Existing solutions

Problem:
power concentration/Monopoly

trustworthy People

long-term Relationships

reputation

contract law

institutions

Authority

Execution

Continuity

Do you have the item?

Do you have power over it?

Tool: "key" cryptography

Can we agree that it happened?

Tool:
consensus algorithm

no trusted parties needed

everything
in code

open to
anyone

platform or network

commerce thrives

How?

Cryptography: only Sue can spend her money

Problem: double-spending

How can we trust that

1. sale happened and
2. $$ only spent once?

Contains transaction from Sue to Bob

Question: Can Sue rewrite history?

No! Because: Economics!

B3

B4

B5

B6

Where to add a new block B7?

• Add to B3?
  • => people after still more likely to add to B6
  • lose "coinbase" reward

• needs to be faster than anyone after who adds to B5 and build a longer chain
• or needs to be able to mine repeatedly

B8

B7

B9

B10

B6

Contains transaction from Sue to Bob

Sue wants to undo the transaction by rewriting history with B6

Problem statement:

1. Who gets to propose changes to the distributed database?
2. How do we agree on making a change so we all know that everyone makes the same change?

Blockchain protocols establish consensus

\(t\)

\(t\)

\(t\)

\(t\)

\(t\)

\(t\)

\(t\)

\(t\)

\(t\)

\(t\)

\(t\)

\(x\)

\(t\)

\(t\)

\(t\)

\(t\)

\(t\)

\(x\)

\(t,t,x\)

\(t,t,x\)

\(t,t,t\)

consensus is reached!

\(x\)

\(y\)

\(z\)

\(y\)

\(x\)

\(z\)

\(y\)

\(x\)

\(z\)

\(x,y.z\)

\(x,y,z\)

\(x,y,z\)

consensus is reached (no attack)

General result

• proposed messaging yields consensus
• as long as no more than 1/3 cheats/are faulty/compromised

Equilibrium

• generals pick majority message
• successful consensus as long as no more than 1/3 cheats

Blockchain requirement

• reach Byzantine Fault Tolerant consensus
• trick: messages are hard to forge

Protocol does three things

1. selects the leader

3. creates randomness in the proposer selection

2. creates a message to coordinate on

How do you find the NUMBER (NONCE) that works? You do not know which works, you need to try (=guess) many many times

This Hash starts with a pre-specified number of zeros!

Claim: Can be used for a Byzantine Fault Tolerant Algorithm

consensus is reached if hash starts with right number of leading zeros

• to create a new reality, the cheater has to create blocks faster than the rest of the network
• has to make more guesses that the rest of the network combined

What does it take?

1. needs to be predictably able to add several blocks to the chain without interference, or
2. needs to be faster than anyone after who adds to B5 and build a longer chain, or
3. needs to ability to reject new blocks that are added to B5 .

How does Proof of Work prevent this?

• mining success is random subject to resources spend:
  • computers/GPUs
  • electricity
• you need faster/more computers than 51% of the network
  • current network power: 150million tera-hashes per second (blockchain.info)

Back of the envelope calculation

• hashrate: 150,000,000 TH/s
• best hardware (ASIC) has 110TH/s per unit
• => need 150,000,000 / 110 x 0.5 = 682,000 ASICs
• 1 ASIC costs around $10,000 (conservative)
• =>Cost = $6,820,000,000
• But it doesn't end here...Power consumption at 4.5GW
• => enough to power 1M homes in the US

• Energy efficiency
  • ​No need to commit extreme compute power to solve puzzles for leader election (PoW)
• Centralization Risk
  • Can validate using simpler hardware -> more nodes can participate to validate network
• Economic cost of attacks​
  • Explicit penalties for misbehaviour (vs. PoW)

random

32 ETH

When final?

2/3 of stake has voted

if "lazy"

misses out on rewards

if dishonest

TLDR

Performing a 51% attack still possible but "almost equivalent to having your entire mining farm burn down while you are doing it" -Zamfir

Other malicious behaviour

1. Long-range attack
2. Short range reorgs (can be bad for DeFi)
3. etc.

Still possible

1. Need agreement on what the canonical chain is
2. Longest-chain rule not ideal. Why?

Protocol Rule

"The canonical chain is the one with greatest weight of attestations in its history"

Double spend attack prevention

• Validation rewards are taken as given, but they are crucial in
  • determining incentives to participate,
  • to support the chain, and
  • to expense electricity and computing power

Basic idea of competitive equilibrium

aggregate mining cost = aggregate reward

Double spending attack

• expense resources but:
• win N block rewards until "confirmation" block
• ability to double-spend

• still have the same wealth share
• mathematically: wealth shares are a Martingale that converges to the initial distribution