An Introduction to Qtum Proof of Stake Mining — A Racing Story

Let’s Race — Magic Coins — Berlin graffiti artist TOBO, with some dubious commentary about block reward probability.

Hello boys and girls. I am here to share an Explain Like I’m 5 (ELI5) story about running races. We will visit Berlin to hear about the recent Berlin Marathon and I will tell a story about running races and mining coins.

Your storyteller is an independent researcher, not affiliated with Patrick and his friends (the Qtum Team) but has a great appreciation for the technical stories they tell, and he has some additional stories for grownups on Medium.


Part 1. Introduction to the PoW Marathon and the PoS Race

This story is an update on the tortoise and the hare fable for Proof of Work mining (PoW — think bitcoin) and Proof of Stake mining (PoS — think Qtum). This explanation is targeted at a 5-year-old unless the 5-year-old is a full-stack blockchain developer. For inspiration, we consider the recent BMW Berlin Marathon, with Eliud Kipchoge of Kenya winning the men’s race in 2:03:32 and Gladys Cherono, also of Kenya, winning the women’s race in 2:20:23. They are very fast runners.

Marathoners (but not these elite athletes) can hit “the wall” at about 30 km where they lose energy and may quit the race. Fortunately, the Berlin Marathon course passes the East Side Gallery (surviving piece of the Berlin Wall) only 13 km along the race course, so the marathoners shouldn’t have a problem hitting the Berlin Wall there. The Berlin Marathon winners each get to say “I won!” and win a shiny gold coin (and USD 250,000). You can see the winners of the men’s race with their gold coins here and notice they are very thirsty after running 42 km and are holding some refreshing glasses of apple juice.

Now let me tell you a story about some other fun races, the PoW marathon, and the PoS race.

PoW runners start a marathon lined up at the starting line, and many times runners will put their feet on special starting blocks fixed on the race track to get better traction for a quick start in the race.

For our story, the starting line will be a single block, which also announces the start of the race. The runners all line up at the starting line and when the block says “start”, they all run as fast as they can for 42 km, all the while asking the same question over and over again: “did I win?”, “did I win?” Only the fittest athletes (miners) can compete in the PoW marathon.

These athletes are working really hard, and as soon as one calls out “I won!”, the winner gets a prize of 12.5 magical digital coins and the honor of starting the next race because the winner’s new block says “start” and everyone starts running another full marathon.

Let’s compare the PoW marathon to the PoS race, and let’s be honest, some of the contestants lining up at the PoS race starting line have not laced up their trainers recently — because anyone can run this race (Raspberry Pi), not just elite athletes (ASIC mining farms).

When the PoS race starts (the block says “start”) all the contestants take a single step forward, stop, and ask themselves “did I win?” If no one shouts out “I won!”, 16 seconds later all the runners take another single step forward, stop, and ask themselves again “did I win?”

You can see this is a very easy race compared to the hard work of the PoW marathon, and the race (really more of a stroll in the Tiergarten park) goes on for a while, step-by-step, until one of the contestants shouts out “I won!”

In this race, the winner receives a prize of 4 magic digital coins and the honor of starting the next race (their wallet receives a block reward and gets to publish the next block on the blockchain). The next race begins immediately (because the new block says “start”) and all the runners take a step forward and ask the same old question.

Before we go on with the story, let me tell you a little more about the blocks. Each block records the winner’s name (wallet address) the prize they won (block reward), and some other stuff I’ll describe later in the story. The race goes on and on, with a block for each winner, and the blocks are linked together in an endless chain from the very first race, which is why we call this race course the blockchain.

In this loosely organized race, any contestant (wallet) can join the race at any time. There is no centralized authority registering the runners, sending out the race number bibs, etc. This is a decentralized trustless system, there is no server in The Reichstag data center authorizing participants or running a database for the blockchain. There are only wallets talking to each other peer-to-peer, carefully receiving and storing each block on the blockchain. Furthermore, each wallet has to answer the question “did I win?” all by itself. How do they do that?

