Bitcoin Forum
December 12, 2024, 12:55:00 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Interactive Proof-of-Stake  (Read 1100 times)
kushti (OP)
Full Member
***
Offline Offline

Activity: 317
Merit: 103


View Profile WWW
January 05, 2016, 02:55:58 PM
 #1

I would like to present a paper of mine on a new kind of pure Proof-of-Stake protocol, Interactive Proof-of-Stake. It is uploaded to Arxiv: http://arxiv.org/abs/1601.00275 . Simulation tools are on github https://github.com/kushti/common-pos .

I would like to got a feedback(heavy but constructive criticism is preferable). A next step is to develop hybrid PoW+IPoS consensus protocol, result will be like Bitcoin-NG, but with all the network(precisely, stakeholders) working on microblocks instead of a single miner.

Ergo Platform core dev. Previously IOHK Research / Nxt core dev / SmartContract.com cofounder.
monsterer
Legendary
*
Offline Offline

Activity: 1008
Merit: 1007


View Profile
January 07, 2016, 08:46:00 AM
Last edit: January 07, 2016, 11:29:38 AM by monsterer
 #2

I would add the following POS attacks to your list:

* Custodial stake

Exchanges and other large services which store user funds in their own wallets gather a very large stake, which often would give them majority power of POS block generation if they were to abuse it.

* Chain freeze

Once a majority stake holder becomes the dominant block producer, they can withhold all blocks forever, bringing the entire chain to a permanent halt, correctable only with a hard fork.

* Shorting attack

A whale takes out a large short of a POS coin at the same time he buys an equal portion of stake, such that his overall position is neutral.

He then uses his stake to double spend by creating blocks continuously (whenever he is permitted to do so) thereby driving the price of the currency down until he is ready to close his short in profit.

In addition, I would say the chief disadvantage of POS over POW is that the security model in POS is much weaker than POW; block generation probability/cost is a constant in the amount of stake you own, whereas in POW the cost of block generation is super linear in the number of blocks. This makes attacking a POS chain cost free under the shorting attack described above.
monsterer
Legendary
*
Offline Offline

Activity: 1008
Merit: 1007


View Profile
January 07, 2016, 09:16:57 AM
 #3

Regarding feedback on the idea proposed in the paper:

* As you mention in the paper, if you require multiple accounts to generate one block, the optimal strategy for a stakeholder is to split their stake between multiple accounts. For this idea to be optimal, they should have less probability of generating a block under this new scheme than they would have had under a single account model. Can you prove it?

* You state that this protocol is immune up to a 28% attack. How does that compare with Nxt?
kushti (OP)
Full Member
***
Offline Offline

Activity: 317
Merit: 103


View Profile WWW
January 08, 2016, 08:26:18 PM
 #4

* Custodial stake

Exchanges and other large services which store user funds in their own wallets gather a very large stake, which often would give them majority power of POS block generation if they were to abuse it.

PoS must avoid stake centralization via decentralized exchanges and other infrastructure services. Aside of that, I see no way how to resolve this technically. It's the same as economy of scale working against PoW(a guys with special hardware is getting better $$/computation rate than an ordinary user).

* Chain freeze

Once a majority stake holder becomes the dominant block producer, they can withhold all blocks forever, bringing the entire chain to a permanent halt, correctable only with a hard fork.

In IPoS even small part of the network can generate tickets successfully. However, a party holding critical part of online stake will freeze a network by generating a better chain of empty blocks. It's the same as empty blocks generating with 50+% hashing power in PoW.


* Shorting attack

A whale takes out a large short of a POS coin at the same time he buys an equal portion of stake, such that his overall position is neutral.

He then uses his stake to double spend by creating blocks continuously (whenever he is permitted to do so) thereby driving the price of the currency down until he is ready to close his short in profit.

Any idea how to model and study this? I don't have, to say honestly.


* As you mention in the paper, if you require multiple accounts to generate one block, the optimal strategy for a stakeholder is to split their stake between multiple accounts. For this idea to be optimal, they should have less probability of generating a block under this new scheme than they would have had under a single account model. Can you prove it?

* You state that this protocol is immune up to a 28% attack. How does that compare with Nxt?

Nxt has similar resistance against naive private forks, simulation is also published: https://github.com/kushti/common-pos/blob/master/src/main/scala/cpos/simulation/NxtSimulator.scala . But in Nxt it is possible to amplify attack with time drifting increasing cumulative difficulty of a chain.
I don't know how to precisely model this.


Please note, IPoS doesn't resolve main concerns of PoS.
A random number to choose a miner(s) still depends on miner(s)(the possible negative effects are reduced with multiple generators though). And still there's no chain enforcement. Nevertheless, IPoS could be useless for a private chains(where majority of nodes using canonical implementation could be assumed, see "Security Through Default Implementation"), and also it could be used in hybrid protocols(again, imagine Bitcoin-NG with thousands of nodes working on microblocks instead of a single miner).

Ergo Platform core dev. Previously IOHK Research / Nxt core dev / SmartContract.com cofounder.
monsterer
Legendary
*
Offline Offline

Activity: 1008
Merit: 1007


View Profile
January 09, 2016, 12:42:45 PM
 #5

PoS must avoid stake centralization via decentralized exchanges and other infrastructure services. Aside of that, I see no way how to resolve this technically. It's the same as economy of scale working against PoW(a guys with special hardware is getting better $$/computation rate than an ordinary user).

This isn't at all like centralisation of mining. The equivalent in POW would be for the miners to physically give their hardware to the exchanges when they make a deposit there. This is a fundamental difference between POS and POW.

Quote
In IPoS even small part of the network can generate tickets successfully. However, a party holding critical part of online stake will freeze a network by generating a better chain of empty blocks. It's the same as empty blocks generating with 50+% hashing power in PoW.

Again, not the same. In POW this attack in unsustainable because it has a high cost associated with it; that of the electricity used in generating a block. In POS, there is zero cost and again this is a fundamental difference between POS and POW.

Quote
Any idea how to model and study this? I don't have, to say honestly.

Modelling it, I'm not sure... But it should be easy to see that the shorting attack can be cost free for the attacker.
kushti (OP)
Full Member
***
Offline Offline

Activity: 317
Merit: 103


View Profile WWW
January 11, 2016, 08:45:27 PM
 #6

Again, not the same. In POW this attack in unsustainable because it has a high cost associated with it; that of the electricity used in generating a block. In POS, there is zero cost and again this is a fundamental difference between POS and POW.

In case of constant deep chain reorgs + empty blocks big stakeholders will lose a lot due to exchange rates crash. Probably more than in case of PoW(current price to take 50+% miming power is $200-300M, so just 3-4% of stake).

But hey, we're going into old debates, while I want to take discussion to the new level of understanding.


P.S. Thanks to mthcl found a problem with a ticket's score formula. IPoS is resistant to 1/3 online stake now. Paper update is being uploading to Arxiv

Ergo Platform core dev. Previously IOHK Research / Nxt core dev / SmartContract.com cofounder.
kushti (OP)
Full Member
***
Offline Offline

Activity: 317
Merit: 103


View Profile WWW
January 12, 2016, 04:31:30 PM
 #7

New version of the paper is on Arxiv: http://arxiv.org/abs/1601.00275 . The main change: ticket score formula is updated to m * log2(b).

Ergo Platform core dev. Previously IOHK Research / Nxt core dev / SmartContract.com cofounder.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!