What have PoW and PoS in common and what is different
Bitcoin's Proof-of-Work (PoW) is the first network consensus that is used to come up to a single valid state of a ledger with nodes that are spread across a globe. As any technology can be improved also the network consensus can be improved in a way that it will be faster, more secure, decentralized, and consume less energy. Cardano's Proof-of-Stake (PoS) will be such a consensus. Let's have a loo
What is a network consensus and what are its key features
A plethora of individuals has become fond of blockchain technology, mainly owing to the decentralization aspect as it enables anybody to conduct transactions with other individuals, anywhere in the world, with no entity having sufficient power that can be used to block these transactions or enforce censorship. A decentralized system is generally a kind of system that lets the users make their own, individual, decisions. In such systems, there is no designated central authority making decisions in the name of all participants. Instead, each participant makes their own autonomous decisions pursuing their own self-interest that may collide with the goals of other peers. In an open, decentralized system, there are no limits or regulations for new users to access it. Likewise, any new participant can enter or leave the system at will.
In the ideal world, each participant would have the same piece of power in the decentralized system. It is not, however, achievable due to technical limitations and with the increasing number of new participants, the distribution of power complicates. In the world of the decentralized network protocols, the network consensus power is delegated to a few participants. So, there are more types of participants with different roles depending on the chosen network consensus.
The goal of the network consensus is to enable participants to continuously agree on the single version of the truth and keep history immutable. Participants try to continuously agree on a newer version of the truth through new blocks. Participants of the network consensus basically must agree on a new block that is to be added to the blockchain. Once a block has been added, nodes will continue with the same process again and they try to add another new block. The process repeats over and over. Thus, the blockchain constantly grows. It is needed to realize that participants of the network consensus maintain their own version of blockchain on their nodes. It is their version of the truth. They do it independently of each other. The network consensus is a mechanism that enables updating the blockchain in a way that the honest majority of nodes will have the same version of blockchain. It means that if a minority of nodes do not agree with a proposed block then the majority of nodes still progress with adding new blocks.
The term 'decentralized network' suggests that there is no single point of failure or no single point of decision. Every participant's node makes a decision autonomously and independently on the decision of other nodes. In the ideal case, each node in the network would be owned by an independent entity and has exactly the same decision power. It is, however, an unachievable goal. In the world of cryptocurrencies, the decision power can be bought. There is always a resource that can be bought what makes the power of an individual stronger. Both honest and fraudulent entities can buy the resource through fiat currency and thus gain a stronger consensus power. There is nothing that could prevent it at the moment.
Decentralization is a key feature of blockchain technology when we should talk only about open and public networks. The second most important feature is security. The protocol must be resilient to short-term attacks and keep the ledger immutable in the long term. In other words, the protocol must be able to prevent or be able to recover from short-term attacks. An attacker usually targets an ongoing network consensus and tries to gain a stronger consensus power than is the consensus power of all honest actors. The security model of a decentralized network is based on the assumption that it is expensive to acquire the majority of the consensus power. If the attacker is able to acquire the necessary amount of the consensus power then the attacker's wealth must be put into danger. Thus, it prevents the attacker to commit fraud since his or her wealth is put into danger.
Security must be considered from the two points of view. The network must be resilient not only to outside attacks like the well-known 51% attack but also to attacks from inside. Big pool operators form a few single points of failure. They can abuse their power to censor transactions or they are able to orphan blocks that have been created by smaller pools. They can even decide about the minimum size of transaction fees. They can abuse their power and dictate conditions for other smaller operators or users. Theoretically, they could even change the maximum supply of coins. Remember, that humans operate nodes participating in the network consensus, thus human decisions influence network security. Pool operators can change the source code of the client so they basically can change the rules of the protocol on their nodes. The rest of the full nodes would have to probably accept new rules.
Node's security might be compromised by a network attack or there might be pressure to node operators to act dishonestly. If an operator possesses significant decision power and is able to commit an attack then it is only about his or her decision to do so. If an adversary compromises the node's security then the node's decision power can be misused. In fact, security is very closely related to decentralization. A network is more secure the more is decentralized. The reason is that where there are more independent participants that make their own decisions and it is more difficult to compromise them. The sense of the decentralization is to minimize the single points of failure. Nowadays, we have very secure databases. They are fast and it is cheap to operate them. What is a problem here is the presence of administrator(s). They are single points of failure since any of them can compromise the database. In the cryptocurrency space, we strive mainly for decentralization, which is sufficiently secure at the same time.
The basic concept for the creation of a new block
It might be a surprise for you that Bitcoin’s PoW and Cardano’s PoS have one significant similarity. When a new block is to be created and added to a blockchain, there is usually one block producer and many validators. The role of block producer is rotated among a few nodes that are capable to do so.
Every full node is capable to validate a block, including the transactions in it, and make the decision about acceptance or rejection. Not every full node in the network, however, is configured to create new blocks. In both PoW and PoS networks, there are nodes of pool operators that have the role of block producers. With the increasing number of new users, there will always be fewer block producers than users that can have the role of the validator.
It can happen in a network that more blocks are produced in a short time and thus more blocks are received by validating nodes. Moreover, validating nodes might receive blocks in a different order due to network latency. It is caused by the fact that nodes are geographically distant from each other so block propagation takes different time. For example, a block created in the middle of Europe is likely to be propagated faster throughout Europe than it gets to the USA or China since it must travel a longer distance. Every node must deal with the situation autonomously and it does it by applying protocol rules that select the correct chain of blocks. A protocol is a set of rules that dictates what should happen in every expected situation. The decision about the winning chain of blocks is based on the next blocks that will arrive after the block that caused a fork. The fork is a description of the situation when there are more possible blocks that could be added behind a given block. Thus, there can be more chains of blocks and the protocol must be able to decide which chain will be the one that will represent the single version of the truth. The same version of clients (full node) has the same consensus rules. Thus, the majority of nodes tend to make the same decisions in the longer term. Once nodes receive more blocks the honest majority will select the same chain of blocks. Thus, nodes will maintain a single version of the truth in the longer term despite the fact that the version of blockchain might be different on nodes in the short term.
The speed of block propagation is critical mainly for nodes that produce new blocks. Such nodes need to receive the last block as fast as possible since they need to extend the blockchain. A node that wants to create a new block must firstly select a chain of blocks to which it appends a new block. It can be easy if there is only one chain of blocks or more difficult when there are more candidates. Once a chain of blocks is selected a new block can be produced and propagated to the world to other nodes.
How a block is created by Bitcoin’s PoW
As we said, the principle of one producer and many validators is the same for PoW and PoS networks. However, the details are significantly different. Let’s have a look at a PoW node that is configured to create blocks. Let’s add that it is a node of a pool operator.
- Creating blocks in the PoW system is an open competition between all pool nodes. Every node can produce a block after resolving the electricity-demanding math puzzle. Until a node does not receive a new valid block from a competitor it works on resolving the puzzle on its own block. The nodes select transactions from the mem-pool to insert them to a new block and begin with the work (solving the puzzle).
- If the node resolves the puzzle and no block from the competitors has been received then it propagates the block to the rest of the nodes. If it is the only block that was produced and there is no competing block that would be created at a similar time then the block will be added at the end of the blockchain and remains there forever. If there is the competing block then the next blocks will decide about the destiny of the block that was currently produced by the node. Let’s add that every node stops working on the current block and starts from step 1 if a valid block is received from the competitor. The reason is that the node must extend the longest chain. So the node must add a new block behind the received block from the competitor. The block has been added to the blockchain by all honest full nodes.
- Let’s assume that the node has propagated the block and there is no other competing one. Other nodes in the network are now in the role of validators. They receive the block and validate it. The block validation consists mainly of the validation of transactions and the validation of the proof that the node resolved the puzzle. The validation can be done within a second and if the block is valid then all honest nodes add it to the blockchain.
- Pool nodes create a new block immediately after receiving the valid block and start solving a new puzzle. The process is repeated from step 1. Full nodes just wait for another block. The node that has resolved the puzzle starts working on the new block as the first one. Others can begin after receiving the block and it depends on the network latency what will be the delay.
The creation of a new block and the validation process takes a second. Solving the math puzzle takes approximately 10 minutes (it can be an hour) and a lot of energy is consumed. For your imagination, currently, it is a similar amount of energy as it can be consumed by a medium-sized European state. The math puzzle has two purposes. The first one is the generation of randomness. It cannot be determined which node will find the solution of the puzzle first. Each node solves a different puzzle but the difficulty is the same. There is a high probability that the pool’s node that disposes of a high amount of hash rate will win. But it is just a probability, not a certainty. Generally speaking, the higher the hash rate a pool has for disposal the higher chance of winning it has. The second purpose is security. There must be a lot of electricity consumed in the PoW system to produce a block. Thus, it is financially expensive to produce a block. The network rewards a node that has successfully created a new block that remains in the blockchain forever. A reward is paid per block. If a block is not added to the blockchain since another on was then there is no reward for a pool operator. In the case of a fork, only one block can be added to the blockchain. Operators would like to see their block like a winner of a fork competition. Due to the high cost of block creation, operators are motivated to produce only valid blocks and do not cheat.
How a block is created by Cardano PoS
Let’s begin with a theory. In Cardano, time is divided into specific logical periods called an epoch. Each epoch is split into 21 600 time slots with each slot lasting approximately 20 seconds, therefore, each epoch lasts approximately 5 days. Rewards are paid off after the end of each epoch. At the beginning of each epoch, a snapshot of the blockchain is made to find out how the coins are distributed. The snapshot reflects the state of distributed staked coins in the last block 2 epochs ago. Here, the Follow-the-Satoshi mechanism is applied, in which each staked Lovelace (0,000001 ADA) is something like a winning ticket that could win the right to create a block. The more tickets the user has in the game, the higher the odds of winning. The snapshot is one of the inputs for generating randomness that is used to determine nodes that will obtain the right to create a block in a given slot.
Let’s now have a look at how a new block is produced via Cardano’s PoS Ouroboros consensus.
- If a particular node wants to partake in consensus, it has to connect to the network and synchronize the ledger. Afterward, the node is registered to the Global Clock function, which is utilized by the protocol for timing. Global Clock function provides the node with the information saying in which epoch and slot the ledger is.
- Before the beginning of any epoch, all slot leaders are drawn randomly by the network in a way that no one can foresee in which slots the nodes will get the right to produce a block.
- At the beginning of each slot, each node has to ask whether it is a slot leader for the current slot. The answer is provided through the Verifiable Random Function (VRF), which is based on modern cryptography. The node needs to send several inputs in order to get the response. The inputs are an actual slot index, timestamp, and the key of a given node. Random Oracle will take random “V” numbers that are included in the first 2 thirds of slots from the previous epoch, hashes them, and accordingly, a random seed is created. The last third of the blocks are not taken into account as these blocks do not have the necessary number of verifications and are still subject to change. Based on the inputs present in the query from the node, Random Oracle sends back to node the random “V” number.
- If the “V” number has a lower value than a certain threshold value, the node becomes the slot leader and can produce a new block. There are two important outputs stemming from VRF. Apart from the “V” number, a proof “P” is generated, which will be also put into the newly created block. Let’s assume that the node won the right to create a new block.
- From then on, everything is simple for the winning node. The slot leader selects transactions and inserts them into the new block. The slot leader adds “V” and “P” variables. Afterward, the node generates a new private key to sign the next block. The current key will be used to sign the current block. For that, Key Evolving Signature (KES) cryptography is used. KES allows keeping the same public key the same while a new corresponding private key can be generated over and over. So a new block can be signed by a private key that can be deleted right after that. Thanks to this measure, it is impossible to counterfeit the key, effectively making it impossible to rewrite the blockchain history as every block is signed by a unique private key. Only the node that has signed the block knows the private key that was used for the signature. It can be mathematically proved that even if the node made the key public or if the key was stolen and other nodes would follow with revealing the private keys, then if there are enough honest nodes in the network, the attackers cannot utilize the knowledge of the keys for their advantage.
- By combining “P” with “V” number, other validator nodes can easily verify, if the producer node truly had the right to create a block in the given slot. An adversary node, therefore, cannot randomly produce a block that would be accepted by others as it does not have a chance to generate the right combination of “V” and “P”, making it easy for other nodes to expose an adversary one. It is also easy to verify the block signature.
- If we are still in the same epoch the process continues by step 3 and a new slot leader is assigned the right to produce a new block. If the epoch just ended, then rewards are paid to stake-holders and the process continues by step 2.
As you can see the principle of having one block producer and many validators is the same as in the PoW network. The slot leader has to insert the cryptographic proof confirming that it got the right to produce the block and sign the block by a unique private key. Similarly, as in PoW, it is nearly impossible for the attacker to prevent adding new blocks into the blockchain, censors the transactions or commits the 51% attack.
Notice that the timing of the protocol is important for PoS. Nodes need to have a notion about the current epoch and slot. Thus there is the Global Clock function that provides the time service for all nodes. The Ouroboros protocol is able to assign a node the right to produce a new block. A node sends a query and gets a prompt response. In PoS there is no open competition between nodes that takes place in the PoW network. So to assign the node the right to produce a block can take just a second. That’s why Cardano’s PoS can have a significantly shorter block time. A new block can be created within a few seconds while it takes approximately 10 minutes in the Bitcoin network. User experience will be much better in the Cardano network since a transaction can be confirmed and settled within a very short time. We speak about tens of seconds at maximum.
Comparison of security of Bitcoin’s PoW and Cardano’s PoS
Once the slot leader is selected in PoS the block creation costs almost nothing. This introduces a famous Nothing on stake problem, where a malicious node can randomly try to create additional branches of the chain of any length just due to the fact that it costs nothing to create a block. As we have already explained, an adversary cannot randomly generate a random chain that would be based on the same genesis block since the set of slot-leaders is still the same from the beginning. Notice that every slot leader has two key-sets: its own private key as a node and a special block-signing key set that is derived from the private key. The node’s private key is used as input for the KES key generation. The adversary would have to somehow corrupt the real existing nodes that were leaders at that time and retrieve their keys that have been already deleted. The security of PoS fully relies on advanced cryptography. Key Evolving Signature allows a node to generate a new secret key before broadcasting the new block. Thus any secret key is used only once for the block signature and it is deleted after that. To recreate a private key would require the consumption of a huge amount of energy. The higher amount that is consumed for creating a single block in PoW. From the 51% attack’s perspective, the security of PoS is very similar to PoW. If the majority of consensus participants are honest then the blockchain remains immutable and secure. PoW network consumes energy to secure the blockchain as a part of the block creation while PoS uses cryptography. To break the cryptography would require a significant amount of energy to be able to recreate needed private keys that would enable the attack.
Security budget
Building a security budget is a requirement of public decentralized networks as they are inherently vulnerable to a 51% attack. The network is maintained by volunteers from around the world who are economically motivated to behave honestly. The attack is thus a matter of technical feasibility and cost. The vector of the attacks is obvious. Once the attacker has the necessary amount of money to buy a needed resource for the attack, he has a solid chance of succeeding since he can obtain a dominant position within the network consensus. So the question narrows down to how expensive the attack is.
In Bitcoin’s PoW the security budget consists of newly created coins and transaction fees:
SECURITY BUDGET = NEW COINS + TRANSACTION FEES
To motivate miners to behave honestly the security budget must be higher than the cost of mining to satisfy miner’s needs and provide margin. Let’s look at how high is the daily security budget:
HW COST + OPERATION COST ≤ SECURITY BUDGET
Let’s simplify the calculation to take into account a daily operation cost. Let’s neglect the price of the ASIC miner assuming that it can be hired or an attacker bought older devices. Do not take us wrong, the hardware cost might be significant but there are described attack vectors where an adversary can misuse the existing hash rate for the attack.
Bitcoin adds 144 new blocks to the blockchain per day. The reward for the block is 6.25 BTC in 2020 after the halving. So the network creates 900 new coins a day. The collection of fees per block is approximately 0,2 BTC, so in total it is ~30 BTC per day. The security budget of the Bitcoin protocol is ~930 BTC per day. The BTC price at the time of writing is $9,700 so the daily security budget of Bitcoin is approximately $9M.
As we said, an adversary needs the hardware for the attack so the cost of the attack is higher. Let’s now explain the security budget of Cardano’s PoS.
The Cardano network does not have to directly maintain a security budget to pay for its protection via block reward. Rewards are paid at the end of each epoch to all pool operators and stakeholders. The security budget is always present through all coins that are actually used for staking. It is a collection of ADA coins that are owned by pool operators and coins that are delegated to pools by stakeholders. The cost of the attack can be calculated like this:
COST OF ATTACK > ~STAKED COINS / 2
The adversary needs more than half of the staked ADA coins to be able to commit the attack. It can be assumed that the majority of the coins will be used for staking, but definitely not all coins. An adversary needs to buy ADA coins on the open market and it can be assumed that the demand would push the price higher. This would make the attack very expensive. Let’s now calculate the cost of the attack. At the time of writing, Cardano’s capitalization is approximately $2,100,000,000. Let’s assume that half of the ADA coins would be used for staking. It would be $1,050,000,000. The adversary would need at least $525,000,000 assuming that it would be possible to buy all ADA coins at the same price.
Both PoW and PoS rely on the market price of coins. Halving is a mechanism that halves the number of block rewards every 4 years. Thus the block reward is gradually reduced and it is expected that either the price will be so high that the security budget will be fine or transaction fees will cover the cost of mining. There is nothing like halving in Cardano. The new coins will be released in a few first years of the network running and then only transaction fees will be used for rewarding pool operators and stakeholders.
It is very expensive to keep the PoW network running in comparison with PoS. Thus, the PoS network is more likely to survive in the long term if there will be processed a sufficient amount of transactions. If it is the case then the transaction fees might be low and the network will earn a sufficient amount of ADA coins to reward pool operators and stakeholders. So the security will not be compromised by halving or other similar mechanisms. The Bitcoin protocol will probably never scale on the first layer so transaction fees are likely to rise in the future. It might be even hundreds of dollars after a few halvings.
Decentralization
One of the possible views of how to measure decentralization is the number of pools in the network. Nodes that are configured to produce blocks are the most important in the network and have the right to select transactions that will be included in blocks. They can also select the chain of blocks for appending a new block in the case a fork occurs. Full nodes can validate produced blocks but there is no mechanism that would allow disagreeing with a block that has been produced. Let’s assume that pool operators decide to change the rules of the protocol. The full node might reject the proposed blocks if they are not valid. Nevertheless, when nodes of pool operators consider the blocks as valid and add them to the blockchain then there is no way how owners of full nodes might protest. They just need to upgrade their client and accept new rules of the protocol. If pool operators decide to ignore some transactions for any reason then full nodes have no power to persuade pool operators to behave correctly. You could consider pool operators as dictators. The only way to weaken their power is to ensure that there will be a bunch of them all around the world.
In PoW, there is no protocol mechanism of how to regulate the number of pools in the network. As every pool operator always strives to maximize the profit they need to obtain the consensus power. Small miners want to obtain the reward as often as possible so they delegate the hash rate to the biggest pools. As history showed us there are only a few big pools in the Bitcoin network and a few small pools. The trend is obvious. The big pools seize bigger and bigger amounts of consensus power and small pools slowly disappear. It is very difficult to maintain a high level of decentralization if it depends on resources that can be bought on the market. Unfortunately, there always will be whales in the ecosystem of cryptocurrencies.
