Nothing at stake robust Pure Proof of stake

[benjamin_bit]

What do you guys think of Staked Proof of Work? https://docs.google.com/document/d/1LzY_dQz4jVDrHZq6BawSzT9rNRx_CaZou_fpEcu6CU4/edit?usp=sharing (ignore the Polychains part - that is really a separate technology).

That document is very short on specifics, which is a negative signal. It seems to be some form of mixed proof of stake \ proof of work.
If you go that (and it is a sensible route IMO), then iddo et al.'s proof of activity seems like a better choice.
See the link I provided in a previous post.
Note: There is no currently released coin using iddo et al.'s system.

[spartacusrex]

Trust.

BUT - he is saying that's no problem.

I disagree.

Do you have any reason for disagreeing, or just stubbornness? In my paper on the Decrits consensus algorithm, I called it common sense, because that's exactly what it is -- not trust. In bitcoin, in lieu of common sense, you have an algorithm that will idiotically allow anyone with enough hash power to commit fraud against you. To reduce the likelihood of this fraud, hundreds of millions and what will eventually be billions of dollars of wasted electricity and capital must be spent annually to make it more difficult. In stake algorithms, you have virtually no cost to protect against this, you must only rely on the user to be modestly aware of what millions or billions of other people who were watching the network think is the correct chain of events, and this is only if you specifically are being targeted for fraud. And how are you being targeted if you aren't even watching the network?

And with the DCA I even solved the problem so that you don't have to even use common sense if you haven't monitored the network recently -- except if a massive, one-time attack has occurred in the mean time. And again, it only matters if you were being targeted. Unlikely that you would part with a massive amount of goods without monitoring the network, though.

Etlase2! (That is you ?) hello.. 

Love that you're still plugging Decrits.

As for this POS/POW conundrum, I am realising that this is a psychological/philosophical argument. Mathematically some people will not be swayed - on both sides 

POS systems need a startup value to initialise (basically). That's fine. But where this 'number' comes from, always troubles me. Average Joe User will not be anywhere near it. His software client will deal with it, and that will come from some github repo that someone else has compiled. Probably the same main repo most people use. That is the weak link and where the eventual attack will come IMHO.

And that's about it. However you wrap it up, some of us find that discomforting just as some find POW untenable.

You cannot hack a POW chain in this way. The chain itself is INDEPENDENT of the software, unlike POS systems. POW chains can be compared to another POW chain on it's own merits/work.

I'm thinking that eventually the attack on POS will come from a large POW stake holder. Sort of like currency wars. One coin attacking another.

Sounds exciting.
 

[benjamin_bit]

If a Trojan horse in the github repo is the source of the attack vulnerability, then bitcoin is just as vulnerable.
It's not worth discussing this issue further because it has no theoretical content. 

[spartacusrex]

If a Trojan horse in the github repo is the source of the attack vulnerability, then bitcoin is just as vulnerable.

No, it is not.

As I said - the VALID POW chain can still be determined without any outside assistance.

Once you have hacked the repo - i can always / later verifiably proove that this POW chain is better than that one. By summing the work.

You can't with POS.

[benjamin_bit]

One simple way of thinking about this is as follows.

1) Fork the current bitcoin blockchain to produce a genesis block with diffuse ownership. Call the genesis block, block 0.
2) Order all satoshi in the genesis block from 1 to N, where N is the total number of satoshi.
3) Allow satoshi that have never moved since genesis to mint blocks.
4) All nodes agree on the current minute. If not, then replace minute in what follows with some larger unit of time that all nodes can agree on.
5) Satoshi 1 can build a block during the first minute since genesis. Call this block 1.
    Satoshi 2 can build a block during the second minute since genesis. (provided it didn't move in block 1)
    Satoshi 3 can build a block during the third minute since genesis. (provided it didn't move in blocks 1 or 2)
    Satoshi 4 can build a block during the fourth minute since genesis. (provided it didn't move in blocks 1, 2, or 3)
    ...
6) If Satoshi x mints a block on one chain at minute x and sends a txn on a fork at a time x-t, where t>=0, then this satoshi is blacklisted. To verify this, we can require that txn include a block number y and prohibit inclusion of txns in a block minted by satoshi x when y<x.
7) If Satoshi x mints blocks on multiple chains at minute x, then this satoshi is blacklisted.
Given a comparison set of competing chains U, define the value of a specific blockchain, u in U, as V(u). Compute V(u) as
V(u) = the total number of blocks on blockchain u - the number of blocks on blockchain u minted by blacklisted satoshi
9) Whichever blockchain has the highest V(u) is the main chain.

