Pillow's Peercoin Myths


#35

This will work, theoretically.

If the attack is to happen immediately, then huge coindays destruction will be visible beforehand, with lots of inputs, raising the buyer’s alertness and making deal execution doubtful. We’ll likely see downward price action on “coordinated stake movements” news [no other than mining pool charades?] and maybe a feedback loop of more coindays destruction. In result: no deal, price down.
I think that mably is working on a service with those stats.

We need at least hardcoded checkpoints during coin distribution/adoption.[/quote]

I thought a lot about it. I think this might sound a lot worse than it is. There has to be a long chain of events before this could happen. There has to be someone with a big enough hoard, and there has to be a buyer that is willing to buy all of these coins very fast (if there are too many confirmations during the selling phase, the attacker will not have enough coin age to be able to build a long enough attack chain). Then the attacker has to have some luck on top of that. And everything has to be carried out anonymously, because during the minting process there will be proof of who did the attack, and the coin buyer will have both the incentive and the technical details required to match the seller with the attacker. So, who is going to buy coins up front from an anonymous entity, waiting only a few confirmations? Or is the attacker going to cover up the whole thing and hire “goal keepers”? It starts to sound like a movie or something. At least it sounds as if there are easier ways to make money than this.

While technically possible, it doesn’t sound that likely. Also, the higher the price of peercoins and the greater the distribution of coins, the less likely it is that this attack would happen.

If it is attempted, there is also a chance that it won’t be successful.

Agree?

EDIT: also, since price of peercoins is going to jupiter, who would even sell the coins in the first place when you can simply just hold on to them? :wink:


#36

I am wondering if this threat could be addressed simply by having nodes reject any coinstake inputs that match any confirmed or queued transaction inputs over the past n blocks. If this becomes too processor intensive, perhaps only transactions involving a certain consumed coin-age will be matched against future coinstakes. While it is theoretically possible for this method to (rarely) reject some legitimate POS blocks, I think it is a worthy trade-off.


#37

To keep this thread on-topic, I created a separate thread where we can discuss this attack vector: http://www.peercointalk.org/index.php?topic=3005.0


#38

#Nothing-at-Stake

Busting the myth
Nothing-at-Stake is a busted myth because it is extremely unlikely that someone could successfully carry out this attack, for both economical and technical reasons. When verifying whether the myth is true or false it is important to realize that Peercoin is not the only coin using PoS as a consensus mechanism and that there are meaningful differences between the different implementations. In Peercoin there is a double-block protection mechanism (cancelling of the top block for double stakes), coin age consumption and economical implications serving to protect against attacks. Some variants of the myth and counter-arguments follow.

Version 1 of the myth: There is nothing that prevents minters from minting on several chains at once, and since doing so doesn’t cost anything, there is an incentive to do so. Therefore, the network will never reach consensus and there will be a multitude of competing chain forks.

Duplicate blocks are not propagated by the network, and a limit is imposed on how often an attack can be attempted by the coin age being consumed by staking. Secondly, the top block is removed when a duplicate stake (using the same output more than once) is received, directly punishing the attacker by delaying the reward, thus losing out on compounding interest.

Another protection is that because the attacker has to own a considerable amount of coins, it exposes the attacker to exchange rate risk (the value of their investment collapsing); a risk that is increased by the person’s own attempt to attack the network. The argument is flawed because it argues that the attacker has nothing at stake, when in reality the attacker has to spend resources to acquire the coins used in the attack, thereby exposing themselves to exchange rate risk. It is also false because the probability of succeeding with an attack greatly diminishes for each new block confirmation. The attacker’s coin age is consumed, thus preventing an extended attack from taking place.

Version 2 of the myth: Everyone will mint on as many chains as possible, because no one has anything to lose and nothing can stop them.

As already described, this won’t work since honest nodes will filter out and stop duplicate blocks from propagating on the network, and double-staking entities are punished. Furthermore, all peercoin holders have an incentive to run honest nodes, because if the blockchain were to fork, the exchange rate would likely collapse. This is especially true for minting nodes, since staked coins cannot be spent. While the profit would be relatively small, dishonest nodes minting on several chains would put their entire stake at risk (exchange rate risk). This myth is busted, because everyone has something to lose (the value of the coin) and honest nodes stop duplicate blocks from propagating.

Version 3 of the myth: The double-block prevention mechanism in Peercoin can be removed, and there is an incentive for everyone to do so and then mint on as many chains as possible, because no one has anything to lose and nothing can stop them.

Nothing-at-Stake assumes that a stake doesn’t have value, which is false. If there were multiple chains and chaos, the exchange rate of peercoins would collapse. Nobody would be able to trust that the coins they buy, receive or hold will be there for them to spend. There is a clear economic incentive for Peercoin users not to run a patched client that propagates double-blocks.

If everyone was minting on all chains and there was chaos, then the coin wouldn’t be worth anything at all. If it was worth nothing at all, there would be neither any point in holding nor minting peercoins. Why risk everything, when there is nothing to gain?

It’s in the interest of both peercoin buyers and holders that coins are buried as deep as possible in the blockchain that has the most chaintrust. This is true also for custodians, such as exchanges. Everyone who is exposed to the exchange rate risk of peercoins has an incentive to build only on the blockchain with the most chaintrust and to protect the network against double-block propagation.

Also note that when coins are used as a stake, they are locked and can’t be spent for a long period of time. The greater the stake, the greater the incentive to not do anything that could cause the exchange rate to collapse. The greater the stake, the more chaintrust contributed to the blockchain that already has the most chaintrust. Consensus is reached, because Peercoin users have the value of the coin at stake.

Learn More
For a more detailed rundown of the costs and probabilities associated with this attack, read this post by Peershares/NuBits architect Jordan Lee:

The block duplicate protection mechanism can be studied here:

Cancelling of the best block when duplicate block is received:

For a more in-depth study of the concerns surrounding this type of attack, the following links could serve as entry points:

And read this for an informal technical discussion about how PoS works:

Study the source code:

Counter-argument
The argument that the double-block protection mechanism in Peercoin could be removed is similar to the argument that the reward for mining a block in Bitcoin could be increased. Technically there is nothing that prevents this from happening in Bitcoin, yet it hasn’t happened. Why has this not happened in Bitcoin? Because Bitcoin miners have a stake in Bitcoin! But how great is this stake?

With Peercoin, the attacker must be fully invested in Peercoins. With Bitcoin, a malicious miner has resources invested in an infrastructure that can be pointed in the blink of an eye to perform mining on alternative coins. The attacker doesn’t need to own bitcoins, therefore it could be argued that the malicious Bitcoin miner has nothing at stake in Bitcoin.

More Myths
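As an added example (not code from this thread and not Peercoin’s own code), the following toy Python model shows the duplicate-stake handling the post above relies on: a node that refuses to store or relay a second, different block minted with the same coinstake output, and that disconnects its own tip if that tip was the first use of that stake. The block fields, the `(txid, n)` stake outpoint, the exact policy and the sample blocks are assumptions made for the illustration.

```python
"""Toy model of duplicate-stake handling in a PoS node (added illustration;
not Peercoin's code). Policy modelled, as an assumption:
  * a block names the coinstake outpoint (txid, n) it spends;
  * the first block seen for a given outpoint is stored and relayed;
  * a second, different block spending the same outpoint is a duplicate
    stake: it is not stored, not relayed, and if the first block is the
    node's tip that tip is disconnected and invalidated, so the double
    staker is left with no block at all at that height.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Outpoint = Tuple[str, int]            # (txid, output index) spent by the coinstake


@dataclass(frozen=True)
class Block:
    hash: str                         # constructed identifier, not a real hash
    prev: str                         # hash of the parent block ("" for genesis)
    stake: Optional[Outpoint]         # None for the genesis block


class Node:
    def __init__(self, genesis: Block):
        self.blocks: Dict[str, Block] = {genesis.hash: genesis}
        self.tip: str = genesis.hash
        self.stake_seen: Dict[Outpoint, str] = {}   # outpoint -> first block using it
        self.invalid: Set[str] = set()              # blocks disconnected as double stakes
        self.relayed: List[str] = []

    def height(self, block_hash: str) -> int:
        """Distance from genesis, following prev pointers."""
        h = 0
        while self.blocks[block_hash].prev != "":
            block_hash = self.blocks[block_hash].prev
            h += 1
        return h

    def receive(self, block: Block) -> str:
        if block.hash in self.blocks:
            return "already-have"
        if block.prev not in self.blocks:
            return "orphan"
        if block.prev in self.invalid:
            return "rejected: parent invalidated"
        first = self.stake_seen.get(block.stake)
        if first is not None and first != block.hash:
            # Same stake output minted twice: never store, never relay.
            if self.tip == first:
                # The earlier block for this stake is our tip: drop it too,
                # so the attacker earns nothing at this height.
                self.tip = self.blocks[first].prev
                self.invalid.add(first)
                return "duplicate-stake: rejected, tip disconnected"
            return "duplicate-stake: rejected"
        self.blocks[block.hash] = block
        self.stake_seen[block.stake] = block.hash
        self.relayed.append(block.hash)
        if self.height(block.hash) > self.height(self.tip):
            self.tip = block.hash
        return "accepted"


def double_stake_scenario() -> Tuple[List[str], str, List[str]]:
    """Attacker mints two competing blocks from one stake output (one spend per
    exchange), an honest block arrives, then the attacker tries to extend his
    first block. Returns (verdicts, final tip, relayed block hashes)."""
    node = Node(Block("genesis", "", None))
    stake: Outpoint = ("a1b2c3", 0)                       # constructed outpoint
    fork_a = Block("attacker-A", "genesis", stake)        # spend to exchange 1
    fork_b = Block("attacker-B", "genesis", stake)        # same stake, spend to exchange 2
    honest = Block("honest-1", "genesis", ("f00d", 1))    # constructed honest stake
    extend = Block("attacker-A2", "attacker-A", ("beef", 0))
    verdicts = [node.receive(b) for b in (fork_a, fork_b, honest, extend)]
    return verdicts, node.tip, node.relayed


if __name__ == "__main__":
    for line in double_stake_scenario():
        print(line)
```

The first attacker block is relayed before its twin shows up, exactly as a real node would have done; the point is that once the twin arrives, neither block survives and the honest block that follows becomes the tip.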


#39

[quote=“Jordan Lee, post:5, topic:2518”]I would like to present the specific steps of an attack exploiting the “nothing at stake” phenomena. As you will see, the attack does not pose a serious threat to the network.

  1. Alter the client source code to not include any transactions in a block except your own.

  2. Write a utility that can sign and automatically issue a transaction to transfer coins from and to addresses of your choosing.

  3. Build and deploy your altered Peercoin client to 10 different virtual machines.

  4. Open exchange accounts with 10 different exchanges. In each virtual machine, configure the utility you wrote to transfer the same coins to a unique exchange address. You are attempting a double spend, or in this case, you try to spend the same coins 10 times.

  5. Mint on all 10 virtual machines using the same wallet on each while sending out transactions spending your coins to ten different exchange deposit addresses. Other nodes will only accept a single transaction: the one they received first. You only have about a 10% chance of the exchange nodes receiving the spend you wanted it to (this works the same in a proof of work system like Bitcoin). If any other client besides the attacker’s finds the next block, the multiple spend is resolved and the coins cannot be used again to attempt a multiple spend in the next block. The attempt to get the double or multi spend confirmed failed. If the attacker is very lucky and finds the very next block after sending out multi spends (using 10 machines does not increase the attacker’s likelihood of finding the next block), there will be 10 forks with 10 different spends of the same coins with one confirmation. No other transactions will be included in these 10 competing blocks.

  6. We now have 10 Peercoin forks, all of which are being minted on. Clients run by others will decide which fork to mint on based on which of the 10 competing blocks they received first.

  7. The next block will be minted. If it is minted by someone else other than the attacker, which is the overwhelming likelihood, this new block defines the best chain and consensus is restored across the entire network. All legitimate transactions excluded from the previous block are included in this block. In the unlikely event that the next block is minted by the attacker, all 10 forks will continue.

  8. As soon as anyone else on the network besides the attacker finds a single block, the attack is defeated. Double spends (or 10 spends in our case) disappear and all other transactions are confirmed normally.

Let’s consider the above attack scenario for someone who has accumulated 6% of all Peercoins, meaning they spent at least $2,400,000 USD on Peercoins at today’s prices and split them up into 6 different outputs or addresses (one for each of the 6 consecutive blocks they need). Let’s assume they waited 90 days to mint with those coins. Such a person might have a 3% chance of finding the next block. If they succeed at getting one and only one confirmation on their multiple spends they cannot defraud an exchange (because they typically require 6 confirmations). They have less than a 0.1% chance of getting two blocks in a row and around 0.003% of finding three in a row. The chance they will find six blocks in a row is 0.00000000729%. They must wait 90 days to get another optimal chance to attack after a failed attempt.

If they fork the network for one or two blocks and their double spend is successful for only one or two blocks, they can’t defraud an exchange but they might harm the value of their own investment if the market is not impressed by these one or two block forks. Because 6 consecutive blocks are needed to defraud an exchange from double spending, even a very large stakeholder would have a negligible chance of success. If they got somewhat close to success but failed (the overwhelming likelihood) it would lower the value of their Peercoins as the market priced in worries of a possible future success. The odds of gain are strongly against you because any near success that ultimately fails can hurt the value of your Peercoins.

The endeavor cannot be embarked upon with an expectation of financial gain. Financial loss is far, far more likely. The loss of large amounts of time is certain. Additionally, few people have the skills to mount such a complicated attack. The fact that such forks have not been known to occur suggests no one has attempted it, precisely because it is extremely unlikely to result in financial gain while much more likely to result in loss.

There are many more important threats to PoS networks than the risk of a successful exploit of the “nothing at stake” phenomena. For instance, the possibility that the Peercoin network will experience low levels of adoption is far, far greater than the possibility of a successful attack of the kind described above. We should focus our attention accordingly.

Update: I realized I had over estimated the probability of a successful attack. If you buy 1% of Peercoins and put them all in the same output (similar to an address), you might have about a 3% chance of finding the next block. However, you would have nothing left to try to find your 2nd, 3rd, 4th, 5th and 6th consecutive blocks. To do that with the probabilities mentioned above you would need to purchase 6% of all Peercoins at a current cost of more than 2.4 million USD. Doing so would raise the price of Peercoin, meaning you would have to pay more than market price on average. Similarly, such a large amount of Peercoins would have to be sold later below market price on average, exposing the attacker to certain financial loss.[/quote]


#40

#Stake Grinding

Version 1 of the myth: Using only a limited amount of coin age, the blockchain history can be re-written by grinding through the probabilities involved in creating the longest blockchain. As long as there is only a little coin age left, it is possible to create one more block. This makes Proof-of-Work the arbitrator in Peercoin.

Very Unlikely in a Mature Network
When this myth is found in the wild, most often it is based on the fundamental misconception that the longest blockchain is the winning blockchain, whereas in reality the chain that has the most chain trust is selected as main chain.

Even though it’s theoretically possible to get lucky and mint blocks using only a small amount of coins, thereby creating the longest blockchain, it won’t matter since the consumed coin days will be too small to compete with the rest of the network.

In some versions of this myth, the attacker has bought old private keys that once held enough coins to attempt an attack. The misconception here is that there is a limit to how many coin days coins can accumulate. If the attacker is using very old coins, to overtake the blockchain the attacker has to create a very deep reorganization of the blockchain for the attack to be successful. To get a better understanding of how many coins we are talking about here, the reader is encouraged to study the “Peercoin is highly vulnerable to 51% attack” myth here: http://www.peercointalk.org/index.php?topic=2976.msg28107#msg28107

But let’s say that the attacker has somehow been able to get enough old private keys, say from the early days of Peercoin, and now has enough coins to do some serious damage, what then? Then there are hard checkpoints in the Peercoin source code (the same as in Bitcoin) that protect against such a deep reorganization of the blockchain.

This means that the attacker has to acquire private keys that once held enough coins to compete with the rest of the network, but that are fresh enough so that the checkpoints won’t protect against a reorganization. As the Peercoin network matures and the coin distribution widens this becomes improbable, but for the sake of the argument let’s say the attacker succeeds with this, what then? Well, besides the massive amount of coin days consumed, the mere fact that a deep reorganization of blocks has occurred is an inescapable sign of an attack taking place. Once again the attacker runs into the protection mechanisms described in the “Peercoin is highly vulnerable to 51% attack” myth which you can study here: http://www.peercointalk.org/index.php?topic=2976.msg28107#msg28107

In summary, the odds of successfully carrying out a stake grinding attack are very low, and as the network matures the odds are lowered even further.

Version 2 of the myth: The blockchain can be re-written using only a trivial amount of coins. The attacker simply goes through the history of the blockchain and finds places where the stake wins a block.

Debunking the Myth
The stake grinding attack doesn’t work on Peercoin because the block hash is not used in the Proof-of-Stake (PoS) process. Furthermore, nothing in the previous block is used in the minting of the next block. These are misconceptions about Peercoin, probably originating from people who have studied how Bitcoin works but who haven’t studied the Peercoin source code.

Learn More
Study the source code yourself here:

More Myths


#41

From PM correspondence with Sunny King:

[quote=“Sunny King”]Hi pillow,

Yeah most of these folks probably never read peercoin paper nor source code. Some of our competitors clone our code and make arbitrary modifications without understanding the security mechanisms. Yeah if they include block hash in proof-of-stake that would be a huge vulnerability.

Yes sigmike is quite knowledgeable in these matters. He studied peercoin well.

Best Regards,

[quote=“pillow”]…
hi
this grinding attack doesn’t work on peercoin because the block hash is not used in the proof of stake process
so you can’t try many block hash to find one that make you find the next block
…[/quote][/quote]


#42

#Synchronized Checkpointing

Myth: The network is centralized because the synchronized checkpointing mechanism allows Sunny King to control the blockchain history.

The Purpose of Synchronized Checkpointing
Peercoin has hardcoded checkpoints. Bitcoin also uses hardcoded checkpointing. It is a way to mitigate attacks when a new node that has yet to download the blockchain connects to the network. In addition to hardcoded checkpointing, Peercoin uses synchronized checkpoints.

Minting is when a Peercoin node creates a block (in Bitcoin this is called mining). As the number of minting nodes increases, the network becomes more secure. Initially, when the network is young, an attack is relatively cheap. During this time, the bootstrapping phase of the network, synchronized checkpointing is used to deter and protect against malicious entities. It’s a temporary and precautionary measure and the plan is to phase it out as minting nodes are added to the network and the protection is no longer needed. The first step is to make it possible for users to disable the feature.

The synchronized checkpointing has never been a secret. It’s described in the white paper written by Sunny King and Scott Nadal (http://peercoin.net/assets/paper/peercoin-paper.pdf). The mechanism is controlled by Sunny King. It’s worth considering that he stands to profit a great deal if Peercoin is successful and that all his work would likely be pointless if he abused the control.

Counter-argument
Whereas Peercoin arguably started off more centralized than Bitcoin, the number of minting nodes is likely to increase over time, hence the network will become more decentralized over time. Bitcoin is the opposite. Even if Bitcoin started off as a decentralized network where everyone with a CPU could participate on equal footing, because of the resource-intensive nature of Proof-of-Work (PoW), those with the most resources outcompete those with fewer resources; therefore Bitcoin is likely to become more centralized over time.

Community Support
The Peercoin community is committed to bringing on more minting nodes, by making it easier for new and existing users to start minting.

Customized device for secure minting:

Get 10 PPC for free by adding a node to the network, find out more here:

Map of Peercoin nodes:

More Myths


#43

reserved


#44

#History Revision Attack

Myth: An attacker can rewrite the blockchain history using old private keys.

Protection
A successful attack is theoretically possible but very unlikely to happen. Peercoin has hard checkpoints (Bitcoin Core has them too) and synchronized checkpoints. Both types of checkpoints protect against this attack, simply by making a deep blockchain reorganization impossible. Coins spent before the latest checkpoint can’t be used, so the coins used in the attack would have to be accumulated after that checkpoint.

The other minting nodes on the network also protect against this attack. The attacker must pick a point in time, a block in the blockchain, where the blockchain should fork. From this point forward, the attack chain must outcompete the stakes used in the main blockchain.

Let’s illustrate what this means. If the network has an average of 60% of the coins used for minting since the last checkpoint (either hard or synchronized), the attacker now needs outputs that had 61% of the coins.

It’s also worth noticing that coins used by the attacker, if they have been spent on the main chain, will have added coin age to the chain trust, thus the coins used in the attack will not only compete with the rest of the network, but also against the stakes the same coins were used in before. In a sense, the attack coins will be competing against themselves.

In summary, as more people enter the Peercoin economy, hold coins and run minting nodes, the more expensive, difficult and less likely this attack becomes.

In-depth Study
For a more detailed and elaborate discussion of the attack and the protection:

View the hard coded checkpoints in the source code here:

More Myths


#45

[quote=“sigmike”]Rewriting a blockchain from a point where you had the majority of the minting coins is possible but there are a few things that protect us:

  1. The hard checkpoints in the source code. The last one is from 0.4 release so the new blockchain cannot start before block 99999 generated on 2014-03-06. So the attacker cannot use coins that were spent before this date.

  2. The synchronized checkpoints. The last one is from 1 hour ago. They will be removed, but I guess only when the last protection is strong enough:

  3. The stakes that have been minting since the attacker wants to start the rewrite. For example if the coins the attacker had in the past have been constantly used for minting since they were sold then he won’t be able to compete with the main chain. And in general the more coins are minting the more difficult it is to rewrite the blockchain. Imagine we get an average of 60% of the coins minting since the last checkpoint, then the attacker needs outputs that had 61% of the coins.[/quote]
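As an added example (not code from this thread and not Peercoin’s own code), the following toy Python model ties together two points made above: the stake grinding post’s point that the chain with the most chain trust wins, not the longest chain, and sigmike’s 60%/61% illustration of a history revision, including the checkpoint rule that caps how deep a reorganization may reach. The trust model is an assumption: each block’s trust is taken to be the coin-days its coinstake consumed, as a stand-in for how much stake is behind a chain. Real Peercoin computes block trust differently; the comparison logic is what the example is about.

```python
"""Toy model of chain selection by chain trust (added illustration; not
Peercoin's code). Assumptions: block trust = coin-days consumed by the block's
coinstake; a candidate chain replaces the main chain only if it carries more
total trust AND its fork point is not below the last (hard or synchronized)
checkpoint. Length is deliberately not a criterion."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Block:
    minter: str
    coin_days: float          # modelled trust contributed by this block


def chain_trust(chain: List[Block]) -> float:
    """Chain trust = sum of per-block trust."""
    return sum(b.coin_days for b in chain)


def fork_height(a: List[Block], b: List[Block]) -> int:
    """Height at which two chains diverge (length of their shared prefix)."""
    h = 0
    for x, y in zip(a, b):
        if x != y:
            break
        h += 1
    return h


def choose_chain(current: List[Block], candidate: List[Block],
                 checkpoint_height: int) -> Tuple[List[Block], str]:
    """Return (winning chain, reason)."""
    fh = fork_height(current, candidate)
    if fh < checkpoint_height:
        return current, (f"rejected: fork at height {fh} is below "
                         f"checkpoint {checkpoint_height}, reorg not allowed")
    cur_t, cand_t = chain_trust(current), chain_trust(candidate)
    if cand_t > cur_t:
        return candidate, f"accepted: trust {cand_t:.4g} > {cur_t:.4g}"
    return current, (f"rejected: trust {cand_t:.4g} <= {cur_t:.4g} "
                     f"(length {len(candidate)} vs {len(current)} is irrelevant)")


def build_scenario(total_coins: float, fork_at: int, blocks_after: int,
                   honest_share: float, attacker_share: float,
                   attacker_blocks: int) -> Tuple[List[Block], List[Block]]:
    """Shared prefix of `fork_at` blocks, then: an honest chain in which on
    average `honest_share` of all coins mint, versus an attacker chain built
    from `attacker_share` of the coins over the same period, with the
    attacker's coin-days spread across `attacker_blocks` blocks (more blocks
    make the chain longer but do not create trust)."""
    prefix = [Block("honest", 0.5 * total_coins) for _ in range(fork_at)]
    main = prefix + [Block("honest", honest_share * total_coins)
                     for _ in range(blocks_after)]
    per_block = attacker_share * total_coins * blocks_after / attacker_blocks
    attack = prefix + [Block("attacker", per_block) for _ in range(attacker_blocks)]
    return main, attack


def run_scenarios() -> List[Tuple[str, bool, str]]:
    """(name, attacker_wins, reason) for three constructed cases."""
    total = 1_000_000.0
    out = []
    # 1. Longer but weaker: 30% of the coins spread over twice as many blocks.
    main, attack = build_scenario(total, 10, 100, 0.60, 0.30, 200)
    winner, why = choose_chain(main, attack, checkpoint_height=10)
    out.append(("longer-but-weaker", winner is attack, why))
    # 2. sigmike's case: 60% minting on the main chain, attacker had 61%.
    main, attack = build_scenario(total, 10, 100, 0.60, 0.61, 100)
    winner, why = choose_chain(main, attack, checkpoint_height=10)
    out.append(("61-vs-60", winner is attack, why))
    # 3. Same stake, but the fork point lies below the last checkpoint.
    winner, why = choose_chain(main, attack, checkpoint_height=50)
    out.append(("below-checkpoint", winner is attack, why))
    return out


if __name__ == "__main__":
    for name, wins, why in run_scenarios():
        print(f"{name:18} attacker wins={wins}  {why}")
```

In the first case the attacker’s chain is almost twice as long as the main chain and still loses, because splitting the same coin-days over more blocks adds length but no trust; in the third case the extra stake never even gets compared, because the checkpoint refuses the reorganization outright.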


#46

[quote]Thanks. I will go back to that thread http://www.peercointalk.org/index.php?topic=2634.0 and discuss there. I hate to see the same discussion spread all over the place.[/quote]

For those who haven’t followed the discussion in the above link, the conclusions are that the time-drift attack brings the attacker trivial gains. The exploit and some variations of it have little impact on the security aspects of the network.


#47

Alright, I’ve gone over everything in this thread and tried to make edits to fix grammatical errors. I cleaned up a lot of the sentences to make them sound better. I even added some nice looking green font. I’m not a grammar expert though, so somebody should still check my work. Other people that are familiar with the content should check to make sure everything listed is true or what we could improve. Here are some other things I noticed…

This sentence in the history revision post sounds screwed up and I’m not sure how to fix it. Could you take a look at it? “The stakes that have been minting since the attacker wants to start the rewrite, also serve as protection.”

The history revision section feels incomplete to me. It needs more details from this thread http://www.peercointalk.org/index.php?topic=3005.0 on how this attack is supposed to be carried out. I also had a hard time telling when you were talking about synchronized checkpoints or hard coded checkpoints. You might want to make that clearer in all the spots where it’s mentioned. I altered this sentence as well “Coins spent before this checkpoint date can’t be used again.” but I’m unsure if it’s correct. You should go over this whole section and make things more clear.

About the synchronized checkpoints section, the first title is called “The Reasoning Behind Checkpoints,” but I couldn’t find the reason or purpose for why they existed in that paragraph. As I understand it, they’re to protect Peercoin from attacks while the network is still young. The purpose of checkpoints needs to be explained in the beginning of the paragraph.

When talking about increased adoption as a reason for why checkpoints won’t be needed any longer, I think you need to make it clear that you’re talking about the minting participation. As minting participation goes up, the network becomes more secure.

For the reasons why checkpoints shouldn’t be removed in a rush, if the minting participation isn’t at an acceptable level yet, they shouldn’t be removed yet or you’d be inviting an attack. As far as I understand it, they should only be removed once the network has enough people minting that it can take care of itself.

About this sentence: “The first reason is that it’s important to have a margin of error when it comes to evaluating how widespread minting is.” I don’t completely understand what it’s getting at. Maybe you should expand it some.


#48

#Time-Drift Attack

Myth: An attacker can manipulate the clock time and generate blocks ahead of time.

A Moot Point
Proof-of-Stake uses a timestamp that is added to the transaction data. The source code allows for a slight time-drift and, according to the myth, an attacker can manipulate the time so as to mine blocks ahead of time or to have a much better chance to find a block. However, a closer study of the attack reveals that the impact on network security is very limited.

Since the network has a tolerance of two hours of time stamp error, does it mean one can try 14400 different time stamps per second? Well, the previous block hash is not part of the hash you compute in Proof-of-Stake (PoS). So the 14400 hashes available in the time-drift attack stay the same even if there’s a new block. The only thing that may change is the difficulty. If you try the next 14400 timestamps at time t, then at time t+1 you’ll try 14399 timestamps you’ve already tried, and only try 1 new one. So you still try only 1 new timestamp per second.

Taking into account the probability of finding a block, exploiting the time-drift is insignificant. Actually, the time-drift is there for a reason. The purpose is to protect the network from freezing up, which could happen if no time-drift were allowed.

Learn More
For a more in-depth description of time-drift and how time is used in Proof-of-Stake read:

More Myths
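As an added example (not code from this thread and not Peercoin’s own kernel), the following Python model demonstrates both the stake grinding argument from the earlier post (the block hash is not an input to the Proof-of-Stake hash, so re-rolling the previous block buys nothing) and the time-drift argument above (with a tolerance window of W seconds, moving from time t to t+1 adds exactly one never-tried candidate). The kernel is an assumed simplification, sha256d over a stake modifier, the prevout and the timestamp, and the sample modifier and prevout are constructed values; the real Peercoin kernel has more fields, but the two properties shown here depend only on what is left out of it.

```python
"""Toy PoS kernel (added illustration; not Peercoin's code).
Assumed kernel: sha256d(stake_modifier || prevout_txid || prevout_n || timestamp).
The previous block's hash is deliberately NOT an input. A deliberately flawed
variant that does mix it in is included to show what stake grinding would
gain against such a clone."""
import hashlib
import struct
from typing import List, Set, Tuple

# Constructed sample inputs (not real chain data).
STAKE_MODIFIER = bytes.fromhex("0123456789abcdef0123456789abcdef")
PREVOUT_TXID = bytes.fromhex("aa" * 32)
PREVOUT_N = 0


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def kernel_hash(modifier: bytes, txid: bytes, n: int, timestamp: int) -> bytes:
    """Peercoin-style: nothing from the previous block is hashed."""
    return sha256d(modifier + txid + struct.pack("<I", n) + struct.pack("<I", timestamp))


def flawed_kernel_hash(prev_block_hash: bytes, modifier: bytes, txid: bytes,
                       n: int, timestamp: int) -> bytes:
    """A clone that mixes the previous block hash into the kernel."""
    return sha256d(prev_block_hash + modifier + txid
                   + struct.pack("<I", n) + struct.pack("<I", timestamp))


def candidates(modifier: bytes, txid: bytes, n: int, now: int, window: int) -> Set[bytes]:
    """All kernel hashes a minter may present with timestamps in [now, now+window)."""
    return {kernel_hash(modifier, txid, n, t) for t in range(now, now + window)}


def new_tries_after_one_second(modifier: bytes, txid: bytes, n: int,
                               now: int, window: int) -> int:
    """How many candidates at now+1 were not already available at now."""
    return len(candidates(modifier, txid, n, now + 1, window)
               - candidates(modifier, txid, n, now, window))


def grinding_gain(modifier: bytes, txid: bytes, n: int, now: int,
                  window: int, variants: int) -> Tuple[int, int]:
    """Distinct candidates when the attacker can produce `variants` different
    versions of the previous block: (Peercoin-style kernel, flawed kernel)."""
    peercoin_style: Set[bytes] = set()
    flawed: Set[bytes] = set()
    for v in range(variants):
        prev_hash = sha256d(b"prev-block-variant-%d" % v)   # re-rolled previous block
        for t in range(now, now + window):
            peercoin_style.add(kernel_hash(modifier, txid, n, t))
            flawed.add(flawed_kernel_hash(prev_hash, modifier, txid, n, t))
    return len(peercoin_style), len(flawed)


def winning_timestamps(modifier: bytes, txid: bytes, n: int, now: int,
                       window: int, target: int) -> List[int]:
    """Timestamps in the window whose kernel hash, read as a 256-bit integer,
    is below `target` (the stake's weight-adjusted target)."""
    return [t for t in range(now, now + window)
            if int.from_bytes(kernel_hash(modifier, txid, n, t), "big") < target]


if __name__ == "__main__":
    now, window = 1_400_000_000, 14400          # the post's figure for the tolerance
    print("new candidates gained at t+1:",
          new_tries_after_one_second(STAKE_MODIFIER, PREVOUT_TXID, PREVOUT_N, now, window))
    print("candidates with 8 previous-block variants (peercoin-style, flawed):",
          grinding_gain(STAKE_MODIFIER, PREVOUT_TXID, PREVOUT_N, now, window, 8))
    print("hits below an easy target:",
          len(winning_timestamps(STAKE_MODIFIER, PREVOUT_TXID, PREVOUT_N, now, window, 2 ** 248)))
```

Against the flawed kernel the attacker’s search space scales with the number of previous-block variants he can grind out; against the Peercoin-style kernel it stays at one window’s worth of timestamps no matter what he does to the previous block, and the window slides by one entry per second.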


#49

reserved


#50

Thank you very much Sentinelrv. You inspired me to rewrite the “s. checkpoint” post completely. I took your comments to heart and hope it’s much better now.

I’ve not started on the history revision attack, but I will get to that.


#51

[quote=“Sentinelrv, post:47, topic:2518”]…history revision post sounds screwed up and I’m not sure how to fix it. Could you take a look at it? “The stakes that have been minting since the attacker wants to start the rewrite, also serve as protection.”

The history revision section feels incomplete to me. It needs more details from this thread http://www.peercointalk.org/index.php?topic=3005.0 on how this attack is supposed to be carried out.[/quote]

I’ve rewritten the whole thing (yes I can do that, there are no checkpoints blocking me :P).

I didn’t want to go into more details, because I’m aiming for a short text. The attack is kind of abstract and the whole thing requires some knowledge of the inner workings of minting, checkpoints and so forth and so on. It’s one of the reasons I have those “in-depth study” (I changed the title to better reflect the content) links.

Maybe someone else could do a better job? (I hope someone can :))


#52

Suggestion:

“according to the myth, an attacker can manipulate the time so as to mine blocks ahead of time or to have a much better chance to find a block. However, a closer study of the attack reveals that the impact on network security is very limited.”


#53

[quote]Suggestion:

“according to the myth, an attacker can manipulate the time so as to mine blocks ahead of time or to have a much better chance to find a block. However, a closer study of the attack reveals that the impact on network security is very limited.”[/quote]

Thanks for reviewing and updating the myth. I changed it accordingly and it is now also added to the index in the first post.


#54

#Only One Developer

Myth: There is only one developer, Sunny King. He is anonymous and if something happens to him, that’s the end of it.

Busting the Myth
This myth is false. There are already other developers working with the Peercoin code base, so if Sunny King stopped doing so, they would have to continue without him. The myth probably originates from the fact that it took some time for Sunny King to find developers. In this type of project, it is of the utmost importance that the quality of the work meets the highest standard.

There are several active members in the Peercoin community who know the Peercoin code base well. Some have deep knowledge and some have only partial knowledge. There are also some developers with a shallow knowledge, with an aspiration to learn more. Some noteworthy people are: Sunny King, Sigmike, Jordan Lee, glv, Ben, Fuzzybear (un-verified), mphs, kac- and irigi. Keep in mind that the list doesn’t tell anything about level of expertise and isn’t an attempt to create a complete list either. It is however proof that there is more than one developer.

Sunny King and sigmike are working directly on the Peercoin protocol. Both have deep understanding of the source code. The team behind Peershares, a fork of Peercoin, has both in-depth knowledge of the code and a stake in a secure and stable Peercoin network.

Peercoin is about long-term value and therefore security is one of Sunny King’s main concerns. The purpose of Sunny King’s anonymity is that if the network were to come under attack, being anonymous could buy him some more time to help secure the network. There are however several other developers with in-depth knowledge of the code base that are not anonymous. Most importantly, the code base is open source.

It is also worth noticing that Peercoin is a fork of Bitcoin, which means that Peercoin benefits from much of the work that is being done on Bitcoin. These developers and testers deserve credit as well.

Contributors
Peercoin

More Myths