Nothing at stake in proof of stake

[kiklo]

The issue with PoS is the Sibyl Attack.
An attacker generates an army of fake nodes, has them all create a fake blockchain from a fake genesis block, use fake timestamps to "mine" it, and tries to push this fake blockchain to all nodes.
When someone the attacker is trying to scam starts up a wallet, the wallet asks the nodes for blockchain data, and has no way of knowing which chain is genuine.
Anyone using PoS coins risks getting a sackful of worthless coins that only exist on a fake chain generated by the attacker.
PoS is green and [sarcasm] anti-china (The evil Chinese miners are destroying Bitcoin! It was all good when ghash.io was taking over, because they are Americans, therefore they have good intentions, but the Chinese want to boycott foreign transactions and double spend! We have to stop them!)[\sarcasm], but there is no way to protect against Sybil attacks without introducing even more centralization (checkpoint server = Federal Reserve system).

LOL,  

You do realize that PoW or PoS coins are both Protected from the little story you just described by the Checkpoints written directly in the program code.  
Does not matter how long or how high the difficulty of the Fake Chain , that itty bitty checkpoint stops that shameless hussy know as Sybil Cold.

I sorry but the Scary Sybil story, can't overpower a simple checkpoint. Which is why PoW coins & PoS coins both use them in their program code.

I do agree that a check point server is centralized and should be avoided as a single point of failure.

However the checkpoints in the source code or even what is know as a rolling checkpoint (simply not allowing reorgs after a certain # of blocks) ,
both allow the coin to stay Decentralized and Protected.  


 

FYI:
PressTab brought up an excellent point.

Thats why it is always good to check out the community block explorer or an exchange to see what chain they are on.
Hell, this is standard procedure for any coin whether is PoS or PoW.

[iamnotback]

Since no one here can seem to articulate the issues properly and seem to have completely ignored my prior post in this thread with links off to expert points, I am forced to post because there is so much disinformation being posted in this thread.

The nothing-at-stake issue manifests itself in numerous different ways. For example in PoS but not in DPoS, it can manifest in a stake grinding attack, which converts PoS into PoW. So you've achieved nothing with PoS. Checkpoints don't help to stop stake-enabled malfeasance in real-time, i.e. there is nothing-at-stake to attempt attacks in between checkpoints. There are various schemes that purport to deal with certain attacks and we even have NEM's Proof-of-Importance which obfuscates that it is really attackable by nothing-at-stake. To respond to each of these with details on the different varieties of nothing-at-stake vulnerabilities for every hyped NAOD (nonsense algorithm of the day), is more time than I can waste right now. But if you read my rebuttal of Dan Larimer linked below, you will get some flavor for the fact that it is indeed possible to find egregious, insoluble flaws in all these PoS variants. In short, none of the consensus systems (including PoW) invented thus far are robust enough. I wrote about this yesterday:

https://steemit.com/blockchain/@anonymint/future-of-decentralized-currency-is-not-bitcoin
https://medium.com/@shelby_78386/future-of-decentralized-currency-is-not-bitcoin-eec2e9c39a0a

Both PoS and DPoS have the nothing-at-stake flaw that it can be in some scenarios more liquid (on a time opportunity cost basis) to attack and short the coin, than it can be to protect one's stake for the long-term investment. Thus the stake is really nothing-at-stake. Whereas, for "the one chain to rule them" on non-repurposable ASICs, the PoW mining farms have at stake their huge sunk costs and long-term leases which they can't recover with shorting and overt attacking. However, for lesser PoW chains and those without an ASIC, they can in theory be attacked by renting hashrate and/or botnets. This is all covered in great detail in my whitepaper which will hopefully be released within Q1 2017.

Note even Dan Larimer could not refute my summary of attacks on his DPoS. Make sure you click that link and get a little bit of the flavor of the deep level of inspection of issues you will get with my coming whitepaper.

IOHK and Charles Hoskinson did not solve the problem that the stake concentrates in a power vacuum and that 51% of the stake can still do malfeasance.

...However, these "wolverine federated systems in an illusory democratic sheepskin" are more computationally efficient than systems which employ proof-of-work.

