Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research)

[inBitweTrust]

I highlighted the key word for you.
Yes, if you're simply already owning a stake of a size that never existed in NXT - and you additionally simply scam yourself into 41% more - and then simply buy 100% of all that value in shorts, and then simply gain another 30% so you cover your costs. Then you can attack.
Why did no one think of that before?

10% is needed for an attack. Re-read the research paper sir. None of that 10% needs to be owned either as we have discussed.

Clearly there is zero gambling in your perfect scheme.

There are risks with all attacks. We are discussing a specific scenario where attacking PoS is far less risky than a similar attack with PoW.

Clearly you didn't because you still don't even know what the term "nothing" means.

You also understand that in physics "nothing" does not have the same connotation as within philosophy?
Of course some effort is needed to perform a N@S attack. I am using the definition as defined by Buterin and kushti.

Yes, and in not a single word you said you ever talked about N@S. All the links you provided actually conclude specifically that N@S does not exist, or is not realistically executable.

Vitalik is going with PoW for ethereum despite all his research into TaPoS and weak subjectivity. Why?

- we have formally defined nothing-at-stake attack(again, using Buterin's informal definition) and made initial simulations. We haven't included their results in paper as they are seems to be too raw, but I can reveal them here: N@S attack could happens only in short-range, e.g. for within 20 blocks for 10% stake, so with 30 confirmations we haven't observed the successful attack. Also please note the attack has pretty unpredictable nature for attacker, so he can hardly enforce it, even in theory(in practice it's even harder to get it done properly). The correlation with stake size is still the open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin

All this being said, TaPoS has some security differences, advantages and disadvantages to PoW and would nicely compliment Bitcoin as an additional wallet layer or sidechain.

[valarmg]

This attack requires a large % of a coin's stakeholders to be stupid enough to trust 'Pirate S+T'. Why don't you call your bank cryptodouble instead of Pirate S+T? I think cryptodouble is a catchier name, might get more suckers. In the accumulation phase, you are 100% operating a ponzi. How do you convince people to invest in the ponzi (I know, tell them it's not a ponzi, you instead intend to attack the currency)?

Explain why you can't do the same with a PoW coin? Just needs the added measure where you buy hashrate with your accumulated funds, but you would require much less funds. What % of bitcoin, what % of litecoin would it take to buy enough hashrate to attack? What % of a PoS coin would it take for you to attack that

What happens if your attack doesn't reduce the value of the coin to zero? Does your attack merely consist of double spending?

All these questions have been answered in the previous page. Additionally, convincing people to invest in a ponzi is just one variation of an attack, other variations include convincing 10 % to deposit their stake in your exchange / bank, or taking 10% loans with many profiles , or simply being a large whale that already has 10% or more as is possible with NxT. Why do you act incredulous when these scenario's are commonplace within the crypto ecosystem?

The wastefulness of PoW is also a form of security because it incentivizes users to merely profit off of a bear raid and other market manipulation tactics rather than attacking the currency with a 51% attack. The difference with PoS you can attack the currency and profit in doing so and with PoW you have to take a large gamble and spend a lot of resources in order to perform a 51% attack.

I'm incredulous about it being easy/cheap to get 10% of a stake of a well functioning coin. If you can get 10% of a stake without buying and want to profit from it, the easiest way is not to give back the 10%, and sell the coins on the market.

If you have the resources to get 10% of a PoS coin, often the price to buy enough hashrate to control a PoW coin is much less than 10%. I don't see how the incentives are drastically different. Usually owning a coin gives more incentive to not damage the coin than owning hardware does. For example, say bitcoin falls more, and lots of bitcoin mining rigs get shut off. Someone who doesn't own any bitcoin, and has lots of unprofitable bitcoin miners could just launch an attack at very low cost. Maybe put money on some shorts on bitfinex to offset the cost of electricity while attacking.

[valarmg]

Vitalik is going with PoW for ethereum despite all his research into TaPoS and weak subjectivity. Why?

Source? As I understand it, he is still deciding between a PoS/PoW combo and full PoS.

