
Topic: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) - page 3. (Read 15428 times)

hero member
Activity: 574
Merit: 500
Further research published into Nothing at Stake- "tails switching":

We have updated our GitHub repository https://github.com/ConsensusResearch/ForgingSimulation with a new version of the PoS simulation Haskell code.
It now includes two branches: master, for the single-branch classical Nxt-based code, and "multibranch-experimental", for the multibranch forging simulation. Recently a new algorithm for regulating the tails switching effect was proposed and implemented. With it, the possibility of the N@S attack also becomes regulated, as we can now introduce a deducible parameter of confirmations needed to stabilize recent block tails. The idea of the regulation is straightforward: from time to time the node "forgets" almost all the branches and prolongs only those whose cumulativeDifficulty measure is above some retargeting threshold. This threshold changes discretely, starting from 0. Unlike the Bitcoin difficulty param, the threshold always grows as the best block cumulativeDifficulty exceeds the previous threshold+delta. So nodes work as multibranch almost all the time, but sometimes become "single-branch" for a short time (one tick). This approach allows us to have all the multibranch benefits and also get a network with regulated convergence. With a certain confirmation number calculated, we can propose strong resistance to N@S, as long tails switching becomes very, very unlikely after the confirmations. We'll present the N@S simulation results ASAP.

There are more possible regulation procedures, for sure. Based on the idea that nodes sometimes switch to single-branch behavior, one can introduce any verifiable quasi-random algorithm to do this. The proposed one is simple but efficient; however, more complicated algos (e.g. based on some nice hashes) could more likely secure the system.

A new paper on the tails switching effect has been publicly released (https://github.com/ConsensusResearch/articles-papers/tree/master/switching). However, the results of the simulations presented in the paper have already been renewed by the simulation software at https://github.com/ConsensusResearch/ForgingSimulation/tree/multibranch-experimental with the proposed threshold algorithm. As expected, the algorithm allows us to have a confirmation number parameter deducible from the system constants and prevents the prolongation of similar branches. With it, resistance to N@S becomes feasible and measurable! The results of the N@S simulation + switching tails length distribution are coming.
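
The threshold rule described in the post above, as an added Python sketch; it is not code from the ConsensusResearch repository (which is in Haskell) or from the poster. The step rule (the threshold rises in whole multiples of delta), the random block weights and the names `retarget`, `simulate` and `max_gap` are assumptions made for this toy model.

```python
import random

def retarget(branches, threshold, delta):
    """Apply the regulation rule to a node's branch tips.

    branches: cumulativeDifficulty of each branch tip the node tracks.
    Returns (threshold, surviving_branches, pruned).
    """
    best = max(branches)
    if best <= threshold + delta:
        return threshold, list(branches), False  # ordinary multibranch tick
    # Assumed step rule: raise the threshold by whole multiples of delta,
    # so it changes discretely and never decreases.
    while best > threshold + delta:
        threshold += delta
    # "Forget" every branch that is not above the new threshold.
    return threshold, [cd for cd in branches if cd > threshold], True

def simulate(ticks, delta, max_branches=8, fork_prob=0.3, seed=1):
    """Toy forging loop (constructed model, not the Nxt forging formula)."""
    rng = random.Random(seed)
    branches, threshold, history = [0], 0, []
    for tick in range(ticks):
        grown = []
        for cd in branches:
            grown.append(cd + rng.randint(1, 10))      # extend this tip
            if rng.random() < fork_prob:               # competing block, same parent
                grown.append(cd + rng.randint(1, 10))
        branches = sorted(grown, reverse=True)[:max_branches]  # keep the N best
        threshold, branches, pruned = retarget(branches, threshold, delta)
        history.append((tick, threshold, len(branches), pruned))
    return history

def max_gap(history):
    """Longest run of ticks between two consecutive pruning events."""
    ticks = [t for t, _, _, pruned in history if pruned]
    return max(b - a for a, b in zip(ticks, ticks[1:]))

if __name__ == "__main__":
    hist = simulate(ticks=200, delta=50)
    print("final threshold:", hist[-1][1])
    print("pruning events:", sum(1 for h in hist if h[3]))
    print("longest multibranch stretch (ticks):", max_gap(hist))
```

Because every tick in this model adds at least 1 to the best tip, two pruning events are never more than `delta` ticks apart, which is the sense in which a bound follows from the constants here.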

hero member
Activity: 574
Merit: 500
Bump. Testcoin with modified forging algo is still in development. Kushti will have more time after release of version 1.5 of Nxt.

is that for the challenge to break a nxt clone? if so, why modify the forging algo? would a straight clone not be the best candidate so as to acquire the most accurate results?

Two separate projects. CynicSOB still thinks he can break Nxt and is still trying AFAIK. Kushti is testing improvements that could be adopted by Nxt, all being well.
hero member
Activity: 574
Merit: 500
Bump. Testcoin with modified forging algo is still in development. Kushti will have more time after release of version 1.5 of Nxt.
hero member
Activity: 574
Merit: 500
Hi Kushti  Grin

Do you plan to write these findings...

https://bitcointalksearch.org/topic/m.10152632

... up into a 4th paper?


Or shall I just add the link to the post to the 'Nxt Whitepaper' thread?

hero member
Activity: 658
Merit: 501
let's wait until someone tries to attack Nxt testnet. I'm sure the community would be glad to give out some teststake.

If anyone wants to have a try, please go to nxtforum.org and ask for testnxt.

We can talk again after some guys tried and report their findings, ok?

And I'll do nxt next (testnet or a clone) but it'll take some time because it's a very different thing I need to get used to.
legendary
Activity: 1225
Merit: 1000
let's wait until someone tries to attack Nxt testnet. I'm sure the community would be glad to give out some teststake.

If anyone wants to have a try, please go to nxtforum.org and ask for testnxt.

We can talk again after some guys tried and report their findings, ok?
hero member
Activity: 574
Merit: 500

That is the article I linked to which indicates you can perform short range N@S attacks with 10% stake. When kushti published it he even admitted such:


- we have formally defined the nothing-at-stake attack (again, using Buterin's informal definition) and made initial simulations. We haven't included their results in the paper as they seem to be too raw, but I can reveal them here: the N@S attack could happen only in short range, e.g. within 20 blocks for 10% stake, so with 30 confirmations we haven't observed a successful attack. Also please note the attack has a pretty unpredictable nature for the attacker, so he can hardly enforce it, even in theory (in practice it's even harder to get it done properly). The correlation with stake size is still an open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin


I believe what is happening now is Nxt supporters are now suggesting N@S is impossible because they are interpreting "Nothing" literally and indicating only short range attacks are possible. If you want to play word games that is fine, let's call it a bear raid and short range attack combo.


That article isn't the latest information, this post from 14th Jan is..

To summarize the discussion, known claimed attacks on the proof-of-stake distributed consensus algorithm (and concrete implementations) at the moment:

*snipped*

3. Nothing-at-stake attack - not possible at the moment! Will be possible when a lot of forgers use multiple-branch forging to increase profits. Then an attacker can contribute to all the chains (some of them e.g. containing a transaction), then start to contribute to only one chain behind the best (containing no transaction), making it the winner. Previous statements on the N@S attack were made with the assumption that it costs nothing to contribute to each possible fork, and that makes the N@S attack a disaster. In fact, it's not possible at all to contribute to each possible fork, as the number of forks grows exponentially with time. So the only strategy for a multibranch forger is to contribute to the N best forks. In such a scenario an attack is possible only within short range, e.g. with 25 confirmations needed a 10% attacker can't make an attack. And the attack is pretty random in nature; it's impossible to predict whether 2 forks will be within the N best forks (from an exponentially growing set) for k confirmations. So from our point of view the importance of the attack is pretty overblown.

*snipped*

When he published the multistrategy paper in Dec, the post indicated that he thought the N@S was overblown and explicitly stated that he hadn't included these results in that paper.

Kushti's research shows that the Nothing @ Stake attack described by Vitalik (as he was the only one to describe it in any detail) is BS. If you have a different attack, you'll need a different name  Cheesy

legendary
Activity: 1092
Merit: 1010
The original blockchain explorer reflected granularity from 10 million to 1,000,000,000 instead of 1 million to  1,000,000,000 as shown here: https://nxtblocks.info/#section/blockexplorer_distribution

The first explorer is still very much active: http://nxtexplorer.com/



I was referring to this:

http://charts.nxtcrypto.org/cDistribution.aspx
https://web.archive.org/web/20140928121336/http://charts.nxtcrypto.org/charts/cDistribution.png

On the old site you could also see the exact amount of users' wallets in the 10 million to 100 million category.

This only reflected the amount of coins per wallet so even some of those few wallets at the top which contained between 10 million-100 million could have been held by the same individuals.

That site wasn't "taken down", but abandoned by the person running the charts.
Small difference, and you could not know that. Smiley
We're working on getting them back up. It's good info to have available.
hero member
Activity: 658
Merit: 501
So earlier, that Buterin had thoroughly studied the vulnerabilities and found PoS wanting made it clear to you that PoS had insufficient security.

Now, when you find out that Buterin has decided that PoS is the best option (but is dissuaded by others from using it), Buterin is clearly wrong despite his thorough study.

So there are probably no arguments or studies or science that could persuade you that PoS is secure, right? It's more of a faith thing, and we might as well be arguing evolution with right wing catholics, maybe?


First of all, we don't know if Buterin prefers TaPoS over PoW... I am simply open to evidence and am willing to admit it is plausible. The point still stands with Ethereum whether it comes from Gavin or Vitalik.

Secondly, as I have stated numerous times in this thread, I like TaPoS, and think it offers some security differences, benefits, and weaknesses to PoW and would like to see it integrated as a layer on top of Bitcoin for added security and other benefits.

Just because I can find critical flaws within PoS variants doesn't mean I see no security or benefits from such consensus mechanisms. I have been very critical of Bitcoin's weaknesses, PoW weaknesses, and Bitcoin companies throughout my post history.

I am not interested in trading one set of problems for another but rather discussing methods of strengthening crypto-currencies security and understanding inherent weaknesses.
full member
Activity: 237
Merit: 100
Source? As I understand it, he is still deciding between a PoS/PoW combo and full PoS.

 https://www.youtube.com/watch?v=qPsCGvXyrP4
More specifically, Ethereum will be a hashimoto dagger IO bound PoW consensus mechanism.
The latest under review is here under PoC7:

https://github.com/ethereum/cpp-ethereum/wiki
http://gavwood.com/Paper.pdf

He may use both however:
https://blog.ethereum.org/2015/01/10/light-clients-proof-stake/

Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW.


Quote from: inBitweTrust
Quote
From what I know Vitalik wants to go PoS, but Gavin Wood et al refuse to do anything other than PoW.
Interesting and plausible. Gavin is a wise man if so.

So earlier, that Buterin had thoroughly studied the vulnerabilities and found PoS wanting made it clear to you that PoS had insufficient security.

Now, when you find out that Buterin has decided that PoS is the best option (but is dissuaded by others from using it), Buterin is clearly wrong despite his thorough study.

So there are probably no arguments or studies or science that could persuade you that PoS is secure, right?
hero member
Activity: 658
Merit: 501
The original blockchain explorer reflected granularity from 10 million to 1,000,000,000 instead of 1 million to  1,000,000,000 as shown here: https://nxtblocks.info/#section/blockexplorer_distribution

The first explorer is still very much active: http://nxtexplorer.com/



I was referring to this:

http://charts.nxtcrypto.org/cDistribution.aspx
https://web.archive.org/web/20140928121336/http://charts.nxtcrypto.org/charts/cDistribution.png

On the old site you could also see the exact amount of users' wallets in the 10 million to 100 million category.

This only reflected the amount of coins per wallet so even some of those few wallets at the top which contained between 10 million-100 million could have been held by the same individuals.
legendary
Activity: 1092
Merit: 1010
The original blockchain explorer reflected granularity from 10 million to 1,000,000,000 instead of 1 million to  1,000,000,000 as shown here: https://nxtblocks.info/#section/blockexplorer_distribution

The first explorer is still very much active: http://nxtexplorer.com/

hero member
Activity: 658
Merit: 501

That is the article I linked to which indicates you can perform short range N@S attacks with 10% stake. When kushti published it he even admitted such:


- we have formally defined the nothing-at-stake attack (again, using Buterin's informal definition) and made initial simulations. We haven't included their results in the paper as they seem to be too raw, but I can reveal them here: the N@S attack could happen only in short range, e.g. within 20 blocks for 10% stake, so with 30 confirmations we haven't observed a successful attack. Also please note the attack has a pretty unpredictable nature for the attacker, so he can hardly enforce it, even in theory (in practice it's even harder to get it done properly). The correlation with stake size is still an open question, but it's nearly impossible to attack a proof-of-stake currency with "1% stake even" as stated by Buterin


I believe what is happening now is Nxt supporters are now suggesting N@S is impossible because they are interpreting "Nothing" literally and indicating only short range attacks are possible. If you want to play word games that is fine, let's call it a bear raid and short range attack combo.


From what I know Vitalik wants to go PoS, but Gavin Wood et al refuse to do anything other than PoW.

Interesting and plausible. Gavin is a wise man if so.
legendary
Activity: 826
Merit: 1002
amarha
From what I know Vitalik wants to go PoS, but Gavin Wood et al refuse to do anything other than PoW.
hero member
Activity: 574
Merit: 500
I like how the Nothing@Stake attack keeps mutating as time passes  Cheesy
legendary
Activity: 1225
Merit: 1000
hero member
Activity: 658
Merit: 501
... which would take about 5 seconds to verify. It's public info (in fact in the blockchain) and 3rd grade math. No user could have had close to 10% of the stake.

It is a premined ICO with only ~70 participants. The original blockchain explorer reflected granularity from 10 million to 100 million  instead of 1 million to  1,000,000,000 as shown here: https://nxtblocks.info/#section/blockexplorer_distribution

I was able to calculate that between 4-14 individuals control 51% stake in NxT at the time which indicates there could be a few people with over 10% stake. In fact it would be surprising that a couple of the developers didn't hold onto at least 10% of the premine.

No user could have had close to 10% of the stake.

How could you possibly know that?


This isn't a research paper refuting the previous work but just a statement just like below:


https://nxtforum.org/consensus-research/multibranch-forging-approach/?PHPSESSID=qi7nicmsk2cmc6ri87mtrstcd6

Quote
And I agree,  all Proof-o-Stake currencies share N@S concern. Even more, they share much more. So it will be cool to share research efforts as well.

Or are you just playing semantic games and claiming that a little effort is expended in performing a N@S attack therefore it technically shouldn't use the word "nothing"?
legendary
Activity: 1092
Merit: 1010
If you are speaking about the past years this simply isn't factual. PoS coins have almost all proven to be ICO scams or pump and dump opportunities.

This is true. I wondered if most ICO scams choose PoS variants because they cannot easily get network backing using PoW?

My guess would be that PoS is a useful "buzz word" that few people have actually researched, but that seems to be really cool.

Marketing 101. Smiley

It's one of the reasons I am glad research that is verifiable is finally being done. It's a lot harder to make claims when there are verifiable counter arguments around.
sr. member
Activity: 252
Merit: 250
You seemed to me to be somewhat defensive and reactionary. Are you upset that Nxt and Bitshares are losing ground and dying?

Because I like a good discussion it grinds my gears if someone pretends to engage in one, and then doesn't do the most minimal diligence - not even spending 2 seconds thinking. Posting links and completely misrepresenting what they say. It's disrespectful.
Or this stuff:

Buying one or two forging pools and one mining facility should totally do the job. I don't see how I miss costs there... those likely run profitable or close to.
Note how for a state actor all this would be in fact easy, undetectable - and basically free.

States are porous and leak secrets all the time. Most people in IT knew of the Snowden revelations years before he became a whistleblower.

...or diverting into completely unrelated topics, ignoring the issue.

The paper you linked doesn't say that. In the blog links you posted he doesn't say that. You're chasing me in circles with your fake references. I'll end responding.
In fact most of your links say: he leans towards POS (with checkpoints of several months of age), which you don't want to explain. You're not living up to your own standards.

I will concede he changes his mind often

Or concessions like that.
legendary
Activity: 1225
Merit: 1000
If you are speaking about the past years this simply isn't factual. PoS coins have almost all proven to be ICO scams or pump and dump opportunities.

This is true. I wondered if most ICO scams choose PoS variants because they cannot easily get network backing using PoW?
cough cough paycoin cough