
Topic: rpietila Altcoin Observer - page 7. (Read 387524 times)

hero member
Activity: 574
Merit: 500
April 06, 2015, 03:06:35 PM
@cryddit, I didn't see any comments on the Consensus Research findings I posted relating to Nothing at Stake. Did I miss them?
legendary
Activity: 924
Merit: 1132
April 06, 2015, 02:30:47 PM
Resources committed exclusively to a _single_branch_ of the block chain in any fork are the key to any block chain security (including proof-of-stake) that doesn't immediately fail. 

The 0@S problem is basically exploiting the lack of that property in the PoS systems so far implemented. 

The only thing I can come up with that is limited in the way that committing it to a single branch would be meaningful, is transactions.  And that's why I advocate transactions-as-proof-of-stake.  A transaction would have to be committed to some particular block of the recent block chain, and would not be valid in any branch not including that block.  In resolving conflicts between branches of a fork, you'd look at the relative fractions of the money supply used in transactions committed to each branch.  That is, unspent txOuts that existed before the fork, spent in transactions committed to blocks after the fork.   The result is that in a normally circulating economy, where txOuts are spent in combinations,  will rapidly have stake representing close to the whole money supply.  Whereas the guy who had 51% of the money supply at some point six years ago, can never make on his own a block chain in which more than 51% of the money supply has been spent since the fork. 

It's not without its problems;  While secure against the Nothing-at-Stake problem in the long run, it's very sensitive to big spends in the short run.  Second, transactions committed to a losing branch of the fork, disappear instead of getting added into the winning branch.  That combination opens up all kinds of games an attacker can play trying to get people to accept his spends and then make a big spend in a branch forked before the block the tx are committed to, 'unspending' his txOuts.  Not too much unlike the double-spend attempts in a PoW system, but much more reliable if the attacker controls any significant fraction of the money supply. 

In order to "smooth out" the unevenness of spending volume at least somewhat, you'd need long block times, to gather a bigger sample of transactions (smaller standard deviation in spending volume) into each block.   And you need it to be pretty hard or pretty unlikely to be able to form a valid block whenever you want to, in order to limit short-term opportunities to make forks to play attack games with.  Finally, you'd need to have it very widely distributed among a group of people actively using it to make transactions instead of just holding.  Getting to that point could take years and years.

Distribution, in particular, is key.  Having a small group of initial holders and no way for anyone else to get any other than by buying it from them, would not set up a scenario in which any kind of PoS, including TaPoS, would be likely to be successful.  So, if you're doing an initial Proof-of-Work mining phase, it should last for years, not days.  And you shouldn't make initial distribution via sale or IPO; if you do that you're not going to get anybody other than speculators who will NOT be using it for daily transactions, and who therefore won't be contributing to the security of the leading chain. 

TL;DR: Proof-of-Stake can work if you do it in a way that isn't a blatant scam.
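
An added illustration of the fork-resolution rule described in the post above; it is not code from the post or from any coin's implementation. The `Tx` and `Block` classes, the function names and all sample values are constructed for this sketch, which assumes a transaction names the block it is committed to in an `anchor` field.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class Tx:
    spends: tuple   # ids of the txOuts this transaction consumes
    anchor: str     # hash of the recent block the transaction is committed to

@dataclass(frozen=True)
class Block:
    hash: str
    txs: tuple = ()

def branch_stake(branch, fork_index, utxo_at_fork):
    """Fraction of the money supply spent on `branch` since the fork.

    branch[fork_index] is the last block shared with the competing branch;
    utxo_at_fork maps txOut id -> value for outputs unspent at that point.
    """
    in_branch = {b.hash for b in branch[:fork_index + 1]}
    unspent = dict(utxo_at_fork)
    staked = 0
    for block in branch[fork_index + 1:]:
        for tx in block.txs:
            if tx.anchor not in in_branch:
                continue  # committed to a block this branch lacks: not valid here
            for out in tx.spends:
                staked += unspent.pop(out, 0)  # pre-fork outputs only, counted once
        in_branch.add(block.hash)
    return Fraction(staked, sum(utxo_at_fork.values()))

def choose_branch(branches, fork_index, utxo_at_fork):
    """Index of the branch with the most pre-fork money spent since the fork."""
    stakes = [branch_stake(b, fork_index, utxo_at_fork) for b in branches]
    return stakes.index(max(stakes))

# Constructed sample data: supply of 100, one old output worth 51% of it.
UTXO_AT_FORK = {"old51": 51, "u1": 20, "u2": 15, "u3": 14}
COMMON = [Block("g"), Block("c1")]          # fork point is c1 (index 1)
H1 = Block("h1", (Tx(("u1",), "c1"),))
H2 = Block("h2", (Tx(("old51",), "h1"), Tx(("u2",), "h1")))
HONEST_SHORT = COMMON + [H1]                # public branch soon after the fork
HONEST_LONG = COMMON + [H1, H2]             # same branch after normal circulation
# Private branch: the old holder's own spend, plus a copied public transaction
# that is anchored to h1 and therefore does not count here.
PRIVATE = COMMON + [Block("p1", (Tx(("old51",), "c1"), Tx(("u2",), "h1")))]

if __name__ == "__main__":
    for name, br in [("short", HONEST_SHORT), ("long", HONEST_LONG),
                     ("private", PRIVATE)]:
        print(name, branch_stake(br, 1, UTXO_AT_FORK))
```

With the public branch only one block past the fork, the private branch's 51% outweighs it, which is the short-run sensitivity to big spends that the post points out; after normal circulation the public branch reaches 86% and wins.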
legendary
Activity: 3766
Merit: 5146
Note the unconventional cAPITALIZATION!
April 06, 2015, 09:46:44 AM
PoS is inherently flawed from a network security perspective. Let's say a big hack happens in an exchange and a large amount of PoS coins are now in the hands of a single person; the hacker will not only control a large part of the coins but subsequently of the network.
As I said right after the one sentence you quoted, the PoS algorithms we've seen so far are inherently flawed.  That's one of the flaws.  It can be fixed, but not in any of the ways people have done so far.
How?

It seems it's the Byzantine Generals' problem you guys are trying to solve here. I'm wondering if anyone in computer science has found a solution to that one yet. *cough*

Lol.  That pretty much sums it up.
legendary
Activity: 1764
Merit: 1007
April 06, 2015, 09:23:18 AM
PoS is inherently flawed from a network security perspective. Let's say a big hack happens in an exchange and a large amount of PoS coins are now in the hands of a single person; the hacker will not only control a large part of the coins but subsequently of the network.
As I said right after the one sentence you quoted, the PoS algorithms we've seen so far are inherently flawed.  That's one of the flaws.  It can be fixed, but not in any of the ways people have done so far.
How?

It seems it's the Byzantine Generals' problem you guys are trying to solve here. I'm wondering if anyone in computer science has found a solution to that one yet. *cough*
legendary
Activity: 1232
Merit: 1011
Monero Evangelist
April 05, 2015, 04:15:57 PM
PoS is inherently flawed from a network security perspective. Let's say a big hack happens in an exchange and a large amount of PoS coins are now in the hands of a single person; the hacker will not only control a large part of the coins but subsequently of the network.
As I said right after the one sentence you quoted, the PoS algorithms we've seen so far are inherently flawed.  That's one of the flaws.  It can be fixed, but not in any of the ways people have done so far.
How?
hero member
Activity: 574
Merit: 500
April 05, 2015, 01:56:47 PM
I'm not saying that any of these scenarios are very likely, but just that I think the 51% on a well established PoS coin (NXT) is more likely than a 51% attack on a well established PoW coin (BTC or LTC).

Ok, fair enough. I disagree but also believe both are very unlikely. But it doesn't really seem worthwhile to continue.
legendary
Activity: 3136
Merit: 1116
April 05, 2015, 12:06:27 PM
Where do you see the 210,000,000 NXT needed for this coming from? If you see that is a potential issue, you must also worry constantly that the top 4 mining pools will collude?

I can't find any charts showing network staking weight or amount of coins staking versus time, but I'd guess that when there is a price spike the amount of coins staking decreases, as people move their coins to exchanges. So, I don't think it's out of the question that a single exchange hack could lead to 51% of staking coins being available to the hacker. This seems to be basically what happened with Vericoin.

I don't think the top four mining pools colluding is as much of an issue as this, especially for ASIC mined coins such as bitcoin and litecoin. At least several of the top ten pools own significant amounts/all of the hardware mining on their pool: KnC, ghash, antpool (?), and possibly others. If any of these pools conspire to attack the network, they are basically conspiring to destroy the value of the hardware that they have invested so much money in, since presumably bitcoin would suffer a huge price drop and may or may not recover.

In the case of someone stealing a bunch of PoS coins and double-spending, their goal is presumably to sell out for bitcoin asap, so there's certainly no similar risk to a hacker who steals a boatload of coins. I think it is probably more likely that a top exchange or several top exchanges could collude to perform a 51% attack on a PoS coin than top mining pools colluding. Bter seems to be the poster child for shady exchanges, but there certainly doesn't seem to be a shortage of them. They are (possibly) risking their reputation, but not risking the value of physical assets (ASIC miners). I put 'possibly' in parentheses since they could pretend that they were hacked and then the "hacker" could perform the 51% attack. Bter seemed to do quite OK for a while after the NXT hack, just the more recent BTC hack that seems to have caused people to abandon them.

I'm not saying that any of these scenarios are very likely, but just that I think the 51% on a well established PoS coin (NXT) is more likely than a 51% attack on a well established PoW coin (BTC or LTC).
hero member
Activity: 574
Merit: 500
April 05, 2015, 03:10:51 AM
Where do you see the 210,000,000 NXT needed for this coming from? If you see that is a potential issue, you must also worry constantly that the top 4 mining pools will collude?
legendary
Activity: 3136
Merit: 1116
April 04, 2015, 08:13:12 PM
Long term forging has been constant for a long time at around 41%

http://nxtexplorer.com/nxt/nxt.cgi?action=160


Bter was the biggest exchange for nxt up until very recently. At the height of the hack, they held only ~5% (check the crypto press at the time.) Most nxters keep their nxt 'online' as it gives them access to asset exchange, digital goods store, encrypted messaging etc. Nxt is moving toward non centralised exchanges like multigateway.org and instantdex.

There was never a risk of 51% for the hack due to the high percentage forging (remember you will never get 100% as coins need to be in an account for 1440 blocks after being spent) and there is no depository, even at any centralised exchanges, that has enough to do any damage to the network. I guess an attacker could buy them..

Veri I don't know anything about except it isn't the same POS as Nxt.

If I understand the numbers in your link correctly, there's currently around 6.3B NXT (total amounts) and about 416M currently staking (current average peer forging). That amounts to less than 10%, about 6.6%, about the amount stolen from Bter. Please let me know if I'm reading the stats wrong, but I don't see how you get 40%.

You just read the bolded 'curr[ent] ave[rage] peer forging' in the top left corner > 415,700,146 = ~41% of 1billion (total nxt that will ever be)

It is a live number so will vary with time to reflect those forging. Not sure where you got 6.3B tho

Just clicked on stats in the same link and it says 6.3B for "total amounts". Anyway, I see 1B is total amount now, but I still think it's not a bad example of the potential issue, not as good an example as Vericoin, but not out of the realm of possibility.
hero member
Activity: 574
Merit: 500
April 04, 2015, 07:59:57 PM
Long term forging has been constant for a long time at around 41%

http://nxtexplorer.com/nxt/nxt.cgi?action=160


Bter was the biggest exchange for nxt up until very recently. At the height of the hack, they held only ~5% (check the crypto press at the time.) Most nxters keep their nxt 'online' as it gives them access to asset exchange, digital goods store, encrypted messaging etc. Nxt is moving toward non centralised exchanges like multigateway.org and instantdex.

There was never a risk of 51% for the hack due to the high percentage forging (remember you will never get 100% as coins need to be in an account for 1440 blocks after being spent) and there is no depository, even at any centralised exchanges, that has enough to do any damage to the network. I guess an attacker could buy them..

Veri I don't know anything about except it isn't the same POS as Nxt.

If I understand the numbers in your link correctly, there's currently around 6.3B NXT (total amounts) and about 416M currently staking (current average peer forging). That amounts to less than 10%, about 6.6%, about the amount stolen from Bter. Please let me know if I'm reading the stats wrong, but I don't see how you get 40%.

You just read the bolded 'curr[ent] ave[rage] peer forging' in the top left corner > 415,700,146 = ~41% of 1billion (total nxt that will ever be)

It is a live number so will vary with time to reflect those forging. Not sure where you got 6.3B tho
legendary
Activity: 3136
Merit: 1116
April 04, 2015, 07:08:42 PM
Long term forging has been constant for a long time at around 41%

http://nxtexplorer.com/nxt/nxt.cgi?action=160


Bter was the biggest exchange for nxt up until very recently. At the height of the hack, they held only ~5% (check the crypto press at the time.) Most nxters keep their nxt 'online' as it gives them access to asset exchange, digital goods store, encrypted messaging etc. Nxt is moving toward non centralised exchanges like multigateway.org and instantdex.

There was never a risk of 51% for the hack due to the high percentage forging (remember you will never get 100% as coins need to be in an account for 1440 blocks after being spent) and there is no depository, even at any centralised exchanges, that has enough to do any damage to the network. I guess an attacker could buy them..

Veri I don't know anything about except it isn't the same POS as Nxt.

If I understand the numbers in your link correctly, there's currently around 6.3B NXT (total amounts) and about 416M currently staking (current average peer forging). That amounts to less than 10%, about 6.6%, about the amount stolen from Bter. Please let me know if I'm reading the stats wrong, but I don't see how you get 40%.
legendary
Activity: 2968
Merit: 1198
April 04, 2015, 06:23:49 PM

I believe that Hal would have distrusted Monero's extended scripting language.  It opens a lot of attack surface, which a designer has to go over with a fine-toothed comb to make sure it doesn't present an avenue for DoS. 

I can't speak much to Satoshi's opinion since I only interacted with him briefly and via email, but I think he would probably have agreed, or at least taken Hal's opinion as valid. 

This is not to say that there's necessarily anything wrong with it.  But it could take a lot of time and effort to study it in detail and figure out all the combinations that could be used in attacks. 

For example, things most people don't consider like, do your arithmetic operators allocate?  If they do, can someone send dozens of transactions that do a lot of arithmetic in an attempt to exhaust memory? 

And so on.  You really have to get in depth on each and every opcode to know what attack surface you present.  Hal disabled about half the opcodes for the scripting language for Bitcoin, and had good reasons for each one why.  Although I think most of them could have been fixed with work on the implementation, he was right. 

The scripting language in the whitepaper isn't even implemented.

Only p2pk (where PK's are one-time via ECDH) is actually supported for now.
legendary
Activity: 924
Merit: 1132
April 04, 2015, 06:21:54 PM

I believe that Hal would have distrusted Monero's extended scripting language.  It opens a lot of attack surface, which a designer has to go over with a fine-toothed comb to make sure it doesn't present an avenue for DoS. 

I can't speak much to Satoshi's opinion since I only interacted with him briefly and via email, but I think he would probably have agreed, or at least taken Hal's opinion as valid. 

This is not to say that there's necessarily anything wrong with it.  But it could take a lot of time and effort to study it in detail and figure out all the combinations that could be used in attacks. 

For example, things most people don't consider like, do your arithmetic operators allocate?  If they do, can someone send dozens of transactions that do a lot of arithmetic in an attempt to exhaust memory? 

And so on.  You really have to get in depth on each and every opcode to know what attack surface you present.  Hal disabled about half the opcodes for the scripting language for Bitcoin, and had good reasons for each one why.  Although I think most of them could have been fixed with work on the implementation, he was right. 
pa
hero member
Activity: 528
Merit: 501
April 04, 2015, 05:58:30 PM
Cryddit, this is off-topic but I can't resist. . . since you were actually working with Hal and Satoshi on early Bitcoin. . . what do you think they would have thought about the alt-coin scene and Monero?
hero member
Activity: 574
Merit: 500
April 04, 2015, 05:51:21 PM
Long term forging has been constant for a long time at around 41%

http://nxtexplorer.com/nxt/nxt.cgi?action=160


Bter was the biggest exchange for nxt up until very recently. At the height of the hack, they held only ~5% (check the crypto press at the time.) Most nxters keep their nxt 'online' as it gives them access to asset exchange, digital goods store, encrypted messaging etc. Nxt is moving toward non centralised exchanges like multigateway.org and instantdex.

There was never a risk of 51% for the hack due to the high percentage forging (remember you will never get 100% as coins need to be in an account for 1440 blocks after being spent) and there is no depository, even at any centralised exchanges, that has enough to do any damage to the network. I guess an attacker could buy them..

Veri I don't know anything about except it isn't the same POS as Nxt.
legendary
Activity: 3136
Merit: 1116
April 04, 2015, 05:22:22 PM
PoS as an idea isn't inherently flawed.

PoS is inherently flawed from a network security perspective. Let's say a big hack happens in an exchange and a large amount of PoS coins are now in the hands of a single person; the hacker will not only control a large part of the coins but subsequently of the network.

Interesting point. It is a bit like if you successfully stole BTC, they would come with the miners.

This puts undue burden on this one aspect of the token, the token itself...

the Bter hack where the hacker stole 5-10% of the total available supply of NXT. 5-10% doesn't sound too terrible, but since apparently most PoS/NXT holders keep their coins offline or on other exchanges, I think that even 5% of total available coins could have been greater than 50% of the network staking supply. Bter was able to buy back most/all(?) of the NXT, so no 51% attack came from either one of these hacks, but they both illustrate this type of vulnerability.

Is this your true belief? I can see 3 assumptions that are easy to check against reality.


I can't find the number of nxt coins staking versus time, but I remember some discussion about when the hack happened (before the coins were returned/bought back by bter), and clearly it was identified as a potential issue by vericoin developers.
hero member
Activity: 574
Merit: 500
April 04, 2015, 04:15:41 PM
PoS as an idea isn't inherently flawed.

PoS is inherently flawed from a network security perspective. Let's say a big hack happens in an exchange and a large amount of PoS coins are now in the hands of a single person; the hacker will not only control a large part of the coins but subsequently of the network.

Interesting point. It is a bit like if you successfully stole BTC, they would come with the miners.

This puts undue burden on this one aspect of the token, the token itself...

the Bter hack where the hacker stole 5-10% of the total available supply of NXT. 5-10% doesn't sound too terrible, but since apparently most PoS/NXT holders keep their coins offline or on other exchanges, I think that even 5% of total available coins could have been greater than 50% of the network staking supply. Bter was able to buy back most/all(?) of the NXT, so no 51% attack came from either one of these hacks, but they both illustrate this type of vulnerability.

Is this your true belief? I can see 3 assumptions that are easy to check against reality.
legendary
Activity: 3136
Merit: 1116
April 04, 2015, 12:18:44 PM
PoS as an idea isn't inherently flawed.

PoS is inherently flawed from a network security perspective. Let's say a big hack happens in an exchange and a large amount of PoS coins are now in the hands of a single person; the hacker will not only control a large part of the coins but subsequently of the network.

Interesting point. It is a bit like if you successfully stole BTC, they would come with the miners.

This puts undue burden on this one aspect of the token, the token itself...

And it's already happened at least a couple of times: the Mintpal hack last summer that someone stole a bunch of Vericoin in, resulting in Vericoin rolling back their blockchain at the developer's discretion, and the Bter hack where the hacker stole 5-10% of the total available supply of NXT. 5-10% doesn't sound too terrible, but since apparently most PoS/NXT holders keep their coins offline or on other exchanges, I think that even 5% of total available coins could have been greater than 50% of the network staking supply. Bter was able to buy back most/all(?) of the NXT, so no 51% attack came from either one of these hacks, but they both illustrate this type of vulnerability.
legendary
Activity: 1442
Merit: 1000
Antifragile
April 04, 2015, 12:10:39 PM
PoS as an idea isn't inherently flawed.

PoS is inherently flawed from a network security perspective. Let's say a big hack happens in an exchange and a large amount of PoS coins are now in the hands of a single person; the hacker will not only control a large part of the coins but subsequently of the network.

Interesting point. It is a bit like if you successfully stole BTC, they would come with the miners.

This puts undue burden on this one aspect of the token, the token itself...
legendary
Activity: 924
Merit: 1132
April 04, 2015, 12:03:52 PM
PoS as an idea isn't inherently flawed.

PoS is inherently flawed from a network security perspective. Let's say a big hack happens in an exchange and a large amount of PoS coins are now in the hands of a single person; the hacker will not only control a large part of the coins but subsequently of the network.

As I said right after the one sentence you quoted, the PoS algorithms we've seen so far are inherently flawed.  That's one of the flaws.  It can be fixed, but not in any of the ways people have done so far.
