Poll - Should Proof of Stake be implemented in Litecoin?

[tgsrge]

as far as i understand it this puts too much power into the hands of the people who own the most ltcs.

for example lets say there is a 51% attack, conflicting blocks and the biggest coin holders sign the blocks of the attacker anyway.

what then?


and before you ask stuff like "but if they hold the most amount of coins, why would they want to destroy their investment?"
idk, maybe they are even more heavily invested into bitcoins and another cryptocurrency being succesful is not in their interests?maybe the attacker convinced them it was for the best ?maybe they got their investment "refunded" by the attacker in bitcoins?there are countless other possibilities as well. humans are complex machines.


also again the biggest pool is being ddosed (so this show people with bots (which i might add atleast iirc are or were the biggest bitcoin holders) are clearly willing to go to any lengths to attack the network.) what happens if when the person releases his 51%ed chain into the network he ddoses the biggest stake holders?wouldnt this make the entire POS thing useless?

as for you checkpointing i am fine with that because you are the developer.

if i said anything too wrong you are free to correct me.

[1714801939]

1714801939

[1714801939]

1714801939

[1714801939]

1714801939

[coblee]

as far as i understand it this puts too much power into the hands of the people who own the most ltcs.

for example lets say there is a 51% attack, conflicting blocks and the biggest coin holders sign the blocks of the attacker anyway.

what then?


and before you ask stuff like "but if they hold the most amount of coins, why would they want to destroy their investment?"
idk, maybe they are even more heavily invested into bitcoins and another cryptocurrency being succesful is not in their interests?maybe the attacker convinced them it was for the best ?maybe they got their investment "refunded" by the attacker in bitcoins?there are countless other possibilities as well. humans are complex machines.


also again the biggest pool is being ddosed (so this show people with bots (which i might add atleast iirc are or were the biggest bitcoin holders) are clearly willing to go to any lengths to attack the network.) what happens if when the person releases his 51%ed chain into the network he ddoses the biggest stake holders?wouldnt this make the entire POS thing useless?

as for you checkpointing i am fine with that because you are the developer.

if i said anything too wrong you are free to correct me.

Your arguments are using too many what ifs. The point is that proof of stake makes a 51% attack cost more financially to the attacker. You argument is like an argument against proof of work: what if the attacker can convince everyone else to stop mining while he performs that attack? The point is that the incentives aren't there. Could the attacker convince one large stake holder to sign his block? Sure. But the chances that he can convince a majority of stake holders to sign his block is slim to none. And the chance that the majority of stake holders are heavily invested in Bitcoin and would be willing to see their Litecoin investment go to 0 just to see it die is slim to none. As Litecoins grow in value, this will cost even more. Also realize that exchanges have a lot of incentives to prevent a 51% attack and they will have a lot of litecoins. So they will likely sign all the signature blocks on the chain that their withdrawal/deposits are on.

How would someone DDoS the biggest stake holders? You wouldn't know which IPs they are at. Even if if you do, there would be hundreds or thousands of IPs that make up the largest stake holders. Are you going to DDoS all of them?

[tgsrge]

i have made my point. i do not consider the trade off to be worth it, or to be one i am willing to make.

specially when the 51% is still possible (just harder) lets say there is another 51% "attack" threat, do we just keep centralizing the litecoin more and more until we end up with something that doesnt even look remotely like a cryptocurrency is supposed to be?

others have said this as well as me, but cryptocurrencies are succeptible to 51% "attacks", period. if you do not like being succeptible to 51% "attacks" do not deal with cryptocurrencies, or dump in as much hasing power as you can yourself to protect your investment. there is no easy way out.

(even though i would like a magical solution to the problem that doesnt actually change what cryptocurrencies are, there is no such magical solution thus far propossed and i doubt there will be one.)

the same thing has been propposed for bitcoins and it failed to get ANY serious support at all. this speaks for itself.

[iddo]

as far as i understand it this puts too much power into the hands of the people who own the most ltcs.

for example lets say there is a 51% attack, conflicting blocks and the biggest coin holders sign the blocks of the attacker anyway.

what then?

