Proof-of-Approval: Version 2.0

[shunsaitakahashi]

Hello Paul,

Won't this decrease the overall network participation rate, as accidental violations will naturally occur due to latency and connectivity issues?

The scheme would have to take that into account and avoid false positives.

Shunsai

[1714032371]

1714032371

[1714032371]

1714032371

[Traxo]

Made some edits to this posts:
https://bitcointalk.org/index.php?topic=3913439.msg39309531#msg39309531


@anonymint wrote on Medium:

Hello Shunsai Takahashi.

As you know in your bitcointalk.org thread, @‍monsterer2, others, and I discussed some vulnerabilities in your Proof-of-Approval (PoA) consensus system. Specifically I pointed out that in plausible reality there’s not 100% finality because due to the requirement for 50+% of the stake to always be online that PoA analogous to all proof-of-stake systems really only function because they’re run by a 50+% oligarchy. Proof-of-stake does not function well without an oligarchy in control. Thus the 50+% attack is the norm, not the exception. Normally the oligarchy in control is benevolent in terms of double-spending and extracts their rents via other schemes. Some typical figures I’ve seen cited for stake participation are at most 30% of the stakes. The implication of this is that the table in your blog which compares your PoA system to Nakamoto proof-of-work seems disingenuous in light of all the details as I explained. Although the end-game of proof-of-work is apparently also an oligarchy. Perhaps your table’s comparison to Ouroboros was at the time of writing this message correct to claim PoA’s advantage of one (1) block transaction confirmation finality compared to Ouroboros’ 100s of blocks because Ouroboros (in the non-delegated mode) also has the same vulnerability of requiring 50+% of the stake to always be online. I need to study Ouroboros more carefully in the future, which I may do for the upcoming Part 3 of my recent blog.

Paul explained that PoA also is vulnerable to the typical nothing-at-stake (NaS aka N@S) flaw which plagues all proof-of-stake systems. The NaS attack only applies to a 50+% attack. The problem is that although Nakamoto proof-of-work is also vulnerable to a 50+% attack, unlike NaS there’s an ongoing cost to attack proof-of-work. In theory it’s plausible to recover the costs of a rented hashrate attack by double-spending, but in practice no one thinks that is very realistic on Bitcoin with its tremendous systemic hashrate. And proof-of-work is permissionless yet proof-of-stake is not.

If we could argue that 50% of the stake is difficult for an attacker to obtain and if the slot and epoch slashing (of conflicting approvals) didn’t have the boundary ambiguity problem, then AFAICT the NaS issue would be somewhat mitigated. But unfortunately, I don’t think 50% of stake is difficult for an attacker to obtain and anyway the presumption that 100% of the stake will always be live is unrealistic.

[shunsaitakahashi]

Hello Traxo,

IOW, single block proposals per slot are a semi-centralized design.

Proof-of-Approval has a limited number (10-50) but > 1 number of block producers per slot. The number is limited only to control the network traffic.

Additionally the presumption of an expiration time for slots and epochs is fundamentally flawed. ...

In Proof-of-Approval, there is no slot expiration time deadline. There was deadline in version 1 of the protocol, but not in version 2. A block creator can wait as long as they want to receive approvals to proceed to the next step of publishing approvals. Approvals received too late will be ignored.

Thus the slashing of votes by stake assumed by Proof-of-Approval is fundamentally flawed because it will be ambiguous which were slashed around the time of expiration. ...

Protocol uses the approvals stored inside the blocks that are candidates for the current slot. Parties may be looking at approvals outside of blocks (and storing them locally) in order to prepare for the block creation but the consensus uses only the approvals stored inside blocks.

Perhaps the language in the paper can be improved to avoid such confusion. I assume the rest of the comments in the post relate to the previous set of questions that I answered.
Shunsai

[Traxo]

IOW, single block proposals per slot are a semi-centralized design.

Proof-of-Approval has a limited number (10-50) but > 1 number of block producers per slot. The number is limited only to control the network traffic.

You are quoting out-of-context. Please kindly review the context in which the above quote was written.
@anonymint knows that you currently have multiple block candidates per slot in PoA.
The reference to a single-block candidate per slot was because you must change to a single block candidate to try to fix the vulnerability he explained exists with the multiple block candidates.

This discussion is going become very confusing if quoting and responding out of context.

[shunsaitakahashi]

Traxo,
My apologies - yes discussion can get confusion as I did get confused with that line.
Shunsai

[Traxo]

@anonymint replied:

Within the bounds of stated conditions Proof-of-Approval achieves finality within 1 block.

In all due respect, I presume you have not understood the vulnerability I described which I will quote again for you because AFAICT you have not responded to the specifics of the vulnerability:

The 50%+1 of honest stakeholders are divided to vote on two or more block candidates such that no block attains 50%+1 because the 50%-1 attacker can choose not to vote thus making the chain stuck. [...] So please correct your Medium post which makes that claim in comparison to Ouroboros.

I think you have not yet understood that by not approving (i.e. not voting for) any candidate blocks the attacker can make the chain stuck because the honest stake will become divided-and-conquered by voting on different candidate blocks for the same slot. The vulnerability is a little bit convoluted. Do you understand now?

Thus the math of finality will relate to the relative stake of the honest and attacker and the probability of honest stake being divided on multiple block candidates.

Remember that because you slash (delete) votes for duplicate candidates with different parents, then honest stake cannot vote for all candidates. They must choose. But how can they objectively choose? They can't.

In Proof-of-Approval, there is no slot expiration time deadline. There was deadline in version 1 of the protocol, but not in version 2. A block creator can wait as long as they want to receive approvals to proceed to the next step of publishing approvals. Approvals received too late will be ignored.

Okay thanks for the clarification.

AFAICT, this does not apply to the vulnerability of multiple block candidates dividing the honest vote which I already described, except perhaps to make it worse by proliferating forks.

However, open ended slots and epochs thus make finality indefinite. There is no longer finality within any time limit. So it is deceptive to compare finality by counting blocks when blocks can be indefinitely delayed.

Also how can subsequent blocks and epochs complete when blocks may arrive late at any time in the future? Does that mean many candidate parent forks?

My intuition is afraid this is going to open many attack vectors. But we'll need to analyze in detail.

[shunsaitakahashi]

Hello Traxo and @anonymint,

The 50%+1 of honest stakeholders are divided to vote on two or more block candidates such that no block attains 50%+1 because the 50%-1 attacker can choose not to vote thus making the chain stuck.

