Re: Proof of stake instead of proof of work

[jonald_fyookball]

I think they are saying you could 'roll back' on your own node to a point where you did have coin age, and try to attack from that point.

But it's not clear how you would get very far because there would be a longer chain soon and your coin age would be used up fast.

[DeathAndTaxes]

I think they are saying you could 'roll back' on your own node to a point where you did have coin age, and try to attack from that point.

But it's not clear how you would get very far because there would be a longer chain soon and your coin age would be used up fast.

That is like saying you can't 51% attack a PoW network because the main chain is growing.   Yeah if you have less computing power than the "good guys" you can't but what if you have more?  With more than half of the network computing power you will eventually build the longest chain.  With a PoS you will eventually build the longest chain if you have more than half of the network stake.

So on a hypothetical coin say in block 4,000 I (or a cartel of attackers) had more than half of the network stake.  We sell these coins (exchange, p2p trades, spending, etc) and as of block 4,0001 the cartel has no coins however in block 4,000 we did.   So despite the fact that the main chain is growing and may be ahead starting from block 4,000 and with over half of the network stake it is a mathematical inevitability that the attack chain will be longer.  We double spend the sales in block 4,001 and eventually we will have a longer chain at which point it is published to the network, the network reorgs and we performed an attack with 0 cost and 0 risk.

[DeathAndTaxes]

on another point, NXT appears to be 100% POS and has not been forked or hacked by anyone to date. Further it Appears that the network swiftly punishes miner that try to undertake dubious activity, like producing dogey blocks.

All PoS coins (including NXT) prevent this "history attack" by centralized checkpoints.  The developer has absolute control over the network.   If centralized checkpoints were removed it would be beyond trivial to attack the network with no risk and no cost.   So PoS "works" as long as you want a centrally controlled and secured "decentralized" currency.

[jonald_fyookball]

I think they are saying you could 'roll back' on your own node to a point where you did have coin age, and try to attack from that point.

But it's not clear how you would get very far because there would be a longer chain soon and your coin age would be used up fast.

That is like saying you can't 51% attack a PoW network because the main chain is growing.   Yeah if you have less computing power than the "good guys" you can't but what if you have more?  With more than half of the network computing power you will eventually build the longest chain.  With a PoS you will eventually build the longest chain if you have more than half of the network stake.

True. In both cases a majority ownership either in stake or hashing power would make an attack possible. 
But how does that make PoS inferior ?

[DeathAndTaxes]

I think they are saying you could 'roll back' on your own node to a point where you did have coin age, and try to attack from that point.

But it's not clear how you would get very far because there would be a longer chain soon and your coin age would be used up fast.

That is like saying you can't 51% attack a PoW network because the main chain is growing.   Yeah if you have less computing power than the "good guys" you can't but what if you have more?  With more than half of the network computing power you will eventually build the longest chain.  With a PoS you will eventually build the longest chain if you have more than half of the network stake.

True. In both cases a majority ownership either in stake or hashing power would make an attack possible.  
But how does that make PoS inferior ?

The attack has no cost or risk.  

Very simplified example:
The network stake is 2M xCoins.
I acquired 1.1M xCoins as of block 1,000.
I sell you 1.1 M xCoins for $$$$$$$ and the transfer is recorded in block 1,001.
I now no longer have any xCoins (effective block 1,001+), I have no cost as I received $$$$$$ in return for the 1.1M xCoins.
I start building an attack chain as of block 1,000 double spending my transfer.

Eventually even if the main chain has a head start, my attack chain will be longer.  This is no different than a 51% attack on a PoW based network however my attack has no cost and no risk.   I already sold the coins.  I am merely using my history of prior ownership to attack the network.

Compare that to PoW.  I build a hashing farm with 51% of network capacity.  If I attack with it then the attack has cost and risk.  The farm wasn't free, I may not succeed in which case I would lose all the legit blocks I could build.   If I sell the hashing farm I can't engage in an attack based on the history that at one point in the past I had more hashing power than the rest of the network.

