This is why we use the term General Grievous Attack at Saito to describe the hardest variant of the 51% attack to solve — the version where the bad guys just ignore the good guys, refusing to relay their messages or even include any transactions forwarded by them that might trigger routing payouts to other nodes.

This makes the attack impossible to punish in proof-of-work and proof-of-stake mechanisms under majoritarian conditions. Our attackers are not producing fewer blocks after the attack than before. They are not processing fewer fees. And they are still producing blocks faster than their honest counterparts while controlling all the “votes” that determine who gets paid — so how can it be less profitable for them to produce blocks?

In this blog post, we’ll show how “routing work” solves the General Grievous Attack. And in the spirit of generosity, we’ll do it while giving our attackers a formidable 75% of all first-hop routing work, 100% of network hashpower and 100% of the ATR payout. Other consensus mechanisms have long since collapsed. But routing work continues to function.

To see how, assume our blockchain processes 100 USD in fees per block. Our pre-attack payouts are as follows:

The mining payout consumes its reward in energy costs, making the attacker’s pre-attack income 62.5 USD:

Right away, we can see why cooperating with honest nodes is beneficial to the attacker. Were our attacker to produce a chain with only the transaction fees they are collecting, they would lose 25% of their 75 USD in mining costs and earn only 56.25 USD. But their results are even worse under the General Grievous Attack. Consider the changes:

Post-attack income is consequently:

Attackers have gone from earning 62.5 USD per block to somewhere between 31.25 USD and 56.25 USD. Not only is attacking irrational, but it is even provably costly in any network where infrastructure providers pay competitive rates for inbound fee-flow. And any rational users can increase this cost-of-attack further simply by withholding their transaction flow, or sending it to another node.

Advanced Commentary on Asymmetricality

Our attacker blockchain will eventually settle into a lower-fee equilibrium. Once enough golden tickets go unsolved (burning the routing payout for good) mining difficulty will drop. And as censored transactions join the ATR loop, their fees will help buffer some of the collapse in fee-throughput. But losses are suffered during the transition, and bourn by the attacker who proposes the blocks during this period.

Cost-of-Attack can be increased further by having consensus observe and punish any drop in new fee throughput, expansion in the set of UTXO subject to rebroadcasting, or any sharp increase in aggregate routing work by simply burning a portion of the fees collected during this period before payouts are calculated. This conditional-burning is a second type of asymmetrical tax, as it does not affect honest block producers cooperating in equilibrium.

The symmetrical attacks of proof-of-work and proof-of-stake vanish. We transcend them by shifting away from “voting systems” where any majority can impose costs on any minority and towards an efficiency tax powered by a fee-unlock “flywheel” that punishes nodes who push the network into a less efficient state. All nodes will rationally spin up the flywheel if they have access to third-party fees. More fees means more blocks for them and greater profits. And all honest nodes will accept these blocks as any efficiency gain elsewhere in the network increases their own profitability.

But attackers? Because attackers are deliberately orphaning efficiently-produced work, they must either spend and burn their own money to maintain the network in a state of artificial efficiency (burning their own money to avoid greater losses) or accept the cost of slowing the flywheel by letting it consign a quantifiable amount of the fees they are contributing to oblivion.

In this way, routing work achieves a quantifiable and asymmetrical cost-of-attack that punishes attackers without introducing symmetrical attack vectors on honest minority nodes. Problems unsolvable in the old system melt away in the new paradigm. When General Grievous threaten to abandon ship, the best strategic move is simply to let them go.

The post The General Grievous Attack appeared first on Saito.

The paper is deliberately short (2 pages) both in a nod to Paul Samuelson’s similar 1954 paper on public goods provision, and because brevity makes the material easier for non-economists to understand.

Feedback and suggestions are welcome. I’d be interested to learn from anyone more current on public choice theory if we have any non-blockchain examples of mechanisms that evade Samuelson and Hurwicz’s impossibility conjectures by inducing competition for collection of a private payment. My suspicion is that what we have is indeed new, as prior to the invention of self-provisioning ledgers all communications channels would require a trusted third party to provision, and private provision removes non-excludability.