I've tried to explain specifically why this comment of yours isn't meaningful, both in the previous thread and in my first reply in this thread.
I think that there's some barrier in the way that people who are familiar with the Bitcoin protocol think about this proof-of-stake idea, which causes some confusion.

Again: an attacker with 51% hashpower who releases his forked branch and get it signed by the high coin holders didn't actually attack anything, because his forked branch is just as legitimate as the competing branch of all the other distributed hashpower. The attacker has to start his forked branch after the last signed checkpoint block, and everyone who wishes to protect himself from double-spending can simply wait until the next special checkpoint block in order to be sure that the relevant transactions until this next checkpoint block cannot be reversed. Therefore, the attacker cannot double-spend, the worst that the attacker can do is not including other transactions in his forked branch, but he gains nothing (if he participated normally along with the other miners then he'd both earn more and have less risk that his hashpower goes to waste).

[tgsrge]

not including other transactions in his forked branch is still a VERY VERY BAD thing to happen.

edit
ok you want a reason for the big stake holders to sign the blocks of the attacker/cooperate with the attacker/attack? fine, i will give it to you.

so the signing is not reversible. this is fine.
you do  the "attack", get the big stake holders to sign it through whatever means. you then list litecoins for sale in an exchange. the attacker does not include these transactions in his forked branch at all.
when the next checkpoint is reached, whoever bought/exchanged these litecoins will then be left with IMAGINARY LITECOINS, but a real money/btc loss.

this provides a clear incentive for the big stake holders and the attacker to collaborate, and provides a good example as to why centralization (whether or not you want to call it something else is another matter) grows to serve its own interests rather than the interests of the network.

[coblee]

not including other transactions in his forked branch is still a VERY VERY BAD thing to happen.

edit
ok you want a reason for the big stake holders to sign the blocks of the attacker/cooperate with the attacker/attack? fine, i will give it to you.

so the signing is not reversible. this is fine.
you do  the "attack", get the big stake holders to sign it through whatever means. you then list litecoins for sale in an exchange. the attacker does not include these transactions in his forked branch at all.
when the next checkpoint is reached, whoever bought/exchanged these litecoins will then be left with IMAGINARY LITECOINS, but a real money/btc loss.

this provides a clear incentive for the big stake holders and the attacker to collaborate.

Yes, you just described a 51% attack with a double spend. Trust in Litecoin then quickly disappears and price of Litecoin goes to 0. All the stake holders just lost a lot of money. Tell me why any one of the big stake holders would want to do that, let alone most of them doing it together at the same time.

[Tittiez]

Are you basing this statement on this poll alone or have you talked to a lot of Litecoin users about this? I think a lot of people are against this because they actually don't understand the proof of stake proposal.  People think that with proof of stake, it means we give the control back to the wealthy and it's no different than what we currently have with fiat currencies. This is not true. (At least with Meni's implentation) Please read the wiki page: https://en.bitcoin.it/wiki/Proof_of_Stake

With the proof of stake proposal, blocks are found the same way as they are currently with hashrate. And every 100 block, there will be a signature block. People who have a lot at stake (a lot of coins) sign signature blocks. They want to do that so that they protect their investment. If there are more than one block for that signature block, then block with the most signatures weighted by coins wins. Think of it in terms of checkpointing. Right now, one person (me) decides which blocks are checkpointed. With proof of stake, people how have a lot at stake gets to checkpoint signature blocks. So they can't control which transactions are included when. Miners still control that. All that the stake holders can do is that if there are more than one fork (if there's an attacker trying to 51% the chain), they can sign the signature blocks to help make sure that the fork with no malicious attack is the "true" chain.

That helps me understand this concept a lot more. I personally like the idea, it would be no different then you releasing your own checkpoint and having the network agree to that, except this way is much more decentralized because the largest parts of the network still has to agree to it. I think?

[tgsrge]

Yes, you just described a 51% attack with a double spend. Trust in Litecoin then quickly disappears and price of Litecoin goes to 0. All the stake holders just lost a lot of money. Tell me why any one of the big stake holders would want to do that, let alone most of them doing it together at the same time.

this is just one example i could come up with in less than 5 minutes as to why the biggest stake holders could be incentivized to collaborate with the attacker or even BE the attacker.

the reason is clear:
financial benefit from selling imaginary litecoins that will no longer exist when they sign the next checkpoint.

also, trust in litecoins wouldnt be ruined because of it (the attack) unless they did it to a really big number of people (or with a really big number of litecoins), just as a single bank being robbed doesnt create a bank run.