IOHK has proved security for a PoS system, but the assumption remains that the majority of the stake is not colluding to violate the Nash equilibrium and a majority of the stake remain online at all times. I don't see what IOHK's PoS accomplishes which isn't already accomplished by DPoS? Is it more objective w.r.t. to violations of Nash equilibrium since in DPoS the majority of the stake can be offline so can't observe first-hand any violations? DPoS is presumably provably secure if a majority of the delegates adhere to the Nash equilibrium.

So in summary, we can hide "wolverine federated systems in an illusory democratic sheepskin" and gain computational efficiency. But the security problems (or more realistically the economic centralization problem since large stake holders need insidious means as there isn't sufficient shorting liquidity for them to scorch their earth) shift to the power vacuum of political economics and the inviolable power-law distribution of wealth (beget by economies-of-scale). Yet Satoshi's design also has these centralization problems due to the power vacuum of political economics and the inviolable power-law distribution of wealth (beget by economies-of-scale).

Will anyone find another class of solution which provides long-term stable resistance to the centralization inherent in the power vacuum of political economics and the inviolable power-law distribution of wealth (beget by economies-of-scale)? Is (D)PoS already more realistically resistant to insidious effects of centralization of vested interests "stake" than Satoshi's design?

This is the Holy Grail we seek because centralized ecosystems don't scale due to the stifling politics and vested interests. In my opinion (which is probably an analysis many others share), this is what is holding back Bitcoin lately.

Sorry I don't have time to waste arguing on the forum. It is time to get something accomplished, which I can't do it I am going back and forth here.

If any of you have something important to debate, write a white paper. Do some deep research. Write a comprehensive document. All this n00bs pontification from their armchairs is actually spreading disinformation.

I am not claiming kiklo is a n00b, but he is not telling you everything he knows when he replies. He is just telling you the part that makes PoS look favorable.

kiklo is correct that in theory the lesser PoW chains and especially those without ASICs in theory need checkpoints, but that doesn't even protect them from rented hashrate attacks. However his point does not apply to Bitcoin. Bitcoin has checkpoints to be extremely paranoid such as if for example there was breakage of SHA256 such as a quantum computer attack such as the one described at the end of Iota's Tangle white paper.

[kiklo]

We ignore you old friend , because you're too long winded.  

Checkpoints stop longer range history attacks and the between Difficulty # and waiting for confirmations PoS is safe to use.
And I don't want to waste time arguing with you either, so instead of writing a Book , pick a PoS coin and Prove your Exploits.
Don't talk theory , Prove it Real World , until then , I will trust the checkpoints and Difficulty #, and wait for the required confirmations.

Don't forget a year ago , you were against all forms of PoS and now you are promising your new coin will be a form of DPOS (with your fixes of course.)  

By the way your talk of Shorting a coin (like shorting a stock) , like I told you in the past, if you think Shorting is that easy,
Pick a coin and show me how you kill it by shorting it, (It is not as easy as you make out.) .


 

FYI:  Now you claim to Know , what you think I Know.   

I am not claiming kiklo is a n00b, but he is not telling you everything he knows when he replies.

[kiklo]

kiklo is correct that in theory the lesser PoW chains and especially those without ASICs in theory need checkpoints, but that doesn't even protect them from rented hashrate attacks. However his point does not apply to Bitcoin. Bitcoin has checkpoints to be extremely paranoid such as if for example there was breakage of SHA256 such as a quantum computer attack such as the one described at the end of Iota's Tangle white paper.

Here is theory for you to tangle with.

Quantum Computer creates a Virtual System , that has time emulated where 1 nanosecond emulates 1 normal second in the real world.
Inside this virtual system the time is set back to a month before btc was created.
Using the Quantum computer abilities, it creates a PoW blockchain that is longer with more difficulty in a fraction of the time.

* And the only thing that stops it from overwriting the Bitcoin PoW blockchain are those little checkpoints. * 

PoW or PoS face many of the same dangers.


 

[iamnotback]

and the between Difficulty # and waiting for confirmations PoS is safe to use.

By the way your talk of Shorting a coin (like shorting a stock) , like I told you in the past, if you think Shorting is that easy,
Pick a coin and show me how you kill it by shorting it, (It is not as easy as you make out.)

