Bitcoin is "broken" - so they say. Does PoS prevent such risks in peercoin?

I do realize the below is a deceptive headline and sensational article but this news is getting a lot of traffic.

Question - does this vulnerability also exist within peercoin? If not, we have a major messaging opportunity.

IMPORTANT: Does somebody know the answer to this question? I’m seeing articles all around about this Bitcoin problem that we could be posting in right now to tell people that Peercoin doesn’t have this problem. These are going to be missed opportunities.

An attack seems possible, but it is not as easy to execute as the article above suggests:

https://bitcointalk.org/index.php?topic=324413.0

Peercoin/PPCoin (PPC) is less affected by this since only Proof of Work mining is affected by this problem. And Peercoin also uses Proof of Stake mining, so blocks can be created such that the blockchain changes, and this change by Proof of Stake needs to be respected by the selfish miner, so that his unpublished blocks become invalid. So the more Peercoin uses Proof of Stake mining the less the proposed attack vector is a danger for the currency.

From what I understand (or at least think I do…) I tend to agree with Centaure. The PoS process of Peercoin seems to be unaffected by this attack vector (because it is not based on aggregating large amounts of the network’s hash rate but on aggregating coin-age) whereas the PoW process of Peercoin is basically affected in the same way as the PoW process of Bitcoin or any other PoW-only coin.
Although the majority of blocks in the Peercoin block chain is generated by PoW, the PoS process might by now be able to put its oar in the attack by generating a block in the chain which renders the withheld PoW blocks useless.
Although the majority of coins in the Peercoin block chain is generated by PoW, the majority of blocks is generated by PoS and might by now be able to put its oar in the attack by generating a block in the chain which renders the withheld PoW blocks useless.*
And the more PoS blocks are generated (in relation to PoW) the less feasible that attack vector becomes.
Sounds more or less like Centaure’s post - like I said; I agree.

The only uncertainty for calling Peercoin’s PoS the mitigation of that attack vector is the fact that I don’t know about a possible predominance of PoS blocks over PoW blocks. But before I explain that, I try to present my understanding of the attack. I don’t want to base my analysis on wrong facts…

So let’s have a look at the attack. Selfish miners withhold found blocks from being distributed to the block chain to profit from the chance to find another block that can only be found by the selfish miners (because no one else knows about their found blocks and can’t generate blocks for that part of the chain). The evil plan is to find more blocks and earn more rewards than their fair share (in relation to their hashing power) would be by making the work of regular miners less effective; they would hash in dead-ends without knowing. The selfish miners need to distribute their withheld blocks before other blocks are distributed by regular miners and are considered the valid block chain (which would render the selfish miners’ blocks useless by making it an orphan chain).

And now to PoS.
Do PoS blocks have any precedence over PoW blocks? Can a PoS block start an orphaned chain (if the fork starts with a PoS block on one side and a PoW block on the other side of the fork…)? What happens with the spent coin-age in that case? Is it restored? Does it stay consumed? If it did stay consumed, I could very well imagine an alternative of the recently found attack vector making PoS even more endangered than PoW.
I would be very glad if PoS blocks simply did “win” over PoW blocks in case of starting a block chain fork…

Maybe we need Sunny to answer this!

I recently found out that I know less about PoS than I thought. This thread makes it even more clear :frowning:

*edit inspired by irritant’s post

Centaure - Master of Disaster -

If you comment these wise arguments on that article linked in my post keep an eye out for the researcher - he is posting replies. And if he concedes that peercoin is much less vulnerable we should try to get a snapshot of it.

In the end, the dude is a clown, in my opinion for making a big stink about not so much - but would be great to have his reply on peercoin.

[quote=“masterOfDisaster, post:5, topic:645”][…]
Although the majority of blocks in the Peercoin block chain is generated by PoW,
[…][/quote]

I don’t have all the answers, but this is not true iirc. I heard the amount of PoW blocks are about 10% now, compared to PoS blocks.
(maybe you want to say “the majority of coins”?)

[quote=“irritant, post:7, topic:645”][…]
I heard the amount of PoW blocks are about 10% now, compared to PoS blocks.
(maybe you want to say “the majority of coins”?)[/quote]

If that is true I consider Peercoin mostly unaffected by that attack vector.
…although I can’t properly estimate the effects of consumed coin-age in the case a PoS block is put to an orphaned chain by a withheld PoW block. It would really be beneficial to understand the interaction between PoW and PoS better. Being able to waste coin-age by releasing withheld PoW blocks and rendering the competing PoS useless (without having the consumed coin-age restored) could still be a mess…
But now it’s time for bed (where I already was and browsed the forum, finding new posts in this thread and feeling the urge to write another one :slight_smile: )

I posted my first post in this thread on his blog some hours ago. But it seems like he is not too much into Peercoin, so he has not yet an opinion on it (maybe because it has not yet grown big enough to do some thorough research) and his research paper does not cover Proof of Stake mining at all.

Do PoS blocks have any precedence over PoW blocks?
That's the sticking point. It is acceptable if Proof of Stake and Proof of Work do not have a precedence over another. And it is also acceptable if Proof of Stake has a precedence over Proof of Work. This needs to be checked and if not the case probably modified. I would like to have a look at it but first I need to get started in understanding and compiling the source code for Peercoin (Help! Kick-starting needed).
Can a PoS block start an orphaned chain (if the fork starts with a PoS block on one side and a PoW block on the other side of the fork...)? What happens with the spent coin-age in that case? Is it restored? Does it stay consumed?
If you start a chain which becomes orphaned then this chain does not show the chain which is relevant for the future any more. So if you spent coin age on that orphaned chain and the corresponding block does not get included into the dominating chain, your coin age is not consumed in this chain since the block is only in the orphaned chain not the dominating.

I would really like to get Sunny’s official opinion on it.

The paper just cited peercoin and primecoin when talking about altcoins, with no extensive analysis and no comment on PoS. Compared to litecoin, there is not even a “peercoin” or “primecoin” word in the paper. I think they don’t pay much attention to PoS. Apart from the public comment at that link, writing email to the authors for a private communication is also a way to get their arguments on PoS.

How concentratedly are PPC owned? For a starter, how many coins do the top 20 PPC addresses own? Although a person can have many addresses, if, for example, we find an address that has 30% of total PPC it still tells us one person can control 30% of POS blocks.

Do PoS blocks have any precedence over PoW blocks?
Although I am not 100% sure what you mean by "precedence". . . Yes. I believe PoS has precedence. This is part of what tends to drive the energy efficient aspect. At this time, I think it would be quite hard to pull this off on the Peercoin network. PPC is already approaching near immunity to this attack as you barely ever see consecutive PoW blocks anymore. In the last 24 hours there were only 2 times where PoW blocks were right next to each other. And as time goes on, the network will get even more secure from this.

If you just take a look at the PPC blockchain (http://ppc.cryptocoinexplorer.com/chain/PPCoin?count=500&hi=78779), you can clearly see that it is rare that PoW blocks are able to form a consecutive chain. And if I understand correctly, as each day goes by it should get even rarer (i.e. more secure) with time.

Disclaimer: I am not an expert.

Thanks Alertness for this post. I had a view at the blockchain, too. And I can only explain this huge occurrence of Proof of Stake by the precedence of Proof of Stake over Proof of Work. But probably the term precedence is not correct and we need to further get an understanding of when a Proof of Stake will be included and when a Proof of Work block. And as you said most blocks in the last few days on http://ppc.cryptocoinexplorer.com/chain/PPCoin?count=500&hi=78779 are created through Proof of Stake (about 420 in this period of time) and Proof of Work has about 80 in this period of time. This is a ratio 5.25/1=(PoS Blocks)/(PoW Blocks) which is pretty impressive since Peercoin is not yet as widespread as Bitcoin. This shows that the research paper is not convincing at all for Peercoin (at a scientific level).

I have been trying to find out the answer for this for at least a month. Can someone put together a list of the top 100 PPC addresses? I see BTC has some blockchain analysis tools on github, but it doesn’t look like anyone has forked off one to deal with PPC’s POS blocks. Anyone with PPC dev skills willing to take a shot at this?

I had communications with Ittay, the author of the paper, through the email and got his replies. I also introduced peercoin community to him and asked him to join in and have a discussion with us. Look forward to his comments here.

How do we interpret the numbers here:(http://ppc.cryptocoinexplorer.com/chain/PPCoin?count=500&hi=78779)
Value out?
Difficulty?

i studied the paper in question and the ppcoin source code for the last couple of hours.

one question that comes up in this thread is when do PoS blocks take precedence over PoW blocks. it’s stated in a comment somewhere in the source code that PoS is always preferred.

But let’s assume that the selfish miner’s block is not overridden by a PoS block. Another insight i gained is that the difficulty for the selfish miner is higher than for the rest. this goes as follows:

the selfish PoW miner creates a block. the block has a timestamp. because he was first, he was lucky and probably needed less time than average on his block. this results in a higher difficulty for his second block. so the probability to successfully get ahead by two blocks is at least lower compared to bitcoin. to get ahead by 3 blocks is even less likely. Or the other way around: the probability that the honest miners create a block before the selfish miner gains his second or third block is higher than with bitcoin, because of the continuous difficulty adjustment.

the paper states that in case of equal length chains, the selfish miner will publish its block and work on its own chain while the rest of the network splits up between the selfish and the other chain. but the honest chain has the lower difficulty. the neutral miner would hash on the lower difficulty, because he can just start in the very moment when the selfish miner published his block. Since every attempt to calculate the hash has the same probability to win, it would yield a disadvantage to the neutral miner to work on the selfish chain.

1:0 for the honest miners.

if the honest miners create a PoS block before the selfish miners publish another PoW block, the efforts of the selfish miners will be lost. if the selfish miner does so, the honest chain rewards will be lost. so this rule does not help the honest miners.

The PoS block creation follows basically the same rules. but the described attack vector is not applicable. the described attack is an economic attack. by using the discussed strategy, the participants of the selfish pool will gain a profit above their fair share. when mining PoS blocks, the reward is linear to the consumed coinage. the reward is limited by the coinage the miner has available. there is no possibility for him to get a reward higher than this fixed percentage. and i believe he does not even need to create a block to get his reward. he can just start a minting transaction by sending money to himself, without creating the block. since the described attack is an economic attack, the incentive to do so is missing in PoS mining.

i hope i got everything right.

by the way, i guess the core developers of bitcoin should be really concerned about this problem. and i bet they know this, but try to look not impressed by the findings. they can probably do something about it, but if they don’t, bitcoin / litecoin / … are done.

one always reads the 25% and thinks this is a large enough percentage. it’s probably some time left till one of the big players starts to use the security hole to maximize his profit. but the truth is, that right now the threshold is 0% of the combined hashing power, if the attacker gets enough nodes up to manipulate block propagation within the bitcoin network in favor of his own blocks. this means he needs a bunch of cheap vhosts with a fake client that does not need resources like disk space. and therefore anyone can start a pool like this.

lots of people write that the honest miners can choose to never mine on the selfish chain if two chains of the same length are visible. but that’s a question of centralization and politics. the protocol itself does not enforce this. in addition, if the selfish mining pool succeeds to grow 33% of the hashing power, it will be still earning more money than its fair share, what would attract neutral miners to join the selfish miners.

and there lies the bigger problem: when a selfish pool reached 33%, it will most likely reach 51%. it then will earn all the profit of the network, because his selfish strategy dictates him to throw away all other blocks and maintain its own chain.

this problem cannot be solved without major changes to the protocol. and the problem is very real. and the core developers state that it’s not a big deal. this is exactly what i would be doing, when i have no plan b yet.
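
The 25%, 33% and 0% figures quoted in the thread are all values of one threshold from the selfish-mining paper (Eyal and Sirer), which depends on γ, the fraction of honest miners that end up building on the pool's block when two equal-length branches compete. The following is an added example, not part of any post above and not Peercoin or Bitcoin code: it evaluates that threshold and the paper's closed-form reward share, and cross-checks the formula with a Monte Carlo run of the paper's state machine. It models a PoW-only chain with fixed difficulty, so it does not capture the PoS blocks or the per-block difficulty adjustment discussed in the thread; the function names are chosen here for illustration.

```python
import random

def threshold(gamma):
    """Smallest pool share of hash power at which withholding blocks pays.

    gamma: fraction of honest miners that build on the pool's block
    during an equal-length fork (0 = none, 1 = all).
    """
    return (1 - gamma) / (3 - 2 * gamma)

def closed_form_share(alpha, gamma):
    """Pool's long-run share of block rewards (paper's formula, alpha < 0.5)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den

def simulated_share(alpha, gamma, blocks=400_000, seed=1):
    """Monte Carlo run of the state machine; lead = private minus public length."""
    rng = random.Random(seed)          # fixed seed: reproducible result
    lead, fork, pool, honest = 0, False, 0, 0
    for _ in range(blocks):
        pool_found = rng.random() < alpha
        if fork:                       # two public branches, one block each
            if pool_found:
                pool += 2              # pool extends its own branch and wins
            elif rng.random() < gamma:
                pool += 1; honest += 1 # honest block on top of pool's block
            else:
                honest += 2            # honest branch wins, pool block orphaned
            fork = False
        elif pool_found:
            lead += 1                  # block is withheld
        elif lead == 0:
            honest += 1                # normal operation
        elif lead == 1:
            lead, fork = 0, True       # pool publishes, race begins
        elif lead == 2:
            pool += 2; lead = 0        # pool publishes both and overrides
        else:
            pool += 1; lead -= 1       # pool releases one block, keeps lead
    return pool / (pool + honest)

if __name__ == "__main__":
    for g in (0.0, 0.5, 1.0):          # yields 1/3, 1/4 and 0
        print(f"gamma={g:.1f}  threshold={threshold(g):.3f}")
    for a in (0.20, 0.30, 0.40):
        print(a, round(closed_form_share(a, 0.5), 4), round(simulated_share(a, 0.5), 4))
```

A pool below the threshold for the prevailing γ earns less than its hash-power share by withholding, which is why how honest nodes choose between equal-length branches matters as much as the raw percentage.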