Just a few lines before the above sentence, you had quoted from the paper

Approvers are allowed to approve as many blocks as they choose as long as the approved blocks share the same parent. If not, the approvals are considered conflicting and cannot be used.

The honest >50% stake is not divided as you say, since they are allowed to vote for as many of the valid blocks they want with the same ancestry. It is not 1 vote per stake or party, it is multi-vote process. In fact, multiple blocks will get a quorum stake votes and the winner would be the one that got the most stake.

The chain wouldn't get stuck at all.

Regards,
Shunsai

[Traxo]

The honest >50% stake is not divided as you say, since they are allowed to vote for as many of the valid blocks they want with the same ancestry. It is not 1 vote per stake or party, it is multi-vote process. In fact, multiple blocks will get a quorum stake votes and the winner would be the one that got the most stake.

I will repeat what I wrote with emphasis:

Remember that because you slash (delete) votes for duplicate candidates with different parents, then honest stake cannot vote for all candidates. They must choose. But how can they objectively choose? They can't.

It seems your system will not converge on a single fork then. Which is the same as getting stuck.

It is impossible that you have 1 block finality and 50% quorums (in any meaningful definition of 'block'). Breaks the invariants of physics. We will find the flaw.

[shunsaitakahashi]

Hello Traxo and @anonymint,

Remember that because you slash (delete) votes for duplicate candidates with different parents, then honest stake cannot vote for all candidates. They must choose. But how can they objectively choose? They can't.

Paper's sections 2.2.20 and 2.2.22 describe that honest parties choose the parent (whose descendants to approve) as follows
1. Block with the higher approval stake, even to the smallest fractional coins, wins.
2. If the approval stakes match exactly, then the block with fewer approving parties wins. This discourages parties to split their stakes in multiple accounts.
3. If approval stakes match and the number of parties match, the block containing the smallest approval signature wins. While the approval signatures are not manipulatable, a party may benefit by splitting its stake into multiple accounts. But the previous step would discourage such an action.

Since the procedure even includes a tie-breaker, honest parties will choose one parent or the other. The honest stake does not split.

Regards,
Shunsai

[Traxo]

@shunsaitakahashi, AFAICT tie breakers within a fork does not address the situation in which the stake has numerous choices of parent forks to choose from. I think the flaw will have something to do with no definite interval in which blocks can arrive for slots.

I'm afraid we are going to need to sleep and study the paper again and come back with a more detailed explanation. I think we are talking back and forth here and not really understanding each other.

[Traxo]

I received this reply from @anonymint. Note this is corrected from a post made several hours ago by @kennyP which was quickly (within a couple of hours) deleted when @anonymint independently discovered the holistic error in his conceptualization of PoA.
Thanks to @shunsaitakahashi for deleting his reply to that rescinded post, and apologies to him for wasting his time on that rescinded reply.


PoA whitepaper Section 2.1 Summary says:

A network using this protocol publishes blocks periodically at a predefined interval called slot.

“Predefined interval” implies a time interval unless otherwise stated. Yet you wrote in this thread that block approvals never expire because block proposers (aka “creators”) can continue to accept approvals for an indefinite period of time. So I was perplexed what is the meaning of “interval” in this context. But then later on I realized that slots are intended to have an expiration interval which is much longer in duration than the typical block approval completion time. Unfortunately your whitepaper didn’t make this easy for me to grok. I had to reverse engineer this understanding as you will see below as light bulb finally came on in my head as to the holistic design of your system.

I was pondering if you meant that the interval of each slot is measured as one and only one block. And by now I realize that would be an incomplete statement and instead you really mean what I wrote in the above paragraph.

Time is divided into discrete units called slots.

1. Each party in the network has a roughly synchronized clock that indicates the current slot. Any discrepancies between the clocks are significantly smaller than the length of the time represented by a slot.
2. The length of the time represented by a slot is significantly larger than the time needed to transmit messages or blocks from one party to the other.

The item #2 obfuscates that the real point is that the slot time is significantly greater than the typical time to approve a block. That is crucial for forming the Schelling point which makes voting incentives work correctly as I will recapitulate below.

My description of your system below might help others better understand PoA.

Approvers are allowed to approve as many blocks as they choose as long as the approved blocks share the same parent. If not, the approvals are considered conflicting and cannot be used.

Nodes are allowed to approve as many candidate blocks as they choose as long as they share the same parent block. In Figure 3, a node can choose to approve either D by itself or D’ and D" for the slot. But if it were to approve D as well as D’, since those don’t share the same parent, those approvals would be called “conflicted” and are rejected during validation.

The questions I originally had until I finally grokked the holistic design of PoA were as follows. How are conflicting approvals detected if they can arrive at any indefinite time in the future? How can anything ever become final if an attacker withholds a conflicting approval and broadcasts it at some indefinite time in the future? How does the chain determine which broadcast came first since network is not perfectly synchronized? IOW, it seemed to me that PoA would still need an expiration timeout on how long of a wait before the window of conflicting approvals is final. And with an expiration time the PoA design would revert back to the flaws I identified which is the ambiguity around the boundary of an expiration time.

IOW, I intially was stuck on the thought that conflicting approvals is the analogous dilemma as double-spent transactions. I thought you shifted the problem of detecting and preventing double-spent transactions into detecting and preventing double-spent approvals. And thus AFAICT made no actual progress on a viable consensus system. And I originally thought that all that has been accomplished is obfuscation of a flaw in a complex system description.

However, then the holistic understanding finally clicked into my mind as to how the security and game theory works in PoA. So now I will explain my (I am reasonably certain now) correct understanding as follows.

If we can guarantee that all honest approvers will always vote on the same fork (i.e. never vote for candidate blocks with different parents), then at any quorum approval threshold choice above 50%, then assuming the attacker possesses less approval control than the threshold, a conflicting block can’t be produced which ends up with a higher approval at any time in the future. Thus for a 50%+1 quorum, the attacker must possess at least 50%+1 approval control in order to slash 25%+1 with conflicting approvals and approve of the attacking block with attacker’s remaining 25%. In that case, the double-spent block has 25%-1 of the remaining 75%-1 total approval and the attackers winning block has 25% of that 75%-1 total approval. There can’t exist another block that has a higher approval because the attacker controls 50%+1 which was expended.