There is a reason there is not a $12 billion mcap PoShit coin[1]. If ever there is, then you will find out that your "security" is not. Read my rebuttal of Dan linked in my prior post. I will not respond again. You use unfalsified claims, which is not science.

I am eagerly awaiting Ethereum to blow itself up with Casper "the Friendly Ghost".

Don't forget a year ago , you were against all forms of PoS and now you are promising your new coin will be a form of DPOS (with your fixes of course.)  

I am not embracing PoShit. My design is not PoShit.


[1] And it isn't just because of security fears, but also because PoS is a political clusterfuck from the start. Network effects are destroyed by politics. Take Nxt, Steem, Bitshares as pertainent examples. Then again, Bitcoin has now reached the point of centralization and has also entered a political clusterfuck too. But PoW did at least scale before it became centralized by China + Blockstream and reached the upper limit of the volume it could do decentralized.

[freshman777]

Something like what Theymos proposed here should be the most robust and secure solution: https://bitcointalk.org/index.php?topic=1654457

[kiklo]

I am not embracing PoShit. My design is not PoShit.

Currently your design is just shit, but I still give you the benefit of the doubt that it will evolve into something better.  

Just because the top coin is not currenly PoS , does not mean it won't happen in the future.  

I trust my PoS coins more than any PoW coin especially BTC, considering the mining Pools can delay or refuse transactions and basically hold my PoW coins hostage at will.
Plus right at this very moment the Chinese Mining Pools have the Power to Overwrite the last 8 to 12 hours of transactions at will.
Funny how no one worries about that.  

 

[ArcCsch]

However the checkpoints in the source code or even what is know as a rolling checkpoint (simply not allowing reorgs after a certain # of blocks) ,
both allow the coin to stay Decentralized and Protected.  

Yes, the fake chain would not be able to convert honest nodes, but anyone new joining the network would have no basis for deciding which nodes are honest and which are Sybil nodes.
This includes new nodes and any lightweight client that may house a wallet.
PoS turns into a p***ing contest between the true chain and fake chains generated by attackers, and eventually degrades into a messy PoW system that defeats the purpose of PoS.
PoS is a good dream, but the best we can do in a "decentralized and protected" fashion is to shift the PoW from power-bound work to hardware-bound work systems where the mining gear must lie unused for most of the time (BurstCoin, Bitcoin Tic-Tac Coopetition mining, My cyclic PoW scheme) or to recycle the computing power using protein folding PoW (questionable security) or prime chains.

Decentralization can be increased by providing miners with an extra, non-transferable incentive that the user does not need much of (marginal utility declines with amount) such as reserved space in blocks. This may require signature based PoW.

[presstab]

However the checkpoints in the source code or even what is know as a rolling checkpoint (simply not allowing reorgs after a certain # of blocks) ,
both allow the coin to stay Decentralized and Protected.  

anyone new joining the network would have no basis for deciding which nodes are honest and which are Sybil nodes.

Coins usually have a seed node hard coded into the wallet. That seed node points new syncers to nodes. If the seed node is an honest node, which it should be because it is typically commissioned by the developers, then as you admit.... an honest node is hard to fool. If that seed node is not easily fooled, it will also only be connected to other honest nodes. This means that new syncers will be pointed towards honest nodes.

But, I will reiterate. Whether you are syncing bitcoin for the first time, or whether you are syncing the smallest PoS coin for the first time. It would be awfully stupid not to check that you are on the correct chain when you are done syncing.

[ArcCsch]

If the seed node is an honest node, which it should be because it is typically commissioned by the developers, then as you admit.... an honest node is hard to fool.

If you have an honest node, why not just have the node control everyone's balance and sign all transactions?
The key premise of a decentralized system is that there is no hub node that can be trusted.

[Ayers]

is this kind of attack possible only with standard pos coin like diamond, or with new type of pos coin like decred and especially etheruem? i think etehruem work in different way right we should be safe with it?

[presstab]

If the seed node is an honest node, which it should be because it is typically commissioned by the developers, then as you admit.... an honest node is hard to fool.

If you have an honest node, why not just have the node control everyone's balance and sign all transactions?
The key premise of a decentralized system is that there is no hub node that can be trusted.

