Escrow attack on Proof-of-Stake | Bitcointalksearch.org

passerby

member

Activity: 112

Merit: 10

Quote from: astor on April 19, 2013, 11:09:04 PM

Quote from: passerby on April 19, 2013, 06:15:27 AM

The reason for compensating miners (with fees, subsidy, or anything at all) is that because in a PoW scheme they provide a service that is vital to the entire market.

In a scheme where solving progressively complex cryptopuzzles does not serve to secure the ledger against doublespends and other shenanigans, mining is, frankly speaking, a waste and should have been replaced with a more reasonable initial wealth distribution routine - of which there are many options (including collusion-proof cryptographic lotteries)

In fact, mining provides outright perverse initial wealth distribution in pure PoS because you are essentially rewarding folks for the investment they have made into another, different crypto-currency scheme (by buying BTC mining equipment), an investment that has been likely already paid off via that other scheme.

That's like if Microsoft started paying me money for the fact that I own Google shares Wink

Interesting point, and I agree with the wealth distribution argument. However this can be fixed by not using SHA256 which is not designed to be a technology-neutral algorithm.

Well, yeah, a different PoW might have alleviated the issue a bit, though designing a PoW that would be hostile to modern mining equipment turns out to be a pretty hard task it seems...

Quote from: astor on April 19, 2013, 11:09:04 PM

Regarding a crypto lottery, where is the collusion-proof cryptographic lottery that is immune to a sybil attack?

Immune ? No.

But significant sybil-resistance could be achieved by various tricks (an obvious and somewhat imperfect one would be to use v4 IPs as "identities". Admittedly, you can still sybil a lot, especially if you are a botty op, but during initial wealth distribution a botnet is not likely to show up and anyone who honestly buys a crapton of IPs just to win MORE PPCOINS is probably an individual with quite a bit of interest in your specific coin)

astor

newbie

Activity: 39

Merit: 0

Quote from: passerby on April 19, 2013, 06:15:27 AM

The reason for compensating miners (with fees, subsidy, or anything at all) is that because in a PoW scheme they provide a service that is vital to the entire market.

In a scheme where solving progressively complex cryptopuzzles does not serve to secure the ledger against doublespends and other shenanigans, mining is, frankly speaking, a waste and should have been replaced with a more reasonable initial wealth distribution routine - of which there are many options (including collusion-proof cryptographic lotteries)

In fact, mining provides outright perverse initial wealth distribution in pure PoS because you are essentially rewarding folks for the investment they have made into another, different crypto-currency scheme (by buying BTC mining equipment), an investment that has been likely already paid off via that other scheme.

That's like if Microsoft started paying me money for the fact that I own Google shares Wink

Interesting point, and I agree with the wealth distribution argument. However this can be fixed by not using SHA256 which is not designed to be a technology-neutral algorithm.

Regarding a crypto lottery, where is the collusion-proof cryptographic lottery that is immune to a sybil attack?

passerby

member

Activity: 112

Merit: 10

The reason for compensating miners (with fees, subsidy, or anything at all) is that because in a PoW scheme they provide a service that is vital to the entire market.

In a scheme where solving progressively complex cryptopuzzles does not serve to secure the ledger against doublespends and other shenanigans, mining is, frankly speaking, a waste and should have been replaced with a more reasonable initial wealth distribution routine - of which there are many options (including collusion-proof cryptographic lotteries)

In fact, mining provides outright perverse initial wealth distribution in pure PoS because you are essentially rewarding folks for the investment they have made into another, different crypto-currency scheme (by buying BTC mining equipment), an investment that has been likely already paid off via that other scheme.

That's like if Microsoft started paying me money for the fact that I own Google shares Wink

Sunny King

legendary

Activity: 1205

Merit: 1010

Quote from: passerby on April 19, 2013, 02:56:08 AM

Quote from: Sunny King on April 18, 2013, 03:10:11 PM

Miners don't have a play in double-spending attack, unless they wait and become stake owner. Security comes from proof-of-stake, proof-of-work only provides minting. Please don't confuse ppcoin's design with other proof-of-stake proposals. Our design is the only one that gives full respect to the concept of proof-of-stake and is the only one that actually has an implementation rather than just talks.

