On Stake Grinding Attacks in Proof of Stake
“Stake grinding” is a class of attack where a validator performs some computation or takes some other step to try to bias the randomness in their own favor.
1. In Peercoin, a validator could “grind” through many combinations of parameters and find favorable parameters that would increase the probability of their coins generating a valid block.
2. In one now-defunct implementation, the randomness for block N+1 was dependent on the signature of block N. This allowed a validator to repeatedly produce new signatures until they found one that allowed them to get the next block, thereby seizing control of the system forever.
3. In NXT, the randomness for block N+1 is dependent on the validator that creates block N. This allows a validator to manipulate the randomness by simply skipping an opportunity to create a block. This carries an opportunity cost equal to the block reward, but sometimes the new random seed would give the validator an above-average number of blocks over the next few dozen blocks. See here for a more detailed analysis.
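The second case above (next-block randomness derived from the previous block's signature) can be quantified with a toy simulation. This is an added example, not code from any of the quoted sources or from any real chain: it models a memoryless lottery in which a validator holding a fraction `stake` of coins wins block N+1 when the seed derived from block N's signature falls below `stake`, and compares a malleable signature scheme (the signer can produce many valid signatures and keep the best) against a deterministic one (one signature per key and message, so re-signing buys nothing). The function names and the 64-bit seed mapping are assumptions of this model.

```python
import hashlib
import random

# Constructed toy model, not any real protocol. Block N+1's seed is
# sha256(signature of block N), read as a number in [0, 1); a validator
# with share `stake` of all coins wins block N+1 when seed < stake.

def seed_from_signature(sig: bytes) -> float:
    """Map signature bytes to a uniform-looking value in [0, 1)."""
    digest = hashlib.sha256(sig).digest()
    return int.from_bytes(digest[:8], "big") / 2 ** 64

def expected_grinder_rate(stake: float, tries: int) -> float:
    """Closed form: P(at least one of `tries` independent draws wins)."""
    return 1 - (1 - stake) ** tries

def simulate_win_rate(stake: float, tries: int, rounds: int,
                      malleable: bool, rng_seed: int = 0) -> float:
    """Fraction of rounds in which the validator wins the next block.

    malleable=True : the scheme yields `tries` distinct valid signatures
                     for the same block, so the signer keeps the one whose
                     derived seed it wins (stake grinding).
    malleable=False: the scheme is deterministic, so every re-signing
                     returns the same bytes and extra tries change nothing.
    """
    rng = random.Random(rng_seed)
    won = 0
    for _ in range(rounds):
        # The one signature an honest (or deterministic) signer would emit.
        honest_sig = rng.getrandbits(256).to_bytes(32, "big")
        candidates = [honest_sig]
        if malleable:
            candidates += [rng.getrandbits(256).to_bytes(32, "big")
                           for _ in range(tries - 1)]
        if any(seed_from_signature(c) < stake for c in candidates):
            won += 1
    return won / rounds

if __name__ == "__main__":
    for tries in (1, 10, 50):
        print(f"tries={tries:3d}  grinding={simulate_win_rate(0.05, tries, 20000, True):.3f}"
              f"  closed-form={expected_grinder_rate(0.05, tries):.3f}"
              f"  deterministic={simulate_win_rate(0.05, tries, 20000, False):.3f}")
```

With 5% stake and 50 signature candidates per block the grinder's next-block win rate rises from about 0.05 to about 0.92, which is why a seed must not depend on any value the proposer can cheaply vary.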
Altcoin – Bitcoin
>There are also “stake grinding” attacks which require a trivial amount of currency. In a stake grinding attack, the attacker has a small amount of stake and goes through the history of the blockchain and finds places where their stake wins a block. In order to consecutively win, they modify the next block header until some stake they own wins once again. This attack requires a bit of computation, but definitely isn’t impractical.
>Because these attacks exist, proof of stake cryptocurrencies including Peercoin and Blackcoin have “master” public keys that control the blockchain.
>This class of cryptocurrency is either insecure or centralized, however proof of stake (based on a PoW currency) is useful in some systems because gaining stake is costly, but it isn’t workable for bootstrapping distributed consensus.
>Version 1 of the myth: Using only a limited amount of coin age, the blockchain history can be re-written by grinding through the probabilities involved in creating the longest blockchain. As long as there is only a little coin age left, it is possible to create one more block. This makes Proof-of-Work the arbitrator in Peercoin.
ppcoin – stake burn-through vulnerability
Stake grinding was a technique based around PoS currencies which used coin age, which nxt never was. BCnext originally was going to use coin age, but was dissuaded from doing so by cunicula if I remember my history correctly.
blog by Paul Sztorc
>When applied to naive proof of stake (PoS), this principle implied the attack-phenomenon known as “stake grinding”, a version of PoW (“attempting multiple-block chain-histories until you found a history which granted you the coins”) that was markedly less-cumulative. Because the cumulative work wasn’t measured (as it is with Bitcoin’s “difficulty”), it wouldn’t be readily obvious that “total work” = “total expected value of the blockreward”.
- PoW: Proof of Work
- PoS: Proof of Stake