Proof that Proof of Stake is either extremely vulnerable or totally centralised

[Zin-Zang]

So less assume there are no checkpoints to block it.

If the Main Chain is 3 months ahead of your fake chain, (because you purchased old keys)

Detail exactly how you are going to fake the time stamp on your fake chain blocks.

That's simple - you only have to write the corresponding number at the place in the block. You can put any number there.

Doubtful, but I like to see you try it.   
Especially curious to see the effect on the difficulty #s.

Detail exactly how you are going to fake the required time & hashes between blocks so it's difficulty # matches or exceeds the main chain, while also exceeding the block height.

Difficulty only matters in PoW chains. The attacker only needs to ensure that he has more than 50% of the weight ("chain trust" called in Peercoin) at the moment he forks his attack chain.

He achieves this with a double spend - instead of the original transaction of the "old key owner" he places his own transaction in the first fork block, which spends the same coins to another address he owns. From this moment on, both chains become incompatible, but it's trivial to produce the matching block hashes.

Your Fake chain has to exceed the length of the main chain and has to have a higher difficulty level for it to be accepted over the main chain.

You refer to "chain trust", not to difficulty. If you own 50% of the stake in your chain, then it's trivial to achieve high chain trust values.

I am referring to difficulty, in Proof of Stake it is the # that increases or decrease to make certain the blockspeed is maintained.
It is also part of the security in some Proof of Stake :
hashProofOfStake <= [Coin-age] x [Target Difficulty]      
[Coin-age] = [amount of coins] x [days in stake]
      

Calculating a fake chain should be no problem. If I have time I could do that with a short example, but don't expect it tomorrow.

It has been ~2 weeks now , any progress?

[d5000]

I am referring to difficulty, in Proof of Stake it is the # that increases or decrease to make certain the blockspeed is maintained.
It is also part of the security in some Proof of Stake :
hashProofOfStake <= [Coin-age] x [Target Difficulty]      
[Coin-age] = [amount of coins] x [days in stake]

OK. But that doesn't change anything. The attacker still can fake everything, with the exception of 1) the blockchain until the fork, and 2) the stake he has at the moment of the fork.
Let's see an example for one block of the fake chain, if he buys 51% of the keys at the moment of the fork:

Block 1:
- He calculates a PoS hash with the coins he has. That should be no problem, as he owns 51% of the stake.
- He creates a block header with a timestamp that's inside the allowed "target spacing" range, starting from the pre-fork block. He has total liberty to fake the timestamp, so he can use the "ideal value" to avoid that difficulty decreased.
- Instead of the original transaction that gives away his stake, he creates a double spend transaction to an address he controls and includes it in the block, so he continues to own 51% after the block.

Block 2:
- He calculates a PoS hash building it on Block 1, with the 51% he owns.
- He again fakes the timestamp, with a value inside the ideal "target spacing" range. Difficulty should stay high enough to be higher than the "honest" chain.

Block 3-X: Rinse and repeat until the chain has caught up.

What you're referring to is an analogy to PoW, but it doesn't work in PoS - the attacker has all the time of the world to create the PoS hashes, because with 51% of the stake he will eventually outrun all other stakers due to his drastically higher coin-age value, even if he starts to create the chain a whole year after the fork.

It has been ~2 weeks now , any progress?

I decided I can't do that (like Craig Wright ). It's simply not so important for me to waste an enormous amount of time I don't really have. (And now I'm only playing the Devil's advocate, because I'm not part of the anti-PoS fraction.)

But the above example should be enough. You have to prove now why the attacker cannot fake one of the steps I detailed.

[Zin-Zang]

I decided I can't do that (like Craig Wright ). It's simply not so important for me to waste an enormous amount of time I don't really have. (And now I'm only playing the Devil's advocate, because I'm not part of the anti-PoS fraction.)

But the above example should be enough. You have to prove now why the attacker cannot fake one of the steps I detailed.

LOL,
You did not demonstrate even faking the time stamps ,
and you have not given me a way to fake out a real client thru time manipulation.

It's ok, you're off the hook.

Later,
 

[d5000]

You did not demonstrate even faking the time stamps ,

But you do know how blocks (and headers, and timestamps) are written to the blockchain, don't you?

(Hint: Simply use a hex editor.)

[Zin-Zang]

You did not demonstrate even faking the time stamps ,

But you do know how blocks (and headers, and timestamps) are written to the blockchain, don't you?

(Hint: Simply use a hex editor.)

It needs to be for ~ 30000 blocks for a good test, so you have to excuse me for not wanting to manually enter each one.  
Plus, I am not the one claiming it is easy to do. 

[Ix]

It needs to be for ~ 30000 blocks for a good test, so you have to excuse me for not wanting to manually enter each one.  
Plus, I am not the one claiming it is easy to do. 

