Bitcoin Forum
November 09, 2024, 11:47:26 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Proof-of-stake and unlimited alternate chains attack  (Read 1772 times)
mably (OP)
Sr. Member
****
Offline Offline

Activity: 380
Merit: 266



View Profile
April 23, 2015, 11:31:10 PM
Last edit: April 23, 2015, 11:43:52 PM by mably
 #1

« The basic problem with all PoS vs PoW is that it doesn't take real time to construct unlimited alternate chains which can then be used for attacks. »

Here we are Jonald, let's start to build our attack scenario here.

I'll try to synchronize with the wiki page simultaneously: https://wiki.peercointalk.org/index.php?title=Unlimited_alternate_chains_attack
I'll also try to update the original post to synthesize things there.

We need to describe step by step how it is going to happen, where do we start?

First some info about our greedy minter, let's say he owns 10% of currently minting stakes, would be too easy if he owned 51% of them Wink

The greedy minter plans to construct alternate chains to attack the consensus of the network.
jonald_fyookball
Legendary
*
Offline Offline

Activity: 1302
Merit: 1008


Core dev leaves me neg feedback #abuse #political


View Profile
April 23, 2015, 11:39:57 PM
 #2

Construction of alternate chains is the way to attack the consensus of the network.  Do we agree on that?

mably (OP)
Sr. Member
****
Offline Offline

Activity: 380
Merit: 266



View Profile
April 23, 2015, 11:41:13 PM
 #3

Construction of alternate chains is the way attack the consensus of the network.  Do we agree on that?
Sounds ok to me.  Let's focus on one of those alternate chain then.
jonald_fyookball
Legendary
*
Offline Offline

Activity: 1302
Merit: 1008


Core dev leaves me neg feedback #abuse #political


View Profile
April 23, 2015, 11:44:39 PM
 #4

Construction of alternate chains is the way attack the consensus of the network.  Do we agree on that?
Sounds ok to me.

Another assumption is we use the longest chain rule for consensus.  right?

mably (OP)
Sr. Member
****
Offline Offline

Activity: 380
Merit: 266



View Profile
April 23, 2015, 11:47:02 PM
 #5

Construction of alternate chains is the way attack the consensus of the network.  Do we agree on that?
Sounds ok to me.

Another assumption is we use the longest chain rule for consensus.  right?

In PoS coins like peercoin and most forks of peercoin we use the notion of chain trust.  Shorter chains may have higher chain trust.

https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/main.cpp#L1808
jonald_fyookball
Legendary
*
Offline Offline

Activity: 1302
Merit: 1008


Core dev leaves me neg feedback #abuse #political


View Profile
April 23, 2015, 11:56:12 PM
 #6

Construction of alternate chains is the way attack the consensus of the network.  Do we agree on that?
Sounds ok to me.

Another assumption is we use the longest chain rule for consensus.  right?

In PoS coins like peercoin and most forks of peercoin we use the notion of chain trust.  Shorter chains may have higher chain trust.

https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/main.cpp#L1808

So you have some fixed formula for determining the "best" chain?  

mably (OP)
Sr. Member
****
Offline Offline

Activity: 380
Merit: 266



View Profile
April 23, 2015, 11:57:50 PM
 #7

Construction of alternate chains is the way attack the consensus of the network.  Do we agree on that?
Sounds ok to me.

Another assumption is we use the longest chain rule for consensus.  right?

In PoS coins like peercoin and most forks of peercoin we use the notion of chain trust.  Shorter chains may have higher chain trust.

https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/main.cpp#L1808

So you have some fixed formula for determining the "best" chain?  

