Pillow's Peercoin Myths

[quote=“Jordan Lee, post:5, topic:2518”]I would like to present the specific steps of an attack exploiting the “nothing at stake” phenomenon. As you will see, the attack does not pose a serious threat to the network.

  1. Alter the client source code to not include any transactions in a block except your own.

  2. Write a utility that can sign and automatically issue a transaction to transfer coins from and to addresses of your choosing.

  3. Build and deploy your altered Peercoin client to 10 different virtual machines.

  4. Open exchange accounts with 10 different exchanges. In each virtual machine, configure the utility you wrote to transfer the same coins to a unique exchange address. You are attempting a double spend, or in this case, you try to spend the same coins 10 times.

  5. Mint on all 10 virtual machines using the same wallet on each while sending out transactions spending your coins to ten different exchange deposit addresses. Other nodes will only accept a single transaction: the one they received first. You only have about a 10% chance of the exchange nodes receiving the spend you wanted them to (this works the same in a proof of work system like Bitcoin). If any other client besides the attacker’s finds the next block, the multiple spend is resolved and the coins cannot be used again to attempt a multiple spend in the next block. The attempt to get the double or multi spend confirmed has failed. If the attacker is very lucky and finds the very next block after sending out multi spends (using 10 machines does not increase the attacker’s likelihood of finding the next block), there will be 10 forks with 10 different spends of the same coins with one confirmation. No other transactions will be included in these 10 competing blocks.

  6. We now have 10 Peercoin forks, all of which are being minted on. Clients run by others will decide which fork to mint on based on which of the 10 competing blocks they received first.

  7. The next block will be minted. If it is minted by someone other than the attacker, which is the overwhelming likelihood, this new block defines the best chain and consensus is restored across the entire network. All legitimate transactions excluded from the previous block are included in this block. In the unlikely event that the next block is minted by the attacker, all 10 forks will continue.

  8. As soon as anyone else on the network besides the attacker finds a single block, the attack is defeated. Double spends (or 10 spends in our case) disappear and all other transactions are confirmed normally.

Let’s consider the above attack scenario for someone who has accumulated 6% of all Peercoins, meaning they spent at least $2,400,000 USD on Peercoins at today’s prices and split them up into 6 different outputs or addresses (one for each of the 6 consecutive blocks they need). Let’s assume they waited 90 days to mint with those coins. Such a person might have a 3% chance of finding the next block. If they succeed at getting one and only one confirmation on their multiple spends they cannot defraud an exchange (because they typically require 6 confirmations). They have less than a 0.1% chance of getting two blocks in a row and around 0.003% of finding three in a row. The chance they will find six blocks in a row is 0.00000000729%. They must wait 90 days to get another optimal chance to attack after a failed attempt.

If they fork the network for one or two blocks and their double spend is successful for only one or two blocks, they can’t defraud an exchange but they might harm the value of their own investment if the market is not impressed by these one or two block forks. Because 6 consecutive blocks are needed to defraud an exchange from double spending, even a very large stakeholder would have a negligible chance of success. If they got somewhat close to success but failed (the overwhelming likelihood) it would lower the value of their Peercoins as the market priced in worries of a possible future success. The odds of gain are strongly against you because any near success that ultimately fails can hurt the value of your Peercoins.

The endeavor cannot be embarked upon with an expectation of financial gain. Financial loss is far, far more likely. The loss of large amounts of time is certain. Additionally, few people have the skills to mount such a complicated attack. The fact that such forks have not been known to occur suggests no one has attempted it, precisely because it is extremely unlikely to result in financial gain while much more likely to result in loss.

There are many more important threats to PoS networks than the risk of a successful exploit of the “nothing at stake” phenomenon. For instance, the possibility that the Peercoin network will experience low levels of adoption is far, far greater than the possibility of a successful attack of the kind described above. We should focus our attention accordingly.

Update: I realized I had overestimated the probability of a successful attack. If you buy 1% of Peercoins and put them all in the same output (similar to an address), you might have about a 3% chance of finding the next block. However, you would have nothing left to try to find your 2nd, 3rd, 4th, 5th and 6th consecutive blocks. To do that with the probabilities mentioned above you would need to purchase 6% of all Peercoins at a current cost of more than 2.4 million USD. Doing so would raise the price of Peercoin, meaning you would have to pay more than market price on average. Similarly, such a large amount of Peercoins would have to be sold later below market price on average, exposing the attacker to certain financial loss.[/quote]
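The two mechanisms the quoted post relies on, the first-seen rule that makes other nodes keep only one of the ten conflicting spends, and the independence of consecutive blocks that makes six in a row so unlikely, can be checked with a small model. The code below is an added example, not code from the post or from the Peercoin project; it assumes, as the post does, that the attacker wins each block independently with probability p (3% in the post's scenario), that an exchange credits a deposit after 6 confirmations, and that all competing forks collapse as soon as someone other than the attacker mints a block.

```python
import random

# Added example: a toy model of the multi-spend scenario in the post above.
# Assumptions (not from the Peercoin code): each block is won independently
# with probability p by the attacker, the exchange needs 6 confirmations,
# and any block minted by someone else collapses all of the attacker's forks.

def accept_first_seen(broadcasts):
    """Conflict rule of other nodes: for each outpoint keep the first
    transaction seen spending it and reject later conflicting ones.
    `broadcasts` is a list of (txid, outpoint) in arrival order; returns
    a dict outpoint -> accepted txid."""
    accepted = {}
    for txid, outpoint in broadcasts:
        accepted.setdefault(outpoint, txid)
    return accepted

def consecutive_block_probability(p, k):
    """Probability that the attacker mints the next k blocks in a row.
    Running the same wallet on 10 machines does not change p: the chance
    of minting depends on the stake, not on the number of machines."""
    return p ** k

def confirmations_before_collapse(rng, p, needed):
    """One trial: count attacker-minted blocks in a row, starting with the
    block that carried the competing spends, stopping at the first block
    minted by anyone else (which collapses the forks). Capped at `needed`."""
    confirmations = 0
    while confirmations < needed and rng.random() < p:
        confirmations += 1
    return confirmations

def simulate_double_spend(p, needed=6, trials=100_000, seed=7):
    """Fraction of trials in which the attacker's spend reaches `needed`
    confirmations before the rest of the network mints a block."""
    rng = random.Random(seed)
    wins = sum(confirmations_before_collapse(rng, p, needed) >= needed
               for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    # Ten conflicting spends of one outpoint (constructed ids) broadcast at
    # once: a node that sees them in this order accepts only the first.
    spends = [(f"spend-to-exchange-{i}", "coins:0") for i in range(1, 11)]
    print(accept_first_seen(spends))          # {'coins:0': 'spend-to-exchange-1'}
    for k in (1, 2, 3, 6):
        pct = consecutive_block_probability(0.03, k) * 100
        print(f"{k} block(s) in a row at p=3%: {pct:.10f}%")
    print("simulated 6-confirmation success at p=3%:", simulate_double_spend(0.03))
```

With p=0.03 the analytic figures reproduce the post's numbers (0.09% for two blocks, 0.0027% for three, 0.00000000729% for six), and the simulation at that p returns 0.0 for any practical number of trials.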

#Stake Grinding

Version 1 of the myth: Using only a limited amount of coin age, the blockchain history can be re-written by grinding through the probabilities involved in creating the longest blockchain. As long as there is only a little coin age left, it is possible to create one more block. This makes Proof-of-Work the arbitrator in Peercoin.

Very Unlikely in a Mature Network
When this myth is found in the wild, most often it is based on the fundamental misconception that the longest blockchain is the winning blockchain, whereas in reality the chain that has the most chain trust is selected as main chain.

Even though it’s theoretically possible to get lucky, mint blocks using only a small amount of coins and thereby create the longest blockchain, it won’t matter, since the consumed coin days will be too small to compete with the rest of the network.

In some versions of this myth, the attacker has bought old private keys that once held enough coins to attempt an attack. The misconception here is that there is a limit to how many coin days coins can accumulate. If the attacker is using very old coins, the attacker has to create a very deep reorganization of the blockchain for the attack to be successful. To get a better understanding of how many coins we are talking about here, the reader is encouraged to study the “Peercoin is highly vulnerable to 51% attack” myth here: Cryptoblog - notícias sobre bitcoin e criptomoedas!

But let’s say that the attacker has somehow been able to get enough old private keys, say from the early days of Peercoin, and now has enough coins to do some serious damage, what then? Then there are hard checkpoints in the Peercoin source code (same as in Bitcoin) that protect against such a deep reorganization of the blockchain.

This means that the attacker has to acquire private keys that once held enough coins to compete with the rest of the network, but that are fresh enough so that the checkpoints won’t protect against a reorganization. As the Peercoin network matures and the coin distribution widens this becomes improbable, but for the sake of the argument let’s say the attacker succeeds with this, what then? Well, besides the massive amount of coin days consumed, the mere fact that a deep reorganization of blocks has occurred is an inescapable sign of an attack taking place. Once again the attacker runs into the protection mechanisms described in the “Peercoin is highly vulnerable to 51% attack” myth which you can study here: Cryptoblog - notícias sobre bitcoin e criptomoedas!

In summary, the odds of successfully carrying out a stake grinding attack are very low, and as the network matures the odds fall even further.

Version 2 of the myth: The blockchain can be re-written using only a trivial amount of coins. The attacker simply goes through the history of the blockchain and finds places where the stake wins a block.

Debunking the Myth
The stake grinding attack doesn’t work on Peercoin because the block hash is not used in the Proof-of-Stake (PoS) process. Furthermore, nothing in the previous block is used in the minting of the next block. These are misconceptions about Peercoin, probably originating from people who have studied how Bitcoin works but who haven’t studied the Peercoin source code.

Learn More
Study the source code yourself here:

More Myths

From PM correspondence with Sunny King:

[quote=“Sunny King”]Hi pillow,

Yeah most of these folks probably never read peercoin paper nor source code. Some of our competitors clone our code and make arbitrary modifications without understanding the security mechanisms. Yeah if they include block hash in proof-of-stake that would be a huge vulnerability.

Yes sigmike is quite knowledgeable in these matters. He studied peercoin well.

Best Regards,

[quote=“pillow”]…
hi
this grinding attack doesn’t work on peercoin because the block hash is not used in the proof of stake process
so you can’t try many block hash to find one that make you find the next block
…[/quote][/quote]

#Synchronized Checkpointing

Myth: The network is centralized because the synchronized checkpointing mechanism allows Sunny King to control the blockchain history.

The Purpose of Synchronized Checkpointing
Peercoin has hardcoded checkpoints. Bitcoin also uses hardcoded checkpointing. It is a way to mitigate attacks when a new node that has yet to download the blockchain connects to the network. In addition to hardcoded checkpointing, Peercoin uses synchronized checkpoints.

Minting is when a Peercoin node creates a block (in Bitcoin this is called mining). As the number of minting nodes increases, the network becomes more secure. Initially, when the network is young, an attack is relatively cheap. During this time, the bootstrapping phase of the network, synchronized checkpointing is used to deter and protect against malicious entities. It’s a temporary and precautionary measure and the plan is to phase it out as minting nodes are added to the network and the protection is no longer needed. The first step is to make it possible for users to disable the feature.

The synchronized checkpointing has never been a secret. It’s described in the white paper written by Sunny King and Scott Nadal (Peercoin — The Pioneer of Proof-of-Stake). The mechanism is controlled by Sunny King. It’s worth considering that he stands to profit a great deal if Peercoin is successful and that all his work would likely be pointless if he abused the control.

Counter-argument
Whereas Peercoin arguably started off more centralized than Bitcoin, the number of minting nodes is likely to increase over time, hence the network will become more decentralized over time. Bitcoin is the opposite. Even if Bitcoin started off as a decentralized network where everyone with a CPU could participate on equal footing, because of the resource-intensive nature of Proof-of-Work (PoW), those with the most resources outcompete those with lesser resources, therefore Bitcoin is likely to become more centralized over time.

Community Support
The Peercoin community is committed to bringing on more minting nodes, by making it easier for new and existing users to start minting.

Customized device for secure minting:

Get 10 PPC for free by adding a node to the network, find out more here:

Map of Peercoin nodes:

More Myths

reserved

#History Revision Attack

Myth: An attacker can rewrite the blockchain history using old private keys.

Protection
A successful attack is theoretically possible but very unlikely to happen. Peercoin has hard checkpoints (Bitcoin core has them too) and synchronized checkpoints. Both types of checkpoints protect against this attack, simply by making a deep blockchain reorganization impossible. Coins spent before the latest checkpoint can’t be used, so the coins used in the attack would have to be accumulated after that checkpoint.

The other minting nodes on the network also protect against this attack. The attacker must pick a point in time, a block in the blockchain, where the blockchain should fork. From this point forward, the attack chain must now outcompete the stakes used in the main blockchain.

Let’s illustrate what this means. If the network has an average of 60% of the coins used for minting since the last checkpoint (either hard or synchronized), the attacker now needs outputs that had 61% of the coins.

It’s also worth noticing that coins used by the attacker, if they have been spent on the main chain, will have added coin age to the chain trust, thus the coins used in the attack will not only compete with the rest of the network, but also against the stakes the same coins were used in before. In a sense, the attack coins will be competing against themselves.

In summary, as more people enter the Peercoin economy, hold coins and run minting nodes, the more expensive, difficult and less likely this attack becomes.
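The three protections described in this section (the checkpoint floor on fork depth, the chain-trust comparison against the honest stakes, and attack coins competing against the coin days they already added to the main chain) fit into a short model. The code below is an added example, not Peercoin's code: it models chain trust the way the text does, as coin days consumed since the fork point, and all heights, coin amounts and owner names are constructed for the illustration.

```python
from dataclasses import dataclass

# Added example: toy model of the history-revision protections above.
# Chain trust = coin days consumed since the fork point (the text's model);
# all heights and stake figures below are constructed, not real Peercoin data.

@dataclass(frozen=True)
class Stake:
    owner: str
    coins: float
    days: float        # coin age consumed when this stake minted a block

    @property
    def coin_days(self):
        return self.coins * self.days

def chain_trust(stakes):
    """Trust accumulated by a chain segment: total coin days consumed."""
    return sum(s.coin_days for s in stakes)

def reorg_allowed(fork_height, last_checkpoint_height):
    """Hard and synchronized checkpoints both refuse any fork that would
    replace the checkpointed block or anything below it."""
    return fork_height > last_checkpoint_height

def evaluate_attack(main_stakes, attack_stakes, fork_height, last_checkpoint_height):
    """Decide whether an attacker's alternative chain replaces the main chain."""
    if not reorg_allowed(fork_height, last_checkpoint_height):
        return "rejected: fork point is below the last checkpoint"
    if chain_trust(attack_stakes) > chain_trust(main_stakes):
        return "reorganized: attack chain has more trust"
    return "rejected: main chain has more trust"

if __name__ == "__main__":
    DAYS = 90               # days since the last checkpoint (constructed)
    CHECKPOINT = 100_000    # constructed height, not a real checkpoint
    # Main chain: 60% of 1000 coins minting honestly, plus 100 coins whose
    # old keys the attacker later buys; their previous owner minted with them
    # too, so those coin days already sit on the main chain.
    main = [Stake("honest", 600, DAYS), Stake("previous-owner", 100, DAYS)]
    attack = [Stake("attacker", 610, DAYS)]   # 61% of all coins, from old keys
    print(evaluate_attack(main, attack, CHECKPOINT - 1, CHECKPOINT))
    print(evaluate_attack(main, attack, CHECKPOINT + 1, CHECKPOINT))
    # Same 61%, but this time the bought coins sat idle on the main chain.
    print(evaluate_attack([Stake("honest", 600, DAYS)], attack, CHECKPOINT + 1, CHECKPOINT))
```

The three calls show the three outcomes in order: a fork below the checkpoint is refused outright; 61% of the coins loses to 60% honest minting once the attacker's own coins have already contributed 100 x 90 coin days to the main chain (63,000 against 54,900); and only when those coins were idle on the main chain does 61% beat 60% (54,900 against 54,000), which is the figure sigmike gives below.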

In-depth Study
For a more detailed and elaborate discussion of the attack and the protection:

View the hard coded checkpoints in the source code here:

More Myths

[quote=“sigmike”]Rewriting a blockchain from a point where you had the majority of the minting coins is possible but there are a few things that protect us:

  1. The hard checkpoints in the source code. The last one is from 0.4 release so the new blockchain cannot start before block 99999 generated on 2014-03-06. So the attacker cannot use coins that were spent before this date.

  2. The synchronized checkpoints. The last one is from 1 hour ago. They will be removed, but I guess only when the last protection is strong enough:

  3. The stakes that have been minting since the attacker wants to start the rewrite. For example if the coins the attacker had in the past have been constantly used for minting since they were sold then he won’t be able to compete with the main chain. And in general the more coins are minting the more difficult it is to rewrite the blockchain. Imagine we get an average of 60% of the coins minting since the last checkpoint, then the attacker needs outputs that had 61% of the coins.[/quote]

Thanks. I will go back to that thread Cryptoblog - notícias sobre bitcoin e criptomoedas! and discuss there. I hate to see the same discussion spread all over the place.

For those who haven’t followed the discussion in the above link, the conclusions are that the time-drift attack brings the attacker trivial gains. The exploit and some variations of it have little impact on the security aspects of the network.

Alright, I’ve gone over everything in this thread and tried to make edits to fix grammatical errors. I cleaned up a lot of the sentences to make them sound better. I even added some nice looking green font. I’m not a grammar expert though, so somebody should still check my work. Other people that are familiar with the content should check to make sure everything listed is true or what we could improve. Here are some other things I noticed…

This sentence in the history revision post sounds screwed up and I’m not sure how to fix it. Could you take a look at it? “The stakes that have been minting since the attacker wants to start the rewrite, also serve as protection.”

The history revision section feels incomplete to me. It needs more details from this thread http://www.peercointalk.org/index.php?topic=3005.0 on how this attack is supposed to be carried out. I also had a hard time telling when you were talking about synchronized checkpoints or hard coded checkpoints. You might want to make that clearer in all the spots where it’s mentioned. I altered this sentence as well “Coins spent before this checkpoint date can’t be used again.” but I’m unsure if it’s correct. You should go over this whole section and make things more clear.

About the synchronized checkpoints section, the first title is called “The Reasoning Behind Checkpoints,” but I couldn’t find the reason or purpose for why they existed in that paragraph. As I understand it, they’re to protect Peercoin from attacks while the network is still young. The purpose of checkpoints needs to be explained in the beginning of the paragraph.

When talking about increased adoption as a reason for why checkpoints won’t be needed any longer, I think you need to make it clear that you’re talking about the minting participation. As minting participation goes up, the network becomes more secure.

For the reasons why checkpoints shouldn’t be removed in a rush, if the minting participation isn’t at an acceptable level yet, they shouldn’t be removed yet or you’d be inviting an attack. As far as I understand it, they should only be removed once the network has enough people minting that it can take care of itself.

About this sentence: “The first reason is that it’s important to have a margin of error when it comes to evaluating how widespread minting is.” I don’t completely understand what it’s getting at. Maybe you should expand it some.

#Time-Drift Attack

Myth: An attacker can manipulate the clock time and generate blocks ahead of time.

A Moot Point
Proof-of-Stake uses a timestamp that is added to the transaction data. The source code allows for a slight time-drift and, according to the myth, an attacker can manipulate the time so as to mine blocks ahead of time or to have a much better chance to find a block. However, a closer study of the attack reveals that the impact on network security is very limited.

Since the network has a tolerance of two hours of time stamp error, does it mean one can try 14400 different time stamps per second? Well, the previous block hash is not part of the hash you compute in Proof-of-Stake (PoS). So the 14400 hashes available in the time-drift attack stay the same even if there’s a new block. The only thing that may change is the difficulty. If you try the next 14400 timestamps at time t, then at time t+1 you’ll try 14399 timestamps you’ve already tried, and only try 1 new. So you still try only 1 new timestamp per second.

Taking into account the probability of finding a block, exploiting the time-drift is insignificant. Actually the time-drift is there for a reason. The purpose is to protect the network from freezing up which could happen if some time-drift was not allowed.
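Both the stake grinding section above and this time-drift section rest on the same fact: the proof-of-stake kernel hash takes no input from the previous block. The code below is an added example written for this thread, not Peercoin's kernel code; the field layout of the kernel and the STAKE values are constructed for the illustration, and the "grindable" variant exists only to show the design the myth assumes. It demonstrates that feeding many candidate previous blocks into a Peercoin-style kernel yields a single hash (one lottery ticket, not many), and that sliding the 14400-timestamp window by one second exposes exactly one new timestamp.

```python
import hashlib
import struct

# Added example for the stake-grinding and time-drift sections. Kernel field
# layout and STAKE values are constructed, not Peercoin's exact format; the
# point is only which inputs the kernel does and does not depend on.

STAKE = {"stake_modifier": 0x1234_5678_9ABC_DEF0,   # constructed value
         "prev_tx_time": 1_400_000_000,              # time of the staked tx
         "prevout_n": 0}                             # output index staked

def _stake_fields(stake, timestamp):
    return struct.pack("<QIIQ", stake["stake_modifier"], stake["prev_tx_time"],
                       stake["prevout_n"], timestamp)

def grindable_kernel(prev_block_hash, stake, timestamp):
    """Kernel that mixes in the previous block hash: the design the myth
    assumes. Peercoin does not do this."""
    data = prev_block_hash + _stake_fields(stake, timestamp)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def peercoin_style_kernel(prev_block_hash, stake, timestamp):
    """Kernel that ignores the previous block entirely. It takes the same
    parameters as the grindable variant only so the two can be compared."""
    return int.from_bytes(hashlib.sha256(_stake_fields(stake, timestamp)).digest(), "big")

def distinct_tickets(kernel, candidate_prev_hashes, stake, timestamp):
    """Stake grinding: an attacker able to produce many candidate previous
    blocks gets one lottery ticket per distinct kernel hash they yield."""
    return len({kernel(h, stake, timestamp) for h in candidate_prev_hashes})

def timestamp_window(now, tolerance):
    """Timestamps a node still accepts at wall-clock `now`: `tolerance`
    seconds either side, i.e. 14400 candidates for a two-hour tolerance."""
    return set(range(now - tolerance, now + tolerance))

def new_timestamps(earlier, later, tolerance):
    """Timestamps that become tryable between two wall-clock readings. The
    window only slides, so one second later exactly one new one appears."""
    return timestamp_window(later, tolerance) - timestamp_window(earlier, tolerance)

if __name__ == "__main__":
    # 1000 constructed candidate previous-block hashes.
    candidates = [hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(1000)]
    now = 1_400_000_000
    print("grindable design, 1000 candidate blocks:",
          distinct_tickets(grindable_kernel, candidates, STAKE, now))        # 1000
    print("Peercoin-style, 1000 candidate blocks:",
          distinct_tickets(peercoin_style_kernel, candidates, STAKE, now))   # 1
    print("timestamps in the window:", len(timestamp_window(now, 7200)))     # 14400
    print("new timestamps one second later:",
          len(new_timestamps(now, now + 1, 7200)))                           # 1
```

Under the grindable design each candidate block is a fresh draw, which is the vulnerability Sunny King refers to in the PM quoted earlier; under the Peercoin-style kernel only the timestamp moves the hash, and the window comparison shows why that gives one new attempt per second regardless of the tolerance.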

Learn More
For a more in-depth description of time-drift and how time is used in Proof-of-Stake read:

More Myths

reserved

Thank you very much Sentinelrv. You inspired me to rewrite the “s. checkpoint” post completely. I took your comments to heart and hope it’s much better now.

I’ve not started on the history revision attack, but I will get to that.

[quote=“Sentinelrv, post:47, topic:2518”]…history revision post sounds screwed up and I’m not sure how to fix it. Could you take a look at it? “The stakes that have been minting since the attacker wants to start the rewrite, also serve as protection.”

The history revision section feels incomplete to me. It needs more details from this thread http://www.peercointalk.org/index.php?topic=3005.0 on how this attack is supposed to be carried out.[/quote]

I’ve rewritten the whole thing (yes I can do that, there are no checkpoints blocking me :P).

I didn’t want to go into more details, because I’m aiming for a short text. The attack is kind of abstract and the whole thing requires some knowledge of the inner workings of minting, checkpoints and so forth and so on. It’s kind of one of the reasons I have those “in-depth study” (I changed the title to better reflect the content) links.

Maybe someone else could do a better job? (I hope someone can :))

Suggestion:

“according to the myth, an attacker can manipulate the time so as to mine blocks ahead of time or to have a much better chance to find a block. However, a closer study of the attack reveals that the impact on network security is very limited.”

Thanks for reviewing and updating the myth. I changed it accordingly and it is now also added to the index in the first post.

#Only One Developer

Myth: There is only one developer, Sunny King. He is anonymous and if something happens to him, that’s the end of it.

Busting the Myth
This myth is false. There are already other developers working with the Peercoin code base, so if Sunny King stopped doing so, they would have to continue without him. The myth probably originates from the fact that it took some time for Sunny King to find developers. In this type of project, it is of utmost importance that the quality of the work meets the highest standard.

There are several active members in the Peercoin community who know the Peercoin code base well. Some have deep knowledge and some have only partial knowledge. There are also some developers with a shallow knowledge, with an aspiration to learn more. Some noteworthy people are: Sunny King, Sigmike, Jordan Lee, glv, Ben, Fuzzybear (un-verified), mphs, kac- and irigi. Keep in mind that the list doesn’t tell anything about level of expertise and isn’t an attempt to create a complete list either. It is however proof that there is more than one developer.

Sunny King and sigmike are working directly on the Peercoin protocol. Both have deep understanding of the source code. The team behind Peershares, a fork of Peercoin, has both in-depth knowledge of the code and a stake in a secure and stable Peercoin network.

Peercoin is about long term value and therefore security is one of Sunny King’s main concerns. The purpose of Sunny King’s anonymity is that if the network came under attack, being anonymous could buy him some more time to help secure the network. There are however several other developers with in-depth knowledge of the code base that are not anonymous. Most importantly, the code base is open source.

It is also worth noting that Peercoin is a fork of Bitcoin, which means that Peercoin benefits from much of the work being done on Bitcoin. These developers and testers deserve credit as well.

Contributors
Peercoin

More Myths

reserved

#Peercoin was Pre-Mined

Myth: Peercoin was pre-mined/insta-mined.

Busting the Myth
This myth is false. Sunny King announced the planned release of Peercoin nine days before the release. There were no blocks mined prior to launch.

Sources
Bitcointalk was at the time the official forum for posting new coin announcements:

More Myths

reserved

#Peercoin is Extremely Inflationary

Myth: New coins are created all the time, it will be incredibly inflationary.

Busting the myth
The money supply curve is totally dependent on user adoption. Currently, the network is producing fewer coins each month. It will likely take hundreds of years to reach 1 billion peercoins, if ever.

The change of money supply is determined by:

  1. Proof-of-Work difficulty level: In Peercoin, the miners’ only purpose is to increase the supply of coins.
  2. Proof-of-Stake: Minting nodes build blocks and as a reward they get coins. This increases supply at a rate up to 1% per year.
  3. Number of transactions: Every time there is a transaction, the coins in the fee are destroyed. This decreases supply.
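The three factors listed above can be put together into a simple supply model. The code below is an added example, not Peercoin's code, and the reward rules it uses are approximations of Peercoin's as I understand them, stated here as assumptions: a PoW subsidy of 9999 PPC at difficulty 1 that shrinks with the fourth root of difficulty (halving for every 16x increase), a PoS reward of 1% per coin-year of consumed coin age, and a fee of 0.01 PPC per started kilobyte that is destroyed rather than paid to the block creator. The block figures in the usage section are constructed.

```python
# Added example: a simple supply model for the three factors listed above.
# Reward rules are assumptions approximating Peercoin's, not its source code.

def pow_reward(difficulty):
    """PoW subsidy per block: 9999 PPC at difficulty 1, falling with the
    fourth root of difficulty, so it halves for every 16x increase."""
    if difficulty <= 0:
        raise ValueError("difficulty must be positive")
    return 9999.0 / difficulty ** 0.25

def pos_reward(coins, coin_age_days):
    """PoS reward for a stake of `coins` that consumed `coin_age_days` days
    of coin age: 1% per coin-year."""
    return coins * coin_age_days / 365.0 * 0.01

def fee_destroyed(tx_size_bytes, fee_per_kb=0.01):
    """Minimum fee of 0.01 PPC per started kilobyte; the fee is destroyed,
    so every transaction reduces the supply."""
    kilobytes = -(-tx_size_bytes // 1000)   # round up to a started kB
    return kilobytes * fee_per_kb

def supply_change(pow_blocks, difficulty, stakes, tx_sizes):
    """Net change in coin supply over a period. `stakes` lists
    (coins, coin_age_days) per PoS block; `tx_sizes` lists transaction
    sizes in bytes."""
    minted_pow = pow_blocks * pow_reward(difficulty)
    minted_pos = sum(pos_reward(c, d) for c, d in stakes)
    burned = sum(fee_destroyed(size) for size in tx_sizes)
    return {"pow": minted_pow, "pos": minted_pos, "fees": -burned,
            "net": minted_pow + minted_pos - burned}

if __name__ == "__main__":
    # PoW issuance shrinks as difficulty rises (the "fewer coins each month").
    for difficulty in (1, 16, 256, 4096):
        print(f"difficulty {difficulty:>5}: {pow_reward(difficulty):.3f} PPC per PoW block")
    # A constructed period: 300 PoW blocks at difficulty 16, 4000 PoS blocks
    # each staking 500 PPC with 60 days of age, and 50,000 transactions of
    # 500 bytes whose fees are destroyed.
    print(supply_change(300, 16, [(500, 60)] * 4000, [500] * 50_000))
```

The per-difficulty line shows the PoW term dropping from 9999 to 1249.875 PPC per block between difficulty 1 and 4096, while the PoS term stays capped near 1% of the staked coin-years and the fee term only ever subtracts.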

Learn More
Learn more about the details here:

Official source code repository:

More Myths