Use Proof of Stake to influence which Bitcoin chain gets extended by Proof of Work in the following way. After each Proof of Work block, create a Proof of Stake block that commits to the Proof of Work block. The next Proof of Work block must satisfy a higher than normal difficulty target if it does not commit to this Proof of Stake block. As a result, mining in public takes place at a lower difficulty than mining secretly, and it is more difficult for large miners to censor transactions.
Proof of Work
Proof of Work has hardware gatekeepers and efficiency of scale that tend to centralize control of the ability to generate valid blocks. A mining hobbyist who buys electricity at residential prices to power a 10 terahash ASIC will pay much more than a vertically integrated industrial mining operation adding 10 terahash. Also, the retail user must pay hardware companies to construct ASICs, and thereby increase the power of those hardware companies.
As the ability to create valid blocks centralizes under the control of a few people controlling a large fraction of the hashpower, these people gain the ability to censor transactions by refusing to include them in blocks and by refusing or hesitating to build on blocks which include them. They also gain the ability to gain an unfair advantage or create mischief by mining valid blocks or chains and waiting before they publish them.
Proof of Stake
With Proof of Stake, whether you are staking your first $1,000 or your hundredth $1,000 — both are equally profitable. Complaints about Proof of Stake “favoring those with more resources” miss an important point. The proposed “more fair” alternative, Proof of Work, favors those with more resources much more due to the efficiency of scale. POW is similar to a POS system that periodically pays out 1% if you stake $1,000 but 3% if you stake $1,000,000.
With Proof of Stake, ordinary users need not pay a hardware gatekeeper. The “equipment” needed for staking would be Bitcoins, which are available to everyone, and cost the same to everyone.
Proof of Stake alone cannot secure a crypto currency because with POS it is cheap to generate a valid alternative history. Given a choice between two valid histories, a user is forced to fall back on external methods for coordinating with other users on which history to use going forward. In other words, they must rely on something else besides Proof of Stake.
Would it be possible, though, to use a combination of Proof of Stake and Proof of Work to achieve something better than Proof of Work alone?
Selecting a Minter
You don’t want miners to be able to stop people from becoming minters, so the transaction that qualifies you as a minters should be indistinguishable from any other transaction. You also don’t want miners to have multiple minted blocks to choose from, so it would be nice if only one Minter is valid during each round. However, you would also like to select someone who is likely to be an active participant.
As an initial stab at the problem, you could imagine scoring utxos by starting with the set of utxos that are less than 200 days old, and for each one hashing bytes representing the previous block hash, the txid and the vout representing the utxo, and then multiplying by the value of the utxo. Whatever utxo gets the highest score is the Minter. If they are not paying attention then no block will be minted during that round. Perhaps the key used to sign the minted block could be somehow committed to in the transaction that creates the utxo in a taprooty way that doesn’t increase the size of the transaction and allows the private key for minting to be different from the private key for spending.
Paying for Minters
Given Bitcoin’s issuance plan, the only way to pay people for Minting would be for them to collect transaction fees. Ideally, PoS blocks would have the ability to include ordinary transactions, but perhaps a 2 way pegged sidechain could work.
Selfish mining is discouraged by this scheme, assuming that the miner is not in control of the Minting utxo. Once a miner discovers a block, they should broadcast it immediately in the hopes that a Minter will build on it, because that is the most likely way their block will not go stale. A large miner trying to build a secret attack chain faces a higher than normal difficulty because they can create few or zero mint blocks in their attach chain.
Processing Censored Transactions
Transactions in minted blocks are curated by a much more diverse set of people compared with mined blocks. These people would be less likely to respond to coercion or to have a motive to censor transactions. Miners wishing to censor transactions must pay with a higher difficulty once the transactions are included in a minted block.
Some Comments on Design Choices
What we’re trying to do here is to have a random process (guessing a valid block hash) select exactly 1 output and give whomever controls it the ability to mint the next block. The reason you want to pick exactly 1 candidate is that you do not want the miners to have a choice about which PoS block to mine on top of. If there are two candidates, miners could choose the one they find most favorable. If miners have this power, then minters will have a reason to make their block favorable to miners, which defeats the anti-censorship benefit and dilutes the need for the miners to make their blocks public. As a strategy to get exactly 1 qualified candidate we are going to score all candidates and pick the one with the highest score.
It is true that during this scoring step it must be provable that there are no hidden candidates. If a candidate were hidden, it introduces the possibility that everyone will make a mistake about which candidate has the highest score. Hiding candidates, however, is not necessary in order to prevent the miners from censoring them. For example, if creating a bitcoin transaction makes you a candidate, then the only way miners could censor candidates would be to prevent everyone from making transactions except for the miner themselves. Obviously the miners are not going to want to do this, since if they did no one could buy and use the Bitcoins being mined.
I do worry about other things with this design though. For one, I worry that the scoring calculation would take a long time. Right now there are about 60 million utxos. A normal CPU could maybe do 30 megahash/s? So that means the scoring step takes around 2 seconds, and the utxo is likely to be larger in the future.
For another, I worry that many PoS blocks would simply never be mined, because the owner of the coins would not be paying attention.
The impact of these problems can be reduced making the set of candidates smaller than the full utxo set. For example, you could start with the utxos created in the last 200 days, sort them by size, and then pick from the largest utxo down until you had picked 50% of the satoshis — thereby truncating the “long tail” of utxos that have a low probability of having the highest score.
Two other ways participation might be improved:
- There is an incentive for keeping your node operational and monitoring the network. After all, you might win the lottery and get to mint a block.
- People could give their minting keys to 3rd party delegates, who could monitor the network on their behalf. (Less ideal, but let’s be realistic.)