PoS - How does it really work? Long and maybe confusing thread incoming ;)

[TL;DR]
Peercoin is awesome because of PoS! It is the future of crypto coins! Get Peercoins! The devil takes the hindmost!
[/TL;DR]

Full version:
I tried to explain Peercoin, especially PoS, to someone and found out that I don’t really understand how it works. And unfortunately I’m not good enough in coding to look in the source code for answers…

It might be helful (not only for satisfying my curiosity) if there is an explanation of how it works to which one can refer. I think an ELI5 explanation (for which a thread was created but never really finished) would be good as not anyone wants to understand things in detail. But a more detailed explanation might be useful, too.
How can you convince someone without being able to explain how it works? I rather want to persuade people from Peercin than to cajole them…

The Peercoin whitepaper says:

The proof-of-stake in the new type of blocks is a special transaction called coinstake (named after Bitcoin’s special transaction coinbase). In the coinstake transaction block owner pays himself thereby consuming his coin age, while gaining the privilege of generating a block for the network and minting for proof-of-stake. The first input of coinstake is called kernel and is required to meet certain hash target protocol, thus making the generation of proof-of-stake blocks a stochastic process similar to proof-of-work blocks. However an important difference is that the hashing operation is done over a limited search space (more specifically one hash per unspent wallet-output per second) instead of an unlimited search space as in proof-of-work, thus no significant consumption of energy is involved.
[...]
Minting based on Proof-of-Stake
A new minting process is introduced for proof-of stake blocks in addition to Bitcoin’s proof-of-work minting. Proof-of-stake block mints coins based on the consumed coin age in the coinstake transaction. A mint rate of 1 cent per coin-year consumed is chosen to give rise to a low future inflation rate. Even though we kept proof-of-work as part of the minting proc ess to facilitate initial minting, it is conceivable that in a pure proof-of-stake system initial minting can be seeded completely in genesis block via a process similar to stock market initial public offer (IPO). 

What really doesn’t explain how it works - at least not to me…

Here is what I (mis)understand (the result of grubbing lots of threads):

PoS minting uses coin-age to secure the block chain.

Coin-age is aggregated over time for unspent coins. It is determined by a timestamp that is saved together with the transaction.
For PoS you invest coin-age (can you say: you put it at stake? Or does this rather mean to risk them? In fact the only thing you risk losing is the coin-age…) whereas you invest hashing power for PoW.

Coin-age is consumed when generating a PoS block with this particular coin-age. Minimum coin-age for generating PoS blocks is one month (30 days? I bet it is a number of seconds :slight_smile: ).
The involved coins (the ones that are put at stake) are increased by the reward for putting them at stake (1% per coin-year?), transition to the status “immature” and mature after 520 blocks (as “generated” coins).
The coin-age counter is set to 0 for received coins. Is it 0 for generated coins as well (I bet so)?
Is there a maximum of coin-age that can be aggregated? I think so, because being involved in the PoS process needs to be incentivized. It is welcome to have a Peercoin client running with parts of the Peercoins at stake.
If the coin-age would be unlimited, it could be possible to attack the network with a small share of Peercoins which have had aged for aeons (just like Futurama-Fry’s 93 Cents on the bank account growing to Billions over time; ok, the metaphor doesn’t really work, but you know what I mean :wink: ).
So I assume the coin-age that can be aggregated is limited; but to which value (useful to know if you don’t want to lose a part of the possible PoS minting)?
Is the chance of generating a PoS block in a linear relation to the aggregated coin-age (up to the maximum if that exists)?
From the whitepaper I understand PoS as stochastical process. How can that be brought in line with the “hashing operation […] over a limited search space”, which sounds like generate hashing power by aggregating coin-age but not very stochastically.
As a stochastical process I explained it to myself as taking part in a raffle; total coin-age correlates to the number of raffle tickes in that analogy. In difference to most real-life raffles you don’t have to buy new tickets for each round of raffle, but once you won the lottery (PoS block solved -> coin-age consumed) your tickets are invalidated from taking part in coming raffles; you trade them for the win. But I have no clue about that “hashing operation over a limited search space” thing if it comes to lottery…

PoS consumes few energy because it operates in a “limited search space” (ok, I still don’t understand that, but it is in difference to PoW). I can confirm that PoS needs only few energy by having tested peercoind on a RaspberryPi. I was able to stake-mint without having more than some percent (roughly 20%) of CPU load, which is not much considering the total CPU power of a RaspberryPi.

PoS makes attacks of the blockchain less attractive than attacks on “PoW only” coins because you need a large share of all coins to make a successful PoS attack (which would work like a 51% PoW attack?). Gathering this large share is costly (unless max. coin-age is unlimited) and a successful attack renders those coins worthless or at least much less valuable.

The average generation time of a block in the Peercoin network is 10 minutes regardless of the type of block (PoW/PoS). This means the difficulty is not only based on the hashing power for doing the PoW but the coin-age taking part of the PoS process as well. What number of blocks is used to calibrate the difficulty?
The Peercoin network is intended to transition from a mainly PoW driven network to a mainly (or completely?) PoS driven network.
How is the block spacing determined once it is mainly PoS?
Is the difficulty then derived from the total of “one hash per unspent wallet-output per second” of all running Peercoin clients? How does the difficulty regulate the chance for generating PoS blocks?
What happens if lots of clients start PoS minting with age-old coins bringing lots of coin-age into play? Is this treated like lots of miners joining the PoW process?

I’m deeply sorry if this post confuses more than it helps understanding PoS. But I hope that somewhen, after having received lots of helpful answers, this might be useful enough to be integrated in peercoin.net.

Very interesting post. Subscribed.

Could we arrange a in-depth interview with Sunny to clarify these questions? Or perhaps the other PPC contributors in this forum can explain the process?

[quote=“ppcman”]I’m someone who bought PPC, let them age two months, saw no minting out of them, then sold them.

It was only 300 PPC and they were held in a ppcoind wallet (headless client on Linux).

I could find out no information from ppcoind on how old the coins were, when minting might begin. I think I found one command that said something like minting was set to true, but that’s it.

I now own a lot more PPC, and this time I’m using a Windows version of ppcoin-qt, which is unlocked for minting purposes. I’ll wait about 2 months before I check it.

Counters that record “failed minting attempts” or “coins eligible for minting” would be very helpful. Something that tells us if its currently working, or at least when it will be ready to start working…

Or something on the PPC block explorer that could look up a wallet address and perform these functions would be most helpful. Maybe if there was a tool on peercoin.net that could do this, if it couldn’t be added to the client that easily?

Finally, if none of this is possible, how about a PPC calculator, with odds or estimated situations? Something like the mining calculators out there?

Online calculator:

Enter amount of PPC in wallet
Enter amount days coins have aged
Anticipated Minted coin range to be expected (low) and (high)

This way people that buy 5 PPC could figure out what a conservative, or lucky result could look like…

OR someone who owns 500 PPC or someone who owns 5000 PPC

But since I’m still scratching my head figuring out minting until I’ve minted my first coin and understand how I did it, and why I was able to do it by reading debug.log – I’ll have to wait until someone else can explain things for me…

(BTW, I did RTFM, I’m just confused by what it says…)[/quote]Agree with you completely on all points. We will be adding many of that stuff in the future, but at this point it is just a waiting game. If you really want to see it move forward I suggest you just put a bounty on it.

Aha, well said. I did come up with a bunch of ideas, not sure which one is harder or easier than another.

Also when bounties are advertised, instead of one person offering a bounty, might be nice if everyone chips in whatever they want to donate. Like a Kickstarter campaign, only payable in PPC.

I believe the maximum coin age is 90 days.

Help needed. In-depth knowledge about PoS required! This post might sound a bit dramatically. Forgive me, I try to awake people :wink:
For those who don’t want to by confused by my thoughts, please read the bold paragraphs only!

I have another discussion going on regarding PoS and how it works. I’d really like to defend this concept better, but I lack the hard facts. Is anyone able to counter the allegation posted here with facts: https://bitcointalk.org/index.php?topic=326216.msg3527194#msg3527194 ?

Allegation (an attack vector based on creating fraudulent PoS blocks):
“If the attack is unsuccessful, the coin age is not consumed. It is therefore instantly reusable to attempt the attack again. So even if you have only a 1% chance of succeeding, you WILL succeed eventually.”

I’m sorry that I can’t disprove that. The allegation sounds reasonable to me; although you have a low chance of performing a successful attack with a minority of coins in the PoS process, the chance seems to exist. I don’t know enough about PoS to tell why this is wrong.
Do you need majority of coin-age being spent for bringing a fraudulent block into the chain? Or can you achieve it with a minority of coin-age?

I still don’t know whether coin-age is being capped at some point.
It would be good for the integrity of the PoS process if the coin-age was capped at some point (is it the 90 days that limits the coin-age?) and if you did need a majority of aggregated coin-age to create a PoS block.
By having a maximum coin-age that can be aggregated by a coin and by needing some relatively high minimum total amount of coin-age to practically be able to create a PoS block, you had some sort of defense against this attack (because you might need coinage from others to reach that minimum).
But this is completely theoretical. I stil understand creating a PoS block as a kind of raffle with coin-age being the tickets. From this understanding I consider a low-coin-percentage-attack being completely possible. But I don’t know enough about it. I can’t counter the allegation plausibly… I lack the knowledge to do so properly. Help would be very much appreciated.

Problem:
If we can’t defend PoS reasonably against those allegations, we can’t claim PoS being superior to PoW…

Possible solution:
Profound knowledge about the details of PoS!

Failure of PoS:
Allegation can’t be disproven; attack vector is existing.

Have you read the posts on this topic yet? http://www.peercointalk.org/index.php?topic=591.msg7635#msg7635
Does that help?

It helped. Wanna consider joining the discussion at https://bitcointalk.org/index.php?topic=326216.0
It might be crucial to reliably explain why PoS is at least as safe as PoW to finally attract people as this might be one of the biggest concerns for them…

You could argue that a 1-confirmation of ppc is somewhat weaker than 1-confirmation of btc. But that’s not necessarily a failure of proof-of-stake. Market should self adjust to a reasonable number of confirmations for comparable level of security to bitcoin. Keeping in mind, as number of confirmations increases, the difficulty of the attack increases exponentially, as demonstrated by Satoshi.