[coblee]

Are you basing this statement on this poll alone or have you talked to a lot of Litecoin users about this? I think a lot of people are against this because they actually don't understand the proof of stake proposal.  People think that with proof of stake, it means we give the control back to the wealthy and it's no different than what we currently have with fiat currencies. This is not true. (At least with Meni's implentation) Please read the wiki page: https://en.bitcoin.it/wiki/Proof_of_Stake

With the proof of stake proposal, blocks are found the same way as they are currently with hashrate. And every 100 block, there will be a signature block. People who have a lot at stake (a lot of coins) sign signature blocks. They want to do that so that they protect their investment. If there are more than one block for that signature block, then block with the most signatures weighted by coins wins. Think of it in terms of checkpointing. Right now, one person (me) decides which blocks are checkpointed. With proof of stake, people how have a lot at stake gets to checkpoint signature blocks. So they can't control which transactions are included when. Miners still control that. All that the stake holders can do is that if there are more than one fork (if there's an attacker trying to 51% the chain), they can sign the signature blocks to help make sure that the fork with no malicious attack is the "true" chain.

That helps me understand this concept a lot more. I personally like the idea, it would be no different then you releasing your own checkpoint and having the network agree to that, except this way is much more decentralized because the largest parts of the network still has to agree to it. I think?

Yes, it's decentralized. Basically the concept is that every 100 blocks, there will be a signature block, which is like the checkpoint blocks. And the stake holders (people who own litecoins) decide to sign the block or not. If there is a competing signature block, then the block signed by the most coins wins out and is accepted as part of the real chain. And if so happens that more stake holders sign an attacker's signature block, then that chain will win out. But if you think about it... if the majority stake holders agree that the attacking chain is the "right" chain, so it makes sense for it to be accepted as the "right" chain. So it's equivalent to if BCX came out last week and released a new version of the Litecoin binaries with his/her chain checkpointed AND the majority of Litecoin users decided to run his binary instead of the binary I released. Then BCX's chain is the "right" chain and I'm the "attacker". But with proof of stake, instead of one client getting one vote, it's just one coin gets one vote.

[coblee]

Yes, you just described a 51% attack with a double spend. Trust in Litecoin then quickly disappears and price of Litecoin goes to 0. All the stake holders just lost a lot of money. Tell me why any one of the big stake holders would want to do that, let alone most of them doing it together at the same time.

this is just one example i could come up with in less than 5 minutes as to why the biggest stake holders could be incentivized to collaborate with the attacker or even BE the attacker.

the reason is clear:
financial benefit from selling imaginary litecoins that will no longer exist when they sign the next checkpoint.

also, trust in litecoins wouldnt be ruined because of it (the attack) unless they did it to a really big number of people (or with a really big number of litecoins), just as a single bank being robbed doesnt create a bank run.

Did you not see that a single threat of a 51% attack caused massive panic and for the price to be almost halved. If a real attack happened, it's not going to be pretty. If you had 1,000,000 litecoins, would you attack the network to steal 10,000 coins and risk it?

Also, your criticism applies to the current proof of work. Currently if you have 51% of the network, you can perform this double spend attack. With proof of stake, you need both 51% of hashrate and 51% of stake. So how is it worse than Today?

[tgsrge]

Did you not see that a single threat of a 51% attack caused massive panic and for the price to be almost halved. If a real attack happened, it's not going to be pretty. If you had 1,000,000 litecoins, would you attack the network to steal 10,000 coins and risk it?

Also, your criticism applies to the current proof of work. Currently if you have 51% of the network, you can perform this double spend attack. With proof of stake, you need both 51% of hashrate and 51% of stake. So how is it worse than Today?

it is worse because holding the biggest amount of coins is not supposed to be a way the network determines whether or not something is valid in a cryptocurrency, and because you are giving different nodes different weights (AKA SUPERNODES) whether or not you want to admit it, too.

supernodes are BAD BAD BAD, normal currencies already have super nodes (the government, banks) and this would work the same way.


cryptocurrencies are not supposed to be assigning different weights to different nodes.

