Proof of Stake
Proof of Stake is a proposed alternative to Proof of Work. Like proof of work, proof of stake provides a mechanism for determining who signs bitcoin transactions.
It was probablly first proposed here by Quantum Mechanic. With Proof of Work, the probability of mining a block depends on the work done by the miner (e.g. CPU/GPU cycles spent checking hashes). With Proof of Stake, the resource that's compared is the amount of Bitcoin a miner holds - someone holding 1% of the Bitcoin can mine 1% of the "Proof of Stake blocks".
Some argue that methods based on Proof of Work alone might lead to a low network security due to Tragedy of the Commons, and Proof of Stake is one way of changing the miner's incentives in favor of higher network security.
Here is one attempt to describe an implementation of Proof of Stake.
- 1 Motivation For Proof of Stake
- 2 Implementations
- 2.1 Cunicula's Implementation of Mixed Proof-of-Work and Proof-of-Stake
- 2.1.1 Definitions
- 2.1.2 How the system works
- 2.1.3 Does this system exhibit Constant-Returns-to-Scale ?
- 2.1.4 How could we see constant returns to scale here?
- 2.1.5 Stylized Example (You get an outcome that works like this when p is close to 1)
- 2.1.6 Infeasibility of Pure Proof of Stake Under this System
- 2.2 Meni's implementation
- 2.3 Key difference between the two proposals
- 2.1 Cunicula's Implementation of Mixed Proof-of-Work and Proof-of-Stake
Motivation For Proof of Stake
- A proof-of-stake system might provide increased protection from a malicious attack on the network. Additional protection comes from two sources:
1) Executing an attack would be much more expensive. 2) Reduced incentives for attack. The attacker would need to own a near majority of all bitcoin. Therefore, the attacker suffer severely from his own attack.
- When block rewards are produced through txn fees, a proof of stake system would result in lower equilibrium txn fees. Lower long-run fees would increase the competiveness of bitcoin relative to alternative payments systems. Intuitively reduced fees are do to vast reductions in the scale of wastage of resources.
The Monopoly Problem
If a single entity (hereafter a monopolist) took control of the majority of txn verification resources, he could use these resources to impose conditions on the rest of the network. Potentially, the monopolist could choose to do this in malicious ways, such as double spending or denying service. If the monopolist chose a malicious strategy and maintained his control for a long period, confidence in bitcoin would be undermined and bitcoin purchasing power would collapse. Alternatively, the monopolist could choose to act benevolently. A benevolent monopolist would exclude all other txn verifiers from fee collection and currency generation, but would not try to exploit currency holders in any way. In order to maintain a good reputation, he would refrain from double spends and maintain service provision. In this case, confidence in Bitcoin could be maintained under monopoly since all of its basic functionality would not be affected.
Both benevolent and malevolent monopoly are potentially profitable, so there are reasons to suspect that an entrepreneurial miner might attempt to become a monopolist at some point. Due to the Tragedy of the Commons effect, attempts at monopoly become increasingly likely over time.
How Proof of Stake Addresses Monopoly Problems
Monopoly is still possible under proof-of-stake. However, proof-of-stake would be more secure against malicious attacks for two reasons.
Firstly, proof-of-stake makes establishing a verification monopoly more difficult. At the time of writing, an entrepreneur could achieve monopoly over proof-of-work by investing at most 10 million USD in computing hardware. The actual investment necessary might be less than this because other miners will exit as difficulty increases, but it is difficult to predict exactly how much exit will occur. If price remained constant in the face of extremely large purchases (unlikely), such an entrepreneur would need to invest at least 20 million USD to obtain monopoly under proof-of-stake. Since such a large purchase would dramatically increase bitcoin price, the entrepreneur would likely need to invest several times this amount. Thus, even now proof-of-stake monopoly would be several-fold more costly to achieve than proof-of-work monopoly. Over time the comparison of monopoly costs will become more and more dramatic. The ratio of bitcoin's mining rewards to market value is programmed to decline exponentially. As this happens, proof-of-work monopoly will become easier and easier to obtain, whereas obtaining proof-of-stake monopoly will become progressively more difficult as more of the total money supply is released into circulation.
