Should adding PoW to Peercoin's security concept be considered?

[edit2]
adjusted title from “Peercoin’s security is based on PoS solely and not PoW as well?” to “Should adding PoW to Peercoin’s security concept be considered?”

Disclaimer:
This post is biased as all are, because we are all subjects and hence perceive the world subjectively.
I truly believe in the beauty of PoS. It addresses problems that PoW networks may suffer from. It creates economical incentives for those who are invested in such a concept to keep it safe. I think it was a great invention by QuantumMechanic and a mastermind implementation by Sunny King.

Peercoin is doing great, has never suffered from serious attacks, has a growing community, is soundly developed and even slashers admit that it is practically very secure. The combination of PoS and the next line of defense in the form of checkpointing would most likely render any attack useless.

Nevertheless I think it should always be allowed to discuss room for improvement.
As I got aware of the fact (and the initial post is in terms of this disclaimer a little bit outdated…) that PoW is currently not being used as part of Peercoin’s security concept, I thought it might be worth being discussed.
The intention is not to say “we need this, or Peercoin will fail”. It’s far from that.
Peercoin is in so many ways great and I expect it to prosper anyway.

But I like the approach of Primecoin to make “dual use” of the PoW - for both securing the block chain and generating information that might be useful.
So I developed the idea of making “dual use” of Peercoin’s PoW - for both coin distribution and securing the block chain.

I once was in favor for phasing out PoW as that would ultimately make Peercoin energy efficient and I still am in favor for that.
But as we already have PoW, we might consider making more use of it as we currently do.
This is why I’d like to gather thoughts regarding benefits and drawbacks of such an approach.
[/edit2]

I got involved into a discussion with “killerstorm” on reddit: http://www.reddit.com/r/Bitcoin/comments/22aw8c/most_altcoins_are_not_secure_enough_they_exist/cgl76p5

By killerstorm’s assessment Peercoins block chain security is based solely on PoS whereas the PoW process is only for coin distribution.
[edit]He takes the checkpointig into consideration as well.
Quote from one of his reddit posts:“Also, there is centralized checkpointing, perhaps it can prevent an attack.”
But regarding the hybrid model the security comes only from the PoS process.
[/edit]
I though that were different. Due to lacking coding skills I can’t really follow that assessment. And I’m far from being able to disprove it.

If it were true, that’d put Peercoin in a worse position than it had with PoW securing the block chain as well (as PoS does that).
I consider it a huge security drawback if this accusation is valid and would recommend a discussion on the drawbacks/benefits from changing the current security model.

I’m not sure if the same person is behind the “killerstorm” account on reddit and bitcointalk. But I assume it. The killerstorm on bitcointalk is well-informed (as the killerstorm on reddit appears to be) and involved in cryptos (and especially the security/economical aspects) for a long time.
Killerstorm was involved in discussions like this https://bitcointalk.org/index.php?topic=102342.0;all that helped improving Peercoin’s security in its early days.
So I honor his assessment quite a bit.
And I take it serious.

Killercoinstorm can be harsh - like in one of his posts here: https://bitcointalk.org/index.php?topic=101954.0;all (which is another interesting thread, btw.) - but I consider him smart and well-informed.

It would be great if someone could find in Peercoin’s source code how the security model really works.

The current status quo is:
http://www.reddit.com/r/Bitcoin/comments/22aw8c/most_altcoins_are_not_secure_enough_they_exist/cglcoxm

Q: Does the chain selection not involve chain length? A: No, it doesn't. Chain with biggest "ChainTrust" wins, ChainTrust is sum of BlockTrust of all blocks in the chain, BlockTrust is computed like this: [code] return (IsProofOfStake()? (CBigNum(1)<<256) / (bnTarget+1) : 1); [/code] That is, weight of PoW blocks in negligible, while weight of PoS blocks depends on PoS difficulty. (i.e. chain which was more difficult to mine wins. Just like in case with Bitcoin.)

The sorce code where this code section is from can be found here: https://github.com/ppcoin/ppcoin/blob/master/src/main.h#L1269
CBigNum is used in several other source files.

