Security analysis of PoW/PoS hybrids with low PoW reward

[Soepkip]

So basically the claim is that because of this vulnerability it is possible to complete a 51% attack.

Is that or is that not also a possibility with pure PoS coins?

I'm not seeing how the security status of blackcoin is any different than the security status of mintcoin, as both are supposedly vulnerable to this attack. Which from what i gather is quite expensive to launch successfully and therefore highly unlikely in the first place.

Okay, for your understanding:

1) All coins ever created are suspectable to 51% attacks.
2) Mintcoin is PoW/PoS hybrid
3) We have succesfully tested a hypothesis that prevents PoS blocks from being accepted. - This means that MintCoin was PoW-only for one full hour.
4) Due to the low rewards on the Mintcoin PoW chain the hashrate is low. This means that during that time that MintCoin is PoW-only it is very easy to perform a 51% attack.

[mgburks77]

So basically the claim is that because of this vulnerability it is possible to complete a 51% attack.

Is that or is that not also a possibility with pure PoS coins?

I'm not seeing how the security status of blackcoin is any different than the security status of mintcoin, as both are supposedly vulnerable to this attack. Which from what i gather is quite expensive to launch successfully and therefore highly unlikely in the first place.

In the event of a fork, whether the fork is accidental or a malicious attempt to rewrite history and reverse a transaction, the optimal strategy for any miner is to mine on every chain, so that the miner gets their reward no matter which fork wins. Thus, assuming a large number of economically interested miners, an attacker may be able to send a transaction in exchange for some digital good (usually another cryptocurrency), receive the good, then start a fork of the blockchain from one block behind the transaction and send the money to themselves instead, and even with 1% of the total stake the attacker's fork would win because everyone else is mining on both.

What if everyone else IS NOT mining both?

[tacotime]

tacotime can you please link some info about peercoin pos weaknesses?

ok
https://github.com/ethereum/wiki/wiki/Problems (See 5. Create an incentive-compatible proof-of-stake currency) and also here: http://blog.ethereum.org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm/

https://bitcointalk.org/index.php?topic=131940.0 (addressed by the creation of kernel.h and kernel.cpp which compute the stake modifier, which has its own problems)

Thanks a lot, this is very interesting. To problem #1: What exactly is meant with consensus failure and how does it affect network security? So if I have a faked time stamp that is t seconds in the future, how much less coins do I need to perform a 51% attack?

This is the means to generating hashes for PoS for PPC (paraphrased a little):

Code:

int64 nTimeWeight = min((int64)nTimeTx - txPrev.nTime, (int64)STAKE_MAX_AGE) - nStakeMinAge);
CBigNum bnCoinDayWeight = CBigNum(nValueIn) * nTimeWeight / COIN / (24 * 60 * 60);
if (!GetKernelStakeModifier(blockFrom.GetHash(), nStakeModifier, nStakeModifierHeight, nStakeModifierTime, fPrintProofOfStake))
    return false;
ss << nStakeModifier;
ss << nTimeBlockFrom << nTxPrevOffset << txPrev.nTime << prevout.n << nTimeTx;
hashProofOfStake = Hash(ss.begin(), ss.end());
if (CBigNum(hashProofOfStake) > bnCoinDayWeight * bnTargetPerCoinDay){
    return hashProofOfStake; } // Golden "nonce" found, we have a block!
else {return false;}

You can game this in a bunch of ways.  If you're building your own chain of blocks, you can manipulate the timestamp; BlackCoin uses 10 minute intervals, so there's another 600 chances right there (+ 10 min).  If you want to build lots of blocks, you need coinstake distributed in lots of places (nTimeBlockFrom << nTxPrevOffset << txPrev.nTime << prevout.n).

Now you can bruteforce a chain of length whatever privately so long as you have a bunch of coinstake at different addresses, and then doublespend using that.  Unless everyone is trying to do this, you don't need 51% stake to do this -- just the hoarding of a bunch of stake and some bruteforcing at an exacting time and you can doublespend.  This is why PoS in PPC and friends defaults to PoW; you're just manipulating a bunch of different factors in search of golden "nonces" (manipulations of non-nonce parameters) in a chain of blocks instead of simply increasing the nonce.

Using PoW blocks to make stake modifiers can also help prevent you from being able to game this a bit from the "if (!GetKernelStakeModifier(blockFrom.GetHash(), nStakeModifier, nStakeModifierHeight, nStakeModifierTime, fPrintProofOfStake)) return false;" portion, but I don't think it completely eliminates the risk.

