Bitcoin Forum
Author Topic: Proof that Proof of Stake is either extremely vulnerable or totally centralised  (Read 11685 times)
kushti
March 01, 2016, 05:16:16 PM
 #41

That so-called "History attack" is discussed in the "Interactive Proof-of-stake" paper of mine http://arxiv.org/abs/1601.00275

Ergo Platform core dev. Previously IOHK Research / Nxt core dev / SmartContract.com cofounder.
monsterer (OP)
March 01, 2016, 05:18:01 PM
 #42

Do you want objective analysis, or just unthinking agreement to whatever you post?

If the latter, you can always make some sockpuppets. I just respond with my analysis using the meager resources at my disposal. And to my simplistic thinking, postulating an economically motivated attack that assumes all the victims will mindlessly just give the ability to attack is essentially the "send me all your crypto" attack. Hey, if they do, it works so it is rational and viable.

James

To be honest, I'd prefer actual analysis rather than just hyperbole and denial.

I don't think it's at all reasonable to expect all users of a PoS currency to have to understand the inner workings of blockchain consensus. Such a requirement is to require that real everyday people do not use your currency.
jl777
March 01, 2016, 05:22:43 PM
 #43

Do you want objective analysis, or just unthinking agreement to whatever you post?

If the latter, you can always make some sockpuppets. I just respond with my analysis using the meager resources at my disposal. And to my simplistic thinking, postulating an economically motivated attack that assumes all the victims will mindlessly just give the ability to attack is essentially the "send me all your crypto" attack. Hey, if they do, it works so it is rational and viable.

James

To be honest, I'd prefer actual analysis rather than just hyperbole and denial.

I don't think it's at all reasonable to expect all users of a PoS currency to have to understand the inner workings of blockchain consensus. Such a requirement is to require that real everyday people do not use your currency.
I prefer to add BTC security into PoS chain

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
allwelder
March 02, 2016, 12:32:34 AM
 #44

I believe I covered the re-org depth mitigation in the OP? It doesn't help for two reasons:

1. The re-org from this attack could easily be less than the maximum depth
2. Re-orgs greater than this depth will still be accepted by all syncing nodes, and the attacker can impersonate a majority of nodes for ~0 cost, leading to all syncing nodes accepting his version of history, which eventually leads to it becoming the canonical chain.

Reorg depth limit is one of many ways to do the job. Economic cluster participants could use something else.
What's it?
Just like the delegates in DPoS?

 
Come-from-Beyond
March 02, 2016, 06:32:58 AM
 #45

What's it?

Publication of last blocks by economic giants like Walmart. Because of https://en.wikipedia.org/wiki/Six_degrees_of_separation those who are tricked into a wrong chain will return to the legit one after human intervention.
jl777
March 02, 2016, 11:52:43 AM
 #46

What's it?

Publication of last blocks by economic giants like Walmart. Because of https://en.wikipedia.org/wiki/Six_degrees_of_separation those who are tricked into a wrong chain will return to the legit one after human intervention.
But didn't you see that Walmart itself will be forced onto the fake chain due to the inevitable forces of entropy? Surely, they won't have 100% uptime, so their server will need to be restarted and Murphy's law GUARANTEES that they will lose not just the local copy of the blockchain, but absolutely all backups. And inevitably as surely as day follows night, they will connect to the attacker's node and sync to the fake history where their balance is zero.

However, there is at the same time a mass hypnosis spell being cast on all data center operators, so they don't notice they have a zero balance and then the critical Walmart nodes are now part of the attacker's network. And it is unstoppable, after Walmart, all the other companies realize that they too are on the wrong network and immediately switch to the attacker's network. Management is useless as they don't understand the tech at all and just write off all the lost funds as a business expense. None of the customers impacted by this make a single complaint so it is impossible for anybody at all to notice something is wrong. And thus the attacker's network is 100% guaranteed to take over completely. The exact time for this is not possible to know, but typically it would happen within a few hours, maybe 10 hours at most, so don't talk about any 720 block thing.

