POW vs. POS: A comparison of security costs in open distributed ledger protocols

Paul Sztorc recently argued on his blog that there is no way to decrease the cost of securing an open consensus protocol [1] below the costs of the work in Proof of Work.

 

Any analysis of a system requires one (or more) functional outputs that are supposed to be maximized

The overall argument here is that we need to agree on a common functional output in order to compare the amount of work wasted in POW vs POS/DPOS consensus systems. I suggest security as this functional output and then argue that POS/DPOS can require less work than POW to achieve the same amount of security, although this is hard to estimate or even measure.

I agree with Paul that no „work independent“ protocol is possible in so far as security and decentralization are always costly and costs sometimes are hidden (as voter attention cost in DPOS for example). I am glad he made that point as it helps to compare (incentive) systems in terms of hidden and obvious costs. I don’t agree though that the work/cost to reach a given level of security is the same with every consensus system.

The first important point to make is that if you say „all consensus systems waste the same amount of work“ (which Paul does) you will have to say to what end if the hypothesis should have any significance. Otherwise it would be like saying an aircraft wastes as much energy as a car without adding „in order to travel the same distance“. What follows from this is that any discussion based on the assumption that POW could only be attacked by buying hashing power is pointless. A security centered discussion would have to compare the least expensive ways to attack the different consensus protocols.

 

Design goals apart from security?

I feel like I am forcing the purpose of security onto this discussion, but I don’t see any purpose of a consensus mechanism other than making transaction history revisions impossible, or at least as costly as possible (apart from speed, distribution of control and scalability; in none of these three parameters does POW have an advantage). Paul writes:

Blockchain security is not the main function of Bitcoin’s PoW. Instead, PoW serves to delay the release of the coins such that they are still cheaply available when potential-network-joiners first discover the project (what some complain as today’s problematic “dumping” by miners).

It is right that initially the delayed release of coins was helpful for marketing. But that was only as long as mining attracted owners of consumer grade mining equipment who did not have access to subsidized industrial grade electricity. Nowadays new bitcoins are only distributed to big mining farms and such a coin distribution scheme does not help to make more people aware of and use Bitcoin. Now the argument could be made that such a delayed coin distribution helps to keep the Bitcoin price low (as it constitutes constant sell pressure) but the price of bitcoin and all crypto currencies is so relative that this argument also doesn’t make much sense.

But the important point here is to not confuse the delayed release of coins with the consensus mechanism (POW in this case). It is entirely possible to combine POS/DPOS with any kind of delayed release of coins / inflation schedule. So delayed coin distribution / inflation over time can not be a reason to choose POW.

 

Security considerations under the assumption of buying hashing power to attack POW

So let’s look at the security implications of this discussion, assuming that the easiest way to attack a POW network would be to buy hashing power, which is the most favorable assumption for POW (see below). More specifically, I will show why the work (that is, the money spent on mining rigs and electricity) needed to gain x percent of hashing power in a POW system is unlikely to buy x percent in a POS/DPOS network:

Assuming a bribe attack on a DPOS network, the opportunity costs of a delegate associated with losing his reputation are multiplied by the number of contexts and business opportunities in which a delegate makes use of the same reputation that is used to attract and retain votes in a DPOS system. There can be many such contexts: other areas of business, general social reputation. One can profit from the same reputation (tied to the respective individual / company) in various business / social contexts. So the attacker would have to take on all the opportunity costs of all the businesses of all delegates where they utilize that reputation. I consider this argument valid, but there is a counterargument which partly weakens it: Someone who highly depends on his/her reputation bears the cost of potentially decreasing this reputation globally if the delegate node proves unreliable or appears to be untrustworthy. This would not allow entities that highly depend on their reputation to run a delegate node. This could be the case because the delegate node ends up producing blocks on a minority chain, or because there might be a malicious employee in your company in case you run your delegate as a company. But it seems rather theoretical, since there are worse things employees can do to wreck your reputation.

A similar argument can be applied to POS – this applies to DPOS and POW only if the delegate/miner holds stake/coins – where the opportunity costs of a loss in value of stake/coins for stake/coin-holders give the block producers an incentive to be honest and would therefore be a cost to the attacker.

In case of a bribe attack on a DPOS network the following additional costs apply: If delegates assume that it is unlikely that 50% of delegates will collude, the attacker faces another cost, which is the mental cost for delegates of calculating the overall profit of an unlikely event. This is more effective the higher the number of delegates the attacker would need to bribe. This doesn’t equally apply to POS and POW, as both suffer from centralization of block producers because of economies of scale. In contrast, DPOS allows for a fixed number of block producers. BitShares, which uses DPOS, has 100 delegates at the moment, which are operated by roughly 70 unique individuals. Under those circumstances an attacker would have to bribe at least 35 individuals to gain 50% control of the network, as compared to 3 mining pool operators (at the moment: AntPool, BitFury and F2Pool) which control more than 50% of the mining power for Sha256 hashing (date: 8/7/2015), which brings us to practical security considerations.
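To make the counting argument above checkable, the following added example (not part of the original post) computes the smallest number of block-producing operators that together reach a given share of control. The pool shares and the split of 100 delegate slots across 70 operators are constructed sample values, not measurements, and all names are this example's own.

```python
from collections import Counter
from fractions import Fraction


def min_colluders(weights, threshold=Fraction(1, 2), strict=False):
    """Return the smallest number of operators whose combined weight reaches
    `threshold` of the total (or exceeds it when strict=True).

    Taking the largest operators first is optimal, because any other set of
    the same size has a combined weight that is no larger.
    """
    weights = [int(w) for w in weights]
    total = sum(weights)
    if total <= 0 or any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative and not all zero")
    if not 0 < threshold <= 1:
        raise ValueError("threshold must be in (0, 1]")
    running = 0
    for count, weight in enumerate(sorted(weights, reverse=True), start=1):
        running += weight
        share = Fraction(running, total)
        if share > threshold or (share == threshold and not strict):
            return count
    return None  # only reachable with strict=True and threshold == 1


def weights_by_operator(slot_owners):
    """Collapse block-producer slots into one weight per operator."""
    return list(Counter(slot_owners).values())


# --- Constructed sample data (assumptions, not measurements) ---------------
# Case 1: the post's counting, 70 individuals treated as equally powerful.
EQUAL_INDIVIDUALS = [1] * 70
# Case 2: 100 delegate slots run by 70 operators, where 30 hypothetical
# operators run two slots each and the other 40 run one slot each.
DELEGATE_SLOTS = ([f"op{i:02d}" for i in range(30)] * 2
                  + [f"op{i:02d}" for i in range(30, 70)])
# Case 3: hypothetical mining pool shares in percent; the top three sum to 52.
POOL_SHARES = [20, 17, 15, 10, 8, 7, 6, 5, 4, 3, 3, 2]


def compare(strict=False):
    """Minimum colluding operators for each constructed case."""
    return {
        "equal_individuals": min_colluders(EQUAL_INDIVIDUALS, strict=strict),
        "delegate_slots": min_colluders(
            weights_by_operator(DELEGATE_SLOTS), strict=strict),
        "mining_pools": min_colluders(POOL_SHARES, strict=strict),
    }


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name}: {count} operators reach 50% control")
```

The figure of 35 corresponds to the equal-weight case; when some operators run more than one delegate slot, the same function reports a smaller number, so the distribution of slots per operator is the quantity to monitor.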

 

Security considerations in practice

Overall the above is an „academic exercise“ in so far as such an analysis ignores what the least expensive way to attack a POW network would be and assumes that the only way to subvert a POW network is to buy the hashing power. The other option would be to bribe miners or, more simply, mining pool operators, of which there are about a handful that control the majority of the mining power for Sha256 / Bitcoin. This would be far less expensive than bribing delegates (DPOS) or forgers (POS) and most likely also cheaper than „malicious campaigning“ attacks in a DPOS system, especially if market capitalization / maturity of ecosystems are comparable. Mining pool operators are few, have no stake in the network (as compared to POS) and have made a commitment to miners and not to Bitcoin holders or the Bitcoin network. One counterargument would be that miners would quickly change to honest pools in case of an attack, in order to protect their mining business, which depends on the price of the native token (e.g. bitcoin), which would go down in case of a prolonged attack. The same re-balancing mechanism would apply to DPOS, where stakeholders would vote out dishonest delegates in case of a bribing attack. This, though, does not defeat the point that it would be easier to bribe mining pool operators in the first place.
Another practical and even less expensive attack on a POW network would be to set up a pool that pays miners more than other pools and attack the network when the pool has reached 51% of all hashing power. This is analogous to vote buying in a DPOS system, with the difference that the stake miners have in the Bitcoin ecosystem is not as high and not as direct as the stake stakeholders have in the respective DPOS ecosystem. Such a „generous pool“ attack could either be done by telling everyone in advance that the reason this pool pays considerably more is a future attack, which would make it more likely that miners would stay in the pool during and after the attack, or without talking about the purpose of such a well paying mining pool, which might bring miners on more quickly.

The POW vs. DPOS security discussion can be summarized with the following scheme:

Mining pool operators have the same potential as delegates and stakeholders the same potential as miners to harm the network. Mining pool operators can be replaced by miners, like delegates can be replaced by stakeholders.

There are two kinds of efficient attacks that apply to POW and DPOS:
(1) „Malicious campaigning“: A mining pool can attract miners only in order to attack. Equally a delegate can attract stakeholder votes only in order to attack.
(2) „Bribing“: One can try to bribe mining pool operators and delegates – there is the same potential for harm in both cases. In both cases stakeholders or miners can switch delegates or mining pools, respectively, if the bribe attack becomes apparent.

The differences are:
(a) There are more delegates to bribe or campaign for than there are mining pools.
(b) Delegates have made a commitment to work in the interest of stakeholders, whereas mining pool operators work in the interest of miners, whose first interest is not necessarily the health of the Bitcoin network.

Regarding DPOS specifically, Paul argues that voting is not „capitalistic“ in that no capital can be gained and none can be lost when voting, thus not giving stakeholders the incentive to invest enough effort and time into voting, which results in a suboptimal voting outcome. Paul writes: „DPoS, like all voting, is not capitalistic. Capitalism is not about ‚one dollar, one vote‘, it is instead ‚one dollar risked, one vote‘.“ I totally agree with the conclusion that there is a tragedy of the commons issue at play here. On the other hand, I consider it „good enough“, like shareholder voting in publicly traded companies, which suffers from the same problems, as pointed out by Paul, but works well enough for companies (the owners vote for executives, who then make operational decisions) to successfully compete with companies where the owners are the same individuals as those in control of the company’s operations. Also there is the remedy of setting a proxy that votes for a stakeholder.

There are other security considerations for POS systems, like long-range nothing-at-stake attacks, but those have been widely discussed, with the conclusion that open consensus processes ultimately rest on social consensus, which also applies to Bitcoin, as the recent block size debate shows.

[1] Open consensus protocol here implies that participation in the consensus process is open to anyone that can prove some objective / measurable resource (hashing power in POW, stake in POS, stakeholder votes in DPOS).

Interview on the nature of the coming disruption of financial services

In late November I gave an interview for the German blog BTCGermany which can be found here.

Felix asked a few very interesting questions which led me to go into detail about what implications blockchain technology has for our financial system and how this technology will shape it. It also gives an overview of how the projects Counterparty, BitShares and Ethereum aim to disrupt our contract based financial and fiscal world.

It is written in German but I will rewrite it in English at some point.

Enjoy!

The Bitstamp breach and the next big „platform“

Decentralization or Democratization of production and consumption has been a much discussed topic over the last decade within the entrepreneurial community. What it means is that the services that were once provided by big centralized and bureaucratic businesses are now provided by more specialized and smaller service providers that interact with their customers over a platform.
Others have been more eloquent or funny in expressing this trend.

Fred Wilson from Union Square Ventures proposes that there are three macro trends characterizing the last few decades (with respect to business opportunities or even in a more general sense with respect to human interaction):

  1. A transition from bureaucratic hierarchies to technology driven networks (if you want to just remember one trend remember this one).
  2. The unbundling of everything. Example: Today you consume one Article/Video, 10 years ago you bought the whole newspaper.
  3. We are always connected, always on the „grid“ which allows us to do business with everyone else on the grid, all the time.

With the examples below you will see that each of these trends applies to a different degree for each use case.

Examples for the decentralization of production:

  • Media corporations (TV Channels, Newspapers) -> Youtube Channels and Twitter
  • Department stores -> Ebay and Amazon merchants
  • Cab companies -> Uber
  • Hotel companies -> Airbnb

But also the consumption side of things has been „democratized“ in the sense that many have access to services and products that have only been available to a (often elitist) minority before:

  • Libraries (where a permission is needed) -> Google (the same service for everyone)
  • Wardrobe size computers -> Apple / PC (almost free for everyone compared to what we had 30 years ago)

Crypto Currencies like Bitcoin also follow this pattern. On the production side everyone can participate in the network by running a node or contributing to the open source code. But the major benefit lies on the consumer side: Prior to crypto currencies banking was reserved for those who enjoyed the fortune of having a bank account. Half the world today is „unbanked“ [1] which is a major efficiency obstacle for a global economy. Now everyone with a computer or a smartphone can have a bank account. The equation therefore might look like this:

  • Banks / Western Union -> „The blockchain“ or a few of them 

All these highly successful companies have something in common: They all are platforms or networks that allow individuals (consumers and producers) to plug into them allowing for a direct interaction between producer and consumer. [2]

But there are still elements of centralization, bundling and inefficiencies in the Bitcoin ecosystem which greatly limit the utility of the whole crypto currency concept: Big exchanges like Bitstamp that make millions [3] in transaction fees each year pose not only a risk for the funds of their customers [4] but also are expensive to use. So there is a real problem for an already existing customer base to be solved. The „pains“ for Bitcoin traders are:

  1. Expensive.
  2. Risk of lost or confiscated funds / non-transparent order books (no one really knows whether an exchange is solvent).
  3. No possibility to obtain a stable medium of exchange without going into fiat via an exchange.

There are ways to solve this problem. The technology Bitcoin is based on (blockchain technology) is evolving: The idea is to put the order book of exchanges on a blockchain. The open source project BitShares has designed its blockchain to realize such a decentralized exchange, which is promoted here. Counterparty (counterparty.io) is another great project that has recognized the potential. Also worth discussing in this respect is Ripple as a network that connects gateways with customers. These decentralized exchanges could be the „next big platform“ not only to make the Bitcoin ecosystem more robust but also to realize (real world) asset trading on a distributed database beyond crypto currencies.

Having an asset exchange on a blockchain would give us the „platform“ consumers and producers (gateways) can plug into to do business with each other without the bureaucratic centralized middlemen in between (centralized clearing houses, banks, centralized Stock exchanges, brokers).

Now here is the entrepreneurial challenge I want to discuss with you: The decentralized book keeping and order matching would be done by a blockchain, but what it needs is gateways that have one simple task: Gateways act like escrow agents that receive funds from customers (USD, EUR, BTC etc.), store them safely, issue IOUs as „User Issued Assets“ (also called colored coins or custom assets) on the blockchain [5] and promise to redeem such IOUs for the actual asset anytime. In other words: The customer of the gateway can either send USD to the gateway and get USD-IOU-tokens (traded on the blockchain) back, or the customer sends the USD-IOU-tokens to the gateway and gets real USD back. The rest of the functions an exchange provides today (book keeping and order matching) are done by the blockchain or, more precisely, by the decentralized network of software instances that maintains the blockchain.

The challenges: The solution described above does not entirely overcome the „Risk of lost or confiscated funds“, although it might be an advancement if exchanges can focus entirely on issuing IOUs and compete with each other solely based on their trustworthiness to keep customers‘ assets safe. But such „crypto-fiat-gateways“ must still be trusted with customer funds and can lose them.

The solution might be this: This article suggests doing the trading / order book matching in BitAssets instead of in Gateway-IOUs. So instead of trading IOU-BTC against IOU-USD, users could trade BitBTC against BitUSD. Gateways would therefore exchange, for example, USD for BitUSD. Since these BitAssets do not have a counterparty risk, the customers can not be defrauded. There are other risks involved though – mostly a sudden fall of the collateral backing the BitAssets. These two documents helped me understand the system: http://bytemaster.bitshares.org/article/2014/12/20/BitShares-as-a-Bank/ http://bytemaster.bitshares.org/article/2014/12/18/What-are-BitShares-Market-Pegged-Assets/.

Outlook: You could have the whole New York Stock exchange on a blockchain with this concept. The overall point I want to make is a general one: Blockchain technology has the potential to decentralize not only currency, which is what Bitcoin has begun to do, but the entire Bitcoin ecosystem. And the decentralization of the Bitcoin ecosystem can then serve as a blueprint to decentralize other areas of business so that asset trading becomes democratized on the consumer side as well as on the production side (since the barriers to entry of being a gateway are lower than for being an exchange).

Reddit link to discuss this article.

[1] http://econ.worldbank.org/WBSITE/EXTERNAL/EXTDEC/EXTGLOBALFINREPORT/0,,contentMDK:23489619~pagePK:64168182~piPK:64168060~theSitePK:8816097,00.html
[2] I admit that this analogy is a bit off with Apple.
[3] The biggest exchange Bitstamp makes almost a million $ per month, see http://www.forbes.com/sites/kashmirhill/2014/06/26/bitcoin-bitstamp/
[4] Widely known is the failure of the exchange Mt. Gox which lost the funds of its customers, http://de.wikipedia.org/wiki/Mt.Gox
[5] https://www.youtube.com/watch?v=yzruOULgmng

Blockchain 2.0 – viability and applications

Bitcoin has great potential but is in fact only one way to make use of the underlying consensus and cryptographic technology. The rather ambiguous term “Bitcoin 2.0” is regularly used to account for all those projects which apply the innovation pioneered by Bitcoin to use-cases that go beyond transferring money (i.e. bitcoins in this case). People rightfully pointed out that the term „Bitcoin 2.0“ is misleading as it indicates a second version of the Bitcoin protocol. I agree with this. I therefore changed the title to „Blockchain 2.0“. What follows is a basic overview aimed at anyone with a basic understanding of Bitcoin.

Proponents of Bitcoin 2.0 projects suggest that decentralized transaction ledgers – Bitcoin essentially is a decentralized transaction ledger – offer a variety of technological advantages [1]:

  1. Resilience against (a) a deliberate or accidental shutdown and (b) censorship by a single party. As a result users are guaranteed the accessibility of services for current and future use.

  2. The possibility for corruption is reduced because (a) users themselves are in control of their funds and transactions are enforced without a centralized, potentially corruptible intermediary. Additionally (b) all transactions, including the sender’s and the receiver’s addresses, which might be tied to a real world identity/organization or not, as well as the amount of tokens (e.g. bitcoins) that were sent, are publicly auditable. Consequently a decentralized and public transaction ledger can help an organization to enhance trust in the service provided and increase accountability of their bookkeeping.

  3. The absence of counterparty risk, due to the relative irreversibility of transactions, reduces costs directly (credit card fraud) and indirectly (regulatory costs).

  4. No (legal) ambiguity. The open source software run by participants of a decentralized network unambiguously defines the service any user of the network can expect. The explicit definition of the service does not leave room for ambiguity, thereby reducing the risk of costly legal proceedings.

  5. Anonymity for users (to a certain degree).

There also are some obvious downsides associated with decentralized transaction ledgers:

  1. Security and network costs. Compared to a centralized solution it is relatively costly to securely maintain a unified transaction ledger in a decentralized manner. [2]

  2. Dependence on the network’s security. The network’s security can fail. In the long run, a consensus network is less likely to fail due to a flaw in the underlying cryptography or software but rather because of a potentially flawed incentive structure for those securing the network collectively, which, together with economies of scale, can lead to a centralization of the control over the network. The result can be that one or a few parties control the network. It is therefore fair to argue that counterparty risk is replaced by the risk that the incentive model of a consensus network fails.

  3. Lack of flexibility. The possibilities to provide a service solely based on a decentralized transaction ledger, if not combined with other solutions (e.g. external data feeds or prediction markets), is limited to those services which can be entirely reduced to conditional rules and can therefore be encoded into software and enforced by a decentralized network of software instances.

  4. Complexity and usability for the end-user. Keeping your funds safe requires a few precautionary measures. If a user loses his private keys there is no way to restore his funds.

Note that this list applies to public blockchain networks. A private blockchain network, for example, does not have increased security and network costs (downside #1 above).

Taking account of these propositions it is possible to identify potential applications particularly suitable for utilizing decentralized transaction ledgers. Some of these are being implemented or at least theorized about by various Blockchain 2.0 projects. I will cover two basic use cases below, which also seek to illustrate the rather abstract description above.

First, the creation of synthesized assets: It is possible to issue customized tokens that are uniquely identifiable (also known as “colored coins”) without creating a separate blockchain. Those customized “assets” can be used to track ownership of anything a trusted issuer attributes to them. Examples include shares in a company, tickets that grant entrance to public transportation, bonds and other financial certificates etc. These tokens can be traded peer-to-peer like Bitcoin. All the projects below do or plan to allow for this functionality.

Second, the gambling industry. A possible, simplified scenario: Digital lottery tickets are issued that come with a certain chance of winning a growing prize pool. Contrary to a centralized gambling company, the random number generation which determines the winner(s) as well as the ledger that keeps track of who bought how many lottery tickets is decentralized. The advantage over a traditional lottery company lies in the system’s high resistance to corruption and a potentially low ‘house’ edge.

There are four Blockchain 2.0 projects which are suitable to introduce different types of approaches, each having a focus on different use cases and/or a different technological approach towards delivery of “decentralized services”. This selection is primarily based on the educational purpose of this paper and will introduce three categories of approaches: Utilizing the Bitcoin blockchain for specific applications (Mastercoin and Counterparty), providing one dedicated blockchain for various applications (Ethereum) and relying on one dedicated blockchain per application (Bitshares). There are other innovative projects like NXT [3], Ripple [4] (privately secured transaction ledger mostly utilized to transfer IOUs between trusted gateways) and Truthcoin [5] (a proposal for a mechanism to get reliable real-world data into a blockchain which can be used as a basis for prediction markets; not deployed yet) which are not described here in detail.

Counterparty and Mastercoin both allow for the issuance of colored coins (see above) and both run “on top” of the Bitcoin Blockchain, thereby making use of the security [6] provided by the Bitcoin hashing network. Both projects allow for synthesized assets, financial derivatives such as contracts for difference and distributed betting between peers – the last two features are based on price feeds.

The other two projects, Bitshares and Ethereum, have a wider scope, as they both try to establish a whole ecosystem of applications running on their platforms. The most apparent difference between the two lies in the number of blockchains and the security model.

Ethereum, in its current implementation, is developing a proof-of-work based blockchain, which is intended to represent a base layer on top of which applications and contracts are to be written with relative ease using one of multiple built-in scripting languages. In contrast, the Bitshares project provides a software toolkit allowing for the creation of applications, with each application based on a separate proof of stake [7] blockchain aiming at maximum scalability.

In conclusion, financial and commercial applications of peer-to-peer technology go far beyond Bitcoin. They hold the potential to redefine the relations between individuals and companies and challenge our assumptions about what constitutes an economic entity.

The article above should be seen as a basic introduction. A more detailed discussion is necessary to sufficiently address questions such as: which types of applications are most suitable to make use of this new technology, a more detailed comparison and valuation of the different approaches (the described projects above), security issues of consensus networks etc.

[1] Please note that the advantages 1 (a) and (b), 2 (a) and 3 hinge on the security model of decentralized transaction ledgers and the decentralization of ‘voting power’. The two most widespread solutions to secure a decentralized transaction ledger are “proof of work” (POW) and “proof of stake” (POS). In each case the goal is to decide on one unified version of the transaction ledger without a central authority. As there is no central party to decide, because everyone can participate in the decision process over which ledger is the valid one, and because one vote per participant would result in an arms race to create as many “virtual participants” as possible, there is a need to define a valuable resource which determines the voting power of each participant. With POW voting power equals computational power, while with proof-of-stake voting power is proportional to the amount of stake (share of tokens that are native to the network) a voter controls. In both systems one voter is selected every [x] minutes/seconds to add a new block to the blockchain; that means this voter can extend the transaction ledger by adding transactions that were newly broadcast by users. The chance of becoming that ‚one voter‘ depends on the share of the valuable resource (computational power or stake) one has compared to other „voters“. The one ‚winning‘ voter is rewarded with transaction fees and/or newly created tokens. Both of the alternative models above fail to provide security if voting power gets too centralized. In the extreme case where one party gets more than 50% of the voting power for a prolonged period of time, this party can change the parts of the transaction ledger that have been added since the voting power majority was reached. This is because the longest blockchain is always considered to be the valid one by all network participants and anyone with 50 + x % of the voting power has a higher chance of producing a longer chain over time than the rest of the voters.
An attacker could therefore build a secret chain which does not include the attacker’s transaction to a merchant and not broadcast it to the network, while the same transaction is publicly included in the chain that is considered to be official at a time where the attacker did not yet publish the secret (longer) chain. When the attacker publishes the, until then, hidden blockchain the network will accept it (if no manual/social consensus based intervention takes place) as the longest blockchain and the merchant has been defrauded of the Bitcoins he/she thought to have received. In conclusion: In order to maintain a unified transaction ledger without a trusted third party it is necessary to maintain decentralized control over the ledger.

[2] In addition to proof of work, other more ‘efficient‘ (when efficiency is defined as the cost of security) but yet to be (further) tested proposals have been made such as POS (Peercoin), POS (NXT), DPOS (Bitshares) and CPOS (Stephen Reed).

[3] http://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt.

[4] https://ripple.com/ripple-gateways.pdf.

[5] https://github.com/psztorc/Truthcoin/tree/master/docs.

[6] See footnote 1.

[7] See footnote 1.