Topic: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research) - page 4. (Read 15424 times)
January 17, 2015, 12:09:55 PM
January 17, 2015, 12:05:55 PM
If you are speaking about the past years this simply isn't factual. PoS coins have almost all proven to be ICO scams or pump and dump opportunities.
This is true. I wondered if most ICO scams choose PoS variants because they cannot easily get network backing using PoW?
January 17, 2015, 11:05:47 AM
Learn basic math.
Some common sense would also help: That block explorer probably showed the forging stake, not the coin ownership.
Some common sense would also help: That block explorer probably showed the forging stake, not the coin ownership.
It was coin distribution based upon the ICO.
Buying one or two forging pools and one mining facility should totally do the job. I don't see how I miss costs there... those likely run profitable or close to.
Note how for a state actor all this would be in fact easy, undetectable - and basically free.
Note how for a state actor all this would be in fact easy, undetectable - and basically free.
States are porous and leak secrets all the time. Most people in IT knew of the Snowden revelations years before he became a whistleblower.
The paper you linked doesn't say that. In the blog links you posted he doesn't say that. You're chasing me in circles with your fake references. I'll end responding.
In fact most your links say: he leans towards POS (which checkpoints of several months of age), which you don't want to explain. You're not living up to your own standards.
I will concede he changes his mind often but if you have been following the nuances of his papers and interviews you will see that he is not content with Slasher Ghost for security alone and is likely to include hashimoto dagger IO bound PoW.
I like TaPoS and think it should be added as an option to bitcoin. You seemed to me to be somewhat defensive and reactionary. Are you upset that Nxt and Bitshares are losing ground and dying?
January 17, 2015, 10:57:06 AM
But if you compare PoS coins versus non-bitcoin PoW coins over the last year, I'd expect PoS coins to come up on top.
If you are speaking about the past years this simply isn't factual. PoS coins have almost all proven to be ICO scams or pump and dump opportunities.
Well, I agree that some PoS algorithms are most likely much worse than PoW. I'm more interested in the potential of PoS, how secure it could be if best practices are followed. PoS is still growing up, Bitcoin is much further ahead in terms of protocol security.
I agree and would like a TaPoS layer or sidechain added to bitcoin as an option for added security.
January 17, 2015, 10:57:01 AM
Which paper? The papers say there is no viable 10% attack.
There also is no 10% whale or exchange in NXT - you crossing it out doesn't make a fact disappear, you know.
There also is no 10% whale or exchange in NXT - you crossing it out doesn't make a fact disappear, you know.
https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf
Dude, you're killing me. Reposting the link doesn't help if it doesn't contain what you're claiming.
We know that PoW would be easier to attack if you magically get a 10% stake - since that would likely buy you 51% of all mining.
Incorrect as you assume that markets aren't dynamic, ignoring the costs of electricity, ignoring the alarms raised from amassing such large amounts of asics , ignoring the cost of setting up and maintaining the equipment and doing so in secrecy, ect...
Buying one or two forging pools and one mining facility should totally do the job. I don't see how I miss costs there... those likely run profitable or close to.
Note how for a state actor all this would be in fact easy, undetectable - and basically free.
A small proof of work component is exactly what NXT does.
Again, it would help if you read what you link - would waste less of everyone's time.
Again, it would help if you read what you link - would waste less of everyone's time.
This has nothing to do with PoW consensus mechanisms. Next you are going to insinuate hashing itself is "work" thus one should consider all PoS to incorporate the PoW consensus mechanism.
I don't "insinuate" - it's a straight up fact: hashing is work. It has a difficulty - used as protection mechanism. You can't provide blocks for free.
Quote
If we must use your twisted definition of PoW than the point still stands: Why does Vitalik insist upon a much more inefficient version of PoW with a hashimoto dagger IO bound PoW consensus mechanism?
The paper you linked doesn't say that. In the blog links you posted he doesn't say that. You're chasing me in circles with your fake references. I'll end responding.
In fact most your links say: he leans towards POS (which checkpoints of several months of age), which you don't want to explain. You're not living up to your own standards.
