A(nother) downside to Proof-of-Stake?

[tacotime]

Is this implemented in any current PoS systems?

Yes, I implemented it in MC2, although currently that is in testing and not available publicly. The paper for that needs to be entirely rewritten too, so I guess there will be a lot more information when it's actually FOSSd.

My security assumption is: "PoW provides the primary security of the system even with PoS enabled. If PoS breaks the system, we hardfork back to PoW."

[1715018014]

1715018014

[1715018014]

1715018014

[1715018014]

1715018014

[1715018014]

1715018014

[work2heat]

Then you are introducing trust assumptions and new attack vectors. There are no universally trusted parties to provide checkpoints.

Yes, I'm introducing trust of large scale society itself, but not a particular institution. We already trust society implicitly with basically everything we do.

And if somebody has hacked Facebook or Twitter? Or put pressure on them from some USG agency? Or has compromised your access to them? Or maybe you just don't trust them because they routinely censor data and besides treat their users as data crops?

Exactly. It's not just facebook and twitter. It's them, and hacker news, and slashdot, and the various subreddits, and this forum, and wikipedia, and the google homepage, and the local grocery store's bulletin board, and the lcd display above the central square, and everyone who cares to participate's website or other medium. You'd have to break all of them - reduce the world to the Truman Show. Good luck!

Granted, it may increase the potential for consensus failure, if the USG posts a different hash than Russia, or w/e. But at least it will be much clearer which agencies are vying for which consensus outcomes.

The idea has obviously not been fully fleshed out. But I think these kinds of things are worth thinking about to the extent that internet based consensus systems can be reflected off the real world.  There's more to this than simply accelerating the heat death of the universe

[kokojie]

I am curious to hear other's opinions on Vitalik's PoS proposals that attempt to address these severe security weaknesses:

https://blog.ethereum.org/2014/10/03/slasher-ghost-developments-proof-stake/

These proposals do not address the fundamental concerns in the document that gmaxwell posted. They do add a fair bit of complexity, making them hard to analyze (and making a concrete attack too intricate to describe). IIRC Vitalik has backed away from these proposals because they do not provide the security benefits he originally thought they did.

It's worth noting that by writing a well-defined security model and working toward it, it is possible to create a "working" PoS which is only broken when the assumptions of the security model are violated. If one were to do this, it would then be easy to point out how the security model is not applicable to the real world. But Vitalik's posts --- and no PoS writeups that I'm aware of --- actually do this.

No PoS system that I'm aware of, has actually been attacked, all the theories remain theories, the real world has said "no I can't attack a PoS system".

Many PoW systems have been attacked, the real world has provided many successful attacks, lots of PoW systems have basically been attacked to death.

How can anyone still claim PoW security is superior to PoS?

PoS may not be a perfectly secure system, but it's clearly superior in a security sense and also economical sense.

PoS scales beautifully, while PoW struggles to waste more hardware and electricity, and transfers more value out of a crypto eco-system.

[inBitweTrust]

No PoS system that I'm aware of, has actually been attacked, all the theories remain theories, the real world has said "no I can't attack a PoS system".

Many PoW systems have been attacked, the real world has provided many successful attacks, lots of PoW systems have basically been attacked to death.

How can anyone still claim PoW security is superior to PoS?

PoS may not be a perfectly secure system, but it's clearly superior in a security sense and also economical sense.

PoS scales beautifully, while PoW struggles to waste more hardware and electricity, and transfers more value out of a crypto eco-system.

You have some flawed reasoning with regards to security.

1) Just because no case of a 51% attack has been successful with Bitcoin doesn't mean that Bitcoin is secure from such an attack in the future. The same reasoning can be applied to any PoS with NaS. When it comes to security, analyzing all possible attack vectors is of utmost importance.

2) To only focus on NaS attacks PoS/DPoS critics are not accurately reflecting all the possible attack vectors in which these currencies are vulnerable to.

I.E...  Some would consider Bitshares to be recently attacked with a "51% democratic attack by delegates" which decided to change BTSX from a deflationary currency to an inflationary currency and upsetting a minority group of investors who were sold on the idea of a deflationary currency.

