Proof that Proof of Stake is either extremely vulnerable or totally centralised

[monsterer]

Introduction

This is an very informal proof, because I wanted it to be as readable as possible for the majority of readers. I hope this will finally show why Proof of Stake (PoS) is not a viable consensus design.

This particular attack is called 'keys from the past', or the 'history attack' and is endemic to the design of PoS.

Recap of Proof of Stake

PoS requires bonded stake in order to generate a block. The more bonded stake, the higher the probability you can generate a block and this probability is linear in stake and is also a constant over any amount of time. It is possible for a majority stake holder to have a 100% probability of generating every block; this is something like 33% of all stake. The attack works like this:

The attack

1. The attacker simultaneously purchases a majority of old staking private keys, which were very recently used to stake with and are now empty and as such valueless to the seller(s)
2. He uses these historical keys to generate a new chain of history starting just before the keys were emptied and which is longer in cumulative difficulty than the canonical chain. He can do this first time with 100% probability since he has a majority of historical stake
3. He can then either steal the coins back to himself and carry on, or can bring the entire chain to a total halt by excluding all transactions.

Motivation

By taking out a massive short on an exchange before he carries out this attack, he can make it even more profitable. He can also hold the chain to ransom by excluding transactions at will, or by charging extra fees to include them.


Mitigations

It doesn't even matter if the chain itself has a re-org depth limit because it is quite possible that he can generate this new history in under the limit of the reorg depth. Even if he can't, it doesn't matter because all syncing nodes will be vulnerable to accepting his fake history as genuine and since impersonating a general network node has ~0 cost, he can impersonate a majority of nodes such that any syncing node querying at random will find his fake nodes with fake history. Given sufficient time, his history becomes canonical.

Checkpoints

The only mitigation for this attack is to enforce checkpoints from some trusted location. At this point, the currency has totally ceased to be decentralised, since the consensus result has been reduced to a consensus of one, which is the same as having no consensus at all. This is the antithesis of decentralisation.

Conclusion

The cost of this attack is very low since empty private keys have no value. All PoS chains are vulnerable to this attack because the cost of block production is close to zero, which is the chief reason this is possible. A reorg depth limit is ineffective at preventing this attack for the reasons described.
Checkpoints completely fail to be decentralised or trustless in any way; the network of nodes are reduced to simple database replication slaves in a system with far higher cost and inconvenience, lower performance and the same level of security as a centralised service.

[1715624709]

1715624709

[1715624709]

1715624709

[jl777]

Where can I buy these keys? I am interested to buy up any PoS using this method and then short sell it

Theoretical vs Practical issues.

Also, what if the PoS chain utilized a PoW chain, like BTC? By effectively using BTC blockhashes directly in a PoS, you can get at least a backstop level of protection. By putting in a moving checkpoint onto the BTC blockchain, then you can create a decentralized and verifiable PoS chain.

Use BTC at the trusted party. Now maybe that changes it from a pure PoS, but maybe you can see a way to attack that too? The assumption is that all nodes are directly monitoring the BTC blockchain and the PoS staking node also puts data into the BTC blockchain, maybe once per hour or so.

James

[monsterer]

Where can I buy these keys? I am interested to buy up any PoS using this method and then short sell it

Theoretical vs Practical issues.

Also, what if the PoS chain utilized a PoW chain, like BTC? By effectively using BTC blockhashes directly in a PoS, you can get at least a backstop level of protection. By putting in a moving checkpoint onto the BTC blockchain, then you can create a decentralized and verifiable PoS chain.

Use BTC at the trusted party. Now maybe that changes it from a pure PoS, but maybe you can see a way to attack that too? The assumption is that all nodes are directly monitoring the BTC blockchain and the PoS staking node also puts data into the BTC blockchain, maybe once per hour or so.

James

Imagine the temptation for any stakeholder being presented with an offer to buy his empty private key for $1000? It has no value to him, he gets 'free' money and is unaware of the risks.

Using BTC as a provider of sidechains for PoS candidates has been discussed before, of course. I haven't studied it well enough to form any conclusions on the viability of combined consensus techniques.

[jl777]

Where can I buy these keys? I am interested to buy up any PoS using this method and then short sell it

Theoretical vs Practical issues.

Also, what if the PoS chain utilized a PoW chain, like BTC? By effectively using BTC blockhashes directly in a PoS, you can get at least a backstop level of protection. By putting in a moving checkpoint onto the BTC blockchain, then you can create a decentralized and verifiable PoS chain.

Use BTC at the trusted party. Now maybe that changes it from a pure PoS, but maybe you can see a way to attack that too? The assumption is that all nodes are directly monitoring the BTC blockchain and the PoS staking node also puts data into the BTC blockchain, maybe once per hour or so.

James

Imagine the temptation for any stakeholder being presented with an offer to buy his empty private key for $1000? It has no value to him, he gets 'free' money and is unaware of the risks.

Using BTC as a provider of sidechains for PoS candidates has been discussed before, of course. I haven't studied it well enough to form any conclusions on the viability of combined consensus techniques.

Imagine the difficulty of contacting enough such stakeholders. So with a very long term horizon and actively targeting a coin and aggressively buying keys (has anyone every actually done even a single sale) from ex-whales, then at some point you have enough keys, but you cant go back in time with a one day moving checkpoint. So now you need to setup a zillion nodes to sucker in newbies and exchanges?

also the lack of any large short selling market. My estimate is the manual labor cost to do this makes it have a negative expected return and as such is in the same category of economically nonviable endeavors.

Anyway, my interest on this topic is not about pure PoS, but a way to allow all of crypto to benefit from the electricity BTC is using.

I wrote up a little bit on how to use BTC as a unversal sequence server, like a clock for all of crypto.
https://bitcointalk.org/index.php?topic=1372879.msg14034846#msg14034846

It came out of a post  made the other day, so I am sure it is not perfect, but I am pretty sure that weak PoS chains can be made a lot more secure by utilizing BTC. It would make BTC the heart of all these hybrid BTC/PoS and should appeal to the BTC maximalists.

As always, I am agnostic. I just seek the truth to find the best solution for each specific case

James

[monsterer]

Imagine the difficulty of contacting enough such stakeholders. So with a very long term horizon and actively targeting a coin and aggressively buying keys (has anyone every actually done even a single sale) from ex-whales, then at some point you have enough keys, but you cant go back in time with a one day moving checkpoint. So now you need to setup a zillion nodes to sucker in newbies and exchanges?

I just imagine setting up a forum post to get the key stake holders together with a trusted escrow to action it in one go. Can't see that being difficult, or expensive.

Remember, these are not ex-whales, these are current whales and they're not selling their stake, they're selling old private keys which are now empty and thus valueless.

In addition, the one day moving checkpoint you're describing is a reorg-depth limit, not a checkpoint. A checkpoint is a block hash and a height.

[jl777]

Imagine the difficulty of contacting enough such stakeholders. So with a very long term horizon and actively targeting a coin and aggressively buying keys (has anyone every actually done even a single sale) from ex-whales, then at some point you have enough keys, but you cant go back in time with a one day moving checkpoint. So now you need to setup a zillion nodes to sucker in newbies and exchanges?

I just imagine setting up a forum post to get the key stake holders together with a trusted escrow to action it in one go. Can't see that being difficult, or expensive.

Remember, these are not ex-whales, these are current whales and they're not selling their stake, they're selling old private keys which are now empty and thus valueless.

In addition, the one day moving checkpoint you're describing is a reorg-depth limit, not a checkpoint. A checkpoint is a block hash and a height.

what I suggest is a moving checkpoint, utilizing BTC blockhashes

[stdset]

This attack is known for years, just the first link from google: https://bitcointalk.org/index.php?topic=1019320.0
It's not easy to carry it out though.
Imagine you bought a key k1. In order to keep it's balance, the latest point where you can start building you fork is right before the key was emptied. Now you can buy another empty (on the main chain) key k2, but what state the key k2 is on your fork? Your history is different (on your branch you must exclude all transactions that depend on transaction that spends k1), maybe k2 was never funded on your fork, if it was, OK you buy it, but your history inevitably drifts away from the main history more and more and it becomes more and more difficult to find suitable keys from the main chain to buy.
Also I can't agree, that setting a limit on the reorg depth doesn't help. In the case of such a major attack node owners will have to manually choose what branch they want to stay on, and likely it will be easy to see which branch is a legit one.

[monsterer]

This attack is known for years, just the first link from google: https://bitcointalk.org/index.php?topic=1019320.0
It's not easy to carry it out though.
Imagine you bought a key k1. In order to keep it's balance, the latest point where you can start building you fork is right before the key was emptied.
Now you can buy another empty (on the main chain) key k2, but what state the key k2 is on your fork? Your history is different, maybe k2 was never

The attacker buys all keys at once, or very close together as stated in the description.

Also I can't agree, that setting a limit on the reorg depth doesn't help. In the case of such a major attack node owners will have to manually choose what branch they want to stay on, and likely it will be easy to see which branch is a legit one.

How can they be sure which branch is legitimate? If the re-org depth is very small, it will be indistinguishable from a regular re-org. In any case, such manual intervention is equivalent to centralised control, and we're back to the same conclusion again.

[jl777]

This attack is known for years, just the first link from google: https://bitcointalk.org/index.php?topic=1019320.0
It's not easy to carry it out though.
Imagine you bought a key k1. In order to keep it's balance, the latest point where you can start building you fork is right before the key was emptied. Now you can buy another empty (on the main chain) key k2, but what state the key k2 is on your fork? Your history is different, maybe k2 was never funded on your fork, if it was, OK you buy it, but your history inevitably drifts away from the main history more and more and it becomes more and more difficult to find suitable keys from the main chain to buy.
Also I can't agree, that setting a limit on the reorg depth doesn't help. In the case of such a major attack node owners will have to manually choose what branch they want to stay on, and likely it will be easy to see which branch is a legit one.

I have a use case of needing to have many weak chains all be able to do atomic swaps between each other and to be as secure as possible. The problem is that there probably will only be a dozen nodes per chain and PoS is the only practical way to secure these chains. While it would be great to have an unlimited electricity budget, these nodes wont, especially the ones running off of batteries.

So, while the ultimate super duper security is by doing a zillion hashes and PoW, I dont think anybody debates this. The issue is that not all networks can afford this, so the choice is not between PoW and PoS, the choice is between PoS and no network at all.

My idea is to infuse these weak chains with BTC's security. Not for every tx of course, but certainly a backstop from reorgs that go too deep is one protection. Just knowing that after X amount of time, it cant be changed, regardless of how smart/powerful an attacker comes around.

The other thing that BTC can provide via a few consensus rules is a common clock. By segmenting time periods to match the BTC blocktimes (probably grouped into batches of 10 or so), then all the different chains can have a verifiable common reference. The mere presence of a BTC blockhash proves an "after" time relationship.

To get the "before", the weak chains will need a consensus rule to either reject or add any later BTC blockhash that is available. Only "permanent" BTC blockhashes are used, ie 10+ blocks to avoid confusions from small reorgs. maybe it needs to be 30 blocks, but some amount where we can be pretty certain that it will never get reorged.

With a leeway of one to account for lag time that happens when a new block arrives, all chains can have at least a +/- 1 btc block resolution. The consensus rules still need to be completely worked out, but so far, nobody has found a fatal flaw. Which means even the weakest chain with enough confirmations will be able to trade with other weak chains and still with enough confirms (past the max reorg allowed), all can pretend they have BTC level security. Of course prior to reaching the permanent point, any weak chain is subject to all the usual suspects of attacks

including the fantasy one of buying old keys for $5 or $500 or whatever token amount is supposed to be possible. It just isnt so easy to buy something at significantly less than what they are worth from rich crypto traders. Arguably, anybody with a privkey that used to be a large enough stake you want to obtain it, is smart enough to ask for market value. So the cost of the private keys will trade at the expected value for them, with a bit of a discount. And it would not be a contingent payment as once the privkey is delivered there is no way to collect. So now we are looking at not $5 for "worthless" keys, but $X upfront, where X is some discount from the expected value, ie chance of success * size of successful attack. So this goes from a riskless attack to one that rapidly approaches some sort of breakeven level, but uncertain proposition.

The bigger attack that any coin PoW or PoS has is the hardfork attack. This attack is when the parties that control the hardfork version can transfer value from one part of the system to themselves. Their self interest assures they will do this if such a hardfork is available. What this means is that ALL derived cryptos are totally insecure from the hardfork attack.

James

[Come-from-Beyond]

"It was a bright cold day in April, and the clocks were striking thirteen."

Use this secret phrase to get access to Nxt account holding all the coins. Now you have all the keys you were looking for, what's next?

[monsterer]

"It was a bright cold day in April, and the clocks were striking thirteen."

Use this secret phrase to get access to Nxt account holding all the coins. Now you have all the keys you were looking for, what's next?

Sorry, I don't follow you?

[jl777]

"It was a bright cold day in April, and the clocks were striking thirteen."

Use this secret phrase to get access to Nxt account holding all the coins. Now you have all the keys you were looking for, what's next?

you could have gotten a BTC for it!

now the history attack is all but completed. Just need to run 1000 nodes with a fake (but somewhat believable history), then make all new accounts use the fake chain, and please ignore the long running nodes on the mainchain, that chain is not relevant anymore. Only the attacker's chain matters, so all the exchanges and blockexplorers will simply move to the attackers chain.

Happens all the time. Wont cost anything at all for this free attack.

James

[Come-from-Beyond]

"It was a bright cold day in April, and the clocks were striking thirteen."

Use this secret phrase to get access to Nxt account holding all the coins. Now you have all the keys you were looking for, what's next?

Sorry, I don't follow you?

In the very beginning Nxt had all the coins kept on a single account that is accessible through that phrase.

[jl777]

"It was a bright cold day in April, and the clocks were striking thirteen."

Use this secret phrase to get access to Nxt account holding all the coins. Now you have all the keys you were looking for, what's next?

Sorry, I don't follow you?

He saved you thousands of dollars for the privkey. that privkey is the one for the original genesis account. with it you can make any new chain you want

[jl777]

I look forward to the proof of the OP's conclusion "The cost of this attack is very low"

[monsterer]

"It was a bright cold day in April, and the clocks were striking thirteen."

Use this secret phrase to get access to Nxt account holding all the coins. Now you have all the keys you were looking for, what's next?

Sorry, I don't follow you?

In the very beginning Nxt had all the coins kept on a single account that is accessible through that phrase.

This attack doesn't work that way. It relies on contemporary private keys, from very recent history.

[Come-from-Beyond]

He saved you thousands of dollars for the privkey. that privkey is the one for the original genesis account. with it you can make any new chain you want

Yes, but the point is that I'd like to know what next steps are. I suspect that security is not broken completely once someone has the keys, some other factors should be taken into account, but the corresponding analysis is not presented in the OP.

[Come-from-Beyond]

This attack doesn't work that way. It relies on contemporary private keys, from very recent history.

I still don't agree with "totally centralised" part. I feel something lacks in the analysis.

[Coryvmcs1]

How does this affect PoW/ Pos Systems. Or is this just PoS only chains?

[monsterer]

He saved you thousands of dollars for the privkey. that privkey is the one for the original genesis account. with it you can make any new chain you want

Yes, but the point is that I'd like to know what next steps are. I suspect that security is not broken completely once someone has the keys, some other factors should be taken into account, but the corresponding analysis is not presented in the OP.

What would you like more detail on?

[jl777]

"It was a bright cold day in April, and the clocks were striking thirteen."

Use this secret phrase to get access to Nxt account holding all the coins. Now you have all the keys you were looking for, what's next?

Sorry, I don't follow you?

In the very beginning Nxt had all the coins kept on a single account that is accessible through that phrase.

This attack doesn't work that way. It relies on contemporary private keys, from very recent history.

And this appears to contradict your conclusion. If you need a matched set of keys all having large balances from very recent history, then this is either impossible or very expensive.

Especially if there is a one day timeframe.

Since it needs to be a recent set of privkeys all with large values, it almost seems to be provable that is it impossible, unless the coin's liquidity is 20% of total marketcap per day. How would it be possible for all large stakeholders to go from being large stakeholder to not having any in a very recent history timeframe?

THAT is the fatal assumption in your attack when combined with being able to buy such keys for below market value.

I can postulate a similar nearly costless attack by saying I will just by all the mining equipment for scrap values from all the large miners right after they upgrade. Since I am buying it from all of them, even though the hardware is slower, I will have more hashpower than any of them. 51% attacker is in the bag. It will be so easy to get them to sell me their useless mining equipment for $500

Or maybe not?

A large stakeholder doesnt immediately become a non-stakeholder. Most all cases it is a gradual process.

James

[monsterer]

How would it be possible for all large stakeholders to go from being large stakeholder to not having any in a very recent history timeframe?

By transferring their stake to another account that they own? The point is, they remain large stakeholders, all they sell are empty private keys.

[Come-from-Beyond]

What would you like more detail on?

The money gets value because someone accepts it as a mean of exchange. Usually this happens within boundaries of an economic cluster. "Cluster" implies some degree of centralization, if extra measures used to counteract "buy keys" attack don't increase the level of centralization then the problem of centralization doesn't even arise.

Economic cluster works this way:
- Alice wants to buy something in Walmart
- There are thousands of different versions of the same blockchain
- She does the payment on the same version that Walmart sticks to
- She doesn't care about the other versions as long as she gets what she has paid for

So, as we see even "buy keys" attack can do nothing if economic majority keeps an eye on the blockchain and doesn't allow deep reorgs. This is what happens in Nxt with its 720-block rollback limit.

The OP should has included the above text to look non-biased. As a bonus extra analysis on possibility of an eclipse attack that could split the economic cluster and lead to chaos is welcome.

[monsterer]

So, as we see even "buy keys" attack can do nothing if economic majority keeps an eye on the blockchain and doesn't allow deep reorgs. This is what happens in Nxt with its 720-block rollback limit.

The OP should has included the above text to look non-biased. As a bonus extra analysis on possibility of an eclipse attack that could split the economic cluster and lead to chaos is welcome.

I believe I covered the re-org depth mitigation in the OP? It doesn't help for two reasons:

1. The re-org from this attack could easily be less than the maximum depth
2. Re-orgs greater than this depth will still be accepted by all syncing nodes, and the the attacker can impersonate a majority of nodes for ~0 cost, leading to all syncing nodes accepting his version of history, which eventually leads to it becoming the canonical chain.

[jl777]

How would it be possible for all large stakeholders to go from being large stakeholder to not having any in a very recent history timeframe?

By transferring their stake to another account that they own? The point is, they remain large stakeholders, all they sell are empty private keys.

So now they are low intelligence large stakeholders?

What use are empty private keys other than history attack?

Might as well postulate that miners will just let you use their facilities for a small fee, since you promise not to push any buttons.

Pick a PoS coin, any PoS. Prove this attack is possible in a cash positive way. I am sure you can get many privkeys for a dead coin, but maybe a bit of a problem short selling a dead coin.

So while this history attack is a scary sounding thing, the practical difficulties makes it not anything to worry about. Try it if you dont believe me, just try to get a single valueless empty key. Maybe post an ad somewhere for it? How exactly do you propose to get recent keys?

Getting the genesis key seems to not be of any use, so maybe you need to update the OP as being impractical and not having a single documented case of it ever working and its expected return is negative cashflow

James

[jl777]

So, as we see even "buy keys" attack can do nothing if economic majority keeps an eye on the blockchain and doesn't allow deep reorgs. This is what happens in Nxt with its 720-block rollback limit.

The OP should has included the above text to look non-biased. As a bonus extra analysis on possibility of an eclipse attack that could split the economic cluster and lead to chaos is welcome.

I believe I covered the re-org depth mitigation in the OP? It doesn't help for two reasons:

1. The re-org from this attack could easily be less than the maximum depth
2. Re-orgs greater than this depth will still be accepted by all syncing nodes, and the the attacker can impersonate a majority of nodes for ~0 cost, leading to all syncing nodes accepting his version of history, which eventually leads to it becoming the canonical chain.

Please tell me who your VPS is that allows unlimited use for ~0 cost.

Are you seriously claiming that you can reorg to any depth and just a passage of time will lead to the attacker chain dominating? Because, because nobody in the entire community will notice that just maybe there is a new chain? that their balances are gone?

1. is not possible due to the duration of time it takes for large stakeholders to become non-stakeholders and I think it is fair to assume they wont sell keys to a chain they still have economic interest in. So you make a statement using "easily", when it is most likely quite difficult at best

2. this is just science fiction or is it fantasy. It assumes that nobody in the community notices during the entire attack, including the exchanges which are currently NOT running the fake chain. But of course, they will upgrade to the attacker fork where there balances are gone.

THAT is what you want people to believe? PoW has some advantages over PoS, there is no need to concoct fantasy scenarios, it just looks a bit strange. I made a way for BTC to become the central clock for all the other cryptos, at that point you wont have to worry about BTC going away for a very long time

James

[monsterer]

So now they are low intelligence large stakeholders?

The point is the danger of doing something like this is completely non-obvious. Why should anyone think twice about selling something which has 0 value for >0? That sounds like a win to me.

What use are empty private keys other than history attack?

Might as well postulate that miners will just let you use their facilities for a small fee, since you promise not to push any buttons.

Pick a PoS coin, any PoS. Prove this attack is possible in a cash positive way. I am sure you can get many privkeys for a dead coin, but maybe a bit of a problem short selling a dead coin.

I believe I have proved that already. I have no intention of actually carrying this attack out because I have no desire to defraud anyone. However, I think it's very important that people know what they are investing in, and the associated risks, which you have to admit are entirely opaque.

Getting the genesis key seems to not be of any use, so maybe you need to update the OP as being impractical and not having a single documented case of it ever working and its expected return is negative cashflow

The OP describes an attack unrelated to the genesis key.

[Come-from-Beyond]

I believe I covered the re-org depth mitigation in the OP? It doesn't help for two reasons:

1. The re-org from this attack could easily be less than the maximum depth
2. Re-orgs greater than this depth will still be accepted by all syncing nodes, and the the attacker can impersonate a majority of nodes for ~0 cost, leading to all syncing nodes accepting his version of history, which eventually leads to it becoming the canonical chain.

Reorg depth limit is one of many ways to do the job. Economic cluster participants could use something else.

[monsterer]

I believe I covered the re-org depth mitigation in the OP? It doesn't help for two reasons:

1. The re-org from this attack could easily be less than the maximum depth
2. Re-orgs greater than this depth will still be accepted by all syncing nodes, and the the attacker can impersonate a majority of nodes for ~0 cost, leading to all syncing nodes accepting his version of history, which eventually leads to it becoming the canonical chain.

Reorg depth limit is one of many ways to do the job. Economic cluster participants could use something else.

If you can describe one which doesn't involve something related to a checkpoint, or human intervention, I'd be happy to add that to the OP.

[jl777]

So now they are low intelligence large stakeholders?

