
Editor's note: A 51% attack recently occurred on ETC, and the security of PoW has been hotly debated. Ethereum founder Vitalik Buterin also said that this proves switching from PoW to PoS is the right choice. Odaily invited Fan Lei, associate professor at Shanghai Jiaotong University, to analyze why he thinks PoS may be the better choice for us.
This article was first published on Odaily. The author is Fan Lei, associate professor and director of the School of Cyberspace Security, Shanghai Jiaotong University, and CTO of Fractal Platform. The original title is "Security and Development Direction of Blockchain Consensus Protocol".
1. What is a 51% computing power attack
At present, most cryptocurrencies, represented by Bitcoin, adopt a consensus protocol based on Proof of Work (PoW). Miners participating in Proof of Work generate new blocks through computation so that the blockchain keeps growing. Since a blockchain is a decentralized system, anyone can try to generate new blocks from any location. If the attacker has relatively few computing resources, the fork generated by the attacker grows more slowly than the public blockchain, so a longer fork that honest users would accept never forms. But if the attacker has more computing resources than the honest users, the attacker's fork grows faster than the public blockchain, and the attacker can easily form a new, longer branch that supersedes the longest publicly available blockchain. See Figure 1 and Figure 2 for the specific process.
Figure 2. The attacker has the upper hand in computing power
The attacker's computing resources are dominant. A simple mathematical description is that the attacker controls more than 51% of the computing power, which is the origin of the name "51% computing power attack". When the attacker controls more than 51% of the computing resources, the attack is certain to succeed. In fact, when the attacker holds a sufficient proportion of computing resources, such as 40%, and 6 blocks are taken as the confirmation length, the attacker can carry out the fork attack with a relatively high probability.
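The catch-up probability behind the 40%/6-block remark can be computed with the formula from section 11 of the Bitcoin whitepaper. The following Python is an added illustration, not code from the original article; the function names are my own, and the q = 0.4, z = 6 case from the text comes out at roughly 50%.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the total hash power
    eventually overtakes the honest chain after a recipient has waited for
    z confirmations (Nakamoto's formula, Bitcoin whitepaper section 11).

    The honest network holds p = 1 - q. With a majority (q >= p) the attacker
    is certain to catch up, which is the 51% case described above; below a
    majority the probability is positive but shrinks exponentially with z.
    """
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of total hash power")
    p = 1.0 - q
    if q >= p:
        return 1.0
    # While the recipient waits for z honest blocks, the attacker's private
    # fork advances by a Poisson-distributed number k of blocks, mean z*q/p.
    lam = z * (q / p)
    prob = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        # The attacker is z - k blocks behind; the gambler's-ruin chance of
        # closing that gap from behind is (q/p) ** (z - k).
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return prob


def confirmations_needed(q: float, max_risk: float, limit: int = 1000) -> int:
    """Smallest confirmation depth z at which the attacker's success probability
    drops below max_risk. Returns limit when no depth up to limit is safe enough,
    which is always the case once q >= 0.5."""
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return limit


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.4, 0.45, 0.51):
        p6 = attacker_success_probability(q, 6)
        print(f"q={q:.2f}  P(success | z=6)={p6:.4f}  "
              f"confirmations for <0.1% risk: {confirmations_needed(q, 0.001)}")
```

Increasing the confirmation depth only helps against a minority attacker; the table printed above shows that for q of 0.51 no depth brings the risk down.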
2. Why this attack was successful
Unlike most network security attacks, the 51% computing power attack is a well-known attack method. Nothing about the attacker's behavior and process this time was new.
Generally speaking, the stronger the overall computing power of a PoW-based cryptocurrency system, the higher the cost of controlling 51% of it. Since most PoW algorithms share a similar core computing structure, computing power can easily be switched directly between different cryptocurrencies, and there are even computing power resources that can conveniently be rented by the hour. The website Crypto51 (https://www.crypto51.app/) tallies the cost of a 1-hour 51% attack against different digital currencies (excluding block rewards) and the proportion of the required computing power that can be rented from NiceHash. Among them, a 1-hour 51% attack on ETC costs only $5116, and 80% of the computing power can be rented from NiceHash (these figures keep changing; visit the website for real-time data). The possibility of such an attack cannot be ignored.
Another factor that cannot be ignored is that the PoW algorithm relies on a large amount of energy to drive mining. When the market value of the cryptocurrency falls below the mining income, mining machines shut down and stop mining, driven by self-interest. This causes a sharp drop in the computing power of the entire network, which makes a 51% attack easier to carry out. This 51% attack on ETC took advantage of exactly this opportunity. For emerging PoW-based cryptocurrencies, the attack cost is lower still because the computing power of the entire network is low.
3. Are PoW-based blockchains still safe?
There is no doubt that over the past 10 years cryptocurrencies, represented by Bitcoin, have achieved great success, and their security has been tested by the actual operation of the network. Moreover, cryptographers have theoretically proved the security of PoW-based blockchains. It is believed that mathematics is the cornerstone of blockchain security, a view also known as "In Math We Trust". However, technological development and research in recent years have shown that PoW-based blockchains also carry security risks.
1) Concentration of computing power
In fact, in cryptocurrency systems such as Bitcoin, people have long been concerned about the concentration of computing power because of the existence of super mining pools. Large mining pools and mining pool alliances formed by stakeholders may control close to, or even more than, 51% of the computing power. We cannot say that these large computing power groups will launch a 51% attack on the system, but they at least have the ability to do so.
2) Hidden dangers of computing power black swan
Under current technical conditions, the computing power of a cryptocurrency depends on the speed of hardware computation and on energy supply. A hidden danger that always exists is that once there is a leap forward in computing power, the security of the system may face a major threat. For example, because of the invention of fast algorithms or a change in chip technology, new computing resources may overwhelmingly exceed the original resources. In this case, the security of the system will be completely destroyed.
The above analysis shows that the security of a PoW blockchain is not based on mathematics; mathematics is only the glue between physical resources and the blockchain. Once the security assumption about physical resources no longer holds, the security of the blockchain system is threatened.
From a system perspective, PoW-based blockchains rely on computing power competition to select block producers, that is, bookkeepers. Computing power is a resource external to the blockchain ecosystem itself. The amount of computing power a user can rent has no necessary relationship to the on-chain assets or interests that user holds. Furthermore, the emergence of computing power leasing websites makes the right to use computing power quickly transferable. For example, the interests of mine owners or mining machine manufacturers who own computing power are strongly bound to the security of the main chain, but those of computing power renters are not. The amount of computing power is the only factor needed to launch an attack. If selfish mining and other strategies are adopted, current public chains can be attacked without reaching 51% of the computing power, resulting in double spending.
4. Do we have a better option
In recent years, more and more blockchain systems and distributed consensus protocols have been proposed. One important direction is stake-based consensus (Proof of Stake, PoS).
PoS was originally proposed mainly to solve the energy consumption problem of PoW. The essential purpose of PoS and PoW is the same: both randomly select one node among the participating nodes of the blockchain network to keep the accounts. The word "random" seems simple, meaning fair, unpredictable, and not controlled by malicious nodes, but it is actually difficult to achieve in a decentralized network, because there is no God to roll the dice. The randomness principle of PoW is that the more computing power you have, the more likely you are to become the bookkeeper. The randomness principle of PoS is that the more stake you have, the more likely you are to become the bookkeeper. The two seem very similar, differing only in the "credential" used for the election, but their designs and the attacks they face are very different.
PoS relies on stake to select bookkeepers. The stake owned by election participants is recorded on the blockchain, as is each participant's stake ratio, that is, the proportion of stake held by a user relative to the total stake on the blockchain. To carry out a 51% attack on PoS, you need to hold 51% of the stake on the chain, and stake can only be purchased from existing users; it cannot be produced by investment outside the system. Therefore, the cost of launching a 51% attack on a PoS system equals the cost of purchasing stake from the market.
Taking ETC as an example, the current total issuance of ETC is 107,514,088 ETC. If the consensus algorithm were PoS, a 51% attack would require holding 53,747,044 ETC, equivalent to a market value of about 229,542,578 US dollars. In the PoW case, renting the computing power costs only around $5,000. The comparison of funds required for 51% attacks against PoS and 1-hour 51% attacks against PoW for other digital currencies is shown in the table below (data from Crypto51, https://www.crypto51.app/; the data changes in real time, and the figures below were taken when the author was writing the manuscript). Moreover, the more stake people hold on the legitimate chain, the more inclined they are to maintain that chain. If stake were transferred or leased to an attacker, the risk the owner faces is far greater than for rented computing power, so it is difficult for the attacker to obtain enough stake by renting. So in terms of 51% attacks, PoS has more advantages than PoW. This is also an important reason why ETH will evolve to PoS consensus.
5. Concerns and Countermeasures of PoS Consensus Protocol
Compared with PoW, which has been successfully applied in many blockchain projects, the PoS consensus protocol has not yet been widely used, so many people have various concerns about it. Here we analyze the possible attacks on and weaknesses of PoS one by one.
1) PoS is a centralized system
At the beginning of PoS algorithm research, many researchers were naturally inspired by distributed computing theory and cryptography. The Byzantine Fault Tolerant (BFT) protocol is a classic algorithm for reaching consensus in a distributed environment, so most of the proposed PoS consensus algorithms can be regarded as some variant of BFT. The advantage of BFT algorithms is that confirmation delay is short in an ideal network environment, but their high communication complexity limits the number of nodes participating in consensus, so they cannot be used directly in global public chains. In systems such as EOS (DPoS) and Algorand, consensus is achieved by selecting some representatives to reach a Byzantine-style agreement, which gives people the subjective impression that PoS is a centralized protocol. In fact, current research has also proposed competitive PoS protocols similar to PoW, so there is no need to worry that PoS is inherently a centralized system.
2) The cold start of the new PoS chain is not safe
One point of view is that since the consensus nodes of a PoS system are determined by Token, and the system must have a prior token distribution before it can be cold-started, control of the PoS system belongs to a small number of early participants, who may act maliciously for excessive benefit and even destroy the entire system to achieve double-spending and other attacks. In practice, these concerns do not hold, for the following reasons:
a) At present, the blockchain ecosystem is relatively mature. Before the main chain of a new blockchain goes online, it usually goes through multiple rounds of fundraising, so even the founding team cannot control too large a Token share. A rational team will not pursue too much control over shares either: only when Token is sufficiently decentralized can the system be secure.
b) In a PoS system, the rights and interests of Token owners are fully reflected in the value of Token. This creates a stronger incentive to maintain the security of the system, making malicious action less likely. In a PoW system, an attacker can move hardware investment such as computing power to other blockchain systems after carrying out an attack for short-term gain, so the possibility of malicious behavior is higher.
c) In the startup phase of a new blockchain, if the PoW protocol is adopted, external computing resources can flood into the system uncontrollably. Because the total computing power of the whole system is not yet high, an attacker can complete an attack with fewer resources, so the cold start stage of a PoW blockchain is even more insecure. In fact, apart from Bitcoin, Ethereum and other PoW blockchains that have accumulated a large amount of computing power, all newly created blockchains face this problem. The computing power competition brought about by the earlier BCH fork reflects the danger of starting a new chain. To avoid being attacked, a centralized mining pool is often relied on to maintain early security, so the degree of centralization is higher than that of PoS.
3) PoS wealth centralization is serious
In the previous discussion, we analyzed that in the startup phase a PoS blockchain has usually already completed the initial distribution of Token. The initially obtained Token will indeed bring further investment income as the blockchain grows, so some people worry that the rich will get richer and cause wealth concentration. We analyze this problem as follows:
a) Wealth concentration occurs in any economic system, and it is no more serious in PoS systems. Existing economic research shows that even in the most equitable economic system there will be wealth concentration. The 80/20 distribution of wealth that we often speak of is a manifestation of this normal wealth-concentration phenomenon. The initial Token distribution of a PoS system is more decentralized and transparent than the initial equity distribution of most listed companies that have since become giants.
b) As long as a fair and transparent trading environment is provided, wealth concentration will not amplify indefinitely, so there is no need to worry. If Token can circulate freely in the secondary market, it will naturally receive a fair valuation in the market. If enough interest is attracted, the original investors will sell to take profit; if they are optimistic about the prospects of the system, later investors will buy rationally. Therefore, there is no need to worry that latecomers will be unable to buy, or that wealth will be completely concentrated.
In fact, since participating in PoW mining requires a large hardware investment and power input, scattered participants are far inferior to large-scale mining pools in terms of cost. When the currency price fluctuates, it is often the small-scale miners who exit first, so the centralization of wealth and computing power is more pronounced in PoW systems.
4) PoS will be attacked by Nothing-at-Stake
Nothing-at-Stake means that in a PoS system, since attempting to generate a block does not consume many hardware resources, an attacker can try to generate new blocks after several different blocks without following the protocol. This gives the clear intuition that PoS systems are more prone to forks. But a well-designed PoS system is fully resistant to Nothing-at-Stake attacks.
In a paper we wrote [1], a brand-new PoS protocol, iChing, is given, which is a competitive consensus protocol similar to PoW. The paper gives a theoretical analysis of the Greedy Attack (an attack strategy based on Nothing-at-Stake), and the results show that the attacker's greedy attempt to extend the chain at every position does indeed benefit the attacker, but the gain is not unbounded. Concretely, if the attacker holds the same proportion of stake as the honest nodes, the growth rate of the chain generated by the attacker will be at most e times that of the honest chain (e is the mathematical constant, about 2.71828), so PoS can tolerate a proportion of malicious stake not exceeding 30% (see the paper for the calculation). In response, the paper gives a countermeasure: under a strategy that encourages honest nodes to be moderately greedy, the proportion of malicious stake that can be tolerated rises to more than 43%. So Nothing-at-Stake is not an insurmountable attack.
5) PoS will be attacked by Long-Range
A Long-Range attack is a method by which attackers attack a PoS system through long-term accumulation, and its concrete form may vary. The most direct Long-Range attack is for the attacker to collect or purchase a large number of stake accounts that were valid at some point in the past, and then start a fork from that earlier point in time. The paper [2] proposes an attack strategy in the Long-Range family called the Stake-Bleeding attack, in which the attacker launches a fork attack after accumulating enough reward tokens through long-term secret fork mining.
6. The characteristics that the next generation blockchain should meet
To support more practical applications, a blockchain must not only meet the basic requirements of security and decentralization, but also solve problems such as low throughput and long confirmation times.
Low throughput is mainly due to the traditional single-chain structure of the blockchain and to network transmission delays. The recently proposed DAG structures, transaction packaging methods, and transaction sharding methods are therefore all research aimed at improving blockchain throughput.
Long confirmation time is a problem shared by all competitive blockchain consensus algorithms. It can be improved by layering a fast confirmation protocol on top.
We believe that the next-generation blockchain must have the following characteristics in order to truly support secure, efficient, and flexible application deployment:
1) A PoS-based consensus algorithm that avoids security dependence on external resources and eliminates the threat of attacks from outside the system.
2) Adherence to decentralized design, avoiding entrusting consensus rights to a small number of nodes; otherwise the system falls back to an existing centralized system.
3) A sophisticated distributed data storage design that avoids broadcasting and storing transaction data across the whole network, in order to support high-throughput applications.
References:
[1] Fan L, Zhou H S. iChing: A Scalable Proof-of-Stake Blockchain in the Open Setting. https://eprint.iacr.org/2017/656.pdf
[2] Gaži P, Kiayias A, Russell A. Stake-Bleeding Attacks on Proof-of-Stake Blockchains. 2018 Crypto Valley Conference on Blockchain Technology (CVCBT). IEEE, 2018: 85-92.