Proof that Proof of Stake is either extremely vulnerable or totally centralised

[monsterer]

You're assuming that regular people need to know the inner workings of blockchain consensus - this is not a reasonable thing to expect, IMO.

People know that they shouldn't give their Facebook passwords to strangers. They will reflect the same experience to money-on-blockchain. They don't know how blockchain consensus works so they will be afraid that the stranger will know their actual password knowing the old one.

Perhaps, perhaps not. What is the use of an old password? Zero, I'd say.

[1713562837]

1713562837

[1713562837]

1713562837

[1713562837]

1713562837

[1713562837]

1713562837

[Come-from-Beyond]

Perhaps, perhaps not. What is the use of an old password? Zero, I'd say.

So if someone walks to you and says "Hey, dude, gimme your empty wallet, I'll give you 20 bucks for it" you will do the deal right away without asking yourself why would anyone want to pay money for a useless thing? Hard to believe.

[monsterer]

Perhaps, perhaps not. What is the use of an old password? Zero, I'd say.

So if someone walks to you and says "Hey, dude, gimme your empty wallet, I'll give you 20 bucks for it" you will do the deal right away without asking yourself why would anyone want to pay money for a useless thing? Hard to believe.

On the street? Depends how much you need the money, doesn't it?

[Come-from-Beyond]

On the street? Depends how much you need the money, doesn't it?

I mean that the offer raises a red flag, it's that easy to conduct.

[monsterer]

On the street? Depends how much you need the money, doesn't it?

I mean that the offer raises a red flag, it's that easy to conduct.

Why should it? It's obvious to the seller that the wallet is worthless when it contains nothing.

[Come-from-Beyond]

Why should it? It's obvious to the seller that the wallet is worthless when it contains nothing.

To me it stops being obvious if someone wants my wallet and offers money for that.

[monsterer]

Why should it? It's obvious to the seller that the wallet is worthless when it contains nothing.

To me it stops being obvious if someone wants my wallet and offers money for that.

This is plainly ridiculous. How much do you sell an empty cardboard box for which once contained £10?

[Come-from-Beyond]

This is plainly ridiculous. How much do you sell an empty cardboard box for which once contained £10?

I'm not sure the analogy is correct.

[monsterer]

This is plainly ridiculous. How much do you sell an empty cardboard box for which once contained £10?

I'm not sure the analogy is correct.

In any case, arguing that old private keys have value is to say that PoS doesn't work, since the transfer of value isn't reinforced sufficiently.

[Come-from-Beyond]

In any case, arguing that old private keys have value is to say that PoS doesn't work, since the transfer of value isn't reinforced sufficiently.

I don't argue on this. I argue that it's not easy to buy private keys even if users don't understand how blockchain works. Also, according to the market laws if someone starts buying keys publicly they will raise in price. And I'm more than sure that after you privately buy 100 keys the world will know that someone is buying them.

[BARR_Official]

Let's say you contact the owners of 2 large addresses -
their names are Balthius Oathsworn and Jello Bananus.

They each sign a message proving that they own each respective address.  The messages also include disgusting vulgarities which make you vomit and weep, because of the shocking imagery that haunts your mind when you close your eyes.  

But you just think it must be normal for the internet,
so you proceed with your spiteful and masturbatory plan to ruin the staking network of EuroCatzSharesDark.

You pay them, escrow it, however you want, and then they send you the private keys.

That's when you find out that you were talking to the same guy, and you bought the same private key twice.

WHAT DO YOU DO?

Balthius - under his main alt account named Caramelt Deluscious,
has already started bragging about ripping you off, over at EuroCatzSharesDarkTalk.
Everyone is laughing at you and preparing redundant waves of 5-node server clusters
that automatically take turns online, offline, backup, checkpoint, and mecha-deployment mode.

Are you still going to wage network warfare against the same people who just outsmarted you?

What makes you think they don't have even more tricks you've never thought of?

Caramelt isn't even their top guy!  
Remember, this coin attracts a lot more hackers than regular EuroCatzShares.
If they get into a good-natured contest over there to show off their skills,
you could find yourself with more pizzas being delivered to your house than you could eat.  EVER.

[coretechs]

We are interested in trustless, decentralized crypto currency. That is what Satoshi pitched to us in his white paper. Satoshi's design is also flawed though.

