Video for Jack: PoW versus PoS

hi everyone this is charles hoskinson broadcasting live from warm sunny colorado always warm always sunny sometimes colorado i didn't have time yesterday but i have a little bit of time in my schedule today before i go home i wanted to talk a little bit about proof of work versus proof of stake and actually this video is made for jack dorsey so yesterday jack said yeah proof of work is better than proof of stake because proof of work is less centralized and more secure and this is a common thing that people that are indoctrinated in the school of bitcoin tend to say and it's a bizarre thing normally most people laymen don't have strong opinions on consensus protocols in computer science it's kind of like saying what is your favorite surgical procedure or method to stitch up a patient like if you're a surgeon you'll probably have a way of going about that and an opinion but if you're a layman you'd be i have no idea i don't know i like cholecystectomies or something like that who knows and and so what's happened though is because everybody wants to be an expert everybody wants to talk about these things what we've had is this unfortunate conversation which is really difficult to actually converge to anything meaningful and the purpose of this video is to kind of talk a little bit about how to think about these things and if you're actually curious of doing the hard work of developing a good opinion i actually i'm going to give you guys some great resources specifically for that so let me go ahead and share my screen and there we go okay so the first thing to look at is this lovely paper from leslie lamport and actually this is one of the most famous papers in computer science times clocks in the ordering of events and distributed systems and leslie published this back in i think it was the 1970s and it has about 12 000 citations it's one of the most cited papers in the history of computer science and this this paper really outlines kind of a difficult problem and it discusses ways you go about thinking about it and solving it so ordinarily when you're just a single person and you're observing something so let's say that you're alice okay and we'll give her a nice little dress and you you see an event and we'll call that event a and then you see event b okay and this is occurring in a local setting alice can order these and say oh okay well event a happened first and then event b all right but the problem is when you start introducing more actors like right here is bob and he's witnessing it and from bob's perspective looking at it he saw event b first so that happened first and then he saw event a so that happened second so the question is who's right is it bob or is it alice it's a really interesting question and lamport actually discusses this amongst other concepts and he calls it kind of a partial ordering and there's all kinds of things that have come from here i and it's actually created a beautiful lovely field of computer science called distributed systems and for this work and other work lampport was awarded the nobel prize at computer science the turing award and he's a lovely guy i he recently came spoke at our internal seminar and we had a chance to talk about tla amongst other things i was trying to go to him into talking about clocks and paxos and he's like oh i don't do that anymore i do a tla now and if you're really curious you really want to learn all these principles first you kind of have to learn these types of things running on a single computer then you go to the next level up which is a collection of computers that are in different locations and i have two wonderful resources for you guys first a series of lectures out of mit it's mit 6.824 the distributed systems class and it covers introduction rpc and threads gfc and replication and go and threads and so forth all the way down and it actually eventually talks about bitcoin at the very end and then there's another series of lectures from martin klepman over at university of cambridge and these cover all kinds of cool topics as well and it's eight part lecture series so i'd recommend both of these very highly they're not for the layman you have to kind of have a pretty good programming background and understand computer science to be able to make the best out of it but the point is this is a this is a topic unto itself and it's something that's why i mentioned the surgery situation it's something you really have to have a lot of knowledge to start developing a strong opinion about certain things but in general when you talk about these types of problems the first thing that you do is you try to work on definitions and foundations and one of the things that our scientists did they wrote a lovely paper which actually has about 100 citations and this is the gkl paper it's its formal name is the bitcoin backbone protocol analysis and applications and this has been cited as much as pretty much any other crypto paper 1100 times a very famous paper it's by juan grey who's at texas a m and two eyewitch klums agalos our chief scientist and nicola larnatus who is running the university athens lab with others and basically what this paper does is it tries to create definitions and foundations so it creates some foundational functions this concept of a content validation predicate an input contribution function and so forth and it gives you a way of talking about a cryptocurrency protocol and so then you get properties out of it and two in particular the common prefix property and the chain quality property and what this is really nice is it's a theoretical foundation and you can prove all kinds of interesting and nice properties about this foundation but then once you have that what you can do is develop what's called a security model okay so what a security model does is it says all right i have some sort of adversary and he's evil so give him a little monocle and a top hat and a cane and the adversary basically is always trying to break things and what your security model basically tells you is when they're going to win and when they're going to lose okay so what attacks are you defend against and what attacks are you not defended against and that's always connected to the capabilities of the adversary okay so your capabilities for example do they have a classical computer do they have access to your computer can they ease drop on the communication medium and and collect messages or maybe they have a quantum computer okay