RE: Scaling, Decentralization, Security of Distributed Ledgers

in cryptocurrency •  6 years ago  (edited)

Ethereum’s Plasma (et al)

In addition to their design teams ostensibly not accepting that social consensus (including the paradigm of voting aka democracy) is not a Nash Equilibrium, the underlying flaw in the 3+ years of Ethereum’s attempts to scale such as for example in the (now deprecated?) Casper/Slasher proposal, has been (as I also explained) the inability to model liveness formally (combined with safety).

The more recent Plasma proposal’s August 11, 2017 “working draft” whitepaper (which allegedly recycles some of Peter Todd’s old Treechain proposal) also has a fundamental liveness flaw. Treechain was rejected because as Todd says, “Ultimately rejected as insecure. – fraud proofs are invalid and can hide large-scale financial fraud in small amounts of data.” An even more fundamental flaw is that fraud proofs do nothing to prevent 50+% collusion of the stake which can censor the fraud proofs. Oligarchy control over proof-of-stake is the norm¹ because there’s nothing-at-stake (i.e. no external resource irrevocably consumed) for the power-law distribution of wealth (cf. §References) which could enforce a Nash equilibrium of non-malevolent consensus. And alternatively, there’s nothing in the proposed designs which enables the minority of the stake to fork off from the malevolent majority.

There’s another flaw with fraud proofs which are designed to award the confiscated bond to the finder of the fraud. That is, there’s no way to fairly determine who found the fraud first. If the proof is sent unencrypted to the blockchain, then it can be intercepted and duplicated before confirmation of who was first. If it’s encrypted and then later the submitter reveals the decryption password after confirmation on the blockchain, then the cheater (whose bond is confiscated) can submit innumerable encrypted copies of the fraud proof and reveal the passwords when or if the others do.

Recursive zk-snarks or zk-starks are being proposed as a solution which is posited to eliminate the need for fraud proof challenges for asset transfers:

Currently at the proof of concept stage, Plasma Snapp aims to effectively remove much of the complexity of Plasma integration through the use of ‘zero-knowledge succinct non-interactive arguments of knowledge’ (‘zk-SNARKS’), removing the need for confirmation signatures and even exit challenge games.²

Vitalik has also recently elaborated on the use of zk-SNARKS in scaling, providing a proposal that wouldn’t require transacting parties to always be ‘online’. This makes progress in solving the data availability issues that would be present within current Plasma implementations, which is caused by their liveness assumptions regarding eventual consensus¹.

But it’s not yet known if or when they’ll be viable for general Turing-complete smart contracts.

Yet even eliminating the need for fraud proofs doesn’t solve a remaining liveness flaw when sufficient validating nodes (in a shard) become (intentionally) unresponsive. The only recourse is a mass exit from the shard, and the adversary repeating this can be the basis of a denial-of-service attack (with the adversary profiting perhaps by shorting the market price). Or analogously a safety/consistency flaw where (due to nothing-at-stake) a majority of validating nodes claim that other validating nodes are unresponsive thus ignoring conflicting transactions. Proof-of-work never ignores work because there’s a burnt economic cost of doing so.

Thus, such unresponsiveness can’t be deterministically penalized because it’s (in terms of what can be proven cryptographically³) indistinguishable from an attack where a majority of the validating nodes pretend the minority is unresponsive and cause the minority to forfeit their bonds. The threat of which forces all validating nodes into a colluding oligarchy in order to secure the promise of protection. But a promise is not trustless (aka trustproof), thus in actuality such a design lacks a (non-malevolent oligarchy) Nash equilibrium.

Tangentially note that the NOCUST – A Securely Scalable Commit-Chain’s §3.2.5 Disputes has the analogous underlying liveness flaw.

¹ I wrote in response to a blog:

[…] analyzing why Ethereum failed (other than as an ERC-20 ICO speculation FOMO engine) to displace the centralized Web 2.0, contrasted with Bitcoin successfully disintermediating traditional stores-of-value and permissionless payments:

So what happens when a low-value application [(e.g. dApp transactions)] is on the same platform as a high-value application [(e.g. power-law distributed wealth)]? Unless they both offer comparable economic value, the low-value application may be entirely priced out.

Correct. The controlling oligarchy (or miners or stakers) in extant […] distributed consensus ledger systems (including PoW, proof-of-stake (PoS), and DAGs) must have a greater profit incentive to provide a secure ordering than could be obtained by (e.g. shorting the market and) attacking the security with for example double-spends and/or transaction-fee tragedy-of-the-commons outcomes. Extant systems thus maximize the extraction from token owners’ wealth that said users can be fooled into participating in. FOMO and greater fool speculation pumps being an example extraction paradigm.

With that said, there have been a few categories of dapps which have provided enough economic value to survive. Most notably they are gambling, decentralized exchanges for on-chain tokens, prediction markets, ICOs, and collateral-backed loans. What they share is that people are willing to pay on par with baseline transaction fee for these workflows. (It is not a coincidence that they involve moving potentially large sums of money at once.) The problem, however, is that these are niche applications whose values are way out of line.

0x, one of the most popular dex protocols, has collected only $2000 in lifetime transaction fees despite having a market cap of $160M […] Augur, the most popular prediction market, has only $40k staked in predictions yet has a $170M market cap.

Indeed, the power-law distribution of wealth implies that only a small fraction of the tokens will transact. So transaction fees are a relatively smaller revenue stream (as compared to wealth-oriented return-on-investment, speculation, gambling, etc) even if dApps are eventually popular.

So extant PoS systems are doomed because the stakers have much more incentive to extract wealth from the participants than to promote transaction volume growth.

A flawed argument is there’s an incentive against malfeasance for all PoS systems because stakers should want growth of popular use-cases of the ledger. But given speculative demand trumped and so far exceeded non-speculative, non-wealth-based use-case demand, a greater incentive is to extract maximum wealth in the short-term, forsaking any long-term investment thesis (except for Bitcoin as a long-term HODL store-of-value wherein token price will rise enough to offset nominally but not faster than rise in transaction fees proportionally).

² A blog explains the “exit challenges” but is otherwise blind to the fundamental Plasma flaws.

³ The fundamental FLP theorem is at the generative essence of why such attacks are not deterministically provable in an inherently asynchronous network (i.e. regardless of whether the chosen consensus protocol is synchronous).