For computer scientists wandering into fee-optimization problems, I hope the paper helps understand how economics models this class of optimization problem. It is surprising how few people in distributed systems cite the work of Paul Samuelson and Leonid Hurwicz. This is particularly surprising given that Hurwicz invented the term “incentive compatibility“, authored a seminal paper on “informational decentralization” and won a Nobel Prize for mechanism design theory.

In this specific case, a lack of familiarity with their work can lead to fundamental analytic errors:

• forgetting that the token is a fungible form of value, which means that we cannot have an “optimal” transaction fee unless the user cannot get more utility from spending the same fee on other goods or services.
• not understanding that pareto optimality is a prerequisite for an incentive compatible and collusion-proof mechanism: if any subset of parties can costlessly improve their utility without making others worse off then that same group can always increase their utility by following a byzantine strategy.
• failing to differentiate between forms of collusion that lead to sub-optimal outcomes and forms of price negotiation which create optimal outcomes, which in turn indicates lack of awareness of optimal and sub-optimal market structures and collective action problems.
• incorrectly assuming that global pareto optimality (“Global SCP”) is harder to achieve than incentive compatibility (“1-SCP”), an error that seems to step from the idea it must be harder to coordinate an optimal outcome if there are more participants involved, whereas it is easier to achieve pareto optimality globally since it is a necessary but not sufficient condition for incentive compatibility, which is what is needed to make collusion irrational.

On a closing note, I believe it follows fairly directly from the work presented here that the ability of users to collude with block producers in ways that are socially sub-optimal depends on the ability of the block producer to increase their profits from another source: either free-riding on an inflationary block reward or on the unreciprocated and irrational willingness of peers to propagate unconfirmed transactions. It is possible that no mechanism with an inflationary block reward can ever be secure against collusion, as it cannot be secure against free-riding.

With luck, the issues with the way computer scientists are framing and analysing these economic problems in blockchain will self-correct as more people become aware of how powerful economic frameworks and tools are for analyzing these mechanism design problems.

The post Socially Optimal Transaction Fee Mechanism Design appeared first on Saito.

1. a majoritarian voting system, which creates
2. an economic penalty on minority opinion, which creates
3. a self-reinforcing incentive to side with the majority

Keynes intended his contest as an analogy for the stock market, but it equally describes Nakamoto Consensus, where consensus around the longest-chain also emerges through a voting mechanism that punishes anyone who disagrees with majority opinion.

Despite the obvious parallels, few academics working on “cryptoeconomics” have read Keynes, or other economists like Mancur Olson who focus explicitly on incentivizing collective action. Instead, computer scientists focus overwhelmingly on building distributed voting mechanisms.

This intellectual bias has led computer science to approach consensus as a problem that requires voting. The blindness to other approaches starts with the way academics conceptualize the problems – consider the way the Byzantine Generals Problem is invariably described with the assumption that participants must honestly or dishonestly signal their preferred courses of action. They vote and only then do they act.

This drift away from incentives towards voting mechanisms is a major intellectual hurdle in distributed systems development, because as soon as we create voting mechanisms we automatically create majoritarian attacks on them. But isn’t our goal is to avoid incentivizing collusion? Deciding how to distribute money based on majority opinion is not a workable approach.

And this is why understanding the Keynesian Beauty Contest matters. Because knowing that Satoshi designed Bitcoin as a beauty contest mechanism allows us to ask a simple question: why bother with the first step at all? Why add a voting mechanism? Why not look for a way to impose a cost-of-attack guarantee on malicious nodes that punishes attackers regardless of whether they control majority opinion?

Few people in distributed systems conceptualize the challenge this way, not trivially because many consider it an impossible problem, but there are already formally-proven methods of accomplishing exactly this. In our case, Saito Consensus does it by using “routing work” to increase the cost of producing blocks that orphan honest blocks, while also decreasing the amount of revenue attackers can earn from producing those blocks. Because of the way the payout mechanism works, attacking a routing work mechanism always costs money. Incentives impose a cost-of-attack directly of indirectly via a gameable voting mechanism.

