rpietila Altcoin Observer

[jwinterm]

Long term forging has been constant for a long time at around 41%

http://nxtexplorer.com/nxt/nxt.cgi?action=160


Bter was the biggest exchange for nxt up until very recently. At the height of the hack, they held only ~5% (check the crypto press at the time.) Most nxters keep their nxt 'online' as it gives them access to asset exchange, digital goods store, encrypted messaging etc.Nxt is moving toward non centralised exchanges like multigateway.org and instantdex.

There was never a risk of 51% for the hack due to the high percentage forging (remember you will never get 100% as coins need to be in an account for 1440 blocks after being spent) and there is no depository, even at any centralised exchanges, that has enough to do any damage to the network. I guess an attacker could buy them..  

Veri I don't know anything about except it isn't the same POS as Nxt.

If I understand the numbers in your link correctly, there's currently around 6.3B NXT (total amounts) and about 416M currently staking (current average peer forging). That amounts to less than 10%, about 6.6%, about the amount stolen from Bter. Please let me know if I'm reading the stats wrong, but I don't see how you get 40%.

You just read the bolded 'curr[ent] ave[rage] peer forging' in the top left corner > 415,700,146 = ~41% of 1billion (total nxt that will ever be)

It is a live number so will vary with time to reflect those forging. Not sure where you got 6.3B tho

Just clicked on stats in the same link and it says 6.3B for "total amounts". Anyway, I see 1B is total amount now, but I still think it's not a bad example of the potential issue, not as good an example as Vericoin, but not out of the realm of possibility.

[Daedelus]

Where do you see the 210, 000, 000 NXT needed for this coming from? If you see that is a potential issue, you must also worry constantly that the top 4 mining pools will collude?

[jwinterm]

Where do you see the 210, 000, 000 NXT needed for this coming from? If you see that is a potential issue, you must also worry constantly that the top 4 mining pools will collude?

I can't find any charts showing network staking weight or amount of coins staking versus time, but I'd guess that when there is a price spike the amount of coins staking decreases, as people move their coins to exchanges. So, I don't think it's out of the question that a single exchange hack could lead to 51% of staking coins being available to the hacker. This seems to be basically what happened with Vericoin.

I don't think the top four mining pools colluding is as much of an issue as this, especially for ASIC mined coins such as bitcoin and litecoin. At least several of the top ten pools own significant amounts/all of the hardware mining on their pool: KnC, ghash, antpool (?), and possibly others. If any of these pools conspire to attack the network, they are basically conspiring to destroy the value of the hardware that they have invested so much money in, since presumably bitcoin would suffer a huge price drop and may or may not recover.

In the case of someone stealing a bunch of PoS coins and double-spending, their goal is presumably to sell out for bitcoin asap, so there's certainly no similar risk to a hacker who steals a boatload of coins. I think it is probably more likely that a top exchange or several top exchanges could collude to perform a 51% attack on a PoS coin than top mining pools colluding. Bter seems to be the poster child for shady exchanges, but there certainly doesn't seem to be a shortage of them. They are (possibly) risking their reputation, but not risking the value of physical assets (ASIC miners). I put 'possibly' in parentheses since they could pretend that they were hacked and then the "hacker" could perform the 51% attack. Bter seemed to do quite OK for a while after the NXT hack, just the more recent BTC hack that seems to have caused people to abandon them.

I'm not saying that any of these scenarios are very likely, but just that I think the 51% on a well established PoS coin (NXT) is more likely than a 51% attack on a well established PoW coin (BTC or LTC).

[Daedelus]

I'm not saying that any of these scenarios are very likely, but just that I think the 51% on a well established PoS coin (NXT) is more likely than a 51% attack on a well established PoW coin (BTC or LTC).

Ok, fair enough. I disagree but also believe both are very unlikely. But it doesn't really seem worthwhile to continue.

[dewdeded]

PoS is inherently flawed from a network security perspective, lets say a big hack happen in an exchange and large amount of POS coins are now in the hands of a single person, the hacker not only will control large part of the coins but subsequently of the network.

As I said right after the one sentence you quoted, the PoS algorithms we've seen so far are inherently flawed.  That's one of the flaws.  It can be fixed, but not in any of the ways people have done so far.

How?

[herzmeister]

PoS is inherently flawed from a network security perspective, lets say a big hack happen in an exchange and large amount of POS coins are now in the hands of a single person, the hacker not only will control large part of the coins but subsequently of the network.

As I said right after the one sentence you quoted, the PoS algorithms we've seen so far are inherently flawed.  That's one of the flaws.  It can be fixed, but not in any of the ways people have done so far.

How?

It seems it's the Byzantine's Generals' problem you guys are trying to solve here. I'm wondering if anyone in computer science has found a solution to that one yet. *cough*

[cAPSLOCK]

PoS is inherently flawed from a network security perspective, lets say a big hack happen in an exchange and large amount of POS coins are now in the hands of a single person, the hacker not only will control large part of the coins but subsequently of the network.

