Pillow's Peercoin Myths

No counter-argument for that. Although hard to achieve when even uber-hero members of this forum admit that they’re waiting for cold locked minting :-\

Can you elaborate this? Block # doesn’t take part in calcs.

I’m not waiting. All your blocks are belong to me!

@Ben Not mine! :slight_smile:

OT: what do you think about a Minting Badge action: “I’m kac- is minting like a crazy bastard, last block 102322”. This would require a service where you can input a block # with a 140-char message signed with the minting address (for sigmike’s cold stor. mint. - the spending address). ???

Yep…that would be me. :-\

[quote=“mhps, post:23, topic:2518”][quote=“masterOfDisaster, post:13, topic:2518”][quote=“Jordan Lee, post:5, topic:2518”][…]
Let’s consider the above attack scenario for someone who has accumulated 6% of all Peercoins, meaning they spent at least $2,400,000 USD on Peercoins at today’s prices and split them up into 6 different outputs or addresses (one for each of the 6 consecutive blocks they need). Let’s assume they waited 90 days to mint with those coins. Such a person might have a 3% chance of finding the next block.
[…][/quote]
Hi Jordan!
I appreciate your input to this discussion as you are for sure one who understands the source code and the mechanics of Peercoin. I only have my apprehension to try to follow…
One question that crossed my mind:
does the attacker need 6% of all Peercoins or 6% of all actively minting Peercoins?
If the attacker only needs 6% of the minting Peercoins to have the attack probabilty you calculated it would be significantly “cheaper” to get the needed Peercoins.
Based on the assumption that only < 5 million Peercoins are minting (http://www.peercointalk.org/index.php?topic=2515.msg27233#msg27233), only < 300,000 Peercoins are needed to achieve the probability you calculated.[/quote]

Jordan and MoD, from my study there are only ~10% (about 2M) Peercoins minting, in agreement with SK’s estimate. The attacker doesn’t need to split into 6 piles. My study shows that currently with a half million Peercoins (2.5% of the money base) split into many smaller stakes, the address owner could sustainably produce a quarter of all new POS blocks, and therefore by statistical coincidence is able to double spend every half year.

Also Jordan’s assumption that the attacker has to find all blocks by himself is not necessarily true if there are many concurrent minters minting on all chains. I made some analysis here. The conclusion is not clear but it points to little prospect to actually gain a profit.

In short we should not be over complacent. Currently the network is running fine because probably all big stake owners who can attack the network want Peercoin to be good and safe. We should get more stakes minting.[/quote]

Let’s focus for a second on the second option, the one where the attacker buys old private keys that have held a lot of coins but no longer do.

I have a question: Will the double block protection mechanism protect us from someone building a new blockchain, starting from a point in time where there actually were coins spendable with the private key?

[quote=“mhps, post:24, topic:2518”][quote=“josojo, post:17, topic:2518”]Clock drift problem:

Smike elaborated how this works in http://www.peercointalk.org/index.php?topic=2634.0.
He states:
[…]
I am not sure, but I think that if an attacker attacks the network over 1 hour - assuming he wants to reorganize 6 blocks - then he can try 14400+7200 timestamps instead of just 7200 timestamps. For sure this would be an advantage for the attacker, but still he has to have many many coins…[/quote]

I think the problem is still there, although not as severe. For every new block there would be 7800 (2hr+10min) tries rather than 600 (10min).[/quote]

Oops, I messed up the numbers, but the way I calculated things was right!
Right version:
If an attacker attacks the network over 1 hour - assuming he wants to reorganize 6 blocks - then he can try 7200+3600 timestamps instead of just 3600 timestamps.

mhps, your calculation is wrong, since the hash of a new block is not part of the hash the minter calculates in order to find a new block. Probably, you have not seen sigmike last post in the thread mentioned above:

Is it right? In the (N+1)th second the difficulty and the hash for the previous block have all changed so you won’t get the same hash with timestamp=N as you did in the Nth second (when timestamp was N). All 14400 hashes would be new compared with the last second.[/quote]

Actually the previous block hash is not part of the hash you compute in PoS. So the 14400 hashes stay the same even if there’s a new block.
The only thing that may change is the difficulty.[/quote]

No.

No.[/quote]

I think I understand the difference. In the attacker’s chain, the attacker is minting using private keys that haven’t necessarily ever been used for minting. The private-key seller that sold the keys to the attacker never did any minting, hence the attacker can use these keys to mint without the network detecting any duplicate blocks (the definition of a block is a kernel and timestamp pair, where the kernel is the last output of one of your coin transactions).

(now let’s create a new attack scenario where we combine the nothing at stake attack with the history revision attack)
If I understand this correctly, it implies that if the coin-seller sells a huge amount of coins and the coins are transferred in one transaction (an example here where this won’t affect the market price would be MrBigPPC selling all his coins to the SecondMarket fund) to someone. Then the coin-seller also sells the private key to the attacker (actually the coin-seller could be the same entity as the attacker and perhaps even go short peercoins on a futures exchange after selling the coins) and then just a few blocks later use a customized Peercoin node, build a new chain and broadcast it to the net (and then attempt to sell the coins a second time).

Since the attacker has never minted before, it would not be perceived as a duplicate block right? And since the attacker didn’t really have to spend any resources, the attacker has a potential upside but only a very little risk (especially if the coin-seller is the same person as the attacker and the transaction to the coin-buyer was anonymous and price settled with some kind of anonymizing crypto currency).

Since the attack takes place almost instantly after the coin sale, there is probably no check-points and the coin age could potentially be huge as well.

Since I’m an ignorant fool with a puny brain, I really need someone to tell me where I went wrong here. Why won’t this work?

EDIT: Okay, it seems like the attack is technically possible. To keep this thread on topic, I’ve created a new thread where the attack can be properly addressed.

Thanks. I will go back to that thread and discuss there. I hate to see the same discussion spread all over the place.

This will work, theoretically.

If the attack is to happen immediately then huge coindays destruction will be visible beforehand, with lots of inputs, raising the buyer’s alertness and making deal execution doubtful. We’ll likely see downward price action on “coordinated stake movements” [no other than mining pools charades?] news and maybe a feedback loop of more coindays destruction. In result - no deal, price down.
I think that mably is working on service w/ those stats.

We need at least hardcoded checkpoints during coin distribution/adoption.

[quote]This will work, theoretically.
[…]
We need at least hardcoded checkpoints during coin distribution/adoption.[/quote]

I thought a lot about it. I think this might sound a lot worse than it is. There has to be a long chain of events before this could happen. There has to be someone with a big enough hoard, there has to be a buyer that is willing to buy all of these coins very fast (if there are too many confirmations during the selling phase, the attacker will not have enough coin age to be able to build a long enough attack chain). Then the attacker has to have some luck on top of that. And everything has to be carried out anonymously, because during the minting process there will be proof of who did the attack, and the coin buyer will have both the incentive and the technical details required to match the seller with the attacker. So, who is going to buy coins up front, waiting only a few confirmations, from an anonymous entity? Or is the attacker going to cover up the whole thing and hire “goal keepers”? It starts to sound like a movie or something. At least it sounds as if there are easier ways to make money than this.

While technically possible, it doesn’t sound that likely. Also, the higher the price of peercoins and the greater the distribution of coins, the more unlikely it is that this attack would happen.

If it is attempted, there is also a chance that it won’t be successful.

Agree?

EDIT: also, since price of peercoins is going to jupiter, who would even sell the coins in the first place when you can simply just hold on to them? :wink:

I am wondering if this threat could be addressed simply by having nodes reject any coinstake inputs that match any confirmed or queued transaction inputs over the past n blocks. If this becomes too processor intensive, perhaps only transactions involving a certain consumed coin-age will be matched against future coinstakes. While it is theoretically possible for this method to (rarely) reject some legitimate POS blocks, I think it is a worthy trade-off.

To keep this thread on-topic, I created a separate thread where we can discuss this attack vector.

#Nothing-at-Stake

Busting the myth
Nothing-at-Stake is a busted myth because it is extremely unlikely that someone could successfully carry out this attack, for both economic and technical reasons. When verifying whether the myth is true or false it is important to realize that Peercoin is not the only coin using PoS as a consensus mechanism and that there are meaningful differences between the implementations. In Peercoin there is a double-block protection mechanism (cancelling of the top block for double stakes), coin age consumption and economic implications that serve to protect against attacks. Here follow some variants of the myth and counter-arguments.

Version 1 of the myth: There is nothing that prevents minters from minting on several chains at once, and since doing so doesn’t cost anything, there is an incentive to do so. Therefore, the network will never reach consensus and there will be a multitude of competing chain forks.

Duplicate blocks are not propagated by the network, and a limit is imposed on how often an attack can be attempted by the coin age being consumed by staking. Secondly, the top block is removed when a duplicate stake (using the same output more than once) is received, directly punishing the attacker by delaying the reward and thus losing out on compounding interest.

Another protection is that because the attacker has to own a considerable amount of coins, it exposes the attacker to exchange rate risk (the value of their investment collapsing); a risk that is increased by the person’s own attempt to attack the network. The argument is flawed because it argues that the attacker has nothing at stake, when in reality the attacker has to spend resources to acquire the coins used in the attack, thereby exposing themselves to exchange rate risk. It is also false because the probability of succeeding with an attack greatly diminishes for each new block confirmation. The attacker’s coin age is consumed, thus preventing an extended attack from taking place.

Version 2 of the myth: Everyone will mint on as many chains as possible, because no one has anything to lose and nothing can stop them.

As already described, this won’t work since honest nodes will filter out and stop duplicate blocks from propagating on the network and double-staking entities are punished. Furthermore all Peercoin holders have an incentive to run honest nodes, because if the blockchain forked, the exchange rate would likely collapse. This is especially true for minting nodes, since staked coins cannot be spent. While the profit would be relatively small, dishonest nodes minting on several chains would put their entire stake at risk (exchange rate risk). This myth is busted, because everyone has something to lose (the value of the coin) and honest nodes stop duplicate blocks from propagating.

Version 3 of the myth: The double-block prevention mechanism in Peercoin can be removed and there is an incentive for everyone to do so and then mint on as many chains as possible, because no one has anything to lose and nothing can stop them.

Nothing-at-Stake assumes that a stake doesn’t have value, which is false. If there were multiple chains and chaos, the exchange rate of peercoins would collapse. Nobody would be able to trust that the coins they buy, receive or hold will be there for them to spend. There is a clear economic incentive for Peercoin users not to run a patched client that propagates double-blocks.

If everyone was minting on all chains and there was chaos, then the coin wouldn’t be worth anything at all. If it was worth nothing at all, there would be neither any point in holding nor minting peercoins. Why risk everything, when there is nothing to gain?

It’s in both the Peercoin buyers’ and holders’ interest that coins are buried as deep as possible in the blockchain that has the most chaintrust. This is true also for custodians, such as exchanges. Everyone who is exposed to the exchange rate risk of peercoins has an incentive to build only on the blockchain with the most chaintrust and to protect the network against double-block propagation.

Also note that when coins are used as a stake, they are locked and can’t be spent for a long period of time. The greater the stake, the greater the incentive to not do anything that could cause the exchange rate to collapse. The greater the stake, the more chaintrust contributed to the blockchain that already has the most chaintrust. Consensus is reached, because Peercoin users have the value of the coin at stake.

Learn More
For a more detailed rundown of the costs and probabilities associated with this attack, read this post by Peershares/NuBits architect Jordan Lee:

The block duplicate protection mechanism can be studied here:

Cancelling of the best block when duplicate block is received:

For a more in-depth study of the concerns surrounding this type of attack, the following links could serve as entry points:

And read this for an informal technical discussion about how PoS works:

Study the source code:

Counter-argument
The argument that the double-block protection mechanism in Peercoin could be removed is similar to the argument that the reward for mining a block in Bitcoin could be increased. Technically there is nothing that prevents this from happening in Bitcoin, yet it hasn’t happened. Why has this not happened in Bitcoin? Because Bitcoin miners have a stake in Bitcoin! But how great is this stake?

With Peercoin, the attacker must be fully invested in Peercoins. With Bitcoin, a malicious miner has resources invested in an infrastructure that can be pointed in the blink of an eye to perform mining on alternative coins. The attacker doesn’t need to own bitcoins, therefore it could be argued that the malicious Bitcoin miner has nothing at stake in Bitcoin.

More Myths
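The duplicate-stake handling the post above relies on (duplicate blocks not relayed, the top block cancelled when a second block spends the same stake) can be modelled in a few lines. What follows is example code added here, not Peercoin's source: it assumes, for the demo, that a proof-of-stake block is identified by the output it stakes (txid:n) together with its coinstake timestamp, that a node remembers every such pair it has accepted, and that a second, different block reusing a pair is never relayed and, if the pair belongs to the node's current tip, costs the double-staker that tip.

```python
"""Node-side filter for duplicate stakes, a simplified model of the
protection described above.  Example code, not Peercoin's source.
Assumed (not stated on the page): a PoS block is keyed by
(staked txid, output index, coinstake timestamp); the first block seen
for a key is accepted and relayed, a different block with the same key
is dropped, and if the first block is our tip it gets cancelled.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Stake:
    txid: str   # id of the transaction whose output is being staked
    n: int      # index of that output
    time: int   # coinstake timestamp (seconds)


@dataclass(frozen=True)
class Block:
    block_hash: str
    stake: Stake


@dataclass
class Node:
    stakes_seen: dict = field(default_factory=dict)  # Stake -> hash of first block using it
    chain: list = field(default_factory=list)         # accepted block hashes, tip last
    relayed: list = field(default_factory=list)       # what this node forwarded to peers

    def accept(self, blk: Block) -> str:
        prior = self.stakes_seen.get(blk.stake)
        if prior is None:
            # First time this kernel+timestamp is seen: ordinary block.
            self.stakes_seen[blk.stake] = blk.block_hash
            self.chain.append(blk.block_hash)
            self.relayed.append(blk.block_hash)
            return "accepted"
        if prior == blk.block_hash:
            return "already-known"          # same block re-announced by another peer
        # Different block body, same stake: one output minting on two chains.
        # Never relay it; if the first block is our tip, cancel that tip.
        # The stake stays recorded, so neither block can come back with
        # this kernel+timestamp.
        if self.chain and self.chain[-1] == prior:
            self.chain.pop()
            return "duplicate-stake: tip cancelled"
        return "duplicate-stake: ignored"


def run_scenario():
    """Constructed scenario: one minter stakes output aa..:0 at the same
    second into two different blocks (b1, b2); an honest block b3 follows."""
    node = Node()
    stake = Stake("aa" * 32, 0, 1_400_000_000)
    b1 = Block("b1", stake)
    b2 = Block("b2", stake)
    b3 = Block("b3", Stake("bb" * 32, 1, 1_400_000_000))
    outcomes = [node.accept(b1), node.accept(b1), node.accept(b2), node.accept(b3)]
    return outcomes, node


if __name__ == "__main__":
    outcomes, node = run_scenario()
    for outcome in outcomes:
        print(outcome)
    print("chain:", node.chain, "relayed:", node.relayed)
```

Running the scenario gives `accepted`, `already-known`, `duplicate-stake: tip cancelled`, `accepted`: b1 is relayed, b2 is never forwarded, and because b2 reuses b1's stake the node drops b1 from its tip, so the chain ends up holding only b3. That is the "delayed reward" the post describes: the double-staker's own first block is the one that loses its place.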

[quote=“Jordan Lee, post:5, topic:2518”]I would like to present the specific steps of an attack exploiting the “nothing at stake” phenomena. As you will see, the attack does not pose a serious threat to the network.

  1. Alter the client source code to not include any transactions in a block except your own.

  2. Write a utility that can sign and automatically issue a transaction to transfer coins from and to addresses of your choosing.

  3. Build and deploy your altered Peercoin client to 10 different virtual machines.

  4. Open exchange accounts with 10 different exchanges. In each virtual machine, configure the utility you wrote to transfer the same coins to a unique exchange address. You are attempting a double spend, or in this case, you try to spend the same coins 10 times.

  5. Mint on all 10 virtual machines using the same wallet on each while sending out transactions spending your coins to ten different exchange deposit addresses. Other nodes will only accept a single transaction: the one they received first. You only have about a 10% chance of the exchange nodes receiving the spend you wanted them to (this works the same in a proof of work system like Bitcoin). If any other client besides the attacker’s finds the next block, the multiple spend is resolved and the coins cannot be used again to attempt a multiple spend in the next block. The attempt to get the double or multi spend confirmed failed. If the attacker is very lucky and finds the very next block after sending out multi spends (using 10 machines does not increase the attacker’s likelihood of finding the next block), there will be 10 forks with 10 different spends of the same coins with one confirmation. No other transactions will be included in these 10 competing blocks.

  6. We now have 10 Peercoin forks, all of which are being minted on. Clients run by others will decide which fork to mint on based on which of the 10 competing blocks they received first.

  7. The next block will be minted. If it is minted by someone other than the attacker, which is the overwhelming likelihood, this new block defines the best chain and consensus is restored across the entire network. All legitimate transactions excluded from the previous block are included in this block. In the unlikely event that the next block is minted by the attacker, all 10 forks will continue.

  8. As soon as anyone else on the network besides the attacker finds a single block, the attack is defeated. Double spends (or 10 spends in our case) disappear and all other transactions are confirmed normally.

Let’s consider the above attack scenario for someone who has accumulated 6% of all Peercoins, meaning they spent at least $2,400,000 USD on Peercoins at today’s prices and split them up into 6 different outputs or addresses (one for each of the 6 consecutive blocks they need). Let’s assume they waited 90 days to mint with those coins. Such a person might have a 3% chance of finding the next block. If they succeed at getting one and only one confirmation on their multiple spends they cannot defraud an exchange (because they typically require 6 confirmations). They have less than a 0.1% chance of getting two blocks in a row and around 0.003% of finding three in a row. The chance they will find six blocks in a row is 0.00000000729%. They must wait 90 days to get another optimal chance to attack after a failed attempt.

If they fork the network for one or two blocks and their double spend is successful for only one or two blocks, they can’t defraud an exchange but they might harm the value of their own investment if the market is not impressed by these one or two block forks. Because 6 consecutive blocks are needed to defraud an exchange from double spending, even a very large stakeholder would have a negligible chance of success. If they got somewhat close to success but failed (the overwhelming likelihood) it would lower the value of their Peercoins as the market priced in worries of a possible future success. The odds of gain are strongly against you because any near success that ultimately fails can hurt the value of your Peercoins.

The endeavor cannot be embarked upon with an expectation of financial gain. Financial loss is far, far more likely. The loss of large amounts of time is certain. Additionally, few people have the skills to mount such a complicated attack. The fact that such forks have not been known to occur suggests no one has attempted it, precisely because it is extremely unlikely to result in financial gain while much more likely to result in loss.

There are many more important threats to PoS networks than the risk of a successful exploit of the “nothing at stake” phenomena. For instance, the possibility that the Peercoin network will experience low levels of adoption is far, far greater than the possibility of a successful attack of the kind described above. We should focus our attention accordingly.

Update: I realized I had over estimated the probability of a successful attack. If you buy 1% of Peercoins and put them all in the same output (similar to an address), you might have about a 3% chance of finding the next block. However, you would have nothing left to try to find your 2nd, 3rd, 4th, 5th and 6th consecutive blocks. To do that with the probabilities mentioned above you would need to purchase 6% of all Peercoins at a current cost of more than 2.4 million USD. Doing so would raise the price of Peercoin, meaning you would have to pay more than market price on average. Similarly, such a large amount of Peercoins would have to be sold later below market price on average, exposing the attacker to certain financial loss.[/quote]
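The figures in the quoted post (0.1%, 0.003%, 0.00000000729%) are the per-block win probability raised to the number of consecutive blocks needed. The block below is example code added here, not from the original thread, that reproduces them and adds the quantity mhps's "statistical coincidence" remark hinges on: the expected wait until a run of k attacker blocks happens on its own. The per-block probability p is an input, because the thread itself disputes how p relates to a coin share (it depends on coin age and on how much of the supply is actually minting), and blocks are treated as independent trials, which assumes a fresh, fully aged output for each block as in the six-output setup above.

```python
"""Arithmetic behind consecutive-block attack probabilities.  Example
code added to the thread, not from the original posts.  p is assumed
given; nothing here derives it from a coin share."""


def run_probability(p: float, k: int) -> float:
    """P(attacker mints the next k blocks in a row) = p**k."""
    return p ** k


def expected_blocks_until_run(p: float, k: int) -> float:
    """Mean number of blocks until the attacker first gets k wins in a
    row, for independent per-block trials with success probability p:
    (1 - p**k) / ((1 - p) * p**k), the classical waiting time for a run
    of k successes.  This is the 'keep minting and wait for a lucky
    streak' cost, as opposed to the odds of one deliberate attempt."""
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    q = p ** k
    return (1 - q) / ((1 - p) * q)


def attack_table(p: float, max_k: int = 6, block_interval_s: int = 600):
    """Rows of (k, P(k in a row), expected days until such a run occurs),
    assuming the ten-minute block spacing mentioned earlier in the thread."""
    rows = []
    for k in range(1, max_k + 1):
        days = expected_blocks_until_run(p, k) * block_interval_s / 86400
        rows.append((k, run_probability(p, k), days))
    return rows


if __name__ == "__main__":
    for p in (0.03, 0.25):
        print(f"per-block win probability p = {p}")
        for k, prob, days in attack_table(p):
            print(f"  {k} in a row: {prob:.3e}  (expected wait ~{days:,.1f} days)")
```

For p = 0.03 the rows match the quote (9.0e-4 for two blocks, 2.7e-5 for three, 7.29e-10 for six, and an expected wait of millions of years for a six-block run). For p = 0.25, the share of blocks mhps attributes to a half-million-coin minter, the same formula gives an expected wait of about 5,460 blocks for six in a row, under 40 days at ten-minute spacing, which is why the argument in this section leans on coin-age consumption and duplicate-stake handling rather than on the raw odds alone.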

#Stake Grinding

Version 1 of the myth: Using only a limited amount of coin age, the blockchain history can be re-written by grinding through the probabilities involved in creating the longest blockchain. As long as there is only a little coin age left, it is possible to create one more block. This makes Proof-of-Work the arbitrator in Peercoin.

Very Unlikely in a Mature Network
When this myth is found in the wild, most often it is based on the fundamental misconception that the longest blockchain is the winning blockchain, whereas in reality the chain that has the most chain trust is selected as main chain.

Even though it’s theoretically possible to get lucky and mint blocks using only a small amount of coins, thereby creating the longest blockchain, it won’t matter since the consumed coin days will be too small to compete with the rest of the network.

In some versions of this myth, the attacker has bought old private keys that once held enough coins to attempt an attack. The misconception here is that there is a limit to how many coin days coins can accumulate. If the attacker is using very old coins, to overtake the blockchain the attacker has to create a very deep reorganization of the blockchain for the attack to be successful. To get a better understanding of how many coins we are talking about here, the reader is encouraged to study the “Peercoin is highly vulnerable to 51% attack” myth.

But let’s say that the attacker has somehow been able to get enough old private keys, say from the early days of Peercoin, and now has enough coins to do some serious damage, what then? Then there are hard checkpoints in the Peercoin source code (same as in Bitcoin) that protect against such a deep reorganization of the blockchain.

This means that the attacker has to acquire private keys that once held enough coins to compete with the rest of the network, but that are fresh enough so that the checkpoints won’t protect against a reorganization. As the Peercoin network matures and the coin distribution widens this becomes improbable, but for the sake of the argument let’s say the attacker succeeds with this, what then? Well, besides the massive amount of coin days consumed, the mere fact that a deep reorganization of blocks has occurred is an inescapable sign of an attack taking place. Once again the attacker runs into the protection mechanisms described in the “Peercoin is highly vulnerable to 51% attack” myth.

In summary, the odds of successfully carrying out a stake grinding attack are very low, and as the network matures the odds drop even further.

Version 2 of the myth: The blockchain can be re-written using only a trivial amount of coins. The attacker simply goes through the history of the blockchain and finds places where the stake wins a block.

Debunking the Myth
The stake grinding attack doesn’t work on Peercoin because the block hash is not used in the Proof-of-Stake (PoS) process. Furthermore nothing in the previous block is used in the minting of the next block. These are misconceptions about Peercoin, probably originating from people who have studied how Bitcoin works but that haven’t studied the Peercoin source code.

Learn More
Study the source code yourself here:

More Myths

From PM correspondence with Sunny King:

[quote=“Sunny King”]Hi pillow,

Yeah most of these folks probably never read peercoin paper nor source code. Some of our competitors clone our code and make arbitrary modifications without understanding the security mechanisms. Yeah if they include block hash in proof-of-stake that would be a huge vulnerability.

Yes sigmike is quite knowledgeable in these matters. He studied peercoin well.

Best Regards,

[quote=“pillow”]…
hi
this grinding attack doesn’t work on peercoin because the block hash is not used in the proof of stake process
so you can’t try many block hash to find one that make you find the next block
…[/quote][/quote]
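The point sigmike and Sunny King make above, that a kernel hash without the block hash in it cannot be ground by re-rolling blocks, is easy to see side by side with the mistake they warn about. The block below is example code added here, not Peercoin's source: the kernel preimages are simplified stand-ins, and it assumes (none of this is stated on the page) a per-output stake modifier that stays fixed over the attack window, a kernel built from that modifier, the staked output (txid:n) and the coinstake timestamp, and a constant target under which roughly one hash in eight wins.

```python
"""Block-hash-free kernel vs. a grindable one.  Example code added to
the thread, not Peercoin's source; preimage layouts and target are
assumed for the demonstration."""
import hashlib
import struct

TARGET = 2 ** 256 // 8          # demo target: about 1 in 8 kernel hashes win


def _dsha256(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "little")


def kernel_hash_pos(stake_modifier: bytes, prev_txid: bytes, prev_n: int, ntime: int) -> int:
    """Kernel input with no block hash in it.  Neither the block being
    built nor the block before it can change the result; the only free
    variable left to the minter is ntime."""
    return _dsha256(stake_modifier + prev_txid + struct.pack("<II", prev_n, ntime))


def kernel_hash_grindable(prev_block_hash: bytes, prev_txid: bytes, prev_n: int, ntime: int) -> int:
    """The design the PM above calls a huge vulnerability: the previous
    block's hash is part of the kernel, so whoever minted that block can
    keep re-rolling it until this output wins the next one."""
    return _dsha256(prev_block_hash + prev_txid + struct.pack("<II", prev_n, ntime))


def reroll_prev_block(base: bytes, variant: int) -> bytes:
    """Stand-in for re-minting block N with different contents (another
    transaction set, different coinbase data); each variant is a new hash."""
    return hashlib.sha256(base + struct.pack("<Q", variant)).digest()


# Constructed inputs shared by both experiments.
STAKE_MODIFIER = b"\x11" * 8
PREV_TXID = hashlib.sha256(b"constructed stake transaction").digest()
PREV_N = 0
NTIME = 1_400_000_000
BLOCK_N_BASE = hashlib.sha256(b"constructed block N").digest()


def grind_previous_block(variants: int, grindable: bool) -> tuple:
    """Attacker who minted block N tries `variants` versions of it and asks
    whether output PREV_TXID:PREV_N wins block N+1 at one fixed timestamp.
    Returns (distinct kernel hashes seen, number of winning variants)."""
    seen, wins = set(), 0
    for v in range(variants):
        if grindable:
            h = kernel_hash_grindable(reroll_prev_block(BLOCK_N_BASE, v), PREV_TXID, PREV_N, NTIME)
        else:
            h = kernel_hash_pos(STAKE_MODIFIER, PREV_TXID, PREV_N, NTIME)
        seen.add(h)
        wins += int(h < TARGET)
    return len(seen), wins


def grind_timestamps(window_s: int) -> int:
    """The search space the block-hash-free design does leave: one try per
    timestamp the network will accept.  Returns how many seconds in a
    window of `window_s` win for this output; the clock-drift window, not
    the attacker's block-building effort, bounds the number of attempts."""
    return sum(int(kernel_hash_pos(STAKE_MODIFIER, PREV_TXID, PREV_N, NTIME + dt) < TARGET)
               for dt in range(window_s))


if __name__ == "__main__":
    print("block hash in kernel    :", grind_previous_block(200, grindable=True))
    print("block hash not in kernel:", grind_previous_block(200, grindable=False))
    print("wins per 7200 s window  :", grind_timestamps(7200))
```

With the block hash inside the kernel, 200 re-rolls of block N give the attacker 200 fresh lottery tickets and, at this target, a near-certain win. Without it, all 200 re-rolls yield the same kernel hash, so the only remaining search space is the set of timestamps the network will accept, which is the bounded "7200 tries" figure debated earlier in the thread rather than an open-ended grind.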

#Synchronized Checkpointing

Myth: The network is centralized because the synchronized checkpointing mechanism allows Sunny King to control the blockchain history.

The Purpose of Synchronized Checkpointing
Peercoin has hardcoded checkpoints. Bitcoin also uses hardcoded checkpointing. It is a way to mitigate attacks when a new node that has yet to download the blockchain connects to the network. In addition to hardcoded checkpointing, Peercoin uses synchronized checkpoints.

Minting is when a Peercoin node creates a block (in Bitcoin this is called mining). As the number of minting nodes increases, the network becomes more secure. Initially, when the network is young, an attack is relatively cheap. During this time, the bootstrapping phase of the network, synchronized checkpointing is used to deter and protect against malicious entities. It’s a temporary and precautionary measure and the plan is to phase it out as minting nodes are added to the network and the protection is no longer needed. The first step is to make it possible for users to disable the feature.

The synchronized checkpointing has never been a secret. It’s described in the white paper written by Sunny King and Scott Nadal (Peercoin — The Pioneer of Proof-of-Stake). The mechanism is controlled by Sunny King. It’s worth considering that he stands to profit a great deal if Peercoin is successful and that all his work would likely be pointless if he abused the control.

Counter-argument
Whereas Peercoin arguably started off more centralized than Bitcoin, the number of minting nodes is likely to increase over time, hence the network will become more decentralized over time. Bitcoin is the opposite. Even if Bitcoin started off as a decentralized network where everyone with a CPU could participate on equal footing, because of the resource-intensive nature of Proof-of-Work (PoW), those with the most resources outcompete those with fewer resources, therefore Bitcoin is likely to become more centralized over time.

Community Support
The Peercoin community is committed to bringing on more minting nodes, by making it easier for new and existing users to start minting.

Customized device for secure minting:

Get 10 PPC for free by adding a node to the network, find out more here:

Map of Peercoin nodes:

More Myths

reserved

#History Revision Attack

Myth: An attacker can rewrite the blockchain history using old private keys.

Protection
A successful attack is theoretically possible but very unlikely to happen. Peercoin has hard checkpoints (Bitcoin Core has them too) and synchronized checkpoints. Both types of checkpoints protect against this attack, simply by making a deep blockchain reorganization impossible. Coins spent before the latest checkpoint can’t be used, so the coins used in the attack would have to be accumulated after that checkpoint.

The other minting nodes on the network also protect against this attack. The attacker must pick a point in time, a block in the blockchain, where the blockchain should fork. From this point forward, the attack chain must outcompete the stakes used in the main blockchain.

Let’s illustrate what this means. If the network has an average of 60% of the coins used for minting since the last checkpoint (either hard or synchronized), the attacker now need outputs that had 61% of the coins.

It’s also worth noticing that coins used by the attacker, if they have been spent on the main chain, will have added coin age to the chain trust, thus the coins used in the attack will not only compete with the rest of the network, but also against the stakes the same coins were used in before. In a sense, the attack coins will be competing against themselves.

In summary, as more people enter the Peercoin economy, hold coins and run minting nodes, the more expensive, difficult and less likely this attack becomes.

In-depth Study
For a more detailed and elaborate discussion of the attack and the protection:

View the hard coded checkpoints in the source code here:

More Myths
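Both this post and the Stake Grinding one turn on the same fork-choice rule: the winning chain is the one with the most accumulated trust since the fork point, not the longest one, and a fork that would reorganise blocks below the last checkpoint is not considered at all. The block below is example code added here, not Peercoin's source. It assumes, for the demo only, that a block's trust is the coin-days its coinstake consumed (the posts say trust tracks consumed coin-days but give no formula) and that a chain's trust is the sum over the blocks built since the fork.

```python
"""Fork choice by accumulated trust, with a checkpoint admissibility
check.  Example code added to the thread, not Peercoin's source; the
trust rule (coins * age_days per block) is assumed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PosBlock:
    minter: str
    coins: float       # size of the staked output
    age_days: float    # coin age of that output when it was spent

    @property
    def trust(self) -> float:
        return self.coins * self.age_days   # assumed trust rule for the demo


@dataclass(frozen=True)
class Fork:
    fork_height: int   # last block this fork shares with the current main chain
    blocks: tuple      # PosBlocks built on top of that point


def chain_trust(fork: Fork) -> float:
    return sum(b.trust for b in fork.blocks)


def admissible(fork: Fork, last_checkpoint: int) -> bool:
    """A fork that diverges below the last checkpoint would reorganise a
    checkpointed block, so it is rejected before any trust comparison."""
    return fork.fork_height >= last_checkpoint


def best_chain(candidates: dict, last_checkpoint: int) -> str:
    """Most accumulated trust among admissible forks (names sorted first so
    ties resolve deterministically)."""
    ok = {name: f for name, f in candidates.items() if admissible(f, last_checkpoint)}
    return max(sorted(ok), key=lambda name: chain_trust(ok[name]))


def longest_chain(candidates: dict) -> str:
    """The rule the myths assume: most blocks wins."""
    return max(sorted(candidates), key=lambda name: len(candidates[name].blocks))


def scenario() -> dict:
    """Constructed forks off a main chain at height 1000, with a hard
    checkpoint at height 500:
      honest  - six blocks from sizeable, well-aged stakes
      grinder - ten blocks ground out of tiny stakes (longest chain)
      oldkeys - two blocks from old keys that once held a huge balance,
                but the fork has to start at height 400 to spend them"""
    honest = Fork(1000, tuple(PosBlock("honest", coins=2000.0, age_days=30.0) for _ in range(6)))
    grinder = Fork(1000, tuple(PosBlock("grinder", coins=5.0, age_days=30.0) for _ in range(10)))
    oldkeys = Fork(400, tuple(PosBlock("oldkeys", coins=50000.0, age_days=90.0) for _ in range(2)))
    return {"honest": honest, "grinder": grinder, "oldkeys": oldkeys}


if __name__ == "__main__":
    forks = scenario()
    for name, fork in forks.items():
        print(f"{name:8s} blocks={len(fork.blocks):2d} trust={chain_trust(fork):,.0f}")
    print("longest chain         :", longest_chain(forks))
    print("best chain, cp at 500 :", best_chain(forks, last_checkpoint=500))
    print("best chain, no cp     :", best_chain(forks, last_checkpoint=0))
```

The grinder's ten-block fork is the longest but carries 1,500 coin-days of trust against the honest chain's 360,000, so it loses under the trust rule. The old-keys fork would carry far more trust than either, which is exactly the history revision scenario; it is the checkpoint at height 500 that takes it out of consideration, and removing the checkpoint (last_checkpoint=0) makes it win, which is the "coins accumulated after the checkpoint" condition stated above.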