An overarching problem that cryptocurrencies must address is called the Byzantine General's Problem. The Byzantine General's Problem essentially simplifies down to: How do you prevent data from being corrupted or falsified in a network where there are nodes that have economic incentive to lie about the data?
In application to cryptocurrency, the problem boils down to preventing attackers from lying about a coin's ledger, given the economic incentive of doing so. We need a way to form consensus on the ledger because anyone can create a block, while we only want a unique chain, so we want a way to decide which block to trust.
The two main schools of thought to solving the Byzantine General's Problem are Proof of Work (PoW) and Proof of Stake (PoS).
Proof of Work (PoW):
Explicitly, a "proof of work" is a piece of data which is difficult (costly, time-consuming) to produce but easy for others to verify and which satisfies certain requirements. Producing a proof of work can be a random process with low probability so that a lot of trial and error is required on average before a valid proof of work is generated. Currently Bitcoin, Ethereum, and the vast majority of other cryptocurrencies utilize some form of proof of work.
PoW (referring to the protocol itself) as it applies to solving the Byzantine General's Problem relies on the fact that producing hashes has actual economic value by recognizing that a tiny amount of computer power and electricity has to be contributed to produce valid hashes.
Under Bitcoin's protocol, which uses the Hashcash PoW system for block generation, in order for a block to be accepted by network participants, miners must complete a proof of work which covers all of the data in the block.
For a block to be valid it must hash to a value less than the current target; this means that each block indicates that work has been done generating it. Due to the very low probability of successful generation, this makes it unpredictable which worker computer in the network will be able to generate the next block, however, the miner that does generate the block receives a reward, akin to a lottery system. Chances of winning the lottery can be increased by dedicating more CPU/GPU cycles to check hashes. Each block contains the hash of the preceding block, thus each block has a chain of blocks that together contain a large amount of work. Changing a block, which can only be done by making a new block containing the same predecessor, requires regenerating all successors and redoing the work they contain, which would require the attacker to hold over 50% of the hash power of the network, or else the attacker would never be able to catch up to the original blockchain. This protects the blockchain from tampering by making history provably expensive to rewrite, thus solving the Byzantine General's Problem by adding prohibitive economic costs to falsifying data.
As a side note, PoW protocols mandate that a miner can not hash on one blockchain without consequence to another because while the protocols may be different, and the algorithms for hashing may be different, the electrical and computational resources consumed are real. A miner cannot double spend his real world resources to hash on two chains.
Proof of Stake (PoS):
PoS is a proposed alternative to PoW. Like PoW, PoS attempts to provide consensus, but differs in that PoS criticizes the usage of real-world resources in solving the General's problem. Instead of counting the weight of each node in the consensus through hash power ("one unit of CPU power, one vote"), PoS uses a system of "one currency unit, one vote".
Some argue that methods based on PoW alone might lead to a low network security in a cryptocurrency with block incentives that decline over time, like Bitcoin, due to Tragedy of the Commons, and PoS is one way of changing the miner's incentives in favor of higher network security.
In order to operate, PoS must have a method for defining the next valid block in any blockchain. In general, PoS implementations will follow a system for selecting the node that gets to mine (termed "forge" in PoS) the next block, similar to how in PoW mining, the node that generates a hash that fulfills a certain condition gets to mine the next block. This simplest methodology, selection by largest account balance, would result in undesirable centralization, as the single richest member would have a permanent advantage. Instead, several different methods of selection have been devised.
Randomized block selection: uses randomization to predict the following generator, by using a formula that looks for the lowest hash value in combination with the size of the stake. Since the stakes are public, each node can predict, with reasonable accuracy, which account will next win the right to forge a block.