Sunny King at some point mentioned changing confirmation rules from number of blocks that have passed to the amount of coinage that has been included in blocks since a transaction has taken place ("trust score").  But this still doesn't solve the "nothing at stake" forking problem, and you can still likely doublespend in that case with <51% stake.

[tacotime]

What if everyone else IS NOT mining both?

As soon as someone doublespends successfully on the network using the current PoS protocol, any node that is even modestly intelligent is going to switch to a more belligerent protocol that better defends the value of their coins.  Then you run into this problem.

[willowfoot]

so Tacotime,

for a newbie which coin Mintcoin/Blackcoin is more vulnerable to attack, with Blackcoin being Pure POS and Mintcoin being a POW/POS hybrid?

[mgburks77]

What if everyone else IS NOT mining both?

As soon as someone doublespends successfully on the network using the current PoS protocol, any node that is even modestly intelligent is going to switch to a more belligerent protocol that better defends the value of their coins.  Then you run into this problem.

OK, but can they doublespend if some miners are already only doing PoW only mining for a hybrid PoS coin?

[tacotime]

What if everyone else IS NOT mining both?

As soon as someone doublespends successfully on the network using the current PoS protocol, any node that is even modestly intelligent is going to switch to a more belligerent protocol that better defends the value of their coins.  Then you run into this problem.

OK, but can they doublespend if some miners are already only doing PoW mining for a hybrid PoS coin?

No, so long as the PoW difficulty is high enough to actually secure the network.  This requires subsidy (block reward) to be high enough to justify lots of people mining the chain.  Hence why PeerCoin works.

[tacotime]

so Tacotime,

for a newbie which coin Mintcoin/Blackcoin is more vulnerable to attack, with Blackcoin being Pure POS and Mintcoin being a POW/POS hybrid?

They both are vulnerable.  PeerCoin is what is (sort of) functional.

[markm]

The big problem is simply that none of the scamcoin devs care, because if one scam fails it is so easy to simply launch another.

So bullshitting and bluffing and yelling "FUD!" and so on ensues until someone actually does trash the value of the scam's coins enough to make pasting another announce of another launch seem more worthwhile than posting claims of FUD.

Sunny is simply the first of many such scam "devs", notice he never did even bother to try to justify in what way his fix was a fix, he just went like oh yeah ok its true my idea was utterly broken butv thats okay I fixed it now. With nothing explaining how exactly the supposedly fix actualyl fixed anything.

Also tore a leaf from the solidcoin book, putting in a centralised privileged node.

It is more centralised that solidcoin as it uses just one privileged node it seems at least realsolid had a token decentralisation in the form of having more than one privileged node. But nonetheless solidcoin was laughed out of town so to speak, but nowadays the pronzi-players want a constant stream of new scams to get in on the bottom of and promote, so don't care anymore that all the coins coming out are scams because they are themselves scammers looking for scams to promote to scam money out of people so all these scams are just fine for their purposes.

Except for all the facts, which they decry as "FUD", because they think that if the people they are promoting the scams to knew for a fact they were scams less suckers might fall for them. Knowing it is a scam causes people to fear being a victim of the scam, be uncertain whether they can profit from the scam fast enough instead of being one of the victims, and doubt whether they can suck in enough new victims to ensure their own profit. Hence, "FUD".

-MarkM-

[mgburks77]

Well, I guess there needs to be an actual attack to prove it.

Until then it's FUD

[Soepkip]

Well, I guess there needs to be an actual attack to prove it.

Until then it's FUD

There was an actual attack, the proof if it is in the blockchain. Watch from 203198 and up. Look at the timestamps. Look at the type of blocks.
We have no reason to break mintcoin's chain. We have merely proofed it takes about 5 minutes to turn mintcoin into PoW only for 1 hour+.

[markm]

See, they don't even care if it is attacked, in fact they urge an attack, insist jupon an attack as the only way they will even admit that they are running a scam.

They don't care if it gets attacked because they can clone hundreds more identical scams with different names and images and other similar minor details changed and claim oh this one is different, until someone actually pulls off an attack this one is not a scam...

Oops missed prior post.