January 17, 2015, 10:51:08 AM
If there is no fundamental reasons why PoW is better than PoS, then PoS will win out due to lower cost (imho).
Yet despite Bitcoin being in a death spiral of capitulation both Bitshares and Nxt have lost far more against bitcoin in the last year. Perhaps there are other factors that are far more prescient than the mining costs to secure the network?
I wouldn't say far more. There are more forces at work than mining cost, certainly. Bitcoin is the big daddy of crypto and in a world of it's own in terms of price and network effect. But if you compare PoS coins versus non-bitcoin PoW coins over the last year, I'd expect PoS coins to come up on top.
You understand that long range attacks have proven impossible in simulations. So if a bank buys a large chunk of coins and waits the required number of confirmations, then the previous owner cannot launch any attacks. Or am I misunderstanding your premise?
There are many different variants of PoS, and some of them are indeed susceptible to long range attacks. Stop generalizing.
(Edited to remove something I was wrong about.)
January 17, 2015, 10:40:54 AM
Could you describe attack scenario in details? After reproducing it in simulation we would like to pay you pretty good bounty 
please elaborate on the details of the bounty
writing a white-paper quality explanation is a time consuming task
No WP quality needed, just step-by-step instructions. And why should I trust you made successful attack on Apexcoin? Please provide proof of that then we can start talk about the details
January 17, 2015, 10:34:52 AM
I am talking about a situation where first a contract is signed where the whole bank is being sold including the stash of coins in their possession. A month later the actual change of ownership of the whole bank happens when new owner gets his personnel to take over. During that month the previous owner still has complete control of the bank but he has nothing to lose if the coins in the banks possession collapse in value. He still can transfer the 100 million coins to the new owner of the bank a month later like it says on the contract and he could not care less whether the coins have value or not.
Note that there does not have to be an actual attack. All that is needed is market to know that a big bank is changing ownership and the whole market knows that the stability of the whole economy is hanging by a thread during this month. Maybe somebody else sees this as an perfect opportunity to perform an actual attack and they also do not need to be nothing else than big nasty rumours that cause panic.
Note that there does not have to be an actual attack. All that is needed is market to know that a big bank is changing ownership and the whole market knows that the stability of the whole economy is hanging by a thread during this month. Maybe somebody else sees this as an perfect opportunity to perform an actual attack and they also do not need to be nothing else than big nasty rumours that cause panic.
Ok, you are referring to a bank that has 10%+ of coins. This should not happen much/at all in a flourishing PoS economy. However, if this is happening, and the market knows the possible problems, the buyer can yet put specifications on his sale such as seller destroying the assets prior to the sale can invalidate the sale.
January 17, 2015, 10:22:31 AM
January 17, 2015, 10:21:14 AM
yes
January 17, 2015, 10:19:15 AM
I think what ThomasVeil was hinting at is that the amount of work required to forge on all possible chains grows exponentially over time.
Research Paper correcting/revising the one I cited?
January 17, 2015, 10:18:20 AM
I think what ThomasVeil was hinting at is that the amount of work required to forge on all possible chains grows exponentially over time.
January 17, 2015, 10:09:56 AM
Which paper? The papers say there is no viable 10% attack.
There also is no 10% whale or exchange in NXT - you crossing it out doesn't make a fact disappear, you know.
There also is no 10% whale or exchange in NXT - you crossing it out doesn't make a fact disappear, you know.
https://github.com/ConsensusResearch/articles-papers/blob/master/multistrategy/multistrategy.pdf
A previous block explorer, now taken down in favor of one with less granularity, showed that between 4-14 members controlled over 51% of the Nxt stake.
Not sure what you mean with "we".
We know that PoW would be easier to attack if you magically get a 10% stake - since that would likely buy you 51% of all mining.
We know that PoW would be easier to attack if you magically get a 10% stake - since that would likely buy you 51% of all mining.
Incorrect as you assume that markets aren't dynamic, ignoring the costs of electricity, ignoring the alarms raised from amassing such large amounts of asics , ignoring the cost of setting up and maintaining the equipment and doing so in secrecy, ect...
A small proof of work component is exactly what NXT does.
Again, it would help if you read what you link - would waste less of everyone's time.