And there is no point to say that any single assumption in the above is unlikely to happen. It will happen, this is by assertion. So it must happen and therefore the above is not unlikely at all. How can you say that any of the above is unlikely when it is assumed that it would happen?

James

http://www.digitalcatallaxy.com/report2015.html
100+ page annual report for SuperNET
allwelder
March 02, 2016, 12:20:54 PM
 #47

So the EC is much like a big centralized server for PoS coin (NXT) network, it's so big that we assume it's a legit block generator. Cry

 
Come-from-Beyond
March 02, 2016, 12:25:08 PM
 #48

So the EC is much like a big centralized server for PoS coin (NXT) network, it's so big that we assume it's a legit block generator. Cry

Kinda. And there is no alternative even for a 100% decentralized cryptocoin other than to adopt the chain of the EC.
watashi-kokoto
March 02, 2016, 12:32:51 PM
 #49

Kinda ironic that Proof of Anti-stake may work

the idea is, that user destroys its coins and by doing so confirms a block
allwelder
March 02, 2016, 12:37:22 PM
 #50

So the EC is much like a big centralized server for PoS coin (NXT) network, it's so big that we assume it's a legit block generator. Cry

Kinda. And there is no alternative even for a 100% decentralized cryptocoin other than to adopt the chain of the EC.
Cryptoers blame bitcoin for over-centralization; NXT also seems not to have solved this problem better, in contrast it needs such a centralization to solve the primary security problem.

Hmm, not good. Sad

And if so, DPoS is much more decentralized compared to EC, at least there are many delegates (101 in BTS).

 
monsterer (OP)
March 02, 2016, 01:27:06 PM
 #51

Kinda ironic that Proof of Anti-stake may work

the idea is, that user destroys its coins and by doing so confirms a block

That's called Proof of burn and it doesn't work either. The chief reason is that you burn coins to participate in the consensus process, but the burn transactions require consensus, so you have a chicken and egg problem.
kokojie
March 02, 2016, 06:02:55 PM
 #52

Theorycraft all you want, in the real world it's demonstrated many times, that PoS alt coins are much more secure than PoW alt coins. Most PoW crypto avoided the PoW insecurity by being very big, i.e. BTC/LTC. Smaller PoW crypto are usually DOA by being attacked to death.

Even better is a hybrid system of PoS + PoW + DPoS; to attack a hybrid system, you need to completely overwhelm at least 2 of the 3 mining methods, which is nearly impossible even for the US government.




btc: 15sFnThw58hiGHYXyUAasgfauifTEB1ZF6
funkenstein
March 03, 2016, 01:52:24 AM
 #53

Theorycraft all you want, in the real world it's demonstrated many times, that PoS alt coins are much more secure than PoW alt coins. Most PoW crypto avoided the PoW insecurity by being very big, i.e. BTC/LTC. Smaller PoW crypto are usually DOA by being attacked to death.
you

Kokojie has it, at least from an empirical standpoint.  However you leave out that the security you mention is more like stability.  The instability that altcoin creators are avoiding by using PoS is due to hash rate variance, especially when there exist many much more massive hash farms than your network rate due to other larger coins (secured with the same hash function). 

Anyway, history attacks are still a vaporvuln as are various PoS doublespends, until somebody figures out how to actually do them.  I for one wish you luck. 

"Give me control over a coin's checkpoints and I care not who mines its blocks."
http://vtscc.org  http://woodcoin.info
coretechs
March 03, 2016, 03:18:17 AM
 #54

To be honest, I'd prefer actual analysis rather than just hyperbole and denial.

I don't think it's at all reasonable to expect all users of a PoS currency to have to understand the inner workings of blockchain consensus. Such a requirement is to require that real everyday people do not use your currency.

