Proof that Proof of Stake is either extremely vulnerable or totally centralised

[Come-from-Beyond]

Glad to see you recognize why your proposal can't function if centralization doesn't exist.

I'm talking about Nxt, not about Iota.

PS: The point was that economic relationships already enforce some level of centralization. Nxt doesn't add extra bits of centralization, it fits into existing limits.

[1714050510]

1714050510

[1714050510]

1714050510

[1714050510]

1714050510

[1714050510]

1714050510

[1714050510]

1714050510

[monsterer]

That's when you find out that you were talking to the same guy, and you bought the same private key twice.

Why wouldn't you get them to sign a their msg with each of their private keys to prove that they owned them and that they were both separate?

[monsterer]

The miners have the most skin-in-the-game and can therefore be trusted to behave in the best interests of the system.  The flaw in the design is more apparent than ever right now with the blocksize debate.  Essentially we have non-miners who also have skin-in-the-game in the form of STAKE in the system (e.g. Coinbase, Blockstream, BitPay, users wanting "cheap" transactions, etc.) that are at odds with the incentives of miners.

Miners create the value in the system which is then invested in by stakeholders. The value is the continually reinforced consensus which cements a partial order of transactions with asymptotic finality.

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

[BARR_Official]

That's when you find out that you were talking to the same guy, and you bought the same private key twice.

Why wouldn't you get them to sign a their msg with each of their private keys to prove that they owned them and that they were both separate?

They can prove that they own a receiving address, but any number of receiving addresses can belong to the same private key. 

They can't prove that their private key is different from someone else's without revealing the private key.

[LiQio]

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

[Blocktree]

In any case, arguing that old private keys have value is to say that PoS doesn't work, since the transfer of value isn't reinforced sufficiently.

I don't argue on this. I argue that it's not easy to buy private keys even if users don't understand how blockchain works. Also, according to the market laws if someone starts buying keys publicly they will raise in price. And I'm more than sure that after you privately buy 100 keys the world will know that someone is buying them.

Nxt only have 73 original keys,so attack happened before the world know.

LOL

[anon_giraffe]

How many possible staking inputs do these addresses have?
What is the min/max staking age of this coin?
How long a chain will they need to create to be longer?

Any such addresses need to have enough inputs to support not just a functional chain,
also with enough aged inputs to generate a long string of blocks with obscenely fast transaction time,
and also be "young" enough to ensure the chain necessary is not very long.


Not forgetting many PoS coins already have centralised checkpointing hard coded, and that active coins have regular checkpoints added to the source - so such centralisation is already a given.

[monsterer]

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

Check the OP - that is what this entire discussion is about.

[BARR_Official]

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

Check the OP - that is what this entire discussion is about.

PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

[funkenstein]

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

Check the OP - that is what this entire discussion is about.

PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

Anyone can mine a PoW coin, nobody can mine a PoS coin without investing first.

FTFY

[monsterer]

PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

That's entirely inaccurate. The whole point of this thread is to get people to realise that PoS does not reinforce consensus; that's what PoW miners do.

[Come-from-Beyond]

That's entirely inaccurate. The whole point of this thread is to get people to realise that PoS does not reinforce consensus; that's what PoW miners do.

ASIC speed grows in bursts. Eventually one of the bursts will allow to rewrite the whole blockchain from the genesis within a day. I wouldn't say that PoW is that secure as you think.

[monsterer]

ASIC speed grows in bursts. Eventually one of the bursts will allow to rewrite the whole blockchain from the genesis within a day. I wouldn't say that PoW is that secure as you think.

That would be a 51% attack.

[Come-from-Beyond]

That would be a 51% attack.

Ah, right. I didn't notice that you emphasized on achieving a consensus, not on security. My bad.

[BARR_Official]

PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

That's entirely inaccurate.

Then why does your attack require buying a private key that has mined on the network?

[monsterer]

That would be a 51% attack.

Ah, right. I didn't notice that you emphasized on achieving a consensus, not on security. My bad.

Your point doesn't make any sense in any other context. Mining is necessarily a competition, so if ASIC performance spikes then unless one entity has control of more than 50% of the network then they cannot rewrite the blockchain from the genesis, since all miners complete to create blocks.

[nexern]

ASIC speed grows in bursts. Eventually one of the bursts will allow to rewrite the whole blockchain from the genesis within a day. I wouldn't say that PoW is that secure as you think.

