Most public blockchains rely on nodes known as miners to process transactions into blocks, a task for which they earn rewards. The economic incentives are such that miners from around the globe race to include the next block in the chain, often producing competing blocks due to either network latency delaying message broadcasting or the presence of faulty nodes. When this happens, the blockchain network must decide on which block to include in the chain using a mechanism known as the consensus protocol.
Bitcoin used Proof of Work (PoW) in 2009 and it remains to this day the protocol of choice for most public blockchains. To produce a new block, nodes must solve a cryptographic puzzle in a compute-intensive trial-and-error game known as mining that only rewards the successful block producer.
To maximise their chances miners keep their nodes running 24*7, this way perpetuating the longevity of the blockchain and increasing the network’s security and value as per Metcalfe’s law and the Lindy effect.
This mining process serves four purposes:
- Eliminate the need to whitelist block producers by introducing a cost barrier or a proof of “skin in the game”, if you will;
- Incentivise honest miners with block rewards for securing the network;
- Increase the network token supply or inflation control;
- Discourage attackers who can maximise their investment and skills with honest mining;
Competition tends to heat up once the popularity of the network increases demand for its token and popular chains now see prospectors making large investments in specialised hardware in a bid to increase their chances of winning the coveted block rewards. The cumulative hashrate produced acts as an “economic firewall” that both raises the difficulty of producing the next block and the costs associated with executing an attack on the blockchain.
As of May 2018, a 51% attack on Bitcoin would cost an estimated 2.4B Euros in hardware using the Antminer S9 price and specifications as a benchmark, but blockchains such as Bitcoin Gold, MonaCoin or Verge have a much lower barrier of entry and become vulnerable. If PoW’s assumption that miners maximise their profits by protecting the network instead of attacking it fails, it’s because the network token is disproportionally valued compared to the number of nodes securing the chain and its public cost-benefit.
A 51% attack resembles a hostile takeover where a miner takes advantage of the permissionless security model and the fork-choice rule favouring the highest accumulated hashrate to gain a dominant position and take control of the block production and rewards, however it also opens the doors to fraud and double-spend attacks that can destroy the token’s value as a censorship-resistant, unfalsifiable form of money.
Laszlo’s CPU had been winning, at most, one block of 50 Bitcoins each day, of the approximately 140 blocks that were released daily. Once Laszlo got his GPU card hooked in he began winning one or two blocks an hour, and occasionally more. On May 17 he won twenty-eight blocks; these wins gave him fourteen hundred new coins that day.
Satoshi knew someone would eventually spot this opportunity as Bitcoin became more successful and was not surprised when Laszlo e-mailed him about his project. But in responding to Laszlo, Satoshi was clearly torn. If one person was taking all the coins, there would be less of an incentive for new people to join in.
“I don’t mean to sound like a socialist,” Satoshi wrote back. “I don’t care if wealth is concentrated, but for now, we get more growth by giving that money to 100% of the people than giving it to 20%.”
As a result, Satoshi asked Laszlo to go easy with the “high powered hashing,” the term coined to refer to the process of plugging an input into a hash function and seeing what it spit out.
But Satoshi also recognized that having more computing power on the network made the network stronger as long as the people with the power, like Laszlo, wanted to see Bitcoin succeed. — Nathaniel Popper, “Digital Gold”
PoW is the most secure and proven solution for distributed consensus but the energy vs security tradeoff raises questions around its long-term sustainability and environmental impact, while blockchain nerds are quick to point some cryptoeconomic weaknesses.
Satoshi Nakamoto predicted that PoW’s competitive reward mechanism would lead to the arrival of application-specific integrated circuits (ASICs) to mining but didn’t consider that economies of scale would favour geographical and political centralisation, resulting in a handful of wealthy investors collecting the majority of the 656250 BTC issued in 2017, worth north of 4B Euros today.
This loss of decentralisation compromises user’s operational security because solo-mining as a “one-way anonymous decentralised exchange” (V.Buterin) is out of reach for most of us, so we must buy our BTC from an established market maker such as an exchange or reseller on localbitcoin.com, leaving a permanent trace back to our real identities.