Nxt has been running over 2 years and you are now soapboxing the same arguments that have been refuted over and over.  If you think you can easily attack it we have a testnet and plenty of people who would gladly provide you with all the testnet stake you need.  No hyperbole and no harm done, go ahead and prove your claims.  You might want to read the paper that kushti posted first.  The best that you can probably do is a short-range attack that is still impractical.

I expect that you know blockchain consensus is not purely technical in nature. Blockchain consensus relies heavily on economic incentives to influence human behavior, whether you are using PoW or PoS. In the impossible attack you are imagining, many user accounts would cease to exist, which would clearly indicate to any normal user that they are on a fork. It's no different than imagining that someone secretly breaks SHA256 and mines a new Bitcoin blockchain that outpaces the existing chain. How do you think people would react when their bitcoin addresses no longer have any balance? The chain would be perfectly valid according to the consensus rules. Would everyone simply shrug their shoulders and accept the loss of all their BTC?

https://bitcoindoc.com - The Rise and Rise of Bitcoin | https://blocktap.io - Lightning powered crypto query engine
monsterer (OP)
March 03, 2016, 09:12:31 AM
 #55

Nxt has been running over 2 years and you are now soapboxing the same arguments that have been refuted over and over.  

This particular one has not been refuted to my knowledge.

In the impossible attack you are imagining, many user accounts would cease to exist, which would clearly indicate to any normal user that they are on a fork.

That's not true in the least; in fact, nothing out of the ordinary would happen unless the attacker started abusing his power; he could just sit there producing blocks all by himself forever, taking 100% of transaction fees.
stdset
March 03, 2016, 03:30:29 PM
 #56

That's not true in the least; in fact, nothing out of the ordinary would happen unless the attacker started abusing his power; he could just sit there producing blocks all by himself forever, taking 100% of transaction fees.
He can't just sit and produce blocks forever. In order to be able to produce blocks he must keep balances under his control. First he must exclude transactions emptying his cheaply acquired priv keys, then he will probably want to transfer balances from those keys to his own keys, because if he doesn't do that those gullible large stakeholders who sold him their empty keys will be able to transfer funds from those keys again to their new addresses. In any case, attacker's fork will look completely different.

Come-from-Beyond
March 03, 2016, 03:38:58 PM
 #57

then he will probably want to transfer balances from those keys to his own keys, because if he doesn't do that those gullible large stakeholders who sold him their empty keys will be able to transfer funds from those keys again to their new addresses

In Nxt if the attacker does that then he will be unable to generate blocks for 1 day because moved coins lose the right to forge blocks for 1440 blocks. As a result branch difficulty will drop significantly because only those coins that the attacker controlled before the purchase of the keys will be allowed to forge. And the legit chain may get more weight taking over the control.
TPTB_need_war
March 03, 2016, 03:41:19 PM
 #58

Well you don't need to find historical keys (in order to rewrite the history of PoS block chains), when you can make them for nearly 0 cost.

Simply buy and sell on an exchange, and your cost will only be the spread.

Then short the coin, and start attacking.

Obviously this doesn't apply to illiquid meaningless microfloat altcoins. We are talking about whether PoS is viable for a mainstream decentralized coin. Not.

For a centralized coin, then anything works, you don't even need PoS nor PoW (except to fool people with).

monsterer (OP)
March 03, 2016, 03:46:19 PM
 #59

He can't just sit and produce blocks forever. In order to be able to produce blocks he must keep balances under his control. First he must exclude transactions emptying his cheaply acquired priv keys, then he will probably want to transfer balances from those keys to his own keys, because if he doesn't do that those gullible large stakeholders who sold him their empty keys will be able to transfer funds from those keys again to their new addresses. In any case, attacker's fork will look completely different.

In that sense you are correct, yes. But the attacker would be wise to just censor the transactions sending his funds away and just keep on trucking.
stdset
March 03, 2016, 04:03:35 PM
 #60

Simply buy and sell on an exchange, and your cost will only be the spread.
Simply buy 50% of available coins, withdraw them from exchanges, deposit them back and finally sell them. Surely it will cost you next to nothing.