No central server or blockchain database in The Reichstag

Part 2. Did I win?

Each of the PoS racers just happens to be carrying a bag of magical coins that help answer the question “did I win?” With each 16 second step, the racer (wallet) does a quick calculation with all their coins, which are actually stacked together in small groups (Unspent Transmission Outputs — UTXOs). Each group of coins has some unique data to help answer “did I win”, where the chance of winning is directly proportional to the number of coins in that group. For example, if you have 200 coins in your wallet, and your friend has 100, you will get to yell “I won!” twice as many times, but the spacing between those wins is somewhat random, and you need to look at this over a really long time, maybe until your next birthday.

With each step, the racers take out a calculator and add up some numbers from the “block” starting line, plus the unique data from each group of coins, and some other secret sauce (not really, it’s all open source) to answer the question “did I win?”

The stepping race is fun and easy to play, but the people that made up the game actually have a lot of rules (source code) that controls the race. Some of the rules were created by Satoshi and his friends, a long time ago before you were born, more rules were added for other races over the years, and some of the rules were written more recently by Earlz and Neil and their friends. These are not rules like “don’t cross the street without holding your Mom’s hand”. These are rules in a special language that computers understand because I’m sure you realize by now that it is really computers that are playing the stepping game, and you have to talk to computers in a very simple way (even more simple than ELI5) so they will understand.

A good way to talk to these computers is with the “C++” language. This is not “C” for “Computer” language, but really from a succession of better ways to talk to computers: there was a “B” language, a “C” language, and C++ (pronounced “C plus plus”) is a computer science way of saying “C language with some incremental new features”. I thought by this point in the story you would like to see what some of the rules for the stepping race actually look like.

We can start out by looking at a comment that describes how the program works. People writing programs for computers often include comments, which the computer can’t read, but are for other people to read to help understand the program. Here is a comment from the wallet program that goes right to the heart of the “did I win?” question:

// BlackCoin kernel protocol
// coinstake must meet hash target according to the protocol:
// kernel (input 0) must meet the formula
// hash(nStakeModifier + blockFrom.nTime + txPrev.vout.hash +
// txPrev.vout.n + nTime) < bnTarget * nWeight
// this ensures that the chance of getting a coinstake is
// proportional to the amount of coins one owns.
// The reason this hash is chosen is the following:
// nStakeModifier: scrambles computation to make it very difficult
// to precompute future proof-of-stake
// blockFrom.nTime: slightly scrambles computation
// txPrev.vout.hash: hash of txPrev, to reduce the chance of nodes
// generating coinstake at the same time
// txPrev.vout.n: output number of txPrev, to reduce the chance
// of nodes generating coinstake at the same time
// nTime: current timestamp

What does this comment mean?

Blackcoin is another PoS blockchain (Blackcoin uses PoS V3.0, the predecessor to Qtum PoS). The comment identifies this code as coming from the Blackcoin developers.

Coinstake is the way you say “I won!” in a block on the blockchain and is a special transaction that gives all the details about the block reward.

The comment describes how the program will mix together some information from the start of the race, and stack of coins, and then does a calculation to get a really big number.

This comment precedes the C++ source code below, which will be translated (compiled) into a binary program (just “1”s and “0”s) that the wallet computer can actually execute.

// Calculate hash
CDataStream ss(SER_GETHASH, 0);
ss << nStakeModifier;
ss << blockFromTime << prevout.hash << prevout.n << nTimeBlock;
hashProofOfStake = Hash(ss.begin(), ss.end());
// Now check if proof-of-stake hash meets target protocol
if (UintToArith256(hashProofOfStake) > bnTarget)
return false;
return true;

(Logging statements omitted for clarity. Your storyteller knows just enough C++ to be dangerous.)

What does this code mean? This is the part of the wallet program that is answering “did I win?” using a hash calculation to produce a random number (more on hash below).

First, the program assembles a list of the 5 inputs for the hash algorithm described in the comment. The calculation from the Hash algorithm is assigned to the variable hashProofOfStake:

hashProofOfStake = Hash(list of inputs)

This gives hashProofOfStake a nice random number, and all we have to do is check if we won, which the program does next.