So, basically, this entire ppcoin thing is a bit like Solidcoin sans massive egotism and with less retarded pignode implementation?

Why not discard the PoW component altogether, if it has no "say" in choosing which chain is "goodchain" ?

P.S.:
Disclosure - passerby is affectionately fond of hybrid PoW/PoS things, and hybrid things in general

From FAQ:

Quote

How is it energy-efficient when there is still mining?

The energy efficiency we refer to is long-term energy efficiency, as in long term we do not require the use of energy to sustain the network.

Currently proof-of-work remains the most practical way of providing initial minting of a crypto-currency. So we decided to keep it as part of our hybrid design.

Ripple founders chose to do just that, eliminating proof-of-work and using a centralized model of initial minting and distribution, which I found against the spirit of bitcoin. I am not against people making profit, but in a larger picture, cryptocurrency is way more important than the success of one company or a small group of people. Putting the distribution in a central administration makes the currency highly vulnerable to confiscation as there is no plausible deniability.

passerby

member

Activity: 112

Merit: 10

Quote from: xorxor on April 18, 2013, 10:59:57 PM

Quote from: Balthazar on April 18, 2013, 03:17:24 PM

Quote from: astor on April 18, 2013, 12:12:31 PM

Thus any large escrow service would be a threat to the network, in addition to large miners.

Yes, they can, but technically it will be suicide for them. Anyway, it's possible to prevent such attacks by implementing another REORGANIZE algo.

why reorganize? it is still harder and extremally expensive to 51% a PoS blockchain, than a PoW only one.

beauty of PoS concept is that atacker to be succesfuf has to attack himself.

Because clearly, all human creatures are rational (or at least L-rational) and economically motivated.

"man shall not live by bread alone" - said no human, ever Roll Eyes

Quote from: Sunny King on April 18, 2013, 03:10:11 PM

Miners don't have a play in double-spending attack, unless they wait and become stake owner. Security comes from proof-of-stake, proof-of-work only provides minting. Please don't confuse ppcoin's design with other proof-of-stake proposals. Our design is the only one that gives full respect to the concept of proof-of-stake and is the only one that actually has an implementation rather than just talks.

So, basically, this entire ppcoin thing is a bit like Solidcoin sans massive egotism and with less retarded pignode implementation?

Why not discard the PoW component altogether, if it has no "say" in choosing which chain is "goodchain" ?

P.S.:
Disclosure - passerby is affectionately fond of hybrid PoW/PoS things, and hybrid things in general

xorxor

sr. member

Activity: 476

Merit: 253

Quote from: Balthazar on April 18, 2013, 03:17:24 PM

Quote from: astor on April 18, 2013, 12:12:31 PM

Thus any large escrow service would be a threat to the network, in addition to large miners.

Yes, they can, but technically it will be suicide for them. Anyway, it's possible to prevent such attacks by implementing another REORGANIZE algo.

why reorganize? it is still harder and extremally expensive to 51% a PoS blockchain, than a PoW only one.

beauty of PoS concept is that atacker to be succesfuf has to attack himself.

Balthazar

legendary

Activity: 3108

Merit: 1359

Quote from: astor on April 18, 2013, 12:12:31 PM

Thus any large escrow service would be a threat to the network, in addition to large miners.

Yes, they can, but technically it will be suicide for them. Anyway, it's possible to prevent such attacks by implementing another REORGANIZE algo.

Sunny King

legendary

Activity: 1205

Merit: 1010

Quote from: astor on April 18, 2013, 12:12:31 PM

In a Proof-of-Stake system similar to bitcoin, a large number of coins could lie dormant and accrue 'coin days'. If these coins are in escrow, like on Mt.Gox, their 'coin days' could be used to do an attack on the network.

Thus any large escrow service would be a threat to the network, in addition to large miners.

Thus either escrow services must pay interest, or the need for escrow should be eliminated by a better block chain design and p2p exchanges.

