Bitcoin Forum
October 17, 2018, 05:30:04 PM *
News: Make sure you are not using versions of Bitcoin Core other than 0.17.0 [Torrent], 0.16.3, 0.15.2, or 0.14.3. More info.
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2] 3 4 5 6 7 8 9 10 11 »  All
  Print  
Author Topic: Proof that Proof of Stake is either extremely vulnerable or totally centralised  (Read 11282 times)
jl777
Legendary
*
Offline Offline

Activity: 1176
Merit: 1089


View Profile WWW
March 01, 2016, 04:13:25 PM
 #21

"It was a bright cold day in April, and the clocks were striking thirteen."

Use this secret phrase to get access to Nxt account holding all the coins. Now you have all the keys you were looking for, what's next?

Sorry, I don't follow you?

In the very beginning Nxt had all the coins kept on a single account that is accessible through that phrase.

This attack doesn't work that way. It relies on contemporary private keys, from very recent history.
And this appears to contradict your conclusion. If you need a matched set of keys all having large balances from very recent history, then this is either impossible or very expensive.

Especially if there is a one day timeframe.

Since it needs to be a recent set of privkeys all with large values, it almost seems to be provable that is it impossible, unless the coin's liquidity is 20% of total marketcap per day. How would it be possible for all large stakeholders to go from being large stakeholder to not having any in a very recent history timeframe?

THAT is the fatal assumption in your attack when combined with being able to buy such keys for below market value.

I can postulate a similar nearly costless attack by saying I will just by all the mining equipment for scrap values from all the large miners right after they upgrade. Since I am buying it from all of them, even though the hardware is slower, I will have more hashpower than any of them. 51% attacker is in the bag. It will be so easy to get them to sell me their useless mining equipment for $500

Or maybe not?

A large stakeholder doesnt immediately become a non-stakeholder. Most all cases it is a gradual process.

James

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
1539797404
Hero Member
*
Offline Offline

Posts: 1539797404

View Profile Personal Message (Offline)

Ignore
1539797404
Reply with quote  #2

1539797404
Report to moderator
1539797404
Hero Member
*
Offline Offline

Posts: 1539797404

View Profile Personal Message (Offline)

Ignore
1539797404
Reply with quote  #2

1539797404
Report to moderator
1539797404
Hero Member
*
Offline Offline

Posts: 1539797404

View Profile Personal Message (Offline)

Ignore
1539797404
Reply with quote  #2

1539797404
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1539797404
Hero Member
*
Offline Offline

Posts: 1539797404

View Profile Personal Message (Offline)

Ignore
1539797404
Reply with quote  #2

1539797404
Report to moderator
monsterer
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000


View Profile
March 01, 2016, 04:15:58 PM
 #22

How would it be possible for all large stakeholders to go from being large stakeholder to not having any in a very recent history timeframe?

By transferring their stake to another account that they own? The point is, they remain large stakeholders, all they sell are empty private keys.
Come-from-Beyond
Legendary
*
Online Online

Activity: 2058
Merit: 1007

Newbie


View Profile
March 01, 2016, 04:19:13 PM
 #23

What would you like more detail on?

The money gets value because someone accepts it as a mean of exchange. Usually this happens within boundaries of an economic cluster. "Cluster" implies some degree of centralization, if extra measures used to counteract "buy keys" attack don't increase the level of centralization then the problem of centralization doesn't even arise.

Economic cluster works this way:
- Alice wants to buy something in Walmart
- There are thousands of different versions of the same blockchain
- She does the payment on the same version that Walmart sticks to
- She doesn't care about the other versions as long as she gets what she has paid for

So, as we see even "buy keys" attack can do nothing if economic majority keeps an eye on the blockchain and doesn't allow deep reorgs. This is what happens in Nxt with its 720-block rollback limit.

The OP should has included the above text to look non-biased. As a bonus extra analysis on possibility of an eclipse attack that could split the economic cluster and lead to chaos is welcome.
monsterer
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000


View Profile
March 01, 2016, 04:23:44 PM
 #24

So, as we see even "buy keys" attack can do nothing if economic majority keeps an eye on the blockchain and doesn't allow deep reorgs. This is what happens in Nxt with its 720-block rollback limit.

The OP should has included the above text to look non-biased. As a bonus extra analysis on possibility of an eclipse attack that could split the economic cluster and lead to chaos is welcome.

I believe I covered the re-org depth mitigation in the OP? It doesn't help for two reasons:

1. The re-org from this attack could easily be less than the maximum depth
2. Re-orgs greater than this depth will still be accepted by all syncing nodes, and the the attacker can impersonate a majority of nodes for ~0 cost, leading to all syncing nodes accepting his version of history, which eventually leads to it becoming the canonical chain.
jl777
Legendary
*
Offline Offline

Activity: 1176
Merit: 1089


View Profile WWW
March 01, 2016, 04:23:54 PM
 #25

How would it be possible for all large stakeholders to go from being large stakeholder to not having any in a very recent history timeframe?

