Proof of Work (PoW) Concept

Proof of work should not be viewed as a mysterious or wasteful system, but rather as something functional, natural, and potentially valuable to the design of any communication protocol.

Text | Daniel Krawisz. The Proof-of-Work Concept. 2013/6/24.

search

Perhaps the least intuitive aspect of the Bitcoin network is the concept of proof of work. It is defined as the process by which a new set of transactions (a “block”) is generated and added to a distributed database of transactions (the “blockchain”). This concept, which has its roots in the early cypherpunk movement[1], is new to monetary theory and feels a bit out of place in computer science. I will show that biology provides the most appropriate framework for understanding it.

All blocks in the Bitcoin blockchain are attached to a small string of meaningless data (called a nonce). Miners are required to find the correct string of meaningless data such that the entire block satisfies a certain arbitrary condition. Specifically, the SHA-256 hash of the block is required to have a certain number of leading zeros[2]. Hashes are one-way functions, so there is no easy way to find the correct nonce or otherwise produce a correct block. The only known way to find a good nonce value is to simply try random numbers until one succeeds. Khan Academy provides a visual explanation of proof of work:

https://www.khanacademy.org/economics-finance-domain/core-finance/money-and-banking/bitcoin/v/bitcoin-proof-of-work

Remember, this process is completely arbitrary. It’s just an extra complexity, like a ritual, to make blocks harder to generate. Anything else will do, as long as it’s computationally difficult. Other cryptocurrencies use other hashing algorithms. There are no special conditions in number theory that only people like Shinichi Mochizuki can understand. [3]

While the role of miners is to do accounting for the blockchain, most of the work they actually do is finding good nonce values, not anything to do with bookkeeping. The energy used to find the nonce is lost forever. Energy does not "back up" the value of Bitcoin the way gold backs up an honest banknote, as some have argued. Of the vast amount of computing power that goes into Bitcoin mining, all but a tiny fraction of it is clearly serving no purpose.

When one person upgrades their mining machine, they mine at a faster rate, thus earning more Bitcoin. However, when everyone upgrades, mining as a whole does not become more efficient. No matter how hard the network works, there should only be one new block every ten minutes. Instead, the network updates the difficulty to impose stricter conditions on future blocks. All miners may work harder, but no one will be richer. It's more like a forest where each tree tries to grow as tall as possible in order to absorb more light than the other trees, and eventually most of the solar energy is used to grow long, dry trunks.

Why tie every Bitcoin block to a difficult Procrustean bed? The correct way to think about the proof-of-work concept is as a means of building consensus among a group of self-interested people, none of whom are subordinate to anyone else, against considerable incentives to reject consensus. If everyone is perfectly honest and selfless, Bitcoin might work perfectly well without proof-of-work. If not, then consensus is hard to come by.

Before a new block is generated, there may be many payments floating around in the network, and there is no objective answer as to where they should go. Some may be invalid, so they all need to be checked. Some may not include any transaction fees, so a decision must also be made whether to kindly allow these free riders through or ignore them. Finally, there may be sets containing more than two payments, so not all payments may be valid at the same time, but some subset of them are. For example, a wallet may try to spend the same bitcoin twice at the same time. In this case, the choice of which payments to allow is arbitrary.

So for a given set of payments, there may be multiple possible blocks that can be constructed from them, none of which is objectively correct. There won't necessarily be any agreement on which outcome is more appropriate, because different possible blocks have different benefits for different people. First, the reward comes from producing a block containing a batch of new bitcoins. This is necessary because without it, no one would have an incentive to keep accounts in the first place; but with the reward, each miner will naturally prefer the new blocks he proposes to those proposed by others.

Even without considering rewards, there are other, more subtle issues. A miner might refuse to validate transactions from his enemies, or he might be more or less altruistic in what fees he accepts. He might even want to cheat others by double spending: in this case, he would pay the victim in exchange for a good, but would only validate another conflicting payment that he made at the same time to another wallet that he also owns. This would invalidate his first payment, so he would end up with a good that he did not pay for.