Increasing the quorum threshold above 50% increases the safety because the attacker will need to control more than the threshold, but it reduces the liveness. For example a 80%+1 quorum, the attacker must possess at least 80%+1 approval control in order to slash 70%+1 with conflicting approvals and approve of the attacking block with attacker’s remaining 10%. In that case, the double-spent block has 10%-1 of the remaining 30%-1 total approval and the attackers block has 10% of that 30%-1 total approval. Liveness is maximized at the 50% quorum threshold because up to 50%-1 of the control can be non-responding.

The incentive mechanism in PoA posits to disincentivize honest approvers from choosing from candidate blocks with different parents. The choice of parent block is apparently dictated by network synchrony in that the live nodes will tend to have a Schelling point around approving all candidate blocks with the parent being the last approved block they saw that had met the quorum threshold. Presuming the slot interval expiration time is much larger than typical time to approve a block, then all or nearly all live nodes should have the same Schelling point choice for parent block. The tie breaker rules in Section 2.2.22 Approval Tie-Breaking Procedure A(·) are employed so that multiple competing approved blocks in a slot have only one Schelling point parent block.

The network synchrony assumption and Schelling point appear to maybe be what differentiates the incentive mechanism in PoA from Byteball’s 100% asynchronous incentive mechanism which allows Byteball to get stuck with competing witness groups even with no 50%+1 attacker. Also I need more study to determine if Byteball could ameloriate additional posited vulnerabilities when the quorum threshold is greater than 50%+1. It was originally (earlier in this thread) my lack of holistic understanding of this PoA incentive mechanism and Schelling point that caused me to believe PoA would also need ⅔ quorums for 100% finality.

Same as for Nakamoto proof-of-work, there’s no Schelling point nor Nash Equilibrium in PoA if the attacker has more than the 50% threshold control. PoA’s rules of conflicting approvals force the honest nodes to accept the attacker’s fork because the attacker records the conflicting approvals in his block that orphans the conflicting block(s). Even the attacker can’t bribe by eliding conflicting approvals of those approvers who defect to his block, because the honest conflicting block will contain the objective evidence of those signed conflicting approvals, which any node can verify thus objectively choosing the honest block as the winner (that is unless the attacker has the sufficient 50%+1 control, in which case the attacker doesn’t need to elide the conflicting approvals).

The 100% finality after one block is dependent on the attacker not having 50%+1 control of live stake. Additionally, not only can live stake be much less than total stake of the money supply, but I earlier in this thread pointed out reasons that stake can be nearly cost-free to obtain and attack with. Also @monsterer2 has pointed out that unlike proof-of-work which burns external resources, it costs nearly nothing ongoing to sustain a 50%+1 stake attack (other than the opportunity cost of holding that stake but the attacker can offset that cost with profits due to attacking, such as taking all the newly minted money supply rewards, double-spending, and/or shorting the token on exchange).

Thus it is disingenuous to compare this claimed one block 100% finality to Nakatomo proof-of-work probabilistic finality. In essense, the finality of PoA is either fragile or dependent on a benevolent attacker (oligarchy) which collects parastic rents in ways other than double-spending. For example, DPoS has elections for the delegate witnesses and to set their compensation. An oligarchy controls the elections and can extract the maximum rents the system can bear. And STEEM (running DPoS) and PoA can enable an oligarchy domination of the newly minted money supply. A 50%+1 attacker in PoA need not double-spend, he can just make sure he only includes his own approvers in blocks so that he takes all the minted tokens for the coin rolls consensus process.

Also there is no way that 100% of the stake will be participating. Thus, no blocks are likely to get 50%+1 approval! Thus the attacker will need much less than 50%+1 of the stake. Thus the presumption of 100% finality is not true in reality unless the system is run by an oligarchy which has 50%+1 of the control, and in which case the oligarchy can revert finality at-will.

In conclusion the major flaw in PoA is that it rewards all the minted money supply to the oligarchy that otherwise hopefully benevolently controls 50%+1 of the stake.

Which is roughly the same outcome as DPoS. And the latency of confirmation and unsharded scalability for PoA is unlikely to be any better than DPoS when they’re both effectively running as (distributed but) entirely centralized oligarchy systems. Since PoA doesn’t currently propose sharding, we’ll not discuss the potential issues with EOS’ (centralized oligarchy) sharding here.

Transactions include hash of a recent block and therefore are “context sensitive”[12]. This prevents transactions from being used in an attack fork.

TaPoS is probably effective against the long-range 50%+1 attacker who had 50%+1 of the stake in the distant past, unless that attacker still maintains 50%+1 of the stake in the present. Because current hodlers of UTXO are unlikely to vote for a fork that has stolen their tokens.

Thus note that if the attacker held for example 80% or 90% of the stake at inception or anytime in the distant past, then the attacker could long-range double-spend 30% or 40% of it and still defeat the TaPoS protection.

Worse yet, much of the stake may not participate in consensus voting and thus the attacker needs much less than 50%+1 of the stake in order to a 50%+1 attack on the consensus approvals. Somehow honest stakeholders must be able to delegate their stake power at all times when they are offline.

So for TaPoS to be effective is highly dependent on a non-manipulated distribution and a healthy uninterrupted market demand for the tokens, so that the normal power-law distribution of wealth with 50% held by the masses holds true. I had explained before this is usually not true in altcoins because of fraud and manipulation, such as issuers buying the ICO from themselves.


Here follows some thoughts I had before I grokked the holistic design of PoA, which have been edited to incorporate my current holistic understanding.

Each node collects approvals of its candidate block and computes its approval stake. Any approval with conflict or zero stake is ignored. If the node’s candidate block’s approval stake exceeds quorum, it broadcasts an approval block to the network.

Before I formed my holistic understanding, I was thinking PoA was designed with a presumption that once a block is broadcasted that it takes precedence to a block that is not yet broadcasted which receives a conflicting approval. But there’s no way to prove which block was broadcasted first without consensus about which block was first. Yet consensus is what PoA is trying to achieve. Thus I thought PoA had a hen-egg dilemma. This is what I referred to in one of my prior posts as quoted below:

Without clock synchronization this is the analogous flaw that I explained is in Ethereum Casper's slashing conceptualization. The conflicting approval can arrive at any time in the future. There’s no objectivity about the end of a slot or epoch unless there’s a consensus that makes the epoch final. And 100% finality requires a permissioned validator set and ⅔ quorums. Time is relative in blockchains.

