Pages:
Author

Topic: [ANN] [PPC] PPCoin Released! - First Long-Term Energy-Efficient Crypto-Currency - page 34. (Read 684839 times)

legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
@Sentinelrv: Only my 50 cents: I would use the new thread for all current announcements and link to the old thread in the OP. That's not only because of the problem you've had with Sunny's account, but also because in very big threads it becomes very difficult to search information.

@Nagalim: There's something I could comment on your answer regarding the long range attack but for now I stop my "rants". I think Peercoin is reasonably secure - it's only that it could be so even more ...

However, it would be cool if you got more information with respect to a reorg limit. As I'm not a coder (I know a little bit of scripting, mainly in Python, but am not familiar enough with C/C++ to understand a cryptocurrency) it would be difficult for me to investigate the dynamic stake modifier commit ...
member
Activity: 156
Merit: 10
sr. member
Activity: 649
Merit: 318
I need to ask for feedback from the community here. I had previously created a separate Peercoin thread on Bitcointalk here. The purpose of it was so that I could control the content of the first post by adding in important links and info about Peercoin. It would also let me edit the title every time there was news, which would draw new people into the thread.

While people did use the new thread and post in it, it was still competing with this original release thread by Sunny, even though the current team was no longer posting in it. Eventually I gave up on the new thread and came back to this one several months ago.

Since then I have come to an arrangement with Sunny King. He agreed to share access with me to his Bitcointalk account. This would let us retain the history of this thread, yet it would allow me to edit the original post like we needed to. Everything was great until I tried logging into his profile. I got the following error message...

Quote from: Bitcointalk
“Sorry Guest, you are banned from using this forum! Your account is locked because it sat inactive for years after the password hashes were leaked in 2015, and was therefore at high risk of being hacked. Email [email protected] to get it unlocked.”

Apparently Sunny had not logged into his account for quite a while and it had gotten locked because he never changed his password after Bitcointalk got hacked. So I asked Sunny to email the address listed and request that they unlock the account. He received no reply. So I contacted a moderator here asking what to do and they told me to PM Theymos, so I did.

That was three weeks ago. I have sent a PM every week to Theymos asking for him to get into contact with Sunny so we can get his account unlocked and I haven’t had a single reply back from him. Sunny has emailed that address twice and has also received no reply. I tried contacting the previous moderator I talked to and he said there wasn’t much he could do.

I realize maybe the guy is just really busy, but his account is online all the time. I’m starting to feel as if he’s ignoring me on purpose and trying to hurt a competitor by keeping its founder locked out of his account.

Regardless of the real reasons, what are our options here? I really would like to keep using this thread because of its history, helpful content and links that have been posted over the years, but if the administrator of Bitcointalk refuses to help us regain control of the thread, what are we to do? I’d love to hear your thoughts in case anyone had any ideas that could remedy the situation.
sr. member
Activity: 649
Merit: 318
member
Activity: 156
Merit: 10
full member
Activity: 336
Merit: 102
Peercoin is mooning.  I’m hearing there’s some sort of fork?
newbie
Activity: 48
Merit: 0
Really promissing. Keep my eye on
hero member
Activity: 1039
Merit: 510
As mentioned, the economics are hard to parse.  But think of this: there can be multiple people with >50% of the current Bitcoin hashpower, but there can only be one person with >50% of the coins.  While you are correct that there is far from 100% minting, I do think this highlights an interesting perspective, which is that hash power is limitless while coin ownership is intrinsically limited.  One can have 500% of the current PoW hashpower, for example.  The point I'm trying to make here is that purchasing enough hardware to control Bitcoin likely will not drive hardware prices through the roof, while purchasing a large percentage of the Peercoins on the open market (remember that a large % will likely never sell, or are lost) will surely drive the price per coin to insane levels.