[Etlase2]

What is "at the exact same time"? Bitcoin is, in fact, a timestamping service, so it's important to be specific about this.

If a 500 LTC block is released at time X, and 10-60 seconds afterwards a competing block with 700 LTC is released, that claims it was actually released at the same time. Does the 700 LTC block win? But miners have already started to work on the continuation to the 500 LTC block...

The exact same time is whatever the block acceptance rules says it is. I didn't go that far into processing this idea because I'm not using it, but the greater the days destroyed in the block that came second, the longer it has to replace, with a maximum amount of time (and blocks) before notifying the user that there is a competitor but not replacing the block.

It actually won't be fork free, but it will be impossible to fool honest users connected to the network. New users could be temporarily fooled, but once the days destroyed ran out, the real chain would eventually get a greater weight of LTC days destroyed and win out.

Sounds interesting. I can see how this makes it hard to do a sustained 51% attack. But it's still not hard to do a one time 51% attack. Let's say the attacker just needs to do 51% for about 10 blocks in order to do a double spend at the exchange. He just needs destroy enough coins to match the network for those 10 blocks.

Proof of stake does nothing to fix this either. Both solutions prevent the network from being destroyed, one solution is much simpler and compatible with existing clients.

[iddo]

edit
ok you want a reason for the big stake holders to sign the blocks of the attacker/cooperate with the attacker/attack? fine, i will give it to you.

so the signing is not reversible. this is fine.
you do  the "attack", get the big stake holders to sign it through whatever means. you then list litecoins for sale in an exchange. the attacker does not include these transactions in his forked branch at all.
when the next checkpoint is reached, whoever bought/exchanged these litecoins will then be left with IMAGINARY LITECOINS, but a real money/btc loss.

Either I've failed to understand you, or you've failed to understand me.
To "list litecoins for sale in an exchange", you have to deposit them by doing a litecoin transfer on the blockchain, so if the exchange waited for the signed checkpoint block then we agree that the deposit isn't reversible. Now you trade on the exchange and the ownership of those litecoin changes hands to someone else, who wishes to withdraw these litecoins so he tells the exchange to initiate a litecoin transfer on the blockchain to his personal litecoin address (assume again that the exchange waits until the next signed checkpoint to verify that the withdrawal transaction really took place, otherwise if the exchange sees that the withdrawal transaction was reversed so that the litecoins are back under the control of the exchange then it considers it a failed withdrawal attempt and restores the litecoins to the person's account on the exchange). If the attacker prepared a forked branch while this is going on, and didn't include this withdrawal transaction in his forked branch, then he denied the withdrawal attempt, but nobody is left with "imaginary litecoins", it's again simply an attack that denies transactions.
You should note that an attacker who just denies transaction does it at a financial loss to himself while he competes with the distributed hashpower, so such attacks cannot be sustained for long. There's no financial incentive to do such an attack, it's purely malicious, so these kinds of attacks are less likely.

[tgsrge]

Either I've failed to understand you, or you've failed to understand me.
To "list litecoins for sale in an exchange", you have to deposit them by doing a litecoin transfer on the blockchain, so if the exchange waited for the signed checkpoint block then we agree that the deposit isn't reversible. Now you trade on the exchange and the ownership of those litecoin changes hands to someone else, who wishes to withdraw these litecoins so he tells the exchange to initiate a litecoin transfer on the blockchain to his personal litecoin address (assume again that the exchange waits until the next signed checkpoint to verify that the withdrawal transaction really took place, otherwise if the exchange sees that the withdrawal transaction was reversed so that the litecoins are back under the control of the exchange then it considers it a failed withdrawal attempt and restores the litecoins to the person's account on the exchange). If the attacker prepared a forked branch while this is going on, and didn't include this withdrawal transaction in his forked branch, then he denied the withdrawal attempt, but nobody is left with "imaginary litecoins", it's again simply an attack that denies transactions.
You should note that an attacker who just denies transaction does it at a financial loss to himself while he competes with the distributed hashpower, so such attacks cannot be sustained for long. There's no financial incentive to do such an attack, it's purely malicious, so these kinds of attacks are less likely.

you assume exchanges are trustworthy. your assumption does not work with malicious exchanges.

this takes scamming/malicious exchanges to the next level.