By transferring their stake to another account that they own? The point is, they remain large stakeholders, all they sell are empty private keys.
So now they are low intelligence large stakeholders?

What use are empty private keys other than history attack?

Might as well postulate that miners will just let you use their facilities for a small fee, since you promise not to push any buttons.

Pick a PoS coin, any PoS. Prove this attack is possible in a cash positive way. I am sure you can get many privkeys for a dead coin, but maybe a bit of a problem short selling a dead coin.

So while this history attack is a scary sounding thing, the practical difficulties makes it not anything to worry about. Try it if you dont believe me, just try to get a single valueless empty key. Maybe post an ad somewhere for it? How exactly do you propose to get recent keys?

Getting the genesis key seems to not be of any use, so maybe you need to update the OP as being impractical and not having a single documented case of it ever working and its expected return is negative cashflow

James

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
jl777
Legendary
*
Offline Offline

Activity: 1176
Merit: 1089


View Profile WWW
March 01, 2016, 04:29:51 PM
 #26

So, as we see even "buy keys" attack can do nothing if economic majority keeps an eye on the blockchain and doesn't allow deep reorgs. This is what happens in Nxt with its 720-block rollback limit.

The OP should has included the above text to look non-biased. As a bonus extra analysis on possibility of an eclipse attack that could split the economic cluster and lead to chaos is welcome.

I believe I covered the re-org depth mitigation in the OP? It doesn't help for two reasons:

1. The re-org from this attack could easily be less than the maximum depth
2. Re-orgs greater than this depth will still be accepted by all syncing nodes, and the the attacker can impersonate a majority of nodes for ~0 cost, leading to all syncing nodes accepting his version of history, which eventually leads to it becoming the canonical chain.
Please tell me who your VPS is that allows unlimited use for ~0 cost.

Are you seriously claiming that you can reorg to any depth and just a passage of time will lead to the attacker chain dominating? Because, because nobody in the entire community will notice that just maybe there is a new chain? that their balances are gone?

1. is not possible due to the duration of time it takes for large stakeholders to become non-stakeholders and I think it is fair to assume they wont sell keys to a chain they still have economic interest in. So you make a statement using "easily", when it is most likely quite difficult at best

2. this is just science fiction or is it fantasy. It assumes that nobody in the community notices during the entire attack, including the exchanges which are currently NOT running the fake chain. But of course, they will upgrade to the attacker fork where there balances are gone.

THAT is what you want people to believe? PoW has some advantages over PoS, there is no need to concoct fantasy scenarios, it just looks a bit strange. I made a way for BTC to become the central clock for all the other cryptos, at that point you wont have to worry about BTC going away for a very long time

James

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
monsterer
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000


View Profile
March 01, 2016, 04:30:26 PM
 #27

So now they are low intelligence large stakeholders?

The point is the danger of doing something like this is completely non-obvious. Why should anyone think twice about selling something which has 0 value for >0? That sounds like a win to me.

What use are empty private keys other than history attack?

Might as well postulate that miners will just let you use their facilities for a small fee, since you promise not to push any buttons.

Pick a PoS coin, any PoS. Prove this attack is possible in a cash positive way. I am sure you can get many privkeys for a dead coin, but maybe a bit of a problem short selling a dead coin.

I believe I have proved that already. I have no intention of actually carrying this attack out because I have no desire to defraud anyone. However, I think it's very important that people know what they are investing in, and the associated risks, which you have to admit are entirely opaque.

Getting the genesis key seems to not be of any use, so maybe you need to update the OP as being impractical and not having a single documented case of it ever working and its expected return is negative cashflow

The OP describes an attack unrelated to the genesis key.
Come-from-Beyond
Legendary
*
Online Online

Activity: 2058
Merit: 1007

Newbie


View Profile
March 01, 2016, 04:30:51 PM
 #28

I believe I covered the re-org depth mitigation in the OP? It doesn't help for two reasons:

1. The re-org from this attack could easily be less than the maximum depth
2. Re-orgs greater than this depth will still be accepted by all syncing nodes, and the the attacker can impersonate a majority of nodes for ~0 cost, leading to all syncing nodes accepting his version of history, which eventually leads to it becoming the canonical chain.

