# Proof Of Stake vs Proof Of Work

I’ve decided to write post about the differences between proof of stake (a protocol currently being used by Neo and being worked on by Ethereum), and proof of work (a protocol made famous by Bitcoin, and currently in use by coins like ZCash and Monero).  I felt motivated to write this post because there seems to be a bit of confusion when I talk with people about the proof of stake protocol as to what exactly happens.  Many I’ve talked with seem to view it as creating money out of thin air (as if mining wasn’t that already), or at the very least less secure than proof of work.

## Proof of Work

I believe people feel more comfortable with proof of work because it’s the simpler of the two protocols.  The idea is this: Your computer is going to try billions of different inputs to a hash algorithm (it’s going to put in work), and if it comes up with the right output (it’s proved that it’s worked on the puzzle sufficiently), you’ll be rewarded. Here is an example proof of work algorithm from the Ethereum cryptocurrency tutorial:

``````// The coin starts with a challenge
bytes32 public currentChallenge;
// Variable to keep track of when rewards were given
uint public timeOfLastProof;
//Difficulty starts reasonably low
uint public difficulty = 10**32;

function proofOfWork(uint nonce){
// Generate a random hash based on input
bytes8 n = bytes8(sha3(nonce, currentChallenge));
// Check if it's under the difficulty
require(n >= bytes8(difficulty));
// Calculate time since last reward was given
uint timeSinceLastProof = (now - timeOfLastProof);
// Rewards cannot be given too quickly
require(timeSinceLastProof >=  5 seconds);
// The reward to the winner grows by the minute
balanceOf[msg.sender] += timeSinceLastProof / 60 seconds;
difficulty = difficulty * 10 minutes / timeSinceLastProof + 1;
// Reset the counter
timeOfLastProof = now;
// Save a hash that will be used as the next proof
currentChallenge = sha3(nonce, currentChallenge, block.blockhash(block.number - 1));
}``````

If you were to mine this coin, you’d essentially send your input (nonce) to the proofOfWork function in this smart contract.  If your input is below the current difficulty level, and it’s been long enough since the last block was mined, you receive a reward, otherwise the function returns (that’s what the require statement does in solidity) and you try the next input you think might result in a sha3 hash below the current difficulty.  This is proof of work mining in a nutshell.

## Proof of Stake

Proof of stake has the same goal as proof of work: to achieve distributed consensus of the state of the blockchain.  Going back to the git perspective, both protocols are trying to select maintainers of the blockchain “branch” without allowing anyone too much control.  Proof of stake does this by substituting out hash power for economic power.  The more coins you have, the more likely you, or the block you’ve chosen, is to be used and the more you’ll be rewarded for it.  I believe cryptocurrency developers are moving in this direction because unlike proof of work, proof of stake has the added property that the more coins you’re holding, the more likely you are to act in solidarity with the will of the users of blockchain when selecting blocks.  In proof of work there is a tension between miners and users of the blockchain that may not exist in a proof of stake protocol (this is yet to be seen), as often the users will also be the validators (a miner in proof of stake is often called a validator).  There’s also the added benefit that proof of stake doesn’t cost millions of dollars in power and bandwidth every year to maintain the blockchain.

## Casper

Let’s use the Ethereum casper protocol as a detailed example for proof of stake, as this one seems to be getting so many people interested in what proof of stake is.

The casper protocol will involve a smart contract being deployed to the Ethereum blockchain.  An address interested in becoming a validator will send the amount of ETH they would like to stake on blocks to the smart contract.  The smart contract will then receive two messages from validator addresses, PREPARE and COMMIT.  Prepare is essentially a validator saying “I think this set of transactions should be the next block”, if one of these blocks attains a 2/3’s economic vote in the smart contract, it becomes a possibility for a COMMIT.  After the possible PREPARE blocks have been selected, validators vote on this set of blocks with the COMMIT message, once again, if 2/3’s economic vote is found on a COMMIT block, it will be added to the block chain and all the validators who took part in selecting this block will be rewarded for minting the block in proportion to the amount of ETH they deposited to the smart contract when joining the validator pool.  As far as I’m aware, there doesn’t exist a mechanism for selecting validators*, but it could easily be something like a random subset selection of all possible validators weighted by the amount of their deposit in each dynasty.

## Nothing to Stake

One of the problems with proof of work is the “nothing to stake” problem.  The idea is as follows: If I don’t have to compute any hard hash puzzles, why not bet on every block that comes my way? Since this incentive structure exists for everyone in a nothing to stake protocol, everyone decides to stake their hard earned crypto currency on every block.  Now we have no consensus, there are 50 different chains all growing at the same rate and all possibly legitimate because no one wants to take the lead and decide on one.  Also because of this lack of consensus, double spend attacks become much easier and more likely than they are on a proof of work protocol.

Ethereum’s casper protocol circumvents the nothing to stake protocol by locking the funds in the smart contract discussed above, only paying them out after a sufficient amount of time, and destroying the ether, or penalizing it, for various kinds of behaviour (to include malicious).

## Conclusion

I think people are uneasy about proof of stake due to a misunderstanding of proof of work more so than anything else.  As I stated in my git perspective of the blockchain the only reason miners exist is to act as the “maintainer” of the blockchain, and since we want this maintainer to change often, mining was used as a mechanism to distribute time as the maintainer evenly.  With proof of stake, the same thing is happening, it’s just the mechanism to choose maintainers is based on the amount of cryptocurrency a person holds, rather than their hash power.  The 51% attack we saw in the previous post  now becomes a 51% currency attack, whereby you’d have to own 51% of the cryptocurrency in which you’re attacking.  This is a presumably much more difficult feat to accomplish than purchasing 51% of the hash power.  In the currency case, you’ve just purchased 51% of the currency, all the while raising it’s market price and only have 49% of the rest of the currency to defraud, at which point, news will probably have broken that someone purchased 51% of the currency on the market, and the currency is now socially worthless.  In the case of proof of work, you just secretly buy more computing power, or bribe, or even hack existing mining pools, and rather than defrauding 49% of the currency you’re able to defraud all of it.

As you can see, we aren’t creating money out of thin air, at least in the casper protocol, there is a very real chance of losing your money, and your money is also stuck in the smart contract, so it’s no different than a government bond gaining interest, or mining for that matter.

Until next time!

* if someone has any information let me know.  There is a reddit discussion here, but since it’s a year old, I hesitate to trust it given how much Ethereum proof of stake has changed, this seems to suggest its proportionate to the ETH you deposit, Vlad also mentions it as a possibility here.  I looked briefly at the casper source code and didn’t see validator selection anywhere, but since I was brief, there’s a very good chance I wasn’t looking in the correct place.

## 7 thoughts on “Proof Of Stake vs Proof Of Work”

1. cpryke says:

“at the very least would make devising an anonymous proof of stake protocol much more difficult. ”
So how does PivX achieve this?

Like

1. It looks like PivX is using masternodes, which seems very insecure to me. Without looking into the details of the masternodes, if you’re able to hack into a majority, or even 1 (since they’re trying to fill the same niche as Dash) masternode, there is a severe drop in privacy.

Also, from their whitepaper: “The additional benefits of masternodes can lead to less number of users conducting Proof of Stake (PoS) mining activities and thus lowering the security of the PoS network” They even admit that users staking lowers the security of the network, which is what my intuition was telling me.

Like

Very informative article, much appreciate your analysis. While I understood the 51% PoW attack scenario, I hadn’t quite pieced together its equivalent in PoS. But this does indeed beg the question:

At only (relative to greater financial systems and whales, i.e. banks – looking at Jared Diamond right now) ~30Billion in total market capitalization, what is to prevent large vested interests from killing even the great crypto that is ethereum, should it suit their interests?

Being still in its relative infancy it seems a little premature to assume this wouldn’t or couldn’t happen when we compare crypto to economies of scale.

On a similar note, it seems to me like the giant farms that dominate bitcoin still don’t quite have the stranglehold on ethereum yet to pose a 51% PoW attack, as a large contingent are still relatively small operations spreading out and maintaining some semblance of decentralization. As far as pools taking on that role, I know I for one will jump ship from any of the major pool that creeps too close toward this threshold.

I think the risk of a bank/govt/ultra-rich secretly building giant farms to surreptitiously seize the 51% hashing power still a possibility, so the community consensus counter by watching a buyout is a legitimate check on that. I just feel at this time, it is a bit premature. Once tangible assets are built on ethereum, crypto debit cards, and other goods trading mechanisms cause ethereum’s value to make another exponential leap, its market capitlization will make it that much more difficult for a 51% PoS attack.

Like

1. I suppose that’s the question specifically for Ethereum’s PoS switch: Is the market cap of ether being staked equivalent to the amount of electricity currently being spent by miners?

I’m working on a follow up post exploring this idea. Particularly that of the total cost of electricity spent by miners as a sort of value investing indicator for the price of a cryptocurrency.

Like