Proof of Stake


However, there is one SHA256 alternative that is already here, and that essentially does away with the computational waste of proof of work entirely: proof of stake. Rather than requiring the prover to perform a certain amount of computational work, a proof of stake system requires the prover to show ownership of a certain amount of money. The reason why Satoshi could not have done this himself is simple: before 2009, there was no kind of digital property which could securely interact with cryptographic protocols. Paypal and online credit card payments have been around for over ten years, but those systems are centralized, so creating a proof of stake system around them would allow Paypal and credit card providers themselves to cheat it by generating fake transactions. IP addresses and domain names are partially decentralized, but there is no way to construct a proof of ownership of either that could be verified in the future. Indeed, the first digital property that could possibly work with an online proof of stake system is Bitcoin (and cryptocurrency in general) itself.

There have been several proposals on how proof of stake can be implemented; the only one that is currently working in practice, however, is PPCoin, once again created by Sunny King. PPCoin’s proof of stake algorithm works as follows. When creating a proof-of-stake block, a miner needs to construct a “coinstake” transaction, sending some money in their possession to themselves as well as a preset reward (like an interest rate, similar to Bitcoin’s 25 BTC block reward). A SHA256 hash is calculated based only on the transaction input, some additional fixed data, and the current time (as an integer representing the number of seconds since Jan 1, 1970). This hash is then checked against a proof of work requirement, much like Bitcoin, except the difficulty is inversely proportional to the “coin age” of the transaction input. Coin age is defined as the size of the transaction input, in PPCoins, multiplied by the time that the input has existed. Because the hash is based only on the time and static data, there is no way to make hashes quickly by doing more work; every second, each PPCoin transaction output has a certain chance of producing a valid proof, proportional to its age and how many PPCoins it contains, and that is that. Essentially, every PPCoin can act as a “simulated mining rig”, albeit with the interesting property that its mining power goes up linearly over time but resets to zero every time it finds a valid block.
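To make the per-second coinstake check concrete, here is an added toy simulation (my own code, not PPCoin's): the kernel hash covers only fixed data, the staked output and the timestamp, the threshold the hash must fall under is scaled by coin age, and an output's age resets once it finds a block. The STAKE_MODIFIER value, the byte layout, the Utxo class and the sample values are assumptions for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

# Constructed toy of the coin-age weighted check described above; not PPCoin's code.
# The 32-byte stake modifier stands in for the "additional fixed data" (assumed).
STAKE_MODIFIER = b"\x00" * 32
MAX_HASH = 2 ** 256

@dataclass
class Utxo:
    txid: bytes     # 32-byte id of the transaction that created the output
    vout: int       # output index within that transaction
    value: int      # amount held by the output, in toy PPCoin units
    created: int    # unix time at which the output came into existence

def kernel_hash(utxo: Utxo, timestamp: int) -> int:
    """SHA256 over fixed data, the output being staked and the current second.
    The staker controls none of these fields, so there is exactly one attempt
    per second per output: extra hardware buys no extra tries."""
    data = STAKE_MODIFIER + utxo.txid + struct.pack("<I", utxo.vout) + struct.pack("<Q", timestamp)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def coin_age(utxo: Utxo, timestamp: int) -> int:
    """Coin age = output size multiplied by how long the output has existed."""
    return utxo.value * max(0, timestamp - utxo.created)

def is_valid_kernel(utxo: Utxo, timestamp: int, target: int) -> bool:
    """Difficulty is inversely proportional to coin age, so the threshold the
    hash must fall under grows linearly with the output's coin age."""
    return kernel_hash(utxo, timestamp) < target * coin_age(utxo, timestamp)

def simulate(utxos, target, start, seconds):
    """Step time forward one second at a time. An output that finds a block is
    spent back to its owner by the coinstake transaction, so its age resets."""
    blocks = []
    for t in range(start, start + seconds):
        for u in utxos:
            if is_valid_kernel(u, t, target):
                blocks.append((t, u.txid.hex()[:8], coin_age(u, t)))
                u.created = t  # coinstake re-creates the output: age back to zero
    return blocks

if __name__ == "__main__":
    # Constructed sample: one large old output, one small output of the same age.
    utxos = [Utxo(hashlib.sha256(b"a").digest(), 0, 10_000, 0),
             Utxo(hashlib.sha256(b"b").digest(), 1, 100, 0)]
    target = MAX_HASH // (10_000 * 86_400 * 50)  # assumed toy difficulty
    for t, who, age in simulate(utxos, target, 86_400, 3_600):
        print(f"t={t}: output {who} staked a block with coin age {age}")
```

Running the sample shows the large output winning far more often than the small one, and each winner's coin age dropping back to near zero afterwards.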

It is not clear if using coin age as PPCoin does rather than just output size is strictly necessary; the original intent of doing so was to prevent miners from re-using their coins multiple times, but PPCoin’s current design does not actually allow miners to consciously try to generate a block with a specific transaction output. Rather, the system does the equivalent of picking a PPCoin at random every second and maybe giving its owner the right to create a block. Even without including age as a weighting factor in the randomness, this is roughly equivalent to a Bitcoin mining setup but without the waste. However, there is one more sophisticated argument in coin age’s favor: because your chance of success goes up the longer you fail to create a block, miners can expect to create blocks more regularly, reducing the incentive to dampen the risk by creating the equivalent of centralized mining pools.