XTZ (Tezos) White Paper.pdf


Tezos: A Self-Amending Crypto-Ledger
Position Paper

L.M Goodman
August 3, 2014

"Laissez faire les propriétaires."
- Pierre-Joseph Proudhon

Abstract

The popularization of Bitcoin, a decentralized crypto-currency, has inspired the production of several alternative, or "alt", currencies. Ethereum, CryptoNote, and Zerocash all represent unique contributions to the crypto-currency space. Although most alt currencies harbor their own source of innovation, they have no means of adopting the innovations of other currencies which may succeed them. We aim to remedy the potential for atrophied evolution in the crypto-currency space by presenting Tezos, a generic and self-amending crypto-ledger.

Tezos can instantiate any blockchain based protocol. Its seed protocol specifies a procedure for stakeholders to approve amendments to the protocol, including amendments to the amendment procedure itself. Upgrades to Tezos are staged through a testing environment to allow stakeholders to recall potentially problematic amendments.

The philosophy of Tezos is inspired by Peter Suber’s Nomic[1], a game built around a fully introspective set of rules.

In this paper, we hope to elucidate the potential benefits of Tezos, our choice to implement as a proof-of-stake system, and our choice to write it in OCaml.

Contents

1 Motivation
  1.1 The Protocol Fork Problem
    1.1.1 Keeping Up With Innovation
    1.1.2 Economics of Forks
  1.2 Shortcomings of Proof-of-Work
    1.2.1 Mining Power Concentration
    1.2.2 Bad incentives
    1.2.3 Cost
    1.2.4 Control
  1.3 Smart Contracts
  1.4 Correctness
2 Abstract Blockchains
  2.1 Three Protocols
    2.1.1 Network Protocol
    2.1.2 Transaction Protocol
    2.1.3 Consensus Protocol
  2.2 Network Shell
3 Proof-of-Stake
  3.1 Is Proof-of-Stake Impossible?
  3.2 Mitigations
    3.2.1 Checkpoints
    3.2.2 Statistical Detection
  3.3 The Nothing-At-Stake Problem
  3.4 Threat Models
4 Potential Developments
  4.1 Privacy Preserving Transactions
    4.1.1 Ring Signatures
    4.1.2 Non Interactive Zero-knowledge Proofs of Knowledge
  4.2 Amendment Rules
    4.2.1 Constitutionalism
    4.2.2 Futarchy
  4.3 Solving Collective Action Problems
    4.3.1 Raising Awareness
    4.3.2 Funding Innovation

1 Motivation

In our development of Tezos, we aspire to address four problems we perceive with Bitcoin[2]:

- The "hard fork" problem, or the inability for Bitcoin to dynamically innovate due to coordination issues.
- Cost and centralization issues raised by Bitcoin’s proof-of-work system.
- The limited expressiveness of Bitcoin’s transaction language, which has pushed smart contracts onto other chains.
- Security concerns regarding the implementation of a crypto-currency.

1.1 The Protocol Fork Problem

1.1.1 Keeping Up With Innovation

In the wake of Bitcoin’s success, many developers and entrepreneurs have released alternative crypto-currencies: "altcoins". While some of these altcoins did not diverge dramatically from Bitcoin’s original code¹, some presented interesting improvements. For example, Litecoin introduced a memory hard proof of work function² and a shorter block confirmation time. Similarly, Ethereum has designed stateful contracts and a Turing-complete transaction language[3]. More important contributions include privacy-preserving ring signatures (CryptoNote)[4] and untraceable transactions using SNARK (Zerocash)[5].

  ¹ wow, such unoriginal
  ² scrypt mining ASICs are now available

The rise of altcoins has inspired a vast competition in software innovation. Cheerleaders for this Hayekian growth, however, miss a fundamental point: for a cryptocurrency to be an effective form of money, it needs to be a stable store of value. Innovation within a ledger preserves value through protecting the network effect giving the currency its value.

