Topic: Bounty for successful nothing at stake attack? (Read 9843 times)

ThomasVeil · July 05, 2014, 11:32:39 pm

Quote from: kushti on July 05, 2014, 11:22:48 pm

Could anyone pls send me the best detailed explanation of "Nothing-at-stake" attack at the moment? I've found only some totally unclear fantasies.

This one about Peercoin might be what you need: http://www.peercointalk.org/index.php?PHPSESSID=6ncnpr1cn0agilrm892o06l4a6&topic=2976.msg27303#msg27303
more links are here: http://www.peercointalk.org/index.php?topic=2976.msg27787#msg27787

But basically I don't think there is a clear answer, it's just a nice term. What I was told: N-a-S doesn't lead to double spending nor does it create funds or anything. At most it would make forks or so. Doesn't exactly scare me. No one is willing to follow up once you ask for details.

I like the bounty idea definitely! Can we get this done?

anon136 · July 05, 2014, 11:55:10 pm

Quote from: kushti on July 05, 2014, 11:22:48 pm

Could anyone pls send me the best detailed explanation of "Nothing-at-stake" attack at the moment? I've found only some totally unclear fantasies.

The idea is that people can attempt to build ontop of multiple forks at once. So instead of just putting your block ontop of the main chain, you could also build a database where for each block, instead of the person who actually won the right to build ontop of that block, you build your own chain and store on your hard drive as if you had won that block. and every other block also. it increases your ability to attack by a very tiny amount.

sorry about this explanation being a mess, wife is saying comon comeon

Daedelus · July 06, 2014, 01:55:34 am

Quote from: kushti on July 05, 2014, 11:22:48 pm

Could anyone pls send me the best detailed explanation of "Nothing-at-stake" attack at the moment? I've found only some totally unclear fantasies.

Come from beyond and Chuckone had a debate with high level bitcoin guys (deathandtaxes) on this, has links to BTT on there too

https://nxtforum.org/general-discussion/some-thoughts-on-arguments-of-pow-guys/

Come-from-Beyond · July 06, 2014, 07:27:42 am

Quote from: Daedelus on July 06, 2014, 01:55:34 am

Quote from: kushti on July 05, 2014, 11:22:48 pm
Could anyone pls send me the best detailed explanation of "Nothing-at-stake" attack at the moment? I've found only some totally unclear fantasies.

Come from beyond and Chuckone had a debate with high level bitcoin guys (deathandtaxes) on this, has links to BTT on there too

https://nxtforum.org/general-discussion/some-thoughts-on-arguments-of-pow-guys/

Kushti found good words for describing N@S - "some totally unclear fantasies"

mczarnek · July 06, 2014, 09:42:42 am

I like the bounty idea.. how much of a BTC bounty do we need to make this meaningful? Anyone willing to donate some BTC?

ChuckOne · July 06, 2014, 10:43:44 am

Quote from: Come-from-Beyond on July 06, 2014, 07:27:42 am

Kushti found good words for describing N@S - "some totally unclear fantasies"

+1440

ChuckOne · July 06, 2014, 10:44:19 am

Quote from: mczarnek on July 06, 2014, 09:42:42 am

I like the bounty idea.. how much of a BTC bounty do we need to make this meaningful? Anyone willing to donate some BTC?

Me, too. But I have no BTC. :/

benjyz · July 06, 2014, 10:52:33 am

To me, this defies logic. An "attack" is inherently linked to the profit of the bad guy. So if there is no incentive, it's not an attack. Also: there is no bounty needed because the live network is already proving every day that attack is not possible. So what information should such an "attack" exactly provide? If if where successful the network would die and we can all go home.

ChuckOne · July 06, 2014, 10:55:59 am

Quote from: benjyz on July 06, 2014, 10:52:33 am

To me, this defies logic. An "attack" is inherently linked to the profit of the bad guy. So if there is no incentive, it's not an attack. Also: there is no bounty needed because the live network is already proving every day that attack is not possible. So what information should such an "attack" exactly provide? If if where successful the network would die and we can all go home.