Both are vulnerable to a 51% attack however PoS allows the attacker to exploit the history (your security mechanism is recorded in the very thing you are attempting to secure) to attack without cost or risk.

[jonald_fyookball]

Doesn't it depend how far ahead the network is and how many transactions are going on?

Let's say that in your example, 100,000 coins trade hands daily.
That means in 11 days, there would be more coin days than you have.
You only have 1.1 million coin days assuming you had your coins for a day.

[DeathAndTaxes]

Doesn't it depend how far ahead the network is and how many transactions are going on?

Transactions destroy not create coins days so not getting your point on that.  

I guess you may be indicating that while in theory with >50% of the hashpower (or stake) the attack chain will become the longest chain, that there are some practical limits on the attacker based on the attackers share and the block deficit.  That is correct.   Still this is no different than PoW.  While we call it is a 51% attack, the attacker probably isn't going to attack with 50% + 1 hash of the total hashrate.  If starting behind say 10,000 blocks with a 50% + 1 hash while in theory one would eventually catch up (given an infinite amount of time), the attackers margin of a mere 1 hash per second combined with effect of variance and the large block deficit means it could be a very long time (potentially centuries) before the attacker passes.  Related to that, the attacker can never be sure the network hashrate (or network stake) won't increase.  In the dubious 50% + 1 hash example, if the hashrate of the network rose by a mere 2 h/s (hashes per second) the attacker would never catch up.   So while we say "51%" attack, in the real world no attacker is going to perform an attack with such a small margin, if you got that kind of resources, planning, and capabilities you are going to smash the network with an attack that gives you a comfortable margin (say a 70% attack).

Coming full circle in this respect PoS and PoW are no different.  The major difference is I can't attack the Bitcoin network based on the history that at one point since the genesis block I had (past tense) >50% of the network hashrate.

[jonald_fyookball]

oops, yeah that was a bit of convoluted thinking as far as the example,
but you get my drift.

Point is, PoS attack would have limitations and you would only
have a window of time to manipulate the ledger.  If you had
initially held your coins for a long time, you could try to
do a double spend, but you could only do it once because
after that you would have much less coin days.  Any scenario
that you tried to rewrite history by sending your coins to other
addresses would leave you with low number of coin days.

Another difference between the Pos and PoW is that
if you wanted an ongoing monopoly, it gets more potentially more
expensive with PoS, because you would have to keep buying those
coins back, whereas with PoW, once you own the mining gear,
you can just keep using it to stay on top.

[DeathAndTaxes]

Well the PoW attack has the same "window" and limitations.   It isn't a difference they are exactly the same.  In either system with a large enough stake or enough computing power you could build a longer chain all the way back to the genesis block.  Since you don't know how much stake a cartel of potentially unlimited number of people have ever had since the genesis block, no amount of blocks can be deemed safe (just like with PoW).

Remember the whole point of waiting for a certain number of confirmations is that assuming the attacker doesn't have more than half the network resource (computing power or stake) is that the probability that transaction can be reorged rapidly approaches zero.  However if the attacker has more than half there is number of blocks that are safe.   There are practical limits if the attacker is just barely ahead but we don't know for sure that is the case.  The attacker may have a massive advantage in resources (computing power or stake).   So 6 blocks, 100 blocks, 10,000 blocks there is no point where you put the probability of a reversal below say 0.1%.   To do that you would need to know the upper bound of the attackers resources which is unknown.

Also the attacker doesn't need to buy more/new stake.  I think you are forgetting that both for the attacker and the legit miners coin days are both accruing and being destroyed.  There is no difference, they are in equilibrium.  If the attacker has more than half the network stake then the attacker's attack can continue forever.  Just like an attacker with more than half the computing power can continue an attack forever and eventually the attackers chain will be longer.  Once again this is no different than PoW.

The one massive difference, is that in a PoS system you have the ability to attack without cost or risk.

[jonald_fyookball]

As for needing to buy more coins you seem to forget that age of the age of the attacker's stake is continually being replenished (just like anyone's stake).  If the attacker has more than half the network stake then the attacker's attack can continue forever.  Just like an attacker with more than half the computing power can continue an attack forever.  Once again there is no difference there.
 