Besides this does nothing to stop the attack monsterer outlined. Whose stake is valid? Whose is current, the reorganized block chain or the reorganized one? Which one was the reorganized one? You see proof-of-shit is self-referential and thus can't prove anything about itself.

Trustless decentralized crypto-currency is probably impossible.*  (http://www.links.org/files/decentralised-currencies.pdf)

No matter what the design, in the end you have to trust human beings at some level.  Satoshi's design provided strong incentives for human behavior via costs of physical resources consumption.  The miners have the most skin-in-the-game and can therefore be trusted to behave in the best interests of the system.  The flaw in the design is more apparent than ever right now with the blocksize debate.  Essentially we have non-miners who also have skin-in-the-game in the form of STAKE in the system (e.g. Coinbase, Blockstream, BitPay, users wanting "cheap" transactions, etc.) that are at odds with the incentives of miners.  All want Bitcoin to succeed in different ways, and there is no clear path for miners to decide which is better for them to profit because it is an economic uncertainty that falls outside of the bounds of technical knowledge.

Proof-of-stake consensus gives us a similar situation, but it does so with far less centralization than proof-of-work.  A participant in a proof-of-stake system like Nxt has direct representation and never has their voting rights diluted, and therefore the system can maintain a higher level of decentralization than proof-of-work, where it is inevitable.  Mining today is effectively a barrier-to-entry for anyone who wants to participate in consensus, which is good for some attack vectors (expensive) but bad for others - Bitcoin stakeholders/companies/users have no choice but to lobby centralized miner overlords, which results in social & economic attacks like BitcoinXT/Classic/etc.  If the threat of a fork by a majority of users exists, is there any justification in burning energy?

In my opinion the security trade-offs in proof-of-stake favor decentralization.  The active research in consensus protocols may give us new tools and techniques to sufficiently increase the security of PoS to practical levels of "trustlessness".  The energy efficiency of proof-of-stake consensus as well as the low barrier-to-entry for participants make it a worthwhile pursuit in my opinion, and in the long run Bitcoin itself will benefit from proof-of-stake experimentation.

[Moloch]

Why not just use the easy 51% attack on PoS?  There is no need to buy all these old wallets, etc... you can 51% attack PoS with 5% of the coin

All PoS coins forked from PPCoin are vulnerable... I can't say for sure if non-forks like nxt are vulnerable in the same way, but I'll explain the method


Separate the 5% you own into 5 wallets each containing 1% of the total supply of coins

Take 4 of the 5 wallets offline, and wait a day or 3

Spend the coins in the online wallet, and wait for 2 confirms (and credit on a 2-confirm website/exchange)

Bring the other 4 wallets online with a modified wallet code to reject the last 3 blocks, and start a competing chain to double-spend your 1% of the coin

Since your 4 staking wallets were offline for a few days, they have accumulated "staking weight"/"coin days", and will find a block almost instantly... you are nearly guaranteed to find 4 blocks in a row... 51% attack with only 5% of the coin!

[TPTB_need_war]

It is so tiring to reply to the hordes of ignorant trolls.

I wrote upthread that one could buy and sell the coins on an exchange. They would then hold the historic private keys to attack with. This would only cost them the average spread between buy and sell prices, so they don't actually have to buy 50%.

Even monsterer doesn't claim that collecting historic priv keys is a viable attack vector. It was explained why it isn't. He claims that it's easy to collect enough priv keys for this attack in a short timeframe.

There is no way to objectively distinguish a historic key that is respent from a historic transaction that had spent that historic key. This is a double-spend with two chains arguing about which was first.

The only way to distinguish which was first is either a decentralized objectivity which is the PoW longest-chain-rule, or for PoS a centralized objectivity such as community/developer checkpoints.

Please stop wasting my time with nonsense replies.

[TPTB_need_war]

max reorg depth in NXT is 720 blocks

Checkpoints are centralization.

Mex reorg depth isn't checkpoints.

It is if you expect it to be honored objectively by offline nodes (propagation isn't objective proof because it can be Sybil attacked). I will let monsterer explain that to you, if you don't understand.

