
Topic: Proof that Proof of Stake is either extremely vulnerable or totally centralised - page 6. (Read 11771 times)

hero member
Activity: 572
Merit: 506
It is so tiring to reply to the hordes of ignorant trolls.

I wrote upthread that one could buy and sell the coins on an exchange. They would then hold the historic private keys to attack with. This would only cost them the average spread between buy and sell prices, so they don't actually have to buy 50%.
Even monsterer doesn't claim that collecting historic priv keys is a viable attack vector. It was explained why it isn't. He claims that it's easy to collect enough priv keys for this attack in a short timeframe.

There is no way to objectively distinguish a historic key that is respent from a historic transaction that had spent that historic key. This is a double-spend with two chains arguing about which was first.

The only way to distinguish which was first is either a decentralized objectivity which is the PoW longest-chain-rule, or for PoS a centralized objectivity such as community/developer checkpoints.

Please stop wasting my time with nonsense replies.
The problem is not to acquire a historic key and make a double-spending transaction, the problem is to acquire enough historic keys to outweigh the honest stake. When you acquire the first key, you must start your fork before it was emptied. In the scenario you describe, your fork must start very far in the past, but that's not a problem. The problem is, you now have a transaction that must be censored on your fork (in your scenario it's the transaction that deposits the funds back to an exchange). Since this transaction (let's call it transaction A) is excluded from your fork, you must exclude all transactions that depend on it, i.e. a transaction B that spends that output, and all descendant transactions (that's all on your fork; the main fork continues to function as it is supposed to). Now, when you make the second withdrawal from the exchange, it may happen that you must exclude this withdrawal on your fork too, because it indirectly depends on transaction A, so you fail to acquire new keys this time. If the second withdrawal doesn't depend on transaction A, then OK, you got the second key, but you must again censor the depositing transaction on your fork, therefore your fork inevitably drifts away from the main fork and it becomes more and more difficult to find suitable keys. Given that for a successful attack you need a lot of stake/keys, the only plausible scenario is to acquire them all in a very short timeframe.

P.S. I don't know whether my explanation is easy to understand, English isn't my native language. If it's not clear enough, maybe other people can help you (most people here seem to understand this issue with this kind of attack).
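The dependency argument in the post above, as an added illustration that is not part of the thread: a constructed toy UTXO ledger in which censoring the deposit transaction A on the attacker's fork forces every transaction descending from A to be dropped as well, so a later withdrawal that traces back to A cannot supply a fresh key. All transaction ids and owner labels are constructed for the example.

```python
from collections import defaultdict

# Constructed toy UTXO ledger (not real chain data). Each entry is
# txid -> (inputs, outputs); an input is a (txid, output_index) reference,
# an output is just the label of its owner. Insertion order = chain order.
LEDGER = {
    "cb1": ([], ["exchange"]),
    "W1":  ([("cb1", 0)], ["attacker_key1"]),   # first withdrawal to attacker
    "A":   ([("W1", 0)], ["exchange"]),         # deposit back: the tx the fork must censor
    "B":   ([("A", 0)], ["customer"]),          # exchange reuses A's coins
    "C":   ([("B", 0)], ["exchange"]),          # customer pays the exchange
    "W2":  ([("C", 0)], ["attacker_key2"]),     # second withdrawal, indirectly funded by A
    "cb2": ([], ["exchange"]),
    "W3":  ([("cb2", 0)], ["attacker_key3"]),   # withdrawal that does not depend on A
}

def spender_index(ledger):
    """Map each txid to the set of txids that spend one of its outputs."""
    spenders = defaultdict(set)
    for txid, (inputs, _) in ledger.items():
        for ref_txid, _ in inputs:
            spenders[ref_txid].add(txid)
    return spenders

def descendants(ledger, root):
    """All txids that transitively spend an output of `root`."""
    spenders = spender_index(ledger)
    seen, stack = set(), [root]
    while stack:
        for child in spenders[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def depends_on(ledger, txid, root):
    """True if `txid` cannot exist on a fork that excludes `root`."""
    return txid in descendants(ledger, root)

def fork_view(ledger, censored):
    """Chain-ordered txids the attacker's fork can keep after censoring `censored`."""
    excluded = descendants(ledger, censored) | {censored}
    return [t for t in ledger if t not in excluded]

def usable_keys(ledger, censored, prefix="attacker_key"):
    """Attacker keys whose funding withdrawal survives on the censoring fork."""
    kept = fork_view(ledger, censored)
    return sorted(o for t in kept for o in ledger[t][1] if o.startswith(prefix))
```

Censoring A keeps key1 funded on the fork (its deposit never happened there) and key3 (independent funding), but key2 is lost because W2 descends from A.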
legendary
Activity: 1638
Merit: 1036
ASIC speed grows in bursts. Eventually one of the bursts will allow rewriting the whole blockchain from the genesis within a day. I wouldn't say that PoW is as secure as you think.

That would be a 51% attack.

pos is much more secure than pow. you can't attack pos without notice or real world feedback but you can on pow.
on pow an evil entity could easily aggregate +50% silent, in the dark, without any chance to prevent this.
even without any new fancy, more powerful asic design, this attack could occur anytime and compared to a pos
with a similar market cap it would also be cheap, very cheap.

to follow your crude 'pico-probability-attack-vectors' on pos, here is a crude pow one for you. just imagine that
for whatever reason, the power-lines to the three chinese mining-warehouses randomly get broken. i guess in this
case the attack would be much cheaper, perhaps close to free compared to pos and as said, just out of the dark
without any chance or sign to prevent it. this is impossible with pos.

however, whatever possible attack vector you are constructing, it boils down to this. if you try to find a solution to fix users,
having the goal to destroy their own stuff serving them (your gen key example) you will fail, no matter how fancy your math is.
there is no solution for lunatic or planned self-destroying behaviour simply because even if there were, it has no value because the
target and reason for this solution disappears.




the reason Bumbacoin switched to PoS was to protect against PoW random hashes.

any shitcoin that is not worth people pointing mega-peta-hashes at the chain is at risk of multi-pools or even random arses with a bunch of miners in their spare room.

BCX? used to make a thing about attacking shit coins, that capability is within the hands of many more people now. even with apparently fancy difficulty re-targeting algorithms, the chain will still get shat on when mega-hash gets pointed at it.
sr. member
Activity: 406
Merit: 250
to follow your crude 'pico-probability-attack-vectors' on pos, here is a crude pow one for you. just imagine that
for whatever reason, the power-lines to the three chinese mining-warehouses randomly get broken. i guess in this
case the attack would be much cheaper, perhaps close to free compared to pos and as said, just out of the dark
without any chance or sign to prevent it. this is impossible with pos.

hero member
Activity: 597
Merit: 500
ASIC speed grows in bursts. Eventually one of the bursts will allow rewriting the whole blockchain from the genesis within a day. I wouldn't say that PoW is as secure as you think.

That would be a 51% attack.

pos is much more secure than pow. you can't attack pos without notice or real world feedback but you can on pow.
on pow an evil entity could easily aggregate +50% silent, in the dark, without any chance to prevent this.
even without any new fancy, more powerful asic design, this attack could occur anytime and compared to a pos
with a similar market cap it would also be cheap, very cheap.

to follow your crude 'pico-probability-attack-vectors' on pos, here is a crude pow one for you. just imagine that
for whatever reason, the power-lines to the three chinese mining-warehouses randomly get broken. i guess in this
case the attack would be much cheaper, perhaps close to free compared to pos and as said, just out of the dark
without any chance or sign to prevent it. this is impossible with pos.

however, whatever possible attack vector you are constructing, it boils down to this. if you try to find a solution to fix users,
having the goal to destroy their own stuff serving them (your gen key example) you will fail, no matter how fancy your math is.
there is no solution for lunatic or planned self-destroying behaviour simply because even if there were, it has no value because the
target and reason for this solution disappears.

legendary
Activity: 1008
Merit: 1007
That would be a 51% attack.

Ah, right. I didn't notice that you emphasized achieving a consensus, not security. My bad.

Your point doesn't make any sense in any other context. Mining is necessarily a competition, so if ASIC performance spikes then unless one entity has control of more than 50% of the network they cannot rewrite the blockchain from the genesis, since all miners compete to create blocks.
hero member
Activity: 686
Merit: 500
PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

That's entirely inaccurate.


Then why does your attack require buying a private key that has mined on the network?
legendary
Activity: 2142
Merit: 1010
Newbie
That would be a 51% attack.

Ah, right. I didn't notice that you emphasized achieving a consensus, not security. My bad.
legendary
Activity: 1008
Merit: 1007
ASIC speed grows in bursts. Eventually one of the bursts will allow rewriting the whole blockchain from the genesis within a day. I wouldn't say that PoW is as secure as you think.

That would be a 51% attack.
legendary
Activity: 2142
Merit: 1010
Newbie
That's entirely inaccurate. The whole point of this thread is to get people to realise that PoS does not reinforce consensus; that's what PoW miners do.

ASIC speed grows in bursts. Eventually one of the bursts will allow rewriting the whole blockchain from the genesis within a day. I wouldn't say that PoW is as secure as you think.
legendary
Activity: 1008
Merit: 1007
PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.

That's entirely inaccurate. The whole point of this thread is to get people to realise that PoS does not reinforce consensus; that's what PoW miners do.
legendary
Activity: 1066
Merit: 1050
Khazad ai-menu!
If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

Check the OP - that is what this entire discussion is about.



PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.


Anyone can mine a PoW coin, nobody can mine a PoS coin without investing first.

FTFY
hero member
Activity: 686
Merit: 500
If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

Check the OP - that is what this entire discussion is about.



PoS is mining.  It's cpu-mining, not much different than what satoshi designed for Bitcoin.

But while anyone can attack a PoW coin, nobody can attack a PoS coin without investing first.  Even in your scenario.
legendary
Activity: 1008
Merit: 1007
If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.

Check the OP - that is what this entire discussion is about.
member
Activity: 63
Merit: 10
How many possible staking inputs do these addresses have?
What is the min/max staking age of this coin?
How long a chain will they need to create to be longer?

Any such addresses need to have enough inputs to support not just a functional chain,
also with enough aged inputs to generate a long string of blocks with obscenely fast transaction time,
and also be "young" enough to ensure the chain necessary is not very long.


Not forgetting many PoS coins already have centralised checkpointing hard coded, and that active coins have regular checkpoints added to the source - so such centralisation is already a given.
full member
Activity: 187
Merit: 100
In any case, arguing that old private keys have value is to say that PoS doesn't work, since the transfer of value isn't reinforced sufficiently.

I don't argue on this. I argue that it's not easy to buy private keys even if users don't understand how the blockchain works. Also, according to the market laws, if someone starts buying keys publicly they will rise in price. And I'm more than sure that after you privately buy 100 keys the world will know that someone is buying them.
Nxt only has 73 original keys, so the attack happened before the world knew.

LOL
legendary
Activity: 1181
Merit: 1002
If you remove the miners, you are investing in nothing. That is PoS in a nutshell.

As long as you believe this, any discussion is pointless.
It's economic nonsense, plain and simple.
hero member
Activity: 686
Merit: 500
That's when you find out that you were talking to the same guy, and you bought the same private key twice.

Why wouldn't you get them to sign a message with each of their private keys to prove that they owned them and that they were both separate?



They can prove that they own a receiving address, but any number of receiving addresses can belong to the same private key. 

They can't prove that their private key is different from someone else's without revealing the private key.
legendary
Activity: 1008
Merit: 1007
The miners have the most skin-in-the-game and can therefore be trusted to behave in the best interests of the system.  The flaw in the design is more apparent than ever right now with the blocksize debate.  Essentially we have non-miners who also have skin-in-the-game in the form of STAKE in the system (e.g. Coinbase, Blockstream, BitPay, users wanting "cheap" transactions, etc.) that are at odds with the incentives of miners.

Miners create the value in the system which is then invested in by stakeholders. The value is the continually reinforced consensus which cements a partial order of transactions with asymptotic finality.

If you remove the miners, you are investing in nothing. That is PoS in a nutshell.
legendary
Activity: 1008
Merit: 1007
That's when you find out that you were talking to the same guy, and you bought the same private key twice.

Why wouldn't you get them to sign a message with each of their private keys to prove that they owned them and that they were both separate?
legendary
Activity: 2142
Merit: 1010
Newbie
Glad to see you recognize why your proposal can't function if centralization doesn't exist.

I'm talking about Nxt, not about Iota.

PS: The point was that economic relationships already enforce some level of centralization. Nxt doesn't add extra bits of centralization, it fits into existing limits.