Bitcoin Forum
Author Topic: A(nother) downside to Proof-of-Stake?  (Read 3381 times)
thorjag (OP) - Newbie, Activity: 15, Merit: 0
October 30, 2014, 09:48:33 AM  #1

Please correct me if I'm wrong, but doesn't PoS require the miners to keep their private keys online on the machine doing block validation? Isn't this a major security flaw, since if a vulnerability in the software is found that allows an attacker to extract the private key, he can clean out pretty much all miners' wallets, making it a breeze to gain >50% stake?

TierNolan - Legendary, Activity: 1232, Merit: 1083
October 30, 2014, 01:17:29 PM  #2

Quote
Please correct me if I'm wrong, but doesn't PoS require the miners to keep their private keys online on the machine doing block validation?

A workaround would be for each output to have 2 keys, a spending key and a POS key.

This would allow users to upload their POS key(s) to a mining pool without that pool being able to spend their money.

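An added example (not code from this thread or from any coin discussed in it) of the two-authority output TierNolan describes. Ed25519 stands in for the signature scheme, and the messages are domain-separated so that the ledger rule, not key custody, decides what a pool holding only the stake key can do:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Output carries two authorities (a constructed model of the idea, not any
// coin's real format): the spend key moves funds, the stake key only forges.
type Output struct {
	SpendPub ed25519.PublicKey
	StakePub ed25519.PublicKey
	Amount   uint64
}

// Domain-separated messages: a forging signature can never double as a spend
// authorisation, even if a verifier were to check it against the wrong key.
func spendMsg(txid string) []byte   { return []byte("spend:" + txid) }
func forgeMsg(height uint64) []byte { return []byte(fmt.Sprintf("forge:%d", height)) }

// ValidSpend is the ledger rule for moving the output: only the spend key counts.
func ValidSpend(o Output, txid string, sig []byte) bool {
	return ed25519.Verify(o.SpendPub, spendMsg(txid), sig)
}

// ValidForge is the consensus rule for staking the output's weight on a block.
func ValidForge(o Output, height uint64, sig []byte) bool {
	return ed25519.Verify(o.StakePub, forgeMsg(height), sig)
}

// DelegatedPool hands only the stake key to a pool and reports whether the
// pool's forging signature verifies and whether its attempted spend does.
func DelegatedPool() (forgeOK, spendOK bool) {
	spendPub, _, _ := ed25519.GenerateKey(rand.Reader)         // stays offline
	stakePub, stakePriv, _ := ed25519.GenerateKey(rand.Reader) // given to the pool
	out := Output{SpendPub: spendPub, StakePub: stakePub, Amount: 100}

	forgeOK = ValidForge(out, 1234, ed25519.Sign(stakePriv, forgeMsg(1234)))

	// A compromised pool tries to spend with the only key it holds.
	txid := "constructed-txid"
	spendOK = ValidSpend(out, txid, ed25519.Sign(stakePriv, spendMsg(txid)))
	return forgeOK, spendOK
}

func main() {
	f, s := DelegatedPool()
	fmt.Printf("pool can forge: %v, pool can spend: %v\n", f, s) // true, false
}
```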
thorjag (OP) - Newbie, Activity: 15, Merit: 0
October 30, 2014, 01:25:50 PM  #3

Is this implemented in any current PoS systems?
achimsmile - Legendary, Activity: 1225, Merit: 1000
October 30, 2014, 01:42:46 PM  #4

Are you talking about a specific PoS implementation?

Only speaking about Nxt:
Don't confuse private and public keys. Private keys are only needed for things like opening an account, sending Nxt, signing messages etc. They are not stored on the machine, nor are they ever transmitted online, if you run Nxt on your local machine.

https://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt#The_Forging_Algorithm
gmaxwell - Moderator, Legendary, expert, Activity: 4172, Merit: 8417
October 30, 2014, 09:46:31 PM  #5

Quote
A workaround would be for each output to have 2 keys, a spending key and a POS key.
This would allow users to upload their POS key(s) to a mining pool without that pool being able to spend their money.

Yup. But doing that also eliminates some of the incentive alignment arguments in the first place: e.g. that you'll take care of your keys, and not delegate (or do so only cautiously), not leak them, etc., because your funds depend on them.

Sort of moot because the whole approach seems fundamentally unsound (or at least none of its advocates have stated a clear set of reasonable assumptions under which their system is secure (and where a centralized ledger wouldn't be)). https://download.wpsoftware.net/bitcoin/pos.pdf
inBitweTrust - Hero Member, Activity: 658, Merit: 501
October 31, 2014, 01:46:27 AM  #6

Quote
Sort of moot because the whole approach seems fundamentally unsound (or at least none of its advocates have stated a clear set of reasonable assumptions under which their system is secure (and where a centralized ledger wouldn't be)). https://download.wpsoftware.net/bitcoin/pos.pdf

I am curious to hear others' opinions on Vitalik's PoS proposals that attempt to address these security weaknesses:

https://blog.ethereum.org/2014/10/03/slasher-ghost-developments-proof-stake/


andytoshi - Full Member, Activity: 179, Merit: 151
October 31, 2014, 01:52:50 AM  #7

Quote
I am curious to hear others' opinions on Vitalik's PoS proposals that attempt to address these severe security weaknesses:

https://blog.ethereum.org/2014/10/03/slasher-ghost-developments-proof-stake/

These proposals do not address the fundamental concerns in the document that gmaxwell posted. They do add a fair bit of complexity, making them hard to analyze (and making a concrete attack too intricate to describe). IIRC Vitalik has backed away from these proposals because they do not provide the security benefits he originally thought they did.

It's worth noting that by writing a well-defined security model and working toward it, it is possible to create a "working" PoS which is only broken when the assumptions of the security model are violated. If one were to do this, it would then be easy to point out how the security model is not applicable to the real world. But Vitalik's posts --- and no PoS writeups that I'm aware of --- actually do this.
inBitweTrust - Hero Member, Activity: 658, Merit: 501
October 31, 2014, 02:12:20 AM  #8

Quote
IIRC Vitalik has backed away from these proposals because they do not provide the security benefits he originally thought they did.

Thanks for the information. The post I linked is from this month so what you are discussing must be fairly recent. Do you know where I can look to find him backing away from PoS so I can review those arguments?

As far as I'm aware he is favorable to Slasher ghost but doesn't want to trust untested algos on Ethereum and is opting to roll in PoS later on (how will be interesting).

andytoshi - Full Member, Activity: 179, Merit: 151
October 31, 2014, 02:29:43 AM  #9

Oh, my bad, I thought you had linked to an earlier one.

The one you posted was his backing-away post: (a) he makes comments like "actually implementing a proof of stake algorithm that is effective is proving to be surprisingly complex" (this was not surprising, by the way --- the pos.pdf document that gmaxwell linked had been published before any of Vitalik's posts); (b) he says "we will relax our assumptions somewhat: we will say that we are only concerned with maintaining consensus between a static set of nodes that are online at least once every N days". This latter point is him changing the security model to be dramatically different from Bitcoin's, since it no longer aims to provide a decentralized publicly verifiable view of history. I think it's possible to get distributed consensus, for this definition of distributed consensus.

Given this, I can't make a meaningful comparison between Bitcoin's distributed consensus and the PoS stuff that Vitalik is talking about. They solve different problems. (Though IMHO Bitcoin's problem is a real one, while Vitalik's is a contrived one designed to make PoS work.)
work2heat - Newbie, Activity: 21, Merit: 0
November 01, 2014, 01:35:42 AM  #10

As andytoshi points out, all of these analyses are complicated by the specific model assumptions and therefore the different systems are not necessarily directly comparable. However, it would be interesting to work towards a formal proof under a standard bitcoin model that shows PoW is the only way to achieve secure consensus.

I'm still not completely convinced this is true, though. So long as the protocol is entirely self-contained, perhaps, but supposing we can rely on "reflecting" the consensus off reality (through social networks and other media), I think we can actually solve this in the real world.

The main issue with PoS is so-called nothing at stake. Slasher can mitigate this effectively for its temporal range (Vitalik likes 3000 blocks), but is subject to long-range attacks. Long-range attacks can be mitigated by check-pointing, so the problem becomes one of secure check-pointing (say every 3000 blocks). One approach would be a proof-of-work based checkpointing mechanism in an otherwise fully proof-of-stake system. The PoS people probably won't like that, and it could be very dangerous (I literally just thought of it). The other approach is stake based check-pointing on chains of progressively higher security (where security is effectively measured by the size of the security deposits that must be put up to be eligible for signing/checkpointing). So the question can be reduced further to one of secure-checkpointing on the most secure chain (we are assuming here an interweb of chains, where lower security chains checkpoint on higher security chains). The highest security chain then checkpoints against the real world, by literally broadcasting hashes on facebook and twitter and so on.

It's a little ridiculous, but it has an interesting appeal in that it brings the consensus full circle by embedding it back in reality. Of course it already is semi-embedded in reality due to the nature of software development (clients are not developed according to a protocol, they are made by humans who do their best, but are not infallible).

Either way, it will be interesting to see this field play out!

As to your original question, hardware devices that do not export keys but simply allow inputs to be signed and spit those out can mostly mitigate your concern. Stay tuned!
achimsmile - Legendary, Activity: 1225, Merit: 1000
November 01, 2014, 07:58:28 AM  #11

Quote
The main issue with PoS is so-called nothing at stake.

I still don't see how a nothing at stake attack could succeed. Buying a majority of the PoS coin supply isn't exactly nothing, and finding private keys of the initial stakeholders does not help if you have checkpoints.

Nxt uses a reorg window of 720 blocks. Blocks older than that won't be accepted by any client. This means that checkpoints are set up in a decentralized manner (each client sets its own reorg limit). You need to effectively buy 51%.

I would like to see a nothing at stake attack succeed; so far I only saw 51% attacks on low hashrate PoW coins. Also I don't see how decentralized consensus should not be possible in PoS? I see it working in the real world while the "consensus is not possible" statement is theoretical.
inBitweTrust - Hero Member, Activity: 658, Merit: 501
November 01, 2014, 12:36:11 PM  #12

Quote
I still don't see how a nothing at stake attack could succeed. Buying a majority of the PoS coin supply isn't exactly nothing, and finding private keys of the initial stakeholders does not help if you have checkpoints.

Nxt uses a reorg window of 720 blocks. Blocks older than that won't be accepted by any client. This means that checkpoints are set up in a decentralized manner (each client sets its own reorg limit). You need to effectively buy 51%.

I would like to see a nothing at stake attack succeed; so far I only saw 51% attacks on low hashrate PoW coins. Also I don't see how decentralized consensus should not be possible in PoS? I see it working in the real world while the "consensus is not possible" statement is theoretical.

Setting checkpoints merely constrains the attack window, which is trivial if an attack can happen near-instantly with compromised stakeholders. PoS advocates seem to be fixated upon the need for external threats attacking their ecosystem by purchasing stake, which is ignoring other attack vectors altogether. The lack of historical examples of NaS attacks does not negate the risk of such an event occurring and really highlights the lack of seriousness some people have about security.

coretechs - Donator, Sr. Member, Activity: 362, Merit: 250
November 01, 2014, 01:10:46 PM  #13

Quote
Please correct me if I'm wrong, but doesn't PoS require the miners to keep their private keys online on the machine doing block validation?

NXT allows you to lease the balance of your account to another account for forging. This way you can lease your balance to an empty proxy account that can remain unlocked/online without any risk. If the account is compromised, you simply issue a new lease transaction for a new account, or move the coins out of the leasing account. A lease only becomes effective after 1440 blocks to prevent a number of exploits that would otherwise be possible.

http://wiki.nxtcrypto.org/wiki/Nxt_API#Lease_Balance

achimsmile - Legendary, Activity: 1225, Merit: 1000
November 01, 2014, 01:16:53 PM  #14

Quote
Setting checkpoints merely constrains the attack window which is trivial if an attack can happen near-instantly with compromised stakeholders.

Attack may be trivial, but compromising the private keys of a majority of stakeholders looks a tad bit harder.
inBitweTrust - Hero Member, Activity: 658, Merit: 501
November 01, 2014, 01:21:41 PM  #15

Quote
Attack may be trivial, but compromising the private keys of a majority of stakeholders looks a tad bit harder.

Would you consider the risk of compromising only 7-12 stakeholders who likely know each other and work together (thus compromising one would likely lead to compromising multiple) a secure arrangement for a currency?

P.S. What is funny about all this is Nxt was already attacked in a fundamental way even before being released and thus has little hope of widespread adoption. Speaking about the security and viability of PoS variants is one thing, but IMHO Nxt was doomed from the start. Bitshares seems to have taken a dangerous recent precedent as well with the "merger" which is effectively switching the currency from a deflationary one to an inflationary one.

achimsmile - Legendary, Activity: 1225, Merit: 1000
November 01, 2014, 01:46:32 PM  #16

Quote
Would you consider the risk of compromising only 7-12 stakeholders who likely know each other and work together (thus compromising one would likely lead to compromising multiple) a secure arrangement for a currency?

P.S. What is funny about all this is Nxt was already attacked in a fundamental way even before being released and thus has little hope of widespread adoption.


You used the word "likely" two times too much. Vague assumptions are not enough to base an attack on.
Many (anon) stakeholders have their PoS private keys in cold storage. Good luck in finding them.
inBitweTrust - Hero Member, Activity: 658, Merit: 501
November 01, 2014, 01:54:24 PM  #17

Quote
You used the word "likely" two times too much. Vague assumptions are not enough to base an attack on.
Many (anon) stakeholders have their PoS private keys in cold storage. Good luck in finding them.


The "crypto-currency" community is small enough of a network let alone the Nxt stakeholder community...sheesh. We are not talking about 6 degrees of separation here but 1-2 degrees to connect most individuals.

15 stakeholders hold over 75% of Nxt:

http://charts.nxt.org/cDistribution.aspx

Are you suggesting that these stakeholders are likely not some of the same creators and early investors who know each other?

The reason I use qualifiers is because I am honest about the possibilities and realities of security and there exists a very small probability that those 15 largest stakeholders are complete strangers. I'd be inclined to suggest that over half of the 15 are friends and collaborators. What do you think?

andytoshi - Full Member, Activity: 179, Merit: 151
November 01, 2014, 04:05:56 PM  #18

Quote
I still don't see how a nothing at stake attack could succeed.
Maybe if you read my PoS paper where I actually give a specific attack?

Quote
Buying a majority of the PoS coin supply isn't exactly nothing,
It isn't exactly anything, either. "majority of PoS coin" is not well-defined in the absence of consensus.

Quote
and finding private keys of the initial stakeholders does not help if you have checkpoints.
...yes, obviously you can create a non-distributed consensus. Humans have been doing this since before we had language.

Quote
Nxt uses a reorg window of 720 blocks. Blocks older than that won't be accepted by any client. This means that checkpoints are set up in a decentralized manner (each client sets its own reorg limit). You need to effectively buy 51%.
Is this actually what they do? Reorg windows simply make forks permanent. There is literally no attack they are capable of mitigating -- either you have no deep forks and they are pointless, or you do and they result in permanent partitioning of the network. (This idea has come up hundreds, if not thousands of times, and is orthogonal to the consensus mechanism.)

Quote
I would like to see a nothing at stake attack succeed,
Stake-grinding is an example of a NaS attack. See peercoin or the original NXT for examples.

Quote
so far I only saw 51% attacks on low hashrate PoW coins. Also I don't see how decentralized consensus should not be possible in PoS?

Maybe if you read my PoS paper?

Quote
I see it working in real world while the "consensus is not possible" statement is theoretical.

I see this claim, along with its variant ""consensus is not possible" statement is bullshit", a lot. But this paper has been out for over six months, has been read by thousands of people, has changed the discourse around PoS to the point where I was accused of strawmanning after its last appearance on Reddit since "nobody is actually proposing distributed consensus by PoS", and yet there have been exactly zero counterarguments. I'm getting tired of these sorts of proudly uninformed comments.
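An added simulation (constructed here; not code from this thread or from Nxt) of andytoshi's point about reorg windows: two nodes with a 720-block window that were split for longer than the window never converge after reconnecting, whatever the chain-selection rule prefers, while a shallower split or an unlimited window does converge. Chain length stands in for the weight rule, and the block ids are made up.

```go
package main

import "fmt"

// Node holds a chain (list of block ids) and a reorg window in blocks
// (0 = unlimited). Length stands in for the weight rule; the window check
// below is independent of which rule is used.
type Node struct {
	Chain    []string
	MaxReorg int
}

// commonPrefix returns the height at which two chains diverge.
func commonPrefix(a, b []string) int {
	i := 0
	for i < len(a) && i < len(b) && a[i] == b[i] {
		i++
	}
	return i
}

// Offer presents a competing chain; it is adopted only if it is longer AND
// switching unwinds no more than MaxReorg of this node's own blocks.
func (n *Node) Offer(c []string) bool {
	if len(c) <= len(n.Chain) {
		return false
	}
	if depth := len(n.Chain) - commonPrefix(n.Chain, c); n.MaxReorg > 0 && depth > n.MaxReorg {
		return false
	}
	n.Chain = append([]string(nil), c...)
	return true
}

func extend(base []string, tag string, n int) []string {
	c := append([]string(nil), base...)
	for i := 0; i < n; i++ {
		c = append(c, fmt.Sprintf("%s%d", tag, i))
	}
	return c
}

// SimulateSplit partitions two nodes sharing a constructed history for depth
// blocks (B ends one ahead), reconnects them, and reports whether they agree.
func SimulateSplit(window, depth int) bool {
	base := extend(nil, "g", 100)
	a := &Node{Chain: extend(base, "a", depth), MaxReorg: window}
	b := &Node{Chain: extend(base, "b", depth+1), MaxReorg: window}
	a.Offer(b.Chain) // longer, but adopted only if the split is inside A's window
	b.Offer(a.Chain) // shorter: always rejected
	return len(a.Chain) == len(b.Chain) && commonPrefix(a.Chain, b.Chain) == len(a.Chain)
}

func main() {
	fmt.Println(SimulateSplit(720, 800), SimulateSplit(720, 100), SimulateSplit(0, 800)) // false true true
}
```

With the 720-block window and an 800-block split, node A refuses B's longer chain and B refuses A's shorter one, so the partition is permanent even though a rule without the window would have resolved it.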

work2heat - Newbie, Activity: 21, Merit: 0
November 01, 2014, 06:37:43 PM  #19

andytoshi, what do you think about saving PoS by bouncing checkpoints/blockhashes off reality?

You want to know the top of the chain that everyone is using? Check facebook and twitter. Seeing something different in your client? Someone's trolling you ...

andytoshi - Full Member, Activity: 179, Merit: 151
November 01, 2014, 07:05:10 PM  #20

Quote
andytoshi, what do you think about saving PoS by bouncing checkpoints/blockhashes off reality?

Then you are introducing trust assumptions and new attack vectors. There are no universally trusted parties to provide checkpoints.

Quote
You want to know the top of the chain that everyone is using? Check facebook and twitter. Seeing something different in your client? Someone's trolling you ...

And if somebody has hacked Facebook or Twitter? Or put pressure on them from some USG agency? Or has compromised your access to them? Or maybe you just don't trust them because they routinely censor data and besides treat their users as data crops?