Sure. However, if it has proven reliably, then why not incenting an futile attack?

valarmg · July 06, 2014, 11:04:44 am

Quote from: benjyz on July 06, 2014, 10:52:33 am

To me, this defies logic. An "attack" is inherently linked to the profit of the bad guy. So if there is no incentive, it's not an attack. Also: there is no bounty needed because the live network is already proving every day that attack is not possible. So what information should such an "attack" exactly provide? If if where successful the network would die and we can all go home.

Disagree. A white hat attacker could discover a flaw in the network, reveal it to the developers and allow the developers a chance to fix it. The white hat programmer gets an incentive to look for holes in the network, and reward for finding them, and the Nxt network gets subjected to more scrutiny (early in its development), and a possibly a chance to fix fatal flaws.

And if there is no flaw, Nxt gains the advantage of being able to point to the large bounty whenever someone spreads nothing at stake FUD.

Come-from-Beyond · July 06, 2014, 11:08:06 am

Quote from: valarmg on July 06, 2014, 11:04:44 am

And if there is no flaw, Nxt gains the advantage of being able to point to the large bounty whenever someone spreads nothing at stake FUD.

I would wait until opponents provide a clear explanation why N@S is a flaw. Right now it looks more as an advantage of PoS. Anyway without such the explanation we can't say what the bounty is about.

benjyz · July 06, 2014, 11:18:18 am

Quote from: valarmg on July 06, 2014, 11:04:44 am

Quote from: benjyz on July 06, 2014, 10:52:33 am
To me, this defies logic. An "attack" is inherently linked to the profit of the bad guy. So if there is no incentive, it's not an attack. Also: there is no bounty needed because the live network is already proving every day that attack is not possible. So what information should such an "attack" exactly provide? If if where successful the network would die and we can all go home.

Disagree. A white hat attacker could discover a flaw in the network, reveal it to the developers and allow the developers a chance to fix it. The white hat programmer gets an incentive to look for holes in the network, and reward for finding them, and the Nxt network gets subjected to more scrutiny (early in its development), and a possibly a chance to fix fatal flaws.

And if there is no flaw, Nxt gains the advantage of being able to point to the large bounty whenever someone spreads nothing at stake FUD.

I think these are two issues:

1. "propaganda" by Bitcoin guys. But the same way PoS has an agenda against PoW. So this is a natural process, which will solve itself over time. If people spread mis-information, or don't take time to form an opinion based on facts, that is their problem. The market provides plenty of incentives for being right.

2. possible flaws in Nxt. If there are fatal (and N@S would be fatal if possible), then bounty does not matter at all. The network dies in any case. And some person saying "I have found no flaws" does not prove that no flaws exist. Counterfactuals are impossible to prove. Which is, by the way, one major trouble with the financial system we have today (risk-management based on statistics, see Taleb for details).

I have a couple of possible attacks in mind, which I thought about, especially with regards to TF. To describe them in detail and field test them is a lot of work - I don't understand Nxt well enough to do this work (yet). It's an error to think there are just "attacks" which have binary outcomes. For example the AE can be gamed by issuing time orders. That's not a fatal issue.

Brangdon · July 06, 2014, 12:40:02 pm

Quote from: ThomasVeil on July 05, 2014, 11:32:39 pm

What I was told: N-a-S doesn't lead to double spending nor does it create funds or anything. At most it would make forks or so. Doesn't exactly scare me. No one is willing to follow up once you ask for details.

I think it does allow double-spending. As I understand it, you forge on a hidden fork. Because you are the only account forging on that fork, you get all the blocks. Eventually your fork somehow gets to be longer than the public chain, and then you publish it and the network accepts it as the new main fork.

You can double-spend by including different transactions in your private fork than in the public one. You also win all the transaction fees. You can do all the other tricks of a 51% attack, such as rejecting transactions that would help competitors, or including zero transactions so the network halts, or only accepting transactions that have high fees. You can't spend coins from other accounts or create new transactions for them (because you don't have their private keys), but by rewinding the existing transactions you can effectively deprive others of coins that belong to them.

Come-from-Beyond · July 06, 2014, 12:46:50 pm

Quote from: Brangdon on July 06, 2014, 12:40:02 pm

I think it does allow double-spending. As I understand it, you forge on a hidden fork. Because you are the only account forging on that fork, you get all the blocks. Eventually your fork somehow gets to be longer than the public chain, and then you publish it and the network accepts it as the new main fork.

