What kind of consensus algorithm do we need?

"The reason we need the blockchain is because the biggest concern for the centralized system is not the size of the cost, but it is precisely the cost of doing things that cannot be estimated and cannot be quantified.

The return of evil is not limited to the system, but can also be outside the system. Even the most transparent listed companies, we can't know all the sources of revenue for shareholders, so we can't quantify how much benefit they can get outside the system by doing evil.

Whether it is POS or POW, when the "big node" in the blockchain is too concentrated, we will face the same problem as the centralized system – we can't quantify the security of the system, so we have to pin the security on the node. Trust, not quantifiable on the cost of evil. This is Dr. Ren's third article on POW vs POS, which will be the final article in this series.

Author: Maxdeath (Dr. Ren Jie), a senior fellow at VeChain. His main research directions include blockchain consensus algorithms, scaling, and applications, and he has published several papers at international academic blockchain conferences.

"Because POW and POS (or any other algorithm) have different attributes on different attributes, they are each suitable for different scenarios, so they will coexist in reality, and different blockchains can use different algorithms."

This seems to be a more popular view now, and it is also a more ambiguous and ambiguous view.

But this is not my opinion.

I think my opinion has already been expressed clearly in the previous two articles:

Compared with security, all other properties are secondary details.

Likewise, I think the algorithm that is inferior in security is the worse algorithm.

So we return to the question we wanted to discuss last time but never got to:

What kind of consensus algorithm do we need?

In fact, the arguments above may have been more in focus two or three years ago. In many people's eyes, even when I write about scaling, sharding or off-chain technology, these are things that were already outdated two years ago. As for "POW" and "security", they seem to have been debated since the era, n years ago, when public-chain projects exploded; the outcome is that most of those public chains have died without any conclusion. So now both sides have decided to take a step back and say: "Each has its advantages and disadvantages, and each suits different scenarios."

So why should I write about this question? Why not write about more popular topics, such as DeFi, on-chain governance, the staking economy, value capture, ecosystem building, and so on…

Because in my opinion this problem is not out of date; on the contrary, it has never been more important.

Because in my opinion all of the problems above are, in the end, security problems.

Because what the blockchain itself solves is a security problem.

"Security" means that the system can reliably do what it should do under our assumptions.

So, what is the security of the consensus algorithm?

On the one hand, as already discussed in the previous two articles, "security that everyone believes in" is not real security, and "it has not been broken in practice" is not a guarantee of security either.

So is theoretical security enough? If there is a paper with a mathematical proof, is it always secure enough?

In fact, not entirely.

In theory, we can prove from the distributed-systems side that a consensus algorithm is Byzantine fault tolerant, or prove from the cryptographic side that every mechanism that uses cryptography is secure, or use the Bitcoin Backbone Protocol model to prove that an algorithm is suitable for blockchain consensus because it has the same properties as Bitcoin. However, all of these security proofs rest on certain theoretical models or assumptions; they do not mean the algorithm must be secure in reality.

For example, in BFT the assumption of more than 2/3 honest nodes does not hold equally for different algorithms. If the algorithm only requires an honest node to run a client that verifies 1MB of transactions every ten minutes, then most nodes may well be honest; but if it requires honest nodes to verify 1M transactions per second, then many nodes with insufficient bandwidth and computing power will be unable to keep up, and in the BFT model those nodes become "dishonest". If, at that point, each node can receive a corresponding incentive, they may become honest again. Therefore, an algorithm proven to be Byzantine fault tolerant is not necessarily secure in reality, and an algorithm that tolerates 1/3 faulty nodes is not necessarily more secure in reality than one that tolerates 1/5.

Another example: leaving selfish mining aside, Bitcoin is theoretically "secure" because the assumption is that "a malicious node cannot control more than 50% of the hash power." But as we said before, this assumption is itself not realistic. First, the difficulty of obtaining 50% of the hash power is very low. Second, in practice, more than 50% of the hash power of some POW projects is controlled by one or a few nodes.

In other words, even in academia there is currently no definitive definition, or widely recognized and realistic model, for describing the "security" of blockchain systems in reality, so we have no proof of what a "secure" consensus algorithm is.

A provably secure consensus algorithm only shows its security under certain assumptions and in certain models. Although this is better than no proof at all, while we are still searching for a model that describes blockchains better, it is too early to say that such an algorithm is the "secure" consensus algorithm we are looking for, and that the blockchain systems using it can sit back and relax.

So, what is the "safe" blockchain consensus algorithm?

The security I am talking about here is not security in the traditional information-security sense.

Here, "security" means that the system can reliably do what it should do under our assumptions.

This, in my opinion, is the primary responsibility of a blockchain consensus algorithm, above all other properties.

Because the primary responsibility of the blockchain itself is also security.

This is another rather "non-mainstream" view. I guess many people will say: "Isn't the primary responsibility of the blockchain decentralization?"

Of course, I admit that decentralization is very important. Decentralization is the most prominent feature of the blockchain and the biggest difference between a blockchain and a centralized system. Without "decentralization", a blockchain cannot be called a blockchain.

But don't forget that Bitcoin was born out of the original cypherpunk community. Isn't the reason we need decentralization precisely that we do not trust the security and reliability of centralized systems? That is, when a center such as a bank or a government tells us it will do something, and tells us "this is a digital currency, the money in it is safe in my system, please rest assured," we do not fully believe that it will reliably keep its promise to us.

All practitioners in the blockchain field should remember one thing:

We need blockchains, but others don't care. What they need is a better system, whether it is centralized or decentralized.

So we need decentralization, but its purpose is this: we need a decentralized blockchain so that we can quantify its security without relying on trust in some center, and in the end obtain a system that is more secure than a centralized system.

So if decentralization and security sit on the two sides of the scale, I will choose security every time; if the two sides are a "more decentralized but less secure system" and a "less decentralized but more secure system", then I will choose the latter every time.

That said, at this stage we really do need to explore "less secure but more decentralized" approaches, but please remember: if we all go in that direction and go too far without turning back, what is eventually abandoned will not be one system, but the entire blockchain technology.

Therefore, in my opinion, security comes first.

In other words, we can set aside whether a blockchain does what it should do "efficiently", whether it does it "quickly", whether it can do "enough" of it, even whether it does it in an "energy-saving" way; we can set aside whether its way of doing things is simple enough and elegant enough to attract everyone to participate in building an ecosystem, or whether it can start up, evolve and govern itself and spontaneously form a healthy ecosystem…

Because apart from "reliability", all of these have already been achieved in centralized systems.

Yes, we may only know how to achieve these in a centralized setting and not yet know how to achieve them in a decentralized one; that is indeed the focus of current academic and industrial research, and the focus of the media and of this circle under the spotlight.

However, without security, all of this becomes water without a source.

Because the question we cannot answer is:

Even if we can build a decentralized system, even if we work out decentralized implementations of all the functions above, if the system that implements all these functions is not reliable, if its security cannot be quantified, or if in the end its security still mainly depends on trust in some center, a founder, a company, or a few miners, then why would we give up the already mature centralized solutions to use a blockchain system?

In other words, isn't the reason we promote blockchain and invest in this field precisely that we think centralized systems are not "reliable", and therefore hope to replace "trust" with "algorithms" and "people" with "machines"?

What's more, as I said above, everything we are discussing is, in the final analysis, still a security issue. Whether it is off-chain technology, on-chain governance, incentives, ecosystem building or economic models, all of it, once implemented on chain, comes back to the security of the blockchain consensus algorithm:

If the consensus algorithm is not secure, why do you believe the nodes will carry out the decisions voted on chain?

If the consensus algorithm is not secure, why do you think the nodes will honestly distribute the incentives?

If the consensus algorithm is not secure, why do you think it can be the infrastructure of the so-called Internet of value?

If the consensus algorithm is not secure, how can you use the blockchain as a trusted third party, build sidechains and branches, run DApps, and build an entire ecosystem on it?

This is why I think this topic is not out of date, and that it needs to be raised precisely now:

Recently, the cooling of the consensus-algorithm debate and the ebb of the public-chain wave have led capital and public opinion to chase new topics and projects. At the same time, this has brought a blind optimism, the illusion that consensus algorithms are already mature infrastructure, completely ignoring one fact:

The most widely used POW, which is considered absolutely secure, is actually far less secure than we think. And the POW vs. POS question we have been discussing has never reached a conclusion. Everyone is envisioning the future of blockchain, how to build an ecosystem around it, how to use it to reshape the economy, how to change the world through it, and only a few people and very few voices pay attention to whether this blockchain can actually be used at all.

Therefore, we always need this discussion and research that returns to the essence: what kind of consensus algorithm do we need, and what should a truly secure blockchain look like?

We need a standard to measure blockchain security

On this question, I have in fact already expressed my opinion in the analysis above: the first criterion for a blockchain consensus algorithm is the ability to reliably implement its design. We must understand that when we use an algorithm to replace the "trust" part, the consensus reached must be reliable, and its reliability must be quantifiable. Otherwise, the whole blockchain is meaningless, because everything it can do a centralized system can do faster and better, while we are not even sure it is more reliable than a centralized system.

This kind of quantifiable security cannot stop at the level of "we feel it is secure", nor at the level of "it has never happened"; even staying at the level of "we can prove it in theory" may have been barely enough in the early years of exploration, but it is stretched thin now that huge amounts of capital have begun to build ecosystems on top of it. We need a quantitative analysis method and model to calculate the security of a consensus algorithm. More ideally, we should be able to quantify the security of each property according to the requirements of the consensus algorithm's application scenario.

For example, for a secure hash function we can calculate how much computing power is needed to "break" it (find a collision), so we can quantify the attack cost of the hash function from the price and running time of the corresponding hardware. Similarly, we can calculate the attack cost of elliptic-curve cryptography. In fact, in the field of information security, this kind of analysis is very common, from theory to practice.

Now, I think it is time to extend such a model to the realm of blockchains, even though we need to overcome many difficulties:

The core question is how we define security and how we define an attack, which is not easy for blockchains.

Take Bitcoin as an example. If we evaluate Bitcoin by the standards of cryptography, its security is full of holes. For a hash function, for instance, we consider it insecure as long as there is any method better than exhaustive search. But for Bitcoin, even leaving aside the most famous "selfish mining" problem, the empty blocks on the Bitcoin chain make it clear that miners have a more profitable way to mine blocks than the "honest" one. Some people may say that this does not affect security, but in fact it affects Bitcoin's liveness, just as a "dust attack" is also an attack on liveness.

And this is also the limitation of current security proofs for blockchain consensus algorithms: to prove the absolute security of an algorithm, we can only sacrifice the realism of the assumptions. For example, we must assume that more than 50% of the hash power is honest, or that 2/3 or more of the nodes are honest, and we cannot concern ourselves with the reality behind this assumption, such as whether there is enough incentive for these nodes to honestly perform every step of the algorithm, or whether such an assumption can be made in the application scenario at all. The drawbacks of this approach were already evident in the earlier analysis of POW algorithms that are easily hit by 51% attacks: we can of course make the "honest majority" assumption for any resource, but if this assumption does not hold in reality, then the security proved using it is also meaningless.

On the other hand, the security of a consensus algorithm is treated separately from its application scenario. For the security of a consensus algorithm, we either prove via BFT that "it achieves Byzantine fault tolerance", that is, consistency and liveness for all data, or prove via the Bitcoin Backbone Protocol model that it yields a growing, consistent ledger. In other words, in the former we regard the blockchain as a Byzantine-fault-tolerant distributed database, and in the latter as a distributed ledger similar to Bitcoin. However, the applications built on top of blockchains have long exceeded the scope of distributed databases and ledgers. For example, for a distributed ledger, consistency is more important than liveness (so many people may think that empty blocks are not a breach of Bitcoin's security).

Thus Bitcoin's POW algorithm does not guarantee the liveness of transactions; it only guarantees the liveness of transactions that make it on chain, and uses the transaction-fee model to encourage miners to include as many transactions as possible, that is, to ensure sufficient liveness for transactions that pay a sufficient fee. However, serious problems arise when this consensus algorithm is applied to other applications that require high transaction liveness. For example, FOMO3D was in fact attacked through the liveness of Ethereum transactions. That the models of Bitcoin and Ethereum do not guarantee transaction liveness is no secret in the industry, but it is undeniable that, since Ethereum and other blockchains do have such applications, excluding this situation from the security analysis of consensus algorithms shows that the model is incomplete.

Therefore, we need a more practical, application-oriented, goal-oriented and scenario-based evaluation of blockchain security, in which:

1. Rather than the provable security of each mechanism, we are more concerned with whether the system can achieve its intended function.

2. We are more concerned with relative security in a real-world context than with absolute security under certain conditions. This is consistent with our previous analysis, that is, what we care about is the cost of breaking the system so that it can no longer do what it should do.

3. Then, for the properties that make up "its intended function", we should weigh their importance according to the actual situation. For example, the demands a currency places on consistency, liveness, censorship resistance and anonymity depend on the scenario. If the scenario is a black market, anonymity may need to rank above liveness; but if the scenario is transactions and payments, we should weigh them according to the requirements of a payment platform.

The above definition is not rigorous, but after all this is only a proposal; we are not writing a thesis.

From this point of view, for the consensus algorithm of a digital currency we in fact do not need to consider 51% attacks, long-range attacks or nothing-at-stake attacks and their respective conditions, nor care under what assumptions such algorithms can prevent them.

The questions we should care about are:

1. How much does it cost to break consistency and carry out a double-spend attack? From this we can judge how much value the system can carry, and when the amount of a transaction exceeds that, we need to consider the possibility of a double spend and accordingly increase the confirmation time or carefully examine the behavior of each node.

2. How much does it cost to break liveness, delaying a block or delaying consensus by a minute? From this we can know how much loss we may suffer on a transaction that requires immediate confirmation. Then, for a "game" like FOMO3D, we know at what point a sale may become unsafe.

3. We also need to know how much it costs to break censorship resistance, so we know that Bitcoin is not a completely free currency: when someone is willing to pay a high enough cost, the liveness of a particular address can be eliminated.

4. Then, for an anonymous currency, we need to know at what cost anonymity can be broken, so that the origin of a sum of money can be traced or the identity behind an address marked.

The above is for the function of "currency", which is our starting point.

Then, ideally, we should determine the properties required by every function a blockchain can achieve, and quantify the security of each.
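As an added illustration of criterion 1 above (not code from the original article), the block below quantifies the cost of breaking consistency for a POW chain: it uses the catch-up probability from the Bitcoin whitepaper for an attacker holding a fraction `q` of the hash power, and combines it with a constructed hardware-cost figure to find the confirmation depth at which the attacker's expected gain no longer covers the cost. The hash rate, price and block time are constructed assumptions, not measurements of any real chain.

```python
import math

# Added example: a small quantitative model for "how much does it cost to break
# consistency and double-spend?". Success probability is Nakamoto's formula
# (Bitcoin whitepaper, section 11); the cost side is a constructed rental model.


def double_spend_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-power share q ever catches up
    from z blocks behind. For q >= 0.5 the attacker always succeeds eventually,
    so waiting for more confirmations cannot help."""
    if not 0.0 <= q < 1.0 or z < 0:
        raise ValueError("need 0 <= q < 1 and z >= 0")
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p          # expected attacker progress while honest miners find z blocks
    ratio = q / p
    total = 0.0
    poisson = math.exp(-lam)  # Poisson term for k = 0, updated iteratively (no factorials)
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k
        total += poisson * (1.0 - ratio ** (z - k))
    return 1.0 - total


def attacker_cost_per_block(attacker_hashrate: float, price_per_hash_second: float,
                            block_time_s: float) -> float:
    """Money spent keeping the attacking hash power running for one block interval:
    the 'price and time of hardware' idea from the article, applied to consensus."""
    return attacker_hashrate * price_per_hash_second * block_time_s


def min_confirmations(value: float, q: float, cost_per_block: float, max_z: int = 1000):
    """Smallest confirmation depth z at which the attacker's expected gain
    value * P(success) falls below the cost of mining privately for z intervals.
    Returns None when q >= 0.5: the honest-majority assumption itself has failed,
    and no confirmation count buys consistency back."""
    if q >= 0.5:
        return None
    for z in range(1, max_z + 1):
        expected_gain = value * double_spend_success_probability(q, z)
        if expected_gain < z * cost_per_block:
            return z
    return None


if __name__ == "__main__":
    # Constructed numbers purely for illustration, not measurements of any real chain.
    q = 0.10                                          # attacker share of hash power
    cost = attacker_cost_per_block(1e15, 1e-18, 600)  # 1 PH/s at 1e-18 per hash, 600 s blocks
    for value in (1.0, 100.0, 10_000.0):
        print(f"value {value}: wait {min_confirmations(value, q, cost)} confirmations")
```

The model deliberately ignores selfish mining and rental-market effects, so it gives a floor on the attacker's cost, not a ceiling; that is exactly the kind of assumption the article asks to make explicit.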

So where does decentralization fit in?

The requirement for decentralization has been incorporated into the security standard. After all, decentralization is a means rather than an end: a system that is too decentralized faces the same risk as a centralized system, an uncontrollable cost of misbehaving.

At the same time, in an over-centralized system the consensus algorithm also loses its meaning.

Therefore, the security standard must also take the degree of decentralization into account:

1. We need to measure the number of large nodes that actually participate in consensus.

2. We need to know information about these nodes to assess their potential to profit or collude off chain.

3. At the same time, we also need to determine that these nodes really do have the ability to maintain the security of the system.

As mentioned before, an ideal, secure blockchain system is maintained by a sufficient number of large nodes with known identities.
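As an added example for items 1 and 2 above (not code from the original article), the block below measures how many distinct entities are needed to reach a majority of block production, or the one-third share that can stall a BFT-style protocol, and re-measures after merging producers that off-chain information ties to one operator. The block counts and the operator mapping are constructed sample data, not measurements of a real chain.

```python
from fractions import Fraction

# Added example: counting the "large nodes" that really hold consensus power,
# before and after folding in known off-chain affiliations between producers.

# Constructed: blocks produced by each pool/validator over the last 1000 blocks.
BLOCKS_BY_PRODUCER = {
    "PoolA": 280, "PoolB": 220, "PoolC": 150,
    "PoolD": 120, "PoolE": 100, "Other": 130,
}

# Constructed: off-chain knowledge that PoolA and PoolD share one operator.
OPERATOR_OF = {"PoolA": "OperatorX", "PoolD": "OperatorX"}


def merge_by_operator(blocks: dict, operator_of: dict) -> dict:
    """Combine block counts of producers known to share an operator: for collusion
    risk what matters is who controls the power, not how many labels it wears."""
    merged = {}
    for producer, count in blocks.items():
        owner = operator_of.get(producer, producer)
        merged[owner] = merged.get(owner, 0) + count
    return merged


def min_coalition(blocks: dict, threshold: Fraction, inclusive: bool) -> list:
    """Smallest set of producers (largest first) whose combined share exceeds
    `threshold`, or reaches it when `inclusive` (as for the 1/3 BFT bound).
    Exact fractions avoid floating-point surprises right at the boundary."""
    total = sum(blocks.values())
    running = Fraction(0)
    coalition = []
    for producer, count in sorted(blocks.items(), key=lambda kv: -kv[1]):
        coalition.append(producer)
        running += Fraction(count, total)
        reached = running >= threshold if inclusive else running > threshold
        if reached:
            return coalition
    return coalition  # threshold only reachable with every producer


def decentralization_report(blocks: dict, operator_of: dict) -> dict:
    """Entities needed for a >50% majority (POW consistency) and for >=1/3
    (enough to halt a BFT protocol), raw and after merging operators."""
    merged = merge_by_operator(blocks, operator_of)
    return {
        "majority_raw": len(min_coalition(blocks, Fraction(1, 2), inclusive=False)),
        "majority_merged": len(min_coalition(merged, Fraction(1, 2), inclusive=False)),
        "third_raw": len(min_coalition(blocks, Fraction(1, 3), inclusive=True)),
        "third_merged": len(min_coalition(merged, Fraction(1, 3), inclusive=True)),
    }


if __name__ == "__main__":
    print(decentralization_report(BLOCKS_BY_PRODUCER, OPERATOR_OF))
```

A drop in the merged counts relative to the raw ones is the signal the article asks for: the chain is more concentrated than its producer list suggests.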

So we need to know:

1. Do they have enough motivation to maintain the system, that is, do they have enough revenue?

2. Is the structure of the system stable, and can they also determine the direction of the system? In other words, how do we ensure that the system will still have enough large nodes maintaining it in the future, rather than consensus nodes gradually withdrawing or forking because of the system's future direction and their expectations of it, which would lead to centralization? Therefore, we need to evaluate whether the decision-making mechanism can represent the interests of the consensus nodes.

3. At the same time, we also need to ensure that all groups with a stake in the system are able to participate in consensus.

So we need incentives, on-chain governance, and so on:

Everything, in the final analysis, is a security issue.

Closing words

This is my last article in the discussion of POW and POS. The content and length of these three articles far exceeded my expectations, probably because I have seen and heard too much since entering this field and have accumulated a lot to say.

Before this, I had written professional academic papers published at top venues in the blockchain field, and I had been working hard to write objective, neutral popular-science articles, working hard to avoid introducing new confusion into an already chaotic industry. So I only wrote about papers and techniques that have become the foundation of this field, and was unwilling to write too much about new conclusions that have not been confirmed or tested, although I believe some of them are correct; even when my articles had been accepted or even published, I was unwilling to introduce them in my column.

However, this series is different from all the articles I have written before: it is much more about personal opinions and judgments. In it I may have put forward many views that are "politically incorrect", that "people do not like to hear", that are "still controversial in the industry", or that "everyone knows but no one wants to say". So, since the articles were published, they have caused more or less controversy, which is exactly what I always wanted to avoid.

The key reason for making such a change is, in fact, what I said in the article: capital and the market's pursuit of new gimmicks will not stop and wait for the technology to develop, so when everyone in this field seems to be starting to think blindly and optimistically about long-term development, we need to reflect: are these things really "secure enough"?


Original: maxdeath

Source: Orange Book

The beginning of this article has been deleted. For the full version, please see: https://bbs.vechainworld.io/topic/283/%E6%88%91%E4%BB%AC%E9%9C%80%E8%A6%81%E4%BB%80%E4%B9%88%E6%A0%B7%E7%9A%84%E5%85%B1%E8%AF%86%E7%AE%97%E6%B3%95