Again, it would help if you read what you link - would waste less of everyone's time.
This has nothing to do with PoW consensus mechanisms. Next you are going to insinuate hashing itself is "work" thus one should consider all PoS to incorporate the PoW consensus mechanism. If we must use your twisted definition of PoW than the point still stands: Why does Vitalik insist upon a much more inefficient version of PoW with a hashimoto dagger IO bound PoW consensus mechanism?
January 17, 2015, 10:01:29 AM
I highlighted the key word for you.
Yes, if you're simply already owning a stake of a sizethat never existed in NXT - and you additionally simply scam yourself into 41% more - and then simply buy 100% of all that value in shorts, and then simply gain another 30% so you cover your costs. Then you can attack.
Why did no one think of that before?
Yes, if you're simply already owning a stake of a size
Why did no one think of that before?
10% is needed for an attack. Re-read the research paper sir. None of that 10% needs to be owned either as we have discussed.
Which paper? The papers say there is no viable 10% attack.
There also is no 10% whale or exchange in NXT - you crossing it out doesn't make a fact disappear, you know.
Clearly you didn't because you still don't even know what the term "nothing" means.
You also understand that in physics "nothing" does not have the same connotation as within philosophy?
Physics? Really? I hope you're just kidding.
https://blog.ethereum.org/2015/01/10/light-clients-proof-stake/
Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW.
Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW.
A small proof of work component is exactly what NXT (and Blackcoin... and others) do.
Again, it would help if you read what you link - would waste less of everyone's time.
January 17, 2015, 09:50:00 AM
Can you explain this, please. An attack happens, someone generates an incorrect chain of 20 blocks. Now, everyone waits for 30 confirmations, so they then see that the fork is invalid and no one accepts an transactions. Why is a rollback or hardfork required?
The consensus algo is what accepts the fork and this is where the weak subjectivity of the users and or developers would need to step in and correct the invalid fork. This has its own set of problems.
I believe Nxt requires a single SHA256 hash for each block. So it already has an element of PoW as suggested there.
This has nothing to do with PoW consensus mechanisms. Next you are going to insinuate hashing itself is "work" thus one should consider all PoS to incorporate the PoW consensus mechanism.
If there is no fundamental reasons why PoW is better than PoS, then PoS will win out due to lower cost (imho).
Yet despite Bitcoin being in a death spiral of capitulation both Bitshares and Nxt have lost far more against bitcoin in the last year. Perhaps there are other factors that are far more prescient than the mining costs to secure the network?
You understand that long range attacks have proven impossible in simulations. So if a bank buys a large chunk of coins and waits the required number of confirmations, then the previous owner cannot launch any attacks. Or am I misunderstanding your premise?
There are many different variants of PoS, and some of them are indeed susceptible to long range attacks. Stop generalizing.
January 17, 2015, 09:38:15 AM
I am talking about a situation where first a contract is signed where the whole bank is being sold including the stash of coins in their possession. A month later the actual change of ownership of the whole bank happens when new owner gets his personnel to take over. During that month the previous owner still has complete control of the bank but he has nothing to lose if the coins in the banks possession collapse in value. He still can transfer the 100 million coins to the new owner of the bank a month later like it says on the contract and he could not care less whether the coins have value or not.
Note that there does not have to be an actual attack. All that is needed is market to know that a big bank is changing ownership and the whole market knows that the stability of the whole economy is hanging by a thread during this month. Maybe somebody else sees this as an perfect opportunity to perform an actual attack and they also do not need to be nothing else than big nasty rumours that cause panic.
Note that there does not have to be an actual attack. All that is needed is market to know that a big bank is changing ownership and the whole market knows that the stability of the whole economy is hanging by a thread during this month. Maybe somebody else sees this as an perfect opportunity to perform an actual attack and they also do not need to be nothing else than big nasty rumours that cause panic.
January 17, 2015, 09:33:53 AM
I'm incredulous about it being easy/cheap to get 10% of a stake of a well functioning coin. If you can get 10% of a stake without buying and want to profit from it, the easiest way is not to give back the 10%, and sell the coins on the market.
