Vitalik Buterin: "Cypherpunk spirit" is more than just idealism

24-07-02 17:16
Original title: A Proof of Stake Design Philosophy
Original author: Vitalik Buterin


This article was originally published on December 29, 2016.


Systems like Ethereum (and Bitcoin, NXT, Bitshares, etc.) are a whole new class of crypto-economies — decentralized, jurisdictionless entities that exist entirely in cyberspace and are maintained by a combination of cryptography, economics, and social consensus. They are a bit like BitTorrent, but they are different from BitTorrent because BitTorrent has no concept of state — a distinction that is crucial. They are sometimes described as decentralized autonomous companies, but they are not exactly companies — you can’t hard fork Microsoft. They are a bit like open source software projects, but they are not exactly the same — you can fork a blockchain, but not as easily as forking OpenOffice.


These cryptoeconomic networks come in many forms — ASIC-based PoW, GPU-based PoW, naive PoS, delegated PoS, and hopefully soon Casper PoS — and each inevitably carries its own underlying philosophy. A well-known example is the maximalist vision of proof-of-work (PoW), where the “correct” blockchain is defined as the chain created by miners spending the most economic capital. Originally just an in-protocol fork choice rule, this mechanism has been elevated to sacred dogma in many cases. Bitshares’ delegated proof-of-stake (DPoS) presents another consensus philosophy, all again derived from a simple principle: shareholder voting.


Each philosophy — Nakamoto consensus, social consensus, shareholder voting consensus — has its own conclusions and forms a set of values that make perfect sense on its own terms, though they can be criticized when compared to one another. Casper consensus also has a philosophical basis, though it has not yet been so succinctly expressed.


Vlad, Dominic, Jae, I, and others each have our own opinions on why proof-of-stake protocols exist and how they should be designed, but here I intend to explain my personal starting point.


I will first list the observations, then go straight to the conclusions.


In the 21st century, cryptography is very special because it is one of the few fields where adversarial conflict continues to significantly favor the defender. A fortress is easier to defend than to destroy, an island can be defended but still potentially attacked, but an average person's ECC key is secure enough to withstand even nation-state attackers. The cypherpunk philosophy was essentially about using this valuable asymmetry to create a world that better protects individual autonomy, and cryptoeconomics is in some ways an extension of this thinking, only this time protecting the security and liveness of complex coordination and collaborative systems, not just the integrity and confidentiality of private messages. Systems that consider themselves the spiritual successors of the cypherpunks should maintain this fundamental property of being harder to destroy or disrupt than to use and maintain.


The "cypherpunk spirit" is not just idealism; it is also sound engineering practice to design systems that are easier to defend than to attack.


In the medium and long term, humans are pretty good at consensus. Even if an attacker has unlimited hash power and launches a 51% attack that rolls back the history of any major blockchain, convincing the community that the resulting chain is legitimate is much harder than simply outstripping the hash power of the main chain. They would need to subvert block explorers, every trusted member of the community, the New York Times, archive.org, and many other sources on the Internet; in short, in the information technology-intensive 21st century, convincing the world that a new attack chain came first is harder than convincing the world that the US moon landing never happened. These social considerations ultimately protect the long-term security of any blockchain, whether the blockchain's community recognizes it or not (note that Bitcoin Core does recognize the primacy of the social layer).


However, a blockchain secured by social consensus alone would be extremely inefficient and slow, and prone to persistent disagreements (although, despite great difficulty, this has happened); therefore, economic consensus plays an extremely important role in protecting liveness and security in the short term.


