Machine Consensus Via Proof-of-Work
How does Bitcoin use a peer-to-peer network of computers to enforce the rules agreed upon by human participants?
“... Hardware is soft, a transient expression of ideas, and those ideas are more durable than the hardware itself.”
—Edward Ashford Lee, 2017
In the last section, we discussed how hackers organize to create a system like Bitcoin, and established that the machines in the network are used to enforce rules upon the participants. But it can also be said that the machines enforce rules upon each other, such that clever humans are frustrated when trying to change them. This section explores how computers are used to keep human participants honest.
So far, we have contended that the “problems being solved” by Bitcoin are not abstractions (ie., “central banking” or “soft money”) but the concrete challenges of coordinating specialized human labor outside a command-and-control structure. We’ve established that the motivations for avoiding a command-and-control structure are threefold:
- To minimize the opportunity and motivation for the managers of the system to cheat or hassle the participants.
- To attract skilled technologists to build the system without direct compensation (ie., FOSS and open allocation).
- To eliminate gatekeeping, and allow anyone to use the system without permission; this achieves maximum growth and success of the software.
Next, we’ll talk about how Bitcoin accomplishes this feat of machine cooperation without losing these three desirable qualities.
How machines agree on a shared transaction history
Recall the first section, discussing Nakamoto’s message in the Genesis Block. About every 10 minutes, the system collates, validates, and bundles the new transactions. These bundles are called blocks. Block producers are called miners.
Each block contains a hash of the data from the previous block. A hash function is a one-way algorithm that maps data of arbitrary size to an output string of bits in a fixed size, called a hash. Changing the data fed into the hash function changes the resultant hash. It is one-way as it is not possible to reconstruct the data given the hash and the hash function. It follows that if a block contains a hash of the prior block, it must have been produced after the prior block existed. Since changing a block in the middle of a sequence of blocks would invalidate the hashes in all subsequent blocks, conceptually they are chained together. Blocks can only be appended to the end of the chain.
The data structure which results from creating a new block and including the hash of the prior block in a continuous manner is known as the blockchain. In a blockchain-based system all participants validate the hash of a new block before updating the state of their ledger.
How block producers are selected
We have established that all machines mining on the Bitcoin network work to bundle the transactions since the last block. If they are the first to report a new block, they have a chance at being paid a coinbase reward (currently 12.5 bitcoin).
But since most honest miners will report the same bundle of transactions, there will be many “correct” blocks, and only one reward winner. How does the system choose who wins, and how are clever miners prevented from winning every block?
Bitcoin’s consensus design selects a winner pseudo-randomly from among many potential miners by requiring the winning block to meet certain hard-to-predict characteristics. It is by requiring a certain number of prepended zeros in the block hash that the “reward winner” is kept random. This is what is meant when Bitcoin miners are described as playing a “guessing game.”
The screenshot below is taken from a blockchain explorer, a free public service which allows anyone to see all Bitcoin transactions. Note the block hash with 18 prepended zeros, required by the difficulty factor at the time this block was mined:
Figure 9. The most recent block, as of the time of writing. Note the block hash (mentioned above) and block height, also known as the number of blocks since Nakamoto mined the Genesis block.
Satoshi Nakamoto set as a constant a 10 minute average block time. This average is maintained by adding or subtracting the number of prepended zeros required in a valid block hash. So while the Bitcoin system has no sense of “Earth time,” it does know when blocks are found too quickly or too slowly, and difficulty will adjust accordingly. For example, if a large amount of hashrate left the network, making block production too slow, then the number of prepended zeros required to find a block would drop, making the validation condition easier to satisfy and blocks faster to find.
Unlike block #544937 above, block #0 below only has 10 prepended zeros. Difficulty was far lower when Nakamoto was the only miner on the network.000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f
Once validation criteria are met, the lucky block is propagated about the network and accepted by each full node, and it gets appended to a chain of predecessor blocks; at this time the winning miner is also paid.
Minting bitcoins for block producers
Each time a block is produced and a miner is paid, new bitcoins come into existence. The computer which finds a lucky hash is paid a reward automatically by the network, in Bitcoin. This is called the coinbase reward. Like everyone else, miners must have a public key to receive these funds.