so oftentimes you'll hear things like cryptocurrencies are not secure against quantum computers what they're basically saying is if your adversary has a quantum computer capability then the security model may not hold and the adversary may be able to win and this is what cryptographers think about when they're modeling and building protocols so there's plenty of protocols that allow you to sort out orders and decide when events have happened your transaction or my transaction and basically be the engine of a distributed system so in the case of cryptocurrencies you have to move from one block to another block and those protocols may be what are called byzantine fault tolerant or non-byzantine altars they might not be able to admit by teen actors in other words can you have an adversary in your system and can and it will the presence of that adversary break the system or not so here's an example of a non-byzantine fault term very simplistic protocol let's say you have a set of seven people and what you do is you say oh okay we're gonna pick from this set of seven people who gets to be in charge and make a block for our blockchain and what we're gonna do is have a random number generator and have each and every one of them run a random number generator and whichever one is the minimum that's going to be the winner for that round okay and actually intel did do this this is i think a proof of elapsed time or something like that for something called sawtooth now on normal computers this is actually not a secure algorithm because what i can do is i can just hijack my random number generator and let's say it returns something from zero to one i can just hijack my random number generator and say all right just always return zero which means i always win because everybody else will have a value equal to or greater than mine okay so that does not admit a byzantine actor sawtooth does because the random number generator actually runs on sgx so you can't modify the code now this is an example so there's a lot of nuances and elegance to how these protocols are developed but you always whenever you're developing a protocol even proof of work implicitly or explicitly you need some notion of a definition and a and you need to create some sort of security foundations it was unfortunate that satoshi did not do that it was a brilliant and inspired protocol based on hashcash proof of work but it took years for cryptographers to get around to retroactively building a foundational model to kind of understand what happened with nakamoto proof of work and actually it turns out that there's a lot of nice security properties of proof of work and let's talk about that so really when you think about a cryptocurrency protocol in a blockchain you have three things that happen first you have to pick someone to make a block okay that's step one then two you need to go ahead and make the block and distribute it make and push to the network and then three the network has to accept the work all right so all the energy consumption of bitcoin occurs here and the picking part to make a block so what happens is you have this proof of work that people do and they're they're basically buying like computational lottery tickets and if you get a magic number you hit a magic value that's below some target then you have a a valid block okay and this is a egalitarian meritocratic process and it's an extra an external resource so mining is not incumbent within bitcoin it's an external thing i have to have an external miner i have to have an asic to basically do this process competitively and i can either do it solo or i can do it with a private pool with just many asics together or i can do it with a distributed pool or actually contribute with some sort of work unit and so forth now proof of stake and proof of work are functionally identical on these two sides number two and number three is so pos does this proof of work does this you make and push blocks you do it the same way you could take a proof-of-stake algorithm and plop it on top of bitcoin's system and for the most part it's going to be that way with some implementation detail differences and then you're going to have validation rules ledger rules and acceptance rules for whether those blocks look good or not so the easiest way of thinking about this conceptually is kind of a poker game somebody has to be the dealer who shuffles the deck and deals out the cards step two is the dealing of the cards step one is picking the dealer and step three is you picking up the deck and looking at it and looking at those cards and what that effectively does is you have five aces if you have a the information card a joker you'd say well hang on a second here this is not a valid hand and so the question is can you do a complete validation or a partial validation or a blind validation what level of validity can you have with the way the blocks are made so various consensus algorithms and ledger rules in the cryptocurrency space because there's many of them have different levels of things in the case of bitcoin it's a it attempts to be a completely trustless system so when you receive that block you can check the proof of work you can check the contents of the block and you'll have an entire collection of the history you'll you're able to validate assuming honest majority that that block is is real and legitimate and not going to be rolled back so it's a very powerful deterministic system and that's actually quite rare to have with complete decentralization that's why bitcoin is still great but that first step that collection the magic value as i mentioned is where all of the energy consumption occurs 99.9999997 of all the energy occurs there and basically what proof of stake does is it says okay let's invent some sort of synthetic resource so mining capabilities asics are a resource that's the way to think about them and that for any given time period there's going to be some set of all asics so if you can unify union that whole set of asics and add them all together this right here is the the total pool of resource and when you think about a synthetic resource basically what you're doing is saying okay well if i have 25 percent let me zoom up here of the a6 on average i should be able to find those magic numbers 25 of the time so so if i have 25 on of this synthetic resource on average my expected value should be 25 of the time i get to be the dealer i get to be that person who gets to make the block and then i can go