This is a coin design that combines a lot of ideas to prevent common POW problems and enable it to function as a stable value currency (without any reference to fiat) instead of just an asset. It isolates the functionality of POS, VDF, POW, and DAG methods to optimize their individual potential.
Nakamoto consensus ("POW") is amazing in that it uses only 1 message per block (the solved block itself) from a single miner to show he won the election process, and to announce the difficulty for the next election. A sequence of these shows any newly-joining node which chain has had the fewest network partitions (the largest vote participation). In discussing distributed networks that need to reach consensus agreement to a fact, I say "vote" or "voter" instead of hash, stake, or node (of a distributed system of voting nodes, not blockchain nodes) because it immediately and more precisely conveys the goal of and commonality between these other terms. Traditionally (in a distributed network of nodes trying to reach consensus), voters need to register, prove their participation in each vote, and communicate back and forth to declare they agree on the consensus. This is an enormous amount of communication. In contrast, everyone in Nakamoto consensus immediately agrees to a block by seeing if the hash solved the puzzle, without registering (it's permissionless). POW replaces the communication complexity with local computing. As I discuss below, POW does not need to waste energy any more than the traditional method. Both require time. For a given amount of latency, more communication among more nodes requires more time. In POW terminology, a time cost enables a randomization in the election of a block leader with smallish likelihood of colliding with a concurrent winner. Instead of a communication overhead to prove unique identity and presence of nodes (in a traditional distributed network) during that time period, miners prove a hash cost. The hash cost is each hash's claim to unique identity. POW does not require the existence of electricity & depreciation costs. It works optimally on up-front equipment-only costs. This is the same as up-front stake costs except POW has a time cost where the equipment must prove its existence during the vote.
Stake in POS can have a cost and the initial stake itself can be created by POW. This proves unique identity, but it has no time cost that proves the identity voted only once during each vote. This inability results in complexity in PoS schemes. They have to bend over backwards to inject a source of randomness to elect a block leader, but a properly functioning election process generates its own randomness.
Time in distributed network consensus
In the next two paragraphs, a single hash (or the smallest unit of a stake) serves as a single "voting node" that's participating in reaching consensus. We can't identify individual "miners" or "stakers", so we treat individual hashes or stakes as "individuals" in the consensus vote.
Update:
CAP theorem & tradeoff triangle combined to show bandwidth is the limitation:
(C+P+PL) * N * LL = O
C & P are bytes per round per voting node to prove Consistency (Correctness) exists on the largest Partition of voting nodes.
PL = payload = txs / round / voting node.
LL = Low Latency = fast finality = Availability = Scalability = rounds/second
O = Overhead = bytes/sec required
Scalability trilemma's "security" means C & P are proven. N = number of nodes = number of independent voters with equal voting weight = decentralized. With non-equal weight it has lower decentralization but allows faster LL.
In POW, the C and P byte requirements are incredibly low at 1 header per round and needing only a few headers, and N (distinct miners) can be small. Mining is not necessarily decentralized but it does not need to be: the security is achieved by the profit motive of miners not wanting to lose more value in their equipment than they can gain by colluding. POW is able to move the C&P bandwidth requirements off the network to computation. This frees up O for transmitting more txs.
Older text:
In distributed consensus, the CAP theorem says we can't have Consistent data that is immediately Available to every node, and have network Partition tolerance all at the same time. If each variable can vary 0 to 1 from worst to best, you can think of this theorem as C*A*P = 0.5 so that one of them has to be 0.5 to enable the other two to be 1. This is not a literal mathematical fact but my way of thinking about how the variables are constrained. So we have to have a time cost (lower A) to get more Consistent data and more Partition tolerance.
The tradeoff triangle says we can't have fast finality (the C*A in CAP), Low Overhead (fewer bytes/second/transaction), and a large number of Nodes (voters) at the same time. To reveal if this is just a restatement of the CAP theorem I use (C*A)*1/(O/N) = 0.5 where P = 1/(O/N) = the inverse of Overhead per Node. This seems to be a claim that partition tolerance is easier with many voters (Nodes) and less communication (Overhead). If we require a given level of Consistency, we can use a higher time cost (1/A) to lower fast finality (C*A) in order to get higher attack tolerance (higher P = N/O). Time cost enables POW to maximize this ratio. This might be mathematized another way: C/T = O/N where T=1/A = time. Faster finality equals more communication per node. More completely:
Another limitation, again related to the CAP theorem, is the scalability trilemma which means we can't have scalability, security, and decentralization. It's a restatement of the tradeoff triangle where scalability means number of possible transactions which means lower communication overhead per transaction when given a limit on network bandwidth (which includes the time cost to validate). Decentralization simply put means many nodes and security means the finality in "fast finality" can be trusted.
By having a time-range in which a winner can be found, it's uncommon for two or more valid winners to announce themselves at about the same time. The size of the blocks and network latency place a lower limit on the time range a vote in POW needs to occur (to reduce the frequency of "simultaneous" winners).
Time isn't everything: In the above CAP and tradeoff triangle discussion, there's an assumption that Sybil attacks are not being performed. To some extent the nodes are assumed to be independent actors (or at least not colluding to attack the consensus results). The value cost of equipment stake or coin stake addresses the Sybil/identity/uniqueness problem. Time cost prevents the same identity (based on value) from double-voting based on time as opposed to faking identity to double vote.
Physics of randomness from POW & VDF equipment
POS without VDF faces a deep problem of where to get a random number for electing the winner in a consensus vote. Generating the random number is the reason POW equipment and VDF equipment (with POS) are needed. The number of options (states) needed to elect a winner is limited by physics to equipment efficiency*energy*time. POW has an efficiency loss at converting energy to hashes while VDF has an efficiency loss at ensuring a computation took a number of clock cycles, so it can be a lot more efficient in establishing consensus through random selection of a winner. The max number of states (at the quantum level) in the perfect POW or VDF equipment is energy*time/4/h, which is extremely small.
Decentralized consensus requires equipment that can change state. VDF clicks with time and POW generates a hash. VDF assumes there is a max clock rate which is a source of weakness in the conversion my argument depends on, but it may have a fundamental limit such as 10 GHz possibly radiating too much energy from the line traces in the ICs. Each hash is a unique identity that isolates the winner in both space (the location of the equipment) and time (which vote it won). The lowest theoretical energy cost per block to elect a winner is joules = 4*h*N/T where N = number of candidates in the election and T = how long the election takes. Presence of attackers does not increase this cost because there is no way to hash faster except to spend more upfront costs to have more equipment that can start with a different nonce. This is a cost which functions like a provable unique identity. The election's equipment cost is zero per election if there is a large number of elections for which the equipment is used. So protection against attacks is like a "potential" energy cost (stored, not wasted as heat except for the initial expense and consequent heat) to participate in elections, but the election cost is the "kinetic" (heat, aka randomization) cost of elections whose lower limit is 4*h*N/T. In other words, capital costs are the source of BTC's security, not rolling costs such as wasted electricity. This has been repeatedly shown in research such as this article, but popular twitter pundits do not seem aware of it.
In both POW and this POS-VDF-POW scheme, POW proves a unique identity. Using POW for identity in consensus allows temporary identities to vote by "off-chain" POW equipment. POS-VDF-POW uses POW to create a stake for the POS which becomes an on-chain identity. POW consensus voters are more like mercenaries than citizens. In a mature and ideal marketplace, which may likely be the case as we shift from rewards to fees, POW mining should be rentable (like a mercenary) which makes 51% attacks easy and profitable on their own in addition to enabling double-spending attacks.
By using stake derived from the cumulative hashes (aka cumulative difficulty) in the coin's past (as opposed to current POW hashrate (difficulty) for say 6 blocks) as the proof of citizenship in each election, POS-VDF can require much more equipment "energy" (equipment plus electrical expenses) to establish unique identity for voting than POW. This is why it should be a lot easier to attack with 51% hashrate in POW than with 51% total hashes (stake) in POS-VDF, if all holders of the coin ("citizens") are voting (staking). Some day POW should be rentable.
BTW, POS without VDF requires time-locking the stakes to function like a VDF. It's inferior because it does not block long-range attacks.
Converting to a DAG
See https://github.com/zawy12/difficulty-algorithms/issues/40
Why coins lower hashrate to increase security
ASICs, botnets, NiceHash, and Merge Mining are examples of increased hashrate (HR) that usually decrease security. This is because security is based on:
(X equipment HR)/(non-X equipment HR) > 50%
Where X can be described as staked, non-colluding, or dedicated equipment. Coins do things to lower the non-X portion which decreases the total HR but increases security. To increase the X (to be sure it is "staked"), it might be morally or culturally motivated to not attack, but it's better if the X is at risk of loss in order to prevent 51% of the miners from naturally colluding (which can evolve without communication) to harm the other 49% and users (see next section).
It's difficult if not impossible to keep the non-X equipment portion low and to keep the X portion from colluding. All coins that do not depend on a central control system can be attacked (for example, the Chinese government could force its miners to harm BTC). If stake-based consensus were possible without its usual drawbacks, it could be much more reliable in keeping the ratio above 50%.
POW security comes from risk of equipment loss (not waste)
The "rolling costs" of equipment depreciation and electricity costs are not in the previous equation. They even decrease security by decreasing the reward+fees that miners can spend on equipment. This up-front cost keeps them dedicated, assuming they do not have a more profitable coin to turn to. If equipment depreciation could be minimized (Moore's law bypassed), even more value could be spent on up-front equipment costs. If large equipment owners attack the coin, and the coin is the largest for that POW, then their equipment value decreases (if the coin loses value due to the attack). This is why Chinese miners do not collude to do 51% attacks on BTC. All this can be summarized in a second equation that determines POW security.
(current+future equip value lost in attacking) > (attack profits)
If you do not agree with the above, here are appeals to authority (aka references):
A popular research paper last year and Nick Szabo have said pretty much the same thing.
Hashes/second is low-entropy/second production, not joules/second
It's clear you can spend more on equipment to spend less on electricity. Hashes do not theoretically require any energy, except for Bremermann's incredibly low physical limit (Energy per bit change = h/4/second => 1.5 watts to switch 100 quadrillion perfectly efficient transistors at 10 quadrillion Hz). This shows a measurable amount of energy is not fundamental to equipment operation, but only in manufacturing it, which is a value. Likewise in this new consensus mechanism, a "stake-rate" to replace hash-rate will not require energy, but it does require energy in its creation. Hashing looks for low-entropy solutions, so POW equipment is an engine that produces lower-entropy/second instead of joules/second. Hashing requires energy only because our equipment is not yet close to the ideal. Stake-rate in this system will also produce lower-entropy/second and it is already at the ideal. Wasted energy puts value on the chain. Low-entropy production produces consensus. BTW, lower entropy increases net available work (energy) in systems at a given temperature, so it may have a value that can be viewed as energy, but I think that's a red herring.
Replacing hash-rate with stake-rate by assigning stakes a time denominator
I've shown the perfect POW equipment does not waste energy other than in its creation, so that the hashes/time it produces can be equated to equipment value. I've shown stake value can't replace equipment value in solving the identity problem for voting. But we can look at the hash/time output of equipment and replace hash value with stake value and give the stake a time denominator by forcing it to be occupied (in time) during a vote to prevent double voting. To force stakes to be occupied, we need the VDF function in the next section. We can't simply use a time-lock or tighten the FTL and MTP limits on timestamps. There is a random number seed (and its modification during each block provided by the indeterminacy of the wide voting population) that needs to pass "through the stake-time marriage" during the vote (during the block-leader selection process).
Chia's use of VDF is Not Like This
Chia was started by BitTorrent creator Bram Cohen and has at least $3.3 M in funding. They are developing and paying $100,000 in competition for optimizing their Verifiable Delay Functions (VDF). A VDF requires many sequential steps that can go only as fast as the computer's clock. They are supposed to be the ultimate in non-parallelizable functions, except they also provide a way for validators to prove the "miner" (farmer) expended the time. I was directed to them after tweeting about the importance of time if we want to use stakes, and the VDF was exactly what I was looking for even though I did not know what I was looking for. All I knew is that I needed a time denominator to create stake-rate as opposed to hashrate. I was not even thinking about needing a way to validate a time delay and a random output as proof the delay was suffered. It helped congeal my thoughts and made this article possible, solving POW's 51% attack problems and greatly simplifying POS. But I am doubtful Chia's proof of space is as good as using POS.
Why stake-rate POW requires reversing Nakamoto consensus
The only working method of using VDF-delayed stake I could find required reversing the consensus process by starting with a nonce and ending with block creation. If it's not done this way, grinding attacks and/or contamination of the randomness occurs. From a theoretical standpoint, it had to be done backwards because POW takes time to prove equipment value. Time comes before the proof of value. But in stake-rate POW, the stake's proof of value must come before the time-delay calculation because we have to use the stake's quantity to determine how much time it should be delayed compared to other stakes of different quantity. Surprisingly, this conflict can be resolved by running the consensus backwards. In other words, we can view the consensus as going backwards in time, so that the time delay still comes "before" the proof of value, as in POW. But we still get to use the stake quantity to properly adjust the time delay.
BTW, doing block creation at the end allows the staker to create many different blocks quickly, but it does not allow a grinding attack because the block hash is not our seed for randomness. We use the output of the VDF as the seed for the next block. As in POW, our random adjustment to the previous seed comes from the population of value-weighted voters (hashers or stakers).
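A toy model of the ordering described above (seed first, then a stake-weighted delay, then block creation last), added here as an illustration and not the author's or any project's code. Assumptions: an iterated SHA-256 chain stands in for a real VDF (it is sequential but has no fast verification), the exponential delay rule in `required_steps` is one possible way to weight delay by stake, and all function names, staker names and the genesis seed are constructed.

```python
import hashlib
import math


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (unambiguous concatenation)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def required_steps(seed: bytes, staker: bytes, stake: int, base_steps: int) -> int:
    """Assumed delay rule: exponential draw fixed by (seed, staker), scaled by 1/stake.

    The staker cannot influence the draw, and a larger stake shortens the delay.
    """
    u = (int.from_bytes(H(b"delay", seed, staker)[:8], "big") + 1) / 2**64  # in (0, 1]
    return max(1, math.ceil(-math.log(u) * base_steps / stake))


def delay_output(seed: bytes, staker: bytes, steps: int) -> bytes:
    """Stand-in for a VDF: `steps` sequential hashes (no succinct proof)."""
    out = H(b"vdf", seed, staker)
    for _ in range(steps):
        out = hashlib.sha256(out).digest()
    return out


def elect(seed: bytes, stakes: dict, base_steps: int = 2000):
    """Seed -> stake-weighted delay -> leader. Returns (leader, steps, next_seed)."""
    steps = {s: required_steps(seed, s, q, base_steps) for s, q in stakes.items()}
    leader = min(steps, key=lambda s: (steps[s], s))  # first to finish its delay
    return leader, steps[leader], delay_output(seed, leader, steps[leader])


def make_block(seed: bytes, leader: bytes, next_seed: bytes, txs: list) -> dict:
    """Block creation is the last step; its hash never feeds the next election."""
    return {"leader": leader, "next_seed": next_seed,
            "block_hash": H(seed, leader, next_seed, *txs)}


def simulate(stakes: dict, rounds: int, seed: bytes = b"constructed-genesis-seed") -> dict:
    """Run consecutive elections, chaining each delay output into the next seed."""
    wins = dict.fromkeys(stakes, 0)
    for _ in range(rounds):
        leader, _, seed = elect(seed, stakes)
        wins[leader] += 1
    return wins


if __name__ == "__main__":
    stakes = {b"alice": 1, b"bob": 3, b"carol": 6}  # constructed sample stakes
    print(simulate(stakes, 2000))
    genesis = b"constructed-genesis-seed"
    leader, steps, nxt = elect(genesis, stakes)
    a = make_block(genesis, leader, nxt, [b"tx1"])
    b = make_block(genesis, leader, nxt, [b"tx2", b"tx3"])
    print(a["block_hash"] != b["block_hash"], a["next_seed"] == b["next_seed"])
```

Over many rounds each staker's share of wins tracks its share of stake, and two blocks built from different transactions carry the same `next_seed`, so re-creating the block gives the leader no influence over the next election.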
Splitting coin creation & consensus removes pool centralization
POW's proof of waste is still used in this scheme to put value on the chain. Splitting them has a tremendous benefit. It enables solo mining via self-mining txns that prevent the need for pools. See Coin Specifics section.
Do not pay voters to vote. Freedom isn't free.
Paying stakers to stake could cause an unwanted concentration of wealth, but there are other reasons to believe they shouldn't be paid, and shouldn't need to be. Cryptography enables security without cost. We don't have to pay for a vault. Similarly, I hope to show decentralized consensus without cost is possible, other than operating a node. If coin holders want to keep their value, they better run a node. "Freedom isn't free." Voters should vote. They are more honest if we don't pay them to vote, but we need to try to make it inexpensive to vote. The ethos in the community should be "run your own node, or the coin's going to be attacked." Schemes that do not need us to run nodes to cast our votes are schemes that sacrifice freedom (that is, they sacrifice decentralization).
Full-time staking might be motivated with 2% interest per year to off-set an across-the-board 2% demurrage, but I will not try to pursue that route. It might help prevent large stakers from concentrating wealth. It would act like an efficient lottery (your odds are even) for small coin holders (a few lucky small holders get a big payout while many unlucky ones lose the 2%).
Getting stable value by letting stakers be the Fed
Each block winner can increase or decrease the difficulty that is used for the self-mining txns (see below). This will indirectly determine coin emission rate. Ostensibly coin holders will set difficulty low to begin with to get coin cheaply and increase it later to limit coin inflation. So hopefully there will be a shift from "store of value" to "currency". I believe they will eventually decide on stable value. The emission rate should be more intelligent by letting coin holders dynamically determine it instead of arbitrarily setting it at coin creation.
Moore's law prevents us from using a constant difficulty to keep stable value. Difficulty increases precisely with price over the short term when coin emission rate is fixed. But due to the unpredictability of Moore's law and other advances, price would decrease if difficulty is constant for a long time due to inflation. We need an oracle to adjust for Moore's law and software changes. We do not want the centralization of off-chain oracles. Coin holders (stakers) may serve as an ideal decentralized oracle to make the adjustment on the chain as they are forming blocks.
A cryptocurrency has no inherent long-term value without stable value. A long-term holder (staker) realizing this will vote for stable value. If the majority of stakers try to increase the difficulty too much to get better returns, they will eventually lose value from insufficient users wanting to use it as a currency.
The coin's white paper and devs may need to only recommend that block winners set the difficulty to track constant value so that it always costs miners 1 dollar in terms of year 2020 to get 1 coin (stable value in terms of 2020 dollars). There may be a desire by purchasers and users for it to track the dollar even as the dollar slowly devalues so that a wider audience immediately has a reference for its value. But there's no mechanism for determining that desire and holders (stakers) would not be willing to respond to it anyway.
A stable-valued currency occurs when coin quantity remains proportional to GDP/velocity. For example, assuming constant velocity, if $1 B is spent a week and total coin quantity is $100 B, and if $2 B/week is spent a year later due to a larger GDP, then coin quantity should become $200 B or it will be valued 2x more, which is harmful to it as a currency because that would invalidate contracts (prices and wages) and law that are expressed in terms of the coin. I would like to incorporate this knowledge as part of the difficulty adjustment, assisting (or counteracting) staker decisions. If the txn volume per week per total coin qty is increasing, I don't have a metric to determine if the increase is from a real GDP increase or if velocity is increasing, so I don't know if coin emission rate should be higher or lower. If I knew, how is the target GDP/velocity chosen? How much should coin emission rate increase to avoid too much lag on the one hand and oscillations on the other? The fees on txns should discourage a manipulation of the metric with do-nothing txns. Transactions would be unconscious fee-weighted votes on a difficulty adjustment. Stakers could revolt by omitting txns, but that would destroy the value of their stakes.
The minimum unit should be 0.001 coin because 1/10th of a penny is dust and the txns/sec limitation in this technology is severe. This is the value of a Satoshi at 1 BTC = $100,000.
Part 2: reverse Nakamoto Consensus
This enables stake-rate to replace hash-rate. A Verifiable Delay Function (VDF) is used to get the time denominator for stake-rate. Since equipment value (hash-rate) requires time to prove its value during the vote, time comes before the proof of value. But stake value is used to adjust the time delay in stake-rate, so stake value comes before time. This prevents the value from demonstrating to the chain that it did not vote twice. This is remedied by doing the consensus backwards. This prevents problems normally seen in PoS