If used as advertised, with anyone selecting their own validator list, it fails to reach consensus under non-pathological cases. It basically only works if you have a common list of validators that everyone uses[1], as has been recently demonstrated on Stellar[2] (a fork of Ripple). That would mean there’d be a handful of known servers around the world which together control the ledger. That may be useful in some contexts, but it is absolutely not a comparable solution to bitcoin.
[1] https://forum.ripple.com/viewtopic.php?f=2&t=7801&sid=b12325e49ace885697ed5448201824f1
[2] https://www.stellar.org/blog/safety_liveness_and_fault_tolerance_consensus_choice/
Thanks for the info, two more questions:
Is NXT’s Transparent Forging vulnerable to attacks by old private keys in the way that normal PoS is? Or does one have to control 51% of the current forging stake in order to attack it? If this is not vulnerable, then getting control of 1% of the stake seems as hard as controlling 51% of bitcoin hash power, and the person controlling this stake would not wish to harm their own stake. (The risk in the attack is if one can sell coins and then still attack).
Is Bitshares’ DPoS vulnerable to such attacks? It seems that in order to attack the network you would need to compromise 51 out of 101 delegates, who produce the blocks. The delegates are voted on by shareholders, and you can vote again at any time. So if someone held stake, used it to vote in delegates that would attack the network, and sold their stake, the new buyer could vote in different delegates right away (if they were paying attention).
I suppose that you could social engineer your way into a position to attack by building a reputation and then getting 51 delegates elected without people realizing they were all part of the attacking group. Is it harder to fool everyone, or to get 51% of mining hash power?
As long as these systems are at least ‘almost’ as hard to attack as bitcoin, then they seem useful as a low cost alternative for applications where absolute security is not required. That is, maybe you aren’t trying to be the ultimate store of value like Bitcoin is. For many applications, high security at a low cost would be a better choice than perfect security at a high cost.
Or you can just buy / steal the private keys to coins that have already been spent, and then simulate alternate histories.
The trouble with these schemes is that it is quite easy to make them more difficult to review, without actually adding any security. In both cases I saw early versions that were criticized for being entirely insecure, then there were some iterations that added no security, until it got complex and the people involved learned to not provide free consulting, which I won’t do here either: the objections to proof of stake schemes are general. It can be shown that any proof of stake scheme must be broken by simulation. It’s just a matter of showing what the necessary procedure is for a given scheme, which can be made arbitrarily difficult to review. One of the guys I work with quipped that this is “cryptographic security against review.” That shouldn’t be mistaken for actual security.
There are general results showing that the security being advertised is not possible, in the perpetual motion sense. It’s a waste of time for credible people to spend their time disproving perpetual motion machines, particularly when their proponents can make them arbitrarily difficult to review. Do not mistake a lack of review for an indication of security.