Double Spending

MUTO · March 12, 2014, 9:36am

Hi,

sometimes when I look out of the window freaking thoughts come to my mind ;D

A few minutes ago the following came up:

I already mentioned a few times, that 5-10% of all coins and letting them mature for 60-90 days should be enough to relatively secure hit 6 blocks in a row at current participitation level in PoS.

What if someone runs two nodes with the same wallet.dat

[table]
[tr]
[td]Node A[/td]
[td] [/td]
[td]Node B[/td]
[/tr]
[tr]
[td]Block 1 - does not broadcast to network[/td]
[td][/td]
[td]Block 1 + transaction to exchange or whatever[/td]
[/tr]
[tr]
[td]Block 2 - does not broadcast to network[/td]
[td][/td]
[td]Block 2[/td]
[/tr]
[tr]
[td]Block 3 - does not broadcast to network[/td]
[td][/td]
[td]Block 3[/td]
[/tr]
[tr]
[td]Block 4 - does not broadcast to network[/td]
[td][/td]
[td]Block 4[/td]
[/tr]
[tr]
[td]Block 5 - does not broadcast to network[/td]
[td][/td]
[td]Block 5[/td]
[/tr]
[tr]
[td]Block 6 - does not broadcast to network[/td]
[td][/td]
[td]Block 6[/td]
[/tr]

[/table]

From this point on the exchange or whatver recipient should accept the transaction and the coins could be exchanged for Bitcoins or Dollars or …

Now node B stops working and Node A broadcasts all blocks to the network (without the transaction included in Note B). The Chance is very good now, that Node A will get the longest chain. The “best” thing is, that there are no costs (compared to PoW, where potential orphraned blocks are wasted money) in trying this double spending.

Please discuss, I hope I missed something. If not, we need some strategy to get more people in minting PoS blocks.

Ben · March 12, 2014, 12:03pm

MUTO, have you run the probabilities through www.peercoincalculator.info to see if the percentages hold up? The probabilities will be approximate, but so far, from what I’ve seen they look reasonable to use for the discussion and modeling.

MUTO · March 12, 2014, 3:34pm

No, not yet. But I will do so. Above calculations are (most likely not really acurate) numbers out of my head

Posted using Tapatalk for Android.

sigmike · March 13, 2014, 12:06am

I wish I had more time to think about that but here are some thoughts.

First you’d have to make another transaction with the same coins on the left blockchain. Otherwise someone will eventually include your right transaction in the left blockchain. But that’s not really a problem.

You’d also have to split your 5-10% into 7 independent transactions (+ the coins you spend). The first 6 to generate the blocks of the 2 blockchains as you described, and 1 to generate another extra block. If you don’t push this 7th block other nodes won’t accept the left blocks because they are duplicate stakes. They will only accept them if there’s a higher block that depends on them.

I don’t know the exact probability of having these 7 transactions matching the difficulty at very close times. I’d be interesting to calculate, but also probably very difficult.

And the block times cannot be too close. Otherwise the difficulty may rise too much (the difficulty is adjusted after each block).

But I think the most difficult part for this operation to succeed is there must be no other block found during the whole operation.
If any other block is found in the right chain, your left chain is much less likely to win.

It all depends on the timings but I think the probability of someone else finding another block (PoS or PoW) during the operation is high.

You could decide to exclude this block from your blockchains. But then you’d have a competing blockchain which has good chances of beating your 2 chains.

mhps · May 1, 2014, 1:47am

[quote=“sigmike, post:4, topic:2040”]But I think the most difficult part for this operation to succeed is there must be no other block found during the whole operation.
If any other block is found in the right chain, your left chain is much less likely to win.

It all depends on the timings but I think the probability of someone else finding another block (PoS or PoW) during the operation is high.

You could decide to exclude this block from your blockchains. But then you’d have a competing blockchain which has good chances of beating your 2 chains.[/quote]

From my observation it’s easy to find 6-chain POS blocks that has less than 100,000 coindays for every block. So it’s quite likely you will win over the competing blockchain if your blocks have more than 100,000 coindays. For example if someone gets hold of 8,000 PPCs and use 7,000 for the seven blocks and 1,000 for the transaction spending, he could have a try with three months’ coin age. The most disturbing part is if one try fails, the attacker can transfer the spent fund back and try again.

josojo · May 1, 2014, 1:04pm

-deleted due to thinking faulty -

irritant · May 1, 2014, 1:18pm

can we try this on testnet?

Ben · May 1, 2014, 2:35pm

I was discussing with sigmike yesterday afternoon ways that a separate simnet block chain (and what parameters we could modify, like block times or a “pre-mine” to seed a number of addresses with enough funds) to run simulations like these. It’s certainly possible, but it would likely take additional development. If anyone is interested in starting to map out the requirements for this simulated network, I’d be happy to start a project on Github where we can collect notes.

mhps · May 1, 2014, 3:46pm

[quote=“josojo, post:6, topic:2040”]Thank you mhps for this post and the answers in http://www.peercointalk.org/index.php?topic=2744.0.

I am making exactly the same judgements. I am far from being an expert, but it seems to be easy to reorganise 6 blocks with just 5000 PPC in your pocket by the method described above.[/quote]

I wouldn’t say it’s easy. One has to be methodical, patient and technically competent to try. With PPC at today’s price it seems hardly worth it for the money.

It can’t be done on the testnet? It’s easy to mine several million coins. Not sure if that is enough, though. If we have a testnet blockchain explorer and watcher it would be easier to plan the simulations. Mabe bkchain’s open source explorer can be adapted for this?

ppcman · May 1, 2014, 3:51pm

If Sunny’s private servers are monitoring the network for checkpointing opportunities and saw this, and issued checkpoints to invalidate the forks, do you think that might stop this from succeeding?

mhps · May 1, 2014, 4:15pm

I am not sure how his server works and how/if it reacts automatically. I though human intervention would be needed to pull the trigger, which as I wrote here might not be fast enough in some cases Cryptoblog - notícias sobre bitcoin e criptomoedas!

josojo · May 1, 2014, 6:36pm

[quote=“mhps, post:9, topic:2040”][quote=“josojo, post:6, topic:2040”]Thank you mhps for this post and the answers in http://www.peercointalk.org/index.php?topic=2744.0.

I am making exactly the same judgements. I am far from being an expert, but it seems to be easy to reorganise 6 blocks with just 5000 PPC in your pocket by the method described above.[/quote]

I wouldn’t say it’s easy. One has to be methodical, patient and technically competent to try. With PPC at today’s price it seems hardly worth it for the money.[/quote]
Yeah, sorry. Easy is not the right word.

But as it seems to be theoretical possible, we should direct sunny king to this thread. I guess he is in the best position to make a judgement whether such an attack is theoretical possible.

mhps · May 5, 2014, 3:43am

Anyway for Peershares it seems relatively easy for the share-issuing company to make its network orders of magnitude more secure by just increasing the number of confirmation blocks. Peershares are not currency so a longer confirmation time isn’t as a big deal. For example increasing the confimation N from 6 to 10 will reduce the chance of a double spend by ~100 times for an attacker who has gathered 30% of neetwork minting power.

To fend off the attackers who do it for the money, we don’t need to reduce their chance to 0, we only need to make their attacks unprofitable.