Coin age based selection: combines randomization with the concept of "coin age," a number derived from the product of the number of coins times the number of days the coins have been held. Coins that have been unspent for at least 30 days begin competing for the next block. Older and larger sets of coins have a greater probability of signing the next block. However, once a stake of coins has been used to sign a block, they must start over with zero "coin age" and thus wait at least 30 more days before signing another block. Also, the probability of finding the next block reaches a maximum after 90 days in order to prevent very old or very large collections of stakes from dominating the blockchain. This process secures the network and gradually produces new coins over time without consuming significant computational power. Proponents of this selection system claim that this makes a malicious attack on the network more difficult due to the lack of a need for centralized mining pools, and the fact that purchasing more than half of the coins is likely more costly than acquiring 51% of proof-of-work hashing power.
Advantages of Proof of Stake:
A major flaw of PoW is that the costs of attacking the system are equal to what is spent to run the system. High security thus can only be achieved at high operating costs. The idea is that the honest participants just outspend the dishonest. This is already today highly inefficient. It's estimated that both Bitcoin and Ethereum burn over $1 million worth of electricity and hardware costs per day as part of their consensus mechanism. Also, as soon as the block subsidiary/reward starts reaching zero, the ratio between the Market Capitalization and the costs of attacking Bitcoin becomes critical. Details are presented here.
PoS promises to solve this problem. An honest validator is expected to have very low costs, compared to the costs an attacker would incur. Relating to electricity costs, economies of scale also become much less of an issue, helping to prevent centralization.
Because of the lack of high electricity consumption, there is not as much need to issue as many new coins in order to motivate participants to keep participating in the network. It may theoretically even be possible to have negative net issuance, where a portion of transaction fees is burned and so the supply goes down over time.
The incentives of the block-generator are also different. Under PoW, the generator may potentially own none of the currency they are mining. The incentive of the miner is only to maximize their own profits. It is unclear whether this disparity lowers or raises security risks. In PoS, those "guarding" the coins are always those who own the coins, although several cryptocurrencies do allow or enforce lending the staking power to other nodes.
Additionally, PoS opens the door to a wider array of techniques that use game-theoretic mechanism design in order to better discourage centralized cartels from forming and, if they do form, from acting in ways that are harmful to the network (eg. like selfish mining in PoW).
Problems with Proof of Stake
Most glaringly, PoS removes the economic inputs that were required to solve the Byzantine General's Problem. This is known as the "Nothing at Stake" problem.
A very simple PoS algorithm requires the miner mining the block to sign it with the private key to the address holding their coins, where the block is valid if sha256(PREVHASH + ADDRESS + TIMESTAMP) <= 2^256 * BALANCE / DIFFICULTY where PREVHASH is the hash of the previous block, ADDRESS is the signer's address with balance BALANCE, TIMESTAMP is the current Unix time in seconds and DIFFICULTY is an adjustable parameter to regulate the frequency of successful signatures. At first glance, this algorithm has the basic required properties: every miner has some random chance per second of succeeding, and if your address has twice as much money in it then you have double the chance of success.
However, this algorithm has one important flaw: there is "nothing at stake". In the event of a fork, whether the fork is accidental or a malicious attempt to rewrite history and reverse a transaction, the optimal strategy for any miner is to mine on every chain, so that the miner gets their reward no matter which fork wins. Thus, assuming a large number of economically interested miners, an attacker may be able to send a transaction in exchange for some digital good (usually another cryptocurrency), receive the good, then start a fork of the blockchain from one block behind the transaction and send the money to themselves instead, and even with 1% of the total stake the attacker's fork would win because everyone else is mining on both. Creating forks is costless when you aren't burning an external resource.
Another problem to keep in mind that falls under "nothing at stake" is the issue of so-called "long-range attacks": attacks where the miner attempts to start a fork not five or ten blocks behind the head of the main chain, as happens normally, but hundreds of thousands of blocks back. If an algorithm is designed incorrectly, it may be possible for an attacker to start from that far back, and then mine billions of blocks into the future since no proof of work is required, and new users would not be able to tell that the blockchain with billions of blocks more is illegitimate. This can generally be solved with timestamping, but special corner cases do tend to appear in over-complicated designs.
