Topic: Discussing the differences between POW and POS from a network security POV

hero member
Activity: 574
Merit: 500
Oh wow that keys to the past trick is killer!


It certainly explains why checkpoints were introduced! Nxt et al. improved checkpoints by making transactions irreversible after 720 blocks. In fact, cynicSOB was invited to try attacking Nxt after he managed to double-spend a minor PoS alt.

Thanks to you both for your informative replies.

I should point out that these are decentralised checkpoints: every client is hardcoded not to allow reorganisations more than 720 blocks deep. Any attempt to reorganise further back than this (i.e. 'simply' take the keys of old accounts and build 'a better chain') is prevented.

I am surprised at cynicSOB's comments since this has been discussed with him previously. I for one would like him to finish his work if possible > https://nxtforum.org/testnet/nxt-security-audit-attack-simulations-on-testnet/

I don't think Nxt is as he expected it but would still like a small write-up of any findings (none of his claims have stood up to scrutiny so far). I find many people talk about POS but don't realise there are multiple implementations of it. Akin to me asserting there are serious issues with scrypt POW and using that as evidence as to why Bitcoin isn't secure.
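As an added illustration of the decentralised checkpoint rule described above (not Nxt's code), here is a toy chain-selection routine: a node refuses any competing chain that would undo more than 720 blocks of its own history, however long that chain is, and only then compares length. The `Block` model and the sample chains are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_REORG_DEPTH = 720  # depth limit quoted in the thread for Nxt-style clients


@dataclass(frozen=True)
class Block:
    height: int
    block_id: str
    prev_id: str


def fork_point(local: List[Block], candidate: List[Block]) -> Optional[int]:
    """Height of the last block both chains share, or None if they share none."""
    common = None
    for a, b in zip(local, candidate):
        if a.block_id != b.block_id:
            break
        common = a.height
    return common


def accept_reorg(local: List[Block], candidate: List[Block],
                 max_depth: int = MAX_REORG_DEPTH) -> bool:
    """Decide whether a node switches from `local` to `candidate`.
    Rule 1 (the decentralised checkpoint): refuse any candidate that would discard
    more than max_depth blocks of local history, no matter how long it is.
    Rule 2: otherwise the longer chain wins (length stands in for cumulative weight)."""
    fp = fork_point(local, candidate)
    if fp is None:
        return False  # not even genesis in common
    depth = local[-1].height - fp  # local blocks that would be thrown away
    if depth > max_depth:
        return False
    return len(candidate) > len(local)


def make_chain(length: int, tag: str, base: Optional[List[Block]] = None) -> List[Block]:
    """Constructed sample chain: extend `base` (a shared prefix) with blocks tagged `tag`."""
    chain = list(base or [])
    while len(chain) < length:
        prev = chain[-1].block_id if chain else "genesis"
        chain.append(Block(len(chain), f"{tag}-{len(chain)}", prev))
    return chain
```

A 5000-block "better chain" built from old keys that forks 1000 blocks back is rejected, while a slightly longer chain forking 500 blocks back is still accepted.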
hero member
Activity: 574
Merit: 500
I thought there was some way you could run umpteen daemons or something like that, each basically hoping to be the lucky instance that gets a block, all using the same wallet/stake since there is nothing preventing you using the same wallet/stake in billions of separate copies of the program?

Try a billion times to form the next block, and whichever copy succeeds, that's cool; all the copies that failed cost you no coins. They are in effect just a kind of hashing, a doing of work: the more different attempts you make to form the next block, the greater your chance of doing so, while it costs you no additional stake since all the copies are using the same stake. It's only the one that actually gets lucky and finds a block that anyone else sees.

As I recall it didn't actually require umpteen copies of the daemon, at least when it was first discussed years ago; you just modify the code to multiply your attempts at successfully finding a block with your stake.

I do not know the details, as proof of stake was shot down when Sunny King came out with Peercoin and there has been no word since of anyone ever actually fixing the problem, other than Sunny King making some vague handwavings, smokescreens or whatever, so it all amounted to "oh pooh pooh, who cares, we are all making money, so fuck it"; no one actually cares that the whole thing is utterly broken from first principles.

The basic problem being it costs no stake to "use" stake for mining so you can use it in parallel as many times as you have RAM and CPU etc enough to do.

-MarkM-


This is known as stake grinding: mining on all chains you see. In concrete implementations of POS, this makes the attack harder as the number of branches you see increases exponentially with time. Attempting this tends towards POW in terms of computer cycles.

You may find this thread interesting: https://bitcointalksearch.org/topic/nothing-at-stake-long-range-attack-on-proof-of-stake-consensus-research-897488

The OP gives a summary of the findings and is updated here: https://bitcointalksearch.org/topic/m.10152632
legendary
Activity: 924
Merit: 1000
Oh wow that keys to the past trick is killer!


It certainly explains why checkpoints were introduced! Nxt et al. improved checkpoints by making transactions irreversible after 720 blocks. In fact, cynicSOB was invited to try attacking Nxt after he managed to double-spend a minor PoS alt.

Thanks to you both for your informative replies.
legendary
Activity: 2940
Merit: 1090
Oh wow that keys to the past trick is killer!

A pre-mine could be sold off, then its keys used to change the past to sell it off again, rinse and repeat until the suckers eventually maybe figure out the whole coin was nothing but a scam from the start; meanwhile you've already spammed out a few hundred more POS coins to run the same scam again and again...

Anyone who runs out of coins can get an extra little tip by selling their old keys to collectors looking to change the past...

How does anyone take POS coins seriously at all?

At least with Proof of Work you can have one family of merged mined coins per algorithm that might actually manage to have more than 50% of the world's hashing power of that algorithm securing them thus have some chance of actually being secure... Though even in Proof of Work one keeps seeing idiots falling for coins that re-use an established algorithm without supporting merged mining...

-MarkM-
member
Activity: 106
Merit: 10
yes, sometimes I'm a cynical SOB
Try a billion times to form the next block, and whichever copy succeeds, that's cool; all the copies that failed cost you no coins. They are in effect just a kind of hashing, a doing of work: the more different attempts you make to form the next block, the greater your chance of doing so, while it costs you no additional stake since all the copies are using the same stake. It's only the one that actually gets lucky and finds a block that anyone else sees.

No, that's not how POS works. Some early POS coins may have had bugs that allowed you to do something similar to that, but nowadays that's not possible. If you try a billion times in parallel with the same stake, you either fail a billion times or succeed a billion times (a billion successes all in the same block, so they are as useful as only one, i.e. you find the exact same block a billion times).

There are two problems with POS that I'd care about, and I think both have been called "nothing at stake" at least once, but they are different issues:
- One is that in POW finding a block or not depends on the (hash of the) transactions of the new block. But in POS, once you find a block you can create another one (at the same height) with different tx's for free.
- The other one is a history rewrite: in POW, if I own in the present 51% of the hashrate of some point in the past, I can do nothing with that. For example you can buy some ASIC that has more hashrate than all the network combined had in some moment of 2011. But that's useless. However in POS if I have control in the present of the private keys to a stake larger than 51% in some past then I can use that to rewrite the blockchain from that time until the present (overriding the tx's in which that 51% changed hands).

Many coins take measures to mitigate, with different levels of success, the consequences of these two problems. However, it's hard to deny that they are security weaknesses inherent to POS.
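An added toy model of a PoS kernel lottery (a constructed scheme, not any real coin's protocol) that makes the two points in the post above concrete: running the same stake through the lottery a thousand times in parallel gives a thousand identical results, and because the new block's transactions are not an input to the lottery, a winner can mint several different valid blocks at the same height for free. `TARGET_PER_COIN` and the sample staker names are constructed values.

```python
import hashlib
from typing import List, Optional

TARGET_PER_COIN = 2**256 // 50  # constructed: one coin of stake wins 1 slot in 50


def kernel_hash(prev_block_id: str, staker: str, timestamp: int) -> int:
    """The eligibility hash. Note what is absent: the new block's transactions."""
    data = f"{prev_block_id}|{staker}|{timestamp}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def is_eligible(prev_block_id: str, staker: str, stake: int, timestamp: int) -> bool:
    """A staker wins the slot if the kernel hash falls under a stake-weighted target."""
    return kernel_hash(prev_block_id, staker, timestamp) < TARGET_PER_COIN * stake


def parallel_attempts(prev_block_id: str, staker: str, stake: int,
                      timestamp: int, n: int) -> int:
    """Run the lottery n times 'in parallel' with the same stake and inputs.
    The function is deterministic, so the count is always 0 or n: extra copies
    of the forger only rediscover the same block (or the same failure)."""
    return sum(is_eligible(prev_block_id, staker, stake, timestamp) for _ in range(n))


def mint_block(prev_block_id: str, staker: str, timestamp: int, txs: List[str]) -> str:
    """Block id commits to the tx list, but the lottery above never looked at it."""
    body = f"{prev_block_id}|{staker}|{timestamp}|{','.join(txs)}".encode()
    return hashlib.sha256(body).hexdigest()


def free_alternatives(prev_block_id: str, staker: str, stake: int,
                      timestamp: int, tx_sets: List[List[str]]) -> List[str]:
    """Once eligible, every tx set gives a distinct valid block at the same height
    for no extra cost. Returns the block ids, or [] if the slot was not won."""
    if not is_eligible(prev_block_id, staker, stake, timestamp):
        return []
    return [mint_block(prev_block_id, staker, timestamp, txs) for txs in tx_sets]


def first_timestamp(prev_block_id: str, staker: str, stake: int, start: int,
                    want: bool = True, limit: int = 100_000) -> Optional[int]:
    """Demo helper: first timestamp from `start` whose eligibility equals `want`."""
    for ts in range(start, start + limit):
        if is_eligible(prev_block_id, staker, stake, ts) == want:
            return ts
    return None
```

In a PoW-style scheme the block body would be part of the hashed input, so each alternative block would need its own fresh work; here only the timestamp moves the lottery, which is why real implementations bound how far it may drift.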
legendary
Activity: 2940
Merit: 1090
I thought there was some way you could run umpteen daemons or something like that, each basically hoping to be the lucky instance that gets a block, all using the same wallet/stake since there is nothing preventing you using the same wallet/stake in billions of separate copies of the program?

Try a billion times to form the next block, and whichever copy succeeds, that's cool; all the copies that failed cost you no coins. They are in effect just a kind of hashing, a doing of work: the more different attempts you make to form the next block, the greater your chance of doing so, while it costs you no additional stake since all the copies are using the same stake. It's only the one that actually gets lucky and finds a block that anyone else sees.

As I recall it didn't actually require umpteen copies of the daemon, at least when it was first discussed years ago; you just modify the code to multiply your attempts at successfully finding a block with your stake.

I do not know the details, as proof of stake was shot down when Sunny King came out with Peercoin and there has been no word since of anyone ever actually fixing the problem, other than Sunny King making some vague handwavings, smokescreens or whatever, so it all amounted to "oh pooh pooh, who cares, we are all making money, so fuck it"; no one actually cares that the whole thing is utterly broken from first principles.

The basic problem being it costs no stake to "use" stake for mining so you can use it in parallel as many times as you have RAM and CPU etc enough to do.

-MarkM-
legendary
Activity: 924
Merit: 1000
It doesn't actually cost you stake to do proof of stake mining though, does it?

So can't you spawn billions of alternates each hoping to get lucky with the same stake?

Alternate timelines kind of thing?

-MarkM-


I don't really see how those "billions of alternates" would help you "get lucky with the same stake" as all of those coins have blockchains too. Are you talking about some kind of time-warp attack?
legendary
Activity: 2940
Merit: 1090
It doesn't actually cost you stake to do proof of stake mining though, does it?

So can't you spawn billions of alternates each hoping to get lucky with the same stake?

Alternate timelines kind of thing?

-MarkM-
legendary
Activity: 924
Merit: 1000
Surprisingly serene in here,...

That's because we've yet to read a post on this thread from you-know-who. Wink
hero member
Activity: 574
Merit: 500
Surprisingly serene in here, good work folks  Grin Good discussion.
legendary
Activity: 924
Merit: 1000
There is an attack vector here, against operators of exchanges, particularly instant exchanges like shapeshift.io: if you attack a POS coin and double spend, you can get away with the converted currency twice, if you point the double spend at a different instant exchange. In that case you get away scot-free and end up dumping all your attacked stake at the same time.

You could do the same thing in POW coins as well, but the cost of the attack is higher because of the electricity cost (this is after you've acquired your stake, or mining equipment / hash rentals).

edit: I have no particular leaning towards one scheme or the other; this discussion is just for the purposes of uncovering the key distinction which never seems to be discussed directly.

Good point - but that would require a very liquid market to absorb the dump. Since liquidity tends to correlate with market cap, you've bumped into the consilience bit: you'd need a lot of $$$ to buy enough of the alt to make the double-spend feasible.

There is one kind of alt that is vulnerable to this double-spend technique: a wildly pumped coin which has great but temporary liquidity due to it being hyperpumped. Then, you could nail it with that kind of double-spend and get out of Dodge without much of a loss. If you play it right & are very lucky, you might escape with a gain.

But to pull it off in the wild, you'd not only need the technical skill but also the psychological skill of coldly dumping the coin when it's white-hot. That latter skill is not that easy to acquire, but some have it.
legendary
Activity: 1008
Merit: 1007
You can't repurpose, so there's no value except salvage value. The only way an attack of this sort makes economic sense is if you're the type of quasi-masochistic person who launches a PoS attack in order to load up on very cheap coins so as to take the coin over.

There is an attack vector here, against operators of exchanges, particularly instant exchanges like shapeshift.io: if you attack a POS coin and double spend, you can get away with the converted currency twice, if you point the double spend at a different instant exchange. In that case you get away scot-free and end up dumping all your attacked stake at the same time.

You could do the same thing in POW coins as well, but the cost of the attack is higher because of the electricity cost (this is after you've acquired your stake, or mining equipment / hash rentals).

edit: I have no particular leaning towards one scheme or the other; this discussion is just for the purposes of uncovering the key distinction which never seems to be discussed directly.
legendary
Activity: 924
Merit: 1000
There is a subtle difference between the resources needed for attacks on a PoW coin and one on a PoS coin. With regard to the former, with regard to SHA & scrypt coins (at least), all you need are general-purpose ASICs that can be converted to mining another coin of the same type. If you have a ****-ton of scrypt ASICs, you can 51% a Litecoin clone and then go back to mining Litecoin normally. Same goes for a Bitcoin clone and SHA-256 ASICs. 51%ing is going to take a lot of $$$, but the ASICs used in the attack have a repurposing value.

On the other hand: with a PoS attack, you need to be a whale with a huge haunch of the specific coin being attacked. A coin with no repurposing value, only salvage value. That means your 'investment' in attack resources is more-or-less a write-off after your attack works. You can't repurpose, so there's no value except salvage value. The only way an attack of this sort makes economic sense is if you're the type of quasi-masochistic person who launches a PoS attack in order to load up on very cheap coins so as to take the coin over. As we all know, a compromised altcoin is typically a dead duck: a "hostile takeover" of this sort is a lot like deliberately loading up and bagholding a zombie coin so as to take it over.

Which system is favoured tells you a lot about the person doing the favouring. A techie is most likely to boost PoW and slag PoS; an economist type prefers PoS. The above two paragraphs should tell you what type I am. Wink

At the top of the respective heaps, there's an interesting singularity. If someone loads up on a ****-ton of ASICs to attack Bitcoin itself or Litecoin itself, then the resale/repurposing values of those ASICs are going to be wrecked. So, a PoW attack on the top-of-the-respective-heap coin amounts to shooting your pocketbook in the foot: it's an economic-kamikaze attack. Same thing goes for an attack on a PoS coin, in particular one with a huge market cap. Funny how a huge market cap is the best defense against an attack regardless of the network system.
legendary
Activity: 1008
Merit: 1007
If you discard the obvious differences between Proof Of Work and Proof Of Stake, you could be forgiven for drawing a lot of parallels between the two in terms of network attack cost:

* In both schemes, for an outsider considering attacking the network, a considerable investment in the network itself must be made in order to gain enough hashing power, or actual stake, to have an influence on block production

* Once the attacker has enough resources inside the network, there is the common argument that an attack against the network is also an attack against the value he has just invested in it

There is, however, one critical difference between the two schemes which is this:

In POW, a network attack costs energy resources for every single block which gets produced. In POS, this is not the case: it doesn't cost you any of your actual stake to produce a block.

To be truly equivalent, POS would need to have a scheme more like Proof Of Burn, whereby producing blocks costs the producer some of his actual stake.

Thoughts?