- we have formally defined nothing-at-stake attack(again, using Buterin's informal definition) and made initial simulations. We haven't included their results in paper as they are seems to be too raw, but I can reveal them here: N@S attack could happens only in short-range, e.g. for within 20 blocks for 10% stake, so with 30 confirmations we haven't observed the successful attack. Also please note the attack has pretty unpredictable nature for attacker, so he can hardly enforce it, even in theory(in practice it's even harder to get it done properly). The correlation with stake size is still the open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin

So just extend the number of confirmations to 30, then short range attack becomes impossible. (6 confirmations on bitcoin is an hour, so a shorter block PoS coin would still take less time than bitcoin confirmation)

[inBitweTrust]

I'm incredulous about it being easy/cheap to get 10% of a stake of a well functioning coin. If you can get 10% of a stake without buying and want to profit from it, the easiest way is not to give back the 10%, and sell the coins on the market.

If you have the resources to get 10% of a PoS coin, often the price to buy enough hashrate to control a PoW coin is much less than 10%. I don't see how the incentives are drastically different. Usually owning a coin gives more incentive to not damage the coin than owning hardware does. For example, say bitcoin falls more, and lots of bitcoin mining rigs get shut off. Someone who doesn't own any bitcoin, and has lots of unprofitable bitcoin miners could just launch an attack at very low cost. Maybe put money on some shorts on bitfinex to offset the cost of electricity while attacking.

Banks and exchanges already have far greater than 10% stake for certain PoS coins right now. I am not discussing a hypothetical. It is also likely that a few Nxt users have over 10% stake.

Source? As I understand it, he is still deciding between a PoS/PoW combo and full PoS.

 https://www.youtube.com/watch?v=qPsCGvXyrP4
More specifically, Ethereum will be a hashimoto dagger IO bound PoW consensus mechanism.
The latest under review is here under PoC7:

https://github.com/ethereum/cpp-ethereum/wiki
http://gavwood.com/Paper.pdf

He may use both however:
https://blog.ethereum.org/2015/01/10/light-clients-proof-stake/

Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW.

So just extend the number of confirmations to 30, then short range attack becomes impossible. (6 confirmations on bitcoin is an hour, so a shorter block PoS coin would still take less time than bitcoin confirmation)

20 Blocks , not confirmations. The attack would have still occurred whether you wait for more confirmations or not. waiting for 30 confirmations simply means that you could avoid participating in an illegitimate transaction, but the attack still occurred.  20 blocks is merely the window the attack needs to occur in for NxT, once the attack occurs the network will need to perform a hardfork, or rollback the blockchain to recover which has its own set of problems.

--------------------------------------------------------------------------------


TaPoS can be used with PoW to improve the security of Bitcoin like one example I provided:

Sidechain or not. No need for burning bitcoins, as someone could simply create a TaPoS blockchain that mirrored and synced the distribution of BTC and than have a wallet acknowledge both blockchains but have the TaPoS layer hidden where only BTC is used and the TaPoS layer acts to add another form of security that could have 1-30 second confirmation times in addition to PoW 10 min confirmation times.

I.E... pay for a cup of Coffee the confirmations start rolling in this way:
TaPoS 1 second confirmation, TaPoS 3 second confirmation, TaPoS 5 second confirmation, TaPoS 10 second confirmation, TaPoS 30 second confirmation, TaPoS 1 min confirmation, TaPoS 3min confirmation, TaPoS 5 min confirmation,TaPoS 7min confirmation, PoW Bitcoin 1st confirmation ~10min, TaPoS 13min confirmation, ect...

This would allow you to have instant confirmations and better security because now you are trusting full nodes and miners and you could detect a PoW 51% attack if the TaPoS confirmations weren't confirming while the PoW confirmations were.

You wouldn't even need a softfork or hardfork to accomplish this, just a TapoS blockchain and a wallet that acknowledged it.

[ab8989]

I'm incredulous about it being easy/cheap to get 10% of a stake of a well functioning coin. If you can get 10% of a stake without buying and want to profit from it, the easiest way is not to give back the 10%, and sell the coins on the market.

These things are not mutually exclusive. The selling that you brought up to discussion could be one part of the plan. Actually I think the selling of the coins is going to be prominent part of most of the attacks. Let me remind that selling of a big stash usually does not happen instantenously when talking about a large stash like 10%. There is quite typically first a contract signed that there is going to be a sale and some time after that the coins actually change owners.

