Bitcoin Forum
Topic: Proof-of-stake and unlimited alternate chains attack
mably (OP)
April 23, 2015, 11:31:10 PM
Last edit: April 23, 2015, 11:43:52 PM by mably
 #1

« The basic problem with all PoS vs PoW is that it doesn't take real time to construct unlimited alternate chains which can then be used for attacks. »

Here we are Jonald, let's start to build our attack scenario here.

I'll try to synchronize with the wiki page simultaneously: https://wiki.peercointalk.org/index.php?title=Unlimited_alternate_chains_attack
I'll also try to update the original post to synthesize things there.

We need to describe step by step how it is going to happen, where do we start?

First some info about our greedy minter, let's say he owns 10% of currently minting stakes, would be too easy if he owned 51% of them ;)

The greedy minter plans to construct alternate chains to attack the consensus of the network.
jonald_fyookball
April 23, 2015, 11:39:57 PM
 #2

Construction of alternate chains is the way to attack the consensus of the network.  Do we agree on that?

mably (OP)
April 23, 2015, 11:41:13 PM
 #3

> Construction of alternate chains is the way to attack the consensus of the network.  Do we agree on that?

Sounds ok to me.  Let's focus on one of those alternate chains then.
jonald_fyookball
April 23, 2015, 11:44:39 PM
 #4

> > Construction of alternate chains is the way to attack the consensus of the network.  Do we agree on that?
> Sounds ok to me.

Another assumption is we use the longest chain rule for consensus.  right?

mably (OP)
April 23, 2015, 11:47:02 PM
 #5

> > > Construction of alternate chains is the way to attack the consensus of the network.  Do we agree on that?
> > Sounds ok to me.
>
> Another assumption is we use the longest chain rule for consensus.  right?

In PoS coins like peercoin and most forks of peercoin we use the notion of chain trust.  Shorter chains may have higher chain trust.

https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/main.cpp#L1808
jonald_fyookball
April 23, 2015, 11:56:12 PM
 #6

> > > > Construction of alternate chains is the way to attack the consensus of the network.  Do we agree on that?
> > > Sounds ok to me.
> >
> > Another assumption is we use the longest chain rule for consensus.  right?
>
> In PoS coins like peercoin and most forks of peercoin we use the notion of chain trust.  Shorter chains may have higher chain trust.
>
> https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/main.cpp#L1808

So you have some fixed formula for determining the "best" chain?  

mably (OP)
April 23, 2015, 11:57:50 PM
 #7

> > > > > Construction of alternate chains is the way to attack the consensus of the network.  Do we agree on that?
> > > > Sounds ok to me.
> > >
> > > Another assumption is we use the longest chain rule for consensus.  right?
> >
> > In PoS coins like peercoin and most forks of peercoin we use the notion of chain trust.  Shorter chains may have higher chain trust.
> >
> > https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/main.cpp#L1808
>
> So you have some fixed formula for determining the "best" chain?

Exactly, here are excerpts from the peercoin white paper:

« The hash target that stake kernel must meet is a target per unit coin age (coin-day) consumed in the kernel (in contrast to Bitcoin's proof-of-work target which is a fixed target value applying to every node). Thus the more coin age consumed in the kernel, the easier meeting the hash target protocol. »

« The protocol for determining which competing block chain wins as main chain has been switched over to use consumed coin age. Here every transaction in a block contributes its consumed coin age to the score of the block. The block chain with highest total consumed coin age is chosen as main chain. »

http://peercoin.net/assets/paper/peercoin-paper.pdf on page 3
jonald_fyookball
April 24, 2015, 12:11:03 AM
 #8

So, then given that

a) Creating alternate chains attacks the network, and
b) Chains don't take significant time to produce, and
c) the "best" chain is accepted by the network

All you need to do is keep creating chains and broadcasting
them until one is accepted.

What would prevent that?

mably (OP)
April 24, 2015, 12:17:01 AM
 #9

> So, then given that
>
> a) Creating alternate chains attacks the network, and
> b) Chains don't take significant time to produce, and
> c) the "best" chain is accepted by the network
>
> All you need to do is keep creating chains and broadcasting
> them until one is accepted.
>
> What would prevent that?


Ok, we now need to detail the creation of one of these chains to verify if there is a chance of it being accepted by the network.

It's a bit late here, so I'll do that tomorrow. Ciao.
rtrtcrypto
April 24, 2015, 01:11:27 AM
 #10

Guys, this thread is so 2013... get with the current research, please.

Look and you will find multiple studies on why these things fail, at least on most of the established PoS protocols.

Best,
jonald_fyookball
April 24, 2015, 01:41:10 AM
Last edit: April 24, 2015, 02:51:04 AM by jonald_fyookball
 #11

> Guys, this thread is so 2013... get with the current research, please.
>
> Look and you will find multiple studies on why these things fail, at least on most of the established PoS protocols.
>
> Best,

maybe you can post some links as it would save us time.

The reason why using coin age as chain priority doesn't work is that if others are beating you, (meaning their chains are accepted and yours aren't) then their coins lose their coin age while your coins keep getting older, so eventually you gain the advantage.  Pretty simple I think.

barbierir
April 24, 2015, 06:37:48 AM
 #12

I think rtrtcrypto is referring to the following:

1) The formal study made by the Consensus Research group, led by Alexander Chepurnoy (a.k.a. Kushti), you can also find an in-depth description of a Nxt-type PoS algorithm on his blog. The first paper was published in December and you can read the 8-pages Bitcointalk thread here. Please revive the discussion if you still have questions. The group is still working on more research.

2) The Neucoin whitepaper that says to rebut all N@S objections. The Bitcointalk thread is here.


mably (OP)
April 24, 2015, 06:56:32 AM
Last edit: April 24, 2015, 10:51:34 AM by mably
 #13

> The reason why using coin age as chain priority doesn't work is that if others are beating you, (meaning their chains are accepted and yours aren't) then their coins lose their coin age while your coins keep getting older, so eventually you gain the advantage.  Pretty simple I think.

Maybe we have a point here: coin age is maxed at 90 days in Peercoin protocol, you won't get any advantage after 90 days over other minters.

https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/kernel.cpp#L328
https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/main.h#L46

Once you have minted a block, your coin age goes back to zero and you have to wait 90 more days if you want to have it maximized again to mint the next block.

So is it possible to create a fork having a better chain trust with only 10% of the minting stakes (in our scenario, cf OP) ?  That's what we need to verify.

I have set up a page on the Peercoin wiki which explains the Peercoin chain trust mechanism: https://wiki.peercointalk.org/index.php?title=Peercoin_chain_trust

We can see there that the nBits block target value which is used to calculate block trust and chain trust can't be manipulated as it will be verified by receiving peers.

This ensures that PoS blocks are generated every 10 minutes (on average) and that the associated difficulty/target can't be faked.
achimsmile
April 24, 2015, 07:31:31 AM
 #14

guys, keep in mind that only peercoin and its derivatives use coin age. Newer PoS coins (since 2013) don't use it, because of its weaknesses.

And the algo for selecting the best chain differs in various implementations.
mably (OP)
April 24, 2015, 08:06:59 AM
 #15

> guys, keep in mind that only peercoin and its derivatives use coin age. Newer PoS coins (since 2013) don't use it, because of its weaknesses.
>
> And the algo for selecting the best chain differs in various implementations.

Hi achimsmile, I'm focusing on Peercoin here as it is the coin I know the best.
I'm trying to set up a page describing the attack on the Peercoin wiki: https://wiki.peercointalk.org/index.php?title=Unlimited_alternate_chains_attack
mably (OP)
April 24, 2015, 12:47:35 PM
 #16

Here is what I have summarized on the peercoin wiki:

Let's say a greedy minter owns 10% of currently minting stakes.

The greedy minter plans to construct alternate chains to attack the consensus of the network.

First, it's necessary to have a good understanding of how the Peercoin chain trust mechanism works.

We now know that an alternate chain will have to respect the block target calculation if it wants to be accepted by the network.  This implies for example that the greedy minter won't be able to shorten the average 10 minutes PoS blocks spacing or fake the block trust.

As we can see in the code below, the ability to mint (technically find a valid stake kernel hash) is directly related to the number of coin-days used for minting (bnCoinDayWeight in code below):

https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/kernel.cpp#L364

Code:
// Now check if proof-of-stake hash meets target protocol
if (CBigNum(hashProofOfStake) > bnCoinDayWeight * bnTargetPerCoinDay)

We know that our bnCoinDayWeight is 10% of global network coin-days.  To keep up the rate of 10 minutes spacing for PoS blocks on our alternate chain, the target bnTargetPerCoinDay will have to be increased consequently and so the corresponding block trust decreased.

We now understand that with 10% of minting stakes we won't be able to compete with the other 90%, our alternate chain will never be accepted as our chain trust value will be way below the network one.
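
The argument in post #16, run as a small model (an added example, not part of the thread and not Peercoin code). Assumptions: SHA-256 over constructed strings stands in for the stake kernel hash, block trust is modelled as inversely proportional to the target, coin age is held constant, and the stake weights are constructed.

```python
import hashlib

HASH_SPACE = 1 << 256
SPACING = 600  # seconds between PoS blocks (the 10 minutes cited in the thread)

def equilibrium_target(coin_days):
    """Target per coin-day at which `coin_days` of stake mints one block per SPACING."""
    return HASH_SPACE // (coin_days * SPACING)

def block_trust(target):
    # Assumption: trust is modelled as inversely proportional to the target.
    return HASH_SPACE // (target + 1)

def kernel_hit(chain, stake_id, t, coin_days, target):
    # Constructed stand-in for the kernel hash: one attempt per stake per second.
    digest = hashlib.sha256(f"{chain}|{stake_id}|{t}".encode()).digest()
    # Passing form of the check quoted in the post (the post shows the `>` rejection).
    return int.from_bytes(digest, "big") <= coin_days * target

def mint(chain, stakes, seconds, target=None):
    """Return (blocks, chain_trust) for a chain minted by `stakes` (coin-day weights)."""
    if target is None:  # the chain retargets to its own minting stake
        target = equilibrium_target(sum(stakes))
    blocks = trust = 0
    for t in range(seconds):
        if any(kernel_hit(chain, i, t, cd, target) for i, cd in enumerate(stakes)):
            blocks += 1
            trust += block_trust(target)  # chain trust = sum of block trusts
    return blocks, trust

def compare(seconds=200_000):
    honest = [30_000, 30_000, 30_000]  # 90% of minting coin-days (constructed)
    greedy = [10_000]                  # the 10% minter from the opening post
    h_blocks, h_trust = mint("main", honest, seconds)
    # Case 1: the alternate chain retargets to keep the 10-minute spacing.
    r_blocks, r_trust = mint("alt-retarget", greedy, seconds)
    # Case 2: the alternate chain keeps the main chain's harder target.
    f_blocks, f_trust = mint("alt-fixed", greedy, seconds,
                             target=equilibrium_target(sum(honest)))
    return {"honest_blocks": h_blocks, "retarget_blocks": r_blocks,
            "fixed_blocks": f_blocks,
            "retarget_ratio": r_trust / h_trust,
            "fixed_ratio": f_trust / h_trust}

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.3f}" if isinstance(value, float) else f"{key}: {value}")
```

In both cases the alternate chain ends with roughly one ninth of the main chain's trust: with retargeting it mints about as many blocks but each is worth less, and without retargeting each block is worth the same but far fewer are found.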
jonald_fyookball
April 24, 2015, 01:37:06 PM
Last edit: April 24, 2015, 01:48:37 PM by jonald_fyookball
 #17

Yes there is coin age and a target that decreases (presumably so that it's progressively easier to find a block: the network doesn't get stuck).

What does that have to do with preventing alternate chains?

Sure 10% is smaller than 90%, however not all the transactions in a chain are going to be using all the stake/coin age at any given time, plus it's possible for the 10% to have more stake age than the 90%... Seems to me the attacker simply has to wait for the right moment while checking the blockchain constantly with a program.

To explain it more clearly:  The issue for the 90% who wants to stop the attacker is that if they are constantly sending coins to each other, then none of their coins gain much age.  And if they save up coin age, those coins aren't used in a transaction until they are used, so the attacker can sneak in before that.  Very hard to set up a system where there's no "holes", even if all the participants are cooperating.

mably (OP)
April 24, 2015, 02:00:28 PM
Last edit: April 24, 2015, 02:23:47 PM by mably
 #18

> Yes there is coin age and a target that decreases (presumably so that it's progressively easier to find a block: the network doesn't get stuck).
>
> What does that have to do with preventing alternate chains?
>
> Sure 10% is smaller than 90%, however not all the transactions in a chain are going to be using all the stake/coin age at any given time, plus it's possible for the 10% to have more stake age than the 90%... Seems to me the attacker simply has to wait for the right moment while checking the blockchain constantly with a program.
>
> To explain it more clearly:  The issue for the 90% who wants to stop the attacker is that if they are constantly sending coins to each other, then none of their coins gain much age.  And if they save up coin age, those coins aren't used in a transaction until they are used, so the attacker can sneak in before that.  Very hard to set up a system where there's no "holes", even if all the participants are cooperating.

To simplify things, let's say that there is no coin age involved, as suggested by @achimsmile in a previous post.  It's a simple constant to change in the source code anyway.

Could you try to explain to me a bit more in detail in what circumstances the alternate chains could get a chain trust superior to the network one?

To be successful do we agree that these alternate chains should be at least 6 blocks long?
jonald_fyookball
April 24, 2015, 02:45:59 PM
 #19

> > Yes there is coin age and a target that decreases (presumably so that it's progressively easier to find a block: the network doesn't get stuck).
> >
> > What does that have to do with preventing alternate chains?
> >
> > Sure 10% is smaller than 90%, however not all the transactions in a chain are going to be using all the stake/coin age at any given time, plus it's possible for the 10% to have more stake age than the 90%... Seems to me the attacker simply has to wait for the right moment while checking the blockchain constantly with a program.
> >
> > To explain it more clearly:  The issue for the 90% who wants to stop the attacker is that if they are constantly sending coins to each other, then none of their coins gain much age.  And if they save up coin age, those coins aren't used in a transaction until they are used, so the attacker can sneak in before that.  Very hard to set up a system where there's no "holes", even if all the participants are cooperating.
>
> To simplify things, let's say that there is no coin age involved, as suggested by @achimsmile in a previous post.  It's a simple constant to change in the source code anyway.
>
> Could you try to explain to me a bit more in detail in what circumstances the alternate chains could get a chain trust superior to the network one?
>
> To be successful do we agree that these alternate chains should be at least 6 blocks long?

If there's no coin age, then it's a totally different implementation right?
So "how to get a superior chain" depends on how the protocol defines it.




mably (OP)
April 24, 2015, 02:52:53 PM
 #20

> > > Yes there is coin age and a target that decreases (presumably so that it's progressively easier to find a block: the network doesn't get stuck).
> > >
> > > What does that have to do with preventing alternate chains?
> > >
> > > Sure 10% is smaller than 90%, however not all the transactions in a chain are going to be using all the stake/coin age at any given time, plus it's possible for the 10% to have more stake age than the 90%... Seems to me the attacker simply has to wait for the right moment while checking the blockchain constantly with a program.
> > >
> > > To explain it more clearly:  The issue for the 90% who wants to stop the attacker is that if they are constantly sending coins to each other, then none of their coins gain much age.  And if they save up coin age, those coins aren't used in a transaction until they are used, so the attacker can sneak in before that.  Very hard to set up a system where there's no "holes", even if all the participants are cooperating.
> >
> > To simplify things, let's say that there is no coin age involved, as suggested by @achimsmile in a previous post.  It's a simple constant to change in the source code anyway.
> >
> > Could you try to explain to me a bit more in detail in what circumstances the alternate chains could get a chain trust superior to the network one?
> >
> > To be successful do we agree that these alternate chains should be at least 6 blocks long?
>
> If there's no coin age, then it's a totally different implementation right?
> So "how to get a superior chain" depends on how the protocol defines it.

In fact you could totally remove coinage from Peercoin without changing implementation.

Just set STAKE_MAX_AGE = STAKE_MIN_AGE +1 and you'll get a time weight of 1: https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/kernel.cpp#L328

The "how to get a superior chain" is described in detail in the Peercoin chain trust wiki page.

In Peercoin block chain trust is calculated by adding current block trust to previous block chain trust.

As described in this Peercoin wiki page block trust is directly related to the minted stake coin-days.

I guess we agree that these alternate chains should be at least 6 blocks long.