make the block and push it and of course if it's accepted i get paid for that profit okay so the question is the distribution of this synthetic resource is it fair and also is it secure okay so you need a security model against an adversary to even be able to have a meaningful discussion which is why this paper is so incredibly important because you can then have a very rigorous conversation about what security properties does proof of work provide and then if you're going to create a synthetic resource and build a different type of system what security properties does that system have and we wrote that paper so this paper or boris originally came out in 2017 but it was updated in 2019 to reflect all kinds of new cool interesting things that were gathered and this is built with that gkm model so basically what the paper does is it talks about the design challenges of a proof of stake and really they're saying okay how do i get that synthetic resource to work properly and how do i use that synthetic resource to correctly pick a collection of people to make those blocks and you of course have to model this and you have to create rigorous security proofs for these types of things and so you go down and you can actually take a look at the entire model and it talks about time and synchrony where have we seen that before well here we go 1978 lampport stuff you probably even cite lamport's paper wouldn't surprise me in this paper everybody does it's academia works and it talks about liveness properties and all those things honest chain growth existential chain quality and the common prefix from gkl and what it does is it over times builds up a big security model it kind of discusses that if you use this under the assumptions that are inside this paper that basically you'll have equivalent security to the proof of work security now the problem is we're using that term assumption it is the most dangerous term in all of computer science that ideal functionality those are the two and those assumptions basically it says that this evil adversary we have here can only be defeated under the model and the assumptions that we've made for defeating them and just because we have a peer-reviewed paper doesn't mean that if there's guaranteed security against all types of adversaries and all types of conditions for example the computers that are talking to each other there's different communication models so when you send a signal between the computers you can have them all occur in a synchronous time or they could occur in a partially synchronous time or they can be asynchronous and there's a very thin cool thing called the fisher-lynch patterson impossibility result that actually talks about some fundamental limitations if your system is asynchronous versus synchronous or partially synchronous or so forth about the level of security that you can have and it's just how messages are passed another thing is how many byzantine actors can you have in your system is it a third that's very common for sharded protocols and asynchronous systems is it a fourth is it fifty percent and it turns out actually bitcoin has a lot of really amazing properties with proof of work for example you have the ability to recover from attacks so let's say that there is a attack on the system over time an honest minority can if they stick around and keep mining and the attacker stops the minority chain can undo the majority chain and we can recover so you there's a a disaster recovery mechanism that is within proof of work proof of work mostly is partially synchronous or asynchronous depending upon who you ask this is a bug bear of a few people in space like andrew miller and that means that it can operate in very uncomfortable network conditions you don't know ahead of time who's going to find that magic value that's not necessarily the case in a lot of consensus algorithms a lot of consensus algorithms who the next person is going to be to make that block it's like knowing who the next dealer is going to be so you can go and coerce or attack that dealer and bitcoin is not predictable in addition to that bitcoin actually generates a pretty reasonable source of randomness it's not perfect and it's subject to grinding attacks but you get a reasonable supply of that so you have a lot of great security properties in addition to a 50 so one-half byzantine resistance and so to replicate those for proof-of-stake is non-trivial you have to come up with creative new ways of getting sources of randomness to be able to make the selection of people fair you have to be able to recover from 51 attacks you have to be able to have a proper clock for the system and usually what people do is they inherit that clock from a system like ntp to synchronize things but there's actually ways to get around that and actually create clock from within the system we wrote a paper called chronos specifically for that so a lot of people ask why do we have so many auroboros papers and the reason we have so many our boar's papers is that a lot of those properties were not solved in this paper right here the original orborus paper if you actually go to eprint which is an iacr eprint which is the kind of the cryptography archive for for most academic work in the domain of cryptography and you go ahead and enter in agalos he's our chief scientist you'll see a lot of the papers that he's written recently he's an extremely verbose academic but actually let's enter the keyword aura boris there we go and you'll see how many different aura boris papers oroporus so proust and universally composable time model we got orborus chronos which is the the couple clock krypsinis is how to preserve privacy orbor's bft is a piggyback protocol to help with side chains and federated protocols genesis allows you to bootstrap from genesis that's another great security property of proof-of-work style systems you never have to have a checkpoint you can just redo the proof of work and check it all the way from the chain you're giving and you're able to have proper chain selection prows puts adaptive security and moves it to a semi-synchronous model and actually you're not done because there's other papers like for example ledger redux is one and ledger redux talks about recovery from 51 attacks oh consensus redux excuse me and also recovery from and and also fast finality and things like that so it says in this work we talk thorough treatment of self-healing properties proof of work and proof of stake and so forth so