By delivering what actually matters (the penalty and its results) without the need for a voting mechanism, routing work gives us all the benefits of the incentive structure in the Keynesian beauty contest (a self-reinforcing emergent consensus and natural incentive to cooperate) without adding the crippling majoritarian attacks. It gives us the properties that matter for distributed consensus without the technical vulnerabilities that come from adding majoritarian voting.

It will be interesting to see how long it takes computer science as a discipline to throw off its intellectual shackles. Until that happens governance will continue to add attack vectors into distributed systems. And the solution to those problems will doubtless be yet more governance. This circularity is a problem with using voting mechanisms, but not a fundamental feature of consensus design. We can do better. And in order to solve the fundamental problems we have to.

The post Nakamoto Consensus is a Keynesian Beauty Contest appeared first on Saito.

The advance is possible in mechanisms where attackers must expend a costly resource (“work”) to participate in consensus. Under these conditions, a malicious majority can be tolerated if the consensus mechanism can asymmetrically strip attackers of “work” over time and restore honest participants to majority status.

Asymmetrically punishing attackers is accomplished by taxing the only activity attackers perform which honest nodes do not: the orphaning of work from other participants. There is a precedent for this type of tax in Bitcoin, but the penalty fails under majoritarian assault. Securing a consensus mechanism beyond that requires making work-orphaning expensive even in situations where attackers produce all of the blocks on the longest-chain.

Framing the problem this way makes it clear why proof-of-work and proof-of-stake blockchains cannot solve it. In those mechanisms, the cost of orphaning work is identical to the cost of proposing blocks once attackers can propose a majority of blocks. When attackers spend resources to push the chain into stasis, the honest network is forced to spend an equivalent amount to resolve the deadlock. Honest nodes face symmetrical losses which prevents their recovering majority status.

The theoretical solution that improves security involves migrating the “work” used to produce blocks into the transactions that constitute them. Attackers may still produce blocks that route around those proposed by honest nodes, but the newly-orphaned transactions can be shifted costlessly into a new block and deposited at the tip of the attacker’s chain to resolve the deadlock. Preventing this requires a more aggressive form of work-orphaning: attackers must move the work-bearing transactions into their own chain. This form of orphaning-by-inclusion is profitable in proof-of-work and proof-of-stake designs but can be made quantifiably costly in others.

Routing work — the addition of cryptographic routing signatures to transactions — is the first known strategy that accomplishes it, modulating down the value of transactions for producing blocks as well as the expected payout from their inclusion. With a sufficiently high per-hop decay (50% or greater) attackers who orphan-by-inclusion face an expected loss from doing so, even if they produce all of the blocks in the blockchain. A properly designed mechanism not only exposes attackers to this cost, but forces them to pay it in a way that reduces their ability to generate work and participate in consensus.

The post Tolerating Malicious Majorities – Advances in Distributed Consensus appeared first on Saito.

We start with two straightforward claims:

proposition #1
nodes that use public routing work to produce blocks are disincentivized from delaying the production of those blocks, as that strictly reduces expected income.

proposition #2:
all participants are incentivized to share transactions publicly to induce direct competition between peers under proposition #1 and thereby secure the fastest confirmations for the lowest fee.

These claims can be formally proven but should be self-evident to anyone familiar with Saito Consensus. Under them, adding unnecessary routing hops to transactions is a strictly inferior strategy unless attackers compensate for the fall in the final-hop value of their transactions by adding their own fee-bearing transactions.

On The Irrationality of Self-Generated Routing Work

All sybil-attacks necessarily involve transactions where the attacker does not occupy the first-hop in the transaction path. This is trivially true: attackers cannot increase their payout by adding hops to transactions where they already have 100% of the claims on payout.

The irrationality of sybilling second-hop transactions can be proven by examining what happens when an attacker sybils a block with only one transaction, such as the following block produced by NODE B that contains 50 units of final-hop routing work.

