NeuCoin's 40-page white paper rebuts all nothing at stake objections

We initially had a much longer part on this but we decided to take it out for 3 reasons:
1/ The paper is already 40-pages long!
2/ NeuCoin doesn’t suffer from it thanks to the “floating stake modifier” so we didn’t want to go too much into details
3/ As I said in a previous post, our goal definitely isn’t to bash Peercoin, we owe an awful lot to Sunny’s work and we know it :slight_smile:

I actually did some quite extensive math research on this topic, so if you’re interested, I’d be glad to make another post with a much more detailed (and cleaner) explanation.
However, a simple way of looking at it is:
If an attacker wanted to attack the network 1 year in the future, he would be able to resend his stakes ~41 times (number of stake modifier intervals in a year). This means that (even without taking into account the fact that many of the stakes he has kept for the attack have accumulated more coin age than the network average) the attacker divides by 41 the number of coins necessary to conduct a 51% attack over the chosen attack window.[/quote]

Hi koubiac,

So currently the number of coins necessary for this attack would be roughly 22,000,000 PPC (coins in existence) x 0.15 [% of staking coins, not quite sure how much that is right now] x 0.51 divided by 41.

That’s roughly 41,000 PPC, right?

This is of course under the assumption that this attack vector is really valid, since you did not disclose the proceedings in greater detail yet. Also, assuming that there was no central checkpointing of course.

I didn’t check the other numbers, but the coefficient 0.51 is definitely wrong. 51% has nothing special. “51% attack” is an incorrect name for that attack scheme. However, 50 % is special, because any amount of computational power or stake beyond that guarantees that the attacker will eventually succeed, in that regard, 51% is no different from 50.03 % or 82+π %. The attack scheme must be called “>50 % attack scheme” or at least “>50 % attack”. Regardless of which proportion of the hash rate or stash the attacker controls, it is still a stochastic process, so the attacker may succeed with a power or stake below 50 % (See the random walk calculations in the Bitcoin original paper). Some extra considerations apply to proof of stake due to its predictability, here I assumed that it is equivalent to proof of work. The implied analysis by which 50 % is taken to be privileged also ignored network propagation delay, which may play a significant role if the attacker exploits it (See Majority is not Enough: Bitcoin Mining is Vulnerable (note that it exaggerates the impact, but otherwise it seems correct to me)).

[quote=“koubiac, post:14, topic:3424”]a situation where a significant part of coin holders rely on assumptions of future difficulty to determine when they will connect their wallets seems potentially risky.

The network must trust people to mine when they are supposed to. I think this is placing a lot of trust in the behavior of the coin holders. Every user forgetting to connect his wallet when he is supposed to will lower the security. Another consequence would be that it would disrupt the forecasted difficulty![/quote]

The difficulty changes very slowly. The choice of minimal difficulty can be set to very low so that it is highly unlikely that difficulty will drop to so low suddenly (maybe if half of the Internet is cut off)

Difficulty is determined by the rate blocks are found so those who won’t find any block can be off-line and have no effect on difficulty.

More generally (and perhaps on a quasi philosophical level :) ), I think the very fact of being able to see in the future is an issue. The next topic being a consequence of this.

Look at NXT as an extreme example: which address will find out the next block is totally known.

[quote="mhps, post:12, topic:3424"]On page 37, about the long range attack, simulation or more detailed analysis is need to show it is an actual problem for Peercoin. [...][/quote]

We initially had a much longer part on this but we decided to take it out for 3 reasons:
1/ The paper is already 40-pages long!
2/ NeuCoin doesn’t suffer from it thanks to the “floating stake modifier” so we didn’t want to go too much into details
3/ As I said in a previous post, our goal definitely isn’t to bash Peercoin, we owe an awful lot to Sunny’s work and we know it :slight_smile:

Please make it clear in the paper that the attack vector is ineffective to Peercoin due to a combination of stakemodifier, capped coin-age, and confirmation time. It could be effective to other POS coins if the parameters aren’t carefully selected.

[ol][li]As you pointed out, this doesn't mean that this attack vector allows him to make a temporary 51% attack with an infinitesimal number of coins, but it does allow him to greatly multiply the influence he should normally have over the network.[/li] [li]The fact that he can sell the coins that are not needed before the attack window starts further reduces the cost of the attack (from the devaluation of the coins used in the attack).[/li][/ol]

The attacker has a factor of 10^15 against him. The small advantages won’t help.

When you say “sell” do you mean selling without moving the coins?

It’s not how many coins. It’s how long. In my example 1000 PPC stakes will need to try 6 hours x 10^15 long to succeed. That is about 700 billion years! Even if you have 1,000,000 PPC stakes you need like a billion years.

Hi mhps,

thanks for your clarification. I think there are not so many people around with a really deep understanding of the Peercoin protocol, so it’s great that you have taken up the discussion at a time when few old members of the community are active in the Forum.

Yeah, I imagine you have quite an extensive experience about that :slight_smile:
I’d love to have a debate, hopefully we’ll be trying to get the conversation started on reddit pretty soon. As you said, it might be the best place to have a debate without preaching to the choir.

I've browsed the site. This is probably one of the best attempts I've seen of making money out of thin air. I suspect that this isn't the average pump n dump, instead it's a well thought out scheme with the purpose of not dumping on the forest wave of speculators, but rather cashing out on the investment gradually over a much longer period of time.
Founders and early investors are indeed subject to the following strict re-sale provisions: they may only sell 2% of their holdings per month in the first year, 3% per month in year two, 4% per month in the year three, 5% per month in year four and 6% per month in year 5.
This is probably one of the best attempts I've seen of making money out of thin air. [...] The lure is integration of neucoin into possibly any or all of the businesses mentioned either outright or implicit by name dropping candy crush etc.

I’m not exactly sure what you mean here.
Besides the white paper we’ve just released, we have indeed thought through a plan to make NeuCoin useful for regular consumers. We want to develop its utility according to a strategy that no other altcoin has implemented before. Just like any venture would develop its product and utility, our goal is to make NeuCoin useful for the widest user base possible: if we achieve this goal, it will indeed benefit the founders and early investors, but also the digital currency community as a whole, as well as the mainstream consumers who find NeuCoin useful. Achieving this goal will be a long-term effort that we’re excited to make, as we all know that just issuing a new altcoin - however good its tech is - doesn’t make it useful for a large user base.

[quote=“Ötzi, post:25, topic:3424”]Hi mhps,

thanks for your clarification. I think there are not so many people around with a really deep understanding of the Peercoin protocol, so it’s great that you have taken up the discussion at a time when few old members of the community are active in the Forum.[/quote]

I think Ben and sigmike and Sunny etc. are all around.

I think my last answer was not detailed enough to really be useful.

I believe that these numbers are in the right ballpark. However, I don’t quite get why you choose these goals. In a 20mn window, the entire network is supposed to find 2 blocks. Modelling the arrival of blocks as a Poisson process, an attacker with >50% the mining power (and therefore, certain to successfully conduct the attack we’re talking about) has a probability to find 6 blocks in a 20mn window that is ~0.00059 so of course this is not what an attacker is looking for :slight_smile:

Since the forum’s format is not very adapted for detailed descriptions I wrote a latex doc that I’ve uploaded at the following address: https://www.scribd.com/doc/260113453/Preprogrammed-attack
Let me know if you think there’s a mistake or if something isn’t clear.

The conclusion of the latex doc is:
In order to perform a sustained 51% attack, an attacker would need ~0.18% of all PPC (~40000PPC or <$14000 at today’s rate).

A few remarks:

[ul][li]I haven’t taken coin age into account to simplify the model. Since the attacker prepares his attack long in advance, coin age actually allows him to perform the attack with less than ~0.18% of the coins.[/li]
[li]The attack doesn’t necessarily have to take place over a small period (or even over a single window). For example, an attacker who wants to conduct a 51% attack sustained over a month would have to split his coins into a number of stakes larger than the number of blocks he needs to create (>>2160)[/li]
[li]What limits the attacker’s power (and the length of the attack) is that he cannot split his coins into an infinite number of stakes. However, since the transaction fee is small (0.01PPC) splitting his coins into 100k stakes will only cost him $300 per step of the attack.[/li]
[li]Furthermore, the previous point is mitigated by the fact that by splitting his coins into a very large number of stakes the % of his coins not actually mining blocks decreases and he can therefore sell a very large portion of the coins needed for the attack and not be impacted too much by the devaluation of the currency. This is an important point because a large part of the cost of the attack becomes a capital cost. For example an attacker who wants to perform a 51% attack over a week would need only ~504 mining stakes. Let’s suppose he spent $14000 to buy enough coins to perform the attack: if he has split his coins into 10000 stakes, he will be able to sell ~95% of his coins before the attack. Therefore the actual cost of the attack will be $700![/li][/ul]

For these reasons, I believe that the very possibility of seeing into the future creates very severe issues.

It was probably alphabetical, but I don’t feel like I’m qualified at all to be included on that list :wink: I am paying close attention to this thread.

After briefly talking to him about it, I’m confident that if SigMike saw something during his technical consultation of NeuCoin’s strategy / modifications to the proof of stake algorithm that pointed to obvious deficiencies in either Peercoin, Peershares, or Nu, that he would not hesitate to draw appropriate attention (and action) to it.

The fact that the NeuCoin team has been able to detail the underlying maths that make up proof of stake is important. Sunny King’s and Scott Nadal’s initial adaptations of the existing Bitcoin codebase to introduce what became the Peercoin protocol were imaginative and bold but lacked the detailed technical descriptions. I personally believe that these documentation deficiencies have retarded the spread of information about the protocol – and by association reduced the number of developers who wanted to jump through the hoops to make sense of what was going on – greatly. The more development that occurs within the proof of stake space the better.

Agreed. Everything is pretty unorganized and important info is scattered around in different threads all over the forum. This doesn’t help matters at all. One of the main problems is that people with the best understanding are always too busy with different projects to detail everything. That’s why I love the way Nu organizes all of their information for interested developers. It makes it easier for them to get involved. The technical proof-of-stake info needs to be detailed for this very reason, to grow our existing number of developers.

I remember that Sunny King said the PoW and PoS will coexist for a long time. And SK made PrimeCoin (PoW) AFTER his Peercoin in 2013.

Should we spend so much time on PoW/PoS debate? Since Sigmike is also neucoin adviser, I doubt neucoin can outperform PPC with regard to network security. Of course any improvement on PoS mechanism by Neucoin team is appreciated/welcomed.

My worry on PoS is not WITHIN its system but OUT of it. For example, what is your salary level in your boss’ eyes, is not determined by yourself ability which is perhaps much higher than your duty demands, just by your replacer when your boss fires you and how much money he will pay for him/her.

Substitutability or Scarcity is the most important economic concept. How could PoS coin deal with their copycats especially the latter has a better/wider distribution? Is there any scarce thing in your system? Nubits(PoS), as far as I know, has scarce BTC/ USD in its system. A copy cat of Nu must get as large business as Nu, and overtake it. Bitcoin has huge hash rate barrier(300P?) so the PoW copy cats can hardly get same security as bitcoin.

But what is the defense of Peercoin (PoS) against imitators? Sunny King is very smart but this world has lots of smart programmers who can read and modify PPC source code, and perhaps some improvement can be made by them. You see Neucoin is coming when PPC market capitalization is so low. How many will come when we assume PPC cap. reaches several billion USD? :)) Because of this, I don’t believe PPC will reach high cap. in future.

I definitely don’t want to throw sigmike under the bus here :slight_smile:
1/ He has advised us mainly on the white paper (so I didn’t get the chance to talk about the details of such an attack on ppc with him)
2/ As stated previously, checkpointing thwarts this attack (and many others obviously)

I haven’t shared this with many people so it’d be great to get feedback from you guys.

Agreed. Everything is pretty unorganized and important info is scattered around in different threads all over the forum. This doesn’t help matters at all. One of the main problems is that people with the best understanding are always too busy with different projects to detail everything. That’s why I love the way Nu organizes all of their information for interested developers. It makes it easier for them to get involved. The technical proof-of-stake info needs to be detailed for this very reason, to grow our existing number of developers.[/quote]

Couldn’t agree more. I also think it makes it much more difficult to convince the community of the viability of proof-of-stake.

Mhps,

Koubiac’s attack is not about splitting one’s own coins into infinitely smaller stakes, it’s about resending them to yourself every 8.82 days when the stake modifier for your stake(T[sub]sm[/sub]) has been determined.

After reading koubiac’s new document, which is mostly a copy of page 37 of his Neucoin whitepaper, I finally got it:

You do not really need to understand all of the math in this document (I don’t either). The math is only necessary for calculating the exact amount of PPC that you need to succeed with your attack under certain circumstances (distance of attack window into the future, total number of coins, percentage of minting coins etc.).

The model of the attack itself is much more simple:
Say for example, to simplify it even further, you do not even want to attack the network, but you want to be able to mint a block at Christmas evening of 2016:

You buy 100 PPC on an exchange and send them to your address.
Wait 8.82 days. The stake modifier for your PPC is now determined.
Check with Findstake: Will my 100 PPC be able to stake on 24th Dec. 2016 at the expected difficulty?
No. Resend the coins to yourself, paying 0.01 PPC transaction fee. Wait 8.82 days.
Check with Findstake: Will my 99.9 PPC be able to stake on 24th Dec. 2016 at the expected difficulty?
No. Resend the coins to yourself, paying 0.01 PPC transaction fee. Wait 8.82 days.
Check with Findstake: Will my 99.8 PPC be able to stake on 24th Dec. 2016 at the expected difficulty?

Notice how your total chance to mint a block at Christmas evening 2016 is increasing with every cycle?

And so on and so forth until either you find a stake that can mint on 24th December 2016 (succeed) or until Christmas evening 2016 has passed, because of the 8.82 days that you had to wait between each cycle (fail).

Coin age only has an impact in this during the last cycles, 90 days before Christmas evening 2016.
The chance to succeed is higher for BOTH a larger amount of coins you own and for a longer span of time until your attack window. With 1,000 PPC and Christmas evening 2017 it would be easier.

So in this regard a flexible stake modifier like in Blackcoin (and Neucoin) is more secure. I don’t know though if a flexible stake modifier opens up other attack vectors.
It would be great to have Sunny’s and SigMike’s opinions on this matter.
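Added example (not part of any post in this thread, and not NeuCoin or Peercoin code): a small model of the resend cycle described in the post above, showing where koubiac's "divide by 41" comes from and when it overstates the gain. It assumes every resend is an independent draw with per-cycle probability `p_single` (a constructed value) of landing in the target window, and it also recomputes the 41,000 PPC estimate and the Poisson figure quoted earlier in the thread.

```python
import math
import random

STAKE_MODIFIER_INTERVAL_DAYS = 8.82  # wait between resends, as quoted in the thread


def reroll_count(days_until_window: float) -> int:
    """Number of complete resend cycles that fit before the target window."""
    return int(days_until_window // STAKE_MODIFIER_INTERVAL_DAYS)


def p_hit(p_single: float, rerolls: int) -> float:
    """P(at least one of `rerolls` independent draws lands in the window)."""
    # 1 - (1 - p)^n, written with log1p/expm1 so a tiny p keeps its precision.
    return -math.expm1(rerolls * math.log1p(-p_single))


def stake_multiplier(p_single: float, rerolls: int) -> float:
    """How many times more likely a hit is than with a single, unrepeatable draw."""
    return p_hit(p_single, rerolls) / p_single


def simulate(p_single: float, rerolls: int, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of p_hit: stop resending as soon as one check succeeds."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if any(rng.random() < p_single for _ in range(rerolls)):
            hits += 1
    return hits / trials


def coins_for_majority(total_supply: float, staking_fraction: float,
                       majority: float, rerolls: int) -> float:
    """The thread's estimate: staking coins x majority share / number of resends."""
    return total_supply * staking_fraction * majority / rerolls


def poisson_tail(lam: float, k: int) -> float:
    """P(X >= k) for X ~ Poisson(lam)."""
    return 1.0 - sum(math.exp(-lam) * lam**i / math.factorial(i) for i in range(k))


if __name__ == "__main__":
    n = reroll_count(365)
    print("resend cycles in one year:", n)
    # Constructed per-cycle probabilities, from very unlikely to fairly likely.
    for p in (1e-6, 1e-3, 1e-2, 1e-1):
        print(f"p_single={p:<8} P(hit)={p_hit(p, n):.6f} "
              f"multiplier={stake_multiplier(p, n):.2f}")
    print("simulated P(hit) at p=0.01:", simulate(0.01, n))
    print("coins for the estimate in the thread:",
          round(coins_for_majority(22_000_000, 0.15, 0.51, n)))
    # Read here as: at least 6 blocks when 1 is expected (half of the
    # network's 2 blocks per 20-minute window).
    print("P(>= 6 blocks | rate 1):", round(poisson_tail(1.0, 6), 5))
```

For very small per-cycle odds the multiplier is close to the number of cycles, which is the 41 used in the thread; it falls off as the per-cycle odds grow, and it is exactly 1 when only a single draw is possible.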

Hope this thread helps to lower PPC’s price further … $0.2 or even $0.1, the lower the better. ;D

thehuntergames had mentioned about how to fork https://www.peercointalk.org/index.php?topic=3940.msg37781#msg37781

To create a fork, do the following;
  • collect a bunch of outputs that will stake in a future timespan X
  • have a private network of nodes that don't broadcast new stakes
  • When X comes due, stake those coins with your own nodes without broadcasting
  • meanwhile, double spend coins on the normal chain as well as your own forked chain
  • release your forked chain, if it is the longest coin age → profit

Koubiac’s attack provided the math to come up with a number of coins required to do so : ~40K

I can’t seem to find anything in the whitepaper or wiki about the effect of distribution on the security of a proof of stake coin. This is strange since you do such a good job of explaining the problems Bitcoin has with centralization of mining, but don’t mention that by the looks of it Neucoin will be considerably worse in this regard.

Proof of stake is only as decentralized as its distribution. As far as I can tell, after the presale 96.66% of coins (and therefore total control of the network) will be under the control of the original private investors and foundations. While it does say that coins will be distributed to new users, developers, companies etc. to encourage growth, I wouldn’t have much faith in this improving things to an acceptable level.

As Bitcoin's increasing centralization becomes clearer and clearer to the crypto-community, many of its supporters may abandon it in favor of a more decentralized solution.

I agree, but Neucoin doesn’t seem to be that solution. When I first researched Peercoin I disliked two things: that it used checkpoints and that it hadn’t improved upon Bitcoin’s terrible distribution. Compared to newer proof of stake coins however, Peercoin’s distribution seems amazing, and looking at how the crypto-community is progressing I think removal of checkpoints is more likely than a new coin improving on Peercoin’s distribution.

Jordan Lee posted about this here…

When I first saw NeuCoin's name, I wasn't pleased with its similarity to our own, but reasoned it was likely a coincidence.

Now that they are working with sigmike and presented the exact same nothing at stake solution we rolled out to production in September while implying it will be an innovation created for their network, may I suggest that it would be easier to buy some NuShares rather than imitating what we are doing?

Imitation is the sincerest form of flattery.

Citing me and the Nu network (in addition to sigmike) as the source of their nothing at stake solution would be the right thing to do. Sigmike and I co-architected it in a long series of communications.

Neucoin team claims they can solve “nothing at stake” problem of PoS. However, neucoin just redefine it.

The old “nothing at stake” definition is below:

there is “nothing at stake,” meaning that since proof-of-stake mining doesn’t incur any costs for electricity and computing power, nothing would prevent dishonest miners from endlessly trying to commit double spend fraud or mine on multiple chains, no matter how low the odds of succeeding.

The neucoin phenomenon rewrites the “nothing at stake”

there is “nothing at stake,” meaning that since proof-of-stake mining doesn’t incur any costs for electricity and computing power, nothing would prevent smart programmers from endlessly trying to duplicate the old PoS crypto source code and make new similar coins , no matter how low the odds of succeeding.

You can copy/modify bitcoin source code but you can hardly duplicate the 300P hashrate hardware behind it.

The crypto world is tiny today, but if bitcoin becomes mainstream, the millions of IT programmers on this planet will rush into this field and you will find that it only costs several smart programmers to make a new POS coin and distribute it freely among people on internet. Without scarcity, PoS has no future unless you introduce scarce resource such as BTC/USD into your system as Nubits.

I believe there are only two ways out

  1. POW, bitcoin, primecoin etc
  2. nubits system with USD/BTC in system, ie on liquid provider custodians’ hands.

Then,
How does your solution (if verified) to the nothing at stake problem differ from Nu’s one other than that it comes way later (so reasonably likely to be imitating it or identical to it)?

edit: typo

Investors have keenly sensed this potential, with NeuCoin having already secured US$2.25 million in seed and angel funding from investors including Patrik Stymne, Uber senior vice-president of business Emil Michael, Facebook’s head of growth Rob Goldman and Hotwire president Henrik Kjellberg.
Wow, the "wolf" is coming! You see Uber/Facebook/Hotwire behind neucoin. Why they prefer PoS rather than PoW? ;)

In fact, we just talked about scarcity 2 months ago, see this link:

arbitrageur said

ok let's make a few examples.

bitcoin right now has, according to my estimates, about 250k users. here comes linkedin, they silently buy 10m litecoin (the price will shoot up let’s say to 0.02 btc while many people wonder what’s happening to that crappy coin) and then distribute them to their users, let’s say 100m people, or 400 times as much as btc distribution. on the announcement litecoin will shoot even further to 0.25 btc, its theoretical value, or even higher.

now what’s likely to happen? well, I believe that since btc security provided by its mining it’s way higher than ltc, people will start selling ltc to get btc. yes ltc mining will increase rapidly, but most likely not enough to match btc’s hashrate and security. so slowly ltc will come back down to a reasonable price. also, due to the switching from ltc to btc by most of those 100m people, btc will be much better distributed, even to the point of overtaking ltc new distribution.

after a few weeks facebook creates a new coin, facecoin, a copycat of btc and distribute it even to a wider user base, 1B people. lots of mining will swiftly switch from btc to facecoin as the price of the new coin will make it hugely profitable, but this won’t last long. people will most likely start selling facecoin for bitcoin (while the miners are selling for fiat) and we will end up exactly as before.

now, let’s say 2 years from now btc is dead and ppc has taken its place with about the same price and distribution btc has now. repeat the two stages. first linkedin adopts an existing copycat of ppc called linkcoin and distribute it to 100m people. instantly it will be 400 times more secure than ppc and even more fairly distributed. so it will take its place. when facebook creates its facecoin, the same happens. facecoin will replace linkcoin because it has even a wider user base and a fairer distribution. and then, I don’t know but nobody today has more network than facebook (maybe some chinese social network?), in any case I believe the copycat process will end up with a winning POS that had the widest and fairest distribution.


Sentinelrv said:

The way I've always looked at it is that every blockchain is independent of one another. For example, Bitcoin's scarcity relies solely on the supply of Bitcoin and not any other crypto that also happens to use proof-of-work. The same would go for Peercoin. Peercoin's scarcity relies solely on the supply of existing PPC, how many are being created through inflation and destroyed through transaction fees. Peercoin is Peercoin. Why should some other copycat proof-of-stake coin affect Peercoin's scarcity? Am I wrong in thinking that copycat blockchains should have no effect on the scarcity of the originals as well as each other, since they're all independent from one another?

Sentinelrv, there are two ways to betray the PPC blockchain.

  1. mine on multi blockchains within ppc , this way is blocked by Jordan/Sigmike.

  2. Create a brand-new PoS coin with same features as PPC and get more distributed than PPC. Jordan/sigmike can do nothing about this behavior, if they don’t contribute to the new coin…

Scarcity means substitutability. Bitcoin’s scarcity depends on its extremely high hashrate otherwise it has no scarcity at all after being copied thousands of times. Could you find other pow coins with 300p hashrate? No!

Now facebook/Uber comes, do you PPC fans still have the faith that PPC has more security than coming Neucoin? They can issue each Uber/Facebook user a small amount of Neucoin. Then what’s next? For me, the neucoin’s quality/security/popularity better than PPC, I will definitely use neucoin and dump ppc! A fake PPC (no offense against neucoin) will overtake original ppc, all boils down to so called “energy efficiency, security” features, LOL. Nothing at stake!

This community has badly underestimated the value of Primecoin, what a pity!