PoS - How does it really work? Long and maybe confusing thread incoming ;)


#81
"There is no such thing as a >50% attack of Peercoin's PoS process."

You are assuming there is an attacker or an attacker who wants to benefit directly from double spending. It could be an accident. Say Peercoin becomes a main stream currency and there are banks or wealth management companies of cryptocurrency that offer real, attractive interest (via investment etc.) to depositors. Some of these financial entities could accumulate more than 51% PPCs, just like the aggregation of hash power to big pools in BTC’s POW network. Then accidental double spending could happen (check out blockchain.com. there is a record of suspected double spending events that shows it happens all the time). Or it could happen because a competitor/vandalist has broken into the servers trying to ruine the financial entity.
Although such double spending could be an accident/crime, it would still be a real possibility. People’s confidence will still take a hit nonetheless.


#82

[quote=“mhps, post:81, topic:648”]

“There is no such thing as a >50% attack of Peercoin’s PoS process.”

You are assuming there is an attacker or an attacker who wants to benefit directly from double spending. It could be an accident. Say Peercoin becomes a main stream currency and there are banks or wealth management companies of cryptocurrency that offer real, attractive interest (via investment etc.) to depositors. Some of these financial entities could accumulate more than 51% PPCs, just like the aggregation of hash power to big pools in BTC’s POW network. Then accidental double spending could happen (check out blockchain.com. there is a record of suspected double spending events that shows it happens all the time). Or it could happen because a competitor/vandalist has broken into the servers trying to ruine the financial entity.
Although such double spending could be an accident/crime, it would still be a real possibility. People’s confidence will still take a hit nonetheless.[/quote]

Just a nit-pick, but accumulating 51% of the hash rate on the network is significantly less expensive than accumulating 51% of the peercoins in existence. I also doubt that those financial entities could get in early enough to buy up 51% of the available coins, even if they wanted to. That’s not to say that it isn’t something that is within the realm of all things that are possible, just that the likelihood of that happening is significantly less than the likelihood that it would not happen.


#83

They don’t have to buy 51%. They just need to offer good, safe return to attract depositor/investors. Isn’t 48% of all PPCs are in 100 addresses? You don’t need to convince that many people to get hold of 50+%.


#84

In order to do, what, exactly? Even if they could somehow convince people to send them their coins for safe keeping, and then not request withdrawals for at least 31 days, they may be able to attempt a bunch of concurrent mint attempts (from a huge number of addresses that they created specifically for this attack) running through a set of custom peercoin daemons.

So, let’s say that going to all this work is possible – and they immediately mint a block, and then another – things are looking good! They submit a block that has a bunch of double-spends on it, and pow, they get another block minted. They are now well on their way to double-spend glory…

…at which point, the odds say that disaster will strike.

All it takes though is for one of us who isn’t in this collective to mine or mint a block, and their ability to generate a confirmation consensus is gone.


#85

I’m not saying it would be easy or usual. I was checking masterOfDisaster’s thesis “There is no such thing as a >50% attack of Peercoin’s PoS process.”


#86

[quote=“Ben, post:82, topic:648”]Just a nit-pick, but accumulating 51% of the hash rate on the network is significantly less expensive than accumulating 51% of the peercoins in existence.
[…][/quote]

Thank you for nailing it down!
This calculation of mine is from the past (and admittedly I thought something like a > 50% PoS would be possible).
The numbers have changed, but the math is still the same.

Here is the cost for a PoW attack by bought miners on the Bitcoin network :
https://bitcointalk.org/index.php?topic=326216.msg3526904#msg3526904
The result from Nov, 9th 2013 was: roughly 3% of the market capitalization of Bitcoin needed to be invested in mining hardware to get > 50% of the hashing power (based on some assumption and just to identify the dimension).

And here is what you get when you try to invest equivalent amounts in Peercoin:
https://bitcointalk.org/index.php?topic=326216.msg3543338#msg3543338

In a nutshell: PoS attacks can be considered more expensive than PoW attacks!
Or the other way round: the money that is needed for a successful PoW attack doesn’t allow for a dependable PoS attack!


#87

And by having hold of 50+% they get what?
Just a chance to put some PoS blocks in a row, but no guarantee, right?

Is my understanding wrong, that - in other words - PoS minting is like taking part in a lottery?
…with the coin-age being the number of lottery tickets?
Even if you have > 50% of all lottery tickets in the lottery wheel, you can’t be sure, whose ticket is next!
If you have less tickets in a row than the number of confirmations your payee expects (I’m talking of double-spending now), your attack fails.


#88

[quote=“Ben, post:84, topic:648”][…]
…at which point, the odds say that disaster will strike.
[…][/quote]

That’s my point! Where at PoW there is (under certain circumstances) control over the network, at PoS is only chance.

The tragedy is: if you want to have a high chance for a successful PoS attack, you literally have to put your coins at stake, as a successful PoS attack will annihilate most of your coins value!

Once again:
“There is no such thing as a >50% attack of Peercoin’s PoS process.”
…as I still haven’t seen disproof.

And just in case there is disproof that I just don’t understand, please elaborate on that patiently (no sarcasm!).


#89

And just for the record - my intention is not to spam this thread.
My intention is to find out, underline, point out the improvements Peercoin has brought to crypto-coin-land.
I want to go out and tell everybody. The attack resiliency of PoS is what I try to focus on as this is not only different from most other crypto currencies. It has been implemented at Peercoin first of all (at least to the best of my remembrance).

Where Bitcoin can be called the father of crypto currency in general (I dont’ count previous attempts as they have failed too quickly), Peercoin is the father of PoS!

I want to explain why PoS is good, why PoS can be superior to PoW. And once people get that and ask me “why not NXT then?”, I can pull the “hybrid joker” and tell about the advantages of two independent processes securing the network and the (compared to a PoS-only IPO) quite fair distribution model.

But I’d prefer having an in-depth discussion as I want to lead my discussions with good and valid arguements.
This is currently a kind of sandbox for me. Thank you for helping me!


#90

And by having hold of 50+% they get what?
Just a chance to put some PoS blocks in a row, but no guarantee, right?[/quote]

See my post started with “You are assuming…” about competitor/vandalist as an example – They don’t need guarantee. They don’t need the double spent money. They win if succeed once after trying many times to make the financial firm look bad.
All I am saying is you can’t say a POS attack angle is not possible just because the stake owner doesn’t like the consequences or it has a low suceess rate.
I agree most of what you and Ben say. But if we want Peercoin to hold serious money, every aspect of Peercoin should be scrutinized under microscope.


#91

Absolutely, and I appreciate the points of debate, mhps. I hope that I’m not coming across as combative, because the truth is exactly opposite of that. I’d rather back myself into a logical corner and eat my words, if it means that we’ve discovered (or rediscovered) a previously unknown vulnerability.

I agree that they don’t need the guarantee or even to benefit from the double-spend of coins, if the intent is to disrupt confidence in the network protocol. On the other hand, unless they can demonstrate that the attack is viable and it would result in double-spends or other actions detrimental to the rest of the holders of Peercoin, there’s no crisis of confidence.

For example, it’s a known and demonstrable fact that with sufficient hash rate (25% of the global total and up) you can attack a proof of work crypto currency via a double-spend attack. Even with the knowledge that the vector exists, and with actual occasions where you can point to instances where the attack was conducted (for instance, GHash.io’s double-spends against BetCoin Dice), I have not seen a crisis of confidence amongst current holders.

Let’s keep beating on this topic and modeling attack vectors (e.g. the “nothing at stake/multi-chain minting” hypothesis). This has motivated me to set up a section of the Peercoin wiki to track potential vectors and we can then include details of how they are conducted and how the protocol defends against them.


