Bitcoin Forum
November 03, 2024, 06:18:49 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 »  All
  Print  
Author Topic: Nothing at stake in proof of stake  (Read 2982 times)
suyogm (OP)
Newbie
*
Offline Offline

Activity: 5
Merit: 0


View Profile
December 09, 2016, 03:57:00 PM
 #1

Hi Bitcoiners

This is my first post on the forum, please be kind  Smiley

I recently read up about impossibility of proof of stake and nothing at stake problem. I still do not follow what is so fundamental about it. Why can't we have a 'rule' that a node can generate only one block at given height and a running 'black-list' of public keys to enforce that rule. We can have black-listing someone as a mining operation with rewards several times block reward so that black-listing would be an equilibrium strategy.
presstab
Legendary
*
Offline Offline

Activity: 1330
Merit: 1000


Blockchain Developer


View Profile
December 09, 2016, 08:43:01 PM
 #2

Hi Bitcoiners

This is my first post on the forum, please be kind  Smiley

I recently read up about impossibility of proof of stake and nothing at stake problem. I still do not follow what is so fundamental about it. Why can't we have a 'rule' that a node can generate only one block at given height and a running 'black-list' of public keys to enforce that rule. We can have black-listing someone as a mining operation with rewards several times block reward so that black-listing would be an equilibrium strategy.

One node can have as many public keys as it wants. Public keys are not assigned to nodes.

Projects I Contribute To: libzerocoin | Veil | PIVX | HyperStake | Crown | SaluS
kiklo
Legendary
*
Offline Offline

Activity: 1092
Merit: 1000



View Profile
December 09, 2016, 08:52:23 PM
 #3

Hi Bitcoiners

This is my first post on the forum, please be kind  Smiley

I recently read up about impossibility of proof of stake and nothing at stake problem. I still do not follow what is so fundamental about it. Why can't we have a 'rule' that a node can generate only one block at given height and a running 'black-list' of public keys to enforce that rule. We can have black-listing someone as a mining operation with rewards several times block reward so that black-listing would be an equilibrium strategy.


Post a link to the one you read, and I will Rip it apart for you.  Smiley
Everyone I have read so far has been B.S. propaganda spread by PoW miners.

Proof of Stake is not only as secure as PoW , but with coin age has greater protection from 51% attack.
Which even at the time of this post , Chinese mining pools have over 51% control of Bitcoin.


 Cool

jwinterm
Legendary
*
Offline Offline

Activity: 3136
Merit: 1116



View Profile
December 09, 2016, 09:01:21 PM
 #4

See the criticism section for a quick overview:
https://en.m.wikipedia.org/wiki/Proof-of-stake
xcn
Newbie
*
Offline Offline

Activity: 51
Merit: 0


View Profile
December 09, 2016, 09:09:17 PM
 #5

Nothing At Stake Explained In 4 Minutes
https://www.youtube.com/watch?v=pzIl3vmEytY
Cryptotraider16
Sr. Member
****
Offline Offline

Activity: 420
Merit: 250

http://www.leocoinapp.com/


View Profile WWW
December 09, 2016, 09:20:26 PM
 #6

Hi Bitcoiners

This is my first post on the forum, please be kind  Smiley

I recently read up about impossibility of proof of stake and nothing at stake problem. I still do not follow what is so fundamental about it. Why can't we have a 'rule' that a node can generate only one block at given height and a running 'black-list' of public keys to enforce that rule. We can have black-listing someone as a mining operation with rewards several times block reward so that black-listing would be an equilibrium strategy.

try LEOcoin pos! you need to have at least 1000leocoin in wallet to receive 10% a year pos! coin need to be minimum 24h old and maxx 5 years!
if you hold 5000 cloins in wallet you got 15%..but if you hold 50k in wallet,then you receive 20%..its come approx 27 coins a day!

http://www.leocoin.info - LEOcoin info App!
LEOcoin - traded on 8 exchanges! more coming - Solo POS coin!
synthgauge
Hero Member
*****
Offline Offline

Activity: 1150
Merit: 502


View Profile
December 09, 2016, 10:21:57 PM
 #7

In fact all nodes follow everything in stake model which here in my corner works nicely Grin . From what u wrote its clear u misunderstood how proof of stake works.
kiklo
Legendary
*
Offline Offline

Activity: 1092
Merit: 1000



View Profile
December 10, 2016, 01:35:11 AM
Last edit: December 10, 2016, 02:18:48 AM by kiklo
 #8

Quote
Some authors[15][16] argue that proof-of-stake is not an ideal option for a distributed consensus protocol. One problem is usually called the "nothing at stake" problem, where (in the case of a consensus failure) block-generators have nothing to lose by voting for multiple blockchain-histories, which prevents the consensus from ever resolving. Because there is little cost in working on several chains (unlike in proof-of-work systems), anyone can abuse this problem to attempt to double-spend (in case of blockchain reorganization) "for free".[17]

Ok , above is the quote from the wiki.