It is easy to fake timestamps, you just have your software write in a number into a block of the fake chain it is creating. It is difficult/impossible to fool existing nodes into believing the network is valid. However, an independent node (of the network) sees two equally valid histories based on the rules of the network. There is no way it can independently verify whether a timestamp was forged, it's just an integer in a block. This is also the case for Bitcoin, but the cost of creating that timestamp is governed by the PoW difficulty rather than a free digital signature given an attacker with ~50% of the network stake. And the attack can continue free of charge, whereas with Bitcoin you must keep expending resources to keep up with PoW because the most difficult chain wins.

It's a difficult attack to be sure because owning that much stake in a network is unlikely - but it is absolutely not impossible because many PoS systems especially have very lopsided distributions. Losing the ability for new nodes to know what is the "one, true chain" without needing outside information is a problem. How big of a problem is a matter for debate, but it can't just be brushed off as so unlikely as to be impossible.

[d5000]

Exactly, Ix. Couldn't have been formulated it better.

Blocks are simply data on a hard drive, and the client of the attacker will simply try to broadcast its version of the chain. Everything can be faked with a hex editor, "designing" data like timestamps, difficulty/spacing so it becomes accepted by protocol-following nodes.

There are only two ways to prevent these long-range attacks:
- checkpoints - either "hard coded", like in Bitcoin, or "flexible" like in the case of NXT, or centrally distributed, like in Peercoin before 0.5, so the clients would simply not accept a reorg which goes beyond the last checkpoint,
- a Proof of Approval or PBFT system where the majority (or supermajority, in the case of PBFT) of the stakers is always online and so there is no way to achieve them to accept a "fake chain" because the majority has to cast votes for all blocks (and so a "reorg" is impossible).

The problem with both systems are:
- with the checkpoint system, attackers could attempt a "semi-long range attack" after the checkpoint;
- a PoA/PBFT system must make sure that really the majority is online, otherwise the blockchain would simply stop working and needs a hard fork to determine a new validator set.

However, a long-range attack when you have only a short time (I think it was 48 hs in NXT) to execute it after the last checkpoint, should be extremely complicated. You would need lots of multi-chain stakers for your attack chain becoming accepted, or to be lucky that the validator set becomes unstable.

[monsterer2]

It's a difficult attack to be sure because owning that much stake in a network is unlikely - but it is absolutely not impossible because many PoS systems especially have very lopsided distributions. Losing the ability for new nodes to know what is the "one, true chain" without needing outside information is a problem. How big of a problem is a matter for debate, but it can't just be brushed off as so unlikely as to be impossible.

...and, indeed in the scope of the topic of this thread, it becomes much more problematic than just a contemporary majority stake holder turning bad, even recently emptied private keys can be used to carry off this attack as long as there is no objective way for the network to determine the true chain.

[Zin-Zang]

It's a difficult attack to be sure because owning that much stake in a network is unlikely - but it is absolutely not impossible because many PoS systems especially have very lopsided distributions. Losing the ability for new nodes to know what is the "one, true chain" without needing outside information is a problem. How big of a problem is a matter for debate, but it can't just be brushed off as so unlikely as to be impossible.

...and, indeed in the scope of the topic of this thread, it becomes much more problematic than just a contemporary majority stake holder turning bad, even recently emptied private keys can be used to carry off this attack as long as there is no objective way for the network to determine the true chain.

True chain can be determined by comparing block height with the block explorer for PoS or PoW.
As a Sybil attack can fake a chain on either PoS or PoW and only comparing to a Block Explorer can verify the true chain for a syncing node.

[monsterer2]

True chain can be determined by comparing block height with the block explorer for PoS or PoW.
As a Sybil attack can fake a chain on either PoS or PoW and only comparing to a Block Explorer can verify the true chain for a syncing node.

Have you listened to a single thing anyone had said in this thread?

Producing blocks under PoS has zero cost, therefore any desired chain height can be reached by the fake chain, making it impossible to objectively differentiate between fake and canon chains.

[d5000]

True chain can be determined by comparing block height with the block explorer for PoS or PoW.
As a Sybil attack can fake a chain on either PoS or PoW and only comparing to a Block Explorer can verify the true chain for a syncing node.

That's true only for PoS, not PoW, PoW in this case is objective enough. It's the thing Vitalik Buterin calls "weak subjectivity".

TaPoS or Economic Clustering is however an interesting way to do that task in an automated way - you can see which chain your friends / your preferred services were using when they were transacting. The drawback: Everybody using multiple addresses for better privacy does not help. However, I consider it a meaningful extension for PoS.

