Bitcoin Forum
Author Topic: Security analysis of PoW/PoS hybrids with low PoW reward  (Read 13268 times)
Soepkip
Sr. Member
Activity: 476
Merit: 250
April 02, 2014, 02:13:03 PM
 #101

So basically the claim is that because of this vulnerability it is possible to complete a 51% attack.

Is that or is that not also a possibility with pure PoS coins?

I'm not seeing how the security status of blackcoin is any different than the security status of mintcoin, as both are supposedly vulnerable to this attack. Which from what i gather is quite expensive to launch successfully and therefore highly unlikely in the first place.

Okay, for your understanding:

1) All coins ever created are susceptible to 51% attacks.
2) Mintcoin is PoW/PoS hybrid
3) We have successfully tested a hypothesis that prevents PoS blocks from being accepted. - This means that MintCoin was PoW-only for one full hour.
4) Due to the low rewards on the Mintcoin PoW chain the hashrate is low. This means that during that time that MintCoin is PoW-only it is very easy to perform a 51% attack.

mgburks77
Sr. Member
Activity: 364
Merit: 250
April 02, 2014, 02:14:50 PM
 #102

So basically the claim is that because of this vulnerability it is possible to complete a 51% attack.

Is that or is that not also a possibility with pure PoS coins?

I'm not seeing how the security status of blackcoin is any different than the security status of mintcoin, as both are supposedly vulnerable to this attack. Which from what i gather is quite expensive to launch successfully and therefore highly unlikely in the first place.

Quote
In the event of a fork, whether the fork is accidental or a malicious attempt to rewrite history and reverse a transaction, the optimal strategy for any miner is to mine on every chain, so that the miner gets their reward no matter which fork wins. Thus, assuming a large number of economically interested miners, an attacker may be able to send a transaction in exchange for some digital good (usually another cryptocurrency), receive the good, then start a fork of the blockchain from one block behind the transaction and send the money to themselves instead, and even with 1% of the total stake the attacker's fork would win because everyone else is mining on both.

What if everyone else IS NOT mining both?
tacotime
Legendary
Activity: 1484
Merit: 1005
April 02, 2014, 02:24:45 PM
Last edit: April 02, 2014, 03:15:56 PM by tacotime
 #103

tacotime can you please link some info about peercoin pos weaknesses?

ok
https://github.com/ethereum/wiki/wiki/Problems (See 5. Create an incentive-compatible proof-of-stake currency) and also here: http://blog.ethereum.org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm/

https://bitcointalk.org/index.php?topic=131940.0 (addressed by the creation of kernel.h and kernel.cpp which compute the stake modifier, which has its own problems)

Thanks a lot, this is very interesting. To problem #1: What exactly is meant with consensus failure and how does it affect network security? So if I have a faked time stamp that is t seconds in the future, how much less coins do I need to perform a 51% attack?

This is the means to generating hashes for PoS for PPC (paraphrased a little):
Code:
// Coin-age weight of the staked output: age capped at STAKE_MAX_AGE, less nStakeMinAge
int64 nTimeWeight = min((int64)nTimeTx - txPrev.nTime, (int64)STAKE_MAX_AGE) - nStakeMinAge;
CBigNum bnCoinDayWeight = CBigNum(nValueIn) * nTimeWeight / COIN / (24 * 60 * 60);
if (!GetKernelStakeModifier(blockFrom.GetHash(), nStakeModifier, nStakeModifierHeight, nStakeModifierTime, fPrintProofOfStake))
    return false;
// Kernel hash input: stake modifier, fields of the staked output, and the candidate timestamp
CDataStream ss(SER_GETHASH, 0);
ss << nStakeModifier;
ss << nTimeBlockFrom << nTxPrevOffset << txPrev.nTime << prevout.n << nTimeTx;
hashProofOfStake = Hash(ss.begin(), ss.end());
// The kernel is valid only when the hash is at or below the weighted target
if (CBigNum(hashProofOfStake) > bnCoinDayWeight * bnTargetPerCoinDay)
    return false;
return true; // Golden "nonce" found, we have a block!

You can game this in a bunch of ways.  If you're building your own chain of blocks, you can manipulate the timestamp; BlackCoin uses 10 minute intervals, so there's another 600 chances right there (+ 10 min).  If you want to build lots of blocks, you need coinstake distributed in lots of places (nTimeBlockFrom << nTxPrevOffset << txPrev.nTime << prevout.n).

Now you can bruteforce a chain of length whatever privately so long as you have a bunch of coinstake at different addresses, and then doublespend using that.  Unless everyone is trying to do this, you don't need 51% stake to do this -- just the hoarding of a bunch of stake and some bruteforcing at an exacting time and you can doublespend.  This is why PoS in PPC and friends defaults to PoW; you're just manipulating a bunch of different factors in search of golden "nonces" (manipulations of non-nonce parameters) in a chain of blocks instead of simply increasing the nonce.

Using PoW blocks to make stake modifiers can also help prevent you from being able to game this a bit from the "if (!GetKernelStakeModifier(blockFrom.GetHash(), nStakeModifier, nStakeModifierHeight, nStakeModifierTime, fPrintProofOfStake)) return false;" portion, but I don't think it completely eliminates the risk.

Sunny King at some point mentioned changing confirmation rules from number of blocks that have passed to the amount of coinage that has been included in blocks since a transaction has taken place ("trust score").  But this still doesn't solve the "nothing at stake" forking problem, and you can still likely doublespend in that case with <51% stake.

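Added example, not part of tacotime's post or of any coin's code base: a toy Python model of the kernel check paraphrased in the post above, showing that each staked output gets one hash trial per allowed timestamp, so the number of valid kernels grows with the timestamp window that validators accept. The constants, the field packing, the sample outputs and the target are assumptions made for the model and are not byte-compatible with any real chain.

```python
import hashlib
import struct

# Assumed model constants (not taken from the thread).
COIN = 1_000_000
DAY = 24 * 60 * 60
STAKE_MIN_AGE = 30 * DAY
STAKE_MAX_AGE = 90 * DAY

def coin_day_weight(value, prev_time, n_time_tx):
    """bnCoinDayWeight from the post: value times capped age, in coin-days."""
    time_weight = min(n_time_tx - prev_time, STAKE_MAX_AGE) - STAKE_MIN_AGE
    return max(0, value * time_weight // COIN // DAY)

def kernel_hash(stake_modifier, out, n_time_tx):
    """Double SHA-256 over the fields the post streams into `ss`."""
    data = struct.pack(
        "<QIIIII", stake_modifier,
        out["block_time"],  # nTimeBlockFrom
        out["tx_offset"],   # nTxPrevOffset
        out["prev_time"],   # txPrev.nTime
        out["n"],           # prevout.n
        n_time_tx,          # nTimeTx: the only field that varies per trial
    )
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "little")

def is_valid_kernel(stake_modifier, out, n_time_tx, target_per_coin_day):
    """Accept when the hash is at or below weight * per-coin-day target."""
    weight = coin_day_weight(out["value"], out["prev_time"], n_time_tx)
    return kernel_hash(stake_modifier, out, n_time_tx) <= weight * target_per_coin_day

def count_valid_kernels(outputs, stake_modifier, t_start, window, target_per_coin_day):
    """Count (output, timestamp) pairs in [t_start, t_start + window) that pass."""
    return sum(
        is_valid_kernel(stake_modifier, out, t, target_per_coin_day)
        for out in outputs
        for t in range(t_start, t_start + window)
    )

# Constructed sample: four 1000-coin outputs, each 60 days old at T0.
T0 = 1_396_000_000
OUTPUTS = [
    {"value": 1000 * COIN, "block_time": T0 - 60 * DAY, "tx_offset": 81 + i,
     "prev_time": T0 - 60 * DAY, "n": i}
    for i in range(4)
]
# Constructed target: about 1 trial in 2000 passes for one such output.
TARGET = (1 << 256) // (30_000 * 2000)

if __name__ == "__main__":
    for window in (60, 600, 7200):  # candidate drift limits, in seconds
        hits = count_valid_kernels(OUTPUTS, 0x1234, T0, window, TARGET)
        print(f"window={window:5d}s trials={len(OUTPUTS) * window:6d} valid={hits}")
```

The count can only stay the same or rise as the window widens, which is why the timestamp drift a validator tolerates bounds how many kernels a given set of outputs can produce.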
tacotime
Legendary
Activity: 1484
Merit: 1005
April 02, 2014, 02:29:10 PM
 #104

What if everyone else IS NOT mining both?

As soon as someone doublespends successfully on the network using the current PoS protocol, any node that is even modestly intelligent is going to switch to a more belligerent protocol that better defends the value of their coins.  Then you run into this problem.

willowfoot
Sr. Member
Activity: 332
Merit: 252
April 02, 2014, 02:33:55 PM
 #105

so Tacotime,

for a newbie which coin Mintcoin/Blackcoin is more vulnerable to attack, with Blackcoin being Pure POS and Mintcoin being a POW/POS hybrid?

mgburks77
Sr. Member
Activity: 364
Merit: 250
April 02, 2014, 02:35:57 PM
 #106

What if everyone else IS NOT mining both?

As soon as someone doublespends successfully on the network using the current PoS protocol, any node that is even modestly intelligent is going to switch to a more belligerent protocol that better defends the value of their coins.  Then you run into this problem.

OK, but can they doublespend if some miners are already only doing PoW only mining for a hybrid PoS coin?
tacotime
Legendary
Activity: 1484
Merit: 1005
April 02, 2014, 02:38:04 PM
 #107

What if everyone else IS NOT mining both?

As soon as someone doublespends successfully on the network using the current PoS protocol, any node that is even modestly intelligent is going to switch to a more belligerent protocol that better defends the value of their coins.  Then you run into this problem.

OK, but can they doublespend if some miners are already only doing PoW mining for a hybrid PoS coin?

No, so long as the PoW difficulty is high enough to actually secure the network.  This requires subsidy (block reward) to be high enough to justify lots of people mining the chain.  Hence why PeerCoin works.

tacotime
Legendary
Activity: 1484
Merit: 1005
April 02, 2014, 02:38:17 PM
 #108

so Tacotime,

for a newbie which coin Mintcoin/Blackcoin is more vulnerable to attack, with Blackcoin being Pure POS and Mintcoin being a POW/POS hybrid?

They both are vulnerable.  PeerCoin is what is (sort of) functional.

markm
Legendary
Activity: 3010
Merit: 1121
April 02, 2014, 02:39:10 PM
 #109

The big problem is simply that none of the scamcoin devs care, because if one scam fails it is so easy to simply launch another.

So bullshitting and bluffing and yelling "FUD!" and so on ensues until someone actually does trash the value of the scam's coins enough to make pasting another announce of another launch seem more worthwhile than posting claims of FUD.

Sunny is simply the first of many such scam "devs", notice he never did even bother to try to justify in what way his fix was a fix, he just went like oh yeah ok it's true my idea was utterly broken but that's okay I fixed it now. With nothing explaining how exactly the supposed fix actually fixed anything.

Also tore a leaf from the solidcoin book, putting in a centralised privileged node.

It is more centralised than solidcoin as it uses just one privileged node it seems at least realsolid had a token decentralisation in the form of having more than one privileged node. But nonetheless solidcoin was laughed out of town so to speak, but nowadays the pronzi-players want a constant stream of new scams to get in on the bottom of and promote, so don't care anymore that all the coins coming out are scams because they are themselves scammers looking for scams to promote to scam money out of people so all these scams are just fine for their purposes.

Except for all the facts, which they decry as "FUD", because they think that if the people they are promoting the scams to knew for a fact they were scams less suckers might fall for them. Knowing it is a scam causes people to fear being a victim of the scam, be uncertain whether they can profit from the scam fast enough instead of being one of the victims, and doubt whether they can suck in enough new victims to ensure their own profit. Hence, "FUD".

-MarkM-

mgburks77
Sr. Member
Activity: 364
Merit: 250
April 02, 2014, 02:41:32 PM
 #110

Well, I guess there needs to be an actual attack to prove it.

Until then it's FUD
Soepkip
Sr. Member
Activity: 476
Merit: 250
April 02, 2014, 02:49:27 PM
 #111

Well, I guess there needs to be an actual attack to prove it.

Until then it's FUD

There was an actual attack, the proof of it is in the blockchain. Watch from 203198 and up. Look at the timestamps. Look at the type of blocks.
We have no reason to break mintcoin's chain. We have merely proved it takes about 5 minutes to turn mintcoin into PoW only for 1 hour+.


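Added example, not part of the thread or of any project's code: the post above points to block types and timestamps as the evidence, and this Python example shows one way a node operator could flag such a stretch, by reporting every period in which no PoS block appeared for longer than a threshold. The Block record, the function names, the 30-minute threshold and the sample chain are constructed for illustration; header timestamps are miner-supplied, so a real monitor would also log local receive times.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    height: int
    kind: str   # "pow" or "pos"
    time: int   # header timestamp in seconds (miner-supplied)


def pos_outages(blocks, max_gap):
    """Return (first_pow_height, last_pow_height, seconds, n_pow_blocks) for each
    stretch where more than max_gap seconds passed without a PoS block."""
    outages, run, anchor = [], [], None
    for b in sorted(blocks, key=lambda b: b.height):
        if anchor is None:
            anchor = b.time          # start measuring at the first block seen
        if b.kind == "pow":
            run.append(b)
            continue
        # A PoS block closes the current stretch of PoW-only blocks.
        if run and b.time - anchor > max_gap:
            outages.append((run[0].height, run[-1].height, b.time - anchor, len(run)))
        run, anchor = [], b.time
    # The chain tip may still be inside an outage.
    if run and run[-1].time - anchor > max_gap:
        outages.append((run[0].height, run[-1].height, run[-1].time - anchor, len(run)))
    return outages


def sample_chain():
    """Constructed data, not real chain history: normal mixed blocks, then 60
    PoW-only blocks spaced 65 s apart, then PoS resumes."""
    t0 = 1_396_000_000
    blocks = [Block(100, "pos", t0), Block(101, "pos", t0 + 30),
              Block(102, "pow", t0 + 60), Block(103, "pos", t0 + 90)]
    blocks += [Block(103 + i, "pow", t0 + 90 + 65 * i) for i in range(1, 61)]
    blocks.append(Block(164, "pos", t0 + 90 + 65 * 61))
    return blocks


if __name__ == "__main__":
    for first, last, secs, n in pos_outages(sample_chain(), max_gap=30 * 60):
        print(f"no PoS block for {secs} s: {n} PoW blocks, heights {first}-{last}")
```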
markm
Legendary
Activity: 3010
Merit: 1121
April 02, 2014, 02:49:42 PM
 #112

See, they don't even care if it is attacked, in fact they urge an attack, insist upon an attack as the only way they will even admit that they are running a scam.

They don't care if it gets attacked because they can clone hundreds more identical scams with different names and images and other similar minor details changed and claim oh this one is different, until someone actually pulls off an attack this one is not a scam...

Oops missed prior post.

I guess they also don't care if there is an attack because they will just claim that the attack does not matter, so what we are a scam uh I mean were demonstrably successfully attacked, we are making money, suckers are falling for the scam, so fooey on you you FUDster, suckers are gonna get suckered no matter what you do, so hahaha I win.

-MarkM-

sargecap
Newbie
Activity: 14
Merit: 0
April 02, 2014, 02:51:37 PM
 #113

so Tacotime,

for a newbie which coin Mintcoin/Blackcoin is more vulnerable to attack, with Blackcoin being Pure POS and Mintcoin being a POW/POS hybrid?

An attack has been demonstrated against Mintcoin that disabled pos mining and only allowed pow mining, leaving it wide open to a 51% attack. The first stage of this was demonstrated. The second stage only wasn't executed out of manners (51% attacking a coin with 0.1 difficulty is easy).

No such attack has been demonstrated against Blackcoin. In fact the above attack by definition isn't possible since there isn't any pow mining.
mgburks77
Sr. Member
Activity: 364
Merit: 250
April 02, 2014, 02:52:16 PM
 #114

See, they don't even care if it is attacked, in fact they urge an attack, insist upon an attack as the only way they will even admit that they are running a scam.

They don't care if it gets attacked because they can clone hundreds more identical scams with different names and images and other similar minor details changed and claim oh this one is different, until someone actually pulls off an attack this one is not a scam...

-MarkM-


What the hell are you talking about?

You have to prove you can double spend or it's FUD and that's all there is to that.
mgburks77
Sr. Member
Activity: 364
Merit: 250
April 02, 2014, 02:54:40 PM
 #115

Why should anyone take the claims of sock puppet accounts seriously?

You guys seem pretty knowledgeable about this stuff for a bunch of newbies lol
thisisit
Full Member
Activity: 224
Merit: 100
April 02, 2014, 03:00:34 PM
 #116

i agree. well done.

+1

any coin that makes me a profit.
sargecap
Newbie
Activity: 14
Merit: 0
April 02, 2014, 03:02:20 PM
 #117

Why should anyone take the claims of sock puppet accounts seriously?

You guys seem pretty knowledgeable about this stuff for a bunch of newbies lol

um the original post by the blackcoin developer lists the blocks which were successfully attacked. Those blocks were forced to proof of work only and proof of work only blocks have close to 0 difficulty. Only thing which protects from a 51% attack is high difficulty.

I would be shitting my pants if I held mintcoin right now hence why the price is crashing
mgburks77
Sr. Member
Activity: 364
Merit: 250
April 02, 2014, 03:04:47 PM
 #118


Quote
I would be shitting my pants if I held mintcoin right now hence why the price is crashing

ha ha the price is exactly the same as it was when this thread was posted

I have some mintcoin and I say do the double spend attack, if you can. I want to see if I am going to put more money into this or not.
stormia
Hero Member
Activity: 868
Merit: 1000
April 02, 2014, 03:23:56 PM
 #119

This is a joke. Nice try to spread FUD about other coins, rat4, to try and promote your pure PoS blackcoin. How is it that Blackcoin prevents attack forks as a pure PoS coin, again?

You say "a sequential chain of PoW blocks can be mined in a flash."
Which is not true. Sure, you could mine all of the PoW blocks that occur sequentially, but there will be many, many more PoS blocks that interrupt those far and few apart PoW blocks.
....

I think you should apologize now rat4, thank him and pay him BIG bounty for helping Mintcoin and others for finding bugs...
And even bigger bounty for solving issue...

PS:He just mined 1h in POW Mintcoin you want more evidence... ? Do you want double spend ?



I already said I regretted how I originally addressed rat4, it was rude, why not include that? Not to mention this is an entirely different problem, so everything I said up until now was concerning "attack 1". Thank you for finding the bug, rat4. But, as far as I can see he has not provided a fix for the issue. He has publicly displayed a security flaw thereby allowing anybody to now take advantage of it, and allowing the entire BC community to use this to defame Mint thread and others. So I still doubt his motives were in the right place, I won't be thanking him for that.
maarx
Hero Member
Activity: 882
Merit: 517
April 02, 2014, 03:33:43 PM
 #120

This is a joke. Nice try to spread FUD about other coins, rat4, to try and promote your pure PoS blackcoin. How is it that Blackcoin prevents attack forks as a pure PoS coin, again?

You say "a sequential chain of PoW blocks can be mined in a flash."
Which is not true. Sure, you could mine all of the PoW blocks that occur sequentially, but there will be many, many more PoS blocks that interrupt those far and few apart PoW blocks.
....

I think you should apologize now rat4, thank him and pay him BIG bounty for helping Mintcoin and others for finding bugs...
And even bigger bounty for solving issue...

PS:He just mined 1h in POW Mintcoin you want more evidence... ? Do you want double spend ?



I already said I regretted how I originally addressed rat4, it was rude, why not include that? Not to mention this is an entirely different problem, so everything I said up until now was concerning "attack 1". Thank you for finding the bug, rat4. But, as far as I can see he has not provided a fix for the issue. He has publicly displayed a security flaw thereby allowing anybody to now take advantage of it, and allowing the entire BC community to use this to defame Mint thread and others. So I still doubt his motives were in the right place, I won't be thanking him for that.

Maybe ask the MINT devs to fix this? :)