Topic: Which Proof of Stake System is the Most Viable - page 10. (Read 25752 times)

With TF, the amount of consensus power is also limited.

I can relive your emotion.

Why NXT guys are so against open culture? If someone copies it new ideas might emerge.. I dont see the reason to be secretive at all... but it is their choice..

Asset Exchange is in the core and is open source.

Third party services (like muiltisig gateway for othjer cryptos)  may or maynot.

I don't know. Perhaps because this is the Bitcoin forum, not the Nxt forum. The Nxt forum is public: https://nxtforum.org/general-discussion/some-thoughts-on-arguments-of-pow-guys/.

As I understand it, the Nxt code is modular. The core, including the PoS stuff, will be open-source, but some of the services built on top will not be. The Nxt devs believe a lot of their value is in the services - things like the Asset Exchange. So the clone won't include all of Nxt.

Also, the Bitcoin distribution isn't all that fantastic. It has its whales. And the whole spin-off idea is unproven. The new clone will be neither Nxt not Bitcoin. Merchants who accept Bitcoin won't automatically accept the clone. There probably will be more than one clone, diluting attention. The idea that the clone will instantly have the same market capitalisation as Bitcoin is false. Network effects will encourage people to stick with Bitcoin and/or Nxt, because they will follow the market cap. The reasons that cause alt-coins to struggle, even when they are technically better than Bitcoin, will apply to the new clone.

No he wanted to PRIVATELY consult.

If he wants public review, why doesn't he just post here.

That's more or less what he said: that he wants public review of the ideas planned for Nxt. As seems sensible.

He says he's concerned about clones. Also, some of this stuff depends on a robust ecosystem, which isn't in place yet, but hopefully will grow over the next few months.

(I'm not saying I agree with this approach, but I can see the sense of it, and there's no doubt the Nxt developers have delivered in other areas.)

I see.

And I assume the kind of penalty i'm talking about would
be highly impractical based on the fact that you'd be
punishing honest miners way too often.

Bottom line:  nothing-at-stake-problem still not solved. 

No that isn't the penalty.  The "penalty" is if a miner doesn't mint a block when he can then he is prevented from minting future blocks for a period of 2 days ON THAT CHAIN.

"supporting the main chain" = minting blocks on that chain = no penalty = doesn't prevent the attacker from simultaneously working to extend one ore more candidate attack chains at the same time.

What are we talking about exactly when you say
"support the main chain"?

That's maybe where I'm not following you.

My assumption was the penalty was
because an attacker tried to broadcast
a chain that wasn't the best to the other
nodes, and it was rejected.

I revised the post to be more clear.  It is important to consider the optimal behavior for both an attacker with a minority and majority of the stake.   In neither case will there be an effective penalty although how the attacker proceeds will vary (it does in Bitcoin as well for different reasons).

Gotcha.

I guess I was thinking of a different scenario, where one is penalized
on the main chain for trying to create alternate chains.

So, that's not what we're talking about?

There would be no penalty.  Lets look at the case of a majority and minority attacker separately.  

An attacker with a minority of the stake will optimally support ALL chains including the main chain.  He will suffer no penalty.  Yes this will (marginally) reduce his chance because it improves the effective stake of the main chain relative to his chain but the chance was already low.  In PoW the real security comes not from the fact that a double spend with a minority of the hashrate is possible.  It is very possible but it will happen infrequently and the COST for all the times it fails offsets any gain from the double spend.    For example an attacker with 10% of the Bitcoin hashrate would be able to successfully double spend a tx with 6 confirmations 1 out of 1694 attempts.   It is impossible to guarantee that an attacker (even one with a minority of the hashrate) can NEVER perform a double spend on a tx 6 confirmations deep however the cost means that if the amount being double spent is <168,000 BTC the attacker ends up losing money.  He will eventually be successful however the gain from the success will be less than the loss of coins not mined.  

With PoS, a minority attacker WILL support the main chain when required and thus he will never suffer a penalty.  His chance of success will be low (and will be lower the more confirmations that are required) but with no (real) cost and a chance >0% he will eventually pull off a double spend at no cost.  There is nothing at risk precisely because he can support all chains in parallel simultaneously.  Note: a PoS system w/ a penalty marginally reduces the profitability of the attacker when the attacker has a minority of the hashrate but it doesn't remove the nothing at stake risk because the attacker can still support all chains (he probably would anyways even w/ no penalty to collect the block rewards on the main chain).

An attacker with a majority of the stake will optimally only extend the attack chain(s) and not the main chain because he doesn't need to.  You can penalize him all you want on the main chain but once one of the attack chains are longer then it will be published, the network will reorg to use that chain as the "best chain" and all the "penalties" will be limited to an orphaned fork.  Is there an effective penalty if all the penalties are limited to a chain which has been orphaned?  The irony is that after the attack chain is published all the honest miners who did not complete blocks when required will be subject to a penalty and unable to mine for 2 days.

