Security analysis of PoW/PoS hybrids with low PoW reward

[rat4]

Security analysis of PoW/PoS hybrids with low PoW reward

Low PoW reward doesn't attract miners. This leads to ridiculously low PoW difficulty.

A pair of examples:
Mintcoin scrypt diff 0.1 (vs Litecoin 5677)
SHACoin sha256 diff 1427 (vs Bitcoin 5006860589)

At such difficulty PoW blocks can be mined with speed of light.

Attack I

It is possible to build sequential chain of PoW blocks to confirm a transaction. Only 4 blocks for Mintcoin and 10 for SHACoin.

Is it hard to orphan the chain of PoW blocks?
One PoS block is enough. In both Mintcoin and SHACoin one PoS block may orphan a few millions of PoW blocks.
If at the same time the main chain will get a competing stake, attacker's chain can be enlarged with PoW.
This dramatically increases chance to success in comparison to pure PoW attack.

Ability to confirm a transaction and then orphan confirmations is ability to double spend.

Summary: double spend attack requires 1 PoS block and low hashing power.

Visualization: https://i.imgur.com/Pyrw75q.png

Attack II

Current implementation of stake miner gives up if median time of last blocks is in future.
This temporarily makes the whole network PoW-only and opens well known 51% PoW attack.

Attacker needs only 6 of 11 last blocks.

Successfully tested on Mintcoin: no PoS blocks from 203231 up to 203441, more than 1 hour of real time.

[sixteendigits]

Where is Sunny King?  I will take this as nothing more than FUD until the godfather weighs in.

[futile-resistance]

Security analysis of PoW/PoS hybrids with low PoW reward

Low PoW reward doesn't attract miners. This leads to ridiculously low PoW difficulty.

A pair of examples:
Mintcoin scrypt diff 0.1 (vs Litecoin 5677)
SHACoin sha256 diff 1427 (vs Bitcoin 5006860589)

At such difficulty a sequential chain of PoW blocks can be mined in a flash.
Even long enough to confirm a transaction. Only 4 blocks for Mintcoin and 10 for SHACoin.

Is it hard to orphan the chain of PoW blocks?
One PoS block is enough. In both Mintcoin and SHACoin one PoS block may orphan a few millions of PoW blocks.
If at the same time the main chain will get a competing stake, attacker's chain can be enlarged with PoW.
This dramatically increases chance to success in comparison to pure PoW attack.

Ability to confirm a transaction and then orphan confirmations is ability to double spend.

Summary: double spend attack requires 1 PoS block and low hashing power.

Visualization: https://i.imgur.com/Pyrw75q.png

Can anyone test or confirm?

[emelac]

I was wondering if there have been any successful PoS attacks yet. PoS is new to me.

[Zzzack]

Security analysis of PoW/PoS hybrids with low PoW reward

Low PoW reward doesn't attract miners. This leads to ridiculously low PoW difficulty.

A pair of examples:
Mintcoin scrypt diff 0.1 (vs Litecoin 5677)
SHACoin sha256 diff 1427 (vs Bitcoin 5006860589)

At such difficulty a sequential chain of PoW blocks can be mined in a flash.
Even long enough to confirm a transaction. Only 4 blocks for Mintcoin and 10 for SHACoin.

Is it hard to orphan the chain of PoW blocks?
One PoS block is enough. In both Mintcoin and SHACoin one PoS block may orphan a few millions of PoW blocks.
If at the same time the main chain will get a competing stake, attacker's chain can be enlarged with PoW.
This dramatically increases chance to success in comparison to pure PoW attack.

Ability to confirm a transaction and then orphan confirmations is ability to double spend.

Summary: double spend attack requires 1 PoS block and low hashing power.

Visualization: https://i.imgur.com/Pyrw75q.png

Can anyone test or confirm?

Very true. POW is necessary for these coins to secure the network...and when minted coins are low (with little value), miners have an incentive to mine a different coin and sell it for their coin of choice. Few miners = low network hash = poorly protected public ledger. And, after all, we are investing in systems that maintain the public ledger in different ways.

I'm all in on cryptos, but the network strength of bitcoin is what gives it value right now over the cryptos.

[brokedummy]

Not really a big deal, if it is an issue just fork it to not accept any more POW blocks.

[Bit_Happy]

PoW/PoS hybrids are supposed to be immune to attack. (at least CGB is/claims to be)
CryptogenicBullion has a good explanation on their site.

[mgburks77]

attack one and see what happens

[gonzoucab]

POW has been proved

POW POS Hybrid have been proved, Sunny made a really nice software

POS only have never been proved,  have less programers dedicated to.

Thats the true.

[stormia]

This is a joke. Nice try to spread FUD about other coins, rat4, to try and promote your pure PoS blackcoin. How is it that Blackcoin prevents attack forks as a pure PoS coin, again?

