This guarantees that a fork where only a small fraction of stakeholders contribute will exhibit a low rate of block creation. If this weren’t the case, a CPU denial of service attack would be possible by tricking nodes into verifying a very long chain claimed to have a very high score.

3.2.3 Generating the random seed

Every block mined carries a hash commitment to a random number chosen by the miner. These numbers must be revealed in the next cycle under penalty of forfeiting the safety bond. This harsh penalty is meant to prevent selective withholding of the numbers, which could be used to attack the entropy of the seed.

Malicious miners in the next cycle could attempt to censor such reveals; however, since multiple numbers may be revealed in a single block, they are very unlikely to succeed.

All the revealed numbers in a cycle are combined in a hash list and the seed is derived from the root using the scrypt key derivation function. The key derivation should be tuned so that deriving the seed takes on the order of a fraction of a percent of the average validation time for a block on a typical desktop PC.

3.2.4 Follow-the-coin procedure

In order to randomly select a stakeholder, we use a follow-the-coin procedure.

Principle

The idea is known in bitcoin as follow-the-satoshi. The procedure works “as-if” every satoshi ever minted had a unique serial number. Satoshis are implicitly ordered by creation time; a random satoshi is drawn and tracked through the blockchain. Of course, individual cents are not tracked directly. Instead, rules are applied to describe what happens when inputs are combined and spent over multiple outputs.

In the end, the algorithm keeps track of a set of intervals associated with each key. Each interval represents a “range” of satoshis. Unfortunately, over time, the database becomes more and more fragmented, increasing bloat on the client side.
Coin Rolls

We optimize the previous algorithm by constructing large “coin rolls” made up of 10000 tez. There are thus about one million rolls in existence. A database maps every roll to its current owner.

Each address holds a certain set of specific rolls as well as some loose change. When we desire to spend a fraction of a full roll, the roll is broken and its serial number is sent to a LIFO queue of rolls, a sort of “limbo”. Every transaction is processed in a way that minimizes the number of broken rolls. Whenever an address holds enough coins to form a roll, a serial number is pulled from the queue and the roll is formed again.
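The roll bookkeeping described above, as an added Python sketch that is not code from the white paper or the project. The class and method names are hypothetical, and two behaviours are assumptions: a fresh serial is issued when the limbo queue is empty, and `select` draws only among live rolls using an integer presumed to come from the seed.

```python
ROLL_SIZE = 10_000  # tez per roll, as stated in the text

class RollLedger:
    """Toy roll bookkeeping: whole rolls per address plus loose change."""
    def __init__(self):
        self.owner = {}       # roll serial -> current owner (the roll database)
        self.rolls = {}       # address -> serials of the rolls it holds
        self.change = {}      # address -> loose tez, below ROLL_SIZE once settled
        self.limbo = []       # LIFO queue of serials from broken rolls
        self.next_serial = 0  # assumption: fresh serials when limbo is empty

    def _give_roll(self, addr, serial):
        self.owner[serial] = addr
        self.rolls.setdefault(addr, []).append(serial)

    def credit(self, addr, amount):
        """Add tez to addr, re-forming rolls as soon as enough change is held."""
        self.change[addr] = self.change.get(addr, 0) + amount
        while self.change[addr] >= ROLL_SIZE:
            self.change[addr] -= ROLL_SIZE
            if self.limbo:
                self._give_roll(addr, self.limbo.pop())  # last broken, first reused
            else:
                self._give_roll(addr, self.next_serial)
                self.next_serial += 1

    def transfer(self, src, dst, amount):
        held = self.rolls.get(src, [])
        loose = self.change.get(src, 0)
        if amount <= 0 or amount > loose + ROLL_SIZE * len(held):
            raise ValueError("invalid amount or insufficient balance")
        # Full multiples of ROLL_SIZE move as intact rolls, so nothing breaks.
        while amount >= ROLL_SIZE and held:
            self._give_roll(dst, held.pop())
            amount -= ROLL_SIZE
        # Break a roll only when loose change cannot cover the remainder.
        while loose < amount:
            serial = held.pop()
            del self.owner[serial]
            self.limbo.append(serial)
            loose += ROLL_SIZE
        self.change[src] = loose - amount
        self.credit(dst, amount)

    def select(self, draw):
        """Map a seed-derived integer to the owner of a live roll."""
        live = sorted(self.owner)
        return self.owner[live[draw % len(live)]]
```

Because ownership is tracked per roll rather than per interval of coins, the owner table never holds more entries than there are rolls, which avoids the fragmentation noted for the interval-based scheme.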
A Self-Amending Crypto-Ledger White Paper