rat4



Offline



Activity: 253

Merit: 156









Full MemberActivity: 253Merit: 156 Security analysis of PoW/PoS hybrids with low PoW reward March 31, 2014, 07:07:20 PM

Last edit: April 02, 2014, 05:23:41 AM by rat4 #1



Low PoW reward doesn't attract miners. This leads to ridiculously low PoW difficulty.



A pair of examples:

Mintcoin scrypt diff 0.1 (vs Litecoin 5677)

SHACoin sha256 diff 1427 (vs Bitcoin 5006860589)



At such difficulty PoW blocks can be mined with speed of light.



Attack I



It is possible to build sequential chain of PoW blocks to confirm a transaction. Only 4 blocks for Mintcoin and 10 for SHACoin.



Is it hard to orphan the chain of PoW blocks?

One PoS block is enough. In both Mintcoin and SHACoin one PoS block may orphan a few millions of PoW blocks.

If at the same time the main chain will get a competing stake, attacker's chain can be enlarged with PoW.

This dramatically increases chance to success in comparison to pure PoW attack.



Ability to confirm a transaction and then orphan confirmations is ability to double spend.



Summary: double spend attack requires 1 PoS block and low hashing power.



Visualization:



Attack II



Current implementation of stake miner gives up if median time of last blocks is in future.

This temporarily makes the whole network PoW-only and opens well known 51% PoW attack.



Attacker needs only 6 of 11 last blocks.



Successfully tested on Mintcoin: no PoS blocks from 203231 up to 203441, more than 1 hour of real time. Security analysis of PoW/PoS hybrids with low PoW rewardLow PoW reward doesn't attract miners. This leads to ridiculously low PoW difficulty.A pair of examples:Mintcoin scrypt diff 0.1 (vs Litecoin 5677)SHACoin sha256 diff 1427 (vs Bitcoin 5006860589)At such difficulty PoW blocks can be mined with speed of light.It is possible to build sequential chain of PoW blocks to confirm a transaction. Only 4 blocks for Mintcoin and 10 for SHACoin.Is it hard to orphan the chain of PoW blocks?One PoS block is enough. In both Mintcoin and SHACoin one PoS block may orphan a few millions of PoW blocks.If at the same time the main chain will get a competing stake, attacker's chain can be enlarged with PoW.This dramatically increases chance to success in comparison to pure PoW attack.Ability to confirm a transaction and then orphan confirmations is ability to double spend.Summary: double spend attack requires 1 PoS block and low hashing power.Visualization: https://i.imgur.com/Pyrw75q.png Current implementation of stake miner gives up if median time of last blocks is in future.This temporarily makes the whole network PoW-only and opens well known 51% PoW attack.Attacker needs only 6 of 11 last blocks.Successfully tested on Mintcoin: no PoS blocks from 203231 up to 203441, more than 1 hour of real time.

AWARD-WINNING

CASINO CRYPTO EXCLUSIVE

CLUBHOUSE 1500+

GAMES 2 MIN

CASH-OUTS 24/7

SUPPORT 100s OF

FREE SPINS PLAY NOW ertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertised sites are not endrsed bythe Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.

futile-resistance



Offline



Activity: 840

Merit: 516









Hero MemberActivity: 840Merit: 516 Re: Security analysis of PoW/PoS hybrids with low PoW reward March 31, 2014, 07:44:18 PM #3 Quote from: rat4 on March 31, 2014, 07:07:20 PM



Low PoW reward doesn't attract miners. This leads to ridiculously low PoW difficulty.



A pair of examples:

Mintcoin scrypt diff 0.1 (vs Litecoin 5677)

SHACoin sha256 diff 1427 (vs Bitcoin 5006860589)



At such difficulty a sequential chain of PoW blocks can be mined in a flash.

Even long enough to confirm a transaction. Only 4 blocks for Mintcoin and 10 for SHACoin.



Is it hard to orphan the chain of PoW blocks?

One PoS block is enough. In both Mintcoin and SHACoin one PoS block may orphan a few millions of PoW blocks.

If at the same time the main chain will get a competing stake, attacker's chain can be enlarged with PoW.

This dramatically increases chance to success in comparison to pure PoW attack.



Ability to confirm a transaction and then orphan confirmations is ability to double spend.



Summary: double spend attack requires 1 PoS block and low hashing power.



Visualization:

Security analysis of PoW/PoS hybrids with low PoW rewardLow PoW reward doesn't attract miners. This leads to ridiculously low PoW difficulty.A pair of examples:Mintcoin scrypt diff 0.1 (vs Litecoin 5677)SHACoin sha256 diff 1427 (vs Bitcoin 5006860589)At such difficulty a sequential chain of PoW blocks can be mined in a flash.Even long enough to confirm a transaction. Only 4 blocks for Mintcoin and 10 for SHACoin.Is it hard to orphan the chain of PoW blocks?One PoS block is enough. In both Mintcoin and SHACoin one PoS block may orphan a few millions of PoW blocks.If at the same time the main chain will get a competing stake, attacker's chain can be enlarged with PoW.This dramatically increases chance to success in comparison to pure PoW attack.Ability to confirm a transaction and then orphan confirmations is ability to double spend.Summary: double spend attack requires 1 PoS block and low hashing power.Visualization: https://i.imgur.com/Pyrw75q.png

Can anyone test or confirm? Can anyone test or confirm?

Zzzack



Offline



Activity: 168

Merit: 100







Full MemberActivity: 168Merit: 100 Re: Security analysis of PoW/PoS hybrids with low PoW reward March 31, 2014, 07:48:41 PM #5 Quote from: futile-resistance on March 31, 2014, 07:44:18 PM Quote from: rat4 on March 31, 2014, 07:07:20 PM



Low PoW reward doesn't attract miners. This leads to ridiculously low PoW difficulty.



A pair of examples:

Mintcoin scrypt diff 0.1 (vs Litecoin 5677)

SHACoin sha256 diff 1427 (vs Bitcoin 5006860589)



At such difficulty a sequential chain of PoW blocks can be mined in a flash.

Even long enough to confirm a transaction. Only 4 blocks for Mintcoin and 10 for SHACoin.



Is it hard to orphan the chain of PoW blocks?

One PoS block is enough. In both Mintcoin and SHACoin one PoS block may orphan a few millions of PoW blocks.

If at the same time the main chain will get a competing stake, attacker's chain can be enlarged with PoW.

This dramatically increases chance to success in comparison to pure PoW attack.



Ability to confirm a transaction and then orphan confirmations is ability to double spend.



Summary: double spend attack requires 1 PoS block and low hashing power.



Visualization:

Security analysis of PoW/PoS hybrids with low PoW rewardLow PoW reward doesn't attract miners. This leads to ridiculously low PoW difficulty.A pair of examples:Mintcoin scrypt diff 0.1 (vs Litecoin 5677)SHACoin sha256 diff 1427 (vs Bitcoin 5006860589)At such difficulty a sequential chain of PoW blocks can be mined in a flash.Even long enough to confirm a transaction. Only 4 blocks for Mintcoin and 10 for SHACoin.Is it hard to orphan the chain of PoW blocks?One PoS block is enough. In both Mintcoin and SHACoin one PoS block may orphan a few millions of PoW blocks.If at the same time the main chain will get a competing stake, attacker's chain can be enlarged with PoW.This dramatically increases chance to success in comparison to pure PoW attack.Ability to confirm a transaction and then orphan confirmations is ability to double spend.Summary: double spend attack requires 1 PoS block and low hashing power.Visualization: https://i.imgur.com/Pyrw75q.png

Can anyone test or confirm?

Can anyone test or confirm?

Very true. POW is necessary for these coins to secure the network...and when minted coins are low (with little value), miners have an incentive to mine a different coin and sell it for their coin of choice. Few miners = low network hash = poorly protected public ledger. And, after all, we are investing in systems that maintain the public ledger in different ways.



I'm all in on cryptos, but the network strength of bitcoin is what gives it value right now over the cryptos. Very true. POW is necessary for these coins to secure the network...and when minted coins are low (with little value), miners have an incentive to mine a different coin and sell it for their coin of choice. Few miners = low network hash = poorly protected public ledger. And, after all, we are investing in systems that maintain the public ledger in different ways.I'm all in on cryptos, but the network strength of bitcoin is what gives it value right now over the cryptos. Producer

stormia



Offline



Activity: 868

Merit: 1000







Hero MemberActivity: 868Merit: 1000 Re: Security analysis of PoW/PoS hybrids with low PoW reward April 01, 2014, 12:03:22 AM #10



You say "a sequential chain of PoW blocks can be mined in a flash."

Which is not true. Sure, you could mine all of the PoW blocks that occur sequentially, but there will be many, many more PoS blocks that interrupt those far and few apart PoW blocks. In a PoS/PoW hybrid there is no way to predict or control whether or not the next block will be PoS or PoW and therefore you cannot guarantee you will be in control of a long stream of blocks unless you have 51% of the PoW and PoS power.



Now, this brings up an issue with pure PoS coins such as your Blackcoin... That I have yet to be seen answered in any technical detail. How, when it is pure PoS and it IS known that every block in a row will be PoS, can you prevent an attack such as the one anonymousg64 brings up:



Quote from: Anonymousg64 on March 29, 2014, 07:09:12 AM





can someone explain how this stops someone from generating lots of PoS blocks 20 days in the future from a bunch of TX's with small interval, whether through one or multiple wallets



Code: ss << nStakeModifier;

ss << nTimeBlockFrom << nTxPrevOffset << txPrev.nTime << prevout.n << nTimeTx;

hashProofOfStake = Hash(ss.begin(), ss.end());

if(CBigNum(hashProofOfStake) > bnCoinDayWeight * bnTargetPerCoinDay)

return false;





im not well enough versed with the code to know what these variable names imply

im still on the fencecan someone explain how this stops someone from generating lots of PoS blocks 20 days in the future from a bunch of TX's with small interval, whether through one or multiple walletsim not well enough versed with the code to know what these variable names imply

Without PoW blocks to interrupt such an attack, how is it prevented?



This thread of yours is in really bad taste, rat4, you should find better ways of promoting your coin.



I await your reply, and your explanation as to how PoS coins are safe from a TX/coinage attack. This is a joke. Nice try to spread FUD about other coins, rat4, to try and promote your pure PoS blackcoin. How is it that Blackcoin prevents attack forks as a pure PoS coin, again?You say "a sequential chain of PoW blocks can be mined in a flash."Which is not true. Sure, you could mine all of the PoW blocks that occur sequentially, but there will be many, many more PoS blocks that interrupt those far and few apart PoW blocks. In a PoS/PoW hybrid there is no way to predict or control whether or not the next block will be PoS or PoW and therefore you cannot guarantee you will be in control of a long stream of blocks unless you have 51% of the PoW and PoS power.Now, this brings up an issue with pure PoS coins such as your Blackcoin... That I have yet to be seen answered in any technical detail. How, when it is pure PoS and it IS known that every block in a row will be PoS, can you prevent an attack such as the one anonymousg64 brings up:Without PoW blocks to interrupt such an attack, how is it prevented?This thread of yours is in really bad taste, rat4, you should find better ways of promoting your coin.I await your reply, and your explanation as to how PoS coins are safe from a TX/coinage attack.

stormia



Offline



Activity: 868

Merit: 1000







Hero MemberActivity: 868Merit: 1000 Re: Security analysis of PoW/PoS hybrids with low PoW reward April 01, 2014, 12:18:24 AM #14 Quote from: Soepkip on April 01, 2014, 12:17:00 AM Yes, this is purely a discussion for us. The connection to BlackCoin is purely rat4 being the dev of it.



The earlier blockchain stuck we had for BlackCoin has nothing to do with this and is not adding to the discussion so far. We are talking hybrid PoW/PoS coins and their security.



Well, now we are also talking pure PoS coins and their security- which is much less tested and founded. I still await a technical response as to how pure PoS prevents the type of transaction/coinage attacks that anonymousg64 has outlined before. Well, now we are also talking pure PoS coins and their security- which is much less tested and founded. I still await a technical response as to how pure PoS prevents the type of transaction/coinage attacks that anonymousg64 has outlined before.

stormia



Offline



Activity: 868

Merit: 1000







Hero MemberActivity: 868Merit: 1000 Re: Security analysis of PoW/PoS hybrids with low PoW reward April 01, 2014, 12:23:02 AM #15 Quote from: maarx on April 01, 2014, 12:18:58 AM 1. Mint is not a person.

2. SHACoin is not a person.

3. rat4 is not actively promoting PoS or blackcoin



This thread is about a potential security issue with PoW/PoS hybrids. Maybe it's true, maybe not. I don't know the technicals.



Same for PoS. I dont know how secure it is. I dont know the technicals.



I have asked many times on the blackcoin thread, and so have others, as to how pure PoS is safe. No reply, other than directing me to Sunny's answers, which actually only pertain to PoS/PoW hybrids if I am not mistaken. I have asked many times on the blackcoin thread, and so have others, as to how pure PoS is safe. No reply, other than directing me to Sunny's answers, which actually only pertain to PoS/PoW hybrids if I am not mistaken.