Proof-of-stake

From Bitcoin Wiki
This is the approved revision of this page, as well as being the most recent.
Jump to: navigation, search

Proof-of-stake is a method of securing a cryptocurrency network through requesting users to show ownership of a certain amount of currency. It is different from proof-of-work systems that run hashing algorithms to validate electronic transactions. It is most commonly used as a supplement to proof-of-work in Peercoin and a few other electronic currencies.

Block selection variants[edit]

Proof-of-stake must have a way of defining the next valid block in any blockchain. Selection by account balance would result in (undesirable) centralization, as the single richest member would have a permanent advantage. Instead, several different methods of selection have been devised.

Randomized block selection[edit]

Nxt and BlackCoin use randomization to predict the following generator, by using a formula that looks for the lowest hash value in combination with the size of the stake. Since the stakes are public, each node can predict - with reasonable accuracy - which account will next win the right to forge a block.

Coin age-based selection[edit]

Peercoin's proof-of-stake system combines randomization with the concept of "coin age", a number derived from the product of the number of coins times the number of days the coins have been held.

Coins that have been unspent for at least 30 days begin competing for the next block. Older and larger sets of coins have a greater probability of signing the next block. However, once a stake of coins has been used to sign a block, they must start over with zero "coin age" and thus wait at least 30 more days before signing another block. Also, the probability of finding the next block reaches a maximum after 90 days in order to prevent very old or very large collections of stakes from dominating the blockchain. This process secures the network and gradually produces new coins over time without consuming significant computational power. Peercoin's developer claims that this makes a malicious attack on the network more difficult due to the lack of a need for centralized mining pools - and the fact that purchasing more than half of the coins is likely more costly than acquiring 51% of proof-of-work hashing power.

Masternodes[edit]

Another form of staking is running a masternode. The term masternode applies to any cryptocurrency which allows the decentralized use of servers, that can generate an income to the owner. The main disadvantage of a masternode is the often relatively high entry point as opposed to staking alone. In order to secure the network, those willing to run a masternode are required to purchase a certain number of coins as collateral for whatever the market price is at the time.

Some coins, such as Dash or PIVX, have a set cost for a masternode, while other currencies such as Divi offer a multi-tiered masternode system, with different levels of increasing awards.

Advantages[edit]

Proof of Stake currencies can be more energy efficient than Proof of Work, which mainly relies on energy use.

The incentives of the block-generator are also different. Under Proof-of-Work, the generator may potentially own none of the currency they are mining. The incentive of the miner is only to maximize their own profits. It is unclear whether this disparity lowers or raises security risks. In Proof-of-Stake, those "guarding" the coins are always those who own the coins (although several cryptocurrencies do allow or enforce lending the staking power to other nodes).

Criticism[edit]

Some authors argue that proof-of-stake is not an ideal option for a distributed consensus protocol. One problem is usually called the "nothing at stake" problem, where (in the case of a consensus failure) block-generators have nothing to lose by voting for multiple blockchain-histories, which prevents the consensus from ever resolving. Because there is little cost in working on several chains (unlike in proof-of-work systems), anyone can abuse this problem to attempt to double-spend (in case of blockchain reorganization) "for free". Many have attempted to solve these problems:

  • Ethereum's suggested Slasher protocol allows users to "punish" the cheater, who forges on the top of more than one blockchain branch. This proposal assumes you must double-sign to create a fork and that you can be punished if you create a fork while not having stake. However Slasher was never adopted; Ethereum developers concluded proof-of-stake is "non-trivial". Instead Ethereum designed a proof-of-work algorithm named Ethash. It is planned to be replaced by a different PoS protocol called "Casper".
  • Peercoin, in its early stages, used centrally broadcast checkpoints (signed under the developer's private key). No blockchain reorganization was allowed deeper than the last known checkpoints. Checkpoints are now opt-in as of v0.6 and are not enforced now that the network has reached a suitable level of distribution.
  • Nxt's protocol only allows reorganization of only the last 720 blocks. However, this only rescales the problem: a client may follow a fork of 721 blocks, regardless of whether it is the tallest blockchain, preventing consensus.
  • Hybrid "Proof of burn" and proof of stake. Proof of burn blocks act as checkpoints, have higher rewards, contain no transactions, are more secure, and anchor both to each other and to the PoS chain, but are more expensive.
  • Decred's hybrid proof-of-work and proof-of-stake. Proof-of-stake as an extension dependent on the Proof-of-work timestamping, based on the "Proof of Activity" proposal, which aims to solve the nothing-at-stake problem by having proof-of-work miners mining blocks and proof-of-stake acting as a second authentication mechanism.