Here is what is wrong with it.

BadGuy has 50 coins ,   GoodGuy1 has 10 Coin  , GoodGuy2 also staking 10 coins

GoodGuy1 is staking
[10] on the block 500 on Fork1

At the same moment another block is created by GoodGuy2
[10] on the block 500 on Fork2


Now the BadGuy
Since he has nothing to Lose , Stakes his 50 Coins on both Forks

So Now
Fork1 [60]  & Fork2 [60]

Which means by trying to stake on both blocks at the Same Time, all he did was Negate his Staking Power by adding to Both.  Cheesy

Which Fork is chosen will be decided by someone else , not trying to play both sides.
He makes his staking power irrelevant.

The other flaw with the Nothing at Stake Lie, which must be beyond the concept of PoW miners.
When Proof of Stake stakes a Block , Coin Age is used up, meaning those coins will now be offline and unable to stake until their minimum stake age is reached again.
It would be the same as when a PoW miner mined a coin and then immediately turned off his ASICS for a prescribed amount of time.
Which would mean he could mine no other block until , he was allowed to turn his ASICS back on.
Which is why PoS is superior to PoW , as random Chaos is entered into it.
PoW miners can maintain the ~ same HashRate thruout mining while a PoS Staker Amounts & Coin Age are in constant Flux every time they stake.
So what is burned when you stake, Coin Age & Staking Weight is burned, and it takes a minimum stake age before it can be recovered.

 Cool

FYI:
As far as the DoubleSpend , PoW or PoS is susceptible to doublespend with Zero Confirmations .
Solutions for both PoW & PoS is to wait the prescribed amount of Confirmations, and never accept Zero Confirmations.
suyogm (OP)
Newbie
*
Offline Offline

Activity: 5
Merit: 0


View Profile
December 10, 2016, 05:02:25 AM
Last edit: December 10, 2016, 05:20:39 AM by suyogm
 #9

Hi Bitcoiners

This is my first post on the forum, please be kind  Smiley

I recently read up about impossibility of proof of stake and nothing at stake problem. I still do not follow what is so fundamental about it. Why can't we have a 'rule' that a node can generate only one block at given height and a running 'black-list' of public keys to enforce that rule. We can have black-listing someone as a mining operation with rewards several times block reward so that black-listing would be an equilibrium strategy.

One node can have as many public keys as it wants. Public keys are not assigned to nodes.

Yes I had thought about it. We can, for example, require some offline PoW to white-list a public key.
It seems to me that it is central assumption behind bitcoin design that buying 'pseudo-identity' is free and I fail to see why it needs to be the case.

Those who support PoS, I would like to believe that PoS actually works but lot of smart people seem to think otherwise, others seem to propose overly involved scheme to 'work-around' it's limitations. So I joined this forum to find out what I am missing.
suyogm (OP)
Newbie
*
Offline Offline

Activity: 5
Merit: 0


View Profile
December 10, 2016, 05:39:14 AM
 #10

Quote
Some authors[15][16] argue that proof-of-stake is not an ideal option for a distributed consensus protocol. One problem is usually called the "nothing at stake" problem, where (in the case of a consensus failure) block-generators have nothing to lose by voting for multiple blockchain-histories, which prevents the consensus from ever resolving. Because there is little cost in working on several chains (unlike in proof-of-work systems), anyone can abuse this problem to attempt to double-spend (in case of blockchain reorganization) "for free".[17]

Ok , above is the quote from the wiki.

Here is what is wrong with it.

BadGuy has 50 coins ,   GoodGuy1 has 10 [Suspicious link removed]dGuy2 also staking 10 coins

GoodGuy1 is staking
[10] on the block 500 on Fork1

At the same moment another block is created by GoodGuy2
[10] on the block 500 on Fork2


Now the BadGuy
Since he has nothing to Lose , Stakes his 50 Coins on both Forks

So Now
Fork1 [60]  & Fork2 [60]

Which means by trying to stake on both blocks at the Same Time, all he did was Negate his Staking Power by adding to Both.  Cheesy

Which Fork is chosen will be decided by someone else , not trying to play both sides.
He makes his staking power irrelevant.