That is why I wrote I thought we were not understanding each other. I thought you did not fully appreciate the significance of what I wrote before. But now with the holistic understanding of the design, I realize that unless the attacker has a 50%+1 control, then a block with 50%+1 approval is final. But the flaw is that no blocks are likely to get 50%+1 approval without 50%+1 oligarchy in control! Even if you presume multiple completing staking groups vying for mining rewards, the only equilibrium is when they come together to form an oligarchy, because the oligarchy can extract more rents than they can as competing groups. This is a Prisoner’s Dilemma.

A node can broadcast an improved version of its approval block when it receives additional approvals or when it detects approval conflict. Receiving nodes use the approval block with the most stake to create their candidate block for the next slot.

Before I formed my correct holistic understanding, I was thinking but how can the block creators for the next slot decide which approval block has the most stake when that stake can decrease if approval conflict is later detected? And when does the block creator for the next slot begin if the finality of the winning approval block is indefinite and never final? I was incorrectly thinking that the ability to slash conflicting approvals is analogous to the ability to double-spend. That it opens a liveness vulnerability which kills any finality. That it was in essence the point I’ve been making since the prior page of this thread and since 2016.

But then I realized you had side-stepped the valid concerns I had by presuming that nearly 100% of the stake would participating in all approvals. And that is sort of disingenuous assumption and circumvention of the invariants I was holding in my head. Yeah you get your 100% finality in 1 block, but effectively only under oligarchy control of the system. But that is sort of dubious because centralized systems are short-term final and long-term anti-fragile.

When the approvals exceed the required quorum stake, the block creators broadcast the collected approvals to the network.

Again here were more of my (now irrelevant) thoughts before I grokked the holistic design of PoA. How does PoA protocol force them to broadcast at that moment? What if the attacker decides to delay for an indefinite time? How does PoA penalize delays? Incentivizing with the block creation award doesn’t penalize delays because: a) block awards are never final because an attacker can send conflicting approvals at any time later, b) the attacker may not be interested in awards, because he can short the token if he can stall the progress of the chain.

The Theorem 3.2 (Weak Finality and Finality) has a correct but misleading and somewhat irrelevant (but not entirely) proof:

Proof. Theorem 3.1 shows that all honest parties have the common chain prefix for k ≥ 1. Therefore, any transaction in a block buried by one or more blocks is held by all chains of all honest parties. Therefore, any honest party will report that transaction after one or more blocks have been deposited on top of the block containing the target transaction.

The problem is that the finality of a single block may never be achieved without an oligarchy in control but an oligarchy in control breaks the security assumptions. So the problem is that the definition of finality as measured by a single block is not the complete story. Thus the proof is correct but only because it’s framed out-of-context of the flaws which make the proven theorem less relevant.


The significant weakness is the presumption that 100% of the stake will be live. Otherwise the attacker needs much less than 50+%. Also the finality of blocks can”t be attained if there is not 50+% live. So there needs to be a 50+% attacker just for it to become final, unless 50+% of honest stake is always live and always votes correctly.

Problem is that proof-of-stake does not function well without an oligarchy in control. Thus 50+% attack is the norm, not the exception. Normally the oligarchy in control is benevolent in terms of double-spending and extracts their rents via other schemes.

[monsterer2]

Hi Shunsai,

I have some ideas for you which might help your NaS problem. I developed an aborted Proof of Burn concept ages ago(*) which I've recently revisited and it might have some ideas you can use:

This is a brief summary of how it works:

* Participants compete to win block reward by burning stake
* A block can be proposed when burnt stake >= block reward
* Block reward is divided out between all participants in proportion to their burnt amounts

An attacker attempting to dominate the block generation process by proposing a block containing only his burnt stake will always lose out once his block is published, because other participants can propose a better block containing his burnt stake AND their burnt stake. So, at the limit if he burnt the block reward in his private block, what he gets back is less than his burnt stake once he published his block due to the above possibility, so he will lose money this way.

In order to double spend his only option is create a massive chain of private blocks and then submit that later. But, if we instead adopt your slot mechanism, it would be impossible for this attack to succeed because he cannot propose more than 1 block at a time.

We can also employ your double voting exclusion mechanism so that if he burns on two chains at the same time, he will lose his stake completely.

The only major problem I can see here is that there is no objective way to verify a slot and the boundary(s) thereof, so we have history attack problems.

Anyway, hope that gives you some ideas

Cheers, Paul.

edit: I still have an open question raised by shelby, if we're discarding double votes inside a slot, why don't we just do that for double spends and scratch the entire voting process completely? This is due to the subsequent invalidation cascade which would make discarded double spends cost free for the attacker

*) https://bitcointalk.org/index.php?topic=1182677.msg12446394#msg12446394

[d5000]

Hi Shunsai,

thank you for your answer and sorry for the late response. I have been trying to read through the whole discussion between you, monsterer, Traxo/anonymint, and Ix, to understand the potential and possible flaws of the proposed protocol. There are some points that I must re-read to fully grasp them (as I said I'm not really an IT guy, and English is also not my native language).

But generally, I think your proposal is a valid and interesting contribution to the proof-of-stake (or non-proof-of-work) consensus algorithm discussion. It is clear that the Nothing-at-stake problem probably cannot be fully solved without some kind of external resources consumption. But attacks on it can be made harder. Even if PoA is somewhat similar to DPoS as @anonymint notes, it is not fully permissioned (i.e. new validators can always enter, acquiring stake, and don't have to wait for a "voting cycle") so I regard it as an improvement over DPoS. The "oligarchy-rewarding-effect" is, unfortunately, a consequence of all PoS-based protocols I know.

Regarding our discussion about liveness - which in my opinion is the main challenge PoA faces: It's funny that monsterer posted a proof-of-burn-based proposal just yesterday, as I was also about to propose a proof-of-burn-related "expansion" of the protocol which could make history/N@S attacks more difficult and increase liveness. monsterer's proposal looks interesting; I have to analyze it further. I mainly know the Slimcoin protocol (very close to Iain Stewart's original PoB proposal). This protocol is more similar to traditional ("naive") proof of stake - "burners" get a score according to the quantity of burnt coins, and get the possibility to find blocks for a long time (years) - but its consequence is a relatively stable and big validator set, as "burners" will always try to be online to collect rewards because their only chance to get back the burnt stake is in the form of block rewards (it's actually very similar to "extremely long security stake deposits") . And "burners" are likely to be also "stake holders", so the inclusion of PoB would also drive liveness for block approvals - it could be a driving factor to move from the 30% "live stake" of a typical PoS coin to the 50%+ PoA requires.