With so many reasons to want to manipulate the blockchain for their own ends, it is possible for miners to agree in theory on the necessity of consensus without ever agreeing on any specific proposal. Bitcoin's solution is to add an extra requirement to the protocol that greatly increases the cost of defection. If blocks are generated randomly through difficult computations, then only one new block can be proposed at a time. Once a new block has been proposed, miners have a choice between continuing to search for a more favorable alternative block or accepting the new proposal and searching for the next block. Everyone who accepts the latest block understands that he is following the natural consensus, and if he is lucky enough to generate the next block, it may be accepted for the same reasons that he accepted the previous block. On the other hand, persisting in trying to produce a more favorable block is very risky, because he must convince enough other miners to agree with him before he can establish a new consensus.

The general rule is that the first block mined is not self-interested, because no one can plan to be first. One can only be first by luck. Any persistence is suspect, because to generate it the miner must make a choice and reject a perfectly good, potentially selfless alternative. This is not an easy thing to do.[4]

Disadvantage principle

There’s an idea in biology called the “disadvantage principle” that explains this process [5]. It says that when two animals have an incentive to cooperate, they must communicate good intentions to each other in a credible way. In order for lying to be implausible, the signal must impose a cost on the signaler, making cheating very costly. In other words, the signal itself must be a disadvantage.

This can be understood using the Prisoner's Dilemma, a famous idea in game theory that applies to a wide range of phenomena. The Prisoner's Dilemma has two players, each of whom has two choices: cooperate or defect. Often, the game is explained in terms of the story of two prisoners, each of whom can choose to remain silent or to rebuke the other. The essential feature of the Prisoner's Dilemma is that each player is better off defecting regardless of the other's choice, and the one who defected when the other cooperates gets the most benefit. The players would probably both be better off if both cooperated rather than both defected, but since they cannot ensure cooperation, they both defect.

The handicap principle solves the prisoner's dilemma by allowing each player to choose to do something one step ahead of the game, conceivably eliminating the benefit of defecting and not cooperating. It's hard to think of how the handicap principle would apply to the story of two prisoners, but suppose they are both in the same room with the prosecutor for a while, and one of the prisoners, who knows a lot about game theory, says to the prosecutor, "If the other prisoner is guilty, then I am guilty too." This statement is a clear cost to himself, because it eliminates his ability to defect to the other prisoner who chooses to cooperate. The other prisoner can then choose to repeat this statement. If he doesn't, then he knows that the only viable option for the first prisoner is to defect, but if he does, then both prisoners can choose to cooperate. This is the handicap principle.

The handicap principle has been successfully applied to a variety of biological phenomena. To take a concrete example, suppose a prey animal notices that a predator is stalking it. If the prey can communicate to the predator that it is no longer unaware, both animals benefit: if the hunt is no longer surprising, the predator may not want to hunt further, and the prey will not be killed. However, the prey may begin to randomly say "I see you!" even when it has not seen the predator, just to deter anyone who might happen to be there. As long as the prey may be lying, the predator cannot take its signal at face value and must ignore it. [6]

Within a species, the handicap principle explains a lot about how animals compete with each other and interact with mates. For example, among deer, the ones with the largest antlers are the strongest and best, because any smaller deer that try to grow larger antlers will risk consuming more energy and nutrients than they can handle. Thus, second-rate deer end up with second-rate antlers, and third-rate deer end up with third-rate antlers, and so on.[7]

In social species, the Disadvantage Principle explains morality and altruism. Just as members of a species can use disadvantages such as horns or antlers to distinguish themselves from one another in terms of strength and fitness, members of a social species can use altruism as a disadvantage to distinguish themselves from one another. For example, the book The Disadvantage Principle describes a group of social birds called Arabian Babblers that compete in altruism. The strongest and most dominant birds display their dominance by spending time guarding the flock and feeding chicks and lower-ranking birds. Babblers do not like to be fed by other babblers of the same rank because they do not like to feel inferior. The Disadvantage Principle even describes an observation in which a bird fed a worm to another bird, only to have the same worm pushed straight back down its own throat! [8]

