
Topic: PPCoin is NOT a decentralized cryptocurrency - page 6. (Read 11015 times)

sr. member
Activity: 266
Merit: 250
LitecoinTalk
(It was already mentioned a couple of times in comments, but they are often buried, so I want a separate discussion.)

The most 'interesting' part of a cryptocurrency design is its defense against double-spend attacks (since ownership is trivially implemented via public key crypto). In Bitcoin it is done using proof-of-work approach.

In PPCoin it is done using proof-of-stake/proof-of-work hybrid.

The problem is that proof-of-stake used in PPCoin does not really defend against double spend attacks. At all.

If you have a large enough stash of coins you can do a history rewrite of arbitrary size. Particularly, you can rewrite last few blocks to do a practical double-spend.

If it fails, you lose nothing. So only an irrational person would not do double spends.

If we assume that miners are rational, they will try to do these attacks, it is a legitimate business with PPCoin. It costs you nothing, but brings money (e.g. kickbacks), so why not?

So, well, this scheme of proof-of-stake does not work. Actually, authors note it in PPCoin paper, so they use a centralized checkpointing approach.

So, let's summarize:
  • proof-of-stake is useless
  • currency is secured through centralized checkpointing

Thus it is definitely not a decentralized cryptocurrency.

(It's worth noting that there are better ways to implement proof-of-stake, it's just that method used in PPCoin is flawed. https://en.bitcoin.it/wiki/Proof_of_Stake )

+1

PPCoin is NOT DECENTRALIZED!
+ 2
legendary
Activity: 2492
Merit: 1491
LEALANA Bitcoin Grim Reaper
(It was already mentioned a couple of times in comments, but they are often buried, so I want a separate discussion.)

The most 'interesting' part of a cryptocurrency design is its defense against double-spend attacks (since ownership is trivially implemented via public key crypto). In Bitcoin it is done using proof-of-work approach.

In PPCoin it is done using proof-of-stake/proof-of-work hybrid.

The problem is that proof-of-stake used in PPCoin does not really defend against double spend attacks. At all.

If you have a large enough stash of coins you can do a history rewrite of arbitrary size. Particularly, you can rewrite last few blocks to do a practical double-spend.

If it fails, you lose nothing. So only an irrational person would not do double spends.

If we assume that miners are rational, they will try to do these attacks, it is a legitimate business with PPCoin. It costs you nothing, but brings money (e.g. kickbacks), so why not?

So, well, this scheme of proof-of-stake does not work. Actually, authors note it in PPCoin paper, so they use a centralized checkpointing approach.

So, let's summarize:
  • proof-of-stake is useless
  • currency is secured through centralized checkpointing

Thus it is definitely not a decentralized cryptocurrency.

(It's worth noting that there are better ways to implement proof-of-stake, it's just that method used in PPCoin is flawed. https://en.bitcoin.it/wiki/Proof_of_Stake )

+1

PPCoin is NOT DECENTRALIZED!
hero member
Activity: 686
Merit: 500
Wat
In all fairness, the authors of PPCoin admit it is currently not fully decentralized, but they wish to remove these "broadcasted checkpoints" in a future software update - it is used for bootstrapping the coin.

I can't say that I support the idea myself, but it doesn't smell like yet another SolidCoin to me, just leaves a bad taste.

It seems to me that in order for a coin to become soiledcoin, the coin's dev must pick a fight with an uber-hacker.

Pretty much this.
newbie
Activity: 27
Merit: 0
In all fairness, the authors of PPCoin admit it is currently not fully decentralized, but they wish to remove these "broadcasted checkpoints" in a future software update - it is used for bootstrapping the coin.

I can't say that I support the idea myself, but it doesn't smell like yet another SolidCoin to me, just leaves a bad taste.

It seems to me that in order for a coin to become soiledcoin, the coin's dev must pick a fight with an uber-hacker.

Do you know something about solidcoin that I do not?
member
Activity: 112
Merit: 11
In all fairness, the authors of PPCoin admit it is currently not fully decentralized, but they wish to remove these "broadcasted checkpoints" in a future software update - it is used for bootstrapping the coin.

I can't say that I support the idea myself, but it doesn't smell like yet another SolidCoin to me, just leaves a bad taste.

It seems to me that in order for a coin to become soiledcoin, the coin's dev must pick a fight with an uber-hacker.
legendary
Activity: 1022
Merit: 1033
Well, I believe proof-of-stake can work if there is a way for someone to lose his stake if he is caught participating in malicious activity.

E.g. you use 1000 coins to sign a double-spend transaction and you're caught, your 1000 coins are banned. If chances to get caught are high, incentive from this double-spend must be much higher.

This means that for a transaction worth 100 coins you can trust 1000 coins worth of confirmations, as nobody in his sane mind will risk his 1000 coins for 100 coin double-spend.

Now there is a question: how do we detect and punish a double-spend? Well, detection is trivial, but we don't know which miner is guilty. (Or maybe miners are not guilty at all.)

I believe it's tricky, but not impossible.

One way to implement it is to make it manual: if there is a large reorg, simply halt operation and let a human operator decide which blockchain we trust. Eventually consensus will be reached and guilty party would be punished.

So under these conditions double-spends will never be done for profit, but only as a form of DoS attack. But this DoS attack costs money, so we can expect that there won't be a lot of that.

Also, monopolization isn't such a problem: if monopolist pisses off people they can just ban his stake. (For this to work stakes must be identifiable, i.e. one needs to move his money from transactional account to stake account, and this move should take a lot of time to mature so it's not easy to switch.)

So back to your game theory analogy, it is a game where if you play by rules you get profit, but if you try to break the rules you lose. Makes sense, no?
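The incentive argument in the post above, worked through as an added example (not part of the original thread and not PPCoin code). It assumes a simple model in which an undetected double-spend gains the transaction value and a detected one forfeits only stake locked in an identifiable stake account; the `Confirmation` fields and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Confirmation:
    signer: str    # hypothetical stake-account id
    stake: float   # coins used to sign the confirmation
    bonded: bool   # True if locked in a stake account that can be banned

def slashable_stake(confs):
    """Stake the signers would actually lose if caught (bonded only)."""
    return sum(c.stake for c in confs if c.bonded)

def attack_expected_value(tx_value, stake_at_risk, p_caught):
    """Expected profit of a double-spend under the model assumed above."""
    return (1 - p_caught) * tx_value - p_caught * stake_at_risk

def break_even_detection(tx_value, stake_at_risk):
    """Detection probability above which the attack loses money on average.
    Solves (1 - p) * V = p * S for p."""
    return tx_value / (tx_value + stake_at_risk)

def is_deterred(tx_value, confs, p_caught):
    """True if a rational signer expects to lose money by double-spending."""
    return attack_expected_value(tx_value, slashable_stake(confs), p_caught) < 0

# Constructed sample data using the post's numbers: a 100-coin transaction
# confirmed by 1000 coins of stake.
BONDED = [Confirmation("stake-A", 600, True), Confirmation("stake-B", 400, True)]
# Same stake, but nothing can be banned ("if it fails, you lose nothing").
UNBONDED = [Confirmation("stake-A", 600, False), Confirmation("stake-B", 400, False)]

if __name__ == "__main__":
    print("break-even p, bonded:  ", round(break_even_detection(100, slashable_stake(BONDED)), 4))
    print("break-even p, unbonded:", break_even_detection(100, slashable_stake(UNBONDED)))
    for p in (0.05, 0.5, 0.99):
        print(p, is_deterred(100, BONDED, p), is_deterred(100, UNBONDED, p))
```

With bannable stake the attack stops paying once the chance of being caught exceeds about 9%; with no stake at risk the break-even probability is 1, so no detection rate makes the attack unprofitable.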
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
I hope the issue of checkpoints can be automated without any human intervention. Competing strategies for block and fee rewards should serve to keep each other from gaining overwhelming advantage. I suppose a two-factor strategy will work once the game is fully developed. PPCoin (or a version of) may work in the long run but it seems a very complex set of rules would be needed to manage the network. I would prefer a third player for simpler game balance, but it looks promising for now.
legendary
Activity: 905
Merit: 1012
But in the existing, community-vetted proof-of-stake proposals nobody is given control because of a high balance. In Mini's proposal, for example, PoS is simply a method of voting on checkpoints. It's therefore reactionary and you'd have both significant mining power *and* a significant balance to execute a double-spend attack. With PPCoin you need either significant mining power *or* a significant balance to execute a double-spend. That's not a trivial difference.
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
This is a fundamental flaw with PoS in general. A decentralized currency is based on game theory. In PoW we have miners competing with hash power to win blocks. In PoS we have the game owner making up the rules as they go along. That's not much of a game. A hybrid money game would work, especially with competing verification systems, but the rules have to be clear, up-front, and fair.
No, it's not. Read the wiki page on proof-of-stake. The existing proposals have been designed to not hand the keys to the network over to anyone. Proof-of-stake must be implemented as PoW *AND* PoS. Proof-of-work is meant to add security, not take it away. But that's exactly what happens in PPCoin--PPCoin greatly lessens the security of the network.
As long as it's based on a game theory with both competition and cooperation, then it can be fair. I did not mean that the blockchain is controlled by network keys, but by monopolists that have control simply by being early adopters.
legendary
Activity: 905
Merit: 1012
This is a fundamental flaw with PoS in general. A decentralized currency is based on game theory. In PoW we have miners competing with hash power to win blocks. In PoS we have the game owner making up the rules as they go along. That's not much of a game. A hybrid money game would work, especially with competing verification systems, but the rules have to be clear, up-front, and fair.
No, it's not. Read the wiki page on proof-of-stake. The existing proposals have been designed to not hand the keys to the network over to anyone. Proof-of-stake must be implemented as PoW *AND* PoS. Proof-of-work is meant to add security, not take it away. But that's exactly what happens in PPCoin--PPCoin greatly lessens the security of the network.
donator
Activity: 1736
Merit: 1014
Let's talk governance, lipstick, and pigs.
This is a fundamental flaw with PoS in general. A decentralized currency is based on game theory. In PoW we have miners competing with hash power to win blocks. In PoS we have the game owner making up the rules as they go along. That's not much of a game. A hybrid money game would work, especially with competing verification systems, but the rules have to be clear, up-front, and fair.
legendary
Activity: 1022
Merit: 1033
They hope that they'll find an algorithm to do distributed checkpointing... But that's the whole point!

So what they say essentially is: "We haven't developed the main part yet, but we hope there is some solution. Meanwhile, here's this completely centralized system with proof-of-stake used as disguise of decentralization".

I'm not claiming that they are scammers, it is just incredibly sloppy crypto design. Somebody was just too eager to release the first proof-of-stake based cryptocurrency, without thinking about security much.
legendary
Activity: 1358
Merit: 1003
Ron Gross
In all fairness, the authors of PPCoin admit it is currently not fully decentralized, but they wish to remove these "broadcasted checkpoints" in a future software update - it is used for bootstrapping the coin.

I can't say that I support the idea myself, but it doesn't smell like yet another SolidCoin to me, just leaves a bad taste.
legendary
Activity: 1022
Merit: 1033
(It was already mentioned a couple of times in comments, but they are often buried, so I want a separate discussion.)

The most 'interesting' part of a cryptocurrency design is its defense against double-spend attacks (since ownership is trivially implemented via public key crypto). In Bitcoin it is done using proof-of-work approach.

In PPCoin it is done using proof-of-stake/proof-of-work hybrid.

The problem is that proof-of-stake used in PPCoin does not really defend against double spend attacks. At all.

If you have a large enough stash of coins you can do a history rewrite of arbitrary size. Particularly, you can rewrite last few blocks to do a practical double-spend.

If it fails, you lose nothing. So only an irrational person would not do double spends.

If we assume that miners are rational, they will try to do these attacks, it is a legitimate business with PPCoin. It costs you nothing, but brings money (e.g. kickbacks), so why not?

So, well, this scheme of proof-of-stake does not work. Actually, authors note it in PPCoin paper, so they use a centralized checkpointing approach.

So, let's summarize:
  • proof-of-stake is useless
  • currency is secured through centralized checkpointing

Thus it is definitely not a decentralized cryptocurrency.

(It's worth noting that there are better ways to implement proof-of-stake, it's just that method used in PPCoin is flawed. https://en.bitcoin.it/wiki/Proof_of_Stake )