What Do You Want in Proof.

There’s a persistent rumor in Dogecoin development over the past couple of years, namely that there may one day be a transition from Proof of Work to Proof of Stake.

As a core Dogecoin developer let me first say that there are currently no concrete plans or proposals to change from Dogecoin’s existing Proof of Work implementation. As of this writing in October 2022, I see no reason to believe any prediction that this will ever happen or that there is a date by which it may happen. It’s irresponsible to suggest otherwise; if such a thing were to happen, the core developers should know about it and the core developers should be transparent and direct about it.

Let that ease your mind.

With that said, I believe it’s entirely responsible to consider if the system we have could be improved, especially in a future where we want more people to participate in the community, more transactions to provide more utility, and may have to deal with additional pressures with regard to technology, regulation, and threats.

In other words, “No, not now” doesn’t necessarily mean “Not ever”, but it also doesn’t have to mean that Proof of Work will eventually be replaced by Proof of Stake or anything else.

What it does mean is that we should consider changes… if they align with our values.

First, we need to talk about our values.

Trust the Network, but Trust No One

Suppose I wrote “I’m Satoshi’s nephew and I hold a few million Bitcoin, but more importantly, I hold a couple of hundred billion Dogecoin, and I’ll sell them for 40% off the current price”. (I’m not and I don’t so I can’t. It’s hypothetical.)

That’d be pretty cool, if it were true. (It’s not true.) You could buy as much as you want at a discount and I could raise a few billion dollars.

Eventually you’d want me to prove my claims somehow. Otherwise any joker in the world could make those claims and some people would fall for it. (This scam is so common it has its own name: crypto token.)

Eventually I’ll have to put up or shut up, so to prove my Dogecoin holding, I need to demonstrate that I have the private key or keys associated with one or more wallets that hold unspent transactions of the hundreds of billions of Dogecoin I claimed.

I can make any transaction I want and publish it to the Dogecoin network and point you at it, but you should believe it only after multiple other nodes confirm that transaction. Let other people and computers validate my truth claim. Either the transaction I create with my secret key is valid (proves I have the other half of the key representing the wallet address) and I have the unspent fund in that wallet or not.

Think about all of the things that have to happen here.

I need to prove that I have a private key that corresponds to a public key. When I create a transaction, I perform a little math game to prove this, and you can verify it by using the public key.

I need to prove that I have the funds available to fulfill the transaction. If you’ve verified my little math game, you should also be able to look at the entire history of the Dogecoin I claim this wallet contains to prove that they didn’t come from nowhere and they’re still where they say they should be and that there are enough of them to do what I want to do with them.

That’s a lot of trust.

I hope you can see why that’s all important. At any step, I could be lying about something small or large. You shouldn’t have to trust me just because I have a cool domain name and a nerdy blog and make puns on Twitter and have fixed a few bugs, added a couple of features, reviewed some code, and helped wrangle a few Dogecoin Core releases.

You should trust me because, at every step, I give you and the rest of the Dogecoin network the ability to verify my claims.

The same goes for every other person performing every other transaction on the network. We’re all equal.

I think this gives us a couple of values.

First, openness is essential. We trust each other because we have mechanisms that let us trust each other.

Second, we reject bad actions. If you can’t verify a transaction, you should reject it.

Third, everyone is an equal participant. Even if you trust me, you should reject a transaction that claims to be from me (or is from me) if you can’t validate it. No matter if Galactic President Zaphod Beeblebrox himself claims out of both mouths that my bad transaction is good, you have the power to reject it if you can’t validate it.

Those seem useful. How do they fit with Proof mechanisms?

Proving Our Values

I alluded to one enforcement mechanism earlier: the asymmetric public/private key signing mechanism that gives you the ability to verify that I have the private key corresponding to a public address. We collectively believe this mechanism works because hard-working cryptographers have analyzed the math behind it and know of no way currently to break the trust in this approach.

Please note that I’m going to talk about Proof mechanisms in vague, high-level, hand-waving terms: not because I don’t want to talk about the details, but because I don’t want to get lost in the details while thinking about what we want. We can’t accept, reject, or modify these systems until we have a shared set of values and outcomes and a common way of talking about what’s important. That’s what I’m trying to provide here: a way to have this conversation.

If someday we discover a way to break the trust (computers get fast enough, computers get quantum enough, someone finds a good way to tell if an elliptic key is an odd or even multiple of the starting value), we’ll have to migrate to a different system.

We should think about what that looks like, but that doesn’t mean we have to abandon Proof of Work.

Another enforcement mechanism is the blockchain itself: the distributed ledger of all accepted transactions from the beginning of time, B1CE (blockheight 1, Coinbase Era, but don’t make me explain the joke).

With the blockchain, we have a way to ask “what is true” at any point in time since B1CE: we examine the blockchain ourselves and verify it against the network.

If, at some point, someone discovers the ability to spoof the network, we’ll have to migrate to a different system.

If you’ve been around for a little bit, you’ve probably already heard of a 51% attack, which means that, unless you have a pristine, artisanal copy of the blockchain you’ve been curating by hand since the first coinbase block, you’re going to rely on other nodes in the network to get an accurate history of all transactions.

If someone can get a majority of those nodes to serve up an alternate history, that alternate history has a chance of replacing actual history.

You could get a majority of nodes to do what you want in one of two ways. First, get a majority of nodes under your control (buy and run more, take over existing nodes, bribe node runners, inject your history via some flaw in their systems, use the Major League Baseball spy satellite to change the bits on their hard drives from space). Second, reduce the number of nodes on the network that you don’t control (crash their machines, take a backhoe to their network connections, burn down their data centers, use the Major League Baseball spy satellites to send an EMP pulse to their apartments).

You can’t tell if any single actor on the network is trustworthy or unreliable from a single datapoint: what they say about themselves. You have to trust the network as a whole.

If someone discovers a way to fragment the network or take it over, we have to migrate to a new system.

Intuitively, our values offer us a mechanism to avoid this flaw: make it easier for more people to participate.

Better Than Participation Trophies

If there are five Dogecoin nodes on the network, and I run two of them and my uncle runs another and you run one more and some shibe in South Korea runs the last one, all I have to do to scam you and our friend in South Korea is conspire with my uncle (with or without his knowledge) to control 60% of the network and rewrite history in my favor.

If there are five thousand Dogecoin nodes on the network run by four thousand unique people, I have to conspire with a couple of thousand people to do bad things. That thought makes me tired, so tired I can barely even finish typing this sentence.

One way to protect our network is to make our network bigger, not just in the number of nodes running, but in the number of unique people running nodes.

If “everyone is an equal participant” is a value we have (and I hope it is), that means we should work hard to ensure that all sorts of people can run nodes in all sorts of situations: supercomputers, mining rigs, laptops, desktops, virtual servers in the cloud, NOCs, recycled smartphones, berry-themed single-board computers, et cetera.

We’re doing a pretty good job of that, but we could be doing a better job of it.

In theory, Proof of Work is a democratic way to ensure that everyone has a chance of getting rewards for mining a block (validating transactions and moving them through the system): as far as we know, the only way to solve the math puzzle required to mine a block is to pick random numbers and check whether they solve it.

The problem with that is that the more random numbers you can evaluate in a given period of time, the more likely you are to find a winning number.

In other words, Proof of Work tends to reward people who can afford to run more/faster hardware to mine blocks more than people who run less/slower hardware, at least in the long run. This isn’t ideal, but it has some good and bad tradeoffs.
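The puzzle described in the last few paragraphs, and the “alternate history” from the 51% discussion above, as an added example that is not from the original post or from Dogecoin Core: a toy proof-of-work miner that tries nonces against a target, a validator that recomputes every hash in a chain, and the heaviest-valid-chain rule a node uses to choose between two competing histories. Plain double SHA-256 stands in for Dogecoin’s actual scrypt puzzle, and the block layout, the `target_from_bits` convention and the function names are constructed for illustration.

```python
import hashlib

def block_hash(prev_hash, data, nonce):
    """Double SHA-256 of the toy header (stand-in for Dogecoin's scrypt hash)."""
    raw = f"{prev_hash}|{data}|{nonce}".encode()
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()

def target_from_bits(zero_bits):
    """A block is valid when its hash, read as a 256-bit integer, is below the target."""
    return 1 << (256 - zero_bits)

def meets_target(h, target):
    return int.from_bytes(h, "big") < target

def mine(prev_hash, data, target, max_nonce=1 << 32):
    """Try nonces in order. Each try is an independent lottery ticket with odds
    target / 2**256, so whoever evaluates more nonces per second finds more blocks."""
    for nonce in range(max_nonce):
        h = block_hash(prev_hash, data, nonce)
        if meets_target(h, target):
            return nonce, h.hex()
    raise RuntimeError("nonce space exhausted")

def block_work(target):
    """Expected hashes needed for one block at this target: 2**256 / (target + 1)."""
    return (1 << 256) // (target + 1)

def chain_work(chain):
    return sum(block_work(b["target"]) for b in chain)

def valid_chain(chain, genesis_hash):
    """Recompute every hash from genesis; a rewritten block breaks every link after it."""
    prev = genesis_hash
    for b in chain:
        h = block_hash(prev, b["data"], b["nonce"])
        if h.hex() != b["hash"] or not meets_target(h, b["target"]):
            return False
        prev = b["hash"]
    return True

def build_chain(start_hash, payloads, target):
    chain, prev = [], start_hash
    for data in payloads:
        nonce, h = mine(prev, data, target)
        chain.append({"data": data, "nonce": nonce, "target": target, "hash": h})
        prev = h
    return chain

def choose_chain(a, b, genesis_hash):
    """Heaviest-valid-chain rule: a node keeps whichever valid history embodies more
    work. Replacing history therefore means out-working the rest of the network."""
    candidates = [c for c in (a, b) if valid_chain(c, genesis_hash)]
    return max(candidates, key=chain_work) if candidates else None

def expected_block_share(hashrates):
    """Long-run fraction of blocks each miner finds is its share of total hash rate."""
    total = sum(hashrates.values())
    return {name: rate / total for name, rate in hashrates.items()}

def demo():
    genesis = "00" * 32                      # constructed genesis hash
    target = target_from_bits(12)            # ~4096 hashes per block, fast enough for a demo
    honest = build_chain(genesis, ["h1", "h2", "h3"], target)
    rival = build_chain(genesis, ["r1", "r2"], target)
    rival_long = rival + build_chain(rival[-1]["hash"], ["r3", "r4"], target)
    tampered = [dict(b) for b in honest]
    tampered[1]["data"] = "h2-rewritten"     # edit history without redoing the work
    return {
        "honest_beats_shorter_rival": choose_chain(honest, rival, genesis) is honest,
        "heavier_rival_wins": choose_chain(honest, rival_long, genesis) is rival_long,
        "tampered_chain_valid": valid_chain(tampered, genesis),
        "share": expected_block_share({"mining rig": 9, "single-board computer": 1}),
    }

if __name__ == "__main__":
    print(demo())
```

The `share` entry is the whole of the “more/faster hardware” point in one line: a miner with nine tenths of the hash rate finds nine tenths of the blocks on average, and nothing in the puzzle cares who the miner is.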

A Sidebar about Mining

We want to process transactions quickly (you don’t want to pay for a scone in a coffee shop with Dogecoin and wait 10 minutes for the transaction to settle before you get to eat it), so when the network has the ability to solve these math puzzles quickly, it’s good for the network as a whole, which is good for utility, which is good for the community.

We also want lots of nodes and miners validating and processing transactions, because that makes the network resist bad actors and bad actions better.

I think we want some validation mechanism that requires a little bit of work, because that adds unpredictability to the system and it means that everyone who participates in mining blocks has a chance of getting rewards. Otherwise fewer people will participate because of the time and effort and expense of running hardware and software to mine blocks.

(This is also one of several reasons why setting an artificial cap on supply works against our best interests: we think we’ll have fewer miners if there are no mining rewards.)

If, however, mining is only feasible to 10% of the nodes in the system, that means any attack I want to make needs less coordination, luck, and effort than if all of the nodes in the system could participate equally. In computer science terms, I’d like the safety, security, and trustworthiness of the network to scale at least linearly (and more ideally, exponentially) with the number of nodes in the network, not just the number of nodes that can mine efficiently.

If I can control 51% of the miners in the network, I can drop transactions I don’t like, prioritize transactions I do, and possibly force through transactions no one else approves of.

Ideally we want a mining mechanism that doesn’t reward only the richest actors in a system.

Values in Practice

We want our transactions processed quickly.

We want to validate good actions and invalidate bad actions.

We want to let as many people participate as can do so, following our values and rules.

Where do we go from here?

Proof of Work has the drawback that people with lots of hardware power can get more rewards. You might as well not try to mine Dogecoin on a Raspberry Pi because the odds of you finding an answer to the math riddle required to mine a block are stacked against you.

That’s contrary to our value of participation, but it serves the purpose of helping us process transactions quickly.

We should consider threats against that approach and improvements to that approach, and we should not consider different approaches that are generally worse.

Proof of Stake, as I’ve seen it proposed, emphasizes mining power less and spreads rewards more evenly, with a big asterisk: depending on who can participate, the more coins you hold, the more likely you are to get a reward for holding coins. Furthermore, I’m not sure of the right way to design a mechanism that has the potential to increase our transaction rate.

What if there are other mechanisms we can consider?

They have to be consistent with our values, first off. We should continue to reward miners, but perhaps we should find a way to let more nodes mine effectively. We should continue to validate transactions, but perhaps we should find a way to let smaller hardware do so efficiently. We should let multiple implementations of hardware/software interact on the network (you don’t have to use Dogecoin Core), but we should be able to trust them all.

Values in Practice in Practice

This doesn’t even take into account the practical matter that migrating to a new or improved system should not break the network.

If there’s what software developers call a Flag Day, when the old system gets turned off and the new system gets turned on (whoops, wrote that in the “wrong” order, because I’ve seen a few of these), we have a big problem where we might lose our history.

Our history is how we prove where we are today.

Think about what would happen if I claimed a transaction in 2014 that you can’t find in 2233 when we switch to a new scheme should be honored even if no one can quite prove it conclusively. This will end in tears for someone, maybe even manyones.

The ideal way to migrate to a new system is in small, gradual steps, so one day everyone wakes up and realizes that the old system is gone and no one is using it and everyone is using the new one.

The more we think about what the future might hold and the things we want to see in the future and what we value now and will value in the future, the more advance notice I hope we will have if and when we want to make changes to how we prove things. I think this will give us a better chance to migrate well.

Not perfectly, but well.

We don’t know all of the threats to the network that the future might hold, but we can imagine those that threaten our values. We should imagine those that threaten our values, and then think about ways to work around or avoid those threats.

Above all, we need to consider the tradeoffs we make. Proof of Work isn’t perfect, and I hope we can find improvements regardless of whether it’s the hundred-year solution, but right now it’s what we have for very good reasons.

Any replacement should be better and should not compromise on our values.