Dr. Zhang Ren: My bias against all consensus protocols except for Satoshi Nakamoto consensus

On April 9, Dr. Zhang Ren, a researcher from Nervos & Cryptape and the designer of the CKB consensus algorithm NC-Max, was invited to participate in the Hong Kong "Web3 Scholars Summit 2024" and delivered a keynote speech titled "My Biases against Every Consensus Protocol that is not Nakamoto Consensus."

Watch the speech video (bilingual subtitles, must be viewed in the WeChat public account article): https://mp.weixin.qq.com/s/UWqZQGgZcMh5Zed_cxftOA

The following is a summary of Dr. Zhang Ren's English speech (if there are discrepancies with the video content, the video shall prevail):

When I received the invitation to speak here, I was surprised to find that this is a scholarly conference among a series of industry summits. This fact once again raised the core question in my not-so-long research career: What role do researchers play in the blockchain world? More specifically, what is my role? What exactly are researchers?

Some researchers are seen as gods; they make the impossible possible and give rise to a huge industry, like Satoshi Nakamoto. Some play the role of gods, pursuing truth without being bound by law and morality. Others are the messengers of the divine, reminding humanity of its limitations and revealing the laws of the universe. However, the blockchain world no longer needs gods or messengers. Developers and entrepreneurs do not need us to tell them what cannot be done. At least, I am not yet sufficient to be that person.

Therefore, when I realized that I could not create or reveal something great, I took pleasure in destroying those who claimed to be great. I discovered my true talent. This discovery stemmed from my criticism of a Bitcoin scaling protocol called Bitcoin Unlimited, and I will tell you that story later. My true talent is making others unhappy. Being the culprit of others' unhappiness brings me great joy. I am not alone. After reviewing today's agenda, I found that most speakers are recognized security researchers. Choosing to be a security researcher means we must have some deep-seated psychological issues. In German, there is even a word to describe this pleasure, called Schadenfreude.

Thus, I hope to be a gadfly. Socrates compared himself to a gadfly while defending his life, stinging people and provoking them to anger, all for the sake of truth. What am I doing here? I am spreading biases. These are my viewpoints. Sometimes, they are rejected several times before being accepted and published by some open-minded reviewers. Outside of academia, these viewpoints are loved by some and hated by others. As my alma mater's Professor Zheng Yefu often said: "A PhD gives one the ability to persuade others to believe in one's biases. How boring it is to have no biases!"

"My Biases against Every Consensus Protocol that is not Nakamoto Consensus," that is the title of my speech. I will delve into five different types of protocols. I know that most of you are curious about Ethereum, so I will leave it until last. In case I go a bit over time, the host will feel a little guilty for interrupting me!

First, regarding Bitcoin Unlimited. The following image is of Yonatan Sompolinsky, the designer of the GHOST protocol and the founder of Kaspa. He guided me early in my PhD career. Back in 2017, he told me on a call: "Bitcoin is about to split into two chains; maybe you can do something."

Figure: Yonatan Sompolinsky

So, what happened at that time? For those too young to remember, in 2017, there was a debate about how Bitcoin should increase its throughput. The most popular method among miners was a protocol called Bitcoin Unlimited, which claimed to increase the block size limit without splitting the network. Its supporters were so confident in its superiority that they claimed they would launch a 51% attack once they became a supermajority. However, the community was concerned about its security. Supporters of Bitcoin Unlimited claimed that such an attack would "make the cost to the attacker far exceed that of the victim."

Due to time constraints, I do not have time to introduce its technical details; I will just mention a little. In BU, there is no block validity consensus, which means that a block valid for you may be invalid for others, and each miner chooses for themselves. What does a valid block mean? Each miner has their own block size limit. In this study, we analyzed the claims of BU supporters under three different incentive models, and the results showed that BU undermined Bitcoin's security in all cases.

Essentially, in BU, an attacker can generate a block that causes honest mining power to split into two different chains. Eventually, these two chains will converge such that a block from an attacker can make multiple honest blocks become orphaned. So in my view, BU's slogan should be changed to "Bitcoin Unlimited unleashed potential attacks."

After our paper "On the Necessity of a Prescribed Block Validity Consensus: Analyzing Bitcoin Unlimited Mining Protocol" was published, BU's support immediately declined. CoinDesk reported our findings, ending the debate around BU's security. A few months later, BU's support dropped to zero. This