[bitcoin-dev] Secure Proof Of Stake implementation on Bitcoin

Kenshiro [] tensiam at hotmail.com
Sat Jul 20 10:37:17 UTC 2019


Hi all,

>>> For example, if you are capable of disrupting a coin such that its value is very likely to drop, you can buy short options as leverage.
Suppose you hold a large stake of coins and know you control a significant fraction, enough that a censorship attack by you will be so disruptive that the coin price will drop.
You take out a short contract with the contract price at the "hopium" level others have (say 10% higher), buying enough options that you can cover the current price of your owned stake, plus some more options.
Suppose you buy a number of options equal to twice your stake.

Thank you for the explanation, I understand it now. But what percent of BTC trades are short options? If everyone is doing short options, the attack is very dangerous as you say, but if only a small percent of trades is done in short options, then it's not a big problem.

And this type of attack could also be done in PoW by evil miners. It's only one step more, they have to purchase a lot of BTC before the attack, buy many short options and execute the attack. Purchasing 50% of BTC is a problem because of the price, but that's the same for PoW or PoS.

>>> Let's suppose there are two big whales in your coin.
Each of them owns 50% of the total staked value.
Let's say "wait many blocks" parameter is 100 blocks.

>>> One whale puts all his coin in a single UTXO.
The other has distributed his stake in 100,000 different UTXOs.

I think there is a misunderstanding here, you forgot to divide the 50% staking weight of the evil whale by 100.000.

Yes, 50% of coins split in 100.000 addresses gives you the same staking weight per address as a small honest staker with 0,0005% of the coins, all together in a single address. Yes, you still have 100.000 addresses, so you win against the honest staker with 0,0005% of the coins, but you lose against the honest staker with 0,0006% of the coins.

Splitting the coins in many addresses transforms the whales into little fishes, that's the greatness of this method.

>>> Now suppose the one with the 99% control performs a censorship attack.
After a week (1008 blocks) the community rallies and hardforks, burning the UTXOs that performed censorship.
However, only about 998 UTXOs of the censoring staker are known (from the 99% of blocks it generated in that period), which is less than 1% of the 100,000 UTXOs he actually owns, and thus still controls a significant stake even past the hardfork, letting it perform further censorship attacks.

It's the same as above, you can't split your coins in many addresses without becoming a little fish, so this is not a problem. Even so, it's true that having 99% of the coins he could do several consecutive attacks, using 51% of the total number of coins in each attack, but they are burned again and again and the rest of the people become very happy as their coins multiply their value in each hard fork. The price could temporarily go down during the attacks, but in the end it will recover.

>>> We already know that miners are setting up mines at locations where energy is being wasted (e.g. oil well gas flares, putting up solar panels instead of just letting sunshine pointlessly heat up their roofs, etc.), and channeling the wasted energy into productive activity.

I'm sure a big percent of mining will be done in this way, but if there is still dirty energy like nuclear energy or others, it is because we can't get all the energy we need from clean sources (and that's excluding bitcoin mining). So even being very optimistic about bitcoin mining, it will steal clean energy sources from other human needs, which will make us keep using dirty energy. So PoW makes us use dirty energy sources in a direct or indirect way.

>>> Thus, adding more rules is rarely the optimal thing to do.

Proof of Stake is more complex than PoW, so you need to add a few more rules. Of course the rules must be well designed and tested, but as I explained above there is no problem with the extra rule of giving a great increase in staking weight to coins together in a single UTXO, because there is a wait time for each staking deposit.

Regards,


________________________________
From: ZmnSCPxj <ZmnSCPxj at protonmail.com>
Sent: Saturday, July 20, 2019 2:45
To: Kenshiro []
Cc: Eric Voskuil; Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Secure Proof Of Stake implementation on Bitcoin

Good morning Kenshiro,

> >>> I already told you that it is always possible to get around this: leverage by use of short options.
> Short the coin to attack, then perform your attack by censorship.
> Coin value will drop due to reduced utility of the coin, then you reap the rewards of the short option you prepared beforehand.
> By this, you can steal the entire marketcap of the coin.
>
> >>> Then you still have the economic power (plus what you managed to steal), which you can then use to take over another proof-of-stake coin, regardless of whether it uses the same proof-of-stake algorithm or not.
>
> My trading level is very basic and I don't understand this attack

A short option is an option to force another party to buy an asset at a set price (the contract price) on a future date.
In order to get that option, you first pay that party today, a fee called "premium" (usually a small fraction of the contract price).

The effect is that, at that future date, if the asset is ***lower*** in price than the contract price, you earn by buying it at the market price, then force the party to buy it at the contract price, earning the difference.
The other party, in order to mitigate its loss, then sells the asset back to the market at market price.
(in practice, nobody goes through the rigmarole of buying, forcing the trade, then selling, instead the other party just outright gives you the difference in contract price vs market price).

However, if at that future date, the asset is ***higher*** in price than the contract price, there is no rational reason for you to buy it at market price, then force the other party to buy at the contract price, as you would lose money.
As this is an option for you, not an obligation, you can simply ignore the option and not take it.
However, do note that you did pay the premium when you bought the option, so you lose out on that.

Short options are often used by producers of a good in order to hedge their losses, i.e. insurance against changes in market price.
For example, a farmer might purchase such an option, with a maturity date at the harvest season, for the price of wheat.
The farmer would buy an option whose contract price is the price at the threshold of profitability, i.e. if the price falls below the contract price the farmer would lose money relative to their investment.
If the price of wheat drops below the contract price, the farmer earns from the short option, reducing the impact of the low price.
If the price of wheat is above the contract price, the farmer still earns from sale of the wheat, and only loses on the (comparatively small) premium of the option.

A short option can be leveraged by those with inside knowledge as an economic attack.
For example, if you are capable of disrupting a coin such that its value is very likely to drop, you can buy short options as leverage.
Suppose you hold a large stake of coins and know you control a significant fraction, enough that a censorship attack by you will be so disruptive that the coin price will drop.
You take out a short contract with the contract price at the "hopium" level others have (say 10% higher), buying enough options that you can cover the current price of your owned stake, plus some more options.
Suppose you buy a number of options equal to twice your stake.

Then you attack the coin, dropping its price by 90% instead of the expected 10% price increase, earning the difference from the short option, about equal to the price of the coin.
Since you bought twice the number of options as your stake, you get about twice the value of your stake in earnings from the short option.
You have recouped the cost of your stake and would not care if it was burned, and now are holding twice the value of your original stake in a different asset, probably fiat.
You then move on and attack the next coin.

The only protection against this is to make sure that block generators cannot feasibly attack the coin, such as by proof-of-work.
Short options are much too useful otherwise to the block generators, as it allows them to hedge against drops in market price, and keeps them operating rather than reducing the security of the coin, thus short options will inevitably arise.

> >>> But your proposal of being non-linear on the size of the stake means that if you have 51% of the coins, if you put them in a single stake UTXO you potentially get 99.999% of the blocks, which is ***much worse***.
>
> Not at all, I forgot to tell you that in modern PoS protocols like PoS v3.0 staking deposits have to wait many blocks after creating a block to be able to create another block.
>
> With my additional rule every staker is incentivized to put their staking deposit in a single address to avoid a strong penalty in their staking weight, and having their coins together they can't avoid the wait time with the "stake in many addresses" trick 🙂

*facepalm*

Let's suppose there are two big whales in your coin.
Each of them owns 50% of the total staked value.
Let's say "wait many blocks" parameter is 100 blocks.

One whale puts all his coin in a single UTXO.
The other has distributed his stake in 100,000 different UTXOs.

The honest single-UTXO whale gets a block, because his stake dominates over all others.
Then he gets banned from signing blocks for 100 blocks.
During this ban, the other whale gets every block, as his only competitor is banned.
In addition, banning one of its 100,000 UTXOs is not much reducing his effective stake-weight.
So the honest single-UTXO whale gets 1 block (and its rewards) while the one who distributed his coins to 100,000 different UTXOs gets 100 blocks.

You have just let someone who could *just barely* 51% attack without those rules, 99% attack *with* those rules.

If you had added neither of the two new rules "non-linear stake weights" and "ban for many blocks", you would have gotten both of them at 50% control only, which while concerning, is not as bad as a 99% attack.

Now suppose the one with the 99% control performs a censorship attack.
After a week (1008 blocks) the community rallies and hardforks, burning the UTXOs that performed censorship.
However, only about 998 UTXOs of the censoring staker are known (from the 99% of blocks it generated in that period), which is less than 1% of the 100,000 UTXOs he actually owns, and thus still controls a significant stake even past the hardfork, letting it perform further censorship attacks.

You should stop adding even more rules at this point.

An experienced engineer will stop at this point, delete all his or her files related to the current design (or move them to some archive space, some engineers are compulsive archivists), then regenerate the design from principles up.

A rule-of-thumb in any security design is that, when you add something to protect against some attack, you probably just added an attack vector that is the inverse of the attack you were protecting against.
Thus, adding more rules is rarely the optimal thing to do.

You added two rules, one fixing the original attack (splitting your stake) but inviting the opposite attack (merging your stake), then added another rule to fix the second attack (merging your stake), bringing back the original attack (splitting your stake), except worse.
This is the other rule-of-thumb in any design: adding more things usually just makes things worse.

>
> >>> We hope to see you back soon after having learned your lesson.
>
> Thx 🙂

You are welcome.

>
> Just an additional question: do you have an estimation of the energy waste of PoW if Bitcoin price rises a lot, like one million dollars or more? Because if it's proportional to the price, it could be like 100 times the current energy waste.

Yes.

0.

This is because we expect market forces to move miners towards efficiency, thus they will not waste energy, only spend exactly enough to maintain the security of the coin.

We already know that miners are setting up mines at locations where energy is being wasted (e.g. oil well gas flares, putting up solar panels instead of just letting sunshine pointlessly heat up their roofs, etc.), and channeling the wasted energy into productive activity.
This is the opposite of becoming more energy-wasteful.
Thus does the invisible hand of the free market abide.



Regards,
ZmnSCPxj
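
Added example (not part of either message, and not code from any proof-of-stake implementation): a toy Python model of the two-whale scenario above, for checking how the "non-linear stake weight" and "wait many blocks" rules interact. The selection rule is an assumption of this example: the heaviest eligible UTXO always signs, and ties go to the UTXO that has been idle longest; `simulate`, its parameters and the squared weight are hypothetical names and choices.

```python
# Added example: toy model of the two-whale scenario; not code from any coin.
# ASSUMPTIONS (not from the thread): weight = amount**2 stands in for the
# "non-linear stake weight" rule; the heaviest eligible UTXO always signs
# (limiting case of one stake dominating); ties go to the longest-idle UTXO.
import heapq

TOTAL_SPLIT_UTXOS = 100_000   # figure used in the thread
EXPONENT = 2                  # assumed non-linearity

def simulate(blocks=1008, cooldown=100, split=TOTAL_SPLIT_UTXOS):
    """Return (single_utxo_blocks, splitter_blocks, distinct_splitter_utxos)."""
    single_w = 50.0 ** EXPONENT              # one UTXO holding 50% of the stake
    split_w = (50.0 / split) ** EXPONENT     # each of `split` equal UTXOs
    single_ready = 0                         # height at which it may sign again
    # Splitter's UTXOs as a min-heap of (ready_height, utxo_id): the top entry
    # is always the eligible UTXO that has waited longest.
    pool = [(0, i) for i in range(split)]
    heapq.heapify(pool)
    single = splitter = 0
    seen = set()                             # splitter UTXOs revealed on-chain
    for height in range(blocks):
        single_ok = single_ready <= height
        split_ok = pool[0][0] <= height
        if single_ok and (not split_ok or single_w >= split_w):
            single += 1
            single_ready = height + 1 + cooldown   # banned for `cooldown` blocks
        elif split_ok:
            _, uid = heapq.heappop(pool)
            splitter += 1
            seen.add(uid)
            heapq.heappush(pool, (height + 1 + cooldown, uid))
        # else: nobody is eligible at this height, so it is skipped
    return single, splitter, len(seen)

if __name__ == "__main__":
    for cd in (0, 100):
        s, a, known = simulate(cooldown=cd)
        print(f"cooldown={cd}: single-UTXO whale {s} blocks, splitter {a} "
              f"blocks, {known / TOTAL_SPLIT_UTXOS:.3%} of splitter UTXOs known")
```

With `cooldown=0` the merged stake signs every block; with `cooldown=100` the split stake signs all but one block in every 101, which is the 1-versus-100 and 998-of-1008 arithmetic in the message above.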
