Author Topic: BitFury White Paper: "Proof of Stake versus Proof of Work"  (Read 5747 times)


Offline bitmarley

Thanks a lot for the responses. Seems like BitFury already admits that BitShares is not vulnerable to most of the attacks they listed. So the BitFury report is very positive for the BitShares community from my perspective.

They say this about the Long Range Attack.
"In delegated PoS, an attack typically requires collusion by 2/3 of delegates"

Is this a risk for BitShares when 2/3 of witnesses collude then?
Can you provide more detail about TAPOS and how it prevents collusion? 

Any comments/links relevant to the DOS and Sybil attacks?

« Last Edit: October 22, 2015, 04:18:42 pm by bitmarley »

Offline libaisan

antchina Ant Fund: we specialize in opening wallets for newcomers. Friends who need a btsx registered ID, please ask us: QQ group 318011493

Offline bytemaster

So are any of the attacks listed in the document applicable to BitShares?
No point digging our heads in the sand. Here is the list of attacks:

3.1 Nothing at Stake Problem
3.2 Initial Distribution Problem
3.3 Long Range Attack
3.4 Bribe Attack
3.5 Coin Age Accumulation Attack
3.6 Precomputing Attack

Can anyone provide analysis or links relevant to these and BitShares?

Depending upon definitions:

1. Initial Distribution is never a problem except for the POW religious.
2. Nothing At Stake implies you can produce on two forks simultaneously and have Nothing to Lose.   Technically witnesses can produce on two forks at once.  This is not a problem unless there is 66% collusion in which case the last irreversible block becomes ambiguous.  If there is less than 66% collusion then the double signing would not impact consensus and would cause the witness to lose their job.  The cost of losing your job is the net present value of future income which is non-0 and thus SOMETHING is at stake.
3. Long Range Attack implies that the initial witnesses could produce an alternative chain that is longer than the real chain and thereby "undo" everything that happened on the real chain.   TAPOS (Transactions as Proof of Stake) protects the network against this particular attack because the attacker would be unable to migrate selective transactions from the real chain to the attack chain.   
4. Bribe Attack: all networks are subject to bribes. The cost to bribe someone is proportional to the profit they are making by being honest plus the amount they will lose by being dishonest. In my blog post I show that we can make being a witness extremely profitable (high margins) and thereby more expensive to bribe than a mining pool or miner which will have their margins pushed toward 0 by free market competition. In other words, BTS can buy loyalty while BTC cannot.

http://bytemaster.github.io/update/2015/09/29/Bitcoin-is-100x-less-secure-than-commonly-believed/

5. Coin Age attack is only relevant to Peercoin style POS.
6. The pre-computation attack does not affect DPOS because witnesses go in rounds and the block one witness produces does not allow them to influence the next block.

For the latest updates check out my blog: http://bytemaster.bitshares.org
Anything said on these forums does not constitute an intent to create a legal obligation or contract between myself and anyone else.   These are merely my opinions and I reserve the right to change them at any time.
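
As an added illustration of the TAPOS argument in point 3 of the post above (not code from the post or from BitShares): a simplified Python model in which each transaction commits to a recent block id, so it validates only on a chain that contains that block. The field names, the toy hashing and the sample chains are assumptions constructed for this example.

```python
import hashlib
from dataclasses import dataclass


def block_id(prev_id: str, witness: str, payload: str) -> str:
    """Toy block id: hash of the parent id, the producer and the contents."""
    return hashlib.sha256(f"{prev_id}|{witness}|{payload}".encode()).hexdigest()


def build_chain(genesis_id, blocks):
    """Return block ids (index = height) for (witness, payload) pairs on genesis."""
    ids = [genesis_id]
    for witness, payload in blocks:
        ids.append(block_id(ids[-1], witness, payload))
    return ids


@dataclass(frozen=True)
class Transaction:
    body: str
    ref_block_num: int     # height of a recent block the signer saw
    ref_block_prefix: str  # prefix of that block's id; assumed covered by the signature


def make_tx(body, chain, ref_height):
    """Build a transaction that commits to the block at ref_height of `chain`."""
    return Transaction(body, ref_height, chain[ref_height][:8])


def tapos_valid(tx, chain):
    """Valid only if `chain` has the referenced height with a matching block id."""
    if tx.ref_block_num >= len(chain):
        return False
    return chain[tx.ref_block_num][:8] == tx.ref_block_prefix


def replayable(txs, chain):
    """Bodies of the transactions that another chain could include unchanged."""
    return [tx.body for tx in txs if tapos_valid(tx, chain)]


# Constructed sample data: the real chain and a longer alternative history
# that shares only the genesis block with it.
GENESIS = "00" * 32
REAL = build_chain(GENESIS, [("w1", "a"), ("w2", "b"), ("w3", "c"), ("w1", "d")])
ATTACK = build_chain(GENESIS, [("w1", "x"), ("w2", "y"), ("w3", "z"),
                               ("w1", "q"), ("w2", "r")])

recent = make_tx("recent-payment", REAL, 3)  # references a block after the fork
stale = make_tx("stale-payment", REAL, 0)    # references the shared genesis block

if __name__ == "__main__":
    print("valid on real chain:  ", replayable([recent, stale], REAL))
    print("valid on attack chain:", replayable([recent, stale], ATTACK))
```

The transaction that references the shared genesis block still validates on the alternative chain, so in this model the protection covers only transactions that reference a block produced after the fork point.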

Offline bitmarley

I noticed this table on page 16:

Table 2: Vulnerability of proof of work and proof of stake consensus mechanisms to attack vectors

Attack type                        PoW     PoS   Delegated PoS
Short range attack (e.g., bribe)   −       +     −
Long range attack                  −       +     + 3*
Coin age accumulation attack       −       −     −
Precomputing attack                −       +     −
Denial of service                  +       +     +
Sybil attack                       +       +     +
Selfish mining                     maybe   −     −


So I think this means BitShares has vulnerabilities for Long range attack, Denial of service & Sybil attack only according to BitFury. And the point 3* says Long range attack can be prevented by using social-driven security in addition to protocol rules. 

3.8.3 Long Range Attack
Short range attacks described earlier in this section are made expensive in the case of delegated proof of stake, so we need to consider the cost of long range attacks as well. For proof of work systems, the cost of a long range attack is prohibitively high. For example, an attack on Bitcoin lasting for 1,000 blocks would require $4 million at very least (and, unlike a short range attack, it would be highly visible as observed network hash rate would drop in half for an extended time).
In earlier versions of proof of stake, the cost of a long range attack would be much lower; as we showed in the previous section, a one day long attack may cost about $5,000 in a system where a valid blockchain is determined based on total destroyed coin age. In delegated PoS, an attack typically requires collusion by 2/3 of delegates; its cost is difficult to assess, as delegated PoS protocols use differing methods to select, reward and punish delegates.

5 Conclusion
....

A recent development in proof of stake are delegated systems. While these systems solve several major problems with the straightforward PoS implementations, they are not yet widespread, making it difficult to evaluate their security. Nevertheless, delegated PoS solves the “nothing at stake” problem and prevents short range attacks on the system.
« Last Edit: October 22, 2015, 03:44:10 pm by bitmarley »

Offline bitmarley

So are any of the attacks listed in the document applicable to BitShares?
No point digging our heads in the sand. Here is the list of attacks:

3.1 Nothing at Stake Problem
3.2 Initial Distribution Problem
3.3 Long Range Attack
3.4 Bribe Attack
3.5 Coin Age Accumulation Attack
3.6 Precomputing Attack

Can anyone provide analysis or links relevant to these and BitShares?

Offline xeroc

Your argument is the same as someone accepting a 0 confirmation bitcoin transaction and claiming bitcoin suffers from double spend attacks.  Double spends on bitcoin are very real no matter how much you close your eyes and try to reason about merchant actions.     In other words, double spends are only POSSIBLE if both parties to the double spend behave irresponsibly.   Someone who behaves responsibly is protected.

This is different because the bitshares blockchain considers a transaction 'confirmed' at 1 confirmation. The code is littered with the is_confirmed flag and the RPC calls all return it - therefore the official line is that 1 confirmation is safe to spend, when this is not the case. Your definition of 'responsibly' is completely ad-hoc and at odds with reality.

We have defined a new metric for being confirmed and will be updating the GUI to reflect it. 
https://bitsharestalk.org/index.php/topic,18720.msg240787.html#msg240787

Offline bytemaster

Your argument is the same as someone accepting a 0 confirmation bitcoin transaction and claiming bitcoin suffers from double spend attacks.  Double spends on bitcoin are very real no matter how much you close your eyes and try to reason about merchant actions.     In other words, double spends are only POSSIBLE if both parties to the double spend behave irresponsibly.   Someone who behaves responsibly is protected.

This is different because the bitshares blockchain considers a transaction 'confirmed' at 1 confirmation. The code is littered with the is_confirmed flag and the RPC calls all return it - therefore the official line is that 1 confirmation is safe to spend, when this is not the case. Your definition of 'responsibly' is completely ad-hoc and at odds with reality.

We have defined a new metric for being confirmed and will be updating the GUI to reflect it. 

Offline monsterer

Your argument is the same as someone accepting a 0 confirmation bitcoin transaction and claiming bitcoin suffers from double spend attacks.  Double spends on bitcoin are very real no matter how much you close your eyes and try to reason about merchant actions.     In other words, double spends are only POSSIBLE if both parties to the double spend behave irresponsibly.   Someone who behaves responsibly is protected.

This is different because the bitshares blockchain considers a transaction 'confirmed' at 1 confirmation. The code is littered with the is_confirmed flag and the RPC calls all return it - therefore the official line is that 1 confirmation is safe to spend, when this is not the case. Your definition of 'responsibly' is completely ad-hoc and at odds with reality.
My opinions do not represent those of metaexchange unless explicitly stated.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline Troglodactyl

It's incorrect that the attack has no cost, since the attack is completely traceable and can only be attempted after building sufficient reputation to secure a witness position.

It's mostly incorrect that the attack allows double spending, since that is only effective if the victim takes irreversible action based on an alternate head block.

1. You are talking about a vapourware blockchain
2. The 'cost' you refer to is not relevant since the attacker may only plan one 24h attack and have no plans to collect further witness pay
3. Double spends are very real no matter how much you close your eyes and try to reason about merchant actions

The blockchain currently shows a transaction as confirmed at 1 confirmation; this is obviously insecure. I'm sure it will be corrected for 2.0.

edit: anyway, the point is, Nothing At Stake attacks will always be possible when block production costs nothing.
...and the cost of a Bitcoin 51% attack is irrelevant if there's nothing else you intend to do with all that hash power you've accumulated.

Offline bytemaster

It's incorrect that the attack has no cost, since the attack is completely traceable and can only be attempted after building sufficient reputation to secure a witness position.

It's mostly incorrect that the attack allows double spending, since that is only effective if the victim takes irreversible action based on an alternate head block.

1. You are talking about a vapourware blockchain
2. The 'cost' you refer to is not relevant since the attacker may only plan one 24h attack and have no plans to collect further witness pay
3. Double spends are very real no matter how much you close your eyes and try to reason about merchant actions

The blockchain currently shows a transaction as confirmed at 1 confirmation; this is obviously insecure. I'm sure it will be corrected for 2.0.

edit: anyway, the point is, Nothing At Stake attacks will always be possible when block production costs nothing.

Your argument is the same as someone accepting a 0 confirmation bitcoin transaction and claiming bitcoin suffers from double spend attacks.  Double spends on bitcoin are very real no matter how much you close your eyes and try to reason about merchant actions.     In other words, double spends are only POSSIBLE if both parties to the double spend behave irresponsibly.   Someone who behaves responsibly is protected.

Offline monsterer

It's incorrect that the attack has no cost, since the attack is completely traceable and can only be attempted after building sufficient reputation to secure a witness position.

It's mostly incorrect that the attack allows double spending, since that is only effective if the victim takes irreversible action based on an alternate head block.

1. You are talking about a vapourware blockchain
2. The 'cost' you refer to is not relevant since the attacker may only plan one 24h attack and have no plans to collect further witness pay
3. Double spends are very real no matter how much you close your eyes and try to reason about merchant actions

The blockchain currently shows a transaction as confirmed at 1 confirmation; this is obviously insecure. I'm sure it will be corrected for 2.0.

edit: anyway, the point is, Nothing At Stake attacks will always be possible when block production costs nothing.
« Last Edit: October 02, 2015, 07:02:08 pm by monsterer »

Offline Troglodactyl

You mean as you incorrectly suggested.  It's recommended that exchanges use the delayed node to prevent any risk from this, and the cost to the delegate is sacrificing his position and reputation by creating and distributing signed proof of his attempted fraud.  Attempted fraud with a very low chance of success if the target is using the system correctly.

Point out which bit was incorrect.
It's incorrect that the attack has no cost, since the attack is completely traceable and can only be attempted after building sufficient reputation to secure a witness position.

It's mostly incorrect that the attack allows double spending, since that is only effective if the victim takes irreversible action based on an alternate head block.
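
An added example, not part of any post in this thread and not BitShares code: the "signed proof of attempted fraud" and the 2/3 collusion threshold discussed above, modelled in Python as a check over observed block headers. The header layout (witness, slot, block id), the sample data and the assumption that signatures were already verified are constructed for this illustration.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample: (witness, slot, block_id) headers as seen by one node.
# Signature verification is assumed to have happened before this point.
OBSERVED = [
    ("w1", 100, "aa11"), ("w2", 101, "bb22"), ("w3", 102, "cc33"),
    ("w2", 101, "bb99"),  # w2 signed a second, different block for slot 101
    ("w1", 100, "aa11"),  # the same block relayed twice: not double signing
]


def find_double_signers(headers):
    """Map witness -> {slot: sorted block ids} for slots signed more than once."""
    seen = defaultdict(set)
    for witness, slot, bid in headers:
        seen[(witness, slot)].add(bid)
    evidence = defaultdict(dict)
    for (witness, slot), ids in seen.items():
        if len(ids) > 1:  # two distinct ids for one slot is the fraud proof
            evidence[witness][slot] = sorted(ids)
    return dict(evidence)


def assess(headers, active_witnesses):
    """Summarise the evidence against the 2/3 collusion threshold."""
    evidence = {w: slots for w, slots in find_double_signers(headers).items()
                if w in active_witnesses}
    share = Fraction(len(evidence), len(active_witnesses))
    return {
        "evidence": evidence,
        "colluding_share": share,
        # At 2/3 or more, the last irreversible block becomes ambiguous.
        "irreversibility_ambiguous": share >= Fraction(2, 3),
        # Below that, consensus is unaffected and stakeholders can vote them out.
        "vote_out": sorted(evidence),
    }


if __name__ == "__main__":
    report = assess(OBSERVED, ["w1", "w2", "w3"])
    for key, value in report.items():
        print(f"{key}: {value}")
```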

Offline monsterer

You mean as you incorrectly suggested.  It's recommended that exchanges use the delayed node to prevent any risk from this, and the cost to the delegate is sacrificing his position and reputation by creating and distributing signed proof of his attempted fraud.  Attempted fraud with a very low chance of success if the target is using the system correctly.

Point out which bit was incorrect.

Offline Troglodactyl

http://bitfury.com/content/4-white-papers-research/2-proof-of-stake-vs-proof-of-work/pos-vs-pow-1.0.2.pdf

they also have DPOS in there:

Quote
...delegated PoS solves the “nothing at stake” problem and prevents short range attacks on the system.

This is false, as I demonstrated in another thread - a bad block producer can use a race attack to perform a double spend by creating fake blocks at no cost, hence nothing at stake.

The whole paper is a bit tedious in my opinion; it doesn't really explore the key issues between POS and POW - i.e. whether either solve the 'byzantine generals problem', which is what all p2p currencies boil down to.
You mean as you incorrectly suggested.  It's recommended that exchanges use the delayed node to prevent any risk from this, and the cost to the delegate is sacrificing his position and reputation by creating and distributing signed proof of his attempted fraud.  Attempted fraud that will fail if the target is using the system correctly.
« Last Edit: October 02, 2015, 06:18:07 pm by Troglodactyl »

Offline monsterer

http://bitfury.com/content/4-white-papers-research/2-proof-of-stake-vs-proof-of-work/pos-vs-pow-1.0.2.pdf

they also have DPOS in there:

Quote
...delegated PoS solves the “nothing at stake” problem and prevents short range attacks on the system.

This is false, as I demonstrated in another thread - a bad block producer can use a race attack to perform a double spend by creating fake blocks at no cost, hence nothing at stake.

The whole paper is a bit tedious in my opinion; it doesn't really explore the key issues between POS and POW - i.e. whether either solve the 'byzantine generals problem', which is what all p2p currencies boil down to.

Offline xeroc

They are actually doing a good and fair job .. Much appreciated

disclaimer: have not yet read the WHOLE paper

Offline cass

 +5%

Quote
2.5 BitShares
BitShares is a polymorphic digital asset which can be used to create fungible assets pegged to particular markets (e.g., US dollars) [18]. It is similar to a colored coins system, with BitShares acting as an internal currency (like XCP for Counterparty). One of the innovative features of BitShares is its delegated proof of stake consensus algorithm. The founders of BitShares are now developing BitShares 2.0, an enterprise-grade financial smart contract platform utilizing several technologies from BitShares including DPoS.
Delegated proof of stake in BitShares relies on the concept of witnesses. Stakeholders can select an arbitrary number of witnesses to generate blocks. Each stakeholder has a number of votes equal to the amount of BitShares he possesses; votes can be distributed among witnesses in an arbitrary way. Besides witness candidates, a user also selects a number of witnesses he estimates is sufficient for decentralization. Naturally, a user cannot vote for more witnesses than he believes is necessary. After results of voting are tallied up, the top N witnesses are selected. N is defined as the minimal number satisfying at least 50% of stakeholders’ votes. Selected witnesses produce blocks every two seconds in turns. After each of N witnesses has had his turn, the list of witnesses is shuffled so that the order of block minters constantly changes.
Similar to witnesses, users of the system elect delegates, who have the privilege to change network parameters, including transaction fees, block sizes and intervals, as well as witness rewards. To make changes to the network protocol, delegates co-sign a special account (so-called genesis account). After the majority of delegates have approved a proposed change, stakeholders then have a two-week period when they can recall their delegates and cancel the changes. Unlike witnesses, delegates are not rewarded for their efforts.
« Last Edit: October 02, 2015, 11:29:04 am by cass »
█║▌║║█  - - -  The quieter you become, the more you are able to hear  - - -  █║▌║║█

Offline testz


Offline xeroc

http://bitfury.com/content/4-white-papers-research/2-proof-of-stake-vs-proof-of-work/pos-vs-pow-1.0.2.pdf

they also have DPOS in there:

Quote
...delegated PoS solves the “nothing at stake” problem and prevents short range attacks on the system.