Exactly, here are excerpts from the peercoin white paper:

« The hash target that stake kernel must meet is a target per unit coin age (coin-day) consumed in the kernel (in contrast to Bitcoin's proof-of-work target which is a fixed target value applying to every node). Thus the more coin age consumed in the kernel, the easier meeting the hash target protocol. »

« The protocol for determining which competing block chain wins as main chain has been switched over to use consumed coin age. Here every transaction in a block contributes its consumed coin age to the score of the block. The block chain with highest total consumed coin age is chosen as main chain. »

http://peercoin.net/assets/paper/peercoin-paper.pdf on page 3
jonald_fyookball
Legendary
*
Offline Offline

Activity: 1302
Merit: 1008


Core dev leaves me neg feedback #abuse #political


View Profile
April 24, 2015, 12:11:03 AM
 #8

So, then given that

a) Creating alternate chains attacks the network, and
b) Chains don't take signficant time to produce, and
c) the "best" chain is accepted by the network

All you need to do is keep creating chains and broadcasting
them until one is accepted.

What would prevent that?

mably (OP)
Sr. Member
****
Offline Offline

Activity: 380
Merit: 266



View Profile
April 24, 2015, 12:17:01 AM
 #9

So, then given that

a) Creating alternate chains attacks the network, and
b) Chains don't take signficant time to produce, and
c) the "best" chain is accepted by the network

All you need to do is keep creating chains and broadcasting
them until one is accepted.

What would prevent that?


Ok, we now need to detail the creation of one of these chains to verify if there is a chance of it being accepted by the network.

It's a bit late here, so I'll do that tomorrow. Ciao.
rtrtcrypto
Hero Member
*****
Offline Offline

Activity: 627
Merit: 500


View Profile
April 24, 2015, 01:11:27 AM
 #10

Guys, this thread is so 2013... get with the current research, please.

Look and you will find multiple studies on why these things fail, at least on most of the established PoS protocols.

Best,
jonald_fyookball
Legendary
*
Offline Offline

Activity: 1302
Merit: 1008


Core dev leaves me neg feedback #abuse #political


View Profile
April 24, 2015, 01:41:10 AM
Last edit: April 24, 2015, 02:51:04 AM by jonald_fyookball
 #11

Guys, this thread is so 2013... get with the current research, please.

Look and you will find multiple studies on why these things fail, at least on most of the established PoS protocols.

Best,

maybe you can post some links as it would save us time.

The reason why using coin age as chain priority doesn't work is that if others are beating you, (meaning their chains are accepted and yours aren't) then their coins lose their coin age while your coins keep getting older, so eventually you gain the advantage.  Pretty simple I think.

barbierir
Hero Member
*****
Offline Offline

Activity: 515
Merit: 502



View Profile WWW
April 24, 2015, 06:37:48 AM
 #12

I think rtrtcrypto is referring to the following:

1) The formal study made by the Consensus Research group, led by Alexander Chepurnoy (a.k.a. Kushti), you can also find an indepth description of a Nxt-type PoS algorithm on his blog. The first paper was published in december and you can read the 8-pages Bitcointalk thread here. Please revive the discussion if you have still questions. The group is still working on more research.

2) The Neucoin whitepaper that says to rebut al N@S objections. The Bitcointalk thread is here.


◈▣ KOMODO ● Set Your Ideas Free ▣◈
.......AN ECOSYSTEM FOR NATIVE BLOCKCHAINS.......
Blockchain Generator | Decentralized Crowdfunding | Decentralized Exchange | Bitcoin Security | Zero-Knowledge Proofs | Blockchain Interoperability | Scalable Infrastructure
mably (OP)
Sr. Member
****
Offline Offline

Activity: 380
Merit: 266



View Profile
April 24, 2015, 06:56:32 AM
Last edit: April 24, 2015, 10:51:34 AM by mably
 #13

The reason why using coin age as chain priority doesn't work is that if others are beating you, (meaning their chains are accepted and yours aren't) then their coins lose their coin age while your coins keep getting older, so eventually you gain the advantage.  Pretty simple I think.

May be we have a point here: coin age is maxed at 90 days in Peercoin protocol, you won't get any advantage after 90 days over other minters.

https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/kernel.cpp#L328
https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/main.h#L46

Once you have minted a block, your coin age goes back to zero and you have to wait 90 more days if you want to have it maximized again to mint the next block.

So is it possible to create a fork having a better chain trust with only 10% of the minting stakes (in our scenario, cf OP) ?  That's what we need to verify.