Reorg depth limit is one of many ways to do the job. Economic cluster participants could use something else.
monsterer
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000


View Profile
March 01, 2016, 04:34:08 PM
 #29

I believe I covered the re-org depth mitigation in the OP? It doesn't help for two reasons:

1. The re-org from this attack could easily be less than the maximum depth
2. Re-orgs greater than this depth will still be accepted by all syncing nodes, and the the attacker can impersonate a majority of nodes for ~0 cost, leading to all syncing nodes accepting his version of history, which eventually leads to it becoming the canonical chain.

Reorg depth limit is one of many ways to do the job. Economic cluster participants could use something else.

If you can describe one which doesn't involve something related to a checkpoint, or human intervention, I'd be happy to add that to the OP.
jl777
Legendary
*
Offline Offline

Activity: 1176
Merit: 1089


View Profile WWW
March 01, 2016, 04:34:53 PM
 #30

So now they are low intelligence large stakeholders?

The point is the danger of doing something like this is completely non-obvious. Why should anyone think twice about selling something which has 0 value for >0? That sounds like a win to me.

What use are empty private keys other than history attack?

Might as well postulate that miners will just let you use their facilities for a small fee, since you promise not to push any buttons.

Pick a PoS coin, any PoS. Prove this attack is possible in a cash positive way. I am sure you can get many privkeys for a dead coin, but maybe a bit of a problem short selling a dead coin.

I believe I have proved that already. I have no intention of actually carrying this attack out because I have no desire to defraud anyone. However, I think it's very important that people know what they are investing in, and the associated risks, which you have to admit are entirely opaque.

Getting the genesis key seems to not be of any use, so maybe you need to update the OP as being impractical and not having a single documented case of it ever working and its expected return is negative cashflow

The OP describes an attack unrelated to the genesis key.
My estimate is that the danger to a PoS with a relatively short max reorg depth has less to worry about from a history attack than BTC has to worry from miner centralization

You have proven nothing. There is no market for formerly large stakeholding keys. But you claim by declaration that they are easy to get and at significantly below market price. And that the current mainchain will just magically switch to the attackers chain.

Making a wrong statement is not quite the usual standard that comes with the word "proof"

James

If these old keys can indeed be used for easy attacks (I have no confidence they can), then they are not useless and have value. And if it does have value, the people who have them will quickly find out about it

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
monsterer
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000


View Profile
March 01, 2016, 04:40:15 PM
 #31

You have proven nothing. There is no market for formerly large stakeholding keys. But you claim by declaration that they are easy to get and at significantly below market price. And that the current mainchain will just magically switch to the attackers chain.

Making a wrong statement is not quite the usual standard that comes with the word "proof"

I have submitted a problem statement, which, if satisfied would enable this attack. If you disagree with the statement, let's hear your rebuttal?

I claim it would be 'easy' to acquire a historical key because it would contain no funds, and thus be worthless to the seller. That seems fairly well justified rational behaviour to me.

edit: even if it's 'hard', the attack is still possible, regardless.
Come-from-Beyond
Legendary
*
Online Online

Activity: 2058
Merit: 1007

Newbie


View Profile
March 01, 2016, 04:45:14 PM
 #32

If you can describe one which doesn't involve something related to a checkpoint, or human intervention, I'd be happy to add that to the OP.

If 10+ block reorgs are made public and require human intervention then it's enough to solve the issue. It's exactly what happened during Bitcoin Fork 2013. The knowledge that humans can intervene is enough to stop anyone buying the keys. All that is possible in this case is an expensive prank. But you decided to exclude "human intervention", well, never mind then, perhaps you have strong arguments to exclude Game theory from the security equation...
monsterer
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000


View Profile
March 01, 2016, 04:50:18 PM
 #33

If you can describe one which doesn't involve something related to a checkpoint, or human intervention, I'd be happy to add that to the OP.

If 10+ block reorgs are made public and require human intervention then it's enough to solve the issue. It's exactly what happened during Bitcoin Fork 2013. The knowledge that humans can intervene is enough to stop anyone buying the keys. All that is possible in this case is an expensive prank. But you decided to exclude "human intervention", well, never mind then, perhaps you have strong arguments to exclude Game theory from the security equation...

Human intervention largely indicates a critical failure, the resolution of which must happen under centralised control, so we arrive back at the original conclusion again.

Yes, bitcoin had just such a critical failure as well, and it nearly destroyed the currency.
jl777
Legendary
*
Offline Offline

Activity: 1176
Merit: 1089


View Profile WWW
March 01, 2016, 04:51:22 PM
 #34

You have proven nothing. There is no market for formerly large stakeholding keys. But you claim by declaration that they are easy to get and at significantly below market price. And that the current mainchain will just magically switch to the attackers chain.

Making a wrong statement is not quite the usual standard that comes with the word "proof"

I have submitted a problem statement, which, if satisfied would enable this attack. If you disagree with the statement, let's hear your rebuttal?