In PoS economy it is very risky to buy a big bank or exchange business from its previous owner. Think about a situation where the owner of a bank/exchange with big stash of customer coins in their possession has decided that he is more a risktaker entrepenour type of person instead of a person that runs an established mature business and he wants to cash out and start over from scratch and take new risks on some other competing emerging new kind of coin. Quite natural event that I guarantee is going to happen thousands of times.
You understand that long range attacks have proven impossible in simulations. So if a bank buys a large chunk of coins and waits the required number of confirmations, then the previous owner cannot launch any attacks. Or am I misunderstanding your premise?
January 17, 2015, 09:30:47 AM
20 Blocks , not confirmations. The attack would have still occurred whether you wait for more confirmations or not. waiting for 30 confirmations simply means that you could avoid participating in an illegitimate transaction, but the attack still occurred. 20 blocks is merely the window the attack needs to occur in for NxT, once the attack occurs the network will need to perform a hardfork, or rollback the blockchain to recover which has its own set of problems.
Can you explain this, please. An attack happens, someone generates an incorrect chain of 20 blocks. Now, everyone waits for 30 confirmations, so they then see that the fork is invalid and no one accepts an transactions. Why is a rollback or hardfork required?
"Hence, it may make sense for a proof of stake algorithm to still require a small amount of proof of work on each block, ensuring that an attacker must spend some computational effort in order to even slightly inconvenience light clients."
I believe Nxt requires a single SHA256 hash for each block. So it already has an element of PoW as suggested there.
Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW.
I know the initial intention of ethereum was to be mainly PoW, but with every blog post, Vitalik seems to embrace PoS more, so I'll be interested to see what the final version comes out with. With his last few posts, he seems to find very few problems with PoS (he learned to love weak subjectivity). I guess some others in ethereum might have different views to Buterin.
So I take the fact that Buterin, and now kushti/andruiman have taken a thorough look at PoS and they are seeing problems, sure, but also seeing solutions to those. If there is no fundamental reasons why PoW is better than PoS, then PoS will win out due to lower cost (imho). So I'm hoping that investigations into PoS continue, and that better solutions emerge, whether it be a stronger PoS algo, a PoS/PoW combo or a TaPoS addition.
January 17, 2015, 09:25:24 AM
I'm incredulous about it being easy/cheap to get 10% of a stake of a well functioning coin. If you can get 10% of a stake without buying and want to profit from it, the easiest way is not to give back the 10%, and sell the coins on the market.
These things are not mutually exclusive. The selling that you brought up to discussion could be one part of the plan. Actually I think the selling of the coins is going to be prominent part of most of the attacks. Let me remind that selling of a big stash usually does not happen instantenously when talking about a large stash like 10%. There is quite typically first a contract signed that there is going to be a sale and some time after that the coins actually change owners.
The period between signing the contract of the sale and the actual transfer of the coins is a perfect place to attack the coin where the seller has nothing to lose and in many cases quite a lot of to win by doing so. And there are situations where the timegap between those events is naturally quite long like months. A well functioning monetary system allows all kinds of transactions including ones where somebody can buy a big stash of coins in such a way for example in a situation where a whole bank/exchange business is up for a sale.
In PoS economy it is very risky to buy a big bank or exchange business from its previous owner. Think about a situation where the owner of a bank/exchange with big stash of customer coins in their possession has decided that he is more a risktaker entrepenour type of person instead of a person that runs an established mature boring business and he wants to cash out and start over from scratch and take new risks on some other competing emerging new kind of coin. Quite natural event that I guarantee is going to happen thousands of times.
January 17, 2015, 08:48:55 AM
I'm incredulous about it being easy/cheap to get 10% of a stake of a well functioning coin. If you can get 10% of a stake without buying and want to profit from it, the easiest way is not to give back the 10%, and sell the coins on the market.
If you have the resources to get 10% of a PoS coin, often the price to buy enough hashrate to control a PoW coin is much less than 10%. I don't see how the incentives are drastically different. Usually owning a coin gives more incentive to not damage the coin than owning hardware does. For example, say bitcoin falls more, and lots of bitcoin mining rigs get shut off. Someone who doesn't own any bitcoin, and has lots of unprofitable bitcoin miners could just launch an attack at very low cost. Maybe put money on some shorts on bitfinex to offset the cost of electricity while attacking.
