Dissector: A punitive proof-of-stake algorithm

The purpose of this post is not to say that Ethereum will use Slasher instead of Dagger as its main mining function. Instead, the Slasher is a useful build in our war chest in case proof of stake mining becomes more popular or a compelling reason to switch is presented. Slasher may also benefit other cryptocurrencies that wish to exist independently of Ethereum. Special thanks to tacotime for some inspiration, and to Jack Walker for improvement suggestions.

Proof of stake mining has long been a huge area of ​​interest for the cryptocurrency community. The first proof-of-stake coin, PPCoin, was released by Sunny King in 2012, and has consistently remained among the top five altcoins. By the monetary base since then. And for good reason. Proof of Stake has a number of advantages over Proof of Work as a mining method. First and foremost, Proof of Stake is more environmentally friendly; While Proof of Work requires miners to effectively burn computational power on useless accounts to secure the network, Proof of Stake effectively mimics burning, so no real-world energy or resources are ever wasted. Second, there are concerns about centralization. With proof of work, mining is essentially dominated by specialized hardware (“application-specific integrated circuits” / ASICs), and there is a high risk that one big player like Intel or a major bank will de facto take over. Market monopoly. Solid-memory mining algorithms like Scrypt and now dagger Alleviating this greatly, but still not completely. Again, proof of stake, if it can be made to work, is basically an ideal solution.

However, proof of stake, as implemented in almost every currency to date, has one fundamental flaw: as one prominent Bitcoin developer put it, “there is nothing at stake.” The meaning of the statement becomes clear when we try to analyze what exactly happens in the event of a 51% attack attempt, which is the situation that any type of proof-of-work mechanism aims to prevent. In a 51% attack, attacker A sends a transaction from A to B, waits for the transaction to be confirmed in block K1 (with asset K), collects a product from B, and then immediately creates another block K2 on top of K – with a transaction sending the same bitcoins but This time from A to A. At this point, there are two blockchains, one from block K1 and one from block K2. If B can add blocks above K2 faster than the entire legitimate network can add blocks above K1, the K2 blockchain will win – and it will be as if the payment from A to B never happened. The goal of Proof of Work is to make it take a certain amount of computational power to create a block, such that for K2 to outperform K1 B must have more computational power than the entire legitimate network combined.

In the case of Proof of Stake, it doesn’t take computational power to create a business — it takes money instead. In PPCoin, each “coin” has a chance per second of becoming the lucky coin that has the right to create a new valid block, so the more coins you have, the faster new blocks will be created in the long run. Thus, a 51% successful attack, in theory, would require not having more computing power than the legitimate network, but more money than the legitimate network. But here we see the difference between Proof of Work and Proof of Stake: In Proof of Work, the miner can only mine on one fork at a time, so the legitimate network will back the legitimate blockchain and not the attacker’s blockchain. However, in Proof of Stake, once a fork occurs, miners will have funds in both forks at the same time, and thus miners will be able to mine on both forks. In fact, if there is even the slightest chance that the attack will succeed, miners have an incentive to mine both. If a miner has a large number of coins, the miner will want to oppose attacks to preserve the value of his coins; However, in an ecosystem with small miners, network security would likely collapse into a classic public goods problem where no single miner has a significant impact on the outcome, and thus each miner would act purely “selfishly.”

the solution

Some have assumed that the above argument is a slam dunk on any proof of stake, at least without evidence of the labor component that aids it. In a context where each series is only aware of itself, this is certainly true. However, there is actually a clever way around this problem, one that has not been explored yet: make the chain aware of other chains. Then, if a miner is caught mining on two chains at the same time, that miner can be penalized. However, it is not at all clear how to do this using a PPCoin-like design. The reason is that mining is a random process. This means that a miner with 0.1% of the stake has a 0.1% chance of mining a valid block on block K1, a 0.1% chance of mining a valid block on block K2, but only a 0.0001% chance of mining block K2. Block is valid for both. In this case, the miner can simply hold back the second block – since mining is probabilistic, the miner can still get 99.9% of the mining benefit on the second block.

However, the following proposal outlines an algorithm, which we call Slasher to express its harshly punitive nature, to avoid this proposal. The design description here uses address credits for clarity, but it could just as easily be used to work with “unspent transaction outputs,” or any other similar abstraction that other currencies might use.

1. Blocks are mined with proof of work. However, we make one modification. When generating a block K, the miner must include the value H(n) of some random n generated by the miner. The miner must claim the reward by launching a transaction that reveals n between blocks K+100 and K+900. The proof of work reward is very low, ideally encouraging energy usage equivalent to about 1% of Bitcoin usage. The target block time is 30 seconds.
2. Suppose the total money supply is M and n[i] is the value of n in block i. In block K+1000, address A with balance B gains “signing privilege” if sha256(n)[K] + n[K+1] + … + n[K+99] + A) < 2^256 * 64 * B / M. Basically, an address has a chance of obtaining a signing privilege proportional to the amount of money it has, and on average it will be allocated 64 signing privileges per block.
3. In block K+2000, miners with signing privileges from block K have the opportunity to sign the block. The number of signatures is what determines the total length of one block chain versus another. The signature gives the signer a much larger reward than the PoW reward, and this reward will be unlocked by block K+3000.
4. Suppose the user detects two signatures made by address A on two different blocks with height K+2000. This node can then post a transaction containing those two signatures, and if that transaction is included before block K+3000, it destroys the reward for that signature and sends 33% to the user who exposed the cheater.

The key to this design is how signing privileges are distributed: instead of signing privilege being randomly based on the previous block, signing privilege is based on a block two thousand blocks ago. Thus, if a fork occurs, a miner who is unlucky on one chain will also be unlucky on the other, completely eliminating the potential double mining attack that can occur with PPCoin. Another way to look at it is that since Slasher has been using Proof of Stake since 2000 blocks rather than Proof of Stake now, and the forks will almost certainly not last 2000 blocks, there is only one coin supply to mine, so there is actually “something at stake” . The penalty for losing the block reward ensures that each node makes sure to sign only one block at each block number.

The use of 100 pre-committed random numbers is an idea taken from fair gambling protocols; The idea is that powerful miners have no way to try to create many blocks and only publish those that give their own stake the signing privilege, because they don’t know what any of the other random data is used to identify stakeholders when they create their own stake. Blocks.

The system is not just proof of reconciliation; Some minimal proof of work will be required to maintain an interval between blocks. However, a 51% attack on proof of work would be essentially insignificant, because proof of stake signing is the only deciding factor on which blockchain wins. Moreover, the energy consumption generated by PoW can be reduced by 95-99%, which solves the environmental problem of PoW.