These are certainly interesting arguments. I never thought of it in such way before but it makes sense to me.
newbie
Activity: 33
Merit: 0
As mentioned, the economics are hard to parse.  But think of this: there can be multiple people with >50% of the current Bitcoin hashpower, but there can only be one person with >50% of the coins.  While you are correct that there is far from 100% minting, I do think this highlights an interesting perspective, which is that hash power is limitless while coin ownership is intrinsically limited.  One can have 500% of the current PoW hashpower, for example.  The point I'm trying to make here is that purchasing enough hardware to control Bitcoin likely will not drive hardware prices through the roof, while purchasing a large percentage of the Peercoins on the open market (remember that a large % will likely never sell, or are lost) will surely drive the price per coin to insane levels.

As for the max reorg depth, I don't think it's explicit in Peercoin, but I have reason to believe the way the dynamic stake modifier is chosen implies a max reorg depth.  I'm having trouble getting devs to comment on it, but I'll keep researching.  For reference we adopted the dynamic stake modifier from Neucoin in Peercoin v0.5, and I'm almost certain Neucoin has a max reorg depth.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
The only thing that stops a miner from crafting a chain in private is the cost associated with running the mining equipment and not claiming the block rewards.  If they have >50% hash power, then they have a near 100% chance of having the longer chain and making back the block rewards as well as their double spend.  It is very possible that a government or some large entity could mine a longer chain in private and release it to disrupt the network.  I'm not sure why you think this is not possible with PoW.  

You are probably right, my last post was not correct in this aspect - in PoW the "private mining" of an attack chain for a long time to be released later is also possible and probably the best option for a profitable 50% attack.

But there are other aspects why PoS long-range attacks are regarded as very dangerous: If the attacker manages to get (via a double spend/50% attack) more than 50% of the total coin supply (or at least a large part, e.g. 30%, so that he always will be the biggest "staker" because 100% never stake) then he can control the network. Only a hard fork can save the coin then. With PoW, the attacker would have to conserve his 50% and continue to pay electricity costs, so disrupting the coin heavily would be more complicated.

I'm not sure which attack is more expensive, but that's also why I'm interested in Peercoin and PoS - a PoS attack may be, if you add all costs, more expensive than a PoW 50% attack. But it could also be easier to make it profitable (see next paragraph).

Quote
When selling coins before the double spend, you sap the network of its value by tanking the price right before you try to extort it for value.
In my scenario, the double spend is recorded at the miner's attack chain at a block height before the sale of the coins - but is "released to the public" afterwards. So the price would tank even more after Evil Attacker sold the coins and the double spend becomes known - and so he can probably even try to lend more coins while he sells and short sell them. An "extortion" (e.g. for political reasons, or for a ransom) is not necessarily part of this attack.

Quote
You can argue about the economics of this, but I do think you are missing my point about selling the hardware after attacking a PoW coin.  In either model you can recover some of the liquidity used to attack the chain.

Probably yes, but what you cannot recover is the electricity costs, and you will not recover a big part of the attack costs. The only way to profit from a 51% attack in a PoW currency is, in my opinion, a complex (and expensive) strategy involving market manipulation, a really big double spend, and short selling just before the attack is publicly known.

In a PoS currency, the attacker can try the attack again and again once he has had his coins on his wallet (if he's caught he can mix the coins and repeat) because he isn't forced to use large amounts of electricity.

That is, I think, the second reason why PoS has so many detractors: because once you get the important part of the attack done (possess a large stash of coins) then you can attack many times - until the next hard checkpoint. With reorg depth limit or soft checkpointing, you have only a short timeframe.

Quote
I'll get back to you on whether or not there's a reorg depth limit.
That would be cool, thanks!
newbie
Activity: 33
Merit: 0
The only thing that stops a miner from crafting a chain in private is the cost associated with running the mining equipment and not claiming the block rewards.  If they have >50% hash power, then they have a near 100% chance of having the longer chain and making back the block rewards as well as their double spend.  It is very possible that a government or some large entity could mine a longer chain in private and release it to disrupt the network.  I'm not sure why you think this is not possible with PoW.  The other stuff you say about blacklisting and so on is correct, and applicable to both PoS and PoW.

