NeuCoin's 40-page white paper rebuts all nothing at stake objections

[center]The NeuCoin white paper just released - rebutting all “nothing at stake” objections to proof-of-stake[/center]

The NeuCoin Project just released a 40-page technical white paper on proof-of-stake. It is available as a PDF version on this link: http://www.neucoin.org/en/whitepaper

We hope to gather comments and questions from the PoS community as we consider this to be a first draft. Our work attempts to highlight how PoS is a superior alternative to Proof-of-Work. It offers arguments and data to stand up against the unsubstantiated “nothing at stake” claims made by many in the PoW camp. Bounties will be awarded for all constructive feedback, positive or negative; see details below.

The white paper starts with a discussion of PoW’s severe flaws: its increasing centralization, the prospect of much higher transaction fees over time, and the diverging interests of corporate miners and Bitcoin holders. It then explains how PoS solves all these flaws. Then it moves on to answering objections and addressing attack vectors.

Answering the “nothing at stake” argument

Thus far, PoS has been dismissed by much of the crypto community - especially large holders of Bitcoin - based on the umbrella objection that there is “nothing at stake.” What is meant is that since PoS mining does not consume any outside resources (electricity, computing power), miners have no costs, so nothing prevents them from endlessly trying to commit double-spends, or mining on multiple branches, no matter how low the odds of success. The critics ask, “how can you have security without paying anything for it?”

What PoW advocates neglect to see is that PoS security does have a cost: the capital cost of acquiring and holding coins. The brilliance of PoS is that it turns all coin owners into security providers, and requires any would-be attacker to purchase a large amount of the currency to attempt an attack, which would be an attack on his own wealth.

Besides ignoring the reality of capital costs, PoS critics are also prone to depicting scary-sounding attack vectors against PoS - grinding through the blockspace, rewriting history with old private keys, long-range, pre-programmed double spends - without explaining the details of how these attacks would be conducted or demonstrating mathematically that they have any chance of success.

Perhaps by leaving the critiques abstract, the point is made that PoS’s “nothing at stake” flaw is fundamental and nothing can be done to fix it. Or it could be that actually taking the time and effort to analyze the actual odds of success of a given attack vector against PoS is hard, time consuming and may not lead to the desired result (that PoS is hopelessly doomed). NeuCoin has taken the time to analyze the attack vectors and their chances of success. We hope that our white paper will be a contribution to the entire PoS community, and invite you to comment, give feedback and help take this technology even further.

White paper bounty program

NeuCoin bounties will be awarded by the NeuCoin Code foundation for all constructive input, both positive and critical, you will find details here: http://forum.neucoin.org/t/white-paper-bounty-program/

PoW is centralized, costly and inefficient - and has been attacking PoS on flimsy grounds. We hope the wider PoS community will join us in this debate.

was interested to see if the community picked up on Neucoin and you have

This was the post i was interested in on their main thread:

[quote=“iCEBREAKER”]BTC isn’t hard to use. You get the wallet from the app store and scan a QR code. Simple.

PoS isn’t “innovative.” It’s been around since Peercoin!

Also not innovative: ICO/ITO/presales/instamines, airdrops, slick graphics, hype and buzzwords with no specifics. PayCoin (your fellow Peercoin clone) already did all that.

Even if you did get every idiot on the internet microtipping their favorite snarky commenters, crap musicians, and asinine fremium game devs, how would NEUBcoin scale to handle all these transactions and the resulting bloated blockchain? ATM only expensive, proprietary, centralized Visa-style solutions are available.

You know what is innovative? Cryptonite’s mini-blockchain scheme (https://bitcointalk.org/index.php?topic=713538.0).

That’s what you should be building this on. But then you couldn’t control it solely for the benefit of your wannabe-plutocrat masters.

[b]This isn’t even Flooz 2.0. This is Beenz Lite!

DO. NOT. WANT.[/b][/quote]

Why they did not use peershares IDK?

Fuzzybear

Lol, Fuzzy.

Honestly, I’m so tired of people claiming to have solved problems like this when a solution for it has already been provided by Sigmike and Jordan Lee. How does writing a gigantic whitepaper and offering a Peercoin clone change anything? Most of the criticisms for nothing at stake have already been answered on this forum. If you’re serious about helping proof-of-stake succeed, then join us here. Peercoin invented proof-of-stake and has been fully functional for 2.5 years while the community is busy building its infrastructure.

Also, I like Tomjoad’s comment on Neucoin. He puts a NuBits twist on it though.

They seem to be a very well-funded project with some big crypto names (Jackson Palmer, Brock Pierce) on their team as "strategic advisors". I find it almost impossible to believe they haven't heard of the Nu project by this point, but perhaps they haven't.