The drawback of this "naive" proof-of-burn protocol is, however, that you can 51% it relatively cheaply because it's unlikely that more than 10% of the currency's supply is burnt and actively minting at the same time, and it's also vulnerable to most N@S attack variants. But what you could do is to require a minimum quantity of single PoB blocks (never more than one in a row, so 51%ing purely based on PoB becomes impossible) every X slots. Even then, the liveness-boosting effect should be achieved, and an attacker would have to care about additional double spends to create the proof-of-burn blocks he needs.

[Traxo]

Even if PoA is somewhat similar to DPoS as @anonymint notes, it is not fully permissioned (i.e. new validators can always enter, acquiring stake, and don't have to wait for a "voting cycle") so I regard it as an improvement over DPoS.

My understanding and presumption based on the mentions in the whitepaper is that PoA necessarily requires that the stake ownership and newly minted stake change slowly because otherwise presumably the proofs of conflicting approvals by way of public-key signatures would not protect against the double-spending of approvals on conflicting parent blocks. Tangentially note again from my prior post that the protection is only valid if there’s no 50%+1 (aka 50+%) attacker.

Thus AFAICT in essence it’s also a permissioned system wherein if the 50% liveness threshold is exceeded then the chain becomes stuck and there’s no way for it to move forward. Even disregarding the slow moving stake change requirement, note a 50+% attacker could indefinitely stall the consensus because he can prevent 50+% approvals (i.e. approved blocks) from being obtained. The time intervals for slots are only for forming the Schelling point on approvals around the latest slot that had an approved block, can’t be a permissionless means of transitioning to a new set of approvers, because there’s no objectivity about such passage of time if no blocks have been approved in those slots. That would be a flaw in the design if that is being proposed. Stake can’t change without block approvals so I presume that isn’t being proposed.

(Btw, this is a point that really irritates me about Dan Larimer because he tries to claim that DPoS can just replace the non-responding witnesses if the liveness is exceeded by allowing the responding witnesses to vote on the new replacements, but that breaks the math on Byzantine agreement because the old witness can be lying in wait and release a conflicting fork)


Thus if the above is correct, then we can only claim PoA is less permissioned in the sense that all of the static stake can participate. But it’s not permissionless like proof-of-work where new external resources can participate without any permission. This is why proof-of-work can never get stuck and has no liveness threshold. The only analogy to a liveness threshold in proof-of-work is that a 50+% attacker can censor transactions but can’t stop the chain from producing blocks and moving forward (well perhaps an attacker could subdivide the chain into many forks to stop finality of consensus).

My definition of permissionless in this context is that the existing stakeholders can’t stop new outside resources from coming onboard to unstuck the chain. In that case, I think PoA is not permissionless. Others may define permissionless to be the likelihood that an attacker can take control and censor transactions.

I understand you are wanting to draw a distinction from DPoS’ election process which is inherently advantageous for an attacker who has less than 50+% of the stake, because most of the stake doesn’t vote in elections, and because the honest stake trusts only themselves or close friends so they often divide-and-conquer their votes on many delegate candidates they know well who do not get elected.

So PoA doesn’t have these undesireable delegation elections, but instead has virtually implausible liveness unless a vested oligarghy is involved to always be online and prevent the chain from becoming stuck.

Regarding our discussion about liveness - which in my opinion is the main challenge PoA faces

I agree that if somehow the liveness issue could be improved, then that would be a notable advantage over DPoS. I believe in even Ouroboros has a delegated mode because it also otherwise requires 50+% of the stake to live always. Perhaps PoA is superior to Ouroboros because Ouroboros has the same liveness issue but has only probabilistic confirmation whereas PoA has 1 block confirmation if not under 50+% attack? I need to check into that and correct prior misstatements if so.

And "burners" are likely to be also "stake holders", so the inclusion of PoB would also drive liveness for block approvals - it could be a driving factor to move from the 30% "live stake" of a typical PoS coin to the 50%+ PoA requires.

I think the burning needs to be lossy so that an attacker can’t get back all he burns (to mitigate the issue I discuss below). But then would anyone be motivated to burn? A lottery effect is needed but that usually only works on irrational people, not the astute businessminded who would remain online always.


However I disagree that the liveness issue is the only main challenge...

The "oligarchy-rewarding-effect" is, unfortunately, a consequence of all PoS-based protocols I know.

The block rewards in PoA incentivize the existence of a 50+% attacker to exist even if that attacker only uses that control to take all the block rewards for himself and not to double-spend. Remember unlike proof-of-work, there’s no cost to doing an attack once the stake is obtained and stake can be obtained at low cost. The problem is that attacker then exists and can at any time do censorship and double-spends. So it is inherently not permissionless and trustless. However, in the end-game proof-of-work must be run by an oligarchy also. Proof-of-work is a transition scheme to centralized global order, not a permanent decentralization.

We can also employ your double voting exclusion mechanism so that if he burns on two chains at the same time, he will lose his stake completely.

Burning has no well defined total burn, so the Byzantine agreement math I explained can’t be applied. You would need at least 50+% of total possible burn in order to declare finality of approval, in order to slash the double-voting of burns (for burns acting as approvals).

Burning can only function in a probabilistic finality analogous to proof-of-work. Yet without the all the positive attributes. Doesn’t burn an external resource, isn’t permissionless as I defined it above, and apparently doesn’t really solving the N@S issue.

@d5000 instead appears to be proposing burning as a means of incentivizing more of the stake to be online to try to address PoA’s liveness weakness.

[shunsaitakahashi]

Hello Traxo and @anonymint,

I must admit that language and writing have never been my forte and the paper can benefit from improved writing . And I do appreciate your writing of the alternate summary + explanation which would definitely help.

Good summary of approval process in PoA:

If we can guarantee that all honest approvers will always vote on the same fork (i.e. never vote for candidate blocks with different parents), then at any quorum approval threshold choice above 50%, then assuming the attacker possesses less approval control than the threshold, a conflicting block can’t be produced which ends up with a higher approval at any time in the future. Thus for a 50%+1 quorum, the attacker must possess at least 50%+1 approval control in order to slash 25%+1 with conflicting approvals and approve of the attacking block with attacker’s remaining 25%. In that case, the double-spent block has 25%-1 of the remaining 75%-1 total approval and the attackers winning block has 25% of that 75%-1 total approval. There can’t exist another block that has a higher approval because the attacker controls 50%+1 which was expended.