The point is the danger of doing something like this is completely non-obvious. Why should anyone think twice about selling something which has 0 value for >0? That sounds like a win to me.

What use are empty private keys other than history attack?

Might as well postulate that miners will just let you use their facilities for a small fee, since you promise not to push any buttons.

Pick a PoS coin, any PoS. Prove this attack is possible in a cash positive way. I am sure you can get many privkeys for a dead coin, but maybe a bit of a problem short selling a dead coin.

I believe I have proved that already. I have no intention of actually carrying this attack out because I have no desire to defraud anyone. However, I think it's very important that people know what they are investing in, and the associated risks, which you have to admit are entirely opaque.

Getting the genesis key seems to not be of any use, so maybe you need to update the OP as being impractical and not having a single documented case of it ever working and its expected return is negative cashflow

The OP describes an attack unrelated to the genesis key.

My estimate is that the danger to a PoS with a relatively short max reorg depth has less to worry about from a history attack than BTC has to worry from miner centralization

You have proven nothing. There is no market for formerly large stakeholding keys. But you claim by declaration that they are easy to get and at significantly below market price. And that the current mainchain will just magically switch to the attackers chain.

Making a wrong statement is not quite the usual standard that comes with the word "proof"

James

If these old keys can indeed be used for easy attacks (I have no confidence they can), then they are not useless and have value. And if it does have value, the people who have them will quickly find out about it

[monsterer]

You have proven nothing. There is no market for formerly large stakeholding keys. But you claim by declaration that they are easy to get and at significantly below market price. And that the current mainchain will just magically switch to the attackers chain.

Making a wrong statement is not quite the usual standard that comes with the word "proof"

I have submitted a problem statement, which, if satisfied would enable this attack. If you disagree with the statement, let's hear your rebuttal?

I claim it would be 'easy' to acquire a historical key because it would contain no funds, and thus be worthless to the seller. That seems fairly well justified rational behaviour to me.

edit: even if it's 'hard', the attack is still possible, regardless.

[Come-from-Beyond]

If you can describe one which doesn't involve something related to a checkpoint, or human intervention, I'd be happy to add that to the OP.

If 10+ block reorgs are made public and require human intervention then it's enough to solve the issue. It's exactly what happened during Bitcoin Fork 2013. The knowledge that humans can intervene is enough to stop anyone buying the keys. All that is possible in this case is an expensive prank. But you decided to exclude "human intervention", well, never mind then, perhaps you have strong arguments to exclude Game theory from the security equation...

[monsterer]

If you can describe one which doesn't involve something related to a checkpoint, or human intervention, I'd be happy to add that to the OP.

If 10+ block reorgs are made public and require human intervention then it's enough to solve the issue. It's exactly what happened during Bitcoin Fork 2013. The knowledge that humans can intervene is enough to stop anyone buying the keys. All that is possible in this case is an expensive prank. But you decided to exclude "human intervention", well, never mind then, perhaps you have strong arguments to exclude Game theory from the security equation...

Human intervention largely indicates a critical failure, the resolution of which must happen under centralised control, so we arrive back at the original conclusion again.

Yes, bitcoin had just such a critical failure as well, and it nearly destroyed the currency.

[jl777]

You have proven nothing. There is no market for formerly large stakeholding keys. But you claim by declaration that they are easy to get and at significantly below market price. And that the current mainchain will just magically switch to the attackers chain.

Making a wrong statement is not quite the usual standard that comes with the word "proof"

I have submitted a problem statement, which, if satisfied would enable this attack. If you disagree with the statement, let's hear your rebuttal?

I claim it would be 'easy' to acquire a historical key because it would contain no funds, and thus be worthless to the seller. That seems fairly well justified rational behaviour to me.

I thought in crypto economically unviable attacks are not relevant.

Did that change? I must have missed the memo.

Since you dont have any calculations about the cost of actually acquiring the recent keys, nor even a definition of what recent is, nor how even if you magically got those recent keys how you get the big active accounts to switch chains, it does not pass the common sense test.

But if you change it to reflect that you need to fool existing large stakeholders to transfer all their funds to a new account, sell them the newly emptied key. Do this half a dozen to a dozen times. All within a few days. Then create a fake chain and then make the largest accounts, like the central exchanges with lots at stake and long time accounts to all switch to the fake chain, ok, you got me. with those sets of facts, yes you can compromise a chain.

However, an equally ridiculous set of assumptions can be used to take over a PoW chain. So this is not anything specific to PoS, it is social engineering attack mixed in with mass hypnosis. Why not simply the attack where you ask everyone to just send you all their funds? That would work too

James

[jl777]

If you can describe one which doesn't involve something related to a checkpoint, or human intervention, I'd be happy to add that to the OP.

If 10+ block reorgs are made public and require human intervention then it's enough to solve the issue. It's exactly what happened during Bitcoin Fork 2013. The knowledge that humans can intervene is enough to stop anyone buying the keys. All that is possible in this case is an expensive prank. But you decided to exclude "human intervention", well, never mind then, perhaps you have strong arguments to exclude Game theory from the security equation...

Human intervention largely indicates a critical failure, the resolution of which must happen under centralised control, so we arrive back at the original conclusion again.

Yes, bitcoin had just such a critical failure as well, and it nearly destroyed the currency.

Instead of silly hypotheticals, what about using other blockchains as the TTP?

[Come-from-Beyond]

Human intervention largely indicates a critical failure.

But the knowledge that it will happen is enough to stop anyone from buying the keys. So it will (likely) never be needed.

[jl777]

Human intervention largely indicates a critical failure.

But the knowledge that it will happen is enough to stop anyone from buying the keys. So it will (likely) never be needed.

I think his point is that once a highly unlikely set of assumptions are accepted as a given then you can correctly make highly unlikely set of conclusions

I actually dont see a flaw with that logic.

[monsterer]

However, an equally ridiculous set of assumptions can be used to take over a PoW chain. So this is not anything specific to PoS, it is social engineering attack mixed in with mass hypnosis. Why not simply the attack where you ask everyone to just send you all their funds? That would work too

What you call 'ridiculous', I call rational behaviour.

The OP shows one example of how this could be profitable, so 'economically unviable' is also unjustified.

[Come-from-Beyond]

I think his point is that once a highly unlikely set of assumptions are accepted as a given then you can correctly make highly unlikely set of conclusions

I actually dont see a flaw with that logic.

If it means that someone can spend millions of dollars on buying keys hoping that one day users will be tired of constant human intervention and return to USD then I can accept the claim from the title.

[jl777]

However, an equally ridiculous set of assumptions can be used to take over a PoW chain. So this is not anything specific to PoS, it is social engineering attack mixed in with mass hypnosis. Why not simply the attack where you ask everyone to just send you all their funds? That would work too

What you call 'ridiculous', I call rational behaviour.

The OP shows one example of how this could be profitable, so 'economically unviable' is also unjustified.

Do you want objective analysis, or just unthinking agreement to whatever you post?

If the latter, you can always make some sockpuppets. I just respond with my analysis using the meager resources at my disposal. And to my simplistic thinking, postulating an economically motivated attack that assumes all the victims will mindlessly just give the ability to attack is essentially the "send me all your crypto" attack. Hey, if they do, it works so it is rational and viable.

James

[kushti]

That so-called "History attack" is discussed in the "Interactive Proof-of-stake" paper of mine http://arxiv.org/abs/1601.00275

[monsterer]

Do you want objective analysis, or just unthinking agreement to whatever you post?

If the latter, you can always make some sockpuppets. I just respond with my analysis using the meager resources at my disposal. And to my simplistic thinking, postulating an economically motivated attack that assumes all the victims will mindlessly just give the ability to attack is essentially the "send me all your crypto" attack. Hey, if they do, it works so it is rational and viable.

James

To be honest, I'd prefer actual analysis rather than just hyperbole and denial.

I don't think it's at all reasonable to expect all users of a PoS currency to have to understand the inner workings of blockchain consensus. Such a requirement is to require that real everyday people do not use your currency.

[jl777]

Do you want objective analysis, or just unthinking agreement to whatever you post?

If the latter, you can always make some sockpuppets. I just respond with my analysis using the meager resources at my disposal. And to my simplistic thinking, postulating an economically motivated attack that assumes all the victims will mindlessly just give the ability to attack is essentially the "send me all your crypto" attack. Hey, if they do, it works so it is rational and viable.

James

To be honest, I'd prefer actual analysis rather than just hyperbole and denial.

I don't think it's at all reasonable to expect all users of a PoS currency to have to understand the inner workings of blockchain consensus. Such a requirement is to require that real everyday people do not use your currency.

I prefer to add BTC security into PoS chain

[allwelder]

I believe I covered the re-org depth mitigation in the OP? It doesn't help for two reasons:

1. The re-org from this attack could easily be less than the maximum depth
2. Re-orgs greater than this depth will still be accepted by all syncing nodes, and the the attacker can impersonate a majority of nodes for ~0 cost, leading to all syncing nodes accepting his version of history, which eventually leads to it becoming the canonical chain.

Reorg depth limit is one of many ways to do the job. Economic cluster participants could use something else.

What 's it?
Just like the delegates in DPoS?

[Come-from-Beyond]

What 's it?

Publication of last blocks by economic giants like Walmart. Because of https://en.wikipedia.org/wiki/Six_degrees_of_separation those who are tricked into a wrong chain will return to the legit one after human intervention.

[jl777]

What 's it?

Publication of last blocks by economic giants like Walmart. Because of https://en.wikipedia.org/wiki/Six_degrees_of_separation those who are tricked into a wrong chain will return to the legit one after human intervention.

But didnt you see that Walmart itself will be forced onto the fake chain due to the inevitable forces of entropy? Surely, they wont have 100% uptime, so their server will need to be restarted and murphy's law GUARANTEES that they will lose not just the local copy of the blockchain, but absolutely all backups. And inevitably as surely as day follows night, they will connect to the attacker's node and sync to the fake history where their balance is zero.

However, there is at the same time a mass hypnosis spell being cast on all data center operators, so they dont notice they have a zero balance and then the critical Walmart nodes are now part of the attacker's network. And it is unstoppable, after Walmart, all the other companies realize that they too are on the wrong network and immediately switch to the attacker's network. Management is useless as they dont understand the tech at all and just writeoff all the lost funds as a business expense. None of the customers impacted by this make a single complaint so it is impossible for anybody at all to notice something is wrong. And thus the attacker's network is 100% guaranteed to takeover completely. The exact time for this is not possible to know, but typically it would happen within a few hours, maybe 10 hours at most, so dont talk about any 720 block thing.

And there is no point to say that any single assumption in the above is unlikely to happen. It will happen, this is by assertion. So it must happen and therefore the above is not unlikely at all. How can you say that any of the above is unlikely when it is assumed that it would happen?

James

[allwelder]

So The EC is much like a big centralized server for PoS coin(NXT) network,it's so big that we assume it's a legit block generator.

[Come-from-Beyond]

So The EC is much like a big centralized server for PoS coin(NXT) network,it's so big that we assume it's a legit block generator.

Kinda. And there is no an alternative even for a 100% decentralized cryptocoin other than to adopt the chain of the EC.

[watashi-kokoto]

Kinda ironic that Proof of Anti-stake may work

the idea is, that user destroys it's coins and by doing so confirms a block

[allwelder]

So The EC is much like a big centralized server for PoS coin(NXT) network,it's so big that we assume it's a legit block generator.

Kinda. And there is no an alternative even for a 100% decentralized cryptocoin other than to adopt the chain of the EC.

Cryptoers blame bitcoin for over centralization,NXT seems also did not solve this problem better ,in contrast it need such a centralization to solve the primary security problem.

Hmm,not good.

And if like this,DPoS is much decentralized compared to EC,at least there are many delegates(101 in BTS).

[monsterer]

Kinda ironic that Proof of Anti-stake may work

the idea is, that user destroys it's coins and by doing so confirms a block

That's called Proof of burn and it doesn't work either. The chief reason is that you burn coins to participate in the consensus process, but the burn transactions require consensus, so you have a chicken and egg problem.

[kokojie]

Theorycraft all you want, in the real world it's demonstrated many times, that PoS alt coins are much more secure than PoW alt coins. Most PoW crypto avoided the PoW insecurity by being very big. ie BTC/LTC  smaller PoW crypto are usually DOA by being attacked to death.

Even better, is a hybrid system of PoS + PoW + DPoS, to attack a hybrid system, you need to completely overwhelm at least 2 of the 3 mining methods. Which is nearly impossible even for the US government.

[funkenstein]

Theorycraft all you want, in the real world it's demonstrated many times, that PoS alt coins are much more secure than PoW alt coins. Most PoW crypto avoided the PoW insecurity by being very big. ie BTC/LTC  smaller PoW crypto are usually DOA by being attacked to death.
you

Kokojie has it, at least from an empirical standpoint.  However you leave out that the security you mention is more like stability.  The instability that altcoin creators are avoiding by using PoS is due to hash rate variance, especially when there exist many much more massive hash farms than your network rate due to other larger coins (secured with the same hash function). 

Anyway, history attacks are still a vaporvuln as are various PoS doublespends, until somebody figures out how to actually do them.  I for one wish you luck. 

[coretechs]

To be honest, I'd prefer actual analysis rather than just hyperbole and denial.

I don't think it's at all reasonable to expect all users of a PoS currency to have to understand the inner workings of blockchain consensus. Such a requirement is to require that real everyday people do not use your currency.

Nxt has been running over 2 years and you are now soapboxing the same arguments that have been refuted over and over.  If you think you can easily attack it we have a testnet and plenty of people who would gladly provide you with all the testnet stake you need.  No hyperbole and no harm done, go ahead and prove your claims.  You might want to read the paper that kushti posted first.  The best that you can probably do is a short-range attack that is still impractical.

I expect that you know blockchain consensus is not a purely technical in nature.  Blockchain consensus relies heavily on economic incentives to influence human behavior, whether you are using PoW or PoS.  In the impossible attack you are imagining, many user accounts would cease to exist, which would clearly indicate to any normal user that they are on a fork.  Its no different that imagining that someone secretly breaks SHA256 and mines a new Bitcoin blockchain that outpaces the existing chain.  How do you think people people would react when their bitcoin addresses no longer have any balance?  The chain would be perfectly valid according to the consensus rules.  Would everyone simply shrug their shoulders and accept the loss of all their BTC?

[monsterer]

Nxt has been running over 2 years and you are now soapboxing the same arguments that have been refuted over and over.  

This particular one has not been refuted to my knowledge.

In the impossible attack you are imagining, many user accounts would cease to exist, which would clearly indicate to any normal user that they are on a fork.

That's not true in the least; in fact, nothing out of the ordinary would happen unless the attacker started abusing his power; he could just sit there producing blocks all by himself forever, taking 100% of transaction fees.

[stdset]

That's not true in the least; in fact, nothing out of the ordinary would happen unless the attacker started abusing his power; he could just sit there producing blocks all by himself forever, taking 100% of transaction fees.

He can't just sit and produce blocks forever. In order to be able to produce blocks he must keep balances under his control. First he must exclude transactions emptying his cheaply acquired priv keys, then he will probably want to transfer balances from that keys to his own keys, because if he doesn't do that those gullible large stakeholders who sold him their empty keys will be able transfer funds from those keys again to their new addresses. In any case, attacker's fork will look completely different.

[Come-from-Beyond]

then he will probably want to transfer balances from that keys to his own keys, because if he doesn't do that those gullible large stakeholders who sold him their empty keys will be able transfer funds from those keys again to their new addresses

In Nxt if the attacker does that then he will be unable to generate blocks for 1 day because moved coins lose the right to forge blocks for 1440 blocks. As the result branch difficulty will drop significantly because only those coins that the attacker controlled before the purchase of the keys will be allowed to forge. And the legit chain may get more weight taking over the control.

[TPTB_need_war]

Well you don't need to find historical keys (in order to rewrite the history of PoS block chains), when you can make them for nearly 0 cost.

Simply buy and sell on an exchange, and your cost will only be the spread.

Then short the coin, and start attacking.

Obviously this doesn't apply to illiquid meaningless microfloat altcoins. We are talking about whether PoS is viable for a mainstream decentralized coin. Not.

For a centralized coin, then anything works, you don't even need PoS nor PoW (except to fool people with).

[monsterer]

He can't just sit and produce blocks forever. In order to be able to produce blocks he must keep balances under his control. First he must exclude transactions emptying his cheaply acquired priv keys, then he will probably want to transfer balances from that keys to his own keys, because if he doesn't do that those gullible large stakeholders who sold him their empty keys will be able transfer funds from those keys again to their new addresses. In any case, attacker's fork will look completely different.

In that sense you are correct, yes. But the attacker would be wise to just censor the transactions sending his funds away and just keep on trucking.

[stdset]

Simply buy and sell on an exchange, and your cost will only be the spread.

Simply buy 50% of available coins, withdraw them from exchanges, deposit them back and finally sell them. Surely it will cost you next to nothing.

[stdset]

He can't just sit and produce blocks forever. In order to be able to produce blocks he must keep balances under his control. First he must exclude transactions emptying his cheaply acquired priv keys, then he will probably want to transfer balances from that keys to his own keys, because if he doesn't do that those gullible large stakeholders who sold him their empty keys will be able transfer funds from those keys again to their new addresses. In any case, attacker's fork will look completely different.

In that sense you are correct, yes. But the attacker would be wise to just censor the transactions sending his funds away and just keep on trucking.

He will need to censor also all transactions that depend on transactions sending his funds away, and that will soon be a lot of transactions.

[monsterer]

He will need to censor also all transactions that depend on transactions sending his funds away, and that will soon be a lot of transactions.

Not at all. For transaction sequence A->B->C and A is censored, B and C become invalid if they depend on A.

[stdset]

He will need to censor also all transactions that depend on transactions sending his funds away, and that will soon be a lot of transactions.

Not at all. For transaction sequence A->B->C and A is censored, B and C become invalid if they depend on A.

They are valid on the main fork.
Even in the case of a very swift attack, as it was mentioned, max reorg depth in NXT is 720 blocks, that's about 12 hours, there will be many transactions that will need to be censored because they depend on transactions transferring funds from the attacker's addresses. And, if you ask me, I can't imagine how it's possible to collect priv keys for stake enough for such attack in such short time frame.

[TPTB_need_war]

max reorg depth in NXT is 720 blocks

Checkpoints are centralization.

For a centralized coin, then anything works, you don't even need PoS nor PoW (except to fool people with).

If we don't have decentralization, then the entire plot has been lost.

Do you need an example? Here you go (remember the Chinese mining cartel allegedly controls 65% of the Bitcoin hashrate):

https://www.reddit.com/r/btc/comments/48nnaw/the_truth_comes_out_core_devs_have_convinced/

[monsterer]

They are valid on the main fork.
Even in the case of a very swift attack, as it was mentioned, max reorg depth in NXT is 720 blocks, that's about 12 hours, there will be many transactions that will need to be censored because they depend on transactions transferring funds from the attacker's addresses. And, if you ask me, I can't imagine how it's possible to collect priv keys for stake enough for such attack in such short time frame.

The attack scenario sees the main fork being orphaned. Whether you can't see how its done or not is kind of irrelevant. The risk is there, the cost is virtually zero and chance of success is very high IMO.

[stdset]

max reorg depth in NXT is 720 blocks

Checkpoints are centralization.

Mex reorg depth isn't checkpoints.

[TPTB_need_war]

max reorg depth in NXT is 720 blocks

Checkpoints are centralization.

Mex reorg depth isn't checkpoints.

It is if you expect it to be honored objectively by offline nodes (propagation isn't objective proof because it can be Sybil attacked). I will let monsterer explain that to you, if you don't understand.

[stdset]

max reorg depth in NXT is 720 blocks

Checkpoints are centralization.

Mex reorg depth isn't checkpoints.

It is if you expect it to be honored objectively by offline nodes (propagation isn't objective proof because it can be Sybil attacked). I will let monsterer explain that to you, if you don't understand.

May be you will explain us what exactly is centralised in a cryptocurrency (doesn't matter PoS or PoW) whose nodes reject reorgs if they are deeper than the max allowed depth?

[stdset]

They are valid on the main fork.
Even in the case of a very swift attack, as it was mentioned, max reorg depth in NXT is 720 blocks, that's about 12 hours, there will be many transactions that will need to be censored because they depend on transactions transferring funds from the attacker's addresses. And, if you ask me, I can't imagine how it's possible to collect priv keys for stake enough for such attack in such short time frame.

The attack scenario sees the main fork being orphaned.

Almost all attacks see the main fork being orphaned. Thank you for stating that, captain.

Whether you can't see how its done or not is kind of irrelevant. The risk is there, the cost is virtually zero and chance of success is very high IMO.

"IMO" - yes, this is your opinion.

[kokojie]

Well you don't need to find historical keys (in order to rewrite the history of PoS block chains), when you can make them for nearly 0 cost.

Simply buy and sell on an exchange, and your cost will only be the spread.

Then short the coin, and start attacking.

Obviously this doesn't apply to illiquid meaningless microfloat altcoins. We are talking about whether PoS is viable for a mainstream decentralized coin. Not.

For a centralized coin, then anything works, you don't even need PoS nor PoW (except to fool people with).

So let's say if Bitcoin was PoS, your attack plan is:
step 1: buy up 50% of all available Bitcoin?

uh good luck with that.

[monsterer]

Almost all attacks see the main fork being orphaned. Thank you for stating that, captain.

Sorry, I fail to see the point of your question if you assume that.

[coretechs]

max reorg depth in NXT is 720 blocks

Checkpoints are centralization.

Mex reorg depth isn't checkpoints.

It is if you expect it to be honored objectively by offline nodes (propagation isn't objective proof because it can be Sybil attacked). I will let monsterer explain that to you, if you don't understand.

Nodes can identify themselves by cryptographically linking their IP address with an account (called "hallmarking" in Nxt) which mitigates Sybil attacks.  The client can be configured to only download blocks from a subset of nodes linked with known accounts and/or a minimum stake threshold.  In an attack scenario this would allow offline nodes to filter out malicious nodes and sync with the proper chain.  It's basically an optionally enabled reputation layer for trusting nodes linked to known accounts, not a silver bullet because of the flaws with all reputation systems (long term planned exploit) but still helpful as another layer of security.

https://nxtportal.org/peers  ("weight" is the stake of the account linked to the peer)

Example:
https://nxtportal.org/nxt?requestType=getPeer&peer=192.3.196.10

https://nxtportal.org/nxt?requestType=decodeHallmark&hallmark=65758c584d6eba44d405277a76bd58adb7c3f78744300e61ef4d12136539940a0c003139322e332e3139362e313064000000659e33010257b14003389b2904476641824dd076810210aea2f354d5ade07352a8d636f50974a2dd0641d38d5f3ec819f76d8cfd8ed1faff94112dc1269944a91b90267fe4

[BARR_Official]

The problem with using someone else's privkeys is that they can still have the same privkeys and undo anything you can do.