When selling coins before the double spend, you sap the network of its value by tanking the price right before you try to extort it for value.  You can argue about the economics of this, but I do think you are missing my point about selling the hardware after attacking a PoW coin.  In either model you can recover some of the liquidity used to attack the chain.

As for the hard checkpoints, you're right that those are done by the devs.  I'll get back to you on whether or not there's a reorg depth limit.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
So you are talking about a 50% attack, which is also executable on the Bitcoin chain and basically any crypto.  It at first appears more tempting for Peercoin because it doesn't require investment in hardware like it does on Bitcoin.  However, you do invest in the digital coins, hoping to sell them before you unleash your attack chain.  This is similar to selling your Bitcoin hardware after attacking the chain, in that you can recover some of your investment and still carry out the attack.  So on its face, 50% attacking Peercoin is similar to 50% attacking any crypto, in that it requires overcoming whatever network effect the coin has generated.

The difference between a PoW 50% attack and the long-range attack I described is that in the 50% PoW attack the attacker could not mine his "longer chain" in secret - he must point all his hashpower to the chain, publicly. That's why it would be easier to "defend" against this attack - "honest" miners could instantly try to out-power the attacker few blocks after the 50% attack. And they could blacklist all coins that he earned via block rewards and try to detect the double spend before it can do harm (e.g. he is able to sell the coins at the exchange). If his attack is successful, the money he uses to buy hashrate is burnt, because if the coin is destroyed (or loses lots of value) after the attack, his hardware would not be worth much.

A PoS long-range attack is more dangerous, because the attacker can sell the coins undetected before he releases the "attack chain". But it is also probably more expensive than a 50% PoW attack, and there are certainly possibilities to design a 50% PoW attack in such a way that it may be profitable (For example, I calculated that attacking Bitcoin via a 50% attack would cost about 2% of it's supply - it may be possible to arrange a short sell of this amount).

Quote
For the specific long-range nature of the attack you describe, it is important to realize that clients will not reorg beyond a certain depth (Peercoin has two types of checkpoints: 'synchronized', which is what we've been talking about, and 'hard', which is what I'm talking about now and something that Bitcoin also has).

I know the "hard checkpoints", but aren't these only published when a new Peercoin version is released? Because the distance between two releases (several months) is enough for a long-range attack.

Obviously, if Peercoin already has a "reorg limit" of a fixed numbers of blocks (for example, NXT has 1440 blocks, roughly 24 hours because they have a 60 second block interval), then it's already protected pretty well against this type of attack. I thought it had not, but I may be wrong. Nxt's reorg limit for me seems a little bit short, I would be more happy with approximately a week.

PS: I'm not a PoS skeptic like those "critics" that think that "PoS does not work" - only I am skeptic regarding the sense of the synchronized checkpoints and would like to see them replaced with rolling checkpoints or Vitalik's "soft checkpoints".
newbie
Activity: 33
Merit: 0
So you are talking about a 50% attack, which is also executable on the Bitcoin chain and basically any crypto.  It at first appears more tempting for Peercoin because it doesn't require investment in hardware like it does on Bitcoin.  However, you do invest in the digital coins, hoping to sell them before you unleash your attack chain.  This is similar to selling your Bitcoin hardware after attacking the chain, in that you can recover some of your investment and still carry out the attack.  So on its face, 50% attacking Peercoin is similar to 50% attacking any crypto, in that it requires overcoming whatever network effect the coin has generated.

For the specific long-range nature of the attack you describe, it is important to realize that clients will not reorg beyond a certain depth (Peercoin has two types of checkpoints: 'synchronized', which is what we've been talking about, and 'hard', which is what I'm talking about now and something that Bitcoin also has).  So what you describe will cause a fork between fresh chain downloads and old nodes.  As the checkpoint server is an old node, it will not follow the attack chain and new users can follow the checkpoints to get on the old chain.  Then there can be an emergency client update that specifically bans that fork, or something similar.