The Target value has been set to a multiple of “my weight” for the wallet (the value of mature coins that are staking) a few lines of code above this excerpt — this is why having more QTUM coins gives you a better probability of winning a block reward:

bnTarget *= bnWeight

This code means the Target is assigned to be Target x Weight.

We are getting real close now to the answer, with only three more lines of code to answer “did I win?”

If hashProofOfStake is greater than the Target number, we did not hit the target, and didn’t win (return false). Otherwise, we are a winner and the last line of code (return true) reports back to the rest of the wallet program “I won!” The Target number is sent from the previous block (in the difficulty bits), and is used to adjust the spacing between blocks.

A hash is a computer calculation which takes some input data and creates a unique output number, the “hash”. Slight changes in the input data will produce a very different output number. Qtum uses the Secure Hash Algorithm with 256-bit outputs (SHA-256) just like bitcoin. SHA-256 hash numbers are 32 bytes long and look like this[3], written as 64 character hexadecimal (base 16 numbers):

0000000fa10564d7b5ed51577210ecf0560cb123487ec860ee3529ab88078ef1

You can try out some SHA-256 hashes at this site. The hash above “0000…” comes from the input 84987767594945548952717643416095151961999326332588125091496497242250742672094 (try it, but no extra spaces or line returns) and the nature of hashes is that it is virtually impossible to find another input that will produce the same hash output.


Part 3. Running Team

Some big vats of apple juice at Pfefferbräu

Let’s get back to our story. Our racer decides to try and improve their odds of winning by joining a team, and (being Berlin) they join Team Pfefferbräu on Schönhauser, (Team PoS). Pfeferbräu is a nice restaurant in Berlin where grownups like to drink some apple juice. The team decides to pool their magical coins, and after a few cold apple juices, they pick a few designated team members to join the race carrying bags of their pooled coins.

Since the odds for “I won!” depend only on the number of coins packed into each group, will Team PoS get to yell “I won!” more times if they split their groups of coins between multiple racers (wallets) or multiple bags (addresses) carried by a single runner? Of course not, and since how often you get to yell “I won!” depends only on the number of the magic coins you have, not on how your coins are distributed. However there is a way for your wallet to do a little cheating (look ahead staking), and pre-answer part of the “did I win?” question by looking about 7 steps into the future, and there is one guaranteed way to improve your odds (don’t tell anyone: just buy more magic coins).

I know this is a fun story and you are starting to get interested in the magic coins, but you probably have some questions by now, such as, where do the magical coins come from and who got the PoS race started? The answer is easy, the stepping race was made up by Patrick, Neil, Earlz and their friends, and they borrowed some good ideas from other races, including the PoW marathon (forked the bitcoin blockchain) and another stepping race (Blackcoin PoS 3.0). But the best part is the race just makes up the magic coins out of thin air (the wallets minted all the coins in the genesis blocks, and mint all the block rewards).


Part 4. Maturity

A few more odds and ends before we finish the story.

Whenever you are dealing with real coins or magic digital coins it is important to handle them carefully and safely, because there are always bullies and bad kids on the playground that want to take your lunch money. The people that made up the PoW Marathon (Satoshi and his friends) and the earlier versions of the PoS stepping race came up with some good ideas for protecting the magical coins (private keys to cryptographically sign transactions, cryptographic hashes).

One thing added to help protect the magic coins in earlier versions of the PoS stepping race was a “waiting period” after the coins move around before you can use them in the stepping race. This is like when a grownup says a kid is “immature”. When the coins are immature, they cannot be used in the stepping race (can only use mature coins for staking). We know about this because the rules for the stepping race say:

COINBASE_MATURITY = 500

Unlike when you are texting your friend, the upper-case letters here do not mean the rules are shouting, but only that this number is a constant for the rest of the program and shouldn’t change. Here the word “coinbase” refers to the first transaction written into a block, and is also the name of a big cryptocurrency bank in California, USA. In Qtum blocks, the coinbase transaction is always left blank (in reverence for Satoshi and his friends who created the first race), and all the actions starts with the 2nd transaction in the block, called the “coinstake”, for reasons we will get to shortly.