Since proof-of-work (PoW) security can only come from block rewards (it is missing two of the three Es, in Dominic Williams' terminology), and miners are only motivated by the risk that they will lose future block rewards, proof-of-work necessarily operates on a logic of huge energy consumption incentivized by huge rewards. Recovering from an attack is extremely difficult: the first time it happens, you can hard fork to change the PoW, thereby invalidating the attacker's ASICs, but the second time you no longer have this option, so the attacker can attack again and again. Therefore, the miner network must be so large that an attack is unthinkable. Attackers smaller than size X are deterred by having the network constantly spend X every day. I reject this logic because (i) it consumes natural resources and (ii) it fails to live up to the cypherpunk ethos: the cost of attack and the cost of defense are at a 1:1 ratio, so there is no defender advantage.


Proof of Stake breaks this symmetry by relying on penalties rather than rewards. Validators put up capital (“deposits”) and receive some reward to compensate them for locking up capital, maintaining nodes, and taking extra steps to keep private keys secure, but the main cost of rolling back transactions comes from penalties that are far higher than the rewards they receive. The “one-sentence philosophy” of proof of stake is therefore not “security comes from expending energy” but “security comes from the loss of economic value invested.” A block or state has $X security if you can prove that achieving the same level of finality cannot be accomplished without malicious nodes attempting to switch.


In theory, a majority of validators could band together to take over a proof of stake chain and begin acting maliciously. However, (i) their ability to make additional profits through such manipulation can be limited as much as possible through clever protocol design, and more importantly (ii) if they attempt to prevent new validators from joining, or perform a 51% attack, the community can simply coordinate a hard fork and delete the offending validators' deposits. A successful attack might cost $50 million, but the process of cleaning up the consequences would be no more onerous than the geth/parity consensus failure on November 25, 2016. Two days later, the blockchain and community return to normal, and the attacker is $50 million poorer, while the rest of the community may be richer because the attack caused the token value to rise. This achieves an asymmetric attack/defense.


The above should not be interpreted as suggesting that unplanned hard forks will become the norm; the cost of a single 51% attack under proof of stake could be made as high as the cost of a permanent 51% attack under proof of work if desired, and the cost and ineffectiveness of the attack should ensure that it will almost never be attempted in practice.


Economics is not everything. Individual actors may be driven by additional protocol incentives, they may be hacked, they may be kidnapped, or they may simply get drunk and decide to destroy the blockchain, whatever the cost. Moreover, on the plus side, individual moral restraint and communication inefficiencies will often raise the cost of an attack to levels far above the nominal protocol-defined loss value. This is an advantage we cannot rely on, but it is also one we should not throw away lightly.


Thus, the best protocols are the ones that work well under a wide range of models and assumptions — economic rationality with coordinated choice, economic rationality with individual choice, simple fault tolerance, Byzantine fault tolerance (ideally including both adaptive and non-adaptive adversary variants), Ariely/Kahneman inspired behavioral economic models (“we all cheat a little”), and any other realistic and practical model. It is important to have two layers of defense: economic incentives to discourage centralized cartels from acting antisocially, and anti-centralization incentives to discourage cartels from forming.


Consensus protocols that run as fast as possible are risky and should be adopted very cautiously, because if running as fast as possible is combined with incentives, the result is to reward risky centralization at the network level (e.g. all validators run on the same hosting provider). Consensus protocols that don’t care too much about how fast validators send messages, as long as they send them within some acceptable interval (e.g. 4-8 seconds, since we know from experience that Ethereum latency is typically ~500ms-1s), don’t have these concerns. A possible middle ground would be to create a protocol that can run very fast but, similar to Ethereum's uncle mechanism, ensures that the marginal reward for a node to increase its network connectivity beyond some easily achievable point is fairly low.


From here, of course, there are many details and many ways to disagree on the details, but the above are at least the core principles of my version of Casper. We can certainly debate the trade-offs between different values. Do we give ETH a 1% annual issuance rate and get a $50 million forced hard fork cost, or a zero annual issuance rate and get a $5 million forced hard fork cost? When do we increase the security of the protocol under the economic model in exchange for reducing its security under the fault tolerance model? Do we care more about having predictable security or predictable issuance? These are discussions for another post.

