koubiac

March 27, 2015

Preprogrammed attack

The preprogrammed attack involves putting together a collection of stakes that will perform
very well in a specific time window in the future (potentially a year or more).
In Peercoin, the stake modifier of a particular stake is computable after the selection interval and remains the same until it mines (or is used as an input in a transaction). Therefore,
after the selection interval, all the components of the kernel are determined and the miner
is able to predict at what time stamp the stake is likely able to mine. Although the target
cannot be known precisely in advance, a miner can guess its future value with an acceptable
margin of error.
In Peercoin, this allows an attacker to precompute future proof-of-stakes in order to carry
out a long-range attack. The steps to conduct such an attack are as follows:
1. The attacker splits his coins into a large number of stakes and chooses a distant time
window (e.g. 1 year or more in the future) during which he wants to conduct the attack.
2. After TSM , the stake modifier is generated and the attacker can compute the hashes of
all the kernels for time stamps included in the considered time frame.
3. The attacker keeps all the stakes that have a high probability of mining within that time
frame and then resends all the remaining stakes back to himself (in order to modify their
kernels)
4. He repeats the two previous steps repeatedly, in each cycle retaining the stakes that will
perform well during the attack window, until the time of the targeted attack window.
5. Once the attack window is reached, the attacker will be able to create proofs and
generate blocks with the stakes he kept. If he has a high enough number of stakes that
can generate blocks, he may be able to perpetrate an attack.
To simplify our model, we dont take coin age into account.
Let p be the portion of the total coins owned by the attacker, the percentage of coins
mining, the block time, and Tsm the modifier interval.
Futhermore, the attack window is T in the future and its length is f .
The probability that a stake be resent after the first stake modifier has been calculated
corresponds to the probability that the stake does not mine in the [T, T + f ] window. This is
the probability that a Poisson process of intensity Np has no point in a window of length f :
p

Pattack = e N f

Therefore, the probability that the stake be kept after

Ps = 1 e

p
f T
N Tsm

'

T
Tsm

tries is:

p
T
f
N Tsm

The average number of stakes mining in the window [T, T + f ] is thus:

Nattack = N Pattack '

pf T
Tsm

With NT the average number of blocks created by the network in a period f , the formula
can be rewritten:
Nattack = NT

pT
Tsm

For the attacker to succeed he must meet the following condition:

Tsm
T
With Peercoins parameters ( = 0.15 and Tsm 8.82 days), for an attacker so successfully
conduct an attack starting 1 year in the future, he must ownn: p > 0.18% ( 40000PPC or
$14000)
Nattack > 0.5NT p > 0.5