The purpose of this post is not to say that Ethereum will use Slasher instead of Dagger as its main mining function. Rather, Slasher is a useful construction to have in our war chest in case proof of stake mining becomes significantly more popular or a compelling reason is provided to switch. Slasher may also benefit other cryptocurrencies that wish to exist independently of Ethereum. Special thanks to Tacotime for some inspiration and to Jack Walker for improvement suggestions.
Proof of stake mining has long been a large area of interest for the cryptocurrency community. The first coin based on proof of stake, PPCoin, was released by Sunny King in 2012, and has consistently remained among the top five alternative currencies by monetary base since then. And for good reason; proof of stake has a number of advantages over proof of work as a mining method. First of all, proof of stake is much more environmentally friendly; whereas proof of work requires miners to effectively burn computational power on useless calculations to secure the network, proof of stake effectively simulates the burning, so no real-world energy or resources are ever wasted. Second, there are centralization concerns. With proof of work, mining has been largely dominated by specialized hardware (“application-specific integrated circuits” / ASICs), and there is a significant risk that a single large player such as a large bank will take over and de facto monopolize the market. Memory-hard mining algorithms like Scrypt and now Dagger mitigate this to a large extent, but still not perfectly. Once again, proof of stake, if it can be made to work, is essentially a perfect solution.
However, proof of stake, as implemented in almost all currencies so far, has one fundamental flaw: as a Bitcoin developer said, “there’s nothing at stake”. The meaning of the statement becomes clear when we try to analyze what exactly is going on in the event of a 51% attack, the situation that any kind of proof-of-work-like mechanism is intended to prevent. In a 51% attack, an attacker sends a transaction from A to B, waits for the transaction to be confirmed in block K1 (with parent K), collects a product from B, then immediately creates another block K2 on top of K, with a transaction sending the same bitcoins, but this time from A to A. At this point, there are two blockchains, one from block K1 and another from block K2. If B can add blocks on top of K2 faster than the entire legitimate network can create blocks on top of K1, the K2 blockchain will win, and it will be as if the payment from A to B had never happened. The point of proof of work is to make it take a certain amount of computational power to create a block, so that in order for K2 to outrace K1 B would have to have more computing power than the entire legitimate network combined.
In the case of proof of stake, it does not take computational power to create a block; instead, it takes money. In PPCoin, every “coin” has a chance per second of becoming the lucky coin that has the right to create a new valid block, so the more coins you have, the faster you can create new blocks in the long run. Thus, a successful 51% attack, in theory, requires not more computing power than the legitimate network, but more money than the legitimate network. But here we see the difference between proof of work and proof of stake: in proof of work, a miner can only mine on one fork at a time, so the legitimate network will support the legitimate blockchain and not an attacker’s blockchain. In proof of stake, however, as soon as a fork occurs, miners will have money in both forks at the same time, and so miners will be able to mine on both forks. In fact, if there is even the slightest chance that the attack will succeed, miners have the incentive to mine on both. If a miner has a large number of coins, the miner will want to oppose attacks to preserve the value of their own coins; in an ecosystem with small miners, however, network security potentially falls apart in a classic public goods problem, because no single miner has a substantial impact on the result and so every miner will act purely “selfishly”.
The solution
Some have theorized that the above argument is a deathblow to all proof of stake, at least without a proof of work component to help it. And in a context where every chain is aware only of itself, this is indeed provably true. However, there is in fact a clever way to get around the problem, one which has so far been under-explored: make the chain aware of other chains. Then, if a miner is caught mining on two chains at the same time, that miner can be penalized. However, it is not at all easy to do this with a PPCoin-like design. The reason is as follows: mining is a random process. That is to say, a miner with 0.1% of the stake has a 0.1% chance of mining a valid block on block K1, and a 0.1% chance of mining a valid block on block K2, but only a 0.0001% chance of mining a valid block on both. And in that case, the miner can simply hold back the second block; because mining is probabilistic, the miner can still gain 99.9% of the benefit of mining on the second chain.
The following proposal, however, describes an algorithm, which we call Slasher to express its harshly punitive nature, to avoid this problem. The design description given here uses address balances for clarity, but can easily be adapted to work with “unspent transaction outputs”, or any other similar abstraction that other currencies may use.
- Blocks are mined with proof of work. However, we make one change. When creating a block K, a miner must include the value H(n) for a random n generated by the miner. The miner must claim the reward by releasing a transaction revealing n between block K+100 and block K+900. The proof of work reward is very low, ideally encouraging energy consumption equal to around 1% of that of Bitcoin. The target block time is 30 seconds.
- Suppose the total money supply is M, and n(i) is the n value in block i. At block K+1000, an address A with balance B gains a “signing privilege” if sha256(n(K) + n(K+1) + … + n(K+99) + A) < 2^256 * 64 * B / M, and on average 64 signing privileges are assigned.
- At block K+2000, miners with signing privileges from block K have the opportunity to sign the block. The number of signatures is what determines the total length of one blockchain compared to another. A signature grants the signer a reward that is significantly greater than the proof of work reward, and this reward will unlock by block K+3000.
- Suppose that a user detects two signatures made by address A on two distinct blocks with height K+2000. That node can then publish a transaction containing these two signatures, and if this transaction is included before block K+3000, it destroys the reward for that signature and sends 33% to the user who ratted out the cheater.
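The three checks a validating node would apply under the rules listed above, as an added Python sketch that is not code from the original post or from any Ethereum client. It assumes that "+" in the formula means byte concatenation, that the K+100 to K+900 window is inclusive, and that signatures arrive already verified as (address, height, block_hash) tuples; all function names and sample values are hypothetical.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def reveal_ok(commitment: bytes, n: bytes, k: int, height: int) -> bool:
    """Step 1: H(n) was put in block K; n must be revealed in K+100..K+900
    (bounds taken as inclusive, an assumption)."""
    return k + 100 <= height <= k + 900 and H(n) == commitment

def has_signing_privilege(ns: list, address: bytes, balance: int, supply: int) -> bool:
    """Step 2: sha256(n(K) + ... + n(K+99) + A) < 2^256 * 64 * B / M,
    with '+' read as byte concatenation (an assumption)."""
    if len(ns) != 100:
        raise ValueError("need the 100 revealed values n(K)..n(K+99)")
    digest = int.from_bytes(H(b"".join(ns) + address), "big")
    # Cross-multiply by M so the comparison stays in exact integers.
    return digest * supply < (1 << 256) * 64 * balance

def slash(sig_a: tuple, sig_b: tuple, k: int, included_at: int, reward: int) -> tuple:
    """Step 4: each sig is (address, height, block_hash), assumed already
    verified cryptographically. Returns (signer_payout, reporter_payout)."""
    same_signer = sig_a[0] == sig_b[0]
    same_height = sig_a[1] == sig_b[1] == k + 2000
    distinct_blocks = sig_a[2] != sig_b[2]
    if same_signer and same_height and distinct_blocks and included_at < k + 3000:
        return 0, reward * 33 // 100   # reward destroyed, 33% to the reporter
    return reward, 0                   # no valid evidence: reward unlocks

if __name__ == "__main__":
    K = 5000                                          # constructed sample values
    ns = [H(b"constructed-n-%d" % i) for i in range(100)]
    print(reveal_ok(H(ns[0]), ns[0], K, K + 100))
    print(has_signing_privilege(ns, b"addr-A", 100, 6400))
    evidence = ((b"addr-A", K + 2000, b"blk-1"), (b"addr-A", K + 2000, b"blk-2"))
    print(slash(*evidence, K, K + 2500, reward=100))
```

An address holding M/64 of the supply always passes the threshold, and in general the chance of passing is 64 * B / M, which is where the average of 64 privileges comes from.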
The key to this design is how signing privileges are distributed: instead of the signing privilege being randomly based on the previous block, the signing privilege is based on the block two thousand blocks ago. Thus, in the event of a fork, a miner who is lucky in one chain will also be lucky in the other, completely eliminating the probabilistic dual-mining attack that is possible with PPCoin. Another way of looking at it is that, because Slasher uses proof of stake as of 2000 blocks ago instead of proof of stake now, and forks will certainly not last 2000 blocks, there is only one currency supply to mine with, so there is indeed “something at stake”. The penalty of block reward loss ensures that every node will take care to sign only one block at each block number.
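The fork argument above, as an added Python simulation that is not part of the original post. The tip-seeded lottery is a deliberately simplified stand-in for a PPCoin-like design, not PPCoin's actual kernel; the stake table, chain contents and function names are constructed for illustration.

```python
import hashlib

def sha(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def winners(seed: bytes, stakes: dict, supply: int) -> set:
    """Addresses A with sha256(seed + A) < 2^256 * 64 * B / M (integer form)."""
    return {a for a, bal in stakes.items()
            if int.from_bytes(sha(seed + a), "big") * supply < (1 << 256) * 64 * bal}

# Constructed data: 2000 equal stakeholders and a chain of per-block n values.
STAKES = {b"addr-%d" % i: 50 for i in range(2000)}
SUPPLY = sum(STAKES.values())
COMMON = [sha(b"n-%d" % h) for h in range(2000)]   # heights 0..1999, shared
FORK_1 = COMMON + [sha(b"n-fork-1")]               # block K1 at height 2000
FORK_2 = COMMON + [sha(b"n-fork-2")]               # block K2 at height 2000

def tip_seeded(chain: list) -> set:
    """Simplified PPCoin-like lottery: seeded by the chain's own latest block."""
    return winners(chain[-1], STAKES, SUPPLY)

def slasher_seeded(chain: list) -> set:
    """Slasher: signers of the next block (height K+2000) are drawn from
    n(K)..n(K+99), which lie in the prefix both forks share."""
    k = len(chain) - 2000
    return winners(b"".join(chain[k:k + 100]), STAKES, SUPPLY)

def compare() -> tuple:
    pp1, pp2 = tip_seeded(FORK_1), tip_seeded(FORK_2)
    s1, s2 = slasher_seeded(FORK_1), slasher_seeded(FORK_2)
    return pp1, pp2, s1, s2

if __name__ == "__main__":
    pp1, pp2, s1, s2 = compare()
    print("tip-seeded: lucky on both forks:", len(pp1 & pp2), "of", len(pp1))
    print("slasher:    lucky on both forks:", len(s1 & s2), "of", len(s1))
```

With the tip-seeded lottery only a small share of the winners on one fork also win on the other, so a double-signing penalty would rarely have anyone to catch; with the Slasher seed the two sets are identical, so every signer who signs both forks produces slashable evidence.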
The use of 100 pre-committed random numbers is an idea taken from provably fair gambling protocols; the idea is that powerful miners have no way of trying to create many blocks and publishing only those that assign their own stake a signing privilege, because they do not know what the other random data used to determine the stakeholder is when they create their blocks.
The system is not purely proof of stake; some minimal proof of work will be necessary to maintain a time interval between blocks. However, a 51% attack on the proof of work would be essentially inconsequential, because proof of stake signing is the sole deciding factor in which blockchain wins. In addition, the energy consumption from proof of work can be made 95 to 99% lower, resolving the environmental concern with proof of work.