With 100 SAITO in total fees and fifty-percent of those burned in the costly lottery, only 50 SAITO are available for the routing payout in this block. As transaction #1 is the only transaction that exists it has a 100% chance of selection in the payment lottery and NODE A has 2/3 and NODE B has 1/3 of the expected routing payout. We can easily calculate their expected income as 33.3 SAITO and 16.6 SAITO respectively.

The sybil attack we are concerned with involves NODE B adding an additional hop (“self-cloning”) to transaction #1 to increase its share of that transaction’s overall routing payout, while simultaneously creating the smallest fee-paying transaction needed to keep its final-hop routing work constant at 50 SAITO as per proposition #1.

This gives us the following attack block:

With 125 SAITO in total fees there are now 62.5 SAITO available for the routing payout. Our golden ticket mechanism will select the first transaction with ( 100 / 125 ) probability and the second with (25 / 125 ) probability. NODE A has ( 100 / 175 ) chance of winning if the first transaction is selected and ( 0 / 25 ) if the second transaction is selected.  NODE B has ( 75 / 175 ) chance of winning if the first transaction is selected and ( 25 / 25 ) if the second transaction is selected.  NODE B must finally deduct the 25 SAITO it has contributed to the block (that it spent to sybil) from its profits. Its expected income is now:

NODE A = 62.5 * (( 100 / 175 ) * 0.8 ) + ( 62.5 * (( 0 / 25 ) * 0.2 )) = 28.57 SAITO
NODE B = 62.5 * (( 75 / 175 ) * 0.8 )) + ( 62.5 * (( 25 / 25 ) * 0.2 )) – 25 = 8.92 SAITO

The attacker has decreased their expected income from 16.6 SAITO to 8.92 SAITO. It is easy to demonstrate that losses accelerate as the attacker adds more routing hops to transaction #1.

An Intuitive Understanding of Sybil-Proofing

Something fascinating happens when an attacker sybils a routing-work blockchain. Whereas all the fees in the block were previously potential income to the attacker, the lottery is now taxing their wallet directly.

For a routing work mechanism to be sybil-proof, it is sufficient to show that the tax on self-generated routing-work is greater than the total income a node 1-hop deeper in the network can expect from an equivalent amount of final-hop routing work. In the Saito Classic mechanism the tax is 50% of all fees put into the block, and first-hop nodes earn at minimum 50% of routing payout. Since any additional fees in the block by definition come from the attacker, it is theoretically impossible to generate positive expected income.

As long as the lottery tax remains provably costly regardless of the amount of routing work that the attacker has in the block, any network that has the same work-decay and payout-decay functions as Saito Classic by definition inherits the same sybil-proof properties.

In practice, our goal is to force cost-of-attack significantly above 100% of fee-throughput, so that in a best-case scenario the attacker is hemorrhaging money rather than merely breaking even. This requires the introduction of a staking payout and the increase in cost-of-attack that can come from the added difficulty of finding combinatorial lottery solutions that simultaneously issue the routing payments from multiple blocks to the attacker .

In the paper referenced above, we show very clearly that cost-of-attack is a minimum of 137 percent in a network with such a structure. This means an attacker must spend ~137% of network fee-throughput to earn 100% of the fees in that block which do not come from their own wallet.

With full control of the staking table, the attacker can eke out profits at approximately 75% control of the staking table.  This can easily be addressed in the paper as mentioned – by the imposition of an income cap that limits payouts to 125% of a smoothed average. Under these situations cost-of-attack rises much higher than 137% to start, and remains above 100% even if attackers gain full control of the staking payout.

The post A Simple Proof of Sybil Proof appeared first on Saito.

https://timroughgarden.github.io/fob21/l/l9.pdf

From the Saito perspective there are some problems though. The most significant is that it is incorrect to view public blockchains as sybil-resistance mechanisms wrapped around consensus algorithms. We understand why many researchers like this dichotomy. The distinction is easy to teach and feels productive.

