How does Cardano defend against this? (long range attack scenario)

Hi,

can somebody please tell me how Cardano defends against exactly the following long range attack scenario:

Please correct me if I’m wrong, but I saw in the videos of IOHK and in the whitepapers that they always assume within the security proofs of their protocols that an honest party stays honest for the whole time, which is simply not the case in the real world. Just watch the Cardano whiteboard of IOHK; there you can clearly see that they assume that within their proofs. Let’s assume 60% are honest and are not creating two blocks or more at one timeslot (nothing-at-stake), then after some amount of time exactly those 60% decide now to unstake and exchange all their coins for fiat. Now these 60% are highly incentivized to create a fork in the past (double-spend), which is the natural thing to do for those parties, and they will succeed (60%). Now all security proofs of those whiteboard vids are basically void, because they did not take basic token-economics into account. Ethereum’s Casper does solve this via Slashing and Cardano’s Ouroboros does nothing about that from what I saw.

I’m not 100% sure what you are talking about.
But do you say that if 60% of all smaller (home) pool operators close down the shop then there are only the big pools left like Binance, Kraken, Coinbase etc. And then they can “change the rules” so to speak?

If you are not honest and the system sees that then you lose the money when running a pool.
Since English is not my first language I can’t explain it better than that.

1 Like

I’m no expert on the protocol, far from it, but I believe that a problem with your scenario is that you don’t distinguish between pool operators and delegators. Maybe, if you rethought and rewrote it making that distinction clear, then it would be easier to see if this is a real problem or not.

1 Like

I have no idea why the mods here move questions from the right place into the wrong forum. It is a consensus question and was in the right forum and mods decided to move it. Can you please stop doing that and move it again where it belongs…? @adatainment @rdlrt

Nobody would do that deliberately. Of course opinions about most suitable category can differ. Looks like that’s the case here.

2 Likes

Let’s assume 60% are honest […] then after some amount of time exactly those 60% decide now to unstake and exchange all their coins for fiat. Now these 60% are highly incentivized to create a fork in the past…

There’s something odd in your argument. If someone has control over more than 51% of the stake then a 51% attack is possible. Why does he/she have to sell 60% of the stake, destroying the investment?
Ad absurdum, suppose we want to do what you’re saying without pursuing a 51% attack. Ouroboros Genesis introduced the “plenitude rule” to overcome the bootstrapping problem: https://eprint.iacr.org/2018/378.pdf
Even if we join the network again, now without the 60% of the stake we sold, we have to select the densest chain as the main one. In addition, Ouroboros Praos introduced key evolving signatures (KES) to avoid “back corruption attacks”: https://eprint.iacr.org/2017/573.pdf. So, we can’t fork the blockchain in the past as we like it.

Further explanations:

I think the biggest problem with your argument is that if 60% of people (the honest ones) sell their coins at exactly the same time (which seems incredibly unlikely to begin with) then other people have to buy them. Who is to say what the intentions are of the new people? I would presume the new people would be motivated to have an honest chain and protect their investment. Why would the 60% sell in the first place? If the dishonest ones try to buy the honest ones out prices will quickly rise and make that unprofitable. The remaining honest people could always fork the code and create “Honest Cardano”. This just happened when Justin Sun tried to take over Steemit and the community forked and created Hive.

You both misunderstood my post. You do not destroy your investment, please read again.

Wouldn’t the 60% need to coordinate with each other to pull off this double spend caper? Also the 60% still need to simultaneously try to sell their coins for fiat which would cause the price to crater.

I found some docs from Cardano where they say that nodes, I think in Praos, do not accept blocks which are older than X, but like that you cannot bootstrap from genesis. But then they developed another solution (I think Genesis) with which you can bootstrap from genesis. But Praos and Genesis would not prevent the attack from the OP.

As mentioned after selling they are highly incentivized to do the attack.

In Praos you would not accept the forked chain if you were online all the time, but if you bootstrap from genesis you would have to trust somebody telling you this is the valid chain, which would deviate hard from Proof of work and they could make the argument anymore that PoS is the same but more clean…

In regards to Genesis I have to do more research but I think from what I’ve seen it does not prevent the attack.

From what I’ve seen about Genesis is that in Genesis the block density after the fork would have to be higher on the current chain (not the forked chain) to be adopted as the valid chain. Idk, this seems to be pretty weak to me if you take these token economics into consideration, and the participation of the stakers would have to be always pretty high within k after the fork.

In PoW you have to put a ton of skin in the game to perform a long-range attack and in PoS it seems like that it is the natural thing to do for some parties, which is kind of dangerous. Is Cardano open for the thought to adopt slashing?

By the way how big is k within Genesis?
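Added example, not part of any post in this thread and not Cardano's node code: a simplified sketch of the density-based chain selection the posts above attribute to Ouroboros Genesis. Forks at most `k` blocks deep are settled by length; deeper forks are settled by which chain has more blocks in the `s` slots after the fork point. The window name `s`, the toy values of `k` and `s`, the block representation and the sample chains are all assumptions constructed for illustration.

```python
from typing import List, Tuple

Block = Tuple[int, str]  # (slot number, block id); toy representation


def fork_index(local: List[Block], cand: List[Block]) -> int:
    """Number of leading blocks the two chains have in common."""
    i = 0
    while i < len(local) and i < len(cand) and local[i] == cand[i]:
        i += 1
    return i


def density(chain: List[Block], start: int, fork_slot: int, s: int) -> int:
    """Blocks after the fork whose slot lies in (fork_slot, fork_slot + s]."""
    return sum(1 for slot, _ in chain[start:]
               if fork_slot < slot <= fork_slot + s)


def prefer_candidate(local: List[Block], cand: List[Block],
                     k: int, s: int) -> bool:
    """True if a node holding `local` should switch to `cand`."""
    i = fork_index(local, cand)
    rollback = len(local) - i            # local blocks that would be undone
    if rollback <= k:
        return len(cand) > len(local)    # shallow fork: longest chain wins
    fork_slot = local[i - 1][0] if i > 0 else 0
    # Deep fork: total length is ignored; compare only the s slots that
    # follow the fork point, when the candidate's past stake share mattered.
    return density(cand, i, fork_slot, s) > density(local, i, fork_slot, s)


# Constructed sample data (toy parameters, not real protocol values).
K, S = 4, 10
COMMON = [(slot, "c") for slot in range(1, 6)]
# Current chain: dense right after the fork, sparser later.
LOCAL = COMMON + [(slot, "h") for slot in range(6, 16)] \
               + [(slot, "h") for slot in (18, 22, 26, 30)]
# Deep fork: sparse right after the fork, dense later, longer overall.
LONG_RANGE = COMMON + [(slot, "a") for slot in (7, 10, 13)] \
                    + [(slot, "a") for slot in range(16, 31)]
# Shallow fork: replaces only the last two blocks and is one block longer.
SHORT_FORK = LOCAL[:17] + [(slot, "x") for slot in (27, 28, 29)]

if __name__ == "__main__":
    print("deep fork adopted:   ", prefer_candidate(LOCAL, LONG_RANGE, K, S))
    print("shallow fork adopted:", prefer_candidate(LOCAL, SHORT_FORK, K, S))
```

With these sample chains the deep fork is rejected even though it is the longer chain, because it is sparser in the window right after the fork; the shallow fork is adopted by the ordinary length rule.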

The “nothing at stake problem” is not relevant in Ouroboros, each slot has a preassigned slot leader (through randomness created in a whole epoch).

Every node can easily verify that the block was created according to the blockchain rules (like the right genesis, not having double-spends…) and was produced by a valid slot leader.

2 Likes

Sorry, the only reason I’m moving a thread is that I think it’s in the wrong place or it gets more visibility from another category. Okay, I have to admit this time @rdlrt and I had different views about the right category and worked against each other :grinning:. That was not intentional, of course.

2 Likes

If that would be the case you’d not need to write proofs. No, you can issue two blocks as a slot-leader and AFAIU it slot-leaders can therefore change at the fork at the next epochs.

I think it is hard to discuss these things in “one-liners”. Unfortunately, you have to understand that we see such postings very often on Twitter, in the forum and in Reddit that claim something in one or two lines.

So, I recommend reading this paper about common attacks and why they do not affect Ouroboros: https://eprint.iacr.org/2016/889.pdf

Many people have already given it a lot of thought. It addresses double-spending attacks, the nothing-at-stake problem, long-range attacks and others in a scientific manner.

If you have any criticisms afterwards and you formulate them very well, I’m happy to try finding the right contact person to forward your thoughts.

1 Like

Somehow Cardano always tries to avoid giving simple answers to simple questions and always point to papers. I did not ask for the mathematical proofs, I asked for an abstract answer. If that is not possible and you do not want such discussion, ok, no problem, then I’m out here… I described a pretty easy and simple to understand scenario with common terminology.

Do you know the sentence “if you cannot explain it in simple terms you do not understand it”. This sentence is IMO almost always true from my experience. It is easy to get caught up in a topic and miss the whole picture.

In the videos they talk about attack scenarios in an abstract manner. Why can somebody not answer a question here and get an abstract answer, instead you get pointed to a whitepaper with a bunch of mathematical proofs? I mean I did not ask for the mathematical proof.

Just as a sidenote, it seems people consider things to be more valuable that they understand. You see that at Monero and Bitcoin. Yes, that is no fact, but it is most probably true in this space and will be in the future and from what I can see Cardano wants to create something of value and if they do then they should probably be able to explain things in a more competent way than they do in the videos.

And another sidenote: If you look at the videos, then you see that always when it comes to the interesting part they somehow cut the video and say there is no time anymore, or they do not cover it at all when it gets interesting and just jump to the next topic. I have to say that I find the educational videos are pretty bad quality. But you tried. Other projects do not even try… When you do something you should do it in a competent manner and not half baked. I hope that Cardano you can handle critique.

Anyway, I think the only way to get answers is to dig into the proofs in the paper. Thx for the discussion.

I’m really sorry if you feel that way. I was in a rush when I wrote this. What I was trying to say is that if you try to void the security proofs, then there is a path to this.