Keep in mind Killerstorm has been around since Peercoin was released and has argued with Sunny King in the threads linked above. If he is correct though, he also seems to have hope that Peercoin’s security will improve in the future…

Q: Hi Killerstorm, why did you recommend ppc (http://www.reddit.com/r/CryptoCurrency/comments/1rmo5r/best_cryptocurrency_investment/) if you think ppc’s pos is pretty bad??!

A: I did more research on Peercoin.

Also, there is hope that it improves in future.

And Sunny King claims that major Peercoin stakeholders will never resort to double-spending attacks, as they fear to crush value of their stake. I really doubt that this argument is game-theoretically sound, but if you accept it, then Peercoin is pretty secure.

I didn’t to read the post on Reddit, but based on what you’ve said in quoting Killerstorm it seems inaccurate in terms of what Peercoin says.

Every single thing I read, which is supplied by Peercoin directly (Peercoin.net) states, and as far as I know hasn’t changed, that the Peercoin protocol is still
using the Hybrid system which requires BOTH PoS and PoW to secure the network. Now, unless someone is going to tell me that peercoin.net’s information is false, then there shouldn’t even be a problem.

Just a tiny chunk quoted from the site to make a point

...In a hybrid proof-of-work/proof-of-stake system, an attacker would have to possess 51% of mining power and 51% of all coins. This makes the attack more difficult ...

I understood it that way when I started following Peercoin, and unless they used Stealth to remove it, it still is that way. PoW secures the network, and PoS secures the network and on top of that the current checkpointing system is still in place to ensure that people cannot attack the network.

Unless I am an idiot that would tell me that Peercoin is currently more secure than anyone out there. The age old argument about checkpointing need not apply because there are already a million discussions on it in other threads. Simple point is it is secure at this point.

[quote=“masterOfDisaster, post:1, topic:2161”]

Q: Does the chain selection not involve chain length?
A: No, it doesn’t. Chain with biggest “ChainTrust” wins, ChainTrust is sum of BlockTrust of all blocks in the chain,
BlockTrust is computed like this:

    return (IsProofOfStake()? (CBigNum(1)<<256) / (bnTarget+1) : 1);

That is, weight of PoW blocks in negligible, while weight of PoS blocks depends on PoS difficulty. (i.e. chain which was more difficult to mine wins. Just like in case with Bitcoin.)

Indeed, the weight of a PoS block is about 40 billion at current difficulty, whereas the weight of a PoW block is 1.
So if someone wants to push an alternative chain, he doesn’t need to care about PoW.

[quote=“Drummel, post:3, topic:2161”]I didn’t to read the post on Reddit, but based on what you’ve said in quoting Killerstorm it seems inaccurate in terms of what Peercoin says.
[…][/quote]

The explanation is in my first post in the “quote section”.
As far as I understand it, the problem lies here:“Chain with biggest “ChainTrust” wins, ChainTrust is sum of BlockTrust of all blocks in the chain”.
Say an attacker tries to perform a double spending attack.
He spends Peercoins and creates an alternate chain where those Peercoins are spent again.
If he manages to create a fork with a higher “ChainTrust”, this chain will be chosen (by protocol? here’s where the source code analysis helps understanding it).
As PoW blocks don’t add “BlockTrust” to the chain, they don’t count when calculating the “ChainTrust”.
If that is true, PoW is for distribution only but not for securing the block chain (at least not against this attack vector).

There are for sure economical aspects that need to be taken into consideration when calculating the risk. If the double spending generates less benefit than the loss by an impacted coin value, it is economically not wise to perform such an attack. But technically, PoW provides no security against that attack and there might be other reasons to attack Peercoin.

Including the PoW process to the security concept should be discussed.
One drawback might be that this requires a hard fork.
Another drawback could be that providing security by PoW makes it harder to phase out PoW at some point of time.
But an advantage could be an improved level of security (that really meets what’s promised at some places).

