Written by
2020-11-30

Eliminating 51% Attacks in Proof-of-Work Blockchains

This blog post explains how to build a proof-of-work blockchain without 51% attacks. Bear in mind this is a pure proof-of-work implementation: it eliminates majoritarian attacks rather than moving them to a governance layer with voters and validators.

Image for post

Start by noting that majoritarian attacks are possible in proof-of-work blockchains such as Bitcoin because the “work” that secures the blockchain is locked to blocks that can be orphaned. When the chain is re-organized the work in orphaned blocks is rendered useless: the attacker can collect 100% of all network revenue because they produced 100% of the blocks on the longest chain. This problem can be eliminated by moving the proof-of-work component to the transaction level.

This can be done by having users include a proof-of-work hash with their transactions instead of a transaction fee. Nodes in the network gather these hashes as they share transactions and are permitted to produce blocks once their mempool contains enough cumulative work to meet difficulty requirements. For clarity’s sake, we will call this “transaction-embedded proof-of-work” (tPOW) to differentiate it from “block-embedded proof-of-work” (bPOW).

Moving the POW component into the transaction creates several problems. The first is that multiple nodes may have enough work to produce blocks at the same time. This can be avoided by having nodes sign transactions as they pass through the network, so that each transaction has an unforgeable history of the routing path it has taken on its journey into the network. This technique is called cryptographically-secured transaction routing.

A simple implementation should specify that no node can put a transaction into a block unless it is included in that transaction’s cryptographically-secured routing path. Consensus rules should also halve the value of “work” embedded in each transaction with each additional hop that the transaction has taken through the network. Nodes will eventually stop propagating transactions once only a minimal amount of work remains: users who wish faster confirmation (deeper propagation) should attach harder proofs. Rather than paying fees and asking fee-collecting miners to purchase hashpower we are decentralizing the process and having users provide the work directly.

With these restrictions, block production will adopt the “round robin” properties of proof-of-stake systems. Centralization pressures in Bitcoin also disappear as there is now zero advantage to nodes in being tightly coupled: the node that produced the previous block is the least likely to produce the next block. Sybilling also vanishes (although the reason why is left as an exercise for the reader). What matters for block producers is positioning themselves close to a unique inbound stream of high-work transactions.

Majoritarian attacks disappear in this system. The table below shows this by quantifying the cost-of-attack attackers face in tPOW networks. In comparison to bPOW — where the attacker can keep attack costs constant as long as they have enough hashpower to defuse the work of honest miners — in tPOW networks the cost of attack rises unstoppably as work “builds up” that is unavailable to the attacker. Even the richest attacker will eventually have to permit another node to contribute to their chain (if only to lower their cost of-attack). The blockchain continues to function normally: honest users can treat intermittent blocks produced by honest nodes as the equivalent of a single confirmation.

Image for post

The graph below shows this same information in visual form. The red line represents the cost of attacking the network. There is no point at which controlling a majority of network resources reduces cost-of-attack to zero.

Image for post

The cost-of-attack in tPOW is at least double that in bPOW. Building ASICs can cheapen attacks slightly, but without mining fees to pay for the effort, pulling that off involve massive investments with zero countervailing income. And ASICs are useless since the amount of hashing required for a sustained attack depends on the honest users in the network. Where bPOW collapses in the face of a 51 percent attack, tPOW can thrive if users simply respond to attacks by increasing the difficulty of the hashes they embed in their transactions, driving up the cost of the attack in real time and bankrupting attackers.

Those who give this mechanism serious thought will discover (perhaps to their dismay!) that the economic fundamentals of this system are otherwise identical to bPOW. Worried about hash-accumulation attacks in tPOW? You should worry about capital-accumulation attacks in bPOW! Any attacks-vectors in tPOW are possible on bPOW — except worse as they can play out in external markets (i.e. for control of hash or stake) that the consensus mechanism cannot measure or defend against. One of the more subtle insights tPOW offers is that eliminating economic attacks is only possible by eliminating reliance on external markets for our network difficulty function.

The most significant problem we are left with is a throwback to the original Bitcoin scaling debate: by eliminating fees the consensus mechanism re-introduces the need for a volunteer peer-to-peer network. Solving this (collecting and redistributing fees to network nodes) without re-introducing an external market is possible, but requires careful design. We direct readers interested in how to accomplish this to the Saito whitepaper.

Written by