The other flaw with the Nothing at Stake Lie, which must be beyond the concept of PoW miners.
When Proof of Stake stakes a Block , Coin Age is used up, meaning those coins will now be offline and unable to stake until their minimum stake age is reached again.
It would be the same as when a PoW miner mined a coin and then immediately turned off his ASICS for a prescribed amount of time.
Which would mean he could mine no other block until , he was allowed to turn his ASICS back on.
Which is why PoS is superior to PoW , as random Chaos is entered into it.
PoW miners can maintain the ~ same HashRate thruout mining while a PoS Staker Amounts & Coin Age are in constant Flux every time they stake.
So what is burned when you stake, Coin Age & Staking Weight is burned, and it takes a minimum stake age before it can be recovered.

 Cool

FYI:
As far as the DoubleSpend , PoW or PoS is susceptible to doublespend with Zero Confirmations .
Solutions for both PoW & PoS is to wait the prescribed amount of Confirmations, and never accept Zero Confirmations.

In nothing at stake attack, as I understand, attackers doesn't stake on both forks. They argue that stable strategy for all honest miners is to mine on all the fork. Then attacker assumes that everyone is doing this and stakes on the double spend fork (or whatever he wants to use instead of main-chain). That is why it doesn't matter how much attacker has. I do find this valid objection, just something not fundamental and trivial to prevent, hence I started this thread.
kiklo
Legendary
*
Offline Offline

Activity: 1092
Merit: 1000



View Profile
December 10, 2016, 06:59:25 AM
Last edit: December 10, 2016, 08:05:27 AM by kiklo
 #11

In nothing at stake attack, as I understand, attackers doesn't stake on both forks. They argue that stable strategy for all honest miners is to mine on all the fork. Then attacker assumes that everyone is doing this and stakes on the double spend fork (or whatever he wants to use instead of main-chain). That is why it doesn't matter how much attacker has. I do find this valid objection, just something not fundamental and trivial to prevent, hence I started this thread.


OK , so you think

Attacker has 1 coin ,   GoodGuy1 has 10 coins GoodGuy2 also staking 10 coins

Fork1
GoodGuy1 is staking
GoodGuy2 is staking
[20]  

At the same moment on Fork2
GoodGuy1 is staking
GoodGuy2 is staking
[20]

Now the Attacker
Places a transaction on Fork1
Stakes his 1 coin on Fork 2

So Now
Fork1 [20] only 2 blocks & Fork2 [21] 3 blocks

Fork2 now has more coins in 3 Blocks, and becomes the longest chain with the most difficulty.

All of this in an attempt at a double spend.
1st off
Standard PoS wallets don't Multi-stake, you would have to code one your self.

Let's say you do and it works exactly as you described and you spend coins on Fork1 and overwrote it when Fork2 became the longest Chain.
Basically a History rewrite.

This is why it will Fail.  Once the fork2 becomes the longest chain, all of the wallets will reorg to fork2 and it will be the correct chain.
This means the coins you sent in the transaction on fork1 will not confirm, and the wallet you sent it too will not reach even 1 confirmation.

Longest chain with the most difficulty wins , just wait the recommend # of confirmations and all zero confirmation attacks fail.


 Cool

FYI:
Double spending if someone accepts zero confirmations is easy on Proof of Work.
I don't even need to be a miner, just paid a higher transaction fee to pull it off.
I had 2 devices with the same BTC wallet , send the coins from the 1st device to the vendor with no fee,
then send all of my BTC from the same wallet on 2nd device to another BTC address I control, including a high fee for faster transactions.
If the Vendor accepts Zero confirmations, he will see the BTC sent from the 1st device, and I exit the store with his product for free.
5 to 10 minutes later after the 1 confirmation, all of my BTC will have arrived at my other BTC address and the Vendor just saw his payment never Confirmed.
Moral is PoW or PoS wait the recommend confirmations.  Wink
suyogm (OP)
Newbie
*
Offline Offline

Activity: 5
Merit: 0


View Profile
December 10, 2016, 08:05:23 AM
 #12

In nothing at stake attack, as I understand, attackers doesn't stake on both forks. They argue that stable strategy for all honest miners is to mine on all the fork. Then attacker assumes that everyone is doing this and stakes on the double spend fork (or whatever he wants to use instead of main-chain). That is why it doesn't matter how much attacker has. I do find this valid objection, just something not fundamental and trivial to prevent, hence I started this thread.


