This week, we’ll be going over the commonly spoken but not well defined words “PoS” or “Proof-of-Stake”. If you haven’t already, be sure to check out our other posts in the consensus series covering preliminaries and PBFT.
Proof-of-Work, consensus is based only on computation power. Participation is fluid. Thus, from the protocol standpoint, it is entirely permissionless. Anyone with the capability of solving the hash puzzle has a chance to contribute to consensus. This capability is in no way given to anyone by the protocol itself. As more hash power joins the network problem difficulty goes up. In economic equilibrium, problem difficulty scales with token value. Energy consumption goes up and chance of mining a block per unit of hash power goes down.
Proof-of-Stake (PoS) protocols switch the participation requirement to be based on stake in the underlying currency instead of hash power. This section introduces the major themes of PoS and some of its variants.
The original usage of “Proof-of-Stake” refers to a class of Nakamoto consensus algorithms where a node’s holdings or stake in the underlying currency is converted to virtual computation power. The name is derived from its similarity to Proof-of-Work somewhat literally replacing the “Work” with “Stake” in the algorithm. For example, the PoW mining problem might be changed from:
hash(parent, nonce) <= difficulty
to something like:
hash(parent, address A) <= balance(address A) * time * difficulty
with the remainder of the protocol unchanged.
Since original PoS still uses the longest fork choice rule, the immediate issue is that it is easy for nodes to “mine” blocks on many forks at once. This is byzantine behavior as honest nodes only mine on a single longest block. However, since there is no cost for acting byzantine, we can not assume nodes will not do so. It is strict economic gain as more mined blocks on different forks means a higher chance of being included in the canonical chain and earning block rewards. This is referred to as the the nothing at stake problem and can be addressed with slashing which we’ll discuss soon. There are still other difficult to address vulnerabilities.
Committee based Proof-of-Stake
The term Proof-of-Stake has also been applied to classical consensus protocols that use some staking based scheme for choosing its participants. We call the chosen set of participants a committee and individually we refer to them as voters. In these protocols, participants put down a deposit in the underlying currency for the right to become a voter in the network. The committee is responsible for creating new blocks on the blockchain. The nothing at stake problem can be addressed by slashing a voter’s deposit when there is cryptographic evidence of the voter’s bad behavior.
Though we consider this bad use of Proof-of-Stake, it seems far past the point where this usage can be corrected. Thus Proof-of-Stake refers to a broad class of blockchain protocols where participation is based on stake which include both Nakamoto and classical consensus protocols.
Other approaches include permissioned networks where the set of consensus nodes are known beforehand. A similar (arguably indistinguishable) approach is to allow each individual node on the network to choose the nodes they trust to achieve consensus. Public networks like Stellar and Ripple deploy the latter. Permissioned networks are the obvious choice for private consortium chains.
With staking, deposited stake must be released eventually at which point it can no longer be slashed. After this point, voters (who may have moved or sold their stake) can release their old private keys with no consequence. If an attacker obtains enough of these keys (by purchasing them for example) they can readily create a new blockchain that forks the current one from a long time ago. This is referred to as a long range attack. Thankfully, there is a straightforward defense. Nodes on the network will simply reject any blockchain that doesn’t extend recently from their own blockchain thus thwarting this attack entirely. For new nodes joining the network, the only solution is to pick a set of trusted nodes to provide them with the canonical chain. In practice, this solution seems satisfactory at least when considering the fact that the $$$ value (of a cryptocurrency) is a social construct to begin with.
PoW mining pools combine the hash power of many nodes distributing risk and rewards across all participants. Analogous to this, PoS participants may delegate their stake to another consensus node on the network who will take a cut of the rewards. Delegation is simpler than pool mining as it does not involve the delegator to run any of their hardware. Delegation might be built directly into the protocol or trustlessly mediated by a smart contract. If it’s not supported in the protocol, delegation can also be done off-chain with a trusted service provider. Most PoS chains support non-custodial (trustless) delegation and there are many staking as a service providers out there to make delegating your stake even easier.
For clarity, we will briefly talk about the DPOS BFT¹ consensus algorithm which is a simple classical-like consensus algorithm. DPOS BFT takes the top 21 (say) highest staking nodes (which include delegated stake from other users) to be nodes participating in consensus. Consensus is achieved through round robin proposing and voting. Offline proposers are skipped after sufficient time. Two round robin rounds of proposed blocks are needed to finalize a block. DPOS BFT is the name of this consensus algorithm. The name also refers to the mechanism of delegating stake to choose participants which is a feature available in many other PoS blockchains. Similar consensus algorithms include Aura and Clique. These algorithms are also known as Proof-of-Authority, which refers to the participants being chosen based on a-priori authority and says nothing about the mechanism for consensus.
As of writing, PoW blockchains still hold a large majority of the cryptocurrency market cap and proponents advocate for their completely permissionless and decentralized nature. From an economic standpoint, PoW networks fall short of PoS in terms of security.
The main issue is that the cost of attack is proportional only to lost mining time. Since a longer adversarial fork becomes the canonical chain, any rewards lost are immediately returned. Thus the cost of attack is proportional to rewards lost during the attack which are returned if the attack succeeds.
With services such as online hash power markets, coordinating such an attack is entirely trivial. In addition, Volatile token prices means mining may not be consistently profitable. If mining not profitable, there will be an excess of unused hash power (bitcoin ASICS have few other uses) that could be sold for for a profitable attack. Hash power owners who have withdrawn their bitcoin would gladly take a premium in exchange for renting their unused hardware. In practice we’ve already seen several 51% attacks on major a PoW chains.
Proof-of-Stake, subverts these issues by relying on deposits and slashing schemes to disincentivize attacks. The cost of attack in a PoS blockchain can be precisely set by the deposit requirement and slashing amount. In practice, these prices should be set so high that such an attack would never be profitable. Thus, from an economic standpoint, PoS is more secure than PoW by design. For the curious reader, we suggest this blog post for a more detailed discussion on the design philosophy of PoS.
So we see there are many ways to look at consensus and choosing participants for consensus. In Nakamoto protocols, the mechanism for choosing participants and consensus are inseparable. It seems that in continuing a dialog that started with Bitcoin, many non-Nakamoto blockchain protocols still combine these two concepts and add to the confusion. The usage of Proof-of-Stake to refer to a means of choosing participants rather than a mechanism for consensus is perhaps for a similar reason. We hope this brief exposition here will clarify some of the ambiguous terminology.
: This single 7 character acronym blurs the terminology for delegating stake with a consensus algorithm, a Nakamoto style consensus algorithm with a committee selection policy, and a fault tolerance mode with finality guarantees 🥇.