
Topic: Which Proof of Stake System is the Most Viable - page 10. (Read 25775 times)

sr. member
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
Not necessarily. The problem in Bitcoin pools is that they are not limited, and the same problem exists with pooled forging.

With DPoS, there is a limit to how many votes each can collect, and no delegate can dominate, at least openly.

With TF, the amount of consensus power is also limited.
sr. member
Activity: 364
Merit: 250
☕ NXT-4BTE-8Y4K-CDS2-6TB82
Transparent forging is really impressive, never seen something like that in cryptocurrencies.  Shocked

I can relive your emotion.
full member
Activity: 144
Merit: 100
What is interesting to me is that in the (IMO very unlikely) event that Nxt has technical promise, then as soon as the code is open-source it will be possible to create Nxt-clone using the spin-off mechanism and immediately bootstrap the clone with a more efficient distribution than Nxt-original.  
As I understand it, the Nxt code is modular. The core, including the PoS stuff, will be open-source, but some of the services built on top will not be. The Nxt devs believe a lot of their value is in the services - things like the Asset Exchange. So the clone won't include all of Nxt.

Asset Exchange is in the core and is open source.

Third party services (like multisig gateway for other cryptos) may or may not.

Why are the NXT guys so against open culture? If someone copies it, new ideas might emerge. I don't see the reason to be secretive at all... but it is their choice.
hero member
Activity: 644
Merit: 500
What is interesting to me is that in the (IMO very unlikely) event that Nxt has technical promise, then as soon as the code is open-source it will be possible to create Nxt-clone using the spin-off mechanism and immediately bootstrap the clone with a more efficient distribution than Nxt-original.  
As I understand it, the Nxt code is modular. The core, including the PoS stuff, will be open-source, but some of the services built on top will not be. The Nxt devs believe a lot of their value is in the services - things like the Asset Exchange. So the clone won't include all of Nxt.

Asset Exchange is in the core and is open source.

Third party services (like multisig gateway for other cryptos) may or may not.
sr. member
Activity: 365
Merit: 251
If he wants public review, why doesn't he just post here.
I don't know. Perhaps because this is the Bitcoin forum, not the Nxt forum. The Nxt forum is public: https://nxtforum.org/general-discussion/some-thoughts-on-arguments-of-pow-guys/.
sr. member
Activity: 365
Merit: 251
What is interesting to me is that in the (IMO very unlikely) event that Nxt has technical promise, then as soon as the code is open-source it will be possible to create Nxt-clone using the spin-off mechanism and immediately bootstrap the clone with a more efficient distribution than Nxt-original.  
As I understand it, the Nxt code is modular. The core, including the PoS stuff, will be open-source, but some of the services built on top will not be. The Nxt devs believe a lot of their value is in the services - things like the Asset Exchange. So the clone won't include all of Nxt.

Also, the Bitcoin distribution isn't all that fantastic. It has its whales. And the whole spin-off idea is unproven. The new clone will be neither Nxt nor Bitcoin. Merchants who accept Bitcoin won't automatically accept the clone. There probably will be more than one clone, diluting attention. The idea that the clone will instantly have the same market capitalisation as Bitcoin is false. Network effects will encourage people to stick with Bitcoin and/or Nxt, because they will follow the market cap. The reasons that cause alt-coins to struggle, even when they are technically better than Bitcoin, will apply to the new clone.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
Sounds like he wants to pick DaT's brain.
That's more or less what he said: that he wants public review of the ideas planned for Nxt. As seems sensible.

Quote
If he had a solid solution he would be releasing without the fanfare.  Just my opinion.
He says he's concerned about clones. Also, some of this stuff depends on a robust ecosystem, which isn't in place yet, but hopefully will grow over the next few months.

(I'm not saying I agree with this approach, but I can see the sense of it, and there's no doubt the Nxt developers have delivered in other areas.)

No he wanted to PRIVATELY consult.

If he wants public review, why doesn't he just post here.
sr. member
Activity: 365
Merit: 251
Sounds like he wants to pick DaT's brain.
That's more or less what he said: that he wants public review of the ideas planned for Nxt. As seems sensible.

Quote
If he had a solid solution he would be releasing without the fanfare.  Just my opinion.
He says he's concerned about clones. Also, some of this stuff depends on a robust ecosystem, which isn't in place yet, but hopefully will grow over the next few months.

(I'm not saying I agree with this approach, but I can see the sense of it, and there's no doubt the Nxt developers have delivered in other areas.)
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
What are we talking about exactly when you say
"support the main chain"?

That's maybe where I'm not following you.

My assumption was the penalty was
because an attacker tried to broadcast
a chain that wasn't the best to the other
nodes, and it was rejected.

No that isn't the penalty.  The "penalty" is if a miner doesn't mint a block when he can then he is prevented from minting future blocks for a period of 2 days ON THAT CHAIN.

"supporting the main chain" = minting blocks on that chain = no penalty = doesn't prevent the attacker from simultaneously working to extend one or more candidate attack chains at the same time.

I see.

And I assume the kind of penalty I'm talking about would
be highly impractical based on the fact that you'd be
punishing honest miners way too often.

Bottom line:  nothing-at-stake-problem still not solved.  Smiley
donator
Activity: 1218
Merit: 1079
Gerald Davis
What are we talking about exactly when you say
"support the main chain"?

That's maybe where I'm not following you.

My assumption was the penalty was
because an attacker tried to broadcast
a chain that wasn't the best to the other
nodes, and it was rejected.

No that isn't the penalty.  The "penalty" is if a miner doesn't mint a block when he can then he is prevented from minting future blocks for a period of 2 days ON THAT CHAIN.

"supporting the main chain" = minting blocks on that chain = no penalty = doesn't prevent the attacker from simultaneously working to extend one or more candidate attack chains at the same time.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
What are we talking about exactly when you say
"support the main chain"?

That's maybe where I'm not following you.

My assumption was the penalty was
because an attacker tried to broadcast
a chain that wasn't the best to the other
nodes, and it was rejected.

donator
Activity: 1218
Merit: 1079
Gerald Davis
I guess I was thinking of a different scenario, where one is penalized
on the main chain for trying to create alternate chains.

So, that's not what we're talking about?

I revised the post to be more clear.  It is important to consider the optimal behavior for both an attacker with a minority and majority of the stake.   In neither case will there be an effective penalty although how the attacker proceeds will vary (it does in Bitcoin as well for different reasons).
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
There would be no penalty.  If the attacker has a minority of the hashrate he will support ALL chains including the main chain.  He will suffer no penalty.  There is nothing at risk precisely because he can support all chains in parallel simultaneously.  An attacker with a majority of the hashrate won't support the main chain because he doesn't need to.  You can penalize him all you want on the main chain but once the attack chain is longer then it will become the best chain and the "main" chain just a shorter orphaned fork.  Is there a penalty if you are penalized on a discarded fork?

Gotcha.

I guess I was thinking of a different scenario, where one is penalized
on the main chain for trying to create alternate chains.

So, that's not what we're talking about?
donator
Activity: 1218
Merit: 1079
Gerald Davis
There would be no penalty.  Let's look at the case of a majority and minority attacker separately.

An attacker with a minority of the stake will optimally support ALL chains including the main chain.  He will suffer no penalty.  Yes this will (marginally) reduce his chance because it improves the effective stake of the main chain relative to his chain but the chance was already low.  In PoW the real security comes not from the fact that a double spend with a minority of the hashrate is possible.  It is very possible but it will happen infrequently and the COST for all the times it fails offsets any gain from the double spend.    For example an attacker with 10% of the Bitcoin hashrate would be able to successfully double spend a tx with 6 confirmations 1 out of 1694 attempts.   It is impossible to guarantee that an attacker (even one with a minority of the hashrate) can NEVER perform a double spend on a tx 6 confirmations deep however the cost means that if the amount being double spent is <168,000 BTC the attacker ends up losing money.  He will eventually be successful however the gain from the success will be less than the loss of coins not mined.  

With PoS, a minority attacker WILL support the main chain when required and thus he will never suffer a penalty.  His chance of success will be low (and will be lower the more confirmations that are required) but with no (real) cost and a chance >0% he will eventually pull off a double spend at no cost.  There is nothing at risk precisely because he can support all chains in parallel simultaneously.  Note: a PoS system w/ a penalty marginally reduces the profitability of the attacker when the attacker has a minority of the hashrate but it doesn't remove the nothing at stake risk because the attacker can still support all chains (he probably would anyways even w/ no penalty to collect the block rewards on the main chain).

An attacker with a majority of the stake will optimally only extend the attack chain(s) and not the main chain because he doesn't need to.  You can penalize him all you want on the main chain but once one of the attack chains is longer then it will be published, the network will reorg to use that chain as the "best chain" and all the "penalties" will be limited to an orphaned fork.  Is there an effective penalty if all the penalties are limited to a chain which has been orphaned?  The irony is that after the attack chain is published all the honest miners who did not complete blocks when required will be subject to a penalty and unable to mine for 2 days.
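
Added example, not part of the original post: the minority and majority cases above worked numerically, from the point of view of someone deciding how many confirmations to require. It assumes Rosenfeld's catch-up model for the success probability (the post does not name its model) and a constructed flat cost per failed attempt; all function names are hypothetical.

```python
from fractions import Fraction
from math import comb


def double_spend_probability(q, n):
    """Probability that an attacker with share q of block production
    eventually replaces a chain in which the payment has n confirmations.

    Assumption: Rosenfeld's catch-up model, in which the attacker starts
    with one privately built block. Exact rational arithmetic avoids
    cancellation error when the result is tiny.
    """
    if n < 1:
        raise ValueError("n must be at least 1")
    q = Fraction(str(q))
    if not 0 <= q <= 1:
        raise ValueError("q must be between 0 and 1")
    p = 1 - q
    if q >= p:
        # Majority case from the post: given enough blocks the private
        # chain ends up longest, so depth alone gives no protection.
        return 1.0
    honest_wins = sum(
        comb(m + n - 1, m) * (p**n * q**m - p**m * q**n)
        for m in range(n + 1)
    )
    return float(1 - honest_wins)


def expected_gain(q, n, amount, cost_if_failed):
    """Expected result of one attempt. cost_if_failed is a constructed,
    simplified flat loss (e.g. forgone PoW rewards); 0 models the
    nothing-at-stake case where building on every chain is free."""
    r = double_spend_probability(q, n)
    return r * amount - (1 - r) * cost_if_failed


def confirmations_needed(q, amount, cost_if_failed, max_n=60):
    """Smallest depth at which an attempt no longer has positive expected
    gain, or None if no depth up to max_n achieves that."""
    for n in range(1, max_n + 1):
        if expected_gain(q, n, amount, cost_if_failed) <= 0:
            return n
    return None


if __name__ == "__main__":
    for n in (1, 3, 6):
        print(n, f"{double_spend_probability(0.1, n):.6%}")
    # Constructed numbers: payment of 1000 units, failed attempt costs 10.
    print("depth needed with a cost:", confirmations_needed(0.1, 1000, 10))
    print("depth needed with no cost:", confirmations_needed(0.1, 1000, 0))
```

For a 10% share and 6 confirmations the model gives about 0.059%, in line with the post's 1-in-1694 figure. With the cost set to zero, no confirmation depth makes the expected gain non-positive, which is the nothing-at-stake point in numbers.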
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
donator
Activity: 1218
Merit: 1079
Gerald Davis
1. I thought the nothing-at-stake problem applied to more than just the 51% scenario... that an attacker with even 10, 20, 30% could do some damage at no cost,
and that's why it's such an issue.

It is but then the attacker would operate differently.  Since there is no cost he would simply support both chains.  Yes he is working against himself but with a minority of the hashrate the probability of producing a longer chain of x blocks was already <50%.  Still the odds are 0% and he isn't penalized because he is supporting the "main" chain (chain most likely to remain the longest).  So he loses nothing, gets no penalty and some % of the time will be able to out mine/mint the main chain and perform a double spend at no cost.  Granted the odds may be low (they are low for Bitcoin as well) if his share of the stake is low but say you got away with a double spend once a year with no cost or risk.  Other than ethics why wouldn't you try?  Attempt 10,000 double spends and if 9,999 are unsuccessful and 1 is the fact that there was no cost means you are ahead.

Quote
2. I thought NXT's deterministic system to decide the next forger of a block is easier to attack by orders of magnitudes when the attack could come
from any block, versus being limited.  It's not that the attack would give up, but they would have to try harder (the computations should rise in
difficulty at least to some degree)

I have no idea what you mean by "any block".  An attack can come from any block.  An attacker can continue to extend multiple chains extending from multiple blocks all in parallel and if any of them by "luck" end up longer than the main chain they will be published.  If the attacker has a minority of the effective stake (even when boosted by computing power), the chance of success is low.  That means the chance of penalty is high and it would be optimal to build on the main chain as well.

The same concept applies to selfish mining.  A minter produces a valid block and he will be penalized if he doesn't publish it on the main chain however the block doesn't allow him the chance of forging the next block so he hangs on to it for a while.   If prior to him finding a better block another miner publishes a block at the same height that is inferior then he publishes his block as well and suffers no penalty.  If prior to another miner finding a better block he finds a block which allows him to forge the next block he publishes that instead and then immediately attempts to solve the next block to double his reward.

legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
What I mean is:

On the main chain, "attacker A" TRIES to attack
at the time block 1000 is created and fails... the network notices
and on block 1001, it is recorded in the main chain that attacker A's
stake is penalized.

He can still keep trying to re-attack at block 1000
or earlier, but not 1001 or greater... thus his
opportunities to attack become diminished.

Why would he do that?  If the attacker has a majority of the stake he will eventually have the longest chain.  All that matters is variance and time (well # of blocks) but the longer the chain the higher the probability the attacker will be ahead and that rapidly approaches 100%.  The exact same principle is in play when we assume the "good guys" have the majority.  In Bitcoin why do you trust a tx with 20 confirmations more than one with 1 confirmation?  Because the probability that someone with a minority of the hashrate (even 49%) could build a longer chain to perform a reorg and "reverse" that tx decreases as the chain length increases.   In a 51% attack the attacker is the one with the majority so the roles are reversed.  The attack has a >50% chance of being ahead after 1 block but that rapidly rises to ~100% as the chain becomes longer.

So why would the attacker just give up and try later?

1. I thought the nothing-at-stake problem applied to more than just the 51% scenario... that an attacker with even 10, 20, 30% could do some damage at no cost,
and that's why it's such an issue.

2. I thought NXT's deterministic system to decide the next forger of a block is easier to attack by orders of magnitudes when the attack could come
from any block, versus being limited.  It's not that the attack would give up, but they would have to try harder (the computations should rise in
difficulty at least to some degree)


donator
Activity: 1218
Merit: 1079
Gerald Davis
What I mean is:

On the main chain, "attacker A" TRIES to attack
at the time block 1000 is created and fails... the network notices
and on block 1001, it is recorded in the main chain that attacker A's
stake is penalized.

He can still keep trying to re-attack at block 1000
or earlier, but not 1001 or greater... thus his
opportunities to attack become diminished.

Why would he do that?  If the attacker has a majority of the stake he will eventually have the longest chain.  There is no reason to "give up".  All that matters is variance and time (well # of blocks) but the longer the chain the higher the probability the attacker will be ahead and that rapidly approaches 100%.  The exact same principle is in play when we assume the "good guys" have the majority.  In Bitcoin why do you trust a tx with 20 confirmations more than one with 1 confirmation?  It is because the probability that someone with a minority of the hashrate (even 49%) could build a longer chain to perform a reorg and "reverse" that tx decreases as the chain length increases.   In a 51% attack the attacker is the one with the majority so the roles are reversed.  The attack has a >50% chance of being ahead after 1 block but that rapidly rises to ~100% as the chain becomes longer.  The more of a majority the attacker has the quicker the confidence rises (both 51% and 70% will eventually produce the longest chain but we can say at a given chain length the latter will have a higher computed probability of being ahead).

So why would the attacker just give up and try later?
donator
Activity: 1218
Merit: 1079
Gerald Davis
In Nxt both the chains (legit and hidden) will have the same cumulative difficulties coz forging power of penalized forgers is delegated to the others and total power is bumped back to 100%.

Over time but not instantly and thus the chain with the majority of the stake will be the longest.  If it wasn't true then someone with 1% of the stake could form a chain as long as the network with 99% of the stake (99% of the stake is penalized for not mining on the attack chain and eventually the 1% has 100% of the active stake).

Quote
But the hidden chain won't have transactions of the economic cluster and this is where extra consensus rule becomes handy.

This is where you get into trusted node voodoo.  The attacker can include tx from the "honest" chain.  He doesn't need to (nor can he) double spend all transactions.  The attacker can broadcast double spends which are picked up by the main chain and then include the legit tx in the attack chain. 

The idea that 100% of the nodes will always be online, and always know which chain is the best is dubious.   If that were possible then you wouldn't even need PoS or minting at all.  Nodes would simply agree which tx are valid and confirmations would be nearly instantaneous.  So what happens when there are two chains A & B.  In A BTC-E is double spent a small fortune and in B BitStamp is double spent a small fortune?  One of them is just going to take a massive loss for the team?  No in a scenario where longest chain is ignored and the EC doesn't reach 100% consensus either you have a network split or the attacker is able to double spend anyways.  Sorry BTC-E your tx was in the longest chain but the board of trusted elders has decided that the inferior chain is the "best" and you lose to the double spend. 
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
from https://nxtforum.org/index.php?topic=1849.msg31104#msg31104

There is only 1 penalty for forgers - they are not allowed to forge for the next 1440 blocks. Main goal is not to punish but rather to "disable" them.

A penalty for inactive but otherwise non-malicious forgers is useful but it doesn't help in a 51% attack.

By definition in a 51% attack the attacker IS NOT mining the main chain so a penalty that doesn't allow him to mine on the chain he already isn't mining isn't much of a penalty is it?  On the other hand in the attack chain it will be the legit miners who failed to mint a block and they will be subject to the penalty.  When the attack chain is longer and the attacker broadcasts it, then it becomes the longest chain and some or all of the legit miners will be penalized for up to 1440 blocks.

but does this partially solve the nothing at stake issue?

If attacks that are made on the main chain are recorded, then those miners/forgers can't attack
at any point... seems they would have to attack at a point either before the penalty existed, or after the penalty expired.


I am not even sure what you mean.  Attacks aren't "made" on the main chain.  A 51% attack involves the attacker building AN ALTERNATE chain.

In the main chain = attacker mines no block.  
In the attack chain = attacker mines all blocks = no penalty

When the attack chain is longer the attacker broadcasts it at which point the "attack chain" becomes the main chain and the "honest" chain just becomes an orphaned minority fork.

At no point is the attacker subject to any penalty.

What I mean is:

On the main chain, "attacker A" TRIES to attack
at the time block 1000 is created and fails... the network notices
and on block 1001, it is recorded in the main chain that attacker A's
stake is penalized.

He can still keep trying to re-attack at block 1000
or earlier, but not 1001 or greater... thus his
opportunities to attack become diminished.

I understand it's about building an alternate chain,
but obviously it is one that diverges from the main
chain at some point... and what point that is,
is what I'm talking about here.