Return to site

Network Security and Proof of Work: Do We Need an Alternative?

The Bitcoin protocol is designed using a proof of work mechanism, which determines who is permitted to sign the transactions that need to be verified. A proof of work (PoW) is a piece of data which is computationally difficult to achieve, meaning that it required a lot of either time or hashing power (or both) to find the solution, but it’s easy to verify that this work was actually completed. Bitcoin uses a proof of work algorithm called hashcash, which has been around a lot longer than bitcoin itself, and was created with the purpose of being an anti denial-of-service (DOS) measure. Hashcash is fairly versatile and can be implemented with a number of functions; bitcoin uses hashcash-SHA256^2.

The proof of work consists in finding a target number that is below a certain target value, and in doing so the miner essentially “proves” that she performed a certain amount of “work” in trying various inputs. If I input a string into the SHA-256 hash function, there is no known way of determining what the output will be. Trial and error is the only way to find an input that will generate a hash that fits the desired criteria. In theory, you could nail it on the first try, but the probability of this happening is very small.

Given the current combined hashing power of the network, on average a solution is found every 10 minutes, at which point the block has been mined and the bitcoins are released as a reward. Every 2016 blocks, which ends up being approximately every two weeks, the algorithm moderates itself and either increases or decreases the difficulty of the problem. In practical terms, this means that it either increases or decreases the target value, so it’s easier or harder to find a value below it. This ensures a relatively smooth rate of release for newly mined bitcoins, and avoids flooding the market with coins at any given time.

It doesn’t matter whether I am using a supercomputer or a laptop to do the proof of work, it’s simply that with a super computer I can go through the attempts much faster, which means I have a higher chance of solving the problem before anyone else and therefore claiming the reward. The only thing that is important is how many hashes I can go through per unit of time, which is why the power of mining hardware is measured in MH/s, GH/s or TH/s (mega, giga and terahashes per second).

Some people in the cryptocurrency community have voiced the concern that miners may not be incentivized to continue mining if the price of bitcoin plummets, or simply because the reward for solving a given block decreases over time. Both are valid concerns but deserve to be addressed separately. In the first case, the assumption is that the reward amount would be too low for it to be worthwhile financially, and once all 21 million bitcoins have been mined this reward goes away entirely. Currently miners are primarily incentivized by the coinbase reward rather than the transaction fees, which is why many blocks end up with few transactions. Miners profit from the transaction fees, and the more transactions they include in a block, the more money they can make, but the opportunity cost of continuing to work on that block rather than go after a new one is high, as a competing block may win, rendering their work a waste of time and computing power.

Let’s assume that for whatever reason the price of bitcoin collapses, and therefore it is significantly less lucrative (net negative, once you factor in the cost of electricity) to mine. If miners are rational actors, most of them will stop mining, which is a problem for the network. The unintended consequence, however, is that mining would become dramatically less competitive, and therefore substantially more lucrative for those miners who continue to mine — at least in the short term. As I mentioned earlier, the algorithm self regulates to keep the average pace at which blocks are solved at around 10 minutes per block. As the bitcoin developer guide explains,

Every 2,016 blocks, the network uses timestamps stored in each block header to calculate the number of seconds elapsed between generation of the first and last of those last 2,016 blocks. The ideal value is 1,209,600 seconds (two weeks).

Based on a comparison to the ideal value, the algorithm either increases or decreases the difficulty of the problem to solve, essentially recalibrating to try and get as close to 1,209,600 seconds as possible. To date, the difficulty has increased as more and more advanced ASIC miners continue to be developed, and more computing power is needed to have a chance at being the first to solve a block. However, the algorithm can also self-regulate in the opposite direction, making it easier to solve the problem by increasing the target value. Difficulty can be decreased by as much as 75%. This component of the protocol is particularly brilliant in design, as it basically guards itself against market shocks that could be produced by sudden swings in the mining power being inputted at any given moment.

Even if the bitcoins they are mining are worth substantially less post crash, if the miners believe that the expected future value of their bitcoins is significantly greater than it is at present, then it would make sense to continue mining. Alternatively, if a large percentage of miners quit because they didn’t anticipate the future value of bitcoin to make their present expenditure worthwhile, the new environment could still attract a new class of miners who are not currently mining because they don’t have the hashing power needed to make it lucrative, but if competition decreased dramatically, it would be. Presumably at this point other miners who had been mining previously would also see this and start getting back into the game, which would ultimately increase competition and start driving things in an upward direction again.

The likelihood that we see a huge drop in the price of bitcoin also decreases substantially over time, as it becomes less probable as the network expands. One of the main reasons bitcoin prices have been fairly volatile to date is that the network (by which I mean the number of consumers with wallets and merchants who accept bitcoin as a form of payment) is still relatively small. Bitcoin’s market cap has been hovering between 7 and 10 billion dollars, which means that any hedge fund worth its salt could take a position and dramatically swing the market. Bridgewater Associates, for instance, is the world’s largest hedge fund with $150 billion in global investments under management. In theory, they could buy ALL the bitcoins that have been mined to date 19x over, and still have enough left to throw in six Instagram acquisitions in for fun. And that’s only one of the top funds. Because the market cap is small, bitcoin to date has been subject to the whims of large actors; as the cap increases, there’s a strong chance that this will change.

There’s also the issue to consider that even in the absence of a price crash, incentives to mine naturally decrease over time as the amount of bitcoin received as a reward for mining a block is halved every 210,000 blocks, or approximately every four years. Theres is reasonable cause for concern that without the incentives provided by block rewards the network will no longer be secured, in that the transaction fees will not be sufficient to support the cost of securing the network. This is a manifestation of the game theory concept of the “Tragedy of the Commons” in which no individual actor wants to perform work or contribute to the community because he believes that she can reap the benefits regardless, but when everyone behaves this way, the system ends up collapsing and leaves everyone worse off. No one wants to pay transaction fees, but if everyone avoids paying them, the miners will have no incentive to keep security levels high, which could result in a systemic collapse.

To some extent, the point in time at which this problem becomes a reality will depend on the price of bitcoin, and no one can accurately predict when the network will reach that point, but even if prices continue to grow this is likely only a case of delaying the inevitable. If a bitcoin today is worth $600 and I receive 25 when mining a block, and in ten years I only receive 6.25 bitcoins for doing the same work, yet each one is worth $100,000, mining still makes a lot of sense. Even considering the investment in mining equipment, assuming that the amount of electricity I will have to expend will be higher, and discounting for 2-3% annual inflation, there’s still a substantial potential upside. There are a number of external factors (exact cost of electricity, price of ASICs or other mining equipment, etc) that will play into this and influence whether the network incentives to mine remain high enough, so it is worthwhile considering other mechanisms, prominent amongst which is proof of stake.

Proof of stake (PoS) is an idea that came about as an alternative solution to proof of work, primarily as a safeguard to some of the original protocol’s perceived shortcomings. Apparently it was first proposed in 2011 in the bitcoin talk forum by “QuantumMechanic”, and since then several models for implementation have been developed. A proof of stake scheme is similar to proof of work in that it is also a mechanism for determining who will sign the transactions in a given block, but instead of relying on hashing power, it uses ownership as the deciding factor. Simply put, if Alice holds 5% of all coins, she has the ability to mine 5% of the blocks.

Theoretically this should increase network security by making it more difficult to mount a 51% attack. In order to do so, someone (probably a mining pool) would have to control over half of all coins in existence, which is much harder to do than controlling 51% of the hashing power. It’s worth considering that this isn’t impossible, as a large centralized pool could form and come to control over half the coins in circulation through a combination of owned coins and loans, for example. Realistically, however, in a proof of stake situation it wouldn’t make much economic sense to mount this type of attack. It would substantially reduce confidence in the network’s security, and likely cause the price to plummet. By crashing the value of a coin in which it is so heavily invested, the malicious mining pool would essentially be shooting itself in the foot. To some degree this is also true in a PoW scenario, but the disincentive is much stronger where PoS is being applied.

Although there’s no way to know exactly if and when an alternative to proof of work will become necessary due to a lack of mining incentives, a proof of stake scheme could also be a desirable solution for environmental and efficiency reasons. Since the proof of work process does not actually solve real-world problems, the energy is essentially burned without a real return, which is suboptimal. Implementing PoS, either in the form of a fork from the main proof of work blockchain or via the use of an altcoin that uses it (ie Peercoin, or something similar) could be significantly less costly than bitcoin mining as it currently stands, because the current system gobbles up a huge amount of electricity. Because PoS uses far less energy, as almost none is expended in the mining process, it would be substantially cheaper to make a profit mining than in a PoW scenario. It would also meaningfully reduce transaction fees in the long run, as miners wouldn’t have to charge high fees in order to cover their power and hardware costs.

We still lack a perfect solution to all these issues, and PoS is not a panacea either. One problem I see with implementing a PoS mechanism is that it could cause illiquidity in the market and lead to great concentrations of wealth. Miners would be incentivized to hold their bitcoin in order to be allowed to mine more, and therefore large concentrations pools of currency would accumulate. Currently, miners have an incentive to convert some of their mined bitcoins into dollars by selling them, but this is largely true because of a) price volatility – it is still risky to hold everything in bitcoin and b) there are still many assets that cannot be purchased using bitcoin. If PoS were implemented, and as both a) and b) become less relevant as the network expands, this could lead to a vast majority of coins being held by very few.

Despite the considerable improvements that proof of stake offers over proof of work in certain spheres, ultimately neither proof of work nor proof of stake offer a perfect solution to long-term network security concerns. Still, both clearly have useful characteristics which, applied in conjunction, could help overcome some of their own shortcomings. Just as I was wrapping up this writeup, Ryan Selkis passed along a fascinating paper by Bentov, Lee, Mizrahi, and Rosenfeld which proposes a third option, called Proof of activity (PoA). PoA is predicated on the belief that neither PoS nor PoW are flawless, and seeks to pull in some of the better aspects of both. Given that this piece has already gotten quite lengthy in just looking at proof of work and proof of stake, I’ll write about the PoA paper separately sometime soon. The paper, titled “Proof of Activity: Extending Bitcoin’s Proof of Work via Proof of Stake”, is fairly technical, but