Sorry, finally getting some time to spend sitting down and thinking about this for a couple hours.
But the way to mitigate the attack is similar to what you described (I'm not sure why you described it as the square root of the difficulties?), but just assign a blockchain score of:
block=1{summation}block=n of (PoW Difficulty in Block 1 * (PoS Difficulty in Block 1)^-1) + ... + (PoW Difficulty in Block n * (PoS Difficulty in Block n)^-1)
I don't get this. This is the weight for the total blockchain right?
PoS difficulty is the price of a ticket in terms of % of total coins available. The price is adjusted to sell a constant # of tickets. If the PoS Difficulty is low (tickets are cheap), then only a small fraction of total coins are participating in the lottery. The chain should be penalized for this. Your formula rewards the attacker for lowering PoS Difficulty, making the problem worse not better.
Again I suggest you use:
block=1{summation}block=n of (PoW Difficulty in Block 1)^0.5 * (PoS Difficulty in Block 1)^0.5 + ... + (PoW Difficulty in Block n)^0.5 * (PoS Difficulty in Block n)^0.5
Yeah, now I get it.
The only time you can get absolute certainty that a double spend can succeed is with 51% PoW and 51% PoS. But you suspect there is a flaw in this logic...
Nothing to lose sleep over. Even though your logic is flawed, it does not reflect a fundamental flaw in your design. One chain will always be either better, equal to, or worse than another chain. The algorithm evaluates proof chains to decide this.
One group's chain controls a fraction x PoW and a fraction y PoS. The other group then has corresponding fractions 1-x PoW and 1-y PoS. The groups use their resources to construct long proof chains. Let f be a function evaluating the proof in a chain constructed using a PoW and PoS pair over a long time span. Of course PoW outcomes are random, but let's just ignore that to keep things simple.
We must have f (x, y) > f (1-x, 1-y) or f (x, y) = f (1-x, 1-y) or f (x, y) < f (1-x, 1-y). That is the first group wins, it is a tie, or the first group loses. The winning group gets complete control over which txns enter PoW blocks. The losing group becomes completely irrelevant.
f (x, y) = f (1-x, 1-y) describes a boundary on 0 <=x <=1 and 0 <=y <=1. If one group (good or bad) is on this boundary and adds on just a little bit of hashing power or a little bit of stake, then this group wins.
Bitcoin uses the boundary x = 0.5
My ideal boundary is y = 0.5 (that's what you approach as the number of signatories per block increases)
Your boundary needs to simulated because of the two difficulties.
But if we ignore that (only matters over long intervals anyway) and make an additional assumption, we can calculate it.
Here's the assumption:
You are including invalidated empty blocks in the block chain. If these empty blocks contribute to proof just like normal blocks, a 51% PoW attacker can select the winning chain, even with 0% stake. This makes PoS close to pointless. To avoid this, I'm going to assume that the empty blocks do not contribute to proof at all.
Then:
A PoW block contributes to proof iff it has at least 3 stake votes.
Proof Creation Rate = (Rate at Which Group Creates PoW Blocks) * (Probability Group Controls 3, 4, or 5 Stake Votes)
Probability Group Controls 3, 4, or 5 Stake Votes is a binomial distribution with Pr (X>=3) for a binomial distribution with parameters n=5 and p=y for group 1 and p=1-y for group 2.
http://en.wikipedia.org/wiki/Binomial_distributionPr (X>=3) = Pr (X=3)+Pr(X=4)+Pr(X=5)= 10y³(1-y)²+5y⁴(1-y)+y⁵ for group 1
Rate at which Group 1 creates PoW blocks is x*(total hash rate of both groups / PoW difficulty).
So we have,
Group 1 Proof Creation Rate = f(x,y) = (10y³(1-y)²+5y⁴(1-y)+y⁵) * (x) * (total hash rate of both groups / PoW difficulty)
Group 2 Proof Creation Rate = f(1-x,1-y) = (10(1-y)³(y)²+5(1-y)⁴(y)+(1-y)⁵) * (1-x) * (total hash rate of both groups / PoW difficulty)
The two groups are tied if
(10y³(1-y)²+5y⁴(1-y)+y⁵) * (x) * (total hash rate of both groups / PoW difficulty) = (10(1-y)³(y)²+5(1-y)⁴(y)+(1-y)⁵) * (1-x) * (total hash rate of both groups / PoW difficulty)
Solving for x gives us the boundary
x = -6y⁵+15y⁴-10y³+1 on 0<=y<=1
In table form:
x y
1 0
0.99144 0.1
0.94208 0.2
0.83692 0.3
0.68256 0.4
0.5 0.5
0.31744 0.6
0.16308 0.7
0.05792 0.8
0.00856 0.9
0 1
So yes, you probably weren't aware that you could win with 90% stake and 0.9% work. But why is that a problem?
I guess it's not really a problem.
If we include total number of stakeholder votes in a separate weighting function, you may also be able to attenuate double spends by any stakeholder less than 51%. Such a weighting function might be described as
block=1{summation}block=n of (Stakeholder Votes in Block 1) + ... + (Stakeholder Votes in Block n)
The attacker wishes to double spend and the exchange requires three secured (3+ Yea votes) blocks for confirmation. Now, he must mine a chain in secret and achieve 3 or more secured blocks. In the meantime, the main chain must have three secured blocks to actually get the money to the exchange. However, this honest chain will have great difficulty actually achieving valid blocks without the help of the attacker, who can not dump his alternative chain onto the network unless the sum of his votes on his dishonest chain are greater than for the honest chain. The attacker must now wait a long time to achieve his double spend attack, although it's still not impossible.
With two weighting functions, you then end up with four conditions of the network when there are two chains in comparison with one another represented by (0,0), (0,1), (1,0), and (1,1). The first value indicates the condition of chain A being preferred over chain B using the first weighting metric, and the second value indicates the condition of chain A being preferred over chain B using the second weighting metric. For both conditions that are mixed, how should the main chain be selected? Is there some way you can think of to integrate the two weighting functions without further complicating things?
You are correct in that invalidated blocks will not contribute to the blockchain for the calculation above. They do, however, contribute the following:
1) Stakeholder tickets used within them are invalidated and their invalidation is included in the blockchain (can't spend stakeholder tickets twice).
2) Entropy from the block header hash is used to calculate ticket selection/lottery (as the block header still represents actual work).
There is a new attack that I just thought of if you force stakeholders to use their tickets when the lottery calls them. A PoW miner can submit blocks to the network full of garbage and use them to destroy PoS tickets, because the group of stakeholders in the next block will be sure to invalidate this block. This is a problem. How can this be mitigated? You could return the stakeholder tickets (so long as they actually voted) and let them be used again sometime in the future to validate a different block. Non-reporting stakeholder tickets should still be destroyed.
This makes sense. PoS miners should not be penalized for voting correctly on the previous block when the present block is garbage.
edit:
There is another problem I think, which is recursive invalidation of the blockchain if you invalidate the previous block. It is what it sounds like; once you invalidate a block previous in a string of valid blocks, all the blocks before it become invalidated because that block confirms all of these blocks reverse sequentially. There needs to be a way to keep the PoS transactions free from the manipulative harm of the PoW chain in some way.
I need to think about this some more, can't think of an easy solution off the top of my head. Perhaps just to have these stakeholders vote on the last block and then sign the one in which they are included in once it is submitted to the network is enough.