The coinbase reward is cut in half every 210,000 blocks, an event known as halving. Halvings make bitcoin a deflationary currency; eventually the emission rate of bitcoins will drop to zero. Only about 21 million will be created by the network. Miners are theoretically incentivized to continue mining after the reward period ends around the year 2140, because they will continue to receive transaction fees set by the sender of an individual transaction.
In this way, Bitcoin creates its currency through a distributed process, out of the hands of any individual person or group, and requiring intensive computing and power resources.
Turning energy into hashes crystallizes value
As more blocks gets added to the chain, the cost of reverting a past transaction increases, and hence the probability of the transactions in the block being finalized increases. Proof-of-Work is cumulative in the sense that with more computing power on the network, it becomes more expensive to attack it, making the ledger more secure.
In Bitcoin’s original whitepaper, Section IV “Proof-of-Work” is written as the following:
“To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system… Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.”
Conceptually, Proof-of-Work burns energy in block-issuance, which allows network participants to view immutability objectively. Proof-of-Work reduces the entropy level within the system by consuming energy to create machine consensus around an ordered set of transactions. The cost of electricity consumption is borne collectively by miners to find “order” in “chaos” without a central coordinating agent. This is the process through which physical resources (ie., energy) are transformed into digital resources in the form of blocks of transactions, and the coinbase rewards which are the outcome of block production. Because these digital assets (ie., blocks and transactions) are encoded on physical computer memory, it can be said that the Proof-of-Work process sublimates electricity into a physical bearer instrument, similar to the way that gold mining and minting can produce gold coins.
Blocks order transactions
We have said that Bitcoin hashes groups of transactions to create a single, verifiable block. We’ve also said that the blockchain creates a transaction history that cannot be changed without expending enormous amounts of energy. But accomplishing these two feats required some ingenuity on Nakamoto’s behalf.
Bitcoin users exist all over the world, and their individual transactions must travel slower than the speed of light, so latency causes nodes to receive messages at different times, or out of order.
In any financial system, errors in transaction-logging can create disagreements between parties because balances will appear incorrect, or transactions will be missing. If disagreements are constant, the system is not usable. Whether in a paper ledger or a digital database, cheaters or saboteurs who want to erroneously increase their own balance (or simply wreak havoc) need only to change the order of transactions (ie., their timestamp) or delete them outright to cheat other participants.
The practice of “writing” ledger data into a hard-to-alter physical record is at least 30,000 years old, as exemplified by the clay tablets used by the ancient Sumerians used before the development of paper, and the more recent wooden “tally sticks” (seen below) which were still legal tender in the United Kingdom until the 19th century.
Figure 10. Medieval tally sticks, notched and carved to record a debt on 32 head of sheep, owed to a local dean in Hampshire, England.
Of course, keeping track of changes is no sweat for a spreadsheet on a single computer. When applications span multiple computers, networks are required to carry messages between them. Multi-computer applications deal with slow connections by using asynchronous algorithms, which are tolerant of dropped, latent, or out-of-order messages and are not driven by a time-based schedule. In an asynchronous system, computers engage in parallel processing, but without moving forward in lock-step. Instead, messages (often user actions) trigger a change on each and every machine as it hears about the message.
Nakamoto consensus is highly reliable
Bitcoin too is an asynchronous event-driven system. But unlike conventional distributed systems, participants are not permissioned, meaning they have not been authenticated and authorized prior to participating. Yet somehow they all transition the state of their ledger together without a leader or any sort of coordinating mechanism beyond their own self interest. How can self-interest be used to coordinate a group of disparate, unvetted, and possibly hostile individuals?
One of the many strokes of brilliance in Bitcoin is the use of economic incentives to keep miners producing valid blocks on schedule. Miners earn rewards denominated in the unit of account for the ledger they maintain; that is, in bitcoin. Nakamoto’s conjecture was that the desire to corrupt the ledger, which threatens the coin of the realm, would be outweighed by the desires of those with a vested interest.
This way, miners in a distributed system like Bitcoin can come to agreement about the order of transactions, even if some of the nodes are slow or even maliciously producing invalid blocks. This happens without the restrictive requirements of permissioned consensus.
Bitcoin’s system has shown its resilience in both operational uptime and integrity of the ledger. Importantly, it can accomplish this feat without needing to vet the individual nodes on the network; machines can join or drop off at will, and the properties of the system remain the same.
