How many PPC are required to make a 51% attack

Sunny claimed that in order to successfully conduct a 51% attack on peercoin, the attacker not only requires 51% of the network hash but must also possess 51% of all peercoin. However, I have read a few articles that claim this is not true. The articles indicated that the attacker only needs to have 51% (or maybe even less) of the existing ppc that are currently minting. If this is true, then the amount of ppc required would be significantly less than 51% of all ppc, and this would make ppc much more vulnerable than I thought. Can anyone who is capable of reading Sunny’s protocol give me an answer? Thank you very much. The level of security of this coin will play a big part in my decision on how much money I am going to invest in ppc.

You are right, only the PPC presently minting secure the network. But consider that if only 10% of PPC in existence are minting, the security is comparable to or better than the present POW. Example on Bitcoin: Total revenues for Bitcoin miners during the year 2014 will be 11% of the BTC in existence. The hardware costs to achieve 51% of miners are therefore smaller than 51% of 11% of BTC. If Bitcoin was secured by the POS protocol and only 11% of the coins existing were mining, the security would be the same as the security of all the miners combined. But while the miners really cost comparable amounts of money to run, POS is cheap and not connected to any significant costs. (That’s why Bitcoin security will be decreasing over time, since the miners’ revenues will.)

Also, in the case of Peercoin, the attacker would have additional difficulties, since (s)he would also have to control the POW part. Peercoin has both POW and POS.

[quote=“irigi, post:2, topic:2074”]You are right, only the PPC presently minting secure the network. But consider that if only 10% of PPC in existence are minting, the security is comparable to or better than the present POW. Example on Bitcoin: Total revenues for Bitcoin miners during the year 2014 will be 11% of the BTC in existence. The hardware costs to achieve 51% of miners are therefore smaller than 51% of 11% of BTC. If Bitcoin was secured by the POS protocol and only 11% of the coins existing were mining, the security would be the same as the security of all the miners combined. But while the miners really cost comparable amounts of money to run, POS is cheap and not connected to any significant costs. (That’s why Bitcoin security will be decreasing over time, since the miners’ revenues will.)

Also, in the case of Peercoin, the attacker would have additional difficulties, since (s)he would also have to control the POW part. Peercoin has both POW and POS.[/quote]

Thanks for the reply. Firstly, do you think there is any chance Sunny could redesign the protocol to make the attacker still need 51% of all ppc in existence regardless of whether they are actively minting or not? Is this possible??
Secondly, I am interested in the 10% of PPC that are minting. Is this percentage just your guess, or is there somewhere we can check how many ppc are currently actively minting? I am really keen to find out the actual percentage of ppc actively minting. As the current client (even 0.4) does not support cold locked minting, I do not know how many ppc holders would be willing to risk their coins by keeping their client running 24x7.

[quote=“irigi, post:2, topic:2074”]You are right, only the PPC presently minting secure the network. But consider that if only 10% of PPC in existence are minting, the security is comparable to or better than the present POW. Example on Bitcoin: Total revenues for Bitcoin miners during the year 2014 will be 11% of the BTC in existence. The hardware costs to achieve 51% of miners are therefore smaller than 51% of 11% of BTC. If Bitcoin was secured by the POS protocol and only 11% of the coins existing were mining, the security would be the same as the security of all the miners combined. But while the miners really cost comparable amounts of money to run, POS is cheap and not connected to any significant costs. (That’s why Bitcoin security will be decreasing over time, since the miners’ revenues will.)

Also, in the case of Peercoin, the attacker would have additional difficulties, since (s)he would also have to control the POW part. Peercoin has both POW and POS.[/quote]
Also, Sunny said that in the future PPC’s security will mainly rely on POS, as the POW reward will be reduced to a minimum, so I guess the network hash rate will also drop to a very low level, and then it will not cost much to possess 51% of the hash rate.

[quote=“Percy520, post:4, topic:2074”]Thanks for the reply. Firstly, do you think there is any chance Sunny could redesign the protocol to make the attacker still need 51% of all ppc in existence regardless of whether they are actively minting or not? Is this possible??[/quote]
I do not see any way to do that technically. If a wallet were minting all the time without the need to input your password, this would mean you do not have control of your private key and the party that holds it would have to be trusted. (Which doesn’t go together with security well.) You can ask Sunny King the question directly; they are preparing a chat interview with him. I do not understand the details of the cryptography involved myself.

Look here. Recently, I tried to calculate exactly that. Although it would be nice if someone else would go through my line of thinking, just to check it is correct. Presently, it seems that approximately 40% of stakes are minting (POS difficulty / 25, or more precisely POS difficulty * 21,200,000 / money supply / 25), which looks very good. It is an estimate; I am sure a more precise number could be obtained if someone dug deep enough.

[quote=“Percy520, post:4, topic:2074”]Also, Sunny said that in the future PPC’s security will mainly rely on POS, as the POW reward will be reduced to a minimum, so I guess the network hash rate will also drop to a very low level, and then it will not cost much to possess 51% of the hash rate.[/quote]
The protocol is set so that more than 80% of the blocks are proof of stake blocks. Unlike in Bitcoin, the POW reward does not depend on time, but on hashing rate. The higher the hashing rate, the smaller the reward (more precisely, if the hashing rate increases 16x, the reward drops 2x). If the price of Peercoin increases, so will the hashing rate, as people will be more interested in mining. This will decrease the rewards, and the mining will thus not increase proportionally to the money supply, but at a slower rate. So there will always be some mining, but its cost will become smaller and smaller in comparison with the money supply. But in absolute numbers, I think the hashing rate will rather grow. If there is a plan to discontinue POW by a hard fork, I do not know that. (I hope there isn’t.)

[quote=“Percy520, post:1, topic:2074”]Sunny claimed that in order to successfully conduct a 51% attack on peercoin, the attacker not only requires 51% of the network hash but must also possess 51% of all peercoin.
[…][/quote]

I’d like to know where you read that, because I think there might be a misunderstanding.
As far as I know (and as far as discussed in this forum) there is no such thing as a >50% PoS attack.

One important question would be: what shall be the aim of such an attack?
If it is double-spending coins, it might be a bad idea to lead an attack on Peercoin…

The > 50% PoW attack vector is existing, but it’s hard to play that attack because of the interfering PoS blocks.
You need control over both the PoS and the PoW process.
As there is “control” over the PoW process by having > 50% of the hashing power, there is no absolute control over the PoS process as it is based on chance that has mainly to do with coins and their age.
You can’t be sure to mine a subsequent number of PoS blocks unless you control all coins that take part in the PoS process.
If you have less than 100% of those coins, you might have a high chance, but no complete control!

If you rely on 0-block confirmations or 1-block confirmations, you might be at risk (at any crypto coin!).
But depending on the amount that is to be transferred, it is no bad idea to adjust the number of confirmations to the amount being transferred (for millions of USD even 6 confirmations might be considered not enough…).

If you are interested in a discussion regarding PoS attacks, you might want to look here:

And this post is from a time when I believed there was a thing like a > 50% PoS attack vector (which seems to be not true).
But even if that attack vector did exist, the calculation makes quite clear that such an attack would be more costly than a similar > 50% PoW attack:
https://bitcointalk.org/index.php?topic=326216.msg3526904#msg3526904
The post is from an ancient past (at least when time is measured with crypto coin clocks^^) and the numbers might have changed, but the math is more or less the same.
…if it is more costly, it can be considered more secure :wink:

But still - the good thing is: there is no > 50% PoS attack :smiley:

[quote=“irigi, post:5, topic:2074”][…]
If there is a plan to discontinue POW by a hard fork, I do not know that. (I hope there isn’t.)[/quote]
Once I was hoping to phase out the PoW process (when Peercoins are widely distributed and PoS minting is widely distributed) because of its energy consumption.
But meanwhile I have understood what benefit comes from that additional process (not only in terms of coin distribution, but in terms of security as well).

The combination of PoS and PoW makes the block chain more secure than any “PoS only” or “PoW only” approach can be!

[quote=“masterOfDisaster, post:6, topic:2074”][quote=“Percy520, post:1, topic:2074”]Sunny claimed that in order to successfully conduct a 51% attack on peercoin, the attacker not only requires 51% of the network hash but must also possess 51% of all peercoin.
[…][/quote]

I’d like to know where you read that, because I think there might be a misunderstanding.
As far as I know (and as far as discussed in this forum) there is no such thing as a >50% PoS attack.

One important question would be: what shall be the aim of such an attack?
If it is double-spending coins, it might be a bad idea to lead an attack on Peercoin…

The > 50% PoW attack vector is existing, but it’s hard to play that attack because of the interfering PoS blocks.
You need control over both the PoS and the PoW process.
As there is “control” over the PoW process by having > 50% of the hashing power, there is no absolute control over the PoS process as it is based on chance that has mainly to do with coins and their age.
You can’t be sure to mine a subsequent number of PoS blocks unless you control all coins that take part in the PoS process.
If you have less than 100% of those coins, you might have a high chance, but no complete control!

If you rely on 0-block confirmations or 1-block confirmations, you might be at risk (at any crypto coin!).
But depending on the amount that is to be transferred, it is no bad idea to adjust the number of confirmations to the amount being transferred (for millions of USD even 6 confirmations might be considered not enough…).

If you are interested in a discussion regarding PoS attacks, you might want to look here:

And this post is from a time when I believed there was a thing like a > 50% PoS attack vector (which seems to be not true).
But even if that attack vector did exist, the calculation makes quite clear that such an attack would be more costly than a similar > 50% PoW attack:
https://bitcointalk.org/index.php?topic=326216.msg3526904#msg3526904
The post is from an ancient past (at least when time is measured with crypto coin clocks^^) and the numbers might have changed, but the math is more or less the same.
…if it is more costly, it can be considered more secure :wink:

But still - the good thing is: there is no > 50% PoS attack :smiley:

[quote=“irigi, post:5, topic:2074”][…]
If there is a plan to discontinue POW by a hard fork, I do not know that. (I hope there isn’t.)[/quote]
Once I was hoping to phase out the PoW process (when Peercoins are widely distributed and PoS minting is widely distributed) because of its energy consumption.
But meanwhile I have understood what benefit comes from that additional process (not only in terms of coin distribution, but in terms of security as well).

The combination of PoS and PoW makes the block chain more secure than any “PoS only” or “PoW only” approach can be![/quote]

Thanks for providing such great information. I am going to have a good read on the two threads.

Have fun! And if the read results in questions or ideas, please share them with us! :slight_smile:

[quote=“masterOfDisaster, post:80, topic:648”]I might be wrong - but I’d like to have this thesis checked:

[size=10pt]“There is no such thing as a >50% attack of Peercoin’s PoS process.”[/size]

Explanation:
The success for minting a PoS block is based on luck. The relevant part that determines the luck is the coin-age. The coin-age is capped at 90 days[sup]1[/sup].

Even if you have more than 50% of all coin-age taking actively part in the PoS process, you don’t have control over the PoS part of the Peercoin network.
Your luck for solving the next block is > 50%. And even if that doesn’t significantly decrease your total coin-age (let’s assume you still have more than 50%), you only have a chance of 50% for solving the next PoS block and so forth.
Let’s assume you constantly stay above 50% of the coin-age in this game.
Being able to mint n PoS blocks in a row at 50% chance for success has a total chance of 0.5^n.
This is far from being in control over the network (which is completely different for PoW processes as control of > 50% of the hashing power allows to suppress valid blocks and prevent them from being added to the blockchain!)[/quote]

I unfortunately didn’t have time to read the whole discussion after this post, but just a quick question: Does the official Peercoin client still accept the longest blockchain available, as the Bitcoin client does? If yes, then you could do the following: If you control 51% of all minting Peercoins, you construct a wallet that includes only your own POS blocks. Since you still have 51%, you will solve blocks against POS-difficulty fast enough so your private blockchain will be still longer than the blockchain others contribute to. As a result the official clients always use YOUR blockchain and you control the network. Since the POW is much slower than POS in Peercoin, you probably do not need to control both POS and POW, just use only POS and disallow any POW blocks into your personal blockchain. If it is the longest, official clients will accept it anyway and miners are out of the game simply by the fact that the 51% stakeholder is creating a fake blockchain they cannot contribute to. Or am I wrong somewhere? (I hope I am wrong, but I didn’t check the source-code to see what measures are taken to prevent exclusion of POW miners, so I am probably just painting the problem in black colors. Please correct me if I do.) Even if the attack I described works, a POS 51% attack is probably still a stupid idea, since you would be destroying/damaging a currency you highly invested in.

Unless…

I finally figured out how many coins you actually need to perform the “51% attack”. All you need is to have more coins than the presently minting minters. This is related to the POS difficulty by the last Eq. on the first page of this document. As a result, the number of Peercoins that are taking part in minting (based on difficulty) is:

PPCminting = 4294901760 x POSdiff / (60 x 600)

The number 4294901760 is, as explained in the document, relating base POS difficulty 1 to probability per second, 60 is the maximum coinage weight of every Peercoin the attacker uses (alpha’ in the original equation) and 600 is the number of seconds between blocks (T in the original equation). Presently, the POS difficulty is 13.66, which means that 1,629,676 Peercoins are effectively minting now, which is 7.6%. So if the “51% attack” exists, it is actually a 3.8% attack and it would cost $2,000,000 now.

This does not necessarily mean that only 7.6% of PPC are minting. As I was arguing here, if some blocks are secured by very big stakes that enter only rarely, they are not helping the security (not increasing the difficulty most of the time) and therefore it is entirely possible, that more than 7.6% PPC is minting, just not regularly enough.
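
Added example, not part of the original posts: the difficulty formula above turned into a stake estimate, combined with Nakamoto's catch-up calculation to show how many confirmations a recipient would want for a given share of minting stake. It assumes each block goes to a minter with probability equal to their share of minting stake at full weight and ignores coin-age consumption and block-weight rules; the function names and the attacker holdings are constructed for illustration.

```python
import math

# Constants quoted in the post above.
DIFF1_FACTOR = 4294901760   # relates PoS difficulty 1 to probability per second
MAX_COIN_WEIGHT = 60        # maximum coin-age weight per coin
BLOCK_SPACING_S = 600       # seconds between blocks


def minting_coins(pos_difficulty):
    """Effective number of coins minting, per the formula in the post."""
    return DIFF1_FACTOR * pos_difficulty / (MAX_COIN_WEIGHT * BLOCK_SPACING_S)


def stake_share(attacker_coins, honest_coins):
    """Attacker's fraction of all minting stake (assumed model: the chance
    of minting the next block is proportional to stake at full weight)."""
    return attacker_coins / (attacker_coins + honest_coins)


def catch_up_probability(q, z):
    """Nakamoto's estimate that a private chain overtakes z confirmations
    when the attacker wins each block with probability q."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p
    poisson = math.exp(-lam)          # Poisson term for k = 0
    prob = 1.0
    for k in range(z + 1):
        prob -= poisson * (1.0 - (q / p) ** (z - k))
        poisson *= lam / (k + 1)      # advance to the term for k + 1
    return max(prob, 0.0)


def confirmations_needed(q, max_risk=0.001, limit=1000):
    """Smallest z whose catch-up probability is below max_risk, else None."""
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    honest = minting_coins(13.66)     # PoS difficulty quoted in the post
    print(f"effective minting coins: {honest:,.0f}")
    # Constructed attacker holdings, for illustration only.
    for attacker in (100_000, 400_000, 800_000, 1_700_000):
        q = stake_share(attacker, honest)
        print(f"{attacker:>9,} coins  share={q:.3f}  "
              f"confirmations for <0.1% risk: {confirmations_needed(q)}")
```

A result of `None` means no confirmation count within the limit brings the risk under the threshold, which is the case once the attacker's share of minting stake reaches one half.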

The assumption that PoW is a part of the security model was wrong and I tried to start a discussion regarding “PoW for security” here:


In fact you don’t need control over the PoW process, because the PoW block weight is 1 and that is faaaaar below the PoS block weight (http://www.peercointalk.org/index.php?topic=2606.msg22152#msg22152). And it’s the block weight that determines which fork gets chosen in case of chain forking.

It seems that the community is not very much interested in that idea or doesn’t like it, respectively, although I still believe it could make Peercoin much more secure, if designed and implemented deliberately.

I even thought about raising the PoS reward by taking it from the useless (in terms of security) PoW process here (to create an even bigger incentive to mint - additional to protecting the owned Peercoins): http://www.peercointalk.org/index.php?topic=2802.msg25090#msg25090

Not much attention for that…

Your math seems to be right. An attack is in economical terms cheaper than it should be…
…but unless the attacker already has those 3.8% it took some time to gather those 3.8% if driving the Peercoin price steeply upwards by creating a lot of demand would be unwanted. So the 2 mio. USD is more or less the minimum cost for an attack!

Hopefully all these serious problems seem to have been clearly identified by the community.

Sunny King seems to be willing to work with some of our brilliant devs here to fix them (check last SK interview link below).

Cold minting and minting reward improvements will hopefully help increase the number of people hosting full nodes to secure the network.

Last SK interview: http://www.peercointalk.org/index.php?topic=2857.0
Cold minting thread: http://www.peercointalk.org/index.php?topic=2783.0
Raspberry Pi node bounty: http://www.peercointalk.org/index.php?topic=2800.0

Ben: And by “51% stake attack,” I mean someone holding greater than 51% of the available coinage that is actively being used to attempt to mint blocks – not someone who is holding 51% of the available PPC in circulation

Ben: Do you have any guidance on what the community can do to ensure network security? Is it as simple as “start minting”?

Sunny King: Right that’s sort of comparable to 51% attack in bitcoin

Sunny King: I know many users are hesitant to do this because of risk of getting hacked. That’s why the cold minting feature is an important consideration

Sunny King: Before that feature is implemented, you can do two things to help mitigate the risk

Sunny King: One is to use the ‘minting only’ unlock mode for minting with an encrypted wallet

Sunny King: The other is to proxy your minting node behind tor

I have never claimed that you need both 51% PoW and 51% all coins to attack peercoin. That’s a misunderstanding of peercoin’s security. Peercoin’s security is 100% proof-of-stake, so in terms of security it’s not really a hybrid system. So you don’t need 51% PoW. You need and only need to attack proof-of-stake.

Also, you don’t need 50% of all coins, you only need a significant portion of active minting coins for a ‘51% attack’ (in bitcoin’s terms), which includes the ability to DoS the blockchain. However this does not mean peercoin’s security is then weaker than bitcoin’s. After 6~7 years, bitcoin’s inflation rate would be close to 1% annual. Let’s assume that the mining capital has a lifecycle of 3 years, then you would only need 3% of bitcoin total coin stock value to permanently 51% bitcoin blockchain. Of course, bitcoin’s inflation would drop further after another 4 years, and so on. So we are kinda of looking at bitcoin’s security at most a couple percent of total coin stock value.

Currently my rough estimate of peercoin’s 51% security is at about 1M~2M peercoins. That already puts us ahead of bitcoin’s future. Unlike bitcoin, peercoin’s security is not a function of inflation rate. Over time it would only strengthen as coins are more distributed. When the features that reduce minters’ risk while improving incentive are introduced, we are looking at a good leap of security level further.

Thanks for clarifying and putting Peercoin security in perspective. We should get more than 5M coins minting to increase security. Currently the top 5 Peercoin addresses have more than 4M coins.

“Also, you don’t need 50% of all coins, you only need a significant portion of active minting coins for a ‘51% attack’ (in bitcoin’s terms), which includes the ability to DoS the blockchain. However this does not mean peercoin’s security is then weaker than bitcoin’s. After 6~7 years, bitcoin’s inflation rate would be close to 1% annual. Let’s assume that the mining capital has a lifecycle of 3 years, then you would only need 3% of bitcoin total coin stock value to permanently 51% bitcoin blockchain. Of course, bitcoin’s inflation would drop further after another 4 years, and so on. So we are kinda of looking at bitcoin’s security at most a couple percent of total coin stock value.”

----> what is meant by “mining capital”?
----> how is calculated the “3% of bitcoin total value to 51% blockchain”

“Currently my rough estimate of peercoin’s 51% security is at about 1M~2M peercoins. That already puts us ahead of bitcoin’s future. Unlike bitcoin, peercoin’s security is not a function of inflation rate. Over time it would only strengthen as coins are more distributed. When the features that reduce minters’ risk while improving incentive are introduced, we are looking at a good leap of security level further.”

----> How do you calculate “1M~2M peercoins.”?

I calculated, with a 0.5M-coin address, this way.

the security does not rely on pow at all. pow is only used for distribution.

if i understand it right.

So should one have more than 2m ppc and the network is dead?
That will not please the capitalists or ambitious ppl out there

It would be difficult to buy 2 million ppc.

Can you explain the incentive of an attack?
Reminder: if you successfully stake, your PPC are unspendable for 520 blocks (approx. 3.5 days).
If you try to sell 2 million PPC after a successful attack, how big do you estimate the losses are?

And I’m not saying it’s easy to perform an attack.
I just don’t find a reason for such an expensive attack.
Please elaborate.