which market price manipulations change the incentive structure for allocating stake

Especially 4) gets me worried. It exhibits opposite dynamics to POW. In POW, an increase in price encourages investments in hashing power and leads to a strengthening of the network, while in POS, an increase in price creates an incentive to move coins out of stake, effectively weakening the network. However 4) could be dealt with a protocol enhancement which prevents the reversibility between stake and coins.

I still stand by my assessment that ppcoin is an unfinished cryptocurrency. Any investments in it will evaporate as soon as the underlying flaws start to affect the resilience of the system. Buyer beware, drama included!

[jubalix]

The way I see it, the goal of PPCoin should be to lead the Proof of Stake currency space. As such a leader, it is essential that a simple security model for how it works is prepared and presented. The model should be on the same "analysis complexity level" as Satoshi's whitepaper - it should make it easy for every capable person to validate the model's assumptions and predictions.
....
Isn't there a Grand Unifying Theory of PoS that is easy to analyze, "secure enough", and diminishes the significance of PoW as time progresses?

Unfortunately the community will have to reverse engineer the security model of ppcoin in an effort to document it. On that note I'd like to push the idea of a tournament scheme to introduce a habit of exploring the security of POS (https://bitcointalk.org/index.php?topic=152809.0). I haven't had time to work on the details, but the idea is out there and people should state their opinions.

The POS implementation in ppcoin and any of its derivatives is mainly broken at this time. There has been an acclaimed "fix", but based on my analysis all it did was to disguise the underlying problems. A practice which seems to be systemic for the development of ppcoin. However, that doesn't prevent people from bidding the price of ppcoin up - 99% of traders have no technical understanding.

The current POS implementation in ppcoin has the following problems:
1) No theory model on required stake granularity and steady state allocations for stake. I want to see a differential equation.
2) Missing incentive structure to perform transaction validation
3) No effective cost for working on competing branches with respect to the main chain
4) Reversibility between stake and coins - leading to a situation in which market price manipulations change the incentive structure for allocating stake

Especially 4) gets me worried. It exhibits opposite dynamics to POW. In POW, an increase in price encourages investments in hashing power and leads to a strengthening of the network, while in POS, an increase in price creates an incentive to move coins out of stake, effectively weakening the network. However 4) could be dealt with a protocol enhancement which prevents the reversibility between stake and coins.

I still stand by my assessment that ppcoin is an unfinished cryptocurrency. Any investments in it will evaporate as soon as the underlying flaws start to affect the resilience of the system. Buyer beware, drama included!

is all the ppc code os?

if so can't you just read through the code?

[Jutarul]

is all the ppc code os?

if so can't you just read through the code?

Yes. Everything is open source. However, recreating the design documents from the source code is like trying to learn about civil engineering from looking at how people build bridges.

[sangaman]

I really think the best thing Sunny King could do for the development of proof of stake currency is to discuss the potential weaknesses of the current system, what is currently done to combat those, and what ideas he might have for the future. I'd like to get involved, but I feel there's not enough clear information out there for me to get a good grasp of how the current implementation works and where its weaknesses may lie. I'd be extremely interested to read about this and I think proof of stake cryptocurrency is a worthy cause and, if done right, I imagine it could have both efficiency and security advantages over traditional proof of stake coins.

[mr_random]

I really think the best thing Sunny King could do for the development of proof of stake currency is to discuss the potential weaknesses of the current system, what is currently done to combat those, and what ideas he might have for the future. I'd like to get involved, but I feel there's not enough clear information out there for me to get a good grasp of how the current implementation works and where its weaknesses may lie. I'd be extremely interested to read about this and I think proof of stake cryptocurrency is a worthy cause and, if done right, I imagine it could have both efficiency and security advantages over traditional proof of stake coins.

As far as I am aware there are no known vulnerabilities. It's just FUD.

There's a huge number of PPCoins traded daily and they are worth over 30 cents, if there was some known exploit it would have been carried out.

[BitcoinAshley]

I really think the best thing Sunny King could do for the development of proof of stake currency is to discuss the potential weaknesses of the current system, what is currently done to combat those, and what ideas he might have for the future. I'd like to get involved, but I feel there's not enough clear information out there for me to get a good grasp of how the current implementation works and where its weaknesses may lie. I'd be extremely interested to read about this and I think proof of stake cryptocurrency is a worthy cause and, if done right, I imagine it could have both efficiency and security advantages over traditional proof of stake coins.

As far as I am aware there are no known vulnerabilities. It's just FUD.

There's a huge number of PPCoins traded daily and they are worth over 30 cents, if there was some known exploit it would have been carried out.

... Uh, what?
You could have said the exact same thing about Terracoin until quite recently, when the known exploit WAS carried out.
You could have said the same thing about BITCOIN until the external dependency bug that caused the blockchain to split in 2...

You would make a very poor software engineer if your security analysis was based on "Well, people are using it, and it works fine, so let's not even address this known method of attack simply because it hasn't happened yet."

"If it ain't broke, don't fix it" doesn't work because we are trying to plan for things that might break, i.e. obvious vulnerabilities that could be taken advantage of in a realistic situation.

[mr_random]

I really think the best thing Sunny King could do for the development of proof of stake currency is to discuss the potential weaknesses of the current system, what is currently done to combat those, and what ideas he might have for the future. I'd like to get involved, but I feel there's not enough clear information out there for me to get a good grasp of how the current implementation works and where its weaknesses may lie. I'd be extremely interested to read about this and I think proof of stake cryptocurrency is a worthy cause and, if done right, I imagine it could have both efficiency and security advantages over traditional proof of stake coins.

As far as I am aware there are no known vulnerabilities. It's just FUD.

There's a huge number of PPCoins traded daily and they are worth over 30 cents, if there was some known exploit it would have been carried out.

... Uh, what?
You could have said the exact same thing about Terracoin until quite recently, when the known exploit WAS carried out.
You could have said the same thing about BITCOIN until the external dependency bug that caused the blockchain to split in 2...

You would make a very poor software engineer if your security analysis was based on "Well, people are using it, and it works fine, so let's not even address this known method of attack simply because it hasn't happened yet."

"If it ain't broke, don't fix it" doesn't work because we are trying to plan for things that might break, i.e. obvious vulnerabilities that could be taken advantage of in a realistic situation.

The Terracoin saga backs up what I am saying. It's called empirical justification. People were at one point deliberately attacking Terracoin and trying to do double spends. You think they weren't trying to attack PPCoin either? Of course they were. Terracoin also crumbled under the pressure of ASICs. Do you think those ASICs decided not to bother mining PPCoin?

PPCoin has stood up to every challenge thrown at it so far. At the end of the day, empirically withstanding testing 'out in the wild' breeds confidence... it's what Bitcoin has had to do. Despite all the papers and discussions on it, there is no mathematical proof that the entire Bitcoin protocol is fail-safe. And no-one said "if it ain't broke, don't fix it', your reading comprehension is awful, so please spare me the condescension. And as for, "let's not even address this known method of attack", try reading my first sentence again and ask yourself why you're trying to say that to me.