I accidentally used the wrong term. I meant DNS seed, not seed node. DNS seed points to peers, seed node is just a node that is usually connected to the network.

bitcoin uses DNS seeds nodes too... right now they have 6 of them.
https://github.com/bitcoin/bitcoin/blob/master/src/chainparams.cpp#L120

There has to be a network discovery mechanism. This is universal for any type of proof system. Or for that matter, any peer to peer software.

Edit - The old way of network discovery was for the wallet client to join an irc channel and announce that you are seeking peers. This I suppose could have been more decentralized than the current version (although the centralization becomes the irc channel), but now is looked at as more of a security risk than anything else.

[kiklo]

However the checkpoints in the source code or even what is know as a rolling checkpoint (simply not allowing reorgs after a certain # of blocks) ,
both allow the coin to stay Decentralized and Protected.  

Yes, the fake chain would not be able to convert honest nodes, but anyone new joining the network would have no basis for deciding which nodes are honest and which are Sybil nodes.

PressTab already answered that one, Check the Block Explorer after you sync for the 1st time. PoS or PoW  
GetPeerinfo tells you what height the other peers are on.

This includes new nodes and any lightweight client that may house a wallet.

New Nodes, (PressTab's Answer) ,
Lightweight clients are linked thru electrum, which has a synced block chain monitored by professionals that compare it with the Block Explorer.

PoS turns into a p***ing contest between the true chain and fake chains generated by attackers, and eventually degrades into a messy PoW system that defeats the purpose of PoS.
PoS is a good dream, but the best we can do in a "decentralized and protected" fashion is to shift the PoW from power-bound work to hardware-bound work systems where the mining gear must lie unused for most of the time (BurstCoin, Bitcoin Tic-Tac Coopetition mining, My cyclic PoW scheme) or to recycle the computing power using protein folding PoW (questionable security) or prime chains.

WTF, dude mail me some of what you are smoking , I want some.  

Proof of Stake has been out long enough, and no one has even pulled off an actual sybil attack
I am sorry it is like freaking out that a black hole it going to open and destroy the Planet Earth in the next 24 hours.
Is it Possible, sure many things are Possible,
Is it Probable , odds are against it.

Sybil while in theory Possible, is Very Improbable , Thanks to Checkpoints , Honest Nodes, & Just Checking the block explorer to compare chains.  
You going to need a better Boogeyman to scare the Proof of Stake Community.

Personally for boogeymen , I prefer the Legend of Wooley Swamp.  
https://www.youtube.com/watch?v=gSM7voOCkU0

 

[spartak_t]

I am in favor of PoS, though I've been always saying that I'm not a coder.

[iamnotback]

but the best we can do in a "decentralized and protected" fashion is to shift the PoW from power-bound work to hardware-bound work systems where the mining gear must lie unused for most of the time (BurstCoin, Bitcoin Tic-Tac Coopetition mining, My cyclic PoW scheme)

BurstCoin's PoC is PoS or PoW. You were refuted at your other two linked above.

Your knowledge is insufficient. You are not even making the strong arguments against PoS, which I already pointed out. Arguing against checkpoints is the weakest argument you can make against PoS.

[alkan]

There exist multiple variations of N@S weaknesses of non-PoW coins:
#1 Selfish nodes have an incentive to double-mine on multiple forks
#2 Stakeholders have an incentive to sell old, unused keys as they have nothing to lose anymore
#3 An attacker can rent or short +50% of the existing coins without taking any risk (no unrecoverable sunk costs as opposed to PoW)

All three scenarios make it easier and less costly to double-spend or to disrupt the currency, so that an attacker doesn't need to have +50% of the stake in order to carry out his plot.

Double-mining itself (#1) can occur in two different forms:
- Actual double-mining where the node is creating and broadcasting separate blocks on two or more chain forks.
- Probabilistic double-mining where the node tries to mine on top of every chain fork he is aware of, but only broadcasts one single block. PoS coins often foresee a block selection rule that decides which fork to mint on if both have the same length. According to the protocol, you would only mint on top of the fork that you received first. But you have the incentive to modify your client so that you will try to mint on both to maximize your chances of finding a valid block.