They also have the same actual coins you'll be using on your fork.
So even if you control enough stake to generate every new block,
there is still equal or greater stake on the main chain that can do the same thing.
You haven't explained how you can use someone else's coins to out-stake them,
when someone else is simultaneously staking the same coins (plus more) on the main chain.

Also, in order to offer $1000 for particular private keys, you would need to make a public offer.
There is no way to make a public offer to buy private keys without raising suspicion,
because everyone knows you could already get as many legitimate private keys as you want for free.
Therefore, everyone would know that you want those specific keys for an illegitimate reason,
and then they would either refuse, or find a way to get your money while anticipating and preventing your attack.

Another problem is that many PoS coins already develop persistent forks that never get resolved.
Just because you can create a fork doesn't mean that all nodes will accept it.

Also, all exchanges could block your forked nodes and resync as soon as they lose coins.  
If anyone wants to trade, they'll have to be on the same fork as the exchanges;
people will do what it takes to get on the same chain as their exchange.

If empty private keys are valuable, then so are offline nodes that haven't seen your attack yet.
The exchanges are already in everyone's peers anyway, while your nodes are not.
The wallet doesn't accept the longest chain in the world, just the longest chain among its own peers.

You'll also need to carefully plan your timestamping -
how many blocks ahead can your fake chain get and still arrive at a matching current time on the network?
Your chain might be longer, but users' wallets just received a new block 30 seconds ago.
They know they're not 12 hours behind, so there's a limit to how far ahead your chain can get.

There are already stake modifiers and multiple safeguards against timejacking/clock drift,
and valid blocks are also required to be within the median time of the most recent blocks.

In order to create a significantly longer chain, you'll have to present a chain of valid blocks that are timestamped to appear faster than the sequence of blocks on the real chain.  Have you run any numbers to estimate how high you'll be driving the difficulty to squeeze those extra blocks into the same period of time?  For your blocks to be valid, you will have to follow the same difficulty adjustments as if you were actually staking on the network with your limited amount of coins and stakeweight.  

Since difficulty would increase with each artificially faster block time,
while your stakeweight would decrease with each block that uses only your coins,
the time it takes you to hash the next block would grow exponentially.
It might take you so long to calculate that you would never catch up with the main chain.

The only way to decrease difficulty would be to put more time in-between your blocks;
but the main chain still has a stable average blocktime, so your chain wouldn't be longer.

And there might be a problem with your idea of "holding the chain ransom" -
if you successfully forked the network and invalidated all the transactions,
then everyone else but you would instantly have all the coin age and stakeweight.
Because you've just made it so that none of their coins have moved since your forked chain began.

[TPTB_need_war]

max reorg depth in NXT is 720 blocks

Checkpoints are centralization.

Mex reorg depth isn't checkpoints.

It is if you expect it to be honored objectively by offline nodes (propagation isn't objective proof because it can be Sybil attacked). I will let monsterer explain that to you, if you don't understand.

May be you will explain us what exactly is centralised in a cryptocurrency (doesn't matter PoS or PoW) whose nodes reject reorgs if they are deeper than the max allowed depth?

Maybe first you can explain why you are too ignorant to understand what I wrote which thus makes your reply irrelevant noise.

Hint: how can an offline node reject that which it wasn't online to detect? How does an offline know from the history which is presented to it, which chain (past the 720 limit) occurred first? Basic things you need to grasp before you post on this thread. An offline node is ignorant about the propagation order that occurred which the online nodes observed. Those who claim they were online, can be a Sybil attack lie. The only proof is what can be cryptographically stored in the block chain history. I so tired of replying to those who don't know a damn thing about what they are writing about yet are so damn boastful.

[TPTB_need_war]

Well you don't need to find historical keys (in order to rewrite the history of PoS block chains), when you can make them for nearly 0 cost.

Simply buy and sell on an exchange, and your cost will only be the spread.

Then short the coin, and start attacking.

Obviously this doesn't apply to illiquid meaningless microfloat altcoins. We are talking about whether PoS is viable for a mainstream decentralized coin. Not.

For a centralized coin, then anything works, you don't even need PoS nor PoW (except to fool people with).

So let's say if Bitcoin was PoS, your attack plan is:
step 1: buy up 50% of all available Bitcoin?

uh good luck with that.

It is so tiring to reply to the hordes of ignorant trolls.

I wrote upthread that one could buy and sell the coins on an exchange. They would then hold the historic private keys to attack with. This would only cost them the average spread between buy and sell prices, so they don't actually have to buy 50%.

[TPTB_need_war]

Nodes can identify themselves by cryptographically linking their IP address with an account (called "hallmarking" in Nxt) which mitigates Sybil attacks.  The client can be configured to only download blocks from a subset of nodes linked with known accounts and/or a minimum stake threshold.  In an attack scenario this would allow offline nodes to filter out malicious nodes and sync with the proper chain.  It's basically an optionally enabled reputation layer for trusting nodes linked to known accounts, not a silver bullet because of the flaws with all reputation systems (long term planned exploit) but still helpful as another layer of security.

You are trusting those with stake to not lie. But remember they can short the coin and destroy the value of their stake and still profit.

We are interested in trustless, decentralized crypto currency. That is what Satoshi pitched to us in his white paper. Satoshi's design is also flawed though.

Besides this does nothing to stop the attack monsterer outlined. Whose stake is valid? Whose is current, the reorganized block chain or the reorganized one? Which one was the reorganized one? You see proof-of-shit is self-referential and thus can't prove anything about itself.

[stdset]

It is so tiring to reply to the hordes of ignorant trolls.

I wrote upthread that one could buy and sell the coins on an exchange. They would then hold the historic private keys to attack with. This would only cost them the average spread between buy and sell prices, so they don't actually have to buy 50%.

Even monsterer doesn't claim that collecting historic priv keys is a viable attack vector. It was explained why it isn't. He claims that it's easy to collect enough priv keys for this attack in a short timeframe.

The attacker buys all keys at once, or very close together as stated in the description.

[stdset]

max reorg depth in NXT is 720 blocks

Checkpoints are centralization.

Mex reorg depth isn't checkpoints.

It is if you expect it to be honored objectively by offline nodes (propagation isn't objective proof because it can be Sybil attacked). I will let monsterer explain that to you, if you don't understand.

May be you will explain us what exactly is centralised in a cryptocurrency (doesn't matter PoS or PoW) whose nodes reject reorgs if they are deeper than the max allowed depth?

Maybe first you can explain why you are too ignorant to understand what I wrote which thus makes your reply irrelevant noise.

I like to quote such sentences for posterity.

Now on the matter. If your node discovers a fork that is longer that the max reorg depth you can interpret that like if the node rejects to resolve the conflict in automatic manner, it prefers to stay on the fork it was before the conflict was discovered and lets you resolve it manually.
And you can be sure, in the case of such a major attack there will be a lot of forum threads, news, buzz, and it won't be difficult to detect which fork is a legit one.

[monsterer]

The problem with using someone else's privkeys is that they can still have the same privkeys and undo anything you can do.

They also have the same actual coins you'll be using on your fork.
So even if you control enough stake to generate every new block,
there is still equal or greater stake on the main chain that can do the same thing.

Of course, but it isn't coordinated. If I have a majority of stake, enough to generate every block I can coordinate my attack much better than the set of uncoordinated honest nodes on the network. I'm fairly sure this is equivalent to a 51% attack and there is nothing which can be done at that point.
 

Therefore, everyone would know that you want those specific keys for an illegitimate reason,
and then they would either refuse, or find a way to get your money while anticipating and preventing your attack.

You're assuming that regular people need to know the inner workings of blockchain consensus - this is not a reasonable thing to expect, IMO.

In order to create a significantly longer chain, you'll have to present a chain of valid blocks that are timestamped to appear faster than the sequence of blocks on the real chain.  Have you run any numbers to estimate how high you'll be driving the difficulty to squeeze those extra blocks into the same period of time?

Timestamps can be faked; as long as the fakery still fits within the acceptability window, online nodes will accept the fork. Offline nodes have no way to tell, and will accept the fake fork regardless.

[Come-from-Beyond]

You're assuming that regular people need to know the inner workings of blockchain consensus - this is not a reasonable thing to expect, IMO.

People know that they shouldn't give their Facebook passwords to strangers. They will reflect the same experience to money-on-blockchain. They don't know how blockchain consensus works so they will be afraid that the stranger will know their actual password knowing the old one.

[monsterer]

You're assuming that regular people need to know the inner workings of blockchain consensus - this is not a reasonable thing to expect, IMO.

People know that they shouldn't give their Facebook passwords to strangers. They will reflect the same experience to money-on-blockchain. They don't know how blockchain consensus works so they will be afraid that the stranger will know their actual password knowing the old one.

Perhaps, perhaps not. What is the use of an old password? Zero, I'd say.

[Come-from-Beyond]

Perhaps, perhaps not. What is the use of an old password? Zero, I'd say.

So if someone walks to you and says "Hey, dude, gimme your empty wallet, I'll give you 20 bucks for it" you will do the deal right away without asking yourself why would anyone want to pay money for a useless thing? Hard to believe.

[monsterer]

Perhaps, perhaps not. What is the use of an old password? Zero, I'd say.

So if someone walks to you and says "Hey, dude, gimme your empty wallet, I'll give you 20 bucks for it" you will do the deal right away without asking yourself why would anyone want to pay money for a useless thing? Hard to believe.

On the street? Depends how much you need the money, doesn't it?

[Come-from-Beyond]

On the street? Depends how much you need the money, doesn't it?

I mean that the offer raises a red flag, it's that easy to conduct.

[monsterer]

On the street? Depends how much you need the money, doesn't it?

I mean that the offer raises a red flag, it's that easy to conduct.

Why should it? It's obvious to the seller that the wallet is worthless when it contains nothing.

[Come-from-Beyond]

Why should it? It's obvious to the seller that the wallet is worthless when it contains nothing.

To me it stops being obvious if someone wants my wallet and offers money for that.

[monsterer]

Why should it? It's obvious to the seller that the wallet is worthless when it contains nothing.

To me it stops being obvious if someone wants my wallet and offers money for that.

This is plainly ridiculous. How much do you sell an empty cardboard box for which once contained £10?

[Come-from-Beyond]

This is plainly ridiculous. How much do you sell an empty cardboard box for which once contained £10?

I'm not sure the analogy is correct.

[monsterer]

This is plainly ridiculous. How much do you sell an empty cardboard box for which once contained £10?

I'm not sure the analogy is correct.

In any case, arguing that old private keys have value is to say that PoS doesn't work, since the transfer of value isn't reinforced sufficiently.

[Come-from-Beyond]

In any case, arguing that old private keys have value is to say that PoS doesn't work, since the transfer of value isn't reinforced sufficiently.

I don't argue on this. I argue that it's not easy to buy private keys even if users don't understand how blockchain works. Also, according to the market laws if someone starts buying keys publicly they will raise in price. And I'm more than sure that after you privately buy 100 keys the world will know that someone is buying them.

[BARR_Official]

Let's say you contact the owners of 2 large addresses -
their names are Balthius Oathsworn and Jello Bananus.

They each sign a message proving that they own each respective address.  The messages also include disgusting vulgarities which make you vomit and weep, because of the shocking imagery that haunts your mind when you close your eyes.  

But you just think it must be normal for the internet,
so you proceed with your spiteful and masturbatory plan to ruin the staking network of EuroCatzSharesDark.

You pay them, escrow it, however you want, and then they send you the private keys.

That's when you find out that you were talking to the same guy, and you bought the same private key twice.

WHAT DO YOU DO?

Balthius - under his main alt account named Caramelt Deluscious,
has already started bragging about ripping you off, over at EuroCatzSharesDarkTalk.
Everyone is laughing at you and preparing redundant waves of 5-node server clusters
that automatically take turns online, offline, backup, checkpoint, and mecha-deployment mode.

Are you still going to wage network warfare against the same people who just outsmarted you?

What makes you think they don't have even more tricks you've never thought of?

Caramelt isn't even their top guy!  
Remember, this coin attracts a lot more hackers than regular EuroCatzShares.
If they get into a good-natured contest over there to show off their skills,
you could find yourself with more pizzas being delivered to your house than you could eat.  EVER.

[coretechs]

We are interested in trustless, decentralized crypto currency. That is what Satoshi pitched to us in his white paper. Satoshi's design is also flawed though.

Besides this does nothing to stop the attack monsterer outlined. Whose stake is valid? Whose is current, the reorganized block chain or the reorganized one? Which one was the reorganized one? You see proof-of-shit is self-referential and thus can't prove anything about itself.

Trustless decentralized crypto-currency is probably impossible.*  (http://www.links.org/files/decentralised-currencies.pdf)

No matter what the design, in the end you have to trust human beings at some level.  Satoshi's design provided strong incentives for human behavior via costs of physical resources consumption.  The miners have the most skin-in-the-game and can therefore be trusted to behave in the best interests of the system.  The flaw in the design is more apparent than ever right now with the blocksize debate.  Essentially we have non-miners who also have skin-in-the-game in the form of STAKE in the system (e.g. Coinbase, Blockstream, BitPay, users wanting "cheap" transactions, etc.) that are at odds with the incentives of miners.  All want Bitcoin to succeed in different ways, and there is no clear path for miners to decide which is better for them to profit because it is an economic uncertainty that falls outside of the bounds of technical knowledge.

Proof-of-stake consensus gives us a similar situation, but it does so with far less centralization than proof-of-work.  A participant in a proof-of-stake system like Nxt has direct representation and never has their voting rights diluted, and therefore the system can maintain a higher level of decentralization than proof-of-work, where it is inevitable.  Mining today is effectively a barrier-to-entry for anyone who wants to participate in consensus, which is good for some attack vectors (expensive) but bad for others - Bitcoin stakeholders/companies/users have no choice but to lobby centralized miner overlords, which results in social & economic attacks like BitcoinXT/Classic/etc.  If the threat of a fork by a majority of users exists, is there any justification in burning energy?

In my opinion the security trade-offs in proof-of-stake favor decentralization.  The active research in consensus protocols may give us new tools and techniques to sufficiently increase the security of PoS to practical levels of "trustlessness".  The energy efficiency of proof-of-stake consensus as well as the low barrier-to-entry for participants make it a worthwhile pursuit in my opinion, and in the long run Bitcoin itself will benefit from proof-of-stake experimentation.

[Moloch]

Why not just use the easy 51% attack on PoS?  There is no need to buy all these old wallets, etc... you can 51% attack PoS with 5% of the coin

All PoS coins forked from PPCoin are vulnerable... I can't say for sure if non-forks like nxt are vulnerable in the same way, but I'll explain the method


Separate the 5% you own into 5 wallets each containing 1% of the total supply of coins

Take 4 of the 5 wallets offline, and wait a day or 3

Spend the coins in the online wallet, and wait for 2 confirms (and credit on a 2-confirm website/exchange)

Bring the other 4 wallets online with a modified wallet code to reject the last 3 blocks, and start a competing chain to double-spend your 1% of the coin

Since your 4 staking wallets were offline for a few days, they have accumulated "staking weight"/"coin days", and will find a block almost instantly... you are nearly guaranteed to find 4 blocks in a row... 51% attack with only 5% of the coin!

[TPTB_need_war]

It is so tiring to reply to the hordes of ignorant trolls.

I wrote upthread that one could buy and sell the coins on an exchange. They would then hold the historic private keys to attack with. This would only cost them the average spread between buy and sell prices, so they don't actually have to buy 50%.

Even monsterer doesn't claim that collecting historic priv keys is a viable attack vector. It was explained why it isn't. He claims that it's easy to collect enough priv keys for this attack in a short timeframe.

There is no way to objectively distinguish a historic key that is respent from a historic transaction that had spent that historic key. This is a double-spend with two chains arguing about which was first.

The only way to distinguish which was first is either a decentralized objectivity which is the PoW longest-chain-rule, or for PoS a centralized objectivity such as community/developer checkpoints.

Please stop wasting my time with nonsense replies.

[TPTB_need_war]

max reorg depth in NXT is 720 blocks

Checkpoints are centralization.

Mex reorg depth isn't checkpoints.

It is if you expect it to be honored objectively by offline nodes (propagation isn't objective proof because it can be Sybil attacked). I will let monsterer explain that to you, if you don't understand.

May be you will explain us what exactly is centralised in a cryptocurrency (doesn't matter PoS or PoW) whose nodes reject reorgs if they are deeper than the max allowed depth?

Maybe first you can explain why you are too ignorant to understand what I wrote which thus makes your reply irrelevant noise.

I like to quote such sentences for posterity.

Now on the matter. If your node discovers a fork that is longer that the max reorg depth you can interpret that like if the node rejects to resolve the conflict in automatic manner, it prefers to stay on the fork it was before the conflict was discovered and lets you resolve it manually.

You still fail to understand what I wrote the first time. Which is that offline nodes see two chains which disagree, and they don't know which one was first. And they can be lied to by the nodes which claim they were online.

The only solution is to use centralized community/developer checkpoints.

You are very slow minded.

And you can be sure, in the case of such a major attack there will be a lot of forum threads, news, buzz, and it won't be difficult to detect which fork is a legit one.

That is centralization because you must trust some authority to make a decision as to which community decisions should be enacted. The Bitcoin block size debate is an example for you about community consensus not working without a dictator.

You don't have a fucking clue. And you are wasting my time.

[Come-from-Beyond]

The only way to distinguish which was first is either a decentralized objectivity which is the longest-chain-rule, or a centralized objectivity such as community/developer checkpoints.

There is a 3rd way, Economic Clustering and in Nxt it's implemented in a way that doesn't require human intervention after initial setting.

[TPTB_need_war]

We are interested in trustless, decentralized crypto currency. That is what Satoshi pitched to us in his white paper. Satoshi's design is also flawed though.

Besides this does nothing to stop the attack monsterer outlined. Whose stake is valid? Whose is current, the reorganized block chain or the reorganized one? Which one was the reorganized one? You see proof-of-shit is self-referential and thus can't prove anything about itself.

Trustless decentralized crypto-currency is probably impossible.*  (http://www.links.org/files/decentralised-currencies.pdf)

Section 4 of that white paper is written by an idiot who doesn't understand economics.

51% attacking a coin requires it to be economic. The attacker must be able to make gains which exceed his costs of attacking. The problem for the attacker in PoW is that the attack is only sustained for as long as the attacker continues to spend on electricity. Thus shorting the coin is probably not going to work, since everyone knows the attacker has to sustain a negative income situation indefinitely. Contrasted with PoS where you only need to have owned the coins once (even if you've already spent them!). 

The attacker can attempt to double-spend his coins, but the community is very like to blacklist his double-spent coins thus removing his income.

The viable 51% attack is the one that forces KYC on all transactions or changes the protocol in ways that the masses don't object to. The State is the one who has the incentive to do this attack.

Or in Bitcoin's example for the mining cartel to block protocol updates such as block size increases to increase their profits via rising transaction fees.

I have a solution for the latter two economic attacks which also will reduce the electricity consumption to an insignificant level.

No matter what the design, in the end you have to trust human beings at some level.

Not in my design.

In my opinion the security trade-offs in proof-of-stake favor decentralization.  The active research in consensus protocols may give us new tools and techniques to sufficiently increase the security of PoS to practical levels of "trustlessness".  The energy efficiency of proof-of-stake consensus as well as the low barrier-to-entry for participants make it a worthwhile pursuit in my opinion, and in the long run Bitcoin itself will benefit from proof-of-stake experimentation.

You are ignorant.

[TPTB_need_war]

The only way to distinguish which was first is either a decentralized objectivity which is the longest-chain-rule, or a centralized objectivity such as community/developer checkpoints.

There is a 3rd way, Economic Clustering and in Nxt it's implemented in a way that doesn't require human intervention after initial setting.

Thus you mean centralization. Otherwise you get non-convergence of consensus (e.g. three clusters of 33% each). You keep making the same design error, which you've repeated with Iota.

[Come-from-Beyond]

Thus you mean centralization. Otherwise you get non-convergence of consensus (e.g. three clusters of 33% each). You keep making the same design error, which you've repeated with Iota.

I find your lack of Economics knowledge suspicious. Has real AnonyMint sold you one of his accounts? It's Economics 101 that money can't function outside of an economic cluster boundaries.

[TPTB_need_war]

money can't function outside of an economic cluster boundaries.

Glad to see you recognize why your proposal can't function if centralization doesn't exist.

[Come-from-Beyond]

Glad to see you recognize why your proposal can't function if centralization doesn't exist.

I'm talking about Nxt, not about Iota.

PS: The point was that economic relationships already enforce some level of centralization. Nxt doesn't add extra bits of centralization, it fits into existing limits.

[monsterer]

That's when you find out that you were talking to the same guy, and you bought the same private key twice.

Why wouldn't you get them to sign a their msg with each of their private keys to prove that they owned them and that they were both separate?

[monsterer]

The miners have the most skin-in-the-game and can therefore be trusted to behave in the best interests of the system.  The flaw in the design is more apparent than ever right now with the blocksize debate.  Essentially we have non-miners who also have skin-in-the-game in the form of STAKE in the system (e.g. Coinbase, Blockstream, BitPay, users wanting "cheap" transactions, etc.) that are at odds with the incentives of miners.

Miners create the value in the system which is then invested in by stakeholders. The value is the continually reinforced consensus which cements a partial order of transactions with asymptotic finality.

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

[BARR_Official]

That's when you find out that you were talking to the same guy, and you bought the same private key twice.

Why wouldn't you get them to sign a their msg with each of their private keys to prove that they owned them and that they were both separate?

They can prove that they own a receiving address, but any number of receiving addresses can belong to the same private key. 

They can't prove that their private key is different from someone else's without revealing the private key.

[LiQio]

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

[Blocktree]

In any case, arguing that old private keys have value is to say that PoS doesn't work, since the transfer of value isn't reinforced sufficiently.

I don't argue on this. I argue that it's not easy to buy private keys even if users don't understand how blockchain works. Also, according to the market laws if someone starts buying keys publicly they will raise in price. And I'm more than sure that after you privately buy 100 keys the world will know that someone is buying them.

Nxt only have 73 original keys,so attack happened before the world know.

LOL

[anon_giraffe]

How many possible staking inputs do these addresses have?
What is the min/max staking age of this coin?
How long a chain will they need to create to be longer?

Any such addresses need to have enough inputs to support not just a functional chain,
also with enough aged inputs to generate a long string of blocks with obscenely fast transaction time,
and also be "young" enough to ensure the chain necessary is not very long.


Not forgetting many PoS coins already have centralised checkpointing hard coded, and that active coins have regular checkpoints added to the source - so such centralisation is already a given.

[monsterer]

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

Check the OP - that is what this entire discussion is about.

[BARR_Official]

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

Check the OP - that is what this entire discussion is about.

PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

[funkenstein]

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

Check the OP - that is what this entire discussion is about.

PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

Anyone can mine a PoW coin, nobody can mine a PoS coin without investing first.