It is but then the attacker would operate differently.  Since there is no cost he would simply support both chains.  Yes he is working against himself but with a minority of the hashrate the probability of producing a longer chain of x blocks was already <50%.  Still the odds are 0% and he isn't penalized because he is supporting the "main" chain (chain most likely to remain the longest).  So he loses nothing, gets no penalty and some % of the time will be able to out mine/mint the main chain and perform a double spend at no cost.  Granted the odds may be low (they are low for Bitcoin as well) if his share of the stake is low but say you got away with a double spend once a year with no cost or risk.  Other than ethics why wouldn't you try?  Attempt 10,000 double spends and if 9,999 are unsucessful and 1 is the fact that there was no cost means you are ahead.


I have no idea what you mean by "any block".  An attack can come from any block.  An attacker can continue to extend multiple chains extending from multiple blocks all in parallel and if any of them by "luck" end up longer than the main chain they will be published.  If the attacker has a minority of the effective stake (even when boosted by computing power), the chance of success if low.  That means the chance of penalty is high and it would be optimal to build on the main chain as well.

The same concept applies to selfish mining.  A minter produces a valid block and he will be penalized if he doesn't publish it on the main chain however the block doesn't allow him the chance of forging the next block so he hangs on to it for a while.   If prior to him finding a better block another miner publishes a block at the same height that is inferior then he publishes his block as well and suffers no penalty.  If prior to another miner finding a better block he finds a block which allows him to forge the next block he publishes that instead and then immediately attempts to solve the next block to double his reward.

1. I thought the nothing-at-stake problem applied to more than just the 51% scenario... that an attacker with even 10, 20, 30% could do some damage at no cost,
and that's why its such an issue.

2. I thought NXT's deterministic system to decide the next forger of a block is easier to attack by orders of magnitudes when the attack could come
from any block, versus being limited.  Its not that the attack would give up, but they would have to try harder (the computations should rise in
difficulty at least to some degree)

Why would he do that?  If the attacker has a majority of the stake he will eventually have the longest chain.  There is no reason to "give up".  All that matters is variance and time (well # of blocks) but the longer the chain the higher the probability the attacker will be head and that rapidly approaches 100%.  The exact same principle in in play when we assume the "good guys" have the majority.  In Bitcoin why do you trust a tx with 20 confirmations more than one with 1 confirmation?  It is because the probability that someone with a minority of the hashrate (even 49%) could build a longer chain to perform a reorg and "reverse" that tx decreases as the chain length increases.   In a 51% attack the attacker is the one with the majority so the roles are reverse.  The attack has a >50% chance of being ahead after 1 block but that rapidly rises to ~100% as the chain becomes longer.  The more of a majority the attacker has the quicker the confidence rises (both 51% and 70% will eventually produce the longest chain but we can say at a given chain length the later will have a higher computed probability of being ahead).

So why would the attacker just give up and try later?

Over time but not instantly and thus the chain with the majority of the stake will be the longest.  If it wasn't true then someone with 1% of the stake could form a chain as long as the network with 99% of the stake (99% of the stake is penalized for not mining on the attack chain and eventually the 1% has 100% of the active stake).


This is where you get into trusted node voodoo.  The attacker can include tx from the "honest" chain.  He doesn't need to (nor can he) double spend all transactions.  The attacker can broadcast double spends which are picked up by the main chain and then include the legit tx in the attack chain. 

The idea that 100% of the nodes will always be online, and always know which chain is the best is dubious.   If that were possible then you wouldn't even need PoS or minting at all.  Nodes would simply agree which tx are valid and confirmations would be nearly instantaneous.  So what happens when there are two chains A & B.  In A BTC-E is double spent a small fortune and in B BitStamp is double spent a small fortune?  One of them is just going to take a massive loss for the team?  No in a scenario where longest chain is ignored and the EC doesn't reach 100% consensus either you have a network split or the attacker is able to double spend anyways.  Sorry BTC-E your tx was in the longest chain but the board of trusted elders has decided that the inferior chain is the "best" and you lose to the double spend. 

What I mean is:

On the main chain, "attacker A" TRIES to attack
at the time block 1000 is created and fails... the network notices
and on block 1001, it is recorded in the main chain that attacker A's
stake is penalized.

He can still keep trying to re-attack at block 1000
or earlier, but not 1001 or greater... thus his
opportunities to attack become diminished.

I understand its about building an alternate chain,
but obviously it is one that diverges from the main
chain at some point... and what point that is,
is what i'm talking about here.