Proof-of-Skill Decentralized Consensus

Image for post
Image for post

Thus far, all proposed alternatives to Proof-of-Work have failed to live up to expectations. Leaving many in the bitcoin community convinced that this is a fools errand, and react to any mention of Proof-of-Stake with a roll-of-eyes and loss of attention.

This post will first breakdown blockchain consensus algorithms and come up with properties and a framework needed for reaching decentralized consensus. With a key finding being the need for data from outside the blockchain to be known inside.

Then Proof-of-Skill is described as a new consensus algorithm that works by using external data that already has decentralized consensus. This data, derived from major sporting events, is used to generate coins which are then distributed to users based on the skill of predicting said sporting events. These skill coins combined with Nxt Forging is then used to reach distributed decentralized consensus.

Blockchain based digital currency are transferred when a sender digitally signs a transaction. The transaction is then broadcasted and propagates through the entire network. However, since it takes time to propagate, how can the receiver know that the sender didn’t “double spend” the same coins? When a double spend is attempted, half the network thinks receiver-A gets the coins, and the other half thinks receiver-B gets the coins.

Solving the double-spend problem, while maintaining censorship resistance, requires a decentralized distributed consensus algorithm. Every N minutes, a pseudo-random node on the network becomes the oracle and gets to decide which receiver gets the money. He does this by packing the transactions into a block with “Proof” that he is the oracle and broadcasting the block to the network.

For this system to work, all the nodes need to independently verify this “Proof.” For the block signer to be pseudo-random, the “Proof” has to be a result of a pseudo-random process.

Based on findings above, we can deduce two properties required of a consensus algorithm:

Property #1: A problem must be independently derived by all nodes, using only the information contained in the blockchain.

Property #2: The solution must be independently verifiable by each node.

Proof-of-Work algorithm:

  1. The block hash must contain N leading 0’s.
  2. Nodes can independently verify the solution by running the SHA256(block) — and counting the number of leading 0’s

Proof-of-Work can be thought of as finding a needle in a haystack. In order to find the solution, a miner would run SHA256(block) over and over again with just a small change to the block header. This is done by incrementing a counter, also known as a ‘nonce’.

Proof-of-Stake algorithm(Nxt):

  1. ‘Public-key of block-signer’ plus ‘previous block-signer’ must hash to a value less than X times the ‘block-signers balance’ times ‘the number of seconds since last block’
  2. Nodes can independently verify the hash by running: SHA256(pk(block-signer) + pk(prev-block-signer)) < X * balance(block-signer) * seconds-since(prev-block)

Proof-of-Stake can be thought of as a lottery. Each coin holder has a different lottery ticket. The number of coins held determines the probability of winning. The more coins one has, the higher the chance of winning the lottery.

Image for post
Image for post
PoW as a ‘needle in a haystack’ system vs. PoStake as a ‘lottery’ system.

Blockchain consensus algorithms only work if they cannot be manipulated in such a way that a single entity has the ability to sign a majority of blocks. Lets stress test…

PoW: The block hash must contain N leading 0’s.

Proof-of-Work consists of finding a block with N leading 0's. This can only be done in brute-force by incrementing the nonce with many parallel computers. However, the block difficulty increases each time a block is found faster than 10 minutes, requiring more processing power. It turns out that the energy cost of processing POW makes it an even playing field. Consensus verified!

PoStake: SHA256(pk(block-signer) + pk(prev-block-signer) ) < X * balance(block-signer) * seconds-since(prev-block)

Proof-of-Stake can be stress tested on the right or left side of the inequality. On right side, we can try buying more stake. But that is prohibitive because of the costs and as you buy more stake you incentive to be honest increases. So far so good…

On the left side - we have pk(block-signer) — which is our public-key. Since we generated this key our-self, we can just try to generate many keys over and over, until we win the lottery. We can do this block after block after block! It turns out that PoStake degenerates into PoW, making PoStake irrelevant. Consensus failed!

Both PoW and PoStake fulfill the two properties discussed above. However, PoW reaches consensus while PoStake does not. So what is PoStake missing? Looking carefully at PoW, we see the nonce is the one piece of data from the real world, outside the blockchain.

Property #3: External effort must be implicitly tied to the block signer through Proof.

Scope of this post is limited to describing an algorithm that reaches distributed decentralized consensus, for purpose of blockchain synchronization and double-spend avoidance.

Goal of Proof-of-Skill is to be the second true consensus algorithm after Proof-of-Work, and ultimately rely on Bitcoin for fiat liquidity. With Bitcoin as a backstop, the scope is farther limited to reaching consensus in the context of utility. For bitcoin, the utility is the worlds electronic cash. For Protoblock, the utility of Fantasybits is monetizing the skill of predicting sporting events and hedging external sports gambling risks. Utility comes into play when looking at incentives of attacking ones own stake.