[Zin-Zang]

True chain can be determined by comparing block height with the block explorer for PoS or PoW.
As a Sybil attack can fake a chain on either PoS or PoW and only comparing to a Block Explorer can verify the true chain for a syncing node.

Have you listened to a single thing anyone had said in this thread?

Producing blocks under PoS has zero cost, therefore any desired chain height can be reached by the fake chain, making it impossible to objectively differentiate between fake and canon chains.

Geez, have you taken your meds today?  

Sybil attacks can place a fake chain with a lower PoW difficulty rating until a node sees the other chain with the higher difficulty and reorgs.
(@d5000 , if a node is completely blocked from seeing the other chain, thru blocking the non-sybil nodes, it can be fooled until such a time as the non-sybil nodes connect.)
(IE: If I were to hack an exchange and modify their conf file to use connect= instead of addnode= to my Sybil nodes, I could keep it on the Sybil chain for an indefinite period (until their support staff discovered it.))
(This would also allow me to double spend any PoW coins with that exchange and immediately cash out to one of the coins, that are connecting to a normal node.)  Bitmain could easily pull off the above attack on Bitcoin.

You have to buy or steal the PoS coins to stake them?
Their is a cost involved.
Also your pretense at how easy it would be is over exaggerated.
Feel free to 51% attack zeitcoin to prove how easy it is for you.  
(According to you it is a zero cost attack so nothing is stopping you.)

What I am saying is if their is a sybil attack involved and your node is being blocked from seeing the true chain,
you can use a block explorer to verify the true chain for PoS or PoW.

It is a 3rd party verification , but it works and people using PoS or PoW would be naive not to use it.

[Ix]

You have to buy or steal the PoS coins to stake them?
Their is a cost involved.

Not necessarily. Or not a necessarily large one. Someone could buy up a large amount of the currency when it was worth less than pennies, or even the currency creator could be a threat if a significant amount were distributed to them at the start. This is different from bitcoin because the cost to attack the network is always relative to how popular the network currently is. There is no early stage adopter threat to the network itself. (Although I have argued in the past that Satoshi is a significant threat to bitcoin economically because he can wipe out the market.)

Also your pretense at how easy it would be is over exaggerated.

I believe the only responses about how easy the attack is is in regards to your example about timestamps. Forging the chain itself is easy, having the signatures to do it is is where the difficulty lies - but there are many obscure factors that can make it easier.

It is a 3rd party verification , but it works and people using PoS or PoW would be naive not to use it.

There are also a number of attacks that do not create multiple chains but create chaos in more insidious ways. A 3rd party can't prove to you that a chain is being censored, for example. I agree that the general essence of the "nothing at stake" argument is pretty weak with improbable scenarios required to effect it, but it is better to be aware than to be blissful.

[Zin-Zang]

You have to buy or steal the PoS coins to stake them?
Their is a cost involved.

Not necessarily. Or not a necessarily large one. Someone could buy up a large amount of the currency when it was worth less than pennies, or even the currency creator could be a threat if a significant amount were distributed to them at the start. This is different from bitcoin because the cost to attack the network is always relative to how popular the network currently is. There is no early stage adopter threat to the network itself. (Although I have argued in the past that Satoshi is a significant threat to bitcoin economically because he can wipe out the market.)

ZEITCOIN is currently less than a penny and I firmly believe anyone attempting a 51% attack will fail.
The easy way is to try and buy the coin, which people seem to forget, that the danger there is it drives up the price and makes more people stake therefore increasing the difficulty. There have been many exchanges that zeitcoin outlived, so our host could go after one of those to try and steal old coins.

That why I offer it up to the topic host as a real world test for his theories.
If he could crash zeitcoin , he could prove to the world PoS is invalid as a consensus, but if not ,
it kind of proves their is an underlying cost in either money , time, or skill, that he was unable to meet and therefore way more difficult that speculated.

Bitcoin has had over 51% majority belonging to the chinese miners for years, and people ignore it , but yet when it comes to PoS ,
they pretend like every attack is more dangerous , when from my experience PoW has proven more vulnerable especially if you are not rich.

The Fact is PoW miners value is in their ASICS, a Proof of Stake value is in the coins itself, meaning destruction of that single coin, wipes them out , verses a PoW miner that could 51% attack bitcoin on Tuesday and move to bitcoin cash on Wednesday or vice-versa.

Now there are some proof of Stake coins that have been hit with a 51% attack. (Because their chains were weak.)
Eccoin  
Bottlecaps  * Hybrid PoS & PoW, funny thing the PoW did not protect it. *
* Want to know what is funny , even with a successful 51% attack , both of those coins survived and are still running today. *
* Also many PoW chains that have fallen to 51% attacks: Verge, Bitcoin Gold, Monacoin. *
https://news.bitcoin.com/proof-of-work-coins-on-high-alert-following-spate-of-51-attacks/

(PoS or PoW weak chain and 51% is likely.)

