Proof of Stake Design Philosophy

Vitalik Buterin
2022-08-15 16:53:23

Author: Vitalik Buterin

Original Title: "A Proof of Stake Design Philosophy"

Publication Date: December 29, 2016

Systems like Ethereum (and Bitcoin, NXT, Bitshares, etc.) are a fundamentally new class of cryptoeconomic organisms: decentralized, jurisdictionless entities that exist entirely in cyberspace, maintained by a combination of cryptography, economics, and social consensus. They are somewhat like BitTorrent, but not quite, because BitTorrent has no concept of state, a distinction that turns out to be crucially important. They are sometimes described as decentralized autonomous corporations, but they are not quite corporations either: you cannot hard fork Microsoft. They are somewhat like open-source software projects, but not entirely: you can fork a blockchain, but not nearly as easily as you can fork OpenOffice.

These cryptoeconomic networks come in many flavors, such as ASIC-based PoW, GPU-based PoW, naive PoS, delegated PoS, and hopefully soon Casper PoS, and each flavor inevitably carries its own underlying philosophy. A well-known example is the maximalist vision of proof of work, where "the" correct blockchain, singular, is defined as the chain that miners have burned the largest amount of economic capital to create. Originally a mere intra-protocol fork choice rule, this mechanism has in many cases been elevated to a sacred tenet; see this Twitter discussion between Chris DeRose and me for an example of someone seriously defending the idea in its pure form, even in the face of hard forks that change the hashing algorithm. Bitshares' delegated proof of stake presents another coherent philosophy, where everything again flows from a single tenet, but one that can be stated even more simply: shareholders vote.

Each of these philosophies, Nakamoto consensus, social consensus, and shareholder voting consensus, leads to its own set of conclusions and to a system of values that makes quite a bit of sense when viewed on its own terms, although each can certainly be criticized when compared against the others. Casper consensus has a philosophical underpinning too, although it has so far not been articulated as succinctly.

I (Vitalik Buterin), Vlad, Dominic, Jae, and others each have our own views on why proof of stake protocols should exist and how to design them, but here I intend to explain where I personally am coming from.

I will list the observations first and then go directly to the conclusions.

Cryptography is truly special in the 21st century because it is one of the very few fields where adversarial conflict still heavily favors the defender. Castles are far easier to destroy than to build; islands are defensible but can still be attacked; yet an ordinary person's ECC key is secure enough to resist even state-level actors. Cypherpunk philosophy is fundamentally about leveraging this precious asymmetry to create a world that better preserves individual autonomy, and cryptoeconomics is, to some extent, an extension of it, except that this time the goal is to protect the safety and liveness of complex systems of coordination and collaboration rather than the integrity and confidentiality of private messages. Systems that consider themselves ideological heirs of the cypherpunk spirit should maintain this basic property: they should be far more expensive to destroy or disrupt than they are to use and maintain.

The "cypherpunk spirit" is not just idealism; building systems that are easier to defend than to attack is simply sound engineering.

On medium to long time scales, humans are quite good at consensus. Even if an adversary had access to unlimited hashing power and carried out a 51% attack on any major blockchain that reverted even the last month of history, convincing the community that this chain is legitimate would be much harder than merely outrunning the main chain's hashing power. They would need to subvert block explorers, every trusted member of the community, The New York Times, archive.org, and many other sources on the internet; in short, convincing the world that the new attack chain is the one that came first, in the information-dense 21st century, is about as hard as convincing the world that the US moon landings never happened. These social considerations are what ultimately protect any blockchain in the long term, regardless of whether the blockchain's community admits it (note that Bitcoin Core does admit this primacy of the social layer).

However, a blockchain protected by social consensus alone would be far too inefficient and slow, and it would be too easy for disagreements to drag on without end (though, despite all the difficulties, that has happened); hence, economic consensus plays an extremely important role in protecting liveness and safety in the short term.

Because proof of work security can only come from block rewards (in Dominic Williams' terms, it lacks two of the three Es), and miners' incentives can only come from the risk of losing their future block rewards, proof of work necessarily operates on a logic of massive hashing power incentivized into existence by massive rewards. Recovering from an attack in PoW is very hard: the first time it happens, you can hard fork to change the PoW function and thereby render the attacker's ASICs useless, but the second time you no longer have that option, so the attacker can attack again and again. Hence, the mining network has to be so large that attacks are inconceivable: attackers of size less than X are discouraged from appearing by having the network constantly spend X every single day. I reject this logic because (i) it kills trees, and (ii) it fails to realize the cypherpunk spirit, since the cost of attack and the cost of defense stand at a 1:1 ratio, so there is no defender's advantage.

Proof of stake breaks this symmetry by relying on penalties rather than rewards for security. Validators put money ("deposits") at stake and are rewarded slightly to compensate them for locking up capital, maintaining nodes, and taking extra precautions to keep their private keys safe, but the bulk of the cost of reverting transactions comes from penalties that are hundreds or thousands of times larger than the rewards they received in the meantime. The one-sentence philosophy of proof of stake is therefore not "security comes from burning energy" but "security comes from putting up economic value at loss". A given block or state has $X of security if you can prove that an equal level of finalization cannot be achieved for any conflicting block or state unless the malicious nodes complicit in the attempt pay $X worth of in-protocol penalties.

Theoretically, a colluding majority of validators could take over a proof of stake chain and start acting maliciously. However, (i) through clever protocol design, their ability to earn extra profit through such manipulation can be limited as much as possible, and, more importantly, (ii) if they try to prevent new validators from joining or execute a 51% attack, the community can simply coordinate a hard fork and delete the offending validators' deposits. A successful attack might cost $50 million, but the process of cleaning up the consequences would not be much more onerous than the geth/parity consensus failure of 2016. Two days later the blockchain and community are back on track, the attackers are $50 million poorer, and the rest of the community is likely richer, since the attack will have driven up the value of the token through the ensuing supply crunch. That is attack/defense asymmetry for you.
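The two paragraphs above define security as "economic value at loss" and describe deleting the offending validators' deposits. The following Python model is an added example, not code from the original post or from any Casper implementation, that makes both concrete. It assumes (the essay does not specify this) that a block is finalized once validators holding at least 2/3 of all deposited stake have voted for it, and that a validator that votes for two different blocks at the same height has equivocated and forfeits its whole deposit. Validator names, deposits and votes are constructed sample data. `security_of` computes the essay's "$X": the least stake that must equivocate before a conflicting block can reach the finality threshold; `detect_equivocations` and `slash` show the detection and penalty side.

```python
"""Toy model of proof-of-stake security as "economic value-at-loss".

Added example; not code from the original post or from any Casper implementation.
Assumptions not stated in the essay: a block is finalized once validators holding at
least 2/3 of all deposited stake have voted for it, and a validator that votes for two
different blocks at the same height has equivocated and forfeits its whole deposit.
Validator names, deposits and votes are constructed sample data.
"""
import math
from collections import defaultdict
from fractions import Fraction
from typing import Dict, List, NamedTuple, Set

FINALITY_THRESHOLD = Fraction(2, 3)  # assumed share of total stake needed to finalize


class Vote(NamedTuple):
    validator: str
    height: int
    block: str  # label of the block voted for at that height


def stake_for(block: str, height: int, votes: List[Vote], deposits: Dict[str, int]) -> int:
    """Total deposit of the validators that voted for `block` at `height`."""
    voters = {v.validator for v in votes if v.height == height and v.block == block}
    return sum(deposits[v] for v in voters)


def is_finalized(block: str, height: int, votes: List[Vote], deposits: Dict[str, int]) -> bool:
    """True once the block's supporting stake meets the finality threshold."""
    total = sum(deposits.values())
    return Fraction(stake_for(block, height, votes, deposits)) >= FINALITY_THRESHOLD * total


def security_of(block: str, height: int, votes: List[Vote], deposits: Dict[str, int]) -> int:
    """The essay's "$X": the least stake that must equivocate (and so be slashed) before a
    conflicting block at the same height can reach the finality threshold.

    Stake that has not voted for `block` can back a rival without penalty; whatever is
    still missing from the threshold must come from validators that vote twice.
    """
    total = sum(deposits.values())
    supporting = stake_for(block, height, votes, deposits)
    free_stake = total - supporting
    needed_from_equivocators = FINALITY_THRESHOLD * total - free_stake
    return max(0, math.ceil(needed_from_equivocators))


def detect_equivocations(votes: List[Vote]) -> Set[str]:
    """Validators that voted for more than one block at the same height."""
    seen: Dict[tuple, Set[str]] = defaultdict(set)
    for v in votes:
        seen[(v.validator, v.height)].add(v.block)
    return {validator for (validator, _), blocks in seen.items() if len(blocks) > 1}


def slash(deposits: Dict[str, int], offenders: Set[str]) -> Dict[str, int]:
    """Deposits after burning every offender's stake (the in-protocol penalty)."""
    return {v: (0 if v in offenders else d) for v, d in deposits.items()}


# Constructed scenario: six validators, total stake 100.
DEPOSITS = {"A": 30, "B": 25, "C": 20, "D": 15, "E": 5, "F": 5}

# Honest round: A, B, C, D (90 of 100) vote for block X at height 10, so X is finalized.
HONEST_VOTES = [Vote(v, 10, "X") for v in ("A", "B", "C", "D")]

# Attack: E and F back rival block Y, and A, B, C vote a second time, for Y.
ATTACK_VOTES = HONEST_VOTES + [Vote(v, 10, "Y") for v in ("E", "F", "A", "B", "C")]


def run_scenario():
    """Worked run: (X's security, whether Y got finalized, who equivocated, stake burned)."""
    x_security = security_of("X", 10, HONEST_VOTES, DEPOSITS)
    y_finalized = is_finalized("Y", 10, ATTACK_VOTES, DEPOSITS)
    offenders = detect_equivocations(ATTACK_VOTES)
    burned = sum(DEPOSITS[v] for v in offenders)
    return x_security, y_finalized, offenders, burned


if __name__ == "__main__":
    sec, fin, who, burned = run_scenario()
    print(f"security of X: {sec} units of stake must be put at loss to finalize a rival")
    print(f"rival Y finalized: {fin}; equivocators: {sorted(who)}; stake burned: {burned}")
    print("deposits after slashing:", slash(DEPOSITS, who))
```

In the constructed run, X is finalized with 90 of 100 units behind it, so any rival needs 57 units of double-voting stake; the attackers A, B and C supply 75 and lose all of it, while the honest validators keep their deposits. A block with less than a third of the stake behind it has zero security under this definition, which is the quantitative content of "security comes from value at loss": the number is the stake the attacker must forfeit, not the energy anyone burned.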

The above should not be taken to mean that unscheduled hard forks will become a regular occurrence; if desired, the cost of a single 51% attack on proof of stake can be set as high as the cost of a permanent 51% attack on proof of work, and the sheer cost and ineffectiveness of such an attack should ensure that it is almost never attempted in practice.

Economics is not everything. Individual actors may be motivated by extra-protocol considerations; they may get hacked, they may get kidnapped, or they may simply get drunk one day and decide to wreck the blockchain, whatever the cost. On the bright side, individuals' moral forbearance and communication inefficiencies will often raise the cost of an attack well above the nominal, protocol-defined value at loss. This is an advantage we cannot rely on, but at the same time it is one we should not needlessly throw away.

Hence, the best protocols are those that work well under a variety of models and assumptions: economic rationality with coordinated choice, economic rationality with individual choice, simple fault tolerance, Byzantine fault tolerance (ideally both the adaptive and non-adaptive adversary variants), Ariely/Kahneman-inspired behavioral economic models ("we all cheat just a little"), and ideally any other model that is realistically conceivable and practical to reason about. It is important to have both layers of defense: economic incentives to discourage centralized cartels from acting antisocially, and anti-centralization incentives to discourage cartels from forming in the first place.

Consensus protocols that run as fast as possible carry risks and should be approached very carefully, if at all: if the ability to be very fast is tied to incentives to be fast, the combination rewards very high, systemic-risk-inducing levels of network-level centralization (e.g., all validators running on the same hosting provider). Protocols that do not care much how fast a validator sends a message, as long as it arrives within some acceptably long interval (e.g., 4-8 seconds, since we know empirically that latency on Ethereum is usually around 500ms-1s), do not have these concerns. A possible middle ground is a protocol that can run very quickly but uses mechanics similar to Ethereum's uncle mechanism to ensure that the marginal reward for a node increasing its network connectivity beyond some easily attainable point is fairly low.

From here there are, of course, many details and many ways to diverge on the details, but the above are the core principles on which at least my version of Casper is based. From here, we can certainly debate the trade-offs between competing values. Should we give ETH a 1% annual issuance rate and accept a $50 million cost of forcing a remedial hard fork, or a 0% issuance rate and a $5 million cost of forcing a remedial hard fork? When should we increase a protocol's security under the economic model at the expense of its security under a fault-tolerance model? Do we care more about a predictable level of security or a predictable level of issuance? These are questions for another post, and the various ways of implementing the different trade-offs between these values are questions for yet more posts. But we will get there :)