The bigger problem is that their strategy is nonsense. They’re using a tried-and-true start-up approach of using lots of trendy words like “Freemium”, “Micropayments”, “Cloud Consumer Mining”, etc, as well as dropping big names all over their website.

This doesn’t change the reality that their economic model will never gain widespread adoption. Here are two statements which are completely at odds with each other:

1.Unlike most other digital currencies, purchasing NeuCoin is not simply speculating that one will be able to sell later to another speculator at a higher price. It is participating in a thoughtfully designed plan to create real utility in a digital currency, starting with a solution for micropayments on a broad scale.

2.NeuCoin’s economic model uses very high PoS awards, starting at 100% per year in year one and gradually declining to 6% by year ten. The total coin supply begins with a 3 billion pre-mine and will grow to an estimated 100 billion over ten years.

In short, they are using the same “wait and pray” method of solving volatility that Bitcoin employs. Neucoins are indeed “simply about speculating that one will be able to sell later to another speculator at a higher price”. With each new project (pun intended) introduced to the world I’m amazed how few seem to realize that the critical flaw of Bitcoin is not that it is too complicated to use, it’s that BTC cannot and will never hold a stable value.

Stability leads to utility in currencies; utility doesn’t lead to stability.

I found this in their whitepaper. Are they suggesting Sigmike is working with them or am I misinterpreting this?

3. Duplicate stake punishment: NeuCoin uses a client version developed by [b]Michael Witrant aka \sigmike[/b]" (core developer of Peercoin [b]and Technical Advisor to NeuCoin[/b]) that not only detects duplicate stakes so that honest nodes can reject them, but also punishes nodes that broadcast duplicate stakes by rejecting all blocks broadcast by the dishonest miner.

Also, much of the whitepaper seems to be about Peercoin and Sunny King. Can we have some technical people read through this and offer their opinions? Here is just one section. There’s much much more than this…

Is Peercoin's proof-of-stake design secure? In other words, does Peercoin answer the "nothing at stake" critiques? Does it both (a) prevent attackers from altering history and (b) maintain consensus on the order of transactions on a single block chain?

Before answering this question, let’s recall the context. Bitcoin itself is not cryptographically secure[5]. It only tries to be “economically secure” in the sense that an attacker would have to spend more than he could gain through an attack. Furthermore, it is fully acknowledged that any actor controlling 51% of Bitcoin network’s hash power could effectively shut Bitcoin down. In addition, Bitcoin has some flaws - inherently high operating costs, increasing centralization, and diverging interests between miners and coin holders - which Peercoin would correct - so perhaps some loss of security in Peercoin relative to Bitcoin would be an acceptable tradeoff.

Even with all of these considerations, our conclusion would still be that Peercoin’s design is only somewhat secure - and significantly less secure than that of Bitcoin. The rationale for our conclusion will be explained in the following section 3.2, where we review all of the changes that NeuCoin has made to Peercoin’s design. In our opinion, the factor that detracts the most from Peercoin’s security is that its design fails to incentivize a large proportion of coins to be staked at any one time. It also suffers from issues related to its use of coin age in block generation. Lastly, it fails to foil attempts to precompute proofs of stake due to the static nature of its stake modifier design.

Whether or not Peercoin’s creator Sunny King would agree with our specific conclusions is unknown. It is likely, however, that he shares the view that Peercoin’s design is not currently “secure enough”. This can be inferred from the fact that three years after its creation, Peercoin still uses centrally broadcast checkpoints that prevent any possible changes to the part of block chain earlier than the checkpoint. The checkpointing is done several times per day by way of Sunny King digitally signing the block chain.

The great thing about checkpointing is that even proof-of-stake’sfiercest critics will concede that it does secure the currency against attacks. The downside of checkpointing is that it is a form of centralization. It is not the case that the entity that performs the checkpointing has the power to control the block chain, but it is the case that all users of the currency are relying on this “trusted entity” to provide a necessary layer of security.

Unfortunately for Peercoin, checkpointing has severely hurt market acceptance of the currency partly because the checkpointer is the anonymous creator Sunny King himself. There are obvious and near-fatal problems with trusting an anonymous person with a necessary security function. What happens if that anonymous person dies or becomes incapacitated, sells off his or her stake in the currency, or simply loses interest?

+9000

First of all, the reason we posted on Peercointalk is certainly not to cast doubt over Peercoin or Peershares but to hopefully spark a discussion on proof-of-stake security.