there's a lot to this and it's it's a very very complicated thing but the easiest way i think of thinking about this in general is an engine and when you have an engine the engine has this concept of throughput okay this engine has this concept of your latency how long does it take to deliver the power how much power can you you deliver and kind of a capacity notion and proof of work is a type of engine it's the thing that runs the bitcoin blockchain and other blockchains like ethereum and basically it says okay you can get a certain amount of work done with every block over a certain amount of time so the distance between these blocks can be 10 minutes it can be 10 seconds okay so it can be some value time t it's your latency consideration and capacity is how much can i i put in those blocks and so proof of stake is just another type of engine and it has a throughput and a latency and a capacity concept and also there's all kinds of other things like if you have a synthetic resource you can have n synthetic resources so right now in cardano your synthetic resource is ada but you could include an arbitrary amount of other tokens and create some sort of waiting between them and perhaps one is more merit-based instead of just plutocratic with proof of work every resource that you put in requires physical hardware and so that means that that resource tends to monopolize itself and you tend to have a situation where you have a race to the to centralization you go from many machines to just a few a much smaller set because the smaller set has an economy of scale usually subsidized power and first access to asics or patented hardware that's not easy to replicate and get into market and that's why people often say there's only a small set of miners there's less than 10 major mining operations control more than 50 of bitcoin's resource with a synthetic resource you can move it instantly anywhere in the world and also you can have multiple synthetic resources okay and you can weight them accordingly so already that's a that's a much better property of the engine and because this is a gargantuan computational task it's very expensive these two things suffer as a consequence you first have to use a lot of energy a lot of cost and a lot of resources real life resources for that if this is cheap then you have overall more energy for your system more power other things to actually start accelerating these guys and you also can optimize latency and capacity and so forth so as a consequence proof of stake systems actually tend to be much faster and they also tend to be able and faster in terms of block time and they also tend to be able to have a much higher throughput higher tps now the other thing is because your selection algorithm the pickle of these people can be done ahead of time there's a lot of advantages theoretical and practical to knowing what your leader schedule is going to be and you can obfuscate that so that an outsider doesn't know but the individual does know so you end up getting much more efficient utilization of resources and a lot more optimization of resources and in practice this actually creates a proof of stake system usually a heterogeneous network the heterogeneous means that there are different actors there's specialization so we start as single cell organisms but evolution says hang on a second here differentiation of specialization actually allows you to have brains and eyes and other body parts so similarly you can start as a homogeneous network but when you start actually creating heterogeneity in an effective way you can develop different organs and that specialization allows you to optimize and create economy of scale that's why proof of stake tends to be better the other thing is that proof-of-stake from a security viewpoint is an endogenous system endogenous so instead of exogenous outside and dodges inside you have internal security when you look at a proof-of-work system the problem with proof-of-work and one of the security challenges is it doesn't like nearest neighbors what i mean by that is if you have two proof-of-work systems proof of work one and proof-of-work two and they use the same algorithm okay i'll write algo alpha if you have an external actor comes in who has enough hash power to perform a 51 attack what that actor's incentive is is to destroy one of the chains this is called a gold finger attack short sell make profit because the chain is unusable and confidence in the chain is lost and then switch the mining power over to the other chain assuming that the market price of these two chains is roughly equivalent okay so let's say this is z cash and this is etc so i think they use the same mining algorithm and i'd have to look it up but i believe they do so let's say you have enough to actually perform a 51 attack on one and for a time both their market caps are relatively comparable it makes sense to go 51 attack destroy the market value make some money and then after you've made the money just simply mine the other thing you get to reuse all the mining equipment and your identity is is usually anonymous in these types of things so nobody even knows you're the one who did it and you can kind of get away with that this is why proof of work tends to be maximalist and winner takes all proof of work only really works when you don't have nearest neighbors you you have one coin that's up here with tons of hash power and everything else is kind of down here and that's actually where bitcoin is at right now and that's why bitcoin works so well at the moment proof of stake doesn't care at all about that polka dot shares a very similar consensus algorithm to cardano and cardano polkadot are relatively comparable for the most part in price some days they're up and sometimes we're not up but that doesn't mean anything to our security because the security is not external it's internal the security comes from people who are vested inside the system and you can actually quantify the dollar value of the security it's hard to know how many miners are out there and what the value of all those things are and actually how much people paid for things but you sure as hell can know the token price of a proof-of-stake system now it's not perfect and there's actually a lovely paper that some of our people wrote and it's called cryptocurrency egalitarianism a quantitative approach and it kind of discusses the concept of asic resistance and proof of work systems but actually curiously and nice and fun since