Yves here. We’ve long regarded blockchain as a technology looking for a use, and haven’t seen money as a great fit. This paper examines one purported fix for computational limits and finds them wanting.
By Joshua Gans, Professor of Strategic Management and Jeffrey S. Skoll Chair of Technical Innovation and Entrepreneurship, Rotman School of Management, University of Toronto and Neil Gandal, Professor of Economics Berglas School of Economics Tel Aviv University. Originally published at VoxEU
Cryptocurrencies such as Bitcoin rely on a ‘proof of work’ scheme to allow nodes in the network to ‘agree’ to append a block of transactions to the blockchain, but this scheme requires real resources (a cost) from the node. This column examines an alternative consensus mechanism in the form of proof-of-stake protocols. It finds that an economically sustainable network will involve the same cost, regardless of whether it is proof of work or proof of stake. It also suggests that permissioned networks will not be able to economise on costs relative to permissionless networks.
The blockchain itself is typically associated with the innovations of Satoshi Nakamoto (2008). The history, however, begins much earlier, with distributed ledger technologies. Haber and Stornetta (1990) tackled the question of how to timestamp a digital document. They argued that there was no need for a central authority to verify the timestamp. Instead, at the time the stamp is created, it is recorded on a ledger that is distributed amongst (what we will refer to here as ‘nodes’). When someone wants to verify the timestamp of a particular digital document, they can communicate with one or more of the nodes for that verification.
Haber and Stornetta went on to demonstrate the practicality of their solution by publishing a hash of their ledger each week inThe New York Times. The hash is a unique ID that can only be recreated if you have the original records. With the hash published in it, every New York Times edition still in existence is a distributed record of the ledger. Changing the ledger after it is recorded requires all copies of the Timesto be changed.
Significantly, Haber and Stornetta did not just publish a hash of the entries that they had received that week in the Times. Instead, each group – or as we call them now, ‘block’ – of entries was hashed along with the hash of the previous block of entries. This formed a chain. In other words, in order to change an entry from 1992, you would not only have to change the record from that time but from all future times. Suffice it to say, tampering with the blockchain would be seemingly impossible. The Haber and Stornetta blockchain has been operating for almost three decades.
The proposal for Bitcoin outlined by Nakamoto (2008) took this basic idea and scaled it in a way that would allow it to handle the speed and transaction volume required for a network of digital payments. Bitcoin would be a ledger that recorded the ownership of digital assets (called ‘bitcoins’), the supply of which would be regulated by the protocol. At any given time, the ledger would identify the ownership (or technically, the public key) associated with each bitcoin (or fraction of a bitcoin). Thus, if someone wanted to offer the transfer of ownership of a bitcoin as payment for some other service, they would only need to verify their ownership and then send a message to the network to transfer that ownership to another user. These messages would then be bundled into blocks of transactions.
This led to the second new element in the Bitcoin blockchain – the consensus mechanism. How do nodes in the network ‘agree’ to append a block of transactions to the blockchain as part of the immutable record? Nakamoto outlined what is now termed a ‘proof of work’ scheme.
The proof of work concept had actually been developed much earlier by Cynthia Dwork and Moni Naor (1993). They proposed it as a way to deter spam email. In cryptocurrency blockchains using proof of work, nodes compete in a game to solve a computational puzzle and the winner earns both a reward and the right to propose the next block to the chain.
The rewards to node operators not only cover the costs of processing records. It is critical that they also ensure the incentives of ‘bad’ actors are muted. In order to prevent attacks by bad actors, some cost must be placed on becoming a node in the network; there must be a cost in proposing a block to be added to the chain.
At present, the main consensus mechanisms are based on proof of work, which involves a cost to being a proposer (node) in terms of real resources. In the Bitcoin protocol, for example, being a proposer requires winning a computational game. The prize for winning is a block reward and transaction fee. The former is set by protocol and, if it is in cryptocurrency, the value of the currency. The latter is often set by users of the network. The cost of the contest is performing the computational task – i.e. having computer hardware and energy resources. Bitcoin is a ‘permissionless’ blockchain in which anyone can be a node (i.e. there is free entry).
Using the properties of the Bitcoin blockchain, Budish (2018) formally examines when Bitcoin and other cryptocurrencies using proof of work would be vulnerable to being hijacked. He develops an equilibrium model that includes the (i) mining game (the supply side) and (ii) incentive compatibility (the demand side), i.e. ensuring that it will be too costly for attackers to highjack the blockchain.
Realistically, Budish (2018) considers two limiting factors on a simple majority attack.
- Some activities from dishonest miners may require more than a simple majority to implement.
- For some activities that involve interaction outside the blockchain (such as a multi-spend attack), control of the blockchain cannot be confined to just the block in question but may require a time period to elapse. Thus, the dishonest node may have to control the network for a time, which translates into adding a certain amount of blocks.
Budish includes these elements in his model, which shows that that Bitcoin ‘would be majority attacked if it became sufficiently economically important’ (Budish 2018).
‘Proof of stake’ protocols are an attempt to allow for consensus mechanisms without relying on real resources (as in proof of work). This is achieved by requiring nodes to stakea sufficient quantity of tokens in order to be considered as a validator for a new block of transactions. There are different ways in which validator nodes are selected.