The fact is that the majority of the crypto community is still convinced that PoS cannot possibly be secure. When asked about PoS algorithms in his reddit AMA, Gavin simply provided a link to Andrew Poelstra’s paper called Distributed consensus from proof of stake is impossible.This is a problem.
I believe we’re all in the same boat when it comes to convincing the crypto community that there are secure and more efficient alternatives to Bitcoin’s proof-of-work. NeuCoin has a model (non-profit foundations with millions of dollars) that allows it to invest heavily in consumer adoption and utility development. A benefit to Peercoin is that NeuCoin is going to bring lots of attention to PoS.

Sentinelrv:

Most of the criticisms for nothing at stake have already been answered on this forum. If you're serious about helping proof-of-stake succeed, then join us here.

We’ve obviously been through all the answers on the forum (especially the ones compiled by Pillow) and we decided to write our own because:

[ol][li]We believe that the best way to answer PoS critics is to provide a detailed, scientific description of the attacks and show mathematically their odds of success. I strongly encourage you to read section 3.3 about the attacks on PoS and tell me what you think.[/li]
[li]Let’s face it, all the efforts so far to convince the Bitcoin community of the viability of proof-of-stake have failed so far. That’s why all PoS coins put together have just 1% of Bitcoin’s market cap (and only about 5% of Ripples’ market cap). Proof-of-stake has much less momentum than it had a year ago. Proof-of-stake detractors are winning and this is an issue that concerns all of us.[/li][/ol]

Moreover, as described in the quote of the white paper Sentinelrv provided, the reason why we decided to launch our own coin is because we believe Peercoin has made decisions that will make it hard to get rid of checkpointing. I’ve been studying Peercoin’s protocol extensively for quite some time now, and believe me, I think Sunny is a genius! However, we believe that market adoption of proof-of-stake requires abandoning checkpoints. Security also requires having incentives to motivate large numbers of nodes to stake large numbers of coins over time.

I strongly encourage you to read the parts on NeuCoin’s security. All feedback is appreciated.

I will read the whitepaper later. Will you please post the link to neucoin github repo? I am sure the community will love to see and share your innovation.

Also, if you can open a pull request on Github against ppcoin’s repo to merge your NeuCoin fixes that would be awesome! :))

The Neucoin repo will be made public just before the launch. However, the modifications made to Peercoin’s code are detailed extensively in section 3.2 of the white paper so you can take a look there

Why not :)) the problem is most of them would require a hard fork!

No problem, let’s do this!

On page 14, the second “vulnerability” is in itself very weak (remember that a node doesn’t contribute to the network if it doesn’t find a block). Moreover this is arguably a feature because more people could consider minting a block because 1) it needs very short period of time connecting wallet to the internet (safer); or 2) even you have a very small stake, you don’t have to mint years to get your reward, you need only mint for a few minutes at a specific time. I didn’t find any block for 1.5 years because I mint on and off. With findstake I have found like 5 blocks.

On page 37, about the long range attack, simulation or more detailed analysis is need to show it is an actual problem for Peercoin. The reason is that when you split your attacking coins to many stakes, each stake becomes small in value hence has less chance to find a block in a given period. This not only forces you to choose an attacking window in proportional farther distant future, hence increases capital opportunity cost, but also makes it proportionally harder to “aim” the stake at an attack window of a given length. The attack window has to be so short that you need to squeeze 6+ consecutive blocks in tens of minutes for peercoin.

For example if a stake is 1000 PPC, at currrent difficulty, after 90 days, it has ~0.1% chance to find a block in a given 20 min window. To get 6 stakes in one 20 min window you need to aim 10^15 times! Everytime you aim you resend the stake to yourself and wait for 6 hours to calculate stake modifier. It will take you longer than the life of the universe to get it done (you could increase number of stakes to paralellize. It proportionally increases cost and you can only improve by up to several 1000 times). It seems that you can’t realistically succeed.

[quote=“koubiac, post:7, topic:3424”]First of all, the reason we posted on Peercointalk is certainly not to cast doubt over Peercoin or Peershares but to hopefully spark a discussion on proof-of-stake security.

The fact is that the majority of the crypto community is still convinced that PoS cannot possibly be secure. When asked about PoS algorithms in his reddit AMA, Gavin simply provided a link to Andrew Poelstra’s paper called Distributed consensus from proof of stake is impossible.This is a problem.
I believe we’re all in the same boat when it comes to convincing the crypto community that there are secure and more efficient alternatives to Bitcoin’s proof-of-work. NeuCoin has a model (non-profit foundations with millions of dollars) that allows it to invest heavily in consumer adoption and utility development. A benefit to Peercoin is that NeuCoin is going to bring lots of attention to PoS.