But zeitcoin has never fallen to a 51%, so anyone that wants to , can take their best shot for the bragging rights.  
But be forewarned it won't be zero costs.


FYI: Here is a Thought for Consideration.  
The Renting of Hash Rate makes all PoW coins Vulnerable to 51% attack.
(Which would not be zero cost either unless you hacked their miners and use their hash for free.)


Conclusion:
Security of any coin is only strong if the majority % that either mine it or stake it are altruistic toward said coin.
IE.  No real difference between PoW or PoS in that regard.

[Ix]

Bitcoin has had over 51% majority belonging to the chinese miners for years, and people ignore it , but yet when it comes to PoS ,
they pretend like every attack is more dangerous , when from my experience PoW has proven more vulnerable especially if you are not rich.

That is the propaganda you have to deal with on bitcointalk.org. You don't typically get unbiased opinions here.

Conclusion:
Security of any coin is only strong if the majority % that either mine it or stake it are altruistic toward said coin.
IE.  No real difference between PoW or PoS in that regard.

More or less. But discussing the crazier "what ifs" helps to design better protocols.

[monsterer2]

Sybil attacks can place a fake chain with a lower PoW difficulty rating until a node sees the other chain with the higher difficulty and reorgs.

That is an objective decision.

You have to buy or steal the PoS coins to stake them?
Their is a cost involved.

Buying empty private keys will be very, very cheap compared to renting hash power.

Also your pretense at how easy it would be is over exaggerated.
Feel free to 51% attack zeitcoin to prove how easy it is for you.  
(According to you it is a zero cost attack so nothing is stopping you.)

I have no motivation, nor desire to attack your shitcoin, I have better things to do with my time.

What I am saying is if their is a sybil attack involved and your node is being blocked from seeing the true chain,
you can use a block explorer to verify the true chain for PoS or PoW.

That is not only subjective, but is also human intervention. Double systematic failure.

[Zin-Zang]

You have to buy or steal the PoS coins to stake them?
Their is a cost involved.

Buying empty private keys will be very, very cheap compared to renting hash power.

True but stealing private keys or stealing control over a warehouse full of asics is closer to free.   

Also your pretense at how easy it would be is over exaggerated.
Feel free to 51% attack zeitcoin to prove how easy it is for you.  
(According to you it is a zero cost attack so nothing is stopping you.)

I have no motivation, nor desire to attack your shitcoin, I have better things to do with my time.

Ah Ha!

See there you refuse to pay the cost of the time it would take.
So you admit it is not a zero cost to attack a coin as you are unwilling to spend your time on it.  

You guys have a good day.  

[d5000]

@Zin-Zang: I have not negated that centralization at pools is a big problem for PoW currencies. Hacking of pools is of course possible. But maybe the - already mentioned - "Proof of Collaborative Work" model could decrease the incentives for pools. With this addition, my understanding is that PoW coins would be fairly safe from this kind of attack.

Hashrate renting makes 51% attacks easier. But it is still expensive - an attack on Bitcoin would still need several billions of dollars (In early/mid 2017 I estimated about 500-800 million, now it shoud be about 2-3 billion or even more due to the increased hashrate).

However, I believe a PoS attack to be in the same order of magnitude (~3-5% of market cap).

A sybil attack like you describe it is possible on PoW or PoS. Only BFT-based PoS coins are - somewhat - protected from that attack because there are no forks allowed where you could "lure" nodes into, but in a similar scenario (if the attacker tried to prevent a part of the validators from reaching consensus "blocking" them from the network) the blockchain would simply stop working until the malicious nodes become collaborative again or a hard fork happens.

[monsterer2]

However, I believe a PoS attack to be in the same order of magnitude (~3-5% of market cap).

...ignoring the threat outlined in the OP of the thread?

[d5000]

However, I believe a PoS attack to be in the same order of magnitude (~3-5% of market cap).

...ignoring the threat outlined in the OP of the thread?

No, that estimation includes the threats by long range attacks (like the attack you described - the typical "old keys attack"), bribe attacks, short-range attacks and other known N@S-related scenarios. No one of these attacks is free, most of them are highly impractical (try to find people that sell you 50% of the staking amount in some moment of time) and, thus, expensive - above all if there are "floating checkpoints" like in NXT, impeding long reorgs, which lowers your "attack window".

A "pure" PoS 51% attack without exploiting the nothing at stake problem would need about 10% of the market cap (typical "staking participation" is between 20 and 40% of the total stake), and also only be that low if you achieve to buy the needed tokens over a long time without moving up the price, or try a "shorting" attack. Otherwise I expect it to be closer to 15-20%.