[achimsmile]

I still don't see how a nothing at stake attack could succeed.

Maybe if you read my PoS paper where I actually give a specific attack?

Buying majority of PoS coin supply isn't exactly nothing,

It isn't exactly anything, either. "majority of PoS coin" is not well-defined in the absence of consensus.

and finding private keys of the initial stakeholders does not help if you have checkpoints.

...yes, obviously you can create a non-distributed consensus. Humans have been doing this since before we had language.

Nxt uses a reorg window of 720 blocks. blocks older than that won't be accepted by any client. This means that checkpoints are set up in decentralized manner (each client sets its own reorg limit). You need to effectively buy 51%.

Is this actually what they do? Reorg windows simply make forks permanent. There is literally no attack they are capable of mitigating -- either you have no deep forks and they are pointless, or you do and they result in permanent partitioning of the network. (This idea has come up hundreds, if not thousands of times, and is orthogonal to the consensus mechanism.)

I would like to see a nothing at stake attack succeed,

Stake-grinding is an example of a NaS attack. See peercoin or the original NXT for examples.

so far I only saw 51% attacks on low hashrate PoW coins. Also I don't see how decentralized consensus should not be possible in PoS?

Maybe if you read my PoS paper?

I see it working in real world while the "consensus is not possible" statement is theoretical.

I see this claim, along with its variant ""consensus is not possible" statement is bullshit", a lot. But this paper has been out for over six months, has been read by thousands of people, has changed the discourse around PoS to the point where I was accused of strawmanning after its last appearance on Reddit since "nobody is actually proposing distributed consensus by PoS", and yet there have been exactly zero counterarguments. I'm getting tired of these sorts of proudly uninformed comments.

Your paper is too vague.

an attacker with enough past signing keys can modify the
history he has direct control over, causing future signer selections to always happen in his
favour. (It is likely he needs to “grind” through many choices of block before he finds one
which lets him keep control of the signer selection. In effect, he has replaced proof-of-stake
with proof-of-work, but a centralized one.)

You make it sound easy to just grind through "many" choices of blocks, yet don't provide a model of how many that excatly means. This attack vector may have been possible with peercoin and an early version of Nxt (before transparent forging was partly implemented at block height 30000, in the current version the account that will forge the next block is already known, you don't have enough time to produce a valid block and influence the desired next forging account, you would need huuuge amounts of computing power to do so).

You need to provide mathematical proof of how much cumputing power is needed to build a long enough chain and trick the network to accept your fake chain. I say (sorry only speaking about Nxt again) you'd need too much. Prove me wrong.

And Nxt does not use coin age, which released minting power to the account that signed the block, if the block was orphaned. So that attack vector is also gone.

Suppose that at some early
point in consensus time, a single person has the ability to extend history. (For example,
they have control over every key which a new block is required to be signed by.) This may
have happened organically, if this person’s keys were chosen randomly by the stake-choosing
algorithm, but it could also happen if this person tracks down the other keyholders and buys
their keys. This may happen much later in consensus time (and real time), so there is no
reason to believe these keyholders are still incentivized to keep their keys secret. Alternately,
they may have revealed the keys through some honest mistake, the chances of which increase
as time passes, backups are lost, etc

720 blocks is not "much later".

[kokojie]

No PoS system that I'm aware of, has actually been attacked, all the theories remain theories, the real world has said "no I can't attack a PoS system".

Many PoW systems have been attacked, the real world has provided many successful attacks, lots of PoW systems have basically been attacked to death.

How can anyone still claim PoW security is superior to PoS?

PoS may not be a perfectly secure system, but it's clearly superior in a security sense and also economical sense.

PoS scales beautifully, while PoW struggles to waste more hardware and electricity, and transfers more value out of a crypto eco-system.

You have some flawed reasoning with regards to security.

1) Just because no case of a 51% attack has been successful with Bitcoin doesn't mean that Bitcoin is secure from such an attack in the future. The same reasoning can be applied to any PoS with NaS. When it comes to security, analyzing all possible attack vectors is of utmost importance.

