Guard against 51% attack?

[TierNolan]

If you're willing to accept a system who's "consensus" is determined by some guy's cryptographic signature fiat you can build something _far_ more efficient than a Bitcoin like system.

Again, the checkpoint is a once off thing.  Once passed, it is part of the protocol.

[oakpacific]

Then there must also be some authoritative, central places for distributing the client as well, these sites have to stay up and running as long as the network is, when billions of dollars are at stake or the governments get involved I don't think they will hold up so well.

That is true for bitcoin too.  The point of signing the checkpoint is so that v1.0 clients will accept blocks after the checkpoint time.

The software could simply be set to refuse to accept new blocks after a certain height.  This would fork everyone to update at the same time, which has security implications.  

There is no difference between having the dev sign a new client and simply sign the checkpoint.  Signing the checkpoint used up much less bandwidth.

Once the checkpoint has been passed, all clients, from the original dev or others, will simply hardcode the same checkpoint for the 50,000th block.

The checkpoint is part of the protocol.

What would happen to me if I have a possibly tampered Bitcoin client and a network with more malicious nodes than honest ones? I can always only give the client only the key for a test address, with a very small balance(which I got for free, say from a faucet) for a test transaction, then I will check all possible third-party soruces for the newest raw blocks(e.g., blockexplorer.com) if my transaction is mined, and have them verified locally using a random SHA256 implementation to see if these blocks truly meet a certain difficulty target. If they collaborate against me then it's not going to pass, if not then I have the real newest blocks and I can tell which nodes are honest to me, the worst outcome is I will lose my test coins.

If I use a PoS coin, then if I have more bad nodes then good in the network, a possibly tampered client, and all third-party sources collaborating against me I probably have no way to tell if I am getting the right chain, after all the first 50,000 PoW blocks are easy to forge after a few years with Moore's law.

Also with PoS what's really important is only the developer's signature, however many people you have to sign the checkpoint it's only the client signature validating them to be true.

[TierNolan]

What would happen to me if I have a possibly tampered Bitcoin client and a network with more malicious nodes than honest ones?

This would count as forking the chain.  A normal/honest client simply wouldn't accept any chain other than the one with the official checkpoint.

Also with PoS what's really important is only the developer's signature, however many people you have to sign the checkpoint it's only the client signature validating them to be true.

Again, the signature for the checkpoint was just a convenience.  It just saved downloading an updated client.

A better way to think about it is that there are 2 clients.

The "beta" client is a POW based client, but it won't accept any blocks after 70000.

Once 60000 blocks have been found, then 50000th block becomes locked in and a brand new "release" client is created.  

The new client has the 50000th checkpoint hardcoded.  This is no less vulnerable than bitcoin, which has the genesis block hardcoded.

If someone sends you a client with a fake genesis block, then you will mine on their (fake) bitcoin chain too.

The only POS coin running at the moment has a developer based checkpoint system to prevent roll back, but that isn't strictly required.

[oakpacific]

What would happen to me if I have a possibly tampered Bitcoin client and a network with more malicious nodes than honest ones?

This would count as forking the chain.  A normal/honest client simply wouldn't accept any chain other than the one with the official checkpoint.

Also with PoS what's really important is only the developer's signature, however many people you have to sign the checkpoint it's only the client signature validating them to be true.

Again, the signature for the checkpoint was just a convenience.  It just saved downloading an updated client.

A better way to think about it is that there are 2 clients.

The "beta" client is a POW based client, but it won't accept any blocks after 70000.

Once 60000 blocks have been found, then 50000th block becomes locked in and a brand new "release" client is created.  

The new client has the 50000th checkpoint hardcoded.  This is no less vulnerable than bitcoin, which has the genesis block hardcoded.

If someone sends you a client with a fake genesis block, then you will mine on their (fake) bitcoin chain too.

The only POS coin running at the moment has a developer based checkpoint system to prevent roll back, but that isn't strictly required.

They could certainly send me a fake chain, but it would took them more than millions to convince me if I simply check the difficulty. The whole point of Bitcoin as stated in Satoshi's paper is voting by IP doesn't work, malicious nodes shouldn't win just by numbers.