As I said right after the one sentence you quoted, the PoS algorithms we've seen so far are inherently flawed.  That's one of the flaws.  It can be fixed, but not in any of the ways people have done so far.

How?

It seems it's the Byzantine's Generals' problem you guys are trying to solve here. I'm wondering if anyone in computer science has found a solution to that one yet. *cough*

Lol.  That pretty much sums it up.

[Cryddit]

Resources committed exclusively to a _single_branch_ of the block chain in any fork are the key to any block chain security (including proof-of-stake) that doesn't immediately fail. 

The 0@S problem is basically exploiting the lack of that property in the PoS systems so far implemented. 

The only thing I can come up with that is limited in the way that committing it to a single branch would be meaningful, is transactions.  And that's why I advocate transactions-as-proof-of-stake.  A transaction would have to be committed to some particular block of the recent block chain, and would not be valid in any branch not including that block.  In resolving conflicts between branches of a fork, you'd look at the relative fractions of the money supply used in transactions committed to each branch.  That is, unspent txOuts that existed before the fork, spent in transactions committed to blocks after the fork.   The result is that in a normally circulating economy, where txOuts are spent in combinations,  will rapidly have stake representing close to the whole money supply.  Whereas the guy who had 51% of the money supply at some point six years ago, can never make on his own a block chain in which more than 51% of the money supply has been spent since the fork. 

It's not without its problems;  While secure against the Nothing-at-Stake problem in the long run, it's very sensitive to big spends in the short run.  Second, transactions committed to a losing branch of the fork, disappear instead of getting added into the winning branch.  That combination opens up all kinds of games an attacker can play trying to get people to accept his spends and then make a big spend in a branch forked before the block the tx are committed to, 'unspending' his txOuts.  Not too much unlike the double-spend attempts in a PoW system, but much more reliable if the attacker controls any significant fraction of the money supply. 

In order to "smooth out" the unevenness of spending volume at least somewhat, you'd need long block times, to gather a bigger sample of transactions (smaller standard deviation in spending volume) into each block.   And you need it to be pretty hard or pretty unlikely to be able to form a valid block whenever you want to, in order to limit short-term opportunities to make forks to play attack games with.  Finally, ou'd need to have it very widely distributed among a group of people actively using it to make transactions instead of just holding.  Getting to that point could take years and years.

Distribution, in particular, is key.  Having a small group of initial holders and no way for anyone else to get any other than by buying it from them, would not set up a scenario in which any kind of PoS, including TaPoS, would be likely to be successful.  So, if you're doing an initial Proof-of-Work mining phase, it should last for years, not days.  And you shouldn't make initial distribution via sale or IPO; if you do that you're not going to get anybody other than speculators who will NOT be using it for daily transactions, and who therefore won't be contributing to the security of the leading chain. 

TL:DR; Proof-of-Stake can work if you do it in a way that isn't a blatant scam.

[Daedelus]

@cryddit, I didn't see any comments on the Consensus Research findings I posted relating to Nothing at Stake. Did I miss them?

[Cryddit]

Nobody who looks into this problem seriously can possibly be unaware of Nothing-At-Stake.  If they pretended not to know about it, then they were not actually looking into the problem.  Instead, you may conclude, as I did, that they are doing "research" about as valid as that of climate change deniers and creation-science shills.

In other words, that was "motivated" research, with the agenda of convincing people of something untrue.  Ask yourself whose motives it aligns with, and you will find the man behind the curtain.

[Daedelus]

So you haven't read it? All of it is about Nothing at Stake, where did you get the impression they are unaware of it?

Anyone can reproduce their findings with the models they published, if they were motivated to. I didn't think anyone took N@S seriously anymore, at least no one has put forward anything approaching a rebuttal to what they have done.

[jcrubino]

Resources committed exclusively to a _single_branch_ of the block chain in any fork are the key to any block chain security (including proof-of-stake) that doesn't immediately fail. 

The only thing I can come up with that is limited in the way that committing it to a single branch would be meaningful, is transactions.  And that's why I advocate transactions-as-proof-of-stake. 

Does Reddcoins Proof of Stake Proof  / Proof of Velocity fit transactions-as-proof-of-stake?
FWIW, Factom is plannig to use the same or similar PO* model.

[opennux]

Nobody who looks into this problem seriously can possibly be unaware of Nothing-At-Stake.  If they pretended not to know about it, then they were not actually looking into the problem.  Instead, you may conclude, as I did, that they are doing "research" about as valid as that of climate change deniers and creation-science shills.

In other words, that was "motivated" research, with the agenda of convincing people of something untrue.  Ask yourself whose motives it aligns with, and you will find the man behind the curtain.

Be careful of putting yourself or others in one camp.

[dewdeded]

It seems it's the Byzantine's Generals' problem you guys are trying to solve here. I'm wondering if anyone in computer science has found a solution to that one yet. *cough*

Are you suggesting there are A) solution proposals for the "Byzantine's Generals' problem" in CS in general or B) there are (solution) proposals for a better, secured (not flawed) PoS available in the scientific world?

If you meant A), there is a an obvious misunderstanding, because obvious I (as many people do) know about them.