Theoretical attack surfaces meant to counter-act economic incentive structures are not addressed in the post. These includes things like:

  • Selfish mining “economic attacks” in POW, where a miner loses money in the short term, for the purpose of sabotaging his competition, to force him to join his coalition to 51% attack the network.
  • Stealing stake in POStake, to counter-act the cost of buying enough stake to mount an attack.
  • Taking a large short position on a coin, to counter-act the cost of mounting an attack.

Distributed decentralized consensus is mathematically impossible. Satoshi took a practical approach and gave us Bitcoin with PoW, a probabilistic solution to the impossible. Nocoiners are still refusing to suspend their intuitive belief that bitcoin is impossible.

Bitcoiners are now falling into that same trap. Yes, PoS is impossible. No, we have not seen a real non-currency use case that requires a separate public blockchain. But suspending our beliefs is what got us all here!

Major public professional sporting events are considered a phenomenon, where up to 1.5 billion people watch the same thing at the same time. And after the game, billions of dollars in bets are settled based on the final score. On top of that, thousands of statistics are compiled and normalized into ‘Fantasy Points’ and billions of more dollars are awarded to winners of fantasy sports contests. All this without any central authority! In fact, humans have been reaching decentralized consensus on major public sporting events since the Roman times.

The 2015 Cricket World Cup was watched by 20% of the worlds population. A true phenomenon.

In theory, there already is consensus on major sports data, but how does the data get into the blockchain without a centralized oracle? The actual implementation requires 66% of stake to sign, but users can appoint Data Agents for practicality. Full details are found in the 2014 white paper: Distributed Engineered Autonomous Agents : Satoshi Fantasy.

Outside data that already has decentralized consensus can now be brought into the blockchain without an oracle

If “everyone” agrees on something, you already have consensus. What is often misunderstood about blockchain, is that from the point of view of each individual node, they are always in consensus rules. Even when rules are changed, and your node hard-forked off the main chain, all your node knows is its current consensus rules. Since you will only connect to nodes that are on the same chain, it follows that you and your peers will always be running the same consensus rules. This is exactly how UASF accomplished its goal of forcing segwit adoption. By only listening to miners who were signaling for segwit, the result will always be that 100% of the “network” is signaling.

Proof-of-Stake is a class of algorithms that only use data from the blockchain to chose the next block-signer. The major issues with PoS are:

  1. Nothing at stake (N@S) — when you are presented with a natural fork in the blockchain you are forced to choose one to work on in POW, with POS there is nothing stopping you from signing blocks on top of both heads, just in-case the other one survives. N@S has a known Slasher solution, where punitive rules put your stake at stake, to dis-incentivize extending multiple chains.
  2. Long-Range Attacks (Stake Grinding) — As described above, you can “grind” through the historical data that was used to choose the block-signers, and rewrite history so that you version of the blockchain is stronger and better then the “real” version. A new node, has no way to tell the difference.

PoS just doesn’t work, it’s a logical tautology. It expects you to use the content of the blockchain to decide the content of the blockchain. Gregory Maxwell

As we looked for a solution to stake-grinding, we see a glimmer of hope in the classic 2014 post On Stake by Vitalik Buterin

Image for post
Image for post
POS fundamentally resolvable

The idea is simple, to stop stake grinding, we make the set of block-signers and their public-keys static. We use the Nxt algorithm, which does not use the contents of the block to choose the next signer. So now there is nothing to grind! Delegated-Proof-of-Stake (DPOS), used in bitshares, steem, and EOS, has a similar concept, where there is a known list of 21 static “validators” signing all the blocks.

This idea may work, provided we have a known list of decentralized pseudo-randomly chosen block signers. It would almost be like having all the POW miners find the lowest hash all at once and then use them as the static list moving forward.

However, this problem of creating a list of decentralized block-signers is precisely the problem we are trying to solve in the first place, only from another angle. Since there is no way a list can be generated from the blockchain itself, there must be some real-world effort or information, just like Property #3 from above.

If you can Zero-Premine, you can create a static list of signers

Not only does PoW secure Bitcoin, it is also used to distribute new coins. Taking a step back, we could argue, that any blockchain that claims to reach decentralized consensus should be able to start with a Zero-Premine. In fact, the reason PoStake coins all have a 100% premine is that, otherwise, whomever gets the first coins will get all the coins. Again, this is all comes back to the same issue, where the only information available is what is contained inside the blockchain.

Show me a coin with a Zero-Premine and I will show you decentralized consensus

Protoblock is the first non-PoW chain with a Zero-Premined token. This is made possible by bringing sports data that already has consensus into the blockchain, via a continuous UASF like process.