Statistical simulations have shown that simultaneous forging on several chains is possible, even profitable. But Proof of Stake advocates believe most described attack scenarios are impossible or so unpredictable that they are only theoretical.

Mining Process[edit]

1) Block meeting work difficulty target is mined. Difficulty target periodically adjusted so that 1 PoW block arrives every 10 minutes.

2) Work submission is hashed 10 times consecutively. Each consecutive hash maps to an individual unspent output in the blockchain. This is essentially a lottery drawing two sets of five winners. The first five hashes map to mandatory signatures, the final five hashses map to voluntary signatures.

3) If the mandatory signatures map to active public keys [see glossary], the block can potentially be valid. Otherwise, the block is invalid and must be discarded.

4) If PoW miner finds a potentially valid block, he transmits the following hash to the network: {work submission;hash(his block, the previous valid block)}

5) If the work submission meets the difficulty target and maps to active signatories, then the block is relayed through the network. Otherwise, the message is dropped as spam.

5) The first five selected signatories sequentially sign this hash and transmit it onwards as {work submission; hash; sig 1; sig 2; sig 3; sig 4; sig 5}

6) After the mandatory signature sequence is complete, the final signatory publishes the PoW block and also his own PoS block.

7) The final five hashes map to voluntary signatures. These voluntary signatures can be inserted into any block within the next 6 blocks as special txns. These txns do not require fees.

9) Go to step 1

Note: This process is simultaneous so that multiple block hashes can circulate in the network attempting to collect five signatures and generate PoW/PoS block pairs. Block pairs that lose this race are orphaned.

Infeasability of standard attack vectors[edit]

Unless attackers own a large share of stake, all types of PoW attacks are computationally infeasible. I think there are two types of known attacks: 1) Double-Spend 2) Denial of Service I consider approximations below. The numbers are so favorable that consideration of exact statistics is not particularly interesting.

1) Double Spend. Double spends rely on secrecy. In order to mine blocks in secret a PoW miner must select his 5 of his own public keys in the lottery. If the PoW miner owns a share 0<s<1 of all coins, the probability of doing that a block meeting the difficulty target will select the miner's coins is (1/s)^5. For s=0.01, 1 out of 10 billion blocks will satisfy this criteria. Even for extremely small hash aggregate rates, it is not practical to privately mine at a rate 10 billion times faster than all other miners combined. For s=0.1, 1 out of 100,000 blocks will satisfy this criteria. (i.e. the attack still requires approximately 99.999% of all hashing power). For s=0.5, the attacker will succeed if he controls 51% of the aggregate hash rate.

2) Denial of Service

An attacker who mines publicly could simply produce empty PoW blocks. However, this would fail to deny service. 50% of all blocks are randomly mined via PoS. The attacker cannot force the PoS miners to produce empty blocks. Therefore he cannot deny service regardless of how much hash rate he controls.

Long-term Chain Evaluation[edit]

1) Comparison of two long chains is based on a simple sum of block difficulty, just as in bitcoin.

2) A criticism of PoS is that there is no reason not to sign attack chains. However, in a long secret chain, many stakeholders will have dead signatures. These dead stakeholders will not be able to sign the main chain, but not the attack chain. They will have a strong incentive to make sure the main chain wins because the attack chain will impose demurrage fees on them.

