I find the answer to that question here:
[quote=“kac-, post:8, topic:2502”]Stake grinding [SG] states that you can pre-compute a future, or post-compute a historical, winning chain using a small amount of coins, making Peercoin a PoW coin.
- passive - collect a set of outputs, don’t use them until you find your lucky streak (by searching some limited future)
- active - rewrite at least 30 days of blockchain[/quote]
In my myth busting thread, I would like to create something similar to a user story for the attacker: what steps the attacker needs to take, why, and the implications of them, all presented in a way that someone who has not read the white paper, has not read the source code and is unfamiliar with key concepts can understand, or at least use as a platform for further studies. I’ve found some answers spread across many threads, but I fear that my ignorance and stupidity make it impossible to do this without help from you gurus. This is as close as I can get:
- The attacker wants to create a reorg of the blockchain, let’s say 6 blocks deep. The blocks will be broadcast to the net only when the attack chain is fully built and the attacker knows that it will win over the main chain.
- The attacker has prepared for the attack in advance (90 days), creating at least as many unspent outputs as the number of blocks the attacker wants to create during the reorg. This is required because the coins used in the stake in a successful mint will lose all coin age and will not be usable again before 30 coin days.
- To create a block, a hash is produced that has to fulfil certain criteria, such as meeting a target difficulty. The recent blocks in the blockchain cannot be exploited to change the hash, because when creating a block, the data used in the hashing is obtained from the block where the unspent output was registered (first confirmed), which is out of the attacker’s control.
- The only thing that the attacker can really manipulate when generating the hash is the clock time, because the protocol allows for some degree of clock drift. This implies that when the attacker searches for a hash that meets the required target difficulty, the attacker can go through the “clock space” available to improve his chance of finding a block.
- Because the protocol doesn’t allow the hash to be changed (save for manipulating the clock), the attacker needs to increase the coin age of his coins to improve the odds of successfully carrying out the attack.
- While the reward for a proof-of-stake increases over time as the coin age grows, the coin age that the coins can use in the stake is capped at 90 days. This means that the attacker cannot supercharge a few coins. To get more coin age, the attacker is forced to get more coins.
- How many coins are needed? To replace the main blockchain, the attacker needs to create an attack chain that has more accumulated chain trust than the main chain. On the main chain, all minters are competing with each other to win the block, and the winning stake is the one that consumes the most coin age (and is able to meet the difficulty target). The attacker’s 6 attack blocks must together have more chain trust than what the winning stakes contributed to the main chain during the same period.
- Since we don’t know how many people will be minting and what coin age the winning stakes will contribute to the chain trust, we can for the sake of argument assume XXX with difficulty XXXX, which means that the attacker must have XXX coins for each block.
- In the original Peercoin implementation, the attacker could also increase his own chance of success by making it difficult for other minters to win when creating his block, but a stake modifier has been introduced which uses data that is not available at the time the attacker is creating the block, which makes this much harder.
- Besides this, there is not much that the attacker can do in terms of exploits of the protocol to improve his chance of finding a block. The only option left for the attacker is to get his hands on as much coin age as possible and distribute it as 6 unspent outputs.
As you can see I’m both ignorant and stupid. Please, please help me correct all the errors in the story above.