Secondly, and perhaps more importantly, a proof-of-stake monopolist is more likely to behave benevolently exactly because of his stake in Bitcoin. In a benevolent monopoly, the currency txn continue as usual, but the monopolist earns all txn fees and coin generations. Other txn verifiers are shut out of the system, however. Since mining is not source of demand for bitcoin, bitcoin might retain most of its value in the event of a benevolent attack. Earnings from a benevolent attack are similar regardless of whether the attack occurs under proof-of-stake or proof-of-work. In a malicious attack, the attacker has some outside opportunity which allows profit from bitcoin's destruction (simple double-spends are not a plausible motivation; ownership of a competing payment platform is). At the same time, the attacker faces costs related to losses on bitcoin-specific investments which are necessary for the attack. It can be assumed that a malicious attack causes the purchasing power of bitcoin to fall to zero. Under such an attack, the proof-of-stake monopolist will lose his entire investment. By contrast, a malicious proof-of-work monopolist will be able to recover much of their hardware investment through resale. Recall also, that the necessary proof-of-work investment is much smaller than the proof-of-stake investment. Thus, the costs of a malicious attack are several-fold lower under proof-of-work. The low costs associated with malicious attack make a malicious attack more likely to occur.
Why Proof of Stake Would Likely Decrease Long-run Txn Fees Considerably
In a competitive market equilibrium, the total volume of txn fees must be equal to opportunity cost of all resources used to verify txns. Under proof-of-work mining, opportunity cost can be calculated as the total sum spent on mining electricity, mining equipment depreciation, mining labor, and a market rate of return on mining capital. Electricity costs, returns on mining equipment, and equipment depreciation costs are likely to dominate here. If these costs are not substantial, then it will be exceptionally easy to monopolize the mining network. The fees necessary to prevent monopolization will be onerous, possibly in excess of the 3% fee currently charged for credit card purchases. Under pure proof-of-stake, opportunity cost can be calculated as the total sum spent on mining labor and the market interest rate for risk-free bitcoin lending (hardware-related costs will be negligible). Since bitcoins are designed to appreciate over time due to hard-coded supply limitations, interest rates on risk-free bitcoin-denominated loans are likely to be negligible. Therefore, the total volume of txn fees under pure proof-of-stake will just need to be just sufficient to compensate labor involved in maintaining bandwidth and storage space. The associated txn fees will be exceptionally low. Despite these exceptionally low fees, a proof-of-stake network will be many times more costly to exploit than the proof-of-work network. Approximately, a proof-of-work network can be exploited using expenditure equal to about one years worth of currency generation and txn fees. By constrast, exploitation of a proof-of-stake network requires purchase of a majority or near majority of all extant coins.
There are currently at least two distinct proposals on how to implement PoS, by Cunicula and Meni.
Cunicula's Implementation of Mixed Proof-of-Work and Proof-of-Stake
This suggestion is of a mixed Proof-of-Work / Proof-of-Stake system.
'Coin-confirmations' are defined as the product of the number of coins in an account multiplied by the number of confirmations on this account.
'Confirmations' are defined as the number of blocks mined since this account's private key was last used to send coins or sign a newly mined block.
How the system works
Each block must be signed by its miner using a single bitcoin account. The account used to sign a block must also be the recipient of txn fees and generation from this block. Blocks are mined by proof-of-work hashing as before, but with modified difficulty criteria. The difficulty criterion for block validity is modified as follows:
Hash generates valid block if and only if
Hash Difficulty >= Difficulty Target / ( max(Coin-confirmations used to sign block, 100 satoshi-confirmations) )^( p / (1-p))
, where 0 <= p < 1. Stake becomes more and more important as p approaches 1. p=0.8 is suggested as an appropriate choice. p=0 is identical to the current proof-of-work system.
If the block is signed by a bitcoin account holding less than 100 satoshi-confirmations, this is treated as if the account held 100 satoshi-confirmations. Thus non-stakeholders are allowed to verify blocks, but relative to stakeholders they must meet extremely stringent difficulty criteria. Permitting non-stakeholders to verify blocks solves the initial distribution problem.