But the dichotomy is incorrect. Once any network offers an outbound payment for performing a work function that function no longer constitutes a sybil-resistance mechanism: you cannot refund payments and still count purchases as expensive. Under these conditions what imposes cost-of-attack is the consensus layer, which decides which nodes receive spendable tokens in exchange for their work.

Computer scientists typically deal with this problem by axiomatically assuming that a majority of miners/stakers are honest. Under these conditions there *must* be a cost-of-attack, and if there is a cost-of-attack surely we should attribute it to the hashing or staking function where the money is spent? This feels like a harmless exercise – no shortage of papers start by making assumptions about node honesty and then derive formal proofs of security from these and other axioms. The problem is that we are doing this to maintain the illusion that the sybil-resistance layer is operating independent of the consensus layer.

Once you break this illusion you are pulled towards a more powerful reality – the realization that consensus mechanisms impose cost-of-attack by asymmetrically taxing attackers. Nakamoto Consensus achieves this by keeping hashing costs constant for all nodes, but decreasing the expected return for attackers, who must build multiple blocks in the same time their honest peers need produce only one.

It is true that in Bitcoin this asymmetrical tax collapses in the face of a Byzantine majority. And while there is no theoretical reason to believe this problem is unsolvable (do all forms of asymmetrical taxation have this weakness?), the coincidence will likely stir critics to ask why we should favor any particular framework over another if both end up predicting failure in the face of majoritarian assault?

And the answer here is that both approaches are not equally vulnerable. If you believe that your sybil-resistance and consensus functions are distinct in the way Tim and others posit, you do end up trapped: it is pointless to strengthen your consensus mechanism against malicious majorities if their existence undermines a fundamental axiom you need to keep your network secure. The framework you adopt essentially defines majoritarian attacks as an unsolvable problem.

But if you focus on the way consensus mechanisms asymmetrically tax attackers you have an open road ahead. Because you are suddenly looking for additional behavioral differences between honest nodes and attackers that can be (1) observed in distributed systems, and (2) leveraged to make proposing changes-of-state more costly for attackers than honest nodes.

This more accurate worldview encourages us to manipulate the same economic levers that Nakamoto Consensus does. It teaches us to improve on Satoshi’s solution not only by decreasing the payouts we offer attackers, but even doing things that no proof-of-stake or proof-of-work network can accomplish: asymmetrically increasing the cost that attackers pay to propose blocks. The routing work mechanism that Saito Consensus introduces simultaneously accomplishes both of these objectives.

At the end of the day, definitional frameworks matter. With an inaccurate worldview, partisans are forced into axiomatic frameworks that make progress a theoretical impossibility and steer them away from viable solutions. Shifting to a more accurate framework easily doubles the size of our solution space, and permits the development of mechanisms like Saito that can continue to impose cost-of-attack on attackers even in the face of malicious majority coalitions.

The post An Open Comment on Tim Roughgarden’s Lecture Notes on Blockchain appeared first on Saito.

French Whitepaper – Whitepaper en Français

As a personal aside, it’s particularly nice to have a French version of the Saito whitepaper given that some of the more radical ideas in our advanced section are quietly indebted to the great French philosopher Alexis de Toqueville, one of the first political theorists to suggest that self-balancing coalitions are the best way to create stable and open governance mechanisms. Saito’s idea of having routers, miners and users engage in a tripartite battle over the network PAYSPLIT harkens back to him in an obvious way.

Although many English-speakers will have read snippets of his Democracy in America, not many tackle his second and arguably greater work The Old Regime and the Revolution, in which Alexis returned to the French Revolution to ask why it failed and why France descended back into authoritarian control. His answer: with the contending minority interests of French society effectively decimated by the willful centralization of pre-Revolutionary royal rule, French society lacked the complex domestic forces needed to prevent its democratic experiment from descending into tyranny and mob rule.

There should be much more awareness of these ideas — and much less naiveté about on-chain voting generally — in the blockchain space. One of the questions Saito asks — and one to which we are not sure of the answer — is whether we can modify our current mechanism and balance participants off against each other in ways that allow us to do things like spend more on scale when needed and increase cost-of-attack when appropriate. We hope that as more people come to understand Saito we will get more assistance thinking through these questions as a community.

