Bitcoin Forum
Author Topic: Proof that Proof of Stake is either extremely vulnerable or totally centralised  (Read 11292 times)
Come-from-Beyond
March 04, 2016, 09:18:04 PM
 #101

Glad to see you recognize why your proposal can't function if centralization doesn't exist.

I'm talking about Nxt, not about Iota.

PS: The point was that economic relationships already enforce some level of centralization. Nxt doesn't add extra bits of centralization, it fits into existing limits.
monsterer
March 04, 2016, 11:46:17 PM
 #102

That's when you find out that you were talking to the same guy, and you bought the same private key twice.

Why wouldn't you get them to sign their msg with each of their private keys to prove that they owned them and that they were both separate?
monsterer
March 05, 2016, 12:06:17 AM
 #103

The miners have the most skin-in-the-game and can therefore be trusted to behave in the best interests of the system.  The flaw in the design is more apparent than ever right now with the blocksize debate.  Essentially we have non-miners who also have skin-in-the-game in the form of STAKE in the system (e.g. Coinbase, Blockstream, BitPay, users wanting "cheap" transactions, etc.) that are at odds with the incentives of miners.

Miners create the value in the system which is then invested in by stakeholders. The value is the continually reinforced consensus which cements a partial order of transactions with asymptotic finality.

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.
BARR_Official
March 05, 2016, 01:23:12 AM
 #104

That's when you find out that you were talking to the same guy, and you bought the same private key twice.

Why wouldn't you get them to sign their msg with each of their private keys to prove that they owned them and that they were both separate?



They can prove that they own a receiving address, but any number of receiving addresses can belong to the same private key. 

They can't prove that their private key is different from someone else's without revealing the private key.

LiQio
March 05, 2016, 08:32:14 AM
 #105

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.
Blocktree
March 05, 2016, 08:59:38 AM
 #106

In any case, arguing that old private keys have value is to say that PoS doesn't work, since the transfer of value isn't reinforced sufficiently.

I don't argue on this. I argue that it's not easy to buy private keys even if users don't understand how blockchain works. Also, according to the market laws, if someone starts buying keys publicly they will rise in price. And I'm more than sure that after you privately buy 100 keys the world will know that someone is buying them.
Nxt only has 73 original keys, so the attack happened before the world knew.

LOL

anon_giraffe
March 05, 2016, 12:42:14 PM
 #107

How many possible staking inputs do these addresses have?
What is the min/max staking age of this coin?
How long a chain will they need to create to be longer?

Any such addresses need to have enough inputs to support not just a functional chain,
also with enough aged inputs to generate a long string of blocks with obscenely fast transaction time,
and also be "young" enough to ensure the chain necessary is not very long.


Not forgetting many PoS coins already have centralised checkpointing hard coded, and that active coins have regular checkpoints added to the source - so such centralisation is already a given.

monsterer
March 05, 2016, 01:52:14 PM
 #108

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

Check the OP - that is what this entire discussion is about.
BARR_Official
Hero Member
*****
Offline Offline

Activity: 630
Merit: 500


View Profile
March 05, 2016, 02:01:28 PM
 #109

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

Check the OP - that is what this entire discussion is about.



PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

funkenstein
March 05, 2016, 02:30:16 PM
 #110

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

Check the OP - that is what this entire discussion is about.



PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.


Anyone can mine a PoW coin, nobody can mine a PoS coin without investing first.

FTFY
monsterer
March 05, 2016, 02:47:57 PM
 #111

PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

That's entirely inaccurate. The whole point of this thread is to get people to realise that PoS does not reinforce consensus; that's what PoW miners do.
Come-from-Beyond
March 05, 2016, 02:56:12 PM
 #112

That's entirely inaccurate. The whole point of this thread is to get people to realise that PoS does not reinforce consensus; that's what PoW miners do.

ASIC speed grows in bursts. Eventually one of the bursts will allow rewriting the whole blockchain from the genesis within a day. I wouldn't say that PoW is as secure as you think.
monsterer
March 05, 2016, 03:26:39 PM
 #113

ASIC speed grows in bursts. Eventually one of the bursts will allow rewriting the whole blockchain from the genesis within a day. I wouldn't say that PoW is as secure as you think.

That would be a 51% attack.
Come-from-Beyond
March 05, 2016, 03:58:13 PM
 #114

That would be a 51% attack.

Ah, right. I didn't notice that you emphasized achieving a consensus, not security. My bad.
BARR_Official
March 05, 2016, 04:08:19 PM
 #115

PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

That's entirely inaccurate.


Then why does your attack require buying a private key that has mined on the network?

monsterer
March 05, 2016, 04:36:08 PM
 #116

That would be a 51% attack.

Ah, right. I didn't notice that you emphasized achieving a consensus, not security. My bad.

Your point doesn't make any sense in any other context. Mining is necessarily a competition, so if ASIC performance spikes then unless one entity has control of more than 50% of the network they cannot rewrite the blockchain from the genesis, since all miners compete to create blocks.
nexern
March 05, 2016, 04:37:57 PM
 #117

ASIC speed grows in bursts. Eventually one of the bursts will allow rewriting the whole blockchain from the genesis within a day. I wouldn't say that PoW is as secure as you think.

That would be a 51% attack.

pos is much more secure than pow. you can't attack pos without notice or real world feedback but you can on pow.
on pow an evil entity could easily aggregate +50% silently, in the dark, without any chance to prevent this.
even without any new fancy, more powerful asic design, this attack could occur anytime and compared to a pos
with a similar marketcap it would also be cheap, very cheap.

to follow your crude 'pico-probability-attack-vectors' on pos, here is a crude pow one for you. just imagine that
for whatever reason, the power-lines to the three chinese mining-warehouses randomly get broken. i guess in this
case the attack would be much cheaper, perhaps close to free compared to pos and as said, just out of the dark
without any chance or sign to prevent it. this is impossible with pos.

however, whatever possible attack vector you are constructing, it boils down to this. if you try to find a solution to fix users
having the goal to destroy their own stuff serving them (your gen key example) you will fail, no matter how fancy your math is.
there is no solution for lunatic or planned self-destroying behaviour, simply because even if there were, it would have no value because the
target and reason for this solution disappears.

freshman777
March 06, 2016, 11:41:26 AM
 #118

to follow your crude 'pico-probability-attack-vectors' on pos, here is a crude pow one for you. just imagine that
for whatever reason, the power-lines to the three chinese mining-warehouses randomly get broken. i guess in this
case the attack would be much cheaper, perhaps close to free compared to pos and as said, just out of the dark
without any chance or sign to prevent it. this is impossible with pos.


bumbacoin
March 07, 2016, 10:12:45 AM
 #119

ASIC speed grows in bursts. Eventually one of the bursts will allow rewriting the whole blockchain from the genesis within a day. I wouldn't say that PoW is as secure as you think.

That would be a 51% attack.

pos is much more secure than pow. you can't attack pos without notice or real world feedback but you can on pow.
on pow an evil entity could easily aggregate +50% silently, in the dark, without any chance to prevent this.
even without any new fancy, more powerful asic design, this attack could occur anytime and compared to a pos
with a similar marketcap it would also be cheap, very cheap.

to follow your crude 'pico-probability-attack-vectors' on pos, here is a crude pow one for you. just imagine that
for whatever reason, the power-lines to the three chinese mining-warehouses randomly get broken. i guess in this
case the attack would be much cheaper, perhaps close to free compared to pos and as said, just out of the dark
without any chance or sign to prevent it. this is impossible with pos.

however, whatever possible attack vector you are constructing, it boils down to this. if you try to find a solution to fix users
having the goal to destroy their own stuff serving them (your gen key example) you will fail, no matter how fancy your math is.
there is no solution for lunatic or planned self-destroying behaviour, simply because even if there were, it would have no value because the
target and reason for this solution disappears.




the reason Bumbacoin switched to PoS was to protect against PoW random hashes.

any shitcoin that is not worth people pointing mega-peta-hashes at the chain is at risk of multi-pools or even random arse's with a bunch of miners in their spare room.

BCX? used to make a thing about attacking shit coins; that capability is within the hands of many more people now. even with apparently fancy difficulty re-targeting algorithms, the chain will still get shat on when mega-hash gets pointed at it.
stdset
March 07, 2016, 10:24:21 AM
 #120

It is so tiring to reply to the hordes of ignorant trolls.

I wrote upthread that one could buy and sell the coins on an exchange. They would then hold the historic private keys to attack with. This would only cost them the average spread between buy and sell prices, so they don't actually have to buy 50%.
Even monsterer doesn't claim that collecting historic priv keys is a viable attack vector. It was explained why it isn't. He claims that it's easy to collect enough priv keys for this attack in a short timeframe.

There is no way to objectively distinguish a historic key that is respent from a historic transaction that had spent that historic key. This is a double-spend with two chains arguing about which was first.

The only way to distinguish which was first is either a decentralized objectivity which is the PoW longest-chain-rule, or for PoS a centralized objectivity such as community/developer checkpoints.

Please stop wasting my time with nonsense replies.
The problem is not to acquire a historic key and make a double-spending transaction; the problem is to acquire enough historic keys to outweigh the honest stake. When you acquire the first key, you must start your fork before it was emptied. In the scenario you describe, your fork must start very far in the past, but that's not a problem.

The problem is, you now have a transaction that must be censored on your fork (in your scenario it's the transaction that deposits the funds back to an exchange). Since this transaction (let's call it transaction A) is excluded from your fork, you must exclude all transactions that depend on it, i.e. a transaction B that spends that output, and all descendant transactions (that's all on your fork; the main fork continues to function as it is supposed to).

Now, when you make the second withdrawal from the exchange, it may happen that you must exclude this withdrawal on your fork too, because it indirectly depends on transaction A, so you fail to acquire new keys this time. If the second withdrawal doesn't depend on transaction A, then OK, you got the second key, but you must again censor the depositing transaction on your fork, therefore your fork inevitably drifts away from the main fork and it becomes more and more difficult to find suitable keys. Given that for a successful attack you need a lot of stake/keys, the only plausible scenario is to acquire them all in a very short timeframe.

P.S. I don't know whether my explanation is easy to understand; English isn't my native language. If it's not clear enough, maybe other people can help you (most people here seem to understand this issue with this kind of attack).
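The fork-drift argument in the post above, as an added illustration that is not part of the original thread: a constructed transaction DAG in which each acquired key's deposit (transaction A) and everything descending from it must be dropped from the attacker's fork, so a later withdrawal funded from those coins yields no usable key. The ledger, round names and the three-round scenario are invented for the example.

```python
from collections import deque

# Constructed sample ledger (invented for illustration, not real Nxt data):
# tx id -> ids of the transactions whose outputs it spends.
LEDGER = {
    "genesis": [],
    "withdraw1": ["genesis"],         # exchange pays the attacker; that key later becomes "historic"
    "deposit1": ["withdraw1"],        # attacker sends the funds back: this is transaction A
    "exch_sweep": ["deposit1"],       # exchange moves A's coins into its hot wallet
    "withdraw2": ["exch_sweep"],      # funded from A's coins, so it cannot exist on the fork
    "deposit2": ["withdraw2"],
    "other_customer": ["genesis"],    # coins that never touched transaction A
    "withdraw3": ["other_customer"],  # funded independently of A
    "deposit3": ["withdraw3"],
}

# Each round: the withdrawal that hands over a key, then the deposit that empties it again.
ROUNDS = [("withdraw1", "deposit1"), ("withdraw2", "deposit2"), ("withdraw3", "deposit3")]


def dependents(ledger, root):
    """Return `root` plus every transaction that transitively spends its outputs."""
    children = {}
    for tx, parents in ledger.items():
        for parent in parents:
            children.setdefault(parent, []).append(tx)
    seen, queue = {root}, deque([root])
    while queue:
        for child in children.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def simulate_key_harvest(ledger, rounds):
    """Walk the rounds in chain order; return (keys_acquired, censored_txs).

    A withdrawal yields a usable key only if it still exists on the fork, i.e.
    it does not descend from an already-censored deposit. Each acquired key's
    deposit is then censored with all its descendants: that is the drift.
    """
    censored, acquired = set(), []
    for withdrawal, deposit in rounds:
        if withdrawal in censored:
            continue  # depends on an earlier censored deposit: no key this round
        acquired.append(withdrawal)
        censored |= dependents(ledger, deposit)
    return acquired, censored


def fork_drift(ledger, censored):
    """Fraction of the main chain's transactions the fork has had to drop."""
    return len(censored) / len(ledger)
```

Running `simulate_key_harvest(LEDGER, ROUNDS)` shows the second withdrawal lost because it was funded from transaction A's coins, with five of the nine transactions already missing from the fork after only two usable keys.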