As before the Difficulty Target is a periodically adjusted constant which is set to maintain a target generation rate of 1 block every 10 minutes.
Does this system exhibit Constant-Returns-to-Scale ?
While the formal theory behind this has yet to be laid out in detail, simulations indicate that the system is fully described by a constant returns-to-scale Cobb-Douglas production function. Generation rate over a long time span is almost perfectly predicted by the following equation, where Q is generation per unit time, k is the number of coins invested in generation, h is hashing power, A is an arbitrary constant which is inversely proportional to difficulty, and p is the parameter described in the previous section.
Q = A*k^(p)*h^(1-p)
How could we see constant returns to scale here?
Returns-to-scale in this system are subtle. If you double hashing power at one point in time, then you double the probability that you will find a block in the current hashing round. Therefore, intuitively one might think that doubling hashing power would allow you to generate double the amount of bitcoin generated per unit time on average. However, this is not true. Outcomes in each round of hashing affect outcomes in subsequent rounds of hashing. In this system, failure to find a block in the current period leads to decreased expected waiting time in the next round (since if you fail in the current round you get the consolation prize that the next round will have an easier target). This decrease in future waiting time provides some compensation for not mining the block immediately. Thus, doubling your chance of mining the block immediately does not double your output over a longer period.
Stylized Example (You get an outcome that works like this when p is close to 1)
Consider a system where: you have a 0% chance of mining coins at less than 6 coin confirmations, a 50% chance of mining coins at 6 coin confirmations, and a 100% chance of mining coins at 7 or more coin confirmations.
Half the time you will mine your coin after 6 confirmations. The other half you will mine your coin after 7. Therefore, it will take 6.5 rounds on average to mine a block.
Now what if you double hashing power. Remember that this doubles your chance of mining a block at any given stage. Now.. you have a 0% chance of mining coins at less than 6 coin confirmations, a 100% chance of mining coins at 6 or more coin confirmations,
Therefore, it will take 6 rounds on average to mine a block.
Here you have doubled hashing power, but only increased average output per unit time by a small amount.
Infeasibility of Pure Proof of Stake Under this System
Note: in the limit when p -> 1 (that is p approaches pure proof of stake), you approach a situation where you have a 0% chance of mining coins at less than x coin confirmations, but a 100% chance at x+1 coin confirmations, where x depends soley on difficulty. Mining becomes completely deterministic and doubling hashing power has no effect on output at all. Essentially miners take turns to mine blocks. The frequency with which a miner's turn comes up is equal to his ownership share in the total volume of coins actively used for mining. This sounds really good, but a fatal problem arises if participation falls. A fall in participation would make it impossible for anyone to mine blocks. Particularly, worrisome is that if participation is at 100%, a loss of some coins would interrupt the blockchain forever with no possible remedy except location of the missing coins. Even without a loss of coins, simply transferring coins across wallets can disrupt turn-taking and freeze the blockchain forever. For these reasons, it is necessary for block mining to retain a random element and not follow a deterministic, pure proof of stake system, i.e. p can safely be 0.8 or 0.9 or even 0.99, but 0.9999999999999999 would make complete failure of the blockchain a certainty.
Key difference between the two proposals
In Cunicula's system, voting power is determined by combining (multiplicatively) your hashrate and stake. To be effective you need both to be high (which IMO is very problematic because small players cannot contribute effectively. It's not linear.) (Response: Though we are waiting on formal mathematical analysis, evidence to date suggests that this is not true. Simulations described in this thread  indicate that small players compete equally with large players and the multiplicative combinations of hashrate and stake exhibit constant returns. Evidence in the thread suggests that simulation results are accepted by both Cunicula and Meni.)
In Meni's, there's a skeleton based purely on hashrate, and superimposed on it are occasional checkpoints set by stakeholders. You can contribute PoW without having stake, and you can contribute PoS without having work, and in both cases your voting power and reward is linearly proportional to the resources you have.