To give an example of what simulating a PoS blockchain would look like: Suppose initially all coins are owned by a single user, say, Justin. So in block 1, Justin owns all coins. In block 2, he might transfer some of his coins to Natalie. In block 3, Natalie transfers some of her coins to Vincent. And so on. Perhaps at block 100,000, Justin no longer has his coins.
Now suppose an attacker obtains Justin's old key. Now he can simulate the whole blockchain: he can make his own version of block 2, where he will transfer money to Natalie2 -- a new fake account he created. He can do this process for the whole blockchain, and he will own all the coins on the fake blockchain.
Now the problem is, it's impossible to say which blockchain is fake; they are identical aside from keys/signatures. To tell which one is real, you need to have followed from the beginning. So hypothetically, someone or group of people could buy up 51 percent of the coins. Sell the coins and the simulate the whole blockchain again, essentially forking it into two identical versions. But it's going to fool only users who were not continuously connected to the blockchain.
In other words, pure PoS doesn't actually solve the byzantine generals problem for anyone who wasn't present when the blockchain began. Instead it requires a trusted source for the initial blockchain data. It requires users to solve the trust problem some other way to be able to bootstrap a node. Hence, it doesn't qualify as being trustless.
Thus PoS needs to rely on subjectivity: you need some point of reference outside of the protocol when you join the system, meaning you need not just code, but also data on some recent blocks, e.g. few month or years ago. PoW on the other hand is objective, in that you can simply look at which blockchain has the most proof of work to determine the correct chain.
Certain forms of PoS also includes a problem where real world resources can be consumed to find an advantage in the PoS protocol. An example of such an attack is "Stake grinding": a class of attack where a miner (termed "validator" in PoS) performs some computation or takes some other step to try to bias the randomness of forge selection in their own favor. For example:
- In Peercoin, a validator could "grind" through many combinations of parameters and find favorable parameters that would increase the probability of their coins generating a valid block.
- In one now-defunct implementation, the randomness for block N+1 was dependent on the signature of block N. This allowed a validator to repeatedly produce new signatures until they found one that allowed them to get the next block, thereby seizing control of the system forever.
- In NXT, the randomness for block N+1 is dependent on the validator that creates block N. This allows a validator to manipulate the randomness by simply skipping an opportunity to create a block. This carries an opportunity cost equal to the block reward, but sometimes the new random seed would give the validator an above-average number of blocks over the next few dozen blocks. See here for a more detailed analysis.
What this means is that certain forms of PoS are reducible to inelegant PoW. The consensus can be exploited by someone willing to actually spend the resources. If there are PoW attacks that can be carried out on PoS chains, then the ideology behind PoS doesn't hold, and the so called "PoS" breaks down to inelegant PoW. With PoW, "problems" like ASICboost, which boosts mining productivity by 20%, self correct. Once the "problem" is discovered, it now behooves every miner to use ASICboost. But with the way that Bitcoin scales to match hash power, if every miner uses ASICboost to boost their hashing productivity by 20%, the Bitcoin network will scale its difficulty to match, making sure that anyone who exploited the advantage to make money will have their advantage reverted to the mean. This sort of self-healing isn't possible in PoS unless we concede that PoS is indeed reducible to inelegant PoW. And if that's true, then that means that PoS will have exactly the same real-world costs as PoW, without the transparency that exists in a simple PoW scheme like Bitcoin's.
Ethereum's Casper Protocol: A Solution to Proof of Stake's Problems
Ethereum is moving towards PoS under its new "Casper" protocol. Casper is a security-deposit based economic consensus protocol. This means that nodes, so called "bonded validators", have to place a security deposit (an action Ethereum calls "bonding") in order to serve the consensus by producing blocks. The protocol's direct control of these security deposits is the primary way in which Casper affects the incentives of validators. Specifically, if a validator produces anything that Casper considers "invalid", their deposit are forfeited along with the privilege of participating in the consensus process. The use of security deposits addresses the "nothing at stake" problem; that behaving badly is not expensive. There is something at stake, and bonded validators who misbehave in an objectively verifiable manner will lose their stake.
