Bitcoin Forum
Author Topic: What challenges would a pure Proof-of-stake coin face?  (Read 5676 times)
Cryddit (OP)
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
October 23, 2013, 06:47:32 PM
 #1

I want to make an altcoin that runs on pure proof-of-stake.  That is, with no significant "speed contest" for solving hashes or scrypt. 

The desired result I have in mind is that each public key representing more than one coin that's been held more than a month is eligible to mine, where each attempt at mining has a chance of success proportional to the product of

The amount of coin that the key represents
The amount of time (in seconds) since the most recent block was found.

The mechanism for doing this would be that you multiply these things together, then multiply by the current 'difficulty', and that's your target.  And this means you have to find a positive nonce less than the target which, when concatenated with the coin key and the signature on the most recent block, hashes to a value with some (fixed) small number of leading zeros.  The 'difficulty' would be adjusted periodically to keep the rate of block generation consistent, but depending on the amount of coin that a key represents, you would have an opportunity to mine on that key (i.e., a new nonce becomes acceptable for that key) once per hour or minute or second or whatever that the system goes without finding a block. 

Anyway, if you mine successfully, you then need to collect some (four? six?) signatures from coin addresses that depend on the hash you found, so you don't get to pick people you're colluding with.  Each 'signer' would be signing to the effect that yes, it is after the time when the nonce would become valid, and no, no other block with a lower nonce has been seen yet at the current block height. The signers would get a small share of the block reward.  Any two blocks at the same height would be decided in favor of whichever hashed using the lower nonce. 

There would be a series of giveaways to put coins out there in the universe to bootstrap the process; one thing I'm thinking of would be to pick a date in the bitcoin blockchain, then give people a fixed amount of time (maybe six months) to prove they owned a certain amount of bitcoin on that date and collect a proportional amount of the new coins.  (no, there is no need to send any bitcoin anywhere, no need for an "exit address", no need to pollute the bitcoin blockchain with tiny transactions to prove ownership of the coins they come from, etc.  Just demonstrate that you can decrypt a message encrypted with the key that represents that bitcoin, and that is enough.)   

Does anyone see an obvious problem that will result in such an altcoin becoming unusable? 

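The eligibility and tie-break rules described in the post above, written out as an added Python sketch (not code from the original post or from any project). SHA-256 as the hash, an 8-bit leading-zero rule, and the sample key and signature bytes are assumptions; the point is that a signer can check a claim with one hash and no transaction data.

```python
import hashlib

# Assumed parameters, not from the thread: SHA-256 as the hash, 8 leading zero bits.
LEADING_ZERO_BITS = 8


def target(coins, seconds_since_last_block, difficulty):
    """Nonce ceiling from the post: stake x time since the last block x current difficulty."""
    return coins * seconds_since_last_block * difficulty


def block_hash(nonce, coin_key, prev_block_sig):
    """Hash of nonce || coin key || signature on the most recent block."""
    data = nonce.to_bytes(8, "big") + coin_key + prev_block_sig
    return hashlib.sha256(data).digest()


def has_leading_zero_bits(digest, bits):
    """True when the top `bits` bits of the digest are all zero."""
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits) == 0


def verify_claim(nonce, coin_key, prev_block_sig, coins, seconds, difficulty):
    """What a signer checks: positive nonce below target, then a single hash."""
    if nonce <= 0 or nonce >= target(coins, seconds, difficulty):
        return False
    return has_leading_zero_bits(block_hash(nonce, coin_key, prev_block_sig), LEADING_ZERO_BITS)


def find_nonce(coin_key, prev_block_sig, coins, seconds, difficulty):
    """Honest staker: lowest nonce that currently qualifies, or None if the key is not yet eligible.
    The target grows with elapsed time, so a key that is ineligible now becomes eligible later."""
    for nonce in range(1, target(coins, seconds, difficulty)):
        if has_leading_zero_bits(block_hash(nonce, coin_key, prev_block_sig), LEADING_ZERO_BITS):
            return nonce
    return None


def resolve_fork(claims):
    """Two blocks at one height: the one mined with the lower nonce wins."""
    return min(claims, key=lambda claim: claim["nonce"])


if __name__ == "__main__":
    # Constructed sample bytes standing in for a real coin key and block signature.
    key, sig = b"constructed-coin-key-A", b"constructed-prev-block-signature"
    for elapsed in (0, 60, 600):
        print(elapsed, "s elapsed ->", find_nonce(key, sig, coins=10, seconds=elapsed, difficulty=1))
```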

wedge
Full Member
***
Offline Offline

Activity: 187
Merit: 100


View Profile
October 23, 2013, 07:54:06 PM
 #2

How would the coins be initially distributed?  That's one thing I've never understood about a pure POS coin.

Edit (just read all the way to the bottom):
There would be a series of giveaways to put coins out there in the universe to bootstrap the process; one thing I'm thinking of would be to pick a date in the bitcoin blockchain, then give people a fixed amount of time (maybe six months) to prove they owned a certain amount of bitcoin on that date and collect a proportional amount of the new coins.  (no, there is no need to send any bitcoin anywhere, no need for an "exit address", no need to pollute the bitcoin blockchain with tiny transactions to prove ownership of the coins they come from, etc.  Just demonstrate that you can decrypt a message encrypted with the key that represents that bitcoin, and that is enough.)   

Does anyone see an obvious problem that will result in such an altcoin becoming unusable? 

Um yeah, I see a problem with that.  Wouldn't that just be a "the rich get richer" situation?  Anyone lucky enough to have a lot of bitcoins on a random/arbitrary date will suddenly get a ton of new coins for free?  That doesn't sound like a very fair distribution method.

miffman
Legendary
*
Offline Offline

Activity: 1904
Merit: 1005


PGP ID: 78B7B84D


View Profile
October 23, 2013, 07:57:58 PM
 #3

Distribution would probably be your only problem.
miffman
Legendary
*
Offline Offline

Activity: 1904
Merit: 1005


PGP ID: 78B7B84D


View Profile
October 23, 2013, 08:01:38 PM
 #4

Oh, and apparently CGB might go PoS only in time to come. They are still considering it though.
Hazard
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile WWW
October 23, 2013, 08:01:47 PM
 #5

It won't work.

Buffer Overflow
Legendary
*
Offline Offline

Activity: 1652
Merit: 1016



View Profile
October 23, 2013, 08:03:55 PM
 #6

Yes the initial distribution of the coins is the problem. You'd end up doing a Ripple.

QuantPlus
Sr. Member
****
Offline Offline

Activity: 280
Merit: 250



View Profile
October 23, 2013, 08:07:49 PM
 #7

There would be a series of giveaways to put coins out there in the universe to bootstrap the process; one thing I'm thinking of would be to pick a date in the bitcoin blockchain, then give people a fixed amount of time (maybe six months) to prove they owned a certain amount of bitcoin on that date and collect a proportional amount of the new coins.  (no, there is no need to send any bitcoin anywhere, no need for an "exit address", no need to pollute the bitcoin blockchain with tiny transactions to prove ownership of the coins they come from, etc.  Just demonstrate that you can decrypt a message encrypted with the key that represents that bitcoin, and that is enough.)   

Now there's some creative thinking (!!)...
But with BTC you are getting largely Bitcoin Monopolists.

Instead, do exactly this with your choice of several Alt Coin blockchains...
And also make sure that these addresses have RECENTLY MINED AN ALT COIN...
That way you are bootstrapping with known, committed Alt Miners. 
Cryddit (OP)
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
October 23, 2013, 08:15:50 PM
 #8

So there are vague notions that it is unsafe but nobody has a specific reason why?

The initial distribution is the biggest problem, I think. The thing about a proof of stake system is that until someone has coin, nobody can get coin.   It operates more like interest than pay for work.

I do not really have a solution for that.  But rich get richer really is how the world works.

Anyway I'm open to all the suggestions people come up with, but most of the obvious ideas fail in the presence of sybil attacks. All that it has to be is verifiable via software and not farmable. And there is nothing that requires that there be only one giveaway.

Hazard
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile WWW
October 23, 2013, 08:21:29 PM
 #9

So there are vague notions that it is unsafe but nobody has a specific reason why?
Because unlike proof of work, proof of stakes are reusable. An attacker can reuse the same stakes an infinite amount of times until he succeeds. And he doesn't lose anything and isn't penalized in the process.

wedge
Full Member
***
Offline Offline

Activity: 187
Merit: 100


View Profile
October 23, 2013, 08:34:07 PM
 #10

So there are vague notions that it is unsafe but nobody has a specific reason why?

The initial distribution is the biggest problem, I think. The thing about a proof of stake system is that until someone has coin, nobody can get coin.   It operates more like interest than pay for work.

I do not really have a solution for that.  But rich get richer really is how the world works.

Anyway I'm open to all the suggestions people come up with, but most of the obvious ideas fail in the presence of sybil attacks. All that it has to be is verifiable via software and not farmable. And there is nothing that requires that there be only one giveaway.

An alternate is to have a different kind of proof-of-work.  Instead of hashing, have people actually contribute somehow.  Reward coin to people that resolve software bugs, or offer services, or contribute to an official wiki, or even just for advertising in their sig (all proportionally of course).  That way you kill two birds with one stone.  It would handle the distribution, and it would make the coin bigger/stronger all at once.

It was my idea.  I get the first reward.

iGotSpots
Legendary
*
Offline Offline

Activity: 2548
Merit: 1054


CPU Web Mining 🕸️ on webmining.io


View Profile WWW
October 23, 2013, 08:36:23 PM
 #11

So there are vague notions that it is unsafe but nobody has a specific reason why?

The initial distribution is the biggest problem, I think. The thing about a proof of stake system is that until someone has coin, nobody can get coin.   It operates more like interest than pay for work.

I do not really have a solution for that.  But rich get richer really is how the world works.

Anyway I'm open to all the suggestions people come up with, but most of the obvious ideas fail in the presence of sybil attacks. All that it has to be is verifiable via software and not farmable. And there is nothing that requires that there be only one giveaway.

An alternate is to have a different kind of proof-of-work.  Instead of hashing, have people actually contribute somehow.  Reward coin to people that resolve software bugs, or offer services, or contribute to an official wiki, or even just for advertising in their sig.  That way you kill two birds with one stone.  It would handle the distribution, and it would make the coin bigger/stronger all at once.

It was my idea.  I get the first reward.

Only if you can find Biggs

wedge
Full Member
***
Offline Offline

Activity: 187
Merit: 100


View Profile
October 23, 2013, 08:36:34 PM
 #12

So there are vague notions that it is unsafe but nobody has a specific reason why?
Because unlike proof of work, proof of stakes are reusable. An attacker can reuse the same stakes an infinite amount of times until he succeeds. And he doesn't lose anything and isn't penalized in the process.

Isn't that kinda how POS works in the first place?  That's not an attack, that's just the POS process...?  but I'm sure I misunderstand something.

wedge
Full Member
***
Offline Offline

Activity: 187
Merit: 100


View Profile
October 23, 2013, 08:38:00 PM
 #13


Only if you can find Biggs

Biggs is dead.  Wedge is a survivor.  He knows when it is the right time to pull out.

Hazard
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile WWW
October 23, 2013, 08:44:14 PM
 #14

So there are vague notions that it is unsafe but nobody has a specific reason why?
Because unlike proof of work, proof of stakes are reusable. An attacker can reuse the same stakes an infinite amount of times until he succeeds. And he doesn't lose anything and isn't penalized in the process.

Could you elaborate? When you generate a proof of stake the source input is locked for a while.
When double spending or denying transactions, you can reuse stakes until it succeeds. If the attack fails your stakes get reverted back to the age they were before.

wedge
Full Member
***
Offline Offline

Activity: 187
Merit: 100


View Profile
October 23, 2013, 09:02:45 PM
 #15

So there are vague notions that it is unsafe but nobody has a specific reason why?
Because unlike proof of work, proof of stakes are reusable. An attacker can reuse the same stakes an infinite amount of times until he succeeds. And he doesn't lose anything and isn't penalized in the process.

Could you elaborate? When you generate a proof of stake the source input is locked for a while.
When double spending or denying transactions, you can reuse stakes until it succeeds. If the attack fails your stakes get reverted back to the age they were before.

What prevents anyone from doing that in any existing POW/POS system?

kelsey
Legendary
*
Offline Offline

Activity: 1876
Merit: 1000


View Profile
October 24, 2013, 12:13:50 AM
 #16

Distribution would probably be your only problem


lol and that's not becoming a problem with POW ;)
Hazard
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile WWW
October 24, 2013, 12:15:41 AM
 #17

So there are vague notions that it is unsafe but nobody has a specific reason why?
Because unlike proof of work, proof of stakes are reusable. An attacker can reuse the same stakes an infinite amount of times until he succeeds. And he doesn't lose anything and isn't penalized in the process.

Could you elaborate? When you generate a proof of stake the source input is locked for a while.
When double spending or denying transactions, you can reuse stakes until it succeeds. If the attack fails your stakes get reverted back to the age they were before.

What prevents anyone from doing that in any existing POW/POS system?
Nothing.

It'd just be easier under a PoS only system.

Cryddit (OP)
Legendary
*
Offline Offline

Activity: 924
Merit: 1132


View Profile
October 24, 2013, 03:43:30 AM
 #18

Okay, I may be dense here, but I'm not seeing what there is about a Proof-of-stake system that makes this attack any easier. 

I don't want to launch a crapcoin that dies to a protocol disaster in the first few days, so I really do need to know exactly what threat I'm defending against here. 

The whole point of a double spend attack is reusing coins (reusing stake).  There's no penalty for making the attempt in Bitcoin nor any other Proof-of-Work chain. 

And the way I've outlined it above, there is no need for anyone to even have all the claimed transactions in a block to reject it if it's bogus, so there's no way to attack bandwidth.  All you have to do is check the coin address that the payout would go to, the hash of the last block, and the claimed nonce.  Make a single hash, see that it doesn't meet the target or match the claimed hash, and reject the block.   In fact, the signers can reject invalid blocks more cheaply than the attacker can create them (because the attacker is also constrained by bandwidth). 

So .... just not seeing a DoS problem here that's worse than with any other coin.
Hazard
Legendary
*
Offline Offline

Activity: 980
Merit: 1000



View Profile WWW
October 24, 2013, 03:53:54 AM
 #19

The whole point of a double spend attack is reusing coins (reusing stake).  There's no penalty for making the attempt in Bitcoin nor any other Proof-of-Work chain.  
There is a penalty. One must expend resources (hashing power) to attempt such an attack in a PoW system. No such overhead exists in PoS. See the following:

https://bitcointalk.org/index.php?topic=289946.msg3104704#msg3104704
https://bitcointalk.org/index.php?topic=143221.msg2392797#msg2392797
https://bitcointalk.org/index.php?topic=206577.msg2521367#msg2521367
https://bitcointalk.org/index.php?topic=152809.msg2014924#msg2014924

If you don't understand the basic pros/cons to these two protocols you don't have any business launching a coin. Technical issues aside, there are a host of logistical issues that make such a system infeasible.

r3wt
Hero Member
*****
Offline Offline

Activity: 686
Merit: 504


always the student, never the master.


View Profile
October 24, 2013, 04:17:46 AM
 #20

instead of proof of work

each wallet can only have one address. this address is pregenerated with a "seedcoin". this is an unspendable input (is that even possible?).

stake can be generated from this one coin, over two hour periods, but stake can not be generated on its own, it has to be generated by some form of work. one solution for this work would be boinc. in this setup, the seedcoin would be the parent and the stake would be the children, and are spendable inputs. stake is generated based on boinc utilization scores over a two hour period, similar to Gridcoin but different as boinc itself serves as a pseudo-proof-of-work. in order to secure the stake chain, all clients are coded to compute work using no greater than 1% cpu of the host machine.

My negative trust rating is reflective of a personal vendetta by someone on default trust.