2) To only focus on NaS attacks PoS/DPoS critics are not accurately reflecting all the possible attack vectors in which these currencies are vulnerable to.

I.E...  Some would consider Bitshares to be recently attacked with a "51% democratic attack by delegates" which decided to change BTSX from a deflationary currency to an inflationary currency and upsetting a minority group of investors who were sold on the idea of a deflationary currency.

Bitcoin is not a mining algorithm by itself, it uses the same PoW algorithm as many other PoW crypto, and since other systems with the same PoW algorithm has been attacked, therefore it's already proven Bitcoin can be attacked in the same manner. Bitcoin has the advantage of being an order of magnitude larger than any other crypto, that's another form of security, unrelated to PoW.

For example, yahoo and my personal blog site, both can be DDoS attacked, but yahoo being so big, it's much more difficult to DDoS it. It doesn't mean yahoo has good anti-DDoS measures at all, my personal blog site might have better anti-DDoS measures, but since it's small, it's easier to attack.

The fact that ZERO PoS systems have been attacked, even though many of them are tiny, speaks volumes about PoS security. ALL of your attack vectors remains a theory at best. If you want to prove your point, the best method is not theorycraft further, but actually go and attack one currently public and working PoS system, you can even pick a tiny one if you wish.

I don't want to get into another discussion with you about Bitshares, since it's pointless to discuss Bitshares with your vivid imagination. You are calling a community voted and approved change by the developer team an "attack", that's just too funny. Can I call Gavin's "block size" increase of 50% per year an attack? I didn't even get to vote on it. I would have preferred another way of handling the block size, damn I'm now alienated and upset!

Btw, Bitcoin with PoW is currently and will always be inflationary at least 10% annually, it is much more inflationary than Bitshares. Due to the 10% PoW mining tax. Bitcoin value will rise only with constant inflow of new money, otherwise Bitcoin value will naturally decrease by at least 10% annually.

[inBitweTrust]

....(before transparent forging was partly implemented at block height 30000, in the current version the account that will forge the next block is already known, you don't have enough time to produce a valid block and influence the desired next forging account, you would need huuuge amounts of computing power to do so).

You need to provide mathematical proof of how much cumputing power is needed to build a long enough chain and trick the network to accept your fake chain. I say (sorry only speaking about Nxt again) you'd need too much. Prove me wrong.

And Nxt does not use coin age, which released minting power to the account that signed the block, if the block was orphaned. So that attack vector is also gone.

Is their even a Whitepaper available that details the security of Nxt Transparent forging yet? If not than how can we even discuss it?

[inBitweTrust]

The fact that ZERO PoS systems have been attacked, even though many of them are tiny, speaks volumes about PoS security. ALL of your attack vectors remains a theory at best. If you want to prove your point, the best method is not theorycraft further, but actually go and attack one currently public and working PoS system, you can even pick a tiny one if you wish.

I'm not blackhat and won't go around commiting crimes to prove a point. My logic is sound and eventually some blackhat may perform a NaS. I don't believe NaS is a likely attack vector for PoS and never claimed as much however ignoring the possibility is irresponsible.

I don't want to get into another discussion with you about Bitshares, since it's pointless to discuss Bitshares with your vivid imagination. You are calling a community voted and approved change by the developer team an "attack", that's just too funny. Can I call Gavin's "block size" increase of 50% per year an attack? I didn't even get to vote on it. I would have preferred another way of handling the block size, damn I'm now alienated and upset!

I would consider anything that strayed from the central tenets of Bitcoins purpose/ideals to be an attack. Increasing the transaction volume was actually an intended improvement while some investors where sold that Bitshares was a "true deflationary" currency by many promoters including yourself which is a big deal.

BTSX recent short term price drop compared to Bitcoin isn't even my main concern but the trust and credibility of the currency is now tarnished as new investors will always wonder when/if /and how much the next devaluation will be.

