public inbox for bitcoindev@googlegroups.com
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
To: "Kenshiro []" <tensiam@hotmail.com>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Secure Proof Of Stake implementation on Bitcoin
Date: Wed, 17 Jul 2019 08:11:26 +0000
Message-ID: <D-LJd2MDCfyPvBy7Px7FFjsh6ZrD2fmCCZ66tKQEMpBf5VEJ2RTh6GsE24uu4ow4bD_O-a_vyZh6qLaWOJIpkfO4EzOKbvO_xW5Bwjf_yPI=@protonmail.com>
In-Reply-To: <DB6PR10MB1832257D676DDA7B4F55E658A6CE0@DB6PR10MB1832.EURPRD10.PROD.OUTLOOK.COM>

Good morning Kenshiro,

> 4 - In any given block, only one staker gets the authorization to create that block, so other stakers can't spam the network with many different blocks as they are illegal. 

This leaves the consensus algorithm liable to stake-grinding attacks.
Often, the selection of the "single staker" for each block is based on some hashing of some number of the previous headers.

This allows the single staker to do some trivial grinding of the `R` of some signature of some transaction of some money from itself to itself.
This grinding is likely to change the hash of the current block.
Changing the hash of the current block is enough to change the hash that is used in the selection of the **next** single staker.
Note that the staker will of course only publish the version of that block that makes itself the **next** staker.

This is the well-known stake-grinding attack; did you not encounter it in your proof-of-stake research?
This is a basic objection to proof-of-stake, together with the nothing-at-stake.

Suppose the staker owns 49% of the staked funds.
It is now trivial for it to continuously grind so that it is again the next staker for the next block, as 49% of the time, it would be selected as the next staker.
Further, this is easily hideable, as the staker can simply run 100000 masternodes and split its funds to all of them, so that it becomes very non-obvious that there is in fact only one staker running the entire network.

(Did you consider how much energy such a staker would be willing to spend on grinding so that it remains the next staker forevermore?
In particular, the staker would be willing to spend energy up to the block reward in such grinding --- a property that proof-of-work has, and ***openly*** admits it has.)

In particular, this allows that one staker to impose any censorship it likes.
Thus, Bitcoin cannot support any kind of proof-of-stake that is vulnerable to this stake-grinding attack.

Regards,
ZmnSCPxj
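
The selection weakness described in the message above, as an added toy model that is not part of the original email or of any real protocol: the next producer is derived from the previous block's hash, and a 49% staker either builds one block or tries several variants of its own block. The selection rule, the `variant` field (standing in for a producer-controlled value such as a signature's `R`), and all names and parameters are assumptions made for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def big_staker_selected(prev_block_hash: bytes, stake_share: float) -> bool:
    """Toy selection rule (assumption): hash the previous block, map it to
    [0, 1), and pick the big staker when the value falls below its share."""
    draw = int.from_bytes(h(b"select" + prev_block_hash)[:8], "big") / 2**64
    return draw < stake_share

def make_block(prev_hash: bytes, producer: bytes, variant: int) -> bytes:
    """Block hash over parent, producer and one free field. `variant` stands
    in for any producer-controlled bytes, such as a signature's R."""
    return h(prev_hash + producer + variant.to_bytes(8, "big"))

def simulate(blocks: int, stake_share: float, grind_budget: int) -> float:
    """Return the fraction of blocks produced by the big staker.
    grind_budget=1 models a producer that builds exactly one block."""
    prev = h(b"constructed genesis block")
    produced = 0
    for height in range(blocks):
        if big_staker_selected(prev, stake_share):
            produced += 1
            block = make_block(prev, b"big", 0)
            # Grinding: try variants until one re-selects the same producer.
            for variant in range(grind_budget):
                candidate = make_block(prev, b"big", variant)
                if big_staker_selected(candidate, stake_share):
                    block = candidate
                    break
        else:
            # Everyone else publishes a single block and does not grind.
            block = make_block(prev, b"other", height)
        prev = block
    return produced / blocks

if __name__ == "__main__":
    for budget in (1, 64):
        share = simulate(2000, 0.49, budget)
        print(f"grind_budget={budget:3d}: big staker produced {share:.1%} of blocks")
```

With one variant per block the big staker's share of blocks tracks its 49% stake; with 64 variants the chance that none of them re-selects it is 0.51^64, so once it produces a block it keeps the slot for the rest of the run.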