May be you will explain us what exactly is centralised in a cryptocurrency (doesn't matter PoS or PoW) whose nodes reject reorgs if they are deeper than the max allowed depth?

Maybe first you can explain why you are too ignorant to understand what I wrote which thus makes your reply irrelevant noise.

I like to quote such sentences for posterity.

Now on the matter. If your node discovers a fork that is longer that the max reorg depth you can interpret that like if the node rejects to resolve the conflict in automatic manner, it prefers to stay on the fork it was before the conflict was discovered and lets you resolve it manually.

You still fail to understand what I wrote the first time. Which is that offline nodes see two chains which disagree, and they don't know which one was first. And they can be lied to by the nodes which claim they were online.

The only solution is to use centralized community/developer checkpoints.

You are very slow minded.

And you can be sure, in the case of such a major attack there will be a lot of forum threads, news, buzz, and it won't be difficult to detect which fork is a legit one.

That is centralization because you must trust some authority to make a decision as to which community decisions should be enacted. The Bitcoin block size debate is an example for you about community consensus not working without a dictator.

You don't have a fucking clue. And you are wasting my time.

[Come-from-Beyond]

The only way to distinguish which was first is either a decentralized objectivity which is the longest-chain-rule, or a centralized objectivity such as community/developer checkpoints.

There is a 3rd way, Economic Clustering and in Nxt it's implemented in a way that doesn't require human intervention after initial setting.

[TPTB_need_war]

We are interested in trustless, decentralized crypto currency. That is what Satoshi pitched to us in his white paper. Satoshi's design is also flawed though.

Besides this does nothing to stop the attack monsterer outlined. Whose stake is valid? Whose is current, the reorganized block chain or the reorganized one? Which one was the reorganized one? You see proof-of-shit is self-referential and thus can't prove anything about itself.

Trustless decentralized crypto-currency is probably impossible.*  (http://www.links.org/files/decentralised-currencies.pdf)

Section 4 of that white paper is written by an idiot who doesn't understand economics.

51% attacking a coin requires it to be economic. The attacker must be able to make gains which exceed his costs of attacking. The problem for the attacker in PoW is that the attack is only sustained for as long as the attacker continues to spend on electricity. Thus shorting the coin is probably not going to work, since everyone knows the attacker has to sustain a negative income situation indefinitely. Contrasted with PoS where you only need to have owned the coins once (even if you've already spent them!). 

The attacker can attempt to double-spend his coins, but the community is very like to blacklist his double-spent coins thus removing his income.

The viable 51% attack is the one that forces KYC on all transactions or changes the protocol in ways that the masses don't object to. The State is the one who has the incentive to do this attack.

Or in Bitcoin's example for the mining cartel to block protocol updates such as block size increases to increase their profits via rising transaction fees.

I have a solution for the latter two economic attacks which also will reduce the electricity consumption to an insignificant level.

No matter what the design, in the end you have to trust human beings at some level.

Not in my design.

In my opinion the security trade-offs in proof-of-stake favor decentralization.  The active research in consensus protocols may give us new tools and techniques to sufficiently increase the security of PoS to practical levels of "trustlessness".  The energy efficiency of proof-of-stake consensus as well as the low barrier-to-entry for participants make it a worthwhile pursuit in my opinion, and in the long run Bitcoin itself will benefit from proof-of-stake experimentation.

You are ignorant.

[TPTB_need_war]

The only way to distinguish which was first is either a decentralized objectivity which is the longest-chain-rule, or a centralized objectivity such as community/developer checkpoints.

There is a 3rd way, Economic Clustering and in Nxt it's implemented in a way that doesn't require human intervention after initial setting.

Thus you mean centralization. Otherwise you get non-convergence of consensus (e.g. three clusters of 33% each). You keep making the same design error, which you've repeated with Iota.

[Come-from-Beyond]

Thus you mean centralization. Otherwise you get non-convergence of consensus (e.g. three clusters of 33% each). You keep making the same design error, which you've repeated with Iota.

I find your lack of Economics knowledge suspicious. Has real AnonyMint sold you one of his accounts? It's Economics 101 that money can't function outside of an economic cluster boundaries.

[TPTB_need_war]

money can't function outside of an economic cluster boundaries.

Glad to see you recognize why your proposal can't function if centralization doesn't exist.