FTFY

[monsterer]

PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

That's entirely inaccurate. The whole point of this thread is to get people to realise that PoS does not reinforce consensus; that's what PoW miners do.

[Come-from-Beyond]

That's entirely inaccurate. The whole point of this thread is to get people to realise that PoS does not reinforce consensus; that's what PoW miners do.

ASIC speed grows in bursts. Eventually one of the bursts will allow to rewrite the whole blockchain from the genesis within a day. I wouldn't say that PoW is that secure as you think.

[monsterer]

ASIC speed grows in bursts. Eventually one of the bursts will allow to rewrite the whole blockchain from the genesis within a day. I wouldn't say that PoW is that secure as you think.

That would be a 51% attack.

[Come-from-Beyond]

That would be a 51% attack.

Ah, right. I didn't notice that you emphasized on achieving a consensus, not on security. My bad.

[BARR_Official]

PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

That's entirely inaccurate.

Then why does your attack require buying a private key that has mined on the network?

[monsterer]

That would be a 51% attack.

Ah, right. I didn't notice that you emphasized on achieving a consensus, not on security. My bad.

Your point doesn't make any sense in any other context. Mining is necessarily a competition, so if ASIC performance spikes then unless one entity has control of more than 50% of the network then they cannot rewrite the blockchain from the genesis, since all miners complete to create blocks.

[nexern]

ASIC speed grows in bursts. Eventually one of the bursts will allow to rewrite the whole blockchain from the genesis within a day. I wouldn't say that PoW is that secure as you think.

That would be a 51% attack.

pos is much more secure than pow. you can't attack pos without notice or real world feedback but you can on pow.
on pow an evil entity could easily aggregate +50% silent, in the dark, without any chance to prevent this.
even without any new fancy, more powerfull asic design, this attack could occur anytime and compared to a pos
with a similar macap it would also be cheap, very cheap.

to follow your crude 'pico-probabillity-attack-vectors' on pos, here is a crude pow one for you. just imagine that
for whatever reason, the power-lines to the three chinese mining-warehouses randomly gets broken. i guess in this
case the attack would be much cheaper, perhaps close to free compared to pos and as said, just out of the dark
without any chance or sign to prevent it. this is impossible with pos.

however, whatever possible attack vector you are constructing, it boils down to this. if you try to find a solution to fix users,
having the goal to destroy their own stuff serving them (your gen key example) you will fail, no matter how fancy your math is.
there is no solution for lunatic or planed selfdestroying behaviour simple because even if it would, it has no value because the
target and reason for this solution dissapears.

[freshman777]

to follow your crude 'pico-probabillity-attack-vectors' on pos, here is a crude pow one for you. just imagine that
for whatever reason, the power-lines to the three chinese mining-warehouses randomly gets broken. i guess in this
case the attack would be much cheaper, perhaps close to free compared to pos and as said, just out of the dark
without any chance or sign to prevent it. this is impossible with pos.

[bumbacoin]

ASIC speed grows in bursts. Eventually one of the bursts will allow to rewrite the whole blockchain from the genesis within a day. I wouldn't say that PoW is that secure as you think.

That would be a 51% attack.

pos is much more secure than pow. you can't attack pos without notice or real world feedback but you can on pow.
on pow an evil entity could easily aggregate +50% silent, in the dark, without any chance to prevent this.
even without any new fancy, more powerfull asic design, this attack could occur anytime and compared to a pos
with a similar macap it would also be cheap, very cheap.

to follow your crude 'pico-probabillity-attack-vectors' on pos, here is a crude pow one for you. just imagine that
for whatever reason, the power-lines to the three chinese mining-warehouses randomly gets broken. i guess in this
case the attack would be much cheaper, perhaps close to free compared to pos and as said, just out of the dark
without any chance or sign to prevent it. this is impossible with pos.

however, whatever possible attack vector you are constructing, it boils down to this. if you try to find a solution to fix users,
having the goal to destroy their own stuff serving them (your gen key example) you will fail, no matter how fancy your math is.
there is no solution for lunatic or planed selfdestroying behaviour simple because even if it would, it has no value because the
target and reason for this solution dissapears.

the reason Bumbacoin switched to PoS was to protect against PoW random hashes.

any shitcoin that is not worth people pointing mega-peta-hashes at the chain is at risk of multi-pools or even random arse's with a bunch of miners in their spare room.

BCX? used to make a thing about attacking shit coins, that capability is with in the hands of many more people now. even with apparently fancy difficulty re-targeting algorithms , the chain will still get shat on when mega-hash gets pointed at it.

[stdset]

It is so tiring to reply to the hordes of ignorant trolls.

I wrote upthread that one could buy and sell the coins on an exchange. They would then hold the historic private keys to attack with. This would only cost them the average spread between buy and sell prices, so they don't actually have to buy 50%.

Even monsterer doesn't claim that collecting historic priv keys is a viable attack vector. It was explained why it isn't. He claims that it's easy to collect enough priv keys for this attack in a short timeframe.

There is no way to objectively distinguish a historic key that is respent from a historic transaction that had spent that historic key. This is a double-spend with two chains arguing about which was first.

The only way to distinguish which was first is either a decentralized objectivity which is the PoW longest-chain-rule, or for PoS a centralized objectivity such as community/developer checkpoints.

Please stop wasting my time with nonsense replies.

The problem is not to acquire a historic key and make a doublespending transaction, the problem is to acquire enough historic keys to outweigh the honest stake. When you acquire the first key, you must start your fork before it was emptied. In the scenario you describe, your fork must start very far in the past, but that's not a problem. The problem is, you now have a transaction that must be censored on your fork (in your scenario it's the transaction that deposits the funds back to an exchange). Since this transaction (let's call it transaction A) is excluded from your fork, you must exclude all transactions that depend on it, i.e. a transaction B that spends that output, and all descendant transactions (that's all on your fork, the main fork continues to function as it supposed to). Now, when you make the second withdrawal from the exchange, it may happen, that you must exclude this withdrawal on your fork too, because it indirectly depends on the transaction A, so you fail to acquire new keys this time. If the second withdrawal doesn't depend on transaction A, than OK, you got the second key, but you must again censor depositing transaction on your fork, therefore your fork inevitably drifts away from the main fork and it becomes more and more difficult to find suitable keys. Given that for a successful attack you need a lot of stake/keys, the only plausible scenario is to acquire them all in a very short timeframe.

P.S. I don't know, whether my explanation is easy to understand, English isn't my native language. If it's not clear enough, maybe other people may help you (most people here seem to understand this issue with this kind of attack).

[nexern]

pow isn't bad in general but a monetary based incentive model doesn't work. it may on the paper, in theory
but you have to deal with humans here and they have totally different demands (mostly accumulation driven).
i mean, is there really any doubt that this model already lead into a very unhealthy centralization?

perhaps for those denying reality, granted, but assuming this centralization is the case you have to accept
that pow is much, much more vulnerable by bad actors than other models. i am talking not about the weird
double spending scenarious contructed here, which are nonsense simple due to a horrible risk/reward ratio.
i you just think a minute about the details necessary to initiate an attack (real world) it comes clear nobody
would do this just for some doublespends but they would, if the goal is to create controlled mayhem.

taking this into account you can ask yourself now what gives you more confidence for a multi-billion
ecosystem. pos, where an attacker has to reveal his intention by positioning building* to get the majority
thru a very expensive asymptotically nearing or a handfull powerlines driven by an even smaller number
of miners?

well, for me this is a no-brainer. sad how things are evolved but i would bet the probability an attacker
could get the control on pos by buying old gen keys is magnitude smaller than satoshi is heavily pissed off
how things are going and therefore switching his 1mio btc stash into ethereum.

*silent positioning building is pretty hard, even in traditional markets, where most parts of the books
are closed but in crypto this much harder since most data is visible and many tracking tools already
looking exactly for those kind of pattern.

[funkenstein]

pow isn't bad in general but a monetary based incentive model doesn't work. it may on the paper, in theory
but you have to deal with humans here and they have totally different demands (mostly accumulation driven).
i mean, is there really any doubt that this model already lead into a very unhealthy centralization?

Absolutely there is doubt.  There are what 15 million bitcoins worth of doubt.  Most of the value of PoS coins also is also based on that doubt as well, as PoW is the underlying creation of the tokens which are then staked.  I see no signs of unhealthy centralization as of yet, though this doesn't mean we shouldn't be concerned it could happen in the future and consider how to avoid / be ready. 

perhaps for those denying reality, granted, but assuming this centralization is the case you have to accept
that pow is much, much more vulnerable by bad actors than other models.

What are these attacks on PoW coins which you refer?  Curious. 

taking this into account you can ask yourself now what gives you more confidence for a multi-billion
ecosystem. pos, where an attacker has to reveal his intention by positioning building* to get the majority
thru a very expensive asymptotically nearing or a handfull powerlines driven by an even smaller number
of miners?

*silent positioning building is pretty hard, even in traditional markets, where most parts of the books
are closed but in crypto this much harder since most data is visible and many tracking tools already
looking exactly for those kind of pattern.

Show me some tracking tools that could figure out that one person had control of any amount of hashpower or stakepower.  If they don't choose to reveal anything about the keys they control, we know nothing. 

well, for me this is a no-brainer. sad how things are evolved but i would bet the probability an attacker
could get the control on pos by buying  old gen keys is magnitude smaller than satoshi is heavily pissed off
how things are going and therefore switching his 1mio btc stash into ethereum.

lol!  well certainly this is true if the coin has a max_depth_reorg parameter. 

[kushti]

This is an very informal proof, because I wanted it to be as readable as possible for the majority of readers. I hope this will finally show why Proof of Stake (PoS) is not a viable consensus design.

Ok, now please provide a formal proof for minority of readers who can't understand an informal one (e.g. me).

[jl777]

This is an very informal proof, because I wanted it to be as readable as possible for the majority of readers. I hope this will finally show why Proof of Stake (PoS) is not a viable consensus design.

Ok, now please provide a formal proof for minority of readers who can't understand an informal one (e.g. me).

@kushti i think the logic used in this thread is that given that we assume A inevitably leads to B, since A is self-evident, then B is too.

It is hard to argue with that sort of logic as it allows to prove conclusively that B is true, it doesnt matter what B is, just as long as A is self-evident.

Like this:

We will assume that above absolute zero temperatures it is inevitable that the moon is made of cheese.

Since we are not all frozen at absolute zero, it is clear that the moon is made of cheese.

I think formally it would be: Assume A -> B and A is true, therefore B is true

James

[Mashuri]

This is an very informal proof, because I wanted it to be as readable as possible for the majority of readers. I hope this will finally show why Proof of Stake (PoS) is not a viable consensus design.

Ok, now please provide a formal proof for minority of readers who can't understand an informal one (e.g. me).

@kushti i think the logic used in this thread is that given that we assume A inevitably leads to B, since A is self-evident, then B is too.

It is hard to argue with that sort of logic as it allows to prove conclusively that B is true, it doesnt matter what B is, just as long as A is self-evident.

Like this:

We will assume that above absolute zero temperatures it is inevitable that the moon is made of cheese.

Since we are not all frozen at absolute zero, it is clear that the moon is made of cheese.

I think formally it would be: Assume A -> B and A is true, therefore B is true

James

Well then the burden is to prove A. Why is it assumed "self evident"?

[jl777]

This is an very informal proof, because I wanted it to be as readable as possible for the majority of readers. I hope this will finally show why Proof of Stake (PoS) is not a viable consensus design.

Ok, now please provide a formal proof for minority of readers who can't understand an informal one (e.g. me).

@kushti i think the logic used in this thread is that given that we assume A inevitably leads to B, since A is self-evident, then B is too.

It is hard to argue with that sort of logic as it allows to prove conclusively that B is true, it doesnt matter what B is, just as long as A is self-evident.

Like this:

We will assume that above absolute zero temperatures it is inevitable that the moon is made of cheese.

Since we are not all frozen at absolute zero, it is clear that the moon is made of cheese.

I think formally it would be: Assume A -> B and A is true, therefore B is true

James

Well then the burden is to prove A. Why is it assumed "self evident"?

Because it is in the OP, so it has to be true

[monsterer]

This is an very informal proof, because I wanted it to be as readable as possible for the majority of readers. I hope this will finally show why Proof of Stake (PoS) is not a viable consensus design.

Ok, now please provide a formal proof for minority of readers who can't understand an informal one (e.g. me).

What don't you understand?

[kushti]

What don't you understand?

What you have provided is not a proof at all. We can go into meaningless and long discussions, and that crap is not what you can get by providing a (formal) proof. So please provide a real (i.e. formal) proof.

[monsterer]

What you have provided is not a proof at all. We can go into meaningless and long discussions, and that crap is not what you can get by providing a (formal) proof. So please provide a real (i.e. formal) proof.

The only point of disagreement in general has been centered on the difficulty of acquiring a majority of recent private keys. That is sadly unprovable.

[ustin]

Sorry for necroposting, but my considerations was moderated to AltCoins board and drown.
So, the problem simplifies to needing trusted third-party for checkpointing POS network and it is preferable to be independent from developer (because in this scenario most presumable evil is near coin developer).
Please follow https://bitcointalk.org/index.php?topic=2895120 - is this conception implementable?

[Ucy]

Everything about PoS is creepy though. Where in the Universe is creating Value without Energy possible?
Well, I don't know much about the technical side of PoS but I have a feeling it'll be massively Centralized by government and the elites. Won't be surprised if this is the original goal.



Wonder if there are maths that support the PoS concept? Is stuff like that even possible in real World without burning massive amount of Energy.

[ustin]

Everything about PoS is creepy though.

Wonder if there are maths that support the PoS concept? Is stuff like that even possible in real World without burning massive amount of Energy.

All depends of consensus.
So, records in various registries are not costs anything, but trusting them is result of consensus.
Question is cost of possibitily to change it in hindsight.

Blockchain is immutable by cryptographics only within consensus agreement borders.
I can build alternate branch of bitcoin in my kitchen, but it will be only satisfied to my kitchen consensus, no one of widespreaded nodes approve my branch. It means, that main chain is shielded by computer work in single consensus concept of bitcoin network.

POS consensus is so less harmful, but vulnerable for a number of attacks, which can be simplified in majority to absence independent trusted authority inside network, as i can see. If we can verify some checkpoint independently, we can prevent, in particular, subj historical attack.

One question is how to find and automate this authority, and it was  proposition to bind POS blockchain to other blockchains, that I wish to discuss

[cloud.runner]

Instead of Proof of Stake, I would like to vote for Proof of Work. It is not only for creating blocks, but also for making consensus, which is a great advantage.

[monsterer2]

ironic that Proof of Anti-stake may work
the idea is, that user destroys it's coins and by doing so confirms a block

Doesn't work because to burn stake you must send a transaction, and you cannot come to a consensus on the current set of valid transactions by sending more transactions, it's a chicken and egg problem.

I did some analysis on it a while back, and long story short, it degenerates into PoS.

[yj1190590]

I've found a solution in an other post for this problem that might help.
https://bitcointalk.org/index.php?topic=3603859.msg36995026#msg36995026

First of all the reorganizition is designed to prevent forks. Under normal circumstances,  some stakeholders would be active(trading or mining) in both branches (caused by NaS too) if there appears a fork. According to the probability there will be similar stake proportion of "double-active" users between both branches.

But if the branch is a fake chain built by the attackers, they will be disproportionate —— the proportion mentioned above in the mainchain will be much less than that in the fake one, unless you have bought every account, which is impossible. Under this circumstance, the branch should never be accepted no matter how long it is. This operation is also nessesary to prevent some group of users from getting extra advantage by unfair means when forks come.

By the way, the situation you have mentioned:"any syncing node querying at random will find his fake nodes with fake history" could be resolved by controling the p2p links——

each node only needs to build connection with a certain number of nodes with the fastest response speed.

The attacker needs to try through a lot of past blocks so that the longer range he seeks, the better chance he would success. But the longer range he starts the fork, the more obvious the disproportion will be. I think that might increase the difficulty you launch an attack, after all you gain those private keys by "buying".

[AnnSerg77]

I have 3 q. How many possible staking inputs do these addresses have?
What is the min/max staking age of this coin?
How long a chain will they need to create to be longer?

[inashed]

Would change anything if two miners were picked by proof of stake or proof of hold (lowest amount of coin wallet had at some point of time at the last X days is the stake), and then select the real miner between those 2 miners by using proof of work?

[metro.software]

ironic that Proof of Anti-stake may work
the idea is, that user destroys it's coins and by doing so confirms a block

Doesn't work because to burn stake you must send a transaction, and you cannot come to a consensus on the current set of valid transactions by sending more transactions, it's a chicken and egg problem.

I did some analysis on it a while back, and long story short, it degenerates into PoS.

Perhaps coins can be burned on a POW sidechain, e.g. Litecoin.
I guess in this scenario Proof-of-Sacrifice would work.

[desmodiAN]

2. He uses these historical keys to generate a new chain of history starting just before the keys were emptied and which is longer in cumulative difficulty than the canonical chain. He can do this first time with 100% probability since he has a majority of historical stake

Read about finality in proof of stake. a once written and accepted block cannot be exchanged or rewritten. only with a big financial loss of 2/3rds of all validators.

"
The intention is to make 51% attacks extremely expensive, so that even a majority of validators working together cannot roll back finalized blocks without undertaking an extremely large economic loss — a loss so large that a successful attack would likely on net increase the price of the underlying cryptocurrency as the market would more strongly react to the reduction in total coin supply than it would to the need for an emergency hard fork to correct the attack
"

vitalik continued with an example of the loss:
"
A fully "finalized" block is one where > 2/3 of Casper validators will lose their entire deposits if the block ends up being not in the main chain (estimate this at being ~2-20 million ETH depending on how many people stake).
"

...

[Traxo]

ironic that Proof of Anti-stake may work
the idea is, that user destroys it's coins and by doing so confirms a block

Doesn't work because to burn stake you must send a transaction, and you cannot come to a consensus on the current set of valid transactions by sending more transactions, it's a chicken and egg problem.

@anonymint says that your conclusion is not quite right or let's say it's incomplete.
After sufficient time the TaPoS combined with burning has inertia because users don't want to have the tokens reverted by a fork.
So essentially it's a more decentralized variant of checkpointing.
Will not help objectify consensus in the short-range case though.

I had relayed what @anonymint wrote about proof-of-stake:
https://gist.github.com/shelby3/e0c36e24344efba2d1f0d650cd94f1c7#oligarchy-if-pos-is-functioning

[Codesinthedark]

The attack

1. The attacker simultaneously purchases a majority of old staking private keys, which were very recently used to stake with and are now empty and as such valueless to the seller(s)
2. He uses these historical keys to generate a new chain of history starting just before the keys were emptied and which is longer in cumulative difficulty than the canonical chain. He can do this first time with 100% probability since he has a majority of historical stake
3. He can then either steal the coins back to himself and carry on, or can bring the entire chain to a total halt by excluding all transactions.

This can be easily mitigated: Do not make bitcoin purely PoS protocol. Make it mandatory that every 10th block must be created by PoW.

In that case someone would need to have a lot of processing power as well as a lot of stake.

[Zin-Zang]

The Term : Rolling Checkpoints, where after a certain # of confirmations a Reorg is not allowed seem to block this issue outright and still allow a coin to stay decentralized.
Examples:
Blackcoin allows reorgs no deeper than 500 blocks.
NXT allows reorgs no deeper than 720 blocks.

My question is this:
Let's say their are no checkpoints , rolling or coded.

Someone buy the old private keys or at some point just actually owned over 51% of a coin total.

Say they try your attempt , but it was 3 months earlier when they owned coins.

The Blockchain has 3 months of confirmations ahead of them at a rated say 1 minute interval.

How do they ever catch up , with the block height of the main chain, won't they always be ~3 months behind?

* Now if you say it is possible to trick the time setting and somehow condense those 3 months into a day, please provide details or proof on how that is done.*
 

Thanks.

[monsterer2]

My question is this:
Let's say their are no checkpoints , rolling or coded.

Someone buy the old private keys or at some point just actually owned over 51% of a coin total.

Say they try your attempt , but it was 3 months earlier when they owned coins.

The Blockchain has 3 months of confirmations ahead of them at a rated say 1 minute interval.

How do they ever catch up , with the block height of the main chain, won't they always be ~3 months behind?

* Now if you say it is possible to trick the time setting and somehow condense those 3 months into a day, please provide details or proof on how that is done.*

Because block production has zero cost, and there is no way to objectively verify any given block as being created at time T.

[Zin-Zang]

My question is this:
Let's say their are no checkpoints , rolling or coded.

Someone buy the old private keys or at some point just actually owned over 51% of a coin total.

Say they try your attempt , but it was 3 months earlier when they owned coins.

The Blockchain has 3 months of confirmations ahead of them at a rated say 1 minute interval.

How do they ever catch up , with the block height of the main chain, won't they always be ~3 months behind?

* Now if you say it is possible to trick the time setting and somehow condense those 3 months into a day, please provide details or proof on how that is done.*

Because block production has zero cost, and there is no way to objectively verify any given block as being created at time T.

Cost is not the issue, Each Block has a defined target of say 1 minute between blocks.

Your chain is 3 months behind, and still has a target time of 1 minute,  your block height will always be ~ the same 3 months behind and as such never a threat to causing a reorg, because a reorg can only happen if your block height # exceeds the main chain.

So how do you make up the 3 months time difference?

FYI:
Any change to the code to modify the time target between blocks could allow faster blocks, would lower the target difficulty making it a weaker chain and also break consensus with the other nodes, therefore making sure it would never be accepted over the main chain.

FYI2:
The phrase (block production has zero cost) , is incorrect.
There actually is a cost , it is time.  
Your block has to wait the coded time before block generation can occur, and those coins go dormant for a coded period, another time factor.
The Time between blocks is hard coded which affects the difficulty # in proof of stake coins, thus defining the strength or weakness of a chain.

[Zin-Zang]

Hmm,

Are their any Virtual or Physical Machines that can allow me to run applications at a different time scale than normal time.
Basically scaling 24 hours in 24 seconds and the application be none the wiser.

Therefore truly tricking an application about the speed of time.

Does anyone have any links to such a thing?


FYI:
OK, just to sum up.
To run this attack,

1.  One has to Buy or Steal old Private Keys totaling over 51% of a Proof of Stake Coin.
2.  Have a Virtual Machine that can fake time, so the wallet client can run unmodified.
3.  Create a Longer Chain with more difficulty on their virtual machine.
4.  Run Multiple PCs with their new chain on the coin network to replace the main chain.

* Still other factors that could block the fake chain from taking over,
Coin Age may keep the main chain with a higher difficulty, even if the attacker has actual 51% of coins.
Many Coins refuse blocks created too far ahead of the main chain, blocking the attacker's chain.
So timing has to be perfect.

Actually looks like a lot of personal time and expense to really accomplish nothing.
Say the attacker chain actually does rewrite the main chain.
Such a thing will be noticed immediately.

