Topic: Noob Q: Can bitcoin be turned into POS? (Read 3953 times)

legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
April 10, 2017, 11:17:12 AM
#95
Rolling checkpoints offer no protection from a fake chain, right after the checkpoint, only before the checkpoint.

True. That is why I mentioned the TaPoS/Clustering mechanism. Here every client could maintain a list of big economic players (he can check them manually) and in the case of a fork, see in an automated way on which chain they are.

Quote
Longest Chain with the most Difficulty  Smiley

Yes, but there is the "Long Range Attack" with emptied addresses and this way the attacker can fake difficulty and stake. That's the hard problem of PoS (although we have already said that this attack is highly impractical). But I think you know that already.

It would be cool if we could investigate further the possible "delete both transactions if there is a double spend at the same block height" solution I mentioned in an earlier post. The problem is that there are some few "legit ways" to double spend, like the "double spend if your TX doesn't go through" hack which gained prominence in the block size debate. But with RBF and CPFP this hack could be obsolete. I'm however aware that someone could have considered this solution already and dismissed it.

But if not (or the problems with the approach are solvable), then dino's "set concept" + "ignoring double spends at the same height" + "finalization" (blockchain immutability after a certain point, e.g. by rolling checkpoints, "gravity" or a "final stake vote") seems to be a way which could be explored further to see if there's a PoS algorithm secure enough for Bitcoin - that means, where no long range attack is possible except with >50% of the stake.

I think the current problems with ASICBOOST are pushing us in this direction. Yes, we could switch to another PoW mechanism but as we must be prepared that it could also have similar "flaws", it will be possible that another "optimization" of this kind will emerge for the new algorithm - maybe even a worse one that would enable a mining group to 51% the Bitcoin blockchain.
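The TaPoS/Economic Clustering fork choice discussed in this post, as an added illustration (not code from the thread or from any TaPoS implementation): every transaction carries the hash of a recent block, so a client that keeps a hand-maintained list of big economic actors can tell which branch those actors are anchored to and prefer it over a longer branch that none of them are on. The watch list, weights, block ids and transactions are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    sender: str
    ref_block: str      # hash of a recent block the sender signed over (TaPoS)


@dataclass(frozen=True)
class Block:
    hash: str
    txs: tuple


# Constructed watch list: economic actors this client trusts to be on the "right"
# chain, with a rough weight the user assigned by hand. It is a local policy, not
# a protocol rule, which is what the post describes.
WATCHED = {"exchangeA": 40, "exchangeB": 25, "payproc": 20, "merchant": 15}


def economic_support(branch, common, watched=WATCHED):
    """Sum the weights of watched actors with at least one tx anchored to a
    post-fork block of this branch. A tx anchored to a common (pre-fork) block is
    neutral: it would be valid on either side, so it says nothing about where the
    actor is. A tx anchored to a block of the other branch never gets here, since
    it is invalid on this branch and is rejected during block validation."""
    post_fork = {b.hash for b in branch} - set(common)
    supporters = set()
    for b in branch:
        for tx in b.txs:
            if tx.sender in watched and tx.ref_block in post_fork:
                supporters.add(tx.sender)
    return sum(watched[s] for s in supporters)


def choose_branch(common, branch_a, branch_b, watched=WATCHED, margin=0):
    """Fork choice by economic clustering instead of chain length: the branch with
    more watched-actor weight wins. Returns None when neither side leads by more
    than `margin`, i.e. the client should wait rather than reorg."""
    a = economic_support(branch_a, common, watched)
    b = economic_support(branch_b, common, watched)
    if a > b + margin:
        return "A"
    if b > a + margin:
        return "B"
    return None
```

A secretly built branch scores zero here even if it is longer, because none of the watched actors could have anchored transactions to blocks they never saw.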
legendary
Activity: 1092
Merit: 1000
April 08, 2017, 08:10:59 PM
#94
No. The "fake chain" problem is another one - it's also solvable by Economic Clustering or TaPoS, and also by reorg prohibition ("rolling checkpoints"). Simply "checking your chain at a block explorer" can be risky, because the block explorer could be on the fake chain (intentionally or unintentionally). That's the "weak subjectivity" problem but attacks on it are very difficult or expensive, because you must trick most block explorers to display the fake chain.

My question was referring only to the specific design proposed by dinofelis. In his design there are no alternative chains because all "alternative blocks" would become merged into one single chain. But in this design, if a double spend occurs, I don't know how he'll manage to tell which one of the transactions occurred first or how to "prune" the conflicting transaction. Although, sincerely, an attack based on that problem seems difficult, too.

A practical way to forbid double spends in dinofelis' design could be that if there are two conflicting transactions, both could be ignored - so if you double spend none of your two outputs would be confirmed.

Ok,
My references are directly to how PoS currently works.

I'll leave you & Dino to Discuss his specific designs.


 Cool

FYI:
Rolling checkpoints offer no protection from a fake chain, right after the checkpoint, only before the checkpoint.
So any chain can be faked, PoW or PoS, after the checkpoint,
if I can block you from seeing the True Chain and only seeing my chain,
there is absolutely nothing you can do aside from 3rd party confirmation with the block explorer or exchanges to confirm the correct chain.
Example:
Sync up a PoW or PoS blockchain on 3 PCs
After Syncing, disconnect from the internet
and on the PoW chain , mine it normally on 1 PC
and on the PoS chain , Stake normally
Both of which add blocks to your now forked chain.
Once you have done 20 blocks or so,

Now as long as you keep the Longer Chain with more difficulty hidden, you will continue on the fake fork you created.
But reconnect the internet, where the longer chain can be seen, and restart your PoW & PoS wallets, and both of these wallets will reorg and wipe out your false fork.
Because the group chain is stronger than your chain.

Now if you have more asics or more staking coins than the rest of the network, your chain would overwrite either, (as long as no checkpoints are blocking)
as in reality, there is no real true or fake chain, only this determines which will be considered the true chain:
Longest Chain with the most Difficulty  Smiley

legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
April 08, 2017, 07:58:57 PM
#93
No. The "fake chain" problem is another one - it's also solvable by Economic Clustering or TaPoS, and also by reorg prohibition ("rolling checkpoints"). Simply "checking your chain at a block explorer" can be risky, because the block explorer could be on the fake chain (intentionally or unintentionally). That's the "weak subjectivity" problem but attacks on it are very difficult or expensive, because you must trick most block explorers to display the fake chain.

My question was referring only to the specific design proposed by dinofelis. In his design there are no alternative chains because all "alternative blocks" would become merged into one single chain. But in this design, if a double spend occurs, I don't know how he'll manage to tell which one of the transactions occurred first or how to "prune" the conflicting transaction. Although, sincerely, an attack based on that problem seems difficult, too.

A practical way to forbid double spends in dinofelis' design could be that if there are two conflicting transactions, both could be ignored - so if you double spend none of your two outputs would be confirmed.
legendary
Activity: 1092
Merit: 1000
April 08, 2017, 07:02:05 PM
#92
I'm referring to this problem (Source):

Quote from: Andrew Poelstra, "On Stake and Consensus"
The answer is that there is no well-defined clock time in a distributed system.   Network la-
tency gives a finite speed of information propagation, which we know from special relativity means
different observers cannot agree on the time-ordering of events that occur closely in time
[...]
Users who are new to the network or have been offline recently need access to historical
data.   But  there  is  no  way  to  verify  after-the-fact  what  order  transactions  occurred  in,  so
they cannot be assured that the transactions they are receiving actually occurred before any
conflicting ones.

In my understanding, that could be solved by the technique known as "Economic Clustering" or "TaPoS", where every participant must sign his transactions with the hash of a recent block. So if there is a chain split because of two conflicting transactions, you can see on which one of the conflicting chains/blocks the economic majority is. The exact order (which occured before) would become irrelevant, only the transaction included in the "right block" would be the valid one.

But as "dinofelis" concept would have no "conflicting chains" (because all "conflicting blocks" or "stale blocks" would be integrated in the main chain) but only "conflicting transactions", I don't know how this problem could be solved there. He says that nodes should not accept back-dated transactions, but how can they know if they are back-dated if there is no universal time?

I read in the Casper history series that there could be an alternative approach with a "heartbeat" that dictates universal time in a PoS system, but I don't know this proposal (and its pros and cons) in detail.


OK, I got you now,

You are basically saying what if someone created a fake chain, how does your wallet know which is the true network chain.

A new user wallet is just as susceptible to a fake chain on PoS or PoW, no difference.
Both are looking for the longest chain, if someone has found a way to block you from seeing the true chain , either PoW or PoS would download the incorrect chain.
(Basically implying a Sybil attack)

The simple Answer is PoW or PoS, whenever you Sync a new client, you should always check the Blockexplorer for that coin and compare your Block height, and contents of said block, if the block information does not match then you are on a fake chain. To be additionally safe, you can always compare the block height of the exchange you are sending and receiving to.  No internal code like the heartbeat mentioned would stop a fake chain attack, as if they can fake the chain, they can also fake the heartbeat.
So just confirm with the block explorer or exchange, for PoS or PoW before sending or receiving coins.  Smiley

 Cool

FYI:
Both PoS & PoW clients look for the longest chain with the highest difficulty,
In BTC , Proof of Work computations secures the chain,
In PoS coins, the chain is secured by hashProofOfStake <= [Coin-age] x [Target]
[Coin-age] = [amount of coins] x [days in stake]

Simply put,
PoW secured by ASICS
PoS secured by the (# of Coins * their Age) in a staked block

Also Both use Hard coded Checkpoints in the clients, so no fake chains can be created from the genesis block, fake chains can only be created from the last hard coded checkpoint. So anyone creating a whole new fake chain is completely impossible on PoS or PoW, as the hard coded checkpoint in the client would not allow a chain to move past the checkpoint if it did not match.  Wink
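The coin-age stake condition quoted above (hashProofOfStake <= [Coin-age] x [Target]) as an added, simplified model; this is not the thread's code and not any coin's real kernel. The kernel preimage, the minimum and maximum stake age, and the ~1 minute clock tolerance are constructed assumptions; what the model keeps is that the kernel hash is fixed by the staked output and the block time (so it cannot be ground like PoW), that the target scales with amount x days, and that a block whose time is too far from the node's clock is refused.

```python
import hashlib
import struct

# Constructed parameters for this illustration, not any coin's real constants.
SECONDS_PER_DAY = 86400
MAX_CLOCK_DRIFT = 60        # seconds; the thread cites roughly 1 minute for some coins
MIN_STAKE_AGE_DAYS = 1      # an output must age before it may stake
MAX_STAKE_AGE_DAYS = 30     # coin-age stops growing, so old stake cannot dominate forever


def coin_age(amount, utxo_time, stake_time):
    """[Coin-age] = [amount of coins] x [days in stake], the formula from the post.
    Returns 0 if the output is too young to stake; age is capped at MAX_STAKE_AGE_DAYS."""
    days = (stake_time - utxo_time) // SECONDS_PER_DAY
    if days < MIN_STAKE_AGE_DAYS:
        return 0
    return amount * min(days, MAX_STAKE_AGE_DAYS)


def kernel_hash(stake_modifier, utxo_txid, utxo_index, stake_time):
    """Constructed stand-in for hashProofOfStake: double-SHA256 over a chain-derived
    modifier, the staked output and the block time. A real kernel preimage differs;
    the point is that the staker's only free variable is the (tightly bounded) time."""
    preimage = (stake_modifier
                + bytes.fromhex(utxo_txid)
                + struct.pack("<IQ", utxo_index, stake_time))
    digest = hashlib.sha256(hashlib.sha256(preimage).digest()).digest()
    return int.from_bytes(digest, "little")


def meets_stake_target(h, age, target):
    """The stake condition from the post: hashProofOfStake <= [Coin-age] x [Target]."""
    return age > 0 and h <= age * target


def validate_stake(block_time, local_time, stake_modifier, utxo, target):
    """What a receiving node checks on a staked block.
    `utxo` is a dict with keys txid, index, amount, time (constructed layout)."""
    # Clock rule from the thread: blocks whose time is too far from ours are refused.
    if abs(block_time - local_time) > MAX_CLOCK_DRIFT:
        return False, "block time outside allowed drift"
    age = coin_age(utxo["amount"], utxo["time"], block_time)
    if age == 0:
        return False, "stake output too young"
    h = kernel_hash(stake_modifier, utxo["txid"], utxo["index"], block_time)
    if not meets_stake_target(h, age, target):
        return False, "kernel hash above coin-age-weighted target"
    return True, "ok"


def stake_weight_ratio(a_amount, a_days, b_amount, b_days):
    """Compare two stakers' chances for one block: the ratio of their coin-ages.
    Shows the thread's point that a smaller holder with older coins can outstake
    a larger holder whose coins have just been moved or just staked."""
    a = coin_age(a_amount, 0, a_days * SECONDS_PER_DAY)
    b = coin_age(b_amount, 0, b_days * SECONDS_PER_DAY)
    return a / b if b else float("inf")
```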
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
April 08, 2017, 03:41:26 PM
#91
I'm referring to this problem (Source):

Quote from: Andrew Poelstra, "On Stake and Consensus"
The answer is that there is no well-defined clock time in a distributed system.   Network la-
tency gives a finite speed of information propagation, which we know from special relativity means
different observers cannot agree on the time-ordering of events that occur closely in time
[...]
Users who are new to the network or have been offline recently need access to historical
data.   But  there  is  no  way  to  verify  after-the-fact  what  order  transactions  occurred  in,  so
they cannot be assured that the transactions they are receiving actually occurred before any
conflicting ones.

In my understanding, that could be solved by the technique known as "Economic Clustering" or "TaPoS", where every participant must sign his transactions with the hash of a recent block. So if there is a chain split because of two conflicting transactions, you can see on which one of the conflicting chains/blocks the economic majority is. The exact order (which occured before) would become irrelevant, only the transaction included in the "right block" would be the valid one.

But as "dinofelis" concept would have no "conflicting chains" (because all "conflicting blocks" or "stale blocks" would be integrated in the main chain) but only "conflicting transactions", I don't know how this problem could be solved there. He says that nodes should not accept back-dated transactions, but how can they know if they are back-dated if there is no universal time?

I read in the Casper history series that there could be an alternative approach with a "heartbeat" that dictates universal time in a PoS system, but I don't know this proposal (and its pros and cons) in detail.
legendary
Activity: 1092
Merit: 1000
April 08, 2017, 05:07:09 AM
#90

Here I have a question. How does a node that's new or wasn't online for a while know which transactions are "back-dated", so he can ignore them? It's a known problem for PoS systems that they have no "synchronizing clock" like PoW with their difficulty/target system.



Hmm,

In a PoS system, transactions are included in the mempool and when you stake those transactions are removed from the mempool and included in that staked block.
The blocks in some PoS systems usually cannot be more than a 1 minute time difference off from the other nodes.
(Time varies for different coins, ZEIT is 1 minute & Blackcoin is 15 seconds.)
PoS does use the clock, i.e. if a PC clock is set to an incorrect time, it will be unable to stake and the other nodes will refuse any block generated by that PC,
until its time is a ~ match for theirs.

Back to the mempool:
The Transaction is merely entered into the mempool, and then entered into a staked block.
If your Transaction is a double spend, it will fail, since the coins have already been sent.
If your transaction failed for some unknown reason and was never included in a block , you can always resubmit it to the mempool at a later time.
The mempool holds transactions for up to 72 hours.

If that does not clear it up for you, give me an example of your back-dated transaction question, and I will try and make it clearer for you.


 Cool

FYI:
If you sent out a transaction and it was confirmed in a block, you can not resend that exact same transaction again, as those coins have been spent.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
April 08, 2017, 12:41:19 AM
#89
Well as already said I re-read your proposal.

You have fundamentally these "innovations" respect to traditional PoS systems:
- no rewards
- transactions from orphan blocks get included in the canonical chain (or "bag") as long as they aren't conflicting with them ("set" instead of "sequence" paradigm).
- if there is a double spend in two conflicting blocks, the transaction in the block with more stake wins the race (OK, that's the way most PoS systems work now, too).
- and this:
If there are no rewards, things become much simpler, because the only incentives are directly "wanting to maintain the system" or "wanting to game the system", and there are no "proxies of being honest" (getting rewards and not getting punished).

Yes that could be true. NXT, at least, with its almost-no-reward policy is working quite well, I haven't heard of any double spends there (until a short-range attack is, in theory, possible there). Maybe then Ethereum is wrong with their over-complicated Casper proposal.

I'm not totally convinced, though. What if most stakeholders are simply lazy and don't keep their wallet online and staking? That's why I would still favour a minimal reward (like in Peercoin or NXT).

The other thing that worries me is the power of exchanges and online wallet providers in a pure PoS system. That's why I consider Proof of Burn could be a complement of an advanced PoS system. The chain would have to alternate between PoS and PoB blocks, and exchanges and other "holders of other people's funds" then would have no advantage (at least, if they're not running a fractional reserve system) for one half of the blocks.

Quote
Well, there is one thing that PoW is good for: seigniorage.  Creating coins with PoW is not a bad thing ; [...] One could have PoW coin creation *independent* of block chain security.

Only a note: That's exactly what Peercoin and its 999+ clones do Wink

Quote
And finally, if you REALLY want to end up with 21 million coins, you could pseudo-RANDOMLY distribute coins over past addresses.

I thought about that solution, but it would encourage sybil attacks. I ignored the word "past".

Quote
In any case, it is a fundamental change to the protocol, and hence it destroys immutability.  So strictly speaking, it is not "bitcoin".  Bitcoin is what it is now.  The guy that bought for half a million dollars ASICS to mine will think he got screwed, and he'd be right.

That's just what we're seeing now with the Asicboost/Segwit/Blocksize discussion. PoS would be a more radical change, but as long as the 21 millions are not touched, I think there is a small possibility for an algorithm change to PoS, also because even in Bitcoin's actual system rewards will end in the future and high fees as an alternative could be undesirable because it would give advantages to competitors.
hero member
Activity: 770
Merit: 629
April 02, 2017, 01:34:19 PM
#88
(first part)

Interesting concept. It has some similarities with TaPoS but also with Ethereum's proposed Casper algorithm, although they continue to use the "chain" paradigm. There, the PoS validators "bet" on a set of transactions (or block) if there is a fork. So the fork on which most PoS validators agree is selected.

But at difference to your concept Casper has rewards (and punishments if nodes misbehave).


From the moment you give out rewards and punishments, the system becomes a strategically complicated rule set of which it is very difficult to show that no strategy can be thought of so as to game the system.  For instance, if you can inflict punishments on your rivals by tricking them into signing off a chain that is to be orphaned before they realize etc...

If there are no rewards, things become much simpler, because the only incentives are directly "wanting to maintain the system" or "wanting to game the system", and there are no "proxies of being honest" (getting rewards and not getting punished).

Quote
Do you think miners would accept to destroy their source of income for only ten times their daily earnings? I think it would be much more you must give to them.

You can say the same about the people lending out their stake.  If you rent hash rate, the seller of hash rate doesn't really know what you are going to do with it.

Quote
With cloud mining, I think this would be more doable. Let's do the math: hashflare.io is charging 1,20$ per 10 Ghash/s. The bitcoin network currently has 3,5 Exahash/s (3.500.000.000 GH/s). So you would need 350.000.000 * 1,20 $ = ~420 million USD to buy enough hashrate for an 51% attack. So ok, you are right ... that's ~400.000 BTC and much less than for a PoS 51% attack.

That surprised me. I never did that math. If that's true, PoW is really more insecure than I thought. Are these cloud mining prices per month or per day or what?

--> they say: lifetime contract as long as it is profitable !  But there's a daily fee of $0.0035 which is the real price.

Grossly, the EARNINGS of bitcoin miners are supposed to finance the PoW.  That's BY DEFINITION (much) less than the whole market cap !  Otherwise, you'd burn the whole market cap each year or so just to, eh, keep the value of the market cap.
That's about like paying 3 times the price of your car a year to insure it against theft.

PoW is a VERY BAD cryptographic security.  I knew that but I also only realized the last few months HOW bad.

You have to waste HUGE amounts of resources for very WEAK security ; in fact, the security is simply that your enemy will not waste as much as you are doing !

Quote
Quote
My point is that by the time that you can do things that make the system already an economic failure, the technical security doesn't matter any more.

Yes, I agree - these attacks are possible, but highly impractical. Nevertheless I wouldn't ignore them for a PoS design that really could replace Bitcoin's PoW.

In fact, I even think it is positive that a coin whose economic system has become totally corrupted, becomes also cryptographically insecure and will most probably fail.  This is a kind of self-destruction poison pill for when the thing goes economically wrong, in order not to keep a Frankenstein's monster alive.

Quote
Another problem if we really want to replace Bitcoin's PoW by PoS and not creating another coin: A big item in Bitcoin's social agreement is the limitation to 21 million coins. If there is no reward, what to do with the remaining coins?

Well, there is one thing that PoW is good for: seigniorage.  Creating coins with PoW is not a bad thing ; but the error in bitcoin and many other PoW coins, is that this PoW that serves to make people fight to make new coins, is also used as a cryptographic security mechanism for the consensus.  That's silly.  One could have PoW coin creation *independent* of block chain security.

On the other hand, I would think that limiting bitcoin to LESS than the planned 21 million coins is not a problem.  The problem was rather not to make more of them.  And finally, if you REALLY want to end up with 21 million coins, you could pseudo-RANDOMLY distribute coins over past addresses.  

Quote
You could say that Bitcoiners should be happy if the supply stops at - let's say - 17 million, as the share of every Bitcoin holder with respect to the total amount would grow. But it would nevertheless be perceived as an attack to Bitcoin's fundamentals by some, I think. Well, you could redistribute the 4 resting millions to all shareholders but that would be pointless.

In any case, it is a fundamental change to the protocol, and hence it destroys immutability.  So strictly speaking, it is not "bitcoin".  Bitcoin is what it is now.  The guy that bought for half a million dollars ASICS to mine will think he got screwed, and he'd be right.

legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
April 02, 2017, 12:10:23 PM
#87
(first part)

Interesting concept. It has some similarities with TaPoS but also with Ethereum's proposed Casper algorithm, although they continue to use the "chain" paradigm. There, the PoS validators "bet" on a set of transactions (or block) if there is a fork. So the fork on which most PoS validators agree is selected.

But at difference to your concept Casper has rewards (and punishments if nodes misbehave).

I will re-read your concept (it's a bit difficult to evaluate in a couple of minutes) in a couple of days and see if I discover a crucial flaw. I have still problems with the no-reward concept as I'm still caught in the "monetary incentive" paradigm Wink

Quote
Quote
There is one problem with this assumption: the attacker could lend stake.

This is in fact a universal attack that can work against just any system.  PoW included: you can lend hash power, you can lend nodes, you can lend about anything. [...]

Suppose that I lend 200000 bitcoin, then I pay the 5 most important mining pools 10 times their daily earnings if I can lend their hash power for half a day, then I do a 51% attack on bitcoin, I buy now 200 500 coins on the market for a few dollars, now that bitcoin has crashed, and I pay back the unlucky bag holders their 200 500 coins with interest.

Do you think miners would accept to destroy their source of income for only ten times their daily earnings? I think it would be much more you must give to them.

With cloud mining, I think this would be more doable. Let's do the math: hashflare.io is charging 1,20$ per 10 Ghash/s. The bitcoin network currently has 3,5 Exahash/s (3.500.000.000 GH/s). So you would need 350.000.000 * 1,20 $ = ~420 million USD to buy enough hashrate for an 51% attack. So ok, you are right ... that's ~400.000 BTC and much less than for a PoS 51% attack.

That surprised me. I never did that math. If that's true, PoW is really more insecure than I thought. Are these cloud mining prices per month or per day or what?

Quote
My point is that by the time that you can do things that make the system already an economic failure, the technical security doesn't matter any more.

Yes, I agree - these attacks are possible, but highly impractical. Nevertheless I wouldn't ignore them for a PoS design that really could replace Bitcoin's PoW.

Another problem if we really want to replace Bitcoin's PoW by PoS and not creating another coin: A big item in Bitcoin's social agreement is the limitation to 21 million coins. If there is no reward, what to do with the remaining coins?

You could say that Bitcoiners should be happy if the supply stops at - let's say - 17 million, as the share of every Bitcoin holder with respect to the total amount would grow. But it would nevertheless be perceived as an attack to Bitcoin's fundamentals by some, I think. Well, you could redistribute the 4 resting millions to all shareholders but that would be pointless.

OK, the last problem, I think, is a minor one.
hero member
Activity: 770
Merit: 629
April 01, 2017, 08:00:48 AM
#86
Nope Wasting Energy is Bullshit, while the asics miners are starting to drive up the rates for people in residential areas.
ASICS are too wasteful to succeed in the long run. Time will prove this to you.

I am with you on this one.  PoW is a crazy cryptographic "security" : "I waste more, so I am right" is about the biggest silliness one can think of.

That said, PoW was a good idea to start crypto.   What we will keep of it is that we now have a lot of secret-public key pairs distributed over a lot of people, which is bitcoin's great contribution.
legendary
Activity: 1092
Merit: 1000
April 01, 2017, 04:50:49 AM
#85
what about the notorious case of mintcoin and mint exchange, where users were holding the majority of their coins in the exchange, who was then hacked and therefore there was the possibility to do an attack because the hacker had the majority of the coins under his control?

it's dangerous for pos to have all the coins in the same place, and with people rushing to sell them at a certain price they end up depositing a large amount on the exchange

What about it, it had nothing to do with N@S.

PoS or PoW Coin gets hacked, odds are the thief will sell on another exchange and crash the market.
Time Passes and the price recovers or the coin dies , no difference PoS or PoW.

or are you afraid of 1 entity controlling network.
Hate to break it to you , all PoW coins will become over 51% controlled by 1 entity. (Due to economic factors.)
BTC with China having ~67% for over a year now. (already happened) Wink

PoS Coins not as big a deal, because the ones that use coin age ,
PoS coins deactivate after staking for a prescribed amount of time, unlike ASICS where they maintain the exact same % of ASICS.
So you can have 60% of the coins and someone else with a higher coin age per block can outstake you,
PoS is in constant flux, not static like PoW.  Cheesy

 Cool

it's not the same, pow coins can't be controlled by one entity because you know they can't mine with their coins on exchange like with pos coins, where the exchange who control more can also mint more

with pow they are equally distributed among the exchange and miners that hold a good portion of the total coins

with pos you have an exchange that keep minting and dumping or accumulating for an attack, because you know again those coins are free so he can attack the network without thinking it twice,

unlike with pow where you are not mining for free and the consumption is a good deterrent that prevent this, so wasting energy it's actually a good thing in crypto contrary to the popular belief

Methinks you are missing the Point , China is a Single Entity and they can control the Chinese Mining Pools , therefore the ASICS, and if you noticed recently CHina has exerted their control over the Chinese Exchanges.  China controls BTC, LTC & Doge all PoW coins.

You also miss the point , PoS is not constant , can an extremely large holder lead the chain for a little while , sure, but it can only be done for a limited time,
the more control exerted the more of their coins go offline, until they reach minimum stake age again.
Also exchanges have a lot of coin transferred in & out, so those coins never reach staking maturity.
PoS coins don't usually allow the user to pick and choose which transactions are included in the block like a PoW coin, so even if an exchange stakes, they will process transactions like everyone else. Why are they going to crash a coin that they are making free money off of.
Exchanges don't want to destroy PoS coins for the same reasons ASICS miners are not trying to destroy BTC.

Quote
so wasting energy it's actually a good thing in crypto

Nope Wasting Energy is Bullshit, while the asics miners are starting to drive up the rates for people in residential areas.
ASICS are too wasteful to succeed in the long run. Time will prove this to you.
The reason so many american farmers go bankrupt , is they ignore the Input costs,
BTC price is already too high and it is losing market share, study the BTC dominance on coinmarketcap , it has lost ~30% in a few months.
BTC is Pricing itself out of the markets. Other coins will begin filling its utility uses, if its price does not halve in the coming year.

 Cool
hero member
Activity: 770
Merit: 629
April 01, 2017, 01:58:29 AM
#84
To me, the N@S problem can be formulated as follows:

"there are an unlimited amount of different, correct block chains under a PoS rule that can fork off from a given common point using a relatively small amount of stake, and given a finite set of transactions signed by the other stake holders"

I think that's reasonably correct. I would only add that the amount cannot be infinitely small but still must be high enough to ensure that you could trick others to think it is the "longest chain".

There is a difference in the required stake size between "secretly mined alternative chains" like those used in the infamous "History Attack" and "publicly mined alternative chains". Secretly mined chains require much more stake to become the "longest chain" as they can't trick other users to sign them with their stake while minting, but if they win they are more dangerous, because they also can use "double-spent stake" (emptied addresses that at a moment had large balances).

Quote
The trick is to define an ordering over that amount of block chains such that the chain including most transactions of the other stake holders wins with high probability unless the amount of stake that has to collude becomes significant (at which point, the coin is essentially in the hands of a colluding set of cheaters, at which point, it doesn't matter any more that it fails technically, because it failed already economically).

Yes, I think that is very similar to the "Economic Clustering" feature NXT wanted to implement at some point and was first released as a part of the "TaPoS" proposal by Daniel Larimer. Bitshares, I think, had implemented it but then switched to DPOS. The trick in this system is that the payer has to add a signed hash of a recent block to all transactions. So you could see exactly on which chain every actor is - e.g. if you are on the same chain as the largest exchanges or payment providers.

An attacker then couldn't fake a secret chain anymore, because in the case of a reorg all nodes would see that no important actors were active in the attack chain. What he could do instead is to try to create a "public" double spending chain and lure the network into a reorg to this chain after the victim has confirmed payment. That is what kushti considered the most dangerous N@S variant (and suggested to increase the amount of required confirmations in PoS currencies). But without rewards it's pretty difficult to attack this way if you haven't a LOT of stake because the attacker on most blocks would have to use his own stake to mint it and not many others would "help" him.

This goes a long way in the right direction.  This is also what I tend to conclude: that many attacks lose their potential or their incentive if there are no rewards, because most stake holders have no incentive to cooperate with any "chain reorg" of significance.  I would even go further, and say that we have to go away from the "chain" concept as a whole, and go to a "bag" concept (mathematically, a set instead of a sequence).  The only sets that are disallowed, are sets with forbidden transactions (double transactions or transactions without valid inputs).  
As such, if you have to consider two sets A and B, and you have to come to consensus over them, you try to come to consensus over their union.  If their union is a valid set, then that's the best consensus, but A and B are not anti-consensus, they are partial consensus.  That is, one doesn't REJECT A and B individually, but one considers their union, and hence also all the valid subsets of their union.

The only place where consensus cannot happen is if A is a valid set, B is a valid set, but A U B isn't.  That is simply because A and B contain a double spend.   In that case, there must be a deterministic way to prune A U B of the double spends, and the most logical way is to keep the spend which has the most PoS behind it.  If A has a certain amount of PoS to it, and B another, which is smaller, then A U B will be pruned by leaving out the conflicting B spends (and ONLY the conflicting B spends).  
Note that if there is no reward for staking, many stakers can stake in parallel, so that you get the same transaction in different blocks signed by different stakers, which adds to the total stake of those transactions.

If I receive a block A from Joe, with stake 0.2% and I receive a block B from Mary with stake 0.3%, then for the transactions that are in both, I consider that they have a weight of 0.5%, as a receiving node.  

In the end, the time stamp on a transaction becomes the most important one.  You cannot accept a transaction that is "back-dated" by more than a small multiple of the maximal propagation delay on the network (say, half a day).  

You don't consider re-organizing transactions that are 2 days old, say.  So you don't even need to keep their history!

After all, if you are new to the network, you *don't care* about its transaction history.  You want to know the "current state".  And if you aren't new to the network, you have the last old history you consider correct; but you only care about 2 things:
1) that your old balance is still valid
2) that there hasn't been any non-legit coin creation

You don't care about what happened to the other coins in between.  You don't have to decide upon the past transactions of coins that were transacted when you weren't on-line: if the total amount of coins is OK, and YOUR coins are OK, then that's all you need to know and you care about.

You can of course only "stake" when you are "up and running and online" for a certain while.

Quote
There is one problem with this assumption: the attacker could borrow stake. If there is a Bitfinex-like market so big that he would be able to borrow - let's say - 20% of the total stake, then it becomes dangerous. He could try to attack and fork the currency, trying to crash the market because of the "malfunctioning" currency and then give the coins back to the original holders for a small fraction of their price.

This is in fact a universal attack that can work against just any system.  PoW included: you can rent hash power, you can rent nodes, you can rent about anything.  If your only goal is to DESTROY a system and you are willing to spend value on it, you can always succeed if you can borrow a large part of the system.

Suppose that I borrow 200000 bitcoin, then I pay the 5 most important mining pools 10 times their daily earnings if I can rent their hash power for half a day, then I do a 51% attack on bitcoin, I now buy 200 500 coins on the market for a few dollars, now that bitcoin has crashed, and I pay back the unlucky bag holders their 200 500 coins with interest.
I need to borrow much, much less to obtain a potential majority of PoW than I need for PoS: I would have to borrow 3 million BTC to do what you propose, and with 200 000 coins I can do my PoW renting attack.

If you can borrow an important fraction of the stake, honestly, the system is just as economically insecure as it is technically insecure, because when I borrow 20% of the stash, I can DUMP IT in the morning, buy back the coins at noon when the price has crashed to hell, and make a lot of profit; much better than trying to do a double spend.


Quote
This attack has also been called the "Pirate attack" because it could also be accomplished by running a HYIP scheme like "Pirateat40" and secretly selling the coins on exchanges before you have to return them to their owners. It is also a very unlikely attack, but it is not impossible, like most of the N@S variants, and it could be devastating to the currency.

My point is that by the time you can do things that make the system already an economic failure, the technical security doesn't matter any more.  If you can easily borrow 20% of the stash, that would mean that I can easily borrow 3 million BTC.  Can you imagine the damage I can do with 3 million BORROWED BTC on the market?  I dump them all at once and I buy back more when the price has crashed (with the fiat I made when dumping them) and when all the weak hands are selling too.  I give back the 3 million BTC + interest, and what I have left over is in my pocket.  

If you can borrow 20% of the stash, the system is already economically dead.
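The "set instead of a sequence" idea in the post above (take the union of all blocks, sum the stake of every staker who included a transaction, prune only the conflicting spends by keeping the heaviest one, and refuse back-dated transactions) can be written down as a small deterministic settlement rule. The following is an added example and not code from the post or from any PoS project; the stake fractions, transaction ids, outpoint names ("u1", "u2", ...) and the 12-hour back-dating window are constructed for illustration, and the transaction signatures that a real system would verify are left out.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: FrozenSet[str]   # outpoints this transaction spends
    timestamp: int           # seconds, set by the payer


@dataclass(frozen=True)
class Block:
    staker: str
    stake: float             # fraction of total stake backing this block (0.002 = 0.2%)
    txs: Tuple[Tx, ...]


def tx_weights(blocks: List[Block]) -> Tuple[Dict[str, float], Dict[str, Tx]]:
    """Union of all blocks' transactions, weighted by the stake of every block
    that carries them (a tx in Joe's 0.2% block and Mary's 0.3% block weighs 0.5%)."""
    weights: Dict[str, float] = {}
    txs: Dict[str, Tx] = {}
    for block in blocks:
        for tx in block.txs:
            txs[tx.txid] = tx
            weights[tx.txid] = weights.get(tx.txid, 0.0) + block.stake
    return weights, txs


def settle(blocks: List[Block], utxo: Set[str], now: int, max_backdate: int):
    """Deterministically prune the union A U B of the conflicting spends.

    Only the losing side of a double spend is dropped; everything else in the
    union survives. Back-dated txs and txs spending unknown outputs are invalid
    regardless of how much stake signed them."""
    weights, txs = tx_weights(blocks)
    # heaviest first; txid as tie-breaker so every node reaches the same result
    order = sorted(txs.values(), key=lambda t: (-weights[t.txid], t.txid))
    spent: Set[str] = set()
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    for tx in order:
        if now - tx.timestamp > max_backdate:
            rejected[tx.txid] = "back-dated"
        elif not tx.inputs <= utxo:
            rejected[tx.txid] = "unknown input"
        elif tx.inputs & spent:
            rejected[tx.txid] = "double spend"
        else:
            spent |= tx.inputs
            accepted.append(tx.txid)
    return accepted, rejected, weights


def demo():
    """Constructed scenario: three stakers publish overlapping blocks in parallel."""
    now = 100_000
    utxo = {"u1", "u2", "u3", "u4"}                      # assumed current output set
    pay_alice = Tx("pay_alice", frozenset({"u1"}), now - 60)
    pay_bob = Tx("pay_bob", frozenset({"u1"}), now - 50)   # double spend of u1
    pay_carol = Tx("pay_carol", frozenset({"u2"}), now - 40)
    stale = Tx("stale", frozenset({"u3"}), now - 3 * 86_400)  # three days old
    bogus = Tx("bogus", frozenset({"u9"}), now - 10)          # u9 does not exist
    joe = Block("Joe", 0.002, (pay_alice, pay_carol))
    mary = Block("Mary", 0.003, (pay_alice,))
    bob = Block("Bob", 0.004, (pay_bob, pay_carol, stale, bogus))
    return settle([joe, mary, bob], utxo, now, max_backdate=12 * 3600)


if __name__ == "__main__":
    accepted, rejected, weights = demo()
    print("accepted:", accepted)       # pay_carol (0.6%) and pay_alice (0.5%)
    print("rejected:", rejected)       # pay_bob loses: 0.4% < 0.5% on the same input
```

Note that Bob's block is not rejected as a whole: pay_carol from his block still counts (and its weight rises to 0.6%), only pay_bob is pruned, which is the "ONLY the conflicting B spends" property from the post.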
legendary
Activity: 3248
Merit: 1072
April 01, 2017, 12:57:18 AM
#83
What about the notorious case of Mintcoin and the Mint exchange, where users were holding the majority of their coins on the exchange, which was then hacked, and therefore there was the possibility of an attack because the hacker had the majority of the coins under his control?

It's dangerous for PoS to have all the coins in the same place, and with people rushing to sell them at a certain price they end up depositing a large amount on the exchange.

What about it? It had nothing to do with N@S.

If a PoS or PoW coin gets hacked, odds are the thief will sell on another exchange and crash the market.
Time passes and the price recovers or the coin dies; no difference between PoS and PoW.

Or are you afraid of one entity controlling the network?
Hate to break it to you, all PoW coins will become over 51% controlled by one entity (due to economic factors).
BTC with China having ~67% for over a year now (already happened).

For PoS coins it is not as big a deal, because with the ones that use coin age,
PoS coins deactivate after staking for a prescribed amount of time, unlike ASICs, which maintain the exact same % of hash power.
So you can have 60% of the coins and someone else with a higher coin age per block can outstake you;
PoS is in constant flux, not static like PoW.


It's not the same. PoW coins can't be controlled by one entity because, you know, they can't mine with their coins on an exchange like with PoS coins, where the exchange that controls more can also mint more.

With PoW they are equally distributed among the exchanges and miners that hold a good portion of the total coins.

With PoS you have an exchange that keeps minting and dumping or accumulating for an attack, because, you know, again those coins are free, so it can attack the network without thinking twice.

Unlike with PoW, where you are not mining for free and the consumption is a good deterrent that prevents this. So wasting energy is actually a good thing in crypto, contrary to the popular belief.
legendary
Activity: 3906
Merit: 6249
Decentralization Maximalist
April 01, 2017, 12:47:12 AM
#82
To me, the N@S problem can be formulated as follows:

"there are an unlimited amount of different, correct block chains under a PoS rule that can fork off from a given common point using a relatively small amount of stake, and given a finite set of transactions signed by the other stake holders"

I think that's reasonably correct. I would only add that the amount cannot be infinitely small but still must be high enough to ensure that you could trick others into thinking it is the "longest chain".

There is a difference in the required stake size between "secretly mined alternative chains" like those used in the infamous "History Attack" and "publicly mined alternative chains". Secretly mined chains require much more stake to become the "longest chain" as they can't trick other users to sign them with their stake while minting, but if they win they are more dangerous, because they also can use "double-spent stake" (emptied addresses that at a moment had large balances).

Quote
The trick is to define an ordering over that amount of block chains such that the chain including most transactions of the other stake holders wins with high probability unless the amount of stake that has to collude becomes significant (at which point, the coin is essentially in the hands of a colluding set of cheaters, at which point, it doesn't matter any more that it fails technically, because it failed already economically).

Yes, I think that is very similar to the "Economic Clustering" feature NXT wanted to implement at some point and was first released as a part of the "TaPoS" proposal by Daniel Larimer. Bitshares, I think, had implemented it but then switched to DPOS. The trick in this system is that the payer has to add a signed hash of a recent block to all transactions. So you could see exactly on which chain every actor is - e.g. if you are on the same chain as the largest exchanges or payment providers.

An attacker then couldn't fake a secret chain anymore, because in the case of a reorg all nodes would see that no important actors were active in the attack chain. What he could do instead is to try to create a "public" double spending chain and lure the network into a reorg to this chain after the victim has confirmed payment. That is what kushti considered the most dangerous N@S variant (and suggested to increase the number of required confirmations in PoS currencies). But without rewards it's pretty difficult to attack this way if you don't have a LOT of stake, because the attacker on most blocks would have to use his own stake to mint them and not many others would "help" him.

Quote
As to "check points", I think they defeat the purpose, as they are also a consensus mechanism.  However, there's something much simpler concerning the equivalent of check points: every staker is *supposed* not to stake on a chain that is in contradiction with the OLD BLOCKS he KNOWS ABOUT.  In practice, that would be true: if you have a node running that has been following the block chain for about a year, and suddenly, your peer nodes tell you to orphan half a year of blocks and to stake on top of the new chain, you should bluntly refuse to stake.   Every node has its own check points, depending on its own presence on the network.  New nodes cannot know; but old nodes can refuse to stake on a historically re-written chain.

Yes, this mechanism is known as "rolling checkpoints" or "reorg prohibition" and is implemented in NXT. There is even a "smoother" idea: the "Soft Checkpoint" system like the "exponential subjective scoring" described by V. Buterin in his "famous" article about Weak Subjectivity.

Quote
When there are no rewards, you are not incentivized to "stake nevertheless, to get the reward if that chain wins".  Your only goal is to help the system run correctly, because that protects the stake you hold in it.

There is one problem with this assumption: the attacker could borrow stake. If there is a Bitfinex-like market so big that he would be able to borrow - let's say - 20% of the total stake, then it becomes dangerous. He could try to attack and fork the currency, trying to crash the market because of the "malfunctioning" currency and then give the coins back to the original holders for a small fraction of their price.

This attack has also been called the "Pirate attack" because it could also be accomplished by running a HYIP scheme like "Pirateat40" and secretly selling the coins on exchanges before you have to return them to their owners. It is also a very unlikely attack, but it is not impossible, like most of the N@S variants, and it could be devastating to the currency.
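The two mechanisms discussed in the post above, the TaPoS-style "signed hash of a recent block in every transaction" that shows which chain each actor is on, and the rolling checkpoint under which an old node refuses to orphan more of its own history than some depth, can be combined into one fork-choice filter. The following is an added example, not code from the post, from NXT or from Bitshares: the block reference is modelled as a plain (height, hash) pair without the signature, the watched actor names ("BigExchange", "PayProcessor", "Mallory"), the block tags and the reorg depth of 5 are constructed for the scenario, and the rule "a candidate chain that none of the watched actors have transacted on is refused" is this example's reading of the economic-clustering idea, not a published specification. A transaction that references a post-fork block of one chain cannot be valid on the other chain, which is exactly what lets a node tell the two apart.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Tx:
    sender: str
    ref_height: int   # height of a recent block the sender has seen (TaPoS reference)
    ref_hash: str     # hash of that block; a tx is only valid on a chain containing it


@dataclass(frozen=True)
class Block:
    height: int
    hash: str
    prev_hash: str
    txs: Tuple[Tx, ...] = ()


GENESIS_PREV = "0" * 16


def _block_hash(height: int, prev_hash: str, tag: str) -> str:
    # `tag` stands in for the block body / minter; hashes are deterministic
    return hashlib.sha256(f"{height}|{prev_hash}|{tag}".encode()).hexdigest()[:16]


def extend(chain: List[Block], tag: str, txs: Tuple[Tx, ...] = ()) -> List[Block]:
    prev = chain[-1].hash if chain else GENESIS_PREV
    height = len(chain)
    return chain + [Block(height, _block_hash(height, prev, tag), prev, tuple(txs))]


def ref_to(chain: List[Block], height: int) -> Tuple[int, str]:
    """What a payer on `chain` would sign into a transaction."""
    return height, chain[height].hash


def fork_height(a: List[Block], b: List[Block]) -> int:
    """Height of the last block both chains share (-1 if they share nothing)."""
    i = 0
    while i < len(a) and i < len(b) and a[i].hash == b[i].hash:
        i += 1
    return i - 1


def actors_after(chain: List[Block], since: int, watched: Set[str]) -> Set[str]:
    """Watched actors whose txs reference a post-fork block that really is in `chain`."""
    by_height = {b.height: b.hash for b in chain}
    found = set()
    for block in chain[since + 1:]:
        for tx in block.txs:
            if (tx.sender in watched and tx.ref_height > since
                    and by_height.get(tx.ref_height) == tx.ref_hash):
                found.add(tx.sender)
    return found


def choose_chain(mine: List[Block], candidate: List[Block],
                 watched: Set[str], max_reorg_depth: int) -> Tuple[str, str]:
    """Return ("mine"|"candidate", reason) for a node that already follows `mine`."""
    fh = fork_height(mine, candidate)
    depth = len(mine) - 1 - fh          # blocks of my own history the reorg would orphan
    if depth > max_reorg_depth:
        return "mine", "checkpoint"     # rolling checkpoint: refuse to rewrite history
    if len(candidate) <= len(mine):
        return "mine", "not_longer"
    if depth == 0:
        return "candidate", "extension"  # plain extension of my own tip
    if not actors_after(candidate, fh, watched) and actors_after(mine, fh, watched):
        return "mine", "no_actors"       # economic cluster is on my side of the fork
    return "candidate", "reorg"


def demo():
    """Constructed scenario: one honest chain, one attacker fork, one deep rewrite."""
    watched = {"BigExchange", "PayProcessor"}
    common: List[Block] = []
    for i in range(4):
        common = extend(common, f"common{i}")
    # my chain: heights 4-6; the exchange transacts at height 5 referencing block 4
    mine = extend(common, "honest4")
    mine = extend(mine, "honest5", (Tx("BigExchange", *ref_to(mine, 4)),))
    mine = extend(mine, "honest6")
    # attacker's longer public fork from height 3; only Mallory references it
    attack = extend(common, "attack4")
    attack = extend(attack, "attack5", (Tx("Mallory", *ref_to(attack, 4)),))
    for i in range(6, 9):
        attack = extend(attack, f"attack{i}")
    # deep fork rewriting everything after genesis (11 blocks, so it is longest)
    deep = common[:1]
    for i in range(1, 12):
        deep = extend(deep, f"deep{i}")
    # an honest competing fork that the exchange really is on, seen from a node
    # whose own branch carries no watched transactions
    alt = extend(common, "alt4")
    alt = extend(alt, "alt5", (Tx("BigExchange", *ref_to(alt, 4)),))
    alt = extend(extend(alt, "alt6"), "alt7")
    quiet = extend(extend(extend(common, "quiet4"), "quiet5"), "quiet6")
    return {
        "attack": choose_chain(mine, attack, watched, 5),
        "deep": choose_chain(mine, deep, watched, 5),
        "extension": choose_chain(mine, extend(mine, "honest7"), watched, 5),
        "alt": choose_chain(quiet, alt, watched, 5),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The "attack" case is the point of the post: the attacker's chain is longer, and the reorg is shallow enough to pass the rolling checkpoint, yet it is refused because no watched economic actor has signed a reference into it, while "alt" shows that a longer fork the exchanges are on is still accepted.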
sr. member
Activity: 333
Merit: 250
March 30, 2017, 05:36:10 PM
#81
Hi guys.
Plz don't kill me for asking.

I see a lot of hype around alt-coins.
When asked, many will point out POS as a plus vs bitcoin.

I was wondering:

1. Can Bitcoin change to POS if wanted to by the community?
2. Is POS really an advantage (if it is - is it an advantage because it saves energy, or because it diffuses power)?

Thank you!

Sure, it can be done by hard fork; coins like Blackcoin/Peercoin/Mintcoin have moved from a mining period to a full PoS system and are living today.
Switching is not that hard, you just turn off PoW and move to PoS.

2. Is POS really an advantage (if it is - is it an advantage because it saves energy, or because it diffuses power)?

PoS is energy efficient and more decentralized in mining power. In BTC Bitmain produces 75%+ of the ASICs on the market and currently, using its influence, it blocks SegWit/LN, so this is proof that decentralization of power is important. With BTC one guy can HOLD BTC or kick its balls.
However BTC PoW makes BTC backed by energy, while ETH is backed by the technology behind the smart-contract platform.
In PoS miners want a higher value of the TOKEN, not higher fees like BTC miners.
Looks like the BTC system is broken today, and without ETH making like 40% of BTC's market cap they will keep BTC in stagnation, since increasing the block size doesn't bring any big value to the system.
A cheap solution costs you more in the future than a quality one.

legendary
Activity: 1092
Merit: 1000
March 30, 2017, 05:18:06 PM
#80
Meaning since the guy above had to pay to have his transaction entered,
PoW is not permissionless if it requires payment to the miners. Therefore PoS is also not permissionless, since transaction fees are also charged.

Ok, since you destroyed the useful meaning of the word "permissionless" for decentralized systems, let's call it clonck.  BTW, you can also object to the word decentralized, because no matter what, those systems will be centralized on earth, within the hands of (for the moment) members of the species Homo Sapiens.  So let us replace "decentralized" by blunck.  As "trustless" is also impossible, because you had to trust your mother when she gives birth to you, let us call the new notion flanck.

So we are trying to build systems that are clonck, blunck, and flanck.  Better now?

We define clonck as those systems for which there is no official authorisation to be demanded, and granted by a specific institution, in order to be able to try to participate in them with a non-zero chance of success.  That is, a random external entity has a reasonable probability to succeed in participating in the system without any specially granted permission by any institution.

We define blunck as those systems where at least 3, but preferentially very many non-colluding entities participate in such a way that they cannot, individually, determine most of what happens in the system.

We define flanck as those systems that still have a reasonable chance to function correctly, even if an important fraction (to be determined) of the non-colluding entities (see the blunck property)  are trying to cheat on the system or try to sabotage it and bring it down.

There. 


LOL,
Looking forward to the 1st print of the Dinofelis CryptoDictionary.

hero member
Activity: 770
Merit: 629
March 30, 2017, 06:52:57 AM
#79
Meaning since the guy above had to pay to have his transaction entered,
PoW is not permissionless if it requires payment to the miners. Therefore PoS is also not permissionless, since transaction fees are also charged.

Ok, since you destroyed the useful meaning of the word "permissionless" for decentralized systems, let's call it clonck.  BTW, you can also object to the word decentralized, because no matter what, those systems will be centralized on earth, within the hands of (for the moment) members of the species Homo Sapiens.  So let us replace "decentralized" by blunck.  As "trustless" is also impossible, because you had to trust your mother when she gives birth to you, let us call the new notion flanck.

So we are trying to build systems that are clonck, blunck, and flanck.  Better now?

We define clonck as those systems for which there is no official authorisation to be demanded, and granted by a specific institution, in order to be able to try to participate in them with a non-zero chance of success.  That is, a random external entity has a reasonable probability to succeed in participating in the system without any specially granted permission by any institution.

We define blunck as those systems where at least 3, but preferentially very many non-colluding entities participate in such a way that they cannot, individually, determine most of what happens in the system.

We define flanck as those systems that still have a reasonable chance to function correctly, even if an important fraction (to be determined) of the non-colluding entities (see the blunck property)  are trying to cheat on the system or try to sabotage it and bring it down.

There. 
legendary
Activity: 1092
Merit: 1000
March 30, 2017, 05:03:25 AM
#78
You haven't looked at the link, have you?

Scanned it; you are ignoring the fact that everyone is using the computers and the software, aren't you?

You never answered my question, if I gave away a PoS coin is it Permissionless?


FYI:
Your Guy in the link
Quote
I paid a fee of 0.0001 bitcoins, approximately 8 cents or 10% of my transaction.
He paid for permission to have his transaction entered.


FYI2:
The Definition of the Word Permissionless : Without permission.

The Definition of the Word Permission :  
1. authorization granted to do something; formal consent:
2. the act of permitting.


You guys are the ones trying to redefine a word that already has a definition.
Sorry, Webster's Dictionary was here 1st.


You're being ridiculous on purpose.  


LOL,

No,
some people are trying to redefine a word that already has a definition.

The incorrect one, which they are trying to propagate:
Quote
PERMISSIONLESS

In order to contribute to the processing of transactions and have your ‘vote’ counted, you do not need a previous relationship with the ledger, and your vote does not depend on having a prior identity of any kind within the ledger.

The Correct one is
The Definition of the Word Permissionless : Without permission.

The Definition of the Word Permission :  
1. authorization granted to do something; formal consent:
2. the act of permitting.


Meaning since the guy above had to pay to have his transaction entered,
PoW is not permissionless if it requires payment to the miners. Therefore PoS is also not permissionless, since transaction fees are also charged.

In crypto the miners or stakers grant permission to enter transactions into a block by charging transaction fees.
Then the nodes grant permission for that block to be entered into the blockchain.
At both points, the miners & stakers, and then the nodes, are all authorizing or committing the act of permitting entry.

Permission is accurate.  Permissionless is some made-up fairy tale by people that don't look at the system deeply enough.
That is why it is a personal pet peeve of mine.


FYI:
Quote
The word "ring" also existed before mathematicians defined what an algebraic ring was.
By placing the word algebraic in front of the word ring, you give it a different meaning.
There is no additional word placed in front of permissionless that allows them to redefine the definition of the word.
They are using the direct word, and its direct definition is counter to their claims.
hero member
Activity: 770
Merit: 629
March 30, 2017, 04:51:01 AM
#77
You haven't looked at the link, have you?

Scanned it; you are ignoring the fact that everyone is using the computers and the software, aren't you?

You never answered my question, if I gave away a PoS coin is it Permissionless?


FYI:
Your Guy in the link
Quote
I paid a fee of 0.0001 bitcoins, approximately 8 cents or 10% of my transaction.
He paid for permission to have his transaction entered.


FYI2:
The Definition of the Word Permissionless : Without permission.

The Definition of the Word Permission :  
1. authorization granted to do something; formal consent:
2. the act of permitting.


You guys are the ones trying to redefine a word that already has a definition.
Sorry, Webster's Dictionary was here 1st.


You're being ridiculous on purpose.  
The word "ring" also existed before mathematicians defined what an algebraic ring was.
hero member
Activity: 770
Merit: 629
March 30, 2017, 04:47:52 AM
#76
You never answered my question, if I gave away a PoS coin is it Permissionless?

Only if the coin is anonymous.

But in a certain way, it ends up being permissionless, because sooner or later, you can stake.  And then, you can decide to include this transaction.  So sooner or later, you can give away a PoS coin, even if all others don't want you to do so.

The reason why an anon coin IS permissionless is that nobody knows what transaction has to do with whom.  Then transactions are fungible. And you cannot single out a user to deny him access.