Proof-of-stake and unlimited alternate chains attack

[jonald_fyookball]

Yes there is coin age and a target that decreases (presumably so that it's progressively easier to find a block: the network doesn't get stuck).

What does that have to do with preventing alternate chains?

Sure 10% is smaller than 90%, however not all the transactions in a chain are going to be using all the stake/coin age at any given time, plus its possible for the 10% to have more stake age than the 90%... Seems to me the attacker simply has to wait for the right moment while checking the blockchain constantly with a program.

To explain it more clearly:  The issue for the 90% who wants to stop the attacker is that if they are constantly sending coins to each other, then none of their coins gain much age.  And if they save up coin age, those coins aren't used in a transaction until they are used, so the attacker can sneak in before that.  Very hard to set up a system where there's no "holes", even if all the participants are cooperating.

To simplify things, let's say that there is no coin age involved, as suggested by @achimsmile in a previous post.  It's a simple constant to change in the source code anyway.

Could you try to explain to me a bit more in detail in what circumstances the alternate chains could get a chain trust superior to the network one?

To be successful do we agree that these alternate chains should be at least 6 blocks long?

If there's no coin age, then its a totally different implementation right?
So "how to get a superior chain" depends on how the protocol defines it.

In fact you could totally remove coinage from Peercoin without changing implementation.

Just set STAKE_MAX_AGE = STAKE_MIN_AGE +1 and you'll get a time weight of 1: https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/kernel.cpp#L328

The "how to get a superior chain" is described in detail in the Peercoin chain trust wiki page.

In Peercoin block chain trust is calculated by adding current block trust to previous block chain trust.

As described in the wiki page block trust is directly related to the minted stake coin-days.

I guess we agree that these alternate chains should be at least 6 blocks long.

I think you may be missing my point.  Even if the change is a single line of code in a config file, or whatever,
by eliminating coinage as a security component, the implementation of PoS changes, thus changing how
the coin would be attacked.
   
Talking about different implementations can be very draining and go on forever.
You are already talking in circles because first you suggested removing coinage,
then I told you if you did that, the superior chain would be based on the protocol
rules, and then you referred me back to the peercoin rules which do use coinage.

To make it clear: Either the code as implemented considers coin age or it doesn't. 
If it doesn't, then there would have to be an alternate method of deciding what
chain is best.


 

[mably]

Yes there is coin age and a target that decreases (presumably so that it's progressively easier to find a block: the network doesn't get stuck).

What does that have to do with preventing alternate chains?

Sure 10% is smaller than 90%, however not all the transactions in a chain are going to be using all the stake/coin age at any given time, plus its possible for the 10% to have more stake age than the 90%... Seems to me the attacker simply has to wait for the right moment while checking the blockchain constantly with a program.

To explain it more clearly:  The issue for the 90% who wants to stop the attacker is that if they are constantly sending coins to each other, then none of their coins gain much age.  And if they save up coin age, those coins aren't used in a transaction until they are used, so the attacker can sneak in before that.  Very hard to set up a system where there's no "holes", even if all the participants are cooperating.

To simplify things, let's say that there is no coin age involved, as suggested by @achimsmile in a previous post.  It's a simple constant to change in the source code anyway.

Could you try to explain to me a bit more in detail in what circumstances the alternate chains could get a chain trust superior to the network one?

To be successful do we agree that these alternate chains should be at least 6 blocks long?

If there's no coin age, then its a totally different implementation right?
So "how to get a superior chain" depends on how the protocol defines it.

In fact you could totally remove coinage from Peercoin without changing implementation.

Just set STAKE_MAX_AGE = STAKE_MIN_AGE +1 and you'll get a time weight of 1: https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/kernel.cpp#L328

The "how to get a superior chain" is described in detail in the Peercoin chain trust wiki page.

In Peercoin block chain trust is calculated by adding current block trust to previous block chain trust.

As described in the wiki page block trust is directly related to the minted stake coin-days.

I guess we agree that these alternate chains should be at least 6 blocks long.

I think you may be missing my point.  Even if the change is a single line of code in a config file, or whatever,
by eliminating coinage as a security component, the implementation of PoS changes, thus changing how
the coin would be attacked.
    
Talking about different implementations can be very draining and go on forever.
You are already talking in circles because first you suggested removing coinage,
then I told you if you did that, the superior chain would be based on the protocol
rules, and then you referred me back to the peercoin rules which do use coinage.

To make it clear: Either the code as implemented considers coin age or it doesn't.  
If it doesn't, then there would have to be an alternate method of deciding what
chain is best.

I'm removing coin age just to concentrate on the potential weaknesses that could exist for Peercoin besides the coinage one.

As I told you it's really easy to remove coinage from Peercoin rules just Neucoin did, just two characters to change, don't tell me that is a totally different story or you'll deceive me there.

Coin protocols keep evolving everyday, Peercoin has evolved a lot, v5 of the protocol will be release in the coming weeks, so let's be open and continue to investigate further.

We still need to write down that concrete attack scenario against a "without coinage" Peercoin protocol version X

[jonald_fyookball]

Can you tell me in 1 simple sentence, in plain english (no links to code please):
If you remove coinage, what determines the best chain?

[mably]

Can you tell me in 1 simple sentence, in plain english (no links to code please):
If you remove coinage, what determines the best chain?

stake coin-days consumed

[jonald_fyookball]

Can you tell me in 1 simple sentence, in plain english (no links to code please):
If you remove coinage, what determines the best chain?

stake coin-days consumed

How is that different from coinage?  Is it the total stake owned and regardless of whats in the transactions of the chain? Or what?

