
Overview of Alternatives to Proof of Work. Part 1: Proof of Stake

We continue to translate cool articles from the site Bytecoin.org. Today it is Ray Patterson's "Alternatives for Proof of Work, Part 1: Proof of Stake".
Also read the translation of "A Brief History of Evolution of Proof-of-Work in Cryptocurrencies": Part 1 and Part 2.

Criticism of Proof of Work


As we all remember, Proof of Work was born back in 1993 into a family of cryptographers; its parents steered it toward a career as a defence against DoS and spam. However, in 2008 it received a tempting offer from a certain anonymous author with a Japanese accent: to become the basis of a distributed timestamp server. The scheme seemed simple: network nodes "vote" for their version of the transaction history by investing their computing power in finding "rare" hashes. The version that collects the most votes is accepted by the other nodes as the canonical one.

An important point was to ensure a large total network hash power, as protection against a potential attacker holding 51% of the resources. However, the original concept of PoW assumed small tasks that a client performs in order to gain access to a server's resources. In such a DoS-protection model even a weak client is not prevented from using the resource fairly, and large capacities were simply never needed. So the incentive for the miners' work was implemented in the simplest way: "in kind", in bitcoins, i.e. in actual money.
And that changed everything. In the cryptocurrency world PoW turned into a monster devouring electricity in the race for mining profitability. Serious complaints appeared around 2012, when the total hash power of the Bitcoin network "overtook" the most powerful supercomputer in the world. "A waste of energy!" came the cries from all sides. The timid objections of its defenders about protection against 51% attacks and about the energy appetite of bank terminals were ignored, since the first alternative was already on the horizon: Proof of Stake.

Proof of Stake


The idea was born in one of the posts on bitcointalk back in 2011. The first implementation saw the light a year later, in 2012, in the cryptocurrency PPCoin (now called PeerCoin). Later, similar protocols appeared in other projects; more about them later.

PoS has various incarnations but one general idea: the limited resource needed for voting can be found not only in the outside world (burnt hardware and electricity) but inside the system itself, in the digital coins. The holders of the coins, the stakeholders, do not spend them when voting, of course, but lock them for some time, and that is what makes the resource scarce. Obviously the computer must be switched on to mine, but no serious computation is required.

How does PPCoin work?
So the miner's resource is his coins (unspent ones, of course). More precisely, unspent transaction outputs, each of which corresponds to a certain number of coins. Mining proceeds as follows:



  1. Take one of your outputs that was received at least 30 days ago.
  2. Form the Kernel structure, which includes deterministic data about the output (the time of the block in which it appeared, its position inside that block, etc.), the current time, and nStakeModifier (a periodically recalculated block of pseudo-random bits).
  3. Hash the Kernel and compare the value obtained with the current target, which depends on the current network difficulty (higher difficulty, smaller target), the "age" of the output (more age, larger target) and its amount (more coins, larger target).
  4. If the hash turned out to be larger than the target, go back to step 1 and take the next output.
  5. If the output turned out to be "successful", spend it in a coinstake transaction (sending it to ourselves), add the block reward and the fees from the included transactions, and sign the entire block with the key that was associated with the spent output.
  6. Voilà, the block is ready. We begin the search for the next one.

Remarks:
  • Block verification is deterministic: the current time is taken from the block header, the output data from the blockchain, and nStakeModifier is also uniquely computed for each block.
  • The output must be "old", so that an attacker cannot, by shuffling money between his own wallets, obtain a "good" output that immediately lets him find a block.
  • nStakeModifier is computed from the most recent blocks and is therefore unpredictable. This makes mining even less predictable (and more resistant to possible attacks).
  • The current timestamp in step 2 may vary within wide limits: plus or minus an hour. So in fact, for each output, you can check 7200 hashes rather than just one.
  • The "age" multiplier of the target is capped at 90 days. Otherwise an attacker holding just a few VERY old coins could generate several blocks in a row with high probability.
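The six steps and the remarks above, as an added worked example in Python. This is not PPCoin's code: the byte layout of the Kernel, the SHA-256 hash and the coin-day weighting of the target are assumptions chosen to make the lottery visible; the 30-day minimum age, the 90-day cap and the plus or minus one hour timestamp window are the values the text gives. The sample wallet and the nStakeModifier value are constructed.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

DAY = 24 * 3600
MIN_AGE = 30 * DAY    # step 1: an output must be at least 30 days old to stake
MAX_AGE = 90 * DAY    # last remark: the age multiplier is capped at 90 days
TIME_DRIFT = 3600     # remark 4: the block timestamp may deviate by +/- one hour


@dataclass(frozen=True)
class Output:
    """An unspent transaction output owned by the staker (constructed sample data)."""
    txid: str         # hex id of the transaction that created it
    index: int        # position of the output inside that transaction
    amount: int       # whole coins
    block_time: int   # timestamp of the block in which the output appeared


@dataclass(frozen=True)
class Stake:
    """A winning (output, timestamp) pair; step 5 would spend it in the coinstake."""
    output: Output
    timestamp: int
    kernel_hash: int


def kernel_hash(stake_modifier: bytes, out: Output, timestamp: int) -> int:
    """Hash of the Kernel structure (step 2). The field layout is an assumption:
    modifier || output's block time || txid || output index || candidate timestamp.
    Every field comes from the blockchain or the block header, so remark 1 holds:
    any node can recompute exactly the same value."""
    data = (stake_modifier
            + struct.pack("<I", out.block_time)
            + bytes.fromhex(out.txid)
            + struct.pack("<II", out.index, timestamp))
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def is_eligible(out: Output, timestamp: int) -> bool:
    """Step 1: only outputs at least 30 days older than the block being built qualify."""
    return timestamp - out.block_time >= MIN_AGE


def target_for(out: Output, timestamp: int, difficulty: int) -> int:
    """Step 3: the target grows with the output's amount and its (capped) age and
    shrinks with difficulty. Weighting by coin-days is this example's assumption,
    not PPCoin's exact formula."""
    age_days = min(timestamp - out.block_time, MAX_AGE) // DAY
    return ((1 << 256) // difficulty) * out.amount * age_days


def verify_kernel(stake_modifier: bytes, out: Output, timestamp: int,
                  difficulty: int, local_now: int) -> bool:
    """What a node checks on a received block (remark 1): deterministic inputs only,
    plus the +/- one hour tolerance of remark 4 measured against its own clock."""
    if abs(timestamp - local_now) > TIME_DRIFT or not is_eligible(out, timestamp):
        return False
    return kernel_hash(stake_modifier, out, timestamp) < target_for(out, timestamp, difficulty)


def find_stake(outputs: Iterable[Output], stake_modifier: bytes,
               now: int, difficulty: int) -> Optional[Stake]:
    """Steps 1-4: try every eligible output against every admissible timestamp
    (7201 values per output, remark 4) and return the first kernel under target."""
    for out in outputs:
        if not is_eligible(out, now - TIME_DRIFT):   # too young even at the earliest stamp
            continue
        for ts in range(now - TIME_DRIFT, now + TIME_DRIFT + 1):
            h = kernel_hash(stake_modifier, out, ts)
            if h < target_for(out, ts, difficulty):
                return Stake(out, ts, h)               # step 5 would now build the block
    return None


if __name__ == "__main__":
    # Constructed sample: a modifier, a 60-day-old 1000-coin output and a 10-day-old one.
    now = 1_700_000_000
    modifier = hashlib.sha256(b"constructed nStakeModifier").digest()
    wallet = [
        Output("11" * 32, 0, 1000, now - 60 * DAY),
        Output("22" * 32, 1, 5000, now - 10 * DAY),   # rich but too young to stake
    ]
    stake = find_stake(wallet, modifier, now, difficulty=1_000_000)
    if stake is None:
        print("no block this round")
    else:
        print("won with output", stake.output.txid[:8], "at timestamp", stake.timestamp)
        print("verifies:", verify_kernel(modifier, stake.output, stake.timestamp, 1_000_000, now))
```

Two things the code makes concrete: the only loop is over the staker's own outputs and the 7201 admissible timestamps, so CPU speed buys nothing, and `verify_kernel` needs only the header fields and blockchain data, so every node reaches the same verdict.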


In essence, PoS mining is the same lottery as PoW. However, you do not have to "pay" for your ticket with computing power: the search runs over the very limited space of your own outputs and does not depend on CPU speed. Your chances are affected only by your total number of coins and the current network difficulty.

This gives us the following benefits:

  1. Energy savings. No argument here, although for PoW one can use "useful work" (see Primecoin) or ASIC-resistant functions (Cuckoo Cycle, CryptoNight, Ethash, etc.), which would confine mining to personal computers.
  2. No endless "arms race": the total hash rate is now limited not by Moore's law and the laws of thermodynamics but by the total number of coins in participants' wallets. On the other hand, in such a model it is hard to tell whether a large share of the resources is in honest hands, isn't it?
  3. An attack becomes more expensive. If I want to buy 51% of the coins, the market will respond with a rapid price rise. Besides, what would be the point of attacking the network if all my resources are invested in that very network's virtual coins?

Everything seems great: we have effectively replaced physical work with a kind of virtual resource. But isn't that precisely the problem?



Criticism of Proof of Stake


Answer this question: how much are spent coins worth? If someone contacts you and offers to buy the private keys from which you spent all your money long ago, at what price would you agree? Since those keys are worth nothing and nobody needs them, I assume any offer will suit you: it is money from nothing!

Now imagine that at some moment X in the past, 50% (or more) of all coins turn out to have sat on keys the attacker has now bought. For simplicity, let moment X be the time right after the creation of the second block, and let someone have bought the keys of both blocks, i.e. if he could go back to that past he would hold 100% of the entire money supply.

In fact he does not need to physically return to the past. Starting from that point, he can "rewrite the entire history of the blockchain" by mining with these old coins! Moreover, he receives a reward for every new block, increasing his capital. He does not even have to create transactions (although he may simply transfer money to himself).

At some point his alternative chain will catch up with the present and even overtake it in number of blocks. The whole network will switch to it, because syntactically there is no difference between the two. But the substantive difference is that in one of them more than half of the coins still belong to the attacker. So by selling "dead souls" you can easily lose the living ones.

This particular attack can of course be fought. PeerCoin, for example, uses regular checkpoints: blocks signed by a developer key, "deeper" than which rebuilding the blockchain is prohibited. But this is a special-case solution that does not remove the more general problem: Nothing at Stake.
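The old-key rewrite and the checkpoint rule that blocks it, as an added example in Python (not PeerCoin's code). The chain model is a toy: a block is a height, a parent hash and a payload string; the checkpoint map is taken as already verified against the developer key, which is the part of the scheme this example does not model. All chains below are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS_PREV = "00" * 32


@dataclass(frozen=True)
class Block:
    height: int
    prev_hash: str
    payload: str          # stands in for the coinstake and the transactions

    def hash(self) -> str:
        return hashlib.sha256(f"{self.height}|{self.prev_hash}|{self.payload}".encode()).hexdigest()


def build_chain(payloads: List[str], base: Optional[List[Block]] = None) -> List[Block]:
    """Append one block per payload on top of `base` (or start from genesis)."""
    chain = list(base or [])
    prev = chain[-1].hash() if chain else GENESIS_PREV
    for p in payloads:
        b = Block(len(chain), prev, p)
        chain.append(b)
        prev = b.hash()
    return chain


def fork_height(a: List[Block], b: List[Block]) -> int:
    """Height of the last block the two chains share (-1 if they share none)."""
    h = -1
    for x, y in zip(a, b):
        if x.hash() != y.hash():
            break
        h = x.height
    return h


def should_switch(current: List[Block], candidate: List[Block],
                  checkpoints: Dict[int, str]) -> bool:
    """Longest-chain rule constrained by checkpoints: the candidate must be longer
    AND must contain every checkpointed block hash at its height. A chain forked
    below a checkpoint cannot satisfy that, however many blocks the attacker has
    minted with the bought keys, so the rewrite is refused."""
    if len(candidate) <= len(current):
        return False
    for height, expected in checkpoints.items():
        if height >= len(candidate) or candidate[height].hash() != expected:
            return False
    return True


if __name__ == "__main__":
    honest = build_chain([f"honest-{i}" for i in range(12)])
    # The attacker bought the keys behind blocks 0 and 1 and rebuilds from height 2 on,
    # producing a longer chain than the honest one.
    attacker = build_chain([f"rewritten-{i}" for i in range(2, 17)], base=honest[:2])
    print("attacker forks after height", fork_height(honest, attacker))
    print("no checkpoints, switch?      ", should_switch(honest, attacker, {}))
    checkpoints = {8: honest[8].hash()}            # developer-signed block at height 8
    print("checkpoint at 8, switch?     ", should_switch(honest, attacker, checkpoints))
    extended = build_chain(["honest-12", "honest-13"], base=honest)
    print("honest extension, switch?    ", should_switch(honest, extended, checkpoints))
```

Without the checkpoint the node obediently follows the longer rewritten chain; with it the rewrite is rejected while ordinary extensions of the honest chain still pass. The example also shows why this is a special-case fix: it protects only history below the latest signed checkpoint and says nothing about competing branches above it.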



The problem is that mining, i.e. voting, costs nothing and requires no physical expenditure. If, for example, two blocks appear at the same height at some point (a fork of the chain), both versions of the chain can be mined simultaneously. With PoW this is impossible in principle, for obvious reasons: every hash checked for chain A is a hash not checked for chain B. PoS, however, lets you iterate over all "parallel worlds" at once, and at any height (including in the past).

In PoS it is much easier to carry out a double-spend attack. It is enough to always mine two versions of the next block: one containing a transaction that sends your money to a seller (who does not wait for N confirmations), the other containing a transfer back to yourself. If you happen to find both blocks, you send the first to the seller (and receive your goods) and the second to everyone else. Quite likely the second version of the chain will be the one continued, and the money returns to you.

The trouble with PoS is that it is profitable for you to mine several alternative branches at once. You can do so for free, with a non-zero chance of success, which means you raise your expected income. PoW does not allow such tricks, so you mine only one branch (which one is your choice). As a result, consensus is reached sooner or later in the PoW model, whereas in pure PoS convergence is no longer possible.
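What the two-block trick described above looks like from the receiving side, as an added example in Python that is not part of the original article or of any PoS client: a node that keeps both competing blocks can flag the two symptoms, the same staked output signing two blocks at the same height and the same coin spent by two different transactions. The header and transaction records are a simplified model, and the sample blocks are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[str, ...]    # outpoints "txid:index" being spent
    outputs: Tuple[str, ...]   # "address:amount", kept as strings for brevity


@dataclass(frozen=True)
class Header:
    block_hash: str
    height: int
    prev_hash: str
    kernel: str                # outpoint spent in the coinstake (step 5 above)
    txs: Tuple[Tx, ...]


def double_stakes(blocks: List[Header]) -> Dict[Tuple[int, str], List[str]]:
    """Same staked output behind two different blocks at the same height: a staker
    mining both sides of a fork with the same coins. Returns {(height, kernel): hashes}."""
    seen = defaultdict(set)
    for b in blocks:
        seen[(b.height, b.kernel)].add(b.block_hash)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def double_spends(blocks: List[Header]) -> Dict[str, List[str]]:
    """Same outpoint consumed by different transactions across the blocks seen: the
    seller's copy and the self-transfer copy. Returns {outpoint: sorted txids}."""
    spenders = defaultdict(set)
    for b in blocks:
        for tx in b.txs:
            for outpoint in tx.inputs:
                spenders[outpoint].add(tx.txid)
    return {k: sorted(v) for k, v in spenders.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed fork at height 101: both blocks are staked with the same output
    # and each carries one of the two conflicting spends of "coin:0".
    to_seller = Tx("tx-to-seller", ("coin:0",), ("seller:10",))
    to_self = Tx("tx-to-self", ("coin:0",), ("me:10",))
    unrelated = Tx("tx-unrelated", ("coin:7",), ("x:1",))
    b100 = Header("h100", 100, "h99", "stake-a:0", (unrelated,))
    b101a = Header("h101a", 101, "h100", "stake-b:0", (to_seller,))   # shown to the seller
    b101b = Header("h101b", 101, "h100", "stake-b:0", (to_self,))     # shown to everyone else
    print("double stakes:", double_stakes([b100, b101a, b101b]))
    print("double spends:", double_spends([b100, b101a, b101b]))
```

Both checks only see conflicts among blocks the node has actually received, and the seller in the text is handed only one of the two, which is exactly why "does not wait for N confirmations" is the weak point: a branch that the rest of the network keeps extending becomes visible to the seller as soon as he waits. The stake check also catches only same-height collisions; a staker reusing one output at different heights on two branches needs a comparison of the branches themselves.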

If you are interested in this problem, the details can be found here.

Read in the next instalments:

- War. War never changes. What other arguments did PoW and PoS advocates have?
- Make Love not War: how to cross PoW + PoS = Proof of Activity
- What is your evidence? Proof of Burn, Proof of Capacity.
- "What the hell are the generals about?"

Source: https://habr.com/ru/post/265561/

