Instructors: Andreas Park & Zissis Poulos
Rotman – MBA
Motivation: Silos vs Common Infrastructures
Change ledger entry locally
Sue's bank transfers from Sue's account to Bob's bank's account
Bob's bank transfers from its account to Bob's account
Sue's bank transfers from Sue's account to its own account
Bob's bank transfers from its account to Bob's account
Central Bank
Central bank transfers from Sue's bank's account to Bob's bank's account
Sue's bank transfers from Sue's account to its own account
Bob's bank transfers from its account to Bob's account
use the Swift network of correspondent banks
very complex
many parties
lots of frictions and points of failure
very expensive
How does it all work and why?
A deep dive into the "How?"
Workflow of a transaction
Cryptography: only Sue can spend her money
Problem: double-spending
How can we trust that
Contains transaction from Sue to Bob
Question: Can Sue rewrite history?
Where to add a new block B7?
Contains transaction from Sue to Bob
Sue wants to undo the transaction by rewriting history with B6
Sidebar: this type of attack is also referred to as "selfish mining"
How do you agree though that something happened, or, what is consensus?
Problem statement:
How can we reach consensus (of whether or not to make a change? The Byzantine Generals' problem
With more players, the problem is less severe
\(t\)
\(t\)
\(t\)
\(t\)
\(t\)
\(t\)
\(t\)
\(t\)
\(t\)
One approach to reach consensus: re-broadcast proposer message and follow majority
\(t\)
\(t\)
\(x\)
\(t\)
\(t\)
\(t\)
\(t\)
\(t\)
\(x\)
\(t,t,x\)
\(t,t,x\)
\(t,t,t\)
Reaching Consensus with a Rogue/Faulty Player?
\(x\)
\(y\)
\(z\)
\(y\)
\(x\)
\(z\)
\(y\)
\(x\)
\(z\)
\(x,y.z\)
\(x,y,z\)
\(x,y,z\)
Reaching Consensus with a Rogue/Faulty Proposer?
General result
Equilibrium
Blockchain requirement
Proof-of-Work
Technical Process in Proof of Work
How do you find the NUMBER (NONCE) that works? You do not know which works, you need to try (=guess) many many times
This Hash starts with a pre-specified number of zeros!
Claim: Can be used for a Byzantine Fault Tolerant Algorithm
consensus is reached if hash starts with right number of leading zeros
= 00000xd4we...
= 00000xd4we...
= 00000xd4we...
Contains transaction from Sue to Bob
Sue wants to undo the transaction by rewriting history with B6
Sue's objective
What does it take?
How does Proof of Work prevent this?
Back of the envelope calculation
Proof-of-Stake
Proof of Stake (PoS) - What is the goal?
Validation and leader election
random
32 ETH
Blockchain organization
Slot 1
Slot 2
Slot 32
...
12 seconds
epoch\(_t\)
epoch\(_{t+1}\)
epoch\(_{t-1}\)
Block inclusion
Committee #1 of validators
Slot 1
Slot 2
Slot 32
...
proposer #1 assembles transactions in block and proposes to a committee
attests validity
Block inclusion
Committee #2 of validators
Slot 1
Slot 2
Slot 32
...
proposer #2 assembles transactions in block and proposes to a committee
attests validity
Block inclusion
Committee #32 of validators
Slot 1
Slot 2
Slot 32
...
proposer #32 assembles transactions in block and proposes to a committee
attests validity
Blockchain finality rules
Slot 1
Slot 2
Slot 32
...
12 seconds
epoch\(_t\)
epoch\(_{t+1}\)
epoch\(_{t-1}\)
checkpoint
checkpoint
checkpoint
checkpoint
Blockchain finality rules
...
epoch\(_t\)
epoch\(_{t+1}\)
epoch\(_{t-1}\)
checkpoint
checkpoint
checkpoint
checkpoint
all validators vote on validity
all validators vote on validity
all validators vote on validity
all validators vote on validity
(for clarity: checkpoint voting happens over time, by all validators)
Blockchain finality rules
...
epoch\(_t\)
epoch\(_{t+1}\)
epoch\(_{t-1}\)
checkpoint
checkpoint
checkpoint
checkpoint
valid?
\(\Rightarrow\) "justified"
last justified block becomes "final"
valid?
\(\Rightarrow\) "justified"
last justified block becomes "final"
valid?
\(\Rightarrow\) "justified"
Validators, Committees, Proposers
ETH owners lock up funds (\(\ge32\)ETH) in a special smart contract
validators selected at random based on proportional ownership of total stake
Slot 1
proposer
Slot 2
proposer
Slot 32
proposer
Validators, Committees, Proposers
Slot 1
proposer
Slot 2
proposer
Slot 32
proposer
validation
committee
validation
committee
validation
committee
128 validators per committee (\(\Rightarrow\) 32 x 128) are selected at random based on proportional ownership of total stake
Validation and leader election
random
random
random
Committee 1
Committee 2
random
Block formation
Committee 1
Committee 2
...
Committee 32
attest
attest
Slot 1
Slot 2
Slot 32
...
12 seconds
Finality!
...
checkpoint
...
vote
vote
When final?
2/3 of stake has voted
Rewards and Punishments
What do we need from validators?
if "lazy"
misses out on rewards
if dishonest
Concretely they need to
What rewards?
proposer
Committee
What penalties?
offline
misbehavior
Security
What is dishonest?
TLDR
Performing a 51% attack still possible but "almost equivalent to having your entire mining farm burn down while you are doing it" -Zamfir
Other malicious behaviour
What about forks??
Still possible
Protocol Rule
"The canonical chain is the one with greatest weight of attestations in its history"
Economics of Proof-of-Work and Proof-of-Stake
Goal: Attackers wants to create an alternative history
Double spend attack prevention
Basic idea of competitive equilibrium
aggregate mining cost = aggregate reward
Double spending attack
condition that prevents it
(Chiu & Koeppl RFS 2018)
PoS vs PoW
https://ethereum.org/en/developers/docs/consensus-mechanisms/pos/
PoS vs PoW Economics
Basics:
validators receive:
PoS vs PoW Economics of Coinbase Rewards
PoS Economics of Coinbase Rewards
Question: do the rich get richer?
Intution
PoS Coinbase Rewards: do the rich get richer?
stakes
20%
80%
rewards
PoS Coinbase Rewards: do the rich get richer?
stakes
20%
80%
PoS Coinbase Rewards: do the rich get richer?
stakes
20%
80%
PoS Other Questions