- A detailed critique of both the Proof of Work system used by most cryptocurrencies and blockchains, and schemes such as Proof of Stake that have been proposed to replace it.
- An alternate scheme for securing blockchains based on combining Proof of Space with Verifiable Delay Functions.
I'll first outline Cohen's critiques of Proof of Work, Proof of Stake, and Proofs of Other Things, then summarize his proposed scheme combining Proof of Space with Verifiable Delay Functions (PoSp/VDF), and conclude by addressing the aspects of his talk that concerned me. I have tried to refer to quotes, concepts and slides by the time at which they appear in the video thus [MM:SS] but these times are approximate. I apologize if the quotes are mis-transcribed from the audio.
Proof of WorkBitcoin's massive energy consumption.
|Cost of rewriting attack
powerful miners have the ability to rewrite the block chain and replace their own transactions, allowing them to take back previous payments. The cost of this attack depends on the percentage of total network hash rate the attacking miner controls. The more centralized mining becomes, the less expensive the attack for a powerful miner.They provide a real example:
In September 2013, someone used centralized mining pool GHash.io to steal an estimated 1,000 bitcoins (worth $124,000 USD) from the gambling site BetCoin. The attacker would spend bitcoins to make a bet. If he won, he would confirm the transaction. If he lost, he would create a transaction returning the bitcoins to himself and confirm that, invalidating the transaction that lost the bet. By doing so, he gained bitcoins from his winning bets without losing bitcoins on his losing bets. Although this attack was performed on unconfirmed transactions, the attacker had enough hash rate (about 30%) to have profited from attacking transactions with one, two, or even more confirmations.More details of this attack are here.
Proof of StakeProof of Stake is an alternative consensus system for cryptocurrencies in which holders put some or all of their holdings "at stake", a process known as "bonding". Blocks of transactions are validated by a quorum of the currency "at stake". Misbehavior by holders is deterred by "slashing", miscreants lose their stake. It appears attractive, in that it can vastly reduce the energy demand of Proof of Work systems such as Bitcoin's. It is especially attractive to core team members and early adopters of a cryptocurrency, since they will be large holders and will thus be able to control the currency.
- Its threat model is weaker than Proof of Work.
- Just as Proof of Work is in practice centralized around large mining pools, Proof of Stake is centralized around large currency holdings (which were probably acquired much more cheaply than large mining installations).
- The choice of a quorum size is problematic. "Too small and it's attackable. Too large and nothing happens." And "Unfortunately, those values are likely to be on the wrong side of each other in practice."
- Incentivizing peers to put their holdings at stake creates a class of attacks in which peers "exaggerate one's own bonding and blocking it from others."
- Slashing introduces a class of attacks in which peers cause others to be fraudently slashed.
- The incentives need to be strong enough to overcome the risks of slashing, and of keeping their signing keys accessible and thus at risk of compromise.
- "Defending against those attacks can lead to situations where the system gets wedged because a split happened and nobody wants to take one for the team"
Proofs of Other Things
- Peers need to be able to audit proofs locally, which isn't true of proofs of participation, importance or more nodes.
- The system needs to adjust the "difficulty" of proofs, which requires an exponential distribution of "difficulty", which these other types typically lack.
Proof of Space and Verifiable Delay Functions
- Bring in verifiable delay functions (VDFs) and alternate between proofs of space and time
- Split between the 'trunk' of the blockchain which challenges come from and the 'foliage' which contains transactions
- Attach public keys to proofs of space so there's no choice after one wins
- Use canonical proofs of space, verifiable delay functions, and signatures
- All we have to do is invent a new proof of space algorithm, verifiable delay algorithm, and method of combining them
As I understand it, the proof of space technique in essence works by having the prover fill storage space with an array of pseudo-random points in [0,1] via a time-consuming process. The verifier can then pose to the prover a question that can be answered either by a single storage access (fast) or by repeating the process of filling the storage (slow). By observing the time the prover takes the verifier can distinguish these two cases, and thus be assured that the prover has stored the (otherwise useless) data.
As I understand it, verifiable delay functions work by forcing the prover to perform a specified number of iterations to generate a value that the verifier can quickly show is valid.
- To use in a blockchain, each block is a proof of space followed by a proof of time which finalizes it.
- To find a proof of space, take the hash of the last proof of time, put it on a point in [0,1], find the closest proof of space you can to that.
- To find the number of iterations of the proof of time, multiply the difference between those two positions by the current work difficulty factor and round up to the next integer.
- The result of this is that the best proof of space will finish first, with the distribution of arrival times of finalizations the same as happens in a proof of work system if resources are fixed over time.
- The only discretion left on the part of farmers is whether to withhold their winning proofs of space.
Just as with Bitcoin's Proof of Work, farming pools would arise in PoSp/VDF to smooth out income. The pool would divide up [0,1] among its members.
ConcernsOne aspect of the talk that concerned me was that Cohen didn't seem well-informed about the landscape of storage. Here are a few quotes:
2016 Media Shipments Exabytes Revenue $/GB Flash 120 $38.7B $0.320 Hard Disk 693 $26.8B $0.039 LTO Tape 40 $0.65B $0.016
- Cohen's first slide claims "Storage is an over $100 billion a year industry with about 50% utilization". The vast majority of hard disks are now purchased by cloud companies. The idea that, for example, Amazon Web Services has purchased twice as much hard disk as it needs is ludicrous.
- [43:50] "You have this thing where mass storage medium you can set a bit and leave it there until the end of time and its not costing you any more power. DRAM is costing you power when its just sitting there doing nothing". A state-of-the-art disk drive, such as Seagate's 12TB BarraCuda Pro, consumes consumes about 1W spun-down in standby mode, about 5W spun-up idle and about 9W doing random 4K reads. Clearly, PoSp/VDF takes energy, just a lot less energy than Proof of Work. Cohen might argue that, since PoSp/VDF expects to use the empty 50% of drives that store actual user data, the energy cost is zero. But these drives are not just part empty, they are in standby much of the time too. Using them for Proof of Space means they are active somewhat more of the time, because they have to wake up from standby at least once every block time. They are thus consuming energy that the owner has to pay for. Also, the drives are typically warranted not "until the end of time" but only for 5 years.
There is another economic impact. The consumer drives I believe he is thinking about are intended for consumer workloads, and are thus designed to be idle much of the time. They are specified with a "rated workload". The 12TB BarraCuda Pro specifies:
Maximum rate of 300TB/year. Workloads exceeding the annualized rate may degrade the drive MTBF and impact product reliability. The Annualized Workload Rate is in units of TB per year, or TB per 8760 power on hours.Thus the drive is specified to average no more than about 35GB/hr over its lifetime. The drive has a maximum sustained transfer rate of 0.238GB/s or 857GB/hr. So the drive is designed for a duty cycle of about 4%. The Proof of Space workload would increase the drives' duty cycle somewhat, since it requires a few disk accesses per block time. It would thus wear the drives out somewhat faster, imposing further costs on the storage owner.
Write endurance vs. cell size
Once again Economies of Scale in Peer-to-Peer Networks was prophetic.
PS - I have not had time to analyze in detail the FileCoin proposal, which has some similarities to PoSp/VDF. It has many significant differences, in that it stores user data rather than verifies transactions, uses a combined Proof of SpaceTime rather than separate proofs, and employs bonding and slashing. It also appears to depend upon Lightning-style off-chain payment channels.