Hello Traxo and @anonymint,
I must admit that language and writing have never been my forte and the paper can benefit from improved writing. And I do appreciate your writing of the alternate summary + explanation which would definitely help.
Good summary of approval process in PoA:
If we can guarantee that all honest approvers will always vote on the same fork (i.e. never vote for candidate blocks with different parents), then at any quorum approval threshold choice above 50%, then assuming the attacker possesses less approval control than the threshold, a conflicting block can’t be produced which ends up with a higher approval at any time in the future. Thus for a 50%+1 quorum, the attacker must possess at least 50%+1 approval control in order to slash 25%+1 with conflicting approvals and approve of the attacking block with attacker’s remaining 25%. In that case, the double-spent block has 25%-1 of the remaining 75%-1 total approval and the attacker’s winning block has 25% of that 75%-1 total approval. There can’t exist another block that has a higher approval because the attacker controls 50%+1 which was expended.
Increasing the quorum threshold above 50% increases the safety because the attacker will need to control more than the threshold, but it reduces the liveness. For example, for an 80%+1 quorum, the attacker must possess at least 80%+1 approval control in order to slash 70%+1 with conflicting approvals and approve of the attacking block with attacker’s remaining 10%. In that case, the double-spent block has 10%-1 of the remaining 30%-1 total approval and the attacker’s block has 10% of that 30%-1 total approval. Liveness is maximized at the 50% quorum threshold because up to 50%-1 of the control can be non-responding.
The incentive mechanism in PoA posits to disincentivize honest approvers from choosing from candidate blocks with different parents. The choice of parent block is apparently dictated by network synchrony in that the live nodes will tend to have a Schelling point around approving all candidate blocks with the parent being the last approved block they saw that had met the quorum threshold. Presuming the slot interval expiration time is much larger than typical time to approve a block, then all or nearly all live nodes should have the same Schelling point choice for parent block. The tie breaker rules in Section 2.2.22 Approval Tie-Breaking Procedure A(·) are employed so that multiple competing approved blocks in a slot have only one Schelling point parent block.
The network synchrony assumption and Schelling point appear to maybe be what differentiates the incentive mechanism in PoA from Byteball’s 100% asynchronous incentive mechanism which allows Byteball to get stuck with competing witness groups even with no 50%+1 attacker. Also I need more study to determine if Byteball could ameliorate additional posited vulnerabilities when the quorum threshold is greater than 50%+1. It was originally (earlier in this thread) my lack of holistic understanding of this PoA incentive mechanism and Schelling point that caused me to believe PoA would also need ⅔ quorums for 100% finality.
Same as for Nakamoto proof-of-work, there’s no Schelling point nor Nash Equilibrium in PoA if the attacker has more than the 50% threshold control. PoA’s rules of conflicting approvals force the honest nodes to accept the attacker’s fork because the attacker records the conflicting approvals in his block that orphans the conflicting block(s). Even the attacker can’t bribe by eliding conflicting approvals of those approvers who defect to his block, because the honest conflicting block will contain the objective evidence of those signed conflicting approvals, which any node can verify thus objectively choosing the honest block as the winner (that is unless the attacker has the sufficient 50%+1 control, in which case the attacker doesn’t need to elide the conflicting approvals).
The 100% finality after one block is dependent on the attacker not having 50%+1 control of live stake.
Correction, the assumption is that attacker has <50% (more accurately <(ρ − δ − νc − νa − νe)) of the total stake.
The 100% finality after one block is dependent on the attacker not having 50%+1 control of live stake. Additionally, not only can live stake be much less than total stake of the money supply, but I earlier in this thread pointed out reasons that stake can be nearly cost-free to obtain and attack with. Also @monsterer2 has pointed out that unlike proof-of-work which burns external resources, it costs nearly nothing ongoing to sustain a 50%+1 stake attack (other than the opportunity cost of holding that stake but the attacker can offset that cost with profits due to attacking, such as taking all the newly minted money supply rewards, double-spending, and/or shorting the token on exchange).
Thus it is disingenuous to compare this claimed one block 100% finality to Nakamoto proof-of-work probabilistic finality. In essence, the finality of PoA is either fragile or dependent on a benevolent attacker (oligarchy) which collects parasitic rents in ways other than double-spending. For example, DPoS has elections for the delegate witnesses and to set their compensation. An oligarchy controls the elections and can extract the maximum rents the system can bear. And STEEM (running DPoS) and PoA can enable an oligarchy domination of the newly minted money supply. A 50%+1 attacker in PoA need not double-spend, he can just make sure he only includes his own approvers in blocks so that he takes all the minted tokens for the coin rolls consensus process.
