Slasher: A Punitive Proof-of-Stake Algorithm

The purpose of this post is not to say that Ethereum will use Slasher instead of Dagger as its primary mining function. Rather, Slasher is a useful construct to have in the arsenal in case proof-of-stake mining becomes significantly more popular or a compelling reason to switch emerges. Slasher could also benefit other cryptocurrencies that want to exist independently of Ethereum. Special thanks to tacotime for inspiration and Jack Walker for suggestions for improvements.

Proof-of-stake mining is an area that has long been of great interest to the crypto community. The first proof-of-stake-based coin, PPCoin, was released by Sunny King in 2012 and has consistently remained among the top five alternative currencies by monetary base since then. There’s a good reason for that. Proof of stake has many advantages over proof of work as a mining method. First of all, proof of stake is much more environmentally friendly. Proof-of-work requires miners to effectively consume computing power on useless computations to secure the network, whereas proof-of-stake effectively simulates that consumption, so no real-world energy or resources are actually wasted. Second, there are concerns about centralization. In proof-of-work, mining has essentially been taken over by specialized hardware (“application-specific integrated circuits”/ASICs), and there is a big risk that a single large company such as Intel or a major bank will effectively monopolize the market. Memory-hard mining algorithms like Scrypt and now Dagger greatly reduce this risk, but still not completely. Again, if proof of stake can be made to work, it is essentially a perfect solution.

However, there is one fundamental flaw in proof-of-stake as it has been implemented in almost every currency to date. As one prominent Bitcoin developer put it, “nothing is at stake.” The meaning of this statement becomes clear when we analyze what exactly happens when a 51% attack is attempted, which is the situation that any kind of proof-of-work-like mechanism is intended to prevent. In a 51% attack, an attacker A sends a transaction from A to B, waits for the transaction to be confirmed in block K1 (which has parent K), collects the product from B, and then immediately creates another block K2 on top of K containing a transaction that sends the same bitcoins, but this time from A to A. At this point, there are two blockchains, one from block K1 and one from block K2. If A can add blocks on top of K2 faster than the entire legitimate network can create blocks on top of K1, then the K2 blockchain wins and it is as if the payment from A to B had never happened at all. The point of proof-of-work is to ensure that a certain amount of computing power is required to create a block. Therefore, for K2 to outrun K1, the attacker needs more computational power than the entire legitimate network combined.

With proof of stake, creating a block requires no computing power. It requires money instead. In PPCoin, every “coin” has a chance per second of becoming the lucky coin that has the right to create a new valid block, so the more coins you have, the faster you can create new blocks in the long run. So, in theory, a successful 51% attack would not require more computing power than the legitimate network; it would require more money than the legitimate network. But here you can see the difference between proof of work and proof of stake. With proof-of-work, a miner can only mine on one fork at a time, so the legitimate network supports the legitimate blockchain, not the attacker’s. However, with proof-of-stake, as soon as a fork occurs, the miner has money in both forks at the same time, allowing the miner to mine on both forks. In fact, miners have an incentive to mine on both if there is even the slightest chance of a successful attack. If a miner owns a large amount of coins, they will want to oppose attacks to preserve the value of their coins. However, in ecosystems with small miners, where no single miner has much influence on the outcome and all miners act purely “selfishly”, network security could collapse in a classic public goods problem.


Some theorize that the above argument is fatal to all proof-of-stake, at least without a proof-of-work component to support it. And this has certainly proven true in situations where every chain knows only itself. But there is actually one clever way around this problem that hasn’t been explored yet: making chains aware of other chains. If a miner is then found to be mining on two chains at the same time, that miner can be penalized. However, it is not at all clear how to do this with a design like PPCoin. Here’s why: mining is a random process. In other words, a miner with a stake of 0.1% has a 0.1% chance of mining a valid block on top of block K1 and a 0.1% chance of mining a valid block on top of block K2, but only a 0.0001% chance of mining a block that is valid on both. And in that case, the miner can simply withhold the second block. Since mining is stochastic, the miner can still get 99.9% of the mining profits on the second chain.

However, the following proposal outlines an algorithm (we call it Slasher to express its harsh and punitive nature) that avoids this problem. The design description here uses address balances for clarity, but it can easily be adapted to work with “unspent transaction outputs” or other similar abstractions that other currencies may use.

  1. Blocks are mined using proof of work, with one modification. When creating a block K, the miner must include the value H(n) for some random n generated by the miner. The miner must claim the reward by releasing a transaction that reveals n between blocks K+100 and K+900. Proof-of-work rewards are very low, ideally incentivizing energy usage equivalent to about 1% of Bitcoin. Target block time is 30 seconds.
  2. Suppose the total money supply is M, and n[i] is the n value of block i. In block K+1000, address A with balance B gains “signing privileges” if H(n[K] + n[K+1] + … + n[K+99] + A) < 2^256 * 64 * B / M. Basically, an address has a chance to earn signing privileges proportional to the amount of money it holds, and on average 64 signing privileges are allocated per block.
  3. At block K+2000, miners with signing privileges from block K have the opportunity to sign the block. The number of signatures determines the total length of one blockchain versus another. A signature gives the signer a significantly larger reward than the proof-of-work reward, and this reward is unlocked at block K+3000.
  4. Suppose a user detects two signatures created by address A on two different blocks of height K+2000. That node can then issue a transaction containing these two signatures, and if that transaction is included before block K+3000, it destroys the reward for that signature and sends 33% to the user who reported the wrongdoer.
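Step 4 can be modelled as a small state transition. The sketch below is an added example, not code from the original post: the `Signature` record, the `pending` reward map and the status strings are hypothetical, and signatures are assumed to have been cryptographically verified already.

```python
from dataclasses import dataclass

UNLOCK_DELAY = 1000      # a signature at height K+2000 pays out at K+3000
REPORTER_SHARE_PCT = 33  # part of the forfeited reward paid to the reporter

@dataclass(frozen=True)
class Signature:
    signer: str      # address A holding the signing privilege
    height: int      # height of the signed block (K+2000)
    block_hash: str  # which block at that height was signed

def process_evidence(pending, balances, sig_a, sig_b, reporter, included_at):
    """Apply step 4. `pending` maps (signer, height) -> still-locked reward.
    Assumption: both signatures were already cryptographically verified."""
    if (sig_a.signer, sig_a.height) != (sig_b.signer, sig_b.height):
        return "rejected: different signer or height"
    if sig_a.block_hash == sig_b.block_hash:
        return "rejected: same block signed twice is not a double-sign"
    if included_at >= sig_a.height + UNLOCK_DELAY:
        return "rejected: reward already unlocked"
    reward = pending.pop((sig_a.signer, sig_a.height), None)
    if reward is None:
        return "rejected: no locked reward (already slashed?)"
    bounty = reward * REPORTER_SHARE_PCT // 100
    balances[reporter] = balances.get(reporter, 0) + bounty
    return f"slashed {reward}, bounty {bounty}"  # the remainder is destroyed

def demo():
    # Constructed sample data: signer "A" signs two blocks at height 2000.
    pending = {("A", 2000): 300, ("C", 2000): 300}
    balances = {}
    s1 = Signature("A", 2000, "block-on-fork-1")
    s2 = Signature("A", 2000, "block-on-fork-2")
    c1 = Signature("C", 2000, "block-on-fork-1")
    return [
        process_evidence(pending, balances, s1, s2, "R", 2500),  # valid evidence
        process_evidence(pending, balances, s1, s2, "R", 2501),  # replayed
        process_evidence(pending, balances, s1, c1, "R", 2500),  # two signers
        process_evidence(pending, balances, c1, c1, "R", 2500),  # no conflict
    ], pending, balances

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Popping the locked reward makes the evidence single-use, so replaying the same pair of signatures cannot pay a second bounty.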

The key to this design is how signing privileges are distributed. Signing privileges are determined based on the block 2,000 blocks ago, instead of being determined randomly based on the previous block. Therefore, in the case of a fork, a miner who gets lucky on one chain will also get lucky on the other chain, completely eliminating the stochastic dual mining attack that is possible with PPCoin. Another way to look at it is that Slasher uses the proof of stake from 2000 blocks ago rather than the current proof of stake, and since a fork almost certainly won’t last 2000 blocks, there is only one currency supply available to mine with, so there is indeed “something at stake”. The penalty of losing the block reward forces every node to sign only one block at each block number.
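The fork-independence argument above can be checked directly. The following is an added example, not code from the original post: it assumes SHA-256 for H, reads “+” in step 2 as byte concatenation, and compares the Slasher lottery with a simplified lottery seeded by the previous block only, on constructed chains and balances.

```python
import hashlib

SIGNERS_PER_BLOCK = 64  # average privileges per block, from step 2

def H(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the page's H; "+" is read as concatenation.
    return hashlib.sha256(data).digest()

def make_block(tag: str):
    """Constructed sample block: (commitment H(n), later-revealed n)."""
    n = H(b"secret:" + tag.encode())
    return (H(n), n)

def seed(chain, k):
    """Concatenate the revealed n values of blocks k..k+99, checking each commitment."""
    parts = []
    for commitment, n in chain[k:k + 100]:
        if H(n) != commitment:
            raise ValueError("reveal does not match commitment")
        parts.append(n)
    return b"".join(parts)

def has_privilege(seed_bytes, address, balance, supply):
    # H(seed + A) < 2^256 * 64 * B / M, rearranged to stay in exact integers.
    h = int.from_bytes(H(seed_bytes + address.encode()), "big")
    return h * supply < (1 << 256) * SIGNERS_PER_BLOCK * balance

def slasher_signers(chain, k, balances):
    """Signers of height k+2000, fixed by blocks k..k+99 (privilege gained at k+1000)."""
    s, supply = seed(chain, k), sum(balances.values())
    return {a for a, b in balances.items() if has_privilege(s, a, b, supply)}

def tip_seeded_signers(chain, balances):
    """Simplified stand-in for a lottery seeded by the previous block only."""
    s, supply = chain[-1][1], sum(balances.values())
    return {a for a, b in balances.items() if has_privilege(s, a, b, supply)}

# Constructed scenario: 2000 equal stakers, two forks sharing their first 150 blocks.
BALANCES = {f"addr{i}": 50 for i in range(2000)}
COMMON = [make_block(f"c{i}") for i in range(150)]
FORK_1, FORK_2 = (COMMON + [make_block(f"{t}{i}") for i in range(20)] for t in "xy")

def compare_forks():
    same_old = slasher_signers(FORK_1, 0, BALANCES) == slasher_signers(FORK_2, 0, BALANCES)
    same_tip = tip_seeded_signers(FORK_1, BALANCES) == tip_seeded_signers(FORK_2, BALANCES)
    return same_old, same_tip  # (True, False)

if __name__ == "__main__":
    print(compare_forks())
```

With the old seed both forks select the same signers, so signing on both forks means signing two blocks at one height; with the tip seed each fork runs an independent draw.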

The use of 100 pre-committed random numbers is an idea taken from provably fair gambling protocols. The idea is that powerful miners have no way of creating many blocks and publishing only those that assign signing privileges to their own stake, because when they create a block they do not know the other random data that will be used to determine the stakeholders.

This system is not purely proof of stake. Minimal proof-of-work is required to maintain the time spacing between blocks. However, a 51% attack on the proof-of-work is essentially inconsequential, because proof-of-stake signing is the only factor that determines which blockchain wins. In addition, proof-of-work energy usage can be reduced by 95-99%, solving the environmental problems caused by proof-of-work.