[quote=“masterOfDisaster, post:5, topic:2161”]As far as I understand it, the problem lies here:“Chain with biggest “ChainTrust” wins, ChainTrust is sum of BlockTrust of all blocks in the chain”.
Say an attacker tries to perform a double spending attack.
He spends Peercoins and creates an alternate chain where those Peercoins are spent again.
If he manages to create a fork with a higher “ChainTrust”, this chain will be chosen (by protocol? here’s where the source code analysis helps understanding it).[/quote]

Yes.
This function is run when your client has validated a block it received and is going to save it: https://github.com/ppcoin/ppcoin/blob/master/src/main.cpp#L1748
Inside this function you calculate the total trust of this block (total trust of previous block + trust of this new block): https://github.com/ppcoin/ppcoin/blob/master/src/main.cpp#L1769
And you check whether this total trust is better than the current best total trust: https://github.com/ppcoin/ppcoin/blob/master/src/main.cpp#L1808
If it is, then this block is identified as the highest block of the best chain.

Since all other clients will do the same thing, this is indeed part of the protocol.

Thank you very much for your reply, sigmike, and especially for the references to the source code.
I must admit that I’d have liked it better to see PoW being indeed a part of the security concept, but I didn’t expact that to turn out.

Now that we know that PoW doesn’t help securing the block chain we might discuss the implications.

What happens if the PoW blocks get a BlockTrust that seriously impacts the bnChainTrust value?
Does that have any drawbacks?
How can that be achieved? A fixed value might not work well. Can it be derived from preceding PoS blocks?
If so, the PoW process would generate blocks that have significant value for the bnChainTrust calculation and an attacker did need enough PoW processing power to outnumber the PoW blocks (or at least their BlockTrust) in the non-fraudulent chain.
This way both coin distribution and security enhancement could be achieved.

I might take some time to understand the implications better.
But for the time being, I’d prefer having some decent BlockTrust for PoW blocks…
…at least until somebody find significant drawbacks of that approach.

[quote=“masterOfDisaster, post:7, topic:2161”]But for the time being, I’d prefer having some decent BlockTrust for PoW blocks…
…at least until somebody find significant drawbacks of that approach.[/quote]

What if a large bitcoin miner decided to suddenly switch all his mining power to Peercoin? He would probably have more power than all the current miners.
If PoW had a significant weight this would be a problem.

So are you guys saying this entire time we’ve been telling people the wrong information?

And again I’m lost trying to denominate the way how the ratio between PoS and PoW blocks is determined.
How fast is the PoW difficulty adjusted?
Will you see a “flood” of PoW blocks in case of a quickly rising PoW hash rate?
…if so, this could be taken into consideration when calculating their BlockTrust.
When deriving the BlockTrust of a PoW block it could be significantly dependent from more than just the directly preceding PoS block.

Or you could give it a BlockTrust of 1 if the preceding block is a PoW block.
Or you could give it a BlockTrust of 1 if more than n out of m of the preceding blocks have been PoW blocks.
Or you could derive the PoW BlockTrust from preceding blocks (type of block, PoW difficulty) to take care of rapidly increasing PoW difficulties.

This could level out the attack vector of switching lots of PoW power to Peercoin’s PoW process.

I’m not trying to say that I have a solution, but I’m willing to work on a concept - or at least discuss possibilities
Thank your for joining this discussion!

[quote=“masterOfDisaster, post:10, topic:2161”]How fast is the PoW difficulty adjusted?
Will you see a “flood” of PoW blocks in case of a quickly rising PoW hash rate?[/quote]

It’s adjusted after every block: https://github.com/ppcoin/ppcoin/blob/master/src/main.cpp#L916
So indeed, a quick rise of PoW should rise the difficulty immediately.

At least it looks like exactly that.
I can say that I didn’t do it with bad intentions.
But I did it, because I didn’t know it better, which makes it in the end still bad.

As we now know it better, we can try to make the best out of it.

I see all of that crypto coin sphere in a flow, in a progress. Bitcoin is great, but not perfect. Peercoin is (imho) an impressive improvement, but not perfect. I really like to help improving it. As I’m no programmer I can only rely on my comprehension.

If other people join these kinds of discussions, that can turn the world to a better one.
…just like when QuantumMechanic on bitcointalk invented Proof-of-Stake: https://bitcointalk.org/index.php?topic=27787.0;all

Now we have a working implementation called Peercoin that is (as we now know) from security perspective a pure PoS implementation.
Maybe Peercoin’s security can be enhanced by “dual using” the PoW process for coin distribution and block chain security.