Industrial mining in a nutshell
Compared to launching an ICO, venture investing, or volatility-trading, a mining operation is the least exposed to capital market “narratives,” making it the most predictable cryptocurrency investment activity. Mining profitability is driven by semiconductor cycles, energy expenditure, and the overall performance of the cryptocurrency market. While a mining investment is fundamentally a long position, it comes with a lower cost basis, so long as a miner optimizes for overhead costs and buys their machines at a fair retail price. A miner’s decisions to buy hardware or support a given network are much less influenced by short term market fashions than on the fundamental qualities of the network protocol, and the technological life cycle of hardware being purchased. Considerations for miners include, but are not limited to, fundamental factors such as:
- Choosing a viable network.
- Sourcing from the right hardware manufacturers, at a fair price.
- Timing the purchase with the hardware cycle.
- Cost of energy and other overheads at host facility.
- Security and staffing at host facility.
- Liquid reward management.
- Local regulation and tax.
There are two main factors driving mining market dynamics: hashrate growth and price movement. Fundamentally the two factors are deeply intertwined. Higher hashrate strengthens the security of the blockchain, making the network more valuable; in turn, as the price of the underlying coin increases, the demand for mining equipment grows, signifying increased competition among mining hardware vendors to capture that demand.
Bitcoin hashrate has been increasing at a breathless pace despite the spot price having been butchered year-to-date. Since January 2018, Bitcoin miners and traders have lived in completely separate universes, with miners reinvesting in hardware and facilities, anticipating the next cycle of price appreciation that is expected to accompany continued engineering progress at the core protocol level. Because miners control liquidity, this amounts to a self-fulfilling prophecy. (An appendix discussing popular conceptions about price trends appears at the end of this paper.)
Figure 11. Hashrate continues growing in spite of dropping bitcoin prices.
The mismatch between hashrate growth and price movement is the result of the different paces between hardware markets and capital markets. Under normal circumstances, mining difficulty can be predicted by semiconductor foundry TSMC’s wafer shipments, which account for a majority of Bitcoin ASIC production. Foundry lead times are longer than the Bitcoin price cycle, meaning wafers that are already in production during a downturn in the Bitcoin price would cause capacity to overshoot.
Figure 12. TSMC wafer demand may decline given unsustainable mining profits.
(Source: Morgan Stanley Research)
On the other hand, due to the cumulative nature of Proof-of-Work, higher hashrate poured into a network makes the system more secure and robust. A higher degree of finality means the system is more stable to support transaction volume, and more robust for third-party developers to build on the system.
In Proof-of-Work cryptocurrencies, capital markets and distributed networks are tied together by design. As Bitcoin price continuously climbed up over the past decade, mining grew into a huge industry. In the first half of 2018, the largest cryptocurrency ASIC manufacturer Bitmain, reported $2.5 billion in revenue and $1.1 billion in profit.
Figure 13. Bitcoin miner revenue over time. (Source: Frost & Sullivan)
The rise of specialized hardware
Over the years, cryptocurrency mining has graduated from CPU to GPU to specialized hardware such as FPGA (Field-Programmable Gate Array) and ASICs. Because of the competitive nature of mining, miners are incentivized to operate more efficient hardware even if it means higher upfront cost paid for these machines. As some hardware manufacturers upgrade to faster and more efficient machines, others are forced to upgrade too, and an arms race emerges. Today, for the notable networks, mining is largely dominated by ASICs. Bitcoin’s SHA256d is a relatively simple computation; the job of a Bitcoin ASIC is to apply the SHA256d hash function trillions of times per second, something that no other type of semiconductor can do.
First introduced in the 1980s, ASICs transformed the chip industry. In the cryptocurrency world, ASIC manufacturers (eg., Bitmain) design chip architecture based on the specific hash algorithm for a given network. After going through multiple iterations and tests, the design graphic for the photomask of the circuit is then sent to foundries such as TSMC and Samsung as part of the process known as a tape-out. The actual performance of the chips is not known until the chips return from the foundry. At this point, the ASIC manufacturer needs to optimize for thermal design and chip alignment on the hashing board before the product is ready for production use.
The rise of application-specific hardware is inevitable and a natural trend in the computing hardware evolution. Much like how technology in gold mining and oil drilling developed over time as the base commodities became more and more valuable, application-specific hardware is improving quickly as the result of cryptocurrency becoming more attractive. While short-term price action is mainly driven by speculation and has been observed to decorrelate with hashrate, over the long run the two factors form a virtuous feedback loop.