I guess they also don't care if there is an attack because they will just claim that the attack does not matter, so what we are a scam uh I mean were demonstrably successfully attacked, we are making money, suckers are falling for the scam, so fooey on you you FUDster, suckers are gonna get suckered no matter what you do, so hahaha I win.

-MarkM-

[sargecap]

so Tacotime,

for a newbie which coin Mintcoin/Blackcoin is more vulnerable to attack, with Blackcoin being Pure POS and Mintcoin being a POW/POS hybrid?

An attack has been demonstrated against Mintcoin that disabled pos mining and only allowed pow mining, leaving it wide open to a 51% attack. The first stage of this was demonstrated. The second stage only wasn't executed out of manners (51% attacking a coin with 0.1 difficulty is easy).

No such attack has been demonstrated against Blackcoin. In fact the above attack by definition isn't possible since there isn't any pow mining.

[mgburks77]

See, they don't even care if it is attacked, in fact they urge an attack, insist jupon an attack as the only way they will even admit that they are running a scam.

They don't care if it gets attacked because they can clone hundreds more identical scams with different names and images and other similar minor details changed and claim oh this one is different, until someone actually pulls off an attack this one is not a scam...

-MarkM-

What the hell are you talking about?

You have to prove you can double spend or it's FUD and that's all there is to that.

[mgburks77]

Why should anyone take the claims of sock puppet accounts seriously?

You guys seem pretty knowledgeable about this stuff for a bunch of newbies lol

[thisisit]

i agree. well done.

+1

[sargecap]

Why should anyone take the claims of sock puppet accounts seriously?

You guys seem pretty knowledgeable about this stuff for a bunch of newbies lol

um the original post by the blackcoin developer lists the blocks which were successfully attacked. Those blocks were forced to proof of work only and proof of work only blocks have close to 0 difficulty. Only thing which protects from a 51% attack is high difficulty.

I would be shitting my pants if I held mintcoin right now hence why the price is crashing

[mgburks77]

I would be shitting my pants if I held mintcoin right now hence why the price is crashing

ha ha the price is exactly the same as it was when this thread was posted

I have some mintcoin and I say do the double spend attack, if you can. I want to see if I am going to put more money into this or not.

[stormia]

This is a joke. Nice try to spread FUD about other coins, rat4, to try and promote your pure PoS blackcoin. How is it that Blackcoin prevents attack forks as a pure PoS coin, again?

You say "a sequential chain of PoW blocks can be mined in a flash."
Which is not true. Sure, you could mine all of the PoW blocks that occur sequentially, but there will be many, many more PoS blocks that interrupt those far and few apart PoW blocks.
....

I think you should apologize now rat4, thank him and pay him BIG bounty for helping Mintcoin and others for founding bugs...
And even bigger bounty for solving issue...

PS:He just mined 1h in POW Mintcoin you want more evidence... ? Do you want double spend ?

I already said I regretted how I originally addressed rat4, it was rude, why not include that? Not to mention this is an entirely different problem, so everything I said up until now was concerning "attack 1". Thank you for finding the bug, rat4. But, as far as I can see he has not provided a fix for the issue. He has publicly displayed a security flaw thereby allowing anybody to now take advantage of it, and allowing the entire BC community to use this to defame Mint thread and others. So I still doubt his motives were in the right place, I won't be thanking him for that.

[maarx]

This is a joke. Nice try to spread FUD about other coins, rat4, to try and promote your pure PoS blackcoin. How is it that Blackcoin prevents attack forks as a pure PoS coin, again?

You say "a sequential chain of PoW blocks can be mined in a flash."
Which is not true. Sure, you could mine all of the PoW blocks that occur sequentially, but there will be many, many more PoS blocks that interrupt those far and few apart PoW blocks.
....

I think you should apologize now rat4, thank him and pay him BIG bounty for helping Mintcoin and others for founding bugs...
And even bigger bounty for solving issue...

PS:He just mined 1h in POW Mintcoin you want more evidence... ? Do you want double spend ?

I already said I regretted how I originally addressed rat4, it was rude, why not include that? Not to mention this is an entirely different problem, so everything I said up until now was concerning "attack 1". Thank you for finding the bug, rat4. But, as far as I can see he has not provided a fix for the issue. He has publicly displayed a security flaw thereby allowing anybody to now take advantage of it, and allowing the entire BC community to use this to defame Mint thread and others. So I still doubt his motives were in the right place, I won't be thanking him for that.

Maybe ask the MINT devs to fix this?