|This article may rely excessively on sources too closely associated with the subject, potentially preventing the article from being verifiable and neutral. (August 2016) (Learn how and when to remove this template message)|
Proof-of-stake (PoS) is a type of algorithm by which a cryptocurrency blockchain network aims to achieve distributed consensus. Unlike proof-of-work (PoW) based cryptocurrencies (such as bitcoin), where the algorithm rewards participants who solve complicated cryptographical puzzles in order to validate transactions and create new blocks (i.e. mining), in PoS-based cryptocurrencies the creator of the next block is chosen in a deterministic (pseudo-random) way, and the chance that an account is chosen depends on its wealth (i.e. the stake). In PoS cryptocurrencies the blocks are usually said to be forged (in the blacksmith sense of this word), or minted, rather than mined. Also, usually all the coins are created in the beginning and the total number of coins never changes afterwards (although there are some other versions of PoS where new coins can be created). Therefore, in the basic version of PoS there are no block rewards (e.g. as in bitcoin); so, the forgers take only the transaction fees.
Block selection variantsEdit
Proof-of-stake must have a way of defining the next valid block in any blockchain. Selection by account balance would result in (undesirable) centralization, as the single richest member would have a permanent advantage. Instead, several different methods of selection have been devised.
Randomized block selectionEdit
Nxt and BlackCoin use randomization to predict the following generator, by using a formula that looks for the lowest hash value in combination with the size of the stake. Since the stakes are public, each node can predict - with reasonable accuracy - which account will next win the right to forge a block.
Coin age based selectionEdit
Peercoin's proof-of-stake system combines randomization with the concept of "coin age," a number derived from the product of the number of coins times the number of days the coins have been held. Coins that have been unspent for at least 30 days begin competing for the next block. Older and larger sets of coins have a greater probability of signing the next block. However, once a stake of coins has been used to sign a block, they must start over with zero "coin age" and thus wait at least 30 more days before signing another block. Also, the probability of finding the next block reaches a maximum after 90 days in order to prevent very old or very large collections of stakes from dominating the blockchain. This process secures the network and gradually produces new coins over time without consuming significant computational power. Peercoin's developer claims that this makes a malicious attack on the network more difficult due to the lack of a need for centralized mining pools and the fact that purchasing more than half of the coins is likely more costly than acquiring 51% of proof-of-work hashing power .
Proof of Work relies on energy use. According to a bitcoin mining-farm operator, energy consumption totaled 240kWh per bitcoin in 2014 (the equivalent of 16 gallons of gasoline). Moreover, these energy costs are almost always paid in non-cryptocurrency, introducing constant downward pressure on the price. Proof of Stake currencies can be several thousand times more cost effective.
The incentives of the block-generator are also different. Under Proof-of-Work, the generator may potentially own none of the currency they are mining. The incentive of the miner is only to maximize their own profits. It is unclear whether this disparity lowers or raises security risks. In Proof-of-Stake, those "guarding" the coins are always those who own the coins (although several cryptocurrencies do allow or enforce lending the staking power to other nodes).
Some authors argue that proof-of-stake is not an ideal option for a distributed consensus protocol. One problem is usually called the "nothing at stake" problem, where (in the case of a consensus failure) block-generators have nothing to lose by voting for multiple blockchain-histories, which prevents the consensus from ever resolving. Because there is little cost in working on several chains (unlike in proof-of-work systems), anyone can abuse this problem to attempt to double-spend (in case of blockchain reorganization) "for free".
Many have attempted to solve these problems:
- Ethereum's suggested Slasher protocol allows users to "punish" the cheater, who forges on the top of more than one blockchain branch. This proposal assumes you must double-sign to create a fork and that you can be punished if you create a fork while not having stake. However Slasher was never adopted; Ethereum developers concluded proof-of-stake is "non-trivial". Instead Ethereum designed a proof-of-work algorithm named Ethash. It is planned to be replaced by a different PoS protocol called "CASPER".
