Pages:
Author

Topic: Proof-of-stake is more decentralized, efficient and secure than PoW- white paper - page 8. (Read 9984 times)

newbie
Activity: 25
Merit: 0

As far as spoofing the time intervals,
lets say you want to start a chain
"from 200 minutes ago".  You can have
a computer calculate an alternate
chain that supposedly started 200 minutes
ago in a few seconds, and broadcast
that in realtime right now.  Nodes receiving that
would not know that the blocks on
the false chain weren't really
built 200 minutes ago.

Nodes must accept the longest chain,
otherwise you will loose consensus and
risk a fork in the blockchain.

You won't always be able to achieve this,
but occassionally you will, and since
the cost is minimal, why not try it?

The reason this is incorrect is that there is no possibility for a "computer to calculate an alternate chain that started 200 minutes ago" and have it become longer than the main one.
What one has to keep in mind is that everything is deterministic.
For an attacker to build this fork he must own private keys that give him control over some stakes at the beginning of the attack.
Let's say the attacker has control over 10% of the mining coins. Two possibilities:
  • These coins have been used to mine on the main chain. In this case, the stakes will create blocks exactly at the same timestamps then they did when mining on the main chain because since everything is deterministic, the proofs are the same.
    Starting our clock at the start of the fork, let's consider the average case (20 blocks mined by the coins the attacker control), the stakes have generated blocks at time 3,7,13,[...],189,198. Then the attacker's fork will consist of 20 blocks created with the exact same proofs.
    The important part is that since the fork will always be a subset of the main branch he will never be able to create a fork with more trust than the main chain. A second important remark is that the attacker cannot try his luck many time.
  • The coins used to stake were not mining previously and in this case he would need in average 50% of all mining coins to be able to create a longer fork. This corresponds of course to a 51% attack.
    You might ask, if he gets his hand on 10% might he win? The probability that an attacker a fork with 10% of the coins will outperform the 90% remaining over a 200 minutes period is ~10^-100 (using formula on p.35 on the white paper). Therefore, this kind of event will never happen no matter how often attackers try.
  • A third possibility would be to send coins you own the fork and mine with them. In theory, you could do that a great number of time and you might expect to succeed at some point. That's why the minimum stake age (i.e. the minimum time during which coins have to wait before they can mine) is important. For these coins to be allowed to mine they must wait a significant amount of time and this creates a lag. And this has a consequence on "real time" since the nodes receiving the forks will check if the proofs used to generate the blocks are valid.

Quote
You won't always be able to achieve this,
but occassionally you will, and since
the cost is minimal, why not try it?

The important part is that, you will not "not always be able to achieve this", you will actually never be able to achieve this without owning ~50% of the mining coins.

Quote
I'm not sure what the 200 minute buffer
zone applies to (new coins staking?),
but that really doesn't solve the issue,
as you can keep trying to attack with
old coins, or you can attack less frequenly
(every 200 minutes) with coins you just
bought and sold.  In addition, I believe
it opens additional attack vectors based
on older stake participants rejecting
newer participants.

The reason behind this is that since you cannot "hope" to win be trying to fork a large number of time, the best thing you can hope for is to "grind" through stake modifiers, and to do that you must have control over the current stake modifier and this takes time.

Finally, what do you mean by "additional attack vectors"?


legendary
Activity: 2142
Merit: 1010
Newbie
yes; in the sense that any other approach requires you to know more information about a node in one way or another if you want to prevent sibyl attacks, so that you know you can trust them (you could see proof-of-stake as just some anonymized form of trust). And the thing with trust is...



We don't see her tits, hence your "appeal to authority" is not accepted.
legendary
Activity: 1764
Merit: 1007
yes; in the sense that any other approach requires you to know more information about a node in one way or another if you want to prevent sibyl attacks, so that you know you can trust them (you could see proof-of-stake as just some anonymized form of trust). And the thing with trust is...

legendary
Activity: 2142
Merit: 1010
Newbie
which one of my claims you think is bold?

Quote
only spent CPU power can algorithmically be proven because it boils down to pure physical entropy at the end of the day
legendary
Activity: 1764
Merit: 1007
which one of my claims you think is bold?
legendary
Activity: 2142
Merit: 1010
Newbie
I like proof of activity the best.  

Except it isn't a "proof". Proof-of-activity, proof-of-resource, proof-of-storage or similar are all misnomers. There can't be "proof" of these things, all of these can be forged; only spent CPU power can algorithmically be proven because it boils down to pure physical entropy at the end of the day. Also MaidSafe use the term proof-of-resource but in reality their security mechanism is a node-ranking system which does introduce a degree of trust.

You refuted one bold claim with another...
legendary
Activity: 1764
Merit: 1007
I like proof of activity the best.  

Except it isn't a "proof". Proof-of-activity, proof-of-resource, proof-of-storage or similar are all misnomers. There can't be "proof" of these things, all of these can be forged; only spent CPU power can algorithmically be proven because it boils down to pure physical entropy at the end of the day. Also MaidSafe use the term proof-of-resource but in reality their security mechanism is a node-ranking system which does introduce a degree of trust.
hero member
Activity: 718
Merit: 545
POS vs POW!!

Again!!!

hmm..

I did ask a few question in the Neucoin https://bitcointalksearch.org/topic/ann-neucoins-40-page-white-paper-rebuts-all-nothing-at-stake-objections-1003488 thread but no answers were forthcoming..

For me, there are issues with POS that many choose to ignore, or are ignorant about, simply because they think POW is wasteful..

I repeat :

1) Much is made of the 'wasted' and 'costly' electricity used to run the POW mining rigs.. People seem to think this number can increase 'INDEFINITELY' and somehow consume ALL the power in the world. LOL. This simply is not the case. The miners will spend what they can make from mining, they can't spend more.. or go out of business. The Market will determine what this will be. Personally, I don't see it as an issue, at all. The amount of energy Bitcoin mining uses is literally PEANUTS in the bigger scheme of things.  

Can someone explain a couple of POS queries.. ?

2) What if all the coins in a POS system are distributed evenly, the dream!, so that there are very few, if any, whales. Everyone thinks they have an insignificant amount, for mining purposes, but in truth they are ALL minnows. Who would mine ? Can't just lock up your funds if you are living hand to mouth..

3) If 10% of the stakeholders mine in POS, since I think 100% or even 50% seems unlikely, does that mean you need 5.1% to perform a 51% attack ?

4) In POS, can energy be expended searching more chain branches to find a valid chain on which you make more money ? If this is the case, won't future miners just spend money and expend energy until they spend slightly less than 1 block makes (same as POW) ?

5) Is this true : If a Cartel of POS stakeholders ever reach 51%.. That's it.. They can never be overtaken if they choose not to be. In POW this is not the case.

Thank you..
hero member
Activity: 759
Merit: 502
What about terrible initial distribution of coins in Proof-of-stake ? About the security, in order to stake new coins you must have unlocket wallet, so basicaly the least secure option to keep your coins.
legendary
Activity: 3248
Merit: 1070
you forgot that in pow, there is the halving, which will lead at the end to an increase in price because of less supply and more demand

in pos no one will buy anymore because he/she can generate coins without any effort, free money for them
i didn't forget halvings i just don't want to wait years for coin generation to be low enough that it doesnt hurt the price anymore and when that happens we get bigger risk of 51% as many miners switch off machines

of course someone will buy, the same who are buying now except they will be buying from our hoarded coins + 1% interest instead of miners who dump at any price

i could agree that halving structure isn't ideal as it is right now, 4 years between halving is too much, satoshi didn't take that into account maybe, it should have been 2 years max or even one year, the sooner bitcoin enter in the "fees phase" the better

hero member
Activity: 658
Merit: 501
But in proof of activity a person that is the most active in the network gets the honor to produce the next block.  It basically is a return to proof of work, except the work now is not some random arbitrary and pointless work but instead work done in the ecosystem that is strengthening it.  

Interesting --
http://eprint.iacr.org/2014/452.pdf
legendary
Activity: 1232
Merit: 1001
mining is so 2012-2013
MtGox would have dominated a PoS-version of Bitcoin quite exclusively back then.

Centralized exchanges is so 2014...

I feel like by the end of 2015 the community will really have some exchanges that will not run with the money because they are either 1) insured so even if the money disappears, it is just repaid, or 2) the exchanges are designed in a way that it is unpractical to steal the money because the exchange was designed from the ground up to not be able to steal money, and even the few weaknesses where it could be exploited would be pointless because it is in the exchanges interest in the long run to not act maliciously.
legendary
Activity: 1232
Merit: 1001
mining is so 2012-2013
After the creation of proof-of-activity and proof-of-capacity schemes I think there is no reason to create new proof-of-stake coins.

In the end, there is always more room for improvement.
legendary
Activity: 1232
Merit: 1001
mining is so 2012-2013
After the creation of proof-of-activity and proof-of-capacity schemes I think there is no reason to create new proof-of-stake coins.

I like proof of activity the best.  

In POW we are saying whoever can waste the most electricity should get the honor of forming a block, but that doesn't really help the network.

In proof of capacity, we are saying that whoever can waste the most hard drive space should get the honor of forming a block, but again that doesn't really help the network.

In POS, we are saying that who every directly invested in the network gets the honor to produce the next block.  So in a way a person is in someways contributing to the network.  Way better than the above two options.

But in proof of activity a person that is the most active in the network gets the honor to produce the next block.  It basically is a return to proof of work, except the work now is not some random arbitrary and pointless work but instead work done in the ecosystem that is strengthening it.  
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
No, that's just how I post. 
It's an old habit to try to
make emails more readable.
legendary
Activity: 2114
Merit: 1040
A Great Time to Start Something!

But none of these time intervals happen in real time or matter to the attacker
in a PoS.  They can all be spoofed...You can always broadcast a false chain
and that has always been the problem with PoS.

(Only PoW is resistant to time manipulations because it takes real time
to do the work.)

Can someone explain to me what is really new here?


Hi jonald,

I'd love to go into details about the grinding attack.
Could you clarify a few points for me before we dig in so that I don't paraphrase the paper.
1/What do you mean by "creating a false chain"? Creating a competing chain? I'm not sure what "false" means here.
2/What do you mean by "time intervals can all be spoofed". Of course, the attacker doesn't have to "redo the work" if he can reuse some previously create proofs but in this case his fork (at the beginning) will be a subset of the mainchain.

More generally, could you please provide a detailed description of how you would conduct such an attack (even a high level explanation would be great)
thanks !


There is some mechanism to decide who gets
to stake the next block.

In PoW, you must solve be the first to
solve a puzzle.  In PoS, you need only
meet certain conditions with your stake.
(And those conditions must be flexible
enough to ensure that blocks come out
in a timely manner -- should the chosen
participant not mint the block, an alternate
must be quickly selected).

Forcing a reorganization by broadcasting
a longer chain is the same mechanism
whether one is attempting a double spend
or simply trying to garner transaction
fees.

As the paper, says, grinding refers
to "cheaply searching the blockspace to find blocks
that direct history in their favor".

So a false chain is any other chain than
the main chain -- it is one that you forked
from a previous point on the main chain,
either for the purposes of double spending,
or gaining fees.

As far as spoofing the time intervals,
lets say you want to start a chain
"from 200 minutes ago".  You can have
a computer calculate an alternate
chain that supposedly started 200 minutes
ago in a few seconds, and broadcast
that in realtime right now.  Nodes receiving that
would not know that the blocks on
the false chain weren't really
built 200 minutes ago.

Nodes must accept the longest chain,
otherwise you will loose consensus and
risk a fork in the blockchain.

You won't always be able to achieve this,
but occassionally you will, and since
the cost is minimal, why not try it?

Of course, if everyone starts doing that,
you are back to the issue of using
competing computing resources, and thus
energy costs will rise to the level of
marginal profitability, which is the
very thing that PoS claims to avoid.

I'm not sure what the 200 minute buffer
zone applies to (new coins staking?),
but that really doesn't solve the issue,
as you can keep trying to attack with
old coins, or you can attack less frequenly
(every 200 minutes) with coins you just
bought and sold.  In addition, I believe
it opens additional attack vectors based
on older stake participants rejecting
newer participants.

