6-block reorg, with no penalty for failed attack

My messages in bold. Below is a chat log wherein I describe the potential for a 6-block reorg. Please point out where I am incorrect, as this could be a great learning experience for many forum members (myself included).

Thank you!

[hr]

pillow [03|Jul 08:05 pm]: does anyone know if it's possible to broadcast 6 blocks (in a chain) at once to the network?
pillow [03|Jul 08:05 pm]: (they are supposed to replace the main chain's latest 6 blocks)
Chronos [03|Jul 08:07 pm]: yes, you can broadcast any chain at any time. If it qualifies, it will replace the currently-accepted chain.
pillow [03|Jul 08:16 pm]: hm, so if I try to create a 6-block-deep reorg locally on my computer, and don’t broadcast it before I’ve been lucky enough to be able to build it, I should be able to reorg if my chain trust is higher than the main chain’s?
Chronos [03|Jul 08:18 pm]: yes, the problem is that you have to be lucky enough to build a chain with higher trust.
pillow [03|Jul 08:19 pm]: but I can wait until the day I’ve actually succeeded and then do it all at once. Since I’m not broadcasting my failed attempts I will have lost nothing (besides the forsaken interest)
Chronos [03|Jul 08:20 pm]: you don’t even lose interest. You only lose the opportunity to compound your interest.
pillow [03|Jul 08:20 pm]: gotcha. That’s true!
pillow [03|Jul 08:20 pm]: I guess the only thing that stops me from doing this, is that I won’t know in advance if I’ll be able to do it, so I can’t take advantage of the opportunity
Chronos [03|Jul 08:22 pm]: you can take advantage of the opportunity by sending ppc to an exchange like btc-e, buying another coin with them, withdrawing, and then broadcasting your private chain to reverse the payment
pillow [03|Jul 08:22 pm]: but… perhaps if I decide to just sell a whole lot of coins, I might as well just try and double spend them, since I’ve got nothing to lose.
Chronos [03|Jul 08:22 pm]: you can keep the “I pay the exchange” transaction ready to broadcast for when you get lucky, and you have no opportunity cost.
Chronos [03|Jul 08:24 pm]: the problem is the getting lucky part. In order to have higher trust, your private chain needs to be built with a good portion of the total minting coins. (51% not required because you can still get lucky with fewer)
pillow [03|Jul 08:24 pm]: but the exchange will make me wait 6 confirmations and I won’t know until after 6 confirmations, if my attack chain had more chain trust
pillow [03|Jul 08:25 pm]: first I have to send to the exchange, then quickly build the attack chain and get lucky. If I’m lucky I’m good to go. If I’m lucky, I’ve just lost all my coin age.
Chronos [03|Jul 08:25 pm]: you can prepare your chain ahead of time by manipulating the computer clock to simulate the time it takes to make 6 blocks. There’s a 2-hour window of flexibility built into the PPC network code
pillow [03|Jul 08:26 pm]: yes but I won’t know for sure that my chain had more chain trust, right?
Chronos [03|Jul 08:26 pm]: so you can get lucky and prepare the entire chain relatively instantly, and then broadcast the attack transaction, wait 6 blocks, take money, broadcast your chain, etc.
Chronos [03|Jul 08:27 pm]: I guess if it’s really close, you might not quite have enough trust, but you could just wait until you exceeded the expected trust of the public chain by a margin for error
pillow [03|Jul 08:28 pm]: I see what you mean with the clock drift thing (I think, and I guess I can even use it to some extent to increase the odds of hashing to target difficulty).
Chronos [03|Jul 08:28 pm]: yes, you would do that to expand your chances
pillow [03|Jul 08:28 pm]: hm, wait. there is another thing in the way I think
pillow [03|Jul 08:29 pm]: my margin of error would probably have to include not only the 6 blocks, but also the chain trust in the blocks that have been added to the main chain while I waited to get lucky
pillow [03|Jul 08:30 pm]: because of the stakemodifier, I can’t just append my attack chain to any point in the blockchain. I would have to select a point to fork at, and run with that
pillow [03|Jul 08:31 pm]: then again 1 block 10 minutes… long time to build blocks :slight_smile:
Chronos [03|Jul 08:31 pm]: in order for this to work, you would have to append your attack chain to the latest point. If you point at an old fork, you’ll need to replace more than 6 blocks to exceed chain trust.
Chronos [03|Jul 08:32 pm]: tell me about the stakemodifier. Why couldn’t you just keep a node online, trying this attack against each new chain as public blocks are broadcast?
pillow [03|Jul 08:34 pm]: I’m unsure of how the stakemodifier works, but it uses 9 days’ worth of blockchain data that it samples 64 bits from using some sort of selection. The protocol enforces that you do this (it’s deterministic) and if you don’t do it properly the block you build won’t apply
pillow [03|Jul 08:34 pm]: I think
pillow [03|Jul 08:34 pm]: I guess
pillow [03|Jul 08:35 pm]: I speculate
pillow [03|Jul 08:35 pm]: you get the point :wink:
Chronos [03|Jul 08:35 pm]: since you have a node online, you could attempt your attack on each new block as it comes out. You can calculate your own stakemodifier to match what the network requires.
pillow [03|Jul 08:36 pm]: you mean like replacing the block I get with my own?
Chronos [03|Jul 08:36 pm]: the limiting factor is your coin age. If 10% of the network is minting, the difficulty will be such that you need about 5% of all coins (50%) in order to attack well.
Chronos [03|Jul 08:37 pm]: That is currently about 1 000 000 PPC. The holders of this many PPC could attack easily, and we don’t know who they are.
Chronos [03|Jul 08:37 pm]: so far, they have not attacked, supposedly because they want PPC to grow in value. This may not always be true, such as when it is possible to short the market.
pillow [03|Jul 08:38 pm]: hm, I think what gets to me is that you can do this trial run for free without any penalty (besides missing out on compound interest). It implies that I don’t need 1 000 000. I only have to be very lucky. Like a lottery ticket, for free. If I don’t win I don’t lose. If I win, I win. Right?!
Chronos [03|Jul 08:40 pm]: right, so the thing stopping this right now is that it’s technically difficult to build a client that attempts this attack. Once it is built, users might prefer it.
pillow [03|Jul 08:41 pm]: a competing coin might develop this and sell it in exchange for their own coin.

[hr]

Thoughts?

I came to think about this when trying to come up with a good attack user story sort of: http://www.peercointalk.org/index.php?topic=2949.msg28737#msg28737

I think that peercoin does not provide 100% security against doublespends or history revision attacks. But it performs pretty well.

Yes, if you have 10^6 PPC, you can manipulate the security. But that is not different from bitcoin. If someone has 5% of all bitcoin, he could wait until the inflation of bitcoin drops under 1% per annum. Then this guy could sell all his bitcoins for miners. Now he has a pretty good chance to attack the network.

If you have a smaller stack, let’s say 10^5 PPC, there is a chance that you are lucky and able to perform a double spend. But this chance falls exponentially! So if exchanges do not feel comfortable with 6-block confirmations, they may wait for 12 blocks. That is no big deal for a backbone currency.

Everyone who has doubts about Peercoin security may take a look at the PoS difficulty chart from one year ago on http://peerchain.net/charts.html . You will see that Peercoin’s security has developed greatly over time. If cold-storage minting is released we could get a big boost.
Hopefully this will increase the network security to a degree that we are even safe against a devil with 10^6 PPC!

Fix?

It’s in the interest of the exchange to protect itself against double-spends.

The exchange will know (well if they update how they handle confirmations) how much chain trust the potential attacker has in the potential attack chain.

To protect themselves against a double-spend, they will wait until the main chain has accumulated enough chain trust to mitigate any potential attack.

I guess all Peercoin wallets should have something like this in them, to protect the receiver of the coins.

:slight_smile:

Yeah, that’s me raving mad. Be kind, I’ve already said I’m both ignorant and stupid :slight_smile:
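As an added example (not from the thread, and not Peercoin’s own code) of the policy the post above describes: a receiver chooses a confirmation depth so that the chance of a privately built chain, backed by a given share of active minting power, overtaking the public chain stays under a risk budget. It assumes Nakamoto’s catch-up race as an approximation for PoS chain trust (one block = one unit of trust), which is an assumption labelled in the code; `q`, `z` and `max_risk` are names chosen here.

```python
"""
Confirmation-depth policy for a receiver (e.g. an exchange) facing a
private-chain double spend. Added example, not Peercoin code.

ASSUMPTION: the race is modelled with Nakamoto's catch-up analysis, treating
the attacker's share q of active minting power like a hash-power share and
each block as one unit of chain trust. Real PoS chain trust is
difficulty-weighted, so this is a policy approximation, not a protocol rule.
"""
import math


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of minting power ever
    overtakes the public chain after the receiver has seen z confirmations."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    p = 1.0 - q
    if q >= p:                      # a majority always catches up eventually
        return 1.0
    lam = z * q / p                 # expected private progress during z blocks
    ratio = q / p
    total = 0.0
    for k in range(z + 1):          # attacker made k blocks while we saw z
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - ratio ** (z - k))
    return max(0.0, 1.0 - total)


def required_confirmations(q: float, max_risk: float, z_cap: int = 1000) -> int:
    """Smallest depth z with catch_up_probability(q, z) <= max_risk.
    Because a failed private attempt costs the attacker nothing (the thread's
    'free lottery ticket'), the receiver bounds the risk per deposit."""
    for z in range(1, z_cap + 1):
        if catch_up_probability(q, z) <= max_risk:
            return z
    raise ValueError("no depth within z_cap bounds the risk")


if __name__ == "__main__":
    # Show how quickly the risk drops with depth for a few minting shares.
    for share in (0.05, 0.10, 0.20):
        row = ", ".join(f"z={z}: {catch_up_probability(share, z):.2e}"
                        for z in (6, 12))
        print(f"q={share:.2f}  {row}  "
              f"-> need z={required_confirmations(share, 1e-4)} for risk 1e-4")
```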

I think the protection is mostly economic:

If you have that many PPC, chances are that the market is not deep enough for you to sell it all in one go.
If you cannot sell it all, chances are you will lose more from the crash of the exchange rate than what you gain from the double spend.

Finally, when they hear of the attack, other stake owners may stir from their slumber and counter-mint on the original chain to protect their stake (i.e.: the exchange rate of Peercoin that would be affected by an attack). If the attacker fails, they will never be able to buy back all their PPC, as those who got them on the cheap will not part with them (at least not for the same price).

If you want a protocol-level protection:

[ul][li]We should think of a way to strip offline coins of their trust weight.
We could reward users for reporting unspent outputs that meet the current PoS target (or could have met the PoS target for previous blocks?). Those unspent outputs would then take a trust hit if they don’t mint and if their score would have been higher than the output that ended up doing the actual minting. I don’t think missing an opportunity should incur an immediate interest hit though, in order not to penalize small owners, but this could be combined with my proposal to cap minting rewards per block. However, without checkpoints, someone can still rewrite history from whatever point they got rich at.[/li]
[li]If transactions reference the last known block (I think this is currently not the case?), a hidden chain would be at a disadvantage, since regular transactions also contribute to trust. A hidden chain could not rely on trust contributed by regular users of the public chain.[/li][/ul]