Very notably, a validator's signature is only economically meaningful so long as that validator currently has a deposit. This means that clients can only rely on signatures from validators that they know are currently bonded. Therefore, when clients receive and authenticate the state of the consensus, their authentication chain ends in the list of currently-bonded validators. In proof-of-work consensus, on the other hand, the authentication chain ends in the genesis block - as long as you know the genesis block you can authenticate the consensus. Here, as long as you know the set of currently-bonded validators, you can authenticate the consensus. A client who does not know the list of currently bonded validators must authenticate this list out-of-band. This restriction on the way in which the consensus is authenticated solves the "long range attack" problem by requiring that everyone authenticate the consensus against current information.
The validator list changes over time as validators place deposits, lose their deposits, unbond, and get unbonded. Therefore, if clients are offline for too long, their validator list will no longer be current enough to authenticate the consensus. In the case that they are online sufficiently often to observe the validator set rotating, however, clients are able to securely update their validator list. Even in this case, clients must begin with an up to date list of currently bonded validators, and therefore they must authenticate this list out-of-band at least once.
This "out-of-band authentication only necessarily once" property is what Vitalik Buterin, Ethereum's creator, calls weak subjectivity. In this context information is said to be "objective" (like in Bitcoin) if it can be verified in a protocol-defined manner, while it is "subjective" if it must be authenticated via extra-protocol means. In weakly subjective consensus protocols, the fork-choice rule is stateful, and clients must initialize (and possibly sometimes renew) the information that their fork-choice rule uses to authenticate the consensus. In Ethereum's case, this entails identifying the currently bonded validators.
To give an analogy to what is happening behind the scenes, Casper makes validators "bet" a large part of their security deposits on how the consensus process will turn out. Moreover, the consensus process "turns out" in the manner in which they bet: validators are made to bet their deposits on how they expect everyone else to be betting their deposits. If they bet correctly, they earn their deposit back with transaction fees and possibly token issuance upon it - if on the other hand they do not quickly agree, they re-earn less of their deposit. Therefore through iterated rounds of betting, validator bets converge.
Moreover, if validators change their bets too dramatically, for example by voting with a high probability on one block after voting with a very high probability on another, then they are severely punished. This guarantees that validators bet with very high probabilities only when they are confident that the other validators will also produce high probability bets. Through this mechanism we guarantee that their bets never converge to a second value after converging upon a first, as long as there there is sufficient validator participation.
To continue the analogy, PoW protocol is also a betting scheme: miners bet that their block will be part of the longest chain. If they eventually prove to be correct, they receive tokens, whereas if they prove to be incorrect, they incur electricity costs without compensation. Consensus is secured as long as all miners are betting their hashing power on the same chain, making it the blockchain with the most work, as a direct result of and as preempted by their coordinated betting. The economic cost of these PoW bets add up linearly in the number of confirmations (generations of descendant blocks), while, in Casper, validators can coordinate placing exponentially growing portions of their security deposits against blocks, thereby achieving maximum security very quickly.
The change from PoW to the new Casper PoS protocol promises a bright outlook for the long term future of Ethereum, especially compared to with its current PoW protocol. Ethereum Casper eliminates the shortcomings of traditional PoS, while reaping in the advantages that PoS provides over PoW.
With a successful implementation, expect to see an according increase in Ethereum's valuation. If all goes as planned, such changes could reign in a new standard for cryptocurrency protocol, with Ethereum at the forefront.
This is not to say that Bitcoin (which still runs PoW) and Ethereum are mutually exclusive: One does not have to fail in order for the other to succeed. However, the success of Casper could initiate a paradigm shift in the design of cryptocurrencies in the future, where PoS protocol becomes more widely adopted.
As always, cryptocurrencies are inherently an extremely risky asset class, yet an investor must always consider his or her options in planning the risk-reward profile of his or her portfolio and evaluate if taking on the according risk-reward of cryptocurrency is appropriate for his or her goals.
I encourage further reading on Casper from these links to Ethereum's Github:
Disclosure: I am/we are long BTC, ETH. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.