A natural question is to ask why exactly this issue arises, and what can be done about it.
For Bitcoin and other permissionless Blockchain Systems, the central issue is “proof of work,” and it arises because of two factors: the rewards for mining, and worries about a form of DDoS vulnerability. In Bitcoin, the miner that creates a block of transactions and is able to place it in the Blockchain by computing a nonce value that will result in a SHA5 hash with the requisite number of zeros is paid for the effort: the block will “issue” a new coin to the miner, and the value of the coin combines a fee on the transactions it contains, plus a small additional reward for placing the block itself.
Because the cryptographic system used is not known to offer any computational shortcuts, computing the nonce is a brute-force task: a miner assembles a candidate next block and then tests nonce values until it finds one that results in a hash with the desired characteristic. At present there is no way to avoid the brute-force task of sifting through nonce values. Thus Bitcoin rewards computational power. The more powerful your mining center, in terms of hashes it can compute per second, the more money (coins) you earn.
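To make the brute-force character of the nonce search concrete, here is an added example; it is my illustration, not code from the post. It assumes SHA-256 as the hash function, a difficulty expressed as a number of leading zero bits, and a constructed byte string standing in for a block header. The second half goes a step beyond the text: it simulates repeated block races between two miners whose hash rates differ 3:1 and reports the share of blocks the faster one wins, which is the mechanism by which hash rate turns into income.

```python
import hashlib
import random

# Constructed stand-in for a block header (previous-block hash plus the
# transactions the miner chose); real headers are binary structures.
BLOCK_HEADER = b"prev=0000abcd|tx=alice->bob:5,bob->carol:2"

def block_hash(header: bytes, nonce: int) -> str:
    """SHA-256 (assumed here) over header || nonce, as a hex digest."""
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).hexdigest()

def meets_target(digest_hex: str, difficulty_bits: int) -> bool:
    """True when the digest has at least `difficulty_bits` leading zero bits."""
    return (int(digest_hex, 16) >> (256 - difficulty_bits)) == 0

def mine(header: bytes, difficulty_bits: int, start_nonce: int = 0,
         max_tries: int = 10_000_000):
    """Brute-force nonce search: each candidate costs exactly one hash, and
    nothing learned from a failed candidate helps with the next one.
    Returns (nonce, digest, attempts), or None if max_tries is exhausted."""
    nonce = start_nonce
    for attempts in range(1, max_tries + 1):
        digest = block_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, attempts
        nonce += 1
    return None

def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, however many the miner spent."""
    return meets_target(block_hash(header, nonce), difficulty_bits)

def expected_attempts(difficulty_bits: int) -> int:
    """Each hash succeeds with probability 2^-difficulty_bits, so the mean
    search length is 2^difficulty_bits."""
    return 2 ** difficulty_bits

def race(header: bytes, difficulty_bits: int, rate_a: int, rate_b: int, rng):
    """One block race between miners A and B. At each step the miner who
    hashes next is chosen in proportion to hash rate; the first to hit the
    target wins the block. Returns "A" or "B"."""
    nonce_a = rng.getrandbits(62)
    nonce_b = rng.getrandbits(62)
    while True:
        if rng.random() * (rate_a + rate_b) < rate_a:
            if meets_target(block_hash(header, nonce_a), difficulty_bits):
                return "A"
            nonce_a += 1
        else:
            if meets_target(block_hash(header, nonce_b), difficulty_bits):
                return "B"
            nonce_b += 1

def block_share(header: bytes, difficulty_bits: int, rate_a: int, rate_b: int,
                rounds: int = 200, seed: int = 1) -> float:
    """Fraction of `rounds` block races won by A (seeded, so reproducible)."""
    rng = random.Random(seed)
    wins_a = sum(race(header, difficulty_bits, rate_a, rate_b, rng) == "A"
                 for _ in range(rounds))
    return wins_a / rounds

if __name__ == "__main__":
    nonce, digest, attempts = mine(BLOCK_HEADER, 16)
    print(f"difficulty 16 bits: nonce={nonce} attempts={attempts} "
          f"(expected ~{expected_attempts(16)}) digest={digest}")
    print("share of blocks won by a miner with 3x the hash rate:",
          block_share(BLOCK_HEADER, 8, 3, 1))
```

Raising the difficulty by one bit doubles the expected number of hashes, while verification stays at a single hash; and the simulated share settles near 3/4, i.e. at the hash-rate ratio, which is exactly why nothing about the protocol itself limits how much of the block income a single well-equipped operator can collect.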
Could we imagine a Bitcoin or Blockchain protocol wired to locality, so that the right to create blocks could be fairly shared between miners in the USA, Canada, France, Russia, China, India, Uzbekistan, etc? Not really. Doing this would just incent global mining consortia that would run proxy computers in those countries, but would outsource the actual nonce computation back to the farms in China, allowing the existing mining cartel to preserve its monopoly on the income, and its power to attack the global Blockchain.
So why, exactly, did we need proof of work? The DDoS worry stems directly from the anonymity of Bitcoin: any computer that wishes to join the Bitcoin pool can do so just by downloading the proper software and attaching itself to the network, using a virtual “name” that isn’t tied to any physical computer address in a direct way. Thus one real computer could fork off hundreds of clones, and they could generate huge rates of transactions by just selling bubblegum to one another at preposterously high rates. Bitcoin is designed to discourage such behavior: first, the fees paid to log transactions make it expensive to generate huge numbers of them. And second, the intent of the hashing puzzle is to spread the odds of creating the next block broadly, “fairly.” Here we can see a flaw in the design: fairness breaks down, and once a cartel gains control of the show, most other properties of anonymity and non-fiat currency characteristics are out the window too.
Better, it seems to me, would be a permissioned model in which non-anonymized players (call them “banks”) maintain local ledgers. We would have a local ledger of transactions at Bank of America, another local one at the Bank of Russia, etc. Individual branches could have their own local sub-ledgers. I’m not proposing that these logs replicate all the transactions in the world. Just local logs, using hyperledger or a similar technology to record banking and business contracts and e-coin transactions.
Such a local ledger won’t need to be permissionless because a branch of the Alternatives Federal Credit Union knows perfectly well which machines play server roles. So we can use membership management protocols, and in fact are looking at a problem like the one solved by Corfu, or by Derecho in its persistent mode. Perhaps it would be wise to harden the solution against Byzantine attacks, also a solvable, classic problem.
Then we could create a protocol for banks to talk to one another, more or less SWIFT (the widely used standard interbank protocol) but enhanced to deal with inter-bank transfers. Here, I think we see an interesting distributed transaction problem: how would one specify the required properties? For example, if I ask Alternatives Federal Credit Union to purchase euros for me, then wire them to my sister-in-law in Belgium to pay my share of our house for the summer vacation rental, the money moves through a chain of perhaps six banks. Each wants to know that after a clearing delay (as short as possible: zero would be best) its own local log is finalized. We don’t want a lingering dependency period during which the ledger for the international branch of Chase Bank somehow can’t be audited for correctness without also auditing the one at Alternatives FCU in Ithaca.
But this seems solvable to me. We could then eliminate proof of work (banks do charge fees for transactions, so those will avoid DDoS scenarios, and there is no anonymity, so the fairness aspect is moot). We would simply have found a clean way to introduce Blockchain technology into standard banking, with or without cryptocurrency (honestly, I’m not a big believer in the stuff, but one can have Blockchain solutions for any kind of contract, and if you want to treat large numbers as commodities with value, who am I to stop you? In fact the earliest banks operated precisely that way: “... just present this unforgeable document to my brother in Milan, and he will give you two gold florins”). It would work just as well for crates of oranges, or contracts describing mortgage-backed securities.
Bottom line: my colleagues have shown that in effect, Bitcoin is currently a cartel, ultimately controlled by China. All that stuff about anonymity and fairness? Basically, a hoax, except that the end users do seem to be anonymous, hence Bitcoin remains very helpful for drug transactions, prostitution, money laundering, international weapons sales. Stuff like that, where real cash and credit is “awkward”. Tax evasion. Yet we can have Blockchain solutions without anonymity, and doing so allows high transaction rates, eliminates the monopoly data mining element, gets rid of the wasted power and cooling for all that SHA5 hashing, and if you want e-coins, you can have them too.
So it all comes down to the permissionless model, which in turn is ultimately a political statement by Satoshi Nakamoto, stemming from his distrust of fiat currencies and his views about global political structures. He favors anonymity as a kind of enabler for anarchy, and envisioned a new global political system fueled by a fiat-free currency. Yet his vision stumbles, we now see, on its substitution of computing power for political power, leaving China in control. I myself would prefer to just have a system that really works (I pay my taxes, and don’t engage in money laundering or Bitcoin barter for illicit stuff). If Bitcoin and anonymous Blockchain Systems are at risk of foreign domination and attack, I say: enough with this pretense of anonymity! Let’s just go with Blockchains!
Are there consensus algorithms for permissionless models that are provably cartel-resistant? Can that even be done?
Under reasonable assumptions I think the answer has to be no. I wrote a separate blog post on this last year. With consensus, rollback would never occur. But in the permissionless model, you cannot know how large the participant pool might be, so there is no way to talk about acknowledgment by a majority, or by every participating machine. Even a single machine with a secret but long chain (a block-mining superhero with magic nonce-finding powers) can trigger a rollback. So in that model, consensus is seemingly impossible.
Permissioned Blockchain poses no such problems, and can be built on a consensus protocol such as Paxos, by adding cryptographic signatures and linkage of the blocks (to agree in content and later, prevent tampering). So that has a robust theory and many practical tools available.
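As an added example of the "signatures and linkage" part of the reply above (my illustration, not code from the post or the comments), here is a minimal permissioned ledger with an audit routine of the kind the post wants for a bank's local log. It assumes a fixed membership table of known writers, and uses HMAC-SHA256 with per-member secrets as a stand-in for public-key signatures so that it runs on the standard library alone; a real deployment would use asymmetric signatures so that auditors hold no signing secrets. The consensus layer (Paxos) that orders the appends is deliberately left out; the example shows only what a verifier can detect once blocks are signed and hash-linked: an altered historical entry, a deleted block, and a block written by a non-member.

```python
import copy
import hashlib
import hmac
import json

# Constructed membership table for a permissioned ledger: every node that may
# write a block is known in advance, so there is nothing to be "fair" about.
# HMAC-SHA256 with a per-member secret stands in for a public-key signature
# (an assumption made so the example needs only the standard library).
MEMBERS = {"bank-a": b"constructed-secret-a", "bank-b": b"constructed-secret-b"}
GENESIS_HASH = "0" * 64

def canonical(obj: dict) -> bytes:
    """Deterministic encoding, so every node hashes and signs identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def block_id(block: dict) -> str:
    """A block's identity is the hash of all its fields, signature included;
    the next block commits to this value, which is what links the chain."""
    return hashlib.sha256(canonical(block)).hexdigest()

def sign(body: dict, signer: str, members=MEMBERS) -> str:
    """Member signature over the block body (HMAC as a stand-in, see above)."""
    return hmac.new(members[signer], canonical(body), hashlib.sha256).hexdigest()

def append_block(chain: list, entries: list, signer: str) -> dict:
    """Build a block over `entries`, link it to the chain tip, sign, append."""
    prev_hash = block_id(chain[-1]) if chain else GENESIS_HASH
    body = {"height": len(chain), "prev_hash": prev_hash,
            "entries": entries, "signer": signer}
    block = {**body, "sig": sign(body, signer)}
    chain.append(block)
    return block

def verify_chain(chain: list, members=MEMBERS):
    """Audit a ledger copy: every block must come from a known member, carry a
    valid signature over its body, link to the previous block's id, and sit at
    the expected height. Returns (ok, reason) with the first failure found."""
    prev_hash = GENESIS_HASH
    for i, block in enumerate(chain):
        body = {k: v for k, v in block.items() if k != "sig"}
        signer = block.get("signer")
        if signer not in members:
            return False, f"block {i}: unknown signer {signer!r}"
        if not hmac.compare_digest(sign(body, signer, members), block.get("sig", "")):
            return False, f"block {i}: bad signature"
        if block["prev_hash"] != prev_hash:
            return False, f"block {i}: broken link"
        if block["height"] != i:
            return False, f"block {i}: height mismatch"
        prev_hash = block_id(block)
    return True, "ok"

def build_sample_chain() -> list:
    """Three blocks of constructed interbank entries."""
    chain = []
    append_block(chain, [{"from": "alice", "to": "bob", "eur": 500}], "bank-a")
    append_block(chain, [{"from": "bob", "to": "carol", "eur": 120}], "bank-b")
    append_block(chain, [{"from": "carol", "to": "dave", "eur": 40}], "bank-a")
    return chain

def rewrite_amount(chain: list, index: int, new_amount: int) -> list:
    """Copy of the ledger in which one historical entry has been altered."""
    altered = copy.deepcopy(chain)
    altered[index]["entries"][0]["eur"] = new_amount
    return altered

def drop_block(chain: list, index: int) -> list:
    """Copy of the ledger with one block removed."""
    return chain[:index] + chain[index + 1:]

def append_unauthorized_block(chain: list, signer_name: str, entries: list) -> list:
    """Copy of the ledger with a block appended by a node outside the membership."""
    altered = copy.deepcopy(chain)
    body = {"height": len(altered), "prev_hash": block_id(altered[-1]),
            "entries": entries, "signer": signer_name}
    sig = hmac.new(b"non-member-key", canonical(body), hashlib.sha256).hexdigest()
    altered.append({**body, "sig": sig})
    return altered

if __name__ == "__main__":
    ledger = build_sample_chain()
    print("intact:", verify_chain(ledger))
    print("altered entry:", verify_chain(rewrite_amount(ledger, 0, 5000)))
    print("deleted block:", verify_chain(drop_block(ledger, 1)))
    print("non-member write:", verify_chain(
        append_unauthorized_block(ledger, "outsider", [{"from": "x", "to": "y", "eur": 1}])))
```

The audit is local in the sense the post asks for: it needs only this ledger and the membership table, not the ledgers of the other banks in a transfer chain. What it cannot do is choose between two validly signed, validly linked forks; that is the job of the consensus protocol ordering the appends, which is why the reply pairs signatures and linkage with Paxos rather than offering them as a replacement for it.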