Can we address the 'double spending' thing once and for all?

I’ve seen it mentioned as a criticism several times. If you have too, you know what I’m talking about.

  • Is it true?

  • If so, is it something that can be fixed?

It’s basically the only Peercoin concern I have atm.

Could you elaborate and be more specific? What is the concern?

It’s hard for me to elaborate because I don’t fully understand it honestly. I just know I’ve seen it brought up a few times, most recently here by ‘Hazard’:

https://bitcointalk.org/index.php?topic=326216.20

And this was in Sunny King’s 2nd weekly update:

•Two protocol changes were included in v0.2.0 release. One is that competing block chains are now scored based on proof-of-stake difficulty. Sharp readers would note this is the counterpart of Satoshi's original scoring based on (proof-of-work) difficulty. The property of this formula is that it makes the threshold of effective double-spending attack very high, to the point of almost controlling the entire main chain. The other change is we have limited coin age weighting in proof-of-stake block generation to a max age of 90 days. This change defends against a patient attacker accumulating coin age indefinitely over the rest of the network. With this change the required threshold of stake to control main chain is raised significantly for a patient attacker.

Thanks. I got the reference that the max coin-age is 90 days. BTW, the tx coin needs 30 days for coin-age calculation; after 30 days, is the coin-age 30 days or 0? So does it take 90 days or 120 days to accumulate 90 days coin-age?

Coinage starts from last transaction. So it takes 90 days to accumulate 90 days of coin age.

No, after 30 days the coinage is 0 and starts counting up to 60 days where it reaches its maximum.

Maybe we need to dive into the Peercoin code. I can’t get the answer from the code, so can anyone familiar with the Peercoin code give us some explanation? Actually, I don’t understand how the PoS difficulty dynamics work, or how it is related to the personal coin age and to the whole network coin age.

IMO, the best way to fix it is to dump more money into it, to increase its value, and start minting. This may sound sort of funny, but the interesting thing about PPC is that the more expensive it gets the more secure it gets, because the more it will cost the bad guy to try to gain the share of coins able to perform the attack. In this way, Peercoin is secured by its own increasing value. As the cost to attempt this sort of attack depends on coin age, the best way to get coin age is to get coins. So, PPC gets better with increased user adoption.

Also, there is no guarantee of success even once you have the coin age and attempt the attack.
As Sunny once said here, https://bitcointalk.org/index.php?topic=101954.60
You could try to do that, but other nodes may only take the first block you send due to duplicate stake detection (see design paper for the description of duplicate stake detection). That means you would end up on one fork anyway.

It would be nice to learn more about how good this duplicate stake detection works though.

the difficulty solely depends on the difficulty of the previous block and the time interval it took to generate the last block after its predecessor. it’s not related to the global available coin age.

It seems from the code that coin age initiates 30 days after the last tx: https://github.com/ppcoin/ppcoin/blob/master/src/kernel.cpp#L283

    // v0.3 protocol kernel hash weight starts from 0 at the 30-day min age
    // this change increases active coins participating the hash and helps
    // to secure the network when proof-of-stake difficulty is low
    int64 nTimeWeight = min((int64)nTimeTx - txPrev.nTime, (int64)STAKE_MAX_AGE) - (IsProtocolV03(nTimeTx)? nStakeMinAge : 0);
    CBigNum bnCoinDayWeight = CBigNum(nValueIn) * nTimeWeight / COIN / (24 * 60 * 60);
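
The two quoted kernel.cpp lines, modelled in Python as an added example (not part of the original post or of the Peercoin code base). The `COIN` value and the rule that an output under the minimum age gets weight 0 are assumptions; the 30-day and 90-day figures are the ones given in the thread, and the wallet contents are constructed.

```python
DAY = 24 * 60 * 60
COIN = 1_000_000            # base units per coin (assumed for this example)
STAKE_MIN_AGE = 30 * DAY    # 30-day minimum age, as stated in the thread
STAKE_MAX_AGE = 90 * DAY    # 90-day cap, as stated in the thread

def coin_day_weight(value_in, tx_prev_time, tx_time, protocol_v03=True):
    """Mirror of the two quoted lines, with integer division like CBigNum."""
    age = tx_time - tx_prev_time
    if age < STAKE_MIN_AGE:
        return 0  # assumption: an output under the minimum age cannot stake
    time_weight = min(age, STAKE_MAX_AGE) - (STAKE_MIN_AGE if protocol_v03 else 0)
    return value_in * time_weight // COIN // DAY

def wallet_weights(outputs, now):
    """Weight every output on its own, as the kernel does, not the wallet total."""
    return {txid: coin_day_weight(value, received, now)
            for txid, (value, received) in outputs.items()}

def demo():
    now = 200 * DAY  # constructed timestamp
    outputs = {      # constructed wallet: txid -> (value in base units, receive time)
        "tx-10d": (500 * COIN, now - 10 * DAY),
        "tx-30d": (500 * COIN, now - 30 * DAY),
        "tx-45d": (500 * COIN, now - 45 * DAY),
        "tx-90d": (500 * COIN, now - 90 * DAY),
        "tx-120d": (500 * COIN, now - 120 * DAY),
    }
    return wallet_weights(outputs, now)

if __name__ == "__main__":
    for txid, weight in demo().items():
        print(txid, weight)
```

Under the v0.3 rule the weight of an output is 0 at 30 days of age and stops growing at 90 days, so holding coins longer than that adds nothing to the kernel weight.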

Thanks.

I am wrong, so the PoS difficulty adjustment is similar to PoW, and the reward should be related to the coin age. On the other hand, what condition should be met to get the stake reward at some stake difficulty? Is there also a stake hash function? So the client does a hash operation to meet the difficulty? It seems that it’s easy to get the stake from stake minting after three months un-minting, so is there more probability for the client to meet the difficulty? I got a stake block several days ago and there was a stake transaction with part of my coins as input, and two outputs. Why are not all my coins involved in the stake block, contributing stake to me?

if the node receives a block that it has no previous block for, it will remember it, until it receives the previous block.

if the node receives a block with a stake that has already been used, it checks if there is a remembered block that is the successor of the block with the duplicate stake.

if so, the block with duplicate stake gets accepted and the previously remembered block gets inserted in the chain as well.

if not, the block with duplicate stake gets discarded.

so in effect, the longest chain always wins. if one stake is spent, it cannot be spent on another block. if the communication is perfect and there is no delay in block propagation, the node will always discard any subsequent duplicate stake block. so the above described algorithm makes a difference only if the network partitions.

it can be checked whether coins have been used for stake already, because the stake includes the transaction id that put the coins to the wallet of the attacker. and since transactions that are older than the last checkpointing are locked, the attacker cannot include a new transaction that gives him back his coinage used for the attack right away, if the last checkpoint is not older than 30 days. if the attacker cheats on these principles, his chain would be false and rejected by the rest of the network.

let’s say the attacker included a valid transaction to himself with a timestamp after the last checkpoint. then his coinage is still lost for some time, depending on how frequent the checkpoints are.
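
The duplicate-stake rules described in the post above, as a small Python model. This is an added example, not part of the original post and not Peercoin's code: the class and field names and the block and stake ids are hypothetical, and it only tracks which blocks a node accepts, without any best-chain selection.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    block_id: str  # constructed block id
    prev: str      # id of the predecessor block
    stake: str     # id of the staked output (constructed)

class Node:
    def __init__(self, genesis):
        self.chain = {genesis}    # ids of accepted blocks
        self.seen_stakes = set()  # stakes already used by accepted blocks
        self.orphans = {}         # missing parent id -> remembered block

    def receive(self, b):
        if b.prev not in self.chain:
            self.orphans[b.prev] = b  # no previous block yet: remember it
            return "remembered"
        if b.stake in self.seen_stakes and b.block_id not in self.orphans:
            return "discarded"        # duplicate stake and nothing builds on it
        self._accept(b)
        return "accepted"

    def _accept(self, b):
        self.chain.add(b.block_id)
        self.seen_stakes.add(b.stake)
        child = self.orphans.pop(b.block_id, None)
        if child is not None:         # insert the remembered successor as well
            self._accept(child)

def demo():
    node = Node("G")
    results = [
        node.receive(Block("A1", "G", "stake-1")),
        node.receive(Block("A2", "G", "stake-1")),   # same stake, no successor
        node.receive(Block("C", "B2", "stake-3")),   # parent B2 not seen yet
        node.receive(Block("B1", "A1", "stake-2")),
        node.receive(Block("B2", "A1", "stake-2")),  # duplicate, but C builds on it
    ]
    return results, sorted(node.chain)

if __name__ == "__main__":
    print(demo())
```

With in-order delivery the second block on a stake is always dropped (A2); the duplicate B2 is only admitted because its successor C arrived first, which is the partition case the post describes.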

welcome. i read through the code yesterday to help out with this kind of questions :slight_smile:

you are right, the consumed coinage lowers the difficulty for the hash algorithm. for PoW there goes a variable nonce to the hash. in contrast PoS depends on the coinage (in seconds) that changes once a second.

the coinage is calculated per incoming transaction in your wallet (older than 30 days) every second. for every transaction a hash is calculated and compared to the target. this explains why only part of your coins took part in the minting.

I’m glad that I’ve been pointed to this thread. It helped me understand a bit more.

@czarly

I’d be glad if you did join the discussion at https://bitcointalk.org/index.php?topic=326216.0
I bet you can bring this discussion to a whole new level :slight_smile:
…I tried to counter the user named “Hazard”'s accusations the best I could. But I doubt it was enough…

I read the thread over there and found you did a pretty good job. Maybe we could make some kind of mathematical model to be able to simulate different attacks that have been discovered on PoS or PoW like they did in the paper for the 25% attack on bitcoin. It’s always a game of probabilities and they can be calculated to be verifiable once and for all. Let’s say, we start with: how big is the chance that a forked PoS chain becomes the main chain when the attacker has 3% of the coinage available? There are far more variables in PPC than in BTC. Not to forget the variable difficulty.

You elaborated on this exact question in your last post, but we have to find things like maximums and minimums. Too bad I didn’t study mathematics, but I have a friend that did and he will visit me this week :slight_smile:

I am thinking about this PoS and will probably invest in peercoin but I just started to research it. I tried to calculate how much double spend would roughly cost with what I know.

  1. Let’s assume there is X PPC coins as total supply
  2. X*60 = total coindays per 90 days (first 30 days are not counting?)
  3. X*60/90/24/6 = X*0,00462963 coin-days per block - (average if no coinday is wasted)
  4. 0.462963/60 = 0,0000771604938 (0,00771604938%) - amount needed of total supply to sign block

Now if we assume the network is completely maintained with PoS (which at some point it should be) and if we assume market cap of:

  1. 10 000 000$ - ~771.604$ needed to verify block * 6 = 4629,629628$
  2. 10 B$ - ~771 604$ needed to verify single block * 6 = 4 629 629.628$

So 5M$ (0.05%) would roughly be enough to create 6 blocks in secret when market cap is 10B$.
In order to create secret block chain for 1 day it would be 111 111 111.072$ or 1.1%

This is a very rough assessment as I can’t count other factors in, but I noticed that for security reasons a long confirmation time might be a solution? And as peercoin is not built for high transaction volume that might be ok from the user side, to wait a whole day or more for confirmation. That could give superb security, and for online purchases ppl would use currencies built upon peercoin? Eventually even government currencies might be backed by something like this as $ was with gold…

Very interesting Petar87, it further backs my thoughts of Peercoin being very thoroughly thought through (wow lots of ou’s).
Peercoin already has long confirmation blocks, averaging 10min/block, and assuming 6 confirmations sounds very safe to me. But maybe we need even longer for larger transactions?

BTW the first 30 coin age days are not counting, but you can still accumulate 90 coin days per PPC.

Slightly off topic:
Not being in mathematics, can we calculate with your assumptions how many PPC on average you need to create a block?
Or are we missing the variable PoS difficulty in here? Or am I supposing here something which isn’t true?

I took your item 4 (amount needed of total supply to sign block).
Assuming 21m PPC * 0.0077 = 161,700 coin days.
Maximum coindays per PPC = 90, so 161,700/90 = ~1796 PPC (with maximum 90 day coin age).

So you would require 1796 PPC with 90 coin age before you can create a block. True or false?

Edit: oops lost a few zeros, ehh no got it right. Mathematics…

Hm I was wrong on some facts, coins do mature during the first 30 days, you just can’t use them for minting. My rough estimate is like a worst-case scenario taking into account that nobody does transactions and there is no waste of any coindays.
I was unable to find how the PoS difficulty mechanism exactly works but I read that 200cd are twice as likely to find a block than 100cd and I will assume this is true.
So if no coinday is ever wasted and if all blocks are PoS then
21M*90/90/24/6 = 145833,33 cd/per block
would be required on average if I didn’t miss something out?
Now in reality how many coindays are wasted and what is PoW PoS ratio should be possible to calculate from block-chain.

Ok, sounds good to me. So given the 145833.33 cd and assuming no coindays are lost (static account), this account would create a block with near 100% certainty in that 90 day period.

But we are still missing something in the equation here. Proof of Stake difficulty, PoS/PoW ratio as you said and maybe number of blocks generated (but the latter is fairly static at 6 an hour).

I think we need someone to dive into code for PoS difficulty mechanism and some statistician to work through blockchain and extract PoW/PoS ratio at a given time.

I can provide data that, at least on the surface, appears to back up your assertions.

On 12/29 I solved a proof of stake block and generated 3.76 PPC. If I inspect my local logs and the block chain, here’s the calculation that I come up with:

Money Supply on 12/29/2013 (from the block immediately after the found PoS block) = 20982317.727611 PPC
Difficulty of PoS Block Solved: 6.349

20982317.727611 * 90 / 90 / 24 / 6.349 = 137700.93536784664 coin days per block


My rough calculations, given the age of the coins that were held in stake for that solved block, 3699.99 PPC, was 137498.23 cd. For me, that’s well within the margin of error that I can attribute to using rough date calculations vs. the actual UNIX epoch time stamps for each of the staked transactions.

It also meshes with the output of a spreadsheet I created to give me an idea of how much PoS would pay out given a specific staked amount of PPC and the age of the coins included in that stake. 299.3 PPC was 40 days old and the rest, 3400.69 PPC, was 37 days old.

Very interesting work, Petar87 and Cybnate. Thanks for sharing!