Sunday, February 5, 2023

Proof of Stake: Strategy, focus, and next steps

As we described in our initial blog post on Proof-of-Stake Research, we’re releasing updates to the Zcash community as we go.

In this post we describe the major technical research areas we intend to focus on moving forward. We’ll go over a number of topics, including these focus areas, our approach, and next steps. We’ll adjust throughout the process as we discover new needs.

As the cryptocurrency ecosystem continues to evolve, it’s important to understand how ZEC might be best suited to find its niche in the overall market. The core of this research is to improve the overall user experience, and broader use case, for Zcash and ZEC.


With ECC’s North Star and research goals in mind, we’re adopting this broad approach to developing a successful proposal:

This status update is focused on an initial technical research phase as part of a comprehensive go-to-market process. The broader process has these components:

  1. Requirements definition to establish specific goals for a PoS transition proposal
  2. Market research to identify the target market, user needs, and market landscape
  3. Technical research to identify the range of feasible technical designs
  4. Engineering R&D to develop a concrete design and deployment roadmap
  5. Zcash proposal (with a specific choice) to present to the Zcash community
  6. Go-to-market execution, for an accepted proposal, to deliver usable and valuable products to users

In practice, the first three components are interleaved: as we explore technical designs and learn more from market research, we’ll refine our requirements, which may require further technical and market research. We’ll iterate on these three efforts until we develop high confidence that we have the best requirements.

The technical research process has three main components:

Protocol survey

First, we’ll focus on researching existing proof-of-stake (PoS) protocols to understand trade-offs and risks. From there, we’ll select our preferred candidate, using our vision for ZEC and Zcash to guide our choice of trade-offs. We’ll share this comparative analysis and our preferred candidate protocol early in our research process to get review and feedback from the broader community.

Our preferences: We have a strong bias toward protocols that have significant pre-existing deployments that have matured and hardened in the market, as well as strong theoretical underpinnings. Protocols that have both of these characteristics present the least possible risk for this emerging technology.

Zcash specialization

Second, with a preferred protocol candidate in hand, we’ll carefully examine which design aspects may need customization or alteration to support ZEC. We’ll specifically consider usability, safety, privacy, and monetary policy constraints that serve ZEC’s strengths.

Our preferences: We maintain a security and technical strategy that minimizes changes or innovations, and we strongly prefer to use proven designs as much as possible. The ideal candidate would require no changes. As stated in our research goals, our aim is to target a minimal viable protocol, with the assumption of future improvements, rather than aim to include all valuable potential Zcash specializations up-front.

Transition plan

Finally, after developing a proposal for this minimally customized candidate PoS protocol, we’ll develop a more comprehensive proposal, including a transition plan, for safely migrating Zcash from its current proof-of-work (PoW) network to the new target PoS protocol. The transition plan is likely to require significant effort, and there are a number of feasible approaches. We intend to present several possibilities earlier in the research process to get community input on their trade-offs.

Our preferences: We prefer to select an ideal target protocol independent of developing a transition plan to that protocol. If we find the transition plan introduces new constraints or requirements on the target protocol, we’ll refine the target protocol requirements later in the process.


Given our goals and approach, we’ve currently identified a number of major areas of technical research for the protocol survey and Zcash specialization phases. These research areas don’t yet focus on the transition plan. We’ll turn our attention to the transition plan as other areas, and broader market research and requirements, become clearer.

A high priority for our technical research is to consider shielded wallet usability and security, especially for mobile devices. We don’t anticipate the consensus protocol to directly impact shielded storage and transfer functionality or usability. Beyond that, participants in a PoS protocol may also contribute ZEC to staking bonds, validate blocks, propose blocks, and select blocks.

The interaction between the shielded pool and staking is a crucial interface of the design. Staked capital must be in bonds visible to the protocol in order to select block producers and potentially slash for misbehavior. A plausible simple design for this interface would be to support single-use bond positions with a public amount and no associated addresses. These can only be funded from, or withdrawn to, the shielded pool.

In this simpler design, block producers are likely to operate using the target PoS protocol mechanics with minimal Zcash customization.

Our preferences:

  • We prefer to enable any number of shielded mobile wallet users to delegate ZEC to staking bonds with a first-class user experience.
  • We prefer the plausible, simple integration between stake delegation and the shielded pool described above for the initial PoS protocol.

A key pillar of our vision for ZEC’s value in Web3 is to enable interoperability between the Zcash blockchain and any number of other blockchains.

Our preferences:

  1. We prefer protocol interoperability solutions with the best balance of current and future potential reach against complexity. For example, interoperability with Bitcoin may have the largest current reach in terms of market capitalization, yet interoperability with the Cosmos ecosystem may have more reach with lower complexity.
  2. To that end, we have a preference for a protocol with finality, as described below in the Dynamic availability vs finality section.
  3. We prefer to target existing, standard cross-chain mechanisms without requiring privacy innovations. We prefer to design the interface between the shielded pool and cross-chain mechanisms similarly to our preference for the interface between the shielded pool and stake delegation.

While we strongly prefer protocols that are proven through real-world production hardening, we additionally require a strong theoretical foundation.

Incentives and resource cost security

A core concept in security arguments for cryptocurrency protocols is incentive alignment: if it’s in the best interest of independent block producers to follow reinforcing consensus rules, the protocol should be robust against deviations (aka attacks). This is an important departure from earlier work in Byzantine consensus protocols, which typically only distinguished between “honest” or altruistic nodes versus malicious nodes.

If security relies on incentives, then the feasibility of an attack depends on the payoff given the cost. So, for example, a proof-of-work attacker with a tiny fraction of mining capacity is unlikely to execute a long rollback within some window. However, as an attacker’s resources scale up, their ability to successfully execute attacks improves (despite the larger cost of the attack).

So, arguments for security in cryptocurrency consensus analyses often rely on the cost to maliciously control a key resource: hashpower for proof-of-work and staked tokens for proof-of-stake. Sites like crypto51.app provide cost estimates for 51 percent attacks against PoW chains, which exemplifies this mode of reasoning about security.

In Ethereum 2.0 Economic Review by Hoban & Borgers, the authors compare the estimated 51 percent attack cost against ETH1 (PoW) to the cost of controlling sufficient validators for a safety attack against ETH2 (PoS) as a heuristic to determine whether the newer protocol is as safe as the earlier protocol.

Our preference: We believe the “attack cost comparison” used in the Hoban & Borgers paper is one useful guideline in analyzing the safety of a transition from PoW to PoS, as long as we exercise caution in not relying too heavily on this single heuristic.

A key safety mechanism in PoS protocols is an “unbonding period” during which a staker cannot access their staked funds without some delay. This delay underpins security guarantees, for example, by ensuring a bond may be slashed some time after a slashable behavior occurs.

Our preference: We don’t anticipate deviating from an existing candidate protocol’s design for unbonding period length, while ensuring it’s tuned to a conservative value for our security requirements.
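The role of the unbonding delay can be seen in a toy model, added here as an illustration and not taken from ECC or from any candidate protocol. The block heights, the 5% penalty (`slash_bps`), the stake size and every class and function name are assumptions; the model compares an unbonding period shorter and longer than the time it takes evidence of misbehavior to reach the chain.

```python
from dataclasses import dataclass
from typing import Optional


class BondError(Exception):
    """Raised when a bond operation violates the model's rules."""


@dataclass
class Bond:
    amount: int                                # public bonded amount (constructed units)
    unbond_requested_at: Optional[int] = None  # block height of the unbond request
    withdrawn: bool = False


class BondLedger:
    """Hypothetical ledger for one bond; all heights are block heights."""

    def __init__(self, unbonding_period: int, slash_bps: int):
        self.unbonding_period = unbonding_period  # assumed parameter, in blocks
        self.slash_bps = slash_bps                # assumed penalty, in basis points
        self.burned = 0

    def request_unbond(self, bond: Bond, height: int) -> None:
        if bond.withdrawn or bond.unbond_requested_at is not None:
            raise BondError("bond is not in the bonded state")
        bond.unbond_requested_at = height

    def withdraw(self, bond: Bond, height: int) -> int:
        if bond.withdrawn or bond.unbond_requested_at is None:
            raise BondError("unbonding was not requested")
        if height < bond.unbond_requested_at + self.unbonding_period:
            raise BondError("unbonding period has not elapsed")
        bond.withdrawn = True
        paid, bond.amount = bond.amount, 0
        return paid

    def slash(self, bond: Bond, offence_height: int) -> int:
        """Penalise an offence committed while the bond was still active.
        Returns the amount burned; 0 means the stake was already out of reach."""
        requested = bond.unbond_requested_at
        if requested is not None and offence_height > requested:
            raise BondError("offence postdates the unbond request")
        if bond.withdrawn:
            return 0
        penalty = bond.amount * self.slash_bps // 10_000
        bond.amount -= penalty
        self.burned += penalty
        return penalty


def misbehave_then_exit(unbonding_period: int, detection_delay: int,
                        stake: int = 1_000_000, slash_bps: int = 500) -> dict:
    """A validator offends at height 100, requests unbonding in the same block
    and withdraws as early as the ledger allows. Evidence of the offence is
    included detection_delay blocks later. A tie is resolved in the
    validator's favour, which is the worst case for the protocol."""
    ledger = BondLedger(unbonding_period, slash_bps)
    bond = Bond(amount=stake)
    offence = 100
    ledger.request_unbond(bond, offence)
    evidence_height = offence + detection_delay
    earliest_exit = offence + unbonding_period
    if earliest_exit <= evidence_height:
        paid = ledger.withdraw(bond, earliest_exit)   # funds leave first
        slashed = ledger.slash(bond, offence)         # nothing left to burn
    else:
        slashed = ledger.slash(bond, offence)         # evidence lands first
        paid = ledger.withdraw(bond, earliest_exit)
    return {"slashed": slashed, "paid_out": paid}


if __name__ == "__main__":
    print("period 50, detection 200:", misbehave_then_exit(50, 200))
    print("period 300, detection 200:", misbehave_then_exit(300, 200))
```

The penalty is only enforceable in the second run, which is why a conservative unbonding period has to exceed the worst-case delay before evidence is accepted on chain.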

Wrinkles in incentive space

While the notion of relying on participants to follow incentives seems reasonable, we’re aware of three big risks in the “cost of resource” attack reasoning from the last section:

  • Attack costs may be overestimated
  • Pay-offs may be underestimated
  • Or more generally, real incentives for participants may not be correctly modeled

Attack costs can be overestimated in the simple “cost of consensus resource” security model due to financial mechanisms, as well as combined attack modalities. For example, Why buy when you can rent? explores how an attacker can use “bribery” to gain temporary control of PoW mining capacity to execute an attack, without incurring the larger and long-term capital cost of acquiring the mining equipment. The same case could occur in PoS if, for example, an attacker acquires staking capital through a financial mechanism that lowers their direct cost.

Pay-offs may be underestimated, especially because the attack-cost models tend to ignore payoffs altogether. If an attack costs the equivalent of $X billion USD, that may seem reassuring, but what if an attack can net $10X billion in proceeds?

Finally, these two concerns are more specific cases of the real incentives of participants being incorrectly modeled. On this more general point, evolving real-world incentives may threaten the security of consensus protocols even when there is no “attacker” with malicious intent. In Competitive equilibria between staking and on-chain lending the researchers analyze how the amount staked in a PoS protocol interacts with a model defi lending platform. In that analysis, staking security may become perilously low through self-interested behavior of participants, none of whom intends to “attack” the network. The meltdown of the Terra staking token Luna, as described by Bloomberg columnist Matt Levine, would seem to be a real-life event related to this research that’s likely to become a canonical example of how financialization mechanisms, when attached to a proof-of-stake token, can lead to security disasters.

So, many kinds of financialization or financial mechanics can impact security, including defi, bridging, multi-asset support, and off-chain custodial financial services.

All of this complexity not only complicates analysis of a protocol, but it also opens the design space to incorporating financialization mechanisms. Existing networks are exploring this area of design space with staking derivatives, such as staking-backed derivative tokens (often simply called “staking derivatives” or “liquid staking”), superfluid staking, and more. On Staking Pools and Staking Derivatives mentions a common argument that liquid staking may lower security, and it then presents an argument that for some given assumptions it can actually increase security.

Finally, all of this discussion of incentives has skirted around a core economic design component impacting PoS security, the Issuance Policy, which we discuss separately below.

Our preference: Our preferences around issuance are described in the Issuance policy section. Our belief around financialization is that it generally produces value, is inevitable, and that ZEC can be safely incorporated into it, as long as we understand and mitigate risks as they develop. Our preference for incorporating financialization into the consensus protocol is to be extremely conservative and only consider such mechanisms, such as liquid staking, when there’s a strong argument for their benefit versus their risk and complexity. We prefer to propose a simpler “V1” protocol and may consider such mechanisms in later iterations of future PoS protocol improvements.

Dynamic availability vs finality

The research literature highlights a fundamental trade-off in consensus protocols between “dynamic availability” vs “finality”. This extends earlier research from distributed computing around a similar trade-off popularized as the CAP theorem.

Dynamically available protocols can continue making progress during network partitions, at the cost of reverting transactions when the partitions later reconnect. Finalizing protocols ensure that once a transaction is final it cannot be reverted, at the cost of halting the network during a partition.

Both transaction reversion (aka “rollbacks”) and network halts cause economic damage to participants. A protocol which allows transaction reversion can lead to “half-executed” economic exchanges, which leave one party harmed. Protocols that can halt will prevent the users from accessing their capital, introducing opportunity costs.

An example of a half-executed exchange in a dynamically available protocol (such as Zcash PoW) is when Alice sends Bob 0.001 ZEC, and Bob makes and gives Alice a latte, then Alice consumes it. If there is subsequently a network rollback that reverts the transfer, Bob will not receive the 0.2 ZEC, thus causing Bob to not be compensated for their work. By contrast, in a finalizing protocol, if Bob receives the payment he has a guarantee it cannot be reverted, and can safely sell the latte. Meanwhile, if a finalizing protocol halts, Alice cannot pay Bob at all. Neither party loses out in direct terms, but they cannot complete an exchange, which has opportunity costs. (For example, should Alice wait in the cafe? For how long?)

However, it’s important to note that network halts in finalizing protocols can be particularly damaging for financialized mechanics that should respond in real-time to market conditions, such as collateralized systems that may liquidate positions when real-time prices cross some threshold.

Our preference: We have a strong preference for finalizing protocols. A network halt impacts all users consistently, while a rollback only reverts a portion of transactions (those on one of multiple partitions) and harms one participant in every economic exchange for all reverted transactions. Currently, the Zcash network has minimal programmability enabling use cases such as financial systems that respond to real-time price oracles, so we suspect that class of harm from network halts is lower than in other crypto networks. Finally, we believe separate consensus protocols which provide finality can interoperate more safely with less complexity.

Block producer decentralization and resilience

Because permissionlessness is a key property of Zcash, we need to consider how resilient the consensus infrastructure is.

The infrastructure that selects from proposed blocks is important to censorship resistance and capture resistance, although shielded transactions and the possibility of a community-organized chain split are even more fundamental protections. If entrance to the set of block selectors can be restricted outside of freely open, nondiscretionary competition, that presents a capture risk.

Among proof-of-stake protocols with nondiscretionary rules for becoming a block selector, there are several constraints to entry:

  • Participation has capital and operational costs beyond staking bond capital itself, such as network connectivity, operations & maintenance, executive functions, etc. We refer to these as “out-of-band costs”.
  • Participation has competitive in-band staking bond capital requirements, or “in-band costs”.
  • Different protocols may have resource constraints on the number of participants. For example, Ethereum Consensus Layer aims to support thousands of block selector nodes, while Tendermint has a practical limit of hundreds of block selectors.
  • If entry is in-band, the existing block selectors must accept in-band transactions that allow new entrants to register. There is a risk that existing block selectors could censor these registrations to prevent their competitors from freely entering the system.

Our preferences: For each of the above constraints, our preferences are:

  • We prefer to prioritize permissionless entry and competition into block producer infrastructure.
  • We prefer in-band staking bonds to be delegatable with low cost and ease of use by a very large number of users. We believe the ability for users to freely redelegate their stake to different block selectors enables free competition between the selectors.
  • We prefer the practical “floor” amount of ZEC for delegating stake to be as low as feasible, ideally less than $1 USD.
  • We prefer to not prioritize having a large number of block selectors, based on the belief that delegatable stake supports free competition sufficiently. We also believe finalizing protocols tend to have lower limits on the number of block selectors supported, and our preference for finality supersedes the desire for a large number of block selectors.
  • We strongly prefer protocols that protect the permissionless entry of new validators in free competition to preserve overall consensus permissionlessness, resist capture, and lower validation fees.
  • We believe with this combination of properties, delegator returns should approach block producer returns through open competition.

Other security risks

There are a multitude of other security risks related to PoS which we expect will be shared between Zcash and other PoS networks, including long-range attacks, a variety of network attacks (eclipse attacks, Denial-of-Service, initial node introduction risks), and more.

Our preference: Based on the belief that these risks will not be unique to Zcash, we optimistically expect existing PoS protocol designs have been hardened against them. Where we discover weaknesses we intend to collaborate with the broader PoS protocol design ecosystem to address these.

For cryptocurrencies, beginning with Bitcoin’s breakthrough design, monetary policy sits firmly in the intersection of macro- and micro-economic dynamics, protocol security, governance, usage, and adoption. This area of protocol design is truly multidisciplinary and novel.

We aim to publish a more detailed exploration of issuance policies and PoS security in an upcoming blog post.

Issuance rate security

Existing proof-of-stake protocols have a variety of issuance policies. We’re just beginning to familiarize ourselves with research related to how issuance relates to Proof-of-Stake Security.

Our preference: We aim to provide supporting arguments from research around the protocol security for the specific issuance policy we propose.

Issuance policy discretion

There are several design decisions around issuance policy involving discretion and the schedule itself.

Issuance may be more or less discretionary. A prime example of a schedule with minimal discretion is Bitcoin’s issuance schedule, which is fixed. The only way to alter it would be a core protocol change that would require an economically dominant majority of users to adopt a hardforking consensus rule change. An example of a protocol with discretion over economic parameters would be MakerDAO or many other DAOs which can alter rates, fees, or other economic parameters through on-chain governance. A middle-ground example might be Ethereum, where the current issuance schedule is fixed in the protocol, yet there is precedent to alter this through consensus rule upgrades.

Our preference: We prefer an issuance policy with as minimal discretion as possible. Because Zcash already has a culture and precedent for backwards incompatible protocol upgrades, this is likely to include social norms about the “Overton window” of acceptable issuance changes, placing a high burden on proposals to motivate changes to issuance. An example from Zcash history of the threshold to enact a significant change was the establishment of the Development Fund, which involved a multiyear referendum-like process.

Issuance rate schedule

There are four major possibilities for issuance schedules:

  • Keep the current Bitcoin-like schedule completely unchanged.
  • Adopt a schedule that’s strictly equal or lower than the current schedule, thus keeping the 21M ZEC cap.
  • Adopt a “reasonable” well-known schedule that does not keep the Bitcoin-like limit.
  • Something else further afield.

Our preference: We have a preference for the second option, a rate that’s lower than the current Bitcoin-like schedule. If this is feasible from a security perspective, we believe it would be acceptable to the vast majority of current and potential future Zcash users, while lowering the costs paid by holders for the security of the network. This option would keep the 21M ZEC cap. We may find in our research phase that this option cannot support sufficient security, in which case we’ll surface the issue for Zcash users as soon as we formulate the concern.

Proof-of-stake protocols track the amounts of tokens in bonds, and use that information for making consensus decisions (such as which nodes are able to become block producers). Thus, it’s very natural to also enable on-chain governance mechanisms, where the amounts of coins are used for other decisions outside of direct block production consensus.

Our preference: We prefer to not propose binding governance on Zcash protocol development using coin-weighted polling. However, we do have a strong preference to enable non-binding coin-weighted polling where anyone can submit petitions or polls and ZEC holders can weigh in using on-chain coin-weighting data. We believe this provides the best balance between capture resistance and governance signaling, and follows the Zcash tradition of incrementally improving governance in safe and sensible stages.

Zcash has successfully evolved throughout its lifetime with Bitcoin-compatible functionality through Transparent Addresses, and three separate shielded protocols (Sprout, Sapling, and Orchard). The advantage of this has been to enable wider technical adoption and backwards compatibility. There are several drawbacks to this “technical debt”:

  • Each type of transfer technology interacts with a single common ZEC supply, so supply integrity failures in any of these tech stacks present a risk to the entire system. While the “Shielded pool turnstile” mechanism protects the overall ZEC supply, such a failure would still harm users and shake confidence in the overall protocol.
  • The protocol must be complex to support multiple different technologies, making it harder for new implementations.
  • The same complexity inhibits protocol designers from safely extending or improving the protocol, and Zcash needs continuous innovation to stay relevant into the future.
  • Older shielded pools are rarely used, so even users who need that functionality in the future may find that wallet support has either been removed or has unintentionally accrued bugs for that rarely used use case.

It may be feasible and a good path forward to couple the need to reduce protocol complexity with a transition process to PoS. It may, however, introduce additional complexity and risk, so this is an area that needs more research and discussion within the community.

Our preferences: We prefer to design the new PoS protocol with support for only newer technologies, and to include a standard migration system to address the issue of technology evolution moving forward. We prefer for the Zcash protocol to introduce fees for users of older technology to incentivize migration, and additionally to restrict migration to the new protocol to the newer technology stacks.


As our technical and market research progresses, we’ll regularly post articles on specific topics, our current understanding of that area, any preferences we hold, and next steps for that topic. The next topic we’ll dive into for this technical research blog series is issuance in PoS protocols and how that relates to Zcash.


We’d like to thank Ian Sagstetter, Steven Smith, Zaki Manian, and Josh Swihart for feedback on earlier drafts of this post.


1. In Resource Pools and the CAP Theorem the notion of general “consensus resources” is used to model dynamically available and finalizing protocols (including both PoW and PoS) in a common framework.

2. A separate team, qed-it, is currently developing multi-asset support for Zcash dubbed Zcash Shielded Assets. Their latest update is available here.

3. While Zcash currently does not have programmability features, there is significant enthusiasm for developing for programmable use cases; for example, the Zcash Foundation includes it as a goal in a recent post defining their Zcash strategy.

4. An exception here may be changes to the Bitcoin issuance schedule that could be adopted as soft forks, such as lowering the issuance rate early. Existing nodes would accept this, since it’s already acceptable for miners to claim less than the maximum available reward in their coinbase. In any case, we still consider this minimally discretionary.