OK , so you think

Attacker has 1 [Suspicious link removed]dGuy1 has 10 coins GoodGuy2 also staking 10 coins

Fork1
GoodGuy1 is staking
GoodGuy2 is staking
[20]  

At the same moment on Fork2
GoodGuy1 is staking
GoodGuy2 is staking
[20]

Now the Attacker
Places a transaction on Fork1
Stakes his 1 coin on Fork 2

So Now
Fork1 [20] only 2 blocks & Fork2 [21] 3 blocks

Fork2 now has more coins in 3 Blocks, and becomes the longest chain with the most difficulty.

All of this in an attempt at a double spend.
1st off
Standard PoS wallets don't Multi-stake, you would have to code one your self.

Let's say you do and it works exactly as you described and you spend coins on Fork1 and overwrote it when Fork2 became the longest Chain.
Basically a History rewrite.

This is why it will Fail.  Once the fork2 becomes the longest chain, all of the wallets will reorg to fork2 and it will be the correct chain.
This means the coins you sent in the transaction on fork1 will not confirm, and the wallet you sent it too will not reach even 1 confirmation.

Longest chain with the most difficulty wins ,just wait the recommend # of confirmations and all zero confirmation attacks fail.


 Cool

FYI:
Double spending if someone accepts zero confirmations is easy on Proof of Work.
I don't even need to be a miner, just paid a higher transaction fee to pull it off.
I had 2 devices with the same BTC wallet , send the coins from the 1st device to the vendor with no fee,
then send all of my BTC from the same wallet on 2nd device to another BTC address I control, including a high fee for faster transactions.
If the Vendor accepts Zero confirmations, he will see the BTC sent from the 1st device, and I exit the store with his product for free.
5 to 10 minutes later after the 1 confirmation, all of my BTC will have arrived at my other BTC address and the Vendor just saw his payment never Confirmed.
Moral is PoW or PoS wait the recommend confirmations.  Wink

From what I understand, attacker will delay using his stake until accepted number of confirmations are passed and later use it to rewrite the history. Anyway I will leave defending it to those who 'know' this stuff while I wait resolution of the original question   Smiley
kiklo
Legendary
*
Offline Offline

Activity: 1092
Merit: 1000



View Profile
December 10, 2016, 08:11:56 AM
 #13

From what I understand, attacker will delay using his stake until accepted number of confirmations are passed and later use it to rewrite the history. Anyway I will leave defending it to those who 'know' this stuff while I wait resolution of the original question   Smiley

Hmm,

Nope , every Block that passed increases the Difficulty.
Meaning your Attacker has to have enough weight to rewrite the chain from a previous point.
That is called a History Rewrite attack not a Nothing at Stake.

 Cool
lurker10
Sr. Member
****
Offline Offline

Activity: 378
Merit: 250


View Profile
December 10, 2016, 08:16:23 AM
 #14

https://www.youtube.com/watch?v=whdUSchadEs by our chief scientist Aggelos Kiayas. Enjoy


https://github.com/kushti/common-pos

https://github.com/ConsensusResearch
https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf

kiklo
Legendary
*
Offline Offline

Activity: 1092
Merit: 1000



View Profile
December 10, 2016, 08:29:23 AM
Last edit: December 10, 2016, 08:41:03 AM by kiklo
 #15

Hi Bitcoiners

This is my first post on the forum, please be kind  Smiley

I recently read up about impossibility of proof of stake and nothing at stake problem. I still do not follow what is so fundamental about it. Why can't we have a 'rule' that a node can generate only one block at given height and a running 'black-list' of public keys to enforce that rule. We can have black-listing someone as a mining operation with rewards several times block reward so that black-listing would be an equilibrium strategy.


I think , I answered why the nothing at stake is nothing to worry about.
However you want the part in blue answered.

Nothing is stopping anyone from making a wallet that stakes 1 block and then does not allow that same wallet to stake for a few more block.
Just as someone could design a Checkpoint server to enforce a checkpoint after every single block, meaning their can never be a reorg.

These things are not done, because it is not really a problem. Just a made up propaganda story by G.Maxwell that fools many people.

If any of it were truth, checkpoint servers would be implemented on all PoS coins overnight, but they are not , because using the difficulty # which increases with every block, it is unnecessary.    Smiley

Longest Chain with the Most Difficulty Wins.  Wink

 Cool


FYI:
Personally ,
I would be more concerned with the fact the Chinese Mining Pools could overwrite the last 8 to 12 hours of BTC transaction history for the last year and no one can stop them.

