ValidatedProofOfStake
A pure proof of stake cryptocurrency consensus protocol that uses block validators and minter punishments without lock-in stake.
Version: 0.99.0
Status: In Review
Validated Proof of Stake
VPoS is a proof-of-stake consensus protocol for distributed ordering of cryptocurrency transactions as an alternative to pure Proof of Work. Its primary unique qualities are using validators for each block, and having a mechanism to incentivize minters to mint only on top of one of the candidate longest-chains without requiring lock-in stake.
Problems with Current Solutions
Proof of work is a solid and secure mechanism for determining a canonical order of transactions, but a PoW system’s security is linearly related to expenditure of resources (which directly translates to transaction fees and/or inflation of the quantity of currency) and such a system is susceptible to centralization pressure that leaves a significant risk of a 51% attack. Also, there is the possibility (granted one that seems unlikely) that the amount of fees that must be paid for PoW to maintain enough security could be more than can be extracted via a fee market.
Hybrid protocols that mitigate some of these problems potentially have significantly increased network traffic, have a higher risk of censorship attacks, are susceptible to two types of mining-monopoly attacks described later in the paper, or don't allow a large fraction of coin owners to practically mint blocks (e.g. Decred and Memcoin2). The reliance on expensive hashpower severely limits the maximum security that any of these hybrid systems can plausibly attain. The security of hybrid protocols is discussed in more detail in the spec for Proof of Time-Ownership, which is the immediate precursor to this protocol.
Proof-of-Stake has the potential to decouple the security of the blockchain from resource expenditure, but other Proof-of-Stake systems have their own substantial problems, including the issue of resolving competing chains (the nothing-at-stake problem), the ability to cheaply create a fresh blockchain that compares as longer to the “true” chain (history attack), and the fact that requiring users to lock up funds limits how many people can participate in minting blocks, among other issues.
VPoS seeks to completely eliminate the hashpower requirement, instead using coins alone to secure a cryptocurrency system. This specification defines a protocol that maintains a high level of security without the problems exhibited by other PoS systems.
Benefits
- Is two orders of magnitude more secure than pure Proof-of-Work while using many orders of magnitude less real resources. Also VPoS is substantially more secure than other PoS proposals.
- Almost everyone can participate in minting blocks with only the resources necessary to run a full node (with the same resource usage as Bitcoin).
- Eliminates centralization of block-creation related to network propagation delay. Because of this, the system can use lower blocktimes than other protocols while remaining safe.
- Increases the incentives to run a fully validating node.
Major Tradeoffs
- Has a failure mode where an attacker can permanently capture the system once they obtain near 50% of the active stake, after which the attacker can theoretically sell a majority of their stake without losing control of the chain. By contrast, in systems that have a PoW component, capturing the system requires maintaining a certain level of work (and therefore cost expenditure) for the length of the attack. This failure mode exists in all Proof-of-Stake systems that don't have a Proof-of-Work component.
- Slightly higher network traffic than PoW due to 2-6 times more blocks to propagate (from competing forks) and 10-100 more kilobytes per block from validator information.
- Slightly bigger blocks by 10-100 KB needed for validator information.
Contents
- Validated Proof of Stake
- Contents
- Protocol
- Protocol Extensions
- Analysis
- Potential Issues
- DOS risk
- Nothing-at-Stake
- Time shifting
- Initial Coin Distribution
- Long-term Ownership Centralization
- Prediction Attack
- Stake-grinding
- History Attack
- Progression capture
- Selfish Minting Hidden-chain Attack
- Economic Minting Monopoly Attack
- Minter Bribery
- Profit-seeking Minter Collusion
- Participation Barriers
- Latency-based Block-creation Centralization
- Comparisons
Protocol
This document describes the protocol using Bitcoin terms, but these techniques could be applied to pretty much any cryptocurrency. The protocol hinges on four key design aspects:
- Time-bound Proof of Stake: PoS minters compete with each other to create blocks. A minter is allowed to mint transactions into a block if one of their addresses comes up in a time-release progression. A very similar process is used to decide which validators are allowed to validate a block.
- Delayed-release Distributed Randomness: Randomness created collaboratively by minters and released only long after the randomness has been set in stone.
- Validation Signatures: Each block must be validated by a set of other minters before any block can mint on top of it.
- Minter Punishments: Minters who mint too far on the wrong chain are fined.
In VPoS, Proof-of-Stake (PoS) minters race for each block (rather than using quorums or voting). Each address has a chance of winning the right to mint a block once per second based on the amount of coins that address contains. Just like Proof-of-Work mining is a race to find a block with a hash below a certain value, minting PoS blocks is also a race to find a hash below a certain value. However, whereas in PoW the number of attempts you can make per second is unbounded, in VPoS (as in most PoS systems) minters only get one try per second per transaction output. This race incentivizes PoS minters to release minted blocks promptly once they become valid. For each block, the minter who can demonstrate that their address has won the right to mint a block then creates and propagates that block as usual. Then a number of validators (e.g. 1000) do a similar process. Once the necessary number of signatures has been propagated, the next minter can then mint on top of that block. These validators substantially decrease the effectiveness of hidden-chain attacks.
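The one-try-per-second race described above, as an added sketch that is not taken from the VPoS spec or the project's code. The hash input layout, the `target_per_coin` parameter and all sample values are assumptions chosen for illustration.

```python
import hashlib

MAX_HASH = 2**256  # size of the SHA-256 output space

def attempt(seed: bytes, output_id: bytes, second: int) -> int:
    """The single hash an output gets for a given second.
    There is no nonce, so the minter cannot retry within that second."""
    data = seed + output_id + second.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def wins(seed: bytes, output_id: bytes, balance: int, second: int,
         target_per_coin: int) -> bool:
    """True if the output may mint at `second`: its hash must fall below
    a target that scales with the coins held (assumed linear scaling)."""
    threshold = min(balance * target_per_coin, MAX_HASH)
    return attempt(seed, output_id, second) < threshold

def winning_seconds(seed, output_id, balance, start, count, target_per_coin):
    """All seconds in [start, start + count) at which the output wins."""
    return [t for t in range(start, start + count)
            if wins(seed, output_id, balance, t, target_per_coin)]

# Constructed sample values (hypothetical, not from the spec).
SEED = hashlib.sha256(b"constructed example seed").digest()
OUTPUT = b"txid-placeholder:0"
TARGET_PER_COIN = MAX_HASH // 1_000_000  # about 1e-6 chance per coin per second

if __name__ == "__main__":
    small = winning_seconds(SEED, OUTPUT, 1_000, 0, 20_000, TARGET_PER_COIN)
    large = winning_seconds(SEED, OUTPUT, 4_000, 0, 20_000, TARGET_PER_COIN)
    # A larger balance raises the threshold for the same hash, so every
    # second won with 1,000 coins is also won with 4,000 coins.
    print(len(small), len(large), set(small) <= set(large))
```

Because the hash depends only on the seed, the output and the clock, extra hardware buys no extra attempts; only holding more coins raises the threshold.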
Minters can mint for almost 0 cost, allowing almost anybody in the network to participate in block creation ("almost" anyone because a small minimum balance is required in order to mint). These minters also create an amount of randomness for each block, and include a proof in the minted block that they can later use to verify that they haven't changed their randomness when they finally reveal it to the rest of the network. This randomness is used to ensure that no one can predict in advance which addresses will get the right to mint or validate a particular block and thereby game the system.
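The delayed-release randomness above can be pictured as a commit-reveal scheme. The following is an added example, not the project's code: it assumes the "proof" is a plain SHA-256 hash commitment and that verified reveals are folded together in block order, neither of which the text above specifies.

```python
import hashlib
import hmac
import secrets

COMMIT_TAG = b"vpos-example-commit"  # hypothetical domain-separation tag

def new_secret() -> bytes:
    """Fresh per-block randomness that the minter keeps private until reveal."""
    return secrets.token_bytes(32)

def commit(secret: bytes) -> bytes:
    """Commitment included in the minted block; it binds the minter to
    `secret` without disclosing it."""
    return hashlib.sha256(COMMIT_TAG + secret).digest()

def verify_reveal(commitment: bytes, revealed: bytes) -> bool:
    """Check a later reveal against the commitment stored in the block."""
    return hmac.compare_digest(commitment, commit(revealed))

def combined_seed(blocks) -> bytes:
    """Fold the reveals of consecutive blocks into one seed.
    `blocks` is a list of (commitment, revealed_secret) in block order.
    A reveal that does not match its commitment is rejected, so a minter
    cannot swap in different randomness once it sees the others' values."""
    seed = b"\x00" * 32
    for height, (commitment, revealed) in enumerate(blocks):
        if not verify_reveal(commitment, revealed):
            raise ValueError(f"block {height}: reveal does not match commitment")
        seed = hashlib.sha256(seed + revealed).digest()
    return seed

if __name__ == "__main__":
    s1, s2 = new_secret(), new_secret()
    chain = [(commit(s1), s1), (commit(s2), s2)]
    print(combined_seed(chain).hex())
    try:
        combined_seed([(commit(s1), s1), (commit(s2), new_secret())])
    except ValueError as err:
        print("rejected:", err)
```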
Minters are incentivized to mint blocks on top of a very limited number of candidates for the longest chain. This incentive comes from punishment fines for minters who mint too far on chains that aren't the longest one. This eliminates the nothing-at-stake problem while at the same time also eliminating latency-related advantages for minters with larger stake. This is done without any locked-up stake or waiting periods, allowing anyone to use their coins to mint at any time.
Terms
Minter - An address
