In 2009, Nakamoto proposed bitcoin, which kicked off the blockchain era. The PoW protocol in Bitcoin provides a new direction for research on how to reach consensus on large-scale networks. Although in the past decade, the PoW protocol has been maintaining the stable operation of the blockchain system, the problems of PoW e.g energy waste and power concentration are obvious. To solve these problems, a series of PoS protocols have been proposed. Currently, most of PoS protocols are variant of the traditional Byzantine Fault Tolerant (BFT) protocol, and the participants in the protocols are often only tens or even dozens, which completely loses the core spirit of the blockchain — decentralization. Decentralization is the “1” in blockchain, others are the “0”s following the “1”.
After a long period of thinking, we gradually find out what kind of consensus protocol to be made: 1) PoS protocol, the problems of PoW is our determination to make a PoS protocol; 2) a permissionless consensus protocol for a large-scale network with participants. Decentralization is the soul of the blockchain, and can never be relegated to the end.
The PoS protocol currently available is full of enthusiasm, but most of them are only a crude imitation of PBFT (Byzantine fault tolerance available). In the traditional consensus protocol such as PBFT, due to the interaction between nodes, the communication volume in the system is very large. Therefore the number of participants is very limited (no more than 100 nodes). So it is difficult to support large-scale networks, and decentralization of blockchain cannot be guaranteed. Therefore, from the beginning, we abandoned the BFT class consensus protocols, but hope to build a competitive PoS protocol by simulating PoW.
We first briefly review Nakamoto’s design idea. The miner in bitcoin attempts to find a valid puzzle solution nonce which can satisfy the following hash inequality:
Where Bpre denotes the latest block of the longest chain in miner’s view; payload denotes the set of valid transactions to be included in the new block; coinbase denotes the address of miner which used to receive reward of mining; and T denotes the target of proof-of-work puzzle difficulty (which specifies how difficult to identify a puzzle solution by making a hash query attempt). Miner solves the inequality by changing payload and coinbase. Therefore, the competition between miners is the number of hash function calculations per second (competition of computing power). To transform the competition based on computing power into the competition based on stake, the following properties should be met: 1) The miner can’t change the field of the inequality at will. If the miner can change the filed of inequality at will, to generate a new block, the rational miner will change the field content constantly to solve the inequality, which returns to the competition of computing power. 2) The miner needs to change the field content of inequality slowly with a certain rule; 3) The difficulty of finding the solution of hash inequality is directly proportional to the stakes owned by the miner.
To satisfy property 1, we remove the mutable field payload and nonce. To satisfy property 2, we introduce a new filed r which denotes current time. For simplicity, assume the uint of r is second. Now, inequality is:
In inequality 2, miners can calculate the hash function once a time per second. In order to ensure r is the time the miner solved the inequality, the r should : 1) larger than the r of Bpre; 2) when a miner N receives a new block Bᵢ, the current time of N can’t be advance of r in Bᵢ.
Here we introduce an assumption of synchronization: the miners in the system have the same local clock, but the assumption of synchronization of iChing is much weaker than others PoS protocol and the assumption can be achieved by NTP (Network Time Protocol).
In the above description, for simplicity, we describe our protocol in the “flat” model, where all miners are assumed to hold the same number of stakes. In reality, player s have different amounts of stake. To satisfy property 3, consider a miner Mᵢ holding vᵢ number of stakes, we adjust our inequality to:
For any miner, the probability of generating a block in some round r is directly proportional to the stakes he holds.
Note that, the resources miners hold in PoW protocol are computing power, and computing resources are holden by miners locally. Therefore the filed coinbase is only used to announce the address of miner to receive the reward of mining. That means the resources holden by miners are departed from their addresses. However, in PoS protocol, the resources holden by miners are stakes, which are tightly bound with miners’ addresses. So we should no only announce an address to receive rewards of mining, but also a digital signature to prove the ownership of the account. Otherwise, an adversary can generate a new block easily by trying different addresses (with mounts of stakes) in inequality. In this way, the adversary can destroy the blockchain system effortlessly. To prove miners’ identity, we introduce a signature filed in the inequality, which is the signature on the new block generated by the miner with his private key sk. We note that the general signature scheme isn’t deterministic, which means for the same content, the result of each signature is different. This violates property 1(miner can sign constantly to try to solve nequalities). Therefore, we use the unique signature scheme in the process of mining. Now, we get the final inequality:
Where, PK denotes the public key of the unique signature scheme holden by the miner, σ denotes the unique signature on the new block generated by the miner.
In order to construct a hash inequality applied to PoS protocol, we eliminate the block payload (e.g., transactions). Now we show how to add transactions back. For simplicity we define some notations first:
In iChing miner generate a core block by solving inequality and then create a corresponding data block to add transactions back. As following:
Remark that, in PoW protocol, when a core block B is generated the transactions in it is determined. While in iChing the transactions are added to the blockchain after the generation of core block. There is a question: can miners reduce the security of the system by choosing special transactions? Our answer is : iChing is as safe as the PoW protocol in this respect. In the PoW protocol, the miner also can choose transactions at will, which doesn’t affect the probability of solving the hash inequality. As a result,
adding transactions back doesn’t reduce the security of iChing (the security of iChing is the same as PoW protocol in this respect).
In iChing, there are two pairs of keys. One of them is a pair of keys of the general signature scheme, which used to send transactions, deploy and call contracts. It is responding to an account in the system. The other is a pair of keys of the unique signature scheme, which is used to mine block. Miners should register their a pair of keys for mining in the system. In the above condition, there is such kind of attack: An adversary A receives a block B in r round. Then adversary A try different pairs of keys of the unique signature scheme locally until find the pair of keys (SK,PK) which satisfies the inequality. The adversary A registers (SK,PK) into the system and generates a new block. In this way, an adversary tries different pairs of keys locally to generate blocks, which destroys the security of the system. To address this problem, we introduce new ideas to iChing: consider a block Bᵢ, the public key in it must be registered m blocks earlier. Because miners can’t know the content Bᵢ₋₁ of when Bᵢ₋m was generated. Therefore, an adversary can’t generate blocks with a higher probability by trying different pairs of keys for mining.