You say "a sequential chain of PoW blocks can be mined in a flash."
Which is not true. Sure, you could mine all of the PoW blocks that occur sequentially, but there will be many, many more PoS blocks that interrupt those far and few apart PoW blocks. In a PoS/PoW hybrid there is no way to predict or control whether or not the next block will be PoS or PoW and therefore you cannot guarantee you will be in control of a long stream of blocks unless you have 51% of the PoW and PoS power.

Now, this brings up an issue with pure PoS coins such as your Blackcoin... That I have yet to be seen answered in any technical detail. How, when it is pure PoS and it IS known that every block in a row will be PoS, can you prevent an attack such as the one anonymousg64 brings up:

im still on the fence


can someone explain how this stops someone from generating lots of PoS blocks 20 days in the future from a bunch of TX's with small interval, whether through one or multiple wallets

Code:

ss << nStakeModifier;
ss << nTimeBlockFrom << nTxPrevOffset << txPrev.nTime << prevout.n << nTimeTx;
hashProofOfStake = Hash(ss.begin(), ss.end());
if(CBigNum(hashProofOfStake) > bnCoinDayWeight * bnTargetPerCoinDay)
    return false;

im not well enough versed with the code to know what these variable names imply

Without PoW blocks to interrupt such an attack, how is it prevented?

This thread of yours is in really bad taste, rat4, you should find better ways of promoting your coin.

I await your reply, and your explanation as to how PoS coins are safe from a TX/coinage attack.

[greentea]

pretty obvious that a hybrid POW/POS is more secure than a pure POS ...

to make an attack you have to control hash and coin age in a POW/POS hyrbid, while a pure POS coin like blackcoin
only need to control coin age ... thus inferior

so what happen here with blackcoin:
http://www.blackcoin.co/wallet-2/official-statement-regarding-blockchain-problems-23rd-of-march/

[Bit_Happy]

attack one and see what happens

I'll trust this for now
https://bitcointalk.org/index.php?topic=551861.msg6010168#msg6010168

[Soepkip]

Yes, this is purely a discussion for us. The connection to BlackCoin is purely rat4 being the dev of it.

The earlier blockchain stuck we had for BlackCoin has nothing to do with this and is not adding to the discussion so far. We are talking hybrid PoW/PoS coins and their security.

[stormia]

Yes, this is purely a discussion for us. The connection to BlackCoin is purely rat4 being the dev of it.

The earlier blockchain stuck we had for BlackCoin has nothing to do with this and is not adding to the discussion so far. We are talking hybrid PoW/PoS coins and their security.

Well, now we are also talking pure PoS coins and their security- which is much less tested and founded. I still await a technical response as to how pure PoS prevents the type of transaction/coinage attacks that anonymousg64 has outlined before.

[stormia]

1. Mint is not a person.
2. SHACoin is not a person.
3. rat4 is not actively promoting PoS or blackcoin

This thread is about a potential security issue with PoW/PoS hybrids. Maybe it's true, maybe not. I don't know the technicals.

Same for PoS. I dont know how secure it is. I dont know the technicals.

I have asked many times on the blackcoin thread, and so have others, as to how pure PoS is safe. No reply, other than directing me to Sunny's answers, which actually only pertain to PoS/PoW hybrids if I am not mistaken.

[gonzoucab]

The Blackcoin DEV dont wanna answer..

He throws the rock and hides the hand.

[morfans]

The Blackcoin DEV dont wanna answer..

He throws the rock and hides the hand.

maybe hes AFK?

[gonzoucab]

The Blackcoin DEV dont wanna answer..

He throws the rock and hides the hand.

maybe hes AFK?

He started the Thread minutes ago!!!!!!!

[Soepkip]

Or he is sleeping.

This is not an attack on either Mint or Shacoin, this is purely an observation on hybrid pow/pos systems. If you want to discuss PoS security i do invite you to join IRC ##blackcoin on freenode and seek out rat4 there when he is awake.

Also, i'm not the dev of blackcoin

[Jabulon]

Or he is sleeping.

This is not an attack on either Mint or Shacoin, this is purely an observation on hybrid pow/pos systems. If you want to discuss PoS security i do invite you to join IRC ##blackcoin on freenode and seek out rat4 there when he is awake.

Also, i'm not the dev of blackcoin

Yeah, as a professional he has more important business than engaging in this peeing contest. Make what you will of his analysis, do your own due diligence and try to come to rational conclusions based on what you learn rather than your emotional ties to this or that coin.

You guys are to be called out for the blatant and utter hypocrisy of Fudding the Blackcoin thread for days with inflammatory dirt, and then having hissy-fits when the Blackcoin dev weighs in with a technical statement, and you crying "fud, fud!"

Shame on you all for your childishness and abysmal conduct, which only hinders the progress of cryptocurrency. Examine your motivations more thoroughly.