[coblee]

Either I've failed to understand you, or you've failed to understand me.
To "list litecoins for sale in an exchange", you have to deposit them by doing a litecoin transfer on the blockchain, so if the exchange waited for the signed checkpoint block then we agree that the deposit isn't reversible. Now you trade on the exchange and the ownership of those litecoin changes hands to someone else, who wishes to withdraw these litecoins so he tells the exchange to initiate a litecoin transfer on the blockchain to his personal litecoin address (assume again that the exchange waits until the next signed checkpoint to verify that the withdrawal transaction really took place, otherwise if the exchange sees that the withdrawal transaction was reversed so that the litecoins are back under the control of the exchange then it considers it a failed withdrawal attempt and restores the litecoins to the person's account on the exchange). If the attacker prepared a forked branch while this is going on, and didn't include this withdrawal transaction in his forked branch, then he denied the withdrawal attempt, but nobody is left with "imaginary litecoins", it's again simply an attack that denies transactions.
You should note that an attacker who just denies transaction does it at a financial loss to himself while he competes with the distributed hashpower, so such attacks cannot be sustained for long. There's no financial incentive to do such an attack, it's purely malicious, so these kinds of attacks are less likely.

you assume exchanges are trustworthy. your assumption does not work with malicious exchanges.

I don't think this discussion is going anywhere. You are really throwing out too many what ifs. If the exchanges are malicious, then they can steal your coins outright without anymore having to perform a 51% attack. So the point is moot.

[tgsrge]

I don't think this discussion is going anywhere. You are really throwing out too many what ifs. If the exchanges are malicious, then they can steal your coins outright without anymore having to perform a 51% attack. So the point is moot.

i am "throwing out" too many what ifs just as you "throw out" too many assumptions to support yourself as to why this is a good thing for litecoins.


also are we REALLY going to make ANOTHER trade off in order to make this work?even MORE time to confirm transactions? really?...


bitcoin = 1 block every ten minutes so for bitcoins this would take almost (1000 minutes) 17 HOURS for every transaction to be "safe" against this.
so if litecoin takes half as much time to generate the same amount of blocks, we would need (500 minutes) 8.5 HOURS for transactions to be "safe". is this really practical ? you tell me.

[coblee]

I don't think this discussion is going anywhere. You are really throwing out too many what ifs. If the exchanges are malicious, then they can steal your coins outright without anymore having to perform a 51% attack. So the point is moot.

i am "throwing out" too many what ifs just as you "throw out" too many assumptions to support yourself as to why this is a good thing for litecoins.


also are we REALLY going to make ANOTHER trade off in order to make this work?even MORE time to confirm transactions? really?...


bitcoin = 1 block every ten minutes so for bitcoins this would take almost (1000 minutes) 17 HOURS for every transaction to be "safe" against this.
so if litecoin takes half as much time to generate the same amount of blocks, we would need (500 minutes) 8.5 HOURS for transactions to be "safe". is this really practical ? you tell me.

Litecoin blocks are 2.5 mins. So 100 blocks is about 4 hours. But you don't have to wait for a signature block for every transaction. You can choose to wait for large transactions similar to how most people don't wait for 6 confirmations.

In the end, this is just an idea that we are discussing. Nothing is set in stone. Even the 100 blocks was just something thrown out there. We could do signature blocks every 6 blocks, but we have to find a tradeoff between bloating the blockchain and the security provided by the signature blocks.

[ripper234]

+1 for coblee in this discussion, you did a really good job of explaining the idea, despite resistance.

Here is a bounty for someone to make a Proof of Stake altcoin.

[passerby]

I don't think spawning a yet-another-coin-now-with-PoS is a good idea.

Having said that, I support the general concept of PoS (assuming "decent" implementation) and I do think that litecoin should implement it. Litecoin is way overdue for some innovation...

[Tittiez]

I don't think spawning a yet-another-coin-now-with-PoS is a good idea.

Having said that, I support the general concept of PoS (assuming "decent" implementation) and I do think that litecoin should implement it. Litecoin is way overdue for some innovation...

+1