# Ethereum 2.0: From PoW to PoS

Bitshares' delegated proof of stake (DPoS) presents another coherent philosophy, where everything once again flows from a single tenet, but one that can be described even more simply: shareholders vote.

➤ Cryptography is truly special in the 21st century because it is one of the very few remaining fields where adversarial conflict still mostly favors the defender. A castle is far easier to destroy than to build; an island is defensible but can still be attacked; yet an ordinary person's elliptic curve (ECC) keys are secure enough to resist even state-level intrusion.

➤ The "cypherpunk spirit" is not mere idealism; building a system that is easy to defend and hard to attack is also simply sound engineering.

➤ On medium to long time scales, humans are quite good at consensus. Even if an adversary had unlimited hashing power and could mount a 51% attack on any major blockchain, even rolling it back a month, convincing the community that the attack chain is legitimate is much harder than outrunning the main chain's hashpower. They would also need to tamper with many other information sources on the internet: block explorers, every trusted member of the community, the New York Times, http://archive.org, and so on.

➤ However, a blockchain secured by social consensus alone is far too inefficient, runs too slowly, and lets disagreements drag on endlessly too easily (however much one tries to prevent it, it has still happened); hence, in the short term, economic consensus plays an extremely important role in protecting the blockchain's liveness and safety.

➤ Because proof of work security can only come from block rewards (in Dominic Williams' terms, it lacks two of the three Es; translator's note: Entry cost, Exist cost, Exit penalty), and miners' incentives come only from the risk of losing their block rewards, the operating logic of proof of work is: massive hashpower brought into existence by massive rewards.

➤ Proof of stake (PoS) no longer relies on rewards for network security; instead it breaks this symmetry with penalties. Validators who stake funds (deposits) receive a small reward as compensation for locking up capital, maintaining nodes, and taking extra care with the safety of their private keys, but the penalty for reverting transactions is hundreds or thousands of times the rewards earned over the same period. The "one-sentence philosophy" of proof of stake is therefore not "burn energy to gain security" but rather "raise the economic value at loss to gain security".

➤ Theoretically, a majority collusion of validators could take over a proof of stake chain and start acting maliciously. However, (i) through clever protocol design, their ability to profit from such manipulation can be limited as much as possible, and more importantly, (ii) if they try to prevent new validators from joining, or execute a 51% attack, the community can simply coordinate a hard fork and delete the offending validators' deposits.

➤ The above should not be taken to mean that unscheduled hard forks will become a regular occurrence; if necessary, the cost of a single 51% attack on PoS can be set as high as the cost of a permanent 51% attack on PoW. Such an enormous cost, together with the ineffectiveness of the attack, should ensure that in practice nobody attempts it.

➤ Economics is not a panacea. Some individuals may act on extra-protocol motives: their computers may be hacked, they may be kidnapped, or they may simply get drunk one day and decide to wreck the blockchain regardless of the cost.

➤ Hence, the best protocols are those that keep working under a wide variety of models and assumptions: economic rationality with coordinated choice, economic rationality with individual choice, simple fault tolerance, Byzantine fault tolerance (ideally both the adaptive and non-adaptive adversary variants), Ariely/Kahneman-inspired behavioral economic models ("we all cheat just a little"), and ideally any other model that is both realistic and practical to reason about.

➤ Consensus protocols that run as fast as possible carry risks and must be approached very carefully, because if speed is tied to incentives, the combination will reward very high, systemic-risk-inducing levels of network-level centralization (for example, all validators running with the same hosting provider). Some consensus protocols do not have these concerns: they do not care how fast validators send messages, as long as they do so within an acceptable time interval (4-8 seconds; empirically we know that latency in Ethereum is usually 500 ms to 1 s).

Systems like Ethereum (and Bitcoin, and NXT, and Bitshares, etc) are a fundamentally new class of cryptoeconomic organisms — decentralized, jurisdictionless entities that exist entirely in cyberspace, maintained by a combination of cryptography, economics and social consensus. They are kind of like BitTorrent, but they are also not like BitTorrent, as BitTorrent has no concept of state — a distinction that turns out to be crucially important. They are sometimes described as decentralized autonomous corporations, but they are also not quite corporations — you can’t hard fork Microsoft. They are kind of like open source software projects, but they are not quite that either — you can fork a blockchain, but not quite as easily as you can fork OpenOffice.

These cryptoeconomic networks come in many flavors — ASIC-based PoW, GPU-based PoW, naive PoS, delegated PoS, hopefully soon Casper PoS — and each of these flavors inevitably comes with its own underlying philosophy. One well-known example is the maximalist vision of proof of work, where “the” correct blockchain, singular, is defined as the chain that miners have burned the largest amount of economic capital to create. Originally a mere in-protocol fork choice rule, this mechanism has in many cases been elevated to a sacred tenet — see this Twitter discussion between myself and Chris DeRose for an example of someone seriously trying to defend the idea in a pure form, even in the face of hash-algorithm-changing protocol hard forks. Bitshares’ delegated proof of stake presents another coherent philosophy, where everything once again flows from a single tenet, but one that can be described even more simply: shareholders vote.

Each of these philosophies (Nakamoto consensus, social consensus, shareholder voting consensus) leads to its own set of conclusions and to a system of values that makes quite a bit of sense when viewed on its own terms — though they can certainly be criticized when compared against each other. Casper consensus has a philosophical underpinning too, though one that has so far not been as succinctly articulated.

Myself, Vlad, Dominic, Jae and others all have their own views on why proof of stake protocols exist and how to design them, but here I intend to explain where I personally am coming from.

I’ll proceed to listing observations and then conclusions directly.

Cryptography is truly special in the 21st century because cryptography is one of the very few fields where adversarial conflict continues to heavily favor the defender. Castles are far easier to destroy than build, islands are defendable but can still be attacked, but an average person’s ECC keys are secure enough to resist even state-level actors. Cypherpunk philosophy is fundamentally about leveraging this precious asymmetry to create a world that better preserves the autonomy of the individual, and cryptoeconomics is to some extent an extension of that, except this time protecting the safety and liveness of complex systems of coordination and collaboration, rather than simply the integrity and confidentiality of private messages. Systems that consider themselves ideological heirs to the cypherpunk spirit should maintain this basic property, and be much more expensive to destroy or disrupt than they are to use and maintain.

The “cypherpunk spirit” isn’t just about idealism; making systems that are easier to defend than they are to attack is also simply sound engineering.

On medium to long time scales, humans are quite good at consensus. Even if an adversary had access to unlimited hashing power, and came out with a 51% attack of any major blockchain that reverted even the last month of history, convincing the community that this chain is legitimate is much harder than just outrunning the main chain’s hashpower. They would need to subvert block explorers, every trusted member in the community, the New York Times, archive.org, and many other sources on the internet; all in all, convincing the world that the new attack chain is the one that came first in the information technology-dense 21st century is about as hard as convincing the world that the US moon landings never happened. These social considerations are what ultimately protect any blockchain in the long term, regardless of whether or not the blockchain’s community admits it (note that Bitcoin Core does admit this primacy of the social layer).

However, a blockchain protected by social consensus alone would be far too inefficient and slow, and too easy for disagreements to continue without end (though despite all difficulties, it has happened); hence, economic consensus serves an extremely important role in protecting liveness and safety properties in the short term.

Because proof of work security can only come from block rewards (in Dominic Williams’ terms, it lacks two of the three Es), and incentives to miners can only come from the risk of them losing their future block rewards, proof of work necessarily operates on a logic of massive power incentivized into existence by massive rewards. Recovery from attacks in PoW is very hard: the first time it happens, you can hard fork to change the PoW and thereby render the attacker’s ASICs useless, but the second time you no longer have that option, and so the attacker can attack again and again. Hence, the size of the mining network has to be so large that attacks are inconceivable. Attackers of size less than X are discouraged from appearing by having the network constantly spend X every single day. I reject this logic because (i) it kills trees, and (ii) it fails to realize the cypherpunk spirit — cost of attack and cost of defense are at a 1:1 ratio, so there is no defender’s advantage.

Proof of stake breaks this symmetry by relying not on rewards for security, but rather penalties. Validators put money (“deposits”) at stake, are rewarded slightly to compensate them for locking up their capital and maintaining nodes and taking extra precaution to ensure their private key safety, but the bulk of the cost of reverting transactions comes from penalties that are hundreds or thousands of times larger than the rewards that they got in the meantime. The “one-sentence philosophy” of proof of stake is thus not “security comes from burning energy”, but rather “security comes from putting up economic value-at-loss”. A given block or state has $X security if you can prove that achieving an equal level of finalization for any conflicting block or state cannot be accomplished unless malicious nodes complicit in an attempt to make the switch pay $X worth of in-protocol penalties.
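A small model of the value-at-loss definition above, added here as an illustration and not code from the original post. It assumes a Casper-FFG-style rule (not spelled out on this page) in which a checkpoint is finalized once validators holding at least 2/3 of all deposits vote for it, so two conflicting finalized checkpoints force at least 1/3 of the stake to have voted twice and be slashed; the validator deposits and the 5% annual reward rate are constructed for the example.

```python
from fractions import Fraction

# Constructed validator set (name -> deposit in ETH); values are made up for the example.
DEPOSITS = {"v1": 300, "v2": 250, "v3": 200, "v4": 150, "v5": 100}
TOTAL = sum(DEPOSITS.values())
# Assumption: a Casper-FFG-style rule where a checkpoint is finalized once
# validators holding >= 2/3 of all deposits have voted for it.
THRESHOLD = Fraction(2, 3)

def stake(voters):
    """Total deposits held by a set of validator names."""
    return sum(DEPOSITS[v] for v in voters)

def finalized(voters):
    """True if this vote set crosses the 2/3 deposit threshold."""
    return Fraction(stake(voters), TOTAL) >= THRESHOLD

def value_at_loss(votes_a, votes_b):
    """Deposits that must be slashed for two conflicting checkpoints A and B to
    both be finalized. Any validator appearing in both sets voted twice
    (equivocated) and forfeits its whole deposit. Returns 0 if the two sets do
    not both finalize, since then there is no conflict and nothing is slashable."""
    if not (finalized(votes_a) and finalized(votes_b)):
        return 0
    equivocators = set(votes_a) & set(votes_b)
    slashed = stake(equivocators)
    # Pigeonhole: two sets each holding >= 2/3 of the stake overlap in >= 1/3 of it,
    # so a conflicting finalization always puts at least TOTAL/3 at loss.
    assert Fraction(slashed, TOTAL) >= Fraction(1, 3)
    return slashed

def reward_earned(deposit, annual_rate, days):
    """Staking reward a deposit collects over `days` at a flat annual rate (assumed model)."""
    return Fraction(deposit) * annual_rate * Fraction(days, 365)

def penalty_to_reward_ratio(votes_a, votes_b, annual_rate, days):
    """How many times larger the slashing penalty is than the rewards the
    equivocating validators collected in the meantime."""
    slashed = value_at_loss(votes_a, votes_b)
    if slashed == 0:
        return Fraction(0)
    return Fraction(slashed) / reward_earned(slashed, annual_rate, days)

if __name__ == "__main__":
    a = {"v1", "v2", "v3"}          # 750 of 1000 -> finalized
    b = {"v2", "v3", "v4", "v5"}    # 700 of 1000 -> also finalized, conflicts with A
    print("value at loss:", value_at_loss(a, b))                       # 450
    print("penalty/reward over 30 days at 5%:",
          float(penalty_to_reward_ratio(a, b, Fraction(5, 100), 30)))  # ~243
```

With the constructed numbers, 450 ETH of the 1000 ETH total must be slashed, roughly 243 times the rewards those validators collected over the preceding month, which is the "hundreds or thousands of times" asymmetry the paragraph describes.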

Theoretically, a majority collusion of validators may take over a proof of stake chain, and start acting maliciously. However, (i) through clever protocol design, their ability to earn extra profits through such manipulation can be limited as much as possible, and more importantly (ii) if they try to prevent new validators from joining, or execute 51% attacks, then the community can simply coordinate a hard fork and delete the offending validators’ deposits. A successful attack may cost $50 million, but the process of cleaning up the consequences will not be that much more onerous than the geth/parity consensus failure of 2016.11.25. Two days later, the blockchain and community are back on track, attackers are $50 million poorer, and the rest of the community is likely richer since the attack will have caused the value of the token to go up due to the ensuing supply crunch. That’s attack/defense asymmetry for you.

The above should not be taken to mean that unscheduled hard forks will become a regular occurrence; if desired, the cost of a single 51% attack on proof of stake can certainly be set to be as high as the cost of a permanent 51% attack on proof of work, and the sheer cost and ineffectiveness of an attack should ensure that it is almost never attempted in practice.

Economics is not everything. Individual actors may be motivated by extra-protocol motives, they may get hacked, they may get kidnapped, or they may simply get drunk and decide to wreck the blockchain one day and to hell with the cost. Furthermore, on the bright side, individuals’ moral forbearances and communication inefficiencies will often raise the cost of an attack to levels much higher than the nominal protocol-defined value-at-loss. This is an advantage that we cannot rely on, but at the same time it is an advantage that we should not needlessly throw away.

Hence, the best protocols are protocols that work well under a variety of models and assumptions — economic rationality with coordinated choice, economic rationality with individual choice, simple fault tolerance, Byzantine fault tolerance (ideally both the adaptive and non-adaptive adversary variants), Ariely/Kahneman-inspired behavioral economic models (“we all cheat just a little”) and ideally any other model that’s realistic and practical to reason about. It is important to have both layers of defense: economic incentives to discourage centralized cartels from acting anti-socially, and anti-centralization incentives to discourage cartels from forming in the first place.

Consensus protocols that work as-fast-as-possible have risks and should be approached very carefully if at all, because if the possibility to be very fast is tied to incentives to do so, the combination will reward very high and systemic-risk-inducing levels of network-level centralization (eg. all validators running from the same hosting provider). Consensus protocols that don’t care too much how fast a validator sends a message, as long as they do so within some acceptably long time interval (eg. 4–8 seconds, as we empirically know that latency in ethereum is usually ~500ms-1s) do not have these concerns. A possible middle ground is creating protocols that can work very quickly, but where mechanics similar to Ethereum’s uncle mechanism ensure that the marginal reward for a node increasing its degree of network connectivity beyond some easily attainable point is fairly low.

From here, there are of course many details and many ways to diverge on the details, but the above are the core principles that at least my version of Casper is based on. From here, we can certainly debate tradeoffs between competing values. Do we give ETH a 1% annual issuance rate and get a $50 million cost of forcing a remedial hard fork, or a zero annual issuance rate and get a $5 million cost of forcing a remedial hard fork? When do we increase a protocol’s security under the economic model in exchange for decreasing its security under a fault tolerance model? Do we care more about having a predictable level of security or a predictable level of issuance? These are all questions for another post, and the various ways of implementing the different tradeoffs between these values are questions for yet more posts. But we’ll get to it 😃