In the meantime, we hope that this translation will help some of these “radical ideas” reach receptive ears on their native soil. Thank you again, Maxime!

The post Saito Whitepaper – French Translation appeared first on Saito.

On the off-chance you haven’t heard of Friedrich Hayek, he was one of the mid-20th century economists who witnessed the ascent of the Soviet economic model and fought a rear-guard action in defense of capitalism. Whereas his fellow Austrian emigre Joseph Schumpeter saw free markets as superior because of their ability to drive innovation (“creative destruction”), Hayek argued they were necessary to set prices at levels which are “not given to anyone in [their] totality” and thus cannot be optimized by central planners.

Hayek’s seminal essay The Use of Knowledge in Society outlines this most succinctly, asking how state planners can ever know how to allocate resources? What Hayek saw that many others missed is that prices do more than incentivize people to produce things: they value all goods and services in relation to each other at rates Hayek called their “marginal rates of substitution.” Letting these rates self-adjust in response to the floating preferences of consumers and producers is how free markets allocate resources efficiently, incentivizing more of X and less of Y if doing so provides greater social value.

The subtlety of Hayek’s emphasis on relative-prices is usually missed by crypto-libertarians, who see tokens incentivizing arbitrary forms of work and imagine they have a free market at work. Ask exactly how the market is pricing work and most will get confused: isn’t the free market providing hashpower to Bitcoin? Aren’t users paying fees? Yet the problem has never been creating incentive structures or charging fees: state planners do both of those very well.

To see the actual problem, try inverting Bitcoin. Imagine we paid nodes in the P2P network and asked volunteers to hash for free. Would we get an optimal amount of security? What about an optimal number of P2P nodes? If more hashing would encourage more P2P nodes and greater network usage, would volunteers be incentivized to spend more money on hashing?

The intellectual error most people make here is forgetting that when a consensus algorithm pays nothing for something, it is assigning a price (of zero) and manually defining the “marginal rates of substitution” between that and other necessary inputs. The fact that the consensus mechanism is a machine does not stop it from acting as a de facto central planner. Robots can fix prices too!

Were Hayek still alive, he would be the first to point out this abuse of free market economics. He would also never accept the what-me-worry reassurances of technocratic dilettantes that perhaps things will work out. As Hayek would point out, the fact that we have an external market controlling the flow of funds into an internal market means that our two layers are never independent, and can never be subject to a rationalizing outside force.

In this environment, the only way the free market can price inputs efficiently is by putting the cross-market allocation of resources within the firm, so that internal profit-maximization strategies minimize wasteful spending. Like this approach or not, the result will clearly look much less like a permissionless network and much more like Google or Amazon. Replacing volunteers with firms doesn’t suddenly make firms behave like volunteers.

This news is depressing for those who have eyes to see it, in part because so few people seem aware of it, and in part from the irony of watching Silicon Valley’s libertarian class repeat the same price-fixing errors their Marxist counterparts did a century ago. The machines may change, but the technocratic hubris remains the same.

So while we can get to Saito Consensus by reading public choice theory, even the Chicago School can teach us something most libertarian crypto-bros fail to see: the rise of dominant network-layer service providers like Infura and TAAL is far from a swan song of “centralization” before technical maturity delivers a golden age of radical decentralization — it is the direction the free market itself is steering POW and POS networks out of their need to induce provision of the infrastructure their consensus mechanisms cannot price and pay for, but on which they are dependent for continued survival.

The post Technocratic Hubris: what Hayek would say about Bitcoin appeared first on Saito.

David presented to a panel arguing that It’s Openness Not Decentralization That Matters in Blockchain. The Saito co-founder argues that the properties that people believe come from decentralization actually stem from openness – the inability to exclude people from the chain.  He continued that openness is not free; we need to pay for open data flows that support it and allow free competition in the network. In the original design, bitcoin, volunteers took care of this work but as these networks scale the responsibility for doing that needs to shift to for-profit firms in the private sector and as it turns out economics has a ton to say about the massive problems that computer scientists are running into doing this. This is what’s happening with the peer to peer network right now. In every scalable blockchain miners and stakers do not want to run the network. They are letting their responsibility for that be handled by other people. This is the Ethereum network where everybody is free riding on Infura.