[frobley]

they could easily increase their fees to lose a few miners, but no....

[TierNolan]

They could certainly send me a fake chain, but it would took them more than millions to convince me if I simply check the difficulty. The whole point of Bitcoin as stated in Satoshi's paper is voting by IP doesn't work, malicious nodes shouldn't win just by numbers.

To send a fake POS chain, they need to control more than half of the stake from before the lock-in.

The point of the POW stage is to make sure that this is well distributed.

Obtaining the POS coins would be made harder, since a lot of the owners of that stake would no longer be on the network and/or would have lost their keys.

The devil is in the details though and PPCoin is the only attempt to do it and that isn't a pure POS coin.

[porcupine87]

they could easily increase their fees to lose a few miners, but no....

This would be the best solution. CEX.io said, they have no interest in getting the 50%, because then Bitcoin would be in danger and they would not want that. So why they don't just raise the fees until they get back to 30% (or whatever might be tolerable)

[oakpacific]

They could certainly send me a fake chain, but it would took them more than millions to convince me if I simply check the difficulty. The whole point of Bitcoin as stated in Satoshi's paper is voting by IP doesn't work, malicious nodes shouldn't win just by numbers.

To send a fake POS chain, they need to control more than half of the stake from before the lock-in.

The point of the POW stage is to make sure that this is well distributed.

Obtaining the POS coins would be made harder, since a lot of the owners of that stake would no longer be on the network and/or would have lost their keys.

The devil is in the details though and PPCoin is the only attempt to do it and that isn't a pure POS coin.

The POW blocks can still be faked, I am able to mine the first 50,000 Bitcoin blocks in a matter of days using my hardware, in fact, one KnC miner equals the total hashpower of the network in the spring of 2011, other than that it's just a problem of faking the signatures.

[oakpacific]

Can we possibly just make it tweakable for the miners to not accept sudden reorg involving large number of blocks? Even those who have vast mining resources at their whim should know to deploy them gradually, so as to not 51% attack the network.

[CatCoin]

Greed seems to have created an uphill battle that I'm not sure crypto can win in current form.  I really hope I'm wrong, but until shady pools catering to greedy miners and botnets are dealt with somehow, things are probably going to get a lot worse before they get any better.

Saving 2% in fees might end up costing people a hell of a lot more than 2% in the end.  In fact, since the scumbags on the exchanges have already started to use 51% fear to try to cause the price of BTC to crash, it already has.

[TierNolan]

Can we possibly just make it tweakable for the miners to not accept sudden reorg involving large number of blocks?

That doesn't work.  The point is that a new user must be able to tell which chain is the correct one.

Clients could be programmed to give a big warning if a massive re-org happens.  That would help protect them in the short term.

Even those who have vast mining resources at their whim should know to deploy them gradually, so as to not 51% attack the network.

When a 51% attack happens, even if 100% of the rest of the miners agree, they can't displace the alternative fork.

[oakpacific]

Can we possibly just make it tweakable for the miners to not accept sudden reorg involving large number of blocks?

That doesn't work.  The point is that a new user must be able to tell which chain is the correct one.

Clients could be programmed to give a big warning if a massive re-org happens.  That would help protect them in the short term.

Even those who have vast mining resources at their whim should know to deploy them gradually, so as to not 51% attack the network.

When a 51% attack happens, even if 100% of the rest of the miners agree, they can't displace the alternative fork.

I intend to mean both methods combined, the miners may have to give in in the end, but there will be a period during which all operations are suspended pending further information. Also for an old user telling which chain is the one being attacked is much easier, new users will just be given the warning.

[TierNolan]

I intend to mean both methods combined, the miners may have to give in in the end, but there will be a period during which all operations are suspended pending further information. Also for an old user telling which chain is the one being attacked is much easier, new users will just be given the warning.

That came up at the last fork discussions.  I think broadcasting all headers that have POW similar to the leaf of the chain would be helpful in providing everyone info about the state of the system.

If there was a fork, clients would have to verify that your transaction was present in both forks for at least 6 confirms before saying things were ok.

Alternatively, the client just prints a massive warning.  This "emergency" state is provable to new nodes that connect, but they won't be able to tell which is the "true" chain.