[quote=“sigmike, post:11, topic:2161”][quote=“masterOfDisaster, post:10, topic:2161”]How fast is the PoW difficulty adjusted?
Will you see a “flood” of PoW blocks in case of a quickly rising PoW hash rate?[/quote]

It’s adjusted after every block: https://github.com/ppcoin/ppcoin/blob/master/src/main.cpp#L916
So indeed, a quick rise of PoW should rise the difficulty immediately.[/quote]

That’s not too bad. That might allow us to discuss giving PoW blocks some BlockTrust, because it limits the ability to create a huge number of PoW blocks in a given time by switching lots of hashing power to the Peercoin PoW process. But I still see a problem with that. I’ll get to that immediately.

An attacker that tries to create a fraudulent fork, needs at least the same PoW hashing power as the rest of the network to (at average) achieve the same PoW block frequency.
But this attacker doesn’t put the hashing power to the Peercoin PoW process. Instead he mines hiddenly on a different fork (so I might call it “a kind of > 50% attack”).
Not bringing the hashing power to the “real” Peercoin network doesn’t affect the difficulty at all, right? It would only be used to mine on the fraudulent chain.

If you switch even more hashing power to the hidden PoW process the difficulty adjusts rapidly and the frequency of created blocks is more or less the same as in the “real” PoW process.
But that can be taken as a warning not to derive the PoW BlockTrust from the PoW block difficulty. If it were derived from the difficulty, that would make the PoW attack vector worse as switching lots of hashing power did create a lot of BlockTrust for the PoW blocks.

One more thing: I have a cloudy memory of a number of blocks such a fork can reach into the past. Is there something like that in the code?

…we still need to find out a sound concept how to determine a proper BlockTrust for PoW blocks. Difficulty alone seems to be a bad idea…

May I understand this in layman’s terms?

Originally, Peercoin was hybrid POW/POS, the former to ensure fair distribution, the latter to ensure energy efficiency. In time, POW decreases and POS increases

How does this affect security? One interpretation is that an attack on Peercoin requires both a 51% control of mining on POW and 51% of minting of POS at the same time. This is a double defence

Another interpretation is that, as POW reduces in importance/quantity, a successful 51+% control of POS minting is, alone, sufficient to attack Peercoin, since POW is sidelined. This means Peercoin’s defence is solely in POS, which is a (relatively) weaker defence

I am correct in assuming the latter interpretation is correct? Thanks

[quote=“RobertLloyd, post:14, topic:2161”]May I understand this in layman’s terms?

Originally, Peercoin was hybrid POW/POS, the former to ensure fair distribution, the latter to ensure energy efficiency. In time, POW decreases and POS increases[/quote]
That’s principally correct but Peercoin is hybrid.
PoW for coin distribution, PoS for energy efficiently securing the block chain.
Not PoW decreases over time, but the number of coins per block (PoW coinbase reward) that are generated by PoW are expected to decrease as the PoW hash rate is expected to increase and the hash rate modifies the difficulty.
That increase more or less happens since Peercoin’s early days: http://bitinfocharts.com/comparison/hashrate-ppc.html
There’s fluctuation, but the trend is visible.

The PoW coinbase reward is derived from the PoW network difficulty and gets halved when the difficulty is 16-folded.
Or to express it as an equation: if the difficulty goes 2^n, the derived coinbase reward is 2^(-n/4).

This is (currently) not correct. As the choice of chain in case of a block chain forking is relevant for the security and PoW plays practically no role for that choice, PoW is not part of the defense.

[quote=“RobertLloyd, post:14, topic:2161”]Another interpretation is that, as POW reduces in importance/quantity, a successful 51+% control of POS minting is, alone, sufficient to attack Peercoin, since POW is sidelined. This means Peercoin’s defence is solely in POS, which is a (relatively) weaker defence

I am correct in assuming the latter interpretation is correct? Thanks[/quote]
That is partly correct. The defense is not weakened by a reduced PoW importance, but by not including PoW into the security concept. Peercoin’s defense relies on PoS and checkpointing which already is very strong defense! I’m not aware of a successful attack on Peercoin - at least not since 0.3.

