Proof of Work, Proof of Stake and The Bitcoin Halving

You probably know that bitcoin’s security system is called Proof of Work (if not, see here). It’s based on the idea that the amount of work required to attack the system is a deterrent. The costs you would incur from changing transactions that were processed several blocks ago, to either double-spend or to modify details of the embedded data, would be greater than the potential gain. The same applies to what you could gain from denial of service or consensus attacks. By requiring a lot of computer power, Proof of Work assures the integrity and security of the system.

But Proof of Work is not the only game in town. It may not even be the best one.

by Aditya Siva for Unsplash

What are the potential flaws in this system? For one, it consumes a LOT of electricity. A report came out recently suggesting that bitcoin mining (the generation of new bitcoins through successful block validation) will end up consuming as much electricity as Denmark by 2020. While this could well be exaggerated, it does help to envisage the scale of the energy needs. Some innovative ideas suggest that bitcoin mining rigs (the powerful computers used to generate new bitcoins and validate blocks) could simultaneously be used to heat buildings. There’s an ecological thought.

Two, imagine that electricity prices come down and computing power becomes more energy-efficient. And imagine that there are billion-dollar transactions on the network. It’s not hard to see that there would then be a strong economic incentive to try to change a previous transaction. The cost of engineering an attack on the system would not be so high. The cost of Proof of Work could cease to be a deterrent.

Three, given the current concentration of mining power in China, it’s not hard to see how a consortium could “break” the system by pooling their resources together. All an attacker looking to influence or change the course of the blockchain needs is 51% of the system’s computing power (different types of attacks could be pulled off with less). The top 3 mining pools in China hold 61%. And while there is no indication that they would ever do this (in fact, they have taken steps to dilute their power to avoid such doubt), it is technically possible. The incentives could be personal, or as a response to state pressure, or as a result of bribery, extortion or blackmail.

graph via blockchain.info

So what are the alternatives? One alternative used by some blockchains is Proof of Stake. While Proof of Work depends on computing power, Proof of Stake depends on the amount of the currency owned. In most Proof of Stake systems, a block validator “pledges” or “deposits” a certain amount of coins. That amount influences the likelihood of that validator processing the next “winning” block. While the reality is somewhat more complex than that, the premise is simple enough: to have a say in the development of the chain, you need to have a stake in the currency.

Proof of Stake has similar vulnerabilities to Proof of Work. But the likelihoods are lower, and the consequences very different. It is theoretically possible for an attacker to accumulate 51% of a cryptocurrency’s supply, especially in the younger, lower value currencies. In the case of Bitcoin, however, that would cost almost $5 billion at today’s price. And that’s assuming that the price holds still, which it obviously wouldn’t if someone started buying that many bitcoins. The real cost would be much, much higher. The bounty would have to be pretty spectacular to warrant that type of investment. Comparing this security with Proof of Work, it’s unlikely that accumulating 51% of Bitcoin’s computing power would cost anything like that. In this aspect, Proof of Stake would ensure greater security than Proof of Work.

Another shared vulnerability is that of centralization. As I mentioned before, Proof of Work tends to centralize through access to the “work” resources, specifically electricity (cheaper in some parts of the world than others) and computing hardware (more accessible in some parts of the world than others). Proof of Stake would centralize by making it easier for those with a higher stake to generate new coins through block validation. The higher your stake, or deposit, the easier the problem that needs to be solved. So the new coins tend to go to those who already have a high stake. But those who hold a large amount of the currency are more likely to act in the currency’s interest than those whose stake is high-powered computing equipment. Again, in this aspect, through the power of incentives (or disincentives), Proof of Stake would ensure greater security than Proof of Work.

And, it’s cheaper. Proof of Work implies a lot of computing power churning calculations and consuming electricity. Proof of Stake also uses resources, but fewer.

And, it’s more “democratic”. To mine bitcoins with Proof of Work, you need to invest in the equipment that can do the work. And you need to know how to operate and maintain it (or hire someone who does). It requires a significant initial outlay. With Proof of Stake, you need to buy the currency. That’s accessible to everyone. True, you need to have the funds and the tech knowledge to open a wallet, but it’s definitely easier.

Although it may sound like it, I’m not saying that Proof of Stake is better than Proof of Work. Conceptually, it has advantages. But practically, it hasn’t been tested at large scale. Technically, it is vulnerable to certain attacks (convoluted and rare, but a vulnerability is a vulnerability). And theoretically, on its own it isn’t ideal for consensus. Consensus is about everyone rapidly reaching a conclusion as to what is the “correct” chain. What’s to stop stakeholders from “betting” on multiple chains and thus reaching a stalemate? In its purest form, Proof of Stake is unlikely to work. The currencies that use it (Peercoin, BitShares, NXT, and Novacoin are a few) have each come up with ways to solve that problem, many of them using a combination of Proof of Work and Proof of Stake. Ethereum, the crypto-currency with the second-largest market capitalization, is planning to switch from Proof of Work to a Proof of Stake hybrid next year.

What does all this have to do with the halving?

First of all, what is the halving (sometimes called “the halvening”)? It’s when the amount of bitcoins that the block validators (the “miners”) get as a reward for processing transaction blocks is reduced by half. The bitcoin protocol has the reward falling by 50% every 210,000 blocks, to control the supply of bitcoins and permit a gradual tapering off of new coins as the limit of 21 million is approached (we have a way to go yet, that’s not expected until 2140). The last halving was in November 2012, when the reward fell from 50 bitcoins to 25. The next one is expected in mid-July of this year.
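The halving schedule described above, worked through as an added Python example (not part of the original post). It uses the post's figures of 50 bitcoins and 210,000 blocks, and assumes rewards are counted in whole satoshis (1 bitcoin = 100,000,000 satoshis) and halved by integer division, which is why the total ends up slightly under 21 million.

```python
COIN = 100_000_000            # satoshis per bitcoin (smallest unit)
HALVING_INTERVAL = 210_000    # blocks between halvings (figure from the post)
INITIAL_SUBSIDY = 50 * COIN   # first-era reward: 50 bitcoins (figure from the post)


def block_subsidy(height):
    """New coins, in satoshis, awarded to whoever mines the block at `height`."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:        # shifting further would be meaningless; reward is 0
        return 0
    return INITIAL_SUBSIDY >> halvings   # integer halving, remainder discarded


def total_supply():
    """Sum the reward over every era until it rounds down to zero."""
    total, era = 0, 0
    while (INITIAL_SUBSIDY >> era) > 0:
        total += (INITIAL_SUBSIDY >> era) * HALVING_INTERVAL
        era += 1
    return total


def schedule(eras):
    """(first block of era, reward in bitcoins) for the first `eras` eras."""
    return [(e * HALVING_INTERVAL, block_subsidy(e * HALVING_INTERVAL) / COIN)
            for e in range(eras)]


def last_rewarded_height():
    """Height of the final block that still pays a non-zero reward."""
    era = 0
    while (INITIAL_SUBSIDY >> (era + 1)) > 0:
        era += 1
    return (era + 1) * HALVING_INTERVAL - 1


if __name__ == "__main__":
    for start, reward in schedule(4):
        print(f"from block {start:>7}: {reward} BTC per block")
    print("total supply:", total_supply() / COIN, "BTC")
    print("last block with a reward:", last_rewarded_height())
```
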

And here’s the thing: in theory, the halving increases Proof of Work’s vulnerability. But not Proof of Stake’s. Or at least, by not nearly as much.

Why would Proof of Work be more vulnerable after the halving? Because if everything else remains the same, it will lead to increased centralization. With increased centralization, miners would find it easier to collude to distort the system and to control block creation. Why would that lead to increased centralization? Because with the act of validating the blocks suddenly so much less profitable, it is possible or even probable that many participants would drop out. If the marginal ones drop out, that concentrates power in the larger miners and in the mining pools.

However, that theory does not take into account price movements. A doubling of the price would offset the reduction in the number of bitcoins received as a reward. And the price of bitcoin has gone up considerably since the beginning of the year – up 60% at time of writing. Is that enough to keep validation profitable for the marginal miners?

That’s hard to say, and harder to maintain. Bitcoin’s price is relatively volatile. It went up sharply and quickly (90% of the increase has been over the past month!). It could fall sharply and quickly. It’s an unreliable metric to base predictions of mining profitability on.

With Proof of Stake as a consensus method, this would not be as much of a problem. Proof of Stake requires less computation power, and as such, lower hardware costs and lower electricity costs. With lower costs, a lower reward is not as punitive. Centralization is always a risk with Proof of Stake, as we saw above. But in this case it would not be because of a contraction in production.

Obviously, bitcoin is not going to switch to Proof of Stake or any of its derivatives any time soon. Proof of Work is so deeply ingrained in its protocol and its culture that a switch would be turbulent, to say the least (and the Core developers do not seem eager to embrace radical change of any sort). But the comparison of the two systems and the increasingly obvious flaws in the decentralization assumptions of the bitcoin design highlight that we are all of us still learning as we go along. Bitcoin and other alternative currencies are still an experiment. In the case of bitcoin, one that’s shown impressive reach, resistance, activity, support and real-world potential. But nevertheless, an experiment. And in the grander scheme of things, when it comes to attempts to profoundly change the way society works, seven years is not a very long time. It’ll be interesting to see what happens next.

(This post was originally published on LinkedIn. Sometimes I publish there first, sometimes here. Experimenting.)

What is Proof of Work?

Bitcoin uses Proof of Work to ensure blockchain security and consensus. Fine, but what does that mean?

“Proof of Work”, as its name implies, requires that the decentralized participants that validate blocks show that they have invested significant computing power in doing so. As we saw in “How does Bitcoin work?”, bitcoin validators (known as “miners”) compete to process a block of transactions and add it to the blockchain. They do this by churning enough random guesses on their computer to come up with an answer within the parameters established by the bitcoin program.

Hang on, that’s confusing. So, they wildly guess and hope that their resulting answer ends up in a certain range? Sort of. The main character in this game is called a “nonce”, which, for trivia lovers, is an abbreviation of “number used once”. In the case of bitcoin, the nonce is an integer between 0 and 4,294,967,296.

The other main character is a “hash”, which is an algorithm (= a really long and complicated formula) that converts any sequence of characters (it could be the word “dog”, or it could be an entire novel) into a string of 64 letters or numbers.

Hashes are a big part of what makes bitcoin secure. If you change so much as a comma in the text that is hashed (= has the algorithm applied to it), or if you so much as add a space, you get an entirely new hash. It could be a little different, or it could be very different, the outcome is random. Only it’s not really random, because every time you pass a particular text through a hash, you get the same string. If you change something, it’s different. For a given text, it’s always the same. Change one thing, and it’s not.

So, if you hash a real estate purchase agreement or a last will and testament or a stock purchase deal, and put that on the blockchain, no-one can change the details without everyone knowing. If a hash on the blockchain suddenly changes, things get messy. That’s what makes historical bitcoin transactions and records tamper-proof.

by Paulo Vizeu for Unsplash

Now, let’s leave hashes for a second. You have a block of transactions to process. You want to be the first one to process it, because then you get the “mining reward”. The “mining reward” is an amount of new, fresh bitcoins awarded to the first one to process a block. Fresh bitcoins are a good thing to have. So, how do you get them?

You know the hash of the previous block of transactions. That’s public information, it’s on the blockchain. That will form the beginning of your block of text. Next, you take the current block of transactions, the one you want to process, and add it onto the hash of the previous block. Your block of text is growing.

Now, you pick a nonce, the random number that we mentioned above, and add that to your block of text. You perform a hash of that block (= apply the algorithm to it), which now consists of the hash of the previous block + the transactions + a random number. The resulting hash needs to be a string that has a certain number of zeros in front of it.

That doesn’t sound too complicated, right? Well, bear in mind that to find the number, your computer has to perform approximately 10^21 computations. That’s a LOT. It takes on average 10 minutes to find a nonce that gives you the desired string. That is why it takes about 10 minutes to completely process a bitcoin transaction, to get it registered on the blockchain. There isn’t only one nonce that will do it, there are probably several, but you have no way of knowing what they are.

(And if you know your numbers and thought that the possible range for the nonce given above is not very large, you’re right. In most cases all possible nonces in that range won’t get you the hash you want. So then you go and change a second nonce that is buried in the block, incrementing it by 1 or whatever you want, and you start all over again. Complicated, huh? So the total number of possible nonces from the combination of the two is 4,294,967,296^2, which gives you a really huge number.)

Sometimes computing power improves and the pesky nonces are found increasingly quickly. If that happens, the difficulty is increased. This means that the number of zeros needed in front of the resulting hash for the block to be accepted is increased.

Given the immense amount of work that your poor computers have to do, you can see why this system is called “Proof of Work”.

How does that ensure security and integrity?

Imagine that you wanted to go back and change something in a transaction or a document registered on the blockchain a few blocks ago. As I explained above, if you change so much as a comma, the entire hash changes. And since that hash forms part of the next hash, that would change too. And so on. You would effectively have to re-mine every subsequent block. If one is difficult and expensive, how difficult and expensive would it be to successfully get several re-mined? Prohibitively so. Proof of Work helps maintain bitcoin transactions’ integrity.
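The mining steps and the tamper-evidence argument above, as an added Python example (not code from the original post, and not Bitcoin's actual implementation). It assumes a single SHA-256 over "previous hash + transactions + nonce", a toy difficulty of four leading zero hex digits, and constructed sample transactions; all function names are made up for this illustration.

```python
import hashlib

DIFFICULTY = 4            # leading zero hex digits required (toy value, an assumption)
GENESIS_PREV = "0" * 64   # placeholder "previous hash" for the first block


def block_hash(prev_hash, transactions, nonce):
    """Hash of: previous block's hash + this block's transactions + nonce."""
    return hashlib.sha256(f"{prev_hash}|{transactions}|{nonce}".encode()).hexdigest()


def mine(prev_hash, transactions, difficulty=DIFFICULTY):
    """Try nonces 0, 1, 2, ... until the hash starts with enough zeros."""
    nonce = 0
    while True:
        digest = block_hash(prev_hash, transactions, nonce)
        if digest.startswith("0" * difficulty):
            return {"prev": prev_hash, "tx": transactions, "nonce": nonce, "hash": digest}
        nonce += 1


def build_chain(tx_batches, difficulty=DIFFICULTY):
    """Mine one block per batch, each committing to the hash of the one before."""
    chain, prev = [], GENESIS_PREV
    for tx in tx_batches:
        chain.append(mine(prev, tx, difficulty))
        prev = chain[-1]["hash"]
    return chain


def first_invalid(chain, difficulty=DIFFICULTY):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block["prev"], block["tx"], block["nonce"])
        linked = block["prev"] == prev
        worked = digest == block["hash"] and digest.startswith("0" * difficulty)
        if not (linked and worked):
            return i
        prev = block["hash"]
    return None


def remine_from(chain, index, difficulty=DIFFICULTY):
    """Redo the work for block `index` and all later ones; return hashes tried."""
    prev = GENESIS_PREV if index == 0 else chain[index - 1]["hash"]
    attempts = 0
    for i in range(index, len(chain)):
        chain[i] = mine(prev, chain[i]["tx"], difficulty)
        attempts += chain[i]["nonce"] + 1
        prev = chain[i]["hash"]
    return attempts


if __name__ == "__main__":
    # Constructed sample transactions, one string per block.
    chain = build_chain(["alice->bob 5", "bob->carol 2", "carol->dave 1", "dave->erin 1"])
    print("untouched chain, first bad block:", first_invalid(chain))
    chain[1]["tx"] = "bob->mallory 2"                      # edit an old record
    print("after the edit, first bad block:", first_invalid(chain))
    chain[1] = mine(chain[0]["hash"], chain[1]["tx"])      # redo only that block
    print("after re-mining it, first bad block:", first_invalid(chain))
    print("hashes needed to repair the rest:", remine_from(chain, 2))
    print("fully re-mined chain, first bad block:", first_invalid(chain))
```

Each extra zero hex digit multiplies the expected number of guesses per block by 16, which is the knob the post calls "difficulty".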

It can also prevent double-spending attacks. Let’s say that you send bitcoins to one person. The person that you sent the coins to in the first transaction sees that you did that, and releases or sends the goods you wanted to purchase. A second later, you send the same bitcoins to another address that you own. Given bitcoin’s latency (it can take a few seconds for transactions to spread around the nodes, and your second one may arrive at some nodes before your first one), it’s possible that your second transaction gets processed and validated first. Your first transaction is invalid. Are you going to send back the goods? Probably not. This is why, if you are a merchant accepting bitcoin, it is advisable to wait for a few blocks to pile on top of the one that sends you the bitcoins, to make sure that yours is the one that got processed, not the “nice try!” fraudulent attempt by the sender.

Now let’s assume again that you’re an unethical bitcoin user (shame on you!). To make it likely that your block with the dodgy transaction is the one processed and added onto the chain, you would need to control over 51% of the validating nodes. If it weren’t for the amount of work that each validating node has to perform, you could create as many as you wanted. As many as you needed, in fact, to get 51% of the network. With Proof of Work, you simply can’t afford to. All of those nodes would have to, you know, do the work. There’s no way that the colossal cost would be compensated by the economic benefit.

What does that have to do with consensus?

For any system to work, you have to assume that at least half of the participants have good intentions. You don’t know who they are, though. With bitcoin, it doesn’t matter. Since there’s no way of knowing who the successful validator will be (because the successful choice of the necessary nonce is random), there’s a greater than 50% chance that it is an honest participant.

But that’s not really consensus, true. That’s where the concept of the chain comes in. In bitcoin you can assume that the longest chain, the one with the most blocks, is the “correct” one, and has the network “consensus” behind it. Why? Because the most work has gone into that chain. We’ve seen how each block requires a lot of computing power. So the one with the most blocks has the highest amount of accumulated work invested in it.

And bear in mind that since the blockchain is distributed amongst all participants, they all know what’s on there. If the validators are adding on to a chain, and if it is impossible to know who the validator is going to be, then we can safely trust that the longest chain has the network’s consensus.

If it turned out that we could not trust at least half of the bitcoin validators, and that there was a strong chance that bitcoin transactions could be filtered, manipulated or duplicated, we would pack up and go home and start work on a new system in which we could rely on that assumption. If that happened, all bitcoin validators would lose not only the value of the bitcoins that they hold, but also the investment they made in the super-fast computers that do the validating (and they’re not cheap). So, the network has an economic incentive to stay honest. The network needs the trust in the system to remain intact.

Another way in which Proof of Work helps consensus is the time it takes for each block to be validated. In 10 minutes, you can be reasonably sure that the latest blockchain has been propagated to all nodes. Everyone has had time to receive the updated version. That version has consensus.

by Aaron Li for Unsplash

Problem solved, right? Not so fast.

Let’s look at the drawbacks.

First, it’s inefficient. Imagine hundreds of computers all around the world churning power looking for a solution to a pointless puzzle. It sounds crazy, right? But the puzzle is only pointless in that it doesn’t solve anything. It just acts as a barrier. It does its best to make mining difficult, so that it would be expensive to fake.

Second, it’s expensive. Electricity costs. The super-fast computers cost. To compensate for the high cost of processing these blocks and churning computer power to find the elusive nonce, the first participant who finds the elusive nonce automatically gets a reward of new bitcoins. This is why the block processors are called “miners”. It’s almost as if they dig fresh “gold” out of the ground.

Third, the high cost is leading to centralization of bitcoin block processing. Remember how I said “hundreds of computers all around the world”? Well, they’re not really. Most of them are in China, where electricity is cheap. A kilowatt-hour in China costs $0.11, vs $0.18 in the US and $0.21 in the UK. In Spain, where I live, the variable rate for heavy users reaches almost $0.17/kWh. There are not a lot of miners in Spain (we had headlines just last week of bitcoin miners getting arrested for, among other things, stealing electricity from the neighbours to run their fast computers). Over 70% of bitcoin computing power (evocatively called “hashing power”) is in China.

So where does that leave us?

That leaves us with a secure and decentralized protocol that solves the problem of verifiable consensus, and incentives. It works. It’s not perfect, but so far it seems to be the best option available, at least for bitcoin. It’s not the only option, though, and we will soon look at alternatives, both conceptual and real. The number of blockchains out there is increasing, and each uses a different way of achieving security and consensus. Some are based on Proof of Work, some aren’t, and each has advantages and disadvantages. And if that weren’t confusing enough, there are more and more ideas emerging to improve on or even radically change the current Proof of Work system. Innovators don’t tend to sit still for long.