Algorand scales because it generates a new block in two phases, each of which scales perfectly.
Phase 1: A user is randomly selected and proposes a new block
A user (i.e., a public key) 𝓁 is randomly selected among all current users, with probability proportional to the amount of money she owns in the system. All Algorand users learn that 𝓁 is the selected user. The role of 𝓁 is to choose a new block B from all valid transactions that are not yet in the blockchain. If she is honest, she digitally signs and propagates the same chosen block B to the network.
Phase 1 scales because each user plays her own secure lottery to check whether she has been selected to produce the new block. This internal cryptographic lottery is super-fast and independent of how many users there are in the network. The user 𝓁 who wins the lottery automatically gets a short, unforgeable proof that she has been selected. Thus, by propagating this short proof, 𝓁 makes it clear to the entire network that she is in charge of proposing the new block.
Phase 2: A small group of users is randomly selected to verify and agree on the block.
A set of 𝑘 verifiers is randomly selected among all users, proportionally to the amount of money that each of them owns in the system. All users learn who the verifiers of the new block are. The role of these verifiers is to agree on the block proposed by 𝓁. The new block is the one digitally signed by at least 𝑡 of the verifiers.
Again, the verifiers select themselves by individually playing an internal and secure lottery that is both super-fast and independent of the total number of users in the network.
In addition, the values 𝑘 and 𝑡 are fixed, no matter what the number of users may be. Thus, the agreement protocol that the verifiers execute is not only super-fast itself but also independent of the total number of users in the network.
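The two self-selection lotteries of Phase 1 and Phase 2, as an added Python sketch that is not Algorand's own code. It assumes a public SHA-256 hash in place of the user's keyed lottery and its proof, counts one vote per winning unit of money, and uses constructed users, seed and values for 𝑘 and 𝑡.

```python
import hashlib

def ticket(seed: bytes, role: bytes, public_key: bytes, unit: int) -> float:
    """Map (seed, role, key, stake unit) to a pseudo-random number in [0, 1).
    Assumption: a public hash stands in for the user's keyed lottery."""
    data = b"|".join([seed, role, public_key, str(unit).encode()])
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big") / 2**64

def winning_units(seed, role, public_key, stake, expected, total_stake):
    """Run locally by one user. Each unit of money wins with probability
    expected/total_stake, so the work depends only on the user's own stake."""
    p = expected / total_stake
    return [u for u in range(stake) if ticket(seed, role, public_key, u) < p]

def verify_claim(seed, role, public_key, stake, expected, total_stake, claimed):
    """Run by any receiver: recompute the lottery and reject inflated claims."""
    return claimed == winning_units(seed, role, public_key, stake, expected, total_stake)

def choose_proposer(seed, users):
    """Phase 1: the user holding the smallest ticket over all her units of
    money proposes, which selects her with probability stake/total."""
    def best(pk):
        return min(ticket(seed, b"proposer", pk, u) for u in range(users[pk]))
    return min(users, key=best)

def select_committee(seed, users, k):
    """Phase 2: about k votes in total, spread proportionally to money owned."""
    total = sum(users.values())
    votes = {pk: len(winning_units(seed, b"verifier", pk, s, k, total))
             for pk, s in users.items()}
    return {pk: v for pk, v in votes.items() if v > 0}

def block_accepted(signers, committee, t):
    """Accept when the signing verifiers hold at least t votes (assumption:
    a verifier with several winning units counts once per unit)."""
    return sum(committee.get(pk, 0) for pk in set(signers)) >= t

# Constructed sample data: 20 users, stakes 100..1050; K and T are illustrative.
SEED = b"round-1-seed"
USERS = {f"user-{i}".encode(): 100 + 50 * i for i in range(20)}
K, T = 100, 67

if __name__ == "__main__":
    committee = select_committee(SEED, USERS, K)
    print("proposer:", choose_proposer(SEED, USERS).decode())
    print("committee votes:", sum(committee.values()), "from", len(committee), "users")
    print("accepted if all sign:", block_accepted(committee, committee, T))
```

Because the stand-in hash is public, anyone can compute anyone's result in advance; a verifiable random function keyed by the user's secret key keeps the outcome private until the winner publishes her proof.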
Security in Proof-of-Work
Blockchains based on proof of work assume that the miners have the majority of the computing power necessary to generate the next block. Proof of work, however, has concentrated power in a few mining pools. In Bitcoin, just three such pools control the blockchain. Such concentration of power, in entities that are not accountable to anyone, is unacceptable for a system that aspires to be decentralized and is in fact potentially very dangerous.
Security in Delegated Proof of Stake
In a blockchain based on delegated proof of stake, the power to generate a block is given to a small and publicly known group of users for a long interval of time. This approach may be less costly than proof-of-work, but is admittedly quite centralized. Here, security relies on the honesty of the majority of this small group, but any small group of users is an obvious target for attackers.
Security in Bonded Proof of Stake
In a blockchain based on bonded proof of stake, every user could put at stake some of her money. Those who do so have the power, proportionally to their stakes, to choose a new block. In principle, they might lose their stakes if they detectably misbehave, but this may not be much of a deterrent if they stand to make much more money by misbehaving. An ordinary user, however, can afford to put at stake only a small fraction of her money. As a result, the system may fall prey to rich dishonest individuals, who put at stake large amounts of money to control the blockchain.
Security in Algorand
Algorand is guaranteed to work securely if the majority of the money in the system is owned by honest users. Notice that we are not talking about the majority of the money owned by some special users, but about that owned by all users. Moreover, a user in Algorand does not need to put any fraction of her money at stake. A user's money always remains in her hands, ready to be spent how she wishes.
Algorand cannot be censored
A block in Algorand is generated in two phases. First, a user is randomly selected and proposes a new block, then a small group of users is randomly selected to verify and agree on the block proposed by the first user. In both cases, users are selected proportionally to the amount of money they have in the system. Assuming that the majority of the money belongs to honest users, then (1) most of the time, the block proposer is honest, and thus does not exclude the transactions of any other user from her block; and (2) most of the verifiers are honest, guaranteeing the approval of an honestly proposed block. In sum, therefore, no valid transaction will be censored. It may not be included in a block proposed by a dishonest user, but it will enter a new block as soon as its proposer is honest.