Proof of Stake の Stake Grinding 攻撃とは?

  • このエントリーをはてなブックマークに追加

Proof of Stake の Stake Grinding 攻撃について

stake grinding

Quote from:
Altcoin – Bitcoin

There are also “stake grinding” attacks which require a trivial amount of currency. In a stake[2] grinding attack, the attacker has a small amount of stake and goes through the history of the blockchain and finds places where their stake wins a block. In order to consecutively win, they modify the next block header until some stake they own wins once again. This attack requires a bit of computation, but definately isn’t impractical.

Because these attacks exists, including Peercoin[3] and Blackcoin[4] proof of stake cryptocurrencies have “master” public keys that control the blockchain.

This class of cryptocurrency is either insecure or centralized, however proof of stake (based on a PoW currency) is useful in some systems because gaining stake is costly, but it isn’t workable for bootstrapping distributed consensus.

Ethereum: Proof of Stake FAQ

Peercoin Talk

Pillow’s Peercoin Myths

Version 1 of the myth: Using only a limited amount of coin age, the blockchain history can be re-written by grinding through the probabilities involved in creating the longest blockchain. As long as there is only a little coin age left, it is possible to create one more block. This makes Proof-of-Work arbitrator in Peercoin.

ppcoin – stake burn-through vulnerability

NXT Forum

NXT stake-grinding attack?

Stake grinding was a technique based around PoS currencies which used coin age, which nxt never was. BCnext originally was going to use coin age, but was dissuaded to do so by cunicula if I remember my history correctly.

blog by Paul Sztorc

Nothing is Cheaper than Proof of Work | Truthcoin: Making Cheap Talk Expensive

When applied to naive proof of stake (PoS), this principle implied the attack-phenomenon known as “stake grinding”, a version of PoW (“attempting multiple-block chain-histories until you found a history which granted you the coins”) that was markedly less-cumulative. Because the cumulative work wasn’t measured (as it is with Bitcoin’s “difficulty”), it wouldn’t be readily obvious that “total work” = “total expected value of the blockreward”.


[Debunked] Stake grinding (bitcoin wiki is wrong)



  • proof-of-stake
  • プルーフオブステーク
  • このエントリーをはてなブックマークに追加