[bitcoin-dev] Secure Proof Of Stake implementation on Bitcoin

ZmnSCPxj ZmnSCPxj at protonmail.com
Wed Jul 17 08:11:26 UTC 2019


Good morning Kenshiro,

> 4 - In any given block, only one staker gets the authorization to create that block, so other stakers can't spam the network with many different blocks as they are illegal. 

This leaves the consensus algorithm liable to stake-grinding attacks.
Often, the selection of the "single staker" for each block is based on some hashing of some number of the previous headers.

This allows the single staker to do some trivial grinding of the `R` of some signature of some transaction of some money from itself to itself.
This grinding is likely to change the hash of the current block.
Changing the hash of the current block is enough to change the hash that is used in the selection of the **next** single staker.
Note that the staker will of course only publish the version of that block that makes itself the **next** staker.

This is the well-known stake-grinding attack; did you not encounter it in your proof-of-stake research?
This is a basic objection to proof-of-stake, together with the nothing-at-stake.

Suppose the staker owns 49% of the staked funds.
It is now trivial for it to continuously grind so that it is again the next staker for the next block, as 49% of the time, it would be selected as the next staker.
Further, this is easily hideable, as the staker can simply run 100000 masternodes and split its funds to all of them, so that it becomes very non-obvious that there is in fact only one staker running the entire network.

(Did you consider how much energy such a staker would be willing to spend on grinding so that it remains the next staker forevermore?
In particular, the staker would be willing to spend energy up to the block reward in such grinding --- a property that proof-of-work has, and ***openly*** admits it has.)

In particular, this allows that one staker to impose any censorship it likes.
Thus, Bitcoin cannot support any kind of proof-of-stake that is vulnerable to this stake-grinding attack.

Regards,
ZmnSCPxj
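
A worked illustration of the grinding argument above, added here as an example and not part of the original mailing-list message. It models a toy proof-of-stake rule (an assumption: the next staker is chosen by hashing the previous block and mapping the digest onto the stake table), lets the block producer vary one free field (standing in for the signature `R` the email mentions) and measures how often a producer holding a given share of stake keeps the next slot. The chain of previous-block hashes and the stake table are constructed for the example. It also covers the "split across many masternodes" point: the grinder's share is spread over many identities and the retention rate is unchanged.

```python
import hashlib

# Toy model (constructed for this example): one staker is authorised per block,
# chosen by hashing the previous block and mapping the result onto the stake table.


def select_staker(prev_hash: bytes, stakes: dict) -> str:
    """Map H(prev block) onto [0, total_stake) and return the owner of that slot."""
    total = sum(stakes.values())
    point = int.from_bytes(hashlib.sha256(prev_hash).digest(), "big") % total
    acc = 0
    for name in sorted(stakes):  # fixed order so the mapping is deterministic
        acc += stakes[name]
        if point < acc:
            return name
    raise RuntimeError("unreachable: point is always below total")


def block_hash(prev_hash: bytes, staker: str, r: int) -> bytes:
    """Hash of a candidate block. `r` stands in for the signature R value that the
    block producer can vary freely without changing the block's meaning."""
    return hashlib.sha256(prev_hash + staker.encode() + r.to_bytes(8, "big")).digest()


def produce_block(prev_hash: bytes, staker: str, controlled: set, stakes: dict, max_tries: int):
    """Build a block as `staker`. With max_tries == 1 this is honest behaviour.
    With max_tries > 1 the producer grinds: it tries variants and publishes the
    first one whose hash selects an identity it controls as the next staker.
    Returns (block hash, whether the producer kept the next slot)."""
    for r in range(max_tries):
        h = block_hash(prev_hash, staker, r)
        if select_staker(h, stakes) in controlled:
            return h, True
    return block_hash(prev_hash, staker, 0), False


def make_stakes(grinder_fraction: float, identities: int = 1, total: int = 10_000) -> dict:
    """Constructed stake table: the grinder's share split evenly across `identities`
    names (the 'many masternodes' case), the remainder held by honest stakers."""
    grinder_total = int(grinder_fraction * total)
    stakes = {f"grinder{i}": grinder_total // identities for i in range(identities)}
    stakes["honest"] = total - sum(stakes.values())
    return stakes


def retention_rate(grinder_fraction: float, max_tries: int, identities: int = 1, rounds: int = 2000) -> float:
    """Fraction of blocks after which the grinder is again the next staker,
    measured over `rounds` independent constructed previous-block hashes."""
    stakes = make_stakes(grinder_fraction, identities)
    controlled = {name for name in stakes if name.startswith("grinder")}
    wins = 0
    for i in range(rounds):
        prev = hashlib.sha256(b"constructed-chain-" + i.to_bytes(4, "big")).digest()
        _, kept = produce_block(prev, "grinder0", controlled, stakes, max_tries)
        wins += kept
    return wins / rounds


def theoretical_retention(f: float, k: int) -> float:
    """P(at least one of k independent grinds selects the grinder) = 1 - (1 - f)^k."""
    return 1 - (1 - f) ** k


if __name__ == "__main__":
    for k in (1, 4, 16):
        print(f"tries={k:>2}  simulated={retention_rate(0.49, k):.3f}  "
              f"theory={theoretical_retention(0.49, k):.3f}")
    print(f"split across 100 identities (4 tries): {retention_rate(0.49, 4, identities=100):.3f}")
```

With one try (honest production) a 49% staker keeps the slot about 49% of the time; with four tries it is above 93% and with sixteen it is practically certain, and the figures are the same whether the stake sits under one name or a hundred. The property a defender should check for in any such design is therefore that no input to the staker selection can be varied by the party producing the block, which is exactly the property this rule lacks.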