Satoshi’s paper described Bitcoin’s privacy model as relying on the owner of the keypair used to generate the address transacting on-chain remaining anonymous, but now the coin is less suitable for money laundering than traditional banking services and may fail to protect the privacy of those who may need it the most.
With credit cards, a technology from 1949, the standard chargeback limit is 120 days, but PoW allows only for probabilistic economic finality as a result of favouring a permissionless security model that allows anyone to be a miner but leaves the chain vulnerable to 51% attacks, although Bitcoin’s hard-coded checkpoints used to mitigate against Sybil attacks would prevent an attacker reverting transactions past 2014/04/09. Economic finality is the term used to describe the point at which reverting a single transaction is no longer economically viable and “probabilistic economic finality” means that the risk of a payment reverting decreases as the chain grows because of the increased cost of a hypothetical hard-fork.
Because PoW cannot punish attackers with the loss of property, the protocol fails to provide an economic advantage to the defender, meaning that the costs of attacking the blockchain are not higher than the costs of maintaining it and thus a motivated foe can sustain an attack for as long as there is electric power available.
Systems that consider themselves ideological heirs to the cypherpunk spirit should (…) be much more expensive to destroy or disrupt than they are to use and maintain. — V. Buterin
Ethereum’s Ethash is a GPU-friendly PoW algorithm designed for ASICs resistance by cunningly requiring more RAM than manufacturers where soldering on their integrated chips back in 2015, knowing that the costs of replacing hardware would be discouraging for a number of years. As it happens, that number was “3” since the free market graced us with Bitmain’s E3 recently, an arrival that surprised no one but likely disappointed NVIDIA who made $289M from GPU mining in Q1 this year.
The response from the community was largely negative because ASICs mining gives wealthy investors a “dollar for dollar” advantage over hobbyist GPU miners competing for a part of the 1.5B Euros worth of ETH block-rewards paid out in 2017. More productively, an Ethereum Improvement Proposal (EIP) introduced a promising variation of the Nakamoto consensus protocol named ProgPOW whose design benefits the commodity hardware inside a laptop over ASICs.
Peercoin introduced Proof of Stake (PoS) in 2012 with a design that combined PoW with PoS for added security, but with a token issuance model based on the individual balances meaning that those with more wealth received more block rewards. In PoS, the block producer role rotates among a set of accounts whose substantial economic stakes in the network grant them the right to append blocks to the chain.
Fork decisions are often based on weighting stakes while Byzantine Fault Tolerant (BFT) styled variants introduce a multi-round voting process, designed to increase the protocol’s fault tolerance up to one-third of dishonest validators.
The security model is an economic one, based on the “game-theory” assumption that the cost of acquiring the tokens necessary to become a block producer is more than an attacker is willing to bear, that couples the network’s security to the value of its token, ie: the higher the value of the token, the more secure the network becomes.
The appeal of a low energy footprint decentralised consensus protocol with short confirmation times has Cosmos’ Tendermint and Ethereum’s Casper pushing the barriers of cryptoeconomic research, while the less ambitious Delegated Proof of Stake (DPoS) sees adoption in projects looking for the throughput that a small number of managed “super-nodes” can provide. Loom Networks, of CryptoZombies fame, does this with their game development environment and EOS with their production one.
PoS chains can be vulnerable to bribery attacks if the block reward issuance and distribution cause a “tragedy of the commons” problem. When validators feel their vote alone cannot alter an outcome, they may see a small bribery as a risk-free opportunity to maximise their investments.
PoS protocols where stakes are not deposited as collateral can’t penalise misbehaviour. Without economic penalties for attackers, the chain can suffer nothing-at-stake attacks where stakers are incentivised to validate all proposed forks to maximise their returns.
Tendermint was the first to address PoS’s weaknesses back in 2014 by requiring a deposit-as-collateral model for whitelisting validators. These stakes remained locked for a long period of time to dissuade cash-grab attacks looking for quick liquidity through an exchange.
Casper is the name for a family of PoS consensus protocols developed by the Ethereum Foundation (EF), with the first release dubbed the Friendly Finality Gadget (FFG) arriving on the mainnet later this year.
