Topic: Transactions as Proof of Stake White Paper - page 2. (Read 6601 times)

hero member
Activity: 518
Merit: 521
December 03, 2013, 07:10:17 AM
#9
The other attacks you describe all derive from the fundamental reason I declared all non-proof-of-work systems to be insecure back in April.

My logic was mathematically fundamental. The input entropy set is quite deterministic and well known and thus can be preimaged. For example, accumulating a lot of coin-days-destroyed and then targeting them in clever ways to subvert the security.

The randomness (entropy) of each proof-of-work is fundamental and mathematical and it cannot be preimaged. It can only be surely defeated with > 50% of the network hash rate. Note I recently offered what I believe to be a solution to the selfish-mining attack (the one at hackingdistributed.com that claims a 25 - 35% attack).

I am skeptical that you can characterize all possible attack vectors of proof-of-stake in one coherent mathematical proof. Thus you will not know formally what the security is; instead there will be a list of ad hoc attacks and counter-measures.

Nevertheless I am not bagging on Peercoin. Everyone should be free to decide for themselves which coin they prefer. Perhaps there are unknown attacks on Bitcoin as well, yet I am somewhat comforted by the clear math for security of proof-of-work. I will not say I will never be convinced to support a non-proof-of-work coin, I will correct myself if someone explains such a system convincingly. It is on my TODO list to study more Peercoin.

Edit: Perhaps coin-days-destroyed in some attack vectors motivates not transacting for long periods of time.
hero member
Activity: 518
Merit: 521
December 03, 2013, 06:56:54 AM
#8
The most significant flaw of any proof-of-stake system and any system that diminishes coin rewards, is it can't distribute currency from the hoarders to the users of the currency, thus it will end up with the hoarders (the banksters) accumulating all the coin and the currency usage dying.

This is because the wealthy spend a much lower % of their net worth than the masses do.

Freicoin, if I am not mistaken, sends the demurrage into the ether, so those who transact more often see their coin balances decline less fast, thus it effectively redistributes relative coin value to the users of the currency. That could in theory be combined with a proof-of-stake system. The problem is, as Impaler correctly described it, how to secure the public ledger.

Although I admire how demurrage distributes directly to those who transact the most, it suffers from the fact that spenders are not necessarily doing anything to secure the coin (except perhaps increasing its long-term value, thus the value of mining if coin rewards do not diminish). Spending can even be wasteful and a misallocation of capital. Indiscriminately subsidizing spending (or anything) is not good economics. Zero transaction fees would already be a significant gift to spenders. Demurrage also reduces the balances of holders; I find it difficult to conceive how it will be popular. Whereas coin rewards do nothing to balances, and also apparently nothing to coin value, since Bitcoin is rising in price while the debasement is currently 12.5% new coins in the money supply this year.

Whereas those who actually mine are proactively using their time, ingenuity, initiative and capital to secure the network, thus it seems more capitalistic they should receive the redistribution from the hoarders. Besides it may be the only viable way to secure the public ledger.
hero member
Activity: 518
Merit: 521
December 03, 2013, 06:38:24 AM
#7
This proposal appears to be flawed, unless I am missing something. I have only read the first 4 pages thus far.

1. You propose to decrease the coin rewards as coin-days-destroyed volume increases, so this makes it less costly for an attacker to obtain > 50% of the hash rate assuming the attacker includes all the transactions. You apparently are attempting to imply there is no useful attack to do if the attacker is including the most coin-days-destroyed? Please confirm or deny then I will dig into more analysis of this vector.

2. Also how do you choose between someone who generates a proof-of-work hash with lower coin-days-destroyed several times sooner than the network propagation delay versus another who generates it that much delayed with a higher coin-days-destroyed? If you choose the latter, then you've killed the proof-of-work incentive because it means it will always pay to be later and wait for more transactions to arrive.

3. You claim to defeat my Transactions Withholding Attack by blacklisting those who send blocks with transactions that were not recently seen by all miners. I retorted against this recently. This centralizes the network (all for one and one for all outcome) by requiring every miner to be responsible for the incoming network connectivity of other miners. And it centralizes the network in other ways, such that it can't tolerate a temporary partitioning of the network due to connectivity outages.

P.S. By coin-days-destroyed, I assume you mean coin value x days, otherwise you would motivate proliferation of dust.
sr. member
Activity: 342
Merit: 250
December 03, 2013, 01:48:13 AM
#6
Really interesting. I have a few questions though:

I like the idea of putting the hash of the previous block into a transaction. What happens if you broadcast a transaction for a certain previous block and then a new best blockchain is published before your transaction can be confirmed? Are the coin-days from the transaction wasted? And when transactions are migrated from one chain to another such that their previous block hash doesn't match up, are the coin-days for those transactions just destroyed and never count to the difficulty of the chain? If so, would this cause any long term problems where one chain has too many transactions that were migrated into it and can be overtaken by another chain? What incentive does someone have to include transactions in their block if they don't match the previous block's hash?

Regarding the double spend vulnerability, that does seem like a pretty real concern whenever you don't trust the party sending you the coins. It seems like you may have to wait quite some time before you can be certain that your transaction won't be reversed.

What is a DAC? You don't define it anywhere as far as I can tell.

I'd love to see details for the protocol of a specific implementation of this idea. More details on how the POW will work (still not sure how target intervals are maintained) and how block rewards and transaction fees might look would be good.

And on a mostly unrelated note, is there any explanation about how Nxt works? I couldn't find a whitepaper or even a coherent explanation of how their system secures the blockchain with 100% POS. Is it similar to this whitepaper?
sr. member
Activity: 826
Merit: 250
December 02, 2013, 11:41:52 PM
#5
I'm very hopeful that this solution proves workable as I would like to see it used in Freicoin. I will bring it to the attention of our lead programmer maaku and possibly Luke-Jr too. We have long desired a solid PoS system which would allow for a decentralized distribution of the demurrage fee, but we have always been stymied by possible PoW attack vectors that our designs were vulnerable to.
legendary
Activity: 1094
Merit: 1006
December 02, 2013, 10:50:07 PM
#4
Good stuff. Love to see this running.
hero member
Activity: 770
Merit: 566
fractally
December 02, 2013, 09:46:34 PM
#3
Quote
Please read my paper for further details, but I believe that I have a Proof-of-Stake system that requires no explicit mining and for which mining is never 'profitable'. If the security model holds review then this could dramatically change the future of all DACs and crypto-currencies, eliminate mining pools, lucky mining, vesting, ASICs, the 51% attack, selfish-mining, merged-mining, denial of service, etc.

Please review and give me your feedback.

Quote
Have u compared ur concept to existing PoS currencies?

I have compared it to Peercoin and the methods described on the bitcoin wiki as well as Nxt. I am looking for people who know about this to point out any other prior art or problems that are not obvious to me.
legendary
Activity: 2142
Merit: 1010
Newbie
December 02, 2013, 05:15:22 AM
#2
Quote
Please read my paper for further details, but I believe that I have a Proof-of-Stake system that requires no explicit mining and for which mining is never 'profitable'. If the security model holds review then this could dramatically change the future of all DACs and crypto-currencies, eliminate mining pools, lucky mining, vesting, ASICs, the 51% attack, selfish-mining, merged-mining, denial of service, etc.

Please review and give me your feedback.

Have u compared ur concept to existing PoS currencies?
hero member
Activity: 770
Merit: 566
fractally
December 01, 2013, 09:03:20 PM
#1
Transactions as Proof-of-Stake & The End of Mining
http://the-iland.net/static/downloads/TransactionsAsProofOfStake.pdf

Quote
The concept behind Proof-of-Stake is that a block chain should be secured by those with a financial interest in the chain. This paper will introduce a new approach to Proof-of-Stake that utilizes coin-days-destroyed by every transaction as a substitute for the vast majority of the security currently provided by Proof-of-Work. Unlike prior Proof-of-Stake systems in which only some nodes contribute to the proof-of-stake calculation, we present a new approach to Proof-of-Stake whereby all nodes generating transactions contribute to the security of the network. The result is that the network is immune to known attacks against Bitcoin or Peercoin.

Quote
Every transaction on the network carries with it an implicit Proof-of-Stake in the network. The creator of the transaction wants the network to accept it and the receiver of the transaction is making decisions on whether or not to ship goods based upon whether or not the network has accepted the transaction. It is clear that those behind the transaction have a stake in the health of the network. After all, the network is worthless if transactions cannot be executed as expected. A well-functioning network will have thousands of transactions every single block. This represents thousands of stakeholders who could be contributing to the security of the network.

Quote
In order for a 51% attack to be successful in a Proof-of-Work system, the attacker must keep their alternative chain secret. Once they have locked in the profits from their first spend, they can broadcast the longer secret block chain which will invalidate the original transaction. Keeping solved blocks secret is also used in the selfish-mining attack which can be effective with much less than 51% of the hashing power.

In order to prevent this kind of behavior we must make it impractical for miners to maintain secret block chains. If every transaction that is broadcast contains the hash of a recent block and the block chain enforces the rule that the transaction can only be included in block chains that build off of that block then no one will be able to build secret block chains that leverage the coin-days-destroyed of transactions in the public chain.

Quote from: phoenix
So the basic idea is that the more coin-days destroyed in a given block, the lower the difficulty. But even if someone had enough computing power to find blocks that only destroyed a few coin-days, their chain would still be rejected, because proof of stake is used as the primary judge of chain size, not proof of work. Therefore, the fastest growing chain will be the one that includes the most transactions, which keeps the network healthy.

Please read my paper for further details, but I believe that I have a Proof-of-Stake system that requires no explicit mining and for which mining is never 'profitable'. If the security model holds review then this could dramatically change the future of all DACs and crypto-currencies, eliminate mining pools, lucky mining, vesting, ASICs, the 51% attack, selfish-mining, merged-mining, denial of service, etc.

Please review and give me your feedback.
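The two rules quoted from the paper in this post (every transaction carries the hash of a recent block and may only be included in a chain that builds off that block; the chain with the most coin-days-destroyed is the primary judge of chain size) can be checked on a toy ledger. The following is an added example written for this thread, not code from the paper or from any implementation the author describes. It assumes a transaction field named ref_block for the committed block hash, reads coin-days-destroyed as coin value x days (the reading post #7 asks about), and leaves proof-of-work out entirely so that chain weight is just the sum of coin-days-destroyed; the block and transaction values are constructed samples.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Tx:
    """A transaction that commits to a recent block it was broadcast against."""
    txid: str
    value: float      # coins moved by this transaction
    age_days: float   # days the spent coins sat idle before this spend
    ref_block: str    # hash of a recent block the sender observed (assumed field name)

    @property
    def coin_days_destroyed(self) -> float:
        # Coin-days-destroyed read as coin value x days (constructed sample values).
        return self.value * self.age_days


@dataclass
class Block:
    prev: Optional[str]                  # None for the genesis block
    txs: List[Tx] = field(default_factory=list)
    hash: str = ""

    def __post_init__(self) -> None:
        # Toy block id: hash of the parent id and the contained txids.
        if not self.hash:
            h = hashlib.sha256((self.prev or "genesis").encode())
            for tx in self.txs:
                h.update(tx.txid.encode())
            self.hash = h.hexdigest()[:12]

    @property
    def coin_days_destroyed(self) -> float:
        return sum(tx.coin_days_destroyed for tx in self.txs)


Ledger = Dict[str, Block]


def ancestors(ledger: Ledger, tip: Optional[str]) -> Set[str]:
    """Block hashes on the path from tip back to genesis, tip included."""
    seen: Set[str] = set()
    cur = tip
    while cur is not None and cur in ledger:
        seen.add(cur)
        cur = ledger[cur].prev
    return seen


def block_is_valid(ledger: Ledger, block: Block) -> bool:
    """The paper's rule: a transaction may only be included in a chain that
    builds off the block it references, so a fork that branched before that
    block cannot absorb the transaction or its coin-days."""
    lineage = ancestors(ledger, block.prev)
    return all(tx.ref_block in lineage for tx in block.txs)


def append(ledger: Ledger, block: Block) -> bool:
    """Accept a block only if its parent is known and the rule above holds."""
    if block.prev is not None and block.prev not in ledger:
        return False
    if not block_is_valid(ledger, block):
        return False
    ledger[block.hash] = block
    return True


def chain_weight(ledger: Ledger, tip: str) -> float:
    """Chain 'size' is total coin-days-destroyed, not accumulated hash work."""
    return sum(ledger[h].coin_days_destroyed for h in ancestors(ledger, tip))


def best_tip(ledger: Ledger, tips: List[str]) -> str:
    return max(tips, key=lambda t: chain_weight(ledger, t))


def demo() -> dict:
    ledger: Ledger = {}
    genesis = Block(prev=None)
    append(ledger, genesis)

    # Public chain: genesis -> A -> B, where the transactions in B commit to A.
    block_a = Block(prev=genesis.hash)
    append(ledger, block_a)
    public_txs = [
        Tx("tx1", value=100.0, age_days=30.0, ref_block=block_a.hash),  # 3000 coin-days
        Tx("tx2", value=5.0, age_days=200.0, ref_block=block_a.hash),   # 1000 coin-days
    ]
    block_b = Block(prev=block_a.hash, txs=public_txs)
    public_ok = append(ledger, block_b)

    # Secret fork from genesis: genesis -> A' (only the forker's own small stake),
    # then B' tries to reuse the public transactions. They reference A, which is
    # not an ancestor of A', so B' is rejected and the fork keeps only its own weight.
    own_tx = Tx("own1", value=10.0, age_days=1.0, ref_block=genesis.hash)  # 10 coin-days
    block_a2 = Block(prev=genesis.hash, txs=[own_tx])
    append(ledger, block_a2)
    block_b2 = Block(prev=block_a2.hash, txs=public_txs)
    stolen = append(ledger, block_b2)

    return {
        "public_ok": public_ok,
        "stolen_included": stolen,
        "public_tip": block_b.hash,
        "public_weight": chain_weight(ledger, block_b.hash),
        "secret_weight": chain_weight(ledger, block_a2.hash),
        "winner": best_tip(ledger, [block_b.hash, block_a2.hash]),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The model shows only what the two quoted rules give by construction: a transaction cannot be migrated onto a chain that does not build off its referenced block, so its coin-days count for the public chain alone. It deliberately does not model the points raised later in the thread (the propagation-delay choice between candidate blocks, or what becomes of transactions whose referenced block is orphaned); under this rule such transactions simply cannot be included on the other chain.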