Peercoin was the first Bitcoin-based monetary system to use proof-of-stake as a mechanism to ensure its own integrity. However, there are some objections to Peercoin’s proof-of-stake model. This article presents those objections along with a similar system redesigned to address them.
In a simplified version of Peercoin’s proof-of-stake design, each node can use part of its balance as a stake allowing it to chain blocks. The bigger that stake, the more chances this node has of increasing the block chain. The reward for chaining blocks is 1% of the used stake as newly minted coins, annually. Conversely, making transactions requires paying a fee that destroys 0.01 coins per transaction. For example, after having chained a block using one coin of stake, Bob makes one transaction. Then, the fee of 0.01 coins he pays for making this transaction destroys the 0.01 coins he minted in reward for chaining that block.
Here are five objections to this proof-of-stake model:
It amplifies wealth inequality. Suppose Peercoin is the only form of money for both Bob and Alice. Bob’s income is 200 coins per month, while his expenses are 80% of his income. Alice’s income is 800 coins per month, while her expenses are 50% of her income. Assuming, for simplicity, that neither Bob nor Alice has any savings — which Alice is more likely to have — Bob and Alice will be able to reserve 40 and 400 coins as block-chaining stake, respectively. Then, Alice’s block-chaining reward will be 900% bigger than Bob’s, even though her income is only 300% bigger than his.
It makes the money supply unstable. Inflation becomes directly proportional to successful block-chaining rewards, yet inversely proportional to paid transaction fees. This variable inflation adds an unnecessary source of price instability to the rather inevitable ones — exchange value of merchandise and velocity of money circulation — thus unnecessarily reducing price transparency and predictability. Peercoin should have a stable money supply, as Bitcoin will have after year 2140.
Whenever total paid transaction fees are less than total successful block-chaining rewards, all inactive or unsuccessful block-chaining nodes will pay a fee to all successful ones through inflation. This implicit value transfer disguises the cost of participating in the system.
As coins increase in value, the (now 0.01 coins) transaction fee will eventually become too valuable, thus requiring Peercoin developers to lower it. However, choosing its new nominal value is an economic decision — rather than a technological one — which creates a political problem.
System integrity depends on extrinsic incentives: both the block-chaining reward and its offsetting transaction fee need arbitrary adjustment, which again involves an economic decision, thus creating a political problem.
Transaction Rights Instead of Money
All these five objections have one common origin: the extrinsic, pecuniary nature of block-chaining incentives — the block-chaining reward less its offsetting transaction fee. Hence, only an intrinsically nonmonetary block-chaining system can address all of them. However, is that system possible?
Yes, if instead of newly minted coins — or even old ones — the reward for chaining blocks is the right to make transactions. Then, that reward no longer needs to be directly proportional to stake. For example, merely having twice the amount of money owned by Bob is not enough reason for Alice to make twice the volume of transactions made by him. Still, how to estimate the transaction volume needed by a block-chaining stake owner? Is there any objective indication of that volume?
Yes, despite only a generic one: the actual transaction volume in the system. Then, the reward for chaining a block will no longer be a monetary value, but rather the combined size of all transactions in that block as future transaction rights. However, this reward must exceed its own size for future transaction volume to grow if necessary. For example, instead of newly minting 1% of its used stake annually, a block-chaining reward — in Peercoin, a stake output — could allow its winner to make a future volume of transactions 1% greater than the combined size of all transactions in its containing block.
Here is how to implement such a nonmonetary block-chaining model:
The private key signing a block-chaining reward must sign every transaction.
Each transaction signed by the private key signing a block-chaining reward must subtract its own size from the maximum transaction volume allowed by that reward, which results in the combined size of all transactions the same private key still can sign.
This design addresses all those initial five objections:
It cannot amplify wealth inequality: neither its block-chaining reward nor its transaction fee constitutes a monetary value.
It cannot make the money supply unstable: neither its block-chaining reward creates money nor its transaction fee destroys it.
It cannot make all inactive or unsuccessful block-chaining nodes pay a fee to all successful ones through inflation: its money supply remains unaffected.
It cannot require adjusting its nominal transaction fee, which is chaining blocks, to variations in its own invariable since absent monetary value.
It cannot require extrinsic incentives to its block chaining, which is itself a requirement for making transactions.
Indeed, what block chaining essentially collects is not money, but rather transactions: it is transaction rights that essentially depend on chaining blocks, not money creation. So the block-chaining reward is always transaction rights, even if still indistinguishable from actual transactions. Additionally, rewarding each block with the right to make a future volume of transactions exceeding that of all transactions in this block by a limited margin has the following two advantages:
Monopolizing transaction rights becomes as unlikely or ephemeral as chaining consecutive blocks.
Unilaterally expanding transaction volume becomes as unlikely or ephemeral as monopolizing transaction rights.
However, what if a node cannot earn its needed transaction rights fast enough, if at all? For example, suppose Bob has just received his first coins and must make transactions before likely chaining the right to make them: how can he make those transactions? Fortunately, nothing requires the private keys that signed a transaction-right reward and its enabled transaction inputs to have the same owner. For example, by having enough unused, excessive transaction rights, Alice can sign Bob’s transactions with the same private keys that signed her unused, excessive reward.
Still, people deserve an additional reward for using their earned transaction rights to enable transactions from other people. So, since necessarily exchangeable for those rights, this reward no longer can be any of them: it can only be money. For example, Alice can charge Bob a fee to sign his transactions with her still transaction-capable private keys.