Topic: [PPC] PPCoin 0.2 Proposal - page 2. (Read 6582 times)

You cannot stockpile hashing power. You can stockpile coin age.

Killerstorm's point is that stockpiling coin age allows you to double-spend periodically. (of course you can checkpoint every block to prevent this, but...). Whether periodic double-spending is practically relevant or not depends on how frequently it can occur. Obviously once a decade is not a problem. Once a year should be fine too. Once a day would be cause for concern (and might potentially motivate a revision of your design). I'm fine with once every week, but I suspect Killerstorm has more stringent standards. I have no idea what other people think.

The frequency depends on your protocol design and the attacker's resources. Say a wicked stakeholder owns 5% of all coins and 5% of all computing power. I'd say this is a reasonable benchmark attacker (quite well-endowed, but not ridiculously so). He doesn't ever mine except to execute 6-block long reorgs. Can you give us an estimate of how frequently the he can execute these 6-block reorgs? The arithmetic behind the estimate will be really helpful here becuase it will clarify features of your design.

If you haven't worked this out before you can check out the recent posts by killerstorm and I where we try to 'hash out' this property in the context of my scheme. I'm not sure exactly how your scheme operates, but perhaps the math is similar.

Cunicula also thought it's true, but I've demonstrated that one can easily manipulate things into his favor. Additionally, it turns out that total coin-confirmations is a totally meaningless metric: what matters is average coin-confirmations, and you can beat the average by waiting a bit.


It doesn't offend me, at all. I just wanted to help. It looks like you don't need my help, that's OK.

I just want to warn people who consider using PPCoin that it is not possible to analyze how insecure next release will be.

Let me give you an example here. If you have lot's of hashing power, can you pump out a lot of blocks in a short interval of time to compete with main chain? No you'd need more than everyone else combined.

Same with coin age here. You can accumulated a lot of coin age, but in order to beat main chain, you have to beat everyone else combined.

I hope you can spend some serious effort in understanding our design and in the future we can have more enjoyable discussions. You have to realize not everyone share the same ideology as you. In my opinion I have no obligation revealing my design to public before release. If that offends you, then so be it.

Best Regards,

I think I have put enough detail into the design paper which is intended for other crypto-currency designers. I am actually quite puzzled why our fellow proof-of-stake designers have so much trouble understanding basic aspects of our design. If you really want to know more details, the code is also your friend.

I apologize here as my time is limited as I have a lot of things to do in the first couple weeks of the release. But I will try to answer more questions when I can have some more free time.

I do encourage our fellow designers to examine our code. In my opinion you have to spend effort to get familiar with Bitcoin code. If you don't, you are not going to be a successful designer no matter how many design proposals you pump out and argue it to death on a forum.

Best Regards,

How people are supposed to discuss if you give no detailed description of proposed changes?



Cryto research usually works like this: Researchers release papers with detailed description of their constructs, then they wait for years while other researchers analyze these constructs and try to find weaknesses. And if after years of research no significant weaknesses are found somebody might consider practical use of those constructs, e.g. hashing algorithms.

I'm not saying that you should wait for years, but you should publish a detailed description and wait at least a month while people analyze it.

Otherwise you should call it your personal experiment rather than some valuable cryptocurrency.


So you just want wider a adoption, i.e. ability to sell your coins, right?

I see no other reason why you want wider participation, attention from experts is not proportional to number of users you have.


Am I supposed to just imagine some formula here or something?

Here's what I read in paper:


This is exactly how Cunicula's formula works. How many targets you have is irrelevant, important part is that one can compensate for a lack of hashing power with larger coin-age.

So, basically, one can wait till his coins age, and then make a lot of blocks in a short interval of time (using limited hashing power) to achieve a double-spend. Is there anything in your formula which prevents this?


You aren't offering a civil and friendly discussion in the first place: you are not showing your magic formula.


lolwut

So, again: early adopters are top priority to you, security is lowest priority. And, well, that "blame yourself" thing makes it even closer to pump&dump.


So? There should be a public review of an algorithm, not a private review of code.

Your code is already public (which is good), but if people have to decipher algorithms it doesn't encourage analysis at all.

Sunny, it would help if you made discussions between you and Scott completely public rather than secret. You could have the best method. However, to convince others of this, you need to explain:

a) precisely what you are doing
b) the reasons why you are doing it

You have done (a) and (b) to some degree, but you could really do a much better job. If you do so, it will be much easier to have a constructive debate. I think everyone wants this.
Transparency will shut down comparisons between you and Realsolid. I think that differentiating yourself from Realsolid is highly desirable.

Since killerstorm questioned our review process, so I am making a public statement here:

Scott and I have been reviewing each other's code since the project began. Scott is currently busy with personal matters so he should greet you all on the forum in the near future. We are still a small team so there is no such formal process as Bitcoin. But as we progress and the project matures, more public review would be involved in decision making.

