The Value of a Hybrid PoW/PoS Algorithm
Hello everyone, as you may already know, Zano utilizes a Hybrid PoW/PoS algorithm. Previously we’ve been talking about the PoW half of that system and why we chose that particular algo. You can read more about that decision in this post “Zano Proof of Work: Our motivation for using ProgPoW” and more about what we have done and plan to do with the PoS here. In this post, we’ll address a few common attack vectors and explain how Zano’s fork choice rule protects against them.
“Nothing at stake” Problem
Almost every PoS model has been criticized for not being resistant to the “Nothing at stake” problem. The idea of this attack is based on “Tragedy of the commons”[1]. Let’s assume we have a project with 1M coins emitted, and those coins are perfectly distributed between 10k holders with equal parts (100 coins for every holder). In this example every holder is participating in PoS mining, so every time block is created it is done so by one of the 10k holders.
The problem lies in the fact that no particular holder makes any additional cost/effort to mine an alternative subchain. The actual “nothing at stake” theory says that any potential PoS miner is motivated to mine every alternative chain he/she aware of, but we’ll review only a worst case of a planned attack enabled by this problem.
In this worst case scenario a PoS miner can be bribed to mine an alternative malicious chain (one performing a double spend for example). In case the malicious chain will take over the bribed holder only risks his stake (in the case of subsequential depreciation of coin value). According to “Tragedy of the Commons”, an average PoS miner is motivated by personal profit more than they care about the safety of the network. If his own profit (in the case where he wins a block) will be bigger than his potential loss (more than 100 coins), then the holder would be motivated to join the attack. From a theoretical perspective, this weakness seems to be a major issue for any PoS blockchain, but let’s review practical circumstances and compare them with pure PoW systems.
First, this method requires a perfect communication channel with the majority of PoS miners. Zano is an anonymous blockchain, which means there are no wallet addresses or other related information presented in blockchain. But we can assume that PoS miners want to be bribed and they will find a way to communicate with an attacker.
The example above describe unrealistic currency, with perfectly smooth distribution, which doesn’t exist in real life. It’s not always possible to read distribution from particular existing cryptocurrency, especially if it’s a privacy coin. However cryptocurrency, being a closed financial system, has the same pattern as global distribution of wealth[2](Figure 2), and crypto market behavior proves it.
As soon as currencies reflect this distribution pattern ( Bitcoin is not an exception here) we can assume that the majority of PoS miners are big holders which own relatively large stakes. This means that the amount of the theoretical bribe needed to convince them to join the attack is now way bigger. It’s hard to provide accurate numbers, because it depends on many factors such as the total amount of coins, total amount of holders, market price, emission curve, liquidity, etc, so let’s take Bitcoin as an example of the most scaled and adopted cryptocurrency.
The table above is taken from [3] and reflects current distribution of coins according to addresses present in blockchain.
Clarification*: Bitcoin addresses number and holders number are not equal, actually average bitcoin holder has multiple addresses mostly because of widely used hierarchical deterministic wallets, not to mention that a holder can control a few wallets. So the real picture is way more centralized, but to be accurate and to avoid accusation of speculation let’s stick to reliable facts.
Clarification**: Some of the addresses belong to exchanges and may represent different holders behind exchange infrastructure, but from PoS model’s perspective it has no difference, since it has the right to verify history according to it’s balance.
It’s clearly seen that majority of the coins are controlled by big holders, so an attacker, to motivate at least 51% of PoS mining power by bribe according to this table would need to reach at least the holders of wallets with 1000–10000 BTC value, which means that the bribe should be at least 1000 BTC.
Now, let’s compare this with PoW situation: a Bitcoin block reward at this moment is 12.5 BTC, talking rough mining of 6 blocks should cost 75 BTC(in terms of hashpower). These days hashrates are simply rented in open markets, so an attacker has a choice: he/she can bribe pool with lets say 100BTC (amount sufficiently higher 75 BTC) to perform the mining of alternative malicious chain, or just rent the needed hashrate to perform the needed attack; the cost would be nearly the same. We don’t take into account any moral concerns, since “Tragedy of Commons” works with PoW miners in the same way as PoS. It’s a matter of profit, so the cost of that attack 10 times cheaper then attack for PoS powered blockchain.
Bitcoin itself is a questionable example for many reasons (it’s hard to find extra hashrate for such a big player, hard to bribe asic miners, etc). It had been used here just to represent how a PoW model is similar to PoS model in terms of bribing and, from this perspective, even weaker.
Also, this example does not take into account that, for minor holders, PoS mining is not profitable due to the low probability of finding a block against electricity costs, so in reality most of PoS power is delivered by major holders, which makes an attack even harder according to calculation above.
These conclusions are correct for a pure PoS system, but an attack would be even harder on Zano because even if the attacker bribed 90% of PoS miners, he/she still need at least 18% of PoW power to perform a takeover with an alternative chain.
In summary, it’s important to point out that this kind of attack is purely theoretical. We haven’t seen any evidence of it being performed so far, however it’s a subject for future research and improvements.
“Long Range” Attack Resistance
A well known problem of the PoS consensus model is something called a “long range attack”. The idea is that for a potential attacker it is theoretically quite easy and cheap to get private keys from old wallets. This is done by buying them from ex-holders who have already sold their stake and don’t have an interest in continued network safety. The attacker would then use these keys to generate an alternative chain from a far point in past and at nearly no cost, making this alternative chain weight and length as powerful as needed to takeover the net.
With Zano we protect against this by using a special fork choosing function which prevents this style of attack by implementing specific requirements to the PoW/PoS power balance in an alternative chain.
As an example, if the theoretical attacker was able to get 90% of PoS power at some point in the past, according to the fork choice formula he/she would still need to have at least 18% of PoW hashrate.
The middle of this graph curve represents a 50% PoS/50% PoW equilibrium. In this example, all existing coins are involved in mining, so if an attacker got 90% of the wallets he would still need to have at least 18% of hashing power. If the PoS power only consist of 80% emitted coins, then attack gets even harder. An attacker would need to have at least 20% of PoW. We can see that even in the worst and practically impossible case, when all PoS coins are being used for mining, and attacker somehow got access to all the private keys in the past, he would still need at least 17% of PoW during the entire long range attack, which means the cost of attack would an order of magnitude more challenging than typical 51% attack of pure PoW.