Hey guys,
Gavin and others think that one mayor weakness of Peercoin is that it is possible to mint on several chains. Here is a quote from Gavin.
The trouble with Proof-of-stake is that there is nothing at stake." Consider the basic function of proof-of-work and the blockchain: together, they let the network come to a consensus when there are two (or more) different, competing chains. Miners must decide to dedicate their hashing power to just one chain-- they cannot "bet on" more than one. So their best strategy is to work on the chain that they think most other miners are working on, and that quickly drives the system to a consensus on a single, best chain. The trouble with proof-of-stake is there is no natural incentive stopping a miner from assigning their stake to multiple, competing chains. If you try to create such a system, you "go meta" -- you started by trying to solve the transaction double-spend problem (which proof-of-work and the blockchain handle nicely), and end up trying to solve a proof-of-stake double-spend problem.
I do not think that this is a problem, due to the fact that we have
- a duplicate stake detection.
- there is just a negligible incentive to mint on several chains
People are criticizing that the duplicate stake detection works just on the client level. Of course it would be favourable if we could prevent minting on multiple chains on a protocol level. My proposal will enforce a duplicate stake detection on a protocol level.
New Method: Voting on Blocks by Minting
The method voting on blocks by minting crossed my mind when I reflected Peercoin’s security. It is well known that the probability to conduct a double-spend successfully drops exponentially with the number of confirmation a client waits and does not correlate significantly with the time intervals between the blocks. From this point of view it would be favourable to make the blocktime interval as small as possible. Imagine Peercoin has a blocktime interval target of 1 min instead of 10 mins, this would imply that a attacker would have success probability of ~p^60 instead of ~p^6, if he wants to reorganize blocks produced in 1 hour.
But, from a technical point of view a blocktime interval of 10 mins is much more appropriated that a 1 min blocktime interval.
The solution for this dichotomy might work like this: We could introduce two PoSdifficulities. The first PoSdif1 is adjusted such that a valid kernel – a transaction output and a timestamp - is found every 10 mins in average. The owner of this kernel is allowed to build a new block. In contrast, the PoSdifficulty PoSdif2 is adjusted such that a valid kernel is found every 1min. The holder a valid kernel, such that PoSdif2 is met, is not allowed to construct a block. But he is allowed to vote on blocks. i.e. he is allowed to create a “voting transaction”, which sends his transaction-output, which found the kernel, to himself with an additionally annual reward. This transaction should also contain information about the valid timestamp of the kernel and the hash of the block this kernel is voting for.
Each time a new block is found, by a kernel meeting PoSdif1, all the voting transactions are collected. If the new block is build up on a previous block with the hash abc, all voting transactions for the block abc are allowed to be included into the new block. The chaintrust of this new blockchain should reflect how many votes are in this new block and how high the PoSdifficulties are.
bnChaintrust=(CBigNum(1)<<256) / (bnTarget1+1)+#Numberofvotes* (CBigNum(1)<<256) / (bnTarget2+1)
Here bnTarget1 is the Target for the PoSdif1 and bnTarget2 is the Target for the PoSdif2, just as in https://github.com/ppcoin/ppcoin/blob/master/src/main.h#L1269
From a security point of view, - I guess that- this new protocol behaves quite similarly as one would expected it from the Peercoin implementation with a block time interval of 1 min.
Using this technique, we can solve the dichotomy described above and thus improve the double-spend protection, while keeping a good blocktime interval.
But the mayor improvement would be that we could punish easily stakeholder minting on several chains. Imagine a stakeholder votes on two different blocks with the same kernel, by signing two voting transactions. Now a honest blockfinder could be allowed to include both voting transactions into his block. Then, every honest node sees that this kernel -transaction output - was used to mint on serveral chains. Thus, we can find a consensus on who tried to cheat. Having this consensus, we can punish these stakeholder. For example, we could freeze his account for 3 years, prohibit him to mint in these 3 years and disallow him get the annual reward for these 3 years.
I am not good at presenting new ideas, so please ask any questions, if something is not clear.
Under the bottom line this proposal has the following pros:
-improved doublespending protection
-punishment for minting on several chains
and cons:
-Peercoin’s complexity increases
-more minting outputs are used and thus a high percentage of coins might be in the 30 day maturing period.
I am curious about any comments!