(Debunked) It will cost nothing to kill a pos crypto currency

http://poseidon01.ssrn.com/delivery.php?ID=948094085101100119105100087094006112050056057015048070089079091127004087102026071111035039121014039099118097084116004088030067018080026002036084116109115016020022067046084067027024005068107073102026098&EXT=pdf.

Anyone got any thoughts on this article?

[quote=“Percy520, post:1, topic:1661”]http://poseidon01.ssrn.com/delivery.php?ID=948094085101100119105100087094006112050056057015048070089079091127004087102026071111035039121014039099118097084116004088030067018080026002036084116109115016020022067046084067027024005068107073102026098&EXT=pdf.

Anyone got any thoughts on this article?[/quote]
Any thoughts about this article.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2393940

It Will Cost You Nothing to ‘Kill’ a Proof-of-Stake Crypto-Currency

Houy Nicolas
University of Lyon 2 - Groupe d’Analyse et de Théorie Economique (GATE)

January 2014

Abstract:
It is a widely spread belief that crypto-currencies implementing a proof of stake transaction validation system are less vulnerable to a 51% attack than crypto-currencies implementing a proof of work transaction validation system. In this article, we show that it is not the case and that, in fact, if the attacker’s motivation is large enough (and this is common knowledge), he will succeed in his attack at no cost.

Number of Pages in PDF File: 6

Keywords: Bitcoin, protocol, proof of work, proof of stake, 51% attack

JEL Classification: G23, Z00

working papers series

It will cost you nothing to “kill” a Proof-of-Stake crypto-currency [v.0.1]
Nicolas Houy
February 6, 2014
Abstract
It is a widely spread belief that crypto-currencies implementing a proof of stake transaction validation system are less vulnerable to a 51% attack than crypto-currencies implementing a proof of work transaction validation system. In this article, we show that it is not the case and that, in fact, if the attacker’s motivation is large enough (and this is common knowledge), he will succeed in his attack at no cost.
JEL Classification: G23, Z00.
Keywords: Bitcoin, protocol, proof of work, proof of stake, 51% attack.
1 Introduction
Bitcoin has become increasingly popular in 2013 even though it has been invented in 2008, [Nakamoto, 2008]. It is usually described by laymen as an electronic money even though this definition is much criticized by the computer science community that rather talks about a revolutionary protocol. At its core, Bitcoin allows to secure property rights, in a decentralized peer-to-peer network, on tokens (bitcoins[1]) produced in limited quantity. There exist markets to purchase and exchange bitcoins. At the time this article is written, there are about 12.3 millions bitcoins in circulation and they can be exchanged at about $850 per bitcoin. Whether we consider its theoretical aspects or its use as a currency or as an asset, economists should be interested by this new “Unidentified Financial Object”. In this article, we study a particular aspect of the Bitcoin technology that is much debated in the crypto-currency community with tools borrowed from the economic science.
In order to do that, we need to describe a bit how Bitcoin actually works. When an individual sends some bitcoins to another individual, this information is broadcast to the Bitcoin network. However, for technical purposes we won’t address here, this transaction, treated in a block with other transactions, needs to be inserted in the blockchain in order to be confirmed and secured. The blockchain is a public ledger that contains the history of all the transactions in bitcoins ever processed. It is the role of the miners to do this work of confirming and securing transactions. Practically, this mining process consists in solving a mathematical problem and the first miner to do so, technically to bring a proof-of-work (POW), can insert a set of transactions in the blockchain. As it requires computational resources, the successful miner is rewarded in bitcoins for his useful work. In order to control the monetary base, mining is made more complex than it could be. And since the probability for each miner to solve the mining problem depends on his computational power, the mining complexity is made dependent on the total computational power of the miners. To sum up, for POW crypto-currencies, including Bitcoin, miners are in competition to solve a problem needed to confirm and secure transactions. The first miner to solve the problem earns a reward. The problem is made artificially complex in order to control the monetary base. This process is described as brilliant by some but it has been criticized for the inefficiency due to the loss of resources it induces (see [Krugman, 2013] for instance). Indeed, Bitcoin miners have engaged in an arm race to computational power and in the end, much hardware, engineering and power are used in order to solve mathematical problems that are artificially made extremely complex.
Université de Lyon, Lyon, F-69007, France; CNRS, GATE Lyon Saint-Etienne, Ecully, F-69130, France. E-mail: houy@gate.cnrs.fr.
[1] As the norm tends to be, we will write “Bitcoin” for the network or the protocol and “bitcoin” for the tokens that circulate on it.
As it requires trust in the system to be adopted, Bitcoin is open-source. Hence, many alternative crypto-currencies have been proposed at almost no cost. Each supposedly solves some Bitcoin flaws. Naturally, some of those crypto-currencies try to tackle the problem of the inefficiency due to the POW aspect of Bitcoin. Most of these crypto-currencies are based on another mining process, called proof-of-stake (POS). For the sake of simplicity and with a slight lack of rigor, let us just say that with POS, the expected reward for inserting transactions in the blockchain does not depend on the computational power of miners but on the amount of crypto-currency they already own. Peercoin and Nxtcoin are two alternative crypto-currencies that use POS (the former partially, the later completely[2]).
Let us now explain a weakness of all crypto-currencies. Roughly speaking, regardless on it using POW or POS, any crypto-currency cannot be trusted if one individual can mine too many blocks in expectation (see [Kroll et al., 2013], [Eyal and Sirer, 2013]). In a POW crypto-currency, the condition of what is called a “51% attack” and that would totally undermine the value of the money, is that an individual owns strictly more than 50% of the total computational power of the network. In a POS crypto-currency, the same attack would happen if an individual owns strictly more than 50% of the monetary base.[3] It is believed in the crypto-currency community that a 51% attack is less likely to occur in a POS system than in a POW system because it would be more expensive (in direct and opportunity costs) for a malicious agent to buy 50% of a POS crypto-currency than 50% of the computational power of a POW network (see [Bitcoin Wiki, 2014] for instance). In this article, we show that not only this is not the case under some conditions but even that it would cost nothing for a malicious agent to buy 50% of a POS crypto-currency monetary base.
[2] As Nxtcoin is a 100% POS protocol, for reasons that would bring us too far, its monetary base could not be controlled if it was working exactly as we describe in this article. This is why, its creators have fixed the number of nxtcoins since its launch and all nxtcoins have been premined. This technical details do not invalidate our study and can be easily ignored.
[3] We use the simplification that the fatal threshold remains 50% for a POS crypto-currency. In fact, this depends on some rule that we don’t describe here. However, our argument remains valid even if this assumption is not made.
2 Model
Let us consider a set of N + 1 agents with N > 2. Each agent is indexed by an integer in {0, ..., N}. There are two goods in the economy, a crypto-currency (CC) and money. There is no money liquidity constraint. Each agent is initially endowed with one unit of CC. CC yields a monetary interest r for each unit of time. This interest rate embodies the utility that can be extracted from using CC as a mean of exchange. The time discount factor of all agents is . CC loses all its utility whenever an agent holds strictly more than half ((N + 1)/2) of the CC units. Agent 0 has a special interest in killing the CC we study. Hence, he earns U if an agent holds strictly more than (N + 1)/2 units of CC.
CC can be exchanged on a market. We are especially interested in situations where one agent (specifically agent 0) may be willing to hold more than half of the CC quantity. Hence, we cannot just use the usual supply-demand model that makes the assumption that agents are atomistic. We need to go further in the description of the market. At each time step, agent 0 is matched with the same probability with any other agent that holds some CC unit, say i. Agent 0 makes a “take or leave” price offer to i in order to buy his unit of CC. i accepts or not the offer. Exchange takes place or not depending on the offer by 0 and the acceptance decision by i. The time step between two matching is dt, arbitrarily short. We will denote V(n) the expected discounted future flow of money earned by any agent i > 0 holding one unit of CC where n is the number of CC units held by 0. V0(n) is the expected discounted future flow of money earned by agent 0 where n is the number of CC units he holds.
Obviously, the step “offer by 0, take or leave by i” has a simple outcome: either 0 makes the cheapest offer that will be accepted or he makes an offer that will be rejected. In the first case, i’s unit of CC changes hand for (1 dt)V (n).
Once this step outcome is computed, we can simply write the dynamics of V and V0.
Precisely,

otherwise
where p(n) = 1=(N n) is the probability for any agent holding some CC to be matched with agent 0 when the latter holds n units of CC and Pe(n) is the belief that an agent different from 0 has that agent 0 will buy one more unit of CC when he already holds n.
Let us first solve the problem for n the greatest integer smaller than (N + 1)/2, n = ⌊(N + 1)/2⌋. There exist two possible equilibria. The first one is with Pe(n) = 0, V (n) = r= and V0(n) = nr=. This equilibrium is subgame perfect if and only if U r(n + 1)=. The second equilibrium is with Pe(n) = 1, V (n) arbitrarily close to 0 when dt tends to 0 and V0(n) arbitrarily close to U. This equilibrium is subgame perfect if and only if U > r(n+1)=. Let us now solve our game one time step before. Again, there exist two possible equilibria and these are the same as above. The first one is with any Pe(n), V (n) = r= and V0(n) = nr=. This equilibrium is subgame perfect if and only if U r(n+1)=. The second equilibrium is with Pe(n) = 1, V (n) arbitrarily close to 0 when dt tends to 0 and V0(n) arbitrarily close to U. This equilibrium is subgame perfect if and only if U > r(n + 1)=. The same reasoning can be made for all preceding steps.
Then, there are two equilibria for our game. In the first one, when U > r(N +1)=, agent 0 buys strictly more than half of the coins and actually kills the CC. Since this is anticipated by all the other agents, the latter are in competition to sell to agent 0 their coins, who they know have already no value. The attack can be undertaken at no cost.
In the second equilibrium, even if 0 accumulates enough CC coins, he will have no incentive to cross the 50% threshold because it is better for him to keep the coins and receive the interest flow that goes with it rather than kill the CC at the expense of this flow. Anticipating this, the other agents are not ready to sell the CC units below their value, r=.
3 Discussion
With a simple (one could say simplistic) model, we showed that the belief, widely spread in the computer science community, that POS crypto-currencies are immune to a 51% attack because of the supposedly too high cost to buy half of the coins is flawed. Indeed, the underlying reasoning does not take into account the fact that if the attack is undertaken by someone credibly willing to really kill the crypto-currency, agents should anticipate that their coins are worthless since the start and should practically sell them for nothing to the attacker. A more realistic model would take into account differentiated beliefs about the attacker’s motivations (U) and hence Bayesian updating of this, liquidity constraints, different beliefs about the future value of the crypto-currency without attack… We chose our market model with a special care for simplicity. We checked that results are unchanged for other market structures. In particular, our results would be unchanged if the potential attacker was the Stackelberg follower in the “take or leave” step. The basic requirement needed to get our results is simply that sellers are in competition in front of the attacker. Whenever the latter is credible, the CC has already lost its value, there is no need to wait for the attacker to actually buy the CC.
We believe that, in the first approximation at least, we should consider that POS implies high vulnerability to 51% attacks and not see POS as a viable alternative to POW at least in this regard. Notice that our model cannot be applied to POW. Indeed, with POW, agents invest a high fixed cost in computational power and only suffer a very marginal cost to mine. In this case, an attacker would have to actually spend a high fixed cost to gain more than 50% of the network computational power. The announcement of the attacker’s motivation, even if credible, would not be enough for other agents to give up their resources.
References
[Bitcoin Wiki, 2014] Bitcoin Wiki “Proof of Stake” page.
https://en.bitcoin.it/wiki/Proof_of_Stake. Retrieved on 02/05/2014.
[Eyal and Sirer, 2013] Eyal I. and Sirer E.G. (2013) “Majority is not enough: Bitcoin mining
is vulnerable”, arXiv: 1311.0243.
[Kroll et al., 2013] Kroll J.A., Davey I.C. and Felten E.W. (2013) “The economics of Bitcoin
mining, or Bitcoin in the presence of adversaries”, Mimeo.
[Krugman, 2013] Krugman P. (2013) “Adam Smith hates Bitcoin”. NYTimes blog.
http://krugman.blogs.nytimes.com/2013/04/12/adam-smith-hates-bitcoin/
[Nakamoto, 2008] Nakamoto S. (2009) “Bitcoin: A peer-to-peer electronic cash system”.

As an investor who invests a lot of money in ppc, I am really keen to hear Sunny King’s argument.

OK interesting read.

But the author of the paper is arguing that the attacker will try and gain coins from a market that is keen to offload at the cheapest price possible and that the attacker is the only one “stockpiling” coins.

To say it costs nothing to acquire 51% of the coins of Peercoin is just factually where this argument falls down… and I think this is the point the author has missed… or just skipped over as they say… “We are especially interested in situations where one agent (specifically agent 0) may be willing to hold more than half of the CC quantity.” Peercoin is distributed widely enough that it would now cost many tens of millions to try such a venture to try and get even 1 million PPC.

I like the argument that once the coins have been obtained, the attacker then yes has the ability to “destroy” the coin at no “running costs” but also in their process they will destroy the coin they have invested so heavily in. All POW 51% attacks can be carried out on a cryptocoin, and then when attack is deemed as successful and all obtained from the venture, the attacker is then actually poised to attack the next coin through the hardware they must have at their disposal. So in this regard there is no “damaging financial” effect felt by the POW miners so the cost of the attack here is purely based on initial hardware setup and electricity consumption during the attack. If they had to buy custom hardware for each cryptocoin they attacked then this would be a closer model to the 51% attack on a POS coin.

Look at how only POW coins have evidence of 51% attacks and yet all POS coins are yet to be attacked… as it is just too expensive!! TRC, FTC all good examples of how an excessive miner can take over the network and 51% attack a coin.

I would like to propose to the author of the paper to acquire 51% of all the Peercoins and perform an attack on the PPC network at no cost. If they have a successful attack I will retract all these statements but I’d be willing to bet BTC to say they can’t do it at “no cost”

Author is also looking at NXT as well in the paper and this could be where some perceptions have been skewed as the market cap of NXT and other POS coins is considerably lower than PPC. This simply means the coins are younger in age, not as widely dispersed and hence potentially more easy to buy up 51% of the coins at lower costs.

Fuzzybear

Here’s the /r/Peercoin discussion about the white paper.

Personally, I agree that the attack vector exists, but that in practice there are too many variables that will be in play to believe that it could actually be implemented.

[quote=“FuzzyBear, post:6, topic:1661”]OK interesting read.

But the author of the paper is arguing that the attacker will try and gain coins from a market that is keen to offload at the cheapest price possible and that the attacker is the only one “stockpiling” coins.

To say it costs nothing to acquire 51% of the coins of Peercoin is just factually where this argument falls down… and I think this is the point the author has missed… or just skipped over as they say… “We are especially interested in situations where one agent (specifically agent 0) may be willing to hold more than half of the CC quantity.” Peercoin is distributed widely enough that it would now cost many tens of millions to try such a venture to try and get even 1 million PPC.

I like the argument that once the coins have been obtained, the attacker then yes has the ability to “destroy” the coin at no “running costs” but also in their process they will destroy the coin they have invested so heavily in. All POW 51% attacks can be carried out on a cryptocoin, and then when attack is deemed as successful and all obtained from the venture, the attacker is then actually poised to attack the next coin through the hardware they must have at their disposal. So in this regard there is no “damaging financial” effect felt by the POW miners so the cost of the attack here is purely based on initial hardware setup and electricity consumption during the attack. If they had to buy custom hardware for each cryptocoin they attacked then this would be a closer model to the 51% attack on a POS coin.

Look at how only POW coins have evidence of 51% attacks and yet all POS coins are yet to be attacked… as it is just too expensive!! TRC, FTC all good examples of how an excessive miner can take over the network and 51% attack a coin.

I would like to propose to the author of the paper to acquire 51% of all the Peercoins and perform an attack on the PPC network at no cost. If they have a successful attack I will retract all these statements but I’d be willing to bet BTC to say they can’t do it at “no cost”

Author is also looking at NXT as well in the paper and this could be where some perceptions have been skewed as the market cap of NXT and other POS coins is considerably lower than PPC. This simply means the coins are younger in age, not as widely dispersed and hence potentially more easy to buy up 51% of the coins at lower costs.

Fuzzybear[/quote]

Agreed, also if I know someone is going to undertake a 51% attack on Peercoin and has a big chance of success, I will still not sell my coins for nothing; I will rather wait, as the price may go much higher because the attacker will need to buy lots of coins.

This is a fun little paper with twisting POS into 51% attack possibility. So let’s take a look at his “assumptions”:

  1. Author assumes that POS is similar to POW therefore you need over 50% coins to attack the coin; then he goes on to base his theory on an agent that can actually acquire 50% of all coins.

  2. Once his agent acquires 50% of all coins he conducts the attack, but he never explains how!

So let’s assume agent 0 acquired over 50% at some small cost, let’s also assume that he can control some big POW operation so he can control that as well. When we are talking 51% what are we really after?

  1. To prevent transactions of attacker’s choosing from gaining any confirmations, thus making them invalid, potentially preventing people from sending Peercoins between addresses.

  2. Reverse transactions they send during the time they are in control (allowing double spend transactions), and they could potentially prevent other miners from finding any blocks for a short period of time.

Now moving on to the attack: our coins have to have 30 days maturity and we need to have a healthy transaction size to control the PoS, so we divide our coins into large-size transactions. The coins will be moved to stake for 520 blocks, so if we divide our 51% coins into 500 chunks we get about 21K Peercoins per transaction, and here is the problem:

  1. Our 21K transaction competing to find a block is going against 49% coins left in the system, there is no way we can dominate for 520 blocks unless everyone else stops minting.
  2. Oh, and did I mention checkpoints? We have that too…

As far as Peercoin is concerned, this paper is debunked. sahkan already listed the major points.

There’s an economic problem with this too, even if it was possible it’d still cost a lot of money. How would the other actors in the market know that somebody wanted to buy all the coins? He’d need to buy a large amount first & announce it, assume that nobody else got there first or tried to set up in competition to buy all the coins creating a price war. If there was really no cost to it, it’d already have been done.

Seems to me that he did not read up on PoS and assumed it is just like PoW. In PoW you find the block and you retain your hashrate, in PoS you find a block, your coins get locked for 520 blocks and it will take them 30 days to mature again and you can’t retain your minting power for the next block.

Exactly! The author didn’t really grasp the fundamentals of PoS.

While I disagree with the conclusion in the article (for reasons already pointed out previously in this thread), I kind of think it could be a good idea to keep the following attack vector in mind: an exchange offers discounted trading for PPC and uses the deposited coins to attack the network, rendering panic and market crash and lots of (for them lucrative) trading activity. Anticipating this, they short the market by borrowing even more coins (perhaps not on the exchange itself). This is possible if the exchange can have a fraction of the coins in cold storage which can grow larger over time (more people deposit than withdraw). In the end PoS gets hammered and their bitcoins long position rewards them good. If the exchange is ever exposed they might lose customers, which could be a detraction for them to attack. The following post inspired me:

Did I understand that post correctly? That Litecoin has a single address which holds 6.300.001 LTC (~24% of the monetary supply)? That’s troubling, for a lot of reasons, but namely that a single entity has that much control over the economy.

Regarding the attack vector, it’s conceivable that it could befall a proof-of-stake currency, but I see two issues with it:

Consolidation into a single address, or even a small number of addresses, has a max coin age after 90 days. This means that unleashing this large stake almost assures you will immediately solve a block, but as mentioned above, you aren’t able to attempt it again for another ~3.5 + 30[sup][1][/sup] days.

This attack requires the coins to be in a hot wallet, as it is not currently possible to use coins stored in cold storage to attempt to solve proof-of-stake blocks.


[sup][1][/sup] Can anyone confirm when a stake’s coin days begin to accrue again? Is it immediately after block is solved (but before the 520 confirmation lock is removed), or does it only happen once the staked amount is returned to the wallet’s live balance?

The 30 days delay starts at the time of the block that confirmed the last transaction of the coins (whether it’s a PoS or a standard transaction).

Sigmike, so I can confirm that I understand what I read in the code, and what you posted here, I’ll restate it:

When I solve a block using stake, the newly created transaction (stake + reward) is given a coinAge=0, and then is put into a “staked” state for 520 network confirmations (~3.5 days). Once released from this state, that newly created transaction will be eligible to try to solve for another block in ~27.5 days.[sup][1][/sup]


[sup][1] [/sup]I’m making the assumption that in the case of 1 PPC, it won’t register that it has gained 1 coin day until 24 hours have passed since the deposit transaction was registered into the account. In that case, minting is only viable on the 31 day after the transaction occurred (though the coin age accrued would be equal to coinAge=30). Is this correct, or am I making it more difficult trying to think about it that way?

I’m not sure I understand the question. Where do these 24 hours come from? When the 30 day limit is calculated, the coin age is in seconds, so there’s no day rounding if that’s what you mean.

I’ll need to track down the quote from Sunny that indicated that there was day rounding, but perhaps I misunderstood his meaning. If the calculation uses Unix Epoch time, that would explain the subtle variations that I’ve seen in my calculator.

There is day rounding just below, but it’s only used in the difficulty calculation: https://github.com/ppcoin/ppcoin/blob/master/src/kernel.cpp#L287 and https://github.com/ppcoin/ppcoin/blob/master/src/kernel.cpp#L322

There’s also a day rounding when the reward is calculated.
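The staking clock discussed in the last posts, as an added example that is not part of the thread or the Peercoin source: a simplified model using the 30-day minimum age, 90-day cap and 520-block lock quoted above, showing how a stake split into 500 chunks loses all eligible weight once each chunk has minted. The 10-minute block spacing, the `Output` class, the function names and the sample timestamp are assumptions made for illustration.

```python
# Added example: simplified model of the staking rules quoted in this thread.
# It is not the Peercoin client's kernel code.
from dataclasses import dataclass

DAY = 86_400                  # seconds; ages are compared in seconds, no day rounding
STAKE_MIN_AGE = 30 * DAY      # thread: coins must be 30 days old before they can mint
STAKE_MAX_AGE = 90 * DAY      # thread: coin age stops growing after 90 days
STAKE_LOCK_BLOCKS = 520       # thread: a minted stake is locked for 520 blocks
BLOCK_SPACING = 600           # ASSUMPTION: 10-minute average block spacing


@dataclass
class Output:
    amount: float             # coins held in this output
    confirmed_at: int         # time of the block that confirmed it (Unix seconds)


def can_mint(out: Output, now: int) -> bool:
    """Eligible only once the full minimum age has elapsed, compared in seconds."""
    return now - out.confirmed_at >= STAKE_MIN_AGE


def coin_days(out: Output, now: int) -> float:
    """Coin age in coin-days, capped at the 90-day maximum; 0 while ineligible."""
    if not can_mint(out, now):
        return 0.0
    age = min(now - out.confirmed_at, STAKE_MAX_AGE)
    return out.amount * age / DAY


def mint(out: Output, now: int) -> dict:
    """Use the output to solve a block: its age resets and both clocks start at `now`."""
    out.confirmed_at = now
    return {
        "lock_released_at": now + STAKE_LOCK_BLOCKS * BLOCK_SPACING,
        "eligible_again_at": now + STAKE_MIN_AGE,
    }


def eligible_weight(outputs, now: int) -> float:
    """Total coin-days that could compete for the next proof-of-stake block."""
    return sum(coin_days(o, now) for o in outputs)


def demo():
    t0 = 1_400_000_000        # constructed timestamp
    # Constructed stake: 500 chunks of 21,000 coins, all at maximum coin age.
    chunks = [Output(21_000, t0 - STAKE_MAX_AGE) for _ in range(500)]
    before = eligible_weight(chunks, t0)
    now = t0
    for chunk in chunks:      # best case for the holder: every chunk solves a block
        now += BLOCK_SPACING
        mint(chunk, now)
    after = eligible_weight(chunks, now)
    return before, after, now


if __name__ == "__main__":
    before, after, _ = demo()
    print(f"eligible coin-days before: {before:,.0f}, after 500 blocks: {after:,.0f}")
```

Because the 30-day clock starts at the confirming block, it runs concurrently with the 520-block lock rather than after it.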