I think we must distinguish two things:
#1 Can an attacker obtain enough private keys (for transactions) to forge the block chain?
#2 Will the forged block chain be accepted by the current stake holders?
#1 Despite the game theoretic incentive described by Vitalik, it is not plausible to assume that such an attack can be carried out in practice if the initial coin distribution is appropriately decentralized.
Agreed.
#2 I'm not sure if the resistance is sufficient in any case. What happens if an attacker builds an alternative block chain that rewards the majority of current stake holders with a (somewhat) larger stake, while double-spending the minority to gain an undue advantage? In such a scenario, the majority has an incentive to accept the forged chain.
You might even argue that in my design of burning transaction fees that since the attacker could recover the 99+% of the money supply that had been burned, he could definitely entice current stake holders to take a bribe.
But you are arguing that the attacker doesn't need a majority of the historic private keys (to overcome TaPoS), so therefore the number of attackers is unbounded. Thus there is no objectivity between unbounded forks. Thus of course the current stake holders must refuse, lest their entire stake be worthless.
Yet the attacker who controlled the private keys for the only quantity of historic stake larger than all the historic stake burned (when that uniqueness scenario presented itself) could do a long-range chain attack by double-spending more than all burned historic stake, because there would only be one attack which could objectively burn more transaction fees than the honest chain. Yet not only is this event going to have to be an extremely long-range attack which makes it a rare possible event, but makes it entirely implausible that the community will accept it because it would crash the value of the tokens. How does the ecosystem want a bribe that destroys the ecosystem? Not all of those bribed can short simultaneously. It is implausible to attack an ecosystem in a public manner like this. It is analogous to saying the Federal Reserve could print money and bribe every dollar holder to accept a bribe denominated in dollars that would destroy the dollar. It is an attack that can't be hidden, because some participants will squeal.
3.2.2 Statistical Detection
Transactions can reference blocks belonging to the canonical blockchain, thus implicitly signing the chain. An attacker attempting to forge a long reorganization can only produce transactions involving coins he controlled as of the last checkpoint. A long, legitimate, chain would typically show activity in a larger fraction of the coins and can thus be distinguished, statistically, from the forgery.
This family of techniques (often called TAPOS, for “transactions as proof of stake”) does not work well for short forks where the sample is too small to perform a reliable statistical test. However, it can be combined with a technique dealing with short term forks to form a composite selection algorithm robust to both types of forks.
Agreed. That is why TaPoS is a viable security mechanism against long-range attacks. Statistically the current stake holders will choose the most objectively correct one, not the attacker's long-range attack chain.
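As an added illustration of the statistical detection quoted above (this is not code from the thread or from the quoted paper), the following Python sketch models the two pieces: a transaction must reference an earlier block of the chain it endorses, and for long forks the chain in which a larger fraction of the checkpoint-era coins have moved is preferred. The block layout, coin identifiers, 1000-coin supply, 50-coin attacker and the 100-block threshold are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    coin: str       # stake unit being spent
    ref_block: str  # id of an earlier block on the chain this tx endorses (the TaPoS reference)

@dataclass
class Block:
    block_id: str
    txs: list

def valid_tapos(chain, checkpoint_id):
    """A tx may only reference the checkpoint or an earlier block of the same chain,
    so transactions copied from a competing fork are rejected here."""
    seen = {checkpoint_id}
    for block in chain:
        if any(tx.ref_block not in seen for tx in block.txs):
            return False
        seen.add(block.block_id)
    return True

def participation(chain, total_coins):
    """Fraction of the coins existing at the checkpoint that moved at least once since."""
    return len({tx.coin for block in chain for tx in block.txs}) / total_coins

def select_long_fork(forks, checkpoint_id, total_coins, min_blocks=100):
    """Index of the fork with the broadest stake participation, or None when the forks
    are too short for the statistical test (a short-fork rule must decide instead)."""
    if min(len(f) for f in forks) < min_blocks:
        return None
    valid = [i for i, f in enumerate(forks) if valid_tapos(f, checkpoint_id)]
    return max(valid, key=lambda i: participation(forks[i], total_coins)) if valid else None

def make_chain(prefix, n_blocks, coin_pool, checkpoint_id, txs_per_block=5):
    """Constructed sample chain: each block spends the next few coins of coin_pool."""
    chain, prev = [], checkpoint_id
    for height in range(n_blocks):
        base = height * txs_per_block
        txs = [Tx(coin_pool[(base + j) % len(coin_pool)], prev) for j in range(txs_per_block)]
        chain.append(Block(f"{prefix}{height}", txs))
        prev = chain[-1].block_id
    return chain

CHECKPOINT = "cp"
ALL_COINS = [f"c{i}" for i in range(1000)]            # stake units as of the checkpoint (assumed)
ATTACKER_COINS = ALL_COINS[:50]                        # the only keys the attacker holds (assumed)
HONEST = make_chain("h", 200, ALL_COINS, CHECKPOINT)
FORGED = make_chain("a", 200, ATTACKER_COINS, CHECKPOINT)
# Splicing an honest tx into the forged chain fails the reference check: it signs an honest block.
SPLICED = FORGED[:-1] + [Block("a199", FORGED[-1].txs + [HONEST[10].txs[0]])]
```

With these inputs the honest chain shows participation 1.0 against 0.05 for the forgery, so the long-fork rule picks the honest chain, while 10-block prefixes of both return None and are left to a short-fork rule.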
I'm not sure if I understand this. How can the burned fees approach 100% of the stake? Without new money supply, the money would finally disappear if all the fees are burned. Or are you rather referring to some sort of statistical detection as quoted below?
If fees are a percentage and the tokens are infinitely divisible, then the money supply will never be exactly 0.
I am doing something somewhat analogous to the following for storing token amounts:
https://en.wikipedia.org/wiki/Kahan_summation_algorithm