A 50% attack is indeed no joke.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
I don's understand what you mean when you talk about 'faking chainweight'.  If you have a heavier chainweight, your chain is the 'real' chain by definition.  What is your definition of a 'fake chain'?

With "faking chainweight" I mean the chain-weight of a chain that includes an alternative transaction as a consequence of a double spend (long-range attack).

The mechanism in detail:
1) the attacker buys, mines and/or lends a large number of coins - he must calculate the approximate number of coins that are staking, and buy more than 50% of them (e.g. 15%+ of the total supply if 30% are continuously "staking")
2) He deposits the coins on a wallet (or various wallets), still without trying to "stake".
3) After some blocks he sells the coins again (this procedure can take as long as he wants if there is no reorg limit).
4) At the same block height he transferred the coins to the exchange, he (secretly) issues a double spend to a wallet he owns and disconnects his client from the network.
5) He then secretly mints an attack chain that contains this double spend (without publishing it). This attack chain would have more chain-weight than the "normal best chain": From the point of view of his wallet/client he still owns the coins and so he can use them to stake, and as in his attack chain he owns more coins than the rest of the stakers, the weight of the chain is higher.
6) When he has sold all coins (step 3 accomplished) then he publishes the attack chain - it would have more chain-weight than the "true" chain but as we have seen the weight is "faked" using the double spend.

If what you said in the previous post is true and all nodes - including the checkpoint node - always follow the chain with most weight, step 6 would lead to a re-organization on all nodes that obey the protocol and eventually all of them would follow the attack chain. The attack would have succeeded. If the attacker specifically tries to connect to the checkpoint node, then his attack would probably succeed even faster.

I know this attack is very expensive, but the attacker can design it in a way he can profit from it (e.g. if he manages to drive the price higher before he sells). And if he is very likely to succeed, then the incentive is high for a rich individual or group to try it.
newbie
Activity: 33
Merit: 0
I don's understand what you mean when you talk about 'faking chainweight'.  If you have a heavier chainweight, your chain is the 'real' chain by definition.  What is your definition of a 'fake chain'?
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
If the attacker forms a chain with higher chainweight, checkpoints won't hinder or help the reorg.  That higher weight chain will replace all instances of the current chain, regardless of if they have checkpoints enforced or not.
In this scenario, a long-range double-spend attacker would always be successful (and checkpoints would only be helpful for short-range forks),

As far as I have understand Vitalik Buterin's "Weak Subjectivity" paradigm, this behaviour (the chain with the highest weight winning every time, even if it's a fake chain) should be avoided at all costs, because even if the attack is difficult and expensive, there is an incentive to try it if you always will be successful.

Chain-weight, unfortunately in PoS coins is not objective, because it can be faked. That's why some pure PoS coins prohibit long reorgs (the "rolling checkpoints" I mentioned before) and use techniques like Economic Clustering to know if well-known nodes like exchanges are on the same chain like you. With these mechanisms it can be avoided that the attacker "establishes" his attack chain, because most nodes won't follow him even if his chain-weight is higher. But yes, you sacrifice "objectivity" - but at the same time, you dis-incentive these attacks, so they become almost impossible.

member
Activity: 156
Merit: 10
In 2017 Many ICOs were created. When fake ico lost credibility. Investors are looking for old coins.
hero member
Activity: 770
Merit: 500
PPC is one of the oldest legacy coins out there, its like a close family friend, hope it finally has a chance to go $50 next year!
newbie
Activity: 33
Merit: 0
Cold minting will take a hardfork to accomplish.  It is possible we will see it rolled out in the next couple updates, but as it is still somewhat controversial I would rather not specify a timeline yet.
Pages:
Jump to: