Topic: Proof that Proof of Stake is either extremely vulnerable or totally centralised - page 4. (Read 11692 times)

okaay

This already sort of exist and is called proof of burn, people send coins to a wallet X that no one is the owner, the amount of coins you send to this wallet X is your stake.

The way you talk about it, the closest thing from your idea would be a proof of burn coin where you send some amount of coins Y to someplace and each minute Y/(43200 [amount of minutes in 30 days) coins go to wallet X (that are removed from wallet X and sent to wallet Z after 1 minute).
The amount of coins at wallet X now would be the stake.

That's simple - you only have to write the corresponding number at the place in the block. You can put any number there.

Difficulty only matters in PoW chains. The attacker only needs to ensure that he has more than 50% of the weight ("chain trust" called in Peercoin) at the moment he forks his attack chain.

He achieves this with a double spend - instead of the original transaction of the "old key owner" he places his own transaction in the first fork block, which spends the same coins to another address he owns. From this moment on, both chains become incompatible, but it's trivial to produce the matching block hashes.

You refer to "chain trust", not to difficulty. If you own 50% of the stake in your chain, then it's trivial to achieve high chain trust values.

That's the point where I disagree with monsterer, I think carrying out the attack is extremely difficult and expensive - not the part "calculating the fake chain", but the part "buying 50% of old keys" or "bribing the holders of 50% of the stake".

Calculating a fake chain should be no problem. If I have time I could do that with a short example, but don't expect it tomorrow.

He can combine his attack with a short sell, as written in my last post.

Here I mostly agree.

So less assume there are no checkpoints to block it.

If the Main Chain is 3 months ahead of your fake chain, (because you purchased old keys)

Detail exactly how you are going to fake the time stamp on your fake chain blocks.

Detail exactly how you are going to fake the required time & hashes between blocks so it's difficulty # matches or exceeds the main chain, while also exceeding the block height.

Your Fake chain has to exceed the length of the main chain and has to have a higher difficulty level for it to be accepted over the main chain.

* Feel free to demonstrate on any PoS coin you own, and prove your theory. *
* We'll need copies of the main chain and your fake chain as proof. *


FYI:
If someone steals coins with a fake wallet download, the incentive is to sell the stolen coins for profit, not waste effort trying to destroy their ill gotten gain.
It be the same as robbing a bank and then setting the money on fire.  

FYI2:
N@S is not impossible, just an extreme waste of time and resources, which is why no one has ever even bothered to write a multistaking client.
The supposed benefits are mere hype and bullshit. It won't grant anything worth the time or effort of running one.
You drive up your needed resources for no real benefits.

No, monsterer is right here. You cannot differentiate a blockchain with "fake" timestamp and one with "real" timestamps.

The blockchain is a relatively simple database. It's only possible to check if the hashes correspond to a real block.

Things would be different if, at every block, a majority of the staking participants (=those holding 50%+1) would have to sign a message that the last block they received was received in a certain time interval, and all these messages would be included in the next block. This is basically what Proof of Approval is wanting to achieve. The downside is that a majority of all coin holders must be always online.

This isn't the case in "traditional PoS", where you can simply write your blockchain to the disk, when you want. You can even build it in something like Excel, based on previous blockchain data, and then save it

I still believe traditional, "naive" Proof of Stake is pretty secure if certain conditions are met, the most important being no incentives to stake multiple chains at once - staking algorithms like Peercoin with coin-age based rewards (not to be confused with coin-age based weight!) achieve that. A N@S attack is not impossible, but I think it is so difficult to carry out that it becomes extremely expensive, in the same order of magnitude than a 50+1% PoW attack.

The basic question is: how to buy old keys or bribe the stakeholders holding the  50+1%?

I already heard some ideas, like distributing a fake wallet client which is praised to give holders a "higher minting reward" but steals their coins or ensures in other ways that the network consensus gets corrupted. But people with significant holdings ("whales") would not be easily tricked into this. And if the code is open source then the hack will be discovered soon.

It could also be tried to buy the old keys at a black marketplace, but if the coin is mature enough, you would never get near even 10% of the holdings - at least if rolling checkpoints are implemented.

The only relevant option I know until now is the "shorting attack", but it is extremely expensive and risky. And it works with PoW coins, too, if you buy mining hardware/hashrate instead of coins.

Proof of stake is pretty reliable, because to take control of the chain, it would be necessary to control a huge part of the coins.

The core argument is that there is no objectively determined network. A node that was not around during the time the "honest network" progressed has no basis of knowledge for which fork to choose when presented with equally valid options. In this case, "making up 3 months" is as simple as creating the blocks near instantly with only a signature as proof and no immediate cost. With PoW this immediate cost is very high for bitcoin, but can drop dramatically for many altcoins.

However, the argument started as a criticism of NXT and Peercoin where there is literally no downside to staking several competing forks. It has been reformulated several times over to apply to any proof of stake system (including ones that punish bad behavior)--somewhat successfully in my opinion, but only given some highly implausible (but not impossible) conditions. There is *a lot* of manipulation in the cryptocurrency sphere, so discounting implausible scenarios as impossible seems like a logical mistake. However, I think the future of cryptocurrency security will be in currencies that are more PoS-like than PoW-like.

I find it amazing , that you PoW zealots , always say someone else needs to do more research.
When you are always the ones unable to prove your point.

The fact is I ask a very simple question, how does one make up the 3 months,
you come back with a pretense that you can just fake the timestamp and think the other nodes will fall for it with zero proof.

And you can't even post a link to a VM that fakes time so we can real world test your weak speculations.

My research on you is complete, as expected you are just spreading fud with no logic , just fear mongering.

Seems to me you need to get your act together Mr. Little.  



You just sprout more random talk trying to cover up the fact ,
that you are really clueless and not even able to test a real world attack simulation of what you claim is almost certain destruction of a PoS coin.

Enjoy your useless fud , you wasted enough of my time.

That's called 'weak subjectivity'. You really need to do some more research.

Kinda ironic that Proof of Anti-stake may work. The idea is, that user destroys it's coins and by doing so confirms a block

With some PoS coins it is a requirement that all nodes be within a certain time frame.
It used to be 2 hours , but a flaw was discovered that allowed people to gain a staking advantage by having such a large time window.
So the window was lowered to 1 minute or lower for most coins to stop the unfair staking advantage.
So if your PC time is >1 minute off from the actual time, any block your system created was refused by the Proof of Stake network.

* Even Bitcoin Requires blocks to be within that 2 hour window to be accepted in their network.*
https://bitcoin.stackexchange.com/questions/5076/what-stops-miners-nodes-lying-about-what-time-a-block-was-mined

---

What I am telling you is , you are wrong.

If you modify the wallet client to place false time date in the blocks , all you are doing is making a hard fork that the other nodes will ignore.

I telling you , you have to run the wallet code unmodified to create the blocks so that the real network would even think about accepting them.

So can you give me a virtual machine that lets me run a wallet application tricking it into thinking 24 seconds is 24 hours.
Because unlike you , I plan on doing some real world testing with it , not limited to speculative discussion.

If you can't provide me with such a virtual machine, then you are nothing more than chicken little running around screaming the sky is falling.

What exactly would make a block of a POS coin invalid, e.g. timestamp too late, compared to timestamp of previous block?
A POW coin can have a target time of 1 minute but could be stalled for days. Some shitty ones regularly do this.

If a block has to wait the coded time of 1 minute before block generation can occur, then every node must have really exact system time. Not like Bitcoin (quoted from wiki)

I really hope you're not the developer of that coin in your sig, because you seem to have some fundamental misconceptions about consensus design.

1) I have already said this above, but I'm going to restate it in plain terms: any concept of time elapsed in a trustless system is utterly unverifiable without an objective measure such as PoW, which is an unforgable proxy for elapsed time

2) In PoS block production has zero cost, see 1)

I did say New Breakthrough ASICS, which implies extremely better Energy & Hashing Performance.

Plus the CEO of Bitmain is Jihan Wu. (Major Bitcoin Cash Supporter)

If he could destroy bitcoin and replace it with Bitcoin Cash which BitMain has been stockpiling since it's creation.

So if he triggered a flippening making bitcoin cash the #1 coin , bitmain and his profit potential would be thru the roof.

So how much do you trust Mr. WU?  



As Much as you used to trust Mr. Ver

does not work like this at all.


to attack  you don't need a cloned block chain as it is not the blockchain you are attacking .

to attack the  BTC  chain  at 51% you need about 2.5 billion usd in hard gear .    that is if you have  s-9s.

the network right now is  42,616,425,761gh   so to do a 51% attack you need 45,000,000,000 gh in gear.  that is 3,214,285 s9's

you also need 4,500,000,000 in watts.

that is 4,500,000 kwatts  or 4,500 mega watts  which is about all of the Niagra falls power plant

http://nyfalls.com/niagara-falls/faq5/

New york city uses about 6,000 mega watts

So a direct 51% on BTC  would be really hard to do.  Unless you build a new miner that  is about 1000x better then an s9

but If bitmain build a 1000x more efficient miner  they absolutely would not want to do a 51% attack.

They could expand hash nest and claim their new miner is too large to sell  they could say it is 50th and uses 2000 watts.

then just sell shares of hash nest   and they would make a fortune doing that

Hmm,

Are their any Virtual or Physical Machines that can allow me to run applications at a different time scale than normal time.
Basically scaling 24 hours in 24 seconds and the application be none the wiser.

Therefore truly tricking an application about the speed of time.

Does anyone have any links to such a thing?


FYI:
OK, just to sum up.
To run this attack,

1.  One has to Buy or Steal old Private Keys totaling over 51% of a Proof of Stake Coin.
2.  Have a Virtual Machine that can fake time, so the wallet client can run unmodified.
3.  Create a Longer Chain with more difficulty on their virtual machine.
4.  Run Multiple PCs with their new chain on the coin network to replace the main chain.

* Still other factors that could block the fake chain from taking over,
Coin Age may keep the main chain with a higher difficulty, even if the attacker has actual 51% of coins.
Many Coins refuse blocks created too far ahead of the main chain, blocking the attacker's chain.
So timing has to be perfect.

Actually looks like a lot of personal time and expense to really accomplish nothing.
Say the attacker chain actually does rewrite the main chain.
Such a thing will be noticed immediately.

So the coin community releases the main chain with a hard coded check point blocking the attacker's chain.
People redownload the main chain and updated code and are back to normal within a day.

This attack , causes all Proof of Stake coins to implement rolling checkpoints as a safeguard and the whole attack proves to be a NON-EVENT.  

The attacker however has wasted his time and money on an attack , that never had any real chance of destroying a proof of stake network.  



FYI2:  Little thought for the PoW Crowd.  
The Largest ASICS Producer could have a major breakthrough and run NEW ASICS in their factory in Parallel to the main chain
for a few months creating a Longer chain with higher difficulty at their factory than the public bitcoin chain.
Releasing the ASICS Attack chain to overwrite the Bitcoin Network Main Chain.
And what would they do to repair things, release a download of the main chain and a updated client with a hard coded check point ,
and most likely implement rolling check points to prevent that from happening again.  

Cost is not the issue, Each Block has a defined target of say 1 minute between blocks.

Your chain is 3 months behind, and still has a target time of 1 minute,  your block height will always be ~ the same 3 months behind and as such never a threat to causing a reorg, because a reorg can only happen if your block height # exceeds the main chain.

So how do you make up the 3 months time difference?

FYI:
Any change to the code to modify the time target between blocks could allow faster blocks, would lower the target difficulty making it a weaker chain and also break consensus with the other nodes, therefore making sure it would never be accepted over the main chain.

FYI2:
The phrase (block production has zero cost) , is incorrect.
There actually is a cost , it is time.  
Your block has to wait the coded time before block generation can occur, and those coins go dormant for a coded period, another time factor.
The Time between blocks is hard coded which affects the difficulty # in proof of stake coins, thus defining the strength or weakness of a chain.

Because block production has zero cost, and there is no way to objectively verify any given block as being created at time T.

The Term : Rolling Checkpoints, where after a certain # of confirmations a Reorg is not allowed seem to block this issue outright and still allow a coin to stay decentralized.
Examples:
Blackcoin allows reorgs no deeper than 500 blocks.
NXT allows reorgs no deeper than 720 blocks.

My question is this:
Let's say their are no checkpoints , rolling or coded.

Someone buy the old private keys or at some point just actually owned over 51% of a coin total.

Say they try your attempt , but it was 3 months earlier when they owned coins.

The Blockchain has 3 months of confirmations ahead of them at a rated say 1 minute interval.

How do they ever catch up , with the block height of the main chain, won't they always be ~3 months behind?

* Now if you say it is possible to trick the time setting and somehow condense those 3 months into a day, please provide details or proof on how that is done.*
 

Thanks.

This can be easily mitigated: Do not make bitcoin purely PoS protocol. Make it mandatory that every 10th block must be created by PoW.

In that case someone would need to have a lot of processing power as well as a lot of stake.