From: ZmnSCPxj
To: Kenshiro [], Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Wed, 17 Jul 2019 08:11:26 +0000
Subject: Re: [bitcoin-dev] Secure Proof Of Stake implementation on Bitcoin

Good morning Kenshiro,

> 4 - In any given block, only one staker gets the authorization to create that block, so other stakers can't spam the network with many different blocks as they are illegal.

This leaves the consensus algorithm liable to stake-grinding attacks.

Often, the selection of the "single staker" for each block is based on some hashing of some number of the previous headers.
This allows the single staker to do some trivial grinding of the `R` of some signature of some transaction of some money from itself to itself.
This grinding is likely to change the hash of the current block.
Changing the hash of the current block is enough to change the hash that is used in the selection of the **next** single staker.
Note that the staker will of course only publish the version of that block that makes itself the **next** staker.

This is the well-known stake-grinding attack; did you not encounter it in your proof-of-stake research?
This is a basic objection to proof-of-stake, together with the nothing-at-stake.

Suppose the staker owns 49% of the staked funds.
It is now trivial for it to continuously grind so that it is again the next staker for the next block, as 49% of the time, it would be selected as the next staker.
Further, this is easily hideable, as the staker can simply run 100000 masternodes and split its funds to all of them, so that it becomes very non-obvious that there is in fact only one staker running the entire network.

(Did you consider how much energy such a staker would be willing to spend on grinding so that it remains the next staker forevermore?
In particular, the staker would be willing to spend energy up to the block reward in such grinding --- a property that proof-of-work has, and ***openly*** admits it has.)

In particular, this allows that one staker to impose any censorship it likes.

Thus, Bitcoin cannot support any kind of proof-of-stake that is vulnerable to this stake-grinding attack.

Regards,
ZmnSCPxj
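A toy simulation of the grinding loop described in the reply above, added here as an illustration; it is not code from the original email, from Kenshiro's proposal, or from any real proof-of-stake system. The selection rule (next staker is a stake-weighted pick keyed by the previous block hash), the block format, the `grind`/`simulate`/`select_staker` helpers and the constructed stake split (three honest stakers with 51%, one attacker with 49% spread over 49 "masternodes") are all assumptions chosen to make the mechanism visible. The attacker never changes the selection rule; it only re-signs its own self-payment with a fresh nonce until the resulting block hash happens to select one of its own nodes next, and publishes only that version.

```python
import hashlib


def select_staker(seed: bytes, stakes: dict) -> str:
    """Authorise one staker for the next block.

    Hash the seed (here: the previous block hash) and map it onto the
    cumulative stake, so each staker is chosen with probability proportional
    to its stake.  Iteration order is fixed so every node agrees on the pick.
    """
    total = sum(stakes.values())
    r = int.from_bytes(hashlib.sha256(seed).digest(), "big") % total
    acc = 0
    for name in sorted(stakes):
        acc += stakes[name]
        if r < acc:
            return name
    raise RuntimeError("unreachable: r < total by construction")


def block_hash(prev_hash: bytes, staker: str, sig_r: int) -> bytes:
    """Toy block header committing to the previous hash, the staker and the body.

    The body holds a single self-payment by the staker; `sig_r` stands in for
    the signature nonce R.  Re-signing with a new nonce costs nothing, is still
    a valid transaction, and changes the block hash.
    """
    body = f"{staker}->{staker}:R={sig_r}".encode()
    header = prev_hash + staker.encode() + hashlib.sha256(body).digest()
    return hashlib.sha256(header).digest()


def grind(prev_hash: bytes, staker: str, stakes: dict, colluders,
          max_tries: int = 10_000):
    """Vary the self-payment's nonce until the block hash selects a colluder next.

    Returns (block_hash, attempts), or None if the budget is exhausted.  The
    grinder only ever publishes the winning version of the block.
    """
    for nonce in range(max_tries):
        h = block_hash(prev_hash, staker, nonce)
        if select_staker(h, stakes) in colluders:
            return h, nonce + 1
    return None


def simulate(stakes: dict, colluders, n_blocks: int, grinding: bool,
             genesis: bytes = b"constructed genesis") -> tuple:
    """Advance the chain n_blocks times from a constructed genesis.

    Returns (blocks by colluders, blocks by everyone else, total grinding
    attempts).  Honest stakers publish the first signature they produce.
    """
    prev = hashlib.sha256(genesis).digest()
    ours = others = attempts = 0
    for _ in range(n_blocks):
        staker = select_staker(prev, stakes)
        if staker in colluders:
            ours += 1
            found = grind(prev, staker, stakes, colluders) if grinding else None
            if found is not None:
                prev, tries = found
                attempts += tries
                continue
        else:
            others += 1
        prev = block_hash(prev, staker, 0)  # honest: first signature, no grinding
    return ours, others, attempts


# Constructed stake distribution (assumption, not from the post): three honest
# stakers hold 51% between them; one attacker holds 49% but has split it across
# 49 "masternodes" that secretly act as a single grinder.
HONEST = {"honest-A": 17, "honest-B": 17, "honest-C": 17}
MASTERNODES = {f"mn{i:02d}": 1 for i in range(49)}
STAKES = {**HONEST, **MASTERNODES}
COLLUDERS = frozenset(MASTERNODES)


def attacker_share(n_blocks: int, grinding: bool) -> float:
    """Fraction of blocks the colluding masternodes produce over n_blocks."""
    ours, others, _ = simulate(STAKES, COLLUDERS, n_blocks, grinding)
    return ours / (ours + others)


if __name__ == "__main__":
    for grinding in (False, True):
        ours, others, attempts = simulate(STAKES, COLLUDERS, 1000, grinding)
        print(f"grinding={grinding!s:5}  attacker blocks={ours:4d}  "
              f"honest blocks={others:4d}  grinding attempts={attempts}")
```

Without grinding the 49% attacker produces roughly half the blocks, as its stake entitles it to. With grinding, once any of its masternodes is selected it keeps the slot for the rest of the run, at a cost of about two signature attempts per block on average (a 49% hit rate per attempt), which is exactly the "energy up to the block reward" trade-off the reply points out. Since the selection rule cannot tell the 49 masternodes apart from 49 independent stakers, nothing in the chain data exposes that one party is producing every block.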