HashLinked Databases and Consensus via Proof-of-Work and Proof-of-Stake
Instructors: Andreas Park & Zissis Poulos
Rotman – MBA
How does it all work and why?
What's needed for trust in anonymous deals?
Authority
Execution
Continuity
A deep dive into the "How?"
Workflow of a transaction
Security
B3
B1
B2
B4
B5
Contains transaction from Sue to Bob
Question: Can Sue rewrite history?
immutability
No! Because: Economics!
Incentive to support longest Chain
B3
B1
B2
B4
B5
B6
Where to add a new block B7?
- Add to B3?
- => people after still more likely to add to B6
- lose "coinbase" reward
Altering the past?
B3
B1
B2
B4
B5
- needs to be faster than anyone after who adds to B5 and build a longer chain
- or needs to be able to mine repeatedly
B8
B7
B9
B10
B6
Contains transaction from Sue to Bob
Sue wants to undo the transaction by rewriting history with B6
Sidebar: this type of attack is also referred to as "selfish mining"
How do you agree though that something happened, or, what is consensus?
Problem statement:
- Who gets to propose changes to the distributed database?
- How do we agree on making a change so we all know that everyone makes the same change?
How can we reach consensus (of whether or not to make a change? The Byzantine Generals' problem
Blockchain protocols establish consensus
With more players, the problem is less severe
t
t
t
t
t
t
t
t
t
One approach to reach consensus: re-broadcast proposer message and follow majority
t
t
x
t
t
t
t
t
x
t,t,x
t,t,x
t,t,t
Reaching Consensus with a Rogue/Faulty Player?
x
y
z
y
x
z
y
x
z
x,y.z
x,y,z
x,y,z
Reaching Consensus with a Rogue/Faulty Proposer?
General result
- proposed messaging yields consensus
- as long as no more than 1/3 cheats/are faulty/compromised
Proof-of-Work
Technical Process in Proof of Work
How do you find the NUMBER (NONCE) that works? You do not know which works, you need to try (=guess) many many times
This Hash starts with a pre-specified number of zeros!
Claim: Can be used for a Byzantine Fault Tolerant Algorithm
consensus is reached if hash starts with right number of leading zeros
Blockchain BFT
= 00000xd4we...
= 00000xd4we...
= 00000xd4we...
Proof-of-Stake
Blockchain organization
Slot 1
Slot 2
Slot 32
...
12 seconds
epocht
epocht+1
epocht−1
Block inclusion
Committee #1 of validators
Slot 1
Slot 2
Slot 32
...
proposer #1 assembles transactions in block and proposes to a committee
attests validity
Block inclusion
Committee #2 of validators
Slot 1
Slot 2
Slot 32
...
proposer #2 assembles transactions in block and proposes to a committee
attests validity
Block inclusion
Committee #32 of validators
Slot 1
Slot 2
Slot 32
...
proposer #32 assembles transactions in block and proposes to a committee
attests validity
Blockchain finality rules
Slot 1
Slot 2
Slot 32
...
12 seconds
epocht
epocht+1
epocht−1
checkpoint
checkpoint
checkpoint
checkpoint
Blockchain finality rules
...
epocht
epocht+1
epocht−1
checkpoint
checkpoint
checkpoint
checkpoint
all validators vote on validity
all validators vote on validity
all validators vote on validity
all validators vote on validity
(for clarity: checkpoint voting happens over time, by all validators)
Blockchain finality rules
...
epocht
epocht+1
epocht−1
checkpoint
checkpoint
checkpoint
checkpoint
valid?
⇒ "justified"
last justified block becomes "final"
valid?
⇒ "justified"
last justified block becomes "final"
- a checkpoint is "justified" once 32 of all validators vote for validity
- once a checkpoint is justified, the last justfied checkpoint becomes final
valid?
⇒ "justified"
Validators, Committees, Proposers
ETH owners lock up funds (≥32ETH) in a special smart contract
validators selected at random based on proportional ownership of total stake
Slot 1
proposer
Slot 2
proposer
Slot 32
proposer
Validators, Committees, Proposers
Slot 1
proposer
Slot 2
proposer
Slot 32
proposer
validation
committee
validation
committee
validation
committee
128 validators per committee (⇒ 32 x 128) are selected at random based on proportional ownership of total stake
Rewards and Punishments
What do we need from validators?
- Participation
- Honesty
if "lazy"
misses out on rewards
if dishonest
Concretely they need to
- vote on checkpoints
- attest in committees
- propose valid blocks
What rewards?
proposer
- coinbase
- "tips"/fees
- MEV
Committee
- coinbase
What penalties?
offline
- small penalty based on time offline
misbehavior
- stake slashing (usually 1 ETH)
- exclusion from validation
- goes per node
Economics of Proof-of-Work and Proof-of-Stake
Effects of an attack
B3
B1
B2
B4
B5
- the longer you wait to consider a tranaction "done", the harder it becomes to attack
- BUT: the attacker earns a block reward for each selfishly-mined block!
B8
B7
B9
B10
B6
Goal: Attackers wants to create an alternative history
SOme Insights for Proof of Work Economics
Double spend attack prevention
- Validation rewards are taken as given, but they are crucial in
- determining incentives to participate,
- to support the chain, and
- to expense electricity and computing power
Basic idea of competitive equilibrium
aggregate mining cost = aggregate reward
Double spending attack
- expense resources but:
- win N block rewards until "confirmation" block
- ability to double-spend
condition that prevents it
(Chiu & Koeppl RFS 2018)
PoS vs PoW Economics of Coinbase Rewards
-
PoW:
- coinbase reward go to outside party for performing a service
- proportional to resources committed
-
PoS:
- fees go to existing coin holders for "community service"
- proportional to stake
PoS Coinbase Rewards: do the rich get richer?
stakes
20%
80%
rewards
PoS Coinbase Rewards: do the rich get richer?
stakes
20%
80%
PoS Coinbase Rewards: do the rich get richer?
stakes
20%
80%
- still have the same wealth share
- mathematically: wealth shares are a Martingale that converges to the initial distribution