I have setup a page on the Peercoin wiki which explains the Peercoin chain trust mechanism: https://wiki.peercointalk.org/index.php?title=Peercoin_chain_trust

We can see there that the nBits block target value which is used to calculate block trust and chain trust can't be manipulated as it will be verified by receiving peers.

This ensures that PoS blocks are generated every 10 minutes (on average) and that the associated difficulty/target can't be faked.
achimsmile
Legendary
*
Offline Offline

Activity: 1225
Merit: 1000


View Profile
April 24, 2015, 07:31:31 AM
 #14

guys, keep in mind that only peercoin and its derivatives use coin age. Newer PoS coins (since 2013) don't use it, because of its weaknesses.

And the algo for selecting the best chain differs in various implementations.
mably (OP)
Sr. Member
****
Offline Offline

Activity: 380
Merit: 266



View Profile
April 24, 2015, 08:06:59 AM
 #15

guys, keep in mind that only peercoin and its derivatives use coin age. Newer PoS coins (since 2013) don't use it, because of its weaknesses.

And the algo for selecting the best chain differs in various implementations.

Hi achimsmile, I'm focusing on Peercoin here as it is the coin I know the best.
I'm trying to setup a page describing the attack on the Peercoin wiki: https://wiki.peercointalk.org/index.php?title=Unlimited_alternate_chains_attack
mably (OP)
Sr. Member
****
Offline Offline

Activity: 380
Merit: 266



View Profile
April 24, 2015, 12:47:35 PM
 #16

Here is what I have summarized on the peercoin wiki:

Let's say a greedy minter owns 10% of currently minting stakes.

The greedy minter plans to construct alternate chains to attack the consensus of the network.

First, it's necessary to have a good understanding of how the Peercoin chain trust mechanism works.

We now know that an alternate chain will have to respect the block target calculation if it wants to be accepted by the network.  This implies for example that the greedy minter won't be able to shorten the average 10 minutes PoS blocks spacing or fake the block trust.

As we can see in the code below, the ability to mint (technically find a valid stake kernel hash) is directly related to the number of coin-days used for minting (bnCoinDayWeight in code below):

https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/kernel.cpp#L364

Code:
// Now check if proof-of-stake hash meets target protocol
if (CBigNum(hashProofOfStake) > bnCoinDayWeight * bnTargetPerCoinDay)

We know that our bnCoinDayWeight is 10% of global network coin-days.  To keep up the rate of 10 minutes spacing for PoS blocks on our alternate chain, the target bnTargetPerCoinDay will have to be increased consequently and so the corresponding block trust decreased.

We now understand that with 10% of minting stakes we won't be able to compete with the other 90%, our alternate chain will never be accepted as our chain trust value will be way below the network one.
jonald_fyookball
Legendary
*
Offline Offline

Activity: 1302
Merit: 1008


Core dev leaves me neg feedback #abuse #political


View Profile
April 24, 2015, 01:37:06 PM
Last edit: April 24, 2015, 01:48:37 PM by jonald_fyookball
 #17

Yes there is coin age and a target that decreases (presumably so that it's progressively easier to find a block: the network doesn't get stuck).

What does that have to do with preventing alternate chains?

Sure 10% is smaller than 90%, however not all the transactions in a chain are going to be using all the stake/coin age at any given time, plus its possible for the 10% to have more stake age than the 90%... Seems to me the attacker simply has to wait for the right moment while checking the blockchain constantly with a program.

To explain it more clearly:  The issue for the 90% who wants to stop the attacker is that if they are constantly sending coins to each other, then none of their coins gain much age.  And if they save up coin age, those coins aren't used in a transaction until they are used, so the attacker can sneak in before that.  Very hard to set up a system where there's no "holes", even if all the participants are cooperating.

mably (OP)
Sr. Member
****
Offline Offline

Activity: 380
Merit: 266



View Profile
April 24, 2015, 02:00:28 PM
Last edit: April 24, 2015, 02:23:47 PM by mably
 #18

Yes there is coin age and a target that decreases (presumably so that it's progressively easier to find a block: the network doesn't get stuck).

What does that have to do with preventing alternate chains?

