Topic: Proof of Stake Bitcoin? - page 3. (Read 15932 times)

newbie
Activity: 14
Merit: 0
February 04, 2018, 11:01:14 AM
The Proof of Work algorithm gives you the option to always get some coins.
In a PoS system, early adopters hold the power forever; this is not a good long-term strategy, since nobody is perfect and nobody can be trusted.
In PoW everybody is equal in casting a vote regardless of the time they joined the network, but still bounded only by the amount of electricity they have, and since electricity can be traded, it means the richest are the most powerful.
In PoS you can get bigger power to vote in two ways: you are an early adopter or you have a lot of coins currently. And since those coins can presumably be traded as well, that means the richest have most of the power in PoS as well.
So PoS has one more vector for reorganization, but the benefit of lower costs of the network.

I believe Bitcoin should stay PoW and I can't see a reason for it to make a switch. I don't believe its security should be put at risk for the benefit of saving some money. A natural system of who can bring more to the table is the best option we currently have to keep the blockchain safe.
 
I like you
full member
Activity: 403
Merit: 109
my Beans can beat your Beans in a fight
February 04, 2018, 09:11:59 AM
Proof of stake has many problems, like the increasing max supply for every stake of every holder. The more the demand, the higher the max supply, so in the end your stake is useless because the price keeps on lowering after someone stakes at their wallet. Look at B3 coin and Sprouts coin, all dying because of PoS. I'll go with PoW rather than PoS.

Not all are so poorly planned.
newbie
Activity: 15
Merit: 0
February 04, 2018, 07:15:22 AM
Proof of stake has many problems, like the increasing max supply for every stake of every holder. The more the demand, the higher the max supply, so in the end your stake is useless because the price keeps on lowering after someone stakes at their wallet. Look at B3 coin and Sprouts coin, all dying because of PoS. I'll go with PoW rather than PoS.
hero member
Activity: 770
Merit: 629
February 02, 2018, 12:42:30 PM
wow, there is so much erroneous information on this thread about POS coins...

It is true that the thing I argue for, is not the classical PoS.  Classical PoS that wants to play the same game as PoW has indeed a problem of principle, because both approaches are wanting to adhere to a property that is, when you think about it, quite crazy.  It is what I said before:

"suppose that an entity E is presented with a set of potential consensus propositions X (containing the "true one" A) and entity F is presented
with another set of potential consensus propositions Y (also containing A), how to make sure that both will elect A, assuming E and F don't trust anyone, and have no previous information (weren't online) ?"

In absolute terms, PoW can provide a solution, by spending more than half of planet earth's energy and hardware on the true consensus A.  Any set can only contain consensus documents with less PoW, so "maximum PoW" will elect this A for sure.    But this is madness.

If we define PoS in a very similar manner as PoW, that is, a block chain with rewards by stakers, to stakers in a similar way that PoW works, then there's no way to satisfy the above condition.  Indeed, if A was the "true" chain, there can be an infinite number of different chains that can be just as well chosen.  Any selection procedure that picks "the best" chain out of a set can be tricked into picking a chain that is different if you are allowed to propose chains.   I can easily make hundreds of chains that will all be preferred over the "true" chain, no matter what the deterministic selection function is.  This is the main reason why people say that PoS is not trustless secure.

Indeed, I can always make a new genesis block, giving me the first coins.  As I'm the only staker at that point, I can make the second block, and win coins.  I can now transact from myself to myself.  I'm still the only staker, but it looks like there's two of us.  And so on.  I can make an entirely new chain from scratch, and I'm the full owner of all coins. I could decide to transact to "real users" on the original chain. Depending on the deterministic selection function, I can steer that in such a way that my chain will be preferable over the original one, and that I and all my addresses nevertheless remain stakers for all blocks according to the rules at hand.  As such, I can give myself a big chunk of coins, while leaving some of them to others.  If ever I publish this entire chain, all nodes should switch to it, and forget the original true chain.

However, we saw that PoW is only solving the issue when we accept madness: wasting more than half of humanity's energy on it.

So something has to give in.  Some trust must be allowed for.  If we accept trust in the genesis block, and a given client software, it becomes harder... but now, the founder of the chain has all the power to do what I proposed and/or if this genesis block is checked for in the software, the software signer can do so.  These guys can screw the entire system if they want to, but at least, ONLY they can do so.

But PoS as presented is not at the end of its problems.  Former owners of stake, that have transacted their coins later, and are, on the true chain, not stake holders, were potential stake holders in the past.  There are ways for them to construct a new chain from a point after they became legitimate owners, as stake holders, and so they can, as stake holders, remove the transaction after which they weren't stake holders any more.  Of course, any sensible pseudo-random stake selector will try to avoid allowing the same stakers to stake successively.  But as our former stake holder can put in new transactions of his former holdings (to himself), and is also winning new blocks, and can include or exclude as many other transactions as he wants to, he can tweak the stakeholder choice function (a pseudo random generator) in such a way that, nevertheless, he's allowed to make every successive block with all the stuff he has.  This requires some "proof of work", but you can easily see that if, say, in total, there are 1 billion potential stakers in the system, of which he holds, say, 100 addresses, you only need on average to try 10 million different configurations (order, date, whatever the pseudo random generator is sensitive to as source of entropy) to always have it fall on one of YOUR addresses "by coincidence".  So that's the PoW equivalent of a meagre "10 million hashes" or so, each time, to "be lucky" and be allowed to be the next preferred staker.

This is why many people consider the bare bones PoS system to be profoundly insecure.  But that is because this kind of PoS imitates bitcoin's PoW, that mixes up coin creation, consensus voting online, and "consensus proof after-the-fact".   Pure PoS that way is simply not secure, and this is why people say that it is IN GENERAL not secure.

The first thing to remove, is coin creation.  As PoS doesn't require a huge effort, there's no reason to be rewarded a fortune over it.  In fact, this rewarding can actually induce you to try to attack the chain, just to be able to stake and reap in the rewards.  

The second problem, which is common with PoW, is the silliness of rewinding far back in time.  Uncertainty over reached consensus comes from splits of the group, so that two or more parts independently, and honestly, each come to a different consensus in their own partition of the group.  Whenever the group joins, one can only see that others came visibly according to the rules, to a different chain of consensus decisions.

If one defines an absolute consensus rule that has no notion of time, then this problem seems "easy": of different proposals, find the "best" one.  As I said before, no matter what PoS system, it is always possible to invent a "better" chain than a given one.  In as much as in PoW, the decision is easy (even though terrible for the part that truly lost) and the attack expensive, in PoS, pretending to be a "lost piece of network" and winning over everyone is easy.  

But this is in practice not thinkable.  The rule that one should accept a risk of attack and rewind over a long period, because of the theoretical possibility of a long net split, is stupid.  The net doesn't split in separate big parts for days or weeks - most probably not even for tens of minutes, apart maybe from catastrophic events.  As such, there is no reason to allow a "rewind" for a long period.  In reality, a network consensus can be reached in real time in a period of several minutes.  It is totally ridiculous to accept attacks that "redo past consensus" for long periods, when it is obvious to all parties present online that this winding back is an attack.   This is also why many clients have "fixed points" in their code.  But this is nothing else but a very slow PoS kind of consensus, by a centralized signature, that of the dev.
This is even something that makes PoW also much, much more secure.  Indeed, "overtaking the chain" in PoW usually takes time, unless one has an IMMENSE amount of extra PoW hardware over the rest of the network.  If there are "PoS" signatures of consensus that don't allow one to wind back, these attacks fail.  But then, instead of having such a clumsy and centralized way of "certifying past consensus by dev signature" in the code, it is much smarter to make this certification the real consensus fixing rule.  If, after a reasonable time lapse by which all network propagation times are largely taken into account, a network consensus is reached, it would be pure madness for an online entity to accept to wind back the consensus it witnessed, for many epochs, by some or other silly rule, in the same way that the devs will not re-consider their "fixed points in the past" in the code.

So my idea is that when one drops the unnecessary and illusory requirements, and one looks at the practical mechanism of consensus, one can arrive at a much, much lighter and, for all practical purposes, even more secure way to do things, avoiding the huge disadvantages of many current systems.
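The stake-grinding step described in this post (try configurations until the pseudo-random selector "coincidentally" lands on one of your own addresses) is concrete enough to simulate. The Python below is an added example, not code from the post or from any PoS project. It models a toy selector whose seed is derived from fields the proposer controls, measures how many re-rolls an attacker holding 100 of 10,000 stakes needs per block (on the order of N/k = 100), and contrasts it with a selector whose seed contains nothing the proposer chooses in the current block. The stake counts, the SHA-256-based selector, the sample transactions and the assumption that the epoch seed is fixed before the block is built are all constructed for the demo.

```python
"""Toy simulation of stake grinding against a PoS block selector (added example,
not from the original post or any real PoS implementation).

Assumptions (constructed for the demo): stakes are numbered 0..N_STAKES-1, the
attacker controls the indices in ATTACKER_STAKES, and the next staker is chosen
as SHA-256(seed) mod N_STAKES.
"""
from __future__ import annotations

import hashlib

N_STAKES = 10_000                          # total eligible stakes (constructed value)
ATTACKER_STAKES = frozenset(range(100))    # attacker holds 100 of them (constructed)


def select_staker(seed: bytes, n_stakes: int = N_STAKES) -> int:
    """Deterministic selector: whoever holds the returned index makes the next block."""
    return int.from_bytes(hashlib.sha256(seed).digest(), "big") % n_stakes


def grindable_seed(prev_block: bytes, height: int, txs: tuple[bytes, ...], nonce: int) -> bytes:
    """Vulnerable: the seed mixes in fields the proposer picks (tx set and order, a
    nonce), so the proposer can re-roll the seed for free until it favours them."""
    h = hashlib.sha256()
    h.update(prev_block)
    h.update(height.to_bytes(8, "big"))
    for tx in txs:
        h.update(tx)
    h.update(nonce.to_bytes(8, "big"))
    return h.digest()


def grind(prev_block: bytes, height: int, txs: tuple[bytes, ...],
          attacker: frozenset[int] = ATTACKER_STAKES,
          max_tries: int = 100_000) -> tuple[int, int] | None:
    """Vary the nonce (a stand-in for any proposer-controlled input) until the
    selector lands on one of the attacker's stakes. Returns (tries, index)."""
    for nonce in range(max_tries):
        idx = select_staker(grindable_seed(prev_block, height, txs, nonce))
        if idx in attacker:
            return nonce + 1, idx
    return None


def average_tries(heights: int = 200) -> float:
    """Mean grinding cost over consecutive blocks; expected about N_STAKES / |attacker| = 100."""
    txs = (b"tx-a", b"tx-b")               # constructed sample transactions
    prev = b"\x00" * 32
    total = 0
    for height in range(1, heights + 1):
        tries, _ = grind(prev, height, txs)
        total += tries
        prev = hashlib.sha256(prev + height.to_bytes(8, "big")).digest()   # next parent id
    return total / heights


def hardened_seed(epoch_seed: bytes, height: int) -> bytes:
    """Hardened: the seed depends only on a value fixed before this block is built
    and on the height. No field the proposer chooses in this block feeds the
    selector, so re-ordering transactions or changing a nonce cannot change who
    is selected. (Assumption: epoch_seed itself was committed earlier, e.g. via a
    VRF or a commit-reveal round, which this toy does not implement.)"""
    return hashlib.sha256(epoch_seed + height.to_bytes(8, "big")).digest()


def hardened_attacker_share(epoch_seed: bytes, heights: int = 5000,
                            attacker: frozenset[int] = ATTACKER_STAKES) -> float:
    """Fraction of blocks the attacker is selected for under the hardened seed.
    With nothing to grind this stays near |attacker| / N_STAKES = 1 %."""
    wins = sum(select_staker(hardened_seed(epoch_seed, h)) in attacker for h in range(heights))
    return wins / heights


if __name__ == "__main__":
    print("grindable selector, mean re-rolls per block:", average_tries())
    print("hardened selector, attacker share of blocks:", hardened_attacker_share(b"epoch-seed"))
```

The grindable selector lets the attacker win essentially every block for about a hundred hashes each, which is the "meagre 10 million hashes" cost scaled down; the hardened one pins the attacker's share to their actual stake fraction, and the remaining question, how the epoch seed is fixed without giving one party control over it, is exactly what real designs spend their complexity on.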

full member
Activity: 351
Merit: 134
February 02, 2018, 02:39:49 AM
I half agree with that.  PoW uses an UNACCEPTABLE amount of energy, to establish a kind of security that is not needed

I couldn't disagree more with that statement, but I'm not wasting any more time arguing this point.
hero member
Activity: 770
Merit: 629
February 01, 2018, 04:19:58 PM
Seeing you guys argue is like watching democrats and republicans. One side will NEVER concede to the other... At the end of the day POS still works and this sort of thing isn't going to take place.

I agree, and I am bored of the argument.

Lets just agree the following:

* PoW uses a lot more energy than PoS, but is objectively more secure than PoS
* PoS can be secure if a majority of nodes remain online at all times

?

I half agree with that.  PoW uses an UNACCEPTABLE amount of energy, to establish a kind of security that is not needed, and only becomes truly secure if half of humanity's production capacity of electricity and/or hardware is devoted to it.   Whenever much less than this amount is used for PoW (even if still extremely wasteful) the security of PoW is based upon limited game-theoretical arguments of benefits and costs to attackers, but the attack is provably possible, even if its "motivation" may be put into question.  Given this relativity of security in PoW, the HUGE waste and damage done to the environment most probably doesn't justify the relatively limited security it procures.

PoW has a game-theoretical advantage as to the uniqueness of its consensus, but on the other hand, has, apart from its huge waste, also an evident problem of centralisation.

PoS can, for all practical purposes, be secure, if we drop the strict requirement of absolute, offline trustlessness, which is in any case not a real practical case: everyone is obliged to put trust *somewhere*.  Especially in monetary affairs, where "belief in others' belief in value" is a fundamental issue.   There's no need for a "majority" to be online.  There's a need for a sufficiently decentralized, half-trusted set of entities to be online at any time.  In all human activities, trust is part of the game.  In as much as blind trust is foolishness, trustlessness is madness.  There's a compromise to be found in sufficient decentralization, while at the same time allowing sufficient trust in "known peers" in order not to diverge into impossible or impractical situations.   The winning system is the one that puts sufficient trust in reliable partners, while at the same time putting in sufficient cross checks to avoid being gullible.  

Most of the problems of PoS come from the assumption that PoS needs to be rewarded in a similar way that PoW needs to be rewarded.  In fact, in as much as rewards are an essential feature of PoW (otherwise, nobody is going to do so), PoS is rendered less secure by rewards, because it stimulates otherwise honest consensus deciders to go to strategies to be awarded more rewards.

In my opinion, PoW is the right way to *create* coins (to burn seigniorage, and to limit price increase), but it is the wrong way to provide consensus (as it is too wasteful, and has automatic centralisation as a consequence).  Consensus is supposed to be quite straightforward: confirming the broadcast set of transactions, making a deterministic choice between double spend alternatives.  Apart from some limited network delays, it should be something most online nodes in the network can agree upon.  There's no need to go to extreme measures to do this.  

I know the argument of the "underground" kind of robustness.  Requiring to be publicly online is not exactly what one would consider a robust system that can survive government attacks and go underground.  The point is, a system that needs to spend 10 GW of power cannot go underground either.   Any large-scale financial system needs to be socially accepted - if it isn't, it will crumble in any case.  You can't consume 10 GW of power, hold a market cap of several hundreds of billions and be at the same time a half-secret underground grass-roots thing.
full member
Activity: 351
Merit: 134
February 01, 2018, 03:50:15 PM
Seeing you guys argue is like watching democrats and republicans. One side will NEVER concede to the other... At the end of the day POS still works and this sort of thing isn't going to take place.

I agree, and I am bored of the argument.

Lets just agree the following:

* PoW uses a lot more energy than PoS, but is objectively more secure than PoS
* PoS can be secure if a majority of nodes remain online at all times

?
full member
Activity: 403
Merit: 109
my Beans can beat your Beans in a fight
February 01, 2018, 03:42:57 PM
The fundamental rule is simply: you never wind back.  You never accept to "erase" a former observed consensus.  At best, you accept double spends.

Double spends are erasure of former consensus. You can't just accept them blindly, the currency would be worthless.

If you refuse to wind back, you will end up with a corrupt blockchain, as latency and temporary outages will present you with missing and or incorrect data with no malintent.

My point was that in the unlikely event of the observation of a consensus split, which can only happen by a concordance of a very sophisticated attack and a full network split, the best solution is to merge both consensuses and accept the double spends as extra coin creation.  In reality, it will not happen, because to succeed in the full split of a large network, and at the same time propagate in both halves an accepted, different, consensus with two different spends, is very difficult to pull off.  But if ever it happens, there must be a response to it, and the best response is to merge both "account states" - that is, to accept the creation of some extra coins by the double spend that was successfully incorporated in the two otherwise legitimate accepted half-consensus parts.  As I said, it is essentially impossible to pull off.  You would expect that there's a well-known backbone of nodes most of the network is connected to.  In order for it to work, there must be a significant part of the network YOU trust, that has adopted ANOTHER consensus even though you thought you were on the network, while another significant part of the network YOU trust has adopted the same consensus as you did.  It would be something like you seeing that Bitfinex, Amazon and Coinbase had accepted one consensus (yours), while at the same time, the dev's node, Kraken, Poloniex and Google had accepted another consensus.  This would not even be possible if you were connected to all of them at that time, because you would have relayed them the consensus proposals of both sides, and there would have been an obvious single choice.  
It is only when suddenly, say, the dev's node, Kraken, Poloniex and Google seemed "offline" to you, just to come back 20 minutes later with a different consensus history, and lo and behold, their different consensus history has double spends with regards to yours (and Bitfinex's, Amazon's, and Coinbase's), which means that an attacker had succeeded in splitting them off, be on the split, and moreover, propose a different winning consensus on both halves.  Hard to pull off.



nokat tried this with Bitbean long ago, the other developers caught it and prevented it. It's not really possible in a practical situation. Seeing you guys argue is like watching democrats and republicans. One side will NEVER concede to the other... At the end of the day POS still works and this sort of thing isn't going to take place.
hero member
Activity: 770
Merit: 629
February 01, 2018, 03:13:50 PM
The fundamental rule is simply: you never wind back.  You never accept to "erase" a former observed consensus.  At best, you accept double spends.

Double spends are erasure of former consensus. You can't just accept them blindly, the currency would be worthless.

If you refuse to wind back, you will end up with a corrupt blockchain, as latency and temporary outages will present you with missing and or incorrect data with no malintent.

My point was that in the unlikely event of the observation of a consensus split, which can only happen by a concordance of a very sophisticated attack and a full network split, the best solution is to merge both consensuses and accept the double spends as extra coin creation.  In reality, it will not happen, because to succeed in the full split of a large network, and at the same time propagate in both halves an accepted, different, consensus with two different spends, is very difficult to pull off.  But if ever it happens, there must be a response to it, and the best response is to merge both "account states" - that is, to accept the creation of some extra coins by the double spend that was successfully incorporated in the two otherwise legitimate accepted half-consensus parts.  As I said, it is essentially impossible to pull off.  You would expect that there's a well-known backbone of nodes most of the network is connected to.  In order for it to work, there must be a significant part of the network YOU trust, that has adopted ANOTHER consensus even though you thought you were on the network, while another significant part of the network YOU trust has adopted the same consensus as you did.  It would be something like you seeing that Bitfinex, Amazon and Coinbase had accepted one consensus (yours), while at the same time, the dev's node, Kraken, Poloniex and Google had accepted another consensus.  This would not even be possible if you were connected to all of them at that time, because you would have relayed them the consensus proposals of both sides, and there would have been an obvious single choice.  
It is only when suddenly, say, the dev's node, Kraken, Poloniex and Google seemed "offline" to you, just to come back 20 minutes later with a different consensus history, and lo and behold, their different consensus history has double spends with regards to yours (and Bitfinex's, Amazon's, and Coinbase's), which means that an attacker had succeeded in splitting them off, be on the split, and moreover, propose a different winning consensus on both halves.  Hard to pull off.

As to latency and outages, the whole idea is that the network doesn't propose a next consensus round, as long as most of the trusted participants haven't "checked off" this one within sufficient latency time.  One uses real world time, and a given sequence of events: a slot for sending proposals, a moratorium when they should propagate which is long enough for all network delays, a slot for sending acceptance, and a moratorium when these acceptance signatures should propagate.  There can be a whole network protocol to see what nodes are slow, spamming etc...  and eventually exclude them.  Point is, for sufficiently slow slices of time, for all practical purposes, network propagation delays are smaller than slot times and we can take it that for most nodes, proposals have arrived, and signatures of approval have been sent.

full member
Activity: 351
Merit: 134
February 01, 2018, 02:45:06 PM
The fundamental rule is simply: you never wind back.  You never accept to "erase" a former observed consensus.  At best, you accept double spends.

Double spends are erasure of former consensus. You can't just accept them blindly, the currency would be worthless.

If you refuse to wind back, you will end up with a corrupt blockchain, as latency and temporary outages will present you with missing and or incorrect data with no malintent.
hero member
Activity: 770
Merit: 629
February 01, 2018, 12:30:09 PM
Well, you may have successfully created a different coin, yes.  It wouldn't be an "attack".  Because there's no rewinding.  You may trick some newcomers into your coin, thinking it is another one.  They will find out.  Your difference will be noted.   You will have a hard time having constant online entities like exchanges believing your nonsense coin.  And I will most probably put some trust in different exchanges.  Not one, but several.  If you don't give up, and if you keep sufficient followers for a sufficiently long time, your version may be listed on exchanges too.  And the market will take care of it.

No, it's much worse than that. Because I am persistent, I make sure my nodes are UPS protected and geographically distributed such that they become the nodes with the most up-time across the entire network. Therefore, over time it is not my blockchain that is rejected as fake, but the original one.

As I said, I should make a write-up of how one can solve this.   The whole misunderstanding is that money is about an offline ledger, while it is a common agreement of parties.   Most usage of crypto right now is between users and exchanges.  But maybe one day, that will be between users, exchanges, stores, etc....   Most professionals in this game will remain online all the time.  As such, they cannot be talked into rewinding something.  You will not be able, no matter how many nodes you have, to convince, say, Coinbase, to rewind.  Coinbase has been on the network all the time, and has acknowledged all consensus decisions on the network.  Of course, Coinbase by itself cannot be fully trusted.  But Bitfinex will also have been online all the time.  They will ALSO have acknowledged all consensus decisions.  Maybe some banks will too.  Maybe some day, Amazon will accept coins too.  Maybe Google.  Maybe your local supermarket.  In any case, your coins are only useful with these partners, and if all of them give you the same chain, you may fire up one million nodes saying something else; these one million nodes will not convince, because they are in disagreement with a backbone of trusted nodes.  So their keys are immediately tagged as untrustworthy, because they tell bullshit. It doesn't need to be just big companies that have trusted nodes.  You can have the devs running some trusted nodes too.  There's no chance that all of them, if they adhere to the principle of no wind-back, suddenly accept another chain.  The idea is that you fill up a list of keys of trusted nodes - but you can know them publicly too.

The only danger is a global net-split, a kind of a MITM attack on global scale.  That's not so easy to pull off.  And then, if ever that happens, the solution is to accept a merge, and accept double spends.  Accepting exceptional double spends in the case of a global network split is the best solution.  Nobody is hurt.  The only thing you get is a bit of inflation.  Not much, because you can only have some double spends of spendings during the split.

The fundamental rule is simply: you never wind back.  You never accept to "erase" a former observed consensus.  At best, you accept double spends.  Most of the time, and in reality, all of the time, all online nodes will be aware of all propositions of consensus in a given time lapse.  Especially if here are relatively central hubs most of them connect to.  The only way to be able to obtain a double accepted consensus, is if you can succeed in propagating a consensus proposal on one half of the network while the other half propagates another consensus proposal, and never gets to see the first one.
If there is the slightest leak of the first proposal to the second network block, all nodes in the second part of the network will be aware of it, compare it to the first, and come to the same consensus conclusion.  As there are no rewards attached to the proposition of the consensus, there are no motivated preferences apart from the rule that tells you which consensus to accept.  If you see that you are in check with a lot of trusted nodes, like the dev's nodes, big commercial nodes, your buddies and so on, that's just as good as being in sync with some obscure Chinese mining pools.  It is essentially impossible to split the backbone of big, known nodes, and as most probably all user nodes are somehow also connected to some of these backbone nodes, it is essentially impossible to split the network.  If the network is not split, there's no way to have a split in consensus.  And if ever it happens, the idea is not to rewind, but to merge, and accept eventual double spends as the price to pay for the split.

Note that a split is not enough: you also have to have stake holders signing, and you can only bring confusion over the time lapse you arrive at keeping the network split.  

Quote
The only way to prevent this is to use subjectivity by manual intervention. This is a horrible way to run something as important as a currency; credibility would be destroyed.

Absolutely not.  Like the dollar is not destroyed because exceptionally, there have been some counterfeiters.  

Quote
Quote
The more you sign correct propositions, the more I can trust you that you will have continued doing so if I am absent.  Even though I shouldn't be absent in my own interest.

So, I perform a long-con whereby my majority of nodes start out trustworthy, enough to acquire the trust of nodes like yours, then I carry out my attack, by purchasing old private keys, for example from the genuine chain with which I can become a staker and broadcast a fork where I can do what I like, which will be accepted by your syncing node, or even your regular node, potentially due to network latency.

Nope, because you will not be a stakeholder according to my latest records, so your propositions of new consensus are not even valid, and I never wind back.  I might be convinced in accepting a double spend, if enough stake has proposed it, and enough of my trusted nodes have acknowledged it, in which case I assume there has been a network split.  But I never wind back.  If I see that important nodes like exchanges and all that have accepted those other spends simultaneously, I accept them too.  But I don't wind back.  Never.  So at most, we all accept some legacy double spends, which are then simply some extra coins, in those cases where there was a network split.  It won't happen, because a backbone of important nodes will not do so.
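The rules this post and the one above about proposal and acceptance slots spell out (a proposal from a key that is not a stakeholder in your latest records is not even valid; a consensus round is finalized once enough trusted nodes have acknowledged it; a proposal that would erase a consensus you already witnessed is refused, full stop) can be written down as a small node state machine. The Python below is an added example, not code from the poster or from any existing PoS implementation. It uses HMAC-SHA256 tags with pre-shared keys as a stand-in for the per-node signatures the post assumes, a fixed trusted-node list and a quorum of three out of four acknowledgements; the node names, keys and transaction batches are constructed, and the slot timing, the merge-on-split rule and stake-weighted validity are not modelled.

```python
"""Toy 'never wind back' node (added example; not from the original post).

Assumptions (constructed for the demo): each trusted node is known by a name and
a pre-shared key, and an acknowledgement is an HMAC-SHA256 tag over the proposal
id, standing in for the public-key signature a real system would use.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

GENESIS = b"\x00" * 32


@dataclass(frozen=True)
class Proposal:
    height: int
    parent: bytes      # id of the finalized proposal this one builds on
    proposer: str      # staker name; must be in the node's current stake set
    payload: bytes     # the batch of transactions being confirmed

    def id(self) -> bytes:
        h = hashlib.sha256()
        h.update(self.height.to_bytes(8, "big"))
        h.update(self.parent)
        h.update(self.proposer.encode())
        h.update(self.payload)
        return h.digest()


def ack(key: bytes, proposal_id: bytes) -> bytes:
    """A trusted node's acknowledgement of a proposal (HMAC stand-in for a signature)."""
    return hmac.new(key, proposal_id, hashlib.sha256).digest()


class Node:
    def __init__(self, trusted: dict[str, bytes], stakers: set[str], quorum: int):
        self.trusted = dict(trusted)        # name -> key of nodes whose acks we count
        self.stakers = set(stakers)         # who may propose, per our latest records
        self.quorum = quorum
        self.chain: list[bytes] = [GENESIS]  # finalized proposal ids; index == height
        self.pending: dict[bytes, tuple[Proposal, set[str]]] = {}

    @property
    def finalized_height(self) -> int:
        return len(self.chain) - 1

    def on_proposal(self, p: Proposal) -> str:
        """Admit a proposal to the pending set, or say why it is rejected."""
        if p.proposer not in self.stakers:
            return "rejected: proposer is not a stakeholder in my latest records"
        if p.height <= self.finalized_height:
            return "rejected: would rewind a consensus I already witnessed"
        if p.height != self.finalized_height + 1 or p.parent != self.chain[-1]:
            return "rejected: does not extend my latest finalized consensus"
        self.pending.setdefault(p.id(), (p, set()))
        return "pending"

    def on_ack(self, proposal_id: bytes, signer: str, tag: bytes) -> str:
        """Count a trusted node's acknowledgement; finalize when quorum is reached."""
        if proposal_id not in self.pending:
            return "ignored: unknown proposal"
        if signer not in self.trusted:
            return "ignored: signer is not in my trusted set"
        if not hmac.compare_digest(ack(self.trusted[signer], proposal_id), tag):
            return "ignored: bad acknowledgement tag"
        proposal, acks = self.pending[proposal_id]
        acks.add(signer)
        if len(acks) >= self.quorum:
            self.chain.append(proposal_id)
            self.pending.clear()            # competing proposals for this height are dropped
            return "finalized"
        return f"pending ({len(acks)}/{self.quorum})"


def demo() -> dict[str, str]:
    """One honest round followed by three attack attempts; returns the node's verdicts."""
    keys = {n: f"key-{n}".encode() for n in ("exchange-1", "exchange-2", "dev", "shop")}
    node = Node(trusted=keys, stakers={"alice", "bob"}, quorum=3)
    out: dict[str, str] = {}

    honest = Proposal(1, GENESIS, "alice", b"batch-1")
    out["honest proposal"] = node.on_proposal(honest)
    for signer in ("exchange-1", "exchange-2", "dev"):
        out[f"ack {signer}"] = node.on_ack(honest.id(), signer, ack(keys[signer], honest.id()))

    # A key that held stake once but is no longer a stakeholder cannot propose at all.
    former = Proposal(2, honest.id(), "mallory", b"rewrite")
    out["former stakeholder"] = node.on_proposal(former)

    # A current staker offering an alternative history for an already-finalized height.
    rewind = Proposal(1, GENESIS, "bob", b"batch-1-alt")
    out["rewind attempt"] = node.on_proposal(rewind)

    # An acknowledgement under a trusted name but made with the wrong key counts for nothing.
    nxt = Proposal(2, honest.id(), "bob", b"batch-2")
    out["next proposal"] = node.on_proposal(nxt)
    out["forged ack"] = node.on_ack(nxt.id(), "exchange-1", ack(b"wrong-key", nxt.id()))
    return out


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:20s} -> {verdict}")
```

The interesting property is that the rewind check needs no knowledge of the attacker's chain at all: anything at or below the finalized height is refused before its contents are even looked at, which is what "I never wind back" means operationally. What this toy does not settle is how a node that was offline decides which trusted set to believe, which is the syncing-node problem raised earlier in the thread.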

full member
Activity: 403
Merit: 109
my Beans can beat your Beans in a fight
February 01, 2018, 10:37:17 AM
wow, there is so much erroneous information on this thread about POS coins...
I'm not going to point any fingers but with this level of misinformation out there about POS I can understand some things better.
ok, you guys have fun, I'm going back to Beanland.
full member
Activity: 351
Merit: 134
February 01, 2018, 06:23:37 AM
Well, you may have successfully created a different coin, yes.  It wouldn't be an "attack".  Because there's no rewinding.  You may trick some newcomers into your coin, thinking it is another one.  They will find out.  Your difference will be noted.   You will have a hard time having constant online entities like exchanges believing your nonsense coin.  And I will most probably put some trust in different exchanges.  Not one, but several.  If you don't give up, and if you keep sufficient followers for a sufficiently long time, your version may be listed on exchanges too.  And the market will take care of it.

No, it's much worse than that. Because I am persistent, I make sure my nodes are UPS protected and geographically distributed such that they become the nodes with the most up-time across the entire network. Therefore, over time it is not my blockchain that is rejected as fake, but the original one.

The only way to prevent this is to use subjectivity by manual intervention. This is a horrible way to run something as important as a currency; credibility would be destroyed.

Quote
The more you sign correct propositions, the more I can trust you that you will have continued doing so if I am absent.  Even though I shouldn't be absent in my own interest.

So, I perform a long-con whereby my majority of nodes start out trustworthy, enough to acquire the trust of nodes like yours, then I carry out my attack, by purchasing old private keys, for example from the genuine chain with which I can become a staker and broadcast a fork where I can do what I like, which will be accepted by your syncing node, or even your regular node, potentially due to network latency.

hero member
Activity: 770
Merit: 629
February 01, 2018, 06:11:36 AM
Just look at all the sites selling reddit upvotes, or twitter followers for $5 per 100,000.

There's no accepting other's votes.  My trust in you has more to do with you behaving correctly on the network for a long time while I watch you (like you watch me).  Note that you are not a staker, you cannot propose anything.  You can only confirm a proposed consensus by a staker, for which the confirmation should be automatic.  You add your signature to that proposition if it is the right one, and everyone online can SEE it is the right one.  The more you sign correct propositions, the more I can trust you that you will have continued doing so if I am absent.  Even though I shouldn't be absent in my own interest.

hero member
Activity: 770
Merit: 629
February 01, 2018, 06:08:25 AM
Lists of buddies are ephemeral. Even when they remain consistent, as an attacker in such a network, I can create a majority of false online nodes at near zero cost, all broadcasting impostor blockchain data which a syncing node will not be able to distinguish from reality

Given that no online node winds back, if you do that, you've simply created a clone and the newcomer will be on your clone.  But what happens on your clone will not be accepted by the "older nodes" that don't accept your alternative history, simply because they were there.  Exchanges that remain online all the time will not recognize your history.   So you've simply created another P2P money all by yourself, but with no link to the existing one.  Newcomers may be tricked in using YOUR P2P coin, but they will not be able to buy or sell their coins on an exchange, simply because that's another chain that doesn't rewind.

Quote
- and since I've been doing this for a while, your list of buddies will contain all my nodes, which do not start their attack until much later on.

Well, you may have successfully created a different coin, yes.  It wouldn't be an "attack".  Because there's no rewinding.  You may trick some newcomers into your coin, thinking it is another one.  They will find out.  Your difference will be noted.   You will have a hard time having constant online entities like exchanges believing your nonsense coin.  And I will most probably put some trust in different exchanges.  Not one, but several.  If you don't give up, and if you keep sufficient followers for a sufficiently long time, your version may be listed on exchanges too.  And the market will take care of it.

full member
Activity: 351
Merit: 134
February 01, 2018, 05:59:56 AM
You cannot prove that to an offline party afterwards of course, but that's the concession that is needed.  You can only witness the emergence of the consensus if you were online.

This is insufficient in providing the necessary resilience that a p2p currency should enjoy.

Quote
 But it is impossible for an attacker to give you a false list and not have you find the right list somewhere.  For that, the attacker would need to overthrow your entire list of former buddies, and he doesn't know them all, doesn't know what you know (when you were online and when not), and doesn't know the different trust scores you've attached to different buddies.  You will not have much difficulty establishing what was the right list by cross-checking what you know, and your different buddies.  You can then also know who is not to be trusted and who is.  People build a "web of trust" that way.

Lists of buddies are ephemeral. Even when they remain consistent, as an attacker in such a network, I can create a majority of false online nodes at near zero cost, all broadcasting impostor blockchain data which a syncing node will not be able to distinguish from reality - and since I've been doing this for a while, your list of buddies will contain all my nodes, which do not start their attack until much later on.

Web of trust = web of fail. Just look at all the sites selling reddit upvotes, or twitter followers for $5 per 100,000.
hero member
Activity: 770
Merit: 629
February 01, 2018, 05:53:09 AM
a) He has a client installed on his machine, which knows the chain it expects to receive, offline or online, doesn't matter
b) He doesn't have a client in the first place

The only aspect of trust here is that he trusts his existing client to be correct, or he locates the genuine client if he never had it to start with.

How can he trust these clients?  If we assume trustlessness, you don't trust any client by itself.  You do not distinguish the bitcoin core client from the bitcoin cash client from the monero client from the ethereum client from the litecoin client from the DASH client.... all these are untrusted pieces of software of course.

You only have a list of untrusted ledgers, and untrusted pieces of software.  No trust in a trustless system.  You can match them.  That's not trustless.  You can see that the bitcoin ledger "works" with the Core client.  You can see that the monerod client works with the monero ledger.  But you do not trust anything.  What's the "true" ledger (and hence, what's the "true" client) ?  --> The one with the most remarkable pair of numbers that required the biggest economic effort wasted on it.

hero member
Activity: 770
Merit: 629
February 01, 2018, 05:50:53 AM
You cannot attack a system that doesn't rewind.  But for that, you simply need online presence, or trust other online presence not to wind back.

You're basically saying: without double spends, we don't need a blockchain. Guess what?

No, that's not the case.  Every consensus decision on-line will have picked one of the double spends and not the other one - otherwise, the online nodes wouldn't have accepted it as a consensus - YOU wouldn't have accepted it as a consensus !  If you don't rewind, you'll never re-consider.  Of course, in order to even be accepted as consensus decision, it needs to be correct.  Double spends are not correct.  So no consensus proposal containing double spends is to be accepted by the online deciders.
Given that one doesn't rewind, you need online stakeholders to sign for it even to be a proposition of consensus, and you need online nodes to acknowledge (by signature) that they accepted it.  Only then, the consensus is acted and no online node will wind back.

You cannot prove that to an offline party afterwards of course, but that's the concession that is needed.  You can only witness the emergence of the consensus if you were online.  However, you can register the consensus that was reached.  Normally, all online nodes will register that (and its hash).  If there is enough diversity in online nodes, and none of them is willing to "wind back", there's no way for an attacker to "overdo past consensus".   Of course, if you've been offline, you need to check with all your "former online buddies" what is their list of consensus hashes.  Normally, all of them will give you the same list.  At worst you get different lists and you know there's something fishy.  But it is impossible for an attacker to give you a false list and not have you find the right list somewhere.  For that, the attacker would need to overthrow your entire list of former buddies, and he doesn't know them all, doesn't know what you know (when you were online and when not), and doesn't know the different trust scores you've attached to different buddies.  You will not have much difficulty establishing what was the right list by cross-checking what you know, and your different buddies.  You can then also know who is not to be trusted and who is.  People build a "web of trust" that way.

Note that if you consider that stake holders and online entities could nevertheless decide upon proposing and accepting an erroneous consensus, you can just as well assume this to be done by the PoW consensus deciders.  In as much as this harms other stake holders is their fault: they simply had to be online.  If they aren't, they take this risk.  Everybody will see of course that people decided upon a double spend.  So be it.  Exactly as if you'd discover that there was a double spend in bitcoin's block chain, 50 blocks ago.  So be it.
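The cross-check described in the post above (compare the consensus-hash lists of former online buddies against what you witnessed yourself, weight them by the trust you assigned, and mark whoever contradicts the result) is written out below as an added example. It is not code from the poster or from any existing project; the trust weights, the 60% agreement threshold and the peer lists are constructed assumptions for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Types: a consensus log is an ordered list of consensus hashes (height 0 upwards).
ConsensusLog = List[str]


def reconcile(my_log: ConsensusLog,
              peers: Dict[str, ConsensusLog],
              trust: Dict[str, int],
              threshold: float = 0.6) -> Tuple[ConsensusLog, List[str], Optional[int]]:
    """Rebuild the consensus history after being offline.

    my_log : hashes I recorded myself while I was online (never rewound).
    peers  : {peer_id: list of consensus hashes that peer now reports}.
    trust  : {peer_id: trust score} accumulated while watching that peer.
    Returns (agreed history, peers found untrustworthy, first height with no clear majority).
    """
    distrusted = set()

    # Step 1: anything that contradicts what I witnessed myself is a rewind or a lie.
    for pid, log in peers.items():
        if log[:len(my_log)] != my_log:
            distrusted.add(pid)
    honest = {pid: log for pid, log in peers.items() if pid not in distrusted}

    agreed = list(my_log)
    height = len(my_log)
    while True:
        # Step 2: trust-weighted vote on the next hash among peers that still agree with me.
        votes: Dict[str, int] = defaultdict(int)
        for pid, log in honest.items():
            if len(log) > height:          # peers that were offline too simply abstain
                votes[log[height]] += trust[pid]
        if not votes:
            break                          # nobody knows further consensus: caught up
        total = sum(trust[pid] for pid in honest)
        best_hash, best_weight = max(votes.items(), key=lambda kv: kv[1])
        if best_weight < threshold * total:
            return agreed, sorted(distrusted), height   # "something fishy": stop and investigate

        agreed.append(best_hash)
        # Step 3: peers that claimed a different hash at this height lose trust from now on.
        for pid, log in honest.items():
            if len(log) > height and log[height] != best_hash:
                distrusted.add(pid)
        honest = {pid: log for pid, log in honest.items() if pid not in distrusted}
        height += 1
    return agreed, sorted(distrusted), None


# Constructed sample: I saw heights 0..2 before going offline. Peers report what follows.
MY_LOG = ["h0", "h1", "h2"]
PEERS = {
    "alice": ["h0", "h1", "h2", "h3", "h4", "h5"],
    "bob":   ["h0", "h1", "h2", "h3", "h4", "h5"],
    "carol": ["h0", "h1", "h2", "x3", "x4"],        # diverges after I went offline
    "dave":  ["h0", "h1", "h2", "h3"],              # also went offline, knows less
    "eve":   ["h0", "y1", "y2", "y3", "y4", "y5"],  # contradicts what I witnessed
}
TRUST = {"alice": 9, "bob": 8, "carol": 5, "dave": 7, "eve": 6}

if __name__ == "__main__":
    agreed, bad, conflict = reconcile(MY_LOG, PEERS, TRUST)
    print("agreed history:", agreed)
    print("distrusted peers:", bad)
    print("unresolved height:", conflict)
```

Eve is thrown out before any voting because her list rewinds a height I saw myself; Carol is thrown out once the weighted majority settles height 3. If the remaining trust is split (for instance two equally trusted peers reporting different hashes), the function returns the height of the disagreement instead of guessing, which is the "you know there's something fishy" case from the post.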


full member
Activity: 351
Merit: 134
February 01, 2018, 05:38:30 AM
You cannot attack a system that doesn't rewind.  But for that, you simply need online presence, or trust other online presence not to wind back.

You're basically saying: without double spends, we don't need a blockchain. Guess what?

As soon as you bring trust into the equation, you throw away the security model, making all the other sacrifices that go along with using a cryptocurrency over the banking system, pointless.

Quote
Absolutely not.  As that agent who doesn't trust anyone cannot distinguish between both and doesn't trust any digital signature, how is he to make the difference ?  

He doesn't need to care. Either one of these two conditions is true:

a) He has a client installed on his machine, which knows the chain it expects to receive, offline or online, doesn't matter
b) He doesn't have a client in the first place

The only aspect of trust here is that he trusts his existing client to be correct, or he locates the genuine client if he never had it to start with.
hero member
Activity: 770
Merit: 629
February 01, 2018, 05:20:13 AM
There isn't a way to achieve one without it. Without a profit motive, the rational behaviour to maximise gains is to attack the system, this is the opposite of a Nash equilibrium.

You cannot attack a system that doesn't rewind.  But for that, you simply need online presence, or trust other online presence not to wind back.  It is much much easier to assume that there will be online systems that don't rewind, or remain online yourself, than to want to reach a Nash equilibrium with "offline rules".  There's no long-term Nash equilibrium to be reached if decisions are never rewound.  The only attack possible would consist in a "sustained split of the internet".

The unneeded difficulty caused is that one wants to prove in a trustless way to an offline participant that the consensus decision has to be unique.  That is devoid of any real-world meaning as I tried to explain.  In practice, nobody does so for anything else.  If I'm online, and I just record the successive online hashes of successive consensus decisions published by half-trusted peers, I don't need any proxy of past time (I was there) and I won't rewind (I know the hashes of consensus).  As my attacker cannot know what different peers I check, he cannot present me any consistent alternative history, even if I leave my online presence for a short while.  And that goes for most participants.  I can find them later, because they have unique keys, somewhat akin to a web of trust with mutually signed public PGP keys.  When using the network, I will learn about more and more network nodes, and learn to half-trust them.  Some will go, some will come.  I will regularly check their histories with mine (we will in any case all be voting over the last consensus when we are online).  It would be extremely difficult, for an attacker, to convince me of another history even if I were offline for a while.  And if I got tricked because I'm offline, my fault.  Let the attacker win.

Quote
Quote
They can only tell the difference because they trust or were online.  They have to trust the signatures of the "true" rule manifest (usually a piece of software).

No, they don't need to do anything. Their client, which can be offline, then online, will always know whether it is being presented with a candidate blockchain on the right hard fork, in the right blockchain.

You seem to be suggesting that the attack vector is to convince someone who's never had a bitcoin, or ethereum client before to install an impostor client. This is a social engineering attack, not a technical one.

Absolutely not.  As that agent who doesn't trust anyone cannot distinguish between both and doesn't trust any digital signature, how is he to make the difference?  He won't believe the name "bitcoin core" (obviously).  He won't believe the name "ethereum".  He won't believe anything signed or published.  There is no such thing as "impostor" in a trustless system.    He will only cryptographically find out that some ledger includes more proof of economic waste than the other.    He will only find suggestions in software "out there" that seems to work with certain ledgers, and not with others.  He can establish that some ledgers contain "remarkable results".

I don't have to tell you that when you have a pair of numbers, one of which is the pre-image through hashcash of a near-zero number, that that pair of numbers is remarkable.  I can suggest that you look at that pair of numbers with different hash functions, and if you find out that the hashcash function maps one of the numbers on a very small number, that in itself is a remarkable feat.  In as much as you can establish yourself that the hashcash function is not reversible, and in as much as you can figure out yourself how much electronics and electricity it would take to find that remarkable pair, you can estimate how much wasted economical effort went into this, without having to know in advance that you should look at "hashcash".

So you simply find ledgers.  You have no client.  But you find different clients on the internet.  You don't trust their authors.  But you see that some ledgers you find, "work" with some clients, and not with others. You can easily map untrusted ledgers to untrusted clients.  Through analysis of these clients, you realize that some ledgers contain "remarkable pair of numbers".  You can estimate the relative efforts that have been wasted to find those.  From that, you determine the highest-PoW ledger, and automatically, the client that goes with it.

If it turns out that amongst all untrusted ledgers you found, the one with the most remarkable pair of numbers, was the ethereum chain, and you found that the untrusted ethereum client "worked" with it, then that must be the right ledger and client.

The absolute trustless cryptographic unique signature is the discovery of that document (ledger) that contains that remarkable couple of numbers that has needed most economic effort wasted to find it.  In order to find out how remarkable it is (and hence, how much effort was wasted on it to find it), you can use untrusted SUGGESTIONS, but you don't have to trust them.  The document is moreover sufficiently complex to allow you to discover, amongst all possible suggestions, the only pieces of code that actually work with the uniquely tagged ledger of maximum waste.  That must be the "rule set" then, the right "client".
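The procedure the post above sketches (find "remarkable pairs of numbers", estimate the work each one cost, and pick the ledger whose chain of such pairs cost the most) is shown below as an added example; it is not the poster's code and not Bitcoin's own implementation. The hashcash function is assumed to be double SHA-256 over (previous hash, payload, nonce), difficulty is expressed as a required number of leading zero bits, and the three toy ledgers are constructed inline: two honestly mined at different difficulties, and one that merely claims a high difficulty it never paid for.

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

Block = Dict[str, object]
GENESIS_PREV = b"\x00" * 32


def hashcash(prev_hash: bytes, payload: bytes, nonce: int) -> bytes:
    """The one-way function. The 'remarkable pair' is (input, tiny output)."""
    data = prev_hash + payload + struct.pack("<Q", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for_bits(leading_zero_bits: int) -> int:
    """Largest digest value that counts as 'near zero' at this difficulty."""
    return (1 << (256 - leading_zero_bits)) - 1


def expected_work(target: int) -> int:
    """Expected number of hash evaluations needed to land at or below target."""
    return (1 << 256) // (target + 1)


def mine(prev_hash: bytes, payload: bytes, bits: int, max_tries: int = 1 << 22) -> Block:
    """Spend real (toy-scale) effort to find a nonce meeting the target."""
    target = target_for_bits(bits)
    for nonce in range(max_tries):
        if int.from_bytes(hashcash(prev_hash, payload, nonce), "big") <= target:
            return {"prev": prev_hash, "payload": payload, "nonce": nonce, "bits": bits}
    raise RuntimeError("no solution within max_tries")


def verify_chain(chain: List[Block]) -> Optional[int]:
    """Re-check every claimed pair yourself; return total expected work or None if any claim is false."""
    prev = GENESIS_PREV
    total = 0
    for blk in chain:
        if blk["prev"] != prev:
            return None                                     # broken linkage
        digest = hashcash(blk["prev"], blk["payload"], blk["nonce"])
        target = target_for_bits(blk["bits"])
        if int.from_bytes(digest, "big") > target:
            return None                                     # claimed difficulty not actually met
        total += expected_work(target)
        prev = digest
    return total


def pick_highest_work(ledgers: Dict[str, List[Block]]) -> Optional[Tuple[str, int]]:
    """Among untrusted ledgers, keep only those whose proofs check out and pick the costliest."""
    best: Optional[Tuple[str, int]] = None
    for name, chain in ledgers.items():
        work = verify_chain(chain)
        if work is not None and (best is None or work > best[1]):
            best = (name, work)
    return best


def build_chain(name: str, n_blocks: int, bits: int) -> List[Block]:
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i in range(n_blocks):
        blk = mine(prev, f"{name}-block-{i}".encode(), bits)
        chain.append(blk)
        prev = hashcash(blk["prev"], blk["payload"], blk["nonce"])
    return chain


# Constructed sample ledgers (assumption: 14-bit and 10-bit toy difficulties).
LEDGERS: Dict[str, List[Block]] = {
    "A": build_chain("A", 3, 14),   # fewer blocks, but 3 * 2^14 expected evaluations
    "B": build_chain("B", 6, 10),   # more blocks, only 6 * 2^10 expected evaluations
}
# Ledger C copies B's blocks but relabels them as 20-bit work it never performed.
LEDGERS["C"] = [dict(blk, bits=20) for blk in LEDGERS["B"]]

if __name__ == "__main__":
    for name, chain in LEDGERS.items():
        print(name, "verified work:", verify_chain(chain))
    print("highest-work ledger:", pick_highest_work(LEDGERS))
```

Two points the code makes concrete: the longer chain (B) loses to the shorter but costlier one (A), because what is compared is summed expected work rather than block count, and a ledger that merely asserts high difficulty (C) is discarded as soon as one digest fails its own claimed target, with no trust in anyone's signature or label needed.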