Topic: PPCoin is NOT a decentralized cryptocurrency - page 2. (Read 10995 times)

donator
Activity: 994
Merit: 1000
The way I see it, the goal of PPCoin should be to lead the Proof of Stake currency space. As such a leader, it is essential that a simple security model for how it works is prepared and presented. The model should be on the same "analysis complexity level" as Satoshi's whitepaper - it should make it easy for every capable person to validate the model's assumptions and predictions.
....
Isn't there a Grand Unifying Theory of PoS that is easy to analyze, "secure enough", and diminishes the significance of PoW as time progresses?
Unfortunately the community will have to reverse engineer the security model of ppcoin in an effort to document it. On that note I'd like to push the idea of a tournament scheme to introduce a habit of exploring the security of POS (https://bitcointalksearch.org/topic/ppcoin-stake-generation-tournament-152809). I haven't had time to work on the details, but the idea is out there and people should state their opinions.

The POS implementation in ppcoin and any of its derivatives is mainly broken at this time. There has been an acclaimed "fix", but based on my analysis all it did was to disguise the underlying problems. A practice which seems to be systemic for the development of ppcoin. However, that doesn't prevent people from bidding the price of ppcoin up - 99% of traders have no technical understanding.

The current POS implementation in ppcoin has the following problems:
1) No theory model on required stake granularity and steady state allocations for stake. I want to see a differential equation.
2) Missing incentive structure to perform transaction validation
3) No effective cost for working on competing branches with respect to the main chain
4) Reversibility between stake and coins - leading to a situation in which market price manipulations change the incentive structure for allocating stake

Especially 4) gets me worried. It exhibits opposite dynamics to POW. In POW, an increase in price encourages investments in hashing power and leads to a strengthening of the network, while in POS, an increase in price creates an incentive to move coins out of stake, effectively weakening the network. However, 4) could be dealt with by a protocol enhancement which prevents the reversibility between stake and coins.

I still stand by my assessment that ppcoin is an unfinished cryptocurrency. Any investments in it will evaporate as soon as the underlying flaws start to affect the resilience of the system. Buyer beware, drama included!
legendary
Activity: 2632
Merit: 1023
@Sunny and @AndyRossy,

How about that EGO claim of Sunny's eh? Someone has a huge ego claiming their development time into PPC which they have no formula, have no analysis, and have an incomplete white paper is worth $100k-$200k and that bitcoin development is ONLY worth about $500k, don't you think?

So funny that many of the claims that are made are so true of yourselves in your attempts to continually detract attention from PPC and the important questions that people have asked and will continue to ask.


Hang on, hang on. Even if this quote is attributable (and I can get my retinas back)... so what?

This may be a true claim of the cost to do it... I think you (or someone) admitted Sunny's work was more complex. It's not (always) ego to say "I think my work is worth X and that work over there is worth Y." It's just a person's market appraisal.

legendary
Activity: 1358
Merit: 1003
Ron Gross
I just read most of this interesting thread.

The way I see it, the goal of PPCoin should be to lead the Proof of Stake currency space. As such a leader, it is essential that a simple security model for how it works is prepared and presented. The model should be on the same "analysis complexity level" as Satoshi's whitepaper - it should make it easy for every capable person to validate the model's assumptions and predictions.

I am somewhat invested in PPCoin, because of two reasons:

1. IMO Sunny King has shown some capabilities and innovation, as well as good communication practices. I haven't seen him "pull a RealSolid" and lose it.
2. I believe Proof of Stake is a good hedge for Proof of Work, and PPCoin is the best PoS coin we have.

Still, I agree with the detractors and think that a security analysis is clearly missing.
Perhaps such an analysis will reveal some changes to PPCoin that could solidify its security?
If a major change in PPCoin is required, now is a much better time to implement it rather than in a year or two.

Sunny King - PPCoin is not a research project anymore, with a market cap of $6,000,000. 8 months have passed since this thread was created. Sunny King, whatever else was on your development roadmap this past 8 months, isn't it time to focus on this aspect of PPCoin's security?

Detractors - Do you have constructive proposals for increasing the security of PPCoin? I think that solid, well documented proposals will be favorably considered. I kind of like that Sunny King insists on such proposals to maintain the "long term energy efficient" property of PPCoin - the goal isn't to consume 1/2 or 1/5 of the electricity and hardware that Bitcoin does, but to achieve a cryptocurrency that's multiple orders of magnitude more energy efficient than Bitcoin. Security should not be compromised for this end, but neither should energy efficiency.

Isn't there a Grand Unifying Theory of PoS that is easy to analyze, "secure enough", and diminishes the significance of PoW as time progresses?
donator
Activity: 994
Merit: 1000
This probably belongs to the same type of issues as the other open issue that minters may stop processing transactions. I generally consider under these type of situations most rational nodes would not try to modify the client to gain very little profit...But anyways we can keep this topic open in case it becomes realistic.
IIRC this refers to the QoS issue with the missing incentives to incorporate transactions into the generated blocks. I would give that a lower priority than the issue discussed in this thread. Preventing double spending and creating a strong main chain are very important. QoS issues are a nuisance, trust issues are a hazard.

Anyway - AFAIK one way to mitigate the risk of double spending is to just increase the number of required confirmations - and that can be chosen by the participants of a transaction. It may make ppcoin impractical for any form of fast transaction processing, but may still be viable for transfers which need cheap transaction fees (one of the effects of lower energy consumption is lower cost of maintaining the network at a higher level of security [51% attack] ) and can wait for a few days.

However, I like the idea of cunicula to impose some form of cost on creating a rejected proof-of-stake block. In that case the network would have to negotiate on what a rejected proof-of-stake block is, how to count them and what cost it generates on the used stake.
legendary
Activity: 1050
Merit: 1003
A question that arises is: If you always benefit from mining later rather than now, then why mine now? I think the answer is that some people will always be impatient and want spendable coins right away. You should take advantage of human weakness and use it to secure the blockchain.

Could you improve this by making the algo such that the reward bonus works in a logarithmic factor ... i.e. if I wait 1 month I get say 5%, 2 months I get say 9%, 3 months - 12% and so forth (Numbers fudged for example) .... eventually you would get to the point where people would be encouraged to apply their stake in lieu of the diminishing reward increases.  And in this way you are not 100% relying on human weakness.

I don't think you would want to do that. Human weakness is pretty reliable.
hero member
Activity: 490
Merit: 500
A question that arises is: If you always benefit from mining later rather than now, then why mine now? I think the answer is that some people will always be impatient and want spendable coins right away. You should take advantage of human weakness and use it to secure the blockchain.

Could you improve this by making the algo such that the reward bonus works in a logarithmic factor ... i.e. if I wait 1 month I get say 5%, 2 months I get say 9%, 3 months - 12% and so forth (Numbers fudged for example) .... eventually you would get to the point where people would be encouraged to apply their stake in lieu of the diminishing reward increases.  And in this way you are not 100% relying on human weakness.
legendary
Activity: 1050
Merit: 1003
It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.



Punishments would likely cause reorganization of the currently accepted chain. Blocks and txns that were valid would become invalid once duplicate stake is incorporated in an older block. Strategic insertion of duplicate stake would become a double-spending strategy. My guess is that attempts to punish offending addresses will introduce very severe problems. People will strategically seek out these punishments to mess with the blockchain.

I think the appropriate strategy is to fiddle with the proof-of-stake reward. You want to make it so that, once your stake block is included in the main chain, you would always suffer from using the same stake to mine a block in an earlier, alternate chain.

For example say that you make the stake block reward as follows:

stake coins * (0.01+confirmations on stake coins/length of main chain in blocks*0.5)*coin-age in years. [This formula should be continuous compounding, but the simple one is easier to read.]

Then you have a minimum interest rate of 1% and a maximum of 51% (if you use coins that have sat idle since the genesis block). You get rewarded for delaying inclusion of your stake block. If you use the same stake to build on earlier branches of the chain, then you risk causing a reorganization that takes away your reward.

Some people will benefit from a reorg ex-post, but if they participate in the re-org, they will suffer from it. You can think of re-orgs as redistributing block reward from attackers to everyone else.

A question that arises is: If you always benefit from mining later rather than now, then why mine now? I think the answer is that some people will always be impatient and want spendable coins right away. You should take advantage of human weakness and use it to secure the blockchain.
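The reward schedule proposed in this post, worked through in code. This is an added illustration written for this page, not cunicula's code and nothing from PPCoin: stake_reward is the simple-interest formula exactly as written above, stake_reward_continuous is the continuously compounded form the post says it should really take, and reorg_penalty is our own assumed model of the post's warning (the staker reuses the stake on a branch that forked fork_depth blocks earlier, so if that branch wins the stake has fork_depth fewer confirmations in a chain fork_depth blocks shorter).

```python
import math


def stake_rate(confirmations, chain_length):
    """Interest rate from the post: a 1% floor plus up to 50% more for coins
    that have sat idle since the genesis block (confirmations == chain_length)."""
    if not 0 <= confirmations <= chain_length:
        raise ValueError("confirmations must lie in [0, chain_length]")
    return 0.01 + (confirmations / chain_length) * 0.5


def stake_reward(stake_coins, confirmations, chain_length, coin_age_years):
    """Simple-interest form, as written in the post."""
    return stake_coins * stake_rate(confirmations, chain_length) * coin_age_years


def stake_reward_continuous(stake_coins, confirmations, chain_length, coin_age_years):
    """Continuously compounded form the post says the formula should take.
    Spreading the same coin age over several blocks then pays the same total,
    so minting early purely to compound more often gains nothing."""
    rate = stake_rate(confirmations, chain_length)
    return stake_coins * (math.exp(rate * coin_age_years) - 1.0)


def reward_schedule(stake_coins, chain_length, coin_age_years, step):
    """Reward at every `step` confirmations; waiting is never penalised."""
    return [(c, stake_reward(stake_coins, c, chain_length, coin_age_years))
            for c in range(0, chain_length + 1, step)]


def reorg_penalty(stake_coins, confirmations, chain_length, coin_age_years, fork_depth):
    """Assumed model (ours, not from the post) of reusing stake on an earlier
    branch: the main-chain block sits at `confirmations`; the competing branch
    forked `fork_depth` blocks back.  If the reuse triggers a reorg the
    main-chain block is orphaned and the staker is paid only on the shorter
    branch, where the stake has `fork_depth` fewer confirmations.
    Returns (reward_if_main_survives, reward_on_earlier_branch, loss)."""
    if not 0 < fork_depth <= confirmations:
        raise ValueError("branch must fork inside the stake's confirmation window")
    on_main = stake_reward(stake_coins, confirmations, chain_length, coin_age_years)
    on_branch = stake_reward(stake_coins, confirmations - fork_depth,
                             chain_length - fork_depth, coin_age_years)
    return on_main, on_branch, on_main - on_branch


if __name__ == "__main__":
    # Constructed numbers: 1000 coins, a 10,000-block main chain, one year of coin age.
    for c, r in reward_schedule(1000, 10_000, 1.0, 2_500):
        print(f"{c:>6} confirmations -> {r:8.2f} coins")
    main, branch, loss = reorg_penalty(1000, 5_000, 10_000, 1.0, fork_depth=100)
    print(f"main chain {main:.2f}, earlier branch {branch:.2f}, at risk {loss:.2f}")
```

The loss in reorg_penalty is zero only when confirmations equals chain_length (coins idle since genesis), so under this model a staker with anything less always has something to lose by signing an earlier branch.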
legendary
Activity: 1050
Merit: 1003
It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.

The obvious fix is to require work submission to accompany stake signatures. Could you explain why you don't want to do this?

I have stated this numerous times, the goal of ppcoin project is to demonstrate energy consumption is not required to secure a cryptocurrency. If you want an implementation of your hybrid proof-of-stake design you are free to start your own coin, forking off ppcoin code is also welcome. I would only consider enhancement proposals that preserve energy-efficiency of ppcoin.

Okay, so it's all or nothing for you. That doesn't make any sense to me, but I'll respect that and try to come up with solutions that meet your ideals. I agree that (as an ideal) it would be better to have no work involved at all.

If you're really after this, you need to fork PPC so that it generates only proof-of-stake blocks and does not use centralized checkpointing. If it works, then we're golden. Otherwise the energy-efficient cryptocurrency is just an unsubstantiated hypothesis.
legendary
Activity: 1666
Merit: 1057
Marketing manager - GO MP
It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.

The obvious fix is to require work submission to accompany stake signatures. Could you explain why you don't want to do this?

I have stated this numerous times, the goal of ppcoin project is to demonstrate energy consumption is not required to secure a cryptocurrency. If you want an implementation of your hybrid proof-of-stake design you are free to start your own coin, forking off ppcoin code is also welcome. I would only consider enhancement proposals that preserve energy-efficiency of ppcoin.

Except it is not more energy efficient. You are just engaging in obscuration of difficulty and its connection to energy consumption.
legendary
Activity: 1205
Merit: 1010
It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.

The obvious fix is to require work submission to accompany stake signatures. Could you explain why you don't want to do this?

I have stated this numerous times, the goal of ppcoin project is to demonstrate energy consumption is not required to secure a cryptocurrency. If you want an implementation of your hybrid proof-of-stake design you are free to start your own coin, forking off ppcoin code is also welcome. I would only consider enhancement proposals that preserve energy-efficiency of ppcoin.
legendary
Activity: 1050
Merit: 1003
It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.

The obvious fix is to require work submission to accompany stake signatures. Could you explain why you don't want to do this?
hero member
Activity: 490
Merit: 500

You do lose a little due to compound interest. I get 1% interest a year from PPCoin. This is compounded every time I get a block. Getting the block earlier increases the compounding frequency.
I concede that the benefit is extremely small.

My problem is as follows:

1) There is a positive incentive to adopt modified code.
2) The modified code invalidates the proof-of-stake mechanism.

A cheap attack is to release modified code and pay new users a small amount to adopt it. Stake contributed by these corrupted clients would no longer secure the network. You depend on the residual users who decide to use the original code out of altruism. Again, admittedly just a tiny bit of altruism would suffice to motivate them.

Anyways, the broader point is that security should be created by block validity rules. These rules are enforceable. Modifiable code should not be the basis for security.
The blockchain-based solution is to require stakeholders to submit work when they submit signatures. This rule can be enforced in the blockchain.


This probably belongs to the same type of issues as the other open issue that minters may stop processing transactions. I generally consider under these type of situations most rational nodes would not try to modify the client to gain very little profit. Tragedy of the commons most likely does not apply as the gain is minimal.

Ideally it would be nice to not have this type of issues, but in practice it might not be easy to completely get rid of them given the design goals and other more serious attacks to defend. Also if it's true that users are easily bribed to adopt corrupted clients, then there are likely a lot more tragedy of the commons type of attacks to all cryptocurrencies including bitcoin.

But anyways we can keep this topic open in case it becomes realistic.

Would it not be relatively trivial to force a client to expend a portion of their coin age every time they sign a block and the remaining from the whole less a portion if they sign the "winning" block?  This way they will expend a whole coin age expenditure on the winning plus additional portions of the whole for every other split they sign?  ***note: does not fully understand PPC so this is just conjecture at best
legendary
Activity: 1205
Merit: 1010
It may be doable to persist and broadcast evidence of duplicate stakes and punish the offending address in some way (rejecting stake from this address or even outright reject spending). Although this would require much more careful design to avoid introducing other problems.

legendary
Activity: 1205
Merit: 1010

You do lose a little due to compound interest. I get 1% interest a year from PPCoin. This is compounded every time I get a block. Getting the block earlier increases the compounding frequency.
I concede that the benefit is extremely small.

My problem is as follows:

1) There is a positive incentive to adopt modified code.
2) The modified code invalidates the proof-of-stake mechanism.

A cheap attack is to release modified code and pay new users a small amount to adopt it. Stake contributed by these corrupted clients would no longer secure the network. You depend on the residual users who decide to use the original code out of altruism. Again, admittedly just a tiny bit of altruism would suffice to motivate them.

Anyways, the broader point is that security should be created by block validity rules. These rules are enforceable. Modifiable code should not be the basis for security.
The blockchain-based solution is to require stakeholders to submit work when they submit signatures. This rule can be enforced in the blockchain.


This probably belongs to the same type of issues as the other open issue that minters may stop processing transactions. I generally consider under these type of situations most rational nodes would not try to modify the client to gain very little profit. Tragedy of the commons most likely does not apply as the gain is minimal.

Ideally it would be nice to not have this type of issues, but in practice it might not be easy to completely get rid of them given the design goals and other more serious attacks to defend. Also if it's true that users are easily bribed to adopt corrupted clients, then there are likely a lot more tragedy of the commons type of attacks to all cryptocurrencies including bitcoin.

But anyways we can keep this topic open in case it becomes realistic.
legendary
Activity: 1050
Merit: 1003
The current algorithm is for the unlucky miner to try to extend fork A, but if B gets extended by others first then the unlucky miner would accept fork B and reorganize.

Once again I don't see much incentive here to try to disable duplicate stake detection and open yourself to serious DoS attacks. You just get your 1% later, it's not lost.

You do lose a little due to compound interest. I get 1% interest a year from PPCoin. This is compounded every time I get a block. Getting the block earlier increases the compounding frequency. I concede that the benefit is minuscule. You could reduce the benefit to 0 by compounding interest continuously rather than just calculating the block reward using simple interest.

My problem is as follows:

1) There is a positive incentive to adopt modified code.
2) The modified code invalidates the proof-of-stake mechanism.

A cheap attack is to release modified code and pay new users a small amount to adopt it. Stake contributed by these corrupted clients would no longer secure the network. You depend on the residual users who decide to use the original code out of altruism. Again, admittedly just a tiny bit of altruism would suffice to motivate them.

Anyways, the broader point is that security should be created by block validity rules. These rules are enforceable. Modifiable code should not be the basis for security. The blockchain-based solution is to require stakeholders to submit work when they submit signatures. This rule can be enforced in the blockchain.
legendary
Activity: 1205
Merit: 1010

You could try to do that, but other nodes may only take the first block you send due to duplicate stake detection (see design paper for the description of duplicate stake detection). That means you would end up on one fork anyway.

Also the proof-of-stake mint is based on coin age consumed by minter. You don't lose much if your block is on the wrong fork, as then the coin age wasn't consumed. So there isn't much incentive to try to prevent mint loss by getting on multiple forks.

Is it rational for miners to try to detect duplicate stake? I don't understand this well, so please correct any errors I make.

Say we have two forks (A and B) with a common history H. Each fork has the probability pA and pB of becoming the main chain. Chain B is one block longer, containing an extra block Sb. They share a duplicated stake block Sd.

(A) H-Sd

(B) H-Sb-Sd

Some unlucky miners are going to see fork A first. They perceive chains A and B to be of equal length. They will either extend fork A or add another fork to B. Some lucky miners see fork B first and thus perceive fork B as longer. The lucky miners only extend fork B.

Aren't the unlucky miners at a disadvantage because their blocks are more likely to be orphaned? Wouldn't they be better off ignoring duplicate stake detection and just extending the longer chain, B?

If so, wouldn't miners prefer a modified client that drops duplicate stake detection?

The current algorithm is for the unlucky miner to try to extend fork A, but if B gets extended by others first then the unlucky miner would accept fork B and reorganize.

Once again I don't see much incentive here to try to disable duplicate stake detection and open yourself to serious DoS attacks. You just get your 1% later, it's not lost.
legendary
Activity: 1050
Merit: 1003

You could try to do that, but other nodes may only take the first block you send due to duplicate stake detection (see design paper for the description of duplicate stake detection). That means you would end up on one fork anyway.

Also the proof-of-stake mint is based on coin age consumed by minter. You don't lose much if your block is on the wrong fork, as then the coin age wasn't consumed. So there isn't much incentive to try to prevent mint loss by getting on multiple forks.

Is it rational for miners to try to detect duplicate stake? I don't understand this well, so please correct any errors I make.

Say we have two forks (A and B) with a common history H. Each fork has the probability pA and pB of becoming the main chain. Chain B is one block longer, containing an extra block Sb. They share a duplicated stake block Sd.

(A) H-Sd

(B) H-Sb-Sd

Some unlucky miners are going to see fork A first. They perceive chains A and B to be of equal length. They will either extend fork A or add another fork to B. Some lucky miners see fork B first and thus perceive fork B as longer. The lucky miners only extend fork B.

Aren't the unlucky miners at a disadvantage because their blocks are more likely to be orphaned? Wouldn't they be better off ignoring duplicate stake detection and just extending the longer chain, B?

If so, wouldn't miners prefer a modified client that drops duplicate stake detection?
legendary
Activity: 2940
Merit: 1090
And that is the problem.

Voting for the wrong fork should be costly, not a freebie.

Failing to consume your coindays means you can vote for every fork.

So stake ends up not helping at all, it's just free coins for rich folk and does not protect against attackers' forks.

-MarkM-
legendary
Activity: 1205
Merit: 1010
How hard would it be to modify the PPC coin client so that it attempts to generate a stake block for not just the main chain, but also for any forks from the main branch?

Adoption of such a modified client would seem to slightly increase stake income.
(i.e. in the event of an orphaned block, you get your stake earlier. This means you accumulate coin age more quickly. This means your next block comes slightly earlier too.)

Complete adoption of this modified client would seem to make all forks equivalent in terms of stake content. Therefore only proof-of-work would determine chain selection, correct?

Also, as more people adopt this client forks become more frequent. Therefore, the rewards from adopting the updated client increase. Right?


Yes, that is the point. Proof-of-stake allows stakeholders to send a signal that one fork is correct. However, conditional on you having the necessary stake, each signal is costless and you can simultaneously signal for multiple forks (i.e. you can take both sides of the bet without any additional cost). Each signal will earn a reward if the fork turns out to win. Therefore you might as well signal for as many forks as possible.

I've been agitating for costly signals to avoid this problem. If each signal is costly, then you would only send it out for chains that are likely to succeed. The cost would be paid in work.

For some reason, only my proof-of-stake proposal incorporates costly signaling. I don't understand why.  I'm trying to provoke an argument about whether costless signaling is a major problem.
I think it is. Therefore, I think PPC coin should be modified to make signaling costly.

You could try to do that, but other nodes may only take the first block you send due to duplicate stake detection (see design paper for the description of duplicate stake detection). That means you would end up on one fork anyway.

Also the proof-of-stake mint is based on coin age consumed by minter. You don't lose much if your block is on the wrong fork, as then the coin age wasn't consumed. So there isn't much incentive to try to prevent mint loss by getting on multiple forks.
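A toy replay of two exchanges above: cunicula's fork scenario (common history H, fork A = H-Sd, fork B = H-Sb-Sd, the same stake kd signing Sd on both, unlucky nodes seeing A first) with Sunny King's answer that the unlucky node reorganizes once B is extended by others, and the costless-signaling point that kd is paid whichever fork wins. This is an added illustration written for this page, not PPCoin's code. Assumptions, all ours: chain weight is plain block count; a node rejects a second block carrying a stake key it has already accepted, except when it is holding an orphan block that names the rejected block as its parent (it is then fetched and accepted so the longer chain can connect); ties go to the block seen first. Block and staker names are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Block:
    name: str
    parent: Optional[str]     # None only for the common history H
    stake_key: Optional[str]  # coins that signed the block; None for H


class Node:
    def __init__(self, label):
        self.label = label
        self.blocks = {}      # accepted blocks by name
        self.orphans = {}     # blocks whose parent we have not accepted yet
        self.stake_seen = set()
        self.tip = None
        self.log = []

    def ancestry(self, name):
        """Block names from H up to `name`, oldest first."""
        out = []
        while name is not None:
            out.append(name)
            name = self.blocks[name].parent
        return out[::-1]

    def chain(self):
        return self.ancestry(self.tip) if self.tip else []

    def receive(self, b):
        if b.name in self.blocks or b.name in self.orphans:
            return False
        if b.parent is not None and b.parent not in self.blocks:
            self.orphans[b.name] = b
            self.log.append(f"{b.name}: held as orphan, parent {b.parent} unknown")
            return False
        # Assumed duplicate-stake rule: first block per stake key wins, unless
        # an orphan we already hold needs this block as its parent.
        wanted = any(o.parent == b.name for o in self.orphans.values())
        if b.stake_key in self.stake_seen and not wanted:
            self.log.append(f"{b.name}: rejected, duplicate stake {b.stake_key}")
            return False
        self.blocks[b.name] = b
        if b.stake_key:
            self.stake_seen.add(b.stake_key)
        if self.tip is None or len(self.ancestry(b.name)) > len(self.chain()):
            if self.tip is not None and self.tip not in self.ancestry(b.name):
                self.log.append(f"reorg: {self.tip} orphaned, new tip {b.name}")
            self.tip = b.name
        for o in [o for o in self.orphans.values() if o.parent == b.name]:
            del self.orphans[o.name]
            self.receive(o)          # connect orphans now that their parent exists
        return True

    def fetch_missing(self, published):
        """Request the parents of held orphans from the network."""
        for o in list(self.orphans.values()):
            if o.parent in published and o.parent not in self.blocks:
                self.receive(published[o.parent])


def stakers_on(published, tip_name):
    """Stake keys that get paid if the chain ending at `tip_name` wins."""
    keys, name = set(), tip_name
    while name is not None:
        b = published[name]
        if b.stake_key:
            keys.add(b.stake_key)
        name = b.parent
    return keys


def run_scenario():
    H = Block("H", None, None)
    Sb = Block("Sb", "H", "kb")
    Sd_A = Block("Sd_A", "H", "kd")    # kd signs fork A ...
    Sd_B = Block("Sd_B", "Sb", "kd")   # ... and the same stake signs fork B
    Sa = Block("Sa", "Sd_A", "ku")     # the unlucky miner extends A
    Sc = Block("Sc", "Sd_B", "kc")     # a lucky miner extends B
    published = {b.name: b for b in (H, Sb, Sd_A, Sd_B, Sa, Sc)}
    unlucky, lucky = Node("unlucky"), Node("lucky")
    for b in (H, Sd_A, Sb, Sd_B, Sa, Sc):   # sees A first, then B, then the extensions
        unlucky.receive(b)
    for b in (H, Sb, Sd_B, Sd_A, Sc):       # sees B first
        lucky.receive(b)
    unlucky.fetch_missing(published)        # pulls Sd_B because orphan Sc needs it
    return unlucky, lucky, published


if __name__ == "__main__":
    unlucky, lucky, published = run_scenario()
    for node in (unlucky, lucky):
        print(node.label, node.chain(), *node.log, sep="\n  ")
    print("kd paid on A:", "kd" in stakers_on(published, "Sa"),
          "kd paid on B:", "kd" in stakers_on(published, "Sc"))
```

Under these assumptions both nodes end on H-Sb-Sd_B-Sc, the unlucky miner's block Sa is orphaned, and kd appears on both forks, so kd collects whichever side wins while ku and kb were each betting on one fork only.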
legendary
Activity: 2940
Merit: 1090
Right now it's not a proof of stake coin at all, it's just a free coins for rich folk coin.

-MarkM-