Figure 14. Market size of the blockchain hardware market by revenues and growth rate globally, 2012-2020.
(Source: Frost & Sullivan) 
Figure 15. Market size of blockchain hardware market by revenues and growth rate in China, 2013-2020. (Source: Frost & Sullivan) 
Past, present, and future of ASIC manufacturing
A cryptocurrency miner is a heterogeneous computing system, which refers to systems using multiple types of processors. Heterogeneous computing is becoming more common as Moore’s Law slows down. Gordon Moore, originator of the eponymous law, predicted that transistor density in semiconductor manufacturing would produce continuous and predictable hardware improvements, but that these improvements had only 10-20 years before they reached fundamental physical limits.
The first generation of Bitcoin ASICs included China's ASICMiner, Sweden's KNC, and Butterfly Labs and Cointerra in the U.S. Application-specific hardware quickly showed its promise. The first batch of ASICMiner hit the market in February 2013. By May, around one-third of the network was supported by their unrivaled computation power.
Integrated circuit competition is all about how quickly a company can iterate the product and achieve economies-of-scale. Without sufficient prior experience about hardware manufacturing, ASICMiner rapidly lost market share due to delay and a series of critical strategic mistakes.
Around the same time in 2013, Jihan Wu and Ketuan Zhan started Bitmain. In the early days of Bitcoin ASICs, simply improving upon the previous generation’s chip density, or tech node, offered an instant and efficient upgrade. Getting advanced tech nodes from foundries is always expensive, so the challenge was less about superior technical design, but more about the ability to fundraise. Shortly after the launch of Bitmain, the company rolled out the Antminer S1 using TSMC’s 55nm chip.
In 2014, the cryptocurrency market entered into a protracted bear market, with the price of Bitcoin dropping nearly 90 percent. By the time the market recovered in 2015, the Antminer S5 (Bitmain’s then-latest machine) was the only product available to meet the demand. Bitmain quickly established its dominance. Subsequently, the lead engineer from ASICMiner joined Bitmain as a contractor, and developed the S7 and S9. These two machines went on to become the most successful cryptocurrency ASIC products sold to date.
The semiconductor industry is fast-paced. Increased competition, innovations in production, and economies of scale mean the price of chips keep falling. For large ASIC mining companies to sustain their profit margins they must tirelessly seek incremental design improvements.
How the hardware game is changing
In the past, producing a faster generation of chips simply required placing transistors closer together on the chip substrate. The distance between transistors is measured in nanometers. As chip designers begin working with cutting-edge tech nodes with transistor distances as low as 7nm, the improvement in performance may not be proportional to the decrease in distance between transistors. Bitmain has reportedly tried to tape-out new Bitcoin ASIC chips at 16nm, 12nm, and 10nm as of March 2018. The tape-out of all these chips allegedly resulted in failure which cost the company almost 500 million dollars.
After the bull run in 2017, many new original equipment manufacturers (OEMs) are entering the Bitcoin ASIC arena. While Bitmain is still the absolute leader in terms of size and product sales, the company is clearly lagging behind on performance of its core products. Innosilicon, Canaan, Bitfury, Whatsminer (started by the same engineer designed S7 and S9), and others are quickly catching up, compressing margins for all players.
As the pace of tech node improvement slows down, ASIC performance becomes increasingly dependent on the company’s architectural design skills. Having an experienced team to implement fully-custom chip design is therefore critical for ASIC manufacturers to succeed in the future. In the long term, ASIC design will become more open-source and accessible, leading to commoditization.
Figure 16. Mining hardware & mining difficulty
(Credit: “The evolution of bitcoin hardware”)
Bitcoin mining started out as a hobbyists’ activity which could be done on a laptop. From the chart above we can see the accelerating move to industrialized mining. Instead of running mining rigs in a garage or basement, industrialized mining groups, cloud mining providers, and hardware manufacturers themselves today build or renovate data-centers specifically tailored for cryptocurrency mining. Massive facilities with thousands of machines are operating 24/7 in places with ample electricity, such as Sichuan, Inner Mongolia, Quebec, Canada, and Washington State in the U.S. 
