Bitcoin Forum
Poll
Question: Should Proof of Stake be implemented in Litecoin?
Yes, ASAP - 29 (27.6%)
No, Never - 31 (29.5%)
Maybe someday - 16 (15.2%)
Just implement PoS as a separate blockchain - 11 (10.5%)
PoS is not a good idea - 18 (17.1%)
Total Voters: 85

Topic: Poll - Should Proof of Stake be implemented in Litecoin?
ripper234 (OP)
July 31, 2012, 07:01:44 AM
 #41

The reason for this coin & bounty is because at least a proof-of-concept coin needs to be implemented before it's integrated into Bitcoin/Litecoin. This needs to be designed & developed.

The bounty is to "pay" for this work. The coin doesn't necessarily need to be an investment vehicle, just a playground. The goal is to test this coin for a bit, and then integrate the ideas/code from it into other chains.

Please do not pm me, use ron@bitcoin.org.il instead
Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
Etlase2
July 31, 2012, 08:05:18 AM
 #42

I am going to point out some of the clear differences and advantages I see in using a days destroyed weighted block chain over proof of stake. I am going to go by some of the things I see written in the wiki as reference to PoS.

Proof of stake problems:

* Monopoly is still possible under proof-of-stake. ... [A] proof-of-stake monopolist is more likely to behave benevolently exactly because of his stake in Bitcoin.
The idea can already be written off as a joke.
* stakeholders (people who have bitcoins) are expected to sign it by using a private key associated with their address which contains coins to sign the block hash.
So everybody who owns a bitcoin is supposed to sign? Are there any minimums on this? This is just left wide open. How many thousands of extra transactions and signature verifications will this take? This may be an extreme imposition on the entire network.
* The signatures are broadcast on the network and included in a future block.
Or not. A miner has no incentive to put signatures in a block. Verifying them is work, they add lots of data to the miner's payload, and if the signatures are signing a block-chain different from the one he's working on, he will simply drop them. This is a problem because nodes may never see these signatures.
* Cementing is a node's reluctance to do a blockchain reorganization. A node will reject any new block found if it contradicts a 6-block deep branch it is already aware of and currently considers valid. That is, once a node receives 6 confirmations for a block, it will not accept a competing block even if it is part of a longer branch.
This does not require any form of proof of stake and can be implemented on its own. It is inherent in the design of a proper algorithm for a days destroyed weighted block-chain.
* In a pure PoW system this is problematic to do because a node could be stuck on "the wrong version" - if an attacker isolates the node and feeds him bogus data, it will not embrace the true, longer chain when he learns of it. However, using PoS to have the final say in such situations makes this possible.
PoS only has the final say when? When 51% of all coins in existence have signed one chain or another? This is insanity.
* If an address signs two conflicting blocks, its weight is reset to 0. This is to limit the power of malicious stakeholders.
Where exactly is all of this information going to be stored? How much immense amounts of data will this add to the block-chain? Denials of service attacks will be everywhere.

Days destroyed weighted block-chain advantages:

* Clients have a say in the matter. Every client. Miners are forced to include every transaction possible because if someone else comes along and does them one better, their block may be invalidated. Even if only a single miner is doing the right thing, the clients will be using his chain over a malicious one. So as long as one miner is honest, the honest network wins.
* Clients have the power to choose which block-chain is the correct one, not basing it off of hashing power. This is the ultimate blow to any 51% attack. Want to create a monopoly? Oh well someone else came along and is offering cheaper tx fees, goodbye.
* Absolutely no additional data is added to the block-chain. Nothing to keep track of except mini-forks which may be slightly more likely depending on how the final algorithm works.
* Money is given no more power than it already has. There is a veritable check and balance system between clients, miners, and the wealthy.
* Difficulty CAN GO DOWN without opening the network to attack. This means transaction fees can go down. And stakeholders don't have to be paid to cancel out this effect.


Proof of stake is a waste of time in a bitcoin-like block-chain. Completely.

coblee
Creator of Litecoin. Cryptocurrency enthusiast.
July 31, 2012, 08:14:51 AM
 #43

Quote
I am going to point out some of the clear differences and advantages I see in using a days destroyed weighted block chain over proof of stake. I am going to go by some of the things I see written in the wiki as reference to PoS.

Proof of stake problems:

* Monopoly is still possible under proof-of-stake. ... [A] proof-of-stake monopolist is more likely to behave benevolently exactly because of his stake in Bitcoin.
The idea can already be written off as a joke.
* stakeholders (people who have bitcoins) are expected to sign it by using a private key associated with their address which contains coins to sign the block hash.
So everybody who owns a bitcoin is supposed to sign? Are there any minimums on this? This is just left wide open. How many thousands of extra transactions and signature verifications will this take? This may be an extreme imposition on the entire network.
* The signatures are broadcast on the network and included in a future block.
Or not. A miner has no incentive to put signatures in a block. Verifying them is work, they add lots of data to the miner's payload, and if the signatures are signing a block-chain different from the one he's working on, he will simply drop them. This is a problem because nodes may never see these signatures.
* Cementing is a node's reluctance to do a blockchain reorganization. A node will reject any new block found if it contradicts a 6-block deep branch it is already aware of and currently considers valid. That is, once a node receives 6 confirmations for a block, it will not accept a competing block even if it is part of a longer branch.
This does not require any form of proof of stake and can be implemented on its own. It is inherent in the design of a proper algorithm for a days destroyed weighted block-chain.
* In a pure PoW system this is problematic to do because a node could be stuck on "the wrong version" - if an attacker isolates the node and feeds him bogus data, it will not embrace the true, longer chain when he learns of it. However, using PoS to have the final say in such situations makes this possible.
PoS only has the final say when? When 51% of all coins in existence have signed one chain or another? This is insanity.
* If an address signs two conflicting blocks, its weight is reset to 0. This is to limit the power of malicious stakeholders.
Where exactly is all of this information going to be stored? How much immense amounts of data will this add to the block-chain? Denials of service attacks will be everywhere.

Days destroyed weighted block-chain advantages:

* Clients have a say in the matter. Every client. Miners are forced to include every transaction possible because if someone else comes along and does them one better, their block may be invalidated. Even if only a single miner is doing the right thing, the clients will be using his chain over a malicious one. So as long as one miner is honest, the honest network wins.
* Clients have the power to choose which block-chain is the correct one, not basing it off of hashing power. This is the ultimate blow to any 51% attack. Want to create a monopoly? Oh well someone else came along and is offering cheaper tx fees, goodbye.
* Absolutely no additional data is added to the block-chain. Nothing to keep track of except mini-forks which may be slightly more likely depending on how the final algorithm works.
* Money is given no more power than it already has. There is a veritable check and balance system between clients, miners, and the wealthy.
* Difficulty CAN GO DOWN without opening the network to attack. This means transaction fees can go down. And stakeholders don't have to be paid to cancel out this effect.


Proof of stake is a waste of time in a bitcoin-like block-chain. Completely.

I agree that proof of stake will likely add a lot of bloat to the blockchain and possibly add a lot of strain to the network to propagate all those signatures. Etlase2, I am also thinking about your days destroyed solution. It seems like a good solution, but can you think of how it can help solve the problem of an attacker forking the chain for 10 blocks so that he can do a double spend on the exchange?

Etlase2
July 31, 2012, 08:38:40 AM
Last edit: July 31, 2012, 08:49:05 AM by Etlase2
 #44

Quote
I agree that proof of stake will likely add a lot of bloat to the blockchain and possibly add a lot of strain to the network to propagate all those signatures. Etlase2, I am also thinking about your days destroyed solution. It seems like a good solution, but can you think of how it can help solve the problem of an attacker forking the chain for 10 blocks so that he can do a double spend on the exchange?

This would have to be part of the design algorithm. Something that first needs to be designed, tested, and fine-tuned.

I think a good place to start is for each client to follow the block-chain back a couple thousand blocks or so and see what the typical Litecoin Days Destroyed is for each block, and use that as a base line. If 6 blocks in a row meet or beat the average LDD, the 6th block (in bitcoin terms, perhaps this would be 20 or so in litecoin, but 6 may still be fine, needs testing) in the past could be cemented in stone and can only be replaced if the user agrees to it. If the LDD is say, between 20-40% below normal, it will take perhaps 4x the 6 or 20 blocks before this block will be cemented unless 6 or 20 blocks come after that meet or beat LDD avg. If it's 40-60% below normal, then 8x, and so on.

Something along those lines. An exchange could wait a few extra blocks to be fairly sure that everyone has the block it is interested in cemented.
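
The cementing rule sketched in post #44, as an added Python example that is not part of the original thread and not code from Litecoin or any participant. The post only gives 4x for a 20-40% shortfall and 8x for 40-60%; the 2x step below 20%, the doubling up to a 32x cap, and the use of the mean LDD of the blocks on top of the candidate are assumptions made here.

```python
from statistics import mean

BASE_DEPTH = 6   # "6 blocks in a row" from the post (it floats ~20 for Litecoin)
WINDOW = 2000    # "a couple thousand blocks" of history for the baseline


def coin_days_destroyed(spent_outputs):
    """LDD of one block: sum of amount * days since each spent output last moved."""
    return sum(amount * age_days for amount, age_days in spent_outputs)


def baseline_ldd(ldd_chain, index, window=WINDOW):
    """Average per-block LDD over up to `window` blocks preceding `index`."""
    history = ldd_chain[max(0, index - window):index]
    if not history:
        raise ValueError("no history before this block to form a baseline")
    return mean(history)


def depth_multiplier(ldd, baseline):
    """How many times BASE_DEPTH must pass before cementing at this LDD level.

    From the post: 20-40% below baseline -> 4x, 40-60% below -> 8x.
    Assumed here: 0-20% below -> 2x, doubling per further 20% band, 32x cap.
    """
    if ldd >= baseline:
        return 1
    band = min(int((baseline - ldd) * 5 // baseline), 4)  # 20%-wide bands 0..4
    return 2 ** (band + 1)


def is_cemented(ldd_chain, index):
    """Decide whether block `index` is cemented given per-block LDD values."""
    baseline = baseline_ldd(ldd_chain, index)
    tail = ldd_chain[index:]          # the candidate block and everything on top
    if not tail:
        return False

    # Fast path: BASE_DEPTH consecutive blocks that meet or beat the baseline.
    run = 0
    for ldd in tail:
        run = run + 1 if ldd >= baseline else 0
        if run >= BASE_DEPTH:
            return True

    # Slow path: required depth grows with how far activity is below normal.
    required = BASE_DEPTH * depth_multiplier(mean(tail), baseline)
    return len(tail) >= required


if __name__ == "__main__":
    history = [1000] * WINDOW                  # constructed sample data
    healthy = history + [1000, 1100, 1050, 1000, 1200, 1000]
    sparse = history + [500] * 47              # fork carrying half the usual LDD
    print(is_cemented(healthy, WINDOW))
    print(is_cemented(sparse, WINDOW))
    print(is_cemented(sparse + [500], WINDOW))
```

Under these assumptions a fork carrying half the usual transaction activity needs 48 blocks on the candidate instead of 6 before a client cements it, which is the delay an exchange would have to account for.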

ripper234 (OP)
July 31, 2012, 08:49:14 AM
 #45

Please don't hijack this thread for designing other, alternative improvements.

Can you create another dedicated thread?

Etlase2
July 31, 2012, 09:05:17 AM
 #46

Proof of stake was designed without any real thought behind it. It won't work on any reasonable scale.

passerby
July 31, 2012, 09:26:06 AM
 #47

Wouldn't Coin-Day-Destroyed allow me to trigger a reorg by simply stocking up on old coins and sending them to myself without broadcasting (I'm a miner, remember) just to "increase weight" of my blocks ?


Wouldn't that make Finneys and other such small doublespend-reorgs easier to make (you just need a big stash of old coins in the right time) ?

Wouldn't it also make "deep" reorgs (and big doublespends "eating" 5 confirms or more) easier for a 51 attacker with a big stash of old coins (just increase the "weight" of your chain by stuffing your own old-coin spending tx-es into them) ?
dreamwatcher
July 31, 2012, 10:04:07 AM
 #48

One question that keeps coming up to me in this debate about proof of stake:

Why would those with large wallets of Litecoin, KEEP THAT WALLET/CLIENT ON LINE 24/7?

If I had a particularly large wallet of litecoins, I would keep it on a USB drive only to be used when I needed to do a transaction, and keep a much smaller wallet for quick access.

It seems to me, that this would put the exchanges and large pools in charge of signing the blocks, and we know they are susceptible to DDoS.



Etlase2
July 31, 2012, 10:10:44 AM
 #49

Quote
Wouldn't Coin-Day-Destroyed allow me to trigger a reorg by simply stocking up on old coins and sending them to myself without broadcasting (I'm a miner, remember) just to "increase weight" of my blocks ?

Assuming a thriving network, you would have to control some not insignificant portion of the network's GDP and the hashing power for this to matter.

Quote
Wouldn't that make Finneys and other such small doublespend-reorgs easier to make (you just need a big stash of old coins in the right time) ?

A big stash of old coins to pull off tiny heists, plus significant enough hashing power to create your own blocks. In the standard bitcoin and litecoin model, you only need significant hashing power.

Quote
Wouldn't it also make "deep" reorgs (and big doublespends "eating" 5 confirms or more) easier for a 51 attacker with a big stash of old coins (just increase the "weight" of your chain by stuffing your own old-coin spending tx-es into them) ?

No, because you prevent deep-reorgs without user intervention. The only time a deep reorg could ever possibly happen is in one of two scenarios: 1) the network is unhealthy and has split, 2) someone is attacking the network. 1) means there are already other massive issues, 2) means the network is being attacked and it's probably an idiotic idea to reorg but bitcoin will do it anyway for the sake of unity.

ripper234 (OP)
July 31, 2012, 10:17:41 AM
 #50

Quote
One question that keeps coming up to me in this debate about proof of stake:

Why would those with large wallets of Litecoin, KEEP THAT WALLET/CLIENT ON LINE 24/7?

If I had a particularly large wallet of litecoins, I would keep it on a USB drive only to be used when I needed to do a transaction, and keep a much smaller wallet for quick access.

It seems to me, that this would put the exchanges and large pools in charge of signing the blocks, and we know they are susceptible to DDoS.


They wouldn't have to keep the wallet online, there are solutions to this.
You can send a network message committing your coin for the next N blocks.


Everyone, PLEASE DO NOT USE THIS THREAD TO DESIGN OTHER ALTERNATIVES.

You can open a dedicated thread and link to it, and post occasional messages about them, but don't do the design work on top of this thread.

Etlase2
July 31, 2012, 10:21:46 AM
Last edit: July 31, 2012, 01:30:25 PM by Etlase2
 #51

Why are you whining? What the heck does it matter? There is a valid discussion regardless if it has strayed slightly off-topic.

tgsrge
July 31, 2012, 12:29:39 PM
 #52

i think etlase's proposal sounds more decent (and less broken) if it can be implemented decently.

i still think new ideas (no matter which) should be tested in a separate test blockchain/currency to hopefully correct any implementation errors and possibly deal with new not so intuitive attacks which were not considered during the initial discussion/implementation, though.


and also, the community needs to seriously consider whether we want to be "artificially" tougher against 51% and maybe throw the entire thing out of balance or if we should consider 51% "attacks" a feature/characteristic of sorts of the currency. any modification to the design might make it inherently unsafer. security is the lack of functionality, and complexity (even if sometimes introduced to bring in "additional security") more often than not, due to various factors leads to insecurity.
Etlase2
July 31, 2012, 01:40:03 PM
 #53

Quote
and also, the community needs to seriously consider whether we want to be "artificially" tougher against 51% and maybe throw the entire thing out of balance or if we should consider 51% "attacks" a feature/characteristic of sorts of the currency. any modification to the design might make it inherently unsafer. security is the lack of functionality, and complexity (even if sometimes introduced to bring in "additional security") more often than not, due to various factors leads to insecurity.

As the Ben Laurie hyperbole originally put it, bitcoin is not secure unless 51% of the universe's computing power is securing the network. So I don't think it is possible to come up with anything worse. 51% attacks are most certainly not a feature and saying it is is like agreeing that 640K should be enough for anybody.

markm
July 31, 2012, 03:04:55 PM
 #54

51% of the universe's computing power should be enough for anybody. :)

-MarkM-

maaku
July 31, 2012, 04:05:41 PM
 #55

@coblee, thanks for fighting the good fight :)

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
iddo
August 01, 2012, 07:15:19 AM
 #56

Quote
* Cementing is a node's reluctance to do a blockchain reorganization. A node will reject any new block found if it contradicts a 6-block deep branch it is already aware of and currently considers valid. That is, once a node receives 6 confirmations for a block, it will not accept a competing block even if it is part of a longer branch.
This does not require any form of proof of stake and can be implemented on its own. It is inherent in the design of a proper algorithm for a days destroyed weighted block-chain.

How do you cement a checkpoint block without proof-of-stake?
iddo
August 01, 2012, 07:30:26 AM
 #57

Quote
One question that keeps coming up to me in this debate about proof of stake:

Why would those with large wallets of Litecoin, KEEP THAT WALLET/CLIENT ON LINE 24/7?

If I had a particularly large wallet of litecoins, I would keep it on a USB drive only to be used when I needed to do a transaction, and keep a much smaller wallet for quick access.

It seems to me, that this would put the exchanges and large pools in charge of signing the blocks, and we know they are susceptible to DDoS.

It's a free market, you collect fees by signing the special checkpoint blocks, so you should evaluate the risk of your wallet being stolen versus the reward. I suppose that with grandma's PC it's better to skip trying to collect signing fees, but for someone with a properly secure computer it should be fine.
In one sense having an incentive to keep coins under your control and continuously use them actually contributes to the health of the network, because with Bitcoin there appears to be a trend to send your coins to 3rd-parties that (supposedly) give you high interest or simply the convenience of using an online wallet, and this should be even more risky than someone hacking into your personal computer.
ripper234 (OP)
August 01, 2012, 07:35:17 AM
 #58

Updated OP:

Quote
Edit - if you support the idea, you might want to contribute to a bounty.

Etlase2
August 01, 2012, 07:49:44 AM
 #59

Quote
* Cementing is a node's reluctance to do a blockchain reorganization. A node will reject any new block found if it contradicts a 6-block deep branch it is already aware of and currently considers valid. That is, once a node receives 6 confirmations for a block, it will not accept a competing block even if it is part of a longer branch.
This does not require any form of proof of stake and can be implemented on its own. It is inherent in the design of a proper algorithm for a days destroyed weighted block-chain.

How do you cement a checkpoint block without proof-of-stake?

It's written right there in the wiki quote for proof of stake. The stake is not required to cement a block, it is up to the client. A "dumb" way to do it is just to cement 6 blocks in the past, but this leaves everyone open to the sustained 51% attack still, though it does prevent private in parallel mining to rewrite history. A smarter way to do it is base it around LDD so that an attacker can't sustain a 51% denial of service attack.

There is the potential with proof of stake that there exist two forks and both have less than 50% stake signing it. The only penalty for abstaining from a stake signing is that you lose reputation. That is not a sufficient penalty. In this scenario, the forks can stay completely unresolved. Regardless, a competitor may offer lower tx fees but the stakeholders refuse to sign and so on. It takes power away from the people.

Using the LDD model and user intervention, the people get to decide which fork they want to use. Monopolies can be prevented. Selective transaction approval can be prevented. Sustained 51% attack can be prevented. Proof of stake does not prevent monopolies, it does not prevent selective transaction approval, and its 51% attack prevention is only as good as whatever automated code selects the correct chain for the stake signers. And if stake signers manually choose, then you may as well give that ability to everyone so that everyone can determine what is in their best interest, not a select few. Aren't we all about overthrowing the establishment and such around here? Why is anyone looking to hard-code that in?

iddo
August 01, 2012, 08:21:03 AM
 #60

I don't understand, are you suggesting that each node will simply cement after seeing 6 consecutive blocks? That would cause the blockchain to fork into many branches that will never reunite.
I'm asking about the basic concept, please avoid the added complexities of cementing 6 consecutive blocks and consider the proof-of-stake cementing of the 100th signatures block. With proof-of-stake, we can cement the (say) 100th block with signatures that cannot be faked by an attacker with 51% hashpower, so everyone can protect themselves from a double-spending attack by waiting past the checkpoint signatures block in order to be sure that the relevant transactions couldn't be reversed. Do you claim that it's possible to cement a checkpoint block (with this desirable property of protecting from an attacker with 51% hashpower) without proof-of-stake? How?
What is LDD? Litecoin Days Destroyed? How is it relevant?