To illustrate the problem of many competing altcoins, let us compare a crypto-currency and a smart phone. When purchasing a smart phone, the consumer is paying for certain features, such as the ability to play music, check email, message his friends, and conduct phone calls.

Every few weeks, a newer smartphone model is released on the market which often contains enhanced features. Though consumers who have the older model may be jealous of those with the latest model, the introduction of newer smartphones does not render older smartphones dysfunctional.

This dynamic would change, however, if the newest phones could not communicate with older models. If the many models and styles of smartphone could not be used together seamlessly, the value of each smartphone would be reduced to the number of people with the same model.

Crypto-currencies suffer from the same fate as smartphones which are incompatible with one another; they derive their value from a network effect, or the number of users who have given it value. To this end, any innovation that occurs outside of a crypto-currency will either fail to build enough network effect to be noticed, or it will succeed but undermine the value of the savings in the old currency. If smartphones were incompatible with older models, there would be either very little innovation or extremely disruptive innovation forcing older phones into obsolescence.

Side-chains are an attempt to allow innovations which will retain compatibility with Bitcoin by pegging the value of a new currency to Bitcoin and creating a two-way convertibility. Unfortunately, it’s unclear whether they will be flexible enough to accommodate protocols substantially different from Bitcoin. The only alternative so far is to fork the protocol.

1.1.2 Economics of Forks

To understand the economics of forks, one must first understand that monetary value is primarily a social consensus. It is tempting to equate a cryptocurrency with its rules and its ledger, but currencies are actually focal points: they draw their value from the common knowledge that they are accepted as money. While this may seem circular, there is nothing paradoxical about it. From a game theoretic perspective, the perception of a token as a store of value is stable so long as it is widespread. Note that, as a ledger, Bitcoin is a series of 1s and 0s. The choice to treat the amounts encoded within unspent outputs as balances is a purely social consensus, not a property of the protocol itself.

Changes in the protocol are referred to as "forks"³. They are so called because, in principle, users have the option to keep using the old protocol. Thus, during a fork, the currency splits in two: an old version and a new version.

  ³ not to be confused with blockchain forks which happen within a protocol

A successful fork does not merely require software engineering, but the coordination of a critical mass of users. This coordination is hard to achieve in practice. Indeed, after a fork, two ledgers exist and users are confronted with a dilemma. How should they value each branch of the fork?

This is a coordination game where the answer is to primarily value the branch other users are expected to primarily value. Of course, said users are likely to follow the same strategy and value the branch for the same reason. These games were analyzed by economist Thomas Schelling and focal points are sometimes referred to as "Schelling points"[6].

Unfortunately, there is no guarantee that this Schelling point will be the most desirable choice for the stakeholders, it will merely be the "default" choice. A "default" could be to follow the lead of a core development team or the decrees of a government regardless of their merit.

An attacker capable of changing social consensus controls the currency for all intents and purposes. The option to stick with the original protocol is widely irrelevant if the value of its tokens is annihilated by a consensus shift.⁴

  ⁴ The argument that there can never be more than 21 million bitcoin because "if a fork raised the cap, then it wouldn’t be Bitcoin anymore" isn’t very substantive, for Bitcoin is what the consensus says it is.

Core development teams are a potentially dangerous source of centralization. Though users can fork any open source project, that ability offers no protection against an attacker with enough clout to alter the social consensus. Even assuming the likely benevolence of a core development team, it represents a weak point on which an attacker could exercise leverage.

Tezos guards against the vulnerabilities wrought by the source of centralization through radically decentralized protocol forks. It uses its own cryptoledger to let stakeholders coordinate on forks. This allows coordination and enshrines the principle that forks are not valid unless they are endogenous, making it much harder to attack the protocol by moving the consensus.