The period between signing the contract of the sale and the actual transfer of the coins is a perfect place to attack the coin where the seller has nothing to lose and in many cases quite a lot of to win by doing so. And there are situations where the timegap between those events is naturally quite long like months. A well functioning monetary system allows all kinds of transactions including ones where somebody can buy a big stash of coins in such a way for example in a situation where a whole bank/exchange business is up for a sale.

In PoS economy it is very risky to buy a big bank or exchange business from its previous owner. Think about a situation where the owner of a bank/exchange with big stash of customer coins in their possession has decided that he is more a risktaker entrepenour type of person instead of a person that runs an established mature boring business and he wants to cash out and start over from scratch and take new risks on some other competing emerging new kind of coin. Quite natural event that I guarantee is going to happen thousands of times.

[valarmg]

20 Blocks , not confirmations. The attack would have still occurred whether you wait for more confirmations or not. waiting for 30 confirmations simply means that you could avoid participating in an illegitimate transaction, but the attack still occurred.  20 blocks is merely the window the attack needs to occur in for NxT, once the attack occurs the network will need to perform a hardfork, or rollback the blockchain to recover which has its own set of problems.

Can you explain this, please. An attack happens, someone generates an incorrect chain of 20 blocks. Now, everyone waits for 30 confirmations, so they then see that the fork is invalid and no one accepts an transactions. Why is a rollback or hardfork required? 

From this: https://blog.ethereum.org/2015/01/10/light-clients-proof-stake/

"Hence, it may make sense for a proof of stake algorithm to still require a small amount of proof of work on each block, ensuring that an attacker must spend some computational effort in order to even slightly inconvenience light clients."

I believe Nxt requires a single SHA256 hash for each block. So it already has an element of PoW as suggested there.

Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW.

I know the initial intention of ethereum was to be mainly PoW, but with every blog post, Vitalik seems to embrace PoS more, so I'll be interested to see what the final version comes out with. With his last few posts, he seems to find very few problems with PoS (he learned to love weak subjectivity). I guess some others in ethereum might have different views to Buterin.

So I take the fact that Buterin, and now kushti/andruiman have taken a thorough look at PoS and they are seeing problems, sure, but also seeing solutions to those. If there is no fundamental reasons why PoW is better than PoS, then PoS will win out due to lower cost (imho). So I'm hoping that investigations into PoS continue, and that better solutions emerge, whether it be a stronger PoS algo, a PoS/PoW combo or a TaPoS addition.

[valarmg]

I'm incredulous about it being easy/cheap to get 10% of a stake of a well functioning coin. If you can get 10% of a stake without buying and want to profit from it, the easiest way is not to give back the 10%, and sell the coins on the market.

In PoS economy it is very risky to buy a big bank or exchange business from its previous owner. Think about a situation where the owner of a bank/exchange with big stash of customer coins in their possession has decided that he is more a risktaker entrepenour type of person instead of a person that runs an established mature business and he wants to cash out and start over from scratch and take new risks on some other competing emerging new kind of coin. Quite natural event that I guarantee is going to happen thousands of times.

You understand that long range attacks have proven impossible in simulations. So if a bank buys a large chunk of coins and waits the required number of confirmations, then the previous owner cannot launch any attacks. Or am I misunderstanding your premise?

[ab8989]

I am talking about a situation where first a contract is signed where the whole bank is being sold including the stash of coins in their possession. A month later the actual change of ownership of the whole bank happens when new owner gets his personnel to take over. During that month the previous owner still has complete control of the bank but he has nothing to lose if the coins in the banks possession collapse in value. He still can transfer the 100 million coins to the new owner of the bank a month later like it says on the contract and he could not care less whether the coins have value or not.

Note that there does not have to be an actual attack. All that is needed is market to know that a big bank is changing ownership and the whole market knows that the stability of the whole economy is hanging by a thread during this month. Maybe somebody else sees this as an perfect opportunity to perform an actual attack and they also do not need to be nothing else than big nasty rumours that cause panic.

[inBitweTrust]

Can you explain this, please. An attack happens, someone generates an incorrect chain of 20 blocks. Now, everyone waits for 30 confirmations, so they then see that the fork is invalid and no one accepts an transactions. Why is a rollback or hardfork required?  

The consensus algo is what accepts the fork and this is where the weak subjectivity of the users and or developers would need to step in and correct the invalid fork. This has its own set of problems.