Proof of work should therefore not be seen as a mysterious or wasteful system, but rather as something functional, natural, and potentially valuable to the design of any communications protocol. If a distributed system of computers is owned by one person, he can assume that they will all cooperate because he controls their behavior. If this is not the case, then different computers do need to prove that they are working toward the same goal. The ubiquity of the penalty principle in biology should be enough to make one suspicious that a protocol that does not impose costs on users will invite abuse. An interesting consideration is how many of the problems of the Internet can be attributed to not taking this principle into account. If proof of work had been understood when email was invented, we might never have had a spam problem. If Internet protocols could require proof of work for client requests, we might not have to worry about distributed denial of service (DDOS) attacks. [9]

The Bitcoin proof-of-work system can be compared to antlers and altruism. The ability to generate blocks is a sign of computing power, which is exactly what the Bitcoin network needs to help verify all transactions. But it is also a sign of community spirit, because agreeing to participate in the race for the next block shows that they are willing to respect the interests of the community and not manipulate the blockchain for their own selfish interests. This is exactly the kind of thing that should be expected to bring a community together.

Bit SMS

The latest application of proof of work is Bitmessage, an anonymous, distributed, encrypted messaging protocol that may one day be almost as important as Bitcoin[10]. It was inspired by Bitcoin, but works in a completely different way. There is no blockchain in the Bitmessage protocol, because there is no need to store all the text messages forever in a database. Instead, Bitmessage requires everyone who sends a text message to perform some work before it is relayed on the network. This ensures that every text message is meaningful: no spammer can keep his computer running for a minute or so for every message he sends. Proof of work is essential because a distributed network that relies on users donating computation cannot allow free riding. It is currently in its early stages and has not yet been fully researched to be considered secure, but it has great potential as a replacement for email.

Peercoin and Proof of Stake

No discussion of proof of work would be complete without discussing Peercoin, the third most popular cryptocurrency after Bitcoin and Litecoin.[11] Peercoin also uses proof of work to make defection unprofitable, but the cost is distributed very differently among miners: miners who hold large amounts of Peercoin for a long time have much lower requirements to produce a block than miners who hold small amounts for a short period of time. This means that people are less likely to follow the consensus proposed by the person with the most powerful computer than by the person who has the largest investment in the currency. Miners are more likely to be selected by seniority than by strength. When a miner creates a new block in the Peercoin blockchain, he must trade some of his old coins for the new coins—which means that everyone who creates a block is less likely to be able to create the next block. This system is called Proof-of-Stake.

Proof of Work and Proof of Stake have different costs and benefits in different situations. According to the Disadvantage Principle, the cost of producing a signal must be related to the meaning of the message. Proof of Stake systems demonstrate an investment in the coin itself, while Proof of Work systems demonstrate an investment in the underlying network.

Therefore, if there is a proof-of-work network and a proof-of-stake network with the same market cap, one would expect the proof-of-work coin to have a larger capacity network and be more liquid than the proof-of-stake network, and the proof-of-stake coin would have greater price stability.

Proof-of-work systems prevent antisocial miners from manipulating the blockchain by making it difficult to rely on the network to accept their blocks all the time. In contrast, proof-of-stake systems prevent antisocial miners by only accepting blocks from miners who have an incentive to ensure that the commodity (money) is absolutely trustworthy. Since proof-of-stake is exhausted as new blocks are produced, there is a constant turnover of people who can mine, and there is even less incentive to maintain the blockchain exclusively.

In the early stages, cryptocurrency networks require long-term investments in the coins themselves to gain credibility and value, while larger, more mature networks are more likely to require specialization of network infrastructure to ensure their proper functioning.

This is an academic discussion. Supporting any cryptocurrency other than Bitcoin would be counterproductive. The average consumer will not choose one currency over another because of obscure technical details that do not affect their use of it as money. They are more likely to choose the one that is more widely accepted. People who think Peercoin is more rational have little expectation that Peercoin will beat Bitcoin, but they may have a chance to convince the Bitcoin community to adopt a proof-of-stake system in a future version of Bitcoin. While this is theoretically possible and could have benefits, Bitcoin miners have a vested interest in the current system and are therefore inclined to oppose such innovation.