[Daedelus]

So you haven't read it? All of it is about Nothing at Stake, where did you get the impression they are unaware of it?

Anyone can reproduce their findings with the models they published, if they were motivated to. I didn't think anyone took N@S seriously anymore, at least no one has put forward anything approaching a rebuttal to what they have done.

Also, hot off the press and related, Vitalik's latest paper includes a few pages about Nxt's algo and he seems to believe that Nxt is 'cryptoeconomically secure'

https://bitcointalk.org/index.php?topic=1015354.0

More "motivated" "research" perhaps? Probably not worth reading..

[Este Nuno]

Nobody who looks into this problem seriously can possibly be unaware of Nothing-At-Stake.  If they pretended not to know about it, then they were not actually looking into the problem.  Instead, you may conclude, as I did, that they are doing "research" about as valid as that of climate change deniers and creation-science shills.

In other words, that was "motivated" research, with the agenda of convincing people of something untrue.  Ask yourself whose motives it aligns with, and you will find the man behind the curtain.

It's funny that you say this, because in my experience I get the impression that the "motivated" research is done by all the detractors with a financial interest in Bitcoin and/or PoW.

All else being equal, a robust PoS system would be vastly superior to PoW. And looking at it objectively as a Bitcoin user you would think that people would be actively pursuing even the slightest possibility of establishing PoS in Bitcoin. The 'stakes' are massive, the amount of waste both literally in terms of energy and economic waste is huge. But in general Bitcoiners are derisive and dismissive of even entertaining the idea that PoS should be considered or researched.

Even if it doesn't work out the potential benefits are huge. PoS is the most important invention in cryptocurrency since Bitcoin itself. There's no single idea with a higher expected economic value to cryptocurrency than PoS.

[achimsmile]

Nobody who looks into this problem seriously can possibly be unaware of Nothing-At-Stake.  If they pretended not to know about it, then they were not actually looking into the problem.  Instead, you may conclude, as I did, that they are doing "research" about as valid as that of climate change deniers and creation-science shills.

In other words, that was "motivated" research, with the agenda of convincing people of something untrue.  Ask yourself whose motives it aligns with, and you will find the man behind the curtain.

Do you agree that, for Nxt (don't know others):

1. N@S attack is possible (let's say to generate all blocks with only 1% of stake)
2. criticism of n@s attack is "agenda of convincing people of something untrue"
3. There is financial or ideological incentive to do N@S
4. Successful n@s attack has never been observed in reality

This looks paradox, no?
Possible explanations for 4.:

- Nobody ever tried (improbable, because 3.)
- Some guys tried, but weren't successful

If the latter, then either n@s is too tricky and no hacker in the world has been able to do it up to now, or it's impossible.

[rpietila]

Nobody who looks into this problem seriously can possibly be unaware of Nothing-At-Stake.  If they pretended not to know about it, then they were not actually looking into the problem.  Instead, you may conclude, as I did, that they are doing "research" about as valid as that of climate change deniers and creation-science shills.

In other words, that was "motivated" research, with the agenda of convincing people of something untrue.  Ask yourself whose motives it aligns with, and you will find the man behind the curtain.

Do you agree that, for Nxt (don't know others):

1. N@S attack is possible (let's say to generate all blocks with only 1% of stake)
2. criticism of n@s attack is "agenda of convincing people of something untrue"
3. There is financial or ideological incentive to do N@S
4. Successful n@s attack has never been observed in reality

This looks paradox, no?
Possible explanations for 4.:

- Nobody ever tried (improbable, because 3.)
- Some guys tried, but weren't successful

If the latter, then either n@s is too tricky and no hacker in the world has been able to do it up to now, or it's impossible.

In my understanding, n@s is a capability you don't lose. So it's better to wait until there is something to gain.

[achimsmile]

In my understanding, n@s is a capability you don't lose. So it's better to wait until there is something to gain.

So you attack point 3. and say that currently, an attacker would not gain anything?

edit: Note that market cap for Nxt has been 100M in the past

[Este Nuno]

In my understanding, n@s is a capability you don't lose. So it's better to wait until there is something to gain.

So you attack point 3. and say that currently, an attacker would not gain anything?

edit: Note that market cap for Nxt has been 100M in the past

One argument that I'm not particularly fond of, but is often used by supporters of PoS is the "if an attack is possible, why hasn't anyone done it yet?". I think that's a pretty weak deflection and it reminds be of recent Darkcoin supporters defending their anonymity implementation with the same logic, i.e. "why hasn't anyone deanonymized a Darksend transaction yet?".

Kushti's recent research seems to indicate that long range N@S attacks aren't an issue on NXT at least. I really would like to see more people from #bitcoin-wizards and others who are capable of academic level criticism take the time to give some proper responses and critiques. Since it seems like it should be a pretty big deal that the perceived major flaw of PoS isn't really much of an issue in reality. The lack of responses might indicate something positive, but I'd still rather see some more people take some shots at it even if it turns out to be flawed in some aspects. It's the only way the technology can progress.