In the cut-throat game of mining, a constant cycle of infrastructure upgrades requires operators to make deployment decisions quickly. Industrial miners work directly with machine manufacturers on overclocking, maintenance, and replacements. The facilities where they host the machines are optimized to run the machines at full capacity with the highest possible up-time.  Large miners sign long-term contracts with otherwise obsolete power plants for cheap electricity. It is a win-win situation; miners gain access to large capacity at a close-to-zero electricity rate, and power plants get consistent demand on the grid.
Over time, cryptocurrency networks will behave like evolving organisms, seeking out cheap and under-utilized power, and increasing the utility of far-flung facilities that exist outside present-day industrial centers. Proof-of-Work cryptocurrencies depend on appending blocks to the chain to maintain consensus.
Over the years, many have voiced concern around the high amount of energy consumed in producing Bitcoin. Satoshi Nakamoto himself addressed this concern in 2010, saying:
“It's the same situation as gold and gold mining. The marginal cost of gold mining tends to stay near the price of gold. Gold mining is a waste, but that waste is far less than the utility of having gold available as a medium of exchange. I think the case will be the same for Bitcoin. The utility of the exchanges made possible by Bitcoin will far exceed the cost of electricity used. Therefore, not having Bitcoin would be the net waste.”
The “Delicate balance of terror” when miners rule
In a permissionless cryptocurrency system like Bitcoin, large miners are also potential attackers. Their cooperation with the network is predicated on profitability; should an attack become profitable, it’s likely that a large scale miner will attempt it. Those who follow the recent history of Bitcoin are aware that the topic of miner monopolies is controversial.
Some participants believe ASICs are deleterious to the health of the network in various ways. In the case of hashrate concentration, the community is afraid of miners’ collective ability to wage what is known as a 51 percent attack, wherein a miner with the majority of hashrate can use this computing power to rewrite transactions or double-spend funds. Such attacks are common in smaller networks, where the cost of achieving 51 percent of the hashrate is low.
Any mining pool (or cartel of mining pools) with over 51 percent of the hashrate owns the “nuclear weapon” in the network, effectively holding the community hostage with raw hashrate. This scenario is reminiscent of Cold War-era nuclear strategist Albert Wohlsetter’s notion of a delicate balance of terror:
“The balance is not automatic. First, since thermonuclear weapons give an enormous advantage to the aggressor, it takes great ingenuity and realism at any given level of nuclear technology to devise a stable equilibrium. And second, this technology itself is changing with fantastic speed. Deterrence will require an urgent and continuing effort.”
While large miners can theoretically initiate attacks that bends the consensus history to their liking, they also risk tipping off the market to their attack, causing a sudden collapse of the token price. Such a price collapse would render the miner’s hardware investment worthless, along with any previously-earned coins held long. In the case where manufacturing is highly concentrated, clandestine 51 percent attacks are easier to achieve.
Figure 17: Miner concentration by pool.
In the past few years, Bitmain has dominated the market both in the form of hashrate concentration and manufacturing concentration. At the time of the writing, analysts at Sanford C. Bernstein & Co. estimate that Bitmain controls 85 percent of the market for cryptocurrency-mining chips.
“Tyranny of Structurelessness” when core developers rule
While hostile miners pose a constant threat to permissionless cryptocurrency systems, the dominance of the core software developers can be just as detrimental to the integrity of the system. In a network controlled by a few elite technologists, spurious changes to the code may not be easily detectable by miners and full node operators running the code.
Communities have taken various approaches to counter miners’ overwhelming amount of influence. The team at Siacoin decided to manufacture its own ASIC miner upon learning of Bitmain’s Sia miner. Communities such as Zcash take a cautiously welcoming attitude to ASICs. New projects such as Grin designed the hashing algorithm to be RAM (Random Access Memory) intensive so that ASICs are more expensive to manufacture. Some projects such as Monero have taken a much harsher stance, changing the hashing algorithm just to render one manufacturer’s ASIC machines inoperable. The fundamental divide here is less about “decentralization” and more about which faction controls the means of producing coinbase rewards valued by the marketplace; it is a fight over control of the “golden goose.”