I believe Nxt requires a single SHA256 hash for each block. So it already has an element of PoW as suggested there.

This has nothing to do with PoW consensus mechanisms. Next you are going to insinuate hashing itself is "work" thus one should consider all PoS to incorporate the PoW consensus mechanism.

If there is no fundamental reasons why PoW is better than PoS, then PoS will win out due to lower cost (imho).

Yet despite Bitcoin being in a death spiral of capitulation both Bitshares and Nxt have lost far more against bitcoin in the last year. Perhaps there are other factors that are far more prescient than the mining costs to secure the network?

You understand that long range attacks have proven impossible in simulations. So if a bank buys a large chunk of coins and waits the required number of confirmations, then the previous owner cannot launch any attacks. Or am I misunderstanding your premise?

There are many different variants of PoS, and some of them are indeed susceptible to long range attacks. Stop generalizing.

[ThomasVeil]

I highlighted the key word for you.
Yes, if you're simply already owning a stake of a size that never existed in NXT - and you additionally simply scam yourself into 41% more - and then simply buy 100% of all that value in shorts, and then simply gain another 30% so you cover your costs. Then you can attack.
Why did no one think of that before?

10% is needed for an attack. Re-read the research paper sir. None of that 10% needs to be owned either as we have discussed.

Which paper? The papers say there is no viable 10% attack.
There also is no 10% whale or exchange in NXT - you crossing it out doesn't make a fact disappear, you know.

We are discussing a specific scenario where attacking PoS is far less risky than a similar attack with PoW.

Not sure what you mean with "we".
We know that PoW would be easier to attack if you magically get a 10% stake - since that would likely buy you 51% of all mining.

Clearly you didn't because you still don't even know what the term "nothing" means.

You also understand that in physics "nothing" does not have the same connotation as within philosophy?

Physics? Really? I hope you're just kidding.

Vitalik is going with PoW for ethereum despite all his research into TaPoS and weak subjectivity. Why?

You're lying, or again proving that you're not even reading the links you provide.
And since you're wrong: You should answer the "why" question yourself.

https://blog.ethereum.org/2015/01/10/light-clients-proof-stake/

Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW.

A small proof of work component is exactly what NXT (and Blackcoin... and others) do.
Again, it would help if you read what you link - would waste less of everyone's time.

[inBitweTrust]

Which paper? The papers say there is no viable 10% attack.
There also is no 10% whale or exchange in NXT - you crossing it out doesn't make a fact disappear, you know.

https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf

A previous block explorer, now taken down in favor of one with less granularity, showed that between 4-14 members controlled over 51% of the Nxt stake.

Not sure what you mean with "we".
We know that PoW would be easier to attack if you magically get a 10% stake - since that would likely buy you 51% of all mining.

Incorrect as you assume that markets aren't dynamic, ignoring the costs of electricity, ignoring the alarms raised from amassing such large amounts of asics , ignoring the cost of setting up and maintaining the equipment and doing so in secrecy, ect...

A small proof of work component is exactly what NXT does.
Again, it would help if you read what you link - would waste less of everyone's time.

This has nothing to do with PoW consensus mechanisms. Next you are going to insinuate hashing itself is "work" thus one should consider all PoS to incorporate the PoW consensus mechanism. If we must use your twisted definition of PoW than the point still stands: Why does Vitalik insist upon a much more inefficient version of PoW with a hashimoto dagger IO bound PoW consensus mechanism?

[achimsmile]

I think what ThomasVeil was hinting at is that the amount of work required to forge on all possible chains grows exponentially over time.

[inBitweTrust]

I think what ThomasVeil was hinting at is that the amount of work required to forge on all possible chains grows exponentially over time.

Research Paper correcting/revising the one I cited?

[achimsmile]

yes

[inBitweTrust]

yes

Link so I can review?

[valarmg]

I am talking about a situation where first a contract is signed where the whole bank is being sold including the stash of coins in their possession. A month later the actual change of ownership of the whole bank happens when new owner gets his personnel to take over. During that month the previous owner still has complete control of the bank but he has nothing to lose if the coins in the banks possession collapse in value. He still can transfer the 100 million coins to the new owner of the bank a month later like it says on the contract and he could not care less whether the coins have value or not.

