CKB 中文

CKB is the ideal Bitcoin Layer 2

Dr. Zhang Ren: My bias against all consensus protocols except for Satoshi Nakamoto consensus

On April 9, Dr. Zhang Ren, a researcher from Nervos & Cryptape and the designer of the CKB consensus algorithm NC-Max, was invited to participate in the Hong Kong "Web3 Scholar Summit 2024" and delivered a keynote speech titled "My Biases against Every Consensus Protocol that is not Nakamoto Consensus."

Watch the speech video (bilingual subtitles, must be viewed in the WeChat public account article): https://mp.weixin.qq.com/s/UWqZQGgZcMh5Zed_cxftOA

The following is a summary of Dr. Zhang Ren's English speech (if there are discrepancies with the video content, the video shall prevail):

When I received the invitation to speak here, I was surprised to find that this was a scholar conference among a series of industry summits. This fact once again brought out the core question in my not-so-long research career: What role do researchers play in the blockchain world? More specifically, what is my role? What exactly are researchers?

Some researchers are seen as gods; they make the impossible possible and give rise to a huge industry, like Satoshi Nakamoto. Some play the role of gods, pursuing truth without being bound by law and morality. Others are the ones who convey oracles, reminding humanity of its limitations and revealing the laws of the universe. However, the blockchain world no longer needs gods and oracle conveyers. Developers and entrepreneurs do not need us to tell them what cannot be done. At least, I am not yet sufficient to be that kind of person.

Therefore, when I realized that I could not create or reveal something great, I took pleasure in destroying those who claim to be great. I discovered my true talent. This discovery stemmed from my criticism of a Bitcoin scaling protocol called Bitcoin Unlimited, and I will tell you that story later. My true talent is making others unhappy. Being the culprit of others' unhappiness brings me great joy. I am not alone. After reviewing today's agenda, I found that most of the speakers are recognized security researchers. Choosing to be a security researcher means we must have some deep-seated psychological issues. In German, there is even a word to describe this pleasure, called Schadenfreude.

Therefore, I hope to be a gadfly. Socrates compared himself to a gadfly when defending his life, stinging people and provoking them to anger, all for the sake of truth. What am I doing here? I am spreading biases. These are my viewpoints. Sometimes, they are rejected several times before being accepted and published by some open-minded reviewers. Outside of academia, these viewpoints are loved by some and hated by others. As my alma mater's Professor Zheng Yefu often said: "A PhD gives one the ability to persuade others to believe in one's biases. How boring it is to have no biases!"

"My Biases against Every Consensus Protocol that is not Nakamoto Consensus," this is the title of my speech. I will delve into five different types of protocols. I know most of you are curious about Ethereum, so I will leave it for last. In case I go a bit over time, the host will feel a little guilty for having to interrupt me!

First, regarding Bitcoin Unlimited. The following image is of Yonatan Sompolinsky, the designer of the GHOST protocol and the founder of Kaspa. He guided me early in my PhD career. Back in 2017, he told me on a call: "Bitcoin is about to split into two chains; maybe you can do something."

[Figure: Yonatan Sompolinsky]

So, what happened at that time? For those too young to remember, in 2017, there was a debate about how Bitcoin should increase its throughput. The most popular method among miners was a protocol called Bitcoin Unlimited, which claimed it could increase the block size limit without splitting the network. Its supporters were so confident in its superiority that they claimed they would launch a 51% attack once they became a supermajority. However, the community was concerned about its security. Supporters of Bitcoin Unlimited claimed that such an attack would "make the cost for the attacker far exceed that of the victim."

[Image]

Due to time constraints, I do not have time to introduce its technical details; I will only mention a little. In BU, there is no consensus on block validity, which means that a block that is valid for you may be invalid for others, and each miner chooses for themselves. What does a valid block mean? Each miner has their own block size limit. In this study, we analyzed the claims of BU supporters under three different incentive models, and the results showed that BU weakened Bitcoin's security in all cases.

Essentially, in BU, an attacker can generate a block that causes the honest mining power to split into two different chains. Ultimately, these two chains will converge such that a block from an attacker can make multiple honest blocks orphaned. So in my view, BU's slogan should be changed to "Bitcoin Unlimited unleashed potential attacks."
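The BU weakness described above comes down to one fact: because each miner applies its own block size limit, a single block can be valid for one honest faction and invalid for another, so honest hash power splits. The following simplified model is an added example written for this summary (it is not code from the speech or from the paper, and the miner list and limits are constructed sample values): it computes how much honest power a block of a given size splits off, and the worst split any block size can cause. Under a prescribed validity rule (everyone uses the same limit) no block can split honest power at all.

```python
# Constructed sample: (own block-size limit in KB, integer hash-power share).
# In BU every miner picks its own limit; shares sum to 100.
BU_MINERS = [(1000, 30), (2000, 40), (8000, 30)]
# Prescribed validity consensus: everyone enforces the same limit.
PRESCRIBED_MINERS = [(1000, 30), (1000, 40), (1000, 30)]


def honest_partition(miners, block_size):
    """Return (accepting, rejecting) fractions of honest hash power for a
    block of `block_size` KB when each miner applies its own limit."""
    total = sum(share for _, share in miners)
    accept = sum(share for limit, share in miners if block_size <= limit)
    return accept / total, (total - accept) / total


def worst_case_largest_faction(miners):
    """Over every block size a publisher could choose, return the smallest
    'largest honest faction' it can leave behind. 1.0 means no block size
    splits honest power; the smaller the value, the less honest power the
    publisher's chain has to outpace until the factions reconverge."""
    worst = 1.0
    for limit in sorted({limit for limit, _ in miners}):
        # A block one KB over `limit` is rejected by every miner whose own
        # limit is at most `limit` and accepted by everyone above it.
        accept, reject = honest_partition(miners, limit + 1)
        worst = min(worst, max(accept, reject))
    return worst


if __name__ == "__main__":
    for name, miners in (("BU", BU_MINERS), ("prescribed", PRESCRIBED_MINERS)):
        acc, rej = honest_partition(miners, 1500)
        print(f"{name}: 1500 KB block accepted by {acc:.0%}, rejected by {rej:.0%}; "
              f"worst-case largest honest faction {worst_case_largest_faction(miners):.0%}")
```

With the sample limits a 1500 KB block splits honest power 70/30, and a block just over 2000 KB splits it 30/70; the best a publisher can do is leave a 70% honest faction behind. With a single prescribed limit every block is either accepted or rejected by everyone, so the largest faction is always 100%.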

After our paper "On the Necessity of a Prescribed Block Validity Consensus: Analyzing Bitcoin Unlimited Mining Protocol" was published, BU's support immediately declined. CoinDesk reported our findings, ending the debate over BU's security. A few months later, BU's support dropped to zero. This paper was published at the end of the year in CoNEXT.

Second, regarding the other 9 PoW protocols. To improve Nakamoto Consensus (NC), I designed a model and evaluated dozens of ideas, but none were perfect. However, these flawed ideas continue to be published with little or no security assessment. I believe people need to be informed. I am a bit ashamed to admit that this aligns with the "if I can't have it, you can't either" crab mentality.

Many protocols claim to improve NC, but the real question is: Is there a protocol that comprehensively surpasses NC in security? To assess this, we first need to understand how to improve NC.

The main weakness of NC is its poor chain quality, which leads to three types of attacks:

First, selfish mining attacks. The process of selfish mining is the same as that of chain quality attacks, but the purposes of these two attacks are different. The goal of selfish miners is to increase profits, while the goal of chain quality attackers is to increase the percentage of main chain blocks. These two attacks are not equivalent in other consensus protocols.

[Image]

Second, double-spending attacks. I think I can skip this part; everyone knows what a double-spending attack is.

[Image]

Third, censorship attacks. In a censorship attack, the attacker claims to invalidate all blocks that confirmed certain transactions. If some miners disagree with the attacker's claims, the attacker will attempt to invalidate those blocks. Although the success rate of this attack is low, the rational choice for honest miners is to join the attacker, making the attacker the de facto owner.

[Image]

There are other mining-related attacks, but they do not directly target consensus protocols.

Our evaluation framework consists of four metrics. A protocol that surpasses NC needs to achieve better chain quality or better resist the three attacks mentioned above. Therefore, we divided all protocols claiming to surpass NC into two groups:

  1. Better chain quality protocols, which claim "I can improve the quality of the chain and fundamentally solve all attacks," usually adopting different fork resolution strategies.
  2. Attack-resistant protocols, which claim "I do not need to improve the quality of the chain; I can resist attacks." We further divided this group into three subgroups:
  • All-reward protocols: compensating the losers so that there is no incentive for selfish mining.
  • Punishment protocols: identifying all competing blocks, thus punishing double-spending regardless.
  • Lucky reward protocols: only rewarding certain lucky blocks, hoping these lucky blocks serve as anchors for a stable network.

Our results show that no protocol comprehensively surpasses NC. They either only improve chain quality in certain attacker scenarios or sacrifice one type of attack resistance for another.

[Image]

We identified a series of attacks targeting specific protocols and explored the reasons these protocols fail to achieve their goals; this speech can only introduce two.

First, rewards do not solve the attack problem. Attempting to design a novel incentive mechanism to resist certain attacks is a common mistake. Attackers have different motivations, and no single reward mechanism can deter all attacks. We discovered a dilemma called "reward the good, punish the bad." If all mining products are rewarded, there is no risk of double spending, as double-spending attackers will receive rewards regardless. If all competing blocks are punished, it effectively provides attackers with a new tool for censorship attacks. If only lucky blocks are rewarded, attackers can exploit lucky blocks to claim rewards while using unlucky blocks to attack honest miners.

The second insight is about how to design consensus protocols. We should not design overly complex protocols that are difficult to analyze. We also should not only target one attack strategy, one attacker incentive, or use real-world parameters for security analysis. As Knudsen used to say, "If a protocol cannot be proven secure, then it is likely not secure." But in reality, Knudsen never said that; what he said was: "If it can be proven secure, then it may also not be secure." However, I believe the modified statement is also valid, unless you are Satoshi Nakamoto.

My paper "Lay Down the Common Metrics: Evaluating Proof-of-Work Consensus Protocols’ Security" was published in IEEE 2019.

Due to time constraints, I will skip the third part — sharded blockchains. Just remember that sharding is very difficult.

Fourth, regarding two DAG-based protocols. For those who are not too young, you should know that Bitcoin makes trade-offs in security performance. If you want to enhance performance by increasing block size or shortening block intervals, you will ultimately get more orphaned blocks, as Yonatan illustrates in this image. If there are more orphaned blocks, both security and performance will actually worsen: security decreases because attackers can mine longer chains with less mining power; performance also deteriorates because all the bandwidth wasted on propagating these orphaned blocks does not help transaction confirmations.
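To make the security-performance trade-off concrete, here is an added example (not from the speech or the NC-Max paper; the Poisson block-arrival model and the simplified attacker model are assumptions of this example). With Poisson block arrivals at interval T and a propagation delay d, a block is forked whenever the next block is found before it has propagated, which happens with probability 1 - exp(-d/T), and each fork orphans one block. If honest miners lose a fraction r of their blocks this way while a privately mined attacker chain never forks against itself, the attacker outgrows the honest chain as soon as alpha > (1 - alpha)(1 - r), i.e. with less than 50% of the hash power. Shortening the interval or enlarging blocks (longer d) raises r and lowers that threshold.

```python
import math
import random


def orphan_rate(block_interval, propagation_delay):
    """Analytic estimate of the orphan rate: probability that the next block
    arrives within the propagation delay of the current one (Poisson model)."""
    return 1.0 - math.exp(-propagation_delay / block_interval)


def simulate_orphan_rate(block_interval, propagation_delay, n_blocks, seed=0):
    """Monte Carlo check of orphan_rate: draw exponential inter-block gaps and
    count the fraction shorter than the propagation delay."""
    rng = random.Random(seed)
    forks = sum(
        1 for _ in range(n_blocks)
        if rng.expovariate(1.0 / block_interval) < propagation_delay
    )
    return forks / n_blocks


def attack_threshold(orphan):
    """Smallest hash-power fraction alpha at which a private attacker chain grows
    faster than the honest chain when honest blocks are orphaned at rate
    `orphan`: solve alpha = (1 - alpha) * (1 - orphan)."""
    return (1.0 - orphan) / (2.0 - orphan)


if __name__ == "__main__":
    delay = 10.0  # seconds; constructed propagation delay
    for interval in (600.0, 60.0, 10.0):
        r = orphan_rate(interval, delay)
        print(f"T={interval:>5.0f}s d={delay:.0f}s  orphan rate {r:.3f}  "
              f"simulated {simulate_orphan_rate(interval, delay, 100_000):.3f}  "
              f"attack threshold {attack_threshold(r):.3f}")
```

With a 10-second delay, going from a 600-second to a 10-second block interval moves the orphan rate from under 2% to about 63%, and the attacker threshold from roughly 49% down to about 27%, which is the "more orphans mean less security" half of the trade-off.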

The NC-Max I designed solves this problem, but there is no time today to explain how it works. You must trust me that NC-Max solves this problem. However, getting the NC-Max paper "NC-Max: Breaking the Security-Performance Tradeoff in Nakamoto Consensus" published was not easy either. Before being accepted, we were rejected several times. One of the reasons it was hard to get accepted was that reviewers kept asking us, "Since DAG protocols have already solved the security-performance trade-off problem, why design a chain-based protocol?" This prompted us to conduct another study to convince the community that DAG protocols do not solve the security-performance trade-off problem.

What are DAG-based protocols? To achieve higher throughput, Yonatan proposed replacing the blockchain structure with a Directed Acyclic Graph (DAG). Each block can have multiple predecessor blocks, and multiple concurrent blocks can contribute to transaction confirmations. However, early DAG-based protocols either had weak security guarantees or could only provide partial security analysis.

Only two DAG-based protocols, Prism and OHIE, can prove their security. They can demonstrate their security and performance by decoupling transactions, synchronization, and confirmation. Due to time constraints, there is no time today to explain how they work, but their main ideas are very simple and similar to NC-Max. Therefore, the responsibility for transaction confirmation falls on a series of NC chains composed of small blocks. Why use NC chains in DAG protocols? The benefit of doing so is that you can borrow the security proof of NC, which is very mature and rigorous.

Can they really make trade-offs in security performance? Of course not. The problem with these two protocols lies in a hidden assumption. They use multiple small blocks, hoping these small blocks have only brief and constant delays and are always immediately accepted, thus escaping the security-performance trade-off. But this assumption does not hold, and we found two phenomena indicating that this assumption is incorrect.

The first phenomenon is called block congestion. Suppose the network can only process one block per second, and you mine three blocks in 2 seconds; then at least one of those blocks cannot complete propagation within 2 seconds, regardless of how small they are; the bandwidth is insufficient.

The second situation is called late predecessor. Suppose you have a small block, the orange block, which references a large number of large blocks. Even if this small block is immediately propagated to all miners, miners cannot mine on it until they receive all the larger predecessor blocks. Miners must wait for the large blocks, even though they are the predecessors of the small blocks. We did some clever mathematical analysis, and the results show that they are also affected by the security-performance trade-off.
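The two phenomena just described, block congestion and late predecessor, can both be reproduced with a few lines of discrete event arithmetic. The code below is an added example for this summary, not from the speech or the DAG paper; the block sizes, timings and the one-shared-link network model are constructed assumptions. `fifo_arrivals` models blocks sharing a link of fixed bandwidth, so three unit-size blocks created within two seconds on a one-block-per-second link cannot all arrive within those two seconds, however small they are. `minable_times` then shows that even when a small block is delivered almost instantly (the most favourable, per-block-bandwidth assumption in `independent_arrivals`), nobody can mine on it until its large predecessors have arrived.

```python
def fifo_arrivals(blocks, bandwidth):
    """blocks: list of (created_at_s, size) in creation order, all sent over one
    link of `bandwidth` size-units per second. A block starts transmitting only
    once it exists and the link has finished the previous block. Returns the
    time each block has fully arrived."""
    link_free = 0.0
    arrivals = []
    for created, size in blocks:
        start = max(created, link_free)
        link_free = start + size / bandwidth
        arrivals.append(link_free)
    return arrivals


def independent_arrivals(blocks, bandwidth):
    """Most favourable assumption: every block gets the full bandwidth alone."""
    return [created + size / bandwidth for created, size in blocks]


def minable_times(arrivals, parents):
    """A miner can build on block i only after i and all of its predecessors
    (transitively) have arrived. parents[i] lists i's direct predecessors, and
    blocks are assumed to be listed in topological order (parents first)."""
    minable = []
    for i, arrived in enumerate(arrivals):
        ready = arrived
        for p in parents[i]:
            ready = max(ready, minable[p])
        minable.append(ready)
    return minable


def congestion_demo():
    """Three 1 MB blocks mined at 0.0, 0.8 and 1.6 s on a 1 MB/s link: the
    third block cannot arrive before t = 3 s, i.e. not within the 2 s window."""
    blocks = [(0.0, 1), (0.8, 1), (1.6, 1)]
    return fifo_arrivals(blocks, bandwidth=1)


def late_predecessor_demo():
    """A 0.25 MB block referencing two 5 MB predecessors: it is delivered at
    t = 1.25 s but is not minable until the last predecessor lands at 5.5 s."""
    blocks = [(0.0, 5), (0.5, 5), (1.0, 0.25)]
    parents = [[], [], [0, 1]]
    arrivals = independent_arrivals(blocks, bandwidth=1)
    return arrivals, minable_times(arrivals, parents)


if __name__ == "__main__":
    print("congestion arrivals:", congestion_demo())
    arrivals, minable = late_predecessor_demo()
    print("late predecessor arrivals:", arrivals, "minable at:", minable)
```

In both cases the effective delay of the small block is set by the bandwidth or by its predecessors, not by its own size, which is why the constant small delay that Prism and OHIE rely on does not hold in general.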

However, getting this paper published was not easy either. Reviewers kept asking us, "Since chain-based protocols have already solved the security-performance trade-off problem, why analyze DAG-based protocols?" I know there may be different reviewers, but that ironic feeling is real. I spent two years writing this paper because you said my previous paper was not persuasive enough. Now that this paper is complete, you tell me that you were convinced two years ago. So I found myself in an awkward position. To get my paper published, I hoped that the protocols they attacked would become more popular, convincing people that they were worth attacking.

Later, the paper "Security-Performance Tradeoff in DAG-based Proof-of-Work Blockchain Protocols" was accepted by NDSS, the same conference that accepted the NC-Max paper. May the best conferences receive the best papers.

Finally, regarding all PoS protocols. For those who enjoy the technical parts, I apologize; this speech is too short to waste on attacking PoS protocols. If you are really interested, you can check out my 2019 speech video, where I spent an hour explaining why PoS can never be as secure as PoW.

How many attacks remain to be formally analyzed? We did some simple statistics. Our research group conducted a small project, and from 2020 to 2022, there were 585 blockchain papers appearing in top CS conferences. Surprisingly, PoW papers still outnumbered PoS papers.

We found the following insights. For the formal analysis of Nakamoto Consensus, researchers found it to be more secure than previously thought. But for PoS protocols, researchers discovered more attack vectors, which were essentially instantiated in my 2019 speech. As for new PoS designs, we are uncertain whether they can achieve the same level of security as PoW. There has been no analysis or measurement research on the PoS ecosystem because they are either too centralized or too homogeneous.

[Image]

A special example is Ethereum's PoS. I mention it because it is so interesting. In Ethereum, a block that is valid for some may be invalid for others, which means there is no consensus on block validity. Ethereum uses a synchronous model for issuing rewards and a partially synchronous model for confirming blocks. Recall that if a protocol cannot prove it is secure, then it is likely not secure. Therefore, it may reward the good and punish the bad. Recall that rewards do not solve the attack problem.

[Image]

I think this is a great research topic. However, I arrived too late, as many researchers have pounced on it like a pack of wolves, and some of the issues have already been resolved. Ethereum claims to have a future, but those who do not remember the past are doomed to repeat it.

What is the next step? With so many researchers attacking Ethereum, it is hard for me to find new angles, let alone new information. But I still managed to find one, although I write slowly. Therefore, I will conclude this speech with my most sincere blessing for Ethereum: Please do not die before I finish.

Thank you.

Related links:

  1. On the Necessity of a Prescribed Block Validity Consensus: Analyzing Bitcoin Unlimited Mining Protocol: https://eprint.iacr.org/2017/686
  2. Lay Down the Common Metrics: Evaluating Proof-of-Work Consensus Protocols’ Security: https://www.esat.kuleuven.be/cosic/publications/article-3005.pdf
  3. NC-Max: Breaking the Security-Performance Tradeoff in Nakamoto Consensus: https://eprint.iacr.org/2020/1101
  4. Security-Performance Tradeoff in DAG-based Proof-of-Work Blockchain Protocols: https://eprint.iacr.org/2023/1089
  5. Dr. Zhang Ren's 2019 speech video: https://www.youtube.com/watch?v=gxFm1QieUdE