Slasher: A Punitive Proof-of-Stake Algorithm – Ethereum Blog
The purpose of this postbode is not to say that Ethereum will be using Slasher te place of Dagger spil its main mining function. Rather, Slasher is a useful construct to have te our war chest ter case proof of stake mining becomes substantially more popular or a compelling reason is provided to switch. Slasher may also benefit other cryptocurrencies that wish to exist independently of Ethereum. Special thanks to tacotime for some inspiration, and for Jack Walker for improvement suggestions.
Proof of stake mining has for a long time bot a large area of rente to the cryptocurrency community. The very first proof-of-stake based coin, PPCoin, wasgoed releasd by Sunny King te 2012, and has consistently remained among the top five alternative currencies by monetary base since then. And for good reason, proof of stake has a number of advantages overheen proof of work spil a mining method. Very first of all, proof of stake is much more environmentally friendly, while proof of work requires miners to effectively burn computational power on worthless calculations to secure the network, proof of stake effectively simulates the searing, so no real-world energy or resources are everzwijn actually wasted. 2nd, there are centralization concerns. With proof of work, mining has bot essentially predominated by specialized hardware (“application-specific integrated circuits” / ASICs), and there is a large risk that a single large player such spil Intel or a major canap will take overheen and de-facto monopolize the market. Memory-hard mining algorithms like Scrypt and now Dagger mitigate this to a large extent, but even still not flawlessly. Once again, proof of stake, if it can be made to work, is essentially a ideal solution.
However, proof of stake, spil implemented te almost every currency so far, has one fundamental flaw: spil one vooraanstaand Bitcoin developer waterput it, “there’s nothing at stake”. The meaning of the statement becomes clear when wij attempt to analyze what exactly is going on ter the event of an attempted 51% attack, the situation that any zuigeling of proof-of-work like mechanism is intended to prevent. Te a 51% attack, an attacker A sends a transaction from A to B, waits for the transaction to be confirmed ter block K1 (with parent K), collects a product from B, and then instantly creates another block K2 on top of K – with a transaction sending the same bitcoins but this time from A to A. At that point, there are two blockchains, one from block K1 and another from block K2. If B can add blocks on top of K2 quicker than the entire legitimate network can create blocks on top of K1, the K2 blockchain will win – and it will be spil if the payment from A to B had never happened. The point of proof of work is to make it take a certain amount of computational power to create a block, so that te order for K2 to outrace K1 B would have to have more computational power than the entire legitimate network combined.
Ter the case of proof of stake, it doesn’t take computational power to create a work – instead, it takes money. Ter PPCoin, every “coin” has a chance vanaf 2nd of becoming the fortunate coin that has the right to create a fresh valid block, so the more coins you have the swifter you can create fresh blocks ter the long run. Thus, a successful 51% attack, ter theory, requires not having more computing power than the legitimate network, but more money than the legitimate network. But here wij see the difference inbetween proof of work and proof of stake: ter proof of work, a miner can only mine on one fork at a time, so the legitimate network will support the legitimate blockchain and not an attacker’s blockchain. Ter proof of stake, however, spil soon spil a fork happens miners will have money ter both forks at the same time, and so miners will be able to mine on both forks. Te fact, if there is even the slightest chance that the attack will succeed, miners have the incentive to mine on both. If a miner has a large number of coins, the miner will want to oppose attacks to preserve the value of their own coins, te an ecosystem with puny miners, however, network security potentially falls speciaal te a classic public goods problem spil no single miner has substantial influence on the result and so every miner will act purely “selfishly”.
Some have theorized that the above argument is a deathblow to all proof of stake, at least without a proof of work component assisting it. And ter a setting where every chain is only aware of itself, this is indeed provably true. However, there is actually one clever way to get around the kwestie, and one which has so far bot underexplored: make the chain aware of other chains. Then, if a miner is caught mining on two chains at the same time, that miner can be penalized. However, it is not at all evident how to do this with a PPCoin-like vormgeving. The reason is this: mining is a random process. That is to say, a miner with 0.1% of the stake has a 0.1% chance of mining a valid block on block K1, and a 0.1% chance of mining a valid block on block K2, but only a 0.0001% chance of mining a valid block on both. And ter that case, the miner can simply hold back the 2nd block – because mining is probabilistic, the miner can still build up 99.9% of the benefit of mining on the 2nd chain.
The following proposal, however, outlines an algorithm, which wij are calling Slasher to express its harshly punitive nature, for avoiding this proposal. The vormgeving description given here uses address balances for clarity, but can lightly be used to work with “unspent transaction outputs”, or any other similar abstraction that other currencies may use.
- Blocks are mined with proof of work. However, wij make one modification. When creating a block K, a miner vereiste include the value H(n) for some random n generated by the miner. The miner vereiste voorkoop the prize by releasing a transaction uncovering n inbetween block K+100 and K+900. The proof of work prize is very low, ideally encouraging energy usage equal to about 1% of that of Bitcoin. The target block time is 30 seconds.
- Suppose the total money supply is M, and n[i] is the n value at block i. At block K+1000, an address A with balance B gains a “signing privilege” if sha256(n[K] + n[K+1] + … + n[K+99] + A) <, 2^256 * 64 * B / M. Essentially, an address has a chance of gaining a signing privilege proportional to the amount of money that it has, and on average 64 signing privileges will be assigned each block.
- At block K+2000, miners with signing privileges from block K have the chance to sign the block. The number of signatures is what determines the total length of one blockchain versus another. A signature awards the signer a prize that is substantially larger than the proof of work prize, and this prize will unlock by block K+3000.
- Suppose that a user detects two signatures made by address A on two distinct blocks with height K+2000. That knot can then publish a transaction containing those two signatures, and if that transaction is included before block K+3000 it demolishes the prize for that signature and sends 33% to the user that ratted the cheater out.
The key to this vormgeving is how the signing privileges are distributed: instead of the signing privilege being randomly based on the previous block, the signing privilege is based on the block two thousand blocks ago. Thus, te the event of a fork, a miner that gets fortunate te one chain will also get fortunate te the other, entirely eliminating the probabilistic dual-mining attack that is possible with PPCoin. Another way of looking at it is that because Slasher uses proof-of-stake-2000-blocks-ago instead of proof-of-stake now, and forks will almost certainly not last 2000 blocks, there is only one currency supply to mine with, so there is indeed “something at stake”. The penalty of block prize loss ensures that every knot will take care to sign only one block at each block number.
The use of 100 pre-committed random numbers is an idea taken from provably fair gambling protocols, the idea is that powerful miners have no way of attempting to create many blocks and publishing only those that assign their own stake a signing privilege, since they do not know what any of the other random gegevens used to determine the stakeholder is when they create their blocks.
The system is not purely proof-of-stake, some minimal proof-of-work will be required to maintain a time interval inbetween blocks. However, a 51% attack on the proof of work would be essentially inconsequential, spil proof of stake signing is the foot determining factor te which blockchain wins. Furthermore, the energy usage from proof of work can be made to be 95-99% lower, resolving the environmental concern with proof of work.