Also there is no way that 100% of the stake will be participating. Thus, no blocks are likely to get 50%+1 approval! Thus the attacker will need much less than 50%+1 of the stake. Thus the presumption of 100% finality is not true in reality unless the system is run by an oligarchy which has 50%+1 of the control, and in which case the oligarchy can revert finality at-will.
The protocol desires that 50%+1 stake be online all the time. (If not, slots would be missing blocks.) The only way to achieve 50%+1 stake to be online is to have that stake in cloud. The PoA incentivizes all larger stakeholders to move to cloud through block rewards. (Block rewards would be difficult to receive without node being hosted in cloud.) If the parties are rational and the incentive exceeds the cost (of moving to cloud), then a quorum stake would likely be online all the time. The cost of cloud hosting at this time can be as low as $5-10/month (https://www.digitalocean.com/pricing/).
Note that this situation is completely different from PoW protocols. In PoW, large mining equipment is typically housed on premises of the owner and the communication latency and speed are not relevant for the rewards. Such large mining equipment couldn't be hosted in cloud or would cost a prohibitive amount. In PoA, on the other hand, a computation node with low latency and high speed wins the most rewards. A much larger computation node is unlikely to win additional rewards. The PoA tradeoffs are completely different from PoW.
Due to these different tradeoffs (compared to PoW) and block rewards, I do expect most larger stakeholders to operate on cloud and be available for block approvals.
In conclusion the major flaw in PoA is that it rewards all the minted money supply to the oligarchy that otherwise hopefully benevolently controls 50%+1 of the stake.
That is correct. To my understanding, that is the basis of Proof-of-Stake.
Thus note that if the attacker held 80 or 90% of the stake at inception or anytime in the distant past, then the attacker could long-range double-spend 30 or 40% of it and still defeat the TaPoS protection.
Long range history attack defense uses more than just TaPoS, it uses epoch and block approvals. It can be argued that TaPoS is not even needed for PoA since epoch approvals are likely to cover a large percentage of stake in the transactions.
But then I realized you had side-stepped the valid concerns I had by presuming that nearly 100% of the stake would be participating in all approvals. And that is sort of a disingenuous assumption and circumvention of the invariants I was holding in my head. Yeah you get your 100% finality in 1 block, but effectively only under oligarchy control of the system. But that is sort of dubious because centralized systems are short-term final and long-term anti-fragile.
PoA expects near all stake participation in epoch approvals but not in block approvals. Epochs are expected to be 3+ orders of magnitude larger than slots to achieve such a high participation.
PoA expects block approval rewards to be large enough that a single roll owner would benefit from moving to cloud. Therefore, most stakeholders owning larger stake than a roll would likely move to cloud. Assuming a Pareto-like distribution, that should constitute >50% stake online to approve blocks.
The conditions to make online stake smaller than quorum would be (failure conditions)
1. Stake distribution is too uniform. In that case, the incentive provided by block rewards may not cover cloud hosting cost.
2. Parties are not rational.
3. The block reward is too small to cover cloud hosting cost. In that case, the reward would have to be increased.
The Theorem 3.2 (Weak Finality and Finality) has a correct but misleading and irrelevant proof:
Proof. Theorem 3.1 shows that all honest parties have the common chain prefix for k ≥ 1. Therefore, any transaction in a block buried by one or more blocks is held by all chains of all honest parties. Therefore, any honest party will report that transaction after one or more blocks have been deposited on top of the block containing the target transaction.
The problem is that the finality of a single block may never be achieved without an oligarchy in control but an oligarchy in control breaks the security assumptions. So the problem is that the definition of finality as measured by a single block is not the complete story. Thus the proof is correct but only because it’s framed out-of-context of the flaws which make the proven theorem less relevant.
Explanation above applies here. Under the rationality and stake distribution assumption in the paper, the theorem is correct and relevant.
Another summary: The significant weakness is the presumption that 100% of the stake will be live. Otherwise the attacker needs much less than 50+%. Also the finality of blocks can’t be attained if there is not 50+% live. So there needs to be a 50+% attacker just for it to become final, unless 50+% of stake is always live and always votes correctly.
Online stake requirement (for liveness) is only >50% not 100% and the attacker still needs more than (ρ − δ − νc − νa − νe) stake to be able to win. Blocks containing approvals below quorum are simply invalid. Attacker can own the stake for approving invalid blocks or bribe other stakeholders. Either way, the attacker needs to control an amount > (ρ − δ − νc − νa − νe) to win.
Regards,
Shunsai