I think that really depends on how the PoS is implemented.  (How are the coin "days" being timestamped/calculated?)  If you initially spent your coins on Jan 1,
and then on Jan 5th tried to rewrite history, you wouldn't be able to do it forever if other coins are getting older as the month goes on, and the network
is aware of this.

[DeathAndTaxes]

As for needing to buy more coins you seem to forget that age of the age of the attacker's stake is continually being replenished (just like anyone's stake).  If the attacker has more than half the network stake then the attacker's attack can continue forever.  Just like an attacker with more than half the computing power can continue an attack forever.  Once again there is no difference there.
 

I think that really depends on how the PoS is implemented.  (How are the coin "days" being timestamped/calculated?)  If you initially spent your coins on Jan 1,
and then on Jan 5th tried to rewrite history, you wouldn't be able to do it forever if other coins are getting older as the month goes on, and the network
is aware of this.

I think you may not understand how PoS works.   It isn't oldest coin wins.   

For the attacker.  Coin age of stake is reduced when blocks are created.  Coin age increases with time.
For the "good guys".  Coin age of stake is reduced when blocks are created.  Coin age increases with time.

It isn't like coin age only declines or coin age isn't reduced for the good guys when the mint new blocks.  If the attacker has more than half of the network stake then he WILL outrun the legit miners.  I mean saying "it really depends" is like saying PoW is immune to a 51% attack it just really depends on how you do it.

PoS Axiom: If the attacker has more than half of the network stake he will eventually create the longest chain.
PoW Axiom: If the attacker has more than half of the network hashrate he will eventually create the longest chain.

We can make it generic for a  Proof of X system.
PoX Axiom: If the attacker has more than half of the critical resource he will eventually create the longest chain.

[jonald_fyookball]

Yeah but the problem with this model is that
the critical resource gets used up when you
move the coins.

In PoS, you lose your stake (you lose coin days),
when you do a double spend, versus in PoW,
you do not lose your critical resource.

Example:

Dec 21: You buy 1.1M coins.
Jan 1: You have 11M coin days.
(assume the network also has 10M coin days)

You sell your coins.  Now you have 0 coins, 0 coin days.

Jan 5th: assuming nothing else moved to simplifiy the example,
the network now has 15M coin days,
you try to rollback your node's activity
to Jan 1st, and send the coins to yourself.
(double spend)... On your version of
the chain, on Jan5th, you now only have
5.5M coin days, but the network has still 15M.

(BTW, I'm not proclaiming there is any magic bullet here
for either system)


 

[DeathAndTaxes]

What?  The attack chain would be started prior to when the coins were sold.  The attacker starts from Jan 1 when it has 11M coin days (more than 50% of the total network stake) it wouldn't pick a date/block which reduces its stake.It is like saying in PoW the attacker sells coins in a tx in block 1000 now if the attacker builds an alternate chain from block 1,001+ then the tx can't be double spent.  Well of course it can't but the attacker is going to decide where to build the attack chain from.  How about block 999.

I don't think I can explain it further and responses like the last thee make me think you are still thinking the mechanics of a reorg to double spend in PoS is somehow different than the mechanics to reorg a double spend in PoW by some undefined reasons.  They are identical.  I am going to take a break.  I think at this point further responses aren't going to be effective.

[jonald_fyookball]

What?  The attack chain would be started prior to when the coins were sold.  The attacker starts from Jan 1 when it has 11M coin days (more than 50% of the total network stake).  The attacker is rewriting history.  In the attackers chain the transaction selling the coins never exists.   It is double spending that event in its history.  Otherwise what would be the point, to make a parallel but otherwise exactly identical chain?  It is like saying in PoW the attacker sells coins in a tx in block 1000 now if the attacker builds an alternate chain from block 1,001+ then the tx can't be double spent.  Well of course it can't but the attacker is going to decide where to build the attack chain from.  How about block 999.