If BTC would ever increase above 21million than it would be catastrophic and many in the community would not consider the new fork "Bitcoin". As you suggested, security can come in many forms and not just the algorithm itself and the fact that Bitcoin is a certain size, has first mover advantage, has enough developers, and has a community with certain ideals (I.E... we will not inflate the currency supply) are tremendous security aspects one must consider.  

[achimsmile]

....(before transparent forging was partly implemented at block height 30000, in the current version the account that will forge the next block is already known, you don't have enough time to produce a valid block and influence the desired next forging account, you would need huuuge amounts of computing power to do so).

You need to provide mathematical proof of how much cumputing power is needed to build a long enough chain and trick the network to accept your fake chain. I say (sorry only speaking about Nxt again) you'd need too much. Prove me wrong.

And Nxt does not use coin age, which released minting power to the account that signed the block, if the block was orphaned. So that attack vector is also gone.

Is their even a Whitepaper available that details the security of Nxt Transparent forging yet? If not than how can we even discuss it?

Well I agree with you, it would be nice to have an independent in-dept review on the security of transparent forging. But it doesn't actually change the forging algo, which was reviewed here:
http://www.docdroid.net/ahms/forging0-4-1.pdf.html

and the crypto behind it looks sound (https://gist.github.com/doctorevil/9521116)

It just let's you know the next forger (in it's current state). How would that negatively impact security? It makes it much harder to compute a longer fake chain.

(quoting Come-from-Beyond)

• Do http://localhost:7876/nxt?requestType=getState to get value of "lastBlock"
• Do http://localhost:7876/nxt?requestType=getBlock&block=10621696942372068326 (assuming 10621696942372068326 is the value of "lastBlock")
• Convert "generationSignature" into binary, and append the public key bytes returned by getAccountPublicKey
• Calculate SHA256 (generationSignature, publicKey)
• The first 8 bytes of this value, as an unsigned long in little-endian notation, is the "HIT" value
• The value of "baseTarget", multiplied by the effective balance of the account, is STATIC_TARGET
• Repeat steps 3-6 for each active account, and find the one with lowest HIT/STATIC_TARGET ratio. This account will forge the next block

[achimsmile]

I'm not blackhat and won't go around commiting crimes to prove a point. My logic is sound and eventually some blackhat may perform a NaS. I don't believe NaS is a likely attack vector for PoS and never claimed as much however ignoring the possibility is irresponsible.

Apart from the likeliness of the attack, I'm agreeing with you, ignoring an attack vector is irresponsible.

[inBitweTrust]

Well I agree with you, it would be nice to have an independent in-dept review on the security of transparent forging. But it doesn't actually change the forging algo, which was reviewed here:
http://www.docdroid.net/ahms/forging0-4-1.pdf.html

and the crypto behind it looks sound (https://gist.github.com/doctorevil/9521116)

The paper you cited doesn't refer to transparent forging algorithm except as a footnote link which shows a forum post where there is a proposed algorithm.

It would be nice if a Whitepaper is available discussing transparent forging in detail otherwise the use of the term is mostly marketing fluff.

It just let's you know the next forger (in it's current state). How would that negatively impact security? It makes it much harder to compute a longer fake chain.

How does this protect you from 7-12 compromised stakeholders?

I'm not blackhat and won't go around commiting crimes to prove a point. My logic is sound and eventually some blackhat may perform a NaS. I don't believe NaS is a likely attack vector for PoS and never claimed as much however ignoring the possibility is irresponsible.

Apart from the likeliness of the attack, I'm agreeing with you, ignoring an attack vector is irresponsible.

So you are disagreeing with me and are suggesting a NaS attack is likely?

[instagibbs]

The fact that ZERO PoS systems have been attacked, even though many of them are tiny, speaks volumes about PoS security. ALL of your attack vectors remains a theory at best. If you want to prove your point, the best method is not theorycraft further, but actually go and attack one currently public and working PoS system, you can even pick a tiny one if you wish.

Security through No One Gives a Fig.

That's a new one.

[instagibbs]

It would be nice if a Whitepaper is available discussing transparent forging in detail otherwise the use of the term is mostly marketing fluff.

