Topic: ppcoin POW exposure
Jutarul (OP)
February 28, 2013, 04:31:40 AM
 #1

Abstract
========

The long-term viability of the POW/POS hybrid system is discussed, in particular the exposure of ppcoin to double spend attacks facilitated by the generation of POW blocks. It is conceivable that entities or individuals with superior hashing power used to mine bitcoin have a vested interest to perform double spend attacks on a competing cryptocurrency. This is economically feasible since there are no network security trust issues with performing a double spend attack on a competing blockchain and the reduced POW requirements for ppcoin set the bar lower for a temporary 51% attack.

Discussion
==========

While I didn't have time yet to do a thorough review of the 0.3.x changes to the POS generation in ppcoin, I'd like to discuss a feature of the hybrid POS/POW system in general. In particular I am interested in a potential vulnerability for double spending attacks which stems from the existence of a 100% POW blockchain with the SAME hashing algorithm, i.e. bitcoin.

The POW in ppcoin serves the purpose to solve the initial coin distribution problem and to set the stage for its inflation policy. It was the main generator for transaction blocks in the beginning of ppcoin, a feature which becomes more or less obsolete, now that POS is taking charge of generating blocks.

The fact that ppcoin uses the same hashing algorithm as bitcoin makes it possible for someone to easily switch between the two networks for mining. This is a curse and a blessing at the same time. While it feeds off a larger user base for mining, it also exposes ppcoin to a 51% attack vector as long as the total hashing power of ppcoin is not comparable to bitcoin. E.g. currently the hashing power of the bitcoin network is around 30 TH/s at difficulty of 4.3M and that of ppcoin is assumed to be between 10-100 GH/s at a difficulty of 15k (the relationship between hashing power and difficulty is warped in ppcoin [https://bitcointalk.org/index.php?topic=140800.msg1499495#msg1499495]). Thus it requires a hashing power of 10-100 GH/s to gain a majority of ppcoin's hashing power. This is already feasible by many players in the bitcoin mining industry, and certainly possible by individuals who own ASICs.

The question then is, how to remove this exposure. There are several options:
a) increase the incentive to mine ppcoin and raise the hashing power of ppcoin to make the economic cost for a double spend attack comparable to bitcoin
b) change the hashing algorithm
c) remove POW entirely, i.e. fade it out
d) change the rule set to make it impossible to enforce a blockchain reorganization through POW
e) ?

a) defeats the purpose of ppcoin, since it causes the energy consumption of the network to be equivalent to bitcoin. b) is an option, but the hashing algorithm has to be well chosen. Also we will likely see the same technological progression as with bitcoin, going from CPUs, GPUs, FPGAs to ASICs eventually. c) is an option, but would require revising the inflation policy entirely. d) is the most interesting option, and would require tweaking the ppcoin consensus model. Ideally an entity would require BOTH, a significant hashing power AND stake generation power to perform a successful double spend attack, instead of only one. However, using stake as a means to perform a double spend attack has network trust issues as a fallout and thus has a higher associated cost - an aspect entirely missing for POW attackers.

Conclusion
==========

The consensus model in ppcoin using a POW/POS hybrid scheme allows an entity to use either component to perform a double spend attack. This is a long-term liability for ppcoin, because it allows bitcoin miners to have a unique advantage when committing attacks in the ppcoin network. Ideally a hybrid scheme requires significant investments in both components, POW and POS, at the same time, to become a threat to the network, raising the economic cost significantly. If so, a bitcoin miner would have to acquire significant stake first, which exposes himself to economic risk.

It is worth noting that this is not a unique problem of ppcoin. All blockchains which use the POW system of bitcoin (e.g. freicoin) suffer from the same exposure. However, the hybrid POW/POS may allow for a rule set which forces an entity to have a disproportionate cost when attempting a blockchain reorganization.

It is also worth noting that checkpointing currently prevents this exposure from being exploited.

@Sunny: This is an invitation to improve the ppcoin consensus model in the long run. I'd appreciate if you could share your ideas on fixing the issue in the open. Especially since it may require a revision of the consensus model, which is not just an algorithmic tweak. Also, please correct me if I am wrong - I may have overlooked something in my analysis.

The ASICMINER Project https://bitcointalk.org/index.php?topic=99497.0
"The way you solve things is by making it politically profitable for the wrong people to do the right thing.", Milton Friedman
Sunny King
February 28, 2013, 05:07:34 AM
 #2


> d) change the rule set to make it impossible to enforce a blockchain reorganization through POW


It has always been that proof-of-work alone cannot constitute a 51% attack on ppcoin, except for the first 30 days of the network when proof-of-stake blocks were not around. The attacker must wait 30 days after he generated coins via proof-of-work and then launch an attack on proof-of-stake. This is true even if the checkpoint mechanism is weakened.

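Code:
    // Trust score this block contributes to its branch.
    CBigNum GetBlockTrust() const
    {
        CBigNum bnTarget;
        bnTarget.SetCompact(nBits);   // expand the compact nBits field into the full target
        if (bnTarget <= 0)
            return 0;                 // invalid target: no trust
        // Proof-of-stake: 2^256 / (target + 1); proof-of-work: constant 1.
        return (IsProofOfStake()? (CBigNum(1)<<256) / (bnTarget+1) : 1);
    }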

The block trust score is added up on a branch to determine which branch should be the main chain. Note here any proof-of-work block is assigned a score of 1, while any proof-of-stake block has a minimum score of 2**32.

As the network hash rate increases with the advancement of Moore's Law, the proof-of-work mint rate is reduced, so it would be more and more difficult for such attackers to gain significant wealth via proof-of-work and then launch attack on proof-of-stake after 30 days.
tacotime
February 28, 2013, 05:28:55 AM
 #3

> As the network hash rate increases with the advancement of Moore's Law, the proof-of-work mint rate is reduced, so it would be more and more difficult for such attackers to gain significant wealth via proof-of-work and then launch attack on proof-of-stake after 30 days.

Does that mean the chain can easily be forked by buying a lot of coins and holding them, then?  Allowing a person with a vast majority of coins to manipulate transactions along with the rest of the block chain so long as they possessed some of the proof of work?

Code:
XMR: 44GBHzv6ZyQdJkjqZje6KLZ3xSyN1hBSFAnLP6EAqJtCRVzMzZmeXTC2AHKDS9aEDTRKmo6a6o9r9j86pYfhCWDkKjbtcns
Sunny King
February 28, 2013, 05:49:48 AM
 #4

> Does that mean the chain can easily be forked by buying a lot of coins and holding them, then?  Allowing a person with a vast majority of coins to manipulate transactions along with the rest of the block chain so long as they possessed some of the proof of work?

Yes, you can always buy the coins and attack on proof-of-stake, and you don't even need any proof-of-work. That will take some time though (30~90 days) by design. And it would take significant amount of purchase.

The thesis is that the cost of launching proof-of-stake attack should be comparable to the cost of launching 51% proof-of-work attack, if both networks have comparable market capitalization, more and more so as bitcoin network's miner income drops.

Also my approach is a little different from Gavin's and I have no problem adopting something like max reorg depth to protect the market in general from the turmoil caused by a 51% attack, and then take emergency measures like broadcasting quick checkpoints. This is not to say that I disagree with Gavin's approach, not at all. In fact I think he is doing a great service to the bitcoin and cryptocurrency community and bitcoin should be maintained with maximum decentralization as it is.
Jutarul (OP)
February 28, 2013, 06:12:49 AM
 #5


> > d) change the rule set to make it impossible to enforce a blockchain reorganization through POW
>
> The block trust score is added up on a branch to determine which branch should be the main chain. Note here any proof-of-work block is assigned a score of 1, while any proof-of-stake block has a minimum score of 2**32.

Nice. Please confirm my conclusions then:
a) the client always selects the branch which holds more proof of stake blocks
b) you can not overtake a publicized chain with a pure POW fork
c) if you want to overtake a publicized chain you need to have at least as much POS blocks in the fork
d) using POW to generate new coins in order to attack at a later stage with POS has the same economic costs as doing a pure POS attack

If all the above is true, I assume the issue is closed.

Sunny King
February 28, 2013, 06:17:43 AM
 #6


> Nice. Please confirm my conclusions then:
> a) the client always selects the branch which holds more proof of stake blocks
> b) you can not overtake a publicized chain with a pure POW fork
> c) if you want to overtake a publicized chain you need to have at least as much POS blocks in the fork
> d) using POW to generate new coins in order to attack at a later stage with POS has the same economic costs as doing a pure POS attack
>
> If all the above is true, I assume the issue is closed.

b) and d)  are true, a) and c) are roughly true given a short time window but not exact, as the sum is proportional to the sum of proof-of-stake difficulty, not the number of proof-of-stake blocks.
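
Added example, not part of the thread and not ppcoin's own code: a Python model of the GetBlockTrust() rule quoted in post #2, showing why a pure proof-of-work fork cannot outscore a branch holding a proof-of-stake block, and why (per post #6) the sum tracks proof-of-stake difficulty rather than block count. The nBits values, branch layouts and all function names are assumptions made for illustration; set_compact is a simplified stand-in for CBigNum::SetCompact.

```python
# Added illustration: a Python model of the GetBlockTrust() rule quoted in post #2.
# All nBits values and branch layouts are constructed samples, not chain data.

def set_compact(nbits: int) -> int:
    """Simplified stand-in for CBigNum::SetCompact: expand compact nBits to a target."""
    size = nbits >> 24                      # number of bytes in the target
    word = nbits & 0x007FFFFF               # 23-bit mantissa
    value = (word >> (8 * (3 - size))) if size <= 3 else (word << (8 * (size - 3)))
    return -value if nbits & 0x00800000 else value   # 0x00800000 is the sign bit

def block_trust(nbits: int, is_pos: bool) -> int:
    """Score of one block: 2^256 / (target + 1) for proof-of-stake, 1 for proof-of-work."""
    target = set_compact(nbits)
    if target <= 0:
        return 0
    return (1 << 256) // (target + 1) if is_pos else 1

def branch_trust(blocks) -> int:
    """Sum of block scores on a branch; blocks is a list of (nbits, is_pos) pairs."""
    return sum(block_trust(nbits, is_pos) for nbits, is_pos in blocks)

def best_branch(branches: dict) -> str:
    """Name of the branch the trust rule would select as the main chain."""
    return max(branches, key=lambda name: branch_trust(branches[name]))

EASY_BITS = 0x1D00FFFF   # constructed: target ~2^224, PoS score just above 2^32
HARD_BITS = 0x1C00FFFF   # constructed: target 256x smaller, PoS score about 256x larger

# Case 1: one PoS block against a fork of a million PoW blocks.
POW_VS_POS = {
    "published_1_pos": [(EASY_BITS, True)],
    "fork_1e6_pow": [(HARD_BITS, False)] * 1_000_000,
}
# Case 2: the sum follows PoS difficulty, not the PoS block count.
COUNT_VS_DIFFICULTY = {
    "three_easy_pos": [(EASY_BITS, True)] * 3,
    "one_hard_pos": [(HARD_BITS, True)],
}

if __name__ == "__main__":
    for case in (POW_VS_POS, COUNT_VS_DIFFICULTY):
        for name, blocks in case.items():
            print(f"{name:>16}: trust = {branch_trust(blocks)}")
        print("selected:", best_branch(case), "\n")
```
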
Jutarul (OP)
February 28, 2013, 06:20:56 AM
 #7

> a) and c) are roughly true given a short time window but not exact, as the sum is proportional to the sum of proof-of-stake difficulty, not the number of proof-of-stake blocks.
should be good enough, because this quantity still scales well with the number of stake blocks

AndyRossy
March 01, 2013, 12:42:39 PM
 #8

good to hear :)
tacotime
April 04, 2013, 07:26:26 PM
 #9

> As the network hash rate increases with the advancement of Moore's Law, the proof-of-work mint rate is reduced, so it would be more and more difficult for such attackers to gain significant wealth via proof-of-work and then launch attack on proof-of-stake after 30 days.

Question regarding this from an economic and technological standpoint:
Are you assuming that the proof of work rate will increase exponentially given time?

Quote
> Unlike Bitcoin there is no hard cap on the amount of coins that will be created. Bitcoin is limited to 21 million coins where PPCoin only has a hard cap of 2 billion coin in the code. There is no intention to limit the amount of coins that can be generated.
It seems there is no long term method to limit the generation of coins in PPC.  If the hash rate of the network were to suddenly fall, coin generation increases exponentially to a maximum, correct?

Additionally, if there is a dependence on the network for PoW to generate less and less coins over time (if proof of work rate somehow crashes, a great number of coins are produced and will potentially destabilize the PoS system after 30-90 days), what makes the chain more energy efficient than a PoW-only chain?

Is the intention to keep the network at the same amount of energy over time by assuming technology will increase hash rates but, from PPC's difficulty algorithm, doing so will decrease reward?

Sunny King
April 04, 2013, 07:36:24 PM
 #10

Yes, that is known as Moore's Law and is explained in the design paper.
tacotime
April 04, 2013, 07:46:37 PM
 #11

> Yes, that is known as Moore's Law and is explained in the design paper.

Right, but you didn't address what happens to PPC if the hash rate suddenly plummets, for instance, if there is some economic destabilization unrelated to PPC's code which causes people to stop mining.  Because of the exponential increase in PPC's reward as hardcoded, if the rapid generation of PPC is large enough won't the PoS system eventually be compromised by the PoW system?

Sunny King
April 04, 2013, 07:57:58 PM
 #12

> > Yes, that is known as Moore's Law and is explained in the design paper.
>
> Right, but you didn't address what happens to PPC if the hash rate suddenly plummets, for instance, if there is some economic destabilization unrelated to PPC's code which causes people to stop mining.  Because of the exponential increase in PPC's reward as hardcoded, if the rapid generation of PPC is large enough won't the PoS system eventually be compromised by the PoW system?

The reduction is reasonably slow, 16x difficulty = 1 halving. Yes the mint rate would pick back up if hash rate drops, but over a period of time it just averages out.

As I said, the mint rate design is very low future inflation comparable to bitcoin, but with non-deterministic money supply. It more closely resembles gold actually in my opinion.