Punitive schemes such as Slasher are proposed to defend against actual double-mining by requiring minters to make a depositive that is destroyed if a minter is caught double-minting later on (other minters can prove the fact by making an evidence transaction). The probabilistic mining strategy can be avoided if the next minter is decided before a fork starts. To that end, on can have a protocol in which it's not the current block n that determines the next miner, but an older block down the chain (n - k). This way you either have the opportunity to mint on both or neither fork (provided that the fork is not longer than k blocks).

NeuCoin uses a different punitive scheme in which both blocks of the double-minter are simply discarded by the other nodes.

Concerning #2, the linked paper also shows (p. 30) how difficult it is for an attacker to rewrite the history as he needs (virtual) time to catch up with the network.

In addition, in double spend attacks where the attacker is using a stake that he actually owns (say 20% of all staked coins), the rest of the
network with which he competes owns the remaining 80%. However, when using old private keys to 20% of the staked coins, the attacker is competing against not 80% of the staked coins but against 100% of them, because the attacker’s old coins are now owned by new parties who mine on the main chain.

attempting to rewrite history over a long range makes things much harder. For example, an attacker controlling private keys over 60% of the coins 2 days in the past would have ∼ 10^−141 chance of ever catching up with the network. To be able to rewrite history over a significant period of time (a few days or more), the attacker actually needs to own old private keys giving control over more coins than are currently staking on the main chain.

It appears that N&S attacks of the types #1 and #2 can be successfully prevented by incorporating appropriate incentive/disincentive mechanisms in the protocol.
On the other hand, I'm not aware of any cryptocurrency (or white paper) that solves or at least tackles issue #3. That's why I'm currently working on my own proposal to solve (or at least mitigate) this fundamental problem.

[cypherblock]

There exist multiple variations of N@S weaknesses of non-PoW coins:
#1 Selfish nodes have an incentive to double-mine on multiple forks
#2 Stakeholders have an incentive to sell old, unused keys as they have nothing to lose anymore
#3 An attacker can rent or short +50% of the existing coins without taking any risk (no unrecoverable sunk costs as opposed to PoW)

I'm just 'catching up' with POS so apologies in advance.

For #1, if I mine on one fork, doesn't that fork immediately become the one that will get most likely get accepted by the network? If so why even bother with mining on both?  Unless of course my blocks are getting delayed in the network so much that there is risk another POS miner would be selected due to some timeout, then it might make sense to mine on multiple forks in the hope that one of those blocks makes it to the rest of the network in time. But with proper timeouts, this seems unlikely. Plus don't some proposals punish this multiple fork mining behavior?

For #2, when is this attack used, during initial block download? Is the idea to use this stake to try to perform a stake grinding attack in advance and send those blocks to a syncing node instead of real chain?

For #3, I can't obtain access to 50% of coins without exchanging for other tokens, fiat or goods/services can I (with the exception of #2)? Those are sunk costs that I can't recover if I cause problems with POS chain.

[kiklo]

There exist multiple variations of N@S weaknesses of non-PoW coins:
#1 Selfish nodes have an incentive to double-mine on multiple forks
#2 Stakeholders have an incentive to sell old, unused keys as they have nothing to lose anymore
#3 An attacker can rent or short +50% of the existing coins without taking any risk (no unrecoverable sunk costs as opposed to PoW)

#1 Fails is Bullshit  (This was covered on the 1st page of this topic already.)
https://bitcointalk.org/index.php?topic=1709776.msg17135430#msg17135430
https://bitcointalk.org/index.php?topic=1709776.msg17136990#msg17136990

#2 Fails is Bullshit
Between the increased Difficulty, and hard coded checkpoints in the Software, # 2 fails.

#3 An attacker can rent or short +50% of the existing coins without taking any risk (no unrecoverable sunk costs as opposed to PoW)

LMAO ,    the mythical Short attack, which again I call Bullshit!
Anything , stocks or coins PoW or PoS can be Shorted. But you guys always act like it is so easy.
Fact is YOU HAVE TO PUT UP COLLATERAL TO BORROW AGAINST THE SHORT, and if your short attempts fails, (which there are ZERO Guarantees it will Work.) ,
You lost all of your Collateral and failed in your attempt to hurt the coin. (That is when you realize you were STUPID for thinking shorting was easy.)  
Please pick a coin and show us how easy this is to pull off, until then I am calling it BULLSHIT!