Incentives to maintain full nodes[edit]

This system introduces powerful incentives to maintain full nodes. Many people argue that the lack of an incentive to maintain a full node is a problem in the bitcoin system.

1) a steady flow of txns will generate some fees even if all public keys remain active. Active keys must be maintaining full nodes. Otherwise they could not provide the voluntary signatures which prove their activity. Even very weak incentives are sufficient in this case. If almost all keys are associated with active nodes, then it is not necessary to motivate additional participation.

2) Some public keys may decide to become inactive. This is costly for them. They will suffer a loss of 5% of their balance per year for as long as they remain inactive.

3) The active public keys constantly capture revenue from inactive public keys. This means that the incentives to remain increase dramatically as participation falls. Suppose that 50% of public keys maintain full nodes, then this 50% will capture 2.5% of coins per annum. This is equal to an annual of return of 2.0%. The alternative, inactivity, yields an annual return of -5.0% as discussed in point 2. I consider this a reasonable incentive level and participation rate. Suppose that I am wrong, and only 10% of public keys maintain full nodes. Then these 10% will capture 4.5% of all extant coins per annum. This implies an annual return on participation equal to 45% per annum. This is a very strong incentive and is almost certain to be sufficient, even if nodes are quite costly to maintain. If only 1% of coins participate, then 4.95% of all extant coins will be distributed to this 1% each year. This implies a weekly return on participation of 3%, a pirate ponzi scheme level return. If these incentive are inadequate to support a healthy network of full nodes (which seems unlikely to me), then the levy on dead coins could be increased to exceed 5% per annum.

4) Many people will not have enough coins to justify running their own node. Such individuals will likely use an online banking service which could store their limited spend key. The service could return interest to users in exchange for managing their keys.

5) Other individuals may prefer the privacy associated with dropping out of participation. These individuals are still welcome to use the network, but must face a wealth tax of 5% per annum to compensate for the security risk created by their behavior.

Beneficiaries and Lossers from Txn Fees[edit]

The total amount of demurrage fees collected annually varies between 0% and 5% of the total money supply.

The most burdensome fee in the system is the fee paid to PoW miners. This fee imposes a demurrage tax of between 0% and 0.1% per annum on all users of the system. In addition to the demurrage tax, PoW miners receive a 2% share of any optional fees paid to access scarce block space. All coin owners are net losers as a result of PoW mining fees. To minimize costs to coin owners, PoW fee payments are kept as low as possible. Since large hash rates play only a tiny role in security, larger fees for PoW miners are unnecessary.

Other demurrage fees are transfers of revenue from one private key to another. Some keys are net beneficiaries of these transfers, while other keys are net losers. Collectively, these fees do not make coin owners better or worse off. Their effects are neutral. However, individually, the fees do create winners and losers. Active users that spend infrequently gain from the system. An active user with average spend frequency is likely to gain from the system as well, but only by a small amount. An active user that spends very frequently will probably lose from the system. Dead users will certainly lose from the system. This loss serves as a punishment for failure to maintain an active node.

Usage in Peercoin[edit]

Peercoin's proof-of-stake system is based around the concept of "coin age," a measure of the product of the currency amount held times the amount of time it has been held for. When generating a proof-of-stake block, the user sends some money to themselves, consuming their coin age in exchange for a preset reward. This minting transaction becomes more likely to succeed over time until a valid block is found, generating a new block on the blockchain and a payout for the proving user. This process secures the network and gradually produces new coins over time without consuming significant computational power.

Both proof-of-work and proof-of-stake blocks are used in Peercoin, although the main blockchain is determined by the highest total consumed coin age (from proof-of-stake generation) instead of the total combined difficulty of the chain (determined by proof-of-work blocks, as in Bitcoin). Peercoin's developer claims that this makes a malicious attack on the network more difficult.

See also[edit]

References[edit]

Licence.png