One class of methods is chain-based. In that method, a validator is chosen at random from nodes that hold the requisite stake. This means that validators have a probability of proposing a block (and receiving a block reward) based on the amount they have staked to the network. Like proof of work, it typically takes some time (in terms of t blocks) before a block is treated as final and relied upon.
What about protection against attacks by dishonest nodes? With proof of stake, there is no such resource cost. The main challenge is that new nodes or nodes that were offline cannot tell which is the legitimate chain. Thus, for an attack to be successful, the dishonest node needs to take actions that would shift the share of online versus other nodes.
Such attacks rely on the attacker building on both the main chain and their alternative at the same time. Networks have implemented various methods to guard against this. One such method is called ‘slashing’. This involves the stake of a node being reduced or destroyed if it is found that they have worked on multiple chains. This is something that can be algorithmically detected. In some newer networks, slashing can automatically arise if blocks appear to be altered, and it may involve the attacker losing part or all of the stake itself – which would make the attack more costly. Nevertheless, such attacks are still possible.
In a recent paper (Gans and Gandal 2019), we extend the blockchain sustainability framework of Budish (2018) to consider proof-of-stake consensus mechanisms. We show that, perhaps surprisingly, an economically sustainable network will involve the same cost regardless of whether it is proof of work or proof of stake. In the latter, the cost will take the form of illiquid financial resources.
We then examine permissioned networks where the number of nodes is fixed. We show that regulating the number of nodes (a permissioned network) does not lead to additional cost savings that cannot otherwise be achieved via setting block rewards in a permissionless (i.e. free entry) network. This suggests that permissioned networks will not be able to economise on costs relative to permissionless networks.
See original post for references
I found a non-paywalled version of the paper on the arXiv: https://arxiv.org/ftp/arxiv/papers/1911/1911.12318.pdf
Although I agree with the insight that Proof of Stake is not a “cure-all” for the limits of Proof of Work, the paper does not dispute that there will be computational resources saved by Proof of Stake. Instead, the network pays the cost of maintaining the blockchain by “staking” an equivalent amount of money (staked currency), and that the “cost” of running the network in terms of the cryptocurrency is unchanged.
However, importantly, Proof of Stake does not require nearly as much computational (physical) or environmental (how we power the computations) resources. This means that externalities implied by the consumption of computational and environmental costs in proof of work operations are not borne by the proof of stake system. So although the monetary cost of the two systems is mathematically equivalent, proof of stake does not allow the blockchain to offload costs to other sectors in such a magnitude as the Bitcoin blockchain is doing today.
I apologize in advance for being too ignorant to appreciate this rube goldberg device. WTF? Proof of Work (mining) needs an alternative consensus mechanism because proof of work is so very expensive. Oh good. Is there such a thing as senseless consensus? Assuming this is leading to an entirely independent system of payments, completely independent of the need to exchange a certificate of proof of work for sovereign currency, it is still counterfeiting because it drains social energy out of any system – the real energy behind “money”. Crypto is a grandiose scheme to privatize money. Which is an oxymoron. Even a “permissionless blockchain” is an intrinsic oxymoron. These guys are nuts. Money for the sake of money. How very circular. All this decentralizing of proof (aka information) should be put to some constructive use instead of this nonsense. It sounds like a design plagiarized from brain tissue to be used like a network of dishonest nodes. Etc.
Susan, Blockchain is an accounting system. A single entry accounting system at that. You could use it for all sorts of things.You could for instance (if the companies were so inclined) use it to trace where your food came from. You could use it to verify the veracity of provenence of wine. You could use it to judge to quality of the particular year of BMW 3 series brake calipers, etc. Money is only one use, but contracts and provenence are where the killer use case of such an accounting system will be found.
This article didn’t do a good job of explaining in lay terms what the authors were actually addressing. Namely the underlying computational and resource complexity in generating the next block (record) in the chain.
A “killer use case” that has yet to actually materialize. Seems like a solution looking for a problem, as Yves says in the intro.
If 51% of nodes in Bitcoin collude they can change the ledger.
Currently 62% of Bitcoin validating nodes are physically located in The People’s Republic of China.
Draw your own conclusions.
A lot of the premises behind blockchain are kind of dumb considering how many versions of consensus algorithms are used elsewhere daily and don’t require a proof of work for validation. The two most common, one of which is used in almost every single distributed application (including not a few distributed columnar databases which is basically a ledger), are Paxos and Raft. Every single application that has to ‘scale’ in this age of platforms is a distributed application, meaning they all use consensus under the hood. Someone asked above, can there be senseless consensus? And the answer is of course, And How!, but the lack of sense is around fixation on the chain aspect of the ledger to make it ‘hackproof’. An endless chain – a ‘single point of truth’ – requires that single point to stay up permanently. THAT’S the impossibility without making the blockchain a standard with a central arbiting authority.
I think the term “savings” is the clutch phrase E.g. this much expenditure to ramp up a perceived accounting function with long legs in buffing a balance sheet and again …. legal constructs don’t do maths well.
So were right back at applying high order physics to a human condition, in a multivariate environment, currently under going a energetic period.
Remind me again what perceptions enabled the GFC again.