Before EOS and Ethereum: How much has Proof-of-Stake evolved since PPCoin?

David Yakira
Jun 25, 2018 · 10 min read
Image by Marina Rudinsky

Forming PoS Blocks in PPCoin

First, we note that PoW blocks are found similarly to Bitcoin’s blocks. PoS blocks are different. Each PoS block must spend an old coin, thus consuming its coin age. An old coin is eligible to create a PoS block at time time_in_seconds if:

  • time_in_seconds is simply the current time, in precision of seconds. PPCoin, as Bitcoin, relies on the assumption that honest nodes have synchronized clocks (with minor deviations). A node should reject a block whose timestamp is later than its current time, or earlier than that of the block it extends.
  • d is a tunable difficulty parameter whose goal is to have stakeholders find PoS blocks once every 10 minutes on average.
  • prev_blocks_data is the most interesting parameter in the formula and also the trickiest one. Its job is to make sure the coins that satisfy the formula (and are thus eligible for PoS blocks) aren’t known in advance and their choice is non-manipulable. This parameter accounts for the system’s fairness, or the process in which stakeholders are chosen to produce blocks (we sometime refer to this process as leader election — a stakeholder should be chosen with probability proportional to the total coin age she owns, and without knowing in advance when will she be chosen). We’ll check several alternatives for prev_blocks_data and see that they are all problematic.
  • More importantly, in PoW, miners get as many attempts per second as their hardware allows to find a valid block. We saw in the last post that as of June 2018, the Bitcoin network made ~35 million tera hashes per secondmuch more than the one attempt per second (per coin) in PPCoin.

Fair Leader Election

This all seems very promising until now. Let’s examine the system more deeply by looking at prev_blocks_data. Here are three possible alternatives:

  • prev_blocks_data = previous block’s hash. Here, the problem of “seeing into the future” is much less severe as prev_blocks_data changes every block. The problem however, is that the proposer of a block can choose its block such that a specific coin would be eligible for a PoS block in the near future. This makes the leader election process highly manipulable. Worse, a relatively strong stakeholder could build (with only minimal cost) a rather long hidden chain if she splits her coins correctly. She could then double-spend using the hidden chain. Tweaking blocks in order to manipulate the leader election process is generally referred to a grinding attack.
  • prev_blocks_data = previous PoW block’s hash. Naturally, this choice mitigates the problem of grinding attacks as miners are unlikely to relinquish valid PoW blocks they found (in PoW, selfish mining can be seen as a form of grinding, which is rather limited). This choice also limits “seeing into the future” — now, it would only be possible to “see” as many seconds as it takes for the next PoW block to be found. The problem with PoS though remains. A simple analysis shows that a stakeholder with ¼ of the stake would be eligible to generate six sequential PoS blocks once every 4⁶=4096 blocks in average (if her coins were split correctly). This is of course true also for PoW blocks, the difference is that a potential attacker would know in advance whether she obtains a long sequence of PoS blocks and plan her attack accordingly. Building a hidden PoW chain (for a miner with < ½ of the hash rate) bares a great risk and thus miners are strongly disincentivized to try such an attack. In PPCoin though, if for instance the PoW block rate is set to sixhours, then if a stakeholder is to find out she has a six-long sequence of blocks in the near future she could use it to execute a six-long reorg. That would be a hidden chain attack without cost. Additionally, it would be very hard to keep PoW miners around if the block rate is so slow. If we make it faster, our PoS system is no longer very “Proof-of-Stakey”.

Rational Forks

To understand this problem, let’s rethink PoW for a second — a miner in a PoW-based chain that knows a single tip constructs a block on top of it and checks its validity. She immediately gets a response. If the block is valid, she publishes it. Otherwise, she increments the nonce and tries again. The point is that at any point in time her compute resources are fully utilized. Thus, if our miner was introduced with an alternative tip she would have to decide how to split her resources. Her best strategy is to devote her resources where it’s most likely that the network would include her block, if indeed she were lucky to find one, as a part of the canonical chain.

“Nothing-at-Stake”

Another way to think of the above problem is what’s known as nothing-at-stake. Stakeholders may attempt attacking the main chain by building alternative (secret) chains. They would try to extend recent blocks all the time until at some point they find a sequence of blocks. Since these attempts are practically free, they have nothing to lose. If they see the main chain becomes much longer than their hidden fork they would simply abandon it and try again from scratch with a more recent block. It is important to mention that while the attack takes place they could try to extend the main chain as well to make sure they don’t suffer any reward losses. Conducting such an attack would eventually succeed, but worse, it would bare no cost to the attacker.

Compromising on Decentralization? Fairness and Incentives

To make sure stakeholders don’t manipulate the election process of future coins for PoS blocks, a rather complicated function was chosen for prev_blocks_data (look here for more details). PPCoin developers designed prev_blocks_data to reduce the influence a stakeholder has by choosing her block this way or the other. However, it is difficult to assess to what extent this is actually achieved. In the next post, we will discuss “low-influence functions” which are another option to achieve this.

Towards the next posts

At this point, I’d like to mention that there were three major evolution steps in PoS design. First attempts tried to mimic Bitcoin’s PoW quite naively and were prone to many vulnerabilities. These attempts include PPCoin (and its descendants Nxt and BlackCoin) and Iddo Bentov’s Proof-of-Activity and Chains-of-Activity.


The Orbs Blog

The Orbs Project Blog

Thanks to Avi Asayag.

David Yakira

Written by

Head of research @ Orbs

The Orbs Blog

The Orbs Project Blog