Potential Peercoin failure mode?

If I understand correctly how the minting process works in current protocol, after successful POS block mint, the reward is proportional to total uncapped coin-age at stake. (While the probability of finding the block is capped after 90 days.) This is good, since the minting process does not disadvantage small money-holders who can achieve successful mint only rarely. When the POS block is found, they are paid in full for their coin-age. However, it also means that for moderate and large money-holder, it is almost equivalent if (s)he generates the POS block every month or every year. (S)he loses only the compound interest, which is approximately 0.005% in a year - completely negligible amount. As a result, people might not want to participate in minting process sufficiently to secure the network.

Is the community aware of this problem? Is it really a problem or am I wrong somewhere? Thank you for your answers!

I’m neither going to say you’re right, or wrong in this hypothesis, because the following answers it for me:

What I will say, is that the question you’ve posed would carry greater weight PRE-LAUNCH of Peercoin.

We’ve already launched, we’ve already been up since 2012.

The network has already proven to be working, people are minting, things are running nicely. To suggest that there is a minting situation that doesn’t work for business reasons must be false. People are already doing it, irregardless of whether or not an argument can be made for or against.

This is why network history is important. We have that now. So the social aspects of how people might react to the design of Peercoin is already proven. There is no need to speculate. We have historical data (the blockchain) as proof.

If someone wants to do a data analysis, they can download the blockchain, and produce factual results.

So in short, you’ve brought up a non-issue.

[quote=“ppcman, post:2, topic:2054”]The network has already proven to be working, people are minting, things are running nicely. To suggest that there is a minting situation that doesn’t work for business reasons must be false. People are already doing it, irregardless of whether or not an argument can be made for or against.

This is why network history is important. We have that now. So the social aspects of how people might react to the design of Peercoin is already proven. There is no need to speculate. We have historical data (the blockchain) as proof.[/quote]

If I am counting correctly, peercoin network must take care of ~1000 transactions a day and its blockchain is tiny so far. Everybody can mint now because running a node is almost free. But what about a situation when the peercoin network becomes really big and running nodes will be connected with real costs? (Much cheaper compared to POW, but still comparable with running a dedicated computer with full blockchain.) I am definitely not trying to paint any catastrofic scenarious, but I am not sure if the problem can be dismissed so easily…

The PoS splits large transactions into 2, so over time it actually encourages securing the network by minting.
Also the fiat cost per PPC will drive people’s willingness to mint.
The protocol calls for 30-90 days stake but that can be adjusted in the future as required (as it was done in the past).
But if all fails we can always fall back on PoW.

[quote=“sahkan, post:4, topic:2054”]Also the fiat cost per PPC will drive people’s willingness to mint.[/quote]I am not saying people will not mint, only that they will mint much less often and still obtain almost the same profit. (Since minting once in 5 years yields almost same profit as minting every month - the compound interest is small comparable to the running cost of the node.) As a reason, there will be many POS blocks with very small stake (=> network insecure) and only few POS blocks with very high rewards.

[quote=“sahkan, post:4, topic:2054”]The protocol calls for 30-90 days stake but that can be adjusted in the future as required (as it was done in the past).
But if all fails we can always fall back on PoW.[/quote]As long as people are willing to accept hard fork in the protocol, there is no problem. I do not think the problem is unsolvable. One obvious solution is, for example, to cap the reward so that people cannot wait 5 years before they mint. This is, however, quite nasty solution, since people with small amounts of PPC would have very small chance of finding block before the reward cap is reached and they couldn’t participate in the mint process.

Another solution I like much more would be to impose a limit on how many coin-days can be staked into single POS block. In current implementation (unless I am wrong), if I have 1000 PPC that were idle for 5 years, I have ~1,800,000 coin-days. When I suddenly decide I want to mint, during few weeks at most, I will find POS block, secure it with 1,800,000 coin-days and obtain 50 PPC as a reward. This is unfavorable, because I secured a single block, while many other blocks might be secured only by minimum amount of coin-days. With coin-day limit per block, let’s say 500 coin-days, although this should be dynamical and proportional to money-supply, I could get my 50 PPC reward only by securing at least 3600 blocks by 500 coin-days. This is much better, since it makes the network more secure. (And, unlike in the first solution, small money-holders are not cast out of the minting process.) I am sure there are many more possible solutions.

Another solution I like much more would be to impose a limit on how many coin-days can be staked into single POS block. In current implementation (unless I am wrong), if I have 1000 PPC that were idle for 5 years, I have ~1,800,000 coin-days. When I suddenly decide I want to mint, during few weeks at most, I will find POS block, secure it with 1,800,000 coin-days and obtain 50 PPC as a reward. This is unfavorable, because I secured a single block, while many other blocks might be secured only by minimum amount of coin-days. With coin-day limit per block, let's say 500 coin-days, although this should be dynamical and proportional to money-supply, I could get my 50 PPC reward only by securing at least 3600 blocks by 500 coin-days. This is much better, since it makes the network more secure. (And, unlike in the first solution, small money-holders are not cast out of the minting process.) I am sure there are many more possible solutions.

TL;DR version: Your proposed solution isn’t solving an actual problem that the network will encounter for the foreseeable future, and in fact, it would do more harm than good by punishing people for not being able to solve a block within a year.

---

…and now, the long-form version…

[size=12pt]Regarding CoinAge, solved block probabilities and proof-of-stake block rewards[/size]
While it is true that if you had kept 1000 PPC in cold-storage for exactly 5 years, you would have accumulated 1,826,210 coin days ((365.242 days/year * 5 years = 1826.21 coin days per PPC) * 1000), those coin days are only valuable when used to calculate the potential reward for solving a block. In this case, the reward would be 1% of 1000 PPC * 5 = 50 PPC, as you noted above.

Because the protocol limits the amount of “mature” coin days that a stake can attain to 90 coin days * # of PPC, this hypothetical stake would only be able to accumulate 90,000 coin days that can go towards increasing the stake’s chance of solving a block, relative to everyone else who also attempting to mint.

This cap on mature coin days means that deliberately waiting 5 years is not advantageous to the holder in any way. You have no better chance to solve a block at Day 91 than you do at Day 1826. This design decision was made (in part) to counter attempts to use a “long-held stake” attack vector, where someone could hold on to some number of small to moderate size stakes for a very long time and then, at some date in the future, attempt to subvert the network by dumping these large amounts of coin days all at once.

There is, however, a very good reason that the reward amount should continue to be calculated based on the total coin days accrued… during a given period of time there are a finite number of blocks generated by the network; approximately 6 per hour / 144 per day / 52,560 per year. It’s an even smaller number if you remove the number of blocks that will be solved via proof-of-work – which at the absolute minimum allowed by the protocol (1 every 120 minutes), will be 12 per day, leaving 132 per day or 48,180 per year – that can be solved via proof-of-stake.

So, it follows that when you attempt to solve a block, you need to compete to solve a block against everyone else who is attempting it, minting or mining, and that you have a finite amount of chances in a given year to solve it. But let’s assume, for this discussion, that rather than being based on coinAge and probability, that was completely fair and that you could solve a proportionate amount of blocks per year, automatically, based on how many holders of peercoins there are, rather than size of your holdings.

At last check, there are 13,853 addresses recognized by the network that have more than 1 PPC in them. If each one of those addresses set to mint continuously, and everything was equal, they each solve ~ 3.4779 blocks each within one year.

Now, double the size of the network to 27,706 addresses with more than 1 PPC in them, and each person will only solve ~1.7389 blocks in that same year. Quadruple the number to 55,412 addresses, and you only can expect to solve ~0.8694 blocks. Extend this as the network scales and you should immediately see how this becomes problematic.

As you can see, even in a “perfect world” where probabilities aren’t working against anyone, once the network gets large enough, it’s a given that someone isn’t going to solve a block. At scale, someone would lose out, because they would miss their chance to gain their 1% during that year.

In your proposed solution, there is no way that you’d ever solve 3600 blocks, at 500 coin days consumed per block, needed to match the reward (50 PPC) that you’d see solving one block under the current system. There are already too many addresses on the network to make this even remotely feasible.

For data to back up this assertion, take a look at www.peerchain.net and review the last solved blocks. For the most part, you’ll see that the size of the stakes and ages of those stakes aren’t “large”. While it’s true that having a larger amount of coins at stake gives you a better chance of solving a block vs. someone with a smaller stake, the data that we’ve collected indicates that it’s fairly common place for the “luck” to be with the person who has the smaller stake.

[size=12pt]Blocks and network security[/size]
To the network, “a solved block is a solved block.” There’s no difference to the security of the network if you happen to solve a block using 5 PPC that had been held for 90 days (450 coin days), or if you solved that block with 10,000 PPC held for 90 days (900,000 coin days), or those same 10,000 PPC held for 365 days (still 900,000 coin days). The important thing is that a block was solved and the transactions contained within it were verified and the global block chain was updated.

Those 48,000 blocks solved during the course of a year with an average stake amount of 5 PPC are just as secure as 48,000 blocks solved with an average stake amount of 10,000 PPC. It is my understanding that the only significant difference between the two relates to how the money supply (M) inflation is calculated.

In the first case, those blocks solved with 5 PPC @ 450 coin days would result in 600 PPC being added to the M supply (0.0125 PPC per block reward * 48,000 blocks). In the second, the blocks solved with the 10,000 PPC stakes would add 1,200,000 PPC to the M supply (25 PPC per block reward * 48,000 blocks).

[size=12pt]Summing it up with use cases[/size]
Even if everyone who held peercoins decided tomorrow to go on strike and no longer attempted to mint, the miners on the network will pick up the slack and the network is going to still process transactions and will be (relatively) safe. This is the beauty of the hybrid proof-of-work / proof-of-stake scheme; if you aren’t solving blocks with stake, you can solve them with work. The network will automatically retarget the proof-of-work and proof-of-stake difficulties to make sure that it’s solving 10 blocks per hour, on average.

In a second scenario, let’s say all but 1% of the holders of peercoins decided not to attempt to mint blocks. The “worst” thing that happens is that those people who are participating would be solving blocks at a much higher rate than they would if there were more people on the network also attempting to mint. The network security is not compromised, because any time that there weren’t enough stakes available that met the criteria to mint, there were miners who would solve blocks in the gaps.

---

Whew…my apologies for the wall of text. I think I got all of that right, but if anyone sees a problem with any of my statements, please let me know and I’ll address / update them as needed.

Thanks for the impressive answer. I can’t see a hole in your reasoning, and I agree that there is no actual failure of the network looming. What occurred to me is that the network might split up large stakes in order to increase the luck of smaller holders. The larger stakeholder still need to have their full transaction at stake, but only a capped number of coinage will be used for the block creation. The remaining coinage can still be put at stake but only after the 520 blocks. The value of the cap should be adjusted by the total number of coins at stake (difficulty).

I think this would provide a more even chance for small money-holders, but possibly it can be offset by the large stakeholders by creating more concurrent clients with the maximum caps. When we start to have very low caps this still might become a problem. But we are then on the opposite site of what the OP posed as a problem. Fierce competition for blocks.

Thank Ben for the detailed explanation. It’s a good starting point for indepth discussion (oh no, another long and confusing thread coming~ ). It should be put in an index for new people to find easily.

If Peercoin only has POS, because a stake that finds a POS block will not be allowed to find another one in 30 days, and each day 1440 POS blocks will need to be found, so 1440x30 = 43200 minting stakes are needed to keep the 10min/block target rate. This is a rather tall order – if on average each Peercoin owner as 10 stakes (inbound transactions that have not been spent), 4320 wallets should be open. Considering that when BTC was starting there were only a few people in the world who had wallets, it is apparent a pure POS network will take a long time to find a block if it doesn’t have a lot of stakes minting. Actually it is much worse than being slow. Because new blocks needs 520 confirmations before it could even start to do its 30-day “jail time”, if there were less than 520 minting stakes in the world, at some point new blocks won’t be confirmed by newer blocks because all minting stakes are waiting for confirmation. The network will stuck. Someone has to find stakes and get thems to mint to unstuck the network.

If I remember right there was a site showing the geographical locations of all Peercoin network nodes. I saw there were only something like 300 nodes in the world. So a pure POS coin could face real existential problems – if the network stops once, people will flee even if you get it working again, making the problem worse. I don’t know NXT enough to say if it has the problem. But it seems that POS+POW is not just a feature, it is a requirement for a coin using POS.

The solution for Peershare seems easier because it is not strictly decentralized – if needed the share issuing company could mine 0-value blocks or, better, generate many POS stakes when the total minting stakes run low.

ed:typo

^^This site: http://bitinfocharts.com/ppcoin/nodes-active/

Never seen it above 330 nodes. And not sure how it actually gathers its data.

I’m still surprised that e.g. Namecoin has more nodes on-line at a given time. Is minting or mining Peercoins really that unpopular?

I guess it has something to do with that NMC can be merged-mined with bitcoin and peercoin can’t be mined using many ASIC miners that are hardwired to mine bitcoin.

Ben, thank you very much for your detailed answer and your analysis of the problem! Thanks to your post, I realized that both my proposed solutions are effectively prohibiting small money-holders from the minting. (I though only the first one was.) I will not defend any of my solutions further, for now - I think the problem of decreased security it present and first, we should agree whether it is real or not.

When malicious attacker wants to perform a 51% attack against the proof of stake system, (s)he needs to outcompete all people who are presently minting to include sufficient amount of “evil POS blocks”. If this infographic is still valid, 70-80% of PPC is owned by richest 5% of addresses. This is approximately 650 addresses. If they decide to mint only once a year[sup]*[/sup], they will “occupy” only 650 blocks of ~52,000 of that year. This means that most of the time, 51% attack now requires to hold only 0.51% of ( 1 - 0.8 ) x 21,000,000 = 2,142,000 PPC. Simply because 80% of PPC are out of the minting process for most of the 52,000 blocks. Or by other words 51% attack becomes 10.2% attack. This definitely seems like decreased security. While 10% of Peercoin market cap is still really a lot of money (particularly in long term, if we are optimists), it shows that the security is decreased. The question now is, how much severe the problem can become.

In short:

• current system motivates people to put their PPC into cold-storage and mint only rately, once minting becomes more expensive
• coins in cold storage do not count to total coins competing in the POS minting, which make 51% attack easier
• money during 30 days of maturing are effectively in cold storage. If the richest address would hold half of Peercoins, 51% attack becomes 25.5% attack during 30 days after that address found its POS block.

Am I wrong somewhere?

[quote=“Ben, post:6, topic:2054”]At last check, there are 13,853 addresses recognized by the network that have more than 1 PPC in them. If each one of those addresses set to mint continuously, and everything was equal, they each solve ~ 3.4779 blocks each within one year.

Now, double the size of the network to 27,706 addresses with more than 1 PPC in them, and each person will only solve ~1.7389 blocks in that same year. Quadruple the number to 55,412 addresses, and you only can expect to solve ~0.8694 blocks. Extend this as the network scales and you should immediately see how this becomes problematic.

As you can see, even in a “perfect world” where probabilities aren’t working against anyone, once the network gets large enough, it’s a given that someone isn’t going to solve a block. At scale, someone would lose out, because they would miss their chance to gain their 1% during that year.[/quote]
I completely agree with you here. I would really like an opportunity for everyone, even the small money-holders, to participate in minting in a fair way, so they can obtain their 1% p.a. I am simply saying that the problem of decreased security I am describing needs to be addressed.

[sup]* Interestingly, even if they mint as much as they can (every 30 days or slightyly more), they will occupy only to 650*12 = 7800 blocks of total 52,000. Still, most of the time 80% of peercoins do not contribute to the POS security even if they want to! But this can get better over time by more even distribution between addresses. I am more interested in what happens when they, and others, are motivated to mint less often.[/sup]

[...]once minting becomes more expensive"

How do you define “expensive”, in this context? What is the difference from what’s happening today?

Re: stakes available to solve blocks; In my rough calculations included above, I used the number of addresses with more than 1 PPC as a proxy for the available pool of potential blocks that can be solved. As this discussion has developed, I see now that it’s not necessarily granular enough to help us clearly identify if there is a potential problem or not.

The potential pool of available stakes should be tied to the unique input transactions that those addresses contain, so this number is at least equal to, but likely higher, than the number of addresses that exist.

I’ll need to give more thought to your proposed scenario. It is a reasonable concern, and should be something that we can model to see if it is really a potential concern, or if it only appears to be a problem but in practice it would be exceedingly difficult (probability-wise) to actually conduct successfully.

@irigi, I came to the same conclusion a while ago when I build the model for the PoS calculator and the chances of minting a block.
The participation level of wallet holders is relatively low and therefore the theoretical chance on a PoS attack look very high.

There are however at least two elements in the network which makes it very difficult to do a successful attack with say 10% of the coins.

1. PoW mining, to control the blockchain for a sustained time, one also have to control the PoW mining (51% of the power)
2. Randomness, there is an amount of randomness involved which even if you have a large stake, you can still be outcompeted in creating a block by owners with smaller stakes.

In the long PoS thread and some other threads this has been discussed to great detail and to levels not everyone can fully comprehend, not being very familiar on how the protocol works.

So with our current understanding, I agree with Ben that there isn’t a serious problem now and that it looks like that minting will increase when more wallets will own Peercoins reducing any issue even further. Having said that it won’t hurt to theorise how we can improve the number of active minters without adverse effects. More minters is more secure network after all.

One more promising option is to make it more user-friendly and more secure (e.g. with multi-sig transactions) to mint for all stakeholders. On top of that a lottery for a magic mint block with 10 PPC e.g. once a week for everyone with at least a number of Peercoin (say 50) in their wallet. I’m sure that will increase the number of wallets and stakes on-line for a relatively low cost to the network.
I think we should more focus on that.

I definitely do not mean expensive in the way the POW is. POS is much, much cheaper. I only consider, that once the blockchain is 50 or 500 GB long and there is 100,000 or 1000,000 transactions a day (if that is plausible), the minting wallet will probably be impractical for running as a background process on a laptop. Rather it might require dedicated server that runs 24 hours a day. This is super-cheap compared to Peercoin money-supply or costs of POW, but it is costly compared to compound interest obtained by continuous minting (when simple interest from putting money to cold storage and minting after few years is free). Why would people bother with continuous minting if they have to pay for the dedicated server, if the profit is only the compound interest at 1% p.a.? So when I say expensive, I mean costs that are “non-negligible” and higher than profit from the compound interest.

I was thinking about some way how to quantify the would-be decrease of security from drop of people that are minting now. (=What you call the pool of available stakes?) It has to be somehow encoded in the POS difficulty, but I do not understand the protocol enough to know how exactly. Higher POS-difficulty should be proportional to how difficult is to make an 51% POS attack, right? But I do not understand cryptography so well to say when the attack is possible with confidence.

Just my thoughts regarding the ‘cost’ of running PoS clients:

When the blockchain becomes very large there are already theories out there to shorten it (e.g. like a yearly ledger for bookkeeping). Likely that Bitcoin or Dogecoin would hit that problem first and they can test this out. It is unlikely that the number of transactions would go that high overnight though. The fee would prevent that from happening in the first place and the fee can be raised if the number of transactions threatens to exceed the network capacity. So the chance that we need high-powered CPU PoS clients seems to be pretty low.

Regarding the continuous minting I agree there is a cost to do that in the background, but I think cost of electricity is more of an issue than CPU power these days. I’m running the client on a 10 year old PC without any adverse effects, the only reason not to leave it on is the power consumption of the PC when just on and idle. So with developments like Raspberry Pi (very low power computing) we would be able to mint, just by turning on a switch everyone now and then and consuming negligible amounts of energy. We only need to motivate people doing that more often or better leave it on all the time (see my previous post on how possibly to do that). So I still think your scenario is a non-starter even in the long term, but it is good to theorise and to keep it in the back of the minds. I really hope people keep doing so, as it keeps the community (and with that eventually the network) sharp and be able to cope with environmental changes before and after they happen.

The pool of available stakes and difficulty and the formulae to calculate appear to be all hidden in the code somewhere. Coders might be able to point you to that, I can’t, one day I will 8)

I found a thread at bitcointalk.org (or here in much more readable form), where they discuss exactly the same issue:

STAKE_MAX_AGE is set to 90 days.

This is for coin generation. Not for the amount of interest you are paid. PoS security is directly proportional to the amount of coin-age currently on line. If I don't earn more by being online often, then there is no incentive to come online. Instead I can just hold my PPCoin until I want to cash out. Then quickly generate my stake block and sell. This does do much to secure the network at all. I should be generating many stake blocks to earn my interest, not just one. The cap ensures that I have to come online at least once in a while.

So I am just linking, if someone wants to follow the discussion there.

[quote=“Cybnate, post:13, topic:2054”]There are however at least two elements in the network which makes it very difficult to do a successful attack with say 10% of the coins.

1. PoW mining, to control the blockchain for a sustained time, one also have to control the PoW mining (51% of the power)
2. Randomness, there is an amount of randomness involved which even if you have a large stake, you can still be outcompeted in creating a block by owners with smaller stakes.

In the long PoS thread and some other threads this has been discussed to great detail and to levels not everyone can fully comprehend, not being very familiar on how the protocol works.[/quote]
I hope you are right. I just hope someone who really understands the technical part of the cryptography involved has checked all the details. This is also why I am glad that the POW is not being discontinued on a protocol level.

[quote=“Cybnate, post:13, topic:2054”]One more promising option is to make it more user-friendly and more secure (e.g. with multi-sig transactions) to mint for all stakeholders. On top of that a lottery for a magic mint block with 10 PPC e.g. once a week for everyone with at least a number of Peercoin (say 50) in their wallet. I’m sure that will increase the number of wallets and stakes on-line for a relatively low cost to the network.
I think we should more focus on that.[/quote]
While these things are really, really necessary for the marketing reasons and for reasons of wide Peercoin adoption, I would like to stress that it is not number of wallets that secures the network, it is the size of their stake. If 30% of PPC would be distributed in 650,000 wallets with approximately 10 PPC per each, it doesn’t really matter that much whether 50,000 of them is minting or 350,000 is minting. What matters to security much more is, whether the 70% of money localized in few wallets participates in minting. They should be present in some significant portion of the POS blocks - if they occupy only few of the blocks from total, they are effectively not helping. This is why I wanted some better motivation than the compound interest for them. (I am sorry if I keep repeating myself or if I state the obvious, I just wanted to make really clear what I am after so there is no confusion.)

Luckily, it seems there is a measure of the actively minting stake pool. The bigger is the POS difficulty, the harder is to achieve a successful mint with 1 PPC older than 90 days.

// coinstake must meet hash target according to the protocol: // kernel (input 0) must meet the formula // hash(nStakeModifier + txPrev.block.nTime + txPrev.offset + txPrev.nTime + txPrev.vout.n + nTime) < bnTarget * nCoinDayWeight // this ensures that the chance of getting a coinstake is proportional to the // amount of coin age one owns.

([i]bnTarget[/i] is proportional to inverse POS difficulty.) This means that portion of the minting stakes to total stakes is proportional to POS difficulty / money supply. We should watch this quantity, which I plotted in red in a following graph. If it starts dropping significantly, the network becomes vulnerable.

I think the large spikes in the beginning and around day 260 were probably caused by a synchronized minting of newly mined coins. When I last checked it on peerchain.net, the average mint per block was around 1.6 PPC. The expected mint per block at current money supply is 4 PPC (21,000,000 * 0.01 * 10 minutes / year). Current diffuculty is ~10. This means the maximum mean difficulty at current money supply is probably 4/1.6*10 = 25. This is the value to which we should compare how big the portion of minting wallets is.

More precisely, if:

       [i]POS difficulty * 21,200,000 / money supply << 25[/i]

we should start being very careful. (I hope I didn’t make mistake somewhere.) For now, the situation looks very OK.

P.S. Now I learned that large stakes are being split, which alleviates the problem. This is good. I will check the details.

Nice work, irigi. That graph is interesting. I’m glad you’re interested in this side of the protocol, too. The more eyes on it, the better, because we’re out of the theoretical and into the “it’s working, but let’s make sure it’s working as well as it can” point in the lifecycle now.

If you have questions that come up that you can’t find answers for, please submit them in the thread for Sunny King. We’re going to be pulling those together over the next week or then determine the best format to get as many of them answered as possible.

The forum format version is at PPCoin Criticism / Security / etc