So the coin community releases the main chain with a hard coded check point blocking the attacker's chain.
People redownload the main chain and updated code and are back to normal within a day.

This attack , causes all Proof of Stake coins to implement rolling checkpoints as a safeguard and the whole attack proves to be a NON-EVENT.  

The attacker however has wasted his time and money on an attack , that never had any real chance of destroying a proof of stake network.  



FYI2:  Little thought for the PoW Crowd.  
The Largest ASICS Producer could have a major breakthrough and run NEW ASICS in their factory in Parallel to the main chain
for a few months creating a Longer chain with higher difficulty at their factory than the public bitcoin chain.
Releasing the ASICS Attack chain to overwrite the Bitcoin Network Main Chain.
And what would they do to repair things, release a download of the main chain and a updated client with a hard coded check point ,
and most likely implement rolling check points to prevent that from happening again.  

[philipma1957]

Hmm,

Are their any Virtual or Physical Machines that can allow me to run applications at a different time scale than normal time.
Basically scaling 24 hours in 24 seconds and the application be none the wiser.

Therefore truly tricking an application about the speed of time.

Does anyone have any links to such a thing?


FYI:
OK, just to sum up.
To run this attack,

1.  One has to Buy or Steal old Private Keys totaling over 51% of a Proof of Stake Coin.
2.  Have a Virtual Machine that can fake time, so the wallet client can run unmodified.
3.  Create a Longer Chain with more difficulty on their virtual machine.
4.  Run Multiple PCs with their new chain on the coin network to replace the main chain.

* Still other factors that could block the fake chain from taking over,
Coin Age may keep the main chain with a higher difficulty, even if the attacker has actual 51% of coins.
Many Coins refuse blocks created too far ahead of the main chain, blocking the attacker's chain.
So timing has to be perfect.

Actually looks like a lot of personal time and expense to really accomplish nothing.
Say the attacker chain actually does rewrite the main chain.
Such a thing will be noticed immediately.

So the coin community releases the main chain with a hard coded check point blocking the attacker's chain.
People redownload the main chain and updated code and are back to normal within a day.

This attack , causes all Proof of Stake coins to implement rolling checkpoints as a safeguard and the whole attack proves to be a NON-EVENT.  

The attacker however has wasted his time and money on an attack , that never had any real chance of destroying a proof of stake network.  



FYI2:  Little thought for the PoW Crowd.  
The Largest ASICS Producer could have a major breakthrough and run NEW ASICS in their factory in Parallel to the main chain
for a few months creating a Longer chain with higher difficulty at their factory than the public bitcoin chain.
Releasing the ASICS Attack chain to overwrite the Bitcoin Network Main Chain.
And what would they do to repair things, release a download of the main chain and a updated client with a hard coded check point ,
and most likely implement rolling check points to prevent that from happening again.  

does not work like this at all.


to attack  you don't need a cloned block chain as it is not the blockchain you are attacking .

to attack the  BTC  chain  at 51% you need about 2.5 billion usd in hard gear .    that is if you have  s-9s.

the network right now is  42,616,425,761gh   so to do a 51% attack you need 45,000,000,000 gh in gear.  that is 3,214,285 s9's

you also need 4,500,000,000 in watts.

that is 4,500,000 kwatts  or 4,500 mega watts  which is about all of the Niagra falls power plant

http://nyfalls.com/niagara-falls/faq5/

New york city uses about 6,000 mega watts

So a direct 51% on BTC  would be really hard to do.  Unless you build a new miner that  is about 1000x better then an s9

but If bitmain build a 1000x more efficient miner  they absolutely would not want to do a 51% attack.

They could expand hash nest and claim their new miner is too large to sell  they could say it is 50th and uses 2000 watts.

then just sell shares of hash nest   and they would make a fortune doing that

[Zin-Zang]

Hmm,

Are their any Virtual or Physical Machines that can allow me to run applications at a different time scale than normal time.
Basically scaling 24 hours in 24 seconds and the application be none the wiser.

Therefore truly tricking an application about the speed of time.

Does anyone have any links to such a thing?


FYI:
OK, just to sum up.
To run this attack,

1.  One has to Buy or Steal old Private Keys totaling over 51% of a Proof of Stake Coin.
2.  Have a Virtual Machine that can fake time, so the wallet client can run unmodified.
3.  Create a Longer Chain with more difficulty on their virtual machine.
4.  Run Multiple PCs with their new chain on the coin network to replace the main chain.

* Still other factors that could block the fake chain from taking over,
Coin Age may keep the main chain with a higher difficulty, even if the attacker has actual 51% of coins.
Many Coins refuse blocks created too far ahead of the main chain, blocking the attacker's chain.
So timing has to be perfect.

Actually looks like a lot of personal time and expense to really accomplish nothing.
Say the attacker chain actually does rewrite the main chain.
Such a thing will be noticed immediately.

So the coin community releases the main chain with a hard coded check point blocking the attacker's chain.
People redownload the main chain and updated code and are back to normal within a day.

This attack , causes all Proof of Stake coins to implement rolling checkpoints as a safeguard and the whole attack proves to be a NON-EVENT.  

The attacker however has wasted his time and money on an attack , that never had any real chance of destroying a proof of stake network.  



FYI2:  Little thought for the PoW Crowd.  
The Largest ASICS Producer could have a major breakthrough and run NEW ASICS in their factory in Parallel to the main chain
for a few months creating a Longer chain with higher difficulty at their factory than the public bitcoin chain.
Releasing the ASICS Attack chain to overwrite the Bitcoin Network Main Chain.
And what would they do to repair things, release a download of the main chain and a updated client with a hard coded check point ,
and most likely implement rolling check points to prevent that from happening again.  

does not work like this at all.


to attack  you don't need a cloned block chain as it is not the blockchain you are attacking .

to attack the  BTC  chain  at 51% you need about 2.5 billion usd in hard gear .    that is if you have  s-9s.

the network right now is  42,616,425,761gh   so to do a 51% attack you need 45,000,000,000 gh in gear.  that is 3,214,285 s9's

you also need 4,500,000,000 in watts.

that is 4,500,000 kwatts  or 4,500 mega watts  which is about all of the Niagra falls power plant

http://nyfalls.com/niagara-falls/faq5/

New york city uses about 6,000 mega watts

So a direct 51% on BTC  would be really hard to do.  Unless you build a new miner that  is about 1000x better then an s9

but If bitmain build a 1000x more efficient miner  they absolutely would not want to do a 51% attack.

They could expand hash nest and claim their new miner is too large to sell  they could say it is 50th and uses 2000 watts.

then just sell shares of hash nest   and they would make a fortune doing that

I did say New Breakthrough ASICS, which implies extremely better Energy & Hashing Performance.

Plus the CEO of Bitmain is Jihan Wu. (Major Bitcoin Cash Supporter)

If he could destroy bitcoin and replace it with Bitcoin Cash which BitMain has been stockpiling since it's creation.

So if he triggered a flippening making bitcoin cash the #1 coin , bitmain and his profit potential would be thru the roof.

So how much do you trust Mr. WU?  



As Much as you used to trust Mr. Ver

[monsterer2]

Cost is not the issue, Each Block has a defined target of say 1 minute between blocks.

Your chain is 3 months behind, and still has a target time of 1 minute,  your block height will always be ~ the same 3 months behind and as such never a threat to causing a reorg, because a reorg can only happen if your block height # exceeds the main chain.

So how do you make up the 3 months time difference?

FYI:
Any change to the code to modify the time target between blocks could allow faster blocks, would lower the target difficulty making it a weaker chain and also break consensus with the other nodes, therefore making sure it would never be accepted over the main chain.

FYI2:
The phrase (block production has zero cost) , is incorrect.
There actually is a cost , it is time.  
Your block has to wait the coded time before block generation can occur, and those coins go dormant for a coded period, another time factor.
The Time between blocks is hard coded which affects the difficulty # in proof of stake coins, thus defining the strength or weakness of a chain.

I really hope you're not the developer of that coin in your sig, because you seem to have some fundamental misconceptions about consensus design.

1) I have already said this above, but I'm going to restate it in plain terms: any concept of time elapsed in a trustless system is utterly unverifiable without an objective measure such as PoW, which is an unforgable proxy for elapsed time

2) In PoS block production has zero cost, see 1)

[Sonellion]

Cost is not the issue, Each Block has a defined target of say 1 minute between blocks.

Your chain is 3 months behind, and still has a target time of 1 minute,  your block height will always be ~ the same 3 months behind and as such never a threat to causing a reorg, because a reorg can only happen if your block height # exceeds the main chain.

So how do you make up the 3 months time difference?

FYI:
Any change to the code to modify the time target between blocks could allow faster blocks, would lower the target difficulty making it a weaker chain and also break consensus with the other nodes, therefore making sure it would never be accepted over the main chain.

FYI2:
The phrase (block production has zero cost) , is incorrect.
There actually is a cost , it is time.  
Your block has to wait the coded time before block generation can occur, and those coins go dormant for a coded period, another time factor.
The Time between blocks is hard coded which affects the difficulty # in proof of stake coins, thus defining the strength or weakness of a chain.

What exactly would make a block of a POS coin invalid, e.g. timestamp too late, compared to timestamp of previous block?
A POW coin can have a target time of 1 minute but could be stalled for days. Some shitty ones regularly do this.

If a block has to wait the coded time of 1 minute before block generation can occur, then every node must have really exact system time. Not like Bitcoin

A timestamp is accepted as valid if it is greater than the median timestamp of previous 11 blocks, and less than the network-adjusted time + 2 hours. "Network-adjusted time" is the median of the timestamps returned by all nodes connected to you.

(quoted from wiki)

[Zin-Zang]

Cost is not the issue, Each Block has a defined target of say 1 minute between blocks.

Your chain is 3 months behind, and still has a target time of 1 minute,  your block height will always be ~ the same 3 months behind and as such never a threat to causing a reorg, because a reorg can only happen if your block height # exceeds the main chain.

So how do you make up the 3 months time difference?

FYI:
Any change to the code to modify the time target between blocks could allow faster blocks, would lower the target difficulty making it a weaker chain and also break consensus with the other nodes, therefore making sure it would never be accepted over the main chain.

FYI2:
The phrase (block production has zero cost) , is incorrect.
There actually is a cost , it is time.  
Your block has to wait the coded time before block generation can occur, and those coins go dormant for a coded period, another time factor.
The Time between blocks is hard coded which affects the difficulty # in proof of stake coins, thus defining the strength or weakness of a chain.

What exactly would make a block of a POS coin invalid, e.g. timestamp too late, compared to timestamp of previous block?
A POW coin can have a target time of 1 minute but could be stalled for days. Some shitty ones regularly do this.

If a block has to wait the coded time of 1 minute before block generation can occur, then every node must have really exact system time. Not like Bitcoin

A timestamp is accepted as valid if it is greater than the median timestamp of previous 11 blocks, and less than the network-adjusted time + 2 hours. "Network-adjusted time" is the median of the timestamps returned by all nodes connected to you.

(quoted from wiki)

With some PoS coins it is a requirement that all nodes be within a certain time frame.
It used to be 2 hours , but a flaw was discovered that allowed people to gain a staking advantage by having such a large time window.
So the window was lowered to 1 minute or lower for most coins to stop the unfair staking advantage.
So if your PC time is >1 minute off from the actual time, any block your system created was refused by the Proof of Stake network.

* Even Bitcoin Requires blocks to be within that 2 hour window to be accepted in their network.*
https://bitcoin.stackexchange.com/questions/5076/what-stops-miners-nodes-lying-about-what-time-a-block-was-mined

Cost is not the issue, Each Block has a defined target of say 1 minute between blocks.

Your chain is 3 months behind, and still has a target time of 1 minute,  your block height will always be ~ the same 3 months behind and as such never a threat to causing a reorg, because a reorg can only happen if your block height # exceeds the main chain.

So how do you make up the 3 months time difference?

FYI:
Any change to the code to modify the time target between blocks could allow faster blocks, would lower the target difficulty making it a weaker chain and also break consensus with the other nodes, therefore making sure it would never be accepted over the main chain.

FYI2:
The phrase (block production has zero cost) , is incorrect.
There actually is a cost , it is time. 
Your block has to wait the coded time before block generation can occur, and those coins go dormant for a coded period, another time factor.
The Time between blocks is hard coded which affects the difficulty # in proof of stake coins, thus defining the strength or weakness of a chain.

I really hope you're not the developer of that coin in your sig, because you seem to have some fundamental misconceptions about consensus design.

1) I have already said this above, but I'm going to restate it in plain terms: any concept of time elapsed in a trustless system is utterly unverifiable without an objective measure such as PoW, which is an unforgable proxy for elapsed time

2) In PoS block production has zero cost, see 1)

What I am telling you is , you are wrong.

If you modify the wallet client to place false time date in the blocks , all you are doing is making a hard fork that the other nodes will ignore.

I telling you , you have to run the wallet code unmodified to create the blocks so that the real network would even think about accepting them.

So can you give me a virtual machine that lets me run a wallet application tricking it into thinking 24 seconds is 24 hours.
Because unlike you , I plan on doing some real world testing with it , not limited to speculative discussion.

If you can't provide me with such a virtual machine, then you are nothing more than chicken little running around screaming the sky is falling.

[vert12020]

Kinda ironic that Proof of Anti-stake may work. The idea is, that user destroys it's coins and by doing so confirms a block

[monsterer2]

What I am telling you is , you are wrong.

If you modify the wallet client to place false time date in the blocks , all you are doing is making a hard fork that the other nodes will ignore.

That's called 'weak subjectivity'. You really need to do some more research.

[Zin-Zang]

What I am telling you is , you are wrong.

If you modify the wallet client to place false time date in the blocks , all you are doing is making a hard fork that the other nodes will ignore.

That's called 'weak subjectivity'. You really need to do some more research.

I find it amazing , that you PoW zealots , always say someone else needs to do more research.
When you are always the ones unable to prove your point.

The fact is I ask a very simple question, how does one make up the 3 months,
you come back with a pretense that you can just fake the timestamp and think the other nodes will fall for it with zero proof.

And you can't even post a link to a VM that fakes time so we can real world test your weak speculations.

My research on you is complete, as expected you are just spreading fud with no logic , just fear mongering.

Seems to me you need to get your act together Mr. Little.  



You just sprout more random talk trying to cover up the fact ,
that you are really clueless and not even able to test a real world attack simulation of what you claim is almost certain destruction of a PoS coin.

Enjoy your useless fud , you wasted enough of my time.

[Ix]

The fact is I ask a very simple question, how does one make up the 3 months,
you come back with a pretense that you can just fake the timestamp and think the other nodes will fall for it with zero proof.

The core argument is that there is no objectively determined network. A node that was not around during the time the "honest network" progressed has no basis of knowledge for which fork to choose when presented with equally valid options. In this case, "making up 3 months" is as simple as creating the blocks near instantly with only a signature as proof and no immediate cost. With PoW this immediate cost is very high for bitcoin, but can drop dramatically for many altcoins.

However, the argument started as a criticism of NXT and Peercoin where there is literally no downside to staking several competing forks. It has been reformulated several times over to apply to any proof of stake system (including ones that punish bad behavior)--somewhat successfully in my opinion, but only given some highly implausible (but not impossible) conditions. There is *a lot* of manipulation in the cryptocurrency sphere, so discounting implausible scenarios as impossible seems like a logical mistake. However, I think the future of cryptocurrency security will be in currencies that are more PoS-like than PoW-like.

[Michael_Token]

Proof of stake is pretty reliable, because to take control of the chain, it would be necessary to control a huge part of the coins.

[d5000]

If you modify the wallet client to place false time date in the blocks , all you are doing is making a hard fork that the other nodes will ignore.

No, monsterer is right here. You cannot differentiate a blockchain with "fake" timestamp and one with "real" timestamps.

The blockchain is a relatively simple database. It's only possible to check if the hashes correspond to a real block.

Things would be different if, at every block, a majority of the staking participants (=those holding 50%+1) would have to sign a message that the last block they received was received in a certain time interval, and all these messages would be included in the next block. This is basically what Proof of Approval is wanting to achieve. The downside is that a majority of all coin holders must be always online.

This isn't the case in "traditional PoS", where you can simply write your blockchain to the disk, when you want. You can even build it in something like Excel, based on previous blockchain data, and then save it

I still believe traditional, "naive" Proof of Stake is pretty secure if certain conditions are met, the most important being no incentives to stake multiple chains at once - staking algorithms like Peercoin with coin-age based rewards (not to be confused with coin-age based weight!) achieve that. A N@S attack is not impossible, but I think it is so difficult to carry out that it becomes extremely expensive, in the same order of magnitude than a 50+1% PoW attack.

The basic question is: how to buy old keys or bribe the stakeholders holding the  50+1%?

I already heard some ideas, like distributing a fake wallet client which is praised to give holders a "higher minting reward" but steals their coins or ensures in other ways that the network consensus gets corrupted. But people with significant holdings ("whales") would not be easily tricked into this. And if the code is open source then the hack will be discovered soon.

It could also be tried to buy the old keys at a black marketplace, but if the coin is mature enough, you would never get near even 10% of the holdings - at least if rolling checkpoints are implemented.

The only relevant option I know until now is the "shorting attack", but it is extremely expensive and risky. And it works with PoW coins, too, if you buy mining hardware/hashrate instead of coins.

[Zin-Zang]

If you modify the wallet client to place false time date in the blocks , all you are doing is making a hard fork that the other nodes will ignore.

No, monsterer is right here. You cannot differentiate a blockchain with "fake" timestamp and one with "real" timestamps.

The blockchain is a relatively simple database. It's only possible to check if the hashes correspond to a real block.

So less assume there are no checkpoints to block it.

If the Main Chain is 3 months ahead of your fake chain, (because you purchased old keys)

Detail exactly how you are going to fake the time stamp on your fake chain blocks.

Detail exactly how you are going to fake the required time & hashes between blocks so it's difficulty # matches or exceeds the main chain, while also exceeding the block height.

Your Fake chain has to exceed the length of the main chain and has to have a higher difficulty level for it to be accepted over the main chain.

* Feel free to demonstrate on any PoS coin you own, and prove your theory. *
* We'll need copies of the main chain and your fake chain as proof. *


FYI:
If someone steals coins with a fake wallet download, the incentive is to sell the stolen coins for profit, not waste effort trying to destroy their ill gotten gain.
It be the same as robbing a bank and then setting the money on fire.  

FYI2:
N@S is not impossible, just an extreme waste of time and resources, which is why no one has ever even bothered to write a multistaking client.
The supposed benefits are mere hype and bullshit. It won't grant anything worth the time or effort of running one.
You drive up your needed resources for no real benefits.

[d5000]

So less assume there are no checkpoints to block it.

If the Main Chain is 3 months ahead of your fake chain, (because you purchased old keys)

Detail exactly how you are going to fake the time stamp on your fake chain blocks.

That's simple - you only have to write the corresponding number at the place in the block. You can put any number there.

Detail exactly how you are going to fake the required time & hashes between blocks so it's difficulty # matches or exceeds the main chain, while also exceeding the block height.

Difficulty only matters in PoW chains. The attacker only needs to ensure that he has more than 50% of the weight ("chain trust" called in Peercoin) at the moment he forks his attack chain.

He achieves this with a double spend - instead of the original transaction of the "old key owner" he places his own transaction in the first fork block, which spends the same coins to another address he owns. From this moment on, both chains become incompatible, but it's trivial to produce the matching block hashes.

Your Fake chain has to exceed the length of the main chain and has to have a higher difficulty level for it to be accepted over the main chain.

You refer to "chain trust", not to difficulty. If you own 50% of the stake in your chain, then it's trivial to achieve high chain trust values.

* Feel free to demonstrate on any PoS coin you own, and prove your theory. *
* We'll need copies of the main chain and your fake chain as proof. *

That's the point where I disagree with monsterer, I think carrying out the attack is extremely difficult and expensive - not the part "calculating the fake chain", but the part "buying 50% of old keys" or "bribing the holders of 50% of the stake".

Calculating a fake chain should be no problem. If I have time I could do that with a short example, but don't expect it tomorrow.

If someone steals coins with a fake wallet download, the incentive is to sell the stolen coins for profit, not waste effort trying to destroy their ill gotten gain.
It be the same as robbing a bank and then setting the money on fire.  

He can combine his attack with a short sell, as written in my last post.

N@S is not impossible, just an extreme waste of time and resources, which is why no one has ever even bothered to write a multistaking client.

Here I mostly agree.

[inashed]

Kinda ironic that Proof of Anti-stake may work. The idea is, that user destroys it's coins and by doing so confirms a block

This already sort of exist and is called proof of burn, people send coins to a wallet X that no one is the owner, the amount of coins you send to this wallet X is your stake.

The way you talk about it, the closest thing from your idea would be a proof of burn coin where you send some amount of coins Y to someplace and each minute Y/(43200 [amount of minutes in 30 days) coins go to wallet X (that are removed from wallet X and sent to wallet Z after 1 minute).
The amount of coins at wallet X now would be the stake.

[mczhopa]

"It was a bright cold day in April, and the clocks were striking thirteen."

Use this secret phrase to get access to Nxt account holding all the coins. Now you have all the keys you were looking for, what's next?

okaay

[Zin-Zang]

So less assume there are no checkpoints to block it.

If the Main Chain is 3 months ahead of your fake chain, (because you purchased old keys)

Detail exactly how you are going to fake the time stamp on your fake chain blocks.

That's simple - you only have to write the corresponding number at the place in the block. You can put any number there.

Doubtful, but I like to see you try it.   
Especially curious to see the effect on the difficulty #s.

Detail exactly how you are going to fake the required time & hashes between blocks so it's difficulty # matches or exceeds the main chain, while also exceeding the block height.

Difficulty only matters in PoW chains. The attacker only needs to ensure that he has more than 50% of the weight ("chain trust" called in Peercoin) at the moment he forks his attack chain.

He achieves this with a double spend - instead of the original transaction of the "old key owner" he places his own transaction in the first fork block, which spends the same coins to another address he owns. From this moment on, both chains become incompatible, but it's trivial to produce the matching block hashes.

Your Fake chain has to exceed the length of the main chain and has to have a higher difficulty level for it to be accepted over the main chain.

You refer to "chain trust", not to difficulty. If you own 50% of the stake in your chain, then it's trivial to achieve high chain trust values.

I am referring to difficulty, in Proof of Stake it is the # that increases or decrease to make certain the blockspeed is maintained.
It is also part of the security in some Proof of Stake :
hashProofOfStake <= [Coin-age] x [Target Difficulty]      
[Coin-age] = [amount of coins] x [days in stake]
      

Calculating a fake chain should be no problem. If I have time I could do that with a short example, but don't expect it tomorrow.

It has been ~2 weeks now , any progress?