  • Before the inaugural season of 2014, there were in-fact 0 Fantasybits in circulation.
  • After the first NFL game, and after every NFL game since, all nodes deterministically generated 100 Fantasybits for each Fantasy Point scored in the NFL.
  • All coins, 100% of coins, are then deterministically awarded, by all the nodes, independently, to known users wallets based on the accuracy of their projections.
  • Before each games anyone can create a wallet and sign a projectionTransaction
signed_transactions {
trans {
version: 1
[fantasybit.ProjectionTrans.proj_trans] {
season: 2016
week: 1
playerid: "1321"
points: 12
id: "e682b5e001882b0336c1ed46913bf5c09bd6d768c6446a050a510c1e7217d261"
sig: "5dzQN1XuMd5vkJoqBcGk3H5bZ3oXb9BAZJeNe1qKqzpgGbMC2R1ziNguahydqXJpMtXmPG2oY7Eao3VUJk6L53zE"
fantasy_name: "@SpreadSheetFF"

Example signed projection transaction by @SpreadSheetFF, for 2016 Week 1, playerid “1321” — projecting 12 Fantasy Points

Image for post
Image for post
player 1321 — Marqise Lee scored 4.2 Points = 420 Fantasybits

Marquise Lee scored 4.2 fantasy points from 2 Receptions and 22 Receiving yards. @SpreadSheetFF predicted 12 points. According to the distribution algorithm, he gets 0 coins. The 9 users who projected 5 points will split those 420 virgin coins.

Schedules, player data, gametime, and game results are all external data brought into the blockchain, which already reach decentralized consensus on the outside, and does not need a centralized oracle.

Fantasybit are a token of the skill of predicting NFL statistics.

  • All virgin FantasyBits generated and distributed actually have two parts. FantasySkill (Skill) and FantasyBit (Stake).
  • Skill is tied to your public-keys forever and is non-transferable
  • Stake is the typical cryptocurrency counterpart. So when you first transfer your virgin coins, the Skill remains and you only trasfered away the Stake
  • Now we have FantasySkill, a static list of public-keys that were generated from a Pseudo-Random decentralized process of predicting NFL statistics!

Proof-of-Skill — putting it all together to reach consensus

Property #1: Known problems are the thousands of random data points from the upcoming games which comes from the Schedule data that has consensus

Property #2: Results are independently verifiable by each node operator by bringing his own feeds or ultimately re-watching the games and scoring the results

Property #3: Efforts of obtaining the skill of predicting NFL FantasyPoints over the past 1–30 years, is implicitly tied to the key of the block-signers

  1. Nxt Forging algorithm is used over the static set of FantasySkill holders
SHA256(pk(block-signer) + pk(prev-block-signer)) < X * FantasySkill(block-signer) * seconds-since(prev-block)
  1. Slasher is used for N@S, where if you are caught signing multiple chains, your will lose some of your Skill. So now your Skill,and block-signing rights IS at stake.
  2. The list of FantasySkill holders is static, which solves the Long-Range-Stake-Grinding attacks. Approx 5 million skill coins are added to the static pool each year, keeping it fresh with new incentivised stake holders.
  3. There is real world effort required to obtain Skill in predicting NFL data, which comes from outside the blockchain, so it cannot be easily gamed.

For a user to verify that the blockchain is in a good state, all he would need to do, is confirm that the NFL schedule and the results are correct. Everything else falls into place with the assumption that Skilled predictors are sufficiently distributed among the masses.

Compare this to PoW. How can one verify that in fact the work is correct? You would have to check the code, make sure its correct, compile the code, then test the code. But in reality, you are just trusting your bitcoin core software, and relying on a small group of specialized bitcoin coders, to sound the alarm if something was wrong.

Sybil attacks are a real threat and are mitigated by requiring a small amount of coins in an account in order to make projections. However, even without this mitigation, the threat is manageable. There are 40⁶⁵⁰ total possible projection combinations for each week. Attackers would need to create 40⁶⁵⁰ accounts, and would finish with a perfect week 1. However, for week 2, there is no way to have the same account score perfect. So he would end up with lots of Fantasybit stake, with uncountable many accounts with low Skill value. All we need to do, to mitigate his block signing, is to put more weight on higher Skill balances, which would force the attacker to ensure the same accounts win each week, and this can only be done with real skill. In the end, those will real skill, will always be at least equal to the attacker. Either way, the attack would be evident and we would/could consensus fork, or just charge a small fee for each projections.

Fantasybit Utility

Protoblock is a distributed decentralized futures/forwards exchange for hedging and speculating in the $50B fantasy sports markets. FantasyBit, the stake part, is used for margin when trading on the exchange. We have up to 1200 contract available to trade now, live, and in production. Our blockchain was written from scratch over the past 4 years in C++/QT and currently runs on Windows and OSX. There are also light clients for iOS and Android.

Utility is similar to Augur, but only for our specific NFL data that already has consensus, and is in the blockchain. No oracles needed.

The code is now open source and there there was no ICO nor preMine. We have been “live” since 2014, so there around 20 million coins are in circulation (based on 200,000 Fantasypoints scored by NFL players).

Each year from September through December, there will be around 5 million more coins up for grabs, and in 2018 almost every early adopter will earn coins. Actual expert skill would come into play in the future when blocks start reaching capacity.

Image for post
Image for post
Fantasypoint scoring | Fantsybit Distribution
Image for post
Image for post
Decentralized Forwards Market on Blockchain

Jay has 20+ years' experience designing and delivering complex software solutions with a focus on financial market trading and more recently bitcoin/blockchain

Get the Medium app