Conditional proof of stake hashcash


This is a writeup of an idea that I introduced at the meetup in Bangkok here:

Proof of work was proposed in the 1990s originally as a form of email spam prevention by Dwork and Naor here. The idea is that a user’s email client would only show emails that come with a proof of work nonce n attached, such that n is the solution to some math problem based on the contents of the email; in Adam Back’s hashcash it could be simplified to $hash(email\_message + n) < \frac{2^{256}}{D}$, where D is a difficulty parameter. This requires all email senders to do a small amount of computational work to send an email that the recipient will read, with the hope that legitimate users (who have a high valuation for the ability to send an email) will be willing to do this cost but spammers (who have a low valuation) will not.

The problem is that (i) there’s an imbalance in favor of the spammers, as specialized implementations can do proof of work better than regular users (not to mention smartphones), and (ii) it turns out the happy medium that’s low enough for users and too high for spammers does not really exist.

But we can improve this approach using proof of stake! The idea here is that we set up a smart contract mechanism where along with an email the recipient gets a secret key (the preimage of a hash) that allows them to delete some specified amount (eg. $0.5) of the sender’s money, but only if he wants to; we expect the recipient to not do this for legitimate messages, and so for legitimate senders the cost of the scheme is close to zero (basically, transaction fees plus occasionally losing $0.5 to malicious receivers).

The contract code might look like this:

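```python
deposits: public({withdrawn_at: timestamp, size: wei_value, creator: address}[bytes32])

# Sender locks msg.value under hash = sha3(secret); the secret goes to the recipient.
@public
@payable
def make_deposit(hash: bytes32):
    assert self.deposits[hash].size == 0
    self.deposits[hash] = {withdrawn_at: 0, size: msg.value, creator: msg.sender}

# Anyone who knows the secret (i.e. the recipient) can destroy the deposit.
@public
def delete_deposit(secret: bytes32):
    self.deposits[sha3(secret)] = None

# Only the creator can start the one-hour withdrawal delay.
@public
def start_withdrawal(hash: bytes32):
    assert self.deposits[hash].creator == msg.sender
    self.deposits[hash].withdrawn_at = block.timestamp

# withdrawn_at == 0 means no withdrawal was started, so it must be rejected here.
@public
def withdraw(hash: bytes32):
    assert self.deposits[hash].withdrawn_at > 0
    assert self.deposits[hash].withdrawn_at <= block.timestamp - 3600
    send(self.deposits[hash].creator, self.deposits[hash].size)
    self.deposits[hash] = None
```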

An email client would check that a deposit is active and a withdrawal attempt has not yet started. Individual recipients could also demand that the secret key they receive has some properties (eg. containing their own email address at the beginning), thereby preventing reuse of the same secret key among multiple users.


  1. If a sender needs to send multiple emails at a time (eg. a group email, or a legitimate newsletter), they could publish a Merkle root of the secret keys, and give each recipient a Merkle branch of their secret.
  2. If you don’t want the sender to know if any individual recipient punished them, then you could have a game where all senders put in $0.5, by default have a 50% chance of getting $1 back, but if the recipient wishes the chance the sender will get $1 back drops to 0%. This can be done by requiring the recipient to pre-commit to a list of N values, then for each email, after some time passes and a block hash becomes available as random data, the recipient would normally see if the value they committed to for that email has the same parity (even vs odd) as the block hash, and if it is they would publish it and unlock the sender’s double-deposit gain. If a recipient has a grudge against the sender, they could simply never publish the value regardless of parity. It would be expected as a default that the committed values are deleted as soon as they are used, so that recipients could not be forced to prove how they acted.
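The recipient-bound secrets and the Merkle-root extension from item 1, sketched as an added example (not code from the original post). The `address:random` secret format, the function names and the use of SHA3-256 in place of the contract's `sha3` are assumptions, and the contract above would need an extra branch argument in `delete_deposit` to accept such a leaf.

```python
import hashlib
import secrets

EMPTY = bytes(32)  # padding node for levels with an odd number of entries

def leaf_hash(secret: bytes) -> bytes:
    # Stand-in for the contract's sha3(); this is NIST SHA3-256, not keccak256.
    return hashlib.sha3_256(b"\x00" + secret).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # Distinct prefix so an inner node can never be passed off as a leaf.
    return hashlib.sha3_256(b"\x01" + left + right).digest()

def issue(recipients):
    """Sender side: one recipient-bound secret each, plus the Merkle levels."""
    secret_of = {r: r.encode() + b":" + secrets.token_bytes(16) for r in recipients}
    levels = [[leaf_hash(secret_of[r]) for r in recipients]]
    while len(levels[-1]) > 1:
        cur = levels[-1] + [EMPTY] * (len(levels[-1]) % 2)
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return secret_of, levels

def branch(levels, index):
    """Sibling hashes from leaf to root, each flagged if it sits on the right."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        value = level[sibling] if sibling < len(level) else EMPTY
        path.append((value, sibling > index))
        index //= 2
    return path

def recipient_accepts(me, secret, path, deposit_root):
    """Recipient side: secret must name me and hash up to the on-chain root."""
    if not secret.startswith(me.encode() + b":"):
        return False  # a secret issued to someone else is being reused
    node = leaf_hash(secret)
    for sibling, sibling_is_right in path:
        node = node_hash(node, sibling) if sibling_is_right else node_hash(sibling, node)
    return node == deposit_root

# Constructed sample: a three-recipient group email.
RECIPIENTS = ["alice@example.org", "bob@example.org", "carol@example.org"]
SECRETS, LEVELS = issue(RECIPIENTS)
ROOT = LEVELS[-1][0]  # the value the sender would register via make_deposit
```

A mail client would run `recipient_accepts` in addition to the on-chain check that the deposit under `ROOT` is active and no withdrawal has started.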
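The parity game from item 2, modelled off-chain as an added example (not code from the original post). The function names, the amounts in cents, SHA3-256 as the commitment hash and random bytes standing in for block hashes are all assumptions.

```python
import hashlib
import secrets

def commit(value: bytes) -> bytes:
    # Hash commitment; SHA3-256 stands in for whatever hash the contract uses.
    return hashlib.sha3_256(value).digest()

def parity(data: bytes) -> int:
    # Even/odd of the value read as a big-endian integer.
    return data[-1] & 1

def settle(commitment, block_hash, revealed, deposit):
    """Contract-side rule: pay double only on a valid, parity-matching reveal."""
    if revealed is None or commit(revealed) != commitment:
        return 0
    return 2 * deposit if parity(revealed) == parity(block_hash) else 0

def recipient_reveal(value, block_hash, grudge):
    """Recipient-side rule: publish only on matching parity and no grudge."""
    if grudge or parity(value) != parity(block_hash):
        return None
    return value

def simulate(n_emails, grudge, deposit=50):
    """Total paid back to the sender, in cents, over n_emails."""
    values = [secrets.token_bytes(32) for _ in range(n_emails)]  # pre-committed list
    commitments = [commit(v) for v in values]
    paid = 0
    for value, commitment in zip(values, commitments):
        block_hash = secrets.token_bytes(32)  # constructed stand-in for a block hash
        revealed = recipient_reveal(value, block_hash, grudge)
        paid += settle(commitment, block_hash, revealed, deposit)
    return paid
```

For any single email the sender sees the same outcome, no reveal and no payout, whether the parity missed or the recipient held a grudge; only the long-run average differs.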

Prediction markets for content curation DAOs

I watched your entire presentation at Bangkok and found both the email portion and the content curation very interesting. But the main portion I wanted to comment about isn’t the email implementation, but the content implementation where you talked about Twitter scammers. The idea is clearly the same PoS hashcash but for social media messages rather than emails. The main issue in this whole situation is what happens in highly contentious situations?

Won’t the primary incentive in those situations be to stay away from voting since there is a good chance they will lose their stake? Or even worse, to vote on what they think might win rather than what they believe the common, salient reality to be? This mainly applies to situations where it is not very clear if something is a scam/spam and it is very close to 50/50 upvotes and downvotes. For example, say there is a decentralized Wikipedia where people stake up or downvotes on edits but the edit is not clearly vandalism but instead highly controversial - not necessarily false. Or let’s say a tweet that is highly controversial that is getting around 50/50 upvote and downvotes.

In those situations, it might be a complete crapshoot what the “reality” ends up being so it could highly discourage participation since people might be afraid to participate. But ironically, those situations are the most important ones for people to participate in since they are the most contentious and markets could help. What mechanisms could be implemented to solve those scenarios? Perhaps locking the voting results from being seen until a round is complete?


> Or even worse, to vote on what they think might win rather than what they believe the common, salient reality to be?

Yes. But remember that the prediction market is not self-referential; it’s not like a system where those who vote the majority get the coins of those who vote the minority. Rather, it’s a prediction market for what some underlying moderation DAO would vote for. This moderation DAO could for example be 20 judges elected by DPOS by the token holders of the system, or some other mechanism. If the moderation DAO is itself corrupted, then users will stop caring about what it says, and what the prediction market for it says, and everyone will switch to a different moderation DAO that is not corrupted.


The profit-maximizing thing to do is to demand a ‘reasonable’ sum smaller than the penalty as payment for not deleting. This could be easily automated. Even if somehow genuine receivers would never do that, if popular, it would create a new type of ransomware in which users are encouraged to send messages to false addresses.

The problem isn’t with messages, but with accounts. If accounts were hard to get, spammers would be trivial to eliminate after a while. Perhaps something like being able to send messages only from an account connected to an eth address with 1 eth that’s at least X days old. This could be done in a zk way to avoid connecting the specific account to a separate identity.


> The profit-maximizing thing to do is to demand a ‘reasonable’ sum smaller than the penalty as payment for not deleting. This could be easily automated.

Not convinced; acquiring a reputation for succumbing to blackmail is very risky. Standard email software would not include a “pay blackmail” feature, and it’s not worth it to individually negotiate with users over $0.25. If users do find even losing $0.50 uncomfortable, then the penalty could be reduced further; the intent is that only sending large quantities of undesired emails should be painful.


If users can deposit money in a smart contract, even with the built-in support, they have the ability to send money for ransom.
No individual negotiation just like with most ransomware, instead picking an amount that’s expected to maximize profits. With sufficient scale it’s only a matter of binary search assuming monotonicity. It could be trustlessly automated by making a smart contract that’s only payable if the original deposit isn’t deleted.

In any case I can’t imagine many people willing to pay something to send. For one thing this eliminates all people with low confidence as they’re going to ask themselves if what they wanted to write won’t be considered spam and write nothing. What if you have to write a mail that’s likely to make the other side seriously angry? Almost guaranteed loss.
In general it’s a lot of hassle for unclear benefit, in my experience spam filters are very effective as of now.

Is email spam an actual problem for you?


> In general it’s a lot of hassle for unclear benefit, in my experience spam filters are very effective as of now.

They are, though at the high hidden cost of letting Google read your email, and making it much harder to spin up a new competitor in the email space, or even for existing providers to make their email end-to-end encrypted.

> In any case I can’t imagine many people willing to pay something to send.

People were willing to pay $1 to send mail 30 years ago. Here it’s just a usually small risk of paying something, and the payment could be much smaller. If $0.50 is too high, then it could be something like $0.10, or more generally an amount of ETH equal to what you would pay to send 10-50 transactions.


I would gladly pay some number of pennies per email sent if it meant that I knew spammers had to pay the same. The key is picking a price point that is low enough that it would never influence my decision to spend, but will always influence a spammer’s decision to send. For example, at $0.01 I would never not send an email because of cost, but maybe that is high enough that a spammer would see it as prohibitively expensive?

The problem is that such a system doesn’t interface with the legacy email system, so I would need to get everyone who wanted to communicate with me to move over to this new system.


I think Vitalik is correct that the probability of people forming syndicates for blackmailing etc. will be low, and even if blackmailing starts, one could easily design a bit more complex protocol to prevent blackmailing.

Imho the real problem in this architecture is that email recipients will not have any gas to pay for the slashing call. Even if a shard or a plasma chain is used so the amount of gas is tiny, most email recipients will have no ETH accounts, and even if they do have ETH it will be too much hassle for them to provide access to the wallet etc.

A solution to this is to provide an ability for self-paying accounts coupled with an ability for the user to provide PoW in lieu of gas. This was already proposed during the discussion of account abstraction. Essentially the user will do PoW and provide a PoW proof during the transaction submission. The contract will have an ETH reserve for gas payments. The gas available to a particular transaction will be proportional to the PoW submitted by the transaction.

Overall, the solution, if it works, may be a worthwhile theme for a startup …


@kladkogex that sounds like a useful feature, as long as it’s rarely/never profitable for miners to do PoW just for the gas fees. Not a huge problem but the gas/PoW rate would be adjusted periodically.

Theoretically the problem could be solved by sharing the private key to a small separate account, right? But I realize the overhead would be substantial (around $.10 currently?).

A more radical alternative would be to introduce a PAYGAS opcode, let any account involved in a transaction contribute to gas costs, and then not require transactions to be signed; it would be up to each account’s code to decide what signature(s) to require if any. Obviously a huge change though, and mitigating DoS attacks with invalid transactions would be extra challenging.


We can use a layer-2 incentivization protocol to solve this; third parties can include the secret key in a transaction on chain and get paid a small amount for it to cover gas. The sender would just need to publish the secret key.


Awesome. I really hope that tokenized systems will solve the spam problem.
The payment-based anti-spam was suggested long above, but now we have a blockchain technology that can really solve it.

“Bill Gates announced that Microsoft is working on a solution requiring so-called “unknown senders”, i.e. senders not on the Accepted List of the recipient to post “the electronic equivalent of a” stamp whose value would be lost to the sender only if the recipient disapproves of the email.[1] Gates said that Microsoft favors other solutions in the short-term, but would rely on the contingent payment solution to solve the spam problem over the longer run. Microsoft, AOL as well as Yahoo! have recently introduced systems that allow commercial senders to avoid filters if they obtain a paid or pre-paid certificate or certification, which is lost to the sender if recipients complain.”


This is a good idea but… Companies today are ready to pay much more money for advertisement than people could pay as a non-spam guarantee. When a company knows who you are, they will pay a lot of money to buy your attention. So popular people will become victims of high payment attacks.

Also it makes communication progress more aggressive and makes the communication initiator a subordinate. Communications should be free and fast. This is what the information era brings to us. And payment-based communication can roll us back to the stone age. The first thing we should do is to specify spam types such as mass mailing, unwanted content, fakes and others. Hashcash-like solutions can limit unwanted content with high fees.

I think the solution should not limit regular users and should provide instruments to identify honest users and to separate them from spammers. There is an existing social filter which is based on friendship, same interests, common activities, professional links and so on. We can reproduce it. And it might be a handshaking-based algorithm with public profile (visit cards) exchange as the first level and optional hashcash.


@rumkin The problem being solved isn’t targeted advertising, where the conversion on marketing is high. The problem being solved is spam advertising where the advertiser sends out millions/billions of emails and gets zero to one conversion off of it.

One can imagine that a company with a 100% conversion rate is actually helping customers it advertises to because it is making them aware of a product that they didn’t know existed but ended up wanting. On the other extreme, a company with 0% conversion rate is just annoying everyone. All marketing schemes are on this spectrum, and increasing the cost per impression results in companies moving towards the 100% side of this spectrum.