Slasher: A punitive proof-of-stake algorithm
The purpose of this post is not to say that Ethereum will use Slasher as its primary mining feature instead of Dagger. Rather, Slasher is a useful construct to have in our war chest in case proof-of-stake mining becomes much more popular or provides a compelling reason to switch. Slasher could also benefit other cryptocurrencies that wish to exist independently of Ethereum. Special thanks to tacotime for the inspiration and Jack Walker for the improvement suggestions.
Proof-of-stake mining has been a topic of great interest to the cryptocurrency community for a long time. PPCoin, the first proof-of-stake based coin, was launched by Sunny King in 2012 and has remained one of the top five alternative currencies by monetary base ever since, and for good reason. Proof-of-stake has several advantages over proof-of-work as a mining method. First of all, proof-of-stake is much more environmentally friendly. While proof-of-work requires miners to effectively burn computing power on useless computations to secure the network, proof-of-stake effectively simulates the burning, so no real energy or resources are actually wasted. Second, there is a centralization problem. With proof-of-work, mining has essentially become dominated by specialized hardware (“application-specific integrated circuits”/ASICs), with a high risk that a single large player like Intel or a major bank will take over and de facto monopolize the mining market. Memory-hard mining algorithms such as Scrypt and Dagger alleviate this to a great extent, but they are still not perfect. Again, if proof-of-stake can be made to work, it is essentially the perfect solution.
However, proof-of-stake, as implemented in almost all currencies so far, has one fundamental flaw. As one prominent Bitcoin developer put it, “there is nothing at risk”. The meaning of the statement becomes clear when we analyze what exactly happens during an attempted 51% attack, the situation that every proof-of-work-like mechanism is intended to prevent. In a 51% attack, attacker A sends a transaction from A to B, waits for the transaction to be confirmed in block K1 (with parent K), collects the product from B, and then immediately creates another block K2 on top of K containing a transaction that sends the same bitcoins, but this time from A to A. At this point, there are two blockchains, one extending from block K1 and the other from block K2. If A can add blocks on top of K2 faster than the entire legitimate network can create blocks on top of K1, then the K2 blockchain will win, and it will be as if the payment from A to B never occurred. The point of proof-of-work is to ensure that a certain amount of computational power is required to produce a block. Therefore, for K2 to overtake K1, A would need more computational power than the entire legitimate network combined.
In the case of proof-of-stake, creating a block requires not computing power but money. In PPCoin, every “coin” has a chance, each second, of becoming the lucky coin that has the right to create a new valid block. Therefore, the more coins you have, the faster you can create new blocks in the long run. So, in theory, a successful 51% attack would not require more computing power than the legitimate network, but it would require more money than the legitimate network. But here we can see the difference between proof-of-work and proof-of-stake. In proof-of-work, miners can only mine on one fork at a time, so the legitimate network supports the legitimate blockchain, not the attacker’s blockchain. In proof-of-stake, however, as soon as a fork occurs, miners have money on both forks at the same time, so they can mine on both forks. In fact, miners have an incentive to mine on both if there is even the slightest chance that the attack will succeed. A miner who holds a lot of coins will want to oppose attacks to preserve the value of those coins. However, in an ecosystem of small miners, network security could break down through the classic public goods problem: no single miner has any real influence on the outcome, so every miner acts purely “selfishly.”
The Solution
Some have theorized that the above argument is a death blow to all proof-of-stake without at least a proof-of-work component. And in a context where every chain is only aware of itself, this is actually a provable fact. But there is one clever way to solve this problem, and one that has not been fully explored until now: make chains aware of other chains. Then, if a miner is caught mining on two chains at the same time, that miner can be punished. However, it is not at all clear how to do this with a design like PPCoin, because mining there is a random process. A miner with a 0.1% stake has a 0.1% chance of mining a valid block on top of block K1 and a 0.1% chance of mining a valid block on top of block K2, but only a 0.0001% chance of mining valid blocks on both. And in that case, the miner can simply withhold the second block. Because mining is stochastic, miners can still reap 99.9% of the benefits of mining on the second chain.
The following proposal, however, outlines an algorithm that avoids this problem. We call it Slasher to express its harshly punitive nature. The design description provided here uses address balances for clarity, but it could easily be adapted to “unspent transaction outputs” or other similar abstractions used in other currencies.
- Blocks are mined using proof-of-work, with one modification. When generating block K, the miner must include the value H(n) for a random n generated by the miner. The miner must claim the reward by releasing a transaction that reveals n between blocks K+100 and K+900. The proof-of-work reward is very low, ideally encouraging energy use equivalent to about 1% of that of Bitcoin. The target block time is 30 seconds.
- Assume the total money supply is M and n(i) is the value of n in block i. At block K+1000, address A with balance B gains “signing authority” if sha256(n(K) + n(K+1) + … + n(K+99) + A) < 2^256 * 64 * B / M. Basically, an address has a chance of gaining signing authority proportional to the amount it holds, with an average of 64 signing rights allocated per block.
- At block K+2000, miners with signing authority from block K have the opportunity to sign the block. The number of signatures determines the total length of one blockchain compared to another. Signing earns the signer a reward much larger than the proof-of-work reward, and this reward is unlocked by block K+3000.
- Suppose a user detects two signatures made by address A on two distinct blocks at height K+2000. That node can then publish a transaction containing the two signatures, and if that transaction is included before block K+3000, it destroys the reward for those signatures and sends 33% to the user who reported the cheater.
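The four steps above, put together as an added example (not code from the original post). It assumes H is sha256, reads "+" in the formula as byte concatenation, and models a signature as an already-verified (address, height, block_hash) tuple; all function and constant names are hypothetical.

```python
import hashlib

TARGET_SIGNERS = 64   # average signing rights per block, from the post
REPORTER_PCT = 33     # share of the destroyed reward paid to the reporter
WINDOW = 1000         # evidence must land before K+3000 for a block at K+2000

def commitment(n: bytes) -> bytes:
    """H(n), published by the miner inside block K (sha256 is an assumption)."""
    return hashlib.sha256(n).digest()

def build_seed(reveals, commitments) -> bytes:
    """Check each revealed n against its H(n), then concatenate n(K)..n(K+99)."""
    if len(reveals) != 100 or len(commitments) != 100:
        raise ValueError("need exactly 100 reveals and commitments")
    for n, c in zip(reveals, commitments):
        if commitment(n) != c:
            raise ValueError("reveal does not match commitment")
    return b"".join(reveals)

def has_signing_authority(seed: bytes, address: bytes, balance: int, supply: int) -> bool:
    """sha256(seed + A) < 2^256 * 64 * B / M, kept in integers to avoid rounding."""
    digest = int.from_bytes(hashlib.sha256(seed + address).digest(), "big")
    return digest * supply < (1 << 256) * TARGET_SIGNERS * balance

def slash(sig_a, sig_b, inclusion_height: int, reward: int):
    """Each sig is (address, height, block_hash), assumed already verified.
    Returns the payout split if the pair proves double signing, else None."""
    addr_a, height_a, block_a = sig_a
    addr_b, height_b, block_b = sig_b
    if addr_a != addr_b or height_a != height_b or block_a == block_b:
        return None                       # not a conflicting pair
    if inclusion_height >= height_a + WINDOW:
        return None                       # too late: reward already unlocked
    bounty = reward * REPORTER_PCT // 100
    return {"signer": 0, "reporter": bounty, "burned": reward - bounty}

if __name__ == "__main__":
    reveals = [bytes([i]) * 32 for i in range(100)]        # constructed sample n values
    seed = build_seed(reveals, [commitment(n) for n in reveals])
    signers = sum(has_signing_authority(seed, b"addr%d" % i, 1, 6400) for i in range(6400))
    print("signers selected out of 6400 equal stakes:", signers)
    print(slash((b"A", 2000, b"K1"), (b"A", 2000, b"K2"), 2500, 300))
```

Because the seed and the balances come from blocks long before any fork, has_signing_authority returns the same answer on both branches, which is what makes a conflicting signature pair attributable.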
Central to this design is how signing authority is distributed. Instead of being assigned randomly based on the previous block, signing authority is based on the block 2000 blocks ago. Therefore, if a fork occurs, miners who are lucky on one chain will also be lucky on the other chain, completely eliminating the stochastic double-mining attack that is possible on PPCoin. Another way to look at this is that since Slasher uses the proof-of-stake of 2000 blocks ago instead of the current proof-of-stake, and a fork will almost certainly not last 2000 blocks, there is only one currency supply in which to mine, so there is indeed “something at stake.” The penalty of losing the block reward ensures that every node signs only one block at each block number.
Using 100 pre-committed random numbers is an idea taken from fair gambling protocols. The idea is that powerful miners have no way of generating many blocks and publishing only those that assign signing authority to their own stake, because they do not know what other random data will be used to determine the stakeholders at the time they generate their blocks.
This system is not purely proof-of-stake. Maintaining the time gap between blocks requires a minimal amount of proof-of-work. However, a 51% attack on the proof-of-work is essentially inconsequential, because proof-of-stake signing is the only factor that determines which blockchain wins. The energy used for proof-of-work can also be reduced by 95-99%, resolving the environmental concern with proof-of-work.