Editor's note: Recently, ETC suffered a 51% attack, and the security of PoW has been hotly debated. Ethereum founder Vitalik Buterin also said that this proves that the transition from PoW to PoS is the right choice. Odaily Planet Daily invited Fan Lei, an associate professor at Shanghai Jiao Tong University, to analyze why he thinks PoS may be the better choice. This article was first published in Odaily Planet Daily. The author is Fan Lei, associate professor at the School of Cyberspace Security of Shanghai Jiao Tong University and CTO of Fractal Platform. The original title is "Security and Development Direction of Blockchain Consensus Protocol".

Recently, an important attack occurred in the cryptocurrency field. On January 8, Ethereum Classic (ETC) suffered a 51% double-spending attack, which caused losses ranging from tens to millions of dollars depending on how they are calculated. This is the first time an attacker has successfully carried out a 51% hashrate attack against a top-ranked mainstream cryptocurrency. Beyond these measurable losses, the deeper security issues facing current cryptocurrencies deserve more attention.

1. What is a 51% hashrate attack?

At present, most cryptocurrencies, represented by Bitcoin, use a consensus protocol based on Proof of Work (PoW). Miners participating in Proof of Work generate new blocks through computation, which keeps the blockchain growing. Since the blockchain is a decentralized system, anyone can try to generate new blocks from any location. If the attacker has fewer computing resources than honest users, the fork generated by the attacker grows more slowly than the public blockchain, so it never becomes a longer fork that honest users accept.
However, if the attacker has more computing resources than honest users, the attacker's fork grows faster than the public blockchain, and the attacker can easily build a new, longer branch that replaces the longest public chain. See Figure 1 and Figure 2 for the specific process.

Figure 1. The attacker has less computing power
Figure 2. The attacker has superior computing power

A simple mathematical description of the attacker's advantage in computing resources is that the attacker holds more than 51% of the computing power, which is the origin of the name "51% computing power attack". When the attacker holds more than 51% of the computing resources, the attack is certain to succeed. In fact, an attacker with a sufficiently large share of computing resources, such as 40%, can carry out the fork attack with a relatively high probability if 6 blocks are used as the confirmation length.

Once a 51% attack succeeds, the longest chain is switched, and the consequence is that transaction data already confirmed in blocks may be erased. If the attack is deliberately constructed, the attacker can withdraw high-value transactions that were already confirmed, making that digital currency spendable again. This is what we commonly call a double-spending attack. Obviously, such an attack seriously undermines the security and credibility of cryptocurrencies.

2. Why was this attack successful?

Unlike general network security attacks, the 51% computing power attack is a well-known attack method, and nothing about the attacker's behavior or process this time was new. Generally speaking, the stronger the overall computing power of a PoW-based cryptocurrency system, the higher the cost of controlling 51% of it.
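As an added example that is not part of the article, the following Python code quantifies the "40% of the hashrate against a 6-block confirmation length" remark in section 1, using Nakamoto's catch-up estimate from the Bitcoin whitepaper (a Poisson model of the attacker's progress combined with the gambler's-ruin probability (q/p)^d). The function and parameter names are my own.

```python
"""Added example (not from the article): probability that a PoW attacker holding
a fraction q of the hashrate overturns z confirmations, per Nakamoto's estimate.
While honest nodes mine z blocks the attacker mines a Poisson(z*q/p) number of
blocks; from a deficit of d blocks the attacker catches up with probability
(q/p)^d, which is 1 whenever q >= p (the 51% case)."""
import math
from typing import Optional


def catch_up_probability(q: float, z: int) -> float:
    """Probability an attacker with hashrate share q overturns z confirmations."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of the total hashrate")
    p = 1.0 - q
    if q >= p or z <= 0:
        # Majority attacker, or no confirmations waited for: success is certain.
        return 1.0
    lam = z * q / p
    ratio = q / p
    term = math.exp(-lam)          # Poisson(k=0; lam), updated iteratively below
    honest_wins = 0.0
    for k in range(z + 1):
        if k > 0:
            term *= lam / k        # Poisson(k; lam) = Poisson(k-1; lam) * lam / k
        # Attacker mined k blocks while honest nodes mined z: still z-k behind,
        # and from there never catches up with probability 1 - ratio**(z-k).
        honest_wins += term * (1.0 - ratio ** (z - k))
    return 1.0 - honest_wins


def confirmations_needed(q: float, max_risk: float = 0.001,
                         limit: int = 10_000) -> Optional[int]:
    """Smallest z with catch_up_probability(q, z) < max_risk; None if q >= 0.5."""
    if q >= 0.5:
        return None
    for z in range(1, limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    # The article's scenario (q = 0.4, z = 6) beside smaller and majority shares.
    for q in (0.1, 0.3, 0.4, 0.51):
        print(f"q={q:.2f}  P(overturn 6 confirmations)={catch_up_probability(q, 6):.4f}"
              f"  confirmations for <0.1% risk: {confirmations_needed(q)}")
```

With q = 0.4 and z = 6 the catch-up probability is about 0.50, which is the "relatively high probability" the text refers to; at 51% it is exactly 1.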
Since most PoW algorithms share a similar core computing structure, computing power can easily be switched between different cryptocurrencies, and there are even computing power resources that can be conveniently rented by the hour. The website Crypto51 (https://www.crypto51.app/) tracks the cost of a 1-hour 51% attack on different digital currencies (excluding block rewards) and the proportion of the required computing power that can be rented from NiceHash. According to it, a 1-hour 51% attack on ETC costs only $5,116, and 80% of the computing power can be rented from NiceHash (this data changes continuously; visit the website for real-time figures). The possibility of such an attack cannot be ignored.

Another factor that cannot be ignored is that the PoW algorithm relies on a large amount of energy to drive mining. When the market value of a cryptocurrency is lower than the mining income, profit-driven mining machines will shut down and stop mining. This causes a sharp drop in the computing power of the entire network, which makes a 51% attack easier to achieve. The 51% attack on ETC took advantage of exactly this opportunity. For newly emerging PoW-based cryptocurrencies, the cost of attack is lower because the computing power of the entire network is lower. ETH is less likely to suffer a 51% attack than ETC: ETH and ETC use the same mining algorithm, but ETH's total network computing power is about 20 times that of ETC. Despite this, Ethereum's founder Vitalik still said after the attack that this incident proved his decision to switch from PoW to PoS was correct.

3. Is the PoW-based blockchain still safe?

There is no doubt that in the past 10 years, cryptocurrencies represented by Bitcoin have achieved great success, and their security has been verified by the actual operation of the network. Not only that, cryptographers have also theoretically proved the security of PoW-based blockchains.
People believe that mathematics is the cornerstone of blockchain security, the so-called "In Math We Trust". However, technological developments and research in recent years have shown that PoW-based blockchains also carry security risks.

1) The problem of concentrated computing power

In fact, in cryptocurrency systems such as Bitcoin, people have long been concerned about the concentration of computing power caused by super mining pools. Large mining pools, and pool alliances formed by stakeholders, may hold close to or even more than 51% of the computing power. We cannot say that these large computing power groups will launch a 51% attack on the system, but they at least have the ability to do so.

2) Black swan risk of computing power

Under current technical conditions, the computing power of cryptocurrencies depends on hardware computing speed and energy supply. An ever-present hidden danger is that a leap forward in computing power could pose a major threat to the security of the system. For example, because of the invention of fast algorithms or a change of chip technology, new computing resources may overwhelmingly exceed the original resources, in which case the security of the system would be completely destroyed.

The above analysis shows that the security of a PoW blockchain is not built on a mathematical foundation. Mathematics is only the glue between physical resources and the blockchain. Once the security assumption about physical resources fails, the security of the blockchain system is threatened. From a systemic perspective, PoW-based blockchains rely on computing power competition to select block producers, or bookkeepers. Computing power is a resource external to the blockchain ecosystem itself, and the amount of computing power a user can rent is not necessarily related to the assets or interests they hold on the chain.
Moreover, the emergence of computing power rental websites allows the right to use computing power to be transferred quickly. The interests of mining farm owners or mining machine manufacturers who own computing power are strongly bound to the security of the main chain, but this is not the case for those who rent computing power. The amount of computing power is the only factor in launching an attack. If strategies such as selfish mining are adopted, current public chains can be attacked, and double spending achieved, without even reaching 51% of the computing power. Therefore, in a PoW blockchain system, external attackers can threaten the existing value system of a digital currency simply by investing computing resources. Since existing PoW algorithms are highly homogeneous, a large amount of computing resources can be injected into the system without the knowledge of its users, and this process may not involve any existing user of any ecosystem at all. To borrow a line from "The Three-Body Problem": "I will destroy you, and it has nothing to do with you."

4. Do we have a better choice?

In recent years, more and more blockchain systems and distributed consensus protocols have been proposed. One important direction is consensus based on stake (Proof of Stake, PoS). PoS was originally proposed mainly to solve the energy consumption problem of PoW. The essential purpose of PoS and PoW is the same: both randomly select a node from the participating nodes of the blockchain network to keep accounts. The word "random" seems simple, meaning fairness, unpredictability, and freedom from control by malicious nodes, but it is actually difficult to achieve in a decentralized network, because there is no God to roll the dice.
The random principle of PoW is that the more computing power you have, the more likely you are to become the bookkeeper; the random principle of PoS is that the more stake you have, the more likely you are to become the bookkeeper. The two seem very similar, differing only in the "credentials" used for the election, but their designs and the attacks they face are very different.

PoS relies on stake to select bookkeepers. The stake held by those participating in the election is recorded on the blockchain, and a user's stake ratio is the proportion of the stake they hold to the total stake on the blockchain. A 51% attack on PoS requires holding 51% of the stake on the chain, and stake can only be obtained by purchasing it from existing users; it cannot be produced by investment outside the system. Therefore, the cost of launching a 51% attack on a PoS system equals the cost of purchasing the stake from the market.

Take ETC as an example. The total issuance of ETC is 107,514,088 ETC. If the consensus algorithm were PoS, a 51% attack would require 53,747,044 ETC, equivalent to a market value of about 229,542,578 US dollars. Under PoW, it only takes about 5,000 US dollars to rent the computing power. The comparison of the funds required for a 51% attack on PoS with the cost of a 1-hour 51% attack on PoW for other digital currencies is shown in the following table (data from Crypto51, https://www.crypto51.app/; the data changes in real time, and the figures below were taken at the time of writing).

Moreover, the more people who hold stake on the legitimate chain, the more inclined they are to maintain it. If stake is lent to an attacker, the lender's risk is much greater than when renting out computing power, so it is difficult for an attacker to obtain enough stake by renting. So in terms of 51% attacks, PoS has more advantages than PoW.
This is also an important reason why ETH has to evolve toward PoS consensus. In summary, compared to PoW, PoS has two major advantages. One is that it avoids wasting energy and reduces the cost for nodes participating in consensus. The other is that it raises the threshold for 51% attacks. In the current situation of concentrated computing power, PoS is safer than PoW.

However, just like emerging digital currencies with relatively small network computing power, digital currencies using PoS as the consensus algorithm are also vulnerable to 51% attacks in their initial stage. Because the total stake on the chain is small at the beginning, the funds required for a 51% attack are also relatively small. Therefore, it is necessary to strengthen security protection at the initial launch and prepare response strategies in advance.

5. Concerns and responses about the PoS consensus protocol

Compared to PoW, which has been successfully applied in many blockchain projects, the PoS consensus protocol has not yet been widely used, so many people have various concerns about it. Here we analyze the possible attacks on and weaknesses of PoS one by one.

1) PoS is a centralized system

At the beginning of research into PoS algorithms, many researchers naturally drew inspiration from distributed computing theory and cryptography. Byzantine Fault Tolerance (BFT) is the classic algorithm for reaching consensus in a distributed environment, so most proposed PoS consensus algorithms can be regarded as some variant of BFT. The advantage of BFT algorithms is a short confirmation delay in an ideal network environment, but their high communication complexity limits the number of nodes that can participate in consensus, so they cannot be used directly on a global public chain.
In systems such as EOS (DPoS) and Algorand, consensus is reached by selecting some representatives to run a Byzantine-style protocol, which gives people the subjective impression that PoS is a centralized protocol. In fact, current research has also proposed competitive PoS protocols similar to PoW, so there is no need to worry that PoS is a centralized system.

2) Cold start of new PoS chains is unsafe

One view is that since the consensus nodes of a PoS system are determined by tokens, and the system must have pre-distributed tokens before it can be cold-started, control of the PoS system belongs to a small number of early participants. These monopolists may act maliciously to obtain excess profits, and may even destroy the entire system to carry out double-spending attacks. In reality, these concerns do not hold, for the following reasons:

a) The current blockchain ecosystem is relatively mature. Before a new blockchain main chain goes online, it usually goes through multiple rounds of fundraising, so even the founding team cannot control too large a share of the tokens. A rational team will not pursue too much control over the shares either: only when the tokens are sufficiently decentralized can the system be secure.

b) In a PoS system, the rights and interests of token owners are fully reflected in the value of the token. This gives them a greater motivation to maintain the security of the system and therefore makes them less likely to act maliciously. In a PoW system, attackers can transfer hardware investments such as computing power to other blockchain systems after carrying out an attack for short-term gain, so they are more likely to act maliciously.

c) In the launch phase of a new blockchain, if the PoW protocol is used, external computing resources can flow into the system uncontrollably.
At this time, since the total computing power of the system is not high, attackers can complete an attack with fewer resources, so the cold start phase of a PoW blockchain is even less secure. In fact, apart from Bitcoin, Ethereum and other PoW blockchains that have already gathered a lot of computing power, every newly created blockchain faces this problem. The computing power competition brought about by the earlier BCH fork reflects the danger of starting a new chain. To avoid being attacked, centralized mining pools are often used to maintain early security, so the degree of centralization is higher than in PoS.

3) PoS wealth concentration is serious

In the discussion above, we analyzed that PoS blockchains often carry out an initial allocation of tokens in the launch phase. The initial tokens will indeed bring further investment returns as the blockchain grows, so some people worry that the rich will get richer and wealth will concentrate. We analyze this issue as follows:

a) Wealth concentration occurs in any economic system, and it is no more serious in a PoS system. Existing economic research shows that wealth concentration occurs even in the most equitable economic system. The "two-eight" (80/20) wealth distribution we often talk about is one manifestation of wealth concentration. The initial token distribution of a PoS system is more decentralized and transparent than the early equity distribution of most listed companies that have since become giants.

b) As long as a fair and transparent trading environment is provided, there is no need to worry about wealth concentration. If the token can circulate freely on the secondary market, it will naturally receive a fair market valuation.
If there is enough profit in it, the original investors will also sell; if the system's prospects are good, later investors will also buy rationally. Therefore, there is no need to worry that latecomers will be unable to buy, or that wealth will be completely concentrated. In fact, since participating in PoW mining requires a large investment in hardware and electricity, the cost for individual participants is far less than that for large mining pools, and when the currency market fluctuates, small miners are often the first to withdraw. Therefore, the concentration of wealth and computing power is more obvious in a PoW system.

4) PoS will suffer from Nothing-at-Stake attacks

Nothing-at-Stake means that in a PoS system, since attempting to generate a block does not consume significant hardware resources, attackers can disobey the protocol and try to generate new blocks after several different blocks. This gives a clear intuition that PoS systems are more prone to forks. However, a well-designed PoS system can fully resist the Nothing-at-Stake attack. In our paper [1], we proposed a new PoS protocol, iChing, a competitive consensus protocol similar to PoW. The paper gives a theoretical analysis of the Greedy Attack (an attack strategy based on Nothing-at-Stake). The results show that the attacker's greedy attempt to extend at every position in the chain does indeed benefit the attacker, but the benefit is not unbounded: if the attacker and the honest nodes hold the same proportion of stake, the growth rate of the attacker's chain reaches at most e times that of the honest chain (e is the mathematical constant, approximately 2.71828), so the malicious stake ratio that PoS can tolerate does not exceed 30% (see the paper for the calculation). In response to this situation, the paper proposed a counter-strategy.
Under a strategy that encourages honest nodes to be moderately greedy, the tolerable malicious stake ratio can exceed 43%. Therefore, Nothing-at-Stake is not an insurmountable attack.

5) PoS will suffer from Long-Range attacks

A Long-Range attack is an attack on a PoS system through long-term accumulation by the attacker. Its specific forms vary. The most direct Long-Range attack is for the attacker to collect or purchase a large number of stake accounts that were valid at some point in the past, and then start a fork from that earlier point in time. The paper [2] proposed a Long-Range attack strategy called the Stake-Bleeding attack, in which the attacker accumulates enough reward tokens through long-term secret fork mining and then launches a fork attack. The paper also classifies and summarizes Long-Range attack methods. Generally speaking, a Long-Range attack requires a long time to prepare and run before it can be carried out. Given this feature, Long-Range attacks can be avoided or eliminated by appropriate technical means, including setting up regular checkpoints. In fact, checkpoint technology is also often used in PoW blockchains to speed up verification. Therefore, Long-Range attacks do not pose a serious threat to real PoS blockchain systems.

6. Features that the next generation blockchain should meet

To support more practical applications, a blockchain not only needs to meet the basic requirements of security and decentralization, but also needs to solve problems such as low throughput and long confirmation times. Low throughput is mainly due to the traditional single-chain structure of the blockchain and network transmission delays. Therefore, the recently proposed DAG structures, transaction packaging methods, and transaction sharding methods are all studies aimed at improving blockchain throughput.
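Returning to the checkpoint defense against Long-Range attacks described under 5) above, the following Python fork-choice rule is an added illustration, not code from the article, from iChing, or from any real PoS client: a node only considers a longer competing chain if it agrees with every checkpoint the node has already locked in, so a fork rebuilt from an old point in history is rejected however long it has grown, while an ordinary short reorganization after the last checkpoint still follows the longest-chain rule. The block structure and all names are my own simplification.

```python
"""Added example: longest-chain fork choice with checkpoints (not the article's
code).  Blocks are a toy structure; the point is the rule, not the block format."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Block:
    height: int
    parent: str      # hash of the parent block ("" for genesis)
    payload: str     # stands in for transactions / producer identity

    @property
    def hash(self) -> str:
        data = f"{self.height}|{self.parent}|{self.payload}".encode()
        return hashlib.sha256(data).hexdigest()[:16]


def extend(chain: List[Block], payloads: List[str]) -> List[Block]:
    """Return a new chain continuing `chain` with one block per payload."""
    out = list(chain)
    for payload in payloads:
        out.append(Block(out[-1].height + 1, out[-1].hash, payload))
    return out


def checkpoint_conflict(chain: List[Block], checkpoints: Dict[int, str]) -> Optional[int]:
    """Height of the first checkpoint the chain contradicts, or None.

    A chain that has not yet reached a checkpoint height is not in conflict;
    a chain carrying a different block at that height is."""
    at_height = {b.height: b.hash for b in chain}
    for height in sorted(checkpoints):
        if height in at_height and at_height[height] != checkpoints[height]:
            return height
    return None


def choose_chain(current: List[Block], candidate: List[Block],
                 checkpoints: Dict[int, str]) -> List[Block]:
    """Plain longest-chain rule, except forks that cross a checkpoint are ignored."""
    if checkpoint_conflict(candidate, checkpoints) is not None:
        return current
    return candidate if len(candidate) > len(current) else current


def demo() -> dict:
    """Constructed scenario: honest chain of 10 blocks, checkpoint locked at height 5."""
    genesis = Block(0, "", "genesis")
    honest = extend([genesis], [f"honest-{i}" for i in range(1, 11)])
    checkpoints = {5: honest[5].hash}
    # Long-range fork: rebuilt from genesis with old stake and longer than the honest chain.
    long_range = extend([genesis], [f"attacker-{i}" for i in range(1, 13)])
    # Ordinary reorganization after the checkpoint: competing blocks at the tip.
    recent = extend(honest[:9], ["alt-9", "alt-10", "alt-11"])
    return {
        "long_range_rejected": choose_chain(honest, long_range, checkpoints) is honest,
        "long_range_conflict_height": checkpoint_conflict(long_range, checkpoints),
        "recent_fork_accepted": choose_chain(honest, recent, checkpoints) is recent,
    }
```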
Long confirmation time is a problem common to all competitive blockchain consensus algorithms. It can be improved by layering a fast confirmation protocol on top. We believe that the next generation of blockchain must have the following characteristics to truly support secure, efficient, and flexible applications:

1) Based on the PoS consensus algorithm, it avoids security dependence on external resources and eliminates the threat of attacks from outside the system.
2) Adhere to decentralized design and avoid entrusting consensus rights to a small number of nodes; otherwise it regresses to the existing centralized systems.
3) Sophisticated distributed data storage design avoids broadcasting and storing transaction data across the entire network, to support high-throughput applications.
4) Layer a high-speed confirmation algorithm on top to confirm normal transactions rapidly, to support quasi-real-time application scenarios.

References:
[1] Fan L, Zhou H S. iChing: A Scalable Proof-of-Stake Blockchain in the Open Setting. https://eprint.iacr.org/2017/656.pdf
[2] Gaži P, Kiayias A, Russell A. Stake-bleeding attacks on proof-of-stake blockchains. 2018 Crypto Valley Conference on Blockchain Technology (CVCBT). IEEE, 2018: 85-92