Proof of Community

In cases of emergency when the network comes under attack, the Proof of Community can seamlessly step in and ensure a correctly functioning network.


The Proof of Community system is a way to help secure the network; it is based on the Digital Trust Protocol. It is designed to help nodes identify and run on the correct fork of the network in a time of crisis. The idea of PoC is to use it as a part of a governance mechanism to an existing network securing mechanism, like Proof of Work, Proof of Stake or HashGraph. It is possible to add PoC to any existing network. Why and how PoC works is the subject of this document.

Problem to solve

The various consensus algorithms, like PoW, PoS, etc. have different benefits and downsides when used to secure a decentralized, permissionless network. A common theme between them all is that they become less effective when the network is small, with only limited participants, relative to other similar networks with extensive resources.

With PoW, Bitcoin is on the very edge of the race; there is simply no more resource to find for increasing the hash rate significantly that is not already booked to get online; this naturally limits the possibility of a 51% attack.

But other smaller PoW-secured networks, like Ethereum Classic, have a high risk of a 51% attack, as there is an abundance of hardware resources available that can be put on at short notice. The same problem also applies to most other consensus algorithms.

Consensus algorithms that use centralization invalidate the point of having a decentralized, permissionless pseudo-anonymous network and are not considered further.

Common attacks

The most common problem for any network is the 51% attack. In Proof of Work, someone can rewrite the history of the latest blocks.

In Proof of Stake, if someone has 51% of the Stake, they can control the network forever. Furthermore, coin stakes can be hedged or delegated to someone else without permission.

“In the cryptocurrency version of PoS, votes can be bought, borrowed, custodied by banks, and likely also taxed by governments. Imo this makes PoS coin designs much more vulnerable than real world political democracies.” - Tuur Demeester, Twitter

In HashGraph, if someone controls more than 33% of the validating nodes, they can block the network and with 67% they can control the network permanently.

The speed of attacks

Attacks are typically quickly executed. Many times an attacker uses transaction congestion or creates an invalid state on the network for a short period before exploiting the victims. Therefore there is usually little to no time for manual intervention.

Prolonged attacks are rarer, as there is time for human intervention. More often, long attacks are made as a fork of the network to divert and split the community. Identifying the correct fork of the system can be a problem for new or out-of-date nodes.

The idea behind Proof of Community is to minimize the risk of sybil attacks and 51% attacks.

Types of attacks

A consensus attack plays on changing the consensus state of the network, making the victim believe in a false state of the transaction and then reverting on the victim when the attack is over.

A DDoS attack plays on the limitation of the performance of physical hardware. This is usually done by overloading the system with data and then executing transactions without competition.

Bug exploit attacks are very hard to protect against with a protocol and usually require human intervention.

Proof of Community is used to mitigate the effects of attacks that go after the consensus of the network. It may only have limited effects on attacks that focus on hardware limits. If implemented correctly into smart contracts, it may be able to negate the effects of exploits of bugs in code.

Proof of Community is not a hard protocol algorithm, but it relies on a community to solve the problem; therefore, it does not guarantee a correct outcome by math. Its design is to help the community preserve the correct state of the network and limit attacks.


Nodes are the soul of any Distributed Ledger Technology. They form the backbone of the DLT network. Nodes are used for validation of transactions and blocks according to the protocol specification. Nodes define the rules of the network.


Each node is a community member’s commitment to the consensus. The node is the implementation of a specific protocol. It is the incentive for each member of the community to keep the system strong and not divide it to preserve the value of the token in the system.

The value of a token comes from the willingness to exchange a token for a specific price. For the token to keep its value, it needs trust that the community is willing to buy it tomorrow. Electronic tokens do not have any intrinsic value at all; it comes down to trust and confidence alone. Currency in general has no intrinsic value either and most tradable commodities only have value in a specific context.

It is the community around a token that gives the value to a token. Break up the community, and you destroy the token value.

Tokens that are backed by other assets require a centralized entity to guarantee the underlying. The underlying assets community now defines the value of the token.


A Stake is a representation of energy. A Stake can represent any form of energy, physical goods, electricity, money, information, trust, and security. Money is also a representation of energy; therefore money can efficiently be used as a Stake.


A simple definition of trust in a social context could be

“the belief that a person or system will behave predictably, even under stress” - ldapwiki

One could also define trust as the expectation of a predictable, repeatable pattern that is subjective to the observer.

A way to gain trust is to repeat the same pattern again and again. To lose trust is to break the pattern unexpectedly, and this usually leads to some pain for the involved parties. Therefore it is generally harder to gain trust than losing trust.

These simple rules enable the development of relatively simple autonomous programs that can still function very efficiently.

Trust also represents energy in a specific form. The energy of trust can be expressed simply as:

$E_{Trust} = \text{time} \times \text{work}$

The time is the period that has gone by where the subject is known.

Work is energy spent where a subject proves her or his intentions and beliefs. A subject that has spent much time and work into proving itself qualifies for a high value of Trust. However, it is always the observer of the subject that defines the Trust value individually.

A general observation of Trust has little value, similar to rating systems on various platforms, where ratings given by people are unknown to the observer.

It is possible to Trust pseudo-anonymous identities based on a simple name or public key. The point is that the entity behind the pseudo-anonymous can still demonstrate a predictable and repeatable pattern. It is not uncommon to see a lot of Trust on identities behind made-up names on social media platforms.

Reputation is derived from the aggregation of trust from many sources. Reputation is a vital aspect when dealing with human entities. When you are dealing with other human beings, you are making yourself potentially vulnerable in the process, and therefore to minimize risk, you rely on their reputation. However, every time you are dealing with other people, you are also putting your reputation on the line. Because reputation is built from the trust of many people, no single entity will have control of the reputation.

Securing the consensus model

There are many different ways to implement a consensus model.

“For a permissionless, pseudo-anonymous decentralized network to function properly, it requires something at stake to prevent attacks and enhance trust.” - me

All of them share the same fundamental feature - something at Stake.

Without the Stake, there is nothing to lose in gaming the system and run off with the token. Therefore, each participant needs to put a Stake to gain the benefits, like mining rewards.

The community is securing the protocol, making sure that nobody can run their version of the code with different rules. The miner’s role is to secure the transactions. Consensus securing the protocol does cost energy in itself. It is an agreement between the participants in the network on which protocol to run. Each participant simply runs the protocol the participant believes in. If someone disagrees, they will fork the network and run their version of the protocol.

Proof of work uses external energy as a way to secure the transactions of the network. You need to invest energy and only maybe get rewarded. After that, the spent energy is gone; you don’t keep the energy as a stake.

This model allows anyone to participate in securing the transactions on the network, even for a very short time. The Proof of Work consensus model works best when the subject network has peak hash power delegated to it. This makes it hard to add much new hardware to the mining process for an attack.

Proof-of-stake systems usually use their token to secure the network. Some of the issues with Proof-of-Stake enable custodial takeover. Coins are generated and have no initial cost of energy. A coin stake can always be hedged; you cannot trust others only because they apparently have some coins at stake. A coin stake is easy to transfer.

The governance of commons in the real world

The governance of commons works by using the Trust and reputation as an incentive driver.

  • People’s identity is known and cannot be easily changed. People have the incentive to gain the benefits of the shared system, as it is usually vital to them.
  • Having a bad reputation may exclude a person permanently from similar services and resources.
  • People stake their identity when participating in a shared system governed by the participants.
  • Introducing the concept of pseudo-anonymity can hide your real identity, but also makes it easy to switch to a new identity. However, from the start there is no Trust on a newly created pseudo-anonymous identity and therefore it has limited value.
  • A refugee traveling through with no identity papers can claim any identity and exploit the shared services and resources without fear of losing reputation, as the refugee has no intention of staying.
  • An attacker of shared services and resources only needs one big score, and then is forever gone.
  • An identity needs to build up proof of work to gain access to the shared system/resources.

Know your adversaries

Any permissionless DLT has 3 levels of adversaries to defeat before they can be fully trusted to be decentralized and permissionless.


In the first line of adversaries are the hackers; they go after vulnerabilities in the system to extract value. They exploit every crack in the system and are very good at finding security issues. They go after vulnerabilities in the consensus algorithm for cheating unsuspecting victims. However, they mostly have limited financial resources and have no political motivations. Most DLTs are vulnerable to this level simply because the mining or coin staking resources on the DLT are limited.


When a network becomes big enough with much business, big Corporations will try to capture some of the business on the network. To minimize risk and optimize profit, corporations will try to insert themselves into controlling the protocol and mining of the network. For example, big Corporations now sit on the board of the Linux Foundation. To avoid punishment from the government, and to minimize risk, they will always have the incentive to change the protocol towards a permission system.

The State

The motivation of the state is unlimited control. The state has unlimited power in the form of money and violence. The state has no motivation for profit. The state may try to enforce rules and regulations on the DLT or just outright ban it, in the attempt to gain control.

The strength of Cryptos

Bitcoin is the largest and most robust permissionless DLT, and it has defeated the hackers and minor Corporations. However, we have not yet seen what will happen when the big Corps start going after Bitcoin. Furthermore, no big state actor has yet reacted to Bitcoin and seriously challenged its independence.

Ethereum has a well-defined leadership on its foundation; therefore, it is subject to a takeover attempt by Big Corps, just as it has happened with the Linux Foundation.

As a DLT gets bigger, it will also attract attention from more significant players. Most DLT cryptos of today are small and therefore have problems against just the hackers, and would not stand a chance if the big boys go after it.

Proof of Community

The Proof of Community (PoC) uses Trust as a way to Stake value. The purpose of PoC is to be used as a governance model on a consensus model.

The idea is to add protection from the shortcomings of other consensus models.

PoC works by the nodes in the community trusting one another. This results in a Web of Trust kind of structure. The advantage of having a web of trust graph is that it enables the nodes to make decisions in the event of an attack or stress without human intervention. Because the nodes know whom to trust, they can decide on actions that allow the network to continue working without having a critical failure or being exploited.

It is not a requirement to be Trusted to operate a node; it is a voluntary system. But in times of stress, nodes that are not Trusted have less to no influence on keeping the network safe.

Having a high Trust score does not influence mining capability or reward because the intention of PoC is to keep the system safe.

The Incentive

The PoC system works on the assumption that it is harder to gain trust than to lose trust. This is the basis for the system to function properly, as it creates an incentive for a user to act appropriately to maintain the reputation. Steadily losing trust will most likely result in a loss of attention and influence.

  • The PoC protocol works on the incentive of reputation.
  • The motivation of not losing reputation will help to keep the system honest.

The incentive for the nodes to Trust and become trusted nodes is to make the community consensus model stronger. Nodes typically have an investment in the network; therefore, keeping the community aligned and ensuring a strong belief in the network benefits and ensures the value of the network asset.

The identifier of a node is a public key. This enables the nodes to stay pseudo-anonymous and still be trusted.

The nodes can establish a trusted reputation on the network through proof of work, like blog posts, activity on the social platforms, etc. It is up to other nodes if they would trust the subject node to be honest in the case of an attack.

Proof of Community stake is different from the usual Proof of Stake coin, in the way that you cannot borrow, hedge, or tax reputation.

You cannot give your reputation away or hedge it against a drop in value. For taxation, how do you measure reputation? The observer defines the value of reputation on any given identity. A node’s reputation may have a different meaning for different people.

Because of the abstractness of reputation, it will take time to build up in any network. But when it gets there, it can provide a solid foundation for conflict resolution, without a central authority.

Reputation is built of many Trust messages, issued by nodes to other nodes. One Trust message is simply a claim that Node A trusts Node B. Nodes can also distrust other nodes or cancel out their previous trust or distrust.

Each Trust message is atomic in the sense that there can only be one Issuer, one subject, and one trust value. Properties like activation date, expiry date, scope, and other metadata can be added to the trust message. This makes it possible to limit the time and scope of the Trust message. The atomic nature of the Trust message enables it to be stateless when it comes to adding, updating, and deleting the messages. It is therefore perfectly suitable for an event-driven, permissionless DLT system.

Trust given to a node cannot be spent or given to another node; therefore, there is no need to protect against double-spending of Trust.

The system can allow for an unbalanced distribution of Trust messages for a short period, even for hours, where all nodes are not updated at the same time.

Therefore, there is no need for a consensus model to make sure that everyone is in sync. PoC simply has a built-in incentive for everyone to be a good actor within the system. So the concept of a fork in a PoC system alone is nonexistent.


HashGraph can roughly be compared to an advanced sorting algorithm built for a DLT. It is very good at solving high transaction throughput compared to other consensus algorithms. However, the HashGraph BFT algorithm does not Stake energy in itself and therefore is not suitable as a governance model. HashGraph is simply just a gossip mechanism with a virtual voting algorithm that defines outcomes of transaction ordering and creates EPOCs.

Because the HashGraph is not a governance model, it is vulnerable to the majority node attack.

  • 1/3 nodes can stop the network. No more EPOCs.
  • 2/3 nodes can take over the network. Enables the attacker to delay or filter out transactions. Fork the network.

To mitigate the node majority attack, a governance model with Stake is needed to add something to lose into the system, so there are no free attacks on the system.

Using a Proof of Work algorithm for qualifying to participate in the voting process has some downsides. It may not be simple to implement and may be wasteful in resources. Also, PoW is easy to attack if the network does not have majority hash power. Several PoW cryptos suffer from 51% attacks because of their current minority hash power delegation.

Using Proof of Stake where the Stake is money can be gamified easily because money can be easily transferred, borrowed, hedged, without consensus.

Proof of Community uses the node’s reputation as Stake on the governance model. It costs very little to issue a Trust message, and you cannot transfer, borrow, or hedge Trust. This makes Trust very suitable as a Stake. The downside of Trust is that it takes a long time and effort to build up and become valuable.

Tagion consensus algorithm

The HashGraph is the basis of the Tagion consensus model, which uses voting nodes to find EPOCs.

The whitepaper proposes a solution for virtual voting node selection, with a combination of active, time, a mating process, promotion, proof of people, etc. I understand that the motivation is to make it hard to attack and gain a majority of voting nodes, however it seems a little complex, and requires the state of the node to be recorded and known by all nodes.

I would like to very humbly suggest that we rethink the voting node selection algorithm in the light of PoC. That we use an algorithm that is simple and as stateless as possible. A stateless mining/voting is where the network does not need to know the state of the node. E.g. Bitcoin uses hash power mining to create blocks. There is no state or history of the mining node kept anywhere on the blockchain. Every mining node is allowed to participate at any moment, without restrictions.

Different types of stakes can be used like PoW, PoS, Proof of Burn (PoB) and PoC.

When all voting nodes have been identified, using random nodes for voting to speed up the process of finding EPOCs looks like a good idea. If for some rounds no EPOCs have been found, a new set of random nodes is selected and a new voting process is started.

Adding a direct Stake on the voting nodes will add to the difficulty of adding more nodes to attack the network.

Combining the HashGraph and Proof of Community

When an attack on the network happens with the majority of 1/3 or 2/3 nodes, each node can detect that EPOCs are not generating or transactions are not included. It may even be able to detect the nodes involved in the attack as they are blocking normal operations.

Each node now has the option of using the Proof of Community network and looking at its trusted neighbors if they have the same problem or the node is just out of sync. If a node is in sync and can solve the consensus only by using its trusted neighbors, it will start doing this and exclude the attacking voting nodes from the calculation of the voting process.

The result is that the network has forked. However, the nodes in the web of trust network are all on the same fork, and the attacker is running its separated fork. As the community stays on the same fork, they can continue without interruption. There is no loss of value on the network token because the community didn’t split.

It is unlikely that an attacker will be able to build up a reputation on each attacking node, to gain the majority of the voting power and keep everyone on the attacker’s fork.

If a fork happens in the community, then it is not a consensus problem anymore but a split in the community about which protocol to run. Like it happened with the split to BitcoinCash.

When a node is out of sync with the network, it can use the PoC network to identify which nodes are worth trusting to get the latest state of the network.

The HashGraph algorithm can be seen as a consensus algorithm that focuses on internal adversaries, making sure that nobody cheats. The Proof of Community focuses on external adversaries, securing against outside attacks like 51%, Corporate takeover, or the government’s grab for control.

Tagion 3 levels of adversaries

Because the Stake used is not defined yet, it is not possible to do a full analysis of each level of threat on Tagion.

But commonly, one could argue that because the community has a way to identify themselves, it would be possible to correct any interruption from all 3 levels of threats.

The hacker’s motivation for trying to control the network would diminish as it would be very difficult. It is assumed that no bug is exploited in the code in Tagion. Bugs in smart contracts are also not considered.

There is no clear way how a corporation can control the network by controlling the community. If someone detects that a company has bought a high trusted node, that node may get distrusted very quickly by the community.

The only tool a state actor has is to ban the network outright, as there is no way to buy in or take control of the network without it forking away from the state. The state simply cannot control whom you trust.


I will just have to read it twice before making an intelligent response :wink:

Amen to that. This is a universal truth that many people should take to heart.

@Carsten_Keutmann can you elaborate a bit on this, how will this happen practically? How would a node decide who to trust? Would this just be the node they have the highest ‘friendship’ with?

This works by nodes looking at their Web of Trust graph from the node’s individual perspective. If the target node is trusted within a node’s web of trust network, the node can decide that it may follow the target node. However, it is always the operator behind the node who decides who to trust in advance.

1 Like
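
As an added illustration (not code from the post or from Tagion), the sketch below models the atomic Trust messages described in the opening post and the per-node web-of-trust decision from the answer above. The field names, the two-hop scoring rule, the `min_voters` threshold and the sample nodes are assumptions; the thread does not specify them.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class TrustMessage:
    issuer: str            # public key of the issuing node
    subject: str           # public key of the node being rated
    value: int             # +1 trust, -1 distrust, 0 cancels an earlier claim
    issued_at: int         # issuer's timestamp; the newest claim wins
    activate: int = 0      # optional activation time
    expire: int = 2**63    # optional expiry time
    scope: str = "consensus"

class TrustStore:
    """Holds one claim per (issuer, subject, scope). Signatures are assumed
    to have been verified against the issuer key before apply() is called."""
    def __init__(self, msgs=()):
        self._claims = {}
        for m in msgs:
            self.apply(m)

    def apply(self, msg):
        # Add, update and cancel are the same operation, so messages can
        # arrive in any order; ties go to the more cautious (lower) value.
        key = (msg.issuer, msg.subject, msg.scope)
        old = self._claims.get(key)
        if old is None or (msg.issued_at, -msg.value) > (old.issued_at, -old.value):
            self._claims[key] = msg

    def edges(self, now, scope="consensus"):
        """Active, non-cancelled claims as {issuer: {subject: value}}."""
        out = defaultdict(dict)
        for m in self._claims.values():
            if m.scope == scope and m.value and m.activate <= now < m.expire:
                out[m.issuer][m.subject] = m.value
        return out

def trusted_set(store, me, now, max_depth=2):
    """Nodes trusted from `me`'s own point of view (assumed scoring rule)."""
    edges = store.edges(now)
    own = edges.get(me, {})
    trusted = {me}
    for _ in range(max_depth):
        score = defaultdict(int)
        for issuer in trusted:
            for subject, value in edges.get(issuer, {}).items():
                score[subject] += value
        # The observer's own distrust is final, whatever its peers say.
        trusted |= {n for n, s in score.items() if s > 0 and own.get(n, 0) >= 0}
    return trusted

def decide(me, my_epoch, stalled, voters, trusted, peer_epochs, min_voters=2):
    """Pick the voting set when EPOCs stop appearing."""
    if not stalled:
        return "normal", set(voters)
    peers = [e for n, e in peer_epochs.items() if n in trusted and n != me]
    if peers and 2 * sum(e > my_epoch for e in peers) > len(peers):
        return "resync", set()          # trusted peers are ahead: we are out of sync
    subset = set(voters) & trusted      # drop voters outside our web of trust
    return ("fallback", subset) if len(subset) >= min_voters else ("wait", set())

# Constructed sample: A's web of trust plus a self-endorsing cluster X1..X3.
SAMPLE = [
    TrustMessage("A", "B", 1, 1), TrustMessage("A", "C", 1, 1),
    TrustMessage("B", "D", 1, 2), TrustMessage("C", "D", 1, 2),
    TrustMessage("B", "E", 1, 2), TrustMessage("C", "E", 1, 2),
    TrustMessage("A", "E", -1, 3),                       # A's own distrust
    TrustMessage("A", "G", 0, 5), TrustMessage("A", "G", 1, 4),  # cancel seen first
    TrustMessage("C", "F", 1, 2, expire=50),             # expired by now=100
    TrustMessage("X1", "X2", 1, 1), TrustMessage("X2", "X3", 1, 1),
    TrustMessage("X3", "X1", 1, 1),
]

if __name__ == "__main__":
    trusted = trusted_set(TrustStore(SAMPLE), "A", now=100)
    print(sorted(trusted))
    print(decide("A", 7, True, ["B", "D", "X1", "X2", "X3"], trusted,
                 {"B": 7, "C": 7, "D": 7, "X1": 9}))
```

The X1..X3 cluster endorses itself but has no inbound trust from A's web, so it drops out of the fallback voting set even though it holds three of the five voting seats.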

I like the idea of using the energy of creating trust relations as a stake to secure the network; it makes very good sense. The energy as a unit of analysis is very efficient to assess a node security model.

We need to clarify a bit more how the idea from Commons and the boundaries of actors, from user to prospect node, node and active node is thought. Let’s start from the latter and clarify the relation between the nodes and forks.

It is not a system where the longest chain will win in the end, like a probabilistic blockchain race system with Proof of Work or Stake. If a node does not have the same integrity of data as another node, these two nodes will simply ban each other and have a separate graph and network. It will be in parallel and they will not merge. Meaning, the longest chain cannot win in the end. It is a deterministic function, thus the same goes for the graph. Thus it is not directly comparable to 51% attacks. But 1/3 and 2/3 attacks can still halt or fork the network, which will potentially cause damage.

The boundary from the active nodes to the nodes, the available nodes for the system, is governing the nodes operating the network and receiving the rewards for this. It has the purpose of making this selection of the active nodes random, UDR (Unpredictable Deterministic Random), to make it much more difficult to get a 1/3 or 2/3 majority of the active nodes, and to have a fixed and known number of active nodes, because the Hashgraph algorithm needs to know the number of nodes to reach consensus.

The boundary from the users to the prospect nodes is to create a certain drag to become a node, but also a commitment of an initial very small investment. To “prove” yourself as a node we first thought of the Proof of People protocol (see old tech paper), which got a lot of good critique, which made us review this particular boundary, where I think we can integrate the Proof of Community, or a Trust Score metric, to govern the boundary from users, prospects to nodes.

We need to integrate and discuss this to make it integrate into a whole, where the different actors, their boundaries and incentives are thought into a whole creating a sustainable ecosystem.

I just copied the overall actors diagram from the current tech paper here to describe the actors and boundaries.

1 Like

Good writeup about the Proof-of-People protocol in the whitepaper.

  1. A user creates a name record in the system to become a public user.
  2. When the name record is at least a month old the user makes a node
    transaction and pays a fee to become a node. The user then participates
    in the lottery for becoming a node. All participating users will eventually
    win the lottery.
  3. When the user has won the lottery, the user proves to the network that
    activity has taken place during the past seven days. By doing this, the user
    also accepts to become a prospect node. The next step is for two current
    nodes in the system to mate and give the new user - now their offspring -
    a gene.
  4. The prospect engages in a dialogue with three randomly chosen nodes.
    The three nodes need to socially validate that the prospect is an actual
  5. The prospect nodes follow the network and earn node reward points until
    the minimum score is obtained.
  6. The prospect engages in a dialogue with two randomly chosen nodes.
    They should all socially validate the prospect is an actual person.
  7. The prospect is now a real node, is given a birth date and an updated gene
    string in the system and can become an active node.

Step no.4 is quite fascinating, how do the nodes “socially validate”?