Cold storage minting proposal

[quote=“superppc, post:139, topic:2336”]I now understand sigmike’s strategy; it’s counterintuitive and brilliant:

- Intuitively it seems that a mint-only key with no risk to the user (as no coins can be spent with it) could lead to pool centralization, as users are not too worried about giving that key to a pool (no risk).
- However, for that same reason (coins can’t be accessed with the mint key), pools can’t “pool” the money of users to reduce variance, removing the main incentive for pools to become big (the main issue with BTC).
- So people may just use small pools, virtual servers, their own computer, a Raspberry Pi, etc., with no fear of hacking and no desire to go to the biggest/most reliable/safest pool, and so PPC stays decentralized.

I’m impressed; what is the ETA for this to be released?[/quote]

I think the reasons you stated about avoiding large pools, and thus centralization, are not trustless.
I mean that it is up to pool owners to reject new private keys and up to users to select the smaller pools.
I wish I were mistaken, but the risk still exists if an attack is plausible with the majority of minting coins belonging to different addresses.

[quote=“seki, post:141, topic:2336”]I think the reasons you stated about avoiding large pools, and thus centralization, are not trustless.
I mean that it is up to pool owners to reject new private keys and up to users to select the smaller pools.
I wish I were mistaken, but the risk still exists if an attack is plausible with the majority of minting coins belonging to different addresses.[/quote]

It’s more about the user not having an incentive to go for the big pool, as there is no benefit for him in doing so.

The cold minting key also has another benefit; in proof of stake there is another issue:
https://bitcointalk.org/index.php?topic=694436.0
Making minting safe and easy will reduce the number of coins stored on exchanges, thereby reducing the risk of a hack that could compromise the network.
Another benefit for PPC is that, since it is the oldest PoS coin, it has the best distribution of PoS coins and so is less likely to have a very large number of coins stored in an exchange.

If a MintPool can’t extract coins from the minting process, the MintPool has to monetize the operation in another way. Likely the MintPool will charge a fee for the mint service. Since 1% interest isn’t that much, the fee can’t really be that high, and therefore the MintPool has to be very large to be able to finance its operations (which, besides a couple of Raspberry Pis :wink:, also means marketing, maintenance staff, support desk, etc.). A MegaMintPool will be harder to compete against than a SmallMintPool, which will probably have to charge higher fees. A few very large SuperMintPools will emerge. The tragedy of the commons has it that people are shortsighted. Yes, people have a stake in peercoins, but from the looks of it people still don’t have any issues with pooling their coins on a few big exchanges. To make matters worse, they even forfeit their minting reward just so that they can expose themselves to the risk of centralization.

People are stupid. I would know… I have peercoins on an exchange as well (not all of them, but together with all the other stupid people there is too much in there). :stuck_out_tongue:

I’m not sure things will play out like this. But there is a potential here that they could. Perhaps we could add an incentive to mint without a minting key: 1% without it, 0.7% with a minting key?

I still believe there is insufficient economic incentive for pool owners so long as they have no spending control over stakes or rewards. As you point out, a fraction of 1% is not an exciting margin for building a successful business. The problem with the idea of pools charging a small “minting fee” in advance is that pool owners are easily vulnerable to abuse by stakeholders who will use enhanced wallets to predict the precise second they will likely mint and therefore they will only “lease” very narrow segments of “minting time” in the pool. If the stakeholder happens to be unlucky, he will blame the pool. Administrative/accounting costs and customer service issues will quickly outstrip the meager revenues from minting fees.

The only (small) drawback I see to the current cold-minting solution as designed by SigMike is that it still allows for free (i.e. “no fee”) or even >1% return minting pools to attempt to attract stakes for malicious purposes. These pools could pay an even higher premium for specific stakes which they predict will win them consecutive blocks. I say this is a “small” problem, however, because I believe it can be effectively countered by general public-awareness to not give out minting keys and that such pools can be easily identified and targeted by the larger community.

Nevertheless, I do think that reducing variance is an important factor in increasing participation. I believe there is at least a partial solution to this problem through promotion of a more narrow distribution of coin-age used in successful blocks. The effect will be that stakeholders will be better able to predict whether minting will be worthwhile for them at any given time. If, for example, most blocks are minted with ~60k coin-day stakes, people with smaller (and larger) stakes will be persuaded toward other forms of investment. This pertains to an idea discussed in another thread about improving the overall security-quality of blocks. Unfortunately, the discussion sort of fizzled, so I will now shamelessly quote myself here in the hope that people smarter than me can identify the flaws with this proposal and/or offer improvements:

If anyone has comments on this idea, please add to the original thread.

Otherwise, carry on - and thanks for reading!

I’ve not thought about this. Very good point.

I have read several times this thread and my personal opinion is that the solution proposed (by sigmike) looks very nice.
The only drawback that I see is that one particular minting provider could accumulate a lot of minting stake if that particular provider is able to convince plenty of holders to give him or her their minting keys.
But as explained by sigmike, the economics are against such a phenomenon, contrary to bitcoin.

However, I fail to understand the difference between accumulating a minting stake (1) and actually holding the coins (2).
In (1) you are not able to reduce the variance of the probability of finding blocks, whereas in (2) you are.
But somehow (1) can harm security if the stake becomes large.
So, does it mean that (1) implies that there is another way to compromise security than finding blocks?

Sorry. I do not fully understand the mechanics of Peercoin or more generally the features of a blockchain.

EDIT: typo

cryptog1 - I’ll admit I’m having a little trouble understanding your exact question, but hopefully this summary of the issue will provide clarity:

  1. Stakeholders are afraid to mint under the current protocol because, by necessity, their private keys must be contained in computer memory in order to sign a block at the appropriate time.

  2. The proposed protocol change will introduce two separate keys: one that can only sign blocks (coinstake transaction) and another that is required for all other spending transactions.

  3. Under the new protocol, stakeholders will be able to “unlock for minting” without any risk of having their private spending keys exposed.

  4. The fundamental problem with minting-only keys, however, is that these keys can be shared with others (e.g. with minting pools) without risk to the stakeholders.

  5. Unlike the rewards in mining pools, however, minting rewards will never fall under the control of pool owners because the owners will not have access to the private spending keys. Without the capacity to spend rewards, pool owners have no ability to reduce variance by distributing rewards across the entire pool. Thus, while pools are free to exist (and may in some cases even be helpful), the lack of variance reduction means there is no pressure toward centralization as there is in traditional mining.

  6. Still, because stakeholders theoretically have no risk in freely sharing their minting-only keys, they may decide it is worthwhile to share these keys indiscriminately with the entire world in the hope that someone else will mint their reward for them.

  7. Here, however, the additional protocol change to reject any two or more blocks with the same stake discourages this behavior because a stakeholder now risks entirely losing an opportunity to mint a block through either coincidental or intentional reuse of the same stake.

…So, if I do understand your question correctly you are confusing the concept of “variance reduction” in regards to the (attacker’s) probability of minting consecutive blocks with the concept of “variance reduction” in terms of the incentive of individual stakeholders to join large pools and create centralization. Yes, sharing minting keys with malicious nodes does increase the probability of these nodes successfully executing attacks… but under the proposed changes, there is NO inherent incentive via “variance reduction” available to individual stakeholders by sharing their minting-only keys.

(Now as a significant additional caveat, even the new protocol changes allow for the possibility of a malicious individual offering to pay large stakeholders for their minting-only keys in order to increase the odds of successfully minting a continuous series of blocks. It may be that this risk is always unavoidable in PoS, but it is also fundamentally weak against general public education to avoid carelessly sharing keys. By definition, anyone offering to pay for minting keys is a bad actor and should be ostracized (and perhaps even proactively assailed) by the overwhelming majority.)

tl;dr: Peercoin is secure now (with checkpoints) and will be more secure in the future (even without checkpoints) when more stakeholders are running their own nodes and minting without risk!
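Point 5 above (and the later question about whether a minting provider "reduces the variance") can be made concrete with a small model. The following is an added example, not code from the post or from Peercoin; it assumes a simplified minting model in which exactly one block is found per slot and the chance that a set of coins finds it is proportional to its share of all actively minting coins (Peercoin's real kernel uses coin-age and a hash target, which this ignores). It compares a stakeholder minting alone, in a pool that holds only minting keys, and in a pool that also controls spending keys and pays members pro rata:

```python
from dataclasses import dataclass
from fractions import Fraction
import random


@dataclass(frozen=True)
class Stakeholder:
    name: str
    coins: int


def block_probability(coins, total_active):
    """Per-slot probability that `coins` find the block.
    Constructed linear-in-coins assumption, not Peercoin's kernel rule."""
    return Fraction(coins, total_active)


def solo_stats(member, total_active, reward=1):
    """Mean and variance of the per-slot reward when minting alone.
    The reward is Bernoulli(p) * reward: mean = p*reward, var = reward^2 * p * (1 - p)."""
    p = block_probability(member.coins, total_active)
    return p * reward, reward ** 2 * p * (1 - p)


def minting_key_pool_stats(member, pool, total_active, reward=1):
    """Pool holding only minting keys. Each block reward is paid to the output that
    found it and the operator cannot move it, so nothing is redistributed: the
    member's reward distribution is identical to minting alone."""
    return solo_stats(member, total_active, reward)


def spending_key_pool_stats(member, pool, total_active, reward=1):
    """Pool that also controls spending keys (mining-pool style). The pool finds a
    block with probability P = sum of members' p_j and pays each member a pro-rata
    share, so the member receives share*reward with probability P."""
    pool_coins = sum(m.coins for m in pool)
    big_p = block_probability(pool_coins, total_active)
    share = Fraction(member.coins, pool_coins)
    return share * big_p * reward, (share * reward) ** 2 * big_p * (1 - big_p)


def simulate(member, pool, total_active, slots, seed=1, reward=1):
    """Monte Carlo check over `slots` block slots with a fixed seed.
    Returns (mean_solo, var_solo, mean_pooled, var_pooled) as floats."""
    rng = random.Random(seed)
    p_member = float(block_probability(member.coins, total_active))
    pool_coins = sum(m.coins for m in pool)
    p_pool = float(block_probability(pool_coins, total_active))
    share = member.coins / pool_coins
    solo, pooled = [], []
    for _ in range(slots):
        u = rng.random()  # one draw decides who wins the slot; member wins => pool wins
        solo.append(reward if u < p_member else 0)
        pooled.append(share * reward if u < p_pool else 0)

    def stats(xs):
        m = sum(xs) / len(xs)
        return m, sum((x - m) ** 2 for x in xs) / len(xs)

    return (*stats(solo), *stats(pooled))


if __name__ == "__main__":
    # Constructed sample: alice holds 100 of 10,000 actively minting coins and joins
    # a pool of 1,000 coins. Both pool types leave her expected reward unchanged;
    # only the spending-key pool lowers her variance.
    alice = Stakeholder("alice", 100)
    pool = [alice, Stakeholder("bob", 300), Stakeholder("carol", 600)]
    print("solo           :", solo_stats(alice, 10000))
    print("minting-key pool:", minting_key_pool_stats(alice, pool, 10000))
    print("spending-key pool:", spending_key_pool_stats(alice, pool, 10000))
    print("simulated       :", simulate(alice, pool, 10000, 200000))
```

With the sample numbers the expected reward is 1/100 per slot in all three cases; the spending-key pool cuts the variance from 99/10000 to 9/10000, while the minting-key pool changes nothing, which is exactly why it offers no economic pull toward the largest pool.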

[quote=“learnmore, post:148, topic:2336”]cryptog1 - I’ll admit I’m having a little trouble understanding your exact question, but hopefully this summary of the issue will provide clarity:

  1. Stakeholders are afraid to mint under the current protocol because, by necessity, their private keys must be contained in computer memory in order to sign a block at the appropriate time.

  2. The proposed protocol change will introduce two separate keys: one that can only sign blocks (coinstake transaction) and another that is required for all other spending transactions.

  3. Under the new protocol, stakeholders will be able to “unlock for minting” without any risk of having their private spending keys exposed.

  4. The fundamental problem with minting-only keys, however, is that these keys can be shared with others (e.g. with minting pools) without risk to the stakeholders.

  5. Unlike the rewards in mining pools, however, minting rewards will never fall under the control of pool owners because the owners will not have access to the private spending keys. Without the capacity to spend rewards, pool owners have no ability to reduce variance by distributing rewards across the entire pool. Thus, while pools are free to exist (and may in some cases even be helpful), the lack of variance reduction means there is no pressure toward centralization as there is in traditional mining.

  6. Still, because stakeholders theoretically have no risk in freely sharing their minting-only keys, they may decide it is worthwhile to share these keys indiscriminately with the entire world in the hope that someone else will mint their reward for them.

  7. Here, however, the additional protocol change to reject any two or more blocks with the same stake discourages this behavior because a stakeholder now risks entirely losing an opportunity to mint a block through either coincidental or intentional reuse of the same stake.

…So, if I do understand your question correctly you are confusing the concept of “variance reduction” in regards to the (attacker’s) probability of minting consecutive blocks with the concept of “variance reduction” in terms of the incentive of individual stakeholders toward centralization. Yes, sharing minting keys with malicious nodes does reduce the probability of these nodes successfully executing an attack… but under the proposed changes, there is NO inherent “variance reduction” available to individual stakeholders by sharing their minting-only keys.

(Now as a significant additional caveat, even the new protocol changes allow for the possibility of a malicious individual offering to pay large stakeholders for their minting-only keys in order to increase the odds of successfully minting a continuous series of blocks. It may be that this risk is always unavoidable in PoS, but it is also fundamentally weak against general public education to avoid carelessly sharing keys. By definition, anyone offering to pay for minting keys is a bad actor and should be ostracized (and perhaps even proactively assailed) by the overwhelming majority.)

tl;dr: Peercoin is secure now (with checkpoints) and will be more secure in the future (even without checkpoints) when more stakeholders are running their own nodes and minting without risk![/quote]

Thanks a lot for your detailed explanation, which I think sums up very well the features of the cold minting mechanism envisioned.

I believe my definition of “variance reduction” is a bit imprecise or incorrect.
To me “variance reduction” is basically increase of the probability of getting a reward (better to get say 10% of the rewards with 50% probability than 100% of the rewards with 1% probability).

So I would reformulate my question as follows.
Let us say that there is an individual node that does not want to mint on its own machine.
This node decides to lease its minting key to a minting provider.
By doing so, does this node increase its probability of getting a reward?
In other words, between minting on its own and minting via a provider, which way would give the most rewards to the node?
If the reward is the same, I would say that the minting provider does not reduce the variance. Consequently, in such a case, as has been explained in this thread, economics cannot be a factor in a hypothetical minting centralization.

In short, no. To explain further, by “node,” I think you mean “stakeholder.” In any case, the probability of reward for any given set of coins is directly proportional to the amount of time the set of coins is actively included in minting. So if the stakeholder does not want to run a private node, he/she can give the keys to someone else who is willing to run a node continuously. In this case, the stakeholder does increase the probability of reward insofar as the amount of time the coins are actively included in minting effectively increases.

In short, neither. The stakeholder’s reward is strictly related to time. It happens exactly the same whether it is minted on his/her own computer or a provider’s.

True.

[quote]In short, no. To explain further, by “node,” I think you mean “stakeholder.” In any case, the probability of reward for any given set of coins is directly proportional to the amount of time the set of coins is actively included in minting. So if the stakeholder does not want to run a private node, he/she can give the keys to someone else who is willing to run a node continuously. In this case, the stakeholder does increase the probability of reward insofar as the amount of time the coins are actively included in minting effectively increases.

In short, neither. The stakeholder’s reward is strictly related to time. It happens exactly the same whether it is minted on his/her own computer or a provider’s.

True.[/quote]

Thanks a lot for the clarification.
But instead of leasing its minting key, let us say that the stakeholder leases its spending key to the provider.
In that case, my understanding is that the provider becomes a pool: there is a reduction of the variance of the probability of getting a reward for the stakeholder, which would imply that such a reward would not be only a function of time, contrary to the case in which only the minting key is leased.
Would you confirm that?

Now the only issue that comes up with such a minting key proposal is the hypothetical dangerous accumulation of a big stake by a provider, despite your bullet 7) (by the way, it is difficult for me to see that 7) could represent a counter-incentive, since the provider has no incentive to mint twice with the same minting key, as the reward goes to the spending key, unless the provider wants to somehow sabotage the stake).
In such a situation, my understanding is that the provider could 51%-attack the network… Except for going back in time with the checkpoint system, wouldn’t there be any other way to somewhat alleviate the consequences of such an attack? I am wondering about that because the provider would hold only leased stakes, not the real coins themselves.

I have a question: will it be possible to hold several minting keys in our Peercoin wallet?

If yes, does it mean that we could use our “always on” wallet to freely mint for friends for example?

Does it also mean that a nasty pool (competitor, state, etc.) could propose to mint for free and then succeed in reaching the 51% limit in order to harm or destroy the network?

Yes, in this case you are completely handing over your money for someone else to hold. Such a provider would be able to pay monthly “interest” and thereby eliminate variance of reward for the stakeholder. You would have to have 100% trust in this provider. This is not unlike conventional banks or even the current cryptocurrency landscape of major exchanges. The major risk here is not likely to come from the banks or exchanges themselves but from 3rd party hackers obtaining control of the funds. This is where the implementation of multi-sig transactions is also a crucial upcoming development for Peercoin.

Point #7 addresses the concern of stakeholders promiscuously sharing their minting-only keys. Yes, it does not directly discourage sharing the key with a single trustworthy provider, but it does introduce some risk against sharing indiscriminately. If you share your minting-only key with a large number of pools, there is a good chance that you will end up submitting multiple simultaneous (but slightly different) blocks that will end up being rejected by the network. This will especially be the case if a malicious provider has obtained your minting-only key because the block they submit will be intentionally different from the rest. Also, if I had access to your minting-only key, I could watch for you (or your provider) to broadcast a valid block and then sabotage the reward by submitting a duplicate block.

Yes, a nasty pool could offer free minting; however, it is highly unlikely that any such pool could ever grow to 51% because the entry cost for competition is so low. One nasty pool would be competing against every other nasty pool with the same idea. Benevolent pools and techie friends could also offer free minting alternatives as well. As long as there are a healthy number of active nodes on the network, sharing minting-only keys with trusted parties is not an inherent risk and may, in fact, be helpful toward encouraging more users to mint and thereby increasing PoS difficulty. The important point is that without access to minting rewards, large “pools” have no advantages over smaller “pools” and therefore there is no pressure toward centralization.
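The node-side rule behind point 7 (reject blocks that mint with a stake already used by another block) is easiest to reason about as a small piece of bookkeeping. The following is an added example, not Peercoin's code and not from this post; it models the rule as described above, under the assumption that when two distinct blocks minting with the same stake are seen, the node discards both (the "entirely losing an opportunity" outcome), and it also offers a first-wins policy for comparison. Block hashes and outpoints are constructed identifiers:

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Block:
    block_hash: str     # constructed identifier standing in for the block hash
    stake_outpoint: str # "txid:n" of the coinstake input, i.e. the stake being minted


@dataclass
class StakeGuard:
    """Tracks which stake each accepted block minted with and rejects conflicts.

    policy="discard_both": a second, different block using the same stake
        invalidates the first one too, and the stake is refused afterwards.
    policy="first_wins": the first block seen keeps its place; later ones are rejected.
    Both are modelling assumptions, not Peercoin's actual consensus code.
    """
    policy: str = "discard_both"
    seen: dict = field(default_factory=dict)    # stake_outpoint -> block_hash
    burned: set = field(default_factory=set)    # stakes that already conflicted
    accepted: set = field(default_factory=set)  # block hashes currently accepted

    def process(self, block):
        """Return a short verdict string for `block` and update state."""
        stake = block.stake_outpoint
        if stake in self.burned:
            return "rejected: stake already conflicted"
        prior = self.seen.get(stake)
        if prior is None:
            self.seen[stake] = block.block_hash
            self.accepted.add(block.block_hash)
            return "accepted"
        if prior == block.block_hash:
            return "ignored: re-broadcast of an accepted block"
        if self.policy == "first_wins":
            return f"rejected: stake already used by {prior}"
        # discard_both: a second party minted with the same stake; drop both blocks
        # so that neither the stakeholder nor the other key holder collects the reward.
        self.accepted.discard(prior)
        del self.seen[stake]
        self.burned.add(stake)
        return f"rejected: conflicts with {prior}; both blocks discarded"


def replay(blocks, policy="discard_both"):
    """Feed a constructed sequence of blocks through a fresh guard; return the verdicts."""
    guard = StakeGuard(policy=policy)
    return [guard.process(b) for b in blocks], guard


if __name__ == "__main__":
    # Constructed scenario: the owner's own node mints with stake aaa:0 (h1); a second
    # holder of the same minting-only key broadcasts a different block for the same
    # stake (h2); a third party re-uses the stake later (h3); bbb:1 is unrelated.
    sample = [Block("h1", "aaa:0"), Block("h1", "aaa:0"), Block("h2", "aaa:0"),
              Block("h3", "aaa:0"), Block("h4", "bbb:1")]
    for policy in ("discard_both", "first_wins"):
        verdicts, guard = replay(sample, policy)
        print(policy, verdicts, "accepted:", sorted(guard.accepted))
```

Under `discard_both`, sharing the key with several parties costs the stakeholder the block outright as soon as any two of them mint with it, which is the disincentive point 7 relies on; under `first_wins` the stakeholder's own block survives but the duplicate still carries no reward for the copier.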

[quote]Yes, in this case you are completely handing over your money for someone else to hold. Such a provider would be able to pay monthly “interest” and thereby eliminate variance of reward for the stakeholder. You would have to have 100% trust in this provider. This is not unlike conventional banks or even the current cryptocurrency landscape of major exchanges. The major risk here is not likely to come from the banks or exchanges themselves but from 3rd party hackers obtaining control of the funds. This is where the implementation of multi-sig transactions is also a crucial upcoming development for Peercoin.

Point #7 addresses the concern of stakeholders promiscuously sharing their minting-only keys. Yes, it does not directly discourage sharing the key with a single trustworthy provider, but it does introduce some risk against sharing indiscriminately. If you share your minting-only key with a large number of pools, there is a good chance that you will end up submitting multiple simultaneous (but slightly different) blocks that will end up being rejected by the network. This will especially be the case if a malicious provider has obtained your minting-only key because the block they submit will be intentionally different from the rest. Also, if I had access to your minting-only key, I could watch for you (or your provider) to broadcast a valid block and then sabotage the reward by submitting a duplicate block.

Yes, a nasty pool could offer free minting; however, it is highly unlikely that any such pool could ever grow to 51% because the entry cost for competition is so low. One nasty pool would be competing against every other nasty pool with the same idea. Benevolent pools and techie friends could also offer free minting alternatives as well. As long as there are a healthy number of active nodes on the network, sharing minting-only keys with trusted parties is not an inherent risk and may, in fact, be helpful toward encouraging more users to mint and thereby increasing PoS difficulty. The important point is that without access to minting rewards, large “pools” have no advantages over smaller “pools” and therefore there is no pressure toward centralization.[/quote]

Thanks for the additional explanation. That helps a lot.
So now I envision a peercoin network in which large and medium-size stakes will be minting on their own, since using a minting provider offers no advantage for them.
But perhaps small and very small stakeholders could decide to use such providers, because they could think that, since they are not likely to get any interest on their coins, making someone else do the hard work could be attractive for convenience reasons.
They would lease their minting keys to a single provider only, in order to avoid the potential punishment caused by duplication.
The danger here is that a provider could accumulate a lot of small stakes, which could amount to a large global stake.
I am playing the devil’s advocate here, since it seems that there would be plenty of providers out there, given that being a very big provider would not help that much in terms of economies of scale.
So in that particular case, we would need to find a way to give a counter-incentive to small holders so that they would want to mint on their own instead.
It seems that below a stake of 50 PPC, the probability of getting the 1% annual reward is only a few percent.
I saw somewhere that there were some ideas from the development team to make it easier for small holders to get some reward.
If such a mechanism could be implemented, that could make peercoin extremely secure.

I would avoid the term “lease” because the concept doesn’t really apply to how (I believe) minting keys are being designed for Peercoin. Once you’ve given someone your key, they have it forever but also cannot ever directly derive any profit from minting on your behalf. The only way to prevent someone from minting freely on your behalf once you have given them your minting key is to use your secret spending key to move the coins to a new address. Doing so, however, means that you will suffer the negative consequence of losing all your stored coin-age. This is yet another important reason to be very judicious when deciding to share your minting key.

When I use the term “stake” I’m generally referring to distinct, individual Peercoin transaction outputs which a “stakeholder” controls through their wallet and intends to set aside for the purpose of earning a 1% annual reward. This is important because Peercoin minting occurs specifically on the level of these saved “unspent outputs.” Because of this fact, the concept of combining “small stakes” into a “large global stake” sounds a little confusing to me. In fact, neither very many, very small stakes nor very few, very large stakes offers any real advantage to an attacker. The biggest risk comes from a significantly large total amount of coins distributed into enough significantly large individual “stakes” that an attacker’s odds of finding ~6 consecutive blocks is relatively high compared to the rest of the honest minting public.

Yes, lots of ideas have been floated to encourage more distributed minting. Actually, the biggest improvement is likely to come from the implementation of the minting-only keys as we’ve been discussing here! Over time, it may prove unnecessary to make additional adjustments. The good thing is that there are lots of smart people here thinking about these issues in advance, and Sunny King has already proven to be an insightful and meticulous lead developer.

[quote]Once you’ve given someone your key, they have it forever but also cannot ever directly derive any profit from minting on your behalf.[/quote]

I see, it is not “leasing” but “giving away”.

[quote]In fact, neither very many, very small stakes nor very few, very large stakes offers any real advantage to an attacker[/quote]

In that case I am wondering about the danger, from a network security perspective, of such a minting-key sharing mechanism, since I assume that most of the users who would give away their minting key would be very small stakeholders.
In other words, if you cannot somehow combine plenty of small coin-age derived from plenty of small active stakes (accessible because you have access to the minting keys) into a big coin-age, then I fail to understand how that could be a threat to security. It is probably a lack of knowledge of the PoS mechanics on my side though…

[quote]The good thing is that there are lots of smart people here thinking about these issues in advance[/quote]

Yes. I tend to think that the amount of innovation and innovative ideas coming from the Peercoin dev team and community is greater nowadays than that coming from the Bitcoin dev team and community.
I have the feeling that Peercoin is getting more and more decentralized and trustless (from checkpoints to peerbox), whereas Bitcoin is getting more and more centralized and trustful (from CPU mining to mining centralization).
Therefore it seems to me that Peercoin is getting closer and closer to the idea of a P2P trustless decentralized currency system, the original idea of Satoshi…
Of course a lot of work remains in terms of development and marketing, but with hard work I am convinced it will succeed.

In this example of an address holding half a million PPC, the address has thousands of ~150 PPC stakes. It finds 1/4 of all PoS blocks. Because at most one stake can be used in 10 min, this address never runs out of stakes that are fully matured (90 days). It mints 24x7, and by pure chance it finds 6 blocks in a row every few months.
I may have lost track… can the cold storage minting proposal avoid creating pools that can do a similar thing? Will the pool get to make blocks using customers’ small stakes (an average of 150 PPC is pretty small these days)?
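The "6 blocks in a row every few months" figure in the post above follows from a simple run-length calculation, which is worth having as a defender's rule of thumb for how much of the active stake a single key holder (or a provider that has collected many keys) would need before consecutive-block reorganizations stop being rare. The following is an added example, not from the post or from Peercoin; it assumes each block is won independently with probability equal to the minter's share of block production (1/4 in the example) and a 10-minute PoS block interval, and ignores coin-age and maturity effects:

```python
from fractions import Fraction
import random

# Assumed PoS block spacing, taken from the post's "one stake ... in 10min".
BLOCK_INTERVAL_MINUTES = 10


def run_probability(share, k):
    """Probability that the next k blocks are all found by a minter with `share`."""
    return Fraction(share) ** k


def expected_blocks_until_run(share, k):
    """Expected number of blocks until the first run of k consecutive wins in a
    Bernoulli(p) process: (1 - p^k) / ((1 - p) * p^k). Exact, as a Fraction."""
    p = Fraction(share)
    return (1 - p ** k) / ((1 - p) * p ** k)


def expected_days_until_run(share, k, block_minutes=BLOCK_INTERVAL_MINUTES):
    """Same quantity converted to calendar days at the assumed block spacing."""
    return float(expected_blocks_until_run(share, k) * block_minutes / (60 * 24))


def simulate_blocks_until_run(share, k, trials, seed=7):
    """Monte Carlo cross-check: average blocks until a run of k, over `trials` runs."""
    rng = random.Random(seed)
    p = float(share)
    total = 0
    for _ in range(trials):
        streak = blocks = 0
        while streak < k:
            blocks += 1
            streak = streak + 1 if rng.random() < p else 0
        total += blocks
    return total / trials


if __name__ == "__main__":
    share, k = Fraction(1, 4), 6
    print("P(6 in a row) per attempt:", run_probability(share, k))
    print("expected blocks until a 6-run:", expected_blocks_until_run(share, k))
    print("expected days until a 6-run:", round(expected_days_until_run(share, k), 1))
    print("simulated (p=1/2, k=3):", simulate_blocks_until_run(Fraction(1, 2), 3, 20000))
```

For a 1/4 share the expected wait is 5460 blocks, about 38 days at 10-minute spacing, so the post's "every few months" is in the right range; the calculation also shows that, under this model, it is the share of block production that matters, not whether it is held as one large stake or as many small ones.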

Indeed, there is a latent threat toward the blockchain in the ability to amass minting keys without requiring significant cost. Even beyond “real-time” reorganizations, it seems that “discarded” minting keys could just as easily be mobilized to power more massive “history revision” attacks as well. That’s why I think “cold storage” may be a bit of a misnomer because the coins are still very much “hot” in terms of their participation in securing the network.

The counterweight to this inherent “community risk” hinges on the assumption that a reduction in individual “stakeholder risk” will amply increase the total number of Peercoins participating in minting. After all, as you point out, it’s clear that even without the minting-only keys we’re already realizing the possibility for wealthy stakeholders to routinely print 6-block chains. (And we can only know of the one(s) consolidating their holdings in a single address!)

Thus, it seems to me that any steps to provide safer, more approachable minting-for-the-masses are the best way to continue securing the blockchain following the deprecation of centralized checkpoints. If/when minting-only keys become available, the task of promoting stakeholder education remains all the more important.

I totally agree. Cold storage minting will encourage many owners to mint. We could even directly contact the big exchanges to mint with their cold wallets. I think btc-e alone has a couple of million. If we get 1/3 of all coins to mint, we triple the security of the network.

[quote]In this example of an address of a half mil PPC , the address has thousands of ~150 PPC stakes. I[/quote]

[quote]Indeed, there is a latent threat toward the blockchain in the ability to amass minting keys without requiring significant cost.[/quote]

So that means that theoretically a provider can amass 1M minting keys holding 1 PPC each, which would amount to a huge stake of 1M PPC.
Which is more dangerous from a network security perspective:
1M minting keys of 1 PPC each, or 1 minting key holding 1M PPC?

EDIT: typo