Suppose for instance that a popular developer announces his intention to fork Tezos without making use of the protocol’s internal procedure. "Why would he attempt to bypass this process?" might ask stakeholders. Most certainly, because he knew that he wouldn’t be able to build consensus around his proposed fork within Tezos.

This signals to the stakeholders that their preferred consensus would be to reject this fork, and the Schelling point is thus to refuse it, no matter the clout of that developer.

1.2 Shortcomings of Proof-of-Work

The proof-of-work mechanism used by Bitcoin is a careful balance of incentives meant to prevent the double spending problem. While it has nice theoretical properties in the absence of miner collusion, it suffers in practice from severe shortcomings.

1.2.1 Mining Power Concentration

There are several problems with proof-of-work as a foundation for crypto-currencies. The most salient problem, which is all too relevant as of 2014, is the existence of centralized mining pools, which concentrate power in the hands of a few individuals.

The proof-of-work mechanism is decentralized, which means that users do not need to explicitly trust anyone to secure the currency. However, implicitly, Bitcoin has yielded a system where all users have to trust the benevolence of one or two pool operators to secure the currency.

A conspiracy of miners holding more than 50% of the hashing power is known as a 51% attack[7]. It allows the attackers to prevent transactions from being made, to undo transactions, to steal recently minted coins and to double spend[8].

A centralized mint signing blocks would be just as secure, and far less wasteful, as a miner controlling 51% of the hashing power. If a centralized mint is unacceptable to Bitcoin users, they should not tolerate de facto centralization of mining power.

The concentration of mining power is no coincidence: large mining pools face less variance in their returns than their competitors and can thus afford to grow their operation more. In turn, this growth increases their market share and lowers their variance.

To make things worse, the large mining pool ghash.io has hinted at a business model where they would prioritize "premium" transactions submitted directly to them. This means that large miners would earn proportionally more than smaller miners. Sadly, p2pool has had trouble attracting hashing power as most miners selfishly prefer the convenience of centralized mining-pools.

Many have argued that fears of market concentration are overblown. They are generalizing hastily from the real world economy. Real businesses compete in a rapidly changing landscape where Schumpeterian creative destruction exercises constant evolutionary pressure on incumbents. Real businesses need local knowledge, face organizational issues and principal agent problems. Bitcoin mining is a purely synthetic economic sector centered around hashing power, a purely fungible commodity. It would be mistaken to hastily generalize and think that such a sterile environment is endowed with the same organic robustness that characterizes a complex, fertile, economy.⁵

  ⁵ It is possible that a n

Furthermore, the economic argument generally holds that natural monopolies have few incentives to abuse their position. The same could be said about a Bitcoin miner: after all, why would a dominant miner destroy the value of their investments by compromising the currency? Unfortunately, this still creates a huge systemic risk as such miners can be compromised by a dishonest attacker. The cost of executing a double spending attack against the network is no more than the cost of subverting a few large mining pools.

There have been proposals intended to address this issue by tweaking the protocol so it would be impossible for pool organizers to trust their members not to cheat. However, these proposals only prevent pools from gathering mining force from anonymous participants with whom there is no possibility of retaliation. Pooling is still possible between non-anonymous people: organizers may operate all the mining hardware while participants hold shares, or organizers may track cheaters by requiring inclusion of an identifying nonce in the blocks they are supposed to hash. The result of such proposals would thus be to increase variance for anonymous mining operations and to push towards further concentration in the hands of mining cartels.

Proof-of-stake, as used by Tezos, does not suffer from this problem: inasmuch as it is possible to hold 51% of the mining power, this implies holding 51% of the currency, which is not only much more onerous than controlling 51% of hashing power but implies fundamentally better incentives.

1.2.2 Bad incentives

There is an even deeper problem with proof-of-work, one that is much harder to mitigate than the concentration of mining power: a misalignment of incentives between miners and stakeholders.

Indeed, in the long run, the total mining revenues will be the sum of all the transaction fees paid to the miners. Since miners compete to produce hashes,
