In a recent article I proposed a dual-token approach to blockchain consensus. The system aims to provide economic decentralization, fulfilling the paradigm: One entity, one vote! The model stands in a stark contrast to existing blockchains like Bitcoin, Ethereum or NXT in which the influence of a party is proportional (or even superlinear if we take into account economies-of-scale and selfish mining strategies) to its computational power or stake. My proposal can be broken down into the following key points:
- The blockchain makes use of two different tokens: minter accounts and currency units (coins)
- Blocks can only be built by minter accounts
- The creation rate of minter accounts is limited: With every block, only a predefined number of new minter accounts are created.
- Minter accounts can be bought at the moment of their creation, while further sales are strongly discouraged owing to the fact that the seller will still know the private key (and could steal the funds back any time).
- No economic incentive to own multiple accounts
In this post I will relax some of the assumptions made in my seminal article and will further explore the design space around Proof of Membership blockchains. The name “Proof of Membership” is chosen to express that every member of the system can contribute to the blockchain, while a member’s impact on the consensus is not based on stake nor on hash rate. Even though it is impossible to technically restrict the number of accounts held by a member, we can make it economically pointless to possess more than one (or maybe a few) account.
Permissionless blockchain built by “members”
First of all, let’s take a closer look at what sets Proof of Membership (PoM) apart from both Proof of Work (PoW) and Proof of Stake (PoS). In PoW and PoS, users are basically free to join any time and to acquire as much influence as they can by accumulating stake or hashing power. While this holds without exception for PoW, in PoS you need to find someone to buy your stake from. However, assuming a liquid stake market, anyone can in principle become a member of the consensus group. The protocol itself does not explicitly limit the number of users who can join the system nor does it disincentivize the level of influence a single party can have (though some restrictions are imposed by the total coin supply and the currency’s denomination).
PoM differs in that it puts a hard limit on the creation rate of new minting accounts in the primary market and economically discourages further sales in a secondary market. Nevertheless, I argue that PoM can be regarded as being permissionless since the underlying protocol doesn’t restrict who can get an account and become a member. PoM can be either based on open membership or closed (trusted) membership models, according to one’s needs.
Creating and distributing minting accounts
In my original proposal I suggested to reward minters by giving them a new minter account for every created block. They could thus invite a friend or sell their child account to someone else. This would result in a parent-child tree account model and imply that an account market exists outside of the blockchain. An off-chain payment flow to a select group of lucky minters isn’t economically desirable though. Moreover, if the sole aim of minting is receiving child accounts, every block must come with at least one new account to have a minting incentive for the entire blockchain. It would be more convenient and to the benefit of all users if we could remove these constraints by integrating the whole account market within the blockchain. Instead of relying on a tree model which privileges existing minters, we can sell new accounts by auction. Also, by “burning” the successful bid, the total coin supply can be reduced with every new account, so that ultimately everybody will profit from the capital inflow through deflation.
Fortunately, the blockchain itself offers a neat way to establish an auction platform, enabling prospective minters to bid for minter accounts. Bids (which can be implemented as a special kind of transaction) are processed by the existing minters, provided that the bidder’s account has enough funds to pay the sum. Coins in the amount of the bid price are locked once the bid gets included in a block. Bids can either have a preset lifetime (expressed by a fixed number of blocks before expiration) or they can be revoked later by making a canceling transaction. Whenever a block is created, the highest bidder obtains a new minter account, while his locked funds are burned_._ All the other bids remain active and participate in the auction for the next account until they get accepted or revoked.
The protocol can allow to auction several accounts per block or, on the contrary, only perform auctions for every k’th block. One might event think of automatically adjusting the creation rate of accounts depending on price or some other criteria.
Benefits and their effect on account price and security
It’s an important design factor if minter accounts are made to be cheap or expensive. For the price per account together with the age of the system has a direct impact on security: To get majority control over the blockchain, an attacker needs to acquire +50% of all the accounts. So, the costs of an attack will depend on the total number of accounts in existence multiplied by their price. The more accounts there are, the lower will be their relative voting power. Therefore, with a growing number of accounts (that are in use), the power share of an account will steadily decline. Note, that in contrast to PoS, the attack costs in PoM are sunk costs, i.e. they cannot be recovered no matter if the attack turns out as successful or not. If the attacker for example had to buy 10000 accounts in order to launch a double-spend, his accounts will be practically worthless afterwards as they cannot be safely transferred nor be sold on the market.