[mably]

Can you tell me in 1 simple sentence, in plain english (no links to code please):
If you remove coinage, what determines the best chain?

stake coin-days consumed

How is that different from coinage?  Is it the total stake owned and regardless of whats in the transactions of the chain? Or what?

Yep exactly, it's the number of coins in the stakes you use to mint.  No -days coz we are not taking time weight into account here.

[jonald_fyookball]

I think the same basic problem remains.   The attacker just stores up stake age while everyone else is constantly forging.

[mably]

I think the same basic problem remains.   The attacker just stores up stake age while everyone else is constantly forging.

We said we are not taking coin age into account here, coinage is absolutely not needed for PoS to work, Peercoin has it only for some kind of incentive to mint or something...

[jonald_fyookball]

I think the same basic problem remains.   The attacker just stores up stake age while everyone else is constantly forging.

We said we are not taking coin age into account here, coinage is absolutely not needed for PoS to work, Peercoin has it only for some kind of incentive to mint or something...

so then you are saying every coin has equal chance to stake , regardless of age.

[mably]

I think the same basic problem remains.   The attacker just stores up stake age while everyone else is constantly forging.

We said we are not taking coin age into account here, coinage is absolutely not needed for PoS to work, Peercoin has it only for some kind of incentive to mint or something...

so then you are saying every coin has equal chance to stake , regardless of age.

That's the idea, but no regardless of quantity.

[jonald_fyookball]

I think the same basic problem remains.   The attacker just stores up stake age while everyone else is constantly forging.

We said we are not taking coin age into account here, coinage is absolutely not needed for PoS to work, Peercoin has it only for some kind of incentive to mint or something...

so then you are saying every coin has equal chance to stake , regardless of age.

That's the idea, but no regardless of quantity.

In that case there must be some deterministic process for qualification to stake and the attacker just computes chains and keep trying them.  He can try endless combinations sending different coins to himself and also take advantage of the fact that there must be some kind of decreasing target.

[mably]

I think the same basic problem remains.   The attacker just stores up stake age while everyone else is constantly forging.

We said we are not taking coin age into account here, coinage is absolutely not needed for PoS to work, Peercoin has it only for some kind of incentive to mint or something...

so then you are saying every coin has equal chance to stake , regardless of age.

That's the idea, but no regardless of quantity.

In that case there must be some deterministic process for qualification to stake and the attacker just computes chains and keep trying them.  He can try endless combinations sending different coins to himself and also take advantage of the fact that there must be some kind of decreasing target.

Could you be more precise please?  I would like to map your attack scheme to Peercoin.

[jonald_fyookball]

Well as I said, PPC is a different implementation, using coinage.  Every poS coin must use some deterministic process (it cannot be random because there would no one trusted to produce random numbers in a distributed system). 

but let's say you're not using coinage...let's just say for example that your process is this:

HASH(staking address + blockheader +timestamp) * staking balance
must be greater than some target. 

The attacker just keeps trying different block headers until he gets a block.  Then he repeats until his chain as is long as desired.

The peercoin white paper says this:

However an important difference is that the hashing operation is done over a limited search space (more specifically one hash per unspent wallet-output per second) instead of an unlimited search space as in proof-of-work, thus no significant consumption of energy is involved.

However, this idea of limiting the search space doesn't work when you can create endless combinations of inputs.

[mably]

Well as I said, PPC is a different implementation, using coinage.  Every poS coin must use some deterministic process (it cannot be random because there would no one trusted to produce random numbers in a distributed system).  

but let's say you're not using coinage...let's just say for example that your process is this:

HASH(staking address + blockheader +timestamp) * staking balance
must be greater than some target.  

The attacker just keeps trying different block headers until he gets a block.  Then he repeats until his chain as is long as desired.

The peercoin white paper says this:

However an important difference is that the hashing operation is done over a limited search space (more specifically one hash per unspent wallet-output per second) instead of an unlimited search space as in proof-of-work, thus no significant consumption of energy is involved.

However, this idea of limiting the search space doesn't work when you can create endless combinations of inputs.

Peercoin doesn't hash the block header, here is an excerpt of a code comment: https://github.com/ppcoin/ppcoin/blob/v0.4.0ppc/src/kernel.cpp#L293

Code:

hash(nStakeModifier + txPrev.block.nTime + txPrev.offset + txPrev.nTime + txPrev.vout.n + nTime)

txPrev is the stake transaction, nTime the timestamp of the block we are creating (in seconds).

Code:

nStakeModifier is the result of a complex scramble computation to make it very difficult to precompute future proof-of-stake at the time of the coin's confirmation

[jonald_fyookball]

Maybe it doesn't need to because it uses coinage. 

[mably]

Maybe it doesn't need to because it uses coinage. 

No, it's not related.  Most PoS coins if not all don't use hash of block header to avoid that.

[jonald_fyookball]

Maybe it doesn't need to because it uses coinage. 

No, it's not related.  Most PoS coins if not all don't use hash of block header to avoid that.

so it's hashing the transactions not the header in the code you posted.  You're getting lost in the minutiae.

[mably]

Maybe it doesn't need to because it uses coinage.  

No, it's not related.  Most PoS coins if not all don't use hash of block header to avoid that.

so it's hashing the transactions not the header in the code you posted.  You're getting lost in the minutiae.

It's hashing the stake transaction which is at minima 30 days old yep.