Again, this kind of thing has always
been a problem with PoS coins.  
I just don't see how neucoin is anything new.

disclaimer: I'm not an expert and I could certainly
be wrong, but I would like someone to
explain why I am wrong.


I like the unusual formatting, since it makes your post look like poetry.
Were you on a phone (very small screen) typing it?
sr. member
Activity: 252
Merit: 250
After the creation of proof-of-activity and proof-of-capacity schemes I think there is no reason to create new proof-of-stake coins.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political

But none of these time intervals happen in real time or matter to the attacker
in a PoS.  They can all be spoofed...You can always broadcast a false chain
and that has always been the problem with PoS.

(Only PoW is resistant to time manipulations because it takes real time
to do the work.)

Can someone explain to me what is really new here?


Hi jonald,

I'd love to go into details about the grinding attack.
Could you clarify a few points for me before we dig in so that I don't paraphrase the paper.
1/What do you mean by "creating a false chain"? Creating a competing chain? I'm not sure what "false" means here.
2/What do you mean by "time intervals can all be spoofed". Of course, the attacker doesn't have to "redo the work" if he can reuse some previously create proofs but in this case his fork (at the beginning) will be a subset of the mainchain.

More generally, could you please provide a detailed description of how you would conduct such an attack (even a high level explanation would be great)
thanks !


There is some mechanism to decide who gets
to stake the next block.

In PoW, you must solve be the first to
solve a puzzle.  In PoS, you need only
meet certain conditions with your stake.
(And those conditions must be flexible
enough to ensure that blocks come out
in a timely manner -- should the chosen
participant not mint the block, an alternate
must be quickly selected).

Forcing a reorganization by broadcasting
a longer chain is the same mechanism
whether one is attempting a double spend
or simply trying to garner transaction
fees.

As the paper, says, grinding refers
to "cheaply searching the blockspace to find blocks
that direct history in their favor".

So a false chain is any other chain than
the main chain -- it is one that you forked
from a previous point on the main chain,
either for the purposes of double spending,
or gaining fees.

As far as spoofing the time intervals,
lets say you want to start a chain
"from 200 minutes ago".  You can have
a computer calculate an alternate
chain that supposedly started 200 minutes
ago in a few seconds, and broadcast
that in realtime right now.  Nodes receiving that
would not know that the blocks on
the false chain weren't really
built 200 minutes ago.

Nodes must accept the longest chain,
otherwise you will loose consensus and
risk a fork in the blockchain.

You won't always be able to achieve this,
but occassionally you will, and since
the cost is minimal, why not try it?

Of course, if everyone starts doing that,
you are back to the issue of using
competing computing resources, and thus
energy costs will rise to the level of
marginal profitability, which is the
very thing that PoS claims to avoid.

I'm not sure what the 200 minute buffer
zone applies to (new coins staking?),
but that really doesn't solve the issue,
as you can keep trying to attack with
old coins, or you can attack less frequenly
(every 200 minutes) with coins you just
bought and sold.  In addition, I believe
it opens additional attack vectors based
on older stake participants rejecting
newer participants.

Again, this kind of thing has always
been a problem with PoS coins.  
I just don't see how neucoin is anything new.

disclaimer: I'm not an expert and I could certainly
be wrong, but I would like someone to
explain why I am wrong.
legendary
Activity: 2142
Merit: 1010
Newbie
http://www.links.org/files/decentralised-currencies.pdf claims that cryptocurrencies with unknown "miners" are flawed. Unlike PoW, PoS coins do know who the "miners" are.
sr. member
Activity: 476
Merit: 251
COINECT
I don't believe that proof-of-stake is necessarily appropriate for Bitcoin but I do completely agree with:

Quote
Bitcoin holders are reluctant to debate competitive alternatives to PoW such as PoS and trusted nodes (like Ripple, despite its nearly $1B market cap).

It seems like every new technological innovation being pioneered by other cryptocoins is categorically rejected for implementation in Bitcoin almost immediately. It also seems like most of the people behind Bitcoin are also on the board of dozens of projects designed to replace it. If Bitcoin does end up failing, I think that the failure will be entirely social, a refusal to adapt and innovate. This is something that anybody interested in the project should be worried about.
Pages:
Jump to: