Nxt Forum

Please login or register.

Login with username, password and session length
Advanced search  

News:

Latest Nxt 1.11.13 - NEW RELEASE: Ardor 2.0.14 - The Ardor genesis block happened at 0:00 January 1st

Pages: 1 [2] 3 4 5  All

Author Topic: Bounty for successful nothing at stake attack?  (Read 12199 times)

Daedelus

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 3280
    • View Profile
  • Karma: +230/-12

Could anyone pls send me the best detailed explanation of "Nothing-at-stake" attack at the moment? I've found only some totally unclear fantasies.

Come from beyond and Chuckone had a debate with high level bitcoin guys (deathandtaxes) on this, has links to BTT on there too

https://nxtforum.org/general-discussion/some-thoughts-on-arguments-of-pow-guys/
NXT: NXT-4CS7-S4N5-PTH5-A8R2Q

Come-from-Beyond

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 4013
    • View Profile
  • Karma: +793/-671

Could anyone pls send me the best detailed explanation of "Nothing-at-stake" attack at the moment? I've found only some totally unclear fantasies.

Come from beyond and Chuckone had a debate with high level bitcoin guys (deathandtaxes) on this, has links to BTT on there too

https://nxtforum.org/general-discussion/some-thoughts-on-arguments-of-pow-guys/

Kushti found good words for describing N@S - "some totally unclear fantasies"  :D

mczarnek

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 898
    • View Profile
    • Nxt Place - Craigslist for Nxt
  • Karma: +68/-4

I like the bounty idea.. how much of a BTC bounty do we need to make this meaningful? Anyone willing to donate some  BTC?
NXT Organization: Tech
Donations greatly appreciated: NXT-DWVJ-G89C-RHNL-6QW6Q

ChuckOne

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 3450
  • ☕ NXT-4BTE-8Y4K-CDS2-6TB82
    • View Profile
  • Karma: +293/-17

Kushti found good words for describing N@S - "some totally unclear fantasies"  :D

+1440

ChuckOne

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 3450
  • ☕ NXT-4BTE-8Y4K-CDS2-6TB82
    • View Profile
  • Karma: +293/-17

I like the bounty idea.. how much of a BTC bounty do we need to make this meaningful? Anyone willing to donate some  BTC?

Me, too. But I have no BTC. :/

benjyz

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 508
    • View Profile
  • Karma: +71/-4

To me, this defies logic. An "attack" is inherently linked to the profit of the bad guy. So if there is no incentive, it's not an attack. Also: there is no bounty needed because the live network is already proving every day that attack is not possible. So what information should such an "attack" exactly provide? If if where successful the network would die and we can all go home.

ChuckOne

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 3450
  • ☕ NXT-4BTE-8Y4K-CDS2-6TB82
    • View Profile
  • Karma: +293/-17

To me, this defies logic. An "attack" is inherently linked to the profit of the bad guy. So if there is no incentive, it's not an attack. Also: there is no bounty needed because the live network is already proving every day that attack is not possible. So what information should such an "attack" exactly provide? If if where successful the network would die and we can all go home.

Sure. However, if it has proven reliably, then why not incenting an futile attack? ;)

valarmg

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 1766
    • View Profile
  • Karma: +178/-57

To me, this defies logic. An "attack" is inherently linked to the profit of the bad guy. So if there is no incentive, it's not an attack. Also: there is no bounty needed because the live network is already proving every day that attack is not possible. So what information should such an "attack" exactly provide? If if where successful the network would die and we can all go home.

Disagree. A white hat attacker could discover a flaw in the network, reveal it to the developers and allow the developers a chance to fix it. The white hat programmer gets an incentive to look for holes in the network, and reward for finding them, and the Nxt network gets subjected to more scrutiny (early in its development), and a possibly a chance to fix fatal flaws.

And if there is no flaw, Nxt gains the advantage of being able to point to the large bounty whenever someone spreads nothing at stake FUD.
NXT-CSED-4PK5-AR4V-6UB5V

Come-from-Beyond

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 4013
    • View Profile
  • Karma: +793/-671

And if there is no flaw, Nxt gains the advantage of being able to point to the large bounty whenever someone spreads nothing at stake FUD.

I would wait until opponents provide a clear explanation why N@S is a flaw. Right now it looks more as an advantage of PoS. Anyway without such the explanation we can't say what the bounty is about.

benjyz

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 508
    • View Profile
  • Karma: +71/-4

To me, this defies logic. An "attack" is inherently linked to the profit of the bad guy. So if there is no incentive, it's not an attack. Also: there is no bounty needed because the live network is already proving every day that attack is not possible. So what information should such an "attack" exactly provide? If if where successful the network would die and we can all go home.

Disagree. A white hat attacker could discover a flaw in the network, reveal it to the developers and allow the developers a chance to fix it. The white hat programmer gets an incentive to look for holes in the network, and reward for finding them, and the Nxt network gets subjected to more scrutiny (early in its development), and a possibly a chance to fix fatal flaws.

And if there is no flaw, Nxt gains the advantage of being able to point to the large bounty whenever someone spreads nothing at stake FUD.