Sentinelrv:

Most of the criticisms for nothing at stake have already been answered on this forum. If you're serious about helping proof-of-stake succeed, then join us here.

We’ve obviously been through all the answers on the forum (especially the ones compiled by Pillow) and we decided to write our own because:

[ol][li]We believe that the best way to answer PoS critics is to provide a detailed, scientific description of the attacks and show mathematically their odds of success. I strongly encourage you to read section 3.3 about the attacks on PoS and tell me what you think.[/li]
[li]Let’s face it, all the efforts so far to convince the Bitcoin community of the viability of proof-of-stake have failed so far. That’s why all PoS coins put together have just 1% of Bitcoin’s market cap (and only about 5% of Ripples’ market cap). Proof-of-stake has much less momentum than it had a year ago. Proof-of-stake detractors are winning and this is an issue that concerns all of us.[/li][/ol]

Moreover, as described in the quote of the white paper Sentinelrv provided, the reason why we decided to launch our own coin is because we believe Peercoin has made decisions that will make it hard to get rid of checkpointing. I’ve been studying Peercoin’s protocol extensively for quite some time now, and believe me, I think Sunny is a genius! However, we believe that market adoption of proof-of-stake requires abandoning checkpoints. Security also requires having incentives to motivate large numbers of nodes to stake large numbers of coins over time.

I strongly encourage you to read the parts on NeuCoin’s security. All feedback is appreciated.[/quote]

I agree that something needs to be done to convince PoW supporters, but many of them are so invested in Bitcoin that they try to twist everything you tell them. Pillow has experience with talking to PoS critics. It’s like they don’t want to hear your arguments. I remember Gavin in particular posting on Twitter about the rich getting richer, an argument debunked a long time ago. Even with checkpoints removed, it’s hard to tell if they would suddenly have an awakening, since they’re so invested in PoW already.

I wanted to point out that NuBits doesn’t use synchronized checkpoints. Their high minting participation comes from the fact that shareholders need to vote on motions, interest rates and custodian proposals in order for the network to function properly, so they have a better incentive to mint than Peercoin.

Either way, I’ve notified both Sigmike and Sunny King about the Neucoin whitepaper and its criticisms against Peercoin. I’m not sure whether they will respond here in public, but I encourage them to. After all, you said you wanted to start a discussion on improving PoS security. Many people in this community have been waiting for checkpoints to be removed. It would be a shame if Sunny continued to remain silent on important topics like this. I’m sure we all want to know what he thinks.

I have a question though. Let’s say Sunny and Sigmike were convinced and decided to tweak the system to implement these changes. You say you think it will be hard to do this, but let’s just say that it could be done. Would there really be a reason to push Neucoin anymore if you accomplished the changes in Peercoin you sought out to make? Why not invest heavily in consumer adoption and utility development of Peercoin if all your security concerns end up getting relieved in the future? It sounds like you’ve been studying us for a while, so I imagine it’s possible you may be invested to some degree, plus the price is currently pretty cheap.

hey mhps,

First of all, let me start by saying that I really appreciate the detailed feedback

Very interesting thread, I hadn’t seen the post on FindstakeJS. I’m gonna read more on this, it’s an interesting idea but I’m not very comfortable with it for the following reasons:

[ol][li]It requires managing the evolution of difficulty extremely wisely.
As you wrote in FindstakeJS’s thread:

Specifically, if someone takes his node off line for a month because the diff has been 15 and in this month his stakes will only find block at diff=13, then unexpectedly the difficulty dips to below 13, the node won't be able to find the block at diff = 13 (hence unable to contribute to network security, pushing the diff up).

I think that assessing exactly what the repercussions could be would require further research but a situation where a significant part of coin holders rely on assumptions of future difficulty to determine when they will connect their wallets seems potentially risky. [/li]

[li]The network must trust people to mine when they are supposed to. I think this is placing a lot of trust in the behavior of the coin holders. Every user forgetting to connect his wallet when he is supposed to will lower the security. Another consequence would be that it would disrupt the forecasted difficulty! [/li][/ol]

More generally (and perhaps on a quasi philosophical level ), I think the very fact of being able to see in the future is an issue. The next topic being a consequence of this.

