Topic: Poll - Should Proof of Stake be implemented in Litecoin? - page 3. (Read 4714 times)

This would have to be part of the design algorithm. Something that first needs to be designed, tested, and fine-tuned.

I think a good place to start is for each client to follow the block-chain back a couple thousand blocks or so and see what the typical Litecoin Days Destroyed is for each block, and use that as a base line. If 6 blocks in a row meet or beat the average LDD, the 6th block (in bitcoin terms, perhaps this would be 20 or so in litecoin, but 6 may still be fine, needs testing) in the past could be cemented in stone and can only be replaced if the user agrees to it. If the LDD is say, between 20-40% below normal, it will take perhaps 4x the 6 or 20 blocks before this block will be cemented unless 6 or 20 blocks come after that meet or beat LDD avg. If it's 40-60% below normal, then 8x, and so on.

Something along those lines. An exchange could wait a few extra blocks to be fairly sure that everyone has the block it is interested in cemented.

I agree that proof of stake will likely add a lot of bloat to the blockchain and possibly add a lot of strain to the network to propage all those signatures. Etlase2, I am also thinking about your days destroyed solution. It seems like a good solution, but can you think of how it can help solve the problem of an attacker forking the chain for 10 blocks so that he can do a double spend on the exchange?

I am going to point out some the clear differences and advantages I see in using a days destroyed weighted block chain over proof of stake. I am going to go by some of the things I see written in the wiki as reference to PoS.

Proof of stake problems:

* Monopoly is still possible under proof-of-stake. ... [A] proof-of-stake monopolist is more likely to behave benevolently exactly because of his stake in Bitcoin.
The idea can already be written off as a joke.
* stakeholders (people who have bitcoins) are expected to sign it by using a private key associated with their address which contains coins to sign the block hash.
So everybody who owns a bitcoin is supposed to sign? Are there any minimums on this? This is just left wide open. How many thousands of extra transactions and signature verifications will this take? This may be an extreme imposition on the entire network.
* The signatures are broadcast on the network and included in a future block.
Or not. A miner has no incentive to put signatures in a block. Verifying them is work, they add lots of data to the miner's payload, and if the signatures are signing a block-chain different from the one he's working on, he will simply drop them. This is a problem because nodes may never see these signatures.
* Cementing is a node's reluctance to do a blockchain reorganization. A node will reject any new block found if it contradicts a 6-block deep branch it is already aware of and currently considers valid. That is, once a node receives 6 confirmations for a block, it will not accept a competing block even if it is part of a longer branch.
This does not require any form of proof of stake and can be implemented on its own. It is inherent in the design of a proper algorithm for a days destroyed weighted block-chain.
* In a pure PoW system this is problematic to do because a node could be stuck on "the wrong version" - if an attacker isolates the node and feeds him bogus data, it will not embrace the true, longer chain when he learns of it. However, using PoS to have the final say in such situations makes this possible.
PoS only has the final say when? When 51% of all coins in existence have signed one chain or another? This is insanity.
* If an address signs two conflicting blocks, its weight is reset to 0. This is to limit the power of malicious stakeholders.
Where exactly is all of this information going to be stored? How much immense amounts of data will this add to the block-chain? Denials of service attacks will be everywhere.

Days destroyed weighted block-chain advantages:

* Clients have a say in the matter. Every client. Miners are forced to include every transaction possible because if someone else comes along and does them one better, their block may be invalidated. Even if only a single miner is doing the right thing, the clients will be using his chain over a malicious one. So as long as one miner is honest, the honest network wins.
* Clients have the power to choose which block-chain is the correct one, not basing it off of hashing power. This is the ultimate blow to any 51% attack. Want to create a monopoly? Oh well someone else came along and is offering cheaper tx fees, goodbye.
* Absolutely no additional data is added to the block-chain. Nothing to keep track of except mini-forks which may be slightly more likely depending on how the final algorithm works.
* Money is given no more power than it already has. There is a veritable check and balance system between clients, miners, and the wealthy.
* Difficulty CAN GO DOWN without opening the network to attack. This means transaction fees can go down. And stakeholders don't have to be paid to cancel out this effect.


Proof of stake is a waste of time in a bitcoin-like block-chain. Completely.

The reason for this coin & bounty is because at least a proof-of-concept coin needs to be implemented before it's integrated into Bitcoin/Litecoin. This needs to be designed & developed.

The bounty is to "pay" for this work. The coin doesn't necessarily need to be an investment vehicle, just a playground. The goal is to test this coin for a bit, and then integrate the ideas/code from it into other chains.

+1

I don't think spawning a yet-another-coin-now-with-PoS is a good idea.

Having said that, I support the general concept of PoS (assuming "decent" implementation) and I do think that litecoin should implement it. Litecoin is way overdue for some innovation...

+1 for coblee in this discussion, you did a really good job of explaining the idea, despite resistance.

Here is a bounty for someone to make a Proof of Stake altcoin.

Litecoin blocks are 2.5 mins. So 100 blocks is about 4 hours. But you don't have to wait for a signature block for every transaction. You can choose to wait for large transactions similar to how most people don't wait for 6 confirmations.

In the end, this is just an idea that we are discussing. Nothing is set in stone. Even the 100 blocks was just something thrown out there. We could do signature blocks every 6 blocks, but we have to find a tradeoff between bloating the blockchain and the security provided by the signature blocks.

i am "throwing out" too many what ifs just as you "throw out" too many assumptions to support yourself as to why this is a good thing for litecoins.


also are we REALLY going to make ANOTHER trade off in order to make this work?even MORE time to confirm transactions? really?...


bitcoin = 1 block every ten minutes so for bitcoins this would take almost (1000 minutes) 17 HOURS for every transaction to be "safe" against this.
so if litecoin takes half as much time to generate the same amount of blocks, we would need (500 minutes) 8.5 HOURS for transactions to be "safe". is this really practical ? you tell me.