Note that there does not have to be an actual attack. All that is needed is market to know that a big bank is changing ownership and the whole market knows that the stability of the whole economy is hanging by a thread during this month. Maybe somebody else sees this as an perfect opportunity to perform an actual attack and they also do not need to be nothing else than big nasty rumours that cause panic.

Ok, you are referring to a bank that has 10%+ of coins. This should not happen much/at all in a flourishing PoS economy. However, if this is happening, and the market knows the possible problems, the buyer can yet put specifications on his sale such as seller destroying the assets prior to the sale can invalidate the sale.

[kushti]

Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty

please elaborate on the details of the bounty
writing a white-paper quality explanation is a time consuming task

No WP quality needed, just step-by-step instructions. And why should I trust you made successful attack on Apexcoin? Please provide proof of that then we can start talk about the details

[valarmg]

If there is no fundamental reasons why PoW is better than PoS, then PoS will win out due to lower cost (imho).

Yet despite Bitcoin being in a death spiral of capitulation both Bitshares and Nxt have lost far more against bitcoin in the last year. Perhaps there are other factors that are far more prescient than the mining costs to secure the network?

I wouldn't say far more. There are more forces at work than mining cost, certainly. Bitcoin is the big daddy of crypto and in a world of it's own in terms of price and network effect. But if you compare PoS coins versus non-bitcoin PoW coins over the last year, I'd expect PoS coins to come up on top.

You understand that long range attacks have proven impossible in simulations. So if a bank buys a large chunk of coins and waits the required number of confirmations, then the previous owner cannot launch any attacks. Or am I misunderstanding your premise?

There are many different variants of PoS, and some of them are indeed susceptible to long range attacks. Stop generalizing.

Well, I agree that some PoS algorithms are most likely much worse than PoW. I'm more interested in the potential of PoS, how secure it could be if best practices are followed. PoS is still growing up, Bitcoin is much further ahead in terms of protocol security.

(Edited to remove something I was wrong about.)

[ThomasVeil]

Which paper? The papers say there is no viable 10% attack.
There also is no 10% whale or exchange in NXT - you crossing it out doesn't make a fact disappear, you know.

https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf

Dude, you're killing me. Reposting the link doesn't help if it doesn't contain what you're claiming.

A previous block explorer, now taken down in favor of one with less granularity, showed that between 4-14 members controlled over 51% of the stake.

Learn basic math. 
Some common sense would also help: That block explorer probably showed the forging stake, not the coin ownership.

We know that PoW would be easier to attack if you magically get a 10% stake - since that would likely buy you 51% of all mining.

Incorrect as you assume that markets aren't dynamic, ignoring the costs of electricity, ignoring the alarms raised from amassing such large amounts of asics , ignoring the cost of setting up and maintaining the equipment and doing so in secrecy, ect...

Buying one or two forging pools and one mining facility should totally do the job. I don't see how I miss costs there... those likely run profitable or close to.
Note how for a state actor all this would be in fact easy, undetectable - and basically free.

A small proof of work component is exactly what NXT does.
Again, it would help if you read what you link - would waste less of everyone's time.

This has nothing to do with PoW consensus mechanisms. Next you are going to insinuate hashing itself is "work" thus one should consider all PoS to incorporate the PoW consensus mechanism.

I don't "insinuate" - it's a straight up fact: hashing is work. It has a difficulty  - used as protection mechanism. You can't provide blocks for free.

If we must use your twisted definition of PoW than the point still stands: Why does Vitalik insist upon a much more inefficient version of PoW with a hashimoto dagger IO bound PoW consensus mechanism?

The paper you linked doesn't say that. In the blog links you posted he doesn't say that. You're chasing me in circles with your fake references. I'll end responding.
In fact most your links say: he leans towards POS (which checkpoints of several months of age), which you don't want to explain. You're not living up to your own standards.

[inBitweTrust]

But if you compare PoS coins versus non-bitcoin PoW coins over the last year, I'd expect PoS coins to come up on top.

If you are speaking about the past years this simply isn't factual. PoS coins have almost all proven to be ICO scams or pump and dump opportunities.

Well, I agree that some PoS algorithms are most likely much worse than PoW. I'm more interested in the potential of PoS, how secure it could be if best practices are followed. PoS is still growing up, Bitcoin is much further ahead in terms of protocol security.

I agree and would like a TaPoS layer or sidechain added to bitcoin as an option for added security.