The intent of this post is not to assert that Ethereum will substitute Dagger with Slasher as its primary mining methodology. Instead, Slasher serves as a strategic asset in our arsenal should proof of stake mining gain considerable traction or if a persuasive rationale emerges for a transition. Additionally, Slasher could also benefit other cryptocurrencies aiming to operate independently of Ethereum. Special acknowledgment to tacotime for some inspiration, and to Jack Walker for suggestions on enhancements.
Proof of stake mining has been an area of significant interest for the cryptocurrency community for an extended period. The first coin based on proof-of-stake, PPCoin, was introduced by Sunny King in 2012 and has persistently remained among the top five alternative currencies by market capitalization since that time. And this is justified; proof of stake offers several benefits over proof of work as a mining approach. To begin with, proof of stake is considerably more eco-friendly; while proof of work necessitates miners to essentially waste computational power on unproductive calculations to secure the network, proof of stake simulates this waste, ensuring no actual energy or resources are squandered in reality. Secondly, there are concerns regarding centralization. Proof of work has predominantly been controlled by specialized hardware (“application-specific integrated circuits” / ASICs), presenting a significant risk that a single dominant player like Intel or a prominent bank could monopolize the market. Memory-hard mining algorithms such as Scrypt and now Dagger partially mitigate this issue, but not completely. Once more, proof of stake, if effectively implemented, could be an almost flawless solution.
Conversely, proof of stake as currently executed in nearly all currencies exhibits a fundamental shortcoming: as one prominent Bitcoin developer articulated, “there’s nothing at stake”. The implications of this statement become evident when we scrutinize the dynamics involved during an attempted 51% attack, which proof-of-work mechanisms are intended to thwart. During a 51% attack, an attacker A transmits a transaction from A to B, waits for its confirmation in block K1 (with parent K), collects a product from B, and then promptly creates another block K2 atop K – including a transaction directing the same bitcoins back from A to A. At that moment, there exist two blockchains, one stemming from block K1 and another from K2. If A can append blocks to K2 at a faster rate than the entire legitimate network can add to K1, then the K2 blockchain will prevail – making it seem as if the payment from A to B never took place. The essence of proof of work is to necessitate a certain computational effort to generate a block, so that for K2 to outpace K1, A would need to possess more computational power than the entire legitimate network combined.
In the context of proof of stake, creating a block does not require computational power – rather, it requires capital. In PPCoin, each “coin” has a probability per second of being the fortunate coin that earns the right to generate a new valid block, meaning the more coins one possesses, the swifter they can generate new blocks over time. Therefore, a successful 51% attack, theoretically, necessitates not greater computing power than the legitimate network, but more capital than the legitimate network. However, this highlights the distinction between proof of work and proof of stake: in proof of work, a miner can only mine on one fork at any given time, ensuring the legitimate network supports the authentic blockchain instead of an attacker’s chain. Conversely, in proof of stake, once a fork occurs, miners will hold capital in both forks simultaneously, thus allowing them to mine both forks. In fact, if even a remote possibility exists that the attack might succeed, miners have the incentive to mine on both. If a miner possesses a substantial number of coins, they will aim to counteract attacks to maintain their coins’ value; however, in an environment with numerous small miners, network security could potentially collapse due to a classic public goods dilemma, where no single miner has a significant influence on the outcome, leading every miner to act purely “selfishly”.
The Solution
Some analysts argue that the above reasoning could undermine all proof of stake, at least without a component of proof of work supplementing it. And within a framework where each chain is solely conscious of itself, this assertion is demonstrably accurate. However, a clever workaround actually exists, and it has largely gone unexamined: make the chain cognizant of other chains. Consequently, if a miner is discovered mining across two chains simultaneously, that miner can face penalties. Yet, how to accomplish this within a PPCoin-like framework is not straightforward. The rationale is as follows: mining is inherently a random endeavor. In other words, a miner possessing 0.1% of the stake has a 0.1% probability of mining a valid block on block K1, and a 0.1% probability of mining a valid block on block K2, but merely a 0.0001% probability of mining valid blocks on both. In such a scenario, the miner can simply withhold the second block – since mining is probabilistic, this allows the miner to still reap 99.9% of the benefits of mining on the second chain.
The subsequent proposal delineates an algorithm, which we have termed Slasher to reflect its strictly punitive nature, aimed at circumventing this predicament. The design description provided here utilizes address balances for transparency, but it can readily be adapted to function with “unspent transaction outputs,” or any other comparable abstraction utilized by other currencies.
- Blocks are mined through proof of work. Nevertheless, we introduce one adjustment. When establishing a block K, a miner must incorporate the value H(n) for some random n generated by the miner. The miner must claim the reward by submitting a transaction revealing n between block K+100 and K+900. The proof of work reward should be minimal, ideally promoting energy consumption equivalent to roughly 1% of that of Bitcoin. The target block interval is set at 30 seconds.
- Let’s assume the total monetary supply is M, and n[i] represents the n value at block i. At block K+1000, an address A with balance B acquires a “signing privilege” if sha256(n[K] + n[K+1] + … + n[K+99] + A)
- At block K+2000, miners holding signing privileges from block K are granted the chance to sign the block. The quantity of signatures will determine the comparative length of one blockchain against another. A signature will reward the signer with a significantly larger bounty than the proof of work reward, and this bounty will unlock at block K+3000.
- Imagine that a user identifies two signatures created by address A on two separate blocks with height K+2000. That user can subsequently publish a transaction containing these two signatures, and if this transaction is included prior to block K+3000, it eliminates the corresponding reward for that signature and grants 33% of it to the user who reported the cheating.
The crux of this architecture lies in how the signing privileges are allocated: rather than being randomly assigned based on the previous block, the signing privilege derives from the block two thousand blocks earlier. Thus, in the event of a fork, a miner fortunate on one chain will also correspondingly benefit on the other, entirely eliminating the probabilistic dual-mining threat possible with PPCoin. Another perspective is that since Slasher utilizes proof-of-stake-2000-blocks-ago as opposed to proof-of-stake at present, and given that forks will almost certainly not persist for 2000 blocks, there exists effectively one currency supply available for mining, thus establishing “something at stake.” The penalty of losing the block reward guarantees that each node remains diligent in signing only one block for each block number.
Employing 100 pre-committed random numbers is an idea borrowed from provably fair gambling protocols; the concept is that powerful miners are incapable of attempting to generate multiple blocks and publishing solely those assigning their own stake a signing privilege, as they remain unaware of what any other random data utilized in determining stakeholder status is at the time they produce their blocks.
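The commit-reveal of n, the privilege draw from the 100 revealed values, and the double-signing slash described above, as an added Python illustration that is not code from the post. It assumes a stake-proportional threshold (hash < 2^256 * B / M) because this page does not state the exact comparison, and stands in an HMAC under a constructed per-address secret for the real block signature.

```python
import hashlib
import hmac

REPORTER_SHARE_PCT = 33  # share of the forfeited bounty paid to whoever reports the double sign

def commit(n: bytes) -> bytes:
    """H(n) that the miner places in block K; n itself is revealed later (K+100..K+900)."""
    return hashlib.sha256(n).digest()

def reveal_ok(commitment: bytes, n: bytes) -> bool:
    """Check a reward-claim transaction: the revealed n must match the earlier commitment."""
    return hmac.compare_digest(commitment, commit(n))

def has_privilege(n_values: list, address: bytes, balance: int, supply: int) -> bool:
    """Signing privilege at K+1000 from sha256(n[K] + ... + n[K+99] + A).
    ASSUMPTION: the threshold is not stated on this page; the example uses
    hash < 2**256 * balance / supply, i.e. a chance proportional to stake."""
    if len(n_values) != 100:
        raise ValueError("privilege needs exactly the 100 revealed values n[K..K+99]")
    digest = hashlib.sha256(b"".join(n_values) + address).digest()
    return int.from_bytes(digest, "big") * supply < (1 << 256) * balance

def sign_block(secret: bytes, height: int, block_hash: bytes) -> bytes:
    """Stand-in signature (HMAC under a constructed signer secret) so the slashing
    check below has something to verify; a real chain would use a public-key scheme."""
    return hmac.new(secret, height.to_bytes(8, "big") + block_hash, "sha256").digest()

def slash(sig_a: tuple, sig_b: tuple, bounty: int, secrets: dict) -> tuple:
    """Evaluate a cheating report. Each sig is (address, height, block_hash, signature).
    Returns (forfeited, reporter_reward): the whole bounty is forfeited and 33% of it
    goes to the reporter only if both signatures verify, come from one address at one
    height, and cover two different blocks. Anything else slashes nothing."""
    (addr_a, h_a, blk_a, s_a), (addr_b, h_b, blk_b, s_b) = sig_a, sig_b
    if addr_a != addr_b or h_a != h_b or blk_a == blk_b:
        return (0, 0)
    for blk, s in ((blk_a, s_a), (blk_b, s_b)):
        if not hmac.compare_digest(s, sign_block(secrets[addr_a], h_a, blk)):
            return (0, 0)
    return (bounty, bounty * REPORTER_SHARE_PCT // 100)
```

Because has_privilege depends only on the 100 values from blocks K..K+99 and the address, two forks at height K+2000 yield the same privilege set, which is the property the post relies on.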
This system is not purely proof-of-stake; a minimal element of proof-of-work will be necessary to maintain a temporal interval between blocks. However, a 51% attack on the proof of work would be largely inconsequential, as proof of stake signing is the sole deciding factor regarding which blockchain prevails. Furthermore, energy consumption from proof of work can be reduced by 95-99%, addressing environmental concerns related to proof of work.