I claim that, as long as at least one minting satoshi is not blacklisted, this system generates a long-run consensus.

We can think about incentives to avoid blacklisting and ways of replenishing the set of minting satoshis later.
The point is that there is a well-defined consensus here. There is no nothing@stake problem because anyone who attempts to use a minting satoshi for multiple purposes gets ignored during chain selection.    

Note: if you want to know if Vitalik 'agrees' with this, then you should ask him to read the specific statement written above.

Ideally, I'd like someone knowledgeable to comment on this AND either
a) agree that the system defines a long-run consensus that is robust to nothing@stake.
b) disagree and explain how a nothing@stake attack would disrupt consensus

If (b), then we could debate a substantive issue.
If (a), then we could move on to replenishing minting Satoshi. It's an interesting issue. However, there is no point in discussing it if we don't reach consensus on the existence of consensus here.

[benjamin_bit]

If a Trojan horse in the github repo is the source of the attack vulnerability, then bitcoin is just as vulnerable.

No, it is not.

As I said - the VALID POW chain can still be determined without any outside assistance.

Once you have hacked the repo - i can always / later verifiably proove that this POW chain is better than that one. By summing the work.

You can't with POS.

In the thread, I defined chain selection criteria that allow you to do exactly this. So yes, you can do this with POS. That is the whole point of this thread.
If you don't think I have defined criteria that allow proof that one POS chain is better than other chains in a comparison set, please explain why not.  

There is some distinction in that the ordering over sets of POW chains are transitive.
Orderings over sets of POS chains are not transitive. However, given a set of pos chains with at least one clean Satoshi, there is a well-defined ordering of chains from best to worst within the reference set. 
 

[gatra]

Pick whichever chain, u, has the highest value for V(u) as the valid chain. This is the chain that is the most strongly supported by 'clean inputs.'

I think it doesn't work.

1) If I get control of a private key that in the past had lots of coins that were used for staking, by creating a parallel chain I can make some inputs of the valid chain "unclean", effectively reducing its V(u).

2) If I get control of a private key that in the past had lots of coins that were not used for staking, then my coins are "clean" and I can rewrite history from that moment in time by creating a chain with more V(u).

By combining 1 and 2, the nothing at stake problem is still a problem.

I'm working on a variation of PoS that will help with this. Please wait for it, the whitepaper is still being reviewed.

[ShroomsKit_Disgrace]

You can't with POS.

The more I read your posts the more retarded I become 

[gatra]

...
2) If I get control of a private key that in the past had lots of coins that were not used for staking, then my coins are "clean" and I can rewrite history from that moment in time by creating a chain with more V(u).
...

...
(2) is a misunderstanding. You could not use (2) for any form of attack as far as I am aware. The private key that had lost of old coins in the past must have signed an outgoing txn. If not, it would still own the coins. I mentioned in one of the previous posts that spending on one chain and signing on another is grounds for blacklisting, but I wasn't clear enough.
...

ok, I didn't understand blacklisting worked this way. I'll have to think about it a little more, but this at least gives me a new way to blacklist coins in the "valid" chain, now I have two methods for making it's V(u) lower.

For V(u) you should count accumulated work according to difficulty, not number of blocks.

[Daedelus]

i can always / later verifiably proove that this POW chain is better than that one. By summing the work.

What makes you think the same isn't true in some POS implementations

Which POS are you criticising, an actual one or a straw man you invented?

[Daedelus]

Just realised I posted this in the wrong thread earlier...



Just so you don't miss it benjamin_bit...

https://nxtforum.org/consensus-research/multibranch-forging-approach/

First findings of the POS research group.

[spartacusrex]

i can always / later verifiably proove that this POW chain is better than that one. By summing the work.

What makes you think the same isn't true in some POS implementations

Which POS are you criticising, an actual one or a straw man you invented?

Pure POS.

I'm not trying to debunk POS. I really like certain aspects of it. Just some points, as with POW, still seem unfinished \ problematic.

