(This post is part of the Understanding GHOSTDAG series)
It is “common knowledge” among many people that PoW is “better than” BFT, because PoW is secure against 49% attackers, whereas BFT is only secure against 34% attackers. This is not quite the case. Formally speaking, BFT and PoW are incomparable: each has advantages and disadvantages. Of course, we can and should discuss which trade-off is practically better, but that is not an inquiry that math can resolve.
Security
Can we ever be certain that a transaction will never be reverted? In BFT, we pretty much can. A BFT protocol can provide deterministic finality, meaning that once a decision is made, it is set in stone, and all future decisions happen in this reality.
PoW, on the other hand, provides a slightly weaker form of security called probabilistic finality.
Probabilistic finality means that there is always some chance that a transaction reverts, it “just” becomes very small very fast. This might sound disconcerting initially, but if you stop to think about it, you’ll realize that all of us constantly substitute unlikeliness for impossibility. Do you think your money is safe because you keep the only copy of your secret key under your pillow? Well, I still have a one in chance to guess it through dumb luck alone. The fact is that every aspect of security in our lives, digital or otherwise, is eventually probabilistic. At this point, I have either assuaged your reservations about probabilistic finality or driven you into an all-out existential crisis that goes beyond cryptocurrencies. Either way, we are good.
In a future post, we will revisit probabilistic finality more formally and quantifiably. For now, we can ask ourselves: what do we gain from trading off deterministic finality? We get that any honest majority suffices to provide this finality. As long as most miners follow the protocol, it is guaranteed that a decision will be made.
Now let me ask you a tricky question: say that there is some important decision to be made; say that 60% of the participants are for the decision, while 40% are against it. Also, say those against it are not of high moral fiber and are willing to stray from the protocol. In BFT, we know that a 40% collusion can delay the decision indefinitely. In PoW we know that, since 60% are honest, a decision will definitely arrive. So here is my question: will that decision definitely be the one supported by the majority?
Surprisingly enough, the answer is no. This is due to a phenomenon called selfish mining, first reported by Ittay Eyal and Emin Gun Sirer in their paper Majority is not Enough: Bitcoin Mining is Vulnerable. We will dive more into selfish mining in the next chapter, but the point is that a dishonest collusion of 34% of the miners can operate in a way that ensures they create more than 50% of the blocks (assuming the rest of the miners are honest).
“But wait,” you might ask, “if they make the majority of the blocks, doesn’t that mean they can control the network?” Well no, it does not, because they can only do so by piggybacking on the work of the honest network. Their blocks will necessarily be interleaved with honest blocks and not arranged in a competing chain. If that last paragraph went over your head, I recommend that you wait for the next chapter, where I will explain this stuff in more detail. For now, the moral of the story is that security is far from being as straightforward as some people think.
Decentralization
The “decentralization of BFT” is not well-defined. Recall that a prerequisite for decentralization is Sybil resistance. A BFT protocol does not have Sybil resistance out of the box; it rather assumes that the list of voters is already determined.
BFT-based DLTs must therefore also provide Sybil resistance in some form, and that choice has great bearing on how decentralized the resulting consensus actually is.
Since PoS is by far the most common form of Sybilness used for BFT, I will use it for the comparison. Some readers might protest that this limits the scope of the discussion, but in my experience, all other forms of Sybilness for BFT rely on intrinsic scarcity (that is, the voting is proportional to something emanating from the protocol: coin, reputation, history, mana, etc.), and are all susceptible to similar weaknesses.
With that in mind, I will now present two details that, in my opinion, make PoS inherently less decentralized than PoW.
The first detail is the cost of maintaining an advantage. In PoS, once someone holds a portion of the coins, their portion of the total coin can never decrease as long as they keep staking. Large holders will remain as large forever for negligible operational costs. Since in PoS coins translate to influence, this opens the door to censorship attacks and other disproportionate ways to coerce the network. Conversely, maintaining an advantage in PoW is expensive. Even if somehow someone managed to obtain 80% of the hashrate, they would have to pay the utility costs required to keep their hardware running. Worse yet, they would have to constantly purchase hardware as more/better miners become available.
The second detail is the rich-get-richer phenomenon. The security of PoS crucially relies on much of the coin being staked. If only a sliver of the currency is ever used for voting, then attacking the network becomes cheap. Coin holders are generally disincentivized from staking their funds: it requires them to lock money that they could have used otherwise, and to take the risk of being slashed (which could happen due to an honest mistake, or even connection issues). To overcome this, most PoS protocols compensate users for staking. The compensation for staking is necessarily proportional to the amount of coin staked (do you understand why?), meaning that people who are rich enough to stake large amounts become even richer and their proportion increases (except in the absurd scenario where 100% of the coin is staked at all times, which means the network is not used for anything but staking). As time passes, influential entities become more influential. In the long run, it could be unavoidable that a small select few (or even a single select one) will hold most of the coin, completely dominating the network indefinitely.
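To make the staking argument quantitative, here is a small simulation (added here, not code from the original post) of the dynamic just described: every epoch, stakers earn a reward proportional to their stake while non-stakers earn nothing. The reward rate, the participants, and their holdings are all made up for illustration; the point is only that, as long as anything is left unstaked, the stakers' share of supply keeps growing and the staked fraction creeps toward 100%.

```python
"""Constructed illustration of the rich-get-richer dynamic in proportional staking rewards.

Example code added to this page, not from the original post. The per-epoch reward
rate and the holdings below are assumptions chosen for illustration only.
"""


def step(holdings, staking, reward_rate):
    """One epoch: each staker's balance grows by reward_rate; non-stakers are unchanged."""
    return [bal * (1.0 + reward_rate) if stakes else bal
            for bal, stakes in zip(holdings, staking)]


def shares(holdings):
    """Each participant's fraction of total supply."""
    total = sum(holdings)
    return [bal / total for bal in holdings]


def staked_fraction(holdings, staking):
    """Fraction of total supply that is currently staked."""
    return sum(bal for bal, stakes in zip(holdings, staking) if stakes) / sum(holdings)


def simulate_shares(holdings, staking, reward_rate, epochs):
    """Return the list of share vectors, one per epoch (index 0 is the starting state)."""
    history = [shares(holdings)]
    for _ in range(epochs):
        holdings = step(holdings, staking, reward_rate)
        history.append(shares(holdings))
    return history


def simulate_staked_fraction(holdings, staking, reward_rate, epochs):
    """Return the staked fraction of supply after `epochs` epochs."""
    for _ in range(epochs):
        holdings = step(holdings, staking, reward_rate)
    return staked_fraction(holdings, staking)


if __name__ == "__main__":
    # Constructed scenario: a large staker, a small staker, and a holder who does not stake.
    holdings = [60.0, 10.0, 30.0]
    staking = [True, True, False]
    history = simulate_shares(holdings, staking, 0.05, 100)
    for epoch in (0, 1, 10, 100):
        print(epoch, [round(s, 4) for s in history[epoch]])
    # With everything staked, shares never move: rewards scale every balance equally.
    print(simulate_shares([60.0, 40.0], [True, True], 0.05, 5)[-1])
```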
Speed, Scale, and The BlockChain Trilemma
A deeply rooted prejudice against PoW is that it cannot securely scale while remaining decentralized. For example, in the next chapters we will see that if we naively try to increase the block rates or sizes in Bitcoin, the security quickly deteriorates.
There is a long lineage of PoW protocols trying to overcome this boundary, but for a long time, they all failed. In 2014, Vitalik Buterin coined this observed trade-off as the BlockChain Trilemma. It is not implausible that this statement was a consequence of the realization that the GHOST rule, the first meaningful breakthrough in PoW consensus since Satoshi's original paper, is still very limited in its scaling capacities (as we will cover extensively in the next chapter).
The BlockChain Trilemma is probably the most misunderstood and taken out of context statement in the history of cryptocurrencies. It was meant as a statement on the state-of-the-art of DLTs in 2014. However, some have tried to elevate it to the status of a law of nature, making absurd claims such as “the Trilemma can’t be solved, only worked around,” reinforcing the narrative that Bitcoin cannot be significantly improved upon. This interpretation of the Trilemma was publicly rejected by Vitalik.
Around 2016, the notable approach of parallel chains emerged, and it has appeared in several projects. The core idea is straightforward: instead of having one chain, have a few of them, but somehow “glue” them together so that it is only possible to revert one chain by reverting them all. The benefit of parallel chains is obviously the increase in capacity. This was reason enough for several such projects to arrogantly crown themselves as “trilemma solvers” before the drawbacks of this approach were properly understood. When this idea first emerged, it was already clear that parallel chains do not improve the confirmation times for transactions, so at best, they only partially solve the scaling issue. In the following years, evidence of more severe drawbacks started to accumulate. Mainly, it is mathematically provable (and we will see the proof) that the confirmation times in parallel chain architectures increase as we add more chains. This increase is rather mild, but still meaningful enough that fantasies of “ten thousand chains” are completely unreasonable. Other evidence shows other problems, which we will discuss in a future chapter, but the underlying motive is that breaking your network into small constituents introduces a lot of fragility. A clever “gluing” technique can retain the 51% security of the entire complex of chains, but more subtle attacks on individual chains seem to become much cheaper as the hash power is divided between more chains.
This sordid turn of events has naturally caused a lot of disdain. All self-proclaimed Trilemma solvers proved to be duds, and more often than not, the teams behind these flops conducted themselves in a manner that is far from professional. This caused a very legitimate disdain for any project claiming to have solved the Trilemma, and cemented the belief that scaling PoW is a pipe dream and the Trilemma might just be a universal truth of creation.
Then came GHOSTDAG, the first PoW protocol that actually manages to solve the trilemma. But given the landscape and history of the space, not to mention the relative complexity of the tech itself, it is a hard sell. Why should you believe me? Because I can explain exactly how it does it, and I can mathematically prove my claims. How does it do it? How can it fully retain the same decentralization and security as Bitcoin while furnishing throughput and reactiveness that are competitive with any PoS? Explaining that is what the rest of this book is for.
Comments
Mehdi
Does the idea, if practical, of having the list of participants maintained by the consensus itself circumvent the idea of permissioned settings having to centrally maintain a list of participants?
Deshe
I have yet to have seen a protocol that achieves this, and it sounds counter-intuitive to me. It only takes ONE TIME of successfully injecting a collusion to dominate the network forever.
Lunfardo
List of participants aka the “committee” is a result of some consensus anyway, either imposed centrally or distributed. Rotation of committees a la Algorand in fact is changing the committee by the Byzantine agreement among previous committee