Also remember, in the longer term the security provided by proof-of-stake might exceed the security provided by proof-of-work. This is because the level of security provided by proof-of-work is dropping lower in terms of ratio to money supply, due to the reduction of inflation rate, whereas for proof-of-stake this level remains fairly constant in terms of ratio to money supply.

[quote=“masterOfDisaster, post:6, topic:648”]Help needed. In-depth knowledge about PoS required! This post might sound a bit dramatically. Forgive me, I try to awake people :wink:
For those who don’t want to by confused by my thoughts, please read the bold paragraphs only!

I have another discussion going on regarding PoS and how it works. I’d really like to defend this concept better, but I lack the hard facts. Is anyone able to counter the allegation posted here with facts: https://bitcointalk.org/index.php?topic=326216.msg3527194#msg3527194 ?

Allegation (an attack vector based on creating fraudulent PoS blocks):
“If the attack is unsuccessful, the coin age is not consumed. It is therefore instantly reusable to attempt the attack again. So even if you have only a 1% chance of succeeding, you WILL succeed eventually.”

I’m sorry that I can’t disprove that. The allegation sounds reasonable to me; although you have a low chance of performing a successful attack with a minority of coins in the PoS process, the chance seems to exist. I don’t know enough about PoS to tell why this is wrong.
Do you need majority of coin-age being spent for bringing a fraudulent block into the chain? Or can you achieve it with a minority of coin-age?

I still don’t know whether coin-age is being capped at some point.
It would be good for the integrity of the PoS process if the coin-age was capped at some point (is it the 90 days that limits the coin-age?) and if you did need a majority of aggregated coin-age to create a PoS block.
By having a maximum coin-age that can be aggregated by a coin and by needing some relatively high minimum total amount of coin-age to practically be able to create a PoS block, you had some sort of defense against this attack (because you might need coinage from others to reach that minimum).
But this is completely theoretical. I stil understand creating a PoS block as a kind of raffle with coin-age being the tickets. From this understanding I consider a low-coin-percentage-attack being completely possible. But I don’t know enough about it. I can’t counter the allegation plausibly… I lack the knowledge to do so properly. Help would be very much appreciated.

Problem:
If we can’t defend PoS reasonably against those allegations, we can’t claim PoS being superior to PoW…

Possible solution:
Profound knowledge about the details of PoS!

Failure of PoS:
Allegation can’t be disproven; attack vector is existing.[/quote]

In terms of ratio to money supply, will the ratio for PoW supply over PoS supply approach to around 1? Thanks!

[size=14pt]I found this image on the web of proof of stake earned in a ppcoin-qt wallet.[/size]

The receiving wallet address of this screenshot was PNywpYi6qMMQLTmE9f4bbM7diatb5Wvt8a

If he successfully minted 5.72 coins on 6/15/2013, and his coins were a minimum of 30 days old, he had around 14,000 coins in his wallet at the time of the successful mint.

I might completely wrong (oops?) … but this is what I have figured out in the last 3 minutes.

[size=10pt]It looks like he started successfully minting coins EVERY DAY! Sometimes he minted multiple coins in the same day! [/size]

Depends on the coin age. So who knows, right?

is there a way to have total amount of wallet always in PoS?
or else do we have to transfer it from wallet to wallet once (lets say) a month? :slight_smile:
yes, i haven’t understand anything about PoS!

[quote=“seki, post:13, topic:648”]is there a way to have total amount of wallet always in PoS?
or else do we have to transfer it from wallet to wallet once (lets say) a month? :slight_smile:
yes, i haven’t understand anything about PoS![/quote]

If I understand things correctly, the following statements are all true:

The coins in your wallet automatically earn Stake after 30 days if they sit there, and are not transferred out.

As soon as you transfer a coin, it loses its coin-age (or stake) and it resets back to 0 days again.

If you plan on spending some of your coins in the near future, you should keep some of them in your “reservebalance” so they don’t get used as stake during the minting process. Otherwise, you might have to wait 520 block confirmations to get access to your original coins that were used to mint new coins.

If I’m wrong, someone please correct me. Thanks.

Yep, that’s correct.

Initially, for my own use, I was going to set up a document that walked through the current setup for PoS on a PPCoin-QT wallet, and then a description and model of how PoS worked, in practice. As soon as I get a partial draft up, I’ll share it here, because I’d love for you all to validate that I’ve got it right. Expect something in the next day or two.

waiting :slight_smile:

It’s on my list to get finished off. I’ll see if I can spend some time this evening to get the initial content down.

It's on my list to get finished off. I'll see if I can spend some time this evening to get the initial content down.
Ben would love to see this as I prep for the London conference

I’ve posted the first (simple) draft and set of questions showing how Peercoins move through a Proof-of-Stake minting flow. Here’s the link to the topic:

I’d really like your feedback. Thanks!