I claim it would be 'easy' to acquire a historical key because it would contain no funds, and thus be worthless to the seller. That seems fairly well justified rational behaviour to me.
I thought in crypto economically unviable attacks are not relevant.

Did that change? I must have missed the memo.

Since you dont have any calculations about the cost of actually acquiring the recent keys, nor even a definition of what recent is, nor how even if you magically got those recent keys how you get the big active accounts to switch chains, it does not pass the common sense test.

But if you change it to reflect that you need to fool existing large stakeholders to transfer all their funds to a new account, sell them the newly emptied key. Do this half a dozen to a dozen times. All within a few days. Then create a fake chain and then make the largest accounts, like the central exchanges with lots at stake and long time accounts to all switch to the fake chain, ok, you got me. with those sets of facts, yes you can compromise a chain.

However, an equally ridiculous set of assumptions can be used to take over a PoW chain. So this is not anything specific to PoS, it is social engineering attack mixed in with mass hypnosis. Why not simply the attack where you ask everyone to just send you all their funds? That would work too

James

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
jl777
Legendary
*
Offline Offline

Activity: 1176
Merit: 1089


View Profile WWW
March 01, 2016, 04:52:36 PM
 #35

If you can describe one which doesn't involve something related to a checkpoint, or human intervention, I'd be happy to add that to the OP.

If 10+ block reorgs are made public and require human intervention then it's enough to solve the issue. It's exactly what happened during Bitcoin Fork 2013. The knowledge that humans can intervene is enough to stop anyone buying the keys. All that is possible in this case is an expensive prank. But you decided to exclude "human intervention", well, never mind then, perhaps you have strong arguments to exclude Game theory from the security equation...

Human intervention largely indicates a critical failure, the resolution of which must happen under centralised control, so we arrive back at the original conclusion again.

Yes, bitcoin had just such a critical failure as well, and it nearly destroyed the currency.

Instead of silly hypotheticals, what about using other blockchains as the TTP?

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
Come-from-Beyond
Legendary
*
Online Online

Activity: 2058
Merit: 1007

Newbie


View Profile
March 01, 2016, 04:53:27 PM
 #36

Human intervention largely indicates a critical failure.

But the knowledge that it will happen is enough to stop anyone from buying the keys. So it will (likely) never be needed.
jl777
Legendary
*
Offline Offline

Activity: 1176
Merit: 1089


View Profile WWW
March 01, 2016, 04:56:12 PM
 #37

Human intervention largely indicates a critical failure.

But the knowledge that it will happen is enough to stop anyone from buying the keys. So it will (likely) never be needed.
I think his point is that once a highly unlikely set of assumptions are accepted as a given then you can correctly make highly unlikely set of conclusions

I actually dont see a flaw with that logic.

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
monsterer
Legendary
*
Offline Offline

Activity: 1008
Merit: 1000


View Profile
March 01, 2016, 05:02:39 PM
 #38

However, an equally ridiculous set of assumptions can be used to take over a PoW chain. So this is not anything specific to PoS, it is social engineering attack mixed in with mass hypnosis. Why not simply the attack where you ask everyone to just send you all their funds? That would work too

What you call 'ridiculous', I call rational behaviour.

The OP shows one example of how this could be profitable, so 'economically unviable' is also unjustified.
Come-from-Beyond
Legendary
*
Online Online

Activity: 2058
Merit: 1007

Newbie


View Profile
March 01, 2016, 05:03:23 PM
 #39

I think his point is that once a highly unlikely set of assumptions are accepted as a given then you can correctly make highly unlikely set of conclusions

I actually dont see a flaw with that logic.

If it means that someone can spend millions of dollars on buying keys hoping that one day users will be tired of constant human intervention and return to USD then I can accept the claim from the title.
jl777
Legendary
*
Offline Offline

Activity: 1176
Merit: 1089


View Profile WWW
March 01, 2016, 05:13:41 PM
 #40

However, an equally ridiculous set of assumptions can be used to take over a PoW chain. So this is not anything specific to PoS, it is social engineering attack mixed in with mass hypnosis. Why not simply the attack where you ask everyone to just send you all their funds? That would work too

What you call 'ridiculous', I call rational behaviour.

The OP shows one example of how this could be profitable, so 'economically unviable' is also unjustified.
Do you want objective analysis, or just unthinking agreement to whatever you post?

If the latter, you can always make some sockpuppets. I just respond with my analysis using the meager resources at my disposal. And to my simplistic thinking, postulating an economically motivated attack that assumes all the victims will mindlessly just give the ability to attack is essentially the "send me all your crypto" attack. Hey, if they do, it works so it is rational and viable.

James

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
Pages: « 1 [2] 3 4 5 6 7 8 9 10 11 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!