I received this reply from @anonymint. Note this is corrected from a post made several hours ago by @kennyP which was quickly (within a couple of hours) deleted when @anonymint independently discovered the holistic error in his conceptualization of PoA.
Thanks to @shunsaitakahashi for deleting his reply to that rescinded post, and apologies to him for wasting his time on that rescinded reply.
PoA whitepaper Section 2.1 Summary says:
A network using this protocol publishes blocks periodically at a predefined interval called slot.
“Predefined interval” implies a time interval unless otherwise stated. Yet you wrote in this thread that block approvals never expire because block proposers (aka “creators”) can continue to accept approvals for an indefinite period of time. So I was perplexed what is the meaning of “interval” in this context. But then later on I realized that slots are intended to have an expiration interval which is much longer in duration than the typical block approval completion time. Unfortunately your whitepaper didn’t make this easy for me to grok. I had to reverse engineer this understanding as you will see below as the light bulb finally came on in my head as to the holistic design of your system.
I was pondering if you meant that the interval of each slot is measured as one and only one block. And by now I realize that would be an incomplete statement and instead you really mean what I wrote in the above paragraph.
Time is divided into discrete units called slots.
1. Each party in the network has a roughly synchronized clock that indicates the current slot. Any discrepancies between the clocks are significantly smaller than the length of the time represented by a slot.
2. The length of the time represented by a slot is significantly larger than the time needed to transmit messages or blocks from one party to the other.
The item #2 obfuscates that the real point is that the slot time is significantly greater than the typical time to approve a block. That is crucial for forming the Schelling point which makes voting incentives work correctly as I will recapitulate below.
My description of your system below might help others better understand PoA.
Approvers are allowed to approve as many blocks as they choose as long as the approved blocks share the same parent. If not, the approvals are considered conflicting and cannot be used.
Nodes are allowed to approve as many candidate blocks as they choose as long as they share the same parent block. In Figure 3, a node can choose to approve either D by itself or D’ and D" for the slot. But if it were to approve D as well as D’, since those don’t share the same parent, those approvals would be called “conflicted” and are rejected during validation.
The questions I originally had until I finally grokked the holistic design of PoA were as follows. How are conflicting approvals detected if they can arrive at any indefinite time in the future? How can anything ever become final if an attacker withholds a conflicting approval and broadcasts it at some indefinite time in the future? How does the chain determine which broadcast came first since the network is not perfectly synchronized? IOW, it seemed to me that PoA would still need an expiration timeout on how long of a wait before the window of conflicting approvals is final. And with an expiration time the PoA design would revert back to the flaws I identified which is the ambiguity around the boundary of an expiration time.
IOW, I initially was stuck on the thought that conflicting approvals is the analogous dilemma as double-spent transactions. I thought you shifted the problem of detecting and preventing double-spent transactions into detecting and preventing double-spent approvals. And thus AFAICT made no actual progress on a viable consensus system. And I originally thought that all that has been accomplished is obfuscation of a flaw in a complex system description.
However, then the holistic understanding finally clicked into my mind as to how the security and game theory works in PoA. So now I will explain my (I am reasonably certain now) correct understanding as follows.
If we can guarantee that all honest approvers will always vote on the same fork (i.e. never vote for candidate blocks with different parents), then at any quorum approval threshold choice above 50%, then assuming the attacker possesses less approval control than the threshold, a conflicting block can’t be produced which ends up with a higher approval at any time in the future. Thus for a 50%+1 quorum, the attacker must possess at least 50%+1 approval control in order to slash 25%+1 with conflicting approvals and approve of the attacking block with attacker’s remaining 25%. In that case, the double-spent block has 25%-1 of the remaining 75%-1 total approval and the attacker’s winning block has 25% of that 75%-1 total approval. There can’t exist another block that has a higher approval because the attacker controls 50%+1 which was expended.
Increasing the quorum threshold above 50% increases the safety because the attacker will need to control more than the threshold, but it reduces the liveness. For example an 80%+1 quorum, the attacker must possess at least 80%+1 approval control in order to slash 70%+1 with conflicting approvals and approve of the attacking block with attacker’s remaining 10%. In that case, the double-spent block has 10%-1 of the remaining 30%-1 total approval and the attacker’s block has 10% of that 30%-1 total approval. Liveness is maximized at the 50% quorum threshold because up to 50%-1 of the control can be non-responding.
The incentive mechanism in PoA posits to disincentivize honest approvers from choosing from candidate blocks with different parents. The choice of parent block is apparently dictated by network synchrony in that the live nodes will tend to have a Schelling point around approving all candidate blocks with the parent being the last approved block they saw that had met the quorum threshold. Presuming the slot interval expiration time is much larger than typical time to approve a block, then all or nearly all live nodes should have the same Schelling point choice for parent block. The tie breaker rules in Section 2.2.22 Approval Tie-Breaking Procedure A(·) are employed so that multiple competing approved blocks in a slot have only one Schelling point parent block.
The network synchrony assumption and Schelling point appear to maybe be what differentiates the incentive mechanism in PoA from Byteball’s 100% asynchronous incentive mechanism which allows Byteball to get stuck with competing witness groups even with no 50%+1 attacker. Also I need more study to determine if Byteball could ameliorate additional posited vulnerabilities when the quorum threshold is greater than 50%+1. It was originally (earlier in this thread) my lack of holistic understanding of this PoA incentive mechanism and Schelling point that caused me to believe PoA would also need ⅔ quorums for 100% finality.
Same as for Nakamoto proof-of-work, there’s no Schelling point nor Nash Equilibrium in PoA if the attacker has more than the 50% threshold control. PoA’s rules of conflicting approvals force the honest nodes to accept the attacker’s fork because the attacker records the conflicting approvals in his block that orphans the conflicting block(s). Even the attacker can’t bribe by eliding conflicting approvals of those approvers who defect to his block, because the honest conflicting block will contain the objective evidence of those signed conflicting approvals, which any node can verify thus objectively choosing the honest block as the winner (that is unless the attacker has the sufficient 50%+1 control, in which case the attacker doesn’t need to elide the conflicting approvals).
The 100% finality after one block is dependent on the attacker not having 50%+1 control of live stake. Additionally, not only can live stake be much less than total stake of the money supply, but I earlier in this thread pointed out reasons that stake can be nearly cost-free to obtain and attack with. Also @monsterer2 has pointed out that unlike proof-of-work which burns external resources, it costs nearly nothing ongoing to sustain a 50%+1 stake attack (other than the opportunity cost of holding that stake but the attacker can offset that cost with profits due to attacking, such as taking all the newly minted money supply rewards, double-spending, and/or shorting the token on exchange).
Thus it is disingenuous to compare this claimed one block 100% finality to Nakamoto proof-of-work probabilistic finality. In essence, the finality of PoA is either fragile or dependent on a benevolent attacker (oligarchy) which collects parasitic rents in ways other than double-spending. For example, DPoS has elections for the delegate witnesses and to set their compensation. An oligarchy controls the elections and can extract the maximum rents the system can bear. And STEEM (running DPoS) and PoA can enable an oligarchy domination of the newly minted money supply. A 50%+1 attacker in PoA need not double-spend, he can just make sure he only includes his own approvers in blocks so that he takes all the minted tokens for the coin rolls consensus process.
Also there is no way that 100% of the stake will be participating. Thus, no blocks are likely to get 50%+1 approval! Thus the attacker will need much less than 50%+1 of the stake. Thus the presumption of 100% finality is not true in reality unless the system is run by an oligarchy which has 50%+1 of the control, and in which case the oligarchy can revert finality at-will.
In conclusion the major flaw in PoA is that it rewards all the minted money supply to the oligarchy that otherwise hopefully benevolently controls 50%+1 of the stake. Which is roughly the same outcome as DPoS. And the latency of confirmation and unsharded scalability for PoA is unlikely to be any better than DPoS when they’re both effectively running as (distributed but) entirely centralized oligarchy systems. Since PoA doesn’t currently propose sharding, we’ll not discuss the potential issues with EOS’ (centralized oligarchy) sharding here.
Transactions include hash of a recent block and therefore are “context sensitive”[12]. This prevents transactions from being used in an attack fork.
TaPoS is probably effective against the long-range 50%+1 attacker who had 50%+1 of the stake in the distant past, unless that attacker still maintains 50%+1 of the stake in the present. Because current hodlers of UTXO are unlikely to vote for a fork that has stolen their tokens.
Thus note that if the attacker held for example 80% or 90% of the stake at inception or anytime in the distant past, then the attacker could long-range double-spend 30% or 40% of it and still defeat the TaPoS protection.
Worse yet, much of the stake may not participate in consensus voting and thus the attacker needs much less than 50%+1 of the stake in order to mount a 50%+1 attack on the consensus approvals. Somehow honest stakeholders must be able to delegate their stake power at all times when they are offline.
So for TaPoS to be effective is highly dependent on a non-manipulated distribution and a healthy uninterrupted market demand for the tokens, so that the normal power-law distribution of wealth with 50% held by the masses holds true. I had explained before this is usually not true in altcoins because of fraud and manipulation, such as issuers buying the ICO from themselves.
Here follows some thoughts I had before I grokked the holistic design of PoA, which have been edited to incorporate my current holistic understanding.
Each node collects approvals of its candidate block and computes its approval stake. Any approval with conflict or zero stake is ignored. If the node’s candidate block’s approval stake exceeds quorum, it broadcasts an approval block to the network.
Before I formed my holistic understanding, I was thinking PoA was designed with a presumption that once a block is broadcasted that it takes precedence to a block that is not yet broadcasted which receives a conflicting approval. But there’s no way to prove which block was broadcasted first without consensus about which block was first. Yet consensus is what PoA is trying to achieve. Thus I thought PoA had a hen-egg dilemma. This is what I referred to in one of my prior posts as quoted below:
That is why I wrote I thought we were not understanding each other. I thought you did not fully appreciate the significance of what I wrote before. But now with the holistic understanding of the design, I realize that unless the attacker has a 50%+1 control, then a block with 50%+1 approval is final. But the flaw is that no blocks are likely to get 50%+1 approval without 50%+1 oligarchy in control! Even if you presume multiple competing staking groups vying for mining rewards, the only equilibrium is when they come together to form an oligarchy, because the oligarchy can extract more rents than they can as competing groups. This is a Prisoner’s Dilemma.
A node can broadcast an improved version of its approval block when it receives additional approvals or when it detects approval conflict. Receiving nodes use the approval block with the most stake to create their candidate block for the next slot.
Before I formed my correct holistic understanding, I was thinking but how can the block creators for the next slot decide which approval block has the most stake when that stake can decrease if approval conflict is later detected? And when does the block creator for the next slot begin if the finality of the winning approval block is indefinite and never final? I was incorrectly thinking that the ability to slash conflicting approvals is analogous to the ability to double-spend. That it opens a liveness vulnerability which kills any finality. That it was in essence the point I’ve been making since the prior page of this thread and since 2016.
But then I realized you had side-stepped the valid concerns I had by presuming that nearly 100% of the stake would be participating in all approvals. And that is a sort of disingenuous assumption and circumvention of the invariants I was holding in my head. Yeah you get your 100% finality in 1 block, but effectively only under oligarchy control of the system. But that is sort of dubious because centralized systems are short-term final and long-term anti-fragile.
When the approvals exceed the required quorum stake, the block creators broadcast the collected approvals to the network.
Again here were more of my (now irrelevant) thoughts before I grokked the holistic design of PoA. How does PoA protocol force them to broadcast at that moment? What if the attacker decides to delay for an indefinite time? How does PoA penalize delays? Incentivizing with the block creation award doesn’t penalize delays because: a) block awards are never final because an attacker can send conflicting approvals at any time later, b) the attacker may not be interested in awards, because he can short the token if he can stall the progress of the chain.
The Theorem 3.2 (Weak Finality and Finality) has a correct but misleading and somewhat irrelevant (but not entirely) proof:
Proof. Theorem 3.1 shows that all honest parties have the common chain prefix for k ≥ 1. Therefore, any transaction in a block buried by one or more blocks is held by all chains of all honest parties. Therefore, any honest party will report that transaction after one or more blocks have been deposited on top of the block containing the target transaction.
The problem is that the finality of a single block may never be achieved without an oligarchy in control but an oligarchy in control breaks the security assumptions. So the problem is that the definition of finality as measured by a single block is not the complete story. Thus the proof is correct but only because it’s framed out-of-context of the flaws which make the proven theorem less relevant.
The significant weakness is the presumption that 100% of the stake will be live. Otherwise the attacker needs much less than 50+%. Also the finality of blocks can’t be attained if there is not 50+% live. So there needs to be a 50+% attacker just for it to become final, unless 50+% of honest stake is always live and always votes correctly.
Problem is that proof-of-stake does not function well without an oligarchy in control. Thus 50+% attack is the norm, not the exception. Normally the oligarchy in control is benevolent in terms of double-spending and extracts their rents via other schemes.
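The validation rule quoted above from the whitepaper (approvals in one slot for blocks with different parents are conflicting; conflicted and zero-stake approvals are ignored; the remainder is compared with the quorum) can be sketched as follows. This is an added example, not code from the whitepaper or from the post: the `Approval` record, function names, parent labels and stake figures are constructed, and measuring the quorum against total stake is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Approval:          # hypothetical record, not the whitepaper's wire format
    approver: str
    slot: int
    block: str
    parent: str

def conflicts(approvals):
    """(approver, slot) pairs that approved blocks with different parents."""
    parents = defaultdict(set)
    for a in approvals:
        parents[(a.approver, a.slot)].add(a.parent)
    return {key for key, seen in parents.items() if len(seen) > 1}

def approval_stake(block, slot, approvals, stake):
    """Stake behind `block`, ignoring conflicted and zero-stake approvals."""
    bad = conflicts(approvals)
    voters = {a.approver for a in approvals
              if a.block == block and a.slot == slot
              and (a.approver, a.slot) not in bad
              and stake.get(a.approver, 0) > 0}
    return sum(stake[v] for v in voters)

def meets_quorum(block, slot, approvals, stake, threshold_pct=50):
    """True if usable stake strictly exceeds threshold_pct of TOTAL stake (assumption)."""
    total = sum(stake.values())
    return approval_stake(block, slot, approvals, stake) * 100 > threshold_pct * total

# Constructed sample modelled on Figure 3: D has parent C; D' and D'' share parent C'.
STAKE = {"alice": 30, "bob": 15, "carol": 25, "dave": 20, "eve": 10, "zed": 0}
APPROVALS = [
    Approval("alice", 4, "D'", "C'"), Approval("alice", 4, "D''", "C'"),  # same parent: allowed
    Approval("bob", 4, "D'", "C'"),
    Approval("carol", 4, "D'", "C'"), Approval("carol", 4, "D", "C"),     # different parents
    Approval("dave", 4, "D", "C"),
    Approval("zed", 4, "D'", "C'"),                                       # zero stake: ignored
]   # eve (10% of stake) is offline and approves nothing

if __name__ == "__main__":
    print("conflicted:", conflicts(APPROVALS))
    for b in ("D", "D'", "D''"):
        print(b, approval_stake(b, 4, APPROVALS, STAKE),
              meets_quorum(b, 4, APPROVALS, STAKE))
```

With carol's approvals discarded and eve offline, D' falls short of the quorum even though a majority of total stake signed it, which is the live-stake dependence the post describes.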