Part 5. Chance of Winning

In the story, we have talked about most of what you need to figure out your chance of winning the race, but let me tell you a few more details and give an example to help explain how often you can yell “I won!”

You know the chance of winning (probability of winning) is directly proportional to the number of magic coins in your bag.

The rules say there should be 675 races every day. Suppose there were 675 racers, and each had the same number of coins, then everyone should win once per day, and that seems fair. In practice, because of the random values produced by the SHA-256 hash, there will be some random variation in the results, but if everyone ran all the races for a year, it should sort of even out.

With this example, we can make some changes with the racers and see how the probability of winning changes. Suppose you had twice as many coins in your wallet as all the other miners had in their wallets? Then your Target will be twice as high as the others, and you will win twice as often.

Suppose another 675 people joined the race (all with the same size bags), then your wins would drop by half because the random values from the SHA-256 hash would be picking among these new runners half the time.

To calculate the probability of winning you need to compare the coins in your bag to the number of coins in all the other bags of the other racers. It doesn’t really matter how many other wallets there are, only how many total coins are in the race. As more people join the race with their bags of coins, your probability of winning will change. But because of security and privacy, we can’t just go to everyone in the race and ask about their bags to calculate the odds of winning. Instead, the wallet estimates the total number coins based on the recent winners (calculates the Network Weight) and we can use that number to figure out our chance of winning. The formula below says, the probability of winning any one race is simply the number of your coins divided the total number of coins in the race, and you have that chance of winning 675 times each day because there are 675 races:

Your storyteller likes to understand how the math works, but you can usually find a smart friend to do the calculations for you, like @calbert65 with his staking calculator site.


Part 6. Collecting the Prize

There are a few more secrets about the race I wanted to tell you. When you win the race, the current prize is 4 magical coins, but to keep the race fair and safe, this is not paid immediately to the winner, and there has been some misunderstanding about how this works.

To make it easier to understand we will look at some pictures of Euros in place of the magic coins — magic coins are really just computer files and they do not take a very good selfie. The reward for winning the race (block reward) is 4 Euros, but that amount gets paid out over time. For this example, we have two groups of Euros in our bag (wallet addresses) and each group (UTXO) has 6 Euros.

This picture above shows that we are in the stepping race, on the race course (but we are not running in the Berlin Marathon!), happily stepping along and asking “Did I win?” To make the example easier to follow each race has a number (relative block written in red), and we are starting above in race 0, then we take the next step, and (you knew this was coming) get to yell “I won!”

As the winner, you will need to put one group of your coins in a timeout (stake) where they are not allowed to continue in the race. It is not that they did anything bad, this keeps the race fair and safe, and also proves that you really owned the group of coins. Your wallet selects the UTXO for staking as the one with the PoS hash less than the Target. This hash calculation generates the random probability for selecting the winner among all the wallets staking all their UTXOs as we saw in the source code above

As the winner, you also get an initial payment of €0.4 (plus a share in the transaction fees), that makes up part of the overall €4.0 reward. As you might have guessed, this €0.4 payment also goes into a timeout (stake). This selfie shows that you won race 1 (relative block 1), with €6.4 off the racecourse in timeout (stake), and €6 still in your bag (wallet address) for continuing the stepping race. This last part is important because even though a few of your magical coins are staked, the rest of your wallet is still eligible to win more races (you can absolutely get overlapping block rewards — this is why your storyteller recommends filling your staking wallet with UTXOs of 250–400 QTUM).

Once you win the block reward, you can exit your wallet, turn off your computer, etc. and still get the rest of the block reward payment, as we see in the story below.

The race continues until you get to block 501 when your coins end their timeout and are sent back to you to join the race (the stake is returned + the initial 0.4 QTUM). According to the rules of the race (source code) this is exactly COINBASE_MATURITY races (block confirmations) after the timeout started (stake started). At block 501 you are racing with €12.4 in your bag (12.4 mature coins staking).