No need to read it. Just listen to the scraping of goalposts moving on the ground and you'll get the idea. I've tried countless times.

gmaxwell calls it Security against Cryptoanalysis  

I do love that it's considered "Transparent" Forging though.

[kokojie]

The fact that ZERO PoS systems have been attacked, even though many of them are tiny, speaks volumes about PoS security. ALL of your attack vectors remains a theory at best. If you want to prove your point, the best method is not theorycraft further, but actually go and attack one currently public and working PoS system, you can even pick a tiny one if you wish.

Security through No One Gives a Fig.

That's a new one.

Not really, many tiny PoW systems have been attacked, actually being tiny increase the likelihood of an attack for PoW systems.

[achimsmile]

Well I agree with you, it would be nice to have an independent in-dept review on the security of transparent forging. But it doesn't actually change the forging algo, which was reviewed here:
http://www.docdroid.net/ahms/forging0-4-1.pdf.html

and the crypto behind it looks sound (https://gist.github.com/doctorevil/9521116)

The paper you cited doesn't refer to transparent forging algorithm except as a footnote link which shows a forum post where there is a proposed algorithm.

It would be nice if a Whitepaper is available discussing transparent forging in detail otherwise the use of the term is mostly marketing fluff.

No, it means you are too lazy to try out if one can really know the account  that will forge the next block (transparent). I provided you a step by step guide on how to verify. I feel like there's a pudding in front of me and I'm telling you it's there, but you keep your eyes closed and pretend it's not, you wan't to read an abstract first that proofs that the pudding exists.

How does this protect you from 7-12 compromised stakeholders?

It does not, and I never said otherwise. This is a different argument. Thank you for not answering anything to my criticism against the anti-PoS paper. The attack you describe has nothing to do with a technical weakness, but with size of community and distribution.

I'll be fair and calculate which accounts you'd need to compromise:

Current estimated active stake in Nxt is 413,042,354 NXT. Meaning you'd roughly need to control private keys of 207M Nxt at the moment (if inactive holders don't start forging which they probably would if they noticed an attack).
If you're only after the largest stakeholders, you'll need to find out who the following accounts belong to, where they live, and where they store their private keys, and then steal them.


NXT-THLJ-CYAL-JQST-6FNS5
NXT-4GSE-75S2-TVVP-3N2YV
NXT-R3V3-2S79-F3ZM-BVXKZ
NXT-GQPU-UKGD-H89L-EUWFN
NXT-MRBN-8DFH-PFMK-A4DBM
NXT-A2Q2-N6JD-AAEW-GYTT8

Yay, only 6 accounts, pretty easy. They have a combined amount of 223'155'189. Good luck in finding them (hint, they might use Tor and have their private keys in cold storage hidden anywhere in the world since not all of them are forging).

I think it could be easier to just put a gun to the head of the 3 operators of Discus Fish, Ghash.io and KnC Mining pool. Since BTC is worth way more, this approach would be more profitable.

Disclaimer: I am against any voilence and unethical stuff such as stealing or threatening, both approaches are disgusting.

So you are disagreeing with me and are suggesting a NaS attack is likely?

No.

[inBitweTrust]

No, it means you are too lazy to try out if one can really know the account  that will forge the next block (transparent).

I'll wait till all the changes are sorted out with transparent forging and the developers publish a whitepaper before making any assumptions upon the security direction Nxt is headed.

 From reading the material and from your statements the security concerns I bring up aren't addressed from this partial implementation of transparent forging. It appears you are resigned to believe that it is near impossible to find and identify any of those 15 top stakeholders which is a bit disconcerting. Some other concerns deal with bugs creeping into Nxt that allow for an exploit of some/everyone's stake.

I still am interested from an academic perspective in the future whitepaper but not Nxt as a currency because I consider the way it was launched an attack on the credibility of the network right from the start so don't hold out much hope for Nxt itself. PoS /DPoS future I'm not so certain about.

[Ix]

Maybe if you read my PoS paper where I actually give a specific attack?

I'm curious to hear your thoughts on the whitepaper I have recently posted: https://bitcointalk.org/index.php?topic=845827.0