Cold storage minting proposal

What about minting from a multisig address? (ex: 2-of-2)
-if done locally, a hacker would have to hack 2 machines to steal coins
-if done on a pool, no pool could reach 51% because the worst case scenario is 2 pools with 50% each (very unlikely anyway) and no pool could be more than 50% (and only if everyone uses that pool)
==> the user would be very careful of pools colluding as he may lose his coins (rather than just an entity hitting 51%):
in this scenario we align the tragedy of the commons of the 51% attack with loss of coins

Yes, my suggestion should solve this, giving more incentive on fewer minters.

If this idea is not implemented as a voluntary option, some big stake owner may get very unhappy.

Some people have expressed fears that completely safe minting would lead to the emergence of pools and the centralization of the network. I think this is taking the issue from the wrong end. Here is how I see things.

Why are pools desirable? Because it is too hard for small PPC owners to earn interests through solo block minting.

How do we make it easier? We can give interest to anybody who destroys coin-days in a regular transaction. E.g.: if I buy something for 50 PPC with a 1-year-old 100 PPC output, I will get 51 PPC as change (I get 1 extra PPC).

Doesn’t it impact security? Not directly, since as far as I know, coin-days destroyed in regular (not coinstake) transactions also contribute to determining the longest chain.

How to make sure people will constantly be securing the chain? We could cap interest at 1%. E.g.: if I keep 100 PPC for half a year, I get 0.5 PPC as interest, 1 PPC for a year, but still 1 PPC for 2 years. This way people have to move their coins regularly to maximize profit, which results in a more secure network. Between transactions, coins can be kept offline in cold storage.

How to make sure stakeholders will keep minting blocks (processing transactions) if it does not give any benefit? This is the trickiest point for me. What is sure is that minting should at least be perfectly safe, as there is nothing to be gained from it (well, except a warm feeling in your belly). So this is where cold minting comes in.

I’m not really happy about the last point, but it seems to me that rewarding block minters inevitably creates incentives to form pools, as not everybody can be a block minter (unless you use an insane block frequency). In defence of my proposal though, altruistic computing projects like Folding@Home or World Community Grid seem to do fine, even though they only rely on goodwill.
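The capped coin-days interest rule sketched in the post above, worked through in Python as an added example (mine, not the poster's or any Peercoin code). The 1% rate, the one-year cap and the 100 PPC / 50 PPC / 51 PPC figures come from the post; the assumption that interest is linear in coin age below the cap, and the two-year strategy comparison, are my additions.

```python
# Added example: capped coin-days interest as described in the post above.
# Assumptions (mine, not the post's): interest is paid linearly in coin age
# up to a cap of one year (365 days) at a 1% annual rate, and is paid out as
# extra change whenever an output is spent in a regular transaction.

RATE = 0.01        # 1% per year, from the post
CAP_DAYS = 365     # coin age beyond this earns nothing extra


def capped_interest(amount, age_days, rate=RATE, cap_days=CAP_DAYS):
    """Interest earned by destroying `age_days` coin-days of `amount` coins.

    Linear in age up to `cap_days`; age past the cap is simply wasted.
    """
    if amount < 0 or age_days < 0:
        raise ValueError("amount and age must be non-negative")
    effective_days = min(age_days, cap_days)
    return amount * rate * effective_days / cap_days


def change_output(input_amount, spend, age_days):
    """Change returned when `spend` is paid from an output of `input_amount`
    that is `age_days` old: the unspent remainder plus the interest earned."""
    if spend > input_amount:
        raise ValueError("cannot spend more than the input")
    return input_amount - spend + capped_interest(input_amount, age_days)


def interest_over_period(amount, total_days, move_every_days,
                         rate=RATE, cap_days=CAP_DAYS):
    """Total interest earned on `amount` over `total_days` if the coins are moved
    (spent back to yourself) every `move_every_days` days, with a final move at
    the end. No compounding: reinvested interest is ignored to keep it plain."""
    if move_every_days <= 0:
        raise ValueError("move interval must be positive")
    moves, remainder = divmod(total_days, move_every_days)
    earned = moves * capped_interest(amount, move_every_days, rate, cap_days)
    if remainder:
        earned += capped_interest(amount, remainder, rate, cap_days)
    return earned


if __name__ == "__main__":
    # The post's own numbers: 100 PPC, one year old, spend 50 -> 51 PPC change.
    print("change:", change_output(100, 50, 365))
    # Why the cap pushes people to move coins: same 2-year window, different habits.
    for interval in (730, 365, 90):
        print(f"move every {interval:>3} days over 2 years:",
              round(interest_over_period(100, 730, interval), 4), "PPC")
```

Running it shows the incentive the post describes: over two years, moving the coins at any interval up to the cap earns 2 PPC on 100 PPC, while leaving them untouched for the whole period earns only 1 PPC.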

This is a great point that deserves some attention. In the future, most users will not have enough peercoin to justify attempting to solo mint. It would take too long to find a block if the stakeholder only has 2 PPC (which could still be a large amount of USD).

Perhaps we need, instead, a mechanism that allows for and encourages pools (!!) but somehow limits them to x% of the total participating minting coins on the network.

Unfortunately I don’t think there is any way to know who’s hiding behind a coinstake transaction…

Does anyone think it’s possible to mint with multisig? (2+ keys required to mint)

Sigmike’s proposal uses multisig. It is probably the leading proposal at this point.

I am very concerned with this approach because I think many wallets and third party services will start using multisig this year and in the immediately coming years to enhance security against unauthorized, undesired and unintended spending.

Multisig can work for cryptocurrency spending like 2FA (Two Factor Authentication) works to protect password access to various web services, which is a big giant advance in security. So, I am very concerned that we could adapt multisig for minting and then find some really cool advances coming that Peercoin can’t use because our multisig minting use might block.

So far as I can tell, whether multisig minting would block, or have a work around or be no factor, will always in the future be a concern if we use multisig for minting.

So, I am very concerned that we could adapt multisig for minting and then find some really cool advances coming that Peercoin can't use because our multisig minting use might block.

I could be mistaken, but it was my understanding that in sigmike’s proposal that a type of multi-sig address was used, but it was an extension of the current multi-sig implementation. If that’s true, then I don’t see an impact to future developments that use “standard” multi-sig addresses.

If I got it right, sigmike talks about 2 keys (a regular key and a minting key). The issue is that lack of care of the minting key could lead to centralization (ex: pools). My suggestion would be to have a multisig minting key to avoid that issue (so 2 minting keys + regular key(s)).

It’s feasible but it requires a lot of work to make the two clients automatically sign the same block. Right now there’s nothing in the protocol that would help us do that.

It requires almost the same work as making multisignature spending automatically work. The problem is getting the signature from the keys you don’t have. I think Bitcoin didn’t solve that either.

One way to solve this would be to allow the propagation of partially signed blocks.

But I don’t understand how this would be beneficial for minting.

If you gave your minting key to someone else and want to revoke the right to mint, you can just move your coins with your spending key.

If you are able to run a second client 24/7 to verify the other’s blocks then why don’t you just do the minting yourself on this client?

In my proposal the minter cannot spend the reward so there’s no risk of stealing that multisig could prevent.

The spending key is different though. It’s not very difficult to allow the spending key to be a multisignature address.

The third party services may have to adapt their software though.

-if done locally, a hacker would have to hack 2 machines to steal coins
-if done on a pool, no pool could reach 51% because the worst case scenario is 2 pools with 50% each (very unlikely anyway) and no pool could be more than 50% (and only if everyone uses that pool)
==> the user would be very careful of pools colluding as he may lose his coins (rather than just an entity hitting 51%):
in this scenario we align the tragedy of the commons of the 51% attack with loss of coins for the user

note: I’m talking about multisig for a private key; in this model there is no minting-only key, to avoid centralization issues, but still people may use pools without reducing security too much (as the user needs to use at least 2 pools)

-if done locally, a hacker would have to hack 2 machines to steal coins
-if done on a pool, no pool could reach 51% because the worst case scenario is 2 pools with 50% each (very unlikely anyway) and no pool could be more than 50% (and only if everyone uses that pool)
==> the user would be very careful of pools colluding as he may lose his coins (rather than just an entity hitting 51%):
in this scenario we align the tragedy of the commons of the 51% attack with loss of coins for the user

note: I’m talking about multisig for a private key; in this model there is no minting-only key, to avoid centralization issues, but still people may use pools without reducing security too much (as the user needs to use at least 2 pools)[/quote]

Ok this is a new proposal not related to mine. That’s what I didn’t understand.

Indeed being able to mint from 2 computers with multisig would significantly improve security compared to the current situation. It’s not “cold wallet” security, but certainly good enough for the people who can run 2 clients at different locations. And it can be done while still implementing cold minting. But the amount of work required is much more important, and there are many different ways to achieve that. It should be done so that it’s not too much of a hassle for the users and does not bloat the network traffic.

We can also just allow multi-signed PoS blocks in the client and let people figure out how to multi-sign their blocks.

Aligning 51% risk with loss of coins is interesting but I’m not sure it’s a good thing. It looks like removing a security barrier to make people more cautious. And the incentive for pools to collude is huge. Would people be able to find 2 trustworthy enough pools to send them their multisig private keys?
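The two points argued above, superppc’s claim that with 2-of-2 minting keys no single pool can reach 51% because every user must involve two holders, and sigmike’s worry that the incentive for two pools to collude is huge, can both be measured on the same toy model. The following is an added example written for this page, not code from any participant or from Peercoin: users, stakes and pool names are constructed, and the model assumes each user’s minting key is a strict 2-of-2 multisig whose two shares sit with two named holders (a pool or the user’s own machine).

```python
# Added example: measuring pool power under 2-of-2 multisig minting.
# Constructed data and simplified model, not from the thread: each user's
# minting key is a 2-of-2 multisig whose two shares sit with two "holders"
# (a pool, or the user's own machine). A block for that user's stake can
# only be signed when BOTH holders cooperate.
from collections import Counter
from itertools import combinations

# (user, stake in PPC, holders of the two key shares) -- constructed sample
SAMPLE_USERS = [
    ("alice", 1000, ("poolA", "poolB")),
    ("bob",    500, ("poolA", "poolC")),
    ("carol",  300, ("poolB", "poolC")),
    ("dave",   200, ("dave-pc", "poolA")),   # one share stays on dave's own machine
    ("erin",  2000, ("poolA", "poolB")),
]


def tally(users):
    """Return (total stake, stake signable by one holder alone, stake per holder pair)."""
    total = 0
    alone = Counter()   # a holder with both shares can sign by itself
    pairs = Counter()   # stake that needs this exact pair of holders
    for _, stake, (a, b) in users:
        total += stake
        if a == b:
            alone[a] += stake
        else:
            pairs[frozenset((a, b))] += stake
    return total, alone, pairs


def max_single_holder_share(users):
    """Largest fraction of stake any ONE holder can mint with on its own.
    Under strict 2-of-2 with distinct holders this is zero: superppc's point."""
    total, alone, _ = tally(users)
    return max(alone.values(), default=0) / total


def holder_participation(users, holder):
    """Fraction of stake for which `holder` holds one of the two shares, i.e. the
    share of blocks it must take part in (and can therefore withhold)."""
    total, alone, pairs = tally(users)
    involved = alone[holder] + sum(s for pair, s in pairs.items() if holder in pair)
    return involved / total


def max_colluding_share(users):
    """Largest fraction of stake any TWO holders could mint with if they collude:
    sigmike's concern that the collusion incentive is huge."""
    total, alone, pairs = tally(users)
    holders = set(alone) | {h for pair in pairs for h in pair}
    best = 0.0
    for x, y in combinations(sorted(holders), 2):
        share = (alone[x] + alone[y] + pairs[frozenset((x, y))]) / total
        best = max(best, share)
    return best


if __name__ == "__main__":
    print("single holder alone:", max_single_holder_share(SAMPLE_USERS))     # 0.0
    print("poolA involved in:", holder_participation(SAMPLE_USERS, "poolA"))  # 0.925
    print("best colluding pair:", max_colluding_share(SAMPLE_USERS))          # 0.75
```

On the constructed sample no pool can sign anything alone, which is the property superppc is after, but poolA holds a share for 92.5% of the stake and the two most popular pools together could mint with 75% of it, which is the collusion risk sigmike raises. A monitoring view like `holder_participation` is the kind of check a user choosing pools would want before trusting the "at least 2 pools" argument.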

Being able to mint from 2 computers using multisig, does it work similarly to, say, minting with half a key from one location and the other half from the other location?

Would people be able to find 2 trustworthy enough pools to send them their multisig private keys?

What if you can give one half of your keys to one and the other half to the other, and make sure they both don’t know each other (and make some way they will never learn of each other’s existence)?

The thing is there are 2 risks:
a) for the user: to lose the coins
b) for the coin in general: 51% attack

minting-only key is good for a) but bad for b)
private key only (like now) is good for b) but bad for a) [with the indirect result that few people mint, so also bad for b)]
multisig private key is average for both a) and b) (which may be the optimal combination)

Imagine using a 2-of-2 private key for minting, one is kept on your everyday computer and the other one on a pool/online wallet:
-if you have malware on your computer it’s no problem as there is just 1 key there
-if the pool goes crazy no problem as they just have 1 key too

[quote=“superppc, post:114, topic:2336”]Imagine using a 2-of-2 private key for minting, one is kept on your everyday computer and the other one on a pool/online wallet:
-if you have malware on your computer it’s no problem as there is just 1 key there
-if the pool goes crazy no problem as they just have 1 key too[/quote]

However you still have to keep your computer on at all times.

By the way, isn’t pool-minting dangerous for the pool as well? If the pool charges a minting fee, the pool could be cheated if the owner of the “winning output” broadcasts a solo-minted block before the pool broadcasts its own, thus denying the pool its cut. This incentivizes a form of double minting.

Then pools may have to charge the customer directly, no big deal as their marginal cost is close to zero (it’s pure profit for them). It could even be a small monthly fee, for example.

[quote=“superppc, post:114, topic:2336”]The thing is there are 2 risks:
a) for the user: to lose the coins
b) for the coin in general: 51% attack

minting-only key is good for a) but bad for b)
private key only (like now) is good for b) but bad for a) [with the indirect result that few people mint, so also bad for b)]
multisig private key is average for both a) and b) (which may be the optimal combination)[/quote]

This is very simplified.
I disagree that a minting-only key is bad for b). By making minting 100% safe it will bring in a lot of new minters and that is good for b). Even providers are good because they bring people who can’t run a client 24/7. As I explained before I don’t believe the providers will grow enough to be a concern. Most people will just run their own client, and the others will not choose a provider based on its size, so the vicious circle that inevitably leads to ever bigger providers does not exist.

[quote=“superppc, post:114, topic:2336”]Imagine using a 2-of-2 private key for minting, one is kept on your everyday computer and the other one on a pool/online wallet:
-if you have malware on your computer it’s no problem as there is just 1 key there
-if the pool goes crazy no problem as they just have 1 key too[/quote]

Who is choosing the transactions to be included in the block?
If it’s only the pool then from the network security point of view it’s equivalent to giving the pool your minting abilities.
If your own client verifies the transactions then you risk rejecting blocks because of lag. It’s equivalent to solo minting with an additional chance of missing some blocks.

And you still have the risk of both being compromised. It may be a very small risk, but for people holding a large amount of peercoins I think it would still be too high. And those are the people who would help secure the network the most.

Sigmike, in the v0.5 cold minting feature you’re working on, does the holder of the minting key control the generated newly-minted coins, to discourage (but not prevent) pool formation? Is there somewhere we can read details on the solution you and Sunny are implementing? Thanks!

[quote=“sigmike, post:117, topic:2336”]This is very simplified.
I disagree that a minting-only key is bad for b). By making minting 100% safe it will bring in a lot of new minters and that is good for b). Even providers are good because they bring people who can’t run a client 24/7. As I explained before I don’t believe the providers will grow enough to be a concern. Most people will just run their own client, and the others will not choose a provider based on its size, so the vicious circle that inevitably leads to ever bigger providers does not exist.[/quote]

Why should they run their own client if there is a free pool that runs 24/7 and there is 0 risk of losing coins? There is no guarantee a single pool will not hit 51%, just like ghash did for BTC.

[quote=“superppc, post:119, topic:2336”][quote=“sigmike, post:117, topic:2336”]This is very simplified.
I disagree that a minting-only key is bad for b). By making minting 100% safe it will bring in a lot of new minters and that is good for b). Even providers are good because they bring people who can’t run a client 24/7. As I explained before I don’t believe the providers will grow enough to be a concern. Most people will just run their own client, and the others will not choose a provider based on its size, so the vicious circle that inevitably leads to ever bigger providers does not exist.[/quote]

Why should they run their own client if there is a free pool that runs 24/7 and there is 0 risk of losing coins? There is no guarantee a single pool will not hit 51%, just like ghash did for BTC.[/quote]

Holding the minting key won’t mean you will get the reward as it can be sent to some other address. Each pool will have to explicitly claim fees from users, and they will most probably have to be paid in advance. That might be a show stopper for most people.

But pools might be needed for small stakeholders as described there: http://www.peercointalk.org/index.php?topic=3029