I don't think I can explain it further and responses like the last thee make me think you are still thinking a reorg to double spend in PoS is somehow different than a reorg to double spend in PoW by some undefined reasons.  They are identical.  I am going to take a break.  I think at this point further responses aren't going to be effective.

I will have to think about this more, and I apologize for the confusion.

However, please note:  I wasn't saying you can't double spend.
I'm saying you can't do multiple double spends because of
the coin days.  Yes you would do the attack back on Jan 1
before you spend the coins intially, but after that, you are
out of coin days.

Tell you what:  Give me an example scenario where you
can double spend a large number of coins MORE THAN ONCE,
and I'll be satisfied.

[DeathAndTaxes]

Tell you what:  Give me an example scenario where you
can double spend a large number of coins MORE THAN ONCE,
and I'll be satisfied.

Um that isn't the standard.   The attacker has just double spent the network and defrauded buyers of the coins.   Saying "well he can't do more" is really moving the goal posts wouldn't you say.

Still it would seem you missed the obvious.  The scenario started with the attacker having 11M coins.   The scenario ends with the attacker having 11M coins (plus the value stolen from the value of the double spend).  There is no reason the attacker can't repeat the cycle all over again as many times as he wishes (as long as he has half the network stake).  Each time it will cost him nothing and he will have nothing at risk.

[jonald_fyookball]

Yes I missed that.  Obvious now, Ty. 

I do remember reading something where a coin could defend against even a 90% attack although I don't recall what it was.

[DeathAndTaxes]

Yes I missed that.   Obvious now, Ty.  

It gets worse the more you think about it.  An attacker could acquire coins (if he didn't already have them) by buying private keys which have no coins today but which had significant balances at one point in the past.   Imagine you at one time had 100,000 peercoins but no longer have any.  The private keys are worthless to you but to an attacker which intends to rewrite the chain back from that point they may have some value.  So he gives you 100 PPC equivalent for the private keys which "had" 100,000 PPC.  In this case the attacker isn't attacking for free but he is doing so at very low cost.  He doesn't even need to have already owned or buy up a significant stake and then try to sell them off before the attack he can just attack for millibits on the coin.

[hashman]

Yes I missed that.   Obvious now, Ty.  

It gets worse the more you think about it.  An attacker could acquire coins (if he didn't already have them) by buying private keys which have no coins today but which had significant balances at one point in the past.   Imagine you at one time had 100,000 peercoins but no longer have any.  The private keys are worthless to you but to an attacker which intends to rewrite the chain back from that point they may have some value.  So he gives you 100 PPC equivalent for the private keys which "had" 100,000 PPC.  In this case the attacker isn't attacking for free but he is doing so at very low cost.  He doesn't even need to have already owned or buy up a significant stake and then try to sell them off before the attack he can just attack for millibits on the coin.

   !

Wow, thanks DaT..  for getting me all paranoid.  I guess this is avoided in PoW by difficulty weighting.  In other words, if I say here take a look at my big chain 400,000 blocks also starting from the same satoshi genesis that I produced in 1 hour falsifying timestamps, this is longer than the current chain use me!   a node would say:  yeah great, but the difficulty was 0.001 the whole time that is not really a longer chain than our current BTC chain.  At least, I sure hope that's in the code.     

Unfortunately stake difficulty doesn't represent real work so it can always be faked in a reorg going back to some substantial early stake as you point out to us.

[Dusty]

Wow, thanks DaT..  for getting me all paranoid.  I guess this is avoided in PoW by difficulty weighting.  In other words, if I say here take a look at my big chain 400,000 blocks also starting from the same satoshi genesis that I produced in 1 hour falsifying timestamps, this is longer than the current chain use me!   a node would say:  yeah great, but the difficulty was 0.001 the whole time that is not really a longer chain than our current BTC chain.  At least, I sure hope that's in the code.

Yes: the best chain is selected not for its length but for the amount of work it carries with it.

[oakpacific]

The cost(work) it takes to produce a PoS chain, is the cost it takes to duplicate("fake") one, that's probably all there needs to be said about it.