Sure 10% is smaller than 90%, however not all the transactions in a chain are going to be using all the stake/coin age at any given time, plus its possible for the 10% to have more stake age than the 90%... Seems to me the attacker simply has to wait for the right moment while checking the blockchain constantly with a program.

To explain it more clearly:  The issue for the 90% who wants to stop the attacker is that if they are constantly sending coins to each other, then none of their coins gain much age.  And if they save up coin age, those coins aren't used in a transaction until they are used, so the attacker can sneak in before that.  Very hard to set up a system where there's no "holes", even if all the participants are cooperating.

To simplify things, let's say that there is no coin age involved, as suggested by @achimsmile in a previous post.  It's a simple constant to change in the source code anyway.

Could you try to explain to me a bit more in detail in what circumstances the alternate chains could get a chain trust superior to the network one?

To be successful do we agree that these alternate chains should be at least 6 blocks long?
jonald_fyookball
Legendary
*
Offline Offline

Activity: 1302
Merit: 1008


Core dev leaves me neg feedback #abuse #political


View Profile
April 24, 2015, 02:45:59 PM
 #19

Yes there is coin age and a target that decreases (presumably so that it's progressively easier to find a block: the network doesn't get stuck).

What does that have to do with preventing alternate chains?

Sure 10% is smaller than 90%, however not all the transactions in a chain are going to be using all the stake/coin age at any given time, plus its possible for the 10% to have more stake age than the 90%... Seems to me the attacker simply has to wait for the right moment while checking the blockchain constantly with a program.

To explain it more clearly:  The issue for the 90% who wants to stop the attacker is that if they are constantly sending coins to each other, then none of their coins gain much age.  And if they save up coin age, those coins aren't used in a transaction until they are used, so the attacker can sneak in before that.  Very hard to set up a system where there's no "holes", even if all the participants are cooperating.

To simplify things, let's say that there is no coin age involved, as suggested by @achimsmile in a previous post.  It's a simple constant to change in the source code anyway.

Could you try to explain to me a bit more in detail in what circumstances the alternate chains could get a chain trust superior to the network one?

To be successful do we agree that these alternate chains should be at least 6 blocks long?

If there's no coin age, then its a totally different implementation right?
So "how to get a superior chain" depends on how the protocol defines it.




mably (OP)
Sr. Member
****
Offline Offline

Activity: 380
Merit: 266



View Profile
April 24, 2015, 02:52:53 PM
 #20

Yes there is coin age and a target that decreases (presumably so that it's progressively easier to find a block: the network doesn't get stuck).

What does that have to do with preventing alternate chains?

Sure 10% is smaller than 90%, however not all the transactions in a chain are going to be using all the stake/coin age at any given time, plus its possible for the 10% to have more stake age than the 90%... Seems to me the attacker simply has to wait for the right moment while checking the blockchain constantly with a program.

To explain it more clearly:  The issue for the 90% who wants to stop the attacker is that if they are constantly sending coins to each other, then none of their coins gain much age.  And if they save up coin age, those coins aren't used in a transaction until they are used, so the attacker can sneak in before that.  Very hard to set up a system where there's no "holes", even if all the participants are cooperating.

To simplify things, let's say that there is no coin age involved, as suggested by @achimsmile in a previous post.  It's a simple constant to change in the source code anyway.

Could you try to explain to me a bit more in detail in what circumstances the alternate chains could get a chain trust superior to the network one?

To be successful do we agree that these alternate chains should be at least 6 blocks long?

If there's no coin age, then its a totally different implementation right?
So "how to get a superior chain" depends on how the protocol defines it.

In fact you could totally remove coinage from Peercoin without changing implementation.

Just set STAKE_MAX_AGE = STAKE_MIN_AGE +1 and you'll get a time weight of 1: https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/kernel.cpp#L328

The "how to get a superior chain" is described in detail in the Peercoin chain trust wiki page.

In Peercoin block chain trust is calculated by adding current block trust to previous block chain trust.

As described in this Peercoin wiki page block trust is directly related to the minted stake coin-days.

I guess we agree that these alternate chains should be at least 6 blocks long.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!