Increasing the quorum threshold above 50% increases the safety because the attacker will need to control more than the threshold, but it reduces the liveness. For example a 80%+1 quorum, the attacker must possess at least 80%+1 approval control in order to slash 70%+1 with conflicting approvals and approve of the attacking block with attacker’s remaining 10%. In that case, the double-spent block has 10%-1 of the remaining 30%-1 total approval and the attackers block has 10% of that 30%-1 total approval. Liveness is maximized at the 50% quorum threshold because up to 50%-1 of the control can be non-responding.

The incentive mechanism in PoA posits to disincentivize honest approvers from choosing from candidate blocks with different parents. The choice of parent block is apparently dictated by network synchrony in that the live nodes will tend to have a Schelling point around approving all candidate blocks with the parent being the last approved block they saw that had met the quorum threshold. Presuming the slot interval expiration time is much larger than typical time to approve a block, then all or nearly all live nodes should have the same Schelling point choice for parent block. The tie breaker rules in Section 2.2.22 Approval Tie-Breaking Procedure A(·) are employed so that multiple competing approved blocks in a slot have only one Schelling point parent block.

The network synchrony assumption and Schelling point appear to maybe be what differentiates the incentive mechanism in PoA from Byteball’s 100% asynchronous incentive mechanism which allows Byteball to get stuck with competing witness groups even with no 50%+1 attacker. Also I need more study to determine if Byteball could ameloriate additional posited vulnerabilities when the quorum threshold is greater than 50%+1. It was originally (earlier in this thread) my lack of holistic understanding of this PoA incentive mechanism and Schelling point that caused me to believe PoA would also need ⅔ quorums for 100% finality.

Same as for Nakamoto proof-of-work, there’s no Schelling point nor Nash Equilibrium in PoA if the attacker has more than the 50% threshold control. PoA’s rules of conflicting approvals force the honest nodes to accept the attacker’s fork because the attacker records the conflicting approvals in his block that orphans the conflicting block(s). Even the attacker can’t bribe by eliding conflicting approvals of those approvers who defect to his block, because the honest conflicting block will contain the objective evidence of those signed conflicting approvals, which any node can verify thus objectively choosing the honest block as the winner (that is unless the attacker has the sufficient 50%+1 control, in which case the attacker doesn’t need to elide the conflicting approvals).

The 100% finality after one block is dependent on the attacker not having 50%+1 control of live stake.

Correction, the assumption is that attacker has <50% (more accurately <(ρ − δ − νc − νa − νe)) of the total stake.

The 100% finality after one block is dependent on the attacker not having 50%+1 control of live stake. Additionally, not only can live stake be much less than total stake of the money supply, but I earlier in this thread pointed out reasons that stake can be nearly cost-free to obtain and attack with. Also @monsterer2 has pointed out that unlike proof-of-work which burns external resources, it costs nearly nothing ongoing to sustain a 50%+1 stake attack (other than the opportunity cost of holding that stake but the attacker can offset that cost with profits due to attacking, such as taking all the newly minted money supply rewards, double-spending, and/or shorting the token on exchange).

Thus it is disingenuous to compare this claimed one block 100% finality to Nakatomo proof-of-work probabilistic finality. In essense, the finality of PoA is either fragile or dependent on a benevolent attacker (oligarchy) which collects parastic rents in ways other than double-spending. For example, DPoS has elections for the delegate witnesses and to set their compensation. An oligarchy controls the elections and can extract the maximum rents the system can bear. And STEEM (running DPoS) and PoA can enable an oligarchy domination of the newly minted money supply. A 50%+1 attacker in PoA need not double-spend, he can just make sure he only includes his own approvers in blocks so that he takes all the minted tokens for the coin rolls consensus process.

Also there is no way that 100% of the stake will be participating. Thus, no blocks are likely to get 50%+1 approval! Thus the attacker will need much less than 50%+1 of the stake. Thus the presumption of 100% finality is not true in reality unless the system is run by an oligarchy which has 50%+1 of the control, and in which case the oligarchy can revert finality at-will.

The protocol desires that 50%+1 stake be online all the time. (If not, slots would be missing blocks.) The only way to achieve 50%+1 stake to be online is to have that stake in cloud. The PoA incentivizes all larger stakeholders to move to cloud through block rewards. (Block rewards would be difficult to receive without node being hosted in cloud.) If the parties are rational and the incentive exceeds the cost (of moving to cloud), then a quorum stake would likely be online all the time. The cost of cloud hosting at this time can be as low as $5-10/month (https://www.digitalocean.com/pricing/).

Note that this situation is completely different from PoW protocols. In PoW, a large mining equipment is typically housed on premises of the owner and the communication latency and speed are not relevant for the rewards. Such large mining equipment couldn't be hosted in cloud or would cost a prohibitive amount. In PoA, on the other hand, a computation node with low latency and high speed wins the most rewards. A much larger computation node is unlikely to win additional rewards. The PoA tradeoff are completely different from PoW.

Due to these different tradeoffs (compared to PoW) and block rewards, I do expect most larger stakeholders to operate on cloud and be available for block approvals.

In conclusion the major flaw in PoA is that it rewards all the minted money supply to the oligarchy that otherwise hopefully benevolently controls 50%+1 of the stake.

That is correct. To my understanding, that is the basis of Proof-of-Stake.

Thus note that if the attacker held 80 or 90% of the stake at inception or anytime in the distant past, then the attacker could long-range double-spend 30 or 40% of it and still defeat the TaPoS protection.

Long rage history attack defense uses more than just TaPoS, it uses epoch and block approvals. It can be argued that TaPoS is not even needed for PoA since epoch approvals are likely to cover a large percentage of stake in the transactions.

But then I realized you had side-stepped the valid concerns I had by presuming that nearly 100% of the stake would participating in all approvals. And that is sort of disingenuous assumption and circumvention of the invariants I was holding in my head. Yeah you get your 100% finality in 1 block, but effectively only under oligarchy control of the system. But that is sort of dubious because centralized systems are short-term final and long-term anti-fragile.

PoA expect near all stake participation in epoch approvals but not in block approvals. Epoch are expected to be 3+ order of magnitude larger than slots to achieve such a high participation.