I don't think this discussion is going anywhere. You are really throwing out too many what ifs. If the exchanges are malicious, then they can steal your coins outright without anymore having to perform a 51% attack. So the point is moot.

you assume exchanges are trustworthy. your assumption does not work with malicious exchanges.

this takes scamming/malicious exchanges to the next level.

Either I've failed to understand you, or you've failed to understand me.
To "list litecoins for sale in an exchange", you have to deposit them by doing a litecoin transfer on the blockchain, so if the exchange waited for the signed checkpoint block then we agree that the deposit isn't reversible. Now you trade on the exchange and the ownership of those litecoin changes hands to someone else, who wishes to withdraw these litecoins so he tells the exchange to initiate a litecoin transfer on the blockchain to his personal litecoin address (assume again that the exchange waits until the next signed checkpoint to verify that the withdrawal transaction really took place, otherwise if the exchange sees that the withdrawal transaction was reversed so that the litecoins are back under the control of the exchange then it considers it a failed withdrawal attempt and restores the litecoins to the person's account on the exchange). If the attacker prepared a forked branch while this is going on, and didn't include this withdrawal transaction in his forked branch, then he denied the withdrawal attempt, but nobody is left with "imaginary litecoins", it's again simply an attack that denies transactions.
You should note that an attacker who just denies transaction does it at a financial loss to himself while he competes with the distributed hashpower, so such attacks cannot be sustained for long. There's no financial incentive to do such an attack, it's purely malicious, so these kinds of attacks are less likely.

The exact same time is whatever the block acceptance rules says it is. I didn't go that far into processing this idea because I'm not using it, but the greater the days destroyed in the block that came second, the longer it has to replace, with a maximum amount of time (and blocks) before notifying the user that there is a competitor but not replacing the block.

It actually won't be fork free, but it will be impossible to fool honest users connected to the network. New users could be temporarily fooled, but once the days destroyed ran out, the real chain would eventually get a greater weight of LTC days destroyed and win out.


Proof of stake does nothing to fix this either. Both solutions prevent the network from being destroyed, one solution is much simpler and compatible with existing clients.

it is worse because holding the biggest amount of coins is not supposed to be a way the network determines whether or not something is valid in a cryptocurrency, and because you are giving different nodes different weights (AKA SUPERNODES) whether or not you want to admit it, too.

supernodes are BAD BAD BAD, normal currencies already have super nodes (the government, banks) and this would work the same way.


cryptocurrencies are not supposed to be assigning different weights to different nodes.

Did you not see that a single threat of a 51% attack caused massive panic and for the price to be almost halved. If a real attack happened, it's not going to be pretty. If you had 1,000,000 litecoins, would you attack the network to steal 10,000 coins and risk it?

Also, your criticism applies to the current proof of work. Currently if you have 51% of the network, you can perform this double spend attack. With proof of stake, you need both 51% of hashrate and 51% of stake. So how is it worse than Today?

Yes, it's decentralized. Basically the concept is that every 100 blocks, there will be a signature block, which is like the checkpoint blocks. And the stake holders (people who own litecoins) decide to sign the block or not. If there is a competing signature block, then the block signed by the most coins wins out and is accepted as part of the real chain. And if so happens that more stake holders sign an attacker's signature block, then that chain will win out. But if you think about it... if the majority stake holders agree that the attacking chain is the "right" chain, so it makes sense for it to be accepted as the "right" chain. So it's equivalent to if BCX came out last week and released a new version of the Litecoin binaries with his/her chain checkpointed AND the majority of Litecoin users decided to run his binary instead of the binary I released. Then BCX's chain is the "right" chain and I'm the "attacker". But with proof of stake, instead of one client getting one vote, it's just one coin gets one vote.

this is just one example i could come up with in less than 5 minutes as to why the biggest stake holders could be incentivized to collaborate with the attacker or even BE the attacker.

the reason is clear:
financial benefit from selling imaginary litecoins that will no longer exist when they sign the next checkpoint.

also, trust in litecoins wouldnt be ruined because of it (the attack) unless they did it to a really big number of people (or with a really big number of litecoins), just as a single bank being robbed doesnt create a bank run.

That helps me understand this concept a lot more. I personally like the idea, it would be no different then you releasing your own checkpoint and having the network agree to that, except this way is much more decentralized because the largest parts of the network still has to agree to it. I think?

Yes, you just described a 51% attack with a double spend. Trust in Litecoin then quickly disappears and price of Litecoin goes to 0. All the stake holders just lost a lot of money. Tell me why any one of the big stake holders would want to do that, let alone most of them doing it together at the same time.

not including other transactions in his forked branch is still a VERY VERY BAD thing to happen.

edit
ok you want a reason for the big stake holders to sign the blocks of the attacker/cooperate with the attacker/attack? fine, i will give it to you.

so the signing is not reversible. this is fine.
you do  the "attack", get the big stake holders to sign it through whatever means. you then list litecoins for sale in an exchange. the attacker does not include these transactions in his forked branch at all.
when the next checkpoint is reached, whoever bought/exchanged these litecoins will then be left with IMAGINARY LITECOINS, but a real money/btc loss.

this provides a clear incentive for the big stake holders and the attacker to collaborate, and provides a good example as to why centralization (whether or not you want to call it something else is another matter) grows to serve its own interests rather than the interests of the network.