Vitalik Buterin, ethereum’s inventor, published a paper on October 25th on Casper, the biggest upgrade of any major public blockchain since bitcoin’s invention.
The fairly technical paper, containing some maths, deals mainly with a high-level view of the protocol, aiming to “prove some desirable features, and show defenses against long range revisions and catastrophic crashes.”
One such desirable feature is maintaining one chain within a set of rules, which is in some ways the main purpose of proving work was done, or in this case proving there is a stake. The paper says:
“If a validator violates a rule, we can detect the violation and know which validator violated the rule. Accountability allows us to penalize malfeasant validators, solving the “nothing at stake” problem that plagues chain-based PoS.
The penalty for violating a rule is a validator’s entire deposit. This maximal penalty is the defense against violating the protocol. Because proof of stake security is based on the size of the penalty, which can be set to greatly exceed the gains from the mining reward, proof of stake provides strictly stronger security incentives than proof of work.”
That’s a fairly big claim, and the paper doesn’t directly compare the level of security of proof of work and proof of stake, clarifying instead that Casper is to use a “Byzantine fault tolerant (BFT) based proof of stake” system, and that such systems:
“Typically have proven mathematical properties; for example, one can usually mathematically prove that as long as > 2/3 of protocol participants are following the protocol honestly, then, regardless of network latency, the algorithm cannot finalize conflicting blocks.”
That suggests there may be a 34% attack vector, which in practice is similar to bitcoin as shown by Emin Gün Sirer’s paper on selfish mining. But, initially, eth will have both PoW and PoS to secure the blockchain. The paper says:
“The proposal mechanism will initially be the existing proof of work chain, making the first version of Casper a hybrid PoW/PoS system. In future versions the PoW proposal mechanism will be replaced with something more efficient. For example, we can imagine converting the block proposal into some kind of PoS round-robin block signing scheme.”
We might hear more about what a round-robin block signing scheme is today at Devcon3, but, in simple terms, it suggests validation might be time limited, with the role going around from validator to validator. As far as the initial version is concerned:
“We assume there is a fixed set of validators and a proposal mechanism (e.g., the familiar proof of work proposal mechanism) which produces child blocks of existing blocks, forming an ever-growing block tree… the root of the tree is typically called the “genesis block.””
By tree they mean a chain-split, which then itself chain-splits and so on, like a tree. That is something we don’t want at all, as “we expect that the proposal mechanism will typically propose blocks one after the other in a linked list (i.e., each “parent” block having exactly one “child” block).”
That is, just one blockchain. To achieve that, there will be checkpoints. “Rather than deal with the full block tree, for efficiency purposes Casper only considers the subtree of checkpoints forming the checkpoint tree. The genesis block is a checkpoint, and every block whose height in the block tree (or block number) is an exact multiple of 100 is also a checkpoint.”
The rectangles represent a checkpoint, with the dashed lines representing 100 blocks between each checkpoint. The way we get those nice red (pink?) lines forming one chain is through the “supermajority link.”
That is, 2/3 of validators (weighted by deposited amounts) select it as the correct chain based on a new rule: rather than the longest chain, it’s “the chain containing the justified checkpoint of the greatest height.”
A checkpoint is justified where there is a supermajority link between the checkpoints, as opposed to conflicting, where there are nodes on both chains.
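As an added illustration (not code from the paper or from this article), the Python model below builds a small checkpoint tree, counts deposit-weighted votes, justifies a checkpoint once a link reaches 2/3 of total deposits, and applies the fork choice rule quoted above. The validator names, deposit sizes and checkpoint names are constructed; treating genesis as justified and requiring a link's source to be justified already follow the paper's definitions rather than anything stated on this page.

```python
EPOCH = 100  # per the article: block heights that are multiples of 100 are checkpoints

class CheckpointTree:
    def __init__(self, deposits):
        self.deposits = deposits          # validator -> deposit (constructed values)
        self.total = sum(deposits.values())
        self.parent = {"genesis": None}
        self.height = {"genesis": 0}
        self.justified = {"genesis"}      # the root counts as justified
        self.votes = {}                   # (source, target) -> set of voters

    def add_checkpoint(self, name, parent):
        self.parent[name] = parent
        self.height[name] = self.height[parent] + EPOCH

    def is_ancestor(self, a, b):
        node = self.parent[b]
        while node is not None:
            if node == a:
                return True
            node = self.parent[node]
        return False

    def vote(self, validator, source, target):
        """Record a vote for source -> target; return True once target is justified."""
        if source not in self.justified or not self.is_ancestor(source, target):
            return False                  # invalid link: the vote is ignored
        voters = self.votes.setdefault((source, target), set())
        voters.add(validator)             # a set, so a repeated vote adds no weight
        weight = sum(self.deposits[v] for v in voters)
        if 3 * weight >= 2 * self.total:  # supermajority link: at least 2/3 of deposits
            self.justified.add(target)
        return target in self.justified

    def head(self):
        """Fork choice: the justified checkpoint of the greatest height."""
        return max(self.justified, key=lambda c: self.height[c])

def demo():
    tree = CheckpointTree({"A": 40, "B": 30, "C": 20, "D": 10})
    for name, parent in [("a1", "genesis"), ("a2", "a1"),
                         ("b1", "genesis"), ("b2", "b1"), ("b3", "b2")]:
        tree.add_checkpoint(name, parent)
    for v in ("C", "D"):
        tree.vote(v, "genesis", "b1")     # 30 of 100: no supermajority link
    for v in ("A", "B"):
        tree.vote(v, "genesis", "a1")     # 70 of 100: a1 becomes justified
    rejected = tree.vote("A", "b1", "b3") # source b1 was never justified
    for v in ("A", "C"):
        tree.vote(v, "a1", "a2")          # 60 of 100: not yet justified
    before = tree.head()
    tree.vote("B", "a1", "a2")            # 90 of 100: a2 becomes justified
    return rejected, before, tree.head(), sorted(tree.justified)
```

The b-branch is the longer one (b3 sits at height 300), yet the head stays on the a-branch because no checkpoint on the b-branch ever gathers a supermajority link.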
Before going on to provide the maths that proves the statement, the paper thus concludes that it is able to maintain consensus within one chain, stating:
“We prove Casper’s two fundamental properties: accountable safety and plausible liveness. Accountable safety means that two conflicting checkpoints cannot both be finalized unless ≥ 1/3 of validators violate a slashing condition (meaning at least one third of the total deposit is lost).
Plausible liveness means that, regardless of any previous events (e.g., slashing events, delayed blocks, censorship attacks, etc.), if ≥ 2/3 of validators follow the protocol, then it’s always possible to finalize a new checkpoint without any validator violating a slashing condition.”
This translates to: the chain can continue growing securely as long as 2/3 of the deposited eth remains honest; otherwise the dishonest 1/3 loses their deposit.
The paper also presents ways to prevent certain attacks, such as the one above, described in the paper as:
“The withdrawal delay after a validator’s end dynasty introduces a synchronicity assumption between validators and clients. Once a coalition of validators has withdrawn their deposits, if that coalition had more than 2/3 of deposits long ago in the past, they can use their historical supermajority to finalize conflicting checkpoints without fear of getting slashed (because they have already withdrawn their money). This is called the long-range revision attack.”
The solution is “in simple terms, long-range attacks are prevented by a fork choice rule to never revert a finalized block, as well as an expectation that each client will “log on” and gain a complete up-to-date view of the chain at some regular frequency (e.g., once per 1–2 months).”
This addresses a hypothetical edge case: a targeted attack in which the coalition shows a fake chain of sorts to a node that has been offline for months and suddenly comes back online, with its operator unaware of the chain history since.
As long as the node comes on at least once every two months, then even the targeted attack would not work according to the paper, which concludes:
“Casper remains imperfect. For example, a wholly compromised block proposal mechanism will prevent Casper from finalizing new blocks. Casper is a PoS-based strict security improvement to almost any PoW chain.
The problems that Casper does not wholly solve, particularly related to 51% attacks, can still be corrected using user-activated soft forks. Future developments will undoubtedly improve Casper’s security and reduce the need for user-activated soft forks.”
That is, the system continues to be based on a majority honesty assumption, the old: why attack it when you can get free eth?
The claim that it is more secure than PoW, which is likely based on the punishment aspect for misbehaving (something PoW doesn’t have in a direct manner), will have to be backed up, but generally the paper provides proof for PoS’s security and liveness, and so for maintaining consensus within one chain.