Casper’s design principles favour availability over consistency (ref: CAP theorem) and provide:
- Attack/defence cost asymmetry so that defenders have an economic advantage over attackers;
- Explicit cryptoeconomic mechanism-design to disincentivise censorship and prevent economies of scale;
- Account safety so that only misbehaving validators get penalised;
- Plausible liveness mechanism based on a minimal synchronicity assumption that nodes come on-line at least once every three months to avoid having their deposits slashed, meaning that unless one-third of validators are actively attacking the blockchain, there are always enough voters available to keep the blockchain safe;
FFG is a PoW / PoS hybrid that improves the cryptoeconomic security, network decentralisation and on-chain scalability of Ethereum by retaining PoW’s block creation mechanics and adding the PoS functionality and configuration as a smart-contract, reducing friction between the many client implementations which should result in a smooth upgrade process.
Hodlers wishing to become validators will need to deposit at least 1500 ETH in the Casper contract and have a node with stable connectivity ready within the ramp-up period of about 30 days after the hard-fork before they can begin their dynasty. The term dynasty defines the period in which a given account is able to vote to finalise checkpoints, being that a checkpoint is the last block in an epoch.
With the current average block-interval of 14 seconds, an epoch lasts about 12 minutes or the time it takes to produce 50 blocks.
When a checkpoint (cb) is appended to the chain, it’s not immediately finalised but only justified because we can only guarantee that it was voted in by two-thirds of the validator set. In order for the checkpoint to be finalised, it needs another epoch with a succeeding checkpoint (cb+1) to be appended to the chain because the validator set is randomised between the two elections and the second vote establishes the consensus view that checkpoint cb is definitely in the canonical chain.
The 50 blocks produced between the two checkpoints, cb and cb+1, are now part of a supermajority link that can no longer be reverted, thereby producing economic finality at ~20-minute intervals, or every 2 epochs.
The validator’s signature on a checkpoint provides non-repudiable attribution for their vote and locks their deposit as collateral against fraud or other attacks for a period that extends 1500 epochs beyond the end of their dynasty. This withdrawal delay window eliminates the nothing-at-stake problem and long-range-attacks by ensuring that misbehaving validators always have something at stake and can suffer significant economic losses if a slashing condition is detected.
Slashing conditions occur when a validator breaks one of the protocol rules and attempts to sign two conflicting checkpoints either by double-voting or by surround voting. Validators that stay offline for more than three weeks at a time will also face partial slashing, a measure that encourages keeping an updated view of the chain and penalises under-performers.
Punishable offences can be reported by anyone with an Ethereum account by sending a specially crafted message to the Casper contract, which will then pay 4% of the slashed amount as bounty and burn the rest of the offending validator’s penalty reducing the total supply of Ether.
Risk aversion and the prospect of a prolonged economic value-at-risk exposure can lead some investors not to take part in securing Ethereum, but they have the nice side effect of favouring decentralisation because converging on a few staking-pools and common infrastructure would attract constant cyber attacks, and increase the likelihood of slashing penalties due to a single software bug or connectivity fault. A staking-pool allows hodlers who can’t afford the 1500 ETH deposit on their own to take part in securing the Ethereum network by pooling smaller amounts, e.g: the minimum deposit with Rocket Pool is 32 ETH.
Impact on issuance
Casper will use a balance of 1.25M ETH to attract validators who, for their service, will be paid a fractional return proportional to the total deposited amount at stake. With an estimated 10M ETH at stake, the yield would be 5% per year for up to two years, a far more egalitarian distribution than is possible with PoW.
After the balance is exhausted this “credit-crunch” will force a new hard-fork, similar to how the “difficulty-bomb” in Ethash should prevent miners from running an old chain after an upgrade.
FFG significantly reduces the role of hashrate difficulty in securing Ethereum and miners will see block-rewards taper from the current 3 ETH to 0.6 ETH, a reduction of 80% over the course of 12 months after the upgrade.
The reduced inflation rate and the significant portion of total issuance deposited at stake will reduce the circulating ETH supply and, assuming demand over time continues to increase as Ethereum reaches deeper into the mainstream, this should reflect in the fiat exchange rate volatility, which is a strong incentive to participate in securing the network.