Expensive accounts
By making accounts as expensive as possible, we can increase the security of the system by raising the economic costs of an attack. Accounts will generally gain their value from the benefits they carry. Their value can in theory be maximized if the rewards go exclusively to the members, i.e. to the owners of minter accounts. That way, the price paid to become a member would reflect the net present value of all the future income that the (highest bidding) member hopes to achieve. Though, we have to be very careful when designing our reward scheme so as not to create any incentive of owning multiple accounts. While paying a fixed reward to the minters like in Bitcoin would go directly against this important design goal, it’s less obvious that even a fixed percentage interest rate paid on the minter’s stake wouldn’t fully meet our requirement: By splitting up the funds between several accounts, a minter could still lower the average payout intervals and thus maximize his compound interests.
On the other hand, we can reward membership as such, for example by paying interest to all members whenever a new block is created (by anyone). Of course, such a reward scheme does not incentivize minting of blocks whatsoever and cannot be used on its own, as we don’t want to solely rely on altruism for minting. The question arises if we can design a reward scheme for minting that is incentive-compatible with our one-entity-one-account approach. To solve the dilemma, we can combine both schemes and credit interests to every minter with every block, but lock the accrued interests until the minter actually builds a block himself. This model guarantees incentive-compatibility with regard to compound interests since the latter don’t depend on the frequency of block generation anymore. Depending on individual liquidity needs and costs, a minter may still decide to use several accounts for minting in order to get faster access to his interests. But the benefits of using multiple accounts would be rather limited.
Cheap accounts
The downside of expensive accounts is the fact that not everyone will have the means of becoming a member of the system. That’s why in the expensive setting, “free” accounts are needed to make the blockchain de facto permissionless and accessible for everybody. It’s easy to add free accounts to the system by letting anybody generate a valid keypair. Such a free account could be created anytime and would not have the benefits of a member account.
If we don’t make membership expensive, we must accept the fact that an attacker “only” needs a lot of time to acquire majority control. In fact, assuming that every member is taking part in minting, the attacker would have to keep buying accounts for a time period longer than the age of the system at the time when the attack started. To make 51% attacks more difficult, we can also use a “trick”. Instead of allocating the accounts to the highest bidder, we can allocate them to the bidder who destroys the highest coin age, i.e. number of coins multiplied by their respective age. Once an attacker starts his plot, he would compete against all the longtime stakeholders with older coins aiming for membership. It is safe to assume that many users will first buy coins to try out the system before eventually deciding to become members, so the competition would be rather steep. An attacker who is not able or willing to pay a much higher price for the accounts would need to be even more patient than in the standard case. For increased security, one might even consider the coin age of the Bitcoins that were converted into the new currency (see below “Coin supply and initial distribution”).
With cheap accounts in mind, we can abandon the idea of paying financial rewards to minters (and/or members) whatsoever and give them another type of benefit instead. For example, one could impose a minimum transaction amount on free accounts, while only members that have already built a block would be allowed to make transactions of any size. Members would thus try to mine a block in order to become eligible for microtransactions. Another approach addresses the issue of transaction fees. In any case, fees reduce the risk of transaction spamming and also encourage minters to include transactions in their blocks. But that doesn’t mean that there are no alternatives to paying transactions fees to the minters. Instead of letting them collect the fees (which would violate the goal of not having incentives for using multiple accounts), one could give them the right to make free transactions for every transaction they have included in their block. This would encourage users aiming for making frequent payments to take part in minting in order to build up a credit for free transactions. The ledger would keep track of every minter’s transaction credit which would be tied to the account and couldn’t be transferred to anyone else.
Yet another solution would be to let minters emancipate from the burden of heartbeat transactions (or some other duty). As laid down in my previous article, members are required to make “heartbeats” in order to stay alive, i.e. keep their minter accounts active. This means that they have to leave their clients running all the time or at least turn them on regularly. Once a minter has successfully built a block, he could be exempt from this duty for a certain period of time or even permanently. This might seem appealing to most home-users.
Benefits of membership versus benefits of minting
You may have already noticed that benefits can be based on two different types of approaches:
- Benefits tied to membership
- Benefits tied to minting
Even though both types of benefits have an impact on account price, their game-theoretic implications are quite different. While minting benefits lead to a “race” to generate the next block, the benefits of membership might result in a “race” to become a member (provided that the demand for minting accounts is higher than the supply). A recent academic paper suggests a completely race-free DAG block model and proves it to be incentive-compatible. I argue that it’s not possible to achieve race-freeness in a simple blockchain design without relying on altruism for mining. However, I think that by using an alternative incentive scheme instead of financial rewards, we can create an incentive-compatible system of minting in PoM. Selfish mining, stubborn mining and other optimal mining strategies all relate to the fact that you can make a direct profit in proportion to the number of blocks mined and that you can adversely affect the profit of others by orphaning their blocks.