PoA expects block approval rewards to be large enough that a single roll owner would benefit from moving to cloud. Therefore, most of stakeholders owning larger stake than a roll would likely move to cloud. Assuming a Pareto like distribution, that should constitute >50% stake online to approval blocks.

The conditions to make online stake smaller than quorum would be (failure conditions)
1. Stake distribution is too uniform. In that case, the incentive provided by block rewards may not cover cloud hosting cost.
2. Parties are not rational.
3. The block reward is too small to cover cloud hosting cost. In that case, the reward would have to be increased.

The Theorem 3.2 (Weak Finality and Finality) has a correct but misleading and irrelevant proof:

Proof. Theorem 3.1 shows that all honest parties have the common chain prefix for k ≥ 1. Therefore, any transaction in a block buried by one or more blocks is held by all chains of all honest parties. Therefore, any honest party will report that transaction after one or more blocks have been deposited on top of the block containing the target transaction.

The problem is that the finality of a single block may never be achieved without an oligarchy in control but an oligarchy in control breaks the security assumptions. So the problem is that the definition of finality as measured by a single block is not the complete story. Thus the proof is correct but only because it’s framed out-of-context of the flaws which make the proven theorem less relevant.

Explanation above applies here. Under the rationality and stake distribution assumption in the paper, the theorem is correct and relevant.

Another summary: The significant weakness is the presumption that 100% of the stake will be live. Otherwise the attacker needs much less than 50+%. Also the finality of blocks can”t be attained if there is not 50+% live. So there needs to be a 50+% attacker just for it to become final, unless 50+% of stake is always live and always votes correctly.

Online stake requirement (for liveness) is only >50% not 100% and the attacker still needs more than (ρ − δ − νc − νa − νe) stake to be able to win. Blocks containing approvals below quorum are simply invalid. Attacker can own the stake for approving invalid blocks or bribe other stakeholders. Either way, the attacker needs to control an amount > (ρ − δ − νc − νa − νe) to win.

Regards,
Shunsai

[shunsaitakahashi]

Hello Paul,

I have some ideas for you which might help your NaS problem. I developed an aborted Proof of Burn concept ages ago(*) which I've recently revisited and it might have some ideas you can use:

This is a brief summary of how it works:

* Participants compete to win block reward by burning stake
* A block can be proposed when burnt stake >= block reward
* Block reward is divided out between all participants in proportion to their burnt amounts

An attacker attempting to dominate the block generation process by proposing a block containing only his burnt stake will always lose out once his block is published, because other participants can propose a better block containing his burnt stake AND their burnt stake. So, at the limit if he burnt the block reward in his private block, what he gets back is less than his burnt stake once he published his block due to the above possibility, so he will lose money this way.

In order to double spend his only option is create a massive chain of private blocks and then submit that later. But, if we instead adopt your slot mechanism, it would be impossible for this attack to succeed because he cannot propose more than 1 block at a time.

We can also employ your double voting exclusion mechanism so that if he burns on two chains at the same time, he will lose his stake completely.

The only major problem I can see here is that there is no objective way to verify a slot and the boundary(s) thereof, so we have history attack problems.

Thanks for pointing it out! I have yet to fully grasp "burning" and its implications. Therefore, I need to think about it to make a half way intelligent comment on it .

edit: I still have an open question raised by shelby, if we're discarding double votes inside a slot, why don't we just do that for double spends and scratch the entire voting process completely? This is due to the subsequent invalidation cascade which would make discarded double spends cost free for the attacker

I think what you are referring to conflicting approvals that come after a block has been placed in chain. Let's use this example of two forks separated from block D.

Code:

A B C D E F G H I J
        P Q R S T U

If there are no epochs (which are not shared) in the competing forks, the preferred fork determination procedure chooses the fork with head block containing the largest approvals. If a party were to approve block E (and the approval is stored in F) and later he decides to create a conflicting approval (for some block X not shown) in an attempt to nullify his approval for E so that his attack chain (PQRSTU) can win, that approval (for X not shown) would have no effect. The fork selection procedure would compare approvals stored inside J and U. The fork with higher stored approval wins.

Regards,
Shunsai

[Traxo]

The 100% finality after one block is dependent on the attacker not having 50%+1 control of live stake.

Correction, the assumption is that attacker has <50% (more accurately <(ρ − δ − νc − νa − νe)) of the total stake.

Actually I had asked Traxo to remove the ‘live’ then I rescinded because I was too sleepy (forehead on keyboard) to think it through. Then I forgot to come back to it.

So thinking it through now, the 50+% (aka 50%+1) threshold has to be attained for a block to be approved and proposed to be final which is what dictates the liveness issue as well, but that doesn’t guarantee all the stake is available live. Yet you’re correct that the attacker still needs to slash 25+% and have another 25% in reserve to double-spend with regardless. The decreasing amount of participation doesn’t reduce the safety. So I stand corrected on that point.

Note for readers, that your precise percentage factors in the amount of stake that is allowed to change in each slot, which is a point I mentioned in my prior post (in the part about permissioned versus permissionless). That’s why it is slightly less than 50%.

Due to these different tradeoffs (compared to PoW) and block rewards, I do expect most larger stakeholders to operate on cloud and be available for block approvals.

That is an interesting coherent point-of-view. I did argue in this thread that will become an oligarchy because there is more profit to be made from an oligarchy that can extract maximum transaction fees. You haven’t yet explained how you can prevent transaction spam without fees. However, in your defense see the comment in my prior post where I link to a detailed explanation how proof-of-work also MUST become an oligarchy:

However, in the end-game proof-of-work must be run by an oligarchy also. Proof-of-work is a transition scheme to centralized global order, not a permanent decentralization.

Have you considered allowing stakeholders to delegate their approval voting powers to other stakeholders, so they can rent it out? I think that would help you achieve near 100% liveness, especially if you could make it the default and automate it somehow.

Then you could consider increasing the safety to 67% from 50%.

Long rage history attack defense uses more than just TaPoS, it uses epoch and block approvals. It can be argued that TaPoS is not even needed for PoA since epoch approvals are likely to cover a large percentage of stake in the transactions.

Correction. The TaPoS is necessary so that the long-range attacker can’t rewrite the chain keeping most of the transactions but double-spending a minority of them. This prevents the divide-and-conquer strategy. With TaPoS, the attacker must take all of the history and can’t chop it up. @anonymint recently wrote a reply to Vitalik about this point.

