The trend of PoW turning to PoS is rising. Is it right or wrong? | DeepHash

The trend of PoW turning to PoS represented by Ethereum can be said to be the most important development of blockchain technology this year. The PoW mechanism and the entire mining industry behind it have been proven to have various flaws and controversies. Ethereum was the first to set the goal of turning to PoS, and after many repeated adjustments and iterations, it has finally come to the time to implement it.

However, can the switch to PoS really solve the problem? Or will it create more new problems? Is this path feasible? This week, DeepHash column invited Conflux Research Director Yang Guang to make an in-depth analysis. In the article, he compared the advantages and disadvantages of PoW and PoS in detail, and pointed out what challenges and trade-offs a public chain may face if it wants to switch from PoW to PoS. He believes that the existing mainstream public chains need to be very cautious in switching from PoW to PoS, otherwise it is likely to bring unnecessary risks to the entire consensus system, or even catastrophic consequences.

(Source: Pixabay)

By Yang Guang (Research Director of Conflux)

Just a few days ago, on May 2, it was announced at the Ethereum core developer meeting that the code for Ethereum Phase 0 Beacon Chain will be ready on June 30. The upgrade will enable a PoW/PoS hybrid consensus protocol Casper the Friendly Finality Gadget (“FFG”)—aka”Vitalik’s Casper”, which is the first step in the Ethereum 2.0 upgrade roadmap to shift the consensus mechanism from proof of work (PoW) to proof of stake (PoS).

The change of Ethereum consensus mechanism is not only a microcosm of the trend of PoS becoming more and more popular, but also as the first mainstream public chain project to transform from PoW to PoS, it will surely inject fresh blood into the PoS camp and promote the development of PoS consensus. This article will discuss how to view the trend of public chain consensus shifting from PoW to PoS.

The significance of PoW and PoS in the consensus mechanism

First of all, it needs to be clarified that whether it is proof of work, proof of stake or any other proof (PoX), they are used to resist Sybil attacks and are not equivalent to consensus mechanisms. To put it in a more vivid way, they are only used to determine who has the right to vote, and the final consensus can only be determined by counting the number of votes.

Taking Bitcoin, which is the most familiar to everyone, as an example, the proof of work only proves that a packaged block is formally legal. The final decision on whether the transactions contained in the block are valid depends on whether the block is on the longest chain. Generating a block with proof of work is equivalent to casting a vote. The chain with the most votes (i.e. the longest chain) is the valid ledger.

Ethereum, which is also based on proof of work, uses another way to count the number of votes. When encountering a fork, it does not choose according to the longest chain rule, but chooses the heaviest subtree that can be observed in a greedy manner. This consensus mechanism is also called GHOST (Greedy Heaviest Observed Subtree).

On the other hand, how to determine voting rights is a very core part of any consensus. Consensus protocols based on the same anti-sybil attack mechanism often have many similarities, and replacing the mechanism often means that the entire system needs to be redesigned. Therefore, many times we will simply use "PoW consensus" and "PoS consensus" to classify consensus mechanisms.

Characteristics of PoW and PoS mechanisms

The biggest advantage of the PoW consensus based on proof of work is its high security. This security comes from two aspects: first, the marginal cost of voting itself is relatively high, because each successful vote requires a lot of calculations to be completed, and a lot of electricity is consumed in the process; second, the votes cast and voting rights are strongly bound, because the computational problems that need to be solved by the proof of work are calculated based on the block to be voted for, and the proof of work done for a block A cannot be used to vote for another block B.

The second point is particularly important for security because it ensures that the choices made through proof of work cannot be revoked or modified, even if you want to change your past votes - unless you re-produce proof of work for other competing options, which requires a lot of time and resources such as electricity again. As a previous voter, you do not have any advantage over attackers.

Another advantage of the PoW consensus mechanism is that it is simple in structure and easy to analyze and implement. For example, the longest chain mechanism used by Bitcoin can easily analyze the behavior of ordinary miners from the perspective of game theory, so as to make a more objective judgment on its security; in addition, the logic of Bitcoin's determination of the longest chain is also quite simple and not prone to errors in implementation.

However, the disadvantages of PoW are also obvious: first of all, it consumes a lot of energy, which is also the most criticized point of PoW. For example, the National Development and Reform Commission intends to list virtual currency mining as an eliminated industry. Although some people argue that the current mining industry uses cheap electricity that is difficult to connect to the power grid for various reasons and will be wasted if not used, and that the consensus reached through PoW is worth the money, these arguments are still difficult to change the mainstream view that PoW mining wastes energy.