#92

[quote=“mhps, post:90, topic:648”]See my post started with “You are assuming…” about competitor/vandalist as an example – They don’t need guarantee. They don’t need the double spent money. They win if succeed once after trying many times to make the financial firm look bad.
All I am saying is you can’t say a POS attack angle is not possible just because the stake owner doesn’t like the consequences or it has a low suceess rate.
I agree most of what you and Ben say. But if we want Peercoin to hold serious money, every aspect of Peercoin should be scrutinized under microscope.[/quote]

I’m sorry if I sounded rude - that was not my intention.
You are absolutely right that a PoS attack vector exists.
And you are right that it can be intentionally or unintentionally done.
I agree that Peercoin should be scrutinized under microscope.

All I’m trying to say regarding PoS attacks is:

[ul][li]it is not likely to happen[/li]
[li]if you plan to pull off a dependable attack it becomes very costly[/li][/ul]

That 's why I started with the thesis “There is no such thing as a >50% attack of Peercoin’s PoS process.” :wink:
As this thesis for now is still not disproven, I suggest to follow Ben’s idea of gathering thoughts/results at the Peercoin Wiki.


#93

this conversation about possible attack is really interesting. however maybe it should go in a different thread? and if anybody can summarise in a really clear way when you come to a conclusion that would be really helpful. also, would someone be able to tell me if this is the same issue as discussed here:

sorry, i am not very technical but this could be a very important subject. thank you very much…


#94

Here’s an example of a block solved with a very small stake, 1.03115 PPC (91.848479 coin days consumed). The original transaction that was used occurred on November 22, 2013, which was 89 days ago.

Based on my spreadsheet, the reward should have been 0.002512642 PPC, so I’m not sure why the network didn’t award any additional units in the transaction.

[font=courier]Block reward = 89 * 33 / (( 365 * 33 + 8 )) * 0.01[/font]

@SunnyKing; is there an explanation for this scenario?


#95

@Ben and @mOD , understood. These possible attack vectors should be discussed and documented with prevention suggestions. Many of the possible attacks can only happen under certain specific conditions and can be easily prevented if pointed out.


#96

Sunny King already answered a similar question here:

bitcointalk.org/index.php?topic=167298.msg1742077#msg1742077


#97

Sunny King already answered a similar question here:

bitcointalk.org/index.php?topic=167298.msg1742077#msg1742077[/quote]
Thanks for that one, I was just trying to figure out that dust question as I minted with a few small transactions. It’s good to hear that it isn’t creating dust and just being added to the transaction.


#98

Sunny King already answered a similar question here:

bitcointalk.org/index.php?topic=167298.msg1742077#msg1742077[/quote]

While that was informative, I don’t believe it’s the same situation that I’m seeing. In Tacotime’s question, he’s seeing the microPPC amount and Sunny is saying that the reward is included in the output. This makes sense.

In this case though, if you look at the raw transaction data, you’ll see that it is for zero value:

{
  "hash": "e74db3d726daf3d3d0b42db1876285054b77066fc2374d141a5f7644244c098c", 
  "in": [
    {
      "prev_out": {
        "hash": "0000000000000000000000000000000000000000000000000000000000000000", 
        "n": 4294967295
      }, 
      "raw_scriptSig": "04e5dc0453029501062f503253482f", 
      "sequence": 4294967295
    }
  ], 
  "lock_time": 0, 
  "out": [
    {
      "raw_scriptPubKey": "", 
      "value": "0.00000000"
    }
  ], 
  "size": 79, 
  "ver": 1, 
  "vin_sz": 1, 
  "vout_sz": 1
}

I traced back the staked amount and it is consistent with the original transaction amount, so it’s not being added behind the scenes (from what I can tell).[/code]


#99

You’ve got a very interesting anomaly here. Have been looking at it via both block explorers but couldn’t find anything about it other than what you describe. You might be on to something.

Possibly some inappropriate rounding (e.g. <0.01) is happening somewhere in the code causing this weird behaviour.

Have you seen more of those very small stakes minting? That might provide proof for some rounding bug in the code if it is consistent below certain values.


#100

Can someone explain to me exactly how long minting takes? Do we have to have the client open for a certain amount of time continuously? If so, does it matter if it’s interrupted, say by a restart or something like that?