Best Regards,

I offered this thread for discussion, but I didn't get a lot of feedback with merits. I am not going to wait forever to make this important change. People can get a fair assessment of where we are and start participating if previously they didn't because of fear of permanent centralization.

Our formula is very different from cunicula's as we don't involve proof-of-work difficulties in the calculations of proof-of-stake difficulties. We have 2 independent difficulties. So no your hashing power would only help in accumulating coin age first before you can have some say in whether to reorganize.

So far I only see cunicula can offer a civil and friendly discussion among those who claim they have better designs. I hope this situation would change as we progress.

As for your jealousy of early adopters should we succeed, I think I have made it clear. You would have only yourself to blame if you were blinded by your own prejudice.

Definitely not as bad as RealSolid. At least implementation is open source...

But the fact that he's going to change implementation at whim, without much discussion and review should be alarming.

Some quotes from a recent update:

• PPCoin has sailed through our first week with aplomb. -- this ignores shitload of criticism it got
• In v0.2 a main chain protocol upgrade is expected as I described ... The code of this has been done, ... Over next week v0.2 code would go through testing and be prepared for release. -- No detailed description of changes, no real discussion, no review process. People will have to accept change blindly, in a short time frame.
• First week total mintage is 3~4 million coins.  -- I don't really understand mintage formula, but it looks like early adopters (including Sunny King?) get a sizable bonus.

It looks like Sunny King shares some traits with RealSolid, although they are of a milder form...

So basically Sunny King is a reincarnation or emulation of RealSolid, in effect?

-MarkM-

Whether what killerstorm says has validity or not obviously depends on what the monotonic function f() is. Define coin-confirmation=c

If we have f(c)=c for all c, then the system is as killerstorm describes. -> 10% of hashing power and 10*n times as many coin-confirmations as the average miner is sufficient to create a fork of length n

[I don't know where killer-storms 138 day number comes from, but I'm going to assume the number is accurate here. Note that because the formula looks like this if a 50-block reorg can be done once every 138 days, then a six-block reorg can be done once every 16-17 days.  In order to attack and mine 6 consecutive blocks once every 16 days, the attacker is not mining. If he mined, then he would get 115 blocks during this period. Instead he gets 6-7 plus a double spend opportunity. One-off double-spend profit has to be about 20 times the block reward for this to payoff. To be safe, you would need to wait for more than 6 confirms on a txn worth more than 20 times block reward. Even here, I don't see why this is a big concern.]

If we have f(c)=c^(1/4) for all c -> 10% of hashing power and 10^4*n times as many coin-confirmations as the average miner is sufficient to create a fork of length n

[ This modification increases the waiting time from 138 days to 10^4*138 days or 3778 years. Waiting 450 years for a single 6 block double-spend is a good investment if the double-spend profit exceeds the block reward from 1 million mined blocks + interest and you have a strong bequest motive. 6 confirms should be enough for any size of txn.]

If we have f(c)=c^(1/g) for all c -> 10% of hashing power and 10^g*n times as many coin-confirmations as the average miner is sufficient to create a fork of length n

[increasing g makes double-spends more difficult, but makes persistently disrupting the network easier. The optimal choice of g is debatable. ]

If we have f(c)=1 for all c, then the system is identical to bitcoin.  -> 10% of hashing power is never sufficient to double-spend for n blocks

[for bitcoin double-spending and having the power to persistently disrupt the network are equivalent.]

Of course other mixes of hashing power and stake are possible. As g increases and n increase, the waiting time necessary to double spend increases.

Yes, the attacker can spend a lot of amount of money on rented hashing power to double-spend. But by doing this, the attacker sacrifices income from legit mining. Double-spending is unlikely to be highly profitable. A big barrier is not needed.

That is not a major problem. Killerstorm is exaggerating. However, it is 100% essential to think carefully about design and debate design choices. Killerstorm is 100% right about this.

Sunny King have provided only a very vague description of an algorithm, but as I understand, his PPCoin 0.2 Proposal is a variation of cunicula's algorithm: https://en.bitcoin.it/wiki/Proof_of_Stake#Cunicula.27s_Implementation_of_Mixed_Proof-of-Work_and_Proof-of-Stake

I.e. your hash target is lowered by your stake. Something like where f is some monotonic function.

This formula is just as vulnerable as your previous formula. For example, if f is identity, a person with 5% of coins and 5% of hashing power (which he needs to borrow only temporarily, i.e. rent from Amazon) can do a 50-block deep reorg once in 138 days.

So, do not even bother. Check discussion here: https://bitcointalksearch.org/topic/m.1133808

I could provide recommendation on how to strengthen it, but I have absolutely no motivation to help Sunny King as he has numerous attitude problems:

• he does not bother to reveal all algorithm details
• yet he is very busy promoting his cryptocoin
• he tends to ignore or dismiss criticism, i.e. "we'll solve this crucial issue some time later"

So at this point I see PPCoin as a get-rich-quick project, and with such attitude it will never be secure. If you stay with PPCoin, there WILL be double-spends.

