Hi all,

>>> I already told you that it is always possible to get around this: leverage 
>>> by use of short options.
>>> Short the coin to attack, then perform your attack by censorship.
>>> Coin value will drop due to reduced utility of the coin, then you reap the 
>>> rewards of the short option you prepared beforehand.
>>> By this, you can steal the entire marketcap of the coin.

>>> Yes, and of course stealing the value in the chain is not the only way to 
>>> profit from the destruction of its usefulness. PoS offers no defense 
>>> against the primary threat to permissionless money.

As I said in my other mail, my trading level is very basic and I don't 
understand this type of attack.

>>> In PoS, once a miner achieves necessary stake (also profitably) it can 
>>> censor indefinitely. It’s a big difference.

Imagine you have 90% of coins, there are 2 possible situations:

1 - You keep creating blocks in the main chain: then you can censor only in 
your 90% of blocks. Censored transactions are included in the other 10% of 
blocks.

2 - You stop creating blocks in the main chain to force others to follow your 
evil chain (which is longer) and then you can censor everything: that's a clear 
51% attack that can be easily detected and your funds are burned in a hard fork.

Even for the first case, with time the accumulation of old transactions in the 
mempool will be very evident for all nodes and I bet it's possible to analyze 
the blocks and the mempool during some time until it's evident who is censoring 
transactions.

>>> It’s sort of like Bitcoin’s nonlinear hash power to hash rate ratio, on 
>>> steroids. The nonlinearity hasn’t been shown to be avoidable, but certainly 
>>> something to minimize.

I copy the explanation of my other e-mail:

"Not at all, I forgot to tell you that in modern PoS protocols like PoS v3.0 
staking deposits have to wait many blocks after creating a block to be able to 
create another block.

With my additional rule every staker is incentivized to put their staking 
deposit in a single address to avoid a strong penalty in their staking weight, 
and having their coins together they can't avoid the wait time with the "stake 
in many addresses" trick 🙂"

Regards,

________________________________
From: Eric Voskuil <e...@voskuil.org>
Sent: Friday, July 19, 2019 7:10
To: ZmnSCPxj
Cc: Kenshiro []; Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Secure Proof Of Stake implementation on Bitcoin


On Jul 18, 2019, at 20:45, ZmnSCPxj <zmnsc...@protonmail.com> wrote:

Good morning Kenshiro,


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, July 18, 2019 11:50 PM, Kenshiro [] <tens...@hotmail.com> wrote:

Hi all,

 A 51% attack under proof-of-work is only possible, in general, if some 
singular entity were able to have physical control of almost 50%, or some such 
close number, of the globe, simply due to the fact that energy availability is 
somewhat distributed over the globe.

Mining is not only about the energy sources, individual miners spread around 
the globe can join big mining pools, and these mining pools could be hacked to 
participate in a 51% attack. Some governments (or other groups) could plan this 
type of attack if it's in their interest.

If you look at this graph you will see that controlling 4 mining pools could be 
enough:

https://www.blockchain.com/en/pools

Pools only have short-term power in that they can only temporarily attack the 
coin until miners notice and then voluntarily leave.

But also long term economic power, since leaving implies a lower proportional 
hash power, until another comparably-sized pool exists, but this is not the 
case when there is a majority hash power pool, which is economically inevitable 
until the majority miner starts censoring.

https://github.com/libbitcoin/libbitcoin-system/wiki/Pooling-Pressure-Risk

Pools are themselves still subject to economic forces, and censored 
transactions can raise their fee until competing pools arise which do not 
censor (and which would have an economic advantage in taking the higher fee 
offered).
The invisible hand abides.

This is why PoW is necessary, and why fee-based confirmation is necessary. It’s 
the only economically-rational way that the censor can be overpowered. But keep 
in mind the only net cost to the censor is the *premium* on censored 
transactions.

https://github.com/libbitcoin/libbitcoin-system/wiki/Censorship-Resistance-Property

Further, the correct solution is to support the development and deployment of 
better pool<->miner protocols, such as BetterHash.
So we should instead focus on helping Matt Corallo et al. in this work, than 
proposing a hard fork to proof-of-stake which will be strongly opposed 
economically.

While this proposal may introduce engineering improvements, it does not change 
any of the economic forces at work and therefore does not mitigate this issue. 
The pool controls the payout, and therefore retains power over tx selection 
regardless of who selects and grinds on them.

https://github.com/libbitcoin/libbitcoin-system/wiki/Decoupled-Mining-Fallacy

 Secondly: change of hashing algorithm is pointless in the highly unlikely case 
of a 51% attack, because what matters is control of energy sources.

As far as I know, if the PoW algorithm changes to an ASIC resistant algorithm 
that can only run in GPUs or CPUs, the hashing power would be much more 
distributed at least until someone creates a new ASIC for that algorithm. There 
are many GPUs around the globe, but not so many ASIC miners right?

GPUs still require electricity to run, and are far easier to source.
Hash change simply means that those with control of energy sources can easily 
purchase the needed hardware from many sources (as opposed to ASICs which are 
only sourced from a few places).
So a hash change will only affect things temporarily, and it will still settle 
to the existing distribution of mining hashpower.

Yes

https://github.com/libbitcoin/libbitcoin-system/wiki/Proof-of-Work-Fallacy

Nothing can be more efficient than proof-of-work, and the proof-of-stake 
delusion is simply a perpetual motion machine that attempts to get something 
from nothing.

As time passes and more PoS coins appear, including big projects like 
Ethereum, we will see if it's delusional or not 🙂

I forgot one, if you do a 51% attack on a PoS coin you know that all your 
staking funds will be burned. In a PoW coin you don't lose your miners and can 
use them to mine or attack another coin with the same algorithm.

I already told you that it is always possible to get around this: leverage by 
use of short options.
Short the coin to attack, then perform your attack by censorship.
Coin value will drop due to reduced utility of the coin, then you reap the 
rewards of the short option you prepared beforehand.
By this, you can steal the entire marketcap of the coin.

Yes, and of course stealing the value in the chain is not the only way to 
profit from the destruction of its usefulness. PoS offers no defense against 
the primary threat to permissionless money.

https://github.com/libbitcoin/libbitcoin-system/wiki/Fedcoin-Objectives

Then you still have the economic power (plus what you managed to steal), which 
you can then use to take over another proof-of-stake coin, regardless of 
whether it uses the same proof-of-stake algorithm or not.

At least mining hardware is physical hardware and subject to deprecation over 
time.

Capital cost isn’t the source of this defense, it’s the ability to introduce as 
much power as necessary to evict the censor, paid for by the rising premium on 
censored txs. Without this the majority miner can mine indefinitely and be the 
most profitable. This is of no consequence to confirmation until censorship 
begins.

In PoS, once a miner achieves necessary stake (also profitably) it can censor 
indefinitely. It’s a big difference.

https://github.com/libbitcoin/libbitcoin-system/wiki/Cryptodynamic-Principles

 You must understand that removing the chain tip puts the transactions in that 
block back in the mempool, before we ever start following the longer chain.

Yep but it could make double spend attacks very easy. People would know what is 
happening and could send the money to themselves with a higher fee to recover 
it. Many people would lose money with that.

To fix that problem with a PoS algorithm, some community-guided initiative 
could get all transactions of both chains and create a merged chain with a hard 
fork so double spend attacks would not be possible. This could be somewhat 
slow, maybe the network is stopped a few days, but in the end no one will see 
money disappear from their wallet, much better than praying that your payer 
doesn't send the money back to himself.

This happens every day in Bitcoin, and nobody particularly cares.
You just wait for confirmations that in practice are impossible for some 
orphaned chain to persist.

Yes, and of course the same scenario as described above can also occur with 
PoW. Gather up the victims, invest in mining a stronger chain, get the profit 
from the mining investment, and get your money back.

 This solution is worse than the problem, and speeds up the dominance of large 
stakers over the coin, trivially letting someone with the largest stake in the 
coin grow their stake even faster.

I think it's very evident that the rich guy earns coins faster in both 
algorithms.

In PoS if you have 51% of the coins and use them to stake, you make 51% of the 
blocks, I don't see any problem with that. If you decide to do a 51% attack, 
stopping doing blocks in the main chain to force the others to follow your 
"private" chain, well, you know for sure your funds will be burned in the next 
hard fork.

But your proposal of being non-linear on the size of the stake means that if 
you have 51% of the coins, if you put them in a single stake UTXO you 
potentially get 99.999% of the blocks, which is ***much worse***.

It’s sort of like Bitcoin’s nonlinear hash power to hash rate ratio, on 
steroids. The nonlinearity hasn’t been shown to be avoidable, but certainly 
something to minimize.

Just admit that you have no real solution to knowing how much every entity 
controls of your coin.

 No, I think it will be very successful in ensuring that smart individuals will 
spend their time actually doing things that benefit the economy and technology 
instead of wasting their time being distracted with Ethereum and proof-of-stake.

Ok, we the PoS advocates will let the smart people work on more difficult 
issues like finding reasons to justify the energy waste and heat generation of 
PoW when Bitcoin price reaches 1 million dollars 😉

We hope to see you back soon after having learned your lesson.

Let’s all be nice. But WRT energy waste... see last paragraph for a 
consideration of waste in relation to any other monetary options.

https://github.com/libbitcoin/libbitcoin-system/wiki/Energy-Waste-Fallacy

e

Regards,
ZmnSCPxj