Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research)

[xyzzyx]

Hmmm....if I get some spare time I'll fire up a NAS node and see how the network looks.

I wasn't able to connect to any peers.  You have any better luck?

[1715137646]

1715137646

[1715137646]

1715137646

[1715137646]

1715137646

[cynicSOB]

Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty

P.S. Good description on practical impossibility of N@S by JordanLee http://www.peercointalk.org/index.php?topic=2976.msg27303#msg27303

I will elaborate on the idea against nxt.
But that link you sent regarding PPC is not about practical impossibility of N@S. It's only about practical impossiblity of the particular attack that the writer describes. This was proven by my attack on APEX. Also, it has some flaws:

"They must wait 90 days to get another optimal chance to attack after a failed attempt"

is wrong, if you mine your chain in private and publish it only when it has accumulated more work than the main chain then you can attempt this after every block.

"If you buy 1% of Peercoins and put them all in the same output (similar to an address), you might have about a 3% chance of finding the next block."

is also wrong: 1% gives you about 20% chance of a block. 5% guarantees success.

[cynicSOB]

Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty

please elaborate on the details of the bounty
writing a white-paper quality explanation is a time consuming task

[EvilDave]

Hmmm....if I get some spare time I'll fire up a NAS node and see how the network looks.

I wasn't able to connect to any peers.  You have any better luck?

Absolutely nothing. Looks like NAS is very dead.

[ArticMine]

Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty

P.S. Good description on practical impossibility of N@S by JordanLee http://www.peercointalk.org/index.php?topic=2976.msg27303#msg27303

I will elaborate on the idea against nxt.
But that link you sent regarding PPC is not about practical impossibility of N@S. It's only about practical impossiblity of the particular attack that the writer describes. This was proven by my attack on APEX. Also, it has some flaws:

"They must wait 90 days to get another optimal chance to attack after a failed attempt"

is wrong, if you mine your chain in private and publish it only when it has accumulated more work than the main chain then you can attempt this after every block.

"If you buy 1% of Peercoins and put them all in the same output (similar to an address), you might have about a 3% chance of finding the next block."

is also wrong: 1% gives you about 20% chance of a block. 5% guarantees success.

So it I understand this correctly an attacker could borrow rather than buy say 10% of the target POS coin. This could be done for example using a pirateat40 type scheme. Sell half of the borrowed POS coins short, and use the remaining 5% of the borrowed coins to launch the attack. This would cause the price of the coin to collapse creating massive profits for our short seller / attacker. There is some real Bitcoin history here that is a must for anyone either attacking or defending a POS coin. Here is a good place to start. https://bitcointalk.org/index.php?topic=50822.0. pirateat40 failed with Bitcoin but Bitcoin is POW! I can just imagine what would have happened to Bitcoin if pirateat40 could have used the borrowed XBT to launch an attack on the Bitcoin blockchain. This would indeed have been the case if Bitcoin had been POS.  

[EvilDave]

Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty

please elaborate on the details of the bounty
writing a white-paper quality explanation is a time consuming task

Er...I think Kushti may be getting a little bit ahead of himself here.
If you can pull off a successful attack on NXT, or an attack that works in Kushtis simulations, there will be lots of love for ya....possibly even parades!
And definitely some bounty, if you can also produce good quality documentation on the attack.  (Doesn't have to be real WP standard, but that would be up to our devs to judge.)

But: right now, we don't have a formal bounty offer already open.

I just had a thought: maybe you could run an attack on the NXT Testnet ?
Shouldn't be any problem giving you a stake of TestNXT to play with........

If you're up for it, head on over to NXTworld:
https://nxtforum.org/index.php
and we can discuss further......

[inBitweTrust]

5% to sell short and induce a "bear raid" https://en.wikipedia.org/wiki/Bear_raid 5% to wreck havoc  on the network by voting the stake against the interests of the coin. To use the 1 billion USD example. The attacker borrows 2 billion USD. The attacker has 2 billion USD and a 2 billion USD debt. The attacker sells 1 billion USD for 870 million EUR.The attacker now has 870 million EUR, 1 billion USD and 2 billion USD in debt. The attacker now uses the 1 billion USD to cause the value of the USD to go to zero. The attacker is now left with 870 million EUR, 0 USD (the 1 billion USD was spent in order to crash the price) and a debt of 2 billion USD now worth 0 for a net profit of 870 million EUR.

To clarify, you are suggesting the bear raid attack (which PoW coins are equally susceptible towards) is used to leverage a N@S attack on a PoS coin?