Cardano’s PoS protocol has an advantage that it owns the resource that is used for determining consensus power. It can be configured how many ADA coins a pool operator needs to stake to be competitive. The maximum stake of a pool can be also regulated in a way that if the stake is bigger it does not generate more rewards. If a pool is too large then it gets saturated at a certain point. The network decreases rewards to oversaturated pools. Thus a pool operator can either delegate earned coins elsewhere or sell them. A lower number of coins cannot increase the operator’s consensus power. The operator needs a higher amount of coins to be able to operate another competitive pool. The system is a bit more complex but it can be expected that we will see a few hundreds of pools with the size close to the saturation point.
If we define an index of decentralization that would be based on the number of pools that create at least a few blocks a day then Bitcoin would achieve the mark from 10 to 20. It is very likely that we will see 1000 pools in the Cardano network within a year. So we can say that Cardano will be approximately 50x more decentralized than Bitcoin. It is very important for the Cardano network for security reasons. Nodes producing blocks have to delete keys that have been used for signing blocks. Security of the Cardano network increases together with the decentralization. In the ideal case, there would be 1000 autonomous and independent pool operators around the world. It would be very difficult for an adversary to compromise all of them to obtain private keys. Moreover, it is impossible to steal keys that have been deleted in the past.
Decentralization is a dynamic process and it will evolve over time. A network can be decentralized at the beginning and as different externalities come the network can become centralized. It can be needed to update the parameters of the protocol to ensure that the network will remain decentralized over the decades. It is the team’s responsibility to keep the network decentralized and the team has to listen to the community. Bitcoin was definitely more decentralized when many people mine BTC on laptops. Nowadays, we have pools and ASIC miners. The result of that is that the network is rather centralized. It is the evolution to which the core team must face and do something with it.
Decentralization of the consensus power
We could have a look at decentralization from the point of distribution of the resource that is needed for the consensus power. To have a consensus power in the PoW network, an individual has to pay for the electricity that is transformed to a hash rate. In the PoS network, it is needed to buy native ADA coins. Both can be bought by fiat money.
The cost of electricity differs around the world so Bitcoin mining is centralized in countries where the business is cheap. Moreover, to enter the mining business and compete with big mining halls is very risky. To buy an ASIC miner is expensive and with the combination with the cost of electricity, the mining is unprofitable in many countries. Thus the consensus power is in the hands of a few people owning big mining halls. Moreover, pool operators often own mining halls so their consensus power is even bigger.
In the Cardano ecosystem, every holder of ADA is a stakeholder. Every stakeholder can delegate coins to an arbitrary pool and thus increase the pool’s consensus power. It can be said that the decentralization of the network increases with the distribution of ADA coins among people. ADA coins have the same market price all around the world. Thus there are no limitations in buying ADA. Every holder of ADA actively participates in the network’s decentralization. Even a single ADA can be delegated to a pool. When a stakeholder delegates ADA coins to a pool and the pool succeeds in producing blocks, then the pool operator and stakeholders are rewarded. Passive income could be attractive for users so it can be assumed that there will be a natural demand for ADA coins.
Both PoW and PoS networks are systems where individuals delegate consensus power to pools. As we said, it is important to strive for having a higher number of pool operators in the network. It is also important to distribute the consensus power to as many people as possible. PoS is better in that than PoW since in PoS every user holds a piece of the power in the network consensus. ADA holders are basically owners of the network. The same cannot be said about the PoW system where mining is a separate business and BTC holders have no power in the network consensus.
Summary
The basic principle of having one block producer and many block validators in a given round is the same for both PoW and PoS networks. This is probably the only similarity and the rest is quite different. Bitcoin has been running for more than 10 years. Cardano will have to show the world that PoS is a useful alternative that can be more decentralized than PoW networks and also secure. We have no worries about it and believe that Cardano will shine.