The strength of the security is directly related to the costs for an attack.
This should be true for attackers that want to gain profit from an attack (e.g. by pulling off double-spending), because it becomes harder and harder to gain profit the more you need to invest.
And it helps against purely evil people (you might replace that with governments, banks, credit card organisations, paypal or other crypto concepts that are afraid from suffering by a prospering Peercoin; chose the “bad” guy after your fancy), because it drives the costs for their attack up as well.
There might be other reasons for attacking Peercoin, but I can’t think of a way to enhance security by making attacks cheaper.

So I only strive for making attacks more expensively and hence the security even stronger

I consider integrating PoW to the security concept an idea that should be discussed.
I see some benefits and some drawbacks as well.
Once the PoW is part of the security concept, it might become harder to phase it out. But is it really good/desired to phase PoW out? Phasing out would make Peercoin ultimately energy efficient, but PoW is designed to level itself out by the degrading coinbase reward in consequence of more hashing power. Can we stand some energy waste?
I think the low inflation that will be caused by the PoS coinstake reward and the PoW coinbase reward is economically good. It is something completely different from hyper inflation. So I don’t see a necessity to phase PoW out. But that depends on your bias.

But even if PoW is considered to be phased out, I expect that to be done in a more far than near future. In a far future it is essential for a prospering Peercoin network to have a large part of the available coins in the PoS process. That will naturally happen and will be assisted by further wallet improvements. It will be easier and more secure to take part in the PoS process. And Peershares will do its part for that, too (both in terms of development and in desire for securing the Peercoin block chain by those who utilize Peershares).
The more coins that are in the PoS process, the harder it gets to pull off a PoS attack. It gets less likely to successfully pull off an attack if you have only a small part of the total coins that are in the PoS process (remember: PoS is a random process; less share, less chance).
And again: the more coins you need to have success, the more costly such an attack gets and the more security is achieved by that.
So, if the network is even more secure than it now is, it might not hurt much to remove PoW from the security concept. There will be a point of time when the energy costs for keeping the PoW process up are in a poor relation to the tiny bit of enhanced security.

One major possible drawback that I currently can’t estimate is the risk for the network by including PoW to the security concept. PoW blocks need an appropriate BlockTrust value to enhance the overall security. If that value is poorly chosen, you might open the door for PoW attacks. But I believe there are ways to design PoW BlockTrust values that enhance the security without creating additional risks.
But especially this needs to be evaluated by people that are more skilled with reading the code, understanding the overall concept and understanding the consequences of adjusting values. I’m willing to assist with my brains the best I can.

I believe in PoS. I believe that it’s entirely possible to secure a block chain by PoS (that already happens!). I believe that Peercoin already is in good shape and very secure.
But until the development is as far as I described it above, I want to do everything to make the most of the given situation.
I hope my intention has become a bit more clear now.
I might not always find the right words to express what I mean. That can lead to confision. Please excuse that I’m no native speaker.

Take a look at this thread of Yacoin, a fork of Novacoin which is a fork of Peercoin http://forum.yacoin.org/index.php?topic=473.0
POS block had been orphaning POW blocks of zccoing (fork of Yac, a great grandchild of Peercoin : ) and after a while Yacoin had to change its protocol so that no consecutive POS blocks are allowed. I am not sure exactly how the POS of YAC is different from that of Peercoin. I guess just the differences of network size could make different coins facing different mortal probles.
It is interesting to observe different POS coins are facing different challenges, then adapting and evolving. The diversity of POS coin ecosystem make POS collectively more robust.

In the reddit thread killerstorm said:

The superiority of a hybrid PoW/PoS was mentioned pretty much right after PPCoin was announced, but Sunny King said that it's against his stated goal of energy efficiency.

So I guess if you want to give PoW more weight you’d have to fork Peercoin and create a new coin.

I don’t want to interfere with that goal. I like that goal. But this goal is not yet reached. We are still on the way to this goal. There is PoW. There is waste/use of energy for the PoW process. All I think about is to make use of the PoW on the way to that goal, use that is beyond generating coins.
Am I the only one who finds it interesting to make “dual use” of the PoW process on the way to the goal?

With roughly 100 TH/s (fluctuating, but currently in that order of magnitude) and assuming only energy efficient mining hardware that consumes 1 W/GH/s this PoW process uses 2400 kWh per day. This is more like the minimum energy consumption as I don’t expect all minining hardware in the PoW process that energy efficient.