Due to the highly dynamic nature of decentralized networks, to swiftly act against power concentration around miners could lead to the opposite extreme: power concentration around developer figureheads. Both types of concentration are equally dangerous. The latter extreme leads to a tyranny of structurelessness, wherein the community worships the primary committers in a cult of personality, and under a false premise that there is no formal power hierarchy. This term comes from social theorist Jo Freeman, who wrote in 1972:
“As long as the structure of the group is informal, the rules of how decisions are made are known only to a few and awareness of power is limited to those who know the rules. Those who do not know the rules and are not chosen for initiation must remain in confusion, or suffer from paranoid delusions that something is happening of which they are not quite aware.”
A lack of formal structure becomes an invisible barrier for newcomer contributors. In a cryptocurrency context, this means that the open allocation governance system discussed in the last section may go awry, despite the incentive to add more development talent to the team (thus increasing project velocity and the value of the network).
Dominance of either miners or developers may results in changes to the development roadmap which may undermine the system. An example is the erroneous narrative perpetuated by “large block” miners. The Bitcoin network eventually split into two on August 1, 2017 as some miners pushed for larger blocks, which would have increased the costs for full node operators, who play a crucial role in enforcing rules on a Proof-of-Work blockchain. Higher costs might mean fewer full node operators on the network, which in turn brings miners one step closer to upsetting the balance of power in their own favor.
Another example of imbalance would be Ethereum Foundation. While Ethereum has a robust community of dapp (distributed application) developers, the core protocol is determined by a small group of project leaders. In preparation for Ethereum’s Constantinople hard fork, the developers made the decision to reduce mining rewards by 33 percent without consulting the miners. Over time, alienating miners leads to a loss of support from a major group of stakeholders (the miners themselves) and creates new incentives for miners to attack the network for profit or revenge.
Market consensus is achieved when humans and machines agree
So far we have discussed human consensus and machine consensus in the Bitcoin protocol. Achievement of these two forms of consensus leads to a third type, which we will call market consensus:
Figure 18. Consensus in the marketplace results from human and machine consensus.
(Credit: Narayan et al., Bitcoin and Cryptocurrency Technologies, p.169)
The three legs are deeply intertwined, and they require each other for the whole system to work well. Many cryptocurrency projects including Bitcoin, have suffered from either a “delicate balance of terror” and/or “tyranny of structurelessness” at various times in their history; this is one source of the rapidly-changing perceptions of Bitcoin, and the subsequent price volatility. Can these oscillations between terror and tyranny be attenuated?
Attenuating the oscillation between terror and tyranny
Some projects have chosen to reduce the likelihood of a “delicate balance of terror” by resisting the participation of ASIC miners. A common approach is to modify the Proof-of-Work algorithm to require more RAM to compute the block hash; this effectively makes ASIC miners more expensive (and therefore riskier) to manufacture. However, this is a temporary measure, assuming the network grows and survives; as the underlying cryptocurrency becomes more valuable, manufacturers are incentivized to roll out these products, as evidenced in Zcash, Ethereum, and potentially the Grin/Mimblewimble project. 
Some think that mining centralization in Proof-of-Work systems is an ineluctable problem. Over the years there have been various proposals for different consensus protocols that do not involve mining or energy expenditure. The most notable of these approaches is known as Proof-of-Stake.
Proof-of-Stake consensus is a poor alternative
While there are various ways to implement Proof-of-Stake, an alternative consensus mechanism to Proof-of-Work, the core idea is that in order to produce a block, a miner has to prove that they own a certain amount of the network coins. In theory, holding the network asset reduces one’s incentive to undermine the network, because the value of one’s own positions will drop.
In practice, the Proof-of-Stake approach proves to be problematic in systems where the coins “at stake” were not created through Proof-of-Work. Prima facie, if coins are created out of thin air at no production cost, the value of one’s stake may not be a deterrent to a profitable attack. This is called the “Nothing-at-Stake” critique.
So far in this section, we have not discussed other ways of producing coins besides Proof-of-Work mining. However, in some alternative cryptocurrency systems, it is possible to create pre-mined coins, at no cost, with no Proof-of-Work, before the main blockchain is launched. Projects such as Ethereum called for the pre-mining of a vast majority of the circulating supply of coins, which were sold to insiders at a fraction of miners’ cost of production. Combining a pre-mine with Proof-of-Work mining for later coins is not necessarily a dishonest practice, but if undisclosed, gives the erroneous impression that all coins in existence have a cost-of-production value. In this light, Ethereum’s stated transition to Proof-of-Stake should be viewed with some skepticism.