I think these are two issues:

1. "propaganda" by Bitcoin guys. But the same way PoS has an agenda against PoW. So this is a natural process, which will solve itself over time. If people spread mis-information, or don't take time to form an opinion based on facts, that is their problem. The market provides plenty of incentives for being right.

2. possible flaws in Nxt. If there are fatal (and N@S would be fatal if possible), then bounty does not matter at all. The network dies in any case. And some person saying "I have found no flaws" does not prove that no flaws exist. Counterfactuals are impossible to prove. Which is, by the way, one major trouble with the financial system we have today (risk-management based on statistics, see Taleb for details).

I have a couple of possible attacks in mind, which I thought about, especially with regards to TF. To describe them in detail and field test them is a lot of work - I don't understand Nxt well enough to do this work (yet). It's an error to think there are just "attacks" which have binary outcomes. For example the AE can be gamed by issuing time orders. That's not a fatal issue.
« Last Edit: July 06, 2014, 11:25:40 am by benjyz »

Brangdon

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 1384
  • Quality is addictive.
    • View Profile
  • Karma: +228/-25

What I was told: N-a-S doesn't lead to double spending nor does it create funds or anything. At most it would make forks or so. Doesn't exactly scare me. No one is willing to follow up once you ask for details.
I think it does allow double-spending. As I understand it, you forge on a hidden fork. Because you are the only account forging on that fork, you get all the blocks. Eventually your fork somehow gets to be longer than the public chain, and then you publish it and the network accepts it as the new main fork.

You can double-spend by including different transactions in your private fork than in the public one. You also win all the transaction fees. You can do all the other tricks of a 51% attack, such as rejecting transactions that would help competitors, or including zero transactions so the network halts, or only accepting transactions that have high fees. You can't spend coins from other accounts or create new transactions for them (because you don't have their private keys), but by rewinding the existing transactions you can effectively deprive others of coins that belong to them.

Come-from-Beyond

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 4013
    • View Profile
  • Karma: +793/-671

I think it does allow double-spending. As I understand it, you forge on a hidden fork. Because you are the only account forging on that fork, you get all the blocks. Eventually your fork somehow gets to be longer than the public chain, and then you publish it and the network accepts it as the new main fork.

You can double-spend by including different transactions in your private fork than in the public one. You also win all the transaction fees. You can do all the other tricks of a 51% attack, such as rejecting transactions that would help competitors, or including zero transactions so the network halts, or only accepting transactions that have high fees. You can't spend coins from other accounts or create new transactions for them (because you don't have their private keys), but by rewinding the existing transactions you can effectively deprive others of coins that belong to them.

I marked what won't work in Nxt.

Brangdon

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 1384
  • Quality is addictive.
    • View Profile
  • Karma: +228/-25

I marked what won't work in Nxt.
OK  :) Obviously the first one is the biggy, but can we address the second one first? What stops me deciding which transactions to include in a block that I forge? Are you talking about a new planned feature, or is it a consequence of the draft white paper that I'm missing?

(I'm partly interested in this from the point of view of honest forging, especially with Transparent Forging enabled so I know in advance which block I'm likely to get to forge. Although I think with TF if I reject a transaction, the next forger will include it so a 60-second delay is all I achieve.)

Come-from-Beyond

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 4013
    • View Profile
  • Karma: +793/-671

Brangdon

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 1384
  • Quality is addictive.
    • View Profile
  • Karma: +228/-25

https://nxtforum.org/news-and-announcements/economic-clustering/
So something not described in the draft white paper. Is it active now? My impression from that thread is that it won't be enabled until we have more robust, independent nodes. If we do this bounty thing, we need to be clear about which version of Nxt they are supposed to attack. There's no point asking them to attack something which doesn't exist yet.

As far as I can tell the key idea is that transactions reference a recent block. This does not mean the private fork couldn't exclude transactions. Quite the reverse: it must exclude all transactions that reference the public fork after it has branched from the attacker's fork. (Presumably the attacker will create a load of artificial transactions instead, so the fork looks plausible.) So we'd actually get loads of double-spends. Many transactions from the main fork would be undone, and have to be reissued, supposing that the sender wanted to.

I've posted some more in that thread. It seems to me that a lot depends on how recent "recent" is. If most transactions reference a block 10 blocks earlier, then the attacker can include them in the first 10 blocks of their private fork. So for short forks, it doesn't make much difference.

Mexxer

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 653
    • View Profile
  • Karma: +32/-20

Ethereum just posted about PoS and Nothing-at-Stake

https://blog.ethereum.org/2014/07/05/stake/
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬  ▄▀▀▀▀▀▀▀▀▄  ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬●  nimirum  ●▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
▬▬▬ ◖ENDING CENSORSHIP ONLINE◗  ◖ ICO OPEN NOW◗ ▬▬▬

joefox

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 522
    • View Profile
    • The Nxt Wiki
  • Karma: +62/-1
GPG Key Id: 0x94A521DA613CAE76 | BitMessage BM-NBzUURL9jLagPALxCpxYDaMVe9E3965u
Nxt Wiki: http://wiki.nxtcrypto.org/
Tips: NXT-DBDW-STA8-ARBE-6JRPA

vbuterin

  • Newbie
  • *
  • Offline Offline
  • Posts: 4
    • View Profile
  • Karma: +9/-0

Here's what NaS means. Suppose that you have a chain C1, and then some attacker with P portion of network hashpower decides to start trying to fork your blockchain starting N blocks ago. Then, there are two competing chains, C1 and C2. Now, look at it from the point of view as an ordinary forger. You have four options:

1. Try to forge on neither chain.
2. Try to forge on C1 only.
3. Try to forge on C2 only.
4. Try to forge on C1 and C2 simultaneously.

Because there is no significant cost to forging that is external to the blockchain, like there is with PoW, (4) is an actually viable strategy (in Bitcoin, (4) would have cost you 2x as much mining power). (4) is clearly the best from a revenue standpoint, because it gives you a reward if either chain ultimately wins, whereas the "honest" strategy, (2), gives you only rewards if C1 wins. Hence, all purely self-interested forgers will forge on C1 and C2, altruists will forge on C1 only, and the attacker will forge on C2 only. Thus, in order for the attack to win, the attacker will need to overpower only the altruists, not 51% of the entire network.

You guys are secure now because everyone is using the default client, which I presume enforces the "forge on C1 only" rule. Later on, clients designed and downloaded by users motivated solely by financial interest may well switch to double-forging. An analog of this problem exists for every PoS system to date with the exception, as I described in my article, of permanent-genesis-nobility and TaPoS.

Daedelus

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 3280
    • View Profile
  • Karma: +230/-12

Here's what NaS means. Suppose that you have a chain C1, and then some attacker with P portion of network hashpower decides to start trying to fork your blockchain starting N blocks ago. Then, there are two competing chains, C1 and C2. Now, look at it from the point of view as an ordinary forger. You have four options:

1. Try to forge on neither chain.
2. Try to forge on C1 only.
3. Try to forge on C2 only.
4. Try to forge on C1 and C2 simultaneously.

Because there is no significant cost to forging that is external to the blockchain, like there is with PoW, (4) is an actually viable strategy (in Bitcoin, (4) would have cost you 2x as much mining power). (4) is clearly the best from a revenue standpoint, because it gives you a reward if either chain ultimately wins, whereas the "honest" strategy, (2), gives you only rewards if C1 wins. Hence, all purely self-interested forgers will forge on C1 and C2, altruists will forge on C1 only, and the attacker will forge on C2 only. Thus, in order for the attack to win, the attacker will need to overpower only the altruists, not 51% of the entire network.

You guys are secure now because everyone is using the default client, which I presume enforces the "forge on C1 only" rule. Later on, clients designed and downloaded by users motivated solely by financial interest may well switch to double-forging. An analog of this problem exists for every PoS system to date with the exception, as I described in my article, of permanent-genesis-nobility and TaPoS.

Before we go any further, any chance of a pgp sig?  ;D
NXT: NXT-4CS7-S4N5-PTH5-A8R2Q

Mexxer

  • Hero Member
  • *****
  • Offline Offline
  • Posts: 653
    • View Profile
  • Karma: +32/-20

Here's what NaS means. Suppose that you have a chain C1, and then some attacker with P portion of network hashpower decides to start trying to fork your blockchain starting N blocks ago. Then, there are two competing chains, C1 and C2. Now, look at it from the point of view as an ordinary forger. You have four options:

1. Try to forge on neither chain.
2. Try to forge on C1 only.
3. Try to forge on C2 only.
4. Try to forge on C1 and C2 simultaneously.

Because there is no significant cost to forging that is external to the blockchain, like there is with PoW, (4) is an actually viable strategy (in Bitcoin, (4) would have cost you 2x as much mining power). (4) is clearly the best from a revenue standpoint, because it gives you a reward if either chain ultimately wins, whereas the "honest" strategy, (2), gives you only rewards if C1 wins. Hence, all purely self-interested forgers will forge on C1 and C2, altruists will forge on C1 only, and the attacker will forge on C2 only. Thus, in order for the attack to win, the attacker will need to overpower only the altruists, not 51% of the entire network.

You guys are secure now because everyone is using the default client, which I presume enforces the "forge on C1 only" rule. Later on, clients designed and downloaded by users motivated solely by financial interest may well switch to double-forging. An analog of this problem exists for every PoS system to date with the exception, as I described in my article, of permanent-genesis-nobility and TaPoS.

Before we go any further, any chance of a pgp sig?  ;D

Well he was asked on reddit to come here:
http://www.reddit.com/r/Bitcoin/comments/29yyjm/proofofstake_and_distributed_consensus_are/

So it's probably him.

Would be awesome to get a nice discussion going!
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬  ▄▀▀▀▀▀▀▀▀▄  ▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬●  nimirum  ●▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
▬▬▬ ◖ENDING CENSORSHIP ONLINE◗  ◖ ICO OPEN NOW◗ ▬▬▬
Pages: 1 [2] 3 4 5  All