Proof of Stake versus Proof of Work

Proof of stake is a consensus mechanism for digital currencies that is an alternative to proof of work used in Bitcoin. The main declared advantages of proof of stake approaches are the absence of expensive computations and hence a lower entry barrier for block generation rewards. In this report, we examine the pros and cons of both consensus systems and show that existing implementations of proof of stake are vulnerable to attacks which are highly unlikely in Bitcoin and proof of work approaches in general. Version History Version Date Change description 1.0 Sep 13, 2015 Initial version © 2015 Bitfury Group Limited Without permission, anyone may use, reproduce or distribute any material in this paper for noncommercial and educational use (i.e., other than for a fee or for commercial purposes) provided that the original source and the applicable copyright notice are cited. The underlying database structure for transactions of Bitcoin and other digital currencies is a decentralized ledger, called the blockchain, which stores the entire transaction history. The name stems from the fact that transactions are bundled into blocks; each block in the blockchain (except for the first i.e. genesis block) references a previous block. Each node participating in the Bitcoin network has its own copy of the blockchain, which is synchronized with other nodes using a peer-to-peer protocol1. Any implementation of digital currency must have a way to secure its blockchain against attacks. For example, an attacker may spend some money and then reverse the spending transaction by broadcasting his own version of the blockchain, which does not include this transaction; as security of the blockchain does not rely on a single authority, users have no prior knowledge as to which version of the ledger is valid. In Bitcoin, the security of the network relies on a proof of work (PoW) algorithm in the formof block mining. Each node that wants to participate in mining is required to solve a computationally difficult problem to ensure the validity of the newly mined block; solutions are rewarded with bitcoins. The protocol is fair in the sense that a miner with p fraction of the total computational power can win the reward and create a block with the probability p. An attacker is required to solve the same tasks as the rest of the Bitcoin network; i.e., an attack on Bitcoin will only be successful if the attacker can bring to bear significant computational resources. Operation of the Bitcoin protocol is such that security of the network is supported by physically scarce resources: • specialized hardware needed to run computations, and • electricity spent to power the hardware. This makes Bitcoin inefficient from a resource standpoint. To increase their share of rewards, Bitcoin miners are compelled to participate in an arms race to continuously deploymore resources inmining. While this makes the cost of an attack on Bitcoin prohibitively high, the ecological unfriendliness of the Bitcoin protocol has resulted in proposals to build similar systems that are much less resource intensive. One possible decentralized ledger implementation with security not based on expensive computations relies on proof of stake (PoS) algorithms. The idea behind proof of stake is simple: instead of mining power, the probability to create a block and receive the associated reward is proportional to a user’s ownership stake in the system. An individual stakeholderwho has p fraction of the total number of coins in circulation creates a new block with p probability. The rationale behind proof of stake is the following: users with the highest stakes in the system have the most interest to maintain a secure network, as they will suffer the most if the reputation and price of the cryptocurrency would diminish because of the attacks. To mount a successful attack, an Strictly speaking, there exist Bitcoin nodes that do not store the entire blockchain, but rather rely on simplified payment verification [1]. We don’t consider these nodes in the following research, as they do not contribute to the security of the network.