Forged, not Found (an orphan inclusion proposal)

The tip of the blockchain can be hardened through the inclusion of orphaned blocks that had valid stake but were not as timely as the blocks that made it into the chain. These orphans contain valid blockchain states which can be used against consensus when ignored, but could be used to strengthen consensus if included. By referencing these orphans twice, once upon initial inclusion and again upon redemption, we harden the tip of the chain against attackers.

An ‘orphan’ is determined as any valid chain state with lower chainweight than another valid chain state (dubbed the ‘main chain’) that has a most recent timestamp preceeding the timestamp of the block in the main chain at the same block height plus one. I.e. an orphan is found at the same height, but after the block that was chosen for the main chain, but before the subsequent confirming main chain block.

‘Inclusion’ of an orphan means referencing the block hash and its staking input as additional bits of information in the main chain at any block height after the orphan was produced. We may want to limit this to, say, 6 block depth. We could also impose a 1 block depth and only consider most recent orphans. This depth will be considered a secondary parameter.

‘Redemption’ occurs when an included orphan successfully mints and adds a block onto the main chain. When this occurs, an additional block subsidy is added as a reward for previous minting behavior when producing the orphan. We can assume that such a reward will motivate minters to always broadcast their orphans, even if they have no chance of them actually becoming main chain blocks. This incentivizes making such near-minting coinstake public and producing additional valid chainstates that are cross referenced in the chain. The magnitude of this redemption reward is also considered a secondary parameter.

The inclusion of an orphan will increase the chainweight of the including block. Each orphan will therefore contribute to chain security against private chain attackers who will not have access to these publicly broadcasted orphans when seeking to cause multi-block reorgs. The magnitude of this chainweight increase should be small, some fraction of a proof of stake difficulty point (such as +0.01 chainweight, or being dependent on the timestamp of the orphan), so as not to compete with the block height as a measure of chainweight in any real capacity. This additional chainweight should be seen as a critical parameter that will provide the quantitative benefit of this proposal as far as chain security is concerned.

By having many virtual chain states pointing back to the true chain state, this proposal hardens the tip of the chain against attack. While a private minter will be able to use privately found orphans to bolster an alternative chain history, they will be competing with the entire minting network producing orphans (especially if a 1-block chain depth orphan inclusion limit is introduced). An attacker with less than 51% of the minting power can be thwarted in this way.

While the security implications can be chosen via the critical chainweight parameter as being negligible or impactful, the resulting minter behavior will be fundamentally different than it is now. While we see ~1 orphan a day currently, under this proposal we should expect to see an orphan every block or so. It is worth stressing that these nearly-competitive valid coinstakes exist whether they are broadcasted or not, this is merely a way to publicize their existance. This proposal directly addresses the ‘nothing at stake’ concern by identifying alternative block histories and indexing them.

Finally, we can look at the economic and minter behavior implications of the redemption reward. More than likely, some static number will be chosen independent of coinage consumed, as no coinage is actually consumed in the production of the orphan. As such, it will likely be a static number, or a direct increase of the static component of the reward. For example, redeeming an included orphan may gain you 2x the static portion. In such case, and assuming an orphan is included every block, we could expect to see a direct inflation increase of 2x the static component, or 0.25%/year. As an alternative, we could directly increase the total block subsidy, coinage consumption included, by say 10%. The issue with such coinage-based redemption rewards is that the original orphan did not have as much coinage as the redeeming coinstake. As such, you could gain an unfair amount of block subsidy by intentionally creating orphans rather than real blocks, a possibility that we certainly do not want to encourage. An additional static reward per redeemed orphan up to the current static reward is therefore the limit of a safe policy. In determining this number, we should look to the knock-on implications to the minimum viable and ideal minting stake size that an additional static reward will generate. We could also simply reduce the static subsidy and give the difference to included orphans instead.

Hardening the chain tip will provide some wiggle room for faster finality, such as a faster 5 minute block time or fewer expected block confirmations.

This sounds like a much more robust proposal compared to your previous one, but I am a blockchain layman so I would be curious to hear what others think.

I only really have one question, and that is, would the inclusion of orphaned blocks affect the coin inflation rate?

We can choose how we want the redemption reward to be sourced. I address this in the second to last paragraph of the OP. Basically, we could increase inflation by like 0.05% or something, or just reduce the static reward by the same amount to keep it constant. It will certainly make things less predictable, so more variability in inflation for sure, but depending on our choices the magnitude of that variability could be low. I think my current favorite is to keep the current stuff the same and tack on an extra 0.05% annualized redemption reward per orphan.

There should be some attention paid to how to avoid ddos’s based on orphans. These are valid stakes, so the short term frequency of occurence is no big deal. Ideally, we would compare the timestamp of the orphan to the timestamp of he subsequent mainchain block. We should make sure it is trivial to check the hash validity and the timestamp.

On another note, it is temping to try to use the orphan list as a ban list of some kind. This is the key complexity of Nothing at Stake proposals, and constitutes our ‘awareness’ of potential reorgs. However, while I would not go so far as to say that chainweight adjustment is the only sufficient way to do this, one must be very cautious in banning alternative iterations of the chain, for fear of causing a network split. The potential history of chains is a labyrinth, and you do not want to commit to a dead end so suddenly. Rather, if we are to try to gain some additional sense of finality at the back end of the chain, we should look to the largest reorg depth as perhaps a source of inspiration, given its intrinsic relationship with weak subjectivity. So called “seen stake” proposals can build off of this list in complex ways to create networks of trust, if such a layer 2 solution is desired.

What is it exactly that is causing the number of orphans to increase under this proposal? Or are you saying that this large number of orphans has always existed, but under the current system the vast majority of them (99%) are simply never broadcast? If so, how come only one or two a day are currently broadcast and not all of them?

It’s kind of an existential concept because it is about the question of potential futures for the chain, what is the ‘real’ immutable record, and ultimately concepts of finality (which is why we have hope that this can be used to get faster blocks with quicker finality). The mint window for an active minter passes slightly after a block has been submitted at this height. If you receive that block, then you know it is futile to form a block as it will be orphaned, so you do nothing. If you didn’t receive that block yet, you will form your new block thinking you won a reward, but of course everyone else will orphan you because you didn’t get there quite in time. That is how it is now.

Under this proposal, you would see that you have no hope to won, but you would submit your block anyway, knowing it will be orphaned. It’s kind of an “also ran”-type prize. Once you do this, others can include your orphaned block in the chain and both of you will profit a little. This means there is an incentive to always broadcast the orphans even if they have no chance of winning.

The question comes down to why we would design a system in which this occurs. The trick is to know that the valid coinstake that was never formed into a block is still a threat to the network until it is buried in new blocks. Even if no one knows about it, it represents a hypothetical alternative chain tip that could be built off of to overtake the current chain. By incentivizing people to show their cards, per say, we can tie those orphans back in and have a concept of “seen stake”.

The ultimate question is how to use this process to truly “harden” the chain. On the one hand, we don’t want to make the chain less stable by creating ways that later blocks can orphan earlier blocks. On the other hand, we do want a chain with more included orphans to have a greater chainweight, ultimately.

With all of this in mind, I’m still working out the exact chainweight/difficulty modification method. I am leaning toward either a) increasing the chainweight a block or two after the orphan is included, or b) some kind of virtual difficulty whereby it is easier to mint with a “seen” stake, but it doesn’t affect the chainweight or difficulty, thereby driving up the difficulty a little bit on average.