our simulations show as expected that asic resistance increases the cryptocurrency's egalitarianism which means it's more equal in its distribution of participation we also measure the egalitarianism of proof-of-stake based protocol in particular oro boris and a hybrid proof-of-stake proof-of-work cryptocurrency decred and we show that stake-based cryptocurrencies under correct selected parameters can be perfectly egalitarian perhaps contradicting folklore belief so it's a really cool paper and highly recommend you guys read it and look at it and think about it but the the thing you should take away from this entire conversation is there's no silver bullet there's no notion of proof of work better than proof of stake or proof of stake better than proof of work it really depends upon your adversary and the security assumptions and the capabilities that you care about your network structure and what you value heterogeneity do you value external security or do you want security coupled and connected internally to the network what are performance requirements and so forth what what how much how expensive do you want to make an attack be are you worried about goldfinger attacks or these types of things where chains have nearest neighbors and so forth and also the other thing you should take away from this is that proof of stake is ridiculously hard in practice you have to know a lot about time you have to know a lot about random number generation vrfs or other types of protocols or things like that you have to really think carefully about recovery models is it okay to have a checkpoint do you not want to have a checkpoint and so forth your network assumptions is it a synchronized network it is not a synchronized network the more pristine things are with your assumptions like for example a fixed quorum and in a synchronized network the higher the performance can be but it's a glass cannon it's very brittle the more disastrous your assumptions are as you go from synchronous to asynchronous and affixed to a floating committee and the more egalitarian your selection mechanisms are generally that hurts your performance inside your system and this is a super well studied problem and if you actually take the time to go through these two collections of courses you'll actually understand and practice how remarkably intricate and beautiful this particular space is so i i just wanted to make this video to try to sort fact from fiction and let you guys know where these things sit i'm i'm really proud of the research that's been done with oro boris i mean if you you look at these these are these are not easy papers to write if you actually go through them and spend time with them this wasn't just some babble there there was a huge amount of deep thought and very precise language every single one of these things were reviewed time and again and external people looked at them and they said sometimes very harsh things and you have to be intellectually honest with these types of papers like when you go to the oroboris original paper let's find it for you guys i might have moved it but actually if you google it or as that is 906 980 times if you actually go in it you'll notice something it says previous work and also it'll give credence to related and follow-up work so for example you look through it mentions fruit chain and mentions al grand and all these other things and actually if you go to the algorithm paper so 31 here let's go to the citations yeah sylvia mccauley al goran you'll notice something the paper actually cites if you go agalose another paper close to us orovorus approvally secure proof-of-stake protocol and it actually cites us and right there is the citation there and that's just how academia works there's so much tribalism and brutal competition that exists inside the cryptocurrency space but in the academic world this is just best practice everybody knows each other they talk about each other they they learn from each other and they piggyback there are some really cool and interesting and fun things in the algorithm paper that macaulay put together and macaulay is another one of those guys who got the nobel prize at computer science he's one of the smartest guys in the entire cryptocurrency space and it's just extraordinary that he's decided to honor this industry by being in the industry and mccauley's work stands for itself and similarly the the work that's done here stands for itself by the citation count the fact that it was accepted through the peer review process and this doesn't make a product the product is everything else it's the collection of assumptions economic assumptions the social dynamics inside the system and what that engine actually does when we talk about throughput not all transactions are created equally okay so a transaction on bitcoin is a very specific thing a transaction on ethereum is a very very different thing okay one is a general purpose computer the other one is not if you think about ethereum or cardano or any of these systems that aspire to have or do have smart contracts basically you could be talking about a uniswap transaction you could be talking about purchasing a cryptokitties you can be talking about running and executing some sort of decentralized uber all bitcoin can do is move a bitcoin from one location to another location one address to another address and it carries with it some crypto capabilities so you can build layer two infrastructure and some metadata capabilities so you can embed some metadata but transactions in themselves are incredibly rich there's actually five properties of them four to the transaction and one meta property you have assets that runs on the rail you have identity so those are the people behind it you have metadata that runs with it so for everything from the time stamp to why you're doing the transactions and forth the contractual construction and then the jurisdictions or the geographies and law the legal component okay so bitcoin really only moves one particular asset says nothing about identity limited metadata capabilities almost nothing about contractual capabilities and is completely blind deaf and dumb to the jurisdictions that it operates in well this is why we built ethereum because it does a lot more it actually allows you to do all those things but to do those things with a high throughput high-capacity engine does a lot of work for every block and those those things can happen quickly and do it low latency and be always available 99.