PoA expect near all stake participation in epoch approvals but not in block approvals. Epoch are expected to be 3+ order of magnitude larger than slots to achieve such a high participation.

I still can’t grok that section of the whitepaper. What do you think is different about epochs that would increase participation? Anyway, maybe my idea above is better?

2. Parties are not rational.

They can be entirely rational. Their opportunity cost can be too high. We don’t have time to do everything in life. We must choose priorities. Small stake rewards is a low priority.

Explanation above applies here. Under the rationality and stake distribution assumption in the paper, the theorem is correct and relevant.

Okay maybe it becomes more relevant in light of this discussion now.

Online stake requirement (for liveness) is only >50% not 100%

Yeah that is a repeat of the error that I conceded at the top of this reply. All instances of that misstatement will be corrected.

[d5000]

Hi Traxo,

Thus if the above is correct, then we can only claim PoA is less permissioned in the sense that all of the static stake can participate. But it’s not permissionless like proof-of-work where new external resources can participate without any permission.[...]My definition of permissionless in this context is that the existing stakeholders can’t stop new outside resources from coming onboard to unstuck the chain. In that case, I think PoA is not permissionless.

Yes, there is some ambiguity about what "permissionless" means, and in general terms I support your definition. But working Proof-of-stake currencies always offer a market (otherwise they weren't currencies) where units can be traded to goods or other currencies or tokens, so in practical terms it cannot be avoided by the stakeholders that other people enter the system and become part of the validator (in this case, of the approvers) set. You are correctly pointing out that the requirement to move stake slowly means that the process is restricted. This would, however, only affect whales wanting to become part of the validator set fastly, the average user (and the average stakeholder) shouldn't be affected as the market will continue to move.

I understand you are wanting to draw a distinction from DPoS’ election process which is inherently advantageous for an attacker who has less than 50+% of the stake, because most of the stake doesn’t vote in elections, and because the honest stake trusts only themselves or close friends so they often divide-and-conquer their votes on many delegate candidates they know well who do not get elected. 

So PoA doesn’t have these undesireable delegation elections, but instead has virtually implausible liveness unless a vested oligarghy is involved to always be online and prevent the chain from becoming stuck.

That's why I wrote "not fully permissioned" - in DPoS, depending on the amount of validators, a group of whales can easily obtain total control of the validator elections, while in PoA this kind of control seems theoretically possible, but very impractical - if the liveness problem can be solved. It would need a very big group (supermajority) of colluding whales to seriously restrict newcomers being part of it.

I think the burning needs to be lossy so that an attacker can’t get back all he burns (to mitigate the issue I discuss below).

I don't understand fully - if burning is only a complement of an otherwise PoS-based algorithm which has the main goal to improve liveness then I see no problem here. The necessary rule for that is that never two PoB blocks are allowed in a row, so a "PoB-only" attacker could only trick users into a double spend that wait for one single confirmation, otherwise he must obtain a majority of the stake. In this case, in PoA, the "one-block-finality" rule would have to be modified to "one-PoA-block-finality" as PoB, as you correctly write, cannot achieve 100% finality.

[d5000]

If 50% of the state becomes non-responding, then the chain can be stuck forever. No transactions will be confirmed. And thus no stake can change, not even slowly.
[...]
The accumulated lost keys over time is serious problem that needs some solution.

OK, I overlooked that problem. You're totally right that this makes the liveness problem more severe, and I agree that in this case we would very likely need a distinction between the validator set and the total "currency-holder" set.

I seem to strongly disagree with your characterization of reality. Why do you think it is impractical for an attacker to obtain 50+% of the stake?

My argumentation in this case is based on the assumption of a mature and relatively well-distributed currency with some actual real usage, at least as much as our current Bitcoin, not like an "average altcoin". You're totally right that in most current altcoins, and more so in new ones, it's relatively easy to get a high stake participation. (That's also why I'm becoming increasingly critical to ICO-distributed cryptocurrencies, and why I started this thread for example [which got buried instantly by spam, obviously].) But in a mature currency it should be very hard to get even 25%.

All cryptocurrencies have to begin at some point and so in its early phase they will be weak to attacks if using pure PoS. In my opinion, a prolonged proof-of-work phase is the way to go for current altcoins if they want to achieve some resistance to 50+1% stake attacks, if no new ideas are found for this problem. It has to be noted that a PoW phase doesn't solve everything because mining could also be centralized (e.g. like in Steem's PoW phase) and PoW 51% attacks are also not totally uncommon as we saw recently. But for now we have nothing better, afaik.

So in general terms I think we're not so much in disagreement in this point.

Firstly, my underlying point is that if PoA is 50+% attacked normally, then the attacker will also be receiving all the burned rewards. So I wanted to find a way to reduce the rewards that a 50+% attacker receives. Secondly, given that PoB can’t be 100% final, then there’s no Schelling point for the PoA block to base on, which thus breaks the game theory that I explained allows PoA to presume that all honest approvers will vote for the same parent block. In short, your idea breaks PoA. Can’t work. Let me know if I need to explain that in more detail?

I think I understand - we would be mixing a system with probabilistic finality and a system that relies on 100% finality of every block, is that right? I'll think a bit about it and try to re-read the related points in the discussion (a problem for me is that it is advancing pretty fast ...).

[Ix]

The accumulated lost keys over time is serious problem that needs some solution. That is another reason I am proposing that stake needs to opt in to participation with an extended waiting period before becoming eligible to send approvals and becomes ineligible if not participating for an extended period of time. Then must opt-in again with another extended waiting period. Note @Ix’s Decrits suggestion of having stakeholders sign their election to become eligible and reference the parent block (i.e. TaPoS) so they can’t later issue a long-range attack from a different block without having an objectively signed conflicting election, seems to be not effective because a long-range attack could generate different public keys for stake starting from a point further back in chain time.

To clarify: the security of my idea is derived from the fact that if *any* of the stakes are honest at the start of a long-range attack, the attacker can't "sign them out" (the same process for leaving as joining) so the client can detect that one network has 100% availability and the malicious would have 99% or whatever. It doesn't matter what they do with their own stakes or how many fake stakes they create. However, if they were to buy the now-defunct private keys of stakeholders that have since signed out they could achieve this attack, but they would have to buy every single one. But it is possible to thwart this attack with very simple checkpoints long in the past. At some point after network ubiquity, it would be highly improbable to ever be able to execute such an attack even if the checkpoint is never updated again (presuming the signature scheme remains unbroken).