The second disadvantage is that the design of controlling the orphan block rate by PoW consensus to ensure security brings about high latency, slow confirmation speed and low throughput. In fact, this disadvantage can be alleviated to a certain extent by other PoW-based consensus protocols (such as the DAG-based GHOST protocol and the tree graph-based Conflux protocol, etc.), but the relevant technology still needs to be tested by practice and time.

Finally, there is the governance problem caused by the PoW consensus mechanism, especially when the interests of miners conflict with the interests of developers and users. The existing governance method is difficult to balance among the three, and the slightest inappropriate handling may lead to community division and public chain hard fork.

The biggest advantage of the PoS consensus based on proof of stake is that it almost perfectly solves all the shortcomings of the PoW consensus: first, PoS has a very low demand for energy consumption; second, the main bottleneck of PoS confirmation delay and throughput is network communication. There is no need to deliberately reduce the block speed and throughput like the PoW consensus that adopts the longest chain rule. Through reasonable design, the transaction confirmation speed and system throughput can be increased to a more ideal level; finally, since the PoS consensus (except DPoS) does not require miners who specialize in proof of work, there are only two roles: developers and users, so the governance of the community is relatively simpler.

On the other hand, PoS consensus has almost lost all the advantages of PoW consensus mentioned above.

In terms of security, the essence of PoS consensus requires that determining voting rights and exercising voting rights are separated from each other, so the same voting right can be used to generate two votes with different contents, and both votes appear to be legal individually. This directly leads to two attack methods that have never been seen in PoW consensus: "nothing-at-stake attack" and "long-range attack".

"No-stakes attack" refers to the problem that a voter can vote for both forked branches at the same time, thereby obtaining voting benefits on both branches; "Long-range attack" means that an attacker can obtain the voting rights of a vote that occurred some time ago by purchasing other users' private keys. If the assets corresponding to this voting right have already been transferred, then the cost for the attacker to purchase the corresponding private key will be much lower than the cost of actually holding the voting rights of the same share of assets.

In addition, because the voting rights are always determined before voting in the PoS consensus, and because of the communication volume limitation, only a part of users can be selected to participate in each round of voting, so attackers can also purchase targeted or block the voting rights that are about to take effect through DDoS and other methods, thereby obtaining voting rights far higher than their asset share in a specific round. This is the so-called bribing attack.

It can be said that the design process of each PoS consensus protocol is inevitably a process of fighting against the several attack methods mentioned above. For this reason, the PoS consensus protocol has to design various complex rules to detect or resist these attacks on the PoS mechanism, which directly leads to the fact that the PoS consensus mechanism is often more complicated and much more difficult to analyze and implement than the PoW consensus. Even so, the existing PoS and DPoS consensus (compared with the PoW consensus) also need to make some concessions in security and/or decentralization.

Is it right or wrong to switch from PoW to PoS?

From the comparison in the previous section, we can see that the PoS consensus has obvious improvements in efficiency, especially the speed of reaching consensus, compared with the PoW consensus. The disadvantages mainly lie in the more complex protocol design and analysis, as well as potential security risks (proxy PoS, namely DPoS, actually gives up part of the decentralization to reduce the complexity of the system and further improve the performance of the consensus protocol).

Ideally, PoS consensus can confirm a transaction in just two rounds of broadcasts, a speed that PoW consensus can never achieve. Because according to PoW consensus, to confirm a transaction, you must wait for the block containing the transaction to obtain majority computing power support, which means waiting for other miners to generate enough blocks. The time and number of broadcast rounds required are definitely much longer than the ideal PoS consensus. Although the actual PoS consensus may require more than two rounds of broadcasts, and the delay of each round of broadcasts may also be significantly higher than the PoW consensus network composed of professional miners, this cannot shake the advantages that PoS consensus has already shown in terms of confirmation speed and its higher upper limit.

In terms of throughput, the upper limit that PoS consensus can achieve is not significantly better than PoW consensus, and may even be slightly lower. However, due to its fast confirmation feature, the additional cost required for PoS consensus to obtain high throughput can be significantly lower than the existing PoW consensus protocol. For example, the PoW-based Conflux consensus protocol requires many improvements from theory to algorithm to achieve higher throughput while ensuring security similar to that of PoW using the longest chain rule; and the voting process, which takes the most time, is actually irrelevant to the block size in most PoS consensuses. The throughput can be increased to the limit of node processing capacity by simply expanding the block - the cost of doing so is to increase the confirmation time, so it should not be used excessively.