Eligibility for microtransactions, on the other hand, is a non-cumulative benefit. In other words, there’s no point in keeping minting once you have created your first block that gives you the (permanent) right to make microtransactions. Granted, impatient people might want to buy several accounts in order to reduce the expected time to get eligible for such transactions. So, your chances of getting the benefit are still cumulative. If your only minting reward is the exemption from the obligation of regular “heartbeats”, using multiple accounts for mining would be downright counter-productive. In fact, you would have to mine a block with every one of your accounts to get (fully) emancipated, which would take longer on average. Here, the counter-productivity is tied to your chances since making heartbeats is virtually cost-free (or very cheap), so it doesn’t really matter if you must do them several times with multiple accounts as you must run your machine anyway. If your duty consists in doing some kind of heavy computational work, then things are different. In such a case, owning multiple accounts would be counter-productive in both ways.
Benefits tied to membership are much simpler in nature. As per our design goal, these benefits must be absolutely non-cumulative to prevent centralization through accumulation of accounts. That’s as simple as it gets. Well, almost. Theoretically, if the benefit consists in an interest on stake, denying others’ interest by buying up the whole supply of new accounts might seem relatively profitable to some people. Though one should keep in mind that a profitable strategy cannot be based on the nominal value of your coins, but it must take their real value into account. One has to assume that deterring other investors from buying into the currency would negatively affect the price of your own stake.
In the end, it seems possible to build an incentive scheme with a clear financial reward of membership combined with some “alternative” minting benefits. That way, you could have the best of two worlds: Expensive accounts and a blockchain that is practically safe from selfish mining strategies.
Coin supply and initial distribution
An important aspect of every blockchain with regard to security and credibility is how everything gets started, particularly how the currency is distributed in the first place. The coins can be created and allotted to the stakeholders before the currency is officially launched, e.g. by premining or an ICO. Or the coins can be distributed continually via block rewards like Bitcoin does. As an alternative, new coins could also be created and attributed in exchange for burning some amount of BTC or other existing cryptocurrency (Proof of Burn; see Counterparty as an example). Another way of ensuring coin supply is to attribute the coins to the current owners of Bitcoins, in proportion to their stake (see Ardor for NXT as an example). This could be done automatically or by requiring the owners to perform any action, i.e. declaring their interest within a fixed period of time. Also, one might think of taking a snapshot of historic coin ownership (or even averaging snapshots of different points in time) to even out disparities. The possibilities are endless!
Double-spending attacks
Double-spending is the result of successfully spending some money more than once. It requires that the attacker can build an alternative chain longer than the main chain once he got the merchant to deliver the goods. Usually, the latter will wait a certain number of confirmations before sending the item. Assuming that this number is sufficiently high, an attacker will thus need to control more than 50% of the accounts (currently in use) in order to carry out a double-spend. He can do so by either buying the majority of accounts himself or by bribing other members into helping him.
Attacker buys 51% of all accounts
To buy the majority of all currently active accounts, the attacker will have to pay a lot of money and, depending on the age of the blockchain, spend a lot of time. Let’s assume that he nevertheless achieves to acquire more than 50% of the accounts. It is obvious that he will only be able to buy the accounts that were created after his first appearance at time t, so older accounts will still be owned by honest users. Therefore, the attacker’s secret chain would be statistically distinguishable from the right chain (even for newly connecting nodes) as it would contain no blocks built by members that joined before t. To account for the possibility that the attacker might have bought a few older accounts from friends, we can use an adapted chain scoring rule that gives blocks built by older accounts a higher weight. Such a rule would make it very difficult to attack the system since older members would have a higher relative voting power. Of course, this defense doesn’t work if the attacker is an old member who started collecting accounts at an early stage.
Attacker controls 51% of all accounts
As accounts are not suitable for being rented (for the same reason as they cannot be securely sold except when created), an attacker might try to bribe existing members to build an alternative chain. To be successful, he would need to control all 51% of the accounts at the same time. However, the sheer number of members and their anonymity will prevent them from being approached directly by the attacker. Instead, the attacker will have to announce his bribery to the public and wait for the members to contact him. Of course, by doing so, the attacker couldn’t make his fork in secret but would also reveal his plot to possible victims of his double-spend. In contrast, due to their centralized nature, in PoS and PoW it is much easier to get in touch with the top few stakeholders/miners, which facilitates bribe attacks.
I think that in PoM bribery attacks are practically infeasible and out of scope for most attackers. To control the blockchain, the adversary would have to reach several majorities. Let f1 be the fraction of nodes reached by the attacker’s campaign, f2 the fraction of corruptible members, f3 the fraction of people who trust to be paid by the adversary and f4 the people who correctly follow the latter’s instructions. Assuming that these fractions are independent from each other, the adversary must thus control a set of accounts (all at the same time) so that f1 ∙ f2 ∙ f3 ∙ f4 > 0.5 is fulfilled, which seems extremely hard. And finally, open bribery attempts might result in countermeasures taken by honest nodes (see http://fc16.ifca.ai/bitcoin/papers/Bon16b.pdf, Chapter 3.1 “Counter-bribing by miners”).