Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 4E927E5A for ; Thu, 18 Jul 2019 01:13:32 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-40133.protonmail.ch (mail-40133.protonmail.ch [185.70.40.133]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 5052725A for ; Thu, 18 Jul 2019 01:13:31 +0000 (UTC) Date: Thu, 18 Jul 2019 01:13:27 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1563412408; bh=Rcn/5BJHtUGPQYPWtN1/IB7mGvJFI1AmrR7js9x924s=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=W5S+ZAwHBeZypnM2Afge4Hg18RbI22UhknlrdBxYyhucZ3mfWbvcznKV7ojn+zSAX aM6ycbOGN4QwKbHYY/KMipKHY/qCZaVCT3PYm1GqyKreKuxce+dHUiswIUGGPMajRB WAHy+gTjiL39nktj9o63iEY2u1pwkPQ9tu6yvBIw= To: Eric Voskuil From: ZmnSCPxj Reply-To: ZmnSCPxj Message-ID: In-Reply-To: <207DBF48-E996-440D-ADDC-3AEC9238C034@voskuil.org> References: <207DBF48-E996-440D-ADDC-3AEC9238C034@voskuil.org> Feedback-ID: el4j0RWPRERue64lIQeq9Y2FP-mdB86tFqjmrJyEPR9VAtMovPEo9tvgA0CrTsSHJeeyPXqnoAu6DN-R04uJUg==:Ext:ProtonMail MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, FROM_LOCAL_NOVOWEL, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Thu, 18 Jul 2019 01:19:02 +0000 Cc: Bitcoin Protocol Discussion , "Kenshiro \[\]" Subject: Re: [bitcoin-dev] Secure Proof Of Stake implementation on Bitcoin X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Jul 2019 01:13:32 -0000 Good morning all, > > >>>Under the trust-minimization requirement of Bitcoin this is simply n= ot acceptable. > > As there is no way to trust-minimally heal from a network split (and ev= ery time a node is shut down, that is indistinguishable from a network spli= t that isolates that particular node), this is not a trust-minimizing conse= nsus algorithm. > > That=E2=80=99s nonsense, one is a feature (systemic trust), the other is = a bug (code accident). But there is a way to minimize actual forks - try no= t to change the consensus rules in the code you ship. I am uncertain what you mean here. What I am attempting to compare are: 1. A network split (maybe better term is "network partition"?) wherein som= e number of nodes are temporarily unable to contact the rest of the network= . This has the degenerate but very common case where a single node is tem= porarily unable to communicate with the rest of the network. AND 2. A node being shut down, then brought back online again. Neither seems to match "feature" or "bug", as both are simply accidents of = deployment. The point (as I understand it) of a consensus algorithm is to be able to ge= t all nodes into agreement about the global state, even after a network par= tition. Ideally, such an algorithm would place as little trust as possible on some = other node, and would work even in adversarial conditions. To my understanding, the proposal from Kenshiro is not able to get all node= s into agreement about global state after a network partition, without trus= t in some node, when in adversarial conditions. > > >>> History rewrites are not the only attack possible. > > The worst attack is a censorship attack, and a 99% staker can easily ce= nsor on the creation of new blocks. > > > > I don't agree, history rewrite attacks are much worse than censorship b= ecause they can be used to steal funds from people. > > Censorship can steal everybody=E2=80=99s money. To expand on this: by censoring ***all*** transactions one is able to preve= nt spending of all funds. This will crash the value of the staked funds also, but note that the stake= r could use techniques like short options to leverage this and potentially = earn more than the value of their staked funds, effectively stealing the en= tire marketcap of the attacked coin. > > > In PoS staking addresses are public, so maybe it should be possible to = detect if some transaction in the mempool is repeatedly=C2=A0being ignored = and what staking deposit is repeatedly ignoring transactions. After some ti= me, a hard fork could burn the funds of the evil validator. > > Political money. Aside from that, this is possible to evade by running 10000 masternodes and= splitting your staking funds among them. Rent from a botnet, and it appears the masternodes are geographically diver= se. Then it becomes hard to accuse the network of actually being controlled str= ongly by a single participant. (the ability to rent botnets means that even existing PoS coins might alrea= dy be strongly controlled, but appear "healthy" because masternodes *appear= * geographically diverse, but in actuality are controlled by a single entit= y) Further, "detect if some transaction in the mempool" cannot provide a proof= , as no construct ever precommits to the state of the mempool at a particul= ar time (if it did, the mempool would cease to be a mempool and would be pa= rt of the block). I can generate a completely new transaction, then accuse the masternodes of= censoring it. Other nodes may not believe me, as they have not seen my transaction on the= ir mempool, but note that the mempools of nodes are ***not*** strongly sync= hronized. By careful timing and control of the connectivity of the network, it become= s possible to effectively split the consensus algorithm by showing my trans= action to some non-masternode nodes but keeping my transaction away from ma= sternodes, then have the non-masternode nodes accuse the masternodes of cen= soring my transaction and hereby penalizing them. But the masternodes would not agree, not having seen my transaction in thei= r mempool, and thus is the network consensus destroyed. Basically: "never base consensus rules on mempool state" is a good rule of = thumb for ensuring that consensus can be maintained. Consensus rules should consider only data that is committed to some block, = and the mempool is not intended to be committed to in every block. > > https://www.coingecko.com/en/coins/nxt > > > > Another thing is that Ethereum itself is going to PoS next year, but wi= th a different implementation that I'm proposing here. > > Just another nail in the coffin. I agree. Regards, ZmnSCPxj