100 TH/s = 100.000 GH/s
1 W/GH/s * 100.000 GH/s = 100.000 W = 100 kW
100 kw * 24 h = 2400 kWh

So the PoW process currently uses per day at least as much energy as 2 person household per year (for sure depending on their habits…).
All that is done by that is to get new Peercoins.
Know what? If you use the same amount of hashing power to mine Bitcoins, you can exchange them for almost the same amount of Peercoins you can mine directly.
I did a calculation 2 weeks ago: http://www.peercointalk.org/index.php?topic=2533.msg21404#msg21404
The numbers might not be 100% accurate and have changed meanwhile. With 1 TH/s you should receive approximately 20 PPC per day.

d7 pool total (with 47 TH/s):
24 h/day / 2.5 h/block = 9.6 block/day
9.6 block/day * 99 PPC/block = 950 PPC/day

the share for 1 TH/s (ignoring the fees):
950 PPC/day / 47 = 20 PPC.

Calculate the same with a bitcoin profit calculator or do the math on your own. Currently 1TH/s gives you a daily reward of 0.0822 BTC when mining Bitcoin.
These 0.0822 BTC can be exchaged at e.g. btc-e with a current exchange rate of 0.00406 BTC/PPC to 19.75 PPC (0.822 BTC / 0.00406 BTC/PPC).
So currently there is not really an economical incentive to mine PPC if you can get the same order of magnitude Peercoins by mining Bitcoin and exchanging those.
It is for sure easier to directly mine Peercoins if you want to have them.
Although there is no strong incentive for PoW mining Peercoins people do it.

All I say is: let’s use that. Let’s make more out of the PoW than new Peercoins

I don’t want to become dependent on PoW in terms of security aspects. I don’t want to create a strong security incentive to mine in the PoW process (which would make it hard to phase PoW out). I want to have PoW for security as side product that is insignificant enough to be pruned but significant enough to help defending against PoS attacks.

As I still see it, Peercoin’s (already high level) security can be enhanced by utilizing PoW for security reasons if deliberately implemented.

I don’t know enough about the security aspect to comment on that, but could one reason be that Sunny is planning on phasing out PoW faster than previously thought? In the recent chat he said:

Sunny King: iheart, the pos incentive structure is under review

Sunny King: there could be a proposal to enhance the incentive with minimal change to inflation model

If the PoS reward is raised, then to maintain the inflation model would it make sense that the PoW part be phased out slightly?

Maybe I’m just reading into things but if that is the case it might explain why he doesn’t want to add PoW to the security, as he wants to phase it out as soon as possible for economic reasons.

Ok, so I looked again at the recent chat. Sunny said these things: “mixing pow in security model weakens the pos security and waste energy” “with ppc you can’t take over the network immediately even if you have 99% mining power” “if you mix then you can” It seems to me that Sunny is looking at it like if you also added PoW to the security model, you would only need to attack one or the other, PoW or PoS in order to successfully take over the network. What I think you’re saying though is something else, that it wouldn’t be one or the other, you would need to attack both PoW and PoS simultaneously in order to successfully take over the network. It’s not one or the other, but both simultaneously, correct? This would give Peercoin a double layer of protection.

I also think you understand that PoW is going to reduce in size over time until it’s barely nothing while PoS becomes a greater part of the network over time. You’re not saying that you want PoW to stick around forever in order to provide this extra security, because you know that PoW ultimately wastes energy. All you’re saying is that while PoW is still a large part of Peercoin, it should be used as an extra protection layer against attacks on the network, correct?

I’m not sure if Sunny misunderstood you or not, but my opinion is that while it sounds great for PoW to provide an extra layer of security while it’s still around, I don’t think it’s really necessary, the reason being that it’s going to eventually be phased out over time anyway. Is there really any point in doing all that coding work and changing things in order to create this extra layer of security that is only going to be around temporarily while PoW is still a large part of the network? The entire network is eventually going to have to rely solely on PoS, so I think it would be better to make sure PoS is properly tested and protects the network by itself right now rather than in the future once PoW gets phased out. If PoS can’t handle security by itself, we wouldn’t know it until the PoW security layer wore off in the future, which could prove disastrous for everyone involved. I think it’s safer to continue on as we are and make sure PoS is properly tested by keeping it as the sole security layer.