PPCoin Criticism / Security / etc

[scrybe]

Replying from mobile, so no elaborate quoting.

On timing, I think it is true that you do not care about absolute time, you do care about approximate time of intervals however. With the transaction based timing mechanism you described I believe that block time would get shorter and shorter as the network was busier, not a steady flow. Setting and trying to maintain a regular block interval is important, IMHO, and should be a mechanism that is as far from being manipulated as possible.

I also think asking or encouraging folks to keep their coins online is a mistake. Even if everyone tries, there will be plenty of times that less than 50% of coins are offline, especially if folks want to protect them. So if the currency is successful the majority will disappear.

Simpler is better, this last suggestion is so complex it will take a lot of testing to check every possible angle.

[1714890803]

1714890803

[1714890803]

1714890803

[Sunny King]

I've been thinking about this a lot lately. The point of PoW in PPC is as a Clock, and an initial coin minter. Without PoW PPC does not know when 10 minutes has elapsed. Checkpoints are there to ensure that nobody does a double-spend before the network gets big enough to defend itself, as well as provide a clock of last resort (IIRC) I believe that sunny-king did mention removing check-pointing in and upcoming build. (note, I'm not reading the code, using my memory of descriptions)

The Clock aspect of PoW makes it almost impossible to move away from, or at least replace. Using an external timeserver would open up all sorts of network vulnerabilities and attacks, same with checkpoint servers, or any other centralized mechanism.

This is a misunderstanding. Proof-of-work blocks do not act as clock for proof-of-stake blocks. Proof-of-stake blocks have their own difficulty and will adjust toward target spacing of 10 minutes all by their own.

[Bitcoin Oz]

The real security problem with ppcoin ?  The possibility that Sunny King = realSolid

[cunicula]

This is a misunderstanding. Proof-of-work blocks do not act as clock for proof-of-stake blocks. Proof-of-stake blocks have their own difficulty and will adjust toward target spacing of 10 minutes all by their own.

Is the PoW clock just ignored then for blockchain validity purposes? If so, good idea. That means you can toss PoW entirely.

What do you do about PoS miners who report blockchains from the future? A lot of coin-age can be destroyed if we allow 2025 to reported as occurring tomorrow, even if only a tiny % of coins did the mining.

 

[tacotime]

PoS as implemented is by block number, not time, hence time attacks do not affect it.  It looks like you can just mine a PoS transaction at 1 diff after a certain number of blocks have passed

What I don't understand so much is how they're signed for securely

[cunicula]

Replying from mobile, so no elaborate quoting.

On timing, I think it is true that you do not care about absolute time, you do care about approximate time of intervals however. With the transaction based timing mechanism you described I believe that block time would get shorter and shorter as the network was busier, not a steady flow. Setting and trying to maintain a regular block interval is important, IMHO, and should be a mechanism that is as far from being manipulated as possible.

The optimal timing probably depends on network characteristics and technology. It doesn't make much sense to fix a permanent timing in the protocol. At some point, if there is enough txn volume to pay for the bandwidth/storage and the scheduling technology is there, confirmations could be almost instantaneous.

For now, suppose we want to target a 10 iterations every 10 minutes. Just give clients the following instructions.

For every second (based on the client's private clock), push a txn to stir the pot with probability x, where x is some small number. If there are less then 5 iterations announced over the past 10 minutes, then increase x by 10%. If there are more than 15 iterations announced, then decrease x by 10%. If everyone does, this you will end up with about 1 iteration per minute. One individual could spend money to speed this up temporarily, but it won't help him in any significant way. Any small action, is countered by negative feedback. If the network is running smoothly, he is better off relying on others to do the work. Large actions are costly and infeasible unless you have a lot of coin.

I also think asking or encouraging folks to keep their coins online is a mistake. Even if everyone tries, there will be plenty of times that less than 50% of coins are offline, especially if folks want to protect them. So if the currency is successful the majority will disappear.

I don't agree with you at all here. The right approach is to make keeping coins online safe from significant theft. We need this anyways to solve the theft issues that plague bitcoin. How to do this is kind of orthogonal to the discussion here.

Briefly, it is not hard to implement limited keys that place periodic withdrawal limits on txns. This is what real-world banks do. These are the keys that need to be online. Keys that can do anything are like your ID and bank account book. You can keep those in a safe.

[cunicula]

PoS as implemented is by block number, not time, hence time attacks do not affect it.  It looks like you can just mine a PoS transaction at 1 diff after a certain number of blocks have passed

What I don't understand so much is how they're signed for securely

In PPCoin, the PoS contains both a coin-age element (value of inputs, block number) and a time-stamping element (time is used as a random number seed).

I am suggesting using the # of large txns as a random number seed rather than time. (i.e. take time out of the protocol entirely)

As far how blocks are signed securely, that is simple. You just need to sign with your private key showing that you control the relevant inputs. It is just like securely signing a txn except the txn mines a block.

[Sunny King]

What do you do about PoS miners who report blockchains from the future? A lot of coin-age can be destroyed if we allow 2025 to reported as occurring tomorrow, even if only a tiny % of coins did the mining.

Block timestamp is subject to the same bitcoin protocol of max two hours in the future.