It's true that an exchange or wallet service could use it's wallet to launch attack on proof-of-stake, although unlikely. The current plan is to implement reorg depth limit and relegate checkpoint to be advisory be default, so if this type of attack (considered to be equivalence of 51% attack on proof-of-work) occurrs users can subscribe to checkpoint so that transaction processing can continue on block chain.

Miners don't have a play in double-spending attack, unless they wait and become stake owner. Security comes from proof-of-stake, proof-of-work only provides minting. Please don't confuse ppcoin's design with other proof-of-stake proposals. Our design is the only one that gives full respect to the concept of proof-of-stake and is the only one that actually has an implementation rather than just talks.

Balthazar

legendary

Activity: 3108

Merit: 1359

Quote from: Sunny King on April 18, 2013, 03:00:13 PM

More confirmations means more security from double-spend. It's same for proof-of-stake.

Yes, because it decreases a risk and makes attacker costs higher. But you still can't say that N confirmations amount provides you the 100% protection against double-spend. Risk still exists, it can be 0.00000000001%, but it still exists. But everyday life is a complex of balanced risks, anyway.

Sunny King

legendary

Activity: 1205

Merit: 1010

Quote from: Balthazar on April 18, 2013, 02:50:49 PM

Quote from: tacotime on April 18, 2013, 02:40:32 PM

How do exchanges implement confirmation, then? How do exchanges implement confirmation, then?

Merchant operator usually selects fixed confirmations amount and takes a risk of double-spend. This is the fundamental problem, one can't say what the chain is correct, if there are no another chains for trust score comparison. And it doesn't matter how many confirmations do you have, 6 or even 600.

More confirmations means more security from double-spend. It's same for proof-of-stake.

Balthazar

legendary

Activity: 3108

Merit: 1359

Quote from: Balthazar on April 18, 2013, 02:50:49 PM

Merchant operator usually selects fixed confirmations amount and takes a risk of double-spend. This is the fundamental problem, one can't say what the chain is correct, if there are no another chains for trust score comparison. And it doesn't matter how many confirmations do you have, 6 or even 600.

... but it's possible to estimate risks and select confirmations amount for your own situation. If attack costs more than transaction volume, you can trust it with lower amount of confirmations, for example.

tacotime

legendary

Activity: 1484

Merit: 1005

Okay, thank you for your answer.

Balthazar

legendary

Activity: 3108

Merit: 1359

Quote from: tacotime on April 18, 2013, 02:40:32 PM

How do exchanges implement confirmation, then? How do exchanges implement confirmation, then?

Merchant operator usually selects fixed confirmations amount and takes a risk of double-spend. This is the fundamental problem, one can't say what the chain is correct, if there are no another chains for trust score comparison. And it doesn't matter how many confirmations do you have, 6 or even 600.

tacotime

legendary

Activity: 1484

Merit: 1005

Quote

All systems ignores the number of blocks. The both PoW and PoS systems calculates "trust score" for each block.

In BTC-like systems, for example, this "trust score" comes from nBits field. You can't overwrite current chain with your own, if you have not enough "trust score" aka bnChainWork. Even if you generated 100x longer chain.

I see, thank you for taking the time to answer my questions. How do exchanges implement confirmation, then? As you worked with BTC-e with NovaCoin, you must know.

Balthazar

legendary

Activity: 3108

Merit: 1359

Quote from: tacotime on April 18, 2013, 02:28:33 PM

unless there's some kind of "block trust score" system that ignores the number of blocks and just calculates how much to trust each stake block.

All systems ignores the number of blocks. The both PoW and PoS systems calculates "trust score" for each block.