Finally, I would note that there is an energy-efficient pure PoS system proposal: it is Etlase2's Decrits. Whole proposal seems to be overly complex, but core protocol which secures transactions is incredibly simple and I'm fairly sure it is actually secure.

I like the idea of punishment for misbehaving 

Well, if you want to work further on proof-of-stake approach I strongly recommend reading other proposals and discussing them.

Particularly, check this one: https://en.bitcoin.it/wiki/Proof_of_Stake#Meni.27s_implementation

Note that each particular implementation detail is there for a reason. Particularly, it includes a way to punish malicious stakeholders:



Also I think that cementing is a great idea, but I'm not sure it can work in 'energy-efficient' variant.

I had a strange dream this morning.

I am a fairly spiritual guy and do meditations sometimes. I don't often have this type of vivid dreams where I can remember some details. And I don't believe in coincidences, so I would love to share with all of you my dream.

I went to the street and there was perhaps some sort of checkpoints. Agents are there maybe to check people's ID's.

I printed out some random guy's photo from the Internet and bring it to the agent, he rejected it and ask me to go back.

I was feeling a bit frustrated and wanted to get out. Then with a bit surprise I received a mail with a passport in it. I tried to remember how I did apply for this passport and what my name should be with this passport. I had a hard time recalling it still before I get to see the agent. Then with a bit relief I finally saw the passport is from Sweden and my new name is Korean. I was filled with joy and my hand almost shook when signing it with a pen.

Then I woke up.

I don't really fully understand the meaning of this dream. But that's not important. I wanted to share this dream with all of you because I think, given our differences, maybe we didn't fully understand our purpose, maybe we were meant to be a bigger team doing something truly great. I used to tell folks that I thought Bitcoin was the single most important event in the entire financial history of humanity, bigger than gold, bigger than fiat. Because I think it changes the foundational fabric of our society known as private property.

So yes I really cherish what I did with the ppcoin project, this is probably the best work I have ever produced. Yes I have limitations, maybe lot's of them. I thought about quitting the project several times. But I persisted. Now here we are, I hope we can understand our differences, and truly help out each other to fulfill our destiny.

Peace and Love

Have you ever heard about prisoner's dilemma? Nash equilibrium can be bad for everyone.


You don't really have a security mindset, do you? You shouldn't be operating with categories like 'crazy', you should look at various attack motives, e.g. what would a rational entity do? What if somebody will try to kill your currency if he has a stake in a competing currency?

First of all, accumulating vast wealth isn't necessary. Once you've made a block with double-spending txn, you can bribe stake-holders to build blocks on top of your block to force a reorg. Rational stake holders would do that because that doesn't cost them anything: they will earn their bounty in either case, but in case of reorg they get an extra reward (bribe).

You say that then their currency holdings become less valuable? No, one double-spend won't cause devaluation. The knowledge that such double-spend is possible will make it worthless from the start.

This is just game theory basics.


If you assume that then your protocol is based on trust, essentially. There is much better protocol based on trust: Ben Laurie's mintettes. http://www.links.org/files/distributed-currency.pdf Please check it.

Besides that, assumption that there is just one wealthy guy is just wrong. You should assume that people can sell their signatures, form alliances and whatnot.

You are thinking in right direction: punishing mis-behaving stakeholders can work. But it should be a part of your crypto protocol, you should not assume availability of a lynching mob.

PoW is costly in energy and capital investment, but PoS is costly too to the attackers as they will lose the value of their currency holdings as Market loses confidence in the currency.

If someone actually accumulated such vast wealth and be crazy enough to mount the attack, I suspect that he would not be able to remain anonymous, and folks would find out about him and mobs probably would lynch him. So I doubt any reasonably rational rich people would attempt to do that, other than some established institution. Which bring it back to the point, it is comparable to a 51% attack on proof-of-work.

Why is it comparable? PoW is costly, PoS is costless.
Are you saying that your protocol is less secure than pure-PoW, and that's the price to pay for energy-efficiency?
I'm still throwing darts randomly, pending detailed description of your protocol.

Right, which is why merged mining is still useful. Re-using already-spent energy is about as energy-efficient as it is possible to be.

-MarkM-

Existing proposals are not energy-efficient.

I believe that the only way to make it energy-efficient is to make people lose their stakes in case of double-spend or other malicious act.
This will attacks economically unfeasible. Double-spend can be trivially detected.

If people can do attacks without downsides, they WILL do these attacks.

So you need PoS+PoW scheme, then a downside of an attack is money lost on PoW part.

But PoS+PoW is not energy efficient, since it still requires PoW.