Fully dressing-down Proof-of-Stake consensus is beyond the scope of this essay, except to say that it is not a viable replacement for Proof-of-Work consensus mechanisms. Some Proof-of-Stake implementations try to circumvent attack vectors with clever incentive schemes, such as in Ethereum’s yet-to-be-released Slasher mechanism.
The critical fault of Proof-of-Stake systems is the source of pseudorandomness used to select block producers. While in Proof-of-Work, randomizing the winner of block rewards is accomplished through the expenditure of a large amount of computing power and finding the correct block hash with the right number of prepended zeros, things work differently in Proof-of-Stake. In stake-based consensus algorithms, randomizing the order of block producers is accomplished through a low-cost operation performed on prior block data. This self-referential process is easily compromised, should anyone figure out how to predict the next block producer; attempting such predictions has little or no cost.
In short, consensus on history built with Proof-of-Stake is not immutable, and is therefore not useful as the basis for a digital economy. However, corporate or state-run projects may successfully deploy working Proof-of-Stake systems which limit attack vectors by requiring permission or payment to join the network; in this way, Proof-of-Stake systems are feasible, but will be slower-growing (owing to the need to vet participants) and more expensive to operate in practical terms (for the same reason, and owing to the need for security measures that wouldn’t otherwise be needed in a PoW system, which is expensive to attack).
The necessary exclusivity required for PoS to function limits its utility, and limits the growth potential of any network which relies upon PoS as its primary consensus mechanism. PoS networks will be undermined by cheaper, more reliable, more secure, and more accessible systems based on Proof-of-Work.
Proof-of-Stake as an abstraction layer on top of Proof-of-Work
Whether some form of Proof-of-Stake will ever replace Proof-of-Work as the predominant consensus mechanism is currently one of the most-debated topics in cryptocurrency. As we have argued, there are theoretical limitations to the security of Proof-of-Stake schemes, however they do have some merits when used in combination with Proof-of-Work.
In Nakamoto Proof-of-Work consensus, it can be said that “one CPU is one vote.” In Proof-of-Stake, it can be said that "one coin is one vote.” Distributing influence over coin holders arguably creates a wider and more liquid distribution for coinbase rewards than the mere paying of miners, who (as we have discussed) have incentive to cartelize in an attack scenario. Therefore, Proof-of-Stake may be an effective addition to Proof-of-Work systems if used to improve human consensus about network rules. However, it is not robust enough to be used alone.
Taking a step back, Proof-of-Work and Proof-of-Stake can be considered to exist at two different abstraction layers. Proof-of-Work is the layer that is closest to the bare metal, connecting hardware and physical resources to create distributed machine consensus. Proof-of-Stake may be useful for coordinating dynamic human behavior in such a system, once immutability of the underlying ledger and asset is guaranteed by Proof-of-Work.
An interesting architectural design is to use Proof-of-Work to produce blocks, and Proof-of-Stake to give full-node operators a voice in which blocks they collectively accept. These systems split the coinbase reward between miners and full-node validators instead of delivering 100 percent of rewards to miners. Stakeholders are incentivized to run full-nodes and vote on any changes miners want to make to the way they produce blocks.
The thinking goes like this: When compensated, full node operators can be trusted to act honestly, in order to collect the staking reward and increase the value of their coins; similarly, miners are incentivized to honestly produce blocks in order that their blocks are validated (not rejected) by stakers’ full nodes. In this way, networks with Proof-of-Work for base-layer machine consensus, and Proof-of-Stake for coinbase reward distribution and human consensus, can be said to be hybrid networks.
Such hybrid PoW/PoS architectures may prevent the network from descending into a delicate balance of terror (miner control) or into tyranny of structurelessness (developer control). These systems allow decisions about the rules of machine consensus to be taken by more than one group of stakeholders, instead of solely among core developers (as in traditional open allocation) or among large miners in a cartel.
In this section, we have elucidated how computers on the Bitcoin network achieves decentralized and distributed consensus at a global scale. We’ve examined why Proof-of-Work is a critical enabler of machine consensus, and how Proof-of-Stake, while flawed, may be used in addition to Proof-of-Work to make human consensus (ie., project governance) more transparent and inclusive. In the next section, we will discuss the value of public cryptocurrency systems when stakeholders are held in a stable balance of power.