Bitcoin Forum
Author Topic: [ANN] Nxt :: descendant of Bitcoin  (Read 383781 times)
cunicula
Legendary
Activity: 1050
Merit: 1003
October 20, 2013, 09:26:48 AM
 #181

With the corrected targeting formula, the 10% stake attacker will take 9 times as long as the main chain to generate blocks without any manipulation.

I have no idea exactly how long it takes to cycle through addresses, but I'm pretty sure that cycling will be feasible with 10% stake.

If you can cycle through enough addresses per minute to generate hits that are 9 times lower than the average hit, then you can beat the main chain's 90% stake with 10% stake augmented by brute forced attack addresses. This gives the attacker permanent control of the main chain.

It's a serious issue, no area 51 needed.

Again, the solution is to not generate hits based on user-generated addresses. If the seed depends on a user controlled variable, it will end up as a PoW coin.

I hope you adopt my suggested solution.
bybitcoin
Hero Member
Activity: 672
Merit: 500
October 20, 2013, 09:56:42 AM
 #182

Quote
And a whitepaper before end of October is the must need and appreciated, I am curious to know which POS model will you use.

Heh, seems I'm the only one who pays attention to technical details in this thread...
By whitepaper I mean a full formal specification with diagrams and details ;)

bybitcoin
Hero Member
Activity: 672
Merit: 500
October 20, 2013, 10:17:29 AM
 #183

Quote
The main issue I see is distributing the coins to enough people.

Agree. Without at least 100 users on start the whole currency is pointless. I would spend collected bitcoins for advertising instead of development of advanced features.

I agree with this 100%. Once the word gets out you run the risk of a few big players sending you large amounts of btc (100+, or even higher). The bonus idea is a good one. With MasterCoin, right at the end in the last few days some big amounts were sent in - 400 btc etc. That could potentially kill this coin.

Maybe you could add a maximum amount people can send you too. Just an idea, to help spread the NXT around more evenly.

I'd say 100 users is the bare minimum to start. 250 users each having btc amounts under 1 btc, with an average of about 0.25 btc each, would give you a good chance of success. If someone dumped 100 btc on you, NXT would be stillborn.


What is the difference between a user sending in 1 transaction of 100 BTC compared to the same user sending in 100 transactions of 1 BTC each?


The main difference would be the amount of time and hassle required to repeat the procedure 100 times. If the send could somehow be connected to a user profile on this forum, that would limit the number of multiples quite a bit too.

Maybe the dev has another idea. I just think with a POS coin it's best to spread the coins around at the start, and with Mastercoin some big whales joined the party right at the end. Some way to limit excessively large single holdings is a good goal. Once the close time approaches some people might get greedy.

I agree with this. There should be a cap for investment, and yes, sending 1 BTC 100 times is less probable than sending 100 BTC at once. I guess 1 BTC is a good cap. This POS coin will certainly die if we do not approach a more normalized way of distributing the genesis block coins.
Come-from-Beyond
Legendary
Activity: 2142
Merit: 1009
October 20, 2013, 11:45:25 AM
 #184

Quote
Let's suppose you have 10% of stake and an alien's computer stolen from Area 51. Odds to generate a 60 block long chain at the rate of 1 block a minute are very small (something like 1/10000000000000...)

Quote
If you can cycle through enough addresses per minute to generate hits that are 9 times lower than the average hit...

Guys, where do u get these numbers from?

Anyway, this is what is necessary to generate accounts that will hit the target within a 1 minute timeframe on average (necessary to outpace benevolent miners):

1. Generate a private key (~0 ms)
2. Calculate a public key (~0.005 ms on a high-end CPU, numbers taken from http://ed25519.cr.yp.to/)
3. Sign the generation signature of a previous block (~0.005 ms)
4. Calculate SHA-256 of the signature (~0 ms, sorry for disassembling the Nxt byte-code :))
5. Compare first 8 bytes to the target (~0 ms)
6. Repeat #4 and #6 a lot of times (~???, the whole Bitcoin network would hit the target in a few milliseconds)

So 1 CPU will loop thru say 0.001 key/sec. We can't run a botnet with 1 million computers to get 1000 key/sec coz this task CAN NOT be parallelized. Each iteration requires data from the previous one.

Conclusion: we will have problems only if someone uses a quantum/alien computer; until then no one can succeed at such an attack.
cunicula
Legendary
Activity: 1050
Merit: 1003
October 20, 2013, 12:20:43 PM
 #185

Quote
Let's suppose you have 10% of stake and an alien's computer stolen from Area 51. Odds to generate a 60 block long chain at the rate of 1 block a minute are very small (something like 1/10000000000000...)

If you can cycle through enough addresses per minute to generate hits that are 9 times lower than the average hit...

Guys, where do u get these numbers from?

Anyway, what is necessary to generate accounts that will hit the target within a 1 minute timeframe on average (necessary to outpace benevolent miners) will always be a function of how much stake the attacker deploys. You seem to have forgotten this.

1. Generate a private key (~0 ms)
2. Calculate a public key (~0.005 ms on a high-end CPU, numbers taken from http://ed25519.cr.yp.to/)
3. Sign the generation signature of a previous block (~0.005 ms)
4. Calculate SHA-256 of the signature (~0 ms, sorry for disassembling the Nxt byte-code :))
5. Compare first 8 bytes to the target (~0 ms)
6. Repeat #4 and #6 a lot of times (~???, the whole Bitcoin network would hit the target in a few milliseconds)

So 1 CPU will loop thru say 0.001 key/sec. We can't run a botnet with 1 million computers to get 1000 key/sec coz this task CAN NOT be parallelized. Each iteration requires data from the previous one.

Conclusion: we will have problems only if someone uses a quantum/alien computer; until then no one can succeed at such an attack.
What are you talking about? Success is not binary here. You don't need an exact match, just the ability to select a match that is better than average.

Even if it takes 1 complete second to do one iteration of 4 and 5, the system is still in deep trouble.
Suppose there are two coinholders, one with 90% and the other with 10%.
Without manipulation, the guy with 90% will find blocks once every 67 seconds on average and the guy with 10% will find blocks once every 600 seconds.

Suppose the guy with 10% has time to test out 9 different addresses per minute. Each address will have a different waiting time. Picking the best among these nine candidates is sufficient to boost 10% stake up to the mining power of 90% stake.
If you can do 90 iterations per minute, then you can attack with 1%; 900 with 0.01%

Your estimate of 0.01 ms per iteration suggests that a successful attack could be pulled off with 1.67×10^-9% stake. What is that? 100 or 200 satoshi.

Obviously, this is not acceptable. Attackers should have to hold more than a few satoshis in order to mount a successful attack.
Come-from-Beyond
Legendary
Activity: 2142
Merit: 1009
October 20, 2013, 12:39:45 PM
 #186

Quote
Suppose the guy with 10% has time to test out 9 different addresses per minute.

These addresses must have been funded 60 blocks ago. U can't guess what generation signature will be in 60 blocks to find addresses and fund them.

Edit: If anyone injects their block in ur chain they will disrupt the attack, or u are talking about ur private blockchain?
Come-from-Beyond
Legendary
Activity: 2142
Merit: 1009
October 20, 2013, 05:06:07 PM
 #187

Quote
It's one thing if they don't believe Mastercoin will work. If it doesn't work then it probably isn't going to be worth anything, but if it does work then each Mastercoin will probably go for 2-3 Bitcoins and that is just with the most basic features of a decentralized exchange and smart property. User defined currencies and the more advanced features will bring the price to 20-30 Bitcoins a piece.

Could anyone explain why colored coins are so kewl? I agree it's a handy tool, but why are ppl crazy about this feature? Do I miss something?
cunicula
Legendary
Activity: 1050
Merit: 1003
October 20, 2013, 05:18:47 PM
 #188

Quote
Suppose the guy with 10% has time to test out 9 different addresses per minute.

These addresses must have been funded 60 blocks ago. U can't guess what generation signature will be in 60 blocks to find addresses and fund them.

Edit: If anyone injects their block in ur chain they will disrupt the attack, or u are talking about ur private blockchain?
Say I sell my 10% stake in nxt for btc.

I then go back to a nxt block before the sale. I build an alternate private chain in which I still own 10% of nxt.
The first 60 blocks are slow. However, they include txn which accelerate mining of subsequent blocks, allowing me to mine faster than the main chain.

I overtake the main chain and publish my secret chain.  According to protocol rules, my chain is longer and therefore the correct consensus chain. Absent manual intervention, everyone else adopts my attack chain.

I now own 10% of nxt and I also own btc from selling off 10% of nxt.

I do not care that my attack has been disrupted. I have accomplished my goal.
Come-from-Beyond
Legendary
Activity: 2142
Merit: 1009
October 20, 2013, 06:04:46 PM
 #189

Quote
Say I sell my 10% stake in nxt for btc.

I then go back to a nxt block before the sale. I build an alternate private chain in which I still own 10% of nxt.
The first 60 blocks are slow. However, they include txn which accelerate mining of subsequent blocks, allowing me to mine faster than the main chain.

I overtake the main chain and publish my secret chain.  According to protocol rules, my chain is longer and therefore the correct consensus chain. Absent manual intervention, everyone else adopts my attack chain.

I now own 10% of nxt and I also own btc from selling off 10% of nxt.

I do not care that my attack has been disrupted. I have accomplished my goal.

Maybe u r right and design of Nxt is flawed. Help me to get ur idea step by step.


With 10% of the stake u'll mine 60 blocks in 600 minutes (actually u'll do it instantly, but timestamp of the 60th block will be 10 hours ahead). Agree?

The base target of ur chain at 60th block will be 9 times bigger than the base target of legit chain (because base target adjusted each block as I can see on http://88.198.210.245:7875/). Agree?

U must find 540+ accounts that let u hit the target in 59 seconds on average (60 sec won't let u construct a chain with higher cumulative difficulty). Agree?

U can't find the 2nd account before u find the 1st coz u can't guess the outcome of the 1st generation signature. Agree?

Chance to hit the target ~ coins on the account; if u split ur coins into 540 parts then u have to hit a target that is 540 times smaller, which leads to 540 times more computation cycles. Agree?

To calculate a hit u have to do two EC-math operations (get public key + sign) and one SHA-256 operation. It's like 100 SHA-256 operations. Agree?

As I can see in disassembled code initial base target is 153722867 (why btw?). As I can see in the blockchain standard base target is ~20% = 30744573. It means that u have to do 2^63 / 30744573 = 3 * 10^11 computations (3 * 10^13 SHA-256 cycles). Agree?

Now u have to repeat this 539 times which gives us 1.6 * 10^15 SHA-256 operations. Agree?

If the blockchain is checkpointed each year, then u must crunch numbers at the rate 1.6 * 10^15 / 31622400 (so many seconds in a year) = 50 million SHA-256 hash/sec. Agree?


It's not a big number IMO. It can be fixed though. Waiting a whole day before someone gets the right to generate blocks will change 50 million to 1.2 billion. Using Scrypt instead of SHA-256 we'll get roughly 1000 billion. Now it's better. We may go further and do checkpointing each month to increase the number by 12 times.

Comments?
bybitcoin
Hero Member
Activity: 672
Merit: 500
October 20, 2013, 06:54:21 PM
Last edit: October 20, 2013, 07:06:55 PM by bybitcoin
 #190

May I ask BCNext and also Cunicula about how relevant or necessary it is to put a cap for sending bitcoin to 1BCN address?
Although one can still send 1 BTC 100 times instead of 100 BTC once, the hassles and complications of sending 100 times make the first option less probable and harder to keep track of, for the sender.
Our main concern is a normal distribution of the genesis block coins to more users. We don't want to have some people owning 100M coins each at the launch point, because it will either kill the coin life cycle and bring a lot of security concerns, as it is a pure POS coin, or will make it very unattractive for future users (remember ripple).
BCNext said the cap will be common sense, but the Mastercoin kickstarter last August showed us that there is no such thing as a common-sense cap among potential members of this community. For you and me the common-sense cap might be 1 BTC, but for somebody else who may join on the last day or last minute before the deadline, the common sense might be 1000 BTC.
So BCNext and Cunicula please address this concerning point and analyze and clear it out now!
BCNext (OP)
Jr. Member
Activity: 56
Merit: 60
October 20, 2013, 07:33:17 PM
 #191

Quote
Comments?

We can't rely on assumption that 1000 billion is a big enough number.
BCNext (OP)
Jr. Member
Activity: 56
Merit: 60
October 20, 2013, 07:35:30 PM
 #192

Quote
Obviously, this is not acceptable. Attackers should have to hold more than a few satoshis in order to mount a successful attack.

If I increase maturity period to 1440 blocks and add a rule that the blockchain can't be rolled for more than 720 blocks back?  Can you attack it now if you have less than 50% of coins?
BCNext (OP)
Jr. Member
Activity: 56
Merit: 60
October 20, 2013, 07:37:25 PM
 #193

Quote
Although one can still send 1 BTC 100 times instead of 100 BTC once, the hassles and complications of sending 100 times make the first option less probable and harder to keep track of, for the sender.

Let's set the cap to 1 BTC.
bybitcoin
Hero Member
Activity: 672
Merit: 500
October 20, 2013, 07:41:59 PM
 #194

Quote
Although one can still send 1 BTC 100 times instead of 100 BTC once, the hassles and complications of sending 100 times make the first option less probable and harder to keep track of, for the sender.

Let's set the cap to 1 BTC.
Nice :) So you better mention it in the OP post before anybody sends a >1BTC patch ;)
bybitcoin
Hero Member
Activity: 672
Merit: 500
October 20, 2013, 08:14:55 PM
 #195

One more question: Can someone who already sent X BTC to BCNext address, send another pack of Y BTC to BCNext with the same address and hash, for a total of X+Y BTC sending? Of course X+Y should still be <= 1 BTC, and of course the bonus reward of X and Y sending each may differ as it would be calculated separately based on the date of each of these sending packs. Is this possible or not?
Come-from-Beyond
Legendary
Activity: 2142
Merit: 1009
October 20, 2013, 08:27:19 PM
 #196

Quote
One more question: Can someone who already sent X BTC to BCNext address, send another pack of Y BTC to BCNext with the same address and hash, for a total of X+Y BTC sending? Of course X+Y should still be <= 1 BTC, and of course the bonus reward of X and Y sending each may differ as it would be calculated separately based on the date of each of these sending packs. Is this possible or not?

Good question coz someone already sent the same hash twice (582b5913811586bbb73e1f70309ca2778da74bcb055bdc86668b2d7de08a08f0).
BCNext (OP)
Jr. Member
Activity: 56
Merit: 60
October 20, 2013, 08:54:45 PM
 #197

I see no problem if someone sends multiple transactions with the same hash and total amount not greater than the cap.  My parsing script handles this correctly.
cunicula
Legendary
Activity: 1050
Merit: 1003
October 21, 2013, 05:42:18 AM
 #198


Quote
In PoW currency you can remine a block to build a longer chain.  In Nxt the order of generating accounts is determined, you can't create a long chain that contains blocks generated solely by you.  With 51% of the stake the odds to generate a longer chain with 10 blocks are less than 0.1%.  If someone buys a car with NXT they can wait a little bit longer to counteract even 90% attack.

Quote
I like that you plan to make things deterministic. My ideas for pure PoS have also been deterministic.

There is a potential problem here though.

How do you deal with AWOL coin-owners? If I can't make a winning chain with 51%, then can the chain continue at all if 49% of coins are lost?

Looking forward to the details so I can see how you address this and other issues.

Quote
It's a good chance to tell the details...

Each block has a "generationSignature" parameter.  An active account signs the "generationSignature" of the previous block with its private key.  This gives 64 bytes which are hashed with SHA256.  The first 8 bytes of the hash give a number (I call it a "hit").  The hit is compared to the current "target" (64bit number).  If the hit is lower than the target then the next block can be generated.

The target for each account is proportional to the balance.  Someone holding 1000 coins gets a 50 times bigger target than someone with 20 coins. Thus the owner of 1000 coins will generate 50 times more blocks than the owner of 20 coins (in the long run).

The target is not constant, it grows each second passed since the timestamp of the previous block.  If no one generated a block on the first second then the target becomes 2 times bigger and so on.  The base target is the target on the 60 second mark.  If there are only a few active accounts then after a long time someone will generate a block because the target will become very big.  If you open the client and log in with any funded account you can see a ticking timer in the BLOCKS widget.  It shows when the target will become greater than your hit.

Where does a block's generation signature parameter come from?
boomboom
Hero Member
Activity: 1068
Merit: 523
October 21, 2013, 05:51:38 AM
 #199

Quote
Although one can still send 1 BTC 100 times instead of 100 BTC once, the hassles and complications of sending 100 times make the first option less probable and harder to keep track of, for the sender.

Let's set the cap to 1 BTC.

Good move dude!!
BCNext (OP)
Jr. Member
Activity: 56
Merit: 60
October 21, 2013, 06:44:09 AM
 #200

Quote
Where does a block's generation signature parameter come from?

It's the generation signature of a previous block signed by the generator of a current block.
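An added example (not the Nxt client's code) implementing the block-generation rule as BCNext describes it in this exchange: sign the previous generationSignature, SHA-256 the signature, take the first 8 bytes as the hit, and compare it with a target that grows with balance and elapsed seconds. Ed25519 keys, big-endian hit decoding and the exact target scaling (baseTarget × balance at the 60-second mark) are assumptions; the function names are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// AccountKey derives a test account key from a fixed seed byte (constructed
// keys so the run is reproducible; real accounts use random seeds).
func AccountKey(seed byte) ed25519.PrivateKey {
	s := make([]byte, ed25519.SeedSize)
	s[0] = seed
	return ed25519.NewKeyFromSeed(s)
}

// Hit signs the previous block's generationSignature with the account key,
// hashes the 64-byte signature with SHA-256 and reads the first 8 bytes as a
// 64-bit number. The signature is also the generationSignature of the new
// block. Ed25519 and big-endian decoding are assumptions.
func Hit(priv ed25519.PrivateKey, prevGenSig []byte) (uint64, []byte) {
	sig := ed25519.Sign(priv, prevGenSig) // Ed25519 is deterministic: one key, one hit per block
	sum := sha256.Sum256(sig)
	return binary.BigEndian.Uint64(sum[:8]), sig
}

// Target grows linearly with the seconds since the previous block and with the
// balance; it equals baseTarget*balance at the 60-second mark (assumed scaling).
func Target(baseTarget, balance, elapsed uint64) *big.Int {
	t := new(big.Int).SetUint64(baseTarget)
	t.Mul(t, new(big.Int).SetUint64(balance))
	t.Mul(t, new(big.Int).SetUint64(elapsed))
	return t.Div(t, big.NewInt(60))
}

// CanForge is the generation rule from the post: the hit must be lower than the target.
func CanForge(hit, baseTarget, balance, elapsed uint64) bool {
	return Target(baseTarget, balance, elapsed).Cmp(new(big.Int).SetUint64(hit)) > 0
}

// ForgingDelay is the first second at which CanForge holds (the countdown in
// the client's BLOCKS widget): the smallest elapsed with
// floor(baseTarget*balance*elapsed/60) > hit, i.e. ceil(60*(hit+1)/(baseTarget*balance)).
// An empty account never forges, reported as ok=false.
func ForgingDelay(hit, baseTarget, balance uint64) (delay uint64, ok bool) {
	d := new(big.Int).Mul(new(big.Int).SetUint64(baseTarget), new(big.Int).SetUint64(balance))
	if d.Sign() == 0 {
		return 0, false
	}
	n := new(big.Int).SetUint64(hit)
	n.Add(n, big.NewInt(1)).Mul(n, big.NewInt(60))
	n.Add(n, d).Sub(n, big.NewInt(1)) // ceiling division
	return n.Div(n, d).Uint64(), true
}

func main() {
	prevGenSig := make([]byte, 64) // constructed stand-in for the previous block's generationSignature
	const baseTarget = 153722867   // initial base target quoted from the disassembled client in the thread
	for i, balance := range []uint64{20, 1000} {
		hit, _ := Hit(AccountKey(byte(i+1)), prevGenSig)
		delay, _ := ForgingDelay(hit, baseTarget, balance)
		fmt.Printf("balance %5d  hit %20d  forges after %d s\n", balance, hit, delay)
	}
}
```

Because the hit is fixed once the key and the previous generationSignature are fixed, the only freedom left to a generator is which funded key it holds, which is exactly the lever the thread argues about.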