I.E... Someone with 1% PoS stake borrows 9% stake with many different profiles as not to arouse suspicion. They than proceed to sell 5% stake for BTC (most likely over time as not to bring suspicion and to get the most BTC), they than perform a bear raid attack with the remaining 5% and marketing FUD on the exchanges with low liquidity causing the currency to crash to almost 0 , repaying the debts on the 9% borrowed from the BTC which are now insignificant and than buying back the PoS for very cheap(from many accounts/profiles to not arouse suspicion) increasing ones stake from 10% to 30% or higher , and this manipulation can occur several times till the attacker can perform a N@S attack at will.

In reality with Nxt this attack could easily be performed by one of the original whales even more easily than above. Between 4-15 Nxt users control over 51% of the coins thus any individual whale has between a 13% to 4% stake right from the get go.

With PoW this attack is not possible because hashing power/Electricity is needed to launch an attack instead of existing stake. With PoS the attacker could actually profit off of destroying the currency. With PoW attackers need to subtract the profits generated from the bear raid from the expenses from a 51% Attack and thus the attacker is incentivized to only play market manipulation games for profit rather than attacking the currency itself.

...
...and if the attacker is unsuccessful crashing the price with his 1 billion due to to others buying the dollar then he is BK'd.  What you are describing can be applied to any asset or stock including BTC. 

Yes this would be a classic bear raid. Pirateat40 tried that with Bitcoin and failed. The crucial difference with POS is that in addition the attacker has the option of voting the borrowed stake against the interests of the coin in order to induce panic and further cause a price drop. It literally turns POS on its head since you have a major "stakeholder" with a vested interest in the coin's collapse. 

What I am suggesting is the combination of a bear raid attack using leverage with a 51% type attack on the POS network using the borrowed stake. In this scenario both attacks will feed on each other creating a positive feedback for the attack. The key is that the attacker has the actual POS coins but also has a much larger short position. The bear raid side is what pirateat40 tried with Bitcoin and failed.

[ThomasVeil]

Those posts make no sense. It's not an attack, but mere market manipulation. If you can just get 51% of a currency by repeatedly FUDding, then you're golden anyways.
From then on it's not N@S at all - because you earned 51%. It's a 51%@Stake attack. You're harming yourself.

[inBitweTrust]

Those posts make no sense. It's not an attack, but mere market manipulation. If you can just get 51% of a currency by repeatedly FUDding, then you're golden anyways.
From then on it's not N@S at all - because you earned 51%. It's a 51%@Stake attack. You're harming yourself.

Your assumption ignores the possibility of profits from shorting a currency, large bets, or eventual gains from investments in other currencies when the competition is removed.

Simply dumping a large stake on an illiquid market isn't as profitable as repeatedly manipulating the market and taking profits in another currency before taking one large exit with a leveraged short that is assured when one performs a 51% attack.

With PoW there is much less incentive to risk such a large short on the market because one cannot as easily guarantee the difficulty increase and one is more exposed to risks of others noticing the accumulation of miners and hash rate and one has to spend a great amount of resources to mount said attack.

Additionally, I am only mentioning monetary motivations for attacking ones stake, there are plenty of other reasons which may motivate someone to perform this attack as well.

[ArticMine]

Those posts make no sense. It's not an attack, but mere market manipulation. If you can just get 51% of a currency by repeatedly FUDding, then you're golden anyways.
From then on it's not N@S at all - because you earned 51%. It's a 51%@Stake attack. You're harming yourself.

No. The point is that the attacker also has a much larger short position in the currency. So while the attacker looses on the stake this is more than offset by the gains on the short position.

[ThomasVeil]

You're totally ignoring what I'm saying: It's not a nothing at stake attack. That's a technical term. You have a stake - even if you short it.

Secondly ... come on guys: I buy 51% of a POS, then I buy again 51% of the value as shorts (well, more - as I want to make profit). And then I make an attack? Genius! You just managed to make the same fricking attack we knew all along worse, since you have to invest twice as much.
It also contradicts itself - since you fudded the currency into junk to get your stake, you don't even need to attack it. And you probably wouldn't get anyone offering you shorts.

[ArticMine]

I will formulate the attack: The "Second Pirate Savings and Trust" attack on Proof-of-Stake

1. The attacker creates the "Second Pirate Savings and Trust" modelled after the "First Pirate Savings and Trust" later called "Bitcoin Savings and Trust" https://bitcointalk.org/index.php?topic=50822.msg605957#msg605957. This is done in a falling market.
2. The "trust" offers a very attractive rate of interest payable in the POS coin. This rate is significantly higher than the stake rate
3. The "trust" allows investors to leave the interest in the "trust" and roll over the investment.
4. The "trust specifically disclaims that it is a HYIP / Ponzi scam https://bitcointalk.org/index.php?topic=50822.msg605981#msg605981
5. The attacker sells a portion of the borrowed POS coin say 50% for XBT, another POW alt-coin, one or more fiat currencies etc. This will becomes the attackers profit at the end. This will also depress the price by short selling creating the "bear raid"
6. A portion of the received POS coins is used to repay interest to those investors that do not reinvest their interest. This is the "ponzi" component; however see below.
7. The rest of the borrowed POS coin is kept by the attacker, accumulated and staked.