[d5000]

I am referring to difficulty, in Proof of Stake it is the # that increases or decrease to make certain the blockspeed is maintained.
It is also part of the security in some Proof of Stake :
hashProofOfStake <= [Coin-age] x [Target Difficulty]      
[Coin-age] = [amount of coins] x [days in stake]

OK. But that doesn't change anything. The attacker still can fake everything, with the exception of 1) the blockchain until the fork, and 2) the stake he has at the moment of the fork.
Let's see an example for one block of the fake chain, if he buys 51% of the keys at the moment of the fork:

Block 1:
- He calculates a PoS hash with the coins he has. That should be no problem, as he owns 51% of the stake.
- He creates a block header with a timestamp that's inside the allowed "target spacing" range, starting from the pre-fork block. He has total liberty to fake the timestamp, so he can use the "ideal value" to avoid that difficulty decreased.
- Instead of the original transaction that gives away his stake, he creates a double spend transaction to an address he controls and includes it in the block, so he continues to own 51% after the block.

Block 2:
- He calculates a PoS hash building it on Block 1, with the 51% he owns.
- He again fakes the timestamp, with a value inside the ideal "target spacing" range. Difficulty should stay high enough to be higher than the "honest" chain.

Block 3-X: Rinse and repeat until the chain has caught up.

What you're referring to is an analogy to PoW, but it doesn't work in PoS - the attacker has all the time of the world to create the PoS hashes, because with 51% of the stake he will eventually outrun all other stakers due to his drastically higher coin-age value, even if he starts to create the chain a whole year after the fork.

It has been ~2 weeks now , any progress?

I decided I can't do that (like Craig Wright ). It's simply not so important for me to waste an enormous amount of time I don't really have. (And now I'm only playing the Devil's advocate, because I'm not part of the anti-PoS fraction.)

But the above example should be enough. You have to prove now why the attacker cannot fake one of the steps I detailed.

[Zin-Zang]

I decided I can't do that (like Craig Wright ). It's simply not so important for me to waste an enormous amount of time I don't really have. (And now I'm only playing the Devil's advocate, because I'm not part of the anti-PoS fraction.)

But the above example should be enough. You have to prove now why the attacker cannot fake one of the steps I detailed.

LOL,
You did not demonstrate even faking the time stamps ,
and you have not given me a way to fake out a real client thru time manipulation.

It's ok, you're off the hook.

Later,
 

[d5000]

You did not demonstrate even faking the time stamps ,

But you do know how blocks (and headers, and timestamps) are written to the blockchain, don't you?

(Hint: Simply use a hex editor.)

[Zin-Zang]

You did not demonstrate even faking the time stamps ,

But you do know how blocks (and headers, and timestamps) are written to the blockchain, don't you?

(Hint: Simply use a hex editor.)

It needs to be for ~ 30000 blocks for a good test, so you have to excuse me for not wanting to manually enter each one.  
Plus, I am not the one claiming it is easy to do. 

[Ix]

It needs to be for ~ 30000 blocks for a good test, so you have to excuse me for not wanting to manually enter each one.  
Plus, I am not the one claiming it is easy to do. 

It is easy to fake timestamps, you just have your software write in a number into a block of the fake chain it is creating. It is difficult/impossible to fool existing nodes into believing the network is valid. However, an independent node (of the network) sees two equally valid histories based on the rules of the network. There is no way it can independently verify whether a timestamp was forged, it's just an integer in a block. This is also the case for Bitcoin, but the cost of creating that timestamp is governed by the PoW difficulty rather than a free digital signature given an attacker with ~50% of the network stake. And the attack can continue free of charge, whereas with Bitcoin you must keep expending resources to keep up with PoW because the most difficult chain wins.

It's a difficult attack to be sure because owning that much stake in a network is unlikely - but it is absolutely not impossible because many PoS systems especially have very lopsided distributions. Losing the ability for new nodes to know what is the "one, true chain" without needing outside information is a problem. How big of a problem is a matter for debate, but it can't just be brushed off as so unlikely as to be impossible.

[d5000]

Exactly, Ix. Couldn't have been formulated it better.

Blocks are simply data on a hard drive, and the client of the attacker will simply try to broadcast its version of the chain. Everything can be faked with a hex editor, "designing" data like timestamps, difficulty/spacing so it becomes accepted by protocol-following nodes.

There are only two ways to prevent these long-range attacks:
- checkpoints - either "hard coded", like in Bitcoin, or "flexible" like in the case of NXT, or centrally distributed, like in Peercoin before 0.5, so the clients would simply not accept a reorg which goes beyond the last checkpoint,
- a Proof of Approval or PBFT system where the majority (or supermajority, in the case of PBFT) of the stakers is always online and so there is no way to achieve them to accept a "fake chain" because the majority has to cast votes for all blocks (and so a "reorg" is impossible).

The problem with both systems are:
- with the checkpoint system, attackers could attempt a "semi-long range attack" after the checkpoint;
- a PoA/PBFT system must make sure that really the majority is online, otherwise the blockchain would simply stop working and needs a hard fork to determine a new validator set.

However, a long-range attack when you have only a short time (I think it was 48 hs in NXT) to execute it after the last checkpoint, should be extremely complicated. You would need lots of multi-chain stakers for your attack chain becoming accepted, or to be lucky that the validator set becomes unstable.

[monsterer2]

It's a difficult attack to be sure because owning that much stake in a network is unlikely - but it is absolutely not impossible because many PoS systems especially have very lopsided distributions. Losing the ability for new nodes to know what is the "one, true chain" without needing outside information is a problem. How big of a problem is a matter for debate, but it can't just be brushed off as so unlikely as to be impossible.

...and, indeed in the scope of the topic of this thread, it becomes much more problematic than just a contemporary majority stake holder turning bad, even recently emptied private keys can be used to carry off this attack as long as there is no objective way for the network to determine the true chain.

[Zin-Zang]

It's a difficult attack to be sure because owning that much stake in a network is unlikely - but it is absolutely not impossible because many PoS systems especially have very lopsided distributions. Losing the ability for new nodes to know what is the "one, true chain" without needing outside information is a problem. How big of a problem is a matter for debate, but it can't just be brushed off as so unlikely as to be impossible.

...and, indeed in the scope of the topic of this thread, it becomes much more problematic than just a contemporary majority stake holder turning bad, even recently emptied private keys can be used to carry off this attack as long as there is no objective way for the network to determine the true chain.

True chain can be determined by comparing block height with the block explorer for PoS or PoW.
As a Sybil attack can fake a chain on either PoS or PoW and only comparing to a Block Explorer can verify the true chain for a syncing node.

[monsterer2]

True chain can be determined by comparing block height with the block explorer for PoS or PoW.
As a Sybil attack can fake a chain on either PoS or PoW and only comparing to a Block Explorer can verify the true chain for a syncing node.

Have you listened to a single thing anyone had said in this thread?

Producing blocks under PoS has zero cost, therefore any desired chain height can be reached by the fake chain, making it impossible to objectively differentiate between fake and canon chains.

[d5000]

True chain can be determined by comparing block height with the block explorer for PoS or PoW.
As a Sybil attack can fake a chain on either PoS or PoW and only comparing to a Block Explorer can verify the true chain for a syncing node.

That's true only for PoS, not PoW, PoW in this case is objective enough. It's the thing Vitalik Buterin calls "weak subjectivity".

TaPoS or Economic Clustering is however an interesting way to do that task in an automated way - you can see which chain your friends / your preferred services were using when they were transacting. The drawback: Everybody using multiple addresses for better privacy does not help. However, I consider it a meaningful extension for PoS.

[Zin-Zang]

True chain can be determined by comparing block height with the block explorer for PoS or PoW.
As a Sybil attack can fake a chain on either PoS or PoW and only comparing to a Block Explorer can verify the true chain for a syncing node.

Have you listened to a single thing anyone had said in this thread?

Producing blocks under PoS has zero cost, therefore any desired chain height can be reached by the fake chain, making it impossible to objectively differentiate between fake and canon chains.

Geez, have you taken your meds today?  

Sybil attacks can place a fake chain with a lower PoW difficulty rating until a node sees the other chain with the higher difficulty and reorgs.
(@d5000 , if a node is completely blocked from seeing the other chain, thru blocking the non-sybil nodes, it can be fooled until such a time as the non-sybil nodes connect.)
(IE: If I were to hack an exchange and modify their conf file to use connect= instead of addnode= to my Sybil nodes, I could keep it on the Sybil chain for an indefinite period (until their support staff discovered it.))
(This would also allow me to double spend any PoW coins with that exchange and immediately cash out to one of the coins, that are connecting to a normal node.)  Bitmain could easily pull off the above attack on Bitcoin.

You have to buy or steal the PoS coins to stake them?
Their is a cost involved.
Also your pretense at how easy it would be is over exaggerated.
Feel free to 51% attack zeitcoin to prove how easy it is for you.  
(According to you it is a zero cost attack so nothing is stopping you.)

What I am saying is if their is a sybil attack involved and your node is being blocked from seeing the true chain,
you can use a block explorer to verify the true chain for PoS or PoW.

It is a 3rd party verification , but it works and people using PoS or PoW would be naive not to use it.

[Ix]

You have to buy or steal the PoS coins to stake them?
Their is a cost involved.

Not necessarily. Or not a necessarily large one. Someone could buy up a large amount of the currency when it was worth less than pennies, or even the currency creator could be a threat if a significant amount were distributed to them at the start. This is different from bitcoin because the cost to attack the network is always relative to how popular the network currently is. There is no early stage adopter threat to the network itself. (Although I have argued in the past that Satoshi is a significant threat to bitcoin economically because he can wipe out the market.)

Also your pretense at how easy it would be is over exaggerated.

I believe the only responses about how easy the attack is is in regards to your example about timestamps. Forging the chain itself is easy, having the signatures to do it is is where the difficulty lies - but there are many obscure factors that can make it easier.

It is a 3rd party verification , but it works and people using PoS or PoW would be naive not to use it.

There are also a number of attacks that do not create multiple chains but create chaos in more insidious ways. A 3rd party can't prove to you that a chain is being censored, for example. I agree that the general essence of the "nothing at stake" argument is pretty weak with improbable scenarios required to effect it, but it is better to be aware than to be blissful.

[Zin-Zang]

You have to buy or steal the PoS coins to stake them?
Their is a cost involved.

Not necessarily. Or not a necessarily large one. Someone could buy up a large amount of the currency when it was worth less than pennies, or even the currency creator could be a threat if a significant amount were distributed to them at the start. This is different from bitcoin because the cost to attack the network is always relative to how popular the network currently is. There is no early stage adopter threat to the network itself. (Although I have argued in the past that Satoshi is a significant threat to bitcoin economically because he can wipe out the market.)

ZEITCOIN is currently less than a penny and I firmly believe anyone attempting a 51% attack will fail.
The easy way is to try and buy the coin, which people seem to forget, that the danger there is it drives up the price and makes more people stake therefore increasing the difficulty. There have been many exchanges that zeitcoin outlived, so our host could go after one of those to try and steal old coins.

That why I offer it up to the topic host as a real world test for his theories.
If he could crash zeitcoin , he could prove to the world PoS is invalid as a consensus, but if not ,
it kind of proves their is an underlying cost in either money , time, or skill, that he was unable to meet and therefore way more difficult that speculated.

Bitcoin has had over 51% majority belonging to the chinese miners for years, and people ignore it , but yet when it comes to PoS ,
they pretend like every attack is more dangerous , when from my experience PoW has proven more vulnerable especially if you are not rich.

The Fact is PoW miners value is in their ASICS, a Proof of Stake value is in the coins itself, meaning destruction of that single coin, wipes them out , verses a PoW miner that could 51% attack bitcoin on Tuesday and move to bitcoin cash on Wednesday or vice-versa.

Now there are some proof of Stake coins that have been hit with a 51% attack. (Because their chains were weak.)
Eccoin  
Bottlecaps  * Hybrid PoS & PoW, funny thing the PoW did not protect it. *
* Want to know what is funny , even with a successful 51% attack , both of those coins survived and are still running today. *
* Also many PoW chains that have fallen to 51% attacks: Verge, Bitcoin Gold, Monacoin. *
https://news.bitcoin.com/proof-of-work-coins-on-high-alert-following-spate-of-51-attacks/

(PoS or PoW weak chain and 51% is likely.)

But zeitcoin has never fallen to a 51%, so anyone that wants to , can take their best shot for the bragging rights.  
But be forewarned it won't be zero costs.


FYI: Here is a Thought for Consideration.  
The Renting of Hash Rate makes all PoW coins Vulnerable to 51% attack.
(Which would not be zero cost either unless you hacked their miners and use their hash for free.)


Conclusion:
Security of any coin is only strong if the majority % that either mine it or stake it are altruistic toward said coin.
IE.  No real difference between PoW or PoS in that regard.

[Ix]

Bitcoin has had over 51% majority belonging to the chinese miners for years, and people ignore it , but yet when it comes to PoS ,
they pretend like every attack is more dangerous , when from my experience PoW has proven more vulnerable especially if you are not rich.

That is the propaganda you have to deal with on bitcointalk.org. You don't typically get unbiased opinions here.

Conclusion:
Security of any coin is only strong if the majority % that either mine it or stake it are altruistic toward said coin.
IE.  No real difference between PoW or PoS in that regard.

More or less. But discussing the crazier "what ifs" helps to design better protocols.

[monsterer2]

Sybil attacks can place a fake chain with a lower PoW difficulty rating until a node sees the other chain with the higher difficulty and reorgs.

That is an objective decision.

You have to buy or steal the PoS coins to stake them?
Their is a cost involved.

Buying empty private keys will be very, very cheap compared to renting hash power.

Also your pretense at how easy it would be is over exaggerated.
Feel free to 51% attack zeitcoin to prove how easy it is for you.  
(According to you it is a zero cost attack so nothing is stopping you.)

I have no motivation, nor desire to attack your shitcoin, I have better things to do with my time.

What I am saying is if their is a sybil attack involved and your node is being blocked from seeing the true chain,
you can use a block explorer to verify the true chain for PoS or PoW.

That is not only subjective, but is also human intervention. Double systematic failure.

[Zin-Zang]

You have to buy or steal the PoS coins to stake them?
Their is a cost involved.

Buying empty private keys will be very, very cheap compared to renting hash power.

True but stealing private keys or stealing control over a warehouse full of asics is closer to free.   

Also your pretense at how easy it would be is over exaggerated.
Feel free to 51% attack zeitcoin to prove how easy it is for you.  
(According to you it is a zero cost attack so nothing is stopping you.)

I have no motivation, nor desire to attack your shitcoin, I have better things to do with my time.

Ah Ha!

See there you refuse to pay the cost of the time it would take.
So you admit it is not a zero cost to attack a coin as you are unwilling to spend your time on it.  

You guys have a good day.  

[d5000]

@Zin-Zang: I have not negated that centralization at pools is a big problem for PoW currencies. Hacking of pools is of course possible. But maybe the - already mentioned - "Proof of Collaborative Work" model could decrease the incentives for pools. With this addition, my understanding is that PoW coins would be fairly safe from this kind of attack.

Hashrate renting makes 51% attacks easier. But it is still expensive - an attack on Bitcoin would still need several billions of dollars (In early/mid 2017 I estimated about 500-800 million, now it shoud be about 2-3 billion or even more due to the increased hashrate).

However, I believe a PoS attack to be in the same order of magnitude (~3-5% of market cap).

A sybil attack like you describe it is possible on PoW or PoS. Only BFT-based PoS coins are - somewhat - protected from that attack because there are no forks allowed where you could "lure" nodes into, but in a similar scenario (if the attacker tried to prevent a part of the validators from reaching consensus "blocking" them from the network) the blockchain would simply stop working until the malicious nodes become collaborative again or a hard fork happens.

[monsterer2]

However, I believe a PoS attack to be in the same order of magnitude (~3-5% of market cap).

...ignoring the threat outlined in the OP of the thread?

[d5000]

However, I believe a PoS attack to be in the same order of magnitude (~3-5% of market cap).

...ignoring the threat outlined in the OP of the thread?

No, that estimation includes the threats by long range attacks (like the attack you described - the typical "old keys attack"), bribe attacks, short-range attacks and other known N@S-related scenarios. No one of these attacks is free, most of them are highly impractical (try to find people that sell you 50% of the staking amount in some moment of time) and, thus, expensive - above all if there are "floating checkpoints" like in NXT, impeding long reorgs, which lowers your "attack window".

A "pure" PoS 51% attack without exploiting the nothing at stake problem would need about 10% of the market cap (typical "staking participation" is between 20 and 40% of the total stake), and also only be that low if you achieve to buy the needed tokens over a long time without moving up the price, or try a "shorting" attack. Otherwise I expect it to be closer to 15-20%.

[monsterer2]

No, that estimation includes the threats by long range attacks (like the attack you described - the typical "old keys attack"), bribe attacks, short-range attacks and other known N@S-related scenarios. No one of these attacks is free, most of them are highly impractical (try to find people that sell you 50% of the staking amount in some moment of time) and, thus, expensive

Not sure I'd completely agree with that. More like between 0% and 3% would be a more accurate estimate.

[vanbang2cdduoc]

The attacker buys all keys at once, or very close together as stated in the description.

[d5000]

No, that estimation includes the threats by long range attacks (like the attack you described - the typical "old keys attack"), bribe attacks, short-range attacks and other known N@S-related scenarios. No one of these attacks is free, most of them are highly impractical (try to find people that sell you 50% of the staking amount in some moment of time) and, thus, expensive

Not sure I'd completely agree with that. More like between 0% and 3% would be a more accurate estimate.

If it was 0%, we would have seen many more attacks to Proof-of-Stake currencies.

I agree though that attacking small/weak Proof of stake currencies should be (in theory) very easy, as they mostly have a a very unequal distribution and few real persons behind the "stakers". So the attacker can be lucky to find a 10%-stakeholder who agrees to sell him his emptied keys for a low amount.

[WhiteOutMashups]

Yes everyone knew that PoS is a PoS :poo: since anyone with money can take it over

[d5000]

anyone with money can take it over

That is also true for PoW and all known consensus algorithms

The challenge is to obtain a high attack cost. PoS attack costs are more difficult to calculate than PoW's. But they're not necessarily lower. Social engineering is not free.

I've got some ideas how to achieve a serious estimation for PoS (or any other weak-subjectivity-based algorithm with N@S problem) attack costs, taking into account, for example, the current cost of fake social media accounts, hacking of websites (e.g. block explorers), malware distribution and also the cost of shorting large parts of the currency. One could also fake a request for "old keys" (simulating to be an attacker) to get some numbers about how many people would accept such an offer and how much they would like to get paid.

Imo, in PoS currencies the security level (=attack cost) is much more dependant on a healthy ecosystem than for PoW currencies.

[Zin-Zang]

Attacker sends request to PoS user for old keys,

PoS user agrees to sell/send old keys to Attacker only upon receipt of payment for keys.

PoS user informs the PoS Dev of sold keys, before the attacker can launch his attack ,

PoS Dev updates checkpoint thru program update, making the attacker purchase of old keys useless.

Now the attacker has the useless keys and lost his payment  , and the PoS User & Dev are Laughing at the attacker's attempt.
 
*What is funny is the attacker whom is attempting to do harm with a dishonest heart, thinks the PoS User will be honest with him.*  

This might be the primary reason , no one ever tries to buy old keys.  
Because it is so easy to turn the attacker into the Chump.

[monsterer2]

PoS user informs the PoS Dev of sold keys, before the attacker can launch his attack ,

PoS Dev updates checkpoint thru program update, making the attacker purchase of old keys useless.

Now the attacker has the useless keys and lost his payment  , and the PoS User & Dev are Laughing at the attacker's attempt.
 
*What is funny is the attacker whom is attempting to do harm with a dishonest heart, thinks the PoS User will be honest with him.*  

This might be the primary reason , no one ever tries to buy old keys.  
Because it is so easy to turn the attacker into the Chump.

What is funny is trusting any form of money where you have to rely on a hard fork in order to retain any sense of security.

[d5000]

In this case, if the checkpoint is included before the attacker "liberates" his attack chain, it's still not a hard fork. It's simply a typical "weak subjectivity" scenario.

But if he was successful and the reorganization to the attacker's chain would have taken place, then it is. This would be similar to Ethereum's ETH/ETC fork.

However, these scenarios are scenarios of last resort. They can also occur in Bitcoin, if a miner majority (or a minority, in the case of a soft fork) attempts to block an important upgrade, for example. I think most of us remember the "nuclear option" in 2017

The goal for PoS currencies is to avoid this scenario. I think it's difficult enough already in mature currencies. (Edit: And the mere possibility - and high probability - of it to happen already lowers the EV of PoS attacks, and thus the incentives for it.)

[aliashraf]

Attacker sends request to PoS user for old keys,

PoS user agrees to sell/send old keys to Attacker only upon receipt of payment for keys.

PoS user informs the PoS Dev of sold keys, before the attacker can launch his attack ,

PoS Dev updates checkpoint thru program update, making the attacker purchase of old keys useless.

Now the attacker has the useless keys and lost his payment  , and the PoS User & Dev are Laughing at the attacker's attempt.
 
*What is funny is the attacker whom is attempting to do harm with a dishonest heart, thinks the PoS User will be honest with him.*  

This might be the primary reason , no one ever tries to buy old keys.  
Because it is so easy to turn the attacker into the Chump.

Actually, it is not a mitigation by any means.

Suppose, I have a dominant share of a PoS coin. I exchange my coins with a decent PoW coin ( ) and cash out, now I'm able to commit a long range attack against the network or participate in such an attack using my old private keys with zero cost.

[Ix]

Suppose, I have a dominant share of a PoS coin. I exchange my coins with a decent PoW coin ( ) and cash out, now I'm able to commit a long range attack against the network or participate in such an attack using my old private keys with zero cost.

This is misleading. It isn't possible to just hit the sell button on a "dominant share" of a coin. The market will likely collapse on the way to the exit which may already accomplish what you wanted to do anyway as a dominant shareholder. It is a criticism of lopsided distribution, not PoS. If distribution were not lopsided, then to achieve a dominant share there was a significant cost associated, and exiting that market will absolutely not be free.

Deride weak subjectivity all you want, but software checkpoints have zero actual cost and very low social and philosophical costs to anyone that isn't beating the PoW drum (which costs billions of actual dollars every year). Transactions will be dramatically cheaper on PoS and that will ultimately decide what people use - at least as an actual currency.

[Zin-Zang]

Suppose, I have a dominant share of a PoS coin. I exchange my coins with a decent PoW coin ( ) and cash out, now I'm able to commit a long range attack against the network or participate in such an attack using my old private keys with zero cost.

You purchase a dominant share of a PoS coin at higher market prices,
if you do a massive dump you crash those prices , meaning you LOST a Large % of your original investment.  
So that is a Huge Cost $$$.  