 

FYI:
You can tell you don't know much about Proof of Stake,
in your Shorting Myth you say 50% of the existing coins.
Proof of Stake using Coin Age, means you have to have 51% of coin age, not 51% of the coin supply.
You may have 60% of the coin supply, but if the other 40% has a higher coin age, the PoS coin will be able to resist your 51% attack.  
Also the second you start staking , your coin age % starts dropping, so even if you have 51% of the coinage , once you mine 2% only, you are down to 49% and that is the end of your attack. Which is why Proof of Stake is more resistant to 51% attacks than PoW.  

PoW is an Adversarial Consensus System, which is fighting each other using hash rate.

PoS is a Cooperative Consensus System, where we take turns leading the blockchain,
like a group of runners when one gets tire another leads, together we create the Strongest Chain.

[alkan]

For #1, if I mine on one fork, doesn't that fork immediately become the one that will get most likely get accepted by the network?

If a) the protocol foresees a "first seen"-rule that prefers blocks that you received first, b) everybody is abiding to this rule (not using modified clients) and c) network latency is evenly distributed among the nodes, then probably yes.

If so why even bother with mining on both?

As I explained in the probabilistic approach, you don't even have to actually mine on both and send two blocks. It's even extremely unlikely that you will succeed on both. To maxime your chances it suffices to just check and see if you can mine on any of the two blocks, no matter which one you received first. Such a behaviour can distrupt consensus.

Plus don't some proposals punish this multiple fork mining behavior?

Yes, please check out the links in my previous post for further details.

For #2, when is this attack used, during initial block download? Is the idea to use this stake to try to perform a stake grinding attack in advance and send those blocks to a syncing node instead of real chain?

Ideally, you would try to buy coins from early adopters when the coin wasn't popular already. That should make it "easier" to buy keys representing a large precentage of stake that existed at that early stage. However, as pointed out in the NeuCoin paper I cited, even if you possess a majority of historic stake it seems that you still have no realistic chances to win the battle since you'd still have to compete with 100% of the stake.

For #3, I can't obtain access to 50% of coins without exchanging for other tokens, fiat or goods/services can I (with the exception of #2)? Those are sunk costs that I can't recover if I cause problems with POS chain.

If there is a a big-enough market for short selling the coins, you could sell at a predefined price without the need of buying the stake beforehand. So, the subsequent devaluation of the coin caused by your attack wouldn't affect this price.

Another attack vector (that is even working wihtout the possibility of short selling) is to regularly buy 51% of the coin and launch lower scale attacks that remain largely uncovered and thus don't have a negative impact on the market price.

[presstab]

For #1, if I mine on one fork, doesn't that fork immediately become the one that will get most likely get accepted by the network?

If a) the protocol foresees a "first seen"-rule that prefers blocks that you received first

It is usually based on difficulty. Not a first seen basis. It does I suppose have an element of first seen, in that you can only orphan so many blocks.. usually 6 or 12 at a time.

If so why even bother with mining on both?

As I explained in the probabilistic approach, you don't even have to actually mine on both and send two blocks. It's even extremely unlikely that you will succeed on both. To maxime your chances it suffices to just check and see if you can mine on any of the two blocks, no matter which one you received first. Such a behaviour can distrupt consensus.

If you are within the same modifier interval, then it is actually extremely likely that you will get the same stake kernel on both chains. Why wouldn't you?

For #2, when is this attack used, during initial block download? Is the idea to use this stake to try to perform a stake grinding attack in advance and send those blocks to a syncing node instead of real chain?

Ideally, you would try to buy coins from early adopters when the coin wasn't popular already. That should make it "easier" to buy keys representing a large precentage of stake that existed at that early stage. However, as pointed out in the NeuCoin paper I cited, even if you possess a majority of historic stake it seems that you still have no realistic chances to win the battle since you'd still have to compete with 100% of the stake.

This only works if the coin has never had any checkpoints added to it. And even if it hasn't had checkpoints added, then it would have to be a coin that uses coin age, which a lot of the modern PoS clones don't do.

Really all you have to do is add a checkpoint after the coins have had a decent distribution, and then this argument #2 is pretty much void.