The scheduled block-reward reduction should see the network hashrate drop linearly with miners progressively leaving for more profitable PoW blockchains . As of June 2018, the mainnet’s hashrate sits at around 275 Th/s so an 80% reduction puts us back at July 2017 levels.
The projected drop in hashrate assumes miners are rational, in a game-theory sense, and will seek to maximise their investments, however even a hashrate of 55 Th/s raises the cost of a 51% attack to 250M Euros using the E3’s advertised price and specifications as a benchmark, meaning Ethereum will remain one of the safest public blockchains by PoW alone.
Beyond the hashrate cost barrier, the hard-coded block-reward reduction and credit-crunch should dissuade new investment in Ethash-specific mining at a time the E3 hasn’t shipped yet, while Casper’s cryptoeconomic defences severely limit and discourage 51% attacks. In short:
- The finality threshold of ~20 minutes limits the number of reversible blocks safeguarding transaction history;
- The fork-choice rule now favours the chain with most finalised checkpoints over the one with highest accumulated hashrate, meaning that a minority of miners can keep the canonical chain safe during the attack;
- Validators have deposits at stake so they will not finalise blocks on the attacker’s chain and risk having their Ether irreversibly slashed;
- Miners don’t receive rewards for working on shorter forks;
Theoretically, a majority collusion of validators may take over a proof of stake chain, and start acting maliciously. However, (i) through clever protocol design, their ability to earn extra profits through such manipulation can be limited as much as possible, and more importantly (ii) if they try to prevent new validators from joining, or execute 51% attacks, then the community can simply coordinate a hard fork and delete the offending validators’ deposits. A successful attack may cost $50 million, but the process of cleaning up the consequences will not be that much more onerous than the geth/parity consensus failure of 2016.11.25. Two days later, the blockchain and community are back on track, attackers are $50 million poorer, and the rest of the community is likely richer since the attack will have caused the value of the token to go up due to the ensuing supply crunch. That’s attack/defense asymmetry for you.
The above should not be taken to mean that unscheduled hard forks will become a regular occurrence; if desired, the cost of a single 51% attack on proof of stake can certainly be set to be as high as the cost of a permanent 51% attack on proof of work, and the sheer cost and ineffectiveness of an attack should ensure that it is almost never attempted in practice. — V. Buterin
FFG is only the first step in Ethereum’s transition to full PoS that will likely come from the Correct-by-Construction (CBC) branch of research led by Vlad Zamfir. The Friendly Binary Consensus and The Friendly GHOST (TFG) are two such protocols that, although still in an early phase of development, already show some promise and highlight CBC’s novel framework for achieving consensus.
Unlike traditional consensus protocols that formally specify and prove its safety properties upfront, CBC starts with an initial partial specification and a process to derive the remainder of the protocol in such a way that it’s proven to satisfy the desired consensus-safety properties, as configured by the nodes locally. The CBC process is divided into two steps:
- specifying data types and definitions that the protocol must satisfy to benefit from the implied results;
- “filling in the blanks” — defining implementations of data structures that satisfy the types and definitions required by the proof;
Using this approach makes each node safer since attackers won’t know which safety thresholds are set locally and, importantly, allows individual nodes greater flexibility in exploring the different tradeoffs in the finality latency, resource overhead and size of network trilemma affectively named Zamfir’s Triangle.
Being that in order for a block to be finalised at least 2/3 of the validator pool in the network must validate it, any blockchain can favour at most two of the three properties in the triangle:
- Finality Latency: how fast is a block finalised after it’s been proposed;
- Decentralisation: how many consensus-forming nodes can exist in the network;
- Resource Overhead: how many blocks per second do consensus-forming nodes need to verify;
As an example, Bitcoin sacrifices finality time for the sake of having a high but variable number of mining nodes with very low network bandwidth overhead.
TFG is a consensus protocol that uses the Greedy Heaviest Observed Sub-tree (GHOST) “fork choice rule” and explores the middle of the tradeoff triangle to achieve asynchronous BFT consensus safety on each block with the same network overhead of the Bitcoin blockchain in terms of messages/block/node, in a mission to find a very reasonable compromise to the trilemma.