Vitalik Buterin on the History and Future of Ethereum Proof-of-Stake

Vitalik Buterin tweets about the planned transition from Ethereum to Proof of Stake. In a Tweetstorm out of as many as 75 tweets, he explains how the research on Proof of Stake began and ran, what the problems and solutions are, and where the developers are today. This is not only informative, but also shows how competing approaches can fertilize.

"Today, I'm going to do a Tweetstorm," tweets Ethereum lead developer Vitalik Buterin, "who explains the history and status of research on Caspar for Ethereum." This is followed by 75 tweets with extremely interesting, but sometimes highly technical content. Here Vitalik answers one of the perhaps most important technical questions about cryptocurrencies: Is Proof of Stake possible? What else needs to be done to bring it to Ethereum?

I try to summarize the tweetstorm as understandable as possible. Much of what Vitalik writes goes beyond my understanding. Therefore, I abbreviate at one point or another. If you want the complete, technical version, you should read the tweets yourself.

Proof of Stake

Proof of Stake means that unlike Bitcoin, it's not the miners who use computational power to decide who hangs a block on the blockchain, but investors who present their coins.

Mining at Bitcoin is called Proof of Work. The miners prove they are investing work by calculating hashs of the next block and a random variable. Each hash is a kind of lottery lottery ticket for the next block, and the more hashes the miners charge, the greater their chance for the reward. Mining is a race for who turns more electricity into lots. You can discuss how harmful it is to the environment, but power consumption is without a doubt gigantic.

Proof-of-Stake boasts being a greener alternative. The lots are not hashes, but private key signatures associated with addresses that hold certain amounts of coins. Roughly simplified, you have three addresses, each with a certain amount of ether, and thus you can submit three signatures. If one of them meets certain requirements, you will find a block. With proof of stake, it is not the owners of mining machines who compete to form a bloc, but the owners of coins, who will then effectively earn interest. The energy requirement is close to zero.

For the Ethereum developers, Proof-of-Stake was on the roadmap right from the start. On the one hand, because it is more environmentally friendly, on the other hand, because it probably allows to further reduce the intervals between the blocks and to implement, for example, sharding. Vitalik has described in more detail in his Mauve paper why proof-of-stake becomes an essential part of Ethereum's scaling plan.

Proof-of-Stake research began in January 2014 under the working title "Slasher". The algorithm that was designed was, Vitalik says, "highly suboptimal." But he has "introduced some important ideas, most notably the use of penalties to solve the nothing-at-stake problem."

Nothing at stake

Nothing-at-stake is one of the reasons many experts say proof-of-stake can not work. To understand it, let's look again at the differences between proof-of-work and proof-of-stake.

In proof of work, a miner must use his computer or Asic to find a block. Proof-of-Work reproduces the scarcity of physical space for a digital operation: the miner has physically unique hardware and needs to focus on something. Therefore, at the same time he can only mince on one chain, say Bitcoin or Bitcoin Cash, or on a spontaneous Fork from Bitcoin, which closes quickly.

With proof-of-stake nothing physical is involved. That's good, but has the disadvantage that the staker has nothing to "bind". He can work with both sides of the fork without any problems. He does not use anything directly, but only signs messages with his keys. It does not prevent him, in the case of a spontaneous Fork sign both a message for one and the other chain. For Chains competing to be true, it makes sense for the individual Staker to bet on both.

For the network, however, this is problematic for several reasons. First, because it allows double-donation attacks. Second, because it generally weakens consensus finding in a blockchain, when a staker can work with any spontaneous fork without losing anything. Proof-of-Stake weakens a crucial feature of cryptocurrencies - the compulsion to consensus.

The Ethereum developer's solution was early to introduce pledges and penalties. The Stakers must deposit a certain amount of Coins as a pledge, which can be confiscated under certain circumstances. For example, if the staker simultaneously processes two chains.

Vitalik Buterin initially set a relatively small pledge, while Vlad Zamfir, who joined the discussion in mid-2014, demanded a pledge far greater than the reward for finding a block. But in and of itself, the developers agreed that a pledge is a good way to solve the nothing-at-stake problem.

Long Range Attacks

But nothing-at-stake is not the only problem. "We spent most of the late 2014 of finding ways to deal with the 'long-range attacks," says Vitalik Buterin.

Long-range attacks mean that the attackers "pay off and use their stakes as balances on the mainchain to form an alternative 'attack scar' with more signatures so that they can persuade clients to switch to them." in a short period of time, it is manageable. Because then you can see if a Staker - Vitalik calls him "Validator" - signed two contradictory messages, and punish him accordingly. "But if the deviation happened a long time ago (hence long range attack), the attacker can pay off his pledge and prevent punishment on both chains."

Vitalik and his co-developers decided that such attacks can not be completely eliminated, but it is possible to deal with them. They introduced a new requirement: that clients have to log in at least every four months and that the payment of the deposit takes four months. This seemed to be enough to make the long-range attack largely harmless.

Economic finality

Once the developers had agreed to use pledges and penalties, they had to agree on the details. The goal was to create what Vitalik calls "economic finality": that the validators (the stakers) "sign blocks in such a way that by the time a block is 'finalized', it's not possible to have a contradictory one Block a large number of validators to sign messages that conflict with their previous messages in a way that the blockchain can detect and penalize them. "

In other words, when a block is finalized, there should be no way for the stakers to form a block that alters the history so far without being recognized and punished.

Vitalik started "a big and long, but ultimately unproductive exploration of something I've called 'consensus through betting.'" The validators should make bets on which blocks are finalized, and the bets themselves should determine which chain is a consensus Has. The idea was interesting, but not sure enough in the end.

Meanwhile, Vlad Zamfir has been trying to come up with a design that makes proof-of-stakes robust against oligopolies. He developed an approach called "Correct By Construction" (CBC). When a validator signs a message that contradicts a previously signed message, he must submit a "justification" proving that the new message has more support and therefore he has changed for legitimate reasons. An example would be that there is a planned hardfork, and all validators sign conflicting messages about it.

Meanwhile, Vitalik Buterin has been engaged in the research on "practical Byzantine fault tolerance" (PBFT) and has tried to translate this into the blockchains' con- text. For this he has defined rules that determine which combinations of messages are contradictory and thus forbidden. This led him to "Casper the Friendly Finality Gadget" (FFG).

Both Vlad Zamfir's CBC and Vitalik Buterin's FFG achieved finality in a way that would cost billions of dollars to break them. However, the two variants in the technical implementation decided considerably.

Progress on both sides

At this point it gets a bit complex and confusing. Vlad and Vitalik have developed their two variants and tested each other. They have thought through and tested various concepts of punishment and also developed measures against 51 percent attacks. Unlike proof-of-work, proof-of-stake could be safe even if more than half of miners try to break the system.

Both versions made great progress in the following years. Vitalik even managed to release a Testnet version of FFG. After that, however, the development of FFG slowed down. The reason was that Vitalik designed FFG as a smart contract. "That made some things easier, but others more difficult." In June 2018, the developers finally decided to drop this hybrid form of proof of stake and instead continue to work on full proof of stake.

Again, the two variants, FFG and CBC, were further developed. The stand has meanwhile progressed quite well in one and the other. Both, however, Vitalik believes, still have to work out "formal proofs and more precise specifications" and "drive the implementation forward with a view to safe and rapid application."

With that, the two versions of Caspar Proof-of-Stake continue to compete to make it into Ethereum's mainnet. Vitalik Buterin does not speculate about when it will happen.