That would be a 51% attack.

pos is much more secure than pow. you can't attack pos without notice or real world feedback but you can on pow.
on pow an evil entity could easily aggregate +50% silent, in the dark, without any chance to prevent this.
even without any new fancy, more powerfull asic design, this attack could occur anytime and compared to a pos
with a similar macap it would also be cheap, very cheap.

to follow your crude 'pico-probabillity-attack-vectors' on pos, here is a crude pow one for you. just imagine that
for whatever reason, the power-lines to the three chinese mining-warehouses randomly gets broken. i guess in this
case the attack would be much cheaper, perhaps close to free compared to pos and as said, just out of the dark
without any chance or sign to prevent it. this is impossible with pos.

however, whatever possible attack vector you are constructing, it boils down to this. if you try to find a solution to fix users,
having the goal to destroy their own stuff serving them (your gen key example) you will fail, no matter how fancy your math is.
there is no solution for lunatic or planed selfdestroying behaviour simple because even if it would, it has no value because the
target and reason for this solution dissapears.

[freshman777]

to follow your crude 'pico-probabillity-attack-vectors' on pos, here is a crude pow one for you. just imagine that
for whatever reason, the power-lines to the three chinese mining-warehouses randomly gets broken. i guess in this
case the attack would be much cheaper, perhaps close to free compared to pos and as said, just out of the dark
without any chance or sign to prevent it. this is impossible with pos.

[bumbacoin]

ASIC speed grows in bursts. Eventually one of the bursts will allow to rewrite the whole blockchain from the genesis within a day. I wouldn't say that PoW is that secure as you think.

That would be a 51% attack.

pos is much more secure than pow. you can't attack pos without notice or real world feedback but you can on pow.
on pow an evil entity could easily aggregate +50% silent, in the dark, without any chance to prevent this.
even without any new fancy, more powerfull asic design, this attack could occur anytime and compared to a pos
with a similar macap it would also be cheap, very cheap.

to follow your crude 'pico-probabillity-attack-vectors' on pos, here is a crude pow one for you. just imagine that
for whatever reason, the power-lines to the three chinese mining-warehouses randomly gets broken. i guess in this
case the attack would be much cheaper, perhaps close to free compared to pos and as said, just out of the dark
without any chance or sign to prevent it. this is impossible with pos.

however, whatever possible attack vector you are constructing, it boils down to this. if you try to find a solution to fix users,
having the goal to destroy their own stuff serving them (your gen key example) you will fail, no matter how fancy your math is.
there is no solution for lunatic or planed selfdestroying behaviour simple because even if it would, it has no value because the
target and reason for this solution dissapears.

the reason Bumbacoin switched to PoS was to protect against PoW random hashes.

any shitcoin that is not worth people pointing mega-peta-hashes at the chain is at risk of multi-pools or even random arse's with a bunch of miners in their spare room.

BCX? used to make a thing about attacking shit coins, that capability is with in the hands of many more people now. even with apparently fancy difficulty re-targeting algorithms , the chain will still get shat on when mega-hash gets pointed at it.

[stdset]

It is so tiring to reply to the hordes of ignorant trolls.

I wrote upthread that one could buy and sell the coins on an exchange. They would then hold the historic private keys to attack with. This would only cost them the average spread between buy and sell prices, so they don't actually have to buy 50%.

Even monsterer doesn't claim that collecting historic priv keys is a viable attack vector. It was explained why it isn't. He claims that it's easy to collect enough priv keys for this attack in a short timeframe.

There is no way to objectively distinguish a historic key that is respent from a historic transaction that had spent that historic key. This is a double-spend with two chains arguing about which was first.

The only way to distinguish which was first is either a decentralized objectivity which is the PoW longest-chain-rule, or for PoS a centralized objectivity such as community/developer checkpoints.

Please stop wasting my time with nonsense replies.

The problem is not to acquire a historic key and make a doublespending transaction, the problem is to acquire enough historic keys to outweigh the honest stake. When you acquire the first key, you must start your fork before it was emptied. In the scenario you describe, your fork must start very far in the past, but that's not a problem. The problem is, you now have a transaction that must be censored on your fork (in your scenario it's the transaction that deposits the funds back to an exchange). Since this transaction (let's call it transaction A) is excluded from your fork, you must exclude all transactions that depend on it, i.e. a transaction B that spends that output, and all descendant transactions (that's all on your fork, the main fork continues to function as it supposed to). Now, when you make the second withdrawal from the exchange, it may happen, that you must exclude this withdrawal on your fork too, because it indirectly depends on the transaction A, so you fail to acquire new keys this time. If the second withdrawal doesn't depend on transaction A, than OK, you got the second key, but you must again censor depositing transaction on your fork, therefore your fork inevitably drifts away from the main fork and it becomes more and more difficult to find suitable keys. Given that for a successful attack you need a lot of stake/keys, the only plausible scenario is to acquire them all in a very short timeframe.

P.S. I don't know, whether my explanation is easy to understand, English isn't my native language. If it's not clear enough, maybe other people may help you (most people here seem to understand this issue with this kind of attack).