
Topic: Nothing at stake robust Pure Proof of stake - page 2. (Read 5365 times)

newbie
Activity: 15
Merit: 0
November 26, 2014, 07:47:55 AM
#23
If a Trojan horse in the github repo is the source of the attack vulnerability, then bitcoin is just as vulnerable.
It's not worth discussing this issue further because it has no theoretical content. 
hero member
Activity: 718
Merit: 545
November 26, 2014, 06:48:47 AM
#22
Trust.

BUT - he is saying that's no problem.

I disagree.

Do you have any reason for disagreeing, or just stubbornness? In my paper on the Decrits consensus algorithm, I called it common sense, because that's exactly what it is -- not trust. In bitcoin, in lieu of common sense, you have an algorithm that will idiotically allow anyone with enough hash power to commit fraud against you. To reduce the likelihood of this fraud, hundreds of millions and what will eventually be billions of dollars of wasted electricity and capital must be spent annually to make it more difficult. In stake algorithms, you have virtually no cost to protect against this, you must only rely on the user to be modestly aware of what millions or billions of other people who were watching the network think is the correct chain of events, and this is only if you specifically are being targeted for fraud. And how are you being targeted if you aren't even watching the network?

And with the DCA I even solved the problem so that you don't have to even use common sense if you haven't monitored the network recently -- except if a massive, one-time attack has occurred in the mean time. And again, it only matters if you were being targeted. Unlikely that you would part with a massive amount of goods without monitoring the network, though.

Etlase2! (That is you?) hello..

Love that you're still plugging Decrits.

As for this POS/POW conundrum, I am realising that this is a psychological/philosophical argument. Mathematically some people will not be swayed - on both sides.

POS systems need a startup value to initialise (basically). That's fine. But where this 'number' comes from, always troubles me. Average Joe User will not be anywhere near it. His software client will deal with it, and that will come from some github repo that someone else has compiled. Probably the same main repo most people use. That is the weak link and where the eventual attack will come IMHO.

And that's about it. However you wrap it up, some of us find that discomforting just as some find POW untenable.

You cannot hack a POW chain in this way. The chain itself is INDEPENDENT of the software, unlike POS systems. POW chains can be compared to another POW chain on its own merits/work.

I'm thinking that eventually the attack on POS will come from a large POW stake holder. Sort of like currency wars. One coin attacking another.

Sounds exciting.
 
newbie
Activity: 15
Merit: 0
November 26, 2014, 03:00:03 AM
#21
What do you guys think of Staked Proof of Work? https://docs.google.com/document/d/1LzY_dQz4jVDrHZq6BawSzT9rNRx_CaZou_fpEcu6CU4/edit?usp=sharing (ignore the Polychains part - that is really a separate technology).
That document is very short on specifics, which is a negative signal. It seems to be some form of mixed proof of stake / proof of work.
If you go that route (and it is a sensible route IMO), then iddo et al.'s proof of activity seems like a better choice.
See the link I provided in a previous post.
Note: There is no currently released coin using iddo et al.'s system.

sr. member
Activity: 252
Merit: 250
Uro: 1 URO = 1 metric tonne of Urea N46 fertilizer
November 26, 2014, 01:18:55 AM
#20
What do you guys think of Staked Proof of Work? https://docs.google.com/document/d/1LzY_dQz4jVDrHZq6BawSzT9rNRx_CaZou_fpEcu6CU4/edit?usp=sharing (ignore the Polychains part - that is really a separate technology).
newbie
Activity: 15
Merit: 0
November 25, 2014, 09:42:06 PM
#19
One simple way of thinking about this is as follows.

1) Fork the current bitcoin blockchain to produce a genesis block with diffuse ownership. Call the genesis block, block 0.
2) Order all satoshi in the genesis block from 1 to N, where N is the total number of satoshi.
3) Allow satoshi that have never moved since genesis to mint blocks.
4) All nodes agree on the current minute. If not, then replace minute in what follows with some larger unit of time that all nodes can agree on.
5) Satoshi 1 can build a block during the first minute since genesis. Call this block 1.
    Satoshi 2 can build a block during the second minute since genesis. (provided it didn't move in block 1)
    Satoshi 3 can build a block during the third minute since genesis. (provided it didn't move in blocks 1 or 2)
    Satoshi 4 can build a block during the fourth minute since genesis. (provided it didn't move in blocks 1, 2, or 3)
    ...
6) If Satoshi x mints a block on one chain at minute x and sends a txn on a fork at a time x-t, where t>=0, then this satoshi is blacklisted. To verify this, we can require that txn include a block number y and prohibit inclusion of txns in a block minted by satoshi x when y
7) If Satoshi x mints blocks on multiple chains at minute x, then this satoshi is blacklisted.
8) Given a comparison set of competing chains U, define the value of a specific blockchain, u in U, as V(u). Compute V(u) as
V(u) = the total number of blocks on blockchain u - the number of blocks on blockchain u minted by blacklisted satoshi
9) Whichever blockchain has the highest V(u) is the main chain.

I claim that, as long as at least one minting satoshi is not blacklisted, this system generates a long-run consensus.

We can think about incentives to avoid blacklisting and ways of replenishing the set of minting satoshis later.
The point is that there is a well-defined consensus here. There is no nothing@stake problem because anyone who attempts to use a minting satoshi for multiple purposes gets ignored during chain selection.    

Note: if you want to know if Vitalik 'agrees' with this, then you should ask him to read the specific statement written above.
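A toy simulation of the rules in #19, added here as an illustration and not code from the post or its author. It models a comparison set U of two chains (an honest chain and an attacker's fork), applies rules 6 and 7 to build the blacklist, scores each chain with V(u) from rule 8 and picks the winner per rule 9. The block ids, the `spends` field and the sample chains are my own modelling assumptions; satoshis 20 and 21 are ordinary payments used only to make the two hedged blocks at minute 4 differ in content.

```python
"""Toy model of the chain-selection rule sketched in post #19: minute-indexed
satoshi minting, blacklisting of satoshis used on more than one chain, and the
V(u) score. Added example with constructed data, not code from the thread;
block ids and the `spends` field are my modelling assumptions."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Block:
    minute: int                           # minute since genesis (rule 4)
    minter: int                           # satoshi that minted the block (rule 5)
    spends: FrozenSet[int] = frozenset()  # satoshis moved by txns in this block


Chain = List[Block]


def block_ids(chain: Chain) -> List[str]:
    """Hash-chain ids: equal-content blocks on different parents differ,
    while a shared prefix yields identical ids on every chain."""
    prev, ids = "genesis", []
    for b in chain:
        payload = f"{prev}|{b.minute}|{b.minter}|{sorted(b.spends)}".encode()
        prev = hashlib.sha256(payload).hexdigest()
        ids.append(prev)
    return ids


def valid_chain(chain: Chain) -> bool:
    """Rules 3 and 5: satoshi x mints only at minute x, and only if it has not
    moved earlier on this chain; minutes strictly increase (missed slots allowed)."""
    moved: Set[int] = set()
    last = 0
    for b in chain:
        if b.minute <= last or b.minter != b.minute or b.minter in moved:
            return False
        moved |= b.spends
        last = b.minute
    return True


def blacklist(chains: List[Chain]) -> Set[int]:
    """Rules 6 and 7, evaluated over the whole comparison set U."""
    if not all(valid_chain(c) for c in chains):
        raise ValueError("comparison set contains an invalid chain")
    mint_blocks: Dict[int, Set[str]] = {}         # satoshi -> ids of blocks it minted
    mint_chains: Dict[int, List[Set[str]]] = {}   # satoshi -> id sets of chains it minted on
    spent: Dict[int, List[Tuple[str, int]]] = {}  # satoshi -> (block id, minute) it moved in
    for chain in chains:
        ids = block_ids(chain)
        for b, bid in zip(chain, ids):
            mint_blocks.setdefault(b.minter, set()).add(bid)
            mint_chains.setdefault(b.minter, []).append(set(ids))
            for s in b.spends:
                spent.setdefault(s, []).append((bid, b.minute))
    bad: Set[int] = set()
    for s, bids in mint_blocks.items():
        if len(bids) > 1:                 # rule 7: distinct blocks at minute s on two chains
            bad.add(s)
            continue
        for chain_ids in mint_chains[s]:  # rule 6: moved on a fork at a minute <= s
            if any(bid not in chain_ids and minute <= s
                   for bid, minute in spent.get(s, [])):
                bad.add(s)
    return bad


def value(chain: Chain, bad: Set[int]) -> int:
    """V(u) from rule 8: total blocks minus blocks minted by blacklisted satoshis."""
    return sum(1 for b in chain if b.minter not in bad)


def select(chains: List[Chain]) -> int:
    """Rule 9: index of the chain with the highest V(u)."""
    bad = blacklist(chains)
    scores = [value(c, bad) for c in chains]
    return scores.index(max(scores))


def scenario() -> Tuple[Chain, Chain]:
    """Constructed data: honest chain vs. an attacker fork diverging after minute 3.
    Satoshis 4 and 7 hedge (mint on both), 8 and 10 are attacker coins that
    already moved on the main chain, 11 and 12 are clean sleeper coins."""
    shared = [Block(1, 1), Block(2, 2), Block(3, 3)]
    main = shared + [
        Block(4, 4, frozenset({20})),     # hedger; ordinary payment of satoshi 20
        Block(5, 5, frozenset({8, 10})),  # attacker's satoshis 8 and 10 move on main
        Block(6, 6),
        Block(7, 7),                      # hedger
        Block(9, 9),                      # slot 8 unused on main
    ]
    fork = shared + [
        Block(4, 4, frozenset({21})),     # hedger's second block, different content
        Block(7, 7),                      # hedger
        Block(8, 8), Block(10, 10),       # dirty: moved on main at minute 5 <= 8, 10
        Block(11, 11), Block(12, 12),     # clean sleeper coins
    ]
    return main, fork


if __name__ == "__main__":
    main, fork = scenario()
    bad = blacklist([main, fork])
    print("blacklisted:", sorted(bad))                                # [4, 7, 8, 10]
    print("raw length main/fork:", len(main), len(fork))              # 8 9
    print("V(main), V(fork):", value(main, bad), value(fork, bad))    # 6 5
    print("selected:", ["main", "fork"][select([main, fork])])        # main
```

The fork is longer by raw block count (9 vs 8), but the hedgers' blocks are discounted on both chains and the attacker's two blocks minted with coins that had already moved on the main chain are discounted by rule 6, so the honest chain wins 6 to 5. Only the attacker's genuinely clean sleeper coins count for the fork, which is the "majority of clean satoshis" condition described later in the thread.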
newbie
Activity: 15
Merit: 0
November 25, 2014, 09:25:27 PM
#18
Hi benjamin_bit

Are you linked to Kushti and his PoS working group?
No, I'm following that, but I don't have time to participate in a group at this point.
Ix
full member
Activity: 218
Merit: 128
November 25, 2014, 01:08:35 PM
#17
Trust.

BUT - he is saying that's no problem.

I disagree.

Do you have any reason for disagreeing, or just stubbornness? In my paper on the Decrits consensus algorithm, I called it common sense, because that's exactly what it is -- not trust. In bitcoin, in lieu of common sense, you have an algorithm that will idiotically allow anyone with enough hash power to commit fraud against you. To reduce the likelihood of this fraud, hundreds of millions and what will eventually be billions of dollars of wasted electricity and capital must be spent annually to make it more difficult. In stake algorithms, you have virtually no cost to protect against this, you must only rely on the user to be modestly aware of what millions or billions of other people who were watching the network think is the correct chain of events, and this is only if you specifically are being targeted for fraud. And how are you being targeted if you aren't even watching the network?

And with the DCA I even solved the problem so that you don't have to even use common sense if you haven't monitored the network recently -- except if a massive, one-time attack has occurred in the mean time. And again, it only matters if you were being targeted. Unlikely that you would part with a massive amount of goods without monitoring the network, though.
hero member
Activity: 574
Merit: 500
November 25, 2014, 01:00:29 PM
#16
Hi benjamin_bit

Are you linked to Kushti and his PoS working group?
hero member
Activity: 718
Merit: 545
November 25, 2014, 12:40:06 PM
#15
Err.. So Vitalik agrees.

'...the solution is simple: the first time they sign up, and every time they stay offline for a very very long time, they need only get a recent block hash from a friend, a blockchain explorer, or simply their software provider, and paste it into their blockchain client as a "checkpoint".'

Trust.

BUT - he is saying that's no problem.

I disagree.

legendary
Activity: 1225
Merit: 1000
November 25, 2014, 10:57:33 AM
#14
Some good arguments by Vitalik:

https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/

N@S seems like an urban legend.
full member
Activity: 154
Merit: 100
November 25, 2014, 10:33:52 AM
#13


Finally about attacks. To execute a double-spending attack you would set aside a majority of 'clean' sleeper coins. You could not mine or spend these sleeper coins on the main chain. Once they are used for mining or spent, then they become useless for attack purposes. You would then reveal the sleeper coins all in one go by mining on an attack chain. This only works if you control a majority of 'clean satoshis', so that you can overtake the main chain as a solo miner. It is essentially a legitimate exercise of authority associated with 51% ownership. It is intended behavior.  
You are right though that you can use past ownership of coins to swing things in your favor to some degree. Essentially, you would want to taint as many coins as possible to increase the influence of your clean coins. Unless you have handled 100% of satoshis over the chain's lifespan, however, you can't taint every single satoshi out there.

As soon as an attack on the network happens (which must happen eventually for any alt to be viable, tried and tested), the only problem is that transaction processing is hindered and people choose to put the processing on hold. While this in itself can be very bad for business, the coins as they exist now in the network are STILL THERE and not lost in any way.
In the long run a 51% attack will help strengthen the network and causes NO PROBLEMS for coins already confirmed in wallets.
legendary
Activity: 952
Merit: 1000
Yeah! I hate ShroomsKit!
November 25, 2014, 10:15:56 AM
#12
The only way I know of choosing the 'valid' chain, if you can call it that, is by centralised checkpoints..

I disagree.

We both disagree.
legendary
Activity: 1225
Merit: 1000
November 25, 2014, 03:42:26 AM
#11
The only way I know of choosing the 'valid' chain, if you can call it that, is by centralised checkpoints..

I disagree.
hero member
Activity: 718
Merit: 545
November 25, 2014, 03:34:35 AM
#10
No, I don't use the old addresses. No extra coins.

They're new users. Don't have to convince them.

I do give most old users their balance back though so they don't mind which chain.

Keep the rest..
newbie
Activity: 15
Merit: 0
November 24, 2014, 09:33:48 PM
#9
What if I created my own genesis block, with new accounts I have access to?

And a small botnet loyal to me. Playing along with the network.

How would a new user know my chain vs the original?
As in bitcoin, you would have to convince users to download a new client that allows more coins in the genesis block.
The botnet wouldn't help you in anyway.
hero member
Activity: 718
Merit: 545
November 24, 2014, 05:25:44 PM
#8
What if I created my own genesis block, with new accounts I have access to?

And a small botnet loyal to me. Playing along with the network.

How would a new user know my chain vs the original?
Ix
full member
Activity: 218
Merit: 128
November 24, 2014, 04:52:53 PM
#7
Click my signature if you'd like to see my take on the solution.
newbie
Activity: 15
Merit: 0
November 24, 2014, 01:42:03 PM
#6
Inputs that provide conflicting signatures can be blacklisted using an approach analogous to colored coins.  


So a previous owner of a coin will always have the power to burn the coin, no matter where and when it is sent. If the time is long enough even a single satoshi may taint a huge amount of coins. He may profit through a leveraged short before the attack.
Yes, exactly.
However,
1) If you restrict txns to map no more than one input to each output, then you cannot use a satoshi to taint a huge amount of coins. Essentially this restriction implies that there is nothing prunable in the blockchain. If you do this, x satoshi inputs would taint exactly x satoshi outputs, no more and no less.  [I added this to the list of necessary mods to PoA].

2) Taint is not burning the coin. It affects the algorithm used to compare competing candidate chains. It does not affect eligibility for minting rewards, txn rules, etc. It only comes into play when multiple competing chains are present. Under normal circumstances, it has no effect on behavior. [It could, but I haven't said that it does. If we allow such effects, it would be necessary to be very careful to limit their potential impact.] I think tainted coins would trade at parity with untainted coins. Who cares enough about voting on the winning chain to pay extra for the privilege of having their vote counted?

3) If you use a fully deterministic system related to Nxt's proposed transparent forging, then you can limit risk of taint to a very small number of coins. Essentially you could limit risk of taint to single satoshis if you allow for 100% deterministic mining.  

My plan is to go on to specific details on (3) after questions on the thread die down. Maybe tomorrow or the day after that.
I think you are a nxt developer, so you might find this interesting.

Finally about attacks. To execute a double-spending attack you would set aside a majority of 'clean' sleeper coins. You could not mine or spend these sleeper coins on the main chain. Once they are used for mining or spent, then they become useless for attack purposes. You would then reveal the sleeper coins all in one go by mining on an attack chain. This only works if you control a majority of 'clean satoshis', so that you can overtake the main chain as a solo miner. It is essentially a legitimate exercise of authority associated with 51% ownership. It is intended behavior.  
You are right though that you can use past ownership of coins to swing things in your favor to some degree. Essentially, you would want to taint as many coins as possible to increase the influence of your clean coins. Unless you have handled 100% of satoshis over the chain's lifespan, however, you can't taint every single satoshi out there.
newbie
Activity: 15
Merit: 0
November 24, 2014, 01:22:37 PM
#5
Since you brought up the relationship between this idea and other research, one very simple way of describing my idea is through reference to PoA a la iddo et al.
http://eprint.iacr.org/2014/452.pdf
PoA is a mixed proof of work/proof of stake system. See the linked paper for details.

The only modifications necessary to incorporate my rules are:
1) Prohibit reuse of public keys
2) The criterion for blockchain selection is to select the chain with the max summed difficulty, where summation of difficulty is over blocks at height t that are signed exclusively by satoshis in the set Zt.

Edit:
3) Restrict txns to map no more than one input to each output. Essentially this restriction implies that there is nothing prunable in the blockchain.

Rules (1) and (3) are intended to prevent intentional blacklisting of other people's coins.
legendary
Activity: 1792
Merit: 1111
November 24, 2014, 01:13:33 PM
#4
Inputs that provide conflicting signatures can be blacklisted using an approach analogous to colored coins.  


So a previous owner of a coin will always have the power to burn the coin, no matter where and when it is sent. If the time is long enough even a single satoshi may taint a huge amount of coins. He may profit through a leveraged short before the attack.
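A small UTXO model of the taint concern raised in #4 and the "one input per output" restriction proposed as rule (3) in #6, added here as an illustration and not code from either poster. It propagates taint colored-coin style (an output is tainted if any input funding it is tainted), shows one tainted satoshi merged into a 1000-satoshi output contaminating all 1000 when merging is allowed, and shows that with the restriction enforced the merging transaction is rejected and a split transaction carries exactly one tainted satoshi forward. The `Utxo`/`Tx` shapes and the sample transactions are my own constructions; fees are ignored.

```python
"""Taint propagation with and without the "one input per output" rule from
post #6, illustrating the concern raised in post #4. Added example with
constructed transactions, not code from the thread; the UTXO and taint
representation is my own modelling assumption."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Utxo:
    amount: int     # satoshis
    tainted: bool   # an upstream owner produced conflicting signatures (post #4/#6)


@dataclass
class Tx:
    inputs: List[str]                     # ids of the utxos consumed
    outputs: List[Tuple[int, List[int]]]  # (amount, indices of the inputs funding it)


def one_input_per_output(tx: Tx, utxos: Dict[str, Utxo]) -> bool:
    """Post #6 rule (3): each output is funded by exactly one input, and each
    input is split exactly over its outputs (fees ignored in this toy)."""
    if any(len(src) != 1 for _, src in tx.outputs):
        return False
    funded = [0] * len(tx.inputs)
    for amount, (i,) in tx.outputs:
        funded[i] += amount
    return funded == [utxos[u].amount for u in tx.inputs]


def apply_tx(tx: Tx, utxos: Dict[str, Utxo], txid: str, enforce: bool) -> Dict[str, Utxo]:
    """Consume inputs and create outputs. Colored-coin style: an output is
    tainted if any input that funds it is tainted. Mutates and returns utxos."""
    if enforce and not one_input_per_output(tx, utxos):
        raise ValueError("output funded by more than one input, or amounts do not match")
    ins = [utxos.pop(u) for u in tx.inputs]
    for n, (amount, src) in enumerate(tx.outputs):
        utxos[f"{txid}:{n}"] = Utxo(amount, any(ins[i].tainted for i in src))
    return utxos


def tainted_supply(utxos: Dict[str, Utxo]) -> int:
    """Total satoshis currently carrying taint."""
    return sum(u.amount for u in utxos.values() if u.tainted)


def fresh() -> Dict[str, Utxo]:
    """Constructed starting set: one tainted satoshi and 999 clean ones."""
    return {"a": Utxo(1, True), "b": Utxo(999, False)}


# Merging tx: a single 1000-satoshi output drawing on both inputs.
MERGE = Tx(inputs=["a", "b"], outputs=[(1000, [0, 1])])
# Splitting tx: every output traces back to exactly one input.
SPLIT = Tx(inputs=["a", "b"], outputs=[(1, [0]), (500, [1]), (499, [1])])


def compare() -> Tuple[int, int]:
    """Tainted supply after MERGE with merging allowed vs. SPLIT under the rule."""
    unrestricted = tainted_supply(apply_tx(MERGE, fresh(), "t1", enforce=False))
    restricted = tainted_supply(apply_tx(SPLIT, fresh(), "t2", enforce=True))
    return unrestricted, restricted


if __name__ == "__main__":
    print("tainted satoshis, merge allowed / one input per output:", compare())  # (1000, 1)
    try:
        apply_tx(MERGE, fresh(), "t3", enforce=True)
    except ValueError as e:
        print("merge rejected:", e)
```

Under the unrestricted rule the single tainted input contaminates the whole 1000-satoshi output, which is the lever #4 worries about; with the restriction, taint can only ever follow the x satoshis it started on, matching the "exactly x satoshi outputs" claim in #6.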