- Peercoin uses centrally broadcast checkpoints (signed under the developer's private key). No blockchain reorganization is allowed deeper than the last known checkpoints. The tradeoff is that the developer is the central authority controlling the blockchain.
- Nxt's protocol only allows to reorganize last 720 blocks. However, this only rescales the problem: a client may follow a fork of 721 blocks, regardless of whether it is the tallest blockchain, preventing consensus.
- Hybrid "Proof of burn" and proof of stake. Proof of burn blocks act as checkpoints, have higher rewards, contain no transactions, are more secure, and anchor both to each other and to the PoS chain, but are more expensive.
- Decred's hybrid proof-of-work and proof-of-stake. Proof-of-stake as an extension dependent on the Proof-of-work timestamping, based on the "Proof of Activity" proposal, which aims to solve the nothing-at-stake problem by having proof-of-work miners mining blocks and proof-of-stake acting as a second authentication mechanism.
Statistical simulations have shown that simultaneous forging on several chains is possible, even profitable. But Proof of Stake advocates believe most described attack scenarios are impossible or so unpredictable that they are only theoretical.
- Popov, Serguei (2016). "A Probabilistic Analysis of the Nxt Forging Algorithm". Ledger. 1: 69–83. ISSN 2379-5980. doi:10.5195/LEDGER.2016.46.
- "Nxt Whitepaper (Blocks)". nxtwiki. Retrieved 2 January 2015.
- mthcl (pseudonymous). "The math of Nxt forging" (PDF). pdf on docdroid.net. Retrieved 22 December 2014.
- Vasin, Pavel. "BlackCoin’s Proof-of-Stake Protocol v2" (PDF).
- King, Sunny. "PPCoin: Peer-to-Peer Crypto-Currency with Proof-of-Stake" (PDF). Retrieved 2014-11-17.
- Buterin, Vitalik. "What Proof of Stake Is And Why It Matters". Bitcoin Magazine. Retrieved 2013-11-20.
- Bradbury, Danny. "Third largest cryptocurrency peercoin moves into spotlight with Vault of Satoshi deal". CoinDesk. Retrieved 2013-11-20.
- Thompson, Jeffrey (15 December 2013). "The Rise of Bitcoins, Altcoins—Future of Digital Currency". The Epoch Times. Retrieved 29 December 2013.
- Whelan, Karl (2013-11-20). "So What's So Special About Bitcoin?". Forbes.
- "Carbon Footprint of Bitcoin". coindesk.com. Retrieved 2 January 2015.
- "Nxt Network Energy and Cost Efficiency Analysis" (PDF). Retrieved 21 December 2014.
- "Proof of Work, Proof of Stake and the Consensus Debate". cointelegraph.com. Retrieved 3 January 2015.
- Andrew Poelstra. "Distributed Consensus from Proof of Stake is Impossible" (PDF).
- Vitalik Buterin. "On Stake".
- "Hard Problems of Cryptocurrencies".
- Buterin, Vitalik. "Slasher: A Punitive Proof-of-Stake Algorithm".
- Buterin, Vitalik. "Slasher Ghost, and Other Developments in Proof of Stake". Retrieved 23 January 2016.
one thing has become clear: proof of stake is non-trivial
- Wood, Gavin. "Ethereum: A Secure Decentralised Generalised Transaction Ledger" (PDF). Retrieved 23 January 2016.
Ethash is the planned PoW algorithm for Ethereum 1.0
- "Nxt Whitepaper: History Attack". Nxtwiki. Retrieved 2 January 2015.
- Bentov I., Gabizon A., Mizrahi A. 2015. Cryptocurrencies without Proof of Work. arXiv Cryptography and Security. https://decred.org/research/bentov2015.pdf
- Chepurnoy, Alexander. "PoS forging algorithms: multi-strategy forging and related security issues" (PDF). github.com. Retrieved 30 December 2014.
- Chepurnoy, Alexander. "PoS forging algorithms: formal approach and multibranch forging". scribd.com. Retrieved 22 December 2014.