Original title: "Proof-of-Stake is not Objective"
Original author: Alan Szepieniec
PoS has been proposed as a replacement for the PoW consensus mechanism. PoS consumes no energy; instead, miners (usually called validators in PoS systems) take part in block production by staking digital assets. The stake is the incentive: validators follow the rules in order to keep it. In theory, if the validators are honest, the network can quickly reach consensus on the order of transactions (and thereby recognize invalid double-spend transactions).
PoS has become a hot topic of controversy. Most of the criticism concerns security: does PoS make attacks cheaper? Many people have also raised concerns from a sociological perspective: concentration of power, concentration of wealth, plutocracy, and so on.
In this article I want to make a more fundamental criticism: PoS is inherently subjective. Which view of a PoS blockchain is the correct one depends on whose perspective you take. (The original uses the word "canonical"; in this translation "true", "canonical" and "authoritative" are used interchangeably for it.) Consequently, a) the cost of an attack cannot be measured in the blockchain's own currency unit, which invalidates the usual security analysis; b) if the parties to a transaction do not agree on which third parties are trustworthy, debts cannot be settled; and c) the settlement of disputes has to rely on the courts.
By contrast, PoW is an objective consensus mechanism: every party, whether involved in a transaction or not, arrives at the same view of the true history of the blockchain. As a result, any two economic actors can agree on whether a payment is complete without the intervention of courts or influential community members. This difference makes PoW suitable as the consensus mechanism for a digital currency, and PoS unsuitable.
One of the most basic operations a computer can perform is copying information. The operation leaves the original unchanged and produces an exact replica at essentially zero cost. Whatever is digital, a computer can copy.
However, some things that exist only in the digital world cannot be replicated. They are both digital and scarce. Bitcoin and other blockchain-based digital assets are good examples: they can be sent, but once sent, the sender no longer has them. People may disagree about why the market wants such assets, but the existence of that demand itself means they can serve as the object of transactions. Distilled into one word: currency.
To achieve digital scarcity, blockchain protocols replicate a ledger across the network. The ledger can be updated, but only by appending transactions that satisfy the following criteria:
- the owner of the digital asset being spent has consented
- the net sum of inputs and outputs is zero
- every output is positive
Any invalid update is rejected. As long as all protocol participants agree on the state of the ledger, digital scarcity is guaranteed.
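The three criteria above, written out as a validation routine. This is an added example, not code from the original article or from any real blockchain: it models a UTXO-style ledger in Go with Ed25519 signatures standing in for owner consent, and the names (Outpoint, Ledger.Apply, LedgerScenario, the Alice and Bob keys, the constructed genesis coin) are this example's own. The scenario applies one valid payment and then four attempted updates that each violate one rule, including the double spend the article refers to:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Outpoint names one coin (creating transaction id + output index); Output gives a coin an
// owner and a value; Input spends a coin with the owner's signature over the spending tx's id.
type Outpoint struct{ TxID [32]byte; Index int }
type Output struct{ Owner ed25519.PublicKey; Value int64 }
type Input struct{ Prev Outpoint; Sig []byte }
type Tx struct{ Inputs []Input; Outputs []Output }

// ID commits to every field except the signatures, so it is what owners sign.
func (tx *Tx) ID() [32]byte {
	h := sha256.New()
	for _, in := range tx.Inputs {
		fmt.Fprintf(h, "in:%x:%d;", in.Prev.TxID, in.Prev.Index)
	}
	for _, out := range tx.Outputs {
		fmt.Fprintf(h, "out:%x:%d;", out.Owner, out.Value)
	}
	var id [32]byte
	copy(id[:], h.Sum(nil))
	return id
}

type Ledger struct{ UTXO map[Outpoint]Output } // the replicated state: unspent coins

var (
	ErrUnknownCoin = errors.New("input is not an unspent coin (double spend or never existed)")
	ErrNoConsent   = errors.New("signature is not from the coin's owner")
	ErrNonPositive = errors.New("output value must be positive")
	ErrImbalance   = errors.New("inputs and outputs do not sum to the same value")
)

// Apply enforces the three criteria and mutates the UTXO set only if all of them hold.
func (l *Ledger) Apply(tx *Tx) error {
	id := tx.ID()
	var in, out int64
	spent := map[Outpoint]bool{}
	for _, i := range tx.Inputs {
		coin, ok := l.UTXO[i.Prev]
		if !ok || spent[i.Prev] { // spent by an earlier tx, or twice within this one
			return ErrUnknownCoin
		}
		if !ed25519.Verify(coin.Owner, id[:], i.Sig) { // the owner's consent
			return ErrNoConsent
		}
		spent[i.Prev] = true
		in += coin.Value
	}
	for _, o := range tx.Outputs {
		if o.Value <= 0 {
			return ErrNonPositive
		}
		out += o.Value
	}
	if in != out {
		return ErrImbalance
	}
	for p := range spent {
		delete(l.UTXO, p)
	}
	for k, o := range tx.Outputs {
		l.UTXO[Outpoint{TxID: id, Index: k}] = o
	}
	return nil
}

// pay builds a one-input transaction signed by priv, which may or may not own the coin.
func pay(prev Outpoint, priv ed25519.PrivateKey, outs ...Output) *Tx {
	tx := &Tx{Inputs: []Input{{Prev: prev}}, Outputs: outs}
	id := tx.ID()
	tx.Inputs[0].Sig = ed25519.Sign(priv, id[:])
	return tx
}

// LedgerScenario applies constructed transactions to a fresh ledger and reports each outcome.
func LedgerScenario() map[string]error {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	genesis := Outpoint{TxID: sha256.Sum256([]byte("genesis")), Index: 0} // constructed, coinbase-like
	l := &Ledger{UTXO: map[Outpoint]Output{genesis: {Owner: alicePub, Value: 50}}}
	r := map[string]error{}
	valid := pay(genesis, alicePriv, Output{bobPub, 30}, Output{alicePub, 20})
	r["alice pays bob 30, keeps 20"] = l.Apply(valid)
	change := Outpoint{TxID: valid.ID(), Index: 1}
	r["alice spends genesis again"] = l.Apply(pay(genesis, alicePriv, Output{alicePub, 50}))
	r["bob spends alice's change"] = l.Apply(pay(change, bobPriv, Output{bobPub, 20}))
	r["alice inflates supply"] = l.Apply(pay(change, alicePriv, Output{alicePub, 25}))
	r["alice pays a negative amount"] = l.Apply(pay(change, alicePriv, Output{alicePub, 30}, Output{bobPub, -10}))
	return r
}

func main() { fmt.Println(LedgerScenario()) }
```

The second rule as the article states it admits no fees; a real chain relaxes it to inputs ≥ outputs and pays the difference to the block producer. The consent check signs the transaction id rather than the input alone, so a signature cannot be lifted onto a different transaction spending the same coin.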
Achieving consensus turns out to be hard. Poor network conditions can produce divergent versions of history; packets may be lost or delivered out of order. Divergence is common to all networks.
Blockchains solve this problem in two steps. First, a blockchain orders all transactions, so that the competing versions of history can be represented as a tree. Second, it defines a criterion on transaction histories, the fork choice rule, which selects the generally accepted, true branch from that tree: the canonical branch. (Here "canonical" is rendered as "authoritative" to emphasize that the branch is both generally accepted and correct.) Note that validity is only a necessary condition for canonicity: a history containing invalid transactions does not even enter the competition.
A trusted authority or a digital referendum could easily confer canonicity. However, a trusted authority becomes a single point of failure for the system, and relying on governments for identity services would turn an otherwise apolitical cryptocurrency into a political tool. Moreover, both schemes assume that all parties agree on the identity and trustworthiness of the third party.
We want to reduce this trust assumption. The ideal solution would base the decision about canonicity entirely on mathematics.
A solution based on mathematics has a remarkable property: the result of the calculation is independent of who performs it. That is exactly what an objective consensus mechanism is. One caveat in particular: we must assume that all participants agree on the same point of reference, e.g. the genesis block or the hash digest of the genesis block. An objective consensus mechanism lets any party infer the true transaction history from that reference point.
It does not matter which branch of the tree of transaction histories is considered canonical; what matters is that all participants agree on the choice. Nor does the whole tree need to be visible to any one computer. It suffices for each node to store a small number of branches, in which case the fork choice rule only ever compares two candidate transaction histories at a time. Strictly speaking, the term "canonical transaction history" is misleading, since canonicity here is relative: nodes discard the less canonical branch and broadcast the more canonical one, and every batch of transactions appended to a history increases its canonicity.
For the network to converge quickly on a canonical transaction history, the fork choice rule needs two properties. First, it must be well defined and efficiently evaluable on any two transaction histories; second, it must be transitive across any three. In mathematical terms, let U, V and W be any three transaction histories and let "<" mean that the fork choice rule prefers the history on the right over the one on the left. Then:
Either U < V or V < U
U < V and V < W together give U < W
For the ledger to support updates, a transaction history must be extendable in a way that is compatible with the fork choice rule. This requires two further properties. First, given two histories one of which is an extension of the other, the rule must prefer the extension. Second, an extension of the (previously) canonical history must be more likely to be preferred than an extension of a non-canonical one. Let E denote the appended content and || the extension operation; then:
U < U || E
U < V => Pr[U || E < V || E] > 1/2
This last property gives honest extenders an incentive to extend the canonical transaction history rather than one that is not known to be canonical. Under this incentive, honest but conflicting extensions differ only at the tip, that is, only with respect to recent events. The earlier an event is recorded, the less likely it is that a different, more canonical version of history branching off before it will reorganize and overturn it. From this perspective, the canonical history can be defined as the limit toward which the versions of history circulating in the network converge.[1]
A glaring weakness of the process described above is that it requires honesty from the extenders. What if an extender misbehaves? If the attacker controls the random variable implicit in the probability above, he can bias it in his favor and raise the probability of a successful deep reorganization. Even if he cannot control the randomness, as long as he can generate candidate extensions cheaply, he can evaluate the fork choice rule locally as often as he likes until he finds an early point of divergence and an extension from it that is more canonical than any branch broadcast so far.
What is needed here is not a mechanism that prevents dishonest extensions. In an adversarial network environment, dishonesty is hard even to define: an attacker can ignore or delay the broadcast of messages he dislikes and then blame the network. What we need is a mechanism that makes deep reorganizations more expensive than shallow ones, with the cost growing with depth.
Satoshi Nakamoto's consensus mechanism is the archetypal cumulative PoW. To extend a version of history with a new batch of transactions (a "block"), a would-be extender (a miner) must first solve a computational puzzle. The puzzle is expensive to solve but cheap to verify, hence the name Proof of Work. Only once the puzzle is solved is the new block (together with the history it extends) eligible to compete for canonicity. A "knob", the difficulty parameter, is adjusted automatically so that the expected time to find the next solution stays constant regardless of how many participants are solving the puzzle or how many resources they invest. The same knob also gives an unbiased measure, in units of difficulty, of the work required to solve the puzzle.
Anyone can participate in solving the puzzle, regardless of authorization, key material or hardware. The only limiting factor is the resources a miner is willing to spend for a chance of finding a valid block. The probabilistic and easily parallelized nature of the puzzle favors cost-efficient miners, i.e. those who get the most computation per unit of energy, even if their computations per second are lower.
As long as we know each block's target difficulty (the knob setting), we can easily estimate the total amount of work a given branch of history represents. The PoW fork choice rule prefers the branch with the greater estimated total work.
Miners race to find the next block; the first to find one and broadcast it successfully wins. Assuming miners do not withhold valid blocks,[2] they build on a new block from another miner as soon as they receive it, because not doing so would work against them. Building on a known stale block is irrational: such a miner has to catch up with the rest of the network and find two new blocks to win against the existing canonical history, which on average is twice as hard as extending the longer, most recent branch. In PoW blockchains reorganizations tend to happen only at the tip of the history tree, not because miners are honest but because the cost of reorganization grows with depth. A good illustration: according to an answer on StackExchange, excluding forks caused by software upgrades, the deepest fork on the Bitcoin blockchain had depth 4, i.e. 0.0023% of the block height at the time.
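The cumulative-work fork choice rule and the depth-dependent reorganization cost described above, as an added example (not code from the original article, from Bitcoin or from Neptune). It is a toy PoW chain in Go: the "knob" is the number of leading zero bits a block hash must have, the expected work per block is 2^bits, the difficulty is never adjusted, and ChainWork, Prefer, HonestChain and Reorg are this example's own names. Reorg plays an attacker who forks a given depth below the tip and must mine until the rule prefers his branch; at equal difficulty that takes depth+1 new blocks, so his cost grows with depth while the honest branch costs everyone else nothing but verification:

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Block records the history it extends, a payload, the difficulty it was mined at (the "knob":
// how many leading zero bits its hash must have) and the nonce that satisfied that target.
type Block struct {
	Prev    [32]byte
	Payload string
	Bits    uint
	Nonce   uint64
}

func (b *Block) Hash() [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%x|%s|%d|%d", b.Prev, b.Payload, b.Bits, b.Nonce)))
}

func leadingZeroBits(h [32]byte) uint { return uint(256 - new(big.Int).SetBytes(h[:]).BitLen()) }

// Valid is the cheap side of the puzzle: does the hash meet the block's own target?
func Valid(b *Block) bool { return leadingZeroBits(b.Hash()) >= b.Bits }

// Mine is the expensive side: try nonces until the target is met. Returns the block and the
// number of hashes actually evaluated.
func Mine(prev [32]byte, payload string, target uint) (*Block, uint64) {
	b := &Block{Prev: prev, Payload: payload, Bits: target}
	for tries := uint64(1); ; tries++ {
		if Valid(b) {
			return b, tries
		}
		b.Nonce++
	}
}

// ExpectedWork is the unbiased estimate the knob provides: 2^Bits hashes per block on average.
func ExpectedWork(b *Block) uint64 { return 1 << b.Bits }

// ChainWork totals the expected work of a history. A broken link or an unmet target makes the
// history invalid, and an invalid history does not compete at all.
func ChainWork(chain []*Block) (uint64, bool) {
	var prev [32]byte
	var total uint64
	for _, b := range chain {
		if b.Prev != prev || !Valid(b) {
			return 0, false
		}
		total += ExpectedWork(b)
		prev = b.Hash()
	}
	return total, true
}

// Prefer reports U < V in the article's notation: V is valid and has strictly more total work.
func Prefer(u, v []*Block) bool {
	wu, okU := ChainWork(u)
	wv, okV := ChainWork(v)
	return okV && (!okU || wv > wu)
}

// HonestChain mines n blocks in sequence at a fixed difficulty.
func HonestChain(n int, target uint) []*Block {
	var chain []*Block
	var prev [32]byte
	for i := 0; i < n; i++ {
		b, _ := Mine(prev, fmt.Sprintf("honest %d", i), target)
		chain = append(chain, b)
		prev = b.Hash()
	}
	return chain
}

// Reorg plays the attacker: fork `depth` blocks below the tip of honest and keep mining until
// the rule prefers the fork. Returns the attacker's history and the hashes it had to spend.
func Reorg(honest []*Block, depth int, target uint) ([]*Block, uint64) {
	attack := append([]*Block{}, honest[:len(honest)-depth]...)
	var spent uint64
	for !Prefer(honest, attack) {
		var prev [32]byte
		if len(attack) > 0 {
			prev = attack[len(attack)-1].Hash()
		}
		b, tries := Mine(prev, fmt.Sprintf("attack %d", len(attack)), target)
		attack = append(attack, b)
		spent += tries
	}
	return attack, spent
}

func main() {
	honest := HonestChain(8, 10)
	for _, depth := range []int{1, 2, 4} {
		attack, spent := Reorg(honest, depth, 10)
		fmt.Printf("reorg depth %d: %d new blocks, about %d hashes\n", depth, len(attack)-len(honest)+depth, spent)
	}
}
```

Running main mines at 10 bits, roughly a thousand hashes per block, so it finishes in well under a second; the printed hash counts vary between runs while the block counts do not. Prefer returns false on a tie, which is what forces the attacker to produce strictly more work than the honest branch rather than merely as much.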
PoS was proposed as a replacement for PoW. What determines the canonical transaction history is not the largest amount of work spent on a cryptographic puzzle but the public keys held by special nodes called validators. Specifically, validators propose new blocks by signing them. Participating nodes verify the authenticity of a transaction history from the signatures on its constituent blocks.
So nodes do have a way to tell whether a transaction history is valid. The point is that a block backed by a signature (or several signatures) is merely a strong contender for the tip of the true history. A validator must not sign two competing blocks, because the two signatures would be proof of misbehavior and would cost the validator its collateral.
This process is publicly visible. Anyone who deposits a certain amount of cryptocurrency into a special escrow account can become a validator. The deposit is the collateral: if the validator misbehaves, it is forfeited. Nodes verify that the signature on a new block matches the public key the validator supplied when depositing the collateral.
In a PoS blockchain the definition of the true transaction history is entirely recursive. A new block is valid only if it carries the correct signature; a signature is valid only if it matches a validator's public key; and the set of validator public keys depends on previous blocks. The PoS fork choice rule is therefore not defined on arbitrary pairs of competing histories: if two histories are each self-consistent, the rule cannot choose between them.
In the PoW blockchain, by contrast, the true history is also defined recursively, but not to the exclusion of external input. Specifically, the PoW fork choice rule relies on randomness whose unbiasedness is objectively verifiable.
External input is the main difference between PoW and PoS. In PoW the fork choice rule is defined for any pair of histories, which is the precondition for talking about a canon at all. In PoS, truth can only be defined relative to previous history.
Does this matter? In principle, if there are two self-consistent but contradictory histories, someone must have lied somewhere. The liar can be identified and punished, and the blockchain can roll back to the first point of divergence, where the validator set was still undisputed, and start again from there.
The problem is that this ignores time. If a validator signs a block contradicting a block from ten years ago (that is, only now signs and publishes a block that conflicts with one confirmed ten years earlier), the transaction history from that point on has to be rewritten. The malicious validator's collateral is forfeited, transactions that spend its staking rewards are voided, and so are all transactions downstream of them. Given enough time, a validator's staking rewards can permeate the blockchain economy on a large scale, so a recipient of tokens can never be sure that all of their dependencies will remain valid in the future. There is no finality at all, because a deep reorganization is no harder or more expensive than a shallow one.
The only way to solve this problem is to limit the permitted depth of reorganization. In other words, a history that contradicts the currently accepted one, with a first point of divergence earlier than some threshold, is ignored. If a node finds that a competing history diverges from its currently accepted history too far back, it rejects it outright, without even checking its validity. As long as some nodes are online at all times, this guarantees continuity: with excessively deep reorganizations forbidden, the blockchain can only grow in one direction.
This fix turns PoS into a subjective consensus mechanism. The answer to "what is the current state of the blockchain?" depends on whom you ask and cannot be verified objectively. An attacker can produce a transaction history that is just as self-consistent as the real one. A node that wants to know which history is true can only pick a set of peers and trust their answer.
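The recursive validity, the long-range attack and the reorganization-depth limit described in the preceding paragraphs, as an added example (not code from the original article or from any PoS implementation). It is a toy PoS chain in Go with Ed25519 block signatures: a block carrying a Deposit admits a new validator key, ValidHistory derives the validator set from the chain itself, Node.Offer enforces a maximum reorganization depth before it looks at anything else, and the "longer chain wins" tie-break among admissible candidates is an assumed stand-in for a real PoS fork choice rule; all names are this example's own. Genesis validator G admits A, who builds the honest chain; G later signs a conflicting first block admitting B, who builds a longer rival. Both histories verify, the two first blocks prove that G equivocated, and yet which chain a node ends up on depends only on which one it saw first:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// A block is proposed by signing it. One carrying Deposit admits that key to the validator set
// (the stake itself is not modelled); an ordinary block has Deposit == nil.
type Block struct {
	Prev            [32]byte
	Deposit, Signer ed25519.PublicKey
	Payload         string
	Sig             []byte
}

func (b *Block) Hash() [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%x|%x|%s|%x", b.Prev, b.Deposit, b.Payload, b.Signer)))
}

func Propose(prev [32]byte, priv ed25519.PrivateKey, deposit ed25519.PublicKey, payload string) *Block {
	b := &Block{Prev: prev, Deposit: deposit, Payload: payload, Signer: priv.Public().(ed25519.PublicKey)}
	h := b.Hash()
	b.Sig = ed25519.Sign(priv, h[:])
	return b
}

// ValidHistory is recursive: the keys allowed to sign block i are computed from blocks 0..i-1
// plus the agreed genesis validator. Nothing from outside the chain enters the check.
func ValidHistory(genesis ed25519.PublicKey, chain []*Block) bool {
	allowed := map[string]bool{string(genesis): true}
	var prev [32]byte
	for _, b := range chain {
		h := b.Hash()
		if b.Prev != prev || !allowed[string(b.Signer)] || !ed25519.Verify(b.Signer, h[:], b.Sig) {
			return false
		}
		if b.Deposit != nil {
			allowed[string(b.Deposit)] = true
		}
		prev = h
	}
	return true
}

// Equivocation is the one misbehavior the chain can prove: one key signed two different blocks
// on the same parent. Which of the two is "the lie" is not decidable from the chain itself.
func Equivocation(a, b *Block) bool {
	ha, hb := a.Hash(), b.Hash()
	return a.Prev == b.Prev && string(a.Signer) == string(b.Signer) && ha != hb &&
		ed25519.Verify(a.Signer, ha[:], a.Sig) && ed25519.Verify(b.Signer, hb[:], b.Sig)
}

func forkPoint(a, b []*Block) int {
	i := 0
	for i < len(a) && i < len(b) && a[i].Hash() == b[i].Hash() {
		i++
	}
	return i
}

// Node holds one view of the chain. Offer refuses any reorganization deeper than MaxReorg before
// even looking at validity; among admissible valid candidates it keeps the longer one (assumed).
type Node struct{ Genesis ed25519.PublicKey; Chain []*Block; MaxReorg int }

func (n *Node) Offer(candidate []*Block) bool {
	tooDeep := len(n.Chain)-forkPoint(n.Chain, candidate) > n.MaxReorg
	if tooDeep || !ValidHistory(n.Genesis, candidate) || len(candidate) <= len(n.Chain) {
		return false
	}
	n.Chain = candidate
	return true
}

// extend appends n ordinary blocks signed by priv to a copy of chain.
func extend(chain []*Block, priv ed25519.PrivateKey, n int, tag string) []*Block {
	out := append([]*Block{}, chain...)
	for i := 0; i < n; i++ {
		out = append(out, Propose(out[len(out)-1].Hash(), priv, nil, fmt.Sprintf("%s %d", tag, i)))
	}
	return out
}

// StakeScenario: G admits A, who builds the honest chain; much later G signs a conflicting
// first block admitting B, who builds a longer rival chain (a long-range attack).
func StakeScenario() (bothValid, equivocated, honestSwitches, freshTakesFirst, freshTakesSecond, shallowAccepted bool) {
	gPub, gPriv, _ := ed25519.GenerateKey(rand.Reader)
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)
	honest := extend([]*Block{Propose([32]byte{}, gPriv, aPub, "admit A")}, aPriv, 9, "honest")
	attack := extend([]*Block{Propose([32]byte{}, gPriv, bPub, "admit B")}, bPriv, 10, "attack")
	shallow := extend(honest[:8], aPriv, 3, "shallow") // forks two blocks below the honest tip
	honestNode := &Node{Genesis: gPub, Chain: honest, MaxReorg: 5}
	fresh := &Node{Genesis: gPub, MaxReorg: 5} // a newly started node with no history of its own
	return ValidHistory(gPub, honest) && ValidHistory(gPub, attack), Equivocation(honest[0], attack[0]),
		honestNode.Offer(attack), fresh.Offer(attack), fresh.Offer(honest), honestNode.Offer(shallow)
}

func main() { fmt.Println(StakeScenario()) }
```

The shallow fork shows the threshold doing its intended job: a branch forking two blocks below the tip is adopted, while the branch forking at the first block is refused before ValidHistory is even consulted. The fresh node has no basis for refusing either history, so whichever reaches it first fixes its view and it then refuses the other; that is the trust in a chosen set of peers the article describes.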
One might argue that if the cost of forging a transaction history is high enough, the hypothetical attack above is not a concern. That argument may be true, but the cost in question is an external, real-world quantity, so whether the argument holds depends on factors that are not reflected on the blockchain. For example, an attacker may forfeit all of his collateral on one history and not care in the least, because he can use legal or social means to make sure the other history is the one accepted. Any security analysis or attack-cost calculation that considers only the on-chain world and ignores the outside world is inherently flawed.
In a PoS cryptocurrency, not only the cost but also the reward is subjective. If what the attacker gets for his trouble is not a reward but a broadcast from the official developer team explaining why they chose the other branch, what was his purpose? Presumably extrinsic rewards: for example, he bought put options, or he simply enjoys wreaking havoc. The point is that the argument that an attacker's payoff is bounded by the market capitalization of the PoS cryptocurrency does not hold, because the aim of the attack is unlikely to be intrinsic (on-chain) rewards.
Money is, in essence, a thing used to settle debts. Settling a debt requires agreement between the parties, in particular on the choice of currency and the amount. If there is a dispute, not only does the debt remain outstanding, but it becomes impossible to close future deals on the same or similar terms.
Effective debt settlement does not require a world currency, so a subjective currency can work within a region where consensus holds. But bridging the gap between any two small economies or individuals requires global consensus. An objective consensus mechanism can establish global consensus; a subjective one cannot.
A PoS cryptocurrency therefore cannot provide a new foundation for the backbone of global finance. The world consists of many countries, and countries do not recognize one another's laws. If different countries disagree about the true state of the transaction history, the only way to resolve the disagreement is war.
Consider what happens if a PoS blockchain has two conflicting transaction histories and a cryptocurrency exchange holds large deposits that are available for withdrawal on only one of the branches. The exchange may choose the history that favors its own books, but if the rest of the community, swayed by the PGP-signed statements, tweets and Medium articles of the foundation, the developers and the opinion leaders, chooses the other history, the exchange bears the loss. In that case the exchange has ample motivation, and arguably an obligation, to find the responsible party and recover the loss. Who is that? The foundation that develops and supports the PoS blockchain; the freelance developers who work for it; even opinion leaders who write no code but publicly backed the history that is unfavorable to the plaintiff.
In the end, the court will decide which transaction history is correct.
According to its supporters, PoS achieves the same goal as PoW without PoW's wasteful energy consumption. They tend to ignore that every design decision involves a trade-off. Yes, PoS saves energy, but at the cost of the objectivity of the consensus mechanism. Where only partial consensus is needed, that is good enough. But then the question arises: what was the point of removing trusted authorities from the consensus mechanism in the first place? For the backbone of global finance, an objective consensus mechanism is essential.
Self-reference gives PoS an inherent subjectivity: which transaction history is correct depends on where you stand. The question "is PoS secure?" tries to shift the analysis onto an objective measure of cost that does not exist. In the short run, the correct fork is whichever is favored by influential community members. In the long run, courts will decide which fork is correct, and local consensus will be bounded by the borders between jurisdictions.
In a PoW blockchain, miners consume energy the way a car consumes diesel. The energy is not wasted; it is exchanged for cryptographically verifiable, unbiased randomness. We do not know how to build an objective consensus mechanism without this critical ingredient.
Thanks to Ren Zhang, Ferdinand Sauer and Thorkil Værge for feedback and comments.
[1] Pursuing the strict definition of the correct transaction history as a limit leads to an interesting line of thought. There is a real number between 0 and 1 whose binary expansion matches the consensus encoding of the transaction history, and which represents not only the past but also the present and the future; newer blocks are encoded in less significant bits. The sequence of numbers encoding truncated histories converges, since each element encodes one more block than the previous one, so the limit of the transaction history is well defined. This view treats the whole monetary system as an inevitable by-product of computing ever more precise approximations of that number. However, the number is not a consequence of axioms but depends on the universe, so it is more like a fundamental physical constant than a fundamental mathematical constant. Arguably, the Bitcoin blockchain is the most precisely measured physical constant in all of science.
[2] Conversely, if we assume that miners deliberately delay broadcasting blocks they have found, we are analyzing the selfish mining attack. A full profit-and-loss calculation shows that selfish mining is only profitable after a difficulty adjustment, and only if the difficulty adjustment algorithm does not take the proof-of-work of orphaned blocks into account. (Neptune's difficulty adjustment algorithm does take orphaned blocks into account.) The existence of selfish mining does not affect the conclusion that reorganizations tend to occur only at the tip of the transaction history, since the cost of reorganization grows with depth.