This thread is about pure POS N@S resistance, and I have not seen an answer to that yet. Anywhere..

Can you refer me to \ explain a version of POS which can compare valid chains without any external 'number' to bootstrap the process?

(I'm not talking short range attacks, but long-range-total-chain rewrites)

Thanks.

[gatra]

i can always / later verifiably proove that this POW chain is better than that one. By summing the work.

What makes you think the same isn't true in some POS implementations

Which POS are you criticising, an actual one or a straw man you invented?

Pure POS.

I'm not trying to debunk POS. I really like certain aspects of it. Just some points, as with POW, still seem unfinished \ problematic.

This thread is about pure POS N@S resistance, and I have not seen an answer to that yet. Anywhere..

Can you refer me to \ explain a version of POS which can compare valid chains without any external 'number' to bootstrap the process?

(I'm not talking short range attacks, but long-range-total-chain rewrites)

Thanks.

I find your criticism valid and it applies to all forms of POS that I know of. However I don't see it as problematic, as long as you have a way to get that "external 'number'" in a secure/trusted/decentralized enough way.

[benjamin_bit]

I also agree that you need some sort of arbitrary assignment of initial ownership to bootstrap a PoS currency. That is not my focus here.

My point is as follows:
Given the txn rules I defined, the current owners of the majority of clean inputs always control long-run chain selection. Attackers can exploit past input ownership to blacklist current inputs. This reduces the set of clean inputs and therefore reduces attack costs. However, you can never attack soley through past input ownership. Attackers always need current input ownership as well, otherwise their attack will fail.

Does anyone disagree with the bolded statement at this point? Or have we reached consensus on this point?


If we accept these ideas, I will describe a system for removing inputs from the blacklist.


 

[SlyWax]

An attacker can blacklist his coin by signing multiple chain,
then he can switch his coin for new ones on an exchange,
and then blacklist them again,
rise and repeat.

Most of the coin would end up been blacklisted -> centralization -> poor security.

[SlyWax]

As a side note, if you prevent multiple input, you will end up with blockchain bloat very quickly.

[spartacusrex]

I find your criticism valid and it applies to all forms of POS that I know of. However I don't see it as problematic, as long as you have a way to get that "external 'number'" in a secure/trusted/decentralized enough way.

Thanks gatra. That about covers my worries for long range attacks.

Thinking about the internal chain consensus rules, maybe a different approach might produce some new ideas.

It seems the 'issue' is that a rational miner will try to mine multiple chains, not just because he can, but more importantly because he might make more money that  way.

Why not remove that incentive altogether instead of punishing/blacklisting him for trying.

Currently in Pure POS systems, the miners still 'compete' for who gets to mint the next block. Whoever does, gets the spoils. Thereby incentivising multiple chain mining. I know TF in NXT picks a miner, but that does not stop miners trying to extend earlier chains in history to find a different TF path through the miners. If you see what I mean..

What if you say anyone can mint the next block, and then pay EVERYONE, EVERY block. Therefore every chain pays the same. Therefore there is no incentive to mine multiple chains.

You could use a 'Hash Clock' to pick a miner at random every 10 seconds or so (Like POW but more hashing power has no effect), and then you would calculate the value BLOCK FEES / TOTAL COINS.

This would give you a tiny percentage that you could multiply ALL ACCOUNT balances by to spread the fees proportionally to everyone..

So if the block fees were 1 unit, and the coin had 100 coins in all, every account would increase by 1/100, 1%.

This would mean that you would not need to actually run a node to be paid, BUT, if you were a large stakeholder and wanted your investment to be secured, why wouldn't you run a node ?

I can see that there are issues with the idea, why anyone would run a node, as there would be no gain financially from doing so.

The network would not run if enough miners did not choose to run a node. So I wonder - would stake holders choose to run a node - for the good/health of the network ?
 

[Crestington]

I find your criticism valid and it applies to all forms of POS that I know of. However I don't see it as problematic, as long as you have a way to get that "external 'number'" in a secure/trusted/decentralized enough way.

Thanks gatra. That about covers my worries for long range attacks.

Thinking about the internal chain consensus rules, maybe a different approach might produce some new ideas.