We initially had a much longer part on this but we decided to take it out for 3 reasons:
1/ The paper is already 40-pages long!
2/ NeuCoin doesn’t suffer from it thanks to the “floating stake modifier” so we didn’t want to go too much into details
3/ As I said in a previous post, our goal definitely isn’t to bash Peercoin, we owe an awful lot to Sunny’s work and we know it

I actually did some quite extensive math research on this topic, so if you’re interested, I’d be glad to make another post with a much more detailed (and cleaner) explanation.
However, a simple way of looking at it is:
If an attacker wanted to attack the network 1 year in the future, he would be able to resend his stakes ~41 times (number of stake modifier interval in a year). This means that (even without taking into account the fact the many of the stakes he has kept for the attack have accumulated more coin age than the network average) the attacker divides by 41 the number of coins necessary to conduct a 51% attack over the chosen attack window.

Two things:

[ol][li]As you pointed out, this doesn’t mean that this attack vector allows him to make a temporary 51% attack with a infinitesimal number of coins, but it does allow him to greatly multiply the influence he should normally have over the network.[/li]
[li]The fact that he can sell the coins that are not needed before the attack window starts further reduces the cost of the attack (from the devaluation of the coins used in the attack).[/li][/ol]

I think it’s a very interesting topic, I’d be glad to continue the discussion

Can you do a real attack? Hypothetical attacks let me down.

Talking to PoW people is difficult. It would be great to listen to a debate between you and /r/nullc. He’s a we’ll meaning and friendly person i gather, but don’t think pos works. Talking here is like preaching in the church besides that people have another god (investment) Perhaps. I do think checkpointing is the major thing holding peercoin back but iit’snecessary. Neucoin on the other hand is major inflationary. Peercoin has an emergent ecosystem growing. Neucoin has perhaps better media campaign strategies. i guess the race is on. I fail to see how neucoin and peercoin can "help eachother ". I’m not selling my peercoins for it. Might sell some btc though. It’s unfortunate that you’re not putting your weight behind peercoiN - i get the feeling its a way of making moneY. Neucoin won’t be the last though. I forsee a Litecoin fork like explosion in the future.

Well it’s definitely an easier attack to conduct than the grinding attack for instance.
The only thing you need to do is to check when your stakes are susceptible to mine and resend the ones that don’t perform until you reach the attack window.
With the checkpointing mechanism currently in place in Peercoin it wouldn’t work. I don’t remember the exact frequency but they happen often enough to prevent double spends, so they make pretty much any attack on consensus history impossible.

The issue with this mechanism is that it constitutes a high level of centralization and as sentinelrv pointed out it badly hinders proof of stake adoption.

I agree, convincing hardcore bitcoin people is going to be a daunting task
Hopefully, these arguments are harder to turn down when they are scientifically detailed. I guess best thing we can do is to make it difficult for them to ignore us

Either way, I've notified both Sigmike and Sunny King about the Neucoin whitepaper and its criticisms against Peercoin.

Thanks for doing that. Actually, Sigmike is one of our technical advisors and has already read the paper and given us feedback. We would obviously love to have Sunny’s input. All constructive criticism is welcome and who better than Sunny himself to do that.

I have a question though. Let's say Sunny and Sigmike were convinced and decided to tweak the system to implement these changes. You say you think it will be hard to do this, but let's just say that it could be done. Would there really be a reason to push Neucoin anymore if you accomplished the changes in Peercoin you sought out to make? Why not invest heavily in consumer adoption and utility development of Peercoin if all your security concerns end up getting relieved in the future?

That question is too hypothetical for me!

Hello.

Thanks for posting about the paper in this forum. I’m still reading it.

Could you please license the paper itself under a free license?. I suggest to dual license it under the Creative Commons BY-SA 4.0 (or any later version published by Creative Commons) and the GNU General Public License (or any later version published by the Free Software Foundation). Note that by the Berne convention, publishing a work without a license makes it proprietary (It is equivalent to “all rights reserved”).

I have a comment so far: In page 6, there is the assertion that Bitcoin miners get free Bitcoins for solving a PoW; however the bitcoins they receive are not free, it takes work (money and effort invested in mining equipment) to earn them, and they represent a reward for the work done securing the network.

Regards.

I’ve browsed the site. This is probably one of the best attempt I’ve seen of making money out of thin air. I suspect that this isn’t the average pump n dump, instead it’s a well thought out scheme with the purpose of not dumping on the forest wave of speculators, but rather cashing out on the investment gradually over a much longer period of time. The lure is interrogation of neucoin into possibly any or all of the businesswas businesses mentioned either outright or implicit by name dropping candy crush etc. Also the time limit for big bag holders and when they can cash out, further makes it more of a longer term thing. IN the end a pos coin costs n ed xt to nothing to print (only fork and maintain). I can see myself buying this coin for btc instead of betting on bitfinex. Same risk of losing everything, but probably better reward. The pump propaganda machine, that’s what it is all about four this coin. It might work. I’m not sure.