Pillow's Peercoin Myths

[quote=“onthefrynge, post:11, topic:2518”]I have been working hard trying to figure out why this attack isn’t valid for someone willing to spend the money.

https://bitcointalk.org/index.php?topic=604716.20

By splitting up your stake into small chunks you can attempt to mint with almost the same rate on successive blocks without losing coin age. Someone please tell me I am wrong. And then if you skew your block’s time but stay within the clock-drift you get an even better chance of success (as hinted at in the post by cinnamon_carter, page 2, 6/5/2014).[/quote]

Great - I’ve added it to the list! I’ve not looked at this one before. If someone knows the answer to this one, please post here or PM me so I can update the first post.

[quote=“Jordan Lee, post:5, topic:2518”][…]
Let’s consider the above attack scenario for someone who has accumulated 6% of all Peercoins, meaning they spent at least $2,400,000 USD on Peercoins at today’s prices and split them up into 6 different outputs or addresses (one for each of the 6 consecutive blocks they need). Let’s assume they waited 90 days to mint with those coins. Such a person might have a 3% chance of finding the next block.
[…][/quote]
Hi Jordan!
I appreciate your input to this discussion as you are for sure one who understands the source code and the mechanics of Peercoin. I only have my apprehension to try to follow…
One question that crossed my mind:
does the attacker need 6% of all Peercoins or 6% of all actively minting Peercoins?
If the attacker only needs 6% of the minting Peercoins to have the attack probability you calculated it would be significantly “cheaper” to get the needed Peercoins.
Based on the assumption that only < 5 million Peercoins are minting (http://www.peercointalk.org/index.php?topic=2515.msg27233#msg27233), only < 300,000 Peercoins are needed to achieve the probability you calculated.

I agree that it will be hard to get a direct financial gain by executing a successful or almost successful double spend (although it is easier the less Peercoins you need for that because it is easier to buy/sell them in a short period of time without suffering from a huge spread between buy/sell price)

But what about other reasons to attack Peercoin? Reasons that are not incentivized by a direct financial gain?
What about governments?
What about people being heavily invested in Bitcoin who might feel threatened by a possible success of Peercoin but are not willing to invest in Peercoin and rather try to bring it down (hoping that the fall of the “first PoS coin” pushes the Bitcoin price higher)?

I want Peercoin to succeed as I believe in the need for crypto currencies and I understand that PoW has flaws that are (at least partly) addressed by PoS, especially by the way Peercoin is implemented. But I still don’t understand why PoW is not used as additional security layer while it is in place for mining.

I made a kind of proposal how to include PoW in the security model of Peercoin (http://www.peercointalk.org/index.php?topic=2606.msg22403#msg22403). I understand that the idea of including PoW in the security model is not welcome. I understand that this would need a hard fork because the protocol needs to be adjusted. But I still claim that wisely including PoW in the security model would raise the security level if you’d need a certain amount of control over both of the PoS and PoW process to successfully attack the block chain.
If PoW is the weaker part of the security model (weaker than PoS) but not as negligible as it is currently, there would be even more at stake.
Economically speaking it would be more secure that way!

[quote=“romerun, post:4, topic:2518”]How do you respond to the history attack? Critics claim by using checkpoint, therefore peercoin is centralized by dev. For example:

https://bitcointalk.org/index.php?topic=615843.msg6753563#msg6753563[/quote]

Here is something else about this…

http://www.reddit.com/r/Bitcoin/comments/281kqz/51_has_been_reached/ci773o2

[quote=“Sentinelrv, post:14, topic:2518”][quote=“romerun, post:4, topic:2518”]How do you respond to the history attack? Critics claim by using checkpoint, therefore peercoin is centralized by dev. For example:

https://bitcointalk.org/index.php?topic=615843.msg6753563#msg6753563[/quote]

Here is something else about this…

http://www.reddit.com/r/Bitcoin/comments/281kqz/51_has_been_reached/ci773o2[/quote]

Great, I added it to the index in the top post.

Oh-my, AlphaBar woke up on the aggressive side that day :)) I’ve not thought of this kind of attack earlier, so I’ll need help addressing this one as well.

Those myths that we’re not able to actually debunk ourselves, we could perhaps ask Sunny about. If the peercoin main site is also going to have a myth section, I believe it could be worthwhile for him to do it.

EDIT: OK, read it now. Will attempt a brief summary here:

[ol][li]Attacker has more than 50% of the total coin supply in block 9[/li]
[li]Attacker sells all of the coins on an exchange in block 11[/li]
[li]Attacker changes his Peercoin client’s source code and starts to mint his own chain from block 10; in this chain the coins were never sent to the exchange.[/li]
[li]When the attack chain is longer than the main chain on the network, attacker broadcasts the attack chain[/li]
[li]The main chain is substituted by the attack chain[/li]
[li]Attacker now has USD on the exchange and all the peercoins in the wallet[/li][/ol]

Another version of basically the same thing is:

[ol][li]Attacker buys private keys that are “no longer used” from an early adopter who sold his old coins in block 10, for 1 USD.[/li]
[li]Attacker uses these private keys that happened to have held 50% of the coin supply in block 9[/li]
[li]Attacker changes his Peercoin client’s source code and starts minting on block 9, building his own chain in which the coins were never spent in block 10.[/li]
[li]When the attack chain is longer than the main chain on the network, attacker broadcasts the attack chain.[/li]
[li]Attacker now has coins which can be sold on an exchange.[/li][/ol]

Did I understand this correctly? How is this attack vector addressed in Peercoin?

EDIT 2: Maybe “chaintrust” (http://www.peercointalk.org/index.php?topic=2606.30) or “duplicate block” have something to do with it? I’m thinking chaintrust because the coin age is consumed when minting (50% of the coins is a lot though and theoretically more could be bought cheaply) so “duplicate block protection” looks interesting in this context. But I’ve got to study these kernel things and so forth and so on. Would be easier if someone who already knew gave us some hints.

[quote=“onthefrynge, post:11, topic:2518”]I have been working hard trying to figure out why this attack isn’t valid for someone willing to spend the money.

https://bitcointalk.org/index.php?topic=604716.20

By splitting up your stake into small chunks you can attempt to mint with almost the same rate on successive blocks without losing coin age. [/quote]
That is right! You can do this. But we think that even if you split your coins, you have to make an immense investment to attack Peercoin.

Clock drift problem:

Smike elaborated how this works in http://www.peercointalk.org/index.php?topic=2634.0.
He states:

[quote][quote]Since the network has a tolerance of two hours of time stamp error, does it mean one can try 14400 different time stamps per second?[/quote]

Yes. There are other limits involved but you can try more timestamps per second. The client already tries some previous timestamps if you missed them.

But if you try the next 14400 timestamps at time t, then at time t+1 you’ll try 14399 timestamps you’ve already tried, and only try 1 new. So you still try only 1 new timestamp per second.

If you do that it may still be a little easier to find a block if the difficulty changes a lot (because you’ll try more timestamps when the difficulty is low). But it’s probably not significant. And you wouldn’t get more reward, you’d only a part of it earlier.[/quote]
I am not sure, but I think that if an attacker attacks the network over 1 hour - assuming he wants to reorganize 6 blocks - then he can try 14400+7200 timestamps instead of just 7200 timestamps. For sure this would be an advantage for the attacker, but still he has to have many many coins…

[quote=“Jordan Lee, post:5, topic:2518”]I would like to present the specific steps of an attack exploiting the “nothing at stake” phenomena. As you will see, the attack does not pose a serious threat to the network.

  1. Alter the client source code to not include any transactions in a block except your own.

  2. Write a utility that can sign and automatically issue a transaction to transfer coins from and to addresses of your choosing.

  3. Build and deploy your altered Peercoin client to 10 different virtual machines.

  4. Open exchange accounts with 10 different exchanges. In each virtual machine, configure the utility you wrote to transfer the same coins to a unique exchange address. You are attempting a double spend, or in this case, you try to spend the same coins 10 times.

  5. Mint on all 10 virtual machines using the same wallet on each while sending out transactions spending your coins to ten different exchange deposit addresses. Other nodes will only accept a single transaction: the one they received first. You only have about a 10% chance of the exchange nodes receiving the spend you wanted it to (this works the same in a proof of work system like Bitcoin). If any other client besides the attackers’ finds the next block, the multiple spend is resolved and the coins cannot be used again to attempt a multiple spend in the next block. The attempt to get the double or multi spend confirmed failed. If the attacker is very lucky and finds the very next block after sending out multi spends (using 10 machines does not increase the attacker’s likelihood of finding the next block), there will be 10 forks with 10 different spends of the same coins with one confirmation. No other transactions will be included in these 10 competing blocks.

  6. We now have 10 Peercoin forks, all of which are being minted on. Clients run by others will decide which fork to mint on based on which of the 10 competing blocks they received first.

  7. The next block will be minted. If it is minted by someone else other than the attacker, which is the overwhelming likelihood, this new block defines the best chain and consensus is restored across the entire network. All legitimate transactions excluded from the previous block are included in this block. In the unlikely event that the next block is minted by the attacker, all 10 forks will continue.

  8. As soon as anyone else on the network besides the attacker finds a single block, the attack is defeated. Double spends (or 10 spends in our case) disappear and all other transactions are confirmed normally.

Let’s consider the above attack scenario for someone who has accumulated 6% of all Peercoins, meaning they spent at least $2,400,000 USD on Peercoins at today’s prices and split them up into 6 different outputs or addresses (one for each of the 6 consecutive blocks they need). Let’s assume they waited 90 days to mint with those coins. Such a person might have a 3% chance of finding the next block. If they succeed at getting one and only one confirmation on their multiple spends they cannot defraud an exchange (because they typically require 6 confirmations). They have less than a 0.1% chance of getting two blocks in a row and around 0.003% of find three in a row. The chance they will find six blocks in a row is 0.00000000729%. They must wait 90 days to get another optimal chance to attack after a failed attempt.

If they fork the network for one or two blocks and their double spend is successful for only one or two blocks, they can’t defraud an exchange but they might harm the value of their own investment if the market is not impressed by these one or two block forks. Because 6 consecutive blocks are needed to defraud an exchange from double spending, even a very large stakeholder would have a negligible chance of success. If they got somewhat close to success but failed (the overwhelming likelihood) it would lower the value of their Peercoins as the market priced in worries of a possible future success. The odds of gain are strongly against you because any near success that ultimately fails can hurt the value of your Peercoins.

The endeavor cannot be embarked upon with an expectation of financial gain. Financial loss is far, far more likely. The loss of large amounts of time is certain. Additionally, few people have the skills to mount such a complicated attack. The fact that such forks have not been known to occur suggests no one has attempted it, precisely because it is extremely unlikely to result in financial gain while much more likely to result in loss.

There are many more important threats to PoS networks than the risk of a successful exploit of the “nothing at stake” phenomena. For instance, the possibility that the Peercoin network will experience low levels of adoption is far, far greater than the possibility of a successful attack of the kind described above. We should focus our attention accordingly.

Update: I realized I had over estimated the probability of a successful attack. If you buy 1% of Peercoins and put them all in the same output (similar to an address), you might have about a 3% chance of finding the next block. However, you would have nothing left to try to find your 2nd, 3rd, 4th, 5th and 6th consecutive blocks. To do that with the probabilities mentioned above you would need to purchase 6% of all Peercoins at a current cost of more than 2.4 million USD. Doing so would raise the price of Peercoin, meaning you would have to pay more than market price on average. Similarly, such a large amount of Peercoins would have to be sold later below market price on average, exposing the attacker to certain financial loss.[/quote]

Let’s say I’m buying a whole lot of old private keys that once upon a time could be used to spend an enormous amount of coins. Then I select a block a long way back in time, when those coins were still there and build a chain that is super long. Would I then be able to broadcast this chain and replace the main chain on the network (and if check-pointing is disabled of course)?

Will the duplicate block protection invalidate the attack chain? I looked at the code, but I’m very reluctant to even speculate on these things, since I’m writing educational material.

Solution given by Ethereum:
Slasher: A Punitive Proof-of-Stake Algorithm

[quote=“crypto_coiner, post:19, topic:2518”]Solution given by Ethereum:
Slasher: A Punitive Proof-of-Stake Algorithm
http://blog.ethereum.org/2014/01/15/slasher-a-punitive-proof-of-stake-algorithm/[/quote]

I think the paper is deceptive. The author argues a solution, but the problem isn’t there. The “Nothing at stake” myth that is referred to, has been debunked. Check out Jordan’s post here: http://www.peercointalk.org/index.php?topic=2976.msg27303#msg27303

Thanks for pointing out.

[quote=“pillow, post:15, topic:2518”]EDIT: OK, read it now. Will attempt a brief summary here:

[ol][li]Attacker has more than 50% of the total coin supply in block 9[/li]
[li]Attacker sells all of the coins on an exchange in block 11[/li]
[li]Attacker changes his Peercoin client’s source code and starts to mint his own chain from block 10; in this chain the coins were never sent to the exchange.[/li]
[li]When the attack chain is longer than the main chain on the network, attacker broadcasts the attack chain[/li]
[li]The main chain is substituted by the attack chain[/li]
[li]Attacker now has USD on the exchange and all the peercoins in the wallet[/li][/ol][/quote]
I don’t see an economic incentive here, even if we’re talking about 50% of active stake - sell off for 1/4 (example - v.optimistic) of their $ value and still having all Peercoins but with market valuation @ 1/6 of their original value (v.optimistic) together gives 7/24=30% of value before attack.

[quote=“pillow, post:15, topic:2518”]Another version of basically the same thing is:

[ol][li]Attacker buys private keys that are “no longer used” from an early adopter who sold his old coins in block 10, for 1 USD.[/li]
[li]Attacker uses these private keys that happened to have held 50% of the coin supply in block 9[/li]
[li]Attacker changes his Peercoin client’s source code and starts minting on block 9, building his own chain in which the coins were never spent in block 10.[/li]
[li]When the attack chain is longer than the main chain on the network, attacker broadcasts the attack chain.[/li]
[li]Attacker now has coins which can be sold on an exchange.[/li][/ol][/quote]
Situation here is quite similar, you expect 50% of coins to be already sold (don’t expect current holders to participate in attack), attacker has to pay for old keys and pray for no hardware checkpoint in client update (triggered by f.e. high coindays destruction or price action - network has 30 days).

Each unsuccessful attack will increase distribution -> better security.

The key is that security gets improved over time/distribution - other coins may have checkpoint-free consensus but diminishing security.

Right?

[quote=“masterOfDisaster, post:13, topic:2518”][quote=“Jordan Lee, post:5, topic:2518”][…]
Let’s consider the above attack scenario for someone who has accumulated 6% of all Peercoins, meaning they spent at least $2,400,000 USD on Peercoins at today’s prices and split them up into 6 different outputs or addresses (one for each of the 6 consecutive blocks they need). Let’s assume they waited 90 days to mint with those coins. Such a person might have a 3% chance of finding the next block.
[…][/quote]
Hi Jordan!
I appreciate your input to this discussion as you are for sure one who understands the source code and the mechanics of Peercoin. I only have my apprehension to try to follow…
One question that crossed my mind:
does the attacker need 6% of all Peercoins or 6% of all actively minting Peercoins?
If the attacker only needs 6% of the minting Peercoins to have the attack probability you calculated it would be significantly “cheaper” to get the needed Peercoins.
Based on the assumption that only < 5 million Peercoins are minting (http://www.peercointalk.org/index.php?topic=2515.msg27233#msg27233), only < 300,000 Peercoins are needed to achieve the probability you calculated.[/quote]

Jordan and MoD, from my study there are only ~10% (about 2M) Peercoins minting, in agreement with SK’s estimate. The attacker doesn’t need to split into 6 piles. My study shows that currently with a half million Peercoins (2.5% money base) split in many smaller stakes the address owner could sustainably produce a quarter of all new POS blocks, therefore by statistical coincidence is able to double spend every half year.

Also Jordan’s assumption that the attacker has to find all blocks by himself is not necessarily true if there are many concurrent minters minting on all chains. I made some analysis here. The conclusion is not clear but it points to little prospect to actually gain a profit.

In short we should not be over complacent. Currently the network is running fine because probably all big stake owners who can attack the network want Peercoin to be good and safe. We should get more stakes minting.

[quote=“josojo, post:17, topic:2518”]Clock drift problem:

Smike elaborated how this works in http://www.peercointalk.org/index.php?topic=2634.0.
He states:
[…]
I am not sure, but I think that if an attacker attacks the network over 1 hour - assuming he wants to reorganize 6 blocks - then he can try 14400+7200 timestamps instead of just 7200 timestamps. For sure this would be an advantage for the attacker, but still he has to have many many coins…[/quote]

I think the problem is still there, although not as severe. For every new block there would be 7800 (2hr+10min) tries rather than 600 (10min).

No counter-argument for that. Although hard to achieve when even uber-hero members of this forum admit that they’re waiting for cold locked minting :-\

Can you elaborate this? Block # doesn’t take part in calcs.

I’m not waiting. All your blocks are belong to me!

@BenNot mine! :slight_smile:

OT: what do you think about Minting Badge action: “I’mkac- is minting like crazy bastard, last block 102322”. This would require a service where you can input block # with 140 chars message signed with minting address(for sigmike’s cold stor. mint. - spending address). ???

Yep…that would be me. :-\

[quote=“mhps, post:23, topic:2518”][quote=“masterOfDisaster, post:13, topic:2518”][quote=“Jordan Lee, post:5, topic:2518”][…]
Let’s consider the above attack scenario for someone who has accumulated 6% of all Peercoins, meaning they spent at least $2,400,000 USD on Peercoins at today’s prices and split them up into 6 different outputs or addresses (one for each of the 6 consecutive blocks they need). Let’s assume they waited 90 days to mint with those coins. Such a person might have a 3% chance of finding the next block.
[…][/quote]
Hi Jordan!
I appreciate your input to this discussion as you are for sure one who understands the source code and the mechanics of Peercoin. I only have my apprehension to try to follow…
One question that crossed my mind:
does the attacker need 6% of all Peercoins or 6% of all actively minting Peercoins?
If the attacker only needs 6% of the minting Peercoins to have the attack probability you calculated it would be significantly “cheaper” to get the needed Peercoins.
Based on the assumption that only < 5 million Peercoins are minting (http://www.peercointalk.org/index.php?topic=2515.msg27233#msg27233), only < 300,000 Peercoins are needed to achieve the probability you calculated.[/quote]

Jordan and MoD, from my study there are only ~10% (about 2M) Peercoins minting, in agreement with SK’s estimate. The attacker doesn’t need to split into 6 piles. My study shows that currently with a half million Peercoins (2.5% money base) split in many smaller stakes the address owner could sustainably produce a quarter of all new POS blocks, therefore by statistical coincidence is able to double spend every half year.

Also Jordan’s assumption that the attacker has to find all blocks by himself is not necessarily true if there are many concurrent minters minting on all chains. I made some analysis here. The conclusion is not clear but it points to little prospect to actually gain a profit.

In short we should not be over complacent. Currently the network is running fine because probably all big stake owners who can attack the network want Peercoin to be good and safe. We should get more stakes minting.[/quote]

Let’s focus for a second on the second option, the one where attacker buys old private keys that have held a lot of coins but not longer does.

I have a question: Will the double block protection mechanism protect us from, someone building a new blockchain, starting from a point in time where there actually were coins spendable with the private key?

[quote=“mhps, post:24, topic:2518”][quote=“josojo, post:17, topic:2518”]Clock drift problem:

Smike elaborated how this works in http://www.peercointalk.org/index.php?topic=2634.0.
He states:
[…]
I am not sure, but I think that if an attacker attacks the network over 1 hour - assuming he wants to reorganize 6 blocks - then he can try 14400+7200 timestamps instead of just 7200 timestamps. For sure this would be an advantage for the attacker, but still he has to have many many coins…[/quote]

I think the problem is still there, although not as severe. For every new block there would be 7800 (2hr+10min) tries rather than 600 (10min).[/quote]

Oops, I messed up the numbers, but the way I calculated things was right!
Right version:
If an attacker attacks the network over 1 hour - assuming he wants to reorganize 6 blocks - then he can try 7200+3600 timestamps instead of just 3600 timestamps.

mhps, your calculation is wrong, since the hash of a new block is not part of the hash the minter calculates in order to find a new block. Probably you have not seen sigmike’s last post in the thread mentioned above:

[quote][quote]Is it right? In the (N+1)th second the difficulty and the hash for the previous block have all changed so you won’t get the same hash with timestamp=N as you did in the Nth second (when timestamp was N). All 14400 hashes would be new compared with the last second.[/quote]

Actually the previous block hash is not part of the hash you compute in PoS. So the 14400 hashes stay the same even if there’s a new block.
The only thing that may change is the difficulty.[/quote]
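To make the timestamp-window argument from the posts above concrete, here is an added Python model. It is not code from this thread and not Peercoin’s actual kernel: it uses a toy SHA-256 “kernel hash” over a constructed stake identifier and a candidate timestamp, and lets the previous-block hash be included or left out, so the two readings can be compared directly. The two-hour drift window (7200 seconds either side, 14400 candidate timestamps), the stake identifier and the block labels are constructed values.

```python
import hashlib
from typing import Optional, Set

# Constructed parameter following the thread: a two-hour timestamp tolerance,
# i.e. 7200 seconds either side of "now", or 14400 candidate timestamps.
DRIFT_SECONDS = 2 * 60 * 60


def kernel_hash(stake_id: bytes, timestamp: int, prev_block_hash: Optional[bytes]) -> bytes:
    """Toy stand-in for a PoS kernel hash (constructed for this example, NOT
    Peercoin's real kernel). It commits to the stake being used and to the
    candidate timestamp. Whether the previous block hash is also committed to
    is a parameter, because that is exactly what mhps and sigmike disagree
    about: pass None to model a kernel that ignores the previous block."""
    h = hashlib.sha256()
    h.update(stake_id)
    h.update(timestamp.to_bytes(8, "big"))
    if prev_block_hash is not None:
        h.update(prev_block_hash)
    return h.digest()


def attempts_in_window(stake_id: bytes, now: int, prev_block_hash: Optional[bytes],
                       window: int = DRIFT_SECONDS) -> Set[bytes]:
    """All kernel hashes a minter can legally try at wall-clock second `now`:
    one per timestamp inside the tolerated drift window around `now`."""
    return {kernel_hash(stake_id, ts, prev_block_hash)
            for ts in range(now - window, now + window)}


def new_attempts_after_one_second(stake_id: bytes, now: int, prev_before: Optional[bytes],
                                  prev_after: Optional[bytes],
                                  window: int = DRIFT_SECONDS) -> int:
    """How many hashes tried at second `now + 1` were NOT already tried at
    second `now`. `prev_before` / `prev_after` are the previous-block hashes
    the kernel committed to at each second (equal if no block arrived)."""
    before = attempts_in_window(stake_id, now, prev_before, window)
    after = attempts_in_window(stake_id, now + 1, prev_after, window)
    return len(after - before)


def hits_under_target(attempts: Set[bytes], target: int) -> int:
    """Count attempts whose hash, read as a big-endian integer, is below
    `target`. A difficulty change moves `target`, not the hashes: the same
    attempt set is simply re-judged, which is sigmike's point that the only
    thing that may change is the difficulty."""
    return sum(1 for h in attempts if int.from_bytes(h, "big") < target)


if __name__ == "__main__":
    stake = b"constructed-stake-output-1"   # placeholder stake identifier
    now = 1_400_000_000                      # arbitrary wall-clock second

    # Case 1: the kernel ignores the previous block hash (sigmike's description).
    # Sliding the window by one second exposes exactly one unseen timestamp,
    # however many blocks arrived in the meantime.
    print("prev hash not in kernel:",
          new_attempts_after_one_second(stake, now, None, None))

    # Case 2: the kernel commits to the previous block hash and a block arrived
    # between the two seconds. Every one of the 14400 hashes is now fresh,
    # which is the situation mhps describes.
    print("prev hash in kernel, new block arrived:",
          new_attempts_after_one_second(stake, now, b"block-9", b"block-10"))

    # Difficulty change: same attempt set, different target.
    attempts = attempts_in_window(stake, now, None)
    easier, harder = 2 ** 256 // 2 ** 4, 2 ** 256 // 2 ** 8
    print("hits at easier target:", hits_under_target(attempts, easier))
    print("hits at harder target:", hits_under_target(attempts, harder))
```

Run stand-alone, the first case reports 1 new attempt per second and the second reports 14400; the two target counts differ while the attempt set does not, which is why a difficulty swing, not a new block, is the only thing that lets the window be re-tried usefully.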

No.