It seems the 'issue' is that a rational miner will try to mine multiple chains, not just because he can, but more importantly because he might make more money that  way.

Why not remove that incentive altogether instead of punishing/blacklisting him for trying.

Currently in Pure POS systems, the miners still 'compete' for who gets to mint the next block. Whoever does, gets the spoils. Thereby incentivising multiple chain mining. I know TF in NXT picks a miner, but that does not stop miners trying to extend earlier chains in history to find a different TF path through the miners. If you see what I mean..

What if you say anyone can mint the next block, and then pay EVERYONE, EVERY block. Therefore every chain pays the same. Therefore there is no incentive to mine multiple chains.

You could use a 'Hash Clock' to pick a miner at random every 10 seconds or so (Like POW but more hashing power has no effect), and then you would calculate the value BLOCK FEES / TOTAL COINS.

This would give you a tiny percentage that you could multiply ALL ACCOUNT balances by to spread the fees proportionally to everyone..

So if the block fees were 1 unit, and the coin had 100 coins in all, every account would increase by 1/100, 1%.

This would mean that you would not need to actually run a node to be paid, BUT, if you were a large stakeholder and wanted your investment to be secured, why wouldn't you run a node ?

I can see that there are issues with the idea, why anyone would run a node, as there would be no gain financially from doing so.

The network would not run if enough miners did not choose to run a node. So I wonder - would stake holders choose to run a node - for the good/health of the network ?
 

I have an idea about changing they way the fees work in a pure POS currency.

Could you smooth the amount of fees generated over time alongside Proof of Stake as a low curve over a long medium of time such as a couple weeks? The way I see this working is that it would create a type of floating number which is the difference between the expected inflation and it's actual inflation and could be used to check past work through checks of the oldest, most trusted nodes? I feel like this kind of stuff will be some of the bigger changes to Proof of Stake, because then every block gets paid a minimum amount of fees depending on the amount of volume in a period. Make the whole general consensus that either you are supporting it's security or you are losing a small amount per year. Say you have lower inflation but higher fees then all nodes would be incentivized to claim their blocks and support consensus.

[gatra]

I also agree that you need some sort of arbitrary assignment of initial ownership to bootstrap a PoS currency. That is not my focus here.

My point is as follows:
Given the txn rules I defined, the current owners of the majority of clean inputs always control long-run chain selection. Attackers can exploit past input ownership to blacklist current inputs. This reduces the set of clean inputs and therefore reduces attack costs. However, you can never attack soley through past input ownership. Attackers always need current input ownership as well, otherwise their attack will fail.

Does anyone disagree with the bolded statement at this point? Or have we reached consensus on this point?


If we accept these ideas, I will describe a system for removing inputs from the blacklist.

I'm still not convinced... I have problems with the following:

6) If Satoshi x mints a block on one chain at minute x and sends a txn on a fork at a time x-t, where t>=0, then this satoshi is blacklisted.

So if you send and then mint you get blacklisted. But that doesn't cover all the cases. If I get past ownership of coins that never minted, I can use that to mint in a second chain, at least up to the moment were those coins changed ownership. So I used "past input ownership" to create part of a second chain. By jumping thru different past ownerships I can get very close to the present and accumulate more work in my chain to the point that I might not even need current ownership.

7) If Satoshi x mints blocks on multiple chains at minute x, then this satoshi is blacklisted.

you say "this satoshi" however there are no satoshis, only ins and outs. You can have colored coins and forbid loss of color, and that would be ok, but unless you color every satoshi (which is not practical), I don't see how you could match one satoshi from one chain to one in another chain. Colored coins can track coins in one chain, but when you have 2 competing forks, it's not that straightforward

[gatra]

What if you say anyone can mint the next block, and then pay EVERYONE, EVERY block. Therefore every chain pays the same. Therefore there is no incentive to mine multiple chains.

the incentive to mine multiple chains is not only the payout for finding a block, but the possibility to perform a double spend!

This would give you a tiny percentage that you could multiply ALL ACCOUNT balances by to spread the fees proportionally to everyone..

So if the block fees were 1 unit, and the coin had 100 coins in all, every account would increase by 1/100, 1%.

if you give something to everyone, it's the same as doing nothing. Everyone ends up with the same % of the market cap. So this doesn't make much sense.