As for security, the disadvantages of the PoS consensus system are mainly more potential risks and the possibility of being attacked. The security of Bitcoin's consensus mechanism has been tested for a long time, and the security and reliability of mainstream PoW public chains such as Ethereum have also been proven by time, but no PoS public chain has been tested to the same level. The existence of various attack methods such as disinterested attacks, long-range attacks, and bribery attacks also makes it more difficult for people to believe in the security of PoS consensus - even if they can resist these attacks, who can guarantee that there are no other attacks that are not yet known to people?

The fact that voting rights and voting behavior are not bound together in the PoS consensus means that consensus participants can take much more actions than miners in PoW, which means that attackers have greater freedom and it is more difficult to analyze how other participants will act.

The security of many existing PoS consensuses relies on an "honest majority", but in reality it is difficult to find so-called "honest participants" who unconditionally execute the protocol. People in the real world are closer to the "rational people" discussed in economics and game theory - a rational good person will not do things that harm others and himself, but when there is a large enough profit drive, he may also do "bad things" that violate the consensus protocol.

Therefore, in addition to ensuring that a secure PoS consensus system is secure when most participants are honest, it must also ensure that every rational participant abides by the consensus protocol through the design of an incentive mechanism, rather than trying to obtain greater benefits by violating the protocol. This is called "incentive compatibility" in game theory. The existing mainstream PoW consensus is incentive compatible. For example, according to the rules of Bitcoin, only the producer of the block on the longest chain can get the mining reward, so miners will mine behind the longest chain according to the rules in order to get the reward. For the PoS consensus system, its own rules are already very complex, and the participants have a relatively large space for action. Therefore, it is naturally more difficult to deeply analyze the PoS consensus system and prove similar incentive compatibility.

From the above, we can see that the security shortcomings of PoS are actually more of a hidden danger rather than an unfixable loophole. It is possible to partially or even completely eliminate them through perfect design and precise analysis. In some appropriate scenarios, we can even get acceptable security by making sacrifices in other aspects. Therefore, the author believes that under the premise that the security of PoS consensus can meet the requirements of the application scenario, using PoS consensus instead of PoW consensus has more advantages than disadvantages.

In addition, the original PoW chain switching to PoS actually has an additional benefit, which is to avoid the problem of excessive concentration of tokens in the early stage of the release of the public chain with PoS consensus. Usually when a public chain project is first released, all tokens are in the hands of the development team and early investors, which brings the risk of the revenue generated on the chain and even the consensus of the entire chain being monopolized by a few people. Of course, because Ethereum has been operating under the PoW consensus for many years, its tokens have long been dispersed to a large number of users, and there is no problem of a few users who control a large number of tokens controlling the entire chain through the PoS consensus.

Finally, the author still believes that the current mainstream public chain needs to be cautious in switching from PoW to PoS. After all, there is no PoS consensus that is recognized as a safe alternative to the existing PoW. The rash use of a PoS consensus mechanism that has not yet been proven to be safe is likely to bring unnecessary risks to the entire consensus system, or even catastrophic consequences. The Ethereum community is obviously very aware of this, so since Vitalik Buterin first proposed the plan to switch to PoS consensus in December 2015, the PoS protocol designed for Ethereum upgrades has gone through repeated discussions and iterations of multiple versions, and has planned an upgrade route that first adopts Casper FFG with a PoW/PoS hybrid consensus, and then transitions to Casper CBC with a pure PoS consensus.

Here, we wish Ethereum's "pioneer" upgrade all the best, and that it can serve as a model for successful transformation and provide the entire blockchain community with more experience in using PoS consensus. Of course, even if Ethereum encounters some twists and turns during this upgrade, it will definitely contribute to everyone's better understanding and use of PoS consensus in another form.

Yang Guang

Yang Guang graduated from Tsinghua University Yao Class and received his Ph.D. in Computer Science from Tsinghua University Institute of Cross-Disciplinary Information Sciences. Before joining the Conflux team, he worked as a researcher at Aarhus University in Denmark, Institute of Computing Technology of the Chinese Academy of Sciences, and Bitmain. His research interests include cryptography, game theory, and blockchain. His doctoral thesis won the Outstanding Doctoral Dissertation Award of the Chinese Cryptography Society.