There are three kinds of solutions in the blockchain industry. The first is the emergence of networks that return to volunteer provision and these networks can be open. Anybody can join but they cannot scale beyond the point that volunteers will provide infrastructure. The second solution is we can invite the free market to pay. But, the private sector will create barriers to data sharing to create opportunities to profit. So we will end up with these scalable networks that are permissioned networks that are dominated by monopolies in the network layer that’s what we’re seeing with Infura.

Saito replaces mining and staking with a form of work where we can route work which adds cryptographic signatures to the network layer and it basically pays people for the work that they do efficiently collecting money for the network. So it’s a non-extractive form of work otherwise the network has the same properties as POW and POS.

The post Saito Co-founder David Says Openness & Self-sufficiency Matter in Blockchain at Blockchain Research Roundtable Event appeared first on Saito.

While honest users build on the chain-tip, attackers build from a block at least one confirmation deeper into the chain. 

This difference exists because attackers who are re-organizing the chain must produce two blocks in the same amount of time that the honest network has to produce merely one. The network exploits this difference to tax attackers: the cost of producing blocks is identical for wolves and sheep, but sheep who produce at the tip of the longest-chain are far more profitable.

So blockchains do differentiate between wolves and sheep – they do it by taxing behavioral properties that any node might exhibit, but that attackers must exhibit. It does not matter if this tax occasionally penalizes an honest node with an unfortunately dim view of consensus. As long as attackers are disadvantaged relative to a subset of honest nodes, the network can maintain its cost-of-attack while incentivizing honest behavior.

But don’t majoritarian attacks put wolves back on equal footing with sheep? Some developers may make this claim (“what I meant was…”) but note the shift in logic: they have moved from asserting there are no behavioral differences between wolves and sheep to asserting that no differences exist which can be leveraged to penalize wolves in majoritarian conditions. And this claim is also false.

All we need to disprove it is a single a difference that can systematically tilt income away from all wolves and towards an unknown subset of sheep. And it turns out there is at least one behavioral difference with this property:

When an attacker puts a transaction (that will be profitable for them to collect) into a block, they must be one hop deeper into the routing network than at least one honest node or user.

If an attacker is making money producing blocks, those blocks must by definition contain fees that come from someone else. In the absence of a block reward, every wolf that is not burning their own money to produce blocks must have at least one transaction in that block that was routed to them from an honest user or sheep, either sent to them as an unconfirmed transaction or stolen by them from a previously-published block.

As with Bitcoin’s tax on re-org depth, this difference can be leveraged to suppress the profitability of wolves: simply make block production more costly for deep-hop nodes, while forcing them to compete with shallow-hop nodes for control of the longest-chain. Saito does this by halving the value that fees contribute for producing blocks with every hop a transaction takes across the network. Any node at routing depth N+1 can produce only half the blocks and/or earn half the profits as a node at position N given the same set of transactions.

Taxing fee-transfers this way puts attackers at a disadvantage in producing blocks. This solution is counterintuitive to POW and POS developers as it requires the ratio between two variables that are fixed in their networks (cost of block production and income from producing blocks) to float. It also requires something missing in both POW and POS: cryptographic signatures that track who routes fees inwards towards block producers. Saito then tightens the noose further on wolves through a cryptographically-biased lottery that makes collecting payments less statistically likely for deep-hop nodes.

To conclude: security mechanisms in blockchains do not identify bad actors by intent. In this sense, those who insist it is impossible to tell the difference between “wolves” and “sheep” in blockchains are forgetting something they used to know: blockchains have always imposed cost-of-attack by taxing behaviors which must necessarily be exhibited by wolves and simply not caring if the trap ensnares a few unlucky honest sheep in the process.

The post Wolves and Sheep appeared first on Saito.