If you have the resources to get 10% of a PoS coin, often the price to buy enough hashrate to control a PoW coin is much less than 10%. I don't see how the incentives are drastically different. Usually owning a coin gives more incentive to not damage the coin than owning hardware does. For example, say bitcoin falls more, and lots of bitcoin mining rigs get shut off. Someone who doesn't own any bitcoin, and has lots of unprofitable bitcoin miners could just launch an attack at very low cost. Maybe put money on some shorts on bitfinex to offset the cost of electricity while attacking.
Banks and exchanges already have far greater than 10% stake for certain PoS coins right now. I am not discussing a hypothetical. It is also likely that a few Nxt users have over 10% stake.
Source? As I understand it, he is still deciding between a PoS/PoW combo and full PoS.
https://www.youtube.com/watch?v=qPsCGvXyrP4
More specifically, Ethereum will be a hashimoto dagger IO bound PoW consensus mechanism.
The latest under review is here under PoC7:
https://github.com/ethereum/cpp-ethereum/wiki
http://gavwood.com/Paper.pdf
He may use both however:
https://blog.ethereum.org/2015/01/10/light-clients-proof-stake/
Whether he uses straight PoW or PoW/TaPoS the point to consider is that he has thoroughly studied the vulnerabilities within PoS variations and deems them to have insufficient security alone without PoW.
So just extend the number of confirmations to 30, then short range attack becomes impossible. (6 confirmations on bitcoin is an hour, so a shorter block PoS coin would still take less time than bitcoin confirmation)
20 Blocks , not confirmations. The attack would have still occurred whether you wait for more confirmations or not. waiting for 30 confirmations simply means that you could avoid participating in an illegitimate transaction, but the attack still occurred. 20 blocks is merely the window the attack needs to occur in for NxT, once the attack occurs the network will need to perform a hardfork, or rollback the blockchain to recover which has its own set of problems.
--------------------------------------------------------------------------------
TaPoS can be used with PoW to improve the security of Bitcoin like one example I provided:
Sidechain or not. No need for burning bitcoins, as someone could simply create a TaPoS blockchain that mirrored and synced the distribution of BTC and than have a wallet acknowledge both blockchains but have the TaPoS layer hidden where only BTC is used and the TaPoS layer acts to add another form of security that could have 1-30 second confirmation times in addition to PoW 10 min confirmation times.
I.E... pay for a cup of Coffee the confirmations start rolling in this way:
TaPoS 1 second confirmation, TaPoS 3 second confirmation, TaPoS 5 second confirmation, TaPoS 10 second confirmation, TaPoS 30 second confirmation, TaPoS 1 min confirmation, TaPoS 3min confirmation, TaPoS 5 min confirmation,TaPoS 7min confirmation, PoW Bitcoin 1st confirmation ~10min, TaPoS 13min confirmation, ect...
This would allow you to have instant confirmations and better security because now you are trusting full nodes and miners and you could detect a PoW 51% attack if the TaPoS confirmations weren't confirming while the PoW confirmations were.
You wouldn't even need a softfork or hardfork to accomplish this, just a TapoS blockchain and a wallet that acknowledged it.
I.E... pay for a cup of Coffee the confirmations start rolling in this way:
TaPoS 1 second confirmation, TaPoS 3 second confirmation, TaPoS 5 second confirmation, TaPoS 10 second confirmation, TaPoS 30 second confirmation, TaPoS 1 min confirmation, TaPoS 3min confirmation, TaPoS 5 min confirmation,TaPoS 7min confirmation, PoW Bitcoin 1st confirmation ~10min, TaPoS 13min confirmation, ect...
This would allow you to have instant confirmations and better security because now you are trusting full nodes and miners and you could detect a PoW 51% attack if the TaPoS confirmations weren't confirming while the PoW confirmations were.
You wouldn't even need a softfork or hardfork to accomplish this, just a TapoS blockchain and a wallet that acknowledged it.