Topic: PoS is far inferior to PoW - why are so many people advocating switching to PoS - page 8. (Read 12861 times)

legendary
Activity: 1442
Merit: 1005
[...]
I am entrusting the miners that need to collaborate and play fairly to profit.

[...]
otherwise you are "relying on the good will" of humans again.

Seems like a contradiction, could somebody please clarify?
There is no good will or bad will, just economic will in PoW. If you do the right thing to obtain maximum profit possible from mining, you are actually obeying and enforcing the protocol rules. It's that simple. Do the wrong thing and you lose.
hero member
Activity: 574
Merit: 500
2. It does not bother to mention how many calculations are needed to secretly build a valid longer chain with a small stake in a specific PoS system. This is like saying sha512 algo can be cracked, without calculating how many tries one needs to crack it...

I'm eagerly awaiting a revised version that calculates needed computing power to n@s-attack, let's say current version of Nxt.
The tedious details that would go into trying to figure out precisely how NxT would be attacked don't resolve the problem that the paper is talking about, and more importantly, it's not the responsibility of us to put forward the security model.


The 'tedious detail' is what your argument is and relies upon. Until you provide this and show there is a problem, then there is no problem as it hasn't been articulated. It is in the same camp as stating categorically "The numbers 3 and 5 can never be used to give a sum of 23" and then not even attempting any calculations to check you are correct, as it isn't your "responsibility to put forward summation models".  



Below is paraphrased from Come-from-Beyond and is a question that was posed in May 2014. It has still gone unanswered (publicly at least, the silence of the initial Nothing at Stake zealots is telling I think).



Alice wants to attack the blockchain.
She owns private keys of 400 accounts totalling 75% of the stake.
She is planning to rewrite the history from block 5'000.
Legit chain is at block 5'300 (less than 720).
Cumulative difficulty at block 5'000 is 8'000'000.
Cumulative difficulty at block 5'300 is 9'000'000.
How many SHA256 operations, on average, are necessary to find a branch where the cumulative difficulty at block 5'300 is at least 9'000'001?
Hint: Blocks from 5'000 to 5'300 were forged by 100% of the stake.



Without a detailed further explanation of the so called Nothing at Stake 'problem', further discussion is quite useless.
hero member
Activity: 574
Merit: 500
If you reverse PoS and PoW in your post, then your post would be 100% accurate and correct
Doesn't it cost nothing to attack a PoS coin? While you must use actual resources to attempt to attack a PoW coin?

Exactly, I thought attacking PoS coin is much more cost free (next to nothing) than attacking PoW coin.

You just have to buy 51% of the currency or track down majority of stakeholders and compromise their private keys. Much cost free

Lots of people seem to believe this (I think it's even mentioned in Sunny King's PPC paper), but it's not accurate: you need 51% of the actively staking coin-age. That's much, much less than 51% of the currency.
I had some ideas to help fix this, I'm working on it.
How do you fix the past?

If someone had 51% stake share at one point, what can you do to prevent him forking the chain?

Relating to Nxt only:

There is nothing to fix. The current inclusion of the retargeting algorithm makes it computationally very expensive to do a history attack, i.e. much, much more hash power than the Bitcoin network currently has. The better chain needs to almost mirror the honest one in terms of certain properties. And you only have 720 blocks to calculate this in.

Nxt has interlocking, layered security. A little bit is being added at a time (economic clustering next, IIRC). Transparent Forging isn't a switch that will be flipped one day; >50% of Transparent Forging is 'on' now.

/Nxt

But since you insist that POS = POS = POS, I don't think you'd be interested.
legendary
Activity: 1008
Merit: 1000
After having several farms of significant size for the last few generations of mining, I have finally switched sides and much prefer PoS now. I took a deeper look into the tech behind it and have been convinced that staking is a better idea as long as distribution was fair from mining

you got it wrong little buddy - there needs to be continual PoW.

there can be PoS to supplement that.

otherwise you are "relying on the good will" of humans again.


Here are two charts for you:

Nxt block generators


BTC block generators


Quiz of the day:
1. How many accounts/mining pools would be needed for each network to perform a 51% attack
2. Which one is more decentralized?

And don't bring up that "All stakes belong to the same person" argument again, because you can't prove it and it can also be applied to bitcoin mining power.


This is what I have been repeatedly saying. As long as the Cartel controls Bitcoin, they shouldn't start arguing about vulnerabilities in other systems or claim they are decentralized. All it needs is the government or a bad actor to gain control of a couple of pools and Bitcoin is done.

At least with PoS, the attacker has to gain control of the coins through some means. Hacking exchanges won't give them enough, so they will actually have to buy out the coins. That's another key difference: anybody holding a PoS coin has a say in the network, Bitcoin holders don't.
legendary
Activity: 1225
Merit: 1000
After having several farms of significant size for the last few generations of mining, I have finally switched sides and much prefer PoS now. I took a deeper look into the tech behind it and have been convinced that staking is a better idea as long as distribution was fair from mining

you got it wrong little buddy - there needs to be continual PoW.

there can be PoS to supplement that.

otherwise you are "relying on the good will" of humans again.


Here are two charts for you:

Nxt block generators


BTC block generators


Quiz of the day:
1. How many accounts/mining pools would be needed for each network to perform a 51% attack
2. Which one is more decentralized?

And don't bring up that "All stakes belong to the same person" argument again, because you can't prove it and it can also be applied to bitcoin mining power.
legendary
Activity: 1181
Merit: 1002
[...]
I am entrusting the miners that need to collaborate and play fairly to profit.

[...]
otherwise you are "relying on the good will" of humans again.

Seems like a contradiction, could somebody please clarify?
hero member
Activity: 798
Merit: 1000
‘Try to be nice’
After having several farms of significant size for the last few generations of mining, I have finally switched sides and much prefer PoS now. I took a deeper look into the tech behind it and have been convinced that staking is a better idea as long as distribution was fair from mining

you got it wrong little buddy - there needs to be continual PoW.

there can be PoS to supplement that.

otherwise you are "relying on the good will" of humans again.
legendary
Activity: 1442
Merit: 1005
Besides theoretical attacks on PoS, which have been posited and acknowledged by many prominent developers/cryptographers, does anyone know of analyses conducted on PoS attacks that have actually occurred?

Besides telling you to READ this topic before you reply to it (and find out exactly what you asked), which has not actually occurred?
legendary
Activity: 1442
Merit: 1005
So.. you are going to cherry pick the version of PoS that best fits your argument? DPoS is PoS, it is just a variant of PoS.
There should be no confusion here. Please don't claim PoS has some features that are present only in DPoS as a supporting argument for PoS. When the title shows DPoS I will consider it fair to use those features as part of the discussion. I don't think PoS is the same as DPoS. What do you think?

Let's consider Proof Of Waste for a second. 51% of Bitcoin's hash power is on 2 to 3 mining pools. They paid NOTHING to obtain it. You are entrusting them directly (or indirectly when they get "hacked") to not fork your coin. By the way... this statement I can back up with facts and readily available data.
First, it's not "waste". It's a highly specific, impossible to forge or reuse effort to ensure security while also fairly converting value (energy) into tokens, bridging the outside and inside economy seamlessly.

The pools and their costs argument is only temporarily valid. The pools paid nothing, but they have nothing long-term. If they fuck up, miners will move quickly, miners paid A LOT of money for their power and have not usually recouped. I am entrusting the miners that need to collaborate and play fairly to profit.

You see the difference now?
legendary
Activity: 1225
Merit: 1000
Besides theoretical attacks on PoS, which have been posited and acknowledged by many prominent PoW developers/cryptographers, does anyone know of analyses conducted on PoS attacks that have actually occurred?


FTFY
legendary
Activity: 1225
Merit: 1000
The tedious details that would go into trying to figure out precisely how NxT would be attacked don't resolve the problem that the paper is talking about, and more importantly, it's not the responsibility of us to put forward the security model.

but that's exactly what it does. The n@s attack the paper talks about is not feasible because you'd need more processing power than anyone could own. Prove me wrong. I still don't see any hard math in your claim.

edit: only speaking about nxt. don't know the others enough.
sr. member
Activity: 433
Merit: 267
More discussion about NaS attack: https://bitsharestalk.org/index.php?topic=6638.0

"Short fork" differences;
Quote from: arhag
POW systems resolve the forks by agreeing to build on the chain with the most work done (the sum of the difficulty values at each block up to current head block in the blockchain). If everyone follows this rule, eventually all the nodes will come to a consensus on one particular chain, thus resolving the fork.

Peercoin-like POS systems can resolve the fork by building on a chain with the most amount of some other metric, like the total amount of coin-age consumed. Again, as long as everyone follows the same rule, the network will eventually naturally converge to just one of the forks.

Although, DPOS is able to randomize the order of delegates within a round, the order of the delegates in a given round is known prior to any of the delegates producing blocks in that round. For this reason, block production order can be considered deterministic. Nevertheless, very small forks could be possible because of network issues. For example, if block N is delayed by the network for too long, the producer of block N+1 might assume that the producer of block N was not available to produce his block at his designated time slot, so instead will chain off block N-1. The producer of block N+2 may have seen block N and/or block N+1. If he saw both, he always chooses the one that is supposed to come later in time, on the other hand if he sees only one or the other, he builds off of the one he saw. Thus, the chain is built with either block N or block N+1 considered missing, but the network is able to quickly get back to a consensus on the true chain because of the deterministic ordering of block producers.
Since "if he saw both, he always chooses the one that is supposed to come later in time", stakeholder 101 could choose not to include any of the previous 100 blocks because they were "too late".

There are only 101 stakeholders that matter in bitshares, I suppose the rest can all suck on a salty sausage? In which case, you really don't need anywhere near 51% of the stake, you only need enough so that you are wealthier than the next 50 wealthiest combined stakers. (Or had it within six months in the past.)

Basically, I have no idea what's going on here, it sounds pretty unworkable.

"Long fork" differences;
Quote from: arhag
POW resolves this issue by using the same method used to resolve short forks: pick the chain with the most work done. Attackers have no way of faking the block acceptance criteria. They need to put in the work necessary to match the difficulty requirements at that point in the blockchain. Attackers can create a fake blockchain history by putting in the necessary work, but if they have less than 50% hashing power, their accumulated amount of work will be less than the accumulated work of the true chain. As long as the true chain is made visible to the resyncing user, he can easily pick it over the fake chains.

POS tries to resolve this issue by also making it difficult for attackers to fake the block acceptance criteria. In the case of Peercoin-like POS systems, it needs to be difficult for attackers to get coin-age (which is ultimately dependent on the amount of stake in the attacker's control). In the case of DPOS, it needs to be difficult for the attacker to get control of the delegates. Because of the way delegates work, the attacker would actually need to control nearly all of the 101 delegates to fake the blockchain history (see here and here for details). However, if the attacker controlled more than 50% of the stake, he could vote in all of his own delegates. So all POS systems are ultimately vulnerable if the attacker is able to get the majority of the stake. For a POS system to be secure from fake blockchain history attacks, the majority of the stake in the system needs to be kept away from the control of an attacker during the time a user is offline. However, if an attacker was able to capture only a small minority of the stake while the user was offline, the attacker cannot create a fake blockchain that the user would accept as valid.

POW supporters like to point out that the attacker does not need to control >50% on a live system; as long as an attacker controls >50% of the stake at any point in time t on the blockchain, that attacker could easily build a fake blockchain from that point forward that would fool a user's client if its last resync point was before time t. For a completely new user synchronizing from the genesis block, this means the attacker only needs to control >50% of the stake at any point in time in the history of the blockchain. This is the meaning behind the Nothing-at-Stake name. The users who owned >50% of the stake in the system in the past, may no longer own any stake in the system in the present. While it would be foolish for a present-day >50% stake holder to harm the network, someone who held >50% of the stake in the past but holds nothing at stake in the present has nothing to lose with an attack attempt.

As bad as this may look for POS systems, with more careful analysis, it is clear it is not actually a problem. A user in a POS system will always have a checkpoint in the not-too-distant past. This checkpoint either comes from the last block of the locally-saved, trusted blockchain (or perhaps just the locally-saved hash of the last seen block), or it can be hardcoded into the particular version of the wallet. As long as that checkpoint is in the not-too-distant past, users would not be vulnerable to fake blockchain history attacks in realistic scenarios. If the checkpoint is older than some threshold, then other measures are needed. This threshold can vary depending on the circumstances of the network and the paranoia of the user, but I think a threshold of 6 months is sufficient in most realistic scenarios.

Resyncing after being offline for less than 6 months should not be a cause for concern of fake blockchain history attacks. The only way such an attack can successfully work is if the attacker obtains ownership of >50% of the stake existing at some point during that 6 month period. The attacker would like to buy old private keys at very low cost from users who had stake in the system in the 6 month period but now no longer do. They have to no longer have stake in the system otherwise they would be foolish to sell old private keys to someone whose only purpose for buying old keys is clearly to attack the system and thus reduce the value of the seller's existing stake. But the attacker will not be able to find enough private key sellers that match that criteria, because it is extremely unlikely for stakeholders with >50% of the stake to completely exit out of the system within a 6 month period. The attacker is forced to legitimately buy into the system at a high cost if he wants to attack the network. But an attacker who grows his stake over some period of time until it reaches >50% would likely not attack the network while still holding the stake, otherwise they would cause the most damage to themselves. If the attacker is able to begin and finish selling their >50% of stake during that 6 month period, then the attacker has the opportunity to carry out a fake blockchain history attack against the victim who was offline for 6 months. However, the price one pays trading assets depends on how quickly they need to finish the trade. The attacker can take his time building up the stake to not have to overpay in order to incentivize stake holders to sell, but he is forced to sell at a discount to incentivize enough people to buy to quickly sell off his stake before the 6 month deadline. Pulling off this kind of buy-sell cycle is going to cost the attacker a lot of money. 
It is only rational to do this if this one buy-sell cycle provides him with enough opportunity to recover his costs through double-spend attacks. But the only people he can attack are people who were offline for about 6 months. Most people would be resyncing at much higher frequencies than that, which would be really hard to attack. Trying to sell >50% of stake in one week would cause a flash crash of the price of the coin (hurting the attacker the most). Also, from a practical manner, the attacker doesn't have any good way of knowing who has been offline during the same time period they set up the buy-sell cycle to actually target these individuals. So, even if there are a decent number of people out there that the attacker could target to make his money back, it isn't trivial to identify them.

So what about resyncing after being offline for more than 6 months? With the exception of resyncing from a genesis block on a new computer, it would be a very unusual circumstance to be doing this. The vast majority of people would be resyncing on a much more frequent basis. Nevertheless, in these rare cases, users would follow the same procedure that users who are resyncing from a genesis block on a new computer would follow. First, if the user already has an up-to-date blockchain on one computer and they just want to set up their wallet on a new computer, the clients could provide an easy method for the existing trusted client to communicate a hash of a recent block to the new client. Since a user obviously trusts himself and the client he has already been using, he can carry over that trust to the new device. What about a completely new user who has never been part of this network before? Or someone who lost their hard drive (but still has a backup of their private keys) and wants to reinstall the client from scratch on their computer? In these cases, the users would rely on the snapshot hardcoded in the latest version of the client software (which would be <6 months old). A new user needs to download the client software anyway; and, they need to have some way of trusting the software they download. If the attacker was able to provide a fake client with a fake snapshot, they would again be vulnerable to the fake blockchain history attack. But if the attacker was able to provide a fake client, the user would be compromised in so many ways. The fake client could just steal the user's private keys! Or if they are using a hardware wallet, the fake client could present a false view of the blockchain to make the user think he got paid when he didn't.

Bolded favorite parts.
Not-too-distant-past = 6 months.
All the delegates in a given cycle = 101.

I think this is a great illustration of how much simpler and easier it is to reason about the security of Bitcoin, and how all the complexity of PoS gives the illusion of security (Bitshares in this case).

I look forward to casting off the yoke of Congress and the Fed in favor of my 101 overlords. /sarcasm
member
Activity: 118
Merit: 11
Qeditas: A Formal Library as a Bitcoin Spin-Off
Besides theoretical attacks on PoS, which have been posited and acknowledged by many prominent developers/cryptographers, does anyone know of analyses conducted on PoS attacks that have actually occurred?


There was a double-spend attack on NavajoCoin (PoS) a few months ago:

http://coinjoint.info/navajo-suffers-double-spend-attack/

I only found that link because I had a vague memory of hearing about it at the time. I don't know if anyone has seriously studied what happened there.
member
Activity: 70
Merit: 10
Bitcoin trolls back
While not a direct comparison of PoW and PoS, this thread might be relevant to this discussion.
https://bitcointalksearch.org/topic/an-answer-to-perceived-uselessness-of-pow-hashing-neutrality-855520
What do you think?
full member
Activity: 221
Merit: 100
Besides theoretical attacks on PoS, which have been posited and acknowledged by many prominent developers/cryptographers, does anyone know of analyses conducted on PoS attacks that have actually occurred?
legendary
Activity: 2548
Merit: 1054
CPU Web Mining 🕸️ on webmining.io
After having several farms of significant size for the last few generations of mining, I have finally switched sides and much prefer PoS now. I took a deeper look into the tech behind it and have been convinced that staking is a better idea as long as distribution was fair from mining
legendary
Activity: 1484
Merit: 1026
In Cryptocoins I Trust
How do you fix the past?

If someone had 51% of a Proof Of Waste coin's hash power, what can you do to prevent him forking the chain?
The same way as with Proof of Shit coins. So why are we discussing this aspect?
Duh. I was making fun of your question as any decentralized consensus algo is vulnerable to some type of 51% attack.

DPoS
We are discussing PoS versus PoW here, and why people support PoS specifically.
So.. you are going to cherry pick the version of PoS that best fits your argument? DPoS is PoS, it is just a variant of PoS. There are many PoS variants and people all too often wrongly refer to them as all having the same pros and cons. Misinformation on PoS is spread in an echo chamber around here.

Quote from: CoinHoarder
You would need to buy up 51% of the currency supply to use this attack vector.
Just as it happens for many coins an exchange owns more than 51% of the supply. They paid NOTHING to obtain it. You are entrusting them directly (or indirectly when they get "hacked") to not fork your coin.
Provide proof 51% of the currency supply of any PoS coin are on centralized exchanges. This seems like a wild claim that you cannot back up and I wouldn't be surprised if it is wrong. Volume on all coins is split amongst exchanges so this risk is mitigated, even if 51% of the currency supply did happen to be on exchanges (which it isn't.)

Let's consider Proof Of Waste for a second. 51% of Bitcoin's hash power is on 2 to 3 mining pools. They paid NOTHING to obtain it. You are entrusting them directly (or indirectly when they get "hacked") to not fork your coin. By the way... this statement I can back up with facts and readily available data.

See how dumb this argument is? Proof Of Waste supporters grasp at straws all day every day. Yes, PoS has vulnerabilities, but so does Proof Of Waste. PoW supporters ignore its vulnerabilities when talking about PoS as if its shit doesn't stink, when in actuality a lot of the arguments they make can be applied to PoW.
hero member
Activity: 756
Merit: 506
How do you fix the past?

If someone had 51% of a Proof Of Waste coin's hash power, what can you do to prevent him forking the chain?
The same way as with Proof of Shit coins. So why are we discussing this aspect?

DPoS
We are discussing PoS versus PoW here, and why people support PoS specifically.

You would need to buy up 51% of the currency supply to use this attack vector.
Just as it happens for many coins an exchange owns more than 51% of the supply. They paid NOTHING to obtain it. You are entrusting them directly (or indirectly when they get "hacked") to not fork your coin.

In the NXT hack at BTER, BTER only had like 5% of NXT's total supply - so there's already empirical evidence proving that no exchange has 51% of NXT and I assume this to be likewise true for other PoS coins. 

legendary
Activity: 1442
Merit: 1005
How do you fix the past?

If someone had 51% of a Proof Of Waste coin's hash power, what can you do to prevent him forking the chain?
The same way as with Proof of Shit coins. So why are we discussing this aspect?

DPoS
We are discussing PoS versus PoW here, and why people support PoS specifically.

You would need to buy up 51% of the currency supply to use this attack vector.
Just as it happens for many coins an exchange owns more than 51% of the supply. They paid NOTHING to obtain it. You are entrusting them directly (or indirectly when they get "hacked") to not fork your coin.
legendary
Activity: 1484
Merit: 1026
In Cryptocoins I Trust
You just have to buy 51% of the currency or track down majority of stakeholders and compromise their private keys. Much cost free

Lots of people seem to believe this (I think it's even mentioned in Sunny King's PPC paper), but it's not accurate: you need 51% of the actively staking coin-age. That's much, much less than 51% of the currency.
I had some ideas to help fix this, I'm working on it.

Peercoin PoS is not the same as NXT PoS, the latter doesn't use coin-age.

it doesn't matter, it has the same problem, just replace "coin-age" by "coins".
from their "whitepaper" (actually a wiki):

Quote
tokens must be stationary within an account for 1,440 blocks before they can contribute to the block generation process

this means all coins that are used for transfers cannot be staked and do not count toward the total of which you need 51%
moreover, lots of holders do not stake, so it's not 51% of coins, it's 51% of coins being actively at stake

...and it gets worse if you consider NXT has punishments for not staking...

DPoS doesn't suffer from this problem. You would need to buy up 51% of the currency supply to use this attack vector.

Also the Bitshares community believes DPoS is immune to a NaS attack. No one has been able to prove us wrong yet.

More about DPoS: http://bitshares.org/delegated-proof-of-stake/
Even more about DPoS: http://wiki.bitshares.org/index.php/DPOS
Old discussions on DPoS: https://bitsharestalk.org/index.php?topic=4009.0
Discussions regarding "nothing at stake" attacks: https://bitsharestalk.org/index.php?topic=6584.0
More discussion about NaS attack: https://bitsharestalk.org/index.php?topic=6638.0
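The post above argues that the relevant denominator is not total supply but the stake that is actually eligible to forge: coins that moved within the last 1,440 blocks (the rule quoted from the Nxt wiki) and coins whose holders do not forge drop out, so a majority of active stake can be a much smaller share of supply. The earlier "quiz of the day" asks how many accounts are needed to reach a majority. The following added example (not code from Nxt or any poster; the account list, balances and heights are constructed, and the eligibility rule is only the stationary-blocks condition quoted in the thread, not Nxt's full forging algorithm) computes both figures the way a defender monitoring concentration would: the fraction of supply that is eligible, the number of largest forgers whose combined stake passes 50%, and each forger's share of eligible stake next to its share of supply.

```python
"""Eligible-stake concentration report (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List

MIN_STATIONARY_BLOCKS = 1440   # quoted in the thread from the Nxt wiki


@dataclass(frozen=True)
class Account:
    name: str
    balance: int       # constructed token amounts
    last_moved: int    # height at which the balance last changed
    forging: bool      # whether the holder actually runs a forger


def eligible_stake(acct: Account, height: int) -> int:
    """Stake that can contribute to block generation at `height`:
    the holder must forge and the coins must have been stationary long enough."""
    if not acct.forging:
        return 0
    if height - acct.last_moved < MIN_STATIONARY_BLOCKS:
        return 0
    return acct.balance


def stake_report(accounts: List[Account], height: int) -> Dict[str, object]:
    supply = sum(a.balance for a in accounts)
    active = {a.name: eligible_stake(a, height) for a in accounts}
    total_active = sum(active.values())
    if total_active == 0:
        raise ValueError("no eligible stake at this height")

    # Smallest number of largest forgers whose combined stake exceeds 50%
    # of the eligible stake (the quiz question, with the right denominator).
    running = count = 0
    for stake in sorted(active.values(), reverse=True):
        if running * 2 > total_active:
            break
        running += stake
        count += 1

    return {
        "supply": supply,
        "active_stake": total_active,
        "active_fraction": total_active / supply,
        "accounts_for_majority": count,
        "share_of_active": {n: s / total_active for n, s in active.items() if s},
        "share_of_supply": {a.name: a.balance / supply for a in accounts},
    }


# Constructed snapshot at height 10000: an exchange hot wallet that never
# sits still, two large forgers, a pool, a recent trader, a passive holder.
HEIGHT = 10000
SAMPLE: List[Account] = [
    Account("exchange", 400_000, 9990, False),
    Account("whale_a", 150_000, 1000, True),
    Account("whale_b", 120_000, 2000, True),
    Account("pool", 100_000, 500, True),
    Account("trader", 80_000, 9500, True),   # moved 500 blocks ago: ineligible
    Account("holder", 100_000, 100, False),
    Account("small1", 30_000, 0, True),
    Account("small2", 20_000, 0, True),
]

if __name__ == "__main__":
    report = stake_report(SAMPLE, HEIGHT)
    print(f"eligible stake: {report['active_fraction']:.0%} of supply")
    print(f"largest forgers needed for >50%: {report['accounts_for_majority']}")
    for name, share in report["share_of_active"].items():
        print(f"{name:9s} {share:6.1%} of active  "
              f"{report['share_of_supply'][name]:6.1%} of supply")
```

On the constructed snapshot only 42% of supply is eligible, two accounts already pass half of it, and `whale_a` holds about 36% of eligible stake with 15% of supply. The same report run on real account data is the check a defender wants before quoting "51% of the currency" as the attack threshold; the thread's point is that the eligible-stake column, not the supply column, is the one that matters.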