FYI2:
Checkpoint Servers can choose which fork a wallet will take no matter the difficulty, which is why they are considered a single point of failure.
Control the Checkpoint server and you can control the coin.  Tongue
iamnotback
Sr. Member
****
Offline Offline

Activity: 336
Merit: 265



View Profile
December 11, 2016, 08:08:44 PM
 #16

https://steemit.com/crypto/@heiditravels/crypto-tips-proof-of-work-vs-proof-of-stake#@anonymint/re-heiditravels-crypto-tips-proof-of-work-vs-proof-of-stake-20161211t193723096z

https://github.com/cosmos/cosmos/issues/43#issuecomment-264969234
rapazev
Full Member
***
Offline Offline

Activity: 210
Merit: 100



View Profile
December 11, 2016, 08:58:38 PM
 #17

sometimes i see from pow miner this argument:
"At pos, whales mine everything... small fishes doesnt take nothing", "it's a Rich get richer scheme".

well, i do agree with that... but the question is: is pow different? can i mine bitcoin using my old desktop(an small investment)? of course not.
to mine coins using PoW i have to make a huge investment in hardware. and to mine coins at PoS i have to make this same investment but in coins..

nemgun
Hero Member
*****
Offline Offline

Activity: 882
Merit: 533



View Profile WWW
December 11, 2016, 10:21:19 PM
 #18

sometimes i see from pow miner this argument:
"At pos, whales mine everything... small fishes doesnt take nothing", "it's a Rich get richer scheme".

well, i do agree with that... but the question is: is pow different? can i mine bitcoin using my old desktop(an small investment)? of course not.
to mine coins using PoW i have to make a huge investment in hardware. and to mine coins at PoS i have to make this same investment but in coins..



I Agree with you about the POS, it all depends on the weight, but as far as i remember POSV3 should solve this problem. Now for POW, it is a simple capitalist sheme, invest more to earn more. Consider POS reward as a bonus, not as a way to earn money and everything will go well.
Doesn't banks give fixed 2%/year rate ? it is a bonus right ? it is the same here.
ArcCsch
Full Member
***
Offline Offline

Activity: 224
Merit: 117


▲ Portable backup power source for mining.


View Profile
December 12, 2016, 03:19:51 AM
 #19

The issue with PoS is the Sibyl Attack.
An attacker generates an army of fake nodes, has them all create a fake blockchain from a fake genesis block, use fake timestamps to "mine" it, and tries to push this fake blockchain to all nodes.
When someone the attacker is trying to scam starts up a wallet, the wallet asks the nodes for blockchain data, and has no way of knowing which chain is genuine.
Anyone using PoS coins risks getting a sackful of worthless coins that only exist on a fake chain generated by the attacker.
PoS is green and [sarcasm] anti-china (The evil Chinese miners are destroying Bitcoin! It was all good when ghash.io was taking over, because they are Americans, therefore they have good intentions, but the Chinese want to boycott foreign transactions and double spend! We have to stop them!)[\sarcasm], but there is no way to protect against Sybil attacks without introducing even more centralization (checkpoint server = Federal Reserve system).

If you don't have sole and complete control over the private keys, you don't have any bitcoin!  Signature campaigns are OK, zero tolorance for spam!
1JGYXhfhPrkiHcpYkiuCoKpdycPhGCuswa
presstab
Legendary
*
Offline Offline

Activity: 1330
Merit: 1000


Blockchain Developer


View Profile
December 12, 2016, 06:26:50 AM
 #20

The issue with PoS is the Sibyl Attack.
An attacker generates an army of fake nodes, has them all create a fake blockchain from a fake genesis block, use fake timestamps to "mine" it, and tries to push this fake blockchain to all nodes.
When someone the attacker is trying to scam starts up a wallet, the wallet asks the nodes for blockchain data, and has no way of knowing which chain is genuine.
Anyone using PoS coins risks getting a sackful of worthless coins that only exist on a fake chain generated by the attacker.
PoS is green and [sarcasm] anti-china (The evil Chinese miners are destroying Bitcoin! It was all good when ghash.io was taking over, because they are Americans, therefore they have good intentions, but the Chinese want to boycott foreign transactions and double spend! We have to stop them!)[\sarcasm], but there is no way to protect against Sybil attacks without introducing even more centralization (checkpoint server = Federal Reserve system).

Thats why it is always good to check out the community block explorer or an exchange to see what chain they are on. Hell, this is standard procedure for any coin whether is PoS or PoW.

Projects I Contribute To: libzerocoin | Veil | PIVX | HyperStake | Crown | SaluS
Pages: [1] 2 3 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!