Now, the exchange that you sold on, most likely stakes their PoS coins, most do.
So all of those coins will be staking on that exchange until the buyers remove them.
Meaning the staking % of others plus the Staking % of the coins you sold on the exchange are staking.
Your old Private keys alone won't be enough to outstake your sold %, in addition to the other %.
Also other factors that would hurt your attempt is the fact proof of stake coins go dormant for different lengths of time according to their individual specs.

Never as easy as it seems , is it?  


FYI:
Even if someone crashes the price of a Proof of Stake coin,
Proof of Stake coins network require less than a few $1000 per month to operate,
and their Stakers can easily weather extremely long terms of a low price ,
as they can easily meet the monthly costs to continue a PoS coin until prices return to normal.

In Contrast :
If a PoW coin price crashes ,
PoW miners can only sustain their network for a short amount of time ,
less than 3 or 6 months on average for the majority before they have to shut down those energy wasting ASICS.
IE:
If the input cost to mine a Bitcoin is $3000, and the miners can only receive $1000 per bitcoin,
within a few months the bitcoin network will be dead as the miners can only afford to lose money per block for a Limited time.
Where as Proof of Stakers can continue indefinitely to keep their network running.
Which is why in Business a person always needs to monitor input costs , if they want to keep their business.  

*If someone ever compromised Satoshi ~1 million coin Bitcoin Wallet, they could easily keep bitcoin price in the unprofitable range long enough to kill it.*
Plus Satoshi Wallet is less than 5% of the total 21 million coin allowed, which means PoW coins are more susceptible to being destroyed by as little as 5% to make the coin production unprofitable and kill it's network, due to their insane input costs.  

*Just another reason Proof of Stake is superior to Proof of Work in the long run, INPUT COSTS to maintain their networks.*  

[monsterer2]

In this case, if the checkpoint is included before the attacker "liberates" his attack chain, it's still not a hard fork. It's simply a typical "weak subjectivity" scenario.

But if he was successful and the reorganization to the attacker's chain would have taken place, then it is. This would be similar to Ethereum's ETH/ETC fork.

I agree with everything you've written, apart from the fact that it gives validation to the idea that having the community vote to create a hard fork is in any way acceptable for a currency that's supposed to be decentralised.

[seoincorporation]

I read some good points on this thread, the attack isn't easy at all, but is possible. And the attacker doesn't need more than 51% of the network to make the attack, he only need the old addys, and as you say, this is a big vuln based on the main characteristics of the PoS system.

Honestly i don't think we will see this attack, but is good to know it's possible, maybe that way developers can think about what to fix in the next update.

[d5000]

I agree with everything you've written, apart from the fact that it gives validation to the idea that having the community vote to create a hard fork is in any way acceptable for a currency that's supposed to be decentralised.

I consider it acceptable as a "measure of last resort", as I wrote - and as a way to dis-incentive these kinds of attacks. I also think UASF's are legit as a last resort protection from malicious miners, and both measures are pretty similar.

What @aliashraf wrote is, technically, very close to a "51% stake attack". You would need to hold at least 10% - more likely about 15% - of the currency in one moment. And in this case I agree with Zin-Zang that the acquisition and also the selling of the coins would be very difficult, even including shorting, because of the influence on price (and more so if there are rolling checkpoints and your attack window is small).

I think for a PoS attacker it is more promising to continuously try short-range attacks and confuse the currency holders about the "best chain" to follow, and then launch a larger attack, shorting a large number of coins - in this case 3 to 5% of the stake should be enough to create a lot of confusion and potentially be successful with the attack, leaving a hard fork as last resort. In a chain applying TaPoS/Economic Clustering (like NXT/Ardor) however that becomes more difficult as nodes would simply follow the chain of the big exchanges, and in some algorithms like Cardano it may be close to impossible.

[Zin-Zang]

So much for PoW Security.  

https://cointelegraph.com/news/bittrex-to-delist-bitcoin-gold-by-mid-september-following-18-million-hack-of-btg-in-may

While Bittrex has blamed BTG’s Proof-of-Work (PoW) consensus as a factor that led to the double-spending attack,

Crypto exchange Bittrex will delist Bitcoin Gold (BTG), a hard fork of Bitcoin (BTC), by September 14 following an $18 million hack of the BTG network in May, The Next Web reported September 3.

Founded in 2007, the hard fork cryptocurrency Bitcoin Gold has suffered a “double-spending” hacking attack that reportedly allowed the unknown hijackers to take control of more than 51 percent of the BTG hashrate.
The attack, which reportedly started on May 18, 2018, has managed to amass more than $18 million in Bitcoin Gold from various exchanges, including Bittrex.

Following the hack,
the Bitcoin Gold team explained that the attacker was deploying the combination of a 51 percent and double-spend attack in order to defraud crypto exchanges.
They noted that the hacker was targeting exchanges since they “accept large deposits automatically, allow the user to trade into a different coin quickly, and then withdraw automatically.”

Specifically, the attacker was making large BTG deposits on exchanges, at the same time sending the same funds to his own crypto wallet.
By the time the exchanges realized that the transaction was invalid, the hacker had already withdrawn funds from the exchange and doubled his original funds.

https://www.ccn.com/bitcoin-gold-hit-by-double-spend-attack-exchanges-lose-millions/

The last transaction was sent on May 18, but
the attacker could theoretically attempt to resume it if they still have access to enough hashpower to gain control of the blockchain.

Bitcoin gold’s developers advised exchanges to address the attack by increasing the number of confirmations required before they credit deposits to customer accounts.
Blockchain data indicates that the attacker successfully reversed transactions as far back as 22 blocks

As CCN reported, a miner manipulated two of privacy coin verge’s five hashing algorithms to maliciously mine more than 35 million XVG — worth ~$1.75 million — in just a few hours.
Previously, Japanese cryptocurrency monacoin was hit by an apparent block withholding attack after a miner gained as much as 57 percent of the network’s hashrate.

[d5000]

PoW attacks are, indeed, very easy in coins using an algorithm where mining is possible with ASICs used also to mine Bitcoin or another major coin. The owners of a large farm only have to mine a coin with a "matching" algorithm, double-spend, 51% it and go on to the next one.

But this is not something that affects PoW as a consensus principle. Bitcoin is safe from this kind of attacks, Ethereum too, and even Litecoin.

As most other coins are not safe from the "chain-hopping" attack, a PoS addition may have even a positive effect. While it doesn't add much security (because small PoS coins are also very weak), the attack becomes more complex because the attacker also has to acquire coins or old keys.

[Zin-Zang]

PoW attacks are, indeed, very easy in coins using an algorithm where mining is possible with ASICs used also to mine Bitcoin or another major coin. The owners of a large farm only have to mine a coin with a "matching" algorithm, double-spend, 51% it and go on to the next one.

But this is not something that affects PoW as a consensus principle. Bitcoin is safe from this kind of attacks, Ethereum too, and even Litecoin.

That my friend is the illusion that is a false belief.

Bitcoin or Ethereum or Litecoin are only as safe as the miners that collude to form at least a 51% majority.

If at anytime , the profit / incentive sways from protecting Bitcoin or Ethereum or Litecoin to attacking them ,
since the PoW miners are selfish in motive (Greed/Profit), they will switch as they consider their ASICS more valuable than the coins they produce.

IE: Bitcoin is Completely Safe as long as the Chinese Miners Agree it is.
Just as Paypal is safe as long as their centralized control agrees it is.
In both cases we are trusting 3rd parties to secure our transactions. [In Proof of Stake , we can buy enough coins to secure our own transactions.]

You are not Trusting the PoW Consensus design , you are trusting the over 51% colluding ASICS miners to secure the coin.

Which is one problem with PoW Design , if you have over 51% you can maintain constant control over the network,
while a PoS design your % is always in flux, as when you stake your coins go dormant for a length of time , removing your ability to control the network.

While a PoW network can be controlled 100% of the time, by over 51% collusion,
A PoS network in contrast can only be controlled for a limited time due to the dormancy requirement after staking.    
* Plus you can sell your PoW coins and have no effect on your 51% PoW dominance, while in Proof of Stake selling coins decreases your PoS %.*



FYI:
https://www.coindesk.com/blockchain-immutability-myth/

Nonetheless, it's important to remember that each node is running on a computer system owned and controlled by a particular person or organization, so the blockchain cannot force it to do anything.
The purpose of the chain is to help honest nodes to stay in sync,
but if enough of its participants choose to change the rules, no earthly power can stop them.

That's why we need to stop asking whether a particular blockchain is truly and absolutely immutable, because the answer will always be no.
Instead, we should consider the conditions under which a particular blockchain can be modified, and then check if we're comfortable with those conditions for the use case we have in mind.

FYI2:
Currently with PoW, people pay a transaction fee to have their transaction included in a block.
What if the miners decided it was more profitable to offer others the ability to pay to block an address from completing a transaction, and make people bid against each other one person trying to include a transaction and the other wanting it excluded.  
By doing so they increase their profit margin, and they are selfish miners after all.

So if you did not have the ability to add transactions to blocks, you be suffering at their whims.

IE:
You own the bank a payment on your credit card on tuesday , , you send the bitcoins to their payment address on monday.
What you don't know is they paid the colluding miners a fee to delay any transactions going to their payment address for a few days.
The Bitcoins you sent are stuck in transit , just being ignored and not released.
After the time limit has passed the credit card payment is allowed to arrive , but not before you have been hit with late penalties and additional fees.

[d5000]

If at anytime , the profit / incentive sways from protecting Bitcoin or Ethereum or Litecoin to attacking them ,
since the PoW miners are selfish in motive (Greed/Profit), they will switch as they consider their ASICS more valuable than the coins they produce.

IE: Bitcoin is Completely Safe as long as the Chinese Miners Agree it is.
Just as Paypal is safe as long as their centralized control agrees it is.

There is no way to create a 100% safe coin. That's why I also wrote that I consider a "last resort hardfork" or UASF, changing the mining algorithm (to throw off the miners using a distinct ASIC model) a legitimate action.

However, I still consider PoW superior to PoS, because attack cost is more predictable. I have written that I estimate attack costs to be similar between PoW and PoS. But in PoS, the calculation is not easy, because there are much more variables to take into account. Perhaps monsterer is right and a certain variable combination results in a comparatively cheap attack.

My favourite for the moment is the combination of PoW, PoS and PoB.

Which is one problem with PoW Design , if you have over 51% you can maintain constant control over the network,
while a PoS design your % is always in flux, as when you stake your coins go dormant for a length of time , removing your ability to control the network.

If you mean 51% of total stake, this is false. If you can control 51% for a certain time, you can easily secure permanent 51%. It is even worse than with PoW, because in PoW you need to waste electricity to preserve the 51%, in PoS you don't.

If you were referring to an attack with e.g. 10-15% of the total stake having 51% of the "currently active stake", then you may be right - the other coin holders could connect to the network and stop the attack.

A PoS network in contrast can only be controlled for a limited time due to the dormancy requirement after staking.

No. Nothing stops the attacker to use several addresses for his attack.

* Plus you can sell your PoW coins and have no effect on your 51% PoW dominance, while in Proof of Stake selling coins decreases your PoS %.*

OK, this is true. But a single 51% attack may cause enough damage that the confidence in the coin would be severily affected. Even if it doesn't mean it "dies", it may never recover its original importance.

And the attacker could even preserve his (emptied) keys to launch "long term attacks" like the one monsterer described.

[Zin-Zang]

There is no way to create a 100% safe coin. That's why I also wrote that I consider a "last resort hardfork" or UASF, changing the mining algorithm (to throw off the miners using a distinct ASIC model) a legitimate action.

However, I still consider PoW superior to PoS, because attack cost is more predictable. I have written that I estimate attack costs to be similar between PoW and PoS. But in PoS, the calculation is not easy, because there are much more variables to take into account. Perhaps monsterer is right and a certain variable combination results in a comparatively cheap attack.

My favourite for the moment is the combination of PoW, PoS and PoB.

Combining Consensus methods does not combine their strengths , it combines their weakness.
 

Which is one problem with PoW Design , if you have over 51% you can maintain constant control over the network,
while a PoS design your % is always in flux, as when you stake your coins go dormant for a length of time , removing your ability to control the network.

If you mean 51% of total stake, this is false. If you can control 51% for a certain time, you can easily secure permanent 51%. It is even worse than with PoW, because in PoW you need to waste electricity to preserve the 51%, in PoS you don't.

If you were referring to an attack with e.g. 10-15% of the total stake having 51% of the "currently active stake", then you may be right - the other coin holders could connect to the network and stop the attack.

If you have 51% and stake 6% , you are now only at 45% until the dormant period has passed, and the other 49% now outstakes you until their % drops below yours.
Which is why I say PoS 51% is only in control for a limited time and the staking % drops as soon as you use it for a specified time period.
Even with 51% you can't control a PoS coin 100% of the time like a PoW coin.
PoS coins with coin age are even harder to predict, as one old friend said , Proof of Stake is Secured by Chaos itself.

A PoS network in contrast can only be controlled for a limited time due to the dormancy requirement after staking.

No. Nothing stops the attacker to use several addresses for his attack.

Addresses are irrelevant,
once staked PoS coins go dormant for a preset time, anywhere from 24 hours to 90 days depending on the specs.
They can't generate new blocks until they are no longer dormant.

And the attacker could even preserve his (emptied) keys to launch "long term attacks" like the one monsterer described.

monsterer lack of understanding of what is required is mind blowing.
Long range attacks are more complicated that what has been mentioned.
Target difficulty / Modifier Intervals / Coin Age /  Blocks required / Block Propagation timing / Tricking nodes into a reorg

Not only is it incredibly complicated, it can all be blocked with Random Checkpoints or rolling checkpoints
or even if the main chain just maintains a higher coin age than the attacker's chain.
*Also the fact that the sold coins will probably be staking on the main chain after being sold, gets lost in translation.*

So forgive me, when I ignore his concerns, I did offer him the opportunity to prove his theories, but he declined.  
 

FYI:
As you mentioned in an earlier post , Short Range attacks are the best chance for an attacker, but that is in PoS or PoW.
The complications of a Long Range attack grow with every day that passes, for PoS or PoW.

[monsterer2]

monsterer lack of understanding of what is required is mind blowing.
Long range attacks are more complicated that what has been mentioned.

Have you even read the OP? This attack is not long range, its short range - below your precious reorg depth limit.

Even the most pessimistic cost assessment puts this attack at 3% stake.

[Zin-Zang]

monsterer lack of understanding of what is required is mind blowing.
Long range attacks are more complicated that what has been mentioned.

Have you even read the OP? This attack is not long range, its short range - below your precious reorg depth limit.

Even the most pessimistic cost assessment puts this attack at 3% stake.

All of the previous mentions were talking about getting old keys , weeks or months old, and people such as yourself claimed faking the time stamp meant there was no time limit preventing a long range attack, whether you came out and said it , it was implied.

Exactly how many blocks do you think a short range attack can be?
10?  20?  30? 40?  100?

FYI: Double Spends
Bitcoin Gold ,PoW only,  22 blocks were rewritten
Bottlecaps   , PoW/PoS,  66 blocks were rewritten

 

[d5000]

Combining Consensus methods does not combine their strengths , it combines their weakness.

I know this theory, but I don't agree. If you design the algorithm well, then at least you'll have a consensus method which is similarly secure, but with a more complex attack strategy required, e.g.: the original Slasher algorithm, or even easier: simply require 1 PoS block each 5 PoW blocks, keep the PoS reward low (like in Peercoin) and increase the PoW reward by 1/5 to increase the incentive to mine and thus the hashrate with a similar supply inflation.

If you have 51% and stake 6% , you are now only at 45% until the dormant period has passed, and the other 49% now outstakes you until their % drops below yours.

You could stake with several addresses, each one owning 0,5% in this situation, or even 0,1%, so almost nothing gets blocked. The only chance you have to avoid this is to employ an algorithm which benefits bigger staking addresses in a disproportionate way, but this would even be worse - with the exception of there being several big whales stopping you.

Addresses are irrelevant,
once staked PoS coins go dormant for a preset time, anywhere from 24 hours to 90 days depending on the specs.

OK, instead of addresses I should have written UTXOs ("coins").

monsterer lack of understanding of what is required is mind blowing.

No, he's basically right, but I think he underestimates the complexity of the attack. If he launches it as a short-range attack, then it's very similar to a regular 51% attack as your only realistic chance is to buy the coins yourself and then sell them, which should be very expensive.

It could be possible and relatively cheap with stake pools, however. That's why I don't like LPoS and similar approaches.

[Zin-Zang]

If you have 51% and stake 6% , you are now only at 45% until the dormant period has passed, and the other 49% now outstakes you until their % drops below yours.

You could stake with several addresses, each one owning 0,5% in this situation, or even 0,1%, so almost nothing gets blocked. The only chance you have to avoid this is to employ an algorithm which benefits bigger staking addresses in a disproportionate way, but this would even be worse - with the exception of there being several big whales stopping you.

Addresses are irrelevant,
once staked PoS coins go dormant for a preset time, anywhere from 24 hours to 90 days depending on the specs.

OK, instead of addresses I should have written UTXOs ("coins").

Hmm,
ok, you're not getting it.

It does not matter, how many address you split your 51% into,
it can be in 1 or 1 million , no difference.
It is the total % that matters.

Rest of the network is staking 49% of the total coins,  You are using your 51% to dominate the network and stake every block and refusing the allow new transactions in the block, once 3% of your coins have staked, (again it does not matter if 1 address or 1 million),
those 3% of your coins go dormant for a specified time.  So now the rest of the network have 49% and you only have 48%, so the others can now stake a block over you and include all of the transactions you blocked.

In truth it is not even that easy , as blocks with different coin amount can stake on one and then the other and as long as the network is not exceeding it's transaction capacity , doubtful anyone even notices.

Now you could attempt a double spend with your 51%, but as long as enough confirmations are required, the double spend would fail.

* The real question becomes how long can you dominate the blocks, which is tricky to discern since PoS coins have different blockspeeds & recovery times before staking.  For a Double Spend you have to be able to dominate long enough to exceed the number of confirmations required for a normal send to an exchange.
Which that means usually for PoS coin anywhere from 20 to 200 confirmations. *

PoW in comparison is easy to dominate if you have 51% of the mining capacity , because you maintain the 51% the entire time and go lower Only if more ASICS are added to the mining Pools. Much easier to calculate and much easy to dominate a PoW coin.
Bitcoin is only safe because the Chinese miners already have ~70%, and at the current point of time, they believe it would cost them more if they abused it.
But that is a belief , not an iron clad rule, and under certain circumstances their alliances could change, and then bitcoin goes from being the most secure to the least secure literally overnight. The people that believe the store of value nonsense, will be in for a rude awakening.

[d5000]

Well, let's have an example (with a "chain trust" based coin):

You're staking with 21 UTXOs of 1% each and 1 UTXO of 30% of the total staking capacity each (51% total).
You want to trick an exchange, double spending some coins, and need a fake chain of 21 blocks.
Now you double-spend. Then you privately mint the 21 blocks with the relatively small 1% stakes.
Block 22 is crucial, because there you must trick the other nodes into a re-org. So for block 22, you use the 30% stake, to boost chain trust. Now you publish the fake chain. The 30% stake now gets "dormant", but after the fake chain was published, you don't need any stakes to be "live" because you already tricked the other nodes to use your fake chain.

You have a high probability that your chain becomes the longest chain (with most chain-trust) then, because the accumulated stake in the fake chain is exactly 51% and the rest of the nodes only can accumulate 49% on the "honest chain", because they also are affected by the "dormant stake" rule.

If not (there is a certain probability for it), you can repeat the attack after all the "dormant" periods have expired. There is zero cost for that. There is a high probability that you eventually will succeed.

[Zin-Zang]

Well, let's have an example (with a "chain trust" based coin):

You're staking with 21 UTXOs of 1% each and 1 UTXO of 30% of the total staking capacity each (51% total).
You want to trick an exchange, double spending some coins, and need a fake chain of 21 blocks.
Now you double-spend. Then you privately mint the 21 blocks with the relatively small 1% stakes.
Block 22 is crucial, because there you must trick the other nodes into a re-org. So for block 22, you use the 30% stake, to boost chain trust. Now you publish the fake chain. The 30% stake now gets "dormant", but after the fake chain was published, you don't need any stakes to be "live" because you already tricked the other nodes to use your fake chain.

You have a high probability that your chain becomes the longest chain (with most chain-trust) then, because the accumulated stake in the fake chain is exactly 51% and the rest of the nodes only can accumulate 49% on the "honest chain", because they also are affected by the "dormant stake" rule.

If not (there is a certain probability for it), you can repeat the attack after all the "dormant" periods have expired. There is zero cost for that. There is a high probability that you eventually will succeed.

Good, now you see the dormant period.  

And the Attacker has to wait for the dormant period to elapse,
but if the Proof of stake coin uses coin age he also has to wait for the maximum coin age, so time wise he has to wait anywhere from 20 to 90 days for maximum coin weight for his next attempt. (Depend on the coins specs, some have unlimited coin age, some limit it to between a max 20 to 90 day weight.)

Which as you surmised, he can attempt a double spend again at the optimal time.
But unlike PoW , what he can Never do , is maintain 51% control and block transactions from being added to the blockchain indefinitely.

So that negates the transactions censorship danger from PoS 51% attacks that is almost certain with PoW 51% attacks.

So for PoS the only real threat is the double spend, which can be blocked by increasing the required transactions confirmations or to be 100% certain waiting until the confirmation # exceeds the rolling checkpoint blocking all reorgs.

To be honest , all PoS coin could institute a 1 hour rolling checkpoint and be guarantee no doublespend after 1 hour.
(Ending the only threat a 51% attack poses toward a PoS coin.)

PoW coins could do the same as rolling checkpoints are a easy way to block reorgs while staying decentralized.
However it still would not protect a PoW coin from a 51% attack where the attacker goal was blocking new transactions from entering the chain.

* Another reason Proof of Stake is a superior consensus method to Proof of Work. *  
 

[d5000]

but if the Proof of stake coin uses coin age he also has to wait for the maximum coin age, so time wise he has to wait anywhere from 20 to 90 days for maximum coin weight for his next attempt.[...]
But unlike PoW , what he can Never do , is maintain 51% control and block transactions from being added to the blockchain indefinitely.

If his attempt fails, his stake won't be blocked, because his chain wouldn't be selected at all. It's as if the attack didn't happen. So he doesn't have to wait.

Where you're right is that with a majority as low as 51% it is probably difficult to control a chain permanently. But that only applies if the other 49% all mint actively. With two thirds of the active stake it should be possible to control the chain permanently and censor transactions, regardless of dormant periods.

Now even with "only" 51% the attack can do a lot of harm. The attacker can try to attack/double-spend again and again. No exchange would be safe, and so the coin would be probably delisted from all exchanges until the 51% scenario ceases - or exchanges would have to set, as you wrote, the confirmation threshold to 100% of the reorg limit, which are typically days. If the attacker doesn't sell his coins because his intention is to destroy it (e.g. because he short-sold coins before) then the only way to stop that scenario (that makes the coin de facto unusable) is a complicated hard fork "tainting" all UTXOs that have been part of the attack and block all tainted UTXOs.

