In Massa, we perform PoS draws using the roll distribution from cycle C-3 and random seed from C-2. That way, attackers can't manipulate the distribution knowing the seed (because the seed is determined later) in order to bias the PoS draws of cycle C. However, attackers can do the opposite: manipulate the seed knowing the distribution. To mitigate this attack, the seed is derived by hashing the concatenation of only the first bit of the hash of every slot of cycle C-2. That way, attackers being lucky enough to be selected as block producers for the k last slots of cycle C-2 can choose only 1 bit of seed per block, therefore choose the most advantageous draw out of only 2^k possibilities.
Note that this attack is made more difficult in practice because 32 blocks are being produced at the same time and honest blocks propagate simultaneously.
Once the attacker is selected to produce the k last blocks of a given cycle, they can increase their probability of being selected to produce the last blocks of the next cycle. Then do it again and again to boost their number of cycle last blocks.
The question is: can attackers significantly boost their probability of getting selected to produce the last ΔF0 blocks of a cycle, and therefore break the consensus through a finality fork attack?
Everything is here:
Evaluation_of_PoS_selection_bias_attacks_on_Massa.pdf
TL;DR: Massa is not vulnerable to this attack.
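The seed derivation described in the post can be modelled to check the 2^k bound it states. This is an added example, not Massa's code and not part of the original post: SHA-256, the MSB-first bit packing, the reading of "first bit" as the top bit of the first byte, the 128-slot cycle and the slot hashes are all assumptions or constructed values.

```python
import hashlib
from itertools import product


def first_bit(block_hash: bytes) -> int:
    # Assumption: "first bit" means the most significant bit of the first byte.
    return block_hash[0] >> 7


def seed_from_bits(bits) -> bytes:
    # One bit per slot, packed MSB first, then hashed.
    # SHA-256 is a stand-in hash chosen for this example.
    packed = bytearray((len(bits) + 7) // 8)
    for i, bit in enumerate(bits):
        packed[i // 8] |= bit << (7 - i % 8)
    return hashlib.sha256(bytes(packed)).digest()


def derive_seed(slot_hashes) -> bytes:
    # Seed of a cycle: hash of the concatenated first bits of its slot hashes.
    return seed_from_bits([first_bit(h) for h in slot_hashes])


def reachable_seeds(slot_hashes, k: int) -> set:
    # Upper bound on seed influence: the first n-k bits are fixed by other
    # producers, and each of the last k slots contributes exactly one free bit.
    fixed = [first_bit(h) for h in slot_hashes[:len(slot_hashes) - k]]
    return {seed_from_bits(fixed + list(tail))
            for tail in product((0, 1), repeat=k)}


def constructed_cycle(n_slots: int):
    # Constructed sample data standing in for the slot hashes of cycle C-2.
    return [hashlib.sha256(b"constructed-slot-%d" % i).digest()
            for i in range(n_slots)]


if __name__ == "__main__":
    cycle = constructed_cycle(128)
    for k in range(5):
        print(f"k={k}: {len(reachable_seeds(cycle, k))} reachable seeds")
```

Because only one bit per slot enters the seed, rewriting the rest of a block hash leaves the seed unchanged, which is what caps the choice at 2^k.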