PPC Checkpoint system

I think it would be a good idea to open a thread in this section for important technical issues of PPC.

One of these issues is the checkpoint system, which is one of the main problems pointed out by critics of PPCoin. They will be phased out later this year as Sunny King posted today on Bitcointalk in the last weekly update:

Recently we have seen intermittent 51% attack on feathercoin network and other new cryptocurrency networks. This was one of the top reasons that ppcoin's checkpoint system was originally designed. The recent attack on feathercoin network indicates that the attacker is quite resourceful, controlling maybe upward of 2gh/s scrypt mining (meaning thousands of high-end GPUs). The phaseout of ppc's checkpoint is planned for later this year but will be gradual. Eventually the checkpoint would become user enabled and by default not enforced. In this running mode, the checkpoint system still acts as a safety mechanism that can be utilized via community consensus in the event of persistent 51% attack on proof-of-stake or other emergencies.

(Source)

I think it is a good idea to make the checkpoints voluntary and was glad to hear of this news, but I am not a techie. I am fully aware that the phasing-out of these checkpoints depends on the security of the actual Proof-of-Stake design.

Would be interesting to hear some opinions here.

Well, my opinion is just as yours is. The concern is the centralization the checkpoint system offers, which isn’t an invalid concern, however as a temporary mechanism while PPC ‘gets its legs’ frankly I think it’s a major boon to the network, especially in light of recent deliberate attacks which demonstrate a really remarkable ability by whomever to purposefully attack a network. That is to say, those weren’t amateurs attacking FTC, and they had a ton of resources with which to attack. Granted, that was a POW attack, but it’s POS and as a further added measure the checkpoint system which insulates PPC from a complimentary attack…which (despite current FTC prices…WTF?!) would be a disaster.

The phaseout of ppc's checkpoint is planned for later this year but will be gradual. Eventually the checkpoint would become user enabled and by default not enforced. In this running mode, the checkpoint system still acts as a safety mechanism that can be utilized via community consensus in the event of persistent 51% attack on proof-of-stake or other emergencies.
What is a 51% attack on proof-of-stake? Is it an attack with more than 50% of all coins?

Yes, I believe in order for it to work, you need to have over 50% of the coins + you need over 50% of the PoW power as well.

Isn’t it just 51% of the current coinage of coins older than 30 days? At the end of the day you need 51% of the blocks. Don’t you?

To make an example with numbers which do not necessarily have to meet the facts (just made a guess):

Let’s say 60% of all PPC (20 millions to make math easier) are in wallets with active PoS minting and coinage >30 days. 40% of all coins were either transferred in the past 30 days, mined a PoS block in the past 30 days, minting is not enabled for the wallet or the wallet is offline. Let’s further say that 85% of all blocks are PoS and 15% are PoW. The average coinage of the "honest" coinholders is 45 days.

One crooked coinholder bought at least 25% of all PPC. Most likely he bought it over a longer period of time to not increase the price per coin (let’s say 20k PPC on vircurex every day ;), but this is off topic ) and held them for at least 90 days without minting. He also may be a bigger exchange like vircurex or btc-e which made uncovered short sales on PPC. I don’t want to insinuate anything here, just pointing at the possibility.

Honest holders hold 7 million coins (35%) with a total coinage of 315 Mio (7Mio x 45 days)
Crooked holder holds 5 million coins (25%) with a total coinage of 450 Mio (5 Mio x 90 days)

If I understood the PoS minting correctly, the crooked holder now has (for a short period of time and rapidly decreasing) 58.8% of the PoS hashing power and therefore exactly 50% of the total blockrate (PoS and PoW combined). If he has a few more coins and/or throws some ASICs on PPC he could make a successful 51% attack. Did I miss something?

Is there any news about removing or decentralizing the checkpoint system?

Makes sense. I’m not really worried about this much, because PPC is not in the focus of attackers, it has a minor role yet in CC. If it gets more important, it will be more and more difficult to collect enough coinage.

I agree PPC is not much in focus, but it’s a realistic scenario in my opinion. Especially an exchange with more than 25% of all PPC could be a potential attacker which would have a huge benefit and low risk/investment.

I’m rather sure there is no exchange with 25% of all PPC. It’s much too risky for coin holders.

The largest amount of PPC offered the last weeks on btc-e was around 1,400,000 coins, now it has dropped to 930,000. It will drop even more, if PPC becomes successful. Of course there are much more PPC not seen in the limit offers, but they for sure do not reach 25%.

But isn’t this sort of attack just pointless to try to do with PPC? There is like zero incentive to do this attack with PPC. It’s not the same incentive as you would have with Bitcoin. The combination of perpetually needing a majority of PoS & PoW is so not worth it to ever even do it, (even if you could).
Let’s say you were able to get enough PoS coins and PoW to perform this attack. Once it is discovered, wouldn’t those coins be essentially “blacklisted” and the attacker loses all of their coins (25% of the coins?)…doesn’t make any sense to even try to do this attack. And even if you were able to do it once, you would never be able to do it again. Couldn’t the good nodes just fork away, and the attacker would have to get another 25% of coins before being able to attempt another attack?

The benefit can change suddenly - there are enough worthless Dollars and other incentives the gov can pay to an attacker.

It would be so difficult to try to do, all I am saying is it is a lot harder to do than people realize. This sort of attack is a lot harder to perform on PPCoin because of its PoS design.

There are several factors that play into being able to successfully do this. There is more to it than just owning a lot of coins, and a lot of hashing power.

From the source code:

Stake Modifier (hash modifier of proof-of-stake):
The purpose of stake modifier is to prevent a txout (coin) owner from computing future proof-of-stake generated by this txout at the time of transaction confirmation. To meet kernel protocol, the txout must hash with a future stake modifier to generate the proof.
Stake modifier consists of bits each of which is contributed from a selected block of a given block group in the past.
The selection of a block is based on a hash of the block’s proof-hash and the previous stake modifier.
Stake modifier is recomputed at a fixed time interval instead of every block. This is to make it difficult for an attacker to gain control of additional bits in the stake modifier, even after generating a chain of blocks.

The chance of getting a coinstake is proportional to the amount of coin age one owns.
The reason this hash is chosen is the following:

nStakeModifier: (v0.3) scrambles computation to make it very difficult to precompute future proof-of-stake at the time of the coin’s confirmation.

txPrev.block.nTime: prevents nodes from guessing a good timestamp to generate transaction for future advantage.

txPrev.offset: offset of txPrev inside block, to reduce the chance of nodes generating coinstake at the same time.

txPrev.nTime: reduce the chance of nodes generating coinstake at the same time.

txPrev.vout.n: output number of txPrev, to reduce the chance of nodes generating coinstake at the same time. block/tx hash should not be used here as they can be generated in vast quantities so as to generate blocks faster, degrading the system back into a proof-of-work situation.

v0.3 protocol kernel hash weight starts from 0 at the 30-day min age. This change increases active coins participating the hash and helps to secure the network when proof-of-stake difficulty is low.

But isn't this sort of attack just pointless to try to do with PPC? There is like zero incentive to do this attack with PPC.

[…]

Once it is discovered, wouldn’t those coins be essentially “blacklisted” and the attacker loses all of their coins (25% of the coins?)…doesn’t make any sense to even try to do this attack

I don’t think it is that easy to “blacklist” coins. This would require a hard fork. Doesn’t it?

The main reasons I see, to do a 51% attack are:

a) to double spend coins

Doesn’t make sense with PPC since you will not be able to spend that many coins in a short period of time to make a RoI on the money you invested to buy 15-30% (I’ll come back to this value later in my post) of all ppcoins.

b) to destroy the currency or the confidence in the currency

This could make sense in the future. In my opinion the biggest risk for all cryptocurrencies. Currently PPC is not big enough to make it interesting for a gov or banksters.

c) to crash the price and buy back uncovered short sales

I’m not aware of any exchange offering that to its customers. But an exchange itself could do so and make tons of BTC/LTC etc. with it. There will be a time when at least one exchange is offering uncovered sales and/or leverage products. At this point it’s going to be interesting. A successful 51% attack will crash the price near zero.

Also a combination of A) and C) is possible. There may be more reasons to do a 51% attack, but I think we should focus on the how and not on the why here. If it’s possible with a reasonable effort, some bad guy will find a way to make money with it.

I do not talk about precomputing blocks here (which is nearly impossible because of the time value integrated in the hash) but about getting 51% of the total hashing power for a short period of time.

To be honest, I do not understand good parts of your excursion in the source code :-\ Especially I do not understand what nStakeModifier and txPrev.vout.n is and how it’s calculated.

But doesn’t the above quoted change make the attack I described even easier? Assuming the average age of all coins doing PoS is 45 days and the bad guy waits for 90 days: It’s 15 vs 60 coinage instead of 45 vs 90 per coin then. Isn’t it?

Therefore he only needs 25% of the coins that are doing PoS and have a coinage >30 days. Again, assuming this is 60% of the total coins, one “only” needs 15%+1 of all coins and a bit of luck to produce more PoS blocks than the rest of the network. So basically 20% of all coins are by far enough to do a 51% attack. I do not say it is easy to do a 51% attack, but it’s by far easier to get 15-20% of all coins instead of getting 51% of all coins.
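
The coin-age arithmetic from the two scenarios discussed above (45 vs 90 days, and 15 vs 60 days once weight starts from 0 at the 30-day minimum age), as an added example that is not part of the original thread. It uses the thread's simplifying assumption that the share of PoS blocks is proportional to coin-age weight, takes the thread's guessed 85% PoS block fraction, and all function names are hypothetical.

```python
from fractions import Fraction

M = 1_000_000
POS_BLOCK_FRACTION = Fraction(85, 100)  # thread's guess: 85% of blocks are PoS


def weight(coins, age_days, offset_days=0):
    """Coin-age weight. offset_days=30 models weight starting from 0 at the
    30-day minimum age; coins younger than the offset contribute nothing."""
    return coins * max(age_days - offset_days, 0)


def pos_share(att_coins, att_age, hon_coins, hon_age, offset_days=0):
    """Attacker's fraction of total PoS weight (assumed equal to PoS block share)."""
    a = weight(att_coins, att_age, offset_days)
    h = weight(hon_coins, hon_age, offset_days)
    if a + h == 0:
        raise ValueError("no coin has reached the minimum age")
    return Fraction(a, a + h)


def total_share(pos, pow_share=Fraction(0)):
    """Fraction of all blocks (PoS and PoW) given PoS share and PoW hash share."""
    return pos * POS_BLOCK_FRACTION + pow_share * (1 - POS_BLOCK_FRACTION)


def min_coin_fraction(att_age, hon_age, target=Fraction(1, 2), offset_days=0):
    """Fraction x of minting coins giving the attacker `target` of PoS weight.
    Solves x*wa / (x*wa + (1-x)*wh) = target for x."""
    wa = max(att_age - offset_days, 0)
    wh = max(hon_age - offset_days, 0)
    return (target * wh) / (wa * (1 - target) + target * wh)


def scenarios():
    """The thread's numbers: 20M coins total, honest age 45 days, attacker 90."""
    return {
        # 5M attacker coins vs 7M honest coins, weight = coins * age
        "age_weight": pos_share(5 * M, 90, 7 * M, 45),
        # same holdings, weight = coins * (age - 30)
        "offset_weight": pos_share(5 * M, 90, 7 * M, 45, offset_days=30),
        # attacker holds 15% of all coins (3M), honest minters 45% (9M)
        "offset_15pct": pos_share(3 * M, 90, 9 * M, 45, offset_days=30),
    }


if __name__ == "__main__":
    for name, share in scenarios().items():
        print(f"{name}: PoS {float(share):.1%}, all blocks {float(total_share(share)):.1%}")
    print("break-even coin fraction:", min_coin_fraction(90, 45, offset_days=30))
```

The model ignores that staked coins lose their age after minting, which is why the thread describes the advantage as short-lived and rapidly decreasing.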