In BTC-like systems, for example, this "trust score" comes from nBits field. You can't overwrite current chain with your own, if you have not enough "trust score" aka bnChainWork. Even if you generated 100x longer chain.

tacotime

legendary

Activity: 1484

Merit: 1005

^^ Thanks for the criticism. Here's your enlightening weekly update:

Quote

v0.3.0 has been released. Upgrade should be performed before protocol switch on March 20th. A block chain re-download is necessary for the upgrade. See the 0.3 release thread for detailed instruction: https://bitcointalksearch.org/topic/ann-ppc-ppcoin-030-release-upgrade-required-144964
v0.3 protocol involves several changes, first the proof-of-stake hash modifier is switched to one computed from roughly 9 days worth of blocks. The blocks are grouped and 64 blocks are selected based on a 'selection hash'. Then each selected block contributes one bit to the modifier. The purpose of stake modifier is to prevent stake owner from manipulating future stake generation at the time the coin is confirmed into block chain.
Two other protocol changes are made: stake hash weight now starts from 0 at 30-day minimum age requirement; coinstake timestamp now must match block timestamp.

The 0.3 release thread for detailed instruction:

Quote

The protocol upgrade in 0.3.0 includes a new algorithm to derive proof-of-stake hash modifier, the entity that scrambles computation for stake owners, which replaces the current proof-of-stake difficulty used as modifier in 0.2 protocol. The design was started late September last year, when I first began to realize the issues with using difficulty as modifier. Honorary mention also goes to Jutarul, who independently discovered and verified an issue with using difficulty as modifier and published on bitcointalk in December last year, while successfully executed a demo attack on the block chain. Other changes in the protocol include starting hash weight from 0 at the 30-day mininum age, and requirement that coinstake timestamp must equal block timestamp. Overall 0.3 protocol should significantly strengthen the proof-of-stake protection and resolve the current known vulnerabilities.

https://bitcointalksearch.org/topic/ann-ppc-ppcoin-030-release-upgrade-required-144964

Here is your enlightening answer as to what these 400 lines of code accomplish in kernel.cpp:

Quote

Thanks. Surely you have already touched upon the reasons of what you refer to as 'opaque' development, mostly, due to lack of resources, secondly, for security concerns. I only have time to discuss the design with trusted peers before release. I hope you can understand that there is lot of work involved and it's not trivial work to even understand the design and its intricacies. There is no separate document, I have put some comments into the source code, it's not long at all, only about 400 lines in kernel.cpp and some of it is preexisting code in v0.2. Interested parties can take time to look at it, and discuss it maybe in my disclosure thread. I'll try to answer some of the questions along the way.

edit: Diff for anyone interested, took me a while to dig up
https://github.com/ppcoin/ppcoin/commit/b0b7eb2ecad409a2a98f6aa35bf99a4fb247ff35

Sunny King

legendary

Activity: 1205

Merit: 1010

For those of you who can't be bothered to read (only a few hundred lines of) source code and constantly fault me for not teaching the new algorithm in fine detail, I am sorry I cannot take you seriously as a critic as I think to be a good critic you need to seriously spend some effort as well. Besides I have already outlined the algorithm in my weekly updates but some people don't read it either before throwing complaints.

I am very busy and continue to work hard in order to better compete in the cryptocurrency market. So get some coffee and start reading before I can start taking you seriously.

tacotime

legendary

Activity: 1484

Merit: 1005

Right. But, you need 6 blocks to double spend (unless there's some kind of "block trust score" system that ignores the number of blocks and just calculates how much to trust each stake block).

Balthazar

legendary

Activity: 3108

Merit: 1359

Quote from: tacotime on April 18, 2013, 02:18:35 PM

So the number of stake blocks that would be generated after bringing them online after a 90 day period is the same?

It's almost the same as 100 mhash/s vs. 100 x 1 mhash/s for PoW system.

For example:

PoW diff-1 is ~ 4.29 * 10^9 hashes per block
PoS diff-1 is ~ 4.29 * 10^9 coin-day-second per block

P.S. I was wrong about reward, sorry.

tacotime

legendary

Activity: 1484

Merit: 1005

Quote from: Balthazar on April 18, 2013, 02:11:10 PM

There is no difference between "1 wallet" and "500 wallets" configurations.

So the number of stake blocks that would be generated after bringing them online after a 90 day period is the same?

Topic: Escrow attack on Proof-of-Stake (Read 1705 times)