By this point, you are probably wondering “what about the rest of my €4.0 winning prize?” Well, that comes next, as the winners of the next 9 races each send you €0.4 until you get the total prize of €4.0 (4.0 QTUM)).

Again, this delayed gratification is a safety feature to protect the race, but the best thing is, all these €0.4 payments coming in are sent by the winners of the future races, and this is the magical part about these coins: the winning wallets just make up these payments out of thin air (the winning wallet mints the block reward).

By block 510 you have received the 9 additional €0.4, and I’m sure you notice these new coins start off the racecourse in timeout (stake) and each must wait for 500 confirmations to become mature and be returned to your wallet for staking.

By block 1002 the first of that 2nd group of €0.4 payments matures and is added to your staking weight. Now your wallet would have a weight of €12.8. This also explains why you can get out of the race (exit the wallet app, turn off your computer, lose your network connection, etc.) after winning, and still get paid the full block reward by these other winners. The full amount of the block reward will be patiently waiting at your address on the blockchain when your return to the race. Of course, you can’t win if you are not in the race (wallet application not running).

By block 1010 the entire block reward would have matured, and you can continue staking with a weight of 16 QTUM. We have the full block reward matured and are back at the Tiergarten for the Berlin Marathon finish line. This entire sequence is also shown in a table in the appendix.


Part 7. Watching the Race

If you were not running in the Berlin Marathon yourself, you could follow along with live tracking of the leaders with 5k splits (the runners wear chips or tags that are read by sensors at 5k intervals — the marathon is over but you can see the final results on the marathon explorer.

There is even better tracking for the Qtum stepper race, with immediate results available for every race. Two blockchain explorers (explorer.qtum.org and qtumexplorer.io) show the block reward winners as soon as they announce “I won!”, along with the past history of block reward winners, and even show how many magical coins are in every bag.

The leaderboard page on the Qtum Explorer shows the winners of the most recent races (block number and address), and incoming transactions. In the example above, there are transactions for 0.8 and 132.58 magical coins that will be written into the next block by the next block reward winner. There is a lot more to see in these explorers about the race because all the race information is public and available.

Part 8. Transactions

Sometimes when you are in class at school, you want to pass a note to your friend across the classroom, and your other friends in class will pass the note to your friend. This is a called a transaction in the stepping race and is typically used to transfer the magic coins to new addresses. On the blockchain this note is called a transaction. Many wallets may want to send a transaction to a different bag in the race (address) and these transactions are sent by the wallets to the network and queue up to be included in the next block. This is a big responsibility for the wallet that yells “I won!” but easy to do using the rules of the game.

We can look at the new block that the winning block appends to the blockchain as a page of paper. We know that the first listing on the page, the “coinbase” is left blank for Proof of Stake mining, and the second transaction, the “coinstake” records details of the winner of this block. The following transactions give all the movements of magical coins on the network since the last block. This is all fairly straightforward, just a bunch of wallets sending their lunch money back and forth, and this is all the blockchain could do back from when Satoshi gave it life. Now the blockchain can even enforce agreements (smart contracts) but that is a story for another day.

I hope you enjoyed this story and have a better understanding of how the stepping race is played.

May you yell out “I won!” many times, and your block rewards light up the night, like the Berlin Festival of Lights.

JB395


Credits

Trollette for the race sketches.

References

Look-ahead Staking in Qtum — What does that even mean?, earlz.net, September 24, 2017

The missing explanation of Proof of Stake Version 3, earlz.net, July 27, 2017

Fun in Berlin

BMW Berlin Marathon 2017 race results.

Spectacular drone footage (watch in 4k if you can), and a drone close encounter with the Berliner Fernsehturm.

A shout out to the real Team PoS (3 nodes in Berlin): lass uns nächstes mal im Pfefferbräu für eine IPA treffen Ich bin im Prenzlauer Berg.


Appendix