How does Cardano defend against this? (long range attack scenario)

Hi,

can somebody please tell me how Cardano defends against exactly the following long range attack scenario:

Please correct me if I’m wrong, but I saw in the videos of IOHK and in the whitepapers that they always assume within the security proofs of their protocols that an honest party stays honest for the whole time, which is simply not the case in the real world. Just watch the Cardano whiteboard of IOHK; there you can clearly see that they assume that within their proofs. Let’s assume 60% are honest and are not creating two blocks or more at one timeslot (nothing-at-stake), then after some amount of time exactly those 60% decide now to unstake and exchange all their coins for fiat. Now these 60% are highly incentivized to create a fork in the past (double-spend), which is the natural thing to do for those parties, and they will succeed (60%). Now all security proofs of those whiteboard vids are basically void, because they did not take basic token-economics into account. Ethereum’s Casper does solve this via slashing and Cardano’s Ouroboros does nothing about that from what I saw.

I’m not 100% sure what you are talking about.
But do you say that if 60% of all smaller (home) pool operators close down the shop then there are only the big pools left, like Binance, Kraken, Coinbase etc.? And then they can “change the rules”, so to speak?

If you are not honest and the system sees that then you lose the money when running a pool.
Since English is not my first language I can’t explain it better than that.


I’m no expert on the protocol, far from it, but I believe that a problem with your scenario is that you don’t distinguish between pool operators and delegators. Maybe, if you rethought and rewrote it making that distinction clear, then it would be easier to see if this is a real problem or not.


I have no idea why the mods here move questions from the right place into the wrong forum. It is a consensus question and was in the right forum and mods decided to move it. Can you please stop doing that and move it again where it belongs…? @adatainment @rdlrt

Nobody would do that deliberately. Of course opinions about most suitable category can differ. Looks like that’s the case here.


Lets assume 60% are honest […] then after some amount of time exactly those 60% decide now to unstake and exchange all their coins for fiat. Now these 60% are highly incentiviced to create a fork in the past…

There’s something odd in your argument. If someone has control over more than 51% of the stake then a 51% attack is possible. Why does he/she have to sell 60% of the stake, destroying the investment?
Ad absurdum, suppose we want to do what you’re saying without pursuing a 51% attack. Ouroboros Genesis introduced the “plenitude rule” to overcome the bootstrapping problem: https://eprint.iacr.org/2018/378.pdf
Even if we join the network again, now without the 60% of the stake we sold, we have to select the densest chain as the main one. In addition, Ouroboros Praos introduced key evolving signatures (KES) to avoid “back corruption attacks”: https://eprint.iacr.org/2017/573.pdf. So, we can’t fork the blockchain in the past as we like it.

Further explanations:
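To make the “densest chain” part of the reply above concrete, here is a toy model of the Ouroboros Genesis chain-selection rule (maxvalid-bg, from the 2018/378 paper). This is an added example written for this thread, not Cardano or IOHK code: blocks are reduced to a slot number plus an identifier that stands in for the block hash, the parameters k and s are tiny so the runs stay readable, and the two competing chains are constructed by hand.

```python
"""Toy model of the Ouroboros Genesis chain-selection rule (maxvalid-bg).

Added example for this thread, not Cardano or IOHK code. A block is reduced to
(slot, identifier), the identifier standing in for the block hash, and the
parameters k and s are tiny so the constructed runs below stay readable.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Block:
    slot: int    # slot the block was minted in; strictly increasing along a chain
    ident: str   # stands in for the block hash


Chain = List[Block]
GENESIS = Block(0, "genesis")


def common_prefix_len(a: Chain, b: Chain) -> int:
    """Number of leading blocks the two chains share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def blocks_in_window(chain: Chain, fork_slot: int, s: int) -> int:
    """Blocks minted in the s slots right after the fork, i.e. slots (fork_slot, fork_slot + s]."""
    return sum(1 for b in chain if fork_slot < b.slot <= fork_slot + s)


def longest_chain(local: Chain, candidates: Sequence[Chain]) -> Chain:
    """Plain longest-chain rule, shown for contrast (ties keep the local chain)."""
    best = local
    for cand in candidates:
        if len(cand) > len(best):
            best = cand
    return best


def maxvalid_bg(local: Chain, candidates: Sequence[Chain], k: int, s: int) -> Chain:
    """Genesis rule: a fork at most k blocks deep is settled by length, a deeper
    fork by block density in the s slots after the fork point, not by total length."""
    best = local
    for cand in candidates:
        p = common_prefix_len(best, cand)
        if p == 0:
            continue  # different genesis block: not a candidate at all
        fork_depth = len(best) - p
        if fork_depth <= k:
            if len(cand) > len(best):
                best = cand
        else:
            fork_slot = best[p - 1].slot
            if blocks_in_window(cand, fork_slot, s) > blocks_in_window(best, fork_slot, s):
                best = cand
    return best


def extend(prefix: Chain, slots: Sequence[int], tag: str) -> Chain:
    """Append one block per slot, tagged so honest and adversarial blocks differ."""
    return prefix + [Block(sl, f"{tag}{sl}") for sl in slots]


# Constructed scenario: k = 3, s = 10. Honest parties mint in roughly 2 of every 3 slots.
K, S = 3, 10
TRUNK = extend([GENESIS], [1, 2, 3, 4, 5], "h")
HONEST = extend(TRUNK, [6, 7, 9, 10, 12, 13, 15, 16, 18, 20, 22, 24], "h")


def deep_fork_attack() -> Tuple[bool, bool]:
    """An attacker forks at slot 5 long after the fact, fills few slots right after
    the fork, then pads the chain until it is longer than the honest one.
    Returns (attack wins under longest-chain, attack wins under maxvalid-bg)."""
    attack = extend(TRUNK, [8, 11, 14] + list(range(17, 30)), "a")
    assert len(attack) > len(HONEST)  # 22 blocks vs 18: longer, but sparse after the fork
    wins_longest = longest_chain(HONEST, [attack]) == attack
    wins_genesis = maxvalid_bg(HONEST, [attack], K, S) == attack
    return wins_longest, wins_genesis


def shallow_fork() -> bool:
    """A rival that forks only two blocks back and is one block longer is adopted,
    exactly as under the longest-chain rule."""
    rival = extend(HONEST[:-2], [21, 23, 25], "r")
    return maxvalid_bg(HONEST, [rival], K, S) == rival


if __name__ == "__main__":
    print("deep fork: (longest-chain adopts attack, genesis adopts attack) =", deep_fork_attack())
    print("shallow fork adopted:", shallow_fork())
```

The deep-fork run is the interesting one: the attacker’s chain is longer, so a pure longest-chain rule would adopt it, while maxvalid-bg only looks at the 10 slots after the fork point (7 honest blocks against 3) and keeps the honest chain. Whether a real attacker can fill those slots densely is exactly the question the thread is arguing about; the rule itself does not settle it.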

I think the biggest problem with your argument is that if 60% of people (the honest ones) sell their coins at exactly the same time (which seems incredibly unlikely to begin with) then other people have to buy them. Who is to say what the intentions are of the new people? I would presume the new people would be motivated to have an honest chain and protect their investment. Why would the 60% sell in the first place? If the dishonest ones try to buy the honest ones out prices will quickly rise and make that unprofitable. The remaining honest people could always fork the code and create “Honest Cardano”. This just happened when Justin Sun tried to take over Steemit and the community forked and created Hive.

You both misunderstood my post. You do not destroy your investment, please read again.

Wouldn’t the 60% need to coordinate with each other to pull off this double spend caper? Also the 60% still need to simultaneously try to sell their coins for fiat which would cause the price to crater.

I found some docs from Cardano where they say that nodes, I think in Praos, do not accept blocks which are older than X, but like that you cannot bootstrap from genesis. But then they developed another solution (I think Genesis) with which you can bootstrap from genesis. But Praos and Genesis would not prevent the attack from the OP.

As mentioned after selling they are highly incentivized to do the attack.

In Praos you would not accept the forked chain if you were online all the time, but if you bootstrap from genesis you would have to trust somebody telling you this is the valid chain, which would deviate hard from Proof of Work, and they could not make the argument anymore that PoS is the same but more clean…

In regards to Genesis I have to do more research but I think from what I’ve seen it does not prevent the attack.

From what I’ve seen about Genesis is that in Genesis the block density after the fork would have to be higher on the current chain (not the forked chain) to be adopted as the valid chain. Idk, this seems to be pretty weak to me if you take these token economics into consideration, and the participation of the stakers would have to be always pretty high within k after the fork.

In PoW you have to put a ton of skin in the game to perform a long-range attack and in PoS it seems like that is the natural thing to do for some parties, which is kind of dangerous. Is Cardano open to the thought of adopting slashing?

By the way how big is k within Genesis?

The “nothing at stake problem” is not relevant in Ouroboros, each slot has a preassigned slot leader (through randomness created in a whole epoch).

Every node can easily verify that the block was created according to the blockchain rules (like the right genesis, not having double-spends…) and was produced by a valid slot leader.


Sorry, the only reason I’m moving a thread is that I think it’s in the wrong place or it gets more visibility from another category. Okay, I have to admit this time @rdlrt and I had different views about the right category and worked against each other :grinning:. That was not intentional, of course.


If that were the case you’d not need to write proofs. No, you can issue two blocks as a slot leader and AFAIU slot leaders can therefore change at the fork at the next epochs.

I think it is hard to discuss these things in “one-liners”. Unfortunately, you have to understand that we see such postings very often on Twitter, in the forum and in Reddit that claim something in one or two lines.

So, I recommend reading this paper about common attacks and why they do not affect Ouroboros: https://eprint.iacr.org/2016/889.pdf

Many people have already given it a lot of thought. It addresses double-spending attacks, the nothing-at-stake problem, long-range attacks and others as well, in a scientific manner.

If you have any criticisms afterwards and you formulate them very well, I’m happy to try finding the right contact person to forward your thoughts.


Somehow Cardano always tries to avoid giving simple answers to simple questions and always points to papers. I did not ask for the mathematical proofs, I asked for an abstract answer. If that is not possible and you do not want such a discussion, ok, no problem, then I’m out of here… I described a pretty easy and simple to understand scenario with common terminology.

Do you know the sentence “if you cannot explain it in simple terms you do not understand it”. This sentence is IMO almost always true from my experience. It is easy to get caught up in a topic and miss the whole picture.

In the videos they talk about attack scenarios in an abstract manner. Why can somebody not answer a question here and get an abstract answer, instead you get pointed to a whitepaper with a bunch of mathematical proofs? I mean I did not ask for the mathematical proof.

Just as a sidenote, it seems people consider things to be more valuable that they understand. You see that at Monero and Bitcoin. Yes, that is no fact, but it is most probably true in this space and will be in the future, and from what I can see Cardano wants to create something of value, and if they do then they should probably be able to explain things in a more competent way than they do in the videos.

And another sidenote: If you look at the videos, then you see that always when it comes to the interesting part they somehow cut the video and say there is no time anymore, or they do not cover it at all when it gets interesting and just jump to the next topic. I have to say that I find the educational videos are of pretty bad quality. But you tried. Other projects do not even try… When you do something you should do it in a competent manner and not half baked. I hope that you at Cardano can handle critique.

Anyway, I think the only way to get answers is to dig into the proofs in the paper. Thx for the discussion.

I’m really sorry if you feel that way. I was in a rush when I wrote this. What I was trying to say is that if you try to void the security proofs, then there is a path to this.

I think it’s a very fair and a very simple question that warrants a simple answer. Ouroboros forms an open BFT network. It’s known that long range attack scenario is one of the most trivial attacks on open BFT networks. I think given the popularity of the attack, it’s fair to demand a down-to-Earth explanation which is as abstract as the description of the attack.

Addendum:

The original Ouroboros paper, upon inspection, provides a rather handwavy argumentation, which would also require some elaboration! Citing verbatim, emphasis mine.

Nothing at stake attacks

The “nothing at stake” problem refers in general to attacks against
PoS blockchain systems that are facilitated by shareholders continuing simultaneously multiple blockchains exploiting the fact that little computational effort is needed to build a PoS blockchain.

Provided that stakeholders are frequently online, nothing at stake is taken care of by our analysis of forkable strings (even if the adversary brute-forces all possible strategies to fork the evolving blockchain in the near future, there is none that is viable), and our chain selection rule that instructs players to ignore very deep forks that deviate from the block they received the last time they were online.

It is also worth noting that, contrary to PoW-based blockchains, in our protocol it is infeasible to have a fork generated in earnest by two shareholders. This is because slots are uniquely assigned and thus at any given moment there is a single uniquely identified shareholder
that is elected to advance the blockchain. Players following the longest chain rule will adopt the newly minted block (unless the adversary presents at that moment an alternative blockchain using older blocks). It is remarked in [15] that the “tragedy of commons” might lead stakeholders in some PoS based schemes to adhere to attacks because they do not have the power to deter attacks by themselves and would incur financial losses even if they did not join the attack. This would lead rational stakeholders to accept small bribes in alternative currencies that might at least obtain some financial gain. However, in the incentive structure of Ouroboros, slot leaders and endorsers who could potentially join an attack would receive rewards in both the main and the adversarial chain, resulting in those stakeholders not achieving higher profits by joining the attack.

Indeed, the idea of synchrony plus requiring stakeholders to be online is a great answer to the problem. As far as I understand the Ouroboros’s answer to the long range attack goes like this:

  1. Require rough synchrony (everyone := players + stakeholders can always know in which slot they are, even with slightly desynced clocks)
  2. Require presence from stakeholders (those who have a chance to issue a block unilaterally)
  3. Show that the length of the slot is enough for transaction finality. It means that now any forgery will have to rely on at most last epoch (a collection of slots, for which MPC random generator determines slot leaders).

3 is very dense and isn’t obvious from 1 and 2, but I’ll try to ELI5 it anyway. Slot leaders are determined in batches via a multi-party-computation algorithm, with probabilities proportional to their stakes. There is no way to vote yourself in as a slot leader ever, it’s random and proportional to stake. Players (regular actors who want to just verify the chain) can follow the trace of this MPC and verify its outcome. The function that assigns slot leaders is deterministic, so an absolutely new player will be able to follow the longest chain with a rather high probability, due to the online assumption. The genesis block is invulnerable to long range, then, as the player follows the chains available, the probability of the longest chain being adversarial is ~0. During this traversal, the player contacts a lot of slot leaders, at least $SECURITY_PARAMETER of whom are honest, thus, coupled with the online requirement, selection of epoch length and the string prefix proof from the paper (sorry, you’ll need to read the proof there), there’s an overwhelming probability of constructing the longest honest chain. Now when it comes to the “exit” attacks during a particular epoch (they are no longer “long range attacks”! But still are a kind of a “nothing-at-stake” attack) – they are, indeed, possible, but txs in blocks within the current epoch may be treated by the player as not-yet final, which should mitigate this “short range” “nothing at stake”.

I have no idea how Ouroboros Praos works though, I just followed the link sent by @adatainment and re-told it in this thread because it will be useful for someone.

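Two replies above, the one stating that each slot has a preassigned leader every node can verify, and the ELI5 of the stake-proportional, deterministic leader function, describe the same mechanism. Here is a toy model of it in the style of the “follow the satoshi” lottery from the 2016/889 paper. This is an added example written for this thread, not Cardano or IOHK code: the epoch randomness is a fixed constructed nonce (in the protocol it comes from the MPC coin tossing, or from VRF outputs in Praos), the stake distribution is made up, and block signatures are left out so only the leadership check itself is shown.

```python
"""Toy model of Ouroboros slot-leader assignment ("follow the satoshi").

Added example for this thread, not Cardano or IOHK code. The epoch randomness
is a fixed constructed nonce; in the protocol it comes from the MPC coin
tossing (classic Ouroboros) or VRF outputs (Praos). Stake is in whole coins
and signatures are omitted, so only the leadership check is modelled.
"""
import hashlib
from collections import Counter
from typing import Dict, List


def slot_leader(epoch_nonce: bytes, slot: int, stake: Dict[str, int]) -> str:
    """Pick one coin uniformly from all staked coins using H(nonce || slot); the
    coin's owner leads the slot. Anyone holding the nonce and the stake
    distribution recomputes the same answer, so nobody can vote themselves in
    and every node can check a claimed leadership."""
    total = sum(stake.values())
    digest = hashlib.sha256(epoch_nonce + slot.to_bytes(8, "big")).digest()
    coin = int.from_bytes(digest, "big") % total  # 256-bit value, modulo bias negligible here
    acc = 0
    for holder in sorted(stake):  # canonical order so all nodes agree which coins are whose
        acc += stake[holder]
        if coin < acc:
            return holder
    raise RuntimeError("unreachable: coin index is below the total stake")


def epoch_schedule(epoch_nonce: bytes, epoch_len: int, stake: Dict[str, int]) -> List[str]:
    """The whole epoch's leader schedule, fixed as soon as the nonce is known."""
    return [slot_leader(epoch_nonce, t, stake) for t in range(epoch_len)]


def leader_share(sched: List[str]) -> Dict[str, float]:
    """Fraction of slots each holder leads; converges to their stake fraction."""
    counts = Counter(sched)
    return {h: counts[h] / len(sched) for h in counts}


def block_valid(block: Dict, epoch_nonce: bytes, stake: Dict[str, int]) -> bool:
    """The check every node applies to an incoming block: was it minted by the
    leader assigned to its slot? (Signature verification is left out of the toy.)"""
    return block["leader"] == slot_leader(epoch_nonce, block["slot"], stake)


# Constructed inputs: three stakeholders and a fixed epoch nonce.
STAKE = {"alice": 60, "bob": 30, "carol": 10}
NONCE = hashlib.sha256(b"constructed epoch nonce for the example").digest()


def share_matches_stake(epoch_len: int = 10_000, tolerance: float = 0.03) -> bool:
    """Over a long epoch each holder leads a share of slots within `tolerance` of their stake share."""
    shares = leader_share(epoch_schedule(NONCE, epoch_len, STAKE))
    total = sum(STAKE.values())
    return all(abs(shares.get(h, 0.0) - STAKE[h] / total) <= tolerance for h in STAKE)


def forged_leadership_rejected() -> bool:
    """Bob mints a block in a slot assigned to Alice: every node rejects it."""
    sched = epoch_schedule(NONCE, 200, STAKE)
    t = sched.index("alice")  # Alice holds 60%, so she leads some slot among the first 200
    honest = {"slot": t, "leader": "alice"}
    forged = {"slot": t, "leader": "bob"}
    return block_valid(honest, NONCE, STAKE) and not block_valid(forged, NONCE, STAKE)


def schedule_is_deterministic() -> bool:
    """Recomputing the schedule gives the same result; a different nonce gives a different one."""
    a = epoch_schedule(NONCE, 500, STAKE)
    b = epoch_schedule(NONCE, 500, STAKE)
    other = epoch_schedule(hashlib.sha256(b"different constructed nonce").digest(), 500, STAKE)
    return a == b and a != other


if __name__ == "__main__":
    print("shares:", leader_share(epoch_schedule(NONCE, 10_000, STAKE)))
    print("forged leadership rejected:", forged_leadership_rejected())
    print("schedule deterministic:", schedule_is_deterministic())
```

Note what this check does and does not give you: a node can reject a block from the wrong leader, but it cannot reject a second, conflicting block from the right leader in the same slot, which is the point made in the reply that a slot leader can issue two blocks. Which of two such blocks survives is decided by chain selection, not by the lottery.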