Topic: How Do Bitshares DACs Solve The "Nothing At Stake" Problem

Offline arhag

Quote from: santaclause102
And would those former delegates have been delegates at the same time?

Yes, they would all have to have been delegates at the same time in order to create a plausible fake blockchain history from that point forward. Which is why it is so unlikely that you can find a group of 101 delegates that satisfy that requirement and are all willing to collude.

Offline santaclause102

Quote from: bytemaster
Nope, this would not work unless they controlled 100% of the stake... or enough stake to vote in a complete new slate of 101 delegates.  Their chain would never be longer than the official chain because if they had only 1 delegate slot they could only produce 1% of the blocks.   All clients that connected to the "attack network" would see delegate participation rate of 1% and a big red warning bar.

So the only one able to attack the network is the INIT delegates and they could only do this by preventing all transactions that vote them out.   A quick sanity check would then reveal that 90% of the genesis stake was "unmoved" and thus be another RED FLAG.   

Add a checkpoint at some block after the majority of init delegates have been voted out and you are even protected here.

From a risk profile perspective, you are more likely to lose your private key than be attacked in such a manner.

Quote from: arhag
Doesn't this also assume that it is unlikely that any previous delegates who have now been removed from their delegate position do not collude to attempt a double-spend attack? For example, say there were 101 non-init delegates active in early August, but they were all replaced by better delegates in late August. Someone who had synchronized with the network in early August and went offline until resynchronizing with the network in September could be vulnerable to an attack by the 101 now fired delegates colluding together, correct? The assumption here is that even though these 101 delegates now have nothing at stake since they have already been fired, they are still unlikely to all collude together to attempt a double-spend attack. I suppose, we could also have the client detect that there are two different equal length chains being offered (assuming the user's internet connection isn't completely compromised by the attacker so that they can actually get the true chain), warn the user he is under attack, and make a suggestion to pick the chain with more transaction activity since it is more likely to be the true chain.

Edit: I also realize the probability that most active delegates are replaced in a short enough time frame that the replacement happens between the time a typical user would resync is very low. I don't think it is a concern in practice. I just want to make the concern explicit to point out why we shouldn't have to really worry about it.

And would those former delegates have been delegates at the same time?

Offline arhag

Quote from: bytemaster
Nope, this would not work unless they controlled 100% of the stake... or enough stake to vote in a complete new slate of 101 delegates.  Their chain would never be longer than the official chain because if they had only 1 delegate slot they could only produce 1% of the blocks.   All clients that connected to the "attack network" would see delegate participation rate of 1% and a big red warning bar.

So the only one able to attack the network is the INIT delegates and they could only do this by preventing all transactions that vote them out.   A quick sanity check would then reveal that 90% of the genesis stake was "unmoved" and thus be another RED FLAG.   

Add a checkpoint at some block after the majority of init delegates have been voted out and you are even protected here.

From a risk profile perspective, you are more likely to lose your private key than be attacked in such a manner.

Doesn't this also assume that it is unlikely that any previous delegates who have now been removed from their delegate position do not collude to attempt a double-spend attack? For example, say there were 101 non-init delegates active in early August, but they were all replaced by better delegates in late August. Someone who had synchronized with the network in early August and went offline until resynchronizing with the network in September could be vulnerable to an attack by the 101 now fired delegates colluding together, correct? The assumption here is that even though these 101 delegates now have nothing at stake since they have already been fired, they are still unlikely to all collude together to attempt a double-spend attack. I suppose, we could also have the client detect that there are two different equal length chains being offered (assuming the user's internet connection isn't completely compromised by the attacker so that they can actually get the true chain), warn the user he is under attack, and make a suggestion to pick the chain with more transaction activity since it is more likely to be the true chain.

Edit: I also realize the probability that most active delegates are replaced in a short enough time frame that the replacement happens between the time a typical user would resync is very low. I don't think it is a concern in practice. I just want to make the concern explicit to point out why we shouldn't have to really worry about it.
« Last Edit: August 03, 2014, 09:56:47 pm by arhag »

Offline bytemaster

Quote from: AsymmetricInformation
What do you mean when you say "Nope"? This is the long-range NaS as described by everyone I could find who wrote about it.

Which of the 6 steps do you disagree with?

Step 4... they tell their computer to build a completely different blockchain history....

Their computer could only produce 1 block every 110 seconds and thus their chain would be 1% the length of the real history.   Unless you controlled enough shares to completely change the 101 delegate slate to one you control you will never be able to create a longer chain.
For the latest updates checkout my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.
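
A toy model of the client-side checks argued over in this thread (the 1% branch, the participation warning, the checkpoint), added as an illustration and not code from the BitShares client or from any poster. The round-robin schedule, the 50% warning threshold, the `Block` fields and the delegate names are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

N_DELEGATES = 101   # slate size used throughout the thread
WARN_BELOW = 0.5    # assumed warning threshold; the thread names no number

@dataclass(frozen=True)
class Block:
    slot: int       # production slot counted from the fork point
    delegate: str   # delegate that signed the block
    prev: str       # id of the parent block
    txs: str        # stand-in for the block's transaction contents

    @property
    def id(self) -> str:
        raw = f"{self.prev}|{self.slot}|{self.delegate}|{self.txs}"
        return hashlib.sha256(raw.encode()).hexdigest()

def scheduled(slate, slot):  # assumption: plain round-robin over the slate
    return slate[slot % len(slate)]

def extend(parent_id, slate, signers, n_slots, txs):
    """Blocks that exist after n_slots if only `signers` sign this branch."""
    chain, prev = [], parent_id
    for slot in range(n_slots):
        delegate = scheduled(slate, slot)
        if delegate in signers:          # everyone else's slot stays empty
            block = Block(slot, delegate, prev, txs)
            chain.append(block)
            prev = block.id
    return chain

def assess(chain, slate, n_slots, checkpoints):
    """Return (participation_rate, warnings) for a branch offered to a client."""
    bad = [b.slot for b in chain if scheduled(slate, b.slot) != b.delegate]
    warnings = [f"slot {s}: signer was not scheduled" for s in bad]
    rate = len(chain) / n_slots
    if rate < WARN_BELOW:
        warnings.append(f"delegate participation {rate:.1%}")
    for height, block_id in checkpoints.items():
        if height >= len(chain):
            warnings.append(f"branch ends before checkpoint {height}")
        elif chain[height].id != block_id:
            warnings.append(f"checkpoint {height} mismatch")
    return rate, warnings

def demo():
    slate = [f"delegate-{i}" for i in range(N_DELEGATES)]  # constructed names
    slots = 10 * N_DELEGATES                               # ten full rounds
    real = extend("fork-point", slate, set(slate), slots, "real history")
    checkpoints = {500: real[500].id}    # pinned some time after the fork point
    branches = {
        "real": real,
        "one ex-delegate": extend("fork-point", slate, {slate[0]}, slots, "rewritten"),
        "whole old slate": extend("fork-point", slate, set(slate), slots, "rewritten"),
    }
    return {name: assess(c, slate, slots, checkpoints) for name, c in branches.items()}

if __name__ == "__main__":
    for name, (rate, warnings) in demo().items():
        print(f"{name:16} {rate:6.1%} {warnings}")
```

In this model the single former delegate fills 10 of 1010 slots, so both the participation warning and the checkpoint fire; the branch signed by the entire old slate shows 100% participation and is caught only by the checkpoint.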

Offline AsymmetricInformation

What do you mean when you say "Nope"? This is the long-range NaS as described by everyone I could find who wrote about it.

Which of the 6 steps do you disagree with?

Offline bytemaster

Quote from: AsymmetricInformation
The 'Nothing at Stake' is indeed that people would sign two different blocks at the same time, but the true danger is that people can do this at any time.

For example:
[1] Someone was a delegate.
[2] 12 years from now when the person is no longer a delegate, they decide to attack the network.
[3] They take the current valid chain, and cut off the 12 years of blockchain-history that have passed.
[4] They then tell their computer to build a completely different blockchain-history. Without a proof of work requirement they can do this 'for nothing'.
[5] Repeat [3-4] millions of times, to make many similar chains. Without a proof of work requirement they can do this 'for nothing'.
[6] Sybil attack the network and try to drag people onto one of them.

PoW clients choose the chain which is longest, but PoS clients must use something else. My understanding is that Mr. L believes that long-run consensus is not a significant concern, and that wallets will be able to find the right chain by themselves without much help and without significant risk.

Nope, this would not work unless they controlled 100% of the stake... or enough stake to vote in a complete new slate of 101 delegates.  Their chain would never be longer than the official chain because if they had only 1 delegate slot they could only produce 1% of the blocks.   All clients that connected to the "attack network" would see delegate participation rate of 1% and a big red warning bar.

So the only one able to attack the network is the INIT delegates and they could only do this by preventing all transactions that vote them out.   A quick sanity check would then reveal that 90% of the genesis stake was "unmoved" and thus be another RED FLAG.   

Add a checkpoint at some block after the majority of init delegates have been voted out and you are even protected here.

From a risk profile perspective, you are more likely to lose your private key than be attacked in such a manner. 


Offline AsymmetricInformation

The 'Nothing at Stake' is indeed that people would sign two different blocks at the same time, but the true danger is that people can do this at any time.

For example:
[1] Someone was a delegate.
[2] 12 years from now when the person is no longer a delegate, they decide to attack the network.
[3] They take the current valid chain, and cut off the 12 years of blockchain-history that have passed.
[4] They then tell their computer to build a completely different blockchain-history. Without a proof of work requirement they can do this 'for nothing'.
[5] Repeat [3-4] millions of times, to make many similar chains. Without a proof of work requirement they can do this 'for nothing'.
[6] Sybil attack the network and try to drag people onto one of them.

PoW clients choose the chain which is longest, but PoS clients must use something else. My understanding is that Mr. L believes that long-run consensus is not a significant concern, and that wallets will be able to find the right chain by themselves without much help and without significant risk.

Offline bytemaster

The Nothing At Stake problem assumes certain properties of POS based upon the Peercoin design. 

It is impossible for DPOS to produce an alternative longer chain without collusion of 51% of the delegates.  With 51% collusion you are back to the 51% attack that all systems are subject to.

In this case the delegates also have something at stake:  their job.   

So how has DPOS changed the game?

1) "Miners" are now generally public, known individuals rather than anonymous individuals.
2) Secret attacks are no longer possible
3) Alternative chains are not possible
4) In the time it takes Bitcoin to generate 1 confirmation, 60 delegates will have confirmed your transaction. 

Offline santaclause102

No nothing at stake problem because: block production is deterministic / sequential (it is not possible that two delegates find blocks before each of them saw that the other one found one).
Now one delegate could still sign two blocks. But why should he/she do it? Own answer: To double spend a merchant after one confirmation.
Wouldn't it be possible to punish any delegate that signs two blocks even if there is a fork and that delegate has to decide randomly on one block like a miner would decide randomly? Then 2 confirmations would be enough to be safe if not two delegates collude which would require 3 confirmations to be safe and so on...

https://bitsharestalk.org/index.php?topic=4347.msg84182#msg84182
« Last Edit: August 03, 2014, 10:38:06 am by delulo »

Offline luckybit

Quote from: coolspeed
How Do Bitshares DACs Solve The "Nothing At Stake" Problem

Vitalik Buterin wrote an article, On Stake:
https://blog.ethereum.org/2014/07/05/stake/

He wrote:

Quote
However, with the naive proof of stake algorithm described above, there is one serious problem: as some Bitcoin developers describe it, “there is nothing at stake”. What that means is this: in the context of a proof-of-work blockchain, if there is an accidental fork, or a deliberate transaction reversal (“double-spend”) attempt, and there are two competing forks of the blockchain, then miners have to choose which one they contribute to.

...

The optimal strategy is to mine on any fork that you can find. Thus, in order to launch a successful attack, an attacker need only overpower all of the altruists who are willing to vote only on the correct chain.
...

However, there is a problem: what motivates signers to sign blocks on only one chain? If the arguments against pure proof of stake are correct, then most rational stake-miners would sign both chains. Hence, in hybrid PoS, if the attacker signs only his chain, and altruists only sign the legitimate chain, and everyone else signs both, then if the attacker can overpower the altruists on the stake front that means that the attacker can overtake the chain with less than a 51% attack on the mining front. If we trust that altruists as a group are more powerful in stake than any attacker, but we don’t trust that too much, then hybrid PoS seems like a reasonable hedge option; however, given the reasoning above, if we want to hybridize one might ask if hybrid PoW + TaPoS might not be the more optimal way to go. For example, one could imagine a system where transactions need to reference recent blocks, and a blockchain’s score is calculated based on proof of work and coin-days-destroyed counts.


He also gave a very high evaluation of TaPOS, which to my understanding is somehow part of DPOS.

I think what we, the Bitshares community, and especially Stan Larimer, gave to the so-called "nothing at stake" problem is what we call "Bitshares Social Consensus" -- all chains that have people's "votes" deserve existence. Let the FREE MARKET judge which chain or which DAC should take over the most, thus the main market volume.

Any thoughts?

I think we should stop calling it the "nothing at stake" problem because the phrase generates confusion. What are the factors of the problem we need to solve? List them.

Then once we agree on and understand those major issues we can find an approach to solving it if it is indeed a problem.

I gave some thought to this particular problem and the conclusion is there is a low probability of it being a successful attack vector. It's of low risk because the consequences of the attack would not be catastrophic because DPoS is set up to minimize the damage of any attack of this sort just by firing the delegates responsible.

And if it were so easy to pull off then other Proof of Stake coins with a higher market cap would face attack.

I think Bitcoin and Litecoin are centralized thus currently among the most insecure cryptocurrencies. Proof of Work will end up being the cause of the insecurity as it promotes the centralization which ultimately will lead to attacks.

So given a choice I would say Proof of Stake is more secure than Proof of Work even if the "nothing at stake" problem is some theoretically possible attack. So far it has not been attempted or it has been attempted and proved ineffective.

If I'm wrong and someone can explain the "nothing at stake" problem in plain English then I'll give it more thought.

Quote from: emski
Bytemaster said several times that automatic delegate firing should occur if they are found to sign 2 different blocks.
However I don't think this is implemented... yet.

This should be sufficient provided it is difficult enough to become delegate. However some problems might arise if those who vote for the misbehaving delegate just vote-in another one.

Right. DPoS is self healing and somewhat collusion resistant too. Delegates can be fired and we can optimize for delegates which don't collude or attack the integrity of the network. I think DPoS offers way more flexibility than Proof of Work with its unelected government of miners. If miners desire they can gain complete and absolute control over Bitcoin and Litecoin over time and there is actual evidence of it happening right now.

If you look at Bitcoin or Litecoin neither are willing to swap out their hashing algorithms despite the fact that there are ASICs. No one gives a good reason why developers are sticking with ASICs and as a security design it really doesn't make any sense. ASICs result in extreme centralization which is very bad for security but I guess because the difficulty numbers look high it has everyone fooled into thinking it's more secure...

Difficulty is not security.
« Last Edit: August 03, 2014, 10:04:41 am by luckybit »

Offline emski

Bytemaster said several times that automatic delegate firing should occur if they are found to sign 2 different blocks.
However I don't think this is implemented... yet.

This should be sufficient provided it is difficult enough to become delegate. However some problems might arise if those who vote for the misbehaving delegate just vote-in another one.
« Last Edit: August 03, 2014, 06:48:28 am by emski »

Offline coolspeed

How Do Bitshares DACs Solve The "Nothing At Stake" Problem

Vitalik Buterin wrote an article, On Stake:
https://blog.ethereum.org/2014/07/05/stake/

He wrote:

Quote
However, with the naive proof of stake algorithm described above, there is one serious problem: as some Bitcoin developers describe it, “there is nothing at stake”. What that means is this: in the context of a proof-of-work blockchain, if there is an accidental fork, or a deliberate transaction reversal (“double-spend”) attempt, and there are two competing forks of the blockchain, then miners have to choose which one they contribute to.

...

The optimal strategy is to mine on any fork that you can find. Thus, in order to launch a successful attack, an attacker need only overpower all of the altruists who are willing to vote only on the correct chain.
...

However, there is a problem: what motivates signers to sign blocks on only one chain? If the arguments against pure proof of stake are correct, then most rational stake-miners would sign both chains. Hence, in hybrid PoS, if the attacker signs only his chain, and altruists only sign the legitimate chain, and everyone else signs both, then if the attacker can overpower the altruists on the stake front that means that the attacker can overtake the chain with less than a 51% attack on the mining front. If we trust that altruists as a group are more powerful in stake than any attacker, but we don’t trust that too much, then hybrid PoS seems like a reasonable hedge option; however, given the reasoning above, if we want to hybridize one might ask if hybrid PoW + TaPoS might not be the more optimal way to go. For example, one could imagine a system where transactions need to reference recent blocks, and a blockchain’s score is calculated based on proof of work and coin-days-destroyed counts.


He also gave a very high evaluation of TaPOS, which to my understanding is somehow part of DPOS.

I think what we, the Bitshares community, and especially Stan Larimer, gave to the so-called "nothing at stake" problem is what we call "Bitshares Social Consensus" -- all chains that have people's "votes" deserve existence. Let the FREE MARKET judge which chain or which DAC should take over the most, thus the main market volume.

Any thoughts?
« Last Edit: August 03, 2014, 05:49:44 am by coolspeed »
Please vote for  delegate.coolspeed    dac.coolspeed
BTS account: coolspeed
Sina Weibo:@coolspeed