Why It Is Better for a New Blockchain to Start with Proof-of-Work?
It is impossible for an Internet or financial company to be commissioned by users for trillion-dollars transactions without strong technical capabilities, p- muscular financial strength, as well as endorsement by governments and other large companies. However, Bitcoin has supported transactions worth a trillion dollars in the past year without any government or company endorsement. This phenomenal success of Bitcoin is enabled by its consensus protocol together with its Proof-of-Work (PoW) mechanism to ensure that Bitcoin full nodes across the globe consistently maintain its ledger in a peer-to-peer and decentralized way.
PoW mechanism is not perfect. One major concern is that a blockchain using the PoW mechanism requires a lot of energy to compute hash function results to secure the blockchain system. Proof-of-Stake (PoS) is proposed as an alternative to Proof-of-Work. Because of the energy efficiency and the support of several prominent blockchain projects including Ethereum, many people now believe that PoS is always superior to PoW and that any future blockchain system should adopt PoS.
However, we strongly disagree with this argument and in fact, we believe it is especially better for a new blockchain to start with PoW rather than PoS. A new blockchain starting with PoS mechanism will suffer from consensus centralization, i.e., the ledger is determined de facto by few centralized super nodes rather than all participants. A Pure PoS mechanism also faces the threat of long-range attacks, which eventually would require new users to trust a centralized node to join the network and make the blockchain no longer permission-less.
On the other hand, a blockchain starting with PoW will make decentralized consensus possible from day one. After the initial stage passes, it is also possible to make a transition from PoW into PoS or a composite mechanism. Note that, a common misunderstanding about PoW is to tie PoW with the scalability problem of the blockchain. We often see sentences in media and white papers like ‘’because Bitcoin uses Proof-of-Work, it can only process 3–7 transactions.’’, which creates this misconception. In fact with proper designs, PoW consensus algorithms like GHOST and Conflux can enable significantly higher block generation rate and therefore process thousands of transactions per second.
PoW v.s. PoS: How to Determine the Voting Power
The main difference between PoW and PoS is how to determine the voting power in the consensus for the blockchain ledger. In PoW, one’s voting power in the system is proportional to his/her computation power. The more hash function results one can compute per second, the more likely he/she will win the right to generate the next block in the blockchain ledger. In PoS, one’s voting power in the system is proportional to his/her stakes. The more money one owns in the blockchain system, the more votes he/she has for determining the next block.
At the Very Beginning: Stake Centralization Leading to Consensus Centralization
For a new blockchain, stake centralization at the very beginning is unavoidable. At the launch time of the blockchain, most stakes in the system are often owned by project developers, private equity investors, and early adopters, the number of which is often limited. In the PoW mechanism, this does not affect the security of the blockchain because the consensus process is still decentralized, i.e., the next block of the blockchain is determined collectively by miners joining the network. For a blockchain which adopts anti-ASIC puzzle, everyone owned a GPU can participate in the consensus protocol and work as a miner. This can promote large-scale participation in mining and achieve the computation power dispersion at the beginning age. As long as more than 50% of the miners are honest, transactions confirmed in the ledger are secure and irreversible.
However, in the PoS mechanism, the stake centralization leads to consensus centralization. The next block of the blockchain now is determined de facto by only a few players who own the initial stake in the system. If these players are malicious, they can perform double spending attacks to the ledger. Even though developers and investors are unlikely to perform such attacks to destroy their own creation, it means that the new blockchain is operating at the mercy of benevolent monopolies at day one. What makes things worse is that only these players with stakes can claim block rewards and transaction fees (if any). It is therefore extremely unlikely for the blockchain system to break out from this stake centralization. The core value of blockchain derives from the decentralized consensus process to guarantee the correctness, irreversibility, and consistency of each transaction in the blockchain ledger. Without the decentralized consensus, blockchain has no advantage compared with a traditional centralized server, i.e., for anything a blockchain system can do, a centralized server can do it more efficiently. For a new blockchain, it is better to start with PoW to avoid consensus centralization to damage the core value of the blockchain.
Long-Range Attack and Weak Subjectivity
In a public chain, if an attacker owns majority computing power or stakes, it is undoubtedly able to break the security of the public chain. However, in the PoS public chain, if the attacker obtains several private keys, which control more than 51% of the stakes at any certain time in history, the attacker can launch an attack to create a forked chain to represent an alternative fake transaction history. This attack is called a long-range attack.
In a long-range attack, the attacker obtains some private keys first. As long as these keys have controlled enough stakes at a certain time of history, the attacker can fork at this time and create an alternative chain, regardless of how many stakes they currently control. Because the PoS chain does not require
computation power to generate, the attacker can make the forked chain catch the original chain in a short time without consuming many computation power.
It is not a fantasy for an attacker to obtain such private keys. The attacker can buy the private keys from investors who own stakes in the genesis block and have sold out stakes in the secondary market. Since some investors pursue short-term gains rather than value investments, it is possible to buy private keys from them.
After that, the attacker broke the safety guarantee. Several solutions are proposed to face the long-range attack, for example, using the key-evolving signature in response to key theft. But this can not prevent the investors from selling its signature seed. Other solutions are based on the fact that a node that is running in the system for a long time can detect the forked chain. But it still has the following problem.
The forked chain in long-range attack is different from the forked chain in PoW chain. For a forked chain from Bitcoin, miners can easily find out which one is the correct chain from the accumulated computation power difference. In a PoS chain, most stakeholders are only users and don’t run a server at all time. Once the attacker control stakes as many shares as consensus participants controlled, it can generate an indistinguishable forked chain with original chain. With the help of the Sybil attack, the new participants cannot distinguish the right chain via both block history nor its network neighbors’ response. The only way left is choosing manually according to developers’ notification or news. The problem for the new participants to recognize the correct chain is called Weak Subjectivity. The consequence of the Weak Subjectivity is that the system is no longer fully permissionless. New participants have to consult a trusted node to safely join the system.
Nothing-at-stake attack is another attack type of PoS. When a blockchain forks due to network delay, long-range attack or some other reasons, mining on multiple forked chains simultaneously is a violation of consensus protocol. In a PoW chain, if a miner wants to mine on multiple chains, it must spread its computation power on them, the sum of computation power on all the forked chains cannot exceed its total computation power. For most miners, the optimized solution is to concentrate all its computation power to the chain chosen by the consensus protocol.
However, mining on multiple forked chains on PoS only incurs a negligible extra cost but allows the miners to obtain stable reward no matter which chain wins at last. But if the miners follow the protocol and mine on the chain prescribed by the protocol, it will lose reward if this chain is dropped at last. A miner who only cares about its profit will be incentivized to violate protocol and mine on multiple forked chains, which is helpful for breaking the security assumption and results in a long time fork.
Unlike long-range attacks, a careful incentive mechanism design may be able to prevent the nothing-at-stake attack. But nothing-at-stake attacks are just examples to show how hard to get the Proof-of-Stake right.
Proponents of PoS chains believe that PoS can avoid useless energy consumption in PoW chains. However, it is shown that PoS chains without “useless hash” are more vulnerable under several attack cases, which don’t have perfect solutions now. Although PoS has the advantage over PoW of being energy efficient, it carries many technical and security threats. Before the safety issue of PoS chains resolved, the energy consumed by PoW chains resembles the military expenses in peacetime. Many of these threats are particularly deadly for a new blockchain and this is why we believe it is better for a new blockchain to start with PoW instead.