Topic: Decentralized Timestamp - page 3. (Read 5251 times)

legendary
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
May 20, 2014, 02:32:45 PM
#52
telepathetic,

 not to mention that there is a (unknown and likely linear) relationship between intrinsic value of BTC and cost and presence of hashing power. 

Somewhat.

There was high correlation until the price crashed after Gox.  Now prices are half of what they were, yet hashing power has increased.
sr. member
Activity: 280
Merit: 257
bluemeanie
May 20, 2014, 02:19:47 PM
#51
telepathetic,

 not to mention that there is a (unknown and likely linear) relationship between intrinsic value of BTC and cost and presence of hashing power.  Thus this means that, at best we need to have a certain amount of hash power present and running in order to support what Color Coins wants to support.  If this hash power fails to emerge, then you will have a huge catastrophe.

 another point- why do we need to run an ASIC for every bond issued in the universe when models such as NXT remove this requirement?  Then we can expand the economy indefinitely.

 it goes back to the gold bug mentality.  They insist that we must base our economy on gold because gold is valuable[1], however they ignore the fact that it is only valuable because we agree that it's valuable.  How valuable is gold to a chimpanzee?

-bm


[1] we must base a cryptocoin on hashing because hashing is hard
jr. member
Activity: 56
Merit: 1
May 20, 2014, 02:01:38 PM
#50
this problem is compounded by the Color Coins technologies that carry asset notes on the BTC block chain.  It's going to make such an attack practically inevitable.

-bm

Also, Satoshi didn't envisage mining like it is today. It is possible for the hashing power of all inefficient (uses more power than would gain in rewards) mining machines (and hence not connected to the network) to outnumber the hashing power of all mining machines on the network. This requires low block rewards in real terms, expensive electricity costs in real terms and a relatively small difference in efficiency between the inefficient and the efficient mining machines. In this case an attacker could gain 51% hashing power very easily to perform a double spend since unused miners are virtually worthless (Satoshi didn't envision this).

We need much more discussion about the security assumptions of bitcoin. New technologies may allow us to gain more security/decentralisation in some areas but at a potential trade off with other areas.
sr. member
Activity: 280
Merit: 257
bluemeanie
May 20, 2014, 01:58:09 PM
#49

This is too bad that you're losing patience, because I was enjoying the conversation


and he knows that- that's what's making him angry.

-bm
legendary
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
May 20, 2014, 01:56:25 PM
#48
Here you are admitting that Bitcoin as it stands has a significant weakness.

This kind of shit makes me just not want to post at all.  No it isn't an admission like that.  All security models involve assumptions.  The assumption for Bitcoin is that the attacker will not gain 51% of the network hashrate and that gaining that would be prohibitively expensive.   You will notice the words "I believe", it isn't "I know".  An alternate security model will be a tradeoff.  There is no guarantee the modified assumptions will make the network more secure.  Security is ALWAYS about compromise.  The system which is most secure from an attacker with significant resources would be one where an absolute central authority manages the network.  No 51% is possible but you now need absolute trust in the central authority.  Although it solves one problem it creates another and I wouldn't consider that an acceptable tradeoff.

Do you get tired of being a shill?  Don't you ever just want to think and discuss?  Why not just read the post and agree or disagree without looking for some angle?  Don't you find it tedious and small?  At one time this forum (especially this section) was a place to learn, think and explore.  I guess that is dead now.  Honestly I don't give a shit anymore.  This will be my last post.

This is too bad that you're losing patience, because I was enjoying the conversation and we need people like you who really know what they are talking about in the discussion.

Competing cryptocurrencies are potentially disruptive to bitcoin, and it's no secret bluemeanie is part of the NXT development team, so I would suggest not to take it personally.  I wouldn't quite agree he is shilling.

This is bluemeanie's job so to speak... to challenge us. Whether or not his motive is to promote NXT, we should try to have the discussion.

sr. member
Activity: 280
Merit: 257
bluemeanie
May 20, 2014, 01:55:06 PM
#47
Here you are admitting that Bitcoin as it stands has a significant weakness.

This kind of shit makes me just not want to post at all.  No it isn't an admission like that.  All security models involve assumptions.  The assumption for Bitcoin is that the attacker will not gain 51% of the network hashrate and that gaining that would be prohibitively expensive.   You will notice the words "I believe", it isn't "I know".  An alternate security model will be a tradeoff.  There is no guarantee the modified assumptions will make the network more secure.  Security is ALWAYS about compromise.  The system which is most secure from an attacker with significant resources would be one where an absolute central authority manages the network.  No 51% is possible but you now need absolute trust in the central authority.  Although it solves one problem it creates another and I wouldn't consider that an acceptable tradeoff.

tantrums aside,

#1) It's been established that an attacker needs far less than 51% of the hashing power.

#2) Hashing power is now a Liquid Commodity, as in it can readily trade hands.  This also has the effect of reducing the price of said hashing power.  Staging and executing an attack does not even require hardware procurement, the entire thing could be executed from a single internet connection anywhere in the world + a modest amount of capital.

#3) the point I keep raising- the PAYOFF for such an attack is going to increase exponentially due to Color Coins, Counterparty, etc.

it seems whenever anyone raises these points some people on this forum have a fit.

-bm
donator
Activity: 1218
Merit: 1079
Gerald Davis
May 20, 2014, 01:49:10 PM
#46
Here you are admitting that Bitcoin as it stands has a significant weakness.

This kind of shit makes me just not want to post at all.  No it isn't an admission to anyone who can read.  All security models involve assumptions upon which they derive their strength.  The assumption for Bitcoin is that the attacker will not gain 51% of the network hashrate.  If that assumption is flawed then the model can be attacked.  Likewise any other security model will involve different assumptions, possibly ones which are easier for an attacker to invalidate.

You will notice the words "I believe", it isn't "I know". No alternative is going to be a magic bullet which eliminates all weaknesses and creates no new ones.   It is entirely possible that I am wrong and that there is no such alternative along those lines that would result in an overall stronger network.  Security is ALWAYS about compromise.  

Guess what I can solve the "51% attack" right now.  I will give you this model for free.  A single central authority accepts transactions, verifies them, and publishes the results in the form of a ledger and diff.  These results can be verified cryptographically by any user of the network.  Transactions can be verified within seconds, nodes don't need to maintain more than a minimal amount of historical records and an attacker that isolates a node can't lie to the node it can only block information.   No amount of computing power could allow an attacker to break that system (assuming the cryptographic primitives remain strong).  It isn't 51% proof it is 100% proof.  Of course that trades the potential for an attacker to gain the majority of the computing power for the potential for the central authority to be untrustworthy.  That tradeoff is not worth it but it does "solve" most of the major limitations of the Bitcoin protocol.   Feel free to use it.

Do you get tired of being a shill?  Don't you ever just want to think and discuss?  Why not just read the post and agree or disagree without looking for some angle to exploit?  Don't you find it tedious and small?  At one time this forum (especially this section of the forum) was a place to learn, think and explore.  Lots of healthy debate, discourse, and sometimes it got heated but it was about learning.  I guess that is dead now.  Honestly I don't give a shit anymore.  This will be my last post.

On edit: edited for clarity.
sr. member
Activity: 280
Merit: 257
bluemeanie
May 20, 2014, 01:40:38 PM
#45
An attacker with 10,000 BTC could hire enough hashing power to perform a double spend for let's say 1000BTC (probably a lot less than this in reality if miners didn't mind leasing you hashing power), the other 9,000 BTC can be double spent such that the attacker ends up with 9000BTC of cash/goods/services and 9000BTC of bitcoin. The attacker has increased in worth by 8000BTC, the miners on average have increased in worth by (1000BTC - work done producing orphaned blocks) and a lot of merchants/exchanges/service providers are out of pocket by 9000BTC.

this problem is compounded by the Color Coins technologies that carry asset notes on the BTC block chain.  It's going to make such an attack practically inevitable.

-bm
legendary
Activity: 1302
Merit: 1004
Core dev leaves me neg feedback #abuse #political
May 20, 2014, 01:36:00 PM
#44
I believe PoS could be used to raise the cost for an attacker further.  To date all the concepts I have sketched out have limitations I find unacceptable but I believe there is a solution. Imagine if someday the hardware cost to attack the network was $5B but it also required another $50B in stake as well.
Here you are admitting that Bitcoin as it stands has a significant weakness.
All things are subject to attacks, to make them stronger one needs to be honest about them. Bitcoin assumes that the majority of the energy expended on its POW is not controlled by a byzantine attacker. Maybe there are things that can be twiddled to make the costs of attack higher?  But that isn't something that comes quickly or easily— most of the time tweaks increase the cost of one already effectively unachievable attack but do so at the expense of opening up a new weakness which is currently absolutely precluded.

Talking frankly about attack costs doesn't mean that anything is weak on an absolute scale.  By contrast, the systems where their authors claim there exist no attacks that they can imagine are almost certainly intolerably insecure since a lack of attacks— even infeasible ones that we can be comfortable with— means that there is either indifference to security, inadequate understanding of their own system, or simply a massive failure of imagination— any of which could be hiding quite serious attacks.

gmaxwell, not sure if you stated elsewhere, but what is your opinion of DECOR?
jr. member
Activity: 56
Merit: 1
May 20, 2014, 01:35:11 PM
#43
I believe PoS could be used to raise the cost for an attacker further.  To date all the concepts I have sketched out have limitations I find unacceptable but I believe there is a solution. Imagine if someday the hardware cost to attack the network was $5B but it also required another $50B in stake as well.

Here you are admitting that Bitcoin as it stands has a significant weakness.


Of course bitcoin has weaknesses, to date very little modelling of how bitcoin really works economically has been done. What happens if huge transaction fees (>1000BTC) are sent to the network, what happens if you convince 50% of the network to lease you their miners at double the market rate and what happens when market influenced transaction fees dominate the block rewards.

Bitcoin is based on the assumption that no one would ever lease out hashing power because it is always beneficial to reap all future returns rather than take a short term gain where an attacker could harm the network and perform a double spend. But people do lease out hashing power because they believe that attackers won't be able to lease out 50% of the machines and perform an attack. (Is that a valid assumption? How do we tell how many machines are currently used by attacking parties?)

An attacker with 10,000 BTC could hire enough hashing power to perform a double spend for let's say 1000BTC (probably a lot less than this in reality if miners didn't mind leasing you hashing power), the other 9,000 BTC can be double spent such that the attacker ends up with 9000BTC of cash/goods/services and 9000BTC of bitcoin. The attacker has increased in worth by 8000BTC, the miners on average have increased in worth by (1000BTC - work done producing orphaned blocks) and a lot of merchants/exchanges/service providers are out of pocket by 9000BTC.
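The rented-hashpower double spend in the post above, and bluemeanie's point in post #47 that an attacker needs less than 51%, can be put in numbers with the catch-up estimate from section 11 of the Bitcoin whitepaper. The following is an added example and not code from any poster. The 9000 BTC payoff and 1000 BTC rent are the post's own scenario; the confirmation depths, the 0.1% acceptance threshold and the assumption that rent is paid whether or not the reorg succeeds are mine. It generalises the post's single case to any hashrate share and confirmation depth.

```python
import math

# Added example, not any poster's code. attacker_success_probability is the
# catch-up estimate from section 11 of the Bitcoin whitepaper. The 9000 BTC payoff
# and 1000 BTC rent are post #43's scenario; the confirmation depths, the 0.1%
# threshold and "rent is paid win or lose" are constructed assumptions.


def _poisson(k: int, lam: float) -> float:
    """Poisson probability computed in log space so large z does not overflow."""
    if lam == 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hashrate ever
    overtakes an honest chain that is z blocks ahead. Certain once q >= 0.5."""
    if not 0.0 <= q < 1.0 or z < 0:
        raise ValueError("need 0 <= q < 1 and z >= 0")
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p          # expected attacker progress while honest miners find z
    ratio = q / p
    never_catches_up = 0.0
    for k in range(z + 1):
        never_catches_up += _poisson(k, lam) * (1.0 - ratio ** (z - k))
    return max(0.0, 1.0 - never_catches_up)


def confirmations_needed(q: float, max_probability: float, limit: int = 10_000):
    """Fewest confirmations a merchant must wait for so that an attacker with
    share q succeeds with probability below max_probability. None if q >= 0.5,
    where no number of confirmations helps."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_probability:
            return z
    return None


def expected_profit(q: float, z: int, payoff: float, rent: float) -> float:
    """Expected gain from a rented-hashpower double spend: the rent is sunk
    whether or not the reorg succeeds, the payoff is collected only if it does."""
    return attacker_success_probability(q, z) * payoff - rent


def break_even_payoff(q: float, z: int, rent: float) -> float:
    """Smallest double-spend payoff at which renting share q against z
    confirmations covers the rent in expectation."""
    p_success = attacker_success_probability(q, z)
    return math.inf if p_success == 0.0 else rent / p_success


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45, 0.5):
        z = confirmations_needed(q, 0.001)
        print(f"q={q:.2f} success@6={attacker_success_probability(q, 6):.4f} "
              f"confs for <0.1%={z} "
              f"profit@6={expected_profit(q, 6, 9000, 1000):.0f} BTC")
```

With half the hashrate the reorg is certain and the post's 8000 BTC gain follows directly. With 30% of the hashrate against ten confirmations the attacker succeeds about 4% of the time, so the payoff has to exceed roughly 24 times the rent before the attack pays in expectation; whether "far less than 51%" is enough therefore depends on how large the double-spendable payoff is relative to the rental market, which is what post #47's third item is about.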
staff
Activity: 4200
Merit: 8441
May 20, 2014, 01:31:19 PM
#42
I believe PoS could be used to raise the cost for an attacker further.  To date all the concepts I have sketched out have limitations I find unacceptable but I believe there is a solution. Imagine if someday the hardware cost to attack the network was $5B but it also required another $50B in stake as well.
Here you are admitting that Bitcoin as it stands has a significant weakness.
All things are subject to attacks, to make them stronger one needs to be honest about them. Bitcoin assumes that the majority of the energy expended on its POW is not controlled by a byzantine attacker. Maybe there are things that can be twiddled to make the costs of attack higher?  But that isn't something that comes quickly or easily— most of the time tweaks increase the cost of one already effectively unachievable attack but do so at the expense of opening up a new weakness which is currently absolutely precluded.

Talking frankly about attack costs doesn't mean that anything is weak on an absolute scale.  By contrast, the systems where their authors claim there exist no attacks that they can imagine are almost certainly intolerably insecure since a lack of attacks— even infeasible ones that we can be comfortable with— means that there is either indifference to security, inadequate understanding of their own system, or simply a massive failure of imagination— any of which could be hiding quite serious attacks.
jr. member
Activity: 56
Merit: 1
May 20, 2014, 12:55:39 PM
#41
I agree with the fact that it can be attacked with less than 51% stake.  How little stake can be used depends on a couple of factors.  The time since last signing and balance are weighted in the "difficulty" of finding a hash so I am not comfortable putting an exact value on how little stake can be used.  That would require some simulations.  

In general though one could say that the structure allows a forger (any forger) to use computing power as a proxy for stake.  The effective share of the network is dependent on not just what share of the stake one has but also what share of the computing power.

NXT is completely transparent, that is you know all the public keys of the potential forgers. This allows you to know for certain if you will be the next person to be able to sign the block. To do this you have to calculate the required time in milliseconds that each public key on the network would exceed the target threshold. Admittedly this is computationally expensive. You have to compute a signature then check all the public keys to see if any of them would beat you, thankfully you can simply iterate the signature until you have a very high likelihood of being able to sign the next block then check all the public keys to verify that you can definitely sign the next block. This will mean the next block will occur quicker than normal and therefore base_target will be reduced (not exactly sure how often it is recomputed) making the time between blocks larger and giving you more time to do your computations in order to guarantee the next block.
sr. member
Activity: 280
Merit: 257
bluemeanie
May 20, 2014, 12:42:38 PM
#40
I believe PoS could be used to raise the cost for an attacker further.  To date all the concepts I have sketched out have limitations I find unacceptable but I believe there is a solution. Imagine if someday the hardware cost to attack the network was $5B but it also required another $50B in stake as well.

Here you are admitting that Bitcoin as it stands has a significant weakness.

-bm
donator
Activity: 1218
Merit: 1079
Gerald Davis
May 20, 2014, 12:27:36 PM
#39
The attacker doesn't even need a 51% stake. They only need a small stake, once you can forge once, you can ensure that you will always get to forge the next block (if you have enough computational power), regardless of how small your stake is. I can easily see this attack being possible with 0.1% stake and a standard processor.

I agree with the fact that it can be attacked with less than 51% stake.  How little stake can be used depends on a couple of factors.  The time since last signing and balance are weighted in the "difficulty" of finding a hash so I am not comfortable putting an exact value on how little stake can be used.  That would require some simulations. 

In general though one could say that the structure allows a forger (any forger) to use computing power as a proxy for stake.  The effective share of the network is dependent on not just what share of the stake one has but also what share of the computing power.

While NXT claims to not be PoW if forgers aren't already using computing power to boost their returns they will.  Even non malicious miners would have no incentive to not increase their computing power in order to boost their forging rate.

As a side note: deterministic (or quasi deterministic) signing/minting/forging is an interesting idea. ... The full implications both good and bad should be looked at more closely.
The problem is that you are still vulnerable to historic attacks. ...

That is a good point.  I agree and it requires some careful analysis.  I do think it is an interesting idea and has some potential.  On your idea of cumulative work it may be possible to incorporate a way to compensate those workers.  I also believe despite my reservations about PoS that there is some way it can be used in conjunction with PoW to raise the cost of an attacker.  PoW for Bitcoin is already beyond the point where any economic attack is possible however there is the non-economic attack.  The network will continue to grow and as miners become more efficient ($/GH and J/GH) the cost for an attacker will rise but eventually margins will be paper thin and further improvements will be limited to the growth of the reward (Moore's law doesn't make the network more secure as it is kinda like GH inflation).  I believe PoS could be used to raise the cost for an attacker further.  To date all the concepts I have sketched out have limitations I find unacceptable but I believe there is a solution. Imagine if someday the hardware cost to attack the network was $5B but it also required another $50B in stake as well.
jr. member
Activity: 56
Merit: 1
May 20, 2014, 12:09:55 PM
#38
A 51% attacker would be the one generating the previous block generation signature.  If the signature doesn't produce an output that allows him to sign the next block he just changes the k value and generates a new signature.  A good CPU can do 40,000 ECDSA signatures a second (per core).  When he finds one that allows one of his accounts (51% of the stake) to sign the next block he moves on to the next block.

The attacker doesn't even need a 51% stake. They only need a small stake, once you can forge once, you can ensure that you will always get to forge the next block (if you have enough computational power), regardless of how small your stake is. I can easily see this attack being possible with 0.1% stake and a standard processor.

As a side note: deterministic (or quasi deterministic) signing/minting/forging is an interesting idea.  It has some advantages (outside of a 51% attack) if combined with a PoW.  It would make long reorgs with a minority of the hashrate more difficult to achieve which means confirmations have more "weight".  It also allows "legit" miners to achieve consensus quicker.  In the case where two miners produce blocks at the same block height it could provide a fair and deterministic manner for all nodes to choose one over the other. If miners are confident that 51% of the network follow these rules then they would be best served by working on the "best" block not just the first one.  It is beneficial in a split to get the network behind a single chain as quickly as possible (orphaned work is simply wasted work and reduces effective network security).  The full implications both good and bad should be looked at more closely.  It isn't however some magical 51% proof shield and the "nothing at risk" issue around PoW remains unchanged when compared to other PoS systems.

The problem is that you are still vulnerable to historic attacks. Whilst doing analysis for conceptcoin I have found that deterministic proof of stake (even where the mechanism to select who gets to sign each block is unaffected by the actions of the forgers/miners) is still vulnerable to people signing two blocks at a given block height and releasing one of those blocks whilst keeping one hidden to build an attacking chain in the future. Whilst clients who are always online can tell the difference between the real and fake chain, new clients can't.

One way to tell them apart is by assigning work to the chain, this work does not decide who gets to sign blocks. I have proposed a scheme where when a block is being signed it must optionally include a piece of work which is as close to the previous block hash as possible. This work doesn't have to be produced by the signer themselves, everyone submits work to the network to show that they endorse a particular block. It is in the interest of the honest block signers to include the maximum amount of work in their blocks in order to prevent attacks.

Now new clients can see which chain is more likely to be the real one by measuring the cumulative work included in each chain. This successfully decouples proof of work from the rewards handed out, people do work as they feel necessary to secure the network. The problem is without direct economic incentives, the amount of work done and hence security may be very low.
donator
Activity: 1218
Merit: 1079
Gerald Davis
May 20, 2014, 11:35:09 AM
#37
Signatures are dependent on the data they are signing and my public key, my public key is fixed but the data I am signing is not. I can add and remove transactions to the block to change the output of the signature. (Technically with ECDSA signatures you don't even need to do that, you just change the nonce used in signing to get a different signature)

The generation signature only depends on the previous block generation signature and your public account number. Nothing more.

In a double spend attack (including a "51% attack") the attacker would be the one generating the sequence of blocks.  That means each block relies on the prior block also made by the attacker.  The attacker signs a block and if it doesn't allow him to forge the next block, just keeps resigning it until it does (as pointed out a single digest can have an infinite number of unique signatures by changing the k value). The attacker attempts signatures until he produces one which allows him to sign the next block as well.  The attacker then moves on to the next block.  If this seems kind of like a PoW it is.

Part of the generation signature (called hit) is used to determine a queue of forgers. First in this queue is allowed to forge. If he did not, it is the turn of the second in the queue and so on.

The attacker won't be publishing his chain until it is longer. As long as one of his accounts is valid for signing the next block (and thus somewhere in the queue even last) there will be nobody ahead of him in the queue that knows about the block.  The network doesn't require a specific signer from the queue be used, it just favors a higher signer over a lower one but all signers are equally valid.  If the attacker had* >51% of the network stake he will produce the longest/best chain.  Note: it isn't actually a "queue" but this doesn't materially change the scenario.

As a side note: deterministic (or quasi deterministic) signing/minting/forging is an interesting idea.  It has some advantages but it isn't some magical 51% proof shield and the "nothing at risk" issue around PoW remains unchanged when compared to other PoS systems.

* It is "had" not "has" because in PoS the critical resource is not a physical item, it is a record in the blockchain. A miner who no longer has any hashpower can no longer mine but a forger who had but no longer has a stake can forge a parallel chain starting from where he had the stake and double spending the tx resulting in him losing the stake. An attacker with 51% of the stake as of block X can sell that stake and still perform a 51% attack starting from block X using the stake he had but no longer has on the main chain.
sr. member
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
May 20, 2014, 11:06:14 AM
#36
Signatures are dependent on the data they are signing and my public key, my public key is fixed but the data I am signing is not. I can add and remove transactions to the block to change the output of the signature. (Technically with ECDSA signatures you don't even need to do that, you just change the nonce used in signing to get a different signature)

The generation signature only depends on the previous block generation signature and your public account number. Nothing more.

Part of the generation signature (called hit) is used to determine a queue of forgers. First in this queue is allowed to forge. If he did not, it is the turn of the second in the queue and so on.
jr. member
Activity: 56
Merit: 1
May 20, 2014, 11:02:59 AM
#35
What do you mean by iterating through thousands of possible current block signatures?

Signatures are dependent on the data they are signing and my public key, my public key is fixed but the data I am signing is not. I can add and remove transactions to the block to change the output of the signature. (Technically with ECDSA signatures you don't even need to do that, you just change the nonce used in signing to get a different signature)
sr. member
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
May 20, 2014, 10:37:11 AM
#34

For the block to be accepted.

1. Hash the hash of the previous block.
2. Take the first six bytes of that. Let's call that rnd_selector
3. Take the current time since the last block in millis i.e. 100000
4. Take the effective balance of the account that generated the block.

If balance * time_in_millis > rnd_selector then the block is valid.

My understanding based on this code is that I can sign a new block if:

base_target * my_balance * time_in_millis > SHA256(previous_block_signature + my_public_key)

So you can very easily iterate through thousands of possible current block signature such that it is guaranteed that you will be the person able to mine the following block. Since the whole process is transparent (public keys and balances are known to everyone), a moderate amount of computation power and coins assures that once you get to create one block you can sign all the blocks following it.

I'm not an NXT developer so I may be wrong.


What do you mean by iterating through thousands of possible current block signatures?
jr. member
Activity: 56
Merit: 1
May 20, 2014, 09:47:14 AM
#33

For the block to be accepted.

1. Hash the hash of the previous block.
2. Take the first six bytes of that. Let's call that rnd_selector
3. Take the current time since the last block in millis i.e. 100000
4. Take the effective balance of the account that generated the block.

If balance * time_in_millis > rnd_selector then the block is valid.

My understanding based on this code is that I can sign a new block if:

base_target * my_balance * time_in_millis > SHA256(previous_block_signature + my_public_key)

So you can very easily iterate through thousands of possible current block signature such that it is guaranteed that you will be the person able to mine the following block. Since the whole process is transparent (public keys and balances are known to everyone), a moderate amount of computation power and coins assures that once you get to create one block you can sign all the blocks following it.

I'm not an NXT developer so I may be wrong.
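The forging rule quoted in post #33 and the signature-grinding attack described in posts #37, #38 and #41 (re-sign your own block until one of your accounts is first in the next forging queue), as an added simulation that is not NXT's code or any poster's. It follows post #33's formulation, in which the hit is derived from the previous block's signature; under post #36's description, where the generation signature depends only on the previous generation signature and the account number, varying the block signature is not a lever, and that case is not modelled here. Account identifiers, balances, BASE_TARGET, the eight-byte hit and the hash-based stand-in for an ECDSA signature with a varying k are all constructed for the example.

```python
import hashlib

# Added example, not NXT's code or any poster's. It implements the rule quoted in
# post #33,  base_target * balance * elapsed_ms > hit  with
# hit = leading bytes of SHA256(previous_block_signature || public_key),
# and the grinding attack of post #37. Account identifiers, balances, BASE_TARGET
# and the signature stand-in are constructed assumptions.

HIT_BYTES = 8          # post #34 uses six bytes; eight keeps the arithmetic simple
BASE_TARGET = 10 ** 9  # assumed constant; only the ratios between accounts matter

# Constructed accounts: byte strings stand in for public keys / account numbers.
ACCOUNTS = {
    b"honest-1": 33_000,
    b"honest-2": 33_000,
    b"honest-3": 33_000,
    b"attacker-a": 500,   # the attacker holds 1% of the stake across two accounts
    b"attacker-b": 500,
}
ATTACKER_KEYS = {b"attacker-a", b"attacker-b"}


def hit(prev_block_sig: bytes, pubkey: bytes) -> int:
    """Per-account target derived from the previous block's signature."""
    digest = hashlib.sha256(prev_block_sig + pubkey).digest()
    return int.from_bytes(digest[:HIT_BYTES], "big")


def forge_time_ms(prev_block_sig: bytes, pubkey: bytes, balance: int) -> int:
    """Earliest elapsed time (ms) at which base_target * balance * t exceeds hit."""
    return hit(prev_block_sig, pubkey) // (BASE_TARGET * balance) + 1


def forging_queue(prev_block_sig: bytes, accounts: dict) -> list:
    """All accounts' earliest forging times, soonest first. Anyone can compute
    this because balances and public keys are public (the point of post #41)."""
    return sorted((forge_time_ms(prev_block_sig, pk, bal), pk)
                  for pk, bal in accounts.items())


def next_forger(prev_block_sig: bytes, accounts: dict) -> bytes:
    return forging_queue(prev_block_sig, accounts)[0][1]


def sign_block(block: bytes, nonce: int) -> bytes:
    """Stand-in for an ECDSA signature. Real ECDSA yields a different valid
    signature over the same block for every k; the nonce plays that role here."""
    return hashlib.sha256(block + nonce.to_bytes(8, "big")).digest()


def grind_signature(block: bytes, accounts: dict, attacker_keys: set,
                    max_tries: int):
    """Re-sign the attacker's own block until the hits it induces put one of the
    attacker's accounts first in the queue for the following block.
    Returns (nonce, signature), or None if the budget runs out."""
    for nonce in range(max_tries):
        sig = sign_block(block, nonce)
        if next_forger(sig, accounts) in attacker_keys:
            return nonce, sig
    return None


def simulate(n_blocks: int, grind: bool, max_tries: int = 50_000) -> dict:
    """The attacker has just forged a block; count how many of the next n_blocks
    he forges, signing once (grind=False) or grinding his signatures."""

    def attacker_signs(block: bytes) -> bytes:
        if not grind:
            return sign_block(block, 0)
        found = grind_signature(block, ACCOUNTS, ATTACKER_KEYS, max_tries)
        if found is None:
            raise RuntimeError("grinding budget exhausted")
        nonce, sig = found
        stats["signatures_tried"] += nonce + 1
        return sig

    stats = {"attacker_blocks": 0, "signatures_tried": 0}
    prev_sig = attacker_signs(b"constructed block forged by attacker")
    for height in range(n_blocks):
        forger = next_forger(prev_sig, ACCOUNTS)
        block = b"constructed block %d forged by " % height + forger
        if forger in ATTACKER_KEYS:
            stats["attacker_blocks"] += 1
            prev_sig = attacker_signs(block)
        else:
            prev_sig = sign_block(block, 0)   # honest forgers sign exactly once
    total_stake = sum(ACCOUNTS.values())
    stats["attacker_stake_share"] = sum(ACCOUNTS[k] for k in ATTACKER_KEYS) / total_stake
    stats["n_blocks"] = n_blocks
    return stats


if __name__ == "__main__":
    print("honest signing:", simulate(50, grind=False))
    print("ground signing:", simulate(50, grind=True))
```

Without grinding the attacker, who holds 1% of the stake, forges about his stake share of the blocks that follow one of his own. With grinding he forges every one of them, paying only a few hundred extra hash computations per block, which is the "computing power as a proxy for stake" effect post #39 describes. forging_queue is the per-account timing computation of post #41; because every input to it is public, the attacker knows before publishing whether his ground signature has won the next block.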