At this point this is no different from any bear raid on a stock, fiat currency POW currency etc. If the market exchange rate falls faster than 2x the interest rate less the stake rate then in the 50% example above, the attacker is actually in the black and there is no ponzi. In the normal bear raid the attacker, if the attacker can depress the price enough and cover the short, can actually walk away with a profit. The problem with the simple bear raid is that in covering the short the exchange rate can rise sharply. This converts the bear raid into a ponzi and the scheme collapses in a rising market. This is what happened to "First Pirate Savings and Trust". It collapsed during a rise in the Bitcoin price.

It is at this point where the specific to Proof-of-Stake part of the attack comes into play.

8. The attacker continues the ponzi until he has accumulated enough stake to launch a network attack.
9. The attacker is also accumulating a greater debt in the POS coin and can even continue selling 50% of the borrowed coin to increase his profit.
10. The attacker launches the attack on the coin causing its value to fall to zero. This wipes out the attacker's stake, but more importantly also wipes out the attacker's debt. The specifics of the attack will of course depend on the particular POS coin.
11. The attacker is left with is profit in some other currency, a worthless amount of the POS coin and a debt denominated in the now worthless POS currency.

Countermeasure:
The only known countermeasure is the intervention of the state.  http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370539730583#.VLncGTVVIWw.

The challenge here is to devise a countermeasure to this attack that does not involve the involvement of the state or some other centralized authority for example a corporation.

Edit: The network attack can be any attack on a POS coin that requires the attacker to have stake.

[ThomasVeil]

Yeah, you can add more detail to your attack - it's still as stupid as when you started.

That story has soo many holes - it's incredible. Most insane of all to call it Nothing-At-Stake. If all you need is to have ROI at some point, to define it as N@S, then it doesn't even have anything to do with POS at all.

Step 1 to 7 are exactly the same in any crypto. The rest is actually easier in POW. I don't even need 60% of the coin (or more as you seem to propose). A fraction of it, when sold, would be enough to buy a mining majority. I can short at the same time. A price drop would even help me, since the miners would drop out and the difficulty falls.
Still: None of this is any remotely realistic scenario.

[ArticMine]

Yeah, you can add more detail to your attack - it's still as stupid as when you started.

That story has soo many holes - it's incredible. Most insane of all to call it Nothing-At-Stake. If all you need is to have ROI at some point, to define it as N@S, then it doesn't even have anything to do with POS at all.

Step 1 to 7 are exactly the same in any crypto. The rest is actually easier in POW. I don't even need 60% of the coin (or more as you seem to propose). A fraction of it, when sold, would be enough to buy a mining majority. I can short at the same time. A price drop would even help me, since the miners would drop out and the difficulty falls.
Still: None of this is any remotely realistic scenario.

Sure the price of Bitcoin has gone down by 80% over the last year and the difficulty has gone up. https://blockchain.info/charts/difficulty. In my attack there is no additional purchase required, and is based on a scenario that has already happened.

[valarmg]

This attack requires a large % of a coin's stakeholders to be stupid enough to trust 'Pirate S+T'. Why don't you call your bank cryptodouble instead of Pirate S+T? I think cryptodouble is a catchier name, might get more suckers. In the accumulation phase, you are 100% operating a ponzi. How do you convince people to invest in the ponzi (I know, tell them it's not a ponzi, you instead intend to attack the currency)?

Explain why you can't do the same with a PoW coin? Just needs the added measure where you buy hashrate with your accumulated funds, but you would require much less funds. What % of bitcoin, what % of litecoin would it take to buy enough hashrate to attack? What % of a PoS coin would it take for you to attack that.

What happens if your attack doesn't reduce the value of the coin to zero? Does your attack merely consist of double spending?

[ThomasVeil]

In my attack there is no additional purchase required,

You don't understand your own text. I give up man.

[inBitweTrust]

This attack requires a large % of a coin's stakeholders to be stupid enough to trust 'Pirate S+T'. Why don't you call your bank cryptodouble instead of Pirate S+T? I think cryptodouble is a catchier name, might get more suckers. In the accumulation phase, you are 100% operating a ponzi. How do you convince people to invest in the ponzi (I know, tell them it's not a ponzi, you instead intend to attack the currency)?

