Background:

We need a way to agree on the ultimate, final chain (i.e. a consensus protocol to solve the consensus problem). With Proof of Work, we say “those who have put the most computation into calculating the correct next node decide the next node”.

But in PoS? Your probability of producing the next block is proportional to how much cryptocurrency you own. If the system were to collapse, those with the most skin in the game would lose the most value.

What:

Proof of Stake is a lottery. If you hold 10% of the stake, you should win 10% of the blocks.

Design Constraints:

  • The lottery can’t depend on mutable data (e.g. block content). If it did, the attacker could keep changing data until they found a value that lets them win.
  • Attackers should not be able to overwrite history.
  • Attackers should not be able to change history, even if they hack an innocent party (before or after lottery wins).

Final Design (PoS Lottery):

  • Each participant computes a secret lottery value (VRF) using their secret key and current seed.

  • A participant wins if , where:

    • is a number that scales based on your stake. The more stake you put in, the higher the number and the more likely you are to win.
  • Time is divided into slots (e.g. every 10 seconds), so if no one wins, we just move onto the next 10 seconds.

  • Participants and their stake are frozen for the duration of an epoch (a group of slots).

  • To prevent pre-calculating winners, each epoch uses a random string made up of the VRF outputs of the previous blocks. Also, after each block, miners rotate their keys and delete the old ones. Thus, old blocks can’t be historically changed (the key that produced them no longer exists).

  • We also don’t trust the longest chain (because an attacker could go and create a history from genesis). Instead, we trust a chain that is dense: honest parties will collectively win most slots, whereas in a simulated chain built by only a single party the slots won’t be densely filled. (As in Ethereum)

  • Coin owners stake their cryptocurrency to earn the opportunity to validate transactions. Your coin becomes collateral.

  • You run a Verifiable Random Function (VRF), presumably timestamped. You encrypt it with your private key. If you won, others can decrypt it with your public key, proving it’s yours.

  • We split up the entire timeline into epochs. At the beginning, everyone “locks in” their stake and VRF key.

    • Afterwards, a random seed is generated for the epoch.
  • We also have block density protection. If a chain is made up of just a single user’s blocks, after a long time it could grow to overtake the real one, and building it would meanwhile be free for the attacker.
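The lottery above, worked through as an added simulation (not code from the original notes): a stake-proportional threshold on a VRF output, an epoch seed hashed from the previous epoch's VRF outputs, and one-way key rotation after each block. It assumes HMAC-SHA256 as a stand-in for a real VRF (a real VRF also yields a public proof) and uses constructed, name-derived demo keys.

```python
import hashlib
import hmac

MAX = 2 ** 256  # VRF outputs are treated as 256-bit integers

def vrf_eval(secret_key: bytes, seed: bytes, slot: int) -> int:
    # Stand-in for a VRF (assumption: HMAC-SHA256 as a keyed PRF). The input is only
    # the epoch seed and slot number, never block content, so the lottery can't be re-rolled.
    msg = seed + slot.to_bytes(8, "big")
    return int.from_bytes(hmac.new(secret_key, msg, hashlib.sha256).digest(), "big")

def threshold(stake: int, total_stake: int) -> int:
    # Target scales linearly with stake: P(win) = stake / total_stake.
    return MAX * stake // total_stake

def wins(secret_key: bytes, seed: bytes, slot: int, stake: int, total_stake: int) -> bool:
    return vrf_eval(secret_key, seed, slot) < threshold(stake, total_stake)

def next_epoch_seed(prev_seed: bytes, vrf_outputs: list) -> bytes:
    # The next epoch's seed is hashed from this epoch's winning VRF outputs,
    # which is why winners of a future epoch cannot be pre-calculated.
    h = hashlib.sha256(prev_seed)
    for y in vrf_outputs:
        h.update(y.to_bytes(32, "big"))
    return h.digest()

def evolve_key(secret_key: bytes) -> bytes:
    # Forward-secure key rotation: the new key is derived one-way from the old one
    # and the old key is discarded, so a later compromise cannot recreate the
    # VRF outputs (and thus the blocks) of earlier slots.
    return hashlib.sha256(b"evolve" + secret_key).digest()

def simulate(stakes: dict, epochs: int, slots_per_epoch: int) -> dict:
    # Constructed demo keys (derived from the name so the run is reproducible).
    keys = {p: hashlib.sha256(b"demo-key:" + p.encode()).digest() for p in stakes}
    total = sum(stakes.values())
    seed = hashlib.sha256(b"genesis").digest()
    won = {p: 0 for p in stakes}
    for _ in range(epochs):  # stake is frozen for the whole epoch
        outputs = []
        for slot in range(slots_per_epoch):  # a slot may have zero or several winners
            for p, stake in stakes.items():
                y = vrf_eval(keys[p], seed, slot)
                if y < threshold(stake, total):
                    won[p] += 1
                    outputs.append(y)
                    keys[p] = evolve_key(keys[p])  # rotate after publishing a block
        seed = next_epoch_seed(seed, outputs)
    return won
```

Running `simulate({"alice": 50, "bob": 40, "carol": 10}, 10, 100)` gives each party a block count close to its stake share of the 1,000 slots.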