Proof-of-stake mining (or minting) is much more environmentally friendly (near to zero electricity consumption) and decentralized (no ASICs) than the widespread proof-of-work mining. However it has an unresolved flaw known as the “nothing at stake” issue. This post propose a solution to this problem based on Peercoin, the pioneer proof-of-stake cryptocurrency.
The above picture represents a blockchain. Blocks in green compose the main chain, and blocks in red compose orphan chains.
Because it effectively consume computational power to mine a proof-of-work block, a miner will have to “choose” on top of which block he wants to mine. A rational miner will only mine on top of the main chain since this is the branch the most likely to be accepted by the other nodes of the network. This fact introduce a computational race that stabilize the proof-of-work blockchain and secure it against double spend attacks.
On the contrary and by design it does not consume computational power to mint a proof-of-stake block, but instead it consumes coin-age. The fundamental difference with proof-of-work mining is that it doesn't cost anything to mint an orphaned block, since the coin-age is consumed only in one branch but not in the others. Thus if at a given time there are multiple chain competing to be the main chain, a rational miner would search block in both chain.
In the above situation the cost to search for a block simultaneously on top of A and B in null. There is even a little incentive to do so, because the quicker a minter find a block, the more cumulative interests he will receive. In the current Peercoin model, this incentive is low enough to be considered negligible. However if proof-of-stake blocks had a constant mint per block, at least for a part (which is something the Peercoin community is considering to strengthen minting incentives) a rational minter will have a significantly stronger incentive to mint on multiple chains at the same time.
Actually even in the general case, a minter could literally try to mint on top of any block since the last checkpoint for free, here blocks B to J. In the above example if a minter find a block on top of B he will broadcast it and this block will have a little chance to become the main chain. Even if there are only a few "selfish" minters that behave in this manner, this leads to a destabilization of the blockchain, and users will have to wait for a larger number of confirmations before assuming that a transaction is irreversible.
Even worse, as described in the “Cryptocurrencies without Proof of Work” paper, a PeerUndo service (inspired by Bitcoin BitUndo) could be created to reverse a Peercoin transaction with n confirmations. PeerUndo will pay people to mint on top of a chain fork that start at least (n+1) blocks ago. If the attack succeeds, the transaction will be reversed and the minters of the fork will receive the money from PeerUndo. If the attack fails minters of the fork won't loose anything at all. While with proof-of-work mining these miners would have lost their computational power (ie electricity, ie money) which is why BitUndo can't reverse confirmed transactions.
| Cost to mine a block | on the main chain | on a orphan chain |
|---|---|---|
| with proof-of-work | computational power | computational power |
| with proof-of-stake | coin age | null |
The following paragraphs expose a Peercoin protocol modification ensuring that minters could only allocate their coin-age stake to a single chain at a given time. The proposal is based on a solution to the underline problem of orphaned blocks cost-free minting.
In Peercoin, proof-of-stake blocks contains a coinstake transaction described in the white paper. In this special transaction the output value is greater than the sum of all inputs. The difference correspond to the newly generated coins. The first input is called the kernel and its hash is used as a parameter of the minting puzzle function.
The coinstake transaction has two goals:
- The coin-age consumption
- The monetary creation
I propose to split the coinstake in two distinct transactions each of them handling one of the above goal.
The first one is the coin-age proof-of-burn transaction that I'll abbreviate as the burn transaction. This transaction is quite similar to the coinstake transaction except that it doesn't handle the monetary creation, and as a result the output amount equals the sum of all inputs, like in any standard transaction. This transaction has nothing special, it is just a transaction from a stake holder to himself that is made to reset the age of the stake, ie to burn the coin-age.
The second one is the creation transaction. It is similar to the Bitcoin coinbase transaction: there is no input, and the output(s) correspond to the newly generated coins. This is a special transaction that is only valid in its proof-of-stake block and can't be re-used elsewhere (similarly the coinbase transaction can't be created without mining a block).
When both the burn and the creation transactions are included at the beginning of the transactions list of a proof-of-stake block, they behaves exactly like the current coinstake transaction. Peercoin nodes verify the kernel hash (ie the hash of the first input of the burn transaction) and the amount of monetary creation.
Let's consider an attacker (or a group of attackers) that want to double-spend a transaction with n=6 confirmations.
Honest holders mint on top of the green chain, attackers on top of the red one. With the current Peercoin protocol, the attack is risk-free, if the attack fails, the attackers won't lost anything.
Now let's look at what will happen with the protocol modification exposed on the above paragraph. To mint a block on the red chain, a minter will have to broadcast, along with the block, a valid creation transaction and a valid burn transaction. Since the burn transaction is a standard transaction (from a holder to himself) it can be included in other chains, and in this particular case in the green one. Someone minting on the green chain, will simply extract the burn transaction from the attacker block, and then include it in the next block on the green chain along with other transactions. The goal of this is to reset the age of the burn transaction output on the green chain. So if the red attack fails, minters of the red chain will lose their coin age capital in both the red and the green chain.
| Cost to mine a block | on the main chain | on a orphan chain |
|---|---|---|
| with proof-of-work | computational power | computational power |
| with proof-of-stake | coin age | coin age |
This case is already handled by the Peercoin protocol. If a client receive two blocks with the same kernel, it will ignore the second one. So it's not possible to mint on two different chains with the same output.
The protocol modification also incentive a new type of attack which work as follows. A selfish holder mint a block but keep it private by not broadcasting it. Then later, a honest holder mint a block and broadcast it. The selfish minter can now publish its own block, and since the timestamp associated to its block kernel is lower that the other one, it's block will be considered to be the first one, and so the honest minter block will be considered as an orphan block and he will lose the associate coin age capital.
To solve this attack, a solution would be to use the same rule that as classical proof-of-work algorithms, ie the first block received is the legitimate block. And minter shouldn't broadcast their block ahead of time.
Should the burn transaction include the 0.01 transaction fee? Otherwise it won't be a standard transaction. If it does it should be compensated in the creation transaction.
Is the risk of a large proportion of the network running a modified Peercoin client (provided by a peerundo service) is significant? Some members of the Peercoin community have argued that people won't run a client that risk to destroy their investment. The same argument is used in the Bitcoin community about mining centralisation: people won't join a pool with a large part of the mining power of the network because that will end up destroying the bitcoin value.
In my humble opinion this risk exists, and it will grow with cold mining (that's minting without your client being able to spend your funds), people may be interested in third party clients that promise more revenues (thanks to the commission for double spending peercoin transactions) and with no risk regarding their own peercoins (thanks to cold minting). But only time will tell.
I like the idea of splitting the coinstake transaction.
In PoS blocks we have and unused coinbase transaction, that we can use.
Splitting the coinstake has the disadvantage of creating a small value UTXO for the interest.
This might be solved by allowing additional inputs (with the same redeem script) in the "coin-age consumption" transaction.
A separate "coin-age consumption" transaction could allow minting to any type of script, not only limited to P2PK.
However, with this proposal I believe there is a too big incentive to mint offline.
I think we could mitigate that by giving PoW blocks some chain weight.
To be continued.