Explain why you can't do the same with a PoW coin? Just needs the added measure where you buy hashrate with your accumulated funds, but you would require much less funds. What % of bitcoin, what % of litecoin would it take to buy enough hashrate to attack? What % of a PoS coin would it take for you to attack that

What happens if your attack doesn't reduce the value of the coin to zero? Does your attack merely consist of double spending?

All these questions have been answered in the previous page. Additionally, convincing people to invest in a ponzi is just one variation of an attack, other variations include convincing 10 % to deposit their stake in your exchange / bank, or taking 10% loans with many profiles , or simply being a large whale that already has 10% or more as is possible with NxT. Why do you act incredulous when these scenario's are commonplace within the crypto ecosystem?

The wastefulness of PoW is also a form of security because it incentivizes users to merely profit off of a bear raid and other market manipulation tactics rather than attacking the currency with a 51% attack. The difference with PoS you can attack the currency and profit in doing so and with PoW you have to take a large gamble and spend a lot of resources in order to perform a 51% attack.

In my attack there is no additional purchase required,

You don't understand your own text. I give up man.

You can start by first educating yourself from what researchers are discussing who are sympathetic towards PoS:

https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf

https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/
https://blog.ethereum.org/2014/10/03/slasher-ghost-developments-proof-stake/
https://blog.ethereum.org/2014/07/05/stake/

After you have done this research come back and join the conversation.

Secondly ... come on guys: I buy 51% of a POS, then I buy again 51% of the value as shorts (well, more - as I want to make profit).

You understand that one doesn't need to invest in any of the currency , or control 51% stake when performing a N@S right?

- we have formally defined nothing-at-stake attack(again, using Buterin's informal definition) and made initial simulations. We haven't included their results in paper as they are seems to be too raw, but I can reveal them here: N@S attack could happens only in short-range, e.g. for within 20 blocks for 10% stake, so with 30 confirmations we haven't observed the successful attack. Also please note the attack has pretty unpredictable nature for attacker, so he can hardly enforce it, even in theory(in practice it's even harder to get it done properly). The correlation with stake size is still the open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin

The above applies to NxT and other variations of TaPoS only . Other variations of PoS are susceptible to long-range attacks as well.

[achimsmile]

Please keep in mind that kushti only used his own simulation model.
I'm very interested to see real world tries on the  Nxt testnet. I imagine that the attack is more complex there because network topology and latency, behaviour of peers,  etc.

[inBitweTrust]

Please keep in mind that kushti only used his own simulation model.
I'm very interested to see real world tries on the  Nxt testnet. I imagine that the attack is more complex there because network topology and latency, behaviour of peers,  etc.

Yes, you should encourage more tests to be done.

Most of the peer review and security analysis has been focused on Bitcoin. This is one advantage Bitcoin has with having the largest mind-share, first mover advantage , and largest developer pool of any crypto-currency.

Another consideration for security one must consider that few mention involves how many different working stacks or implementations interact with your blockchain and how this is critical to security.

[ThomasVeil]

Additionally, convincing people to invest in a ponzi is just one variation of an attack, other variations include convincing 10 % to deposit their stake in your exchange / bank, or taking 10% loans with many profiles , or simply being a large whale that already has 10% or more as is possible with NxT. Why do you act incredulous when these scenario's are commonplace within the crypto ecosystem?

I highlighted the key word for you.
Yes, if you're simply already owning a stake of a size that never existed in NXT - and you additionally simply scam yourself into 41% more - and then simply buy 100% of all that value in shorts, and then simply gain another 30% so you cover your costs. Then you can attack.
Why did no one think of that before?

The wastefulness of PoW is also a form of security because it incentivizes users to merely profit off of a bear raid and other market manipulation tactics rather than attacking the currency with a 51% attack. The difference with PoS you can attack the currency and profit in doing so and with PoW you have to take a large gamble and spend a lot of resources in order to perform a 51% attack.

Clearly there is zero gambling in your perfect scheme.

You can start by first educating yourself from what researchers are discussing who are sympathetic towards PoS:

https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf

https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/
https://blog.ethereum.org/2014/10/03/slasher-ghost-developments-proof-stake/
https://blog.ethereum.org/2014/07/05/stake/

After you have done this research come back and join the conversation.

You gotta be kidding me. Nothing of your scenario has anything to do with any of those articles - and yes, I've read them before.
Clearly you didn't because you still don't even know what the term "nothing" means.

Does stupidity really know no limits?

Secondly ... come on guys: I buy 51% of a POS, then I buy again 51% of the value as shorts (well, more - as I want to make profit).

You understand that one doesn't need to invest in any of the currency , or control 51% stake when performing a N@S right?

Yes, and in not a single word you said you ever talked about N@S. All the links you provided actually conclude specifically that N@S does not exist, or is not realistically executable.