PoS - How does it really work? Long and maybe confusing thread incoming ;)

Thanks for the modeling effort, which is very much needed for an innovative coin such as Peercoin.

[quote=“Cybnate, post:72, topic:648”]Just enter the following in the green blocks:

  • Your coinage per coin; so if you haven’t moved the coins in a particular address for 60 days you would enter 60.
    In the amber block:[/quote]

I think coinage is transaction based, not address based. For example in a mining payout address you can have many batches of coins paid by the pool at different times. Coins in different batches have different ages. I hope coinage is not calculated such that when a new payout is received coinage is reset to 0 for all coins in the address. That would be a bad surprise. Then it’s better to use a new address for every payout to preserve accumulated coinage.

Coin age is tied to a transaction, that is correct. It’s also segregated by address; because multiple transactions that have coin age that have reached “maturity” can be summed together for the purpose of solving a block.

Once a block is solved, the transactions that were used, and the reward for the block, are rolled into a single new transaction with coin age equal to zero, but any non-matured coins in that address are still able to mature and eventually attempt to solve their own block.

[quote=“mhps, post:75, topic:648”]Thanks for the modeling effort, which is very much needed for an innovative coin such as Peercoin.

[quote=“Cybnate, post:72, topic:648”]Just enter the following in the green blocks:

  • Your coinage per coin; so if you haven’t moved the coins in a particular address for 60 days you would enter 60.
    In the amber block:[/quote]

I think coinage is transaction based, not address based. For example in a mining payout address you can have many batches of coins paid by the pool at different times. Coins in different batches have different ages. I hope coinage is not calculated such that when a new payout is received coinage is reset to 0 for all coins in the address. That would be a bad surprise. Then it’s better to use a new address for every payout to preserve accumulated coinage.[/quote]

Agree with you and Ben, I confused transaction and address, will update my spreadsheet accordingly.
@Ben, not sure if I understand what you say about having multiple transactions reaching coin age can be summed up together for purpose of solving a block.
The only purpose would be to increase the chance to solve a block faster. Each transaction would be able to solve a block on itself and gaining the same amount of interest over time anyway.

I’ll have to recheck my logs and compare against the block chain, but in one of the blocks I solved, the inputs that were summed together and used as the basis to calculate the reward appeared to have come from two separate transactions a couple of days apart.

Maybe this will be referred to later in this thread (I’m still clearing my backlog…)…
…but I had the feeling to jump in the math^^

[quote=“Cybnate, post:57, topic:648”][…]
They are talking about a randomiser factor +Coin age to solve blocks, double the coinage doubles your chance. I got that.
Ok, let’s do some examples ignoring any complex randomisers to equal chances to start with. Let’s say you have just one block in a certain period.

And the following people have their wallet set to minting:
5 people (A) have 100 coinage, 4 people (B) have 50 coinage, 1 (C) has 24 coinage and 1 (D) only 1 coinage.

Throwing this into the pool; A has double the chance of solving a block over B. B would have double the chance over C.
But what is the actual chance for A, B and C? Total coinage is 5*100 + 4*50 + 1*24 + 1*1 = 725
So someone in group A would have a 100/725 chance = ~13.79% chance. An individual in B would have 50/725 = 6.7% C would have 24/725 = 3.3% and D only 1/725 = 0.13%

Let’s keep these 11 individuals and add more blocks into it. With Peercoin we seem to have 6 blocks every hour. However it seems there are on average 5 to 6 blocks PoS and 1 block PoW in an hour (this needs further statistical proof). Let’s assume 5 blocks in hour for PoS. A day has 24 hours. 5 blocks x 24 = 120 blocks/days

So what are the chances now? To me each individual would have 120x times more chance (draws) to solve a block in a day than if there was only one.
So someone from group A would on average successfully mint a block after 100/16.55% = 6.04 blocks.
C have to wait for 100/6.7% = 14,93 blocks to successfully mint.
However D 100/0.13% = 769 blocks, so the chance of D minting a block on that day is 0.13% * 120 blocks = 15.6%[/quote]

If A has the chance of solving one block at the given difficulty of 16.55% (0.1655), he has a chance of 83.45% (0.8345) of not solving it.
This makes for a series of n blocks a total chance of 0.8345^n for not solving any block.
After 6.04 blocks (knowing that there are no 0.04 blocks that can be solved :wink: ) the total chance of solving at least 1 block is 1-0.8345^6.04=0.66 -> 66%
You miss the “compound interest” of luck for solving blocks :wink:
If you ask about the average time to solve a block, I think the question would be: at which number of blocks (n) is the chance at least 50% to have successfully minted at least one block.
For participant A that leads to:

1-0.8345^n=0.5
0.8345^n=0.5
log(0.8345^n)=log(0.5)
n*log(0.8345)=log(0.5)
n=log(0.5)/log(0.8345)
-> n=3.83

Beginning with the 4th block in a row the chance to have minted at least one of them is above 50%!

[quote=“Cybnate, post:57, topic:648”][…]
Here I need some help in mathematics.
[…]
If you’re still with me after reading the above then you’re probably a mathematician or a very big proof-of-stake/PPC fan ;-)[/quote]

I am - both a fan of math and Peercoin/PoS! :smiley:

[quote=“Cybnate, post:70, topic:648”][quote=“Jimmy, post:69, topic:648”][…]
I’m wondering whether an attack required more than 51% of all coins or just more than 51% of the forging coins in the fly.
[…][/quote]
[…]
A POS attack is likely to only need 51% of the forging coins based on logic. Only the forging coins can create a block. Coins<30 days or off-line can’t and therefore do not secure the network.
[…][/quote]

I might be wrong - but I’d like to have this thesis checked:

[size=10pt]“There is no such thing as a >50% attack of Peercoin’s PoS process.”[/size]

Explanation:
The success for minting a PoS block is based on luck. The relevant part that determines the luck is the coin-age. The coin-age is capped at 90 days[sup]1[/sup].

Even if you have more than 50% of all coin-age taking actively part in the PoS process, you don’t have control over the PoS part of the Peercoin network.
Your luck for solving the next block is > 50%. And even if that doesn’t significantly decrease your total coin-age (let’s assume you still have more than 50%), you only have a chance of 50% for solving the next PoS block and so forth.
Let’s assume you constantly stay above 50% of the coin-age in this game.
Being able to mint n PoS blocks in a row at 50% chance for success has a total chance of 0.5^n.
This is far from being in control over the network (which is completely different for PoW processes as control of > 50% of the hashing power allows to suppress valid blocks and prevent them from being added to the blockchain!)

Please try to disprove this thesis.

If you disprove it, I might congratulate you on having shown that an owner of more than 50% of all coin-age can most likely evaporate all his Peercoins by performing such an attack!
The Peercoins that have been used for minting can’t be transferred anywhere for the next ~500 blocks and the price of the Peercoins that are left and have not been used for minting will most likely be worthless once they are credited at an exchange and can be sold (as you can only transfer them earliest if you don’t need them any longer for PoS minting).
And even if it takes some time for the world to get aware of that attack, it will for sure create a huge drop in prices trying to sell them in a short period of time. The losses are either way tremendous.

Just in case you are not plain evil and want to ruin Peercoin…
…maybe you try to pull off a double-spending attack: make sure you have > 50% of Peercoin’s PoW hashing power as each interfering PoW block might ruin your plans.
AND
Make sure the profit you make by pulling off that double-spending attack exceeds the invested money for buying/mining the coins and for aggregating > 50% of the PoW hashing power!

If you can’t disprove it, let others try to.
If they can’t, consider such an attack more and more unlikely the longer this thesis has not been disproved :wink:

[sup]1[/sup] STAKE_MAX_AGE is defined here: https://github.com/ppcoin/ppcoin/blob/master/src/main.h#L46 and used here: https://github.com/ppcoin/ppcoin/blob/master/src/kernel.cpp#L271

"There is no such thing as a >50% attack of Peercoin's PoS process."

You are assuming there is an attacker or an attacker who wants to benefit directly from double spending. It could be an accident. Say Peercoin becomes a mainstream currency and there are banks or wealth management companies of cryptocurrency that offer real, attractive interest (via investment etc.) to depositors. Some of these financial entities could accumulate more than 51% PPCs, just like the aggregation of hash power to big pools in BTC’s POW network. Then accidental double spending could happen (check out blockchain.com. There is a record of suspected double spending events that shows it happens all the time). Or it could happen because a competitor/vandalist has broken into the servers trying to ruin the financial entity.
Although such double spending could be an accident/crime, it would still be a real possibility. People’s confidence will still take a hit nonetheless.

[quote=“mhps, post:81, topic:648”]

“There is no such thing as a >50% attack of Peercoin’s PoS process.”

You are assuming there is an attacker or an attacker who wants to benefit directly from double spending. It could be an accident. Say Peercoin becomes a mainstream currency and there are banks or wealth management companies of cryptocurrency that offer real, attractive interest (via investment etc.) to depositors. Some of these financial entities could accumulate more than 51% PPCs, just like the aggregation of hash power to big pools in BTC’s POW network. Then accidental double spending could happen (check out blockchain.com. There is a record of suspected double spending events that shows it happens all the time). Or it could happen because a competitor/vandalist has broken into the servers trying to ruin the financial entity.
Although such double spending could be an accident/crime, it would still be a real possibility. People’s confidence will still take a hit nonetheless.[/quote]

Just a nit-pick, but accumulating 51% of the hash rate on the network is significantly less expensive than accumulating 51% of the peercoins in existence. I also doubt that those financial entities could get in early enough to buy up 51% of the available coins, even if they wanted to. That’s not to say that it isn’t something that is within the realm of all things that are possible, just that the likelihood of that happening is significantly less than the likelihood that it would not happen.

They don’t have to buy 51%. They just need to offer good, safe return to attract depositor/investors. Aren’t 48% of all PPCs in 100 addresses? You don’t need to convince that many people to get hold of 50+%.

In order to do, what, exactly? Even if they could somehow convince people to send them their coins for safe keeping, and then not request withdrawals for at least 31 days, they may be able to attempt a bunch of concurrent mint attempts (from a huge number of addresses that they created specifically for this attack) running through a set of custom peercoin daemons.

So, let’s say that going to all this work is possible – and they immediately mint a block, and then another – things are looking good! They submit a block that has a bunch of double-spends on it, and pow, they get another block minted. They are now well on their way to double-spend glory…

…at which point, the odds say that disaster will strike.

All it takes though is for one of us who isn’t in this collective to mine or mint a block, and their ability to generate a confirmation consensus is gone.

I’m not saying it would be easy or usual. I was checking masterOfDisaster’s thesis “There is no such thing as a >50% attack of Peercoin’s PoS process.”

[quote=“Ben, post:82, topic:648”]Just a nit-pick, but accumulating 51% of the hash rate on the network is significantly less expensive than accumulating 51% of the peercoins in existence.
[…][/quote]

Thank you for nailing it down!
This calculation of mine is from the past (and admittedly I thought something like a > 50% PoS would be possible).
The numbers have changed, but the math is still the same.

Here is the cost for a PoW attack by bought miners on the Bitcoin network :
https://bitcointalk.org/index.php?topic=326216.msg3526904#msg3526904
The result from Nov, 9th 2013 was: roughly 3% of the market capitalization of Bitcoin needed to be invested in mining hardware to get > 50% of the hashing power (based on some assumption and just to identify the dimension).

And here is what you get when you try to invest equivalent amounts in Peercoin:
https://bitcointalk.org/index.php?topic=326216.msg3543338#msg3543338

In a nutshell: PoS attacks can be considered more expensive than PoW attacks!
Or the other way round: the money that is needed for a successful PoW attack doesn’t allow for a dependable PoS attack!

And by having hold of 50+% they get what?
Just a chance to put some PoS blocks in a row, but no guarantee, right?

Is my understanding wrong, that - in other words - PoS minting is like taking part in a lottery?
…with the coin-age being the number of lottery tickets?
Even if you have > 50% of all lottery tickets in the lottery wheel, you can’t be sure, whose ticket is next!
If you have less tickets in a row than the number of confirmations your payee expects (I’m talking of double-spending now), your attack fails.

[quote=“Ben, post:84, topic:648”][…]
…at which point, the odds say that disaster will strike.
[…][/quote]

That’s my point! Where at PoW there is (under certain circumstances) control over the network, at PoS is only chance.

The tragedy is: if you want to have a high chance for a successful PoS attack, you literally have to put your coins at stake, as a successful PoS attack will annihilate most of your coins value!

Once again:
“There is no such thing as a >50% attack of Peercoin’s PoS process.”
…as I still haven’t seen disproof.

And just in case there is disproof that I just don’t understand, please elaborate on that patiently (no sarcasm!).

And just for the record - my intention is not to spam this thread.
My intention is to find out, underline, point out the improvements Peercoin has brought to crypto-coin-land.
I want to go out and tell everybody. The attack resiliency of PoS is what I try to focus on as this is not only different from most other crypto currencies. It has been implemented at Peercoin first of all (at least to the best of my remembrance).

Where Bitcoin can be called the father of crypto currency in general (I don’t count previous attempts as they have failed too quickly), Peercoin is the father of PoS!

I want to explain why PoS is good, why PoS can be superior to PoW. And once people get that and ask me “why not NXT then?”, I can pull the “hybrid joker” and tell about the advantages of two independent processes securing the network and the (compared to a PoS-only IPO) quite fair distribution model.

But I’d prefer having an in-depth discussion as I want to lead my discussions with good and valid arguments.
This is currently a kind of sandbox for me. Thank you for helping me!

[quote]And by having hold of 50+% they get what?
Just a chance to put some PoS blocks in a row, but no guarantee, right?[/quote]

See my post started with “You are assuming…” about competitor/vandalist as an example – They don’t need guarantee. They don’t need the double spent money. They win if succeed once after trying many times to make the financial firm look bad.
All I am saying is you can’t say a POS attack angle is not possible just because the stake owner doesn’t like the consequences or it has a low success rate.
I agree most of what you and Ben say. But if we want Peercoin to hold serious money, every aspect of Peercoin should be scrutinized under microscope.
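
Added example, not part of any post in this thread: the 1-0.8345^n calculation and the 0.5^n "n blocks in a row" figure from earlier posts, plus the chance that such a run appears at least once when the draw is repeated over a longer window (the "trying many times" case). It assumes a simplified model in which every block is an independent draw won with a fixed probability p, ignoring coin-age consumed by minting, interleaved PoW blocks and difficulty changes; all function names are hypothetical.

```python
import math


def p_at_least_one(p, n):
    """Chance of winning at least one of n independent block draws."""
    return 1.0 - (1.0 - p) ** n


def draws_for_confidence(p, target=0.5):
    """Smallest whole number of draws whose cumulative chance reaches target."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def p_run_within(p, k, window):
    """Chance of at least one run of k consecutive wins within `window` draws.

    state[j] is the probability of currently holding a streak of j wins
    (j < k) with no completed run so far; `done` absorbs completed runs.
    """
    state = [1.0] + [0.0] * (k - 1)
    done = 0.0
    for _ in range(window):
        nxt = [0.0] * k
        for j, mass in enumerate(state):
            nxt[0] += mass * (1.0 - p)   # someone else's block resets the streak
            if j + 1 == k:
                done += mass * p         # k-th consecutive win completes the run
            else:
                nxt[j + 1] += mass * p
        state = nxt
    return done


if __name__ == "__main__":
    p_a = 0.1655          # per-block chance used for participant A in the thread
    print(f"A, after 6.04 blocks: {p_at_least_one(p_a, 6.04):.2f}")
    print(f"A, blocks for >=50%:  {draws_for_confidence(p_a)}")

    p_major = 0.5         # holder of half the minting coin-age, as in the thesis
    confirmations = 6     # constructed value: depth a payee waits for
    blocks_per_day = 120  # 5 PoS blocks/hour * 24 h, the thread's assumption
    single = p_run_within(p_major, confirmations, confirmations)
    daily = p_run_within(p_major, confirmations, blocks_per_day)
    print(f"one attempt at {confirmations} in a row: {single:.4f}")
    print(f"at least one such run in a day:  {daily:.3f}")
```

Under this model a single attempt at six blocks in a row succeeds with probability 0.5^6, while the chance that such a run occurs somewhere in a day of 120 draws is far higher, which is why the confirmation depth a payee requires has to be chosen against the window rather than against one attempt.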

Absolutely, and I appreciate the points of debate, mhps. I hope that I’m not coming across as combative, because the truth is exactly opposite of that. I’d rather back myself into a logical corner and eat my words, if it means that we’ve discovered (or rediscovered) a previously unknown vulnerability.

I agree that they don’t need the guarantee or even to benefit from the double-spend of coins, if the intent is to disrupt confidence in the network protocol. On the other hand, unless they can demonstrate that the attack is viable and it would result in double-spends or other actions detrimental to the rest of the holders of Peercoin, there’s no crisis of confidence.

For example, it’s a known and demonstrable fact that with sufficient hash rate (25% of the global total and up) you can attack a proof of work crypto currency via a double-spend attack. Even with the knowledge that the vector exists, and with actual occasions where you can point to instances where the attack was conducted (for instance, GHash.io’s double-spends against BetCoin Dice), I have not seen a crisis of confidence amongst current holders.

Let’s keep beating on this topic and modeling attack vectors (e.g. the “nothing at stake/multi-chain minting” hypothesis). This has motivated me to set up a section of the Peercoin wiki to track potential vectors and we can then include details of how they are conducted and how the protocol defends against them.

[quote=“mhps, post:90, topic:648”]See my post started with “You are assuming…” about competitor/vandalist as an example – They don’t need guarantee. They don’t need the double spent money. They win if succeed once after trying many times to make the financial firm look bad.
All I am saying is you can’t say a POS attack angle is not possible just because the stake owner doesn’t like the consequences or it has a low success rate.
I agree most of what you and Ben say. But if we want Peercoin to hold serious money, every aspect of Peercoin should be scrutinized under microscope.[/quote]

I’m sorry if I sounded rude - that was not my intention.
You are absolutely right that a PoS attack vector exists.
And you are right that it can be intentionally or unintentionally done.
I agree that Peercoin should be scrutinized under microscope.

All I’m trying to say regarding PoS attacks is:

[ul][li]it is not likely to happen[/li]
[li]if you plan to pull off a dependable attack it becomes very costly[/li][/ul]

That’s why I started with the thesis “There is no such thing as a >50% attack of Peercoin’s PoS process.” :wink:
As this thesis for now is still not disproven, I suggest to follow Ben’s idea of gathering thoughts/results at the Peercoin Wiki.

this conversation about possible attack is really interesting. however maybe it should go in a different thread? and if anybody can summarise in a really clear way when you come to a conclusion that would be really helpful. also, would someone be able to tell me if this is the same issue as discussed here:

sorry, i am not very technical but this could be a very important subject. thank you very much…

Here’s an example of a block solved with a very small stake, 1.03115 PPC (91.848479 coin days consumed). The original transaction that was used occurred on November 22, 2013, which was 89 days ago.

Based on my spreadsheet, the reward should have been 0.002512642 PPC, so I’m not sure why the network didn’t award any additional units in the transaction.

[font=courier]Block reward = 89 * 33 / (( 365 * 33 + 8 )) * 0.01[/font]

@SunnyKing; is there an explanation for this scenario?