You can double-spend by including different transactions in your private fork than in the public one. You also win all the transaction fees. You can do all the other tricks of a 51% attack, such as rejecting transactions that would help competitors, or including zero transactions so the network halts, or only accepting transactions that have high fees. You can't spend coins from other accounts or create new transactions for them (because you don't have their private keys), but by rewinding the existing transactions you can effectively deprive others of coins that belong to them.

I marked what won't work in Nxt.

Brangdon · July 06, 2014, 01:11:08 pm

Quote from: Come-from-Beyond on July 06, 2014, 12:46:50 pm

I marked what won't work in Nxt.

OK

Obviously the first one is the biggy, but can we address the second one first? What stops me deciding which transactions to include in a block that I forge? Are you talking about a new planned feature, or is it a consequence of the draft white paper that I'm missing?

(I'm partly interested in this from the point of view of honest forging, especially with Transparent Forging enabled so I know in advance which block I'm likely to get to forge. Although I think with TF if I reject a transaction, the next forger will include it so a 60-second delay is all I achieve.)

Come-from-Beyond · July 06, 2014, 01:22:05 pm

Quote from: Brangdon on July 06, 2014, 01:11:08 pm

Obviously the first one is the biggy, but can we address the second one first?

https://nxtforum.org/news-and-announcements/economic-clustering/

Brangdon · July 06, 2014, 02:38:58 pm

Quote from: Come-from-Beyond on July 06, 2014, 01:22:05 pm

https://nxtforum.org/news-and-announcements/economic-clustering/

So something not described in the draft white paper. Is it active now? My impression from that thread is that it won't be enabled until we have more robust, independent nodes. If we do this bounty thing, we need to be clear about which version of Nxt they are supposed to attack. There's no point asking them to attack something which doesn't exist yet.

As far as I can tell the key idea is that transactions reference a recent block. This does not mean the private fork couldn't exclude transactions. Quite the reverse: it must exclude all transactions that reference the public fork after it has branched from the attacker's fork. (Presumably the attacker will create a load of artificial transactions instead, so the fork looks plausible.) So we'd actually get loads of double-spends. Many transactions from the main fork would be undone, and have to be reissued, supposing that the sender wanted to.

I've posted some more in that thread. It seems to me that a lot depends on how recent "recent" is. If most transactions reference a block 10 blocks earlier, then the attacker can include them in the first 10 blocks of their private fork. So for short forks, it doesn't make much difference.

Mexxer · July 06, 2014, 03:14:58 pm

Ethereum just posted about PoS and Nothing-at-Stake

https://blog.ethereum.org/2014/07/05/stake/

joefox · July 06, 2014, 03:37:57 pm

Quote from: Mexxer on July 06, 2014, 03:14:58 pm

Ethereum just posted about PoS and Nothing-at-Stake

https://blog.ethereum.org/2014/07/05/stake/

*facepalm*

vbuterin · July 06, 2014, 03:49:27 pm

Here's what NaS means. Suppose that you have a chain C1, and then some attacker with P portion of network hashpower decides to start trying to fork your blockchain starting N blocks ago. Then, there are two competing chains, C1 and C2. Now, look at it from the point of view as an ordinary forger. You have four options:

1. Try to forge on neither chain.
2. Try to forge on C1 only.
3. Try to forge on C2 only.
4. Try to forge on C1 and C2 simultaneously.

Because there is no significant cost to forging that is external to the blockchain, like there is with PoW, (4) is an actually viable strategy (in Bitcoin, (4) would have cost you 2x as much mining power). (4) is clearly the best from a revenue standpoint, because it gives you a reward if either chain ultimately wins, whereas the "honest" strategy, (2), gives you only rewards if C1 wins. Hence, all purely self-interested forgers will forge on C1 and C2, altruists will forge on C1 only, and the attacker will forge on C2 only. Thus, in order for the attack to win, the attacker will need to overpower only the altruists, not 51% of the entire network.

You guys are secure now because everyone is using the default client, which I presume enforces the "forge on C1 only" rule. Later on, clients designed and downloaded by users motivated solely by financial interest may well switch to double-forging. An analog of this problem exists for every PoS system to date with the exception, as I described in my article, of permanent-genesis-nobility and TaPoS.

News:

Author Topic: Bounty for successful nothing at stake attack? (Read 9843 times)