To be honest , all PoS coin could institute a 1 hour rolling checkpoint and be guarantee no doublespend after 1 hour.
(Ending the only threat a 51% attack poses toward a PoS coin.)

At a first glance this approach looks good - but why is no PoS coin doing that? I think that it's possible this approach could add attack vectors for limited short-range attacks using network disruptions to confuse badly-connected nodes.

However it still would not protect a PoW coin from a 51% attack where the attacker goal was blocking new transactions from entering the chain.

A miner with 51% of the hashrate would not get all blocks, so he also cannot censor transactions.

[Zin-Zang]

but if the Proof of stake coin uses coin age he also has to wait for the maximum coin age, so time wise he has to wait anywhere from 20 to 90 days for maximum coin weight for his next attempt.[...]
But unlike PoW , what he can Never do , is maintain 51% control and block transactions from being added to the blockchain indefinitely.

If his attempt fails, his stake won't be blocked, because his chain wouldn't be selected at all. It's as if the attack didn't happen. So he doesn't have to wait.

Valid Point , But he is failing so no one cares.  
If he does succeed , then he has to wait 20 to 90 days before another optimal window is open to try again, if coin age is involved.
Giving the community time to take steps to block future attempts, thru required increased confirmations or rolling checkpoints (decentralized) or even a checkpoint server (centralized) depending on their opinion of the value of decentralization.

PoW miner has no such wait period and can run continuous succeeding attacks with no wait time.
Unless the PoW community required increased confirmations or rolling checkpoints (decentralized) or even a checkpoint server (centralized).
But the PoW attacker can get in many more attacks before a PoW community could protect itself.

Where you're right is that with a majority as low as 51% it is probably difficult to control a chain permanently.
But that only applies if the other 49% all mint actively. With two thirds of the active stake it should be possible to control the chain permanently and censor transactions, regardless of dormant periods.

It does not have to be all of the other 49%, with every stake , more of our attacker coins go dormant until whatever the other amount is, exceeds his.
He can not indefinitely block transactions unless he owns all of the coins, which if he did no one else would care, as no one else owns any.  
I don't care if the guy own 80% of a proof of stake coin, by combining all of my coins into a single block, and using max coin age, I could get 1 block added per dormant period and he can't stop me therefore including my transactions in the blockchain.
He has to spread his coins thin trying to block every single opportunity , and all I have to do is focus all of my coins into a single block that can pierce his efforts, with the help of coin age.    

Now even with "only" 51% the attack can do a lot of harm. The attacker can try to attack/double-spend again and again. No exchange would be safe, and so the coin would be probably delisted from all exchanges until the 51% scenario ceases - or exchanges would have to set, as you wrote, the confirmation threshold to 100% of the reorg limit, which are typically days. If the attacker doesn't sell his coins because his intention is to destroy it (e.g. because he short-sold coins before) then the only way to stop that scenario (that makes the coin de facto unusable) is a complicated hard fork "tainting" all UTXOs that have been part of the attack and block all tainted UTXOs.

Not really,
Bottlecaps is a prime example, it was 51% attacked multiple times,
all they did was reimburse Cryptopia for the double spend coins, and as of today it is still trading there,
with increased required confirmations to 200 and running a checkpoint server.
(They could have done a rolling checkpoint and stayed decentralized, but they choose a centralized solution.)

To be honest , all PoS coin could institute a 1 hour rolling checkpoint and be guarantee no doublespend after 1 hour.
(Ending the only threat a 51% attack poses toward a PoS coin.)

At a first glance this approach looks good - but why is no PoS coin doing that? I think that it's possible this approach could add attack vectors for limited short-range attacks using network disruptions to confuse badly-connected nodes.

I think the fear is that an attacker could focus his attack specially trying to fork the network into more than one branch.
Without the ability to reorg , all of the ones caught on the wrong fork , would have to redownload a blockchain, kind of a pain.
Easy ways to mitigate this is choose random times or allow set times in the wallets to block reorgs between a time range of between 1 hour to 2 days.
This way the attacker has no idea where to focus a fork splitting attack. Also the wallet designer could include a manual Allow Reorg Button , that lets the client reorg from any time, if they were forked so they don't have to redownload the blockchain from scratch.

*FYI: Blackcoin choose ~8.3 hours for their no reorg limit.*
Currently the lowest one, AFAIK.

However it still would not protect a PoW coin from a 51% attack where the attacker goal was blocking new transactions from entering the chain.

A miner with 51% of the hashrate would not get all blocks, so he also cannot censor transactions.

http://redpinata-development.com/bitcoin-academy/index.php/reader/items/non-technical-overview.html

Since the network always accepts the longest chain, he would end up in creating every new confirmation and getting full control over the blockchain.
But what harm can he possibly do?
He now has the power to successfully exercise double spending attacks and to censor transactions.

If a block gets added with a transaction , he does not like, he just overwrites the block by not including it in his longer chain.  
Look at the video : VIDEO: Nightmare of 51% Attack - part 2  in the above redpinata link.
PoW 51% Attacker can exclude all transactions.

PoS 51% Attacker can not because of the built in dormant period.  

Bitcoin itself had 24 blocks (6 hours) overwritten by a over 51% consensus in March 2013.
https://bitcoinmagazine.com/articles/bitcoin-network-shaken-by-blockchain-fork-1363144448/
Article by Vitalik Buterin

“safe mode alerted us there’s a problem

Interesting enough Bitcore devs killed the alert system, so the alert that warned everyone in March 2013 is no longer possible.

[d5000]

If he does succeed , then he has to wait 20 to 90 days before another optimal window is open to try again, if coin age is involved.

True, but the problem with coin-age is that it's very easy to accumulate 51% of the active stake with much less "real stake", which makes the attack cheaper. From what I know, the PoS trend since 2014 is to refrain from coin-age for the "weight" of a stake (e.g. NXT, Blackcoin).

It's basically a tradeoff: With coin-age it may be more difficult to launch continuous attacks, but it's much easier to launch a single double-spend attack. You have to decide what is worse - a single successful attack may already make people lose confidence in the coin and bury it deep in the "shitcoin" hole.

PoW miner has no such wait period and can run continuous succeeding attacks with no wait time.

But he has to pay for the electricity all the time.

I don't care if the guy own 80% of a proof of stake coin, by combining all of my coins into a single block, and using max coin age, I could get 1 block added per dormant period and he can't stop me therefore including my transactions in the blockchain.

OK, you may have a point here. depending on the length of the "dormancy" period. But there have to be some actively minting whales for that. (Maybe Anonymint could find some trick here, however )

Bottlecaps is a prime example, it was 51% attacked multiple times,
all they did was reimburse Cryptopia for the double spend coins, and as of today it is still trading there,
with increased required confirmations to 200 and running a checkpoint server.

(They could have done a rolling checkpoint and stayed decentralized, but they choose a centralized solution.)

But only with an extremely long confirmation time, and that was my point. Bottlecaps is a very small coin and not really used for something useful. It's simply a pennystock for gambling on exchanges, so nobody cares about it requiring so many confirmations. A coin with real merchants and clients waiting for goods and services wouldn't be able to recover "as a currency" without a hard fork.

I think the fear is that an attacker could focus his attack specially trying to fork the network into more than one branch.

Agree here, but I have to investigate more.

Easy ways to mitigate this is choose random times or allow set times in the wallets to block reorgs between a time range of between 1 hour to 2 days.

Would all clients block the same reorgs? Hm, looks complicated.

Also the wallet designer could include a manual Allow Reorg Button , that lets the client reorg from any time, if they were forked so they don't have to redownload the blockchain from scratch.

Possible, but I don't like this solution - I think a client which does the "button click" automatically would be more popular, and then you have no reorg protection anymore.

*FYI: Blackcoin choose ~8.3 hours for their no reorg limit.*
Currently the lowest one, AFAIK.

Interesting, thanks. They're one of the more interesting "traditional" PoS coins out there.

Since the network always accepts the longest chain, he would end up in creating every new confirmation and getting full control over the blockchain.

OK, here it seems you're right, my bad. While others can find blocks, the dominant miner/attacker would simply orphan them. In this case PoS has a point.

I am however not sure if there is really no way to censor transactions with PoS coins. I have read something somewhere, but have to search it, I think it was a post by Anonymint.

[einax_oliver]

I think modern POS (like Casper, or deligated POS) have a solution on the majority of the issues described by OP.  Casper (should) effectively punish malicious actors if hard fork occurs, and delegated POS makes it nearly impossible for a malicious actor to gain enough support to be voted into validator position. They both have their issues (like major centralization of DPOS) but my strong belief they should be developed and tested at scale anyway.

check out Casper docs for more info https://github.com/ethereum/wiki/wiki/Proof-of-Stake-FAQs

[Zin-Zang]

PoW miner has no such wait period and can run continuous succeeding attacks with no wait time.

But he has to pay for the electricity all the time.

True, but to mount a successful 51% attack , he is already showing an access to extreme financial resources.
And he could double spend early to offset the costs.
In the VIDEO: Nightmare of 51% Attack - part 2 ,
http://redpinata-development.com/bitcoin-academy/index.php/reader/items/non-technical-overview.html
It is explained how the ASIC manufacturers could profit by 51% making all of the blocks.
Governments & Large Corporations would have the financial resources to pull off an extended 51% attack.

I don't care if the guy own 80% of a proof of stake coin, by combining all of my coins into a single block, and using max coin age, I could get 1 block added per dormant period and he can't stop me therefore including my transactions in the blockchain.

OK, you may have a point here. depending on the length of the "dormancy" period. But there have to be some actively minting whales for that.
(Maybe Anonymint could find some trick here, however )

Bottlecaps is a prime example, it was 51% attacked multiple times,
all they did was reimburse Cryptopia for the double spend coins, and as of today it is still trading there,
with increased required confirmations to 200 and running a checkpoint server.

(They could have done a rolling checkpoint and stayed decentralized, but they choose a centralized solution.)

But only with an extremely long confirmation time, and that was my point. Bottlecaps is a very small coin and not really used for something useful. It's simply a pennystock for gambling on exchanges, so nobody cares about it requiring so many confirmations. A coin with real merchants and clients waiting for goods and services wouldn't be able to recover "as a currency" without a hard fork.

We always heard that to be the case, but as long as the double spend only had a few victims, I am not so certain.
If it were fiat , it would be akin to someone using counterfeit money to buy good or services.
In real life , No one reimburses the person that sold his car for counterfeit money ,
they just try and arrest the guy who did the counterfeiting and only give back the car , if they catch the counterfeiter, and track down the car.
Replacing the doublespend amount with a hard fork implies a centralized authority making that decision,
a truly decentralized resource such as gold , no one makes the pretense that stolen gold will be replaced unless the person that stole it is apprehended.
It is funny, we want crypto to be decentralized, but we also want centralized protections.

I think the fear is that an attacker could focus his attack specially trying to fork the network into more than one branch.

Agree here, but I have to investigate more.

Easy ways to mitigate this is choose random times or allow set times in the wallets to block reorgs between a time range of between 1 hour to 2 days.

Would all clients block the same reorgs? Hm, looks complicated.

That is the trick , all clients would not block the same reorgs, (So it does need enough confirmations to be safe from a normal reorg)
it would make it incredibly complicated to focus an attack to fork a coin, if you don't know where to focus your attack.
So far no one has attacked blackcoin reorg limit, so we have little history to calculate the best settings.

*FYI: Blackcoin choose ~8.3 hours for their no reorg limit.*
Currently the lowest one, AFAIK.

Interesting, thanks. They're one of the more interesting "traditional" PoS coins out there.

Since the network always accepts the longest chain, he would end up in creating every new confirmation and getting full control over the blockchain.

OK, here it seems you're right, my bad. While others can find blocks, the dominant miner/attacker would simply orphan them. In this case PoS has a point.

I am however not sure if there is really no way to censor transactions with PoS coins. I have read something somewhere, but have to search it, I think it was a post by Anonymint.

There is only 1 way to Censor a Proof of Stake coin Transactions for an extended period,
but it is not 51% attack , it is 100% control of the full nodes, (Which is almost impossible)
the attacker has to control every single full node in existence as such he be able to accept or block whatever he wished.
But the same hold true for if an attacker controlled every single node on a PoW network,
he basically controls the consensus rules since their would be no competing viewpoints.
If that happens either coin is completely centralized to his rule system.

100% Full Node Domination can only be carried out by a collusion of the World's Governments.
If even 1 small country opted out of the collusion , the rest would fail in the attempt.

I think modern POS (like Casper, or deligated POS) have a solution on the majority of the issues described by OP.  Casper (should) effectively punish malicious actors if hard fork occurs, and delegated POS makes it nearly impossible for a malicious actor to gain enough support to be voted into validator position. They both have their issues (like major centralization of DPOS) but my strong belief they should be developed and tested at scale anyway.

check out Casper docs for more info https://github.com/ethereum/wiki/wiki/Proof-of-Stake-FAQs

Casper is a Frankenstein of proof of stake design, trying to fix @nas , when @nas is not even a real problem.
(Just a myth to scare the newbies. No one that really understands PoS is worried about @nas in the least.)
Ethereum will be crushed by it's insane blockchain bloat or its full nodes dominated by rich elite.
Vitalik's interference with multiple hard forks has proven eth to be centralized.

Delegated Proof of Stake , opens up the possibility of corruption of the Delegates nodes.
We have to look no further than the US political system to see that delegates only rule leads to disaster.  
As the Delegates vote in favor of their personal self interests and ignore the Greater Good.
We have over 200 years of proven history that delegate rule is corruptible.

[d5000]

We always heard that to be the case, but as long as the double spend only had a few victims, I am not so certain.
If it were fiat , it would be akin to someone using counterfeit money to buy good or services.
In real life , No one reimburses the person that sold his car for counterfeit money ,
they just try and arrest the guy who did the counterfeiting and only give back the car , if they catch the counterfeiter, and track down the car.

Well, if I have spent lots of time and money to attack a PoS currency, then I would try to scam all existing exchanges for the maximum amount. That would cause heavy disruptions and in most cases, delistings.

Replacing the doublespend amount with a hard fork implies a centralized authority making that decision,
a truly decentralized resource such as gold , no one makes the pretense that stolen gold will be replaced unless the person that stole it is apprehended.
It is funny, we want crypto to be decentralized, but we also want centralized protections.

A hard fork is not centralized per se, it can be the voluntary decision of the majority of the economic actors invested in the currency, in the case of a PoS coin, to run another client. While in past hard forks (ETH/ETC as the prime example) a kind of "leadership" led to the hard fork, that's not mandatory at all. It's enough if all merchants and exchanges simply use the new client.

Anyway, that would be a point against PoS, not for PoS.

There is only 1 way to Censor a Proof of Stake coin Transactions for an extended period,
but it is not 51% attack , it is 100% control of the full nodes, (Which is almost impossible)

I'm sure that with a very high supermajority (95% e.g.) it would be possible to censor transactions even with longer dormant periods -  the longer the "dormant period" is, the higher has to be the supermajority. The attacker would have to ensure that he always has enough active (non-dormant) stake to orphan blocks found by the honest minters. But that's mainly theoretical, in what you're right is that 67% is only enough if the dormant period is pretty short, and such an attack should be prohibitively expensive.

A problem that could arise, however, is that the attacker could increase his stake when he succeeds double-spending. He double-spends and with the coins he sold (scamming the exchange) simply re-buys coins "honestly" at other exchanges. He would need plenty of sockpuppets, but there may be still plenty of relatively anonymous ways to buy the coins (and if he's working for a government, he can use "real fake identities"). So once he has 51%, he probably is likely to increase his stake until he gets a supermajority - or the honest minters hard fork away in an ETH/ETC manner.

Regarding DPoS and similar approaches, we mainly agree - with the exception of Cardano which really looks interesting.

[Wind_FURY]

What about the argument that exchanges will become like banks by encouraging the users to deposit their POS coins in exchanges for a share of the block rewards?

Wouldn't that be centralizing and dangerous for the safety of those coins at the same time?

[d5000]

What about the argument that exchanges will become like banks by encouraging the users to deposit their POS coins in exchanges for a share of the block rewards?

Wouldn't that be centralizing and dangerous for the safety of those coins at the same time?

Yep. Big exchanges (above all, if one of them is "dominant"), stake pools (the scenario you describe is basically one), and other services with access to a large part of the coins being able to stake, are dangerous for Proof of Stake coins.

PoS coins need a relatively big group of non-colluding whales to work well. However, that should be no problem once the coin matures (Bitcoin's distribution would be fine, imo).

[Wind_FURY]

But if you want to stake you have to buy coins from the "stake holders". I believe that makes it less "permissionless" and more centralized than a coin that utilizes Proof of Work as a "block finding" mechanism.

[d5000]

But if you want to stake you have to buy coins from the "stake holders". I believe that makes it less "permissionless" and more centralized than a coin that utilizes Proof of Work as a "block finding" mechanism.

Normally, a cryptocurrency which has some value should be used as a means to pay for goods and services, and be listed at exchanges. So there will always be a way to "enter" the coin ecosystem, at least for small amounts.

There can be a problem, however, if there is a group of colluding whales with a supermajority of the stake wanting to control the currency. If they cooperate to block every intent to buy a substantial amount of the stake (e.g. more than 20%), then they can keep their control even if other users occasionally find a block (if the block contains a transaction they don't like, they simply orphan it). This is easier in models with a reduced validator set, like DPoS - an example for such a collusion are the "mafia-like" structures in Lisk; while there is currently no censorship there (I think) it's possible that it could occur.

However, this problem is not only solved by Proof of Work. Another mechanism that could be employed is Proof of Capacity/Space, where new participants cannot be censored by coin holders. It has, however, a (weaker) Nothing-at-Stake problem.

[Wind_FURY]

Yes, I have heard of Proof of Capacity/Space and Burstcoin/Spacemint, but it too has its own set of problems besides the "Nothing-at-Stake" problem. It might stem from a misunderstanding of the economics of cryptocurrencies. I may be biased, but Bitcoin is valuable because it is expensive to attack, modify, it is provably scarce, and because of its very high energy requirement, it's very secure.

Proof of Capacity/Space might be a good mining alternative but it would not produce coins of "high value" because hard drives are common, mining it is cheap, and little effort is made to mine it.

[d5000]

Proof of Capacity/Space might be a good mining alternative but it would not produce coins of "high value" because hard drives are common, mining it is cheap, and little effort is made to mine it.

But only if there are few people mining it. If a Proof-of-space coin got mature and it was competitive to mine it, then there will be also a high attack cost. You won't mine anything with your "free HD space" in this case, just as you won't mine anything with your CPU in the current Bitcoin network.

A bigger problem of Proof-of-space is in my opinion that "HD minting" can always be "simulated" with Proof of work (similar to the "stake grinding" problem of some PoS coins). Once a proof-of-space coin becomes harder to mine, it's possible that it will simply transition into a "de facto PoW coin".

(I'm also a big Bitcoin fan, because it's - by far - the most decentralized cryptocurrency, but I think simply one has to be open for alternative approaches to problems arising from the current way it works, e.g. energy consumption. Imo, if really some algorithm is found that provably can rival the current PoW in terms of security and is more efficient, Bitcoin should adopt it.)

[Wind_FURY]

Proof of Capacity/Space might be a good mining alternative but it would not produce coins of "high value" because hard drives are common, mining it is cheap, and little effort is made to mine it.

But only if there are few people mining it. If a Proof-of-space coin got mature and it was competitive to mine it, then there will be also a high attack cost. You won't mine anything with your "free HD space" in this case, just as you won't mine anything with your CPU in the current Bitcoin network.

But you said it yourself, there is a Nothing at Stake problem. What's to stop miners from colluding and also continue the timestamping process on a split chain, or multiple split chains.

A bigger problem of Proof-of-space is in my opinion that "HD minting" can always be "simulated" with Proof of work (similar to the "stake grinding" problem of some PoS coins). Once a proof-of-space coin becomes harder to mine, it's possible that it will simply transition into a "de facto PoW coin".

Can you explain how? What is stake grinding?

(I'm also a big Bitcoin fan, because it's - by far - the most decentralized cryptocurrency, but I think simply one has to be open for alternative approaches to problems arising from the current way it works, e.g. energy consumption.

What would you propose and how would you propose it to be implemented?

Imo, if really some algorithm is found that provably can rival the current PoW in terms of security and is more efficient, Bitcoin should adopt it.)

It is easier said than done. The Core developers would have already done it if positives outweigh the negatives. Plus mining has become very efficient through the continued development of ASICs. CPU and GPU mining are far less efficient in my opinion.

[d5000]

But you said it yourself, there is a Nothing at Stake problem. What's to stop miners from colluding and also continue the timestamping process on a split chain, or multiple split chains.

Nothing-at-stake is difficult to use profitably in an attack. In this aspect, PoS and PoC are not very different. Their main difference is that a PoC coin allows new users to become validators (even big ones) at any time because existing coin holders have no influence on validation. Existing miners can collude, like they can do in Proof of Work.

However, I wrote that the N@S problem at PoC is "weaker" than in PoS because there is a mining cost, and this is due to hard drives failing rapidly. A massive HDD mining farm would have continuously costs based on HDD failure. That means that if you mine on alternative chains (you must calculate different hashes with your HDDs) you'll have an additional cost. However, this cost + the electricity consumption of the HDDs, in relation to market cap, is probably much lower of the cost to mine an attack chain with PoW. So it's not free to attack the coin via N@S, like in Proof of Stake, but much cheaper than via PoW.

Can you explain how? What is stake grinding?

In some older Proof of Stake currencies, computing operations can be used to influence the pseudo-random selection process of the minter that finds a block. That means that if you have plenty of computing power you can (slightly) increase your chances to find blocks compared to a minter with the same stake but less computing power. This is called "stake grinding". A similar effect occurs in Proof of Space/Capacity: Instead of reading the hashes from the disk, you use your CPU/GPU/ASIC to calculate it.

What would you propose and how would you propose it to be implemented?

There is much more research on PoS or PoC needed, so I don't call for immediate action, only for a bit more openness.

It is easier said than done. The Core developers would have already done it if positives outweigh the negatives. Plus mining has become very efficient through the continued development of ASICs. CPU and GPU mining are far less efficient in my opinion.

No, this has no effect. The variable which influences energy-efficiency is not "effectiveness" of the algorithm, but the equation "attack cost/energy consumption" (the lower the energy consumption needed to reach a high attack cost, the higher the "energy-efficiency").

CPU and GPU mining do not differ from ASIC mining significantly regarding this equation. Only if a more efficient technology becomes available (e.g. new ASICs) all older technologies become less energy-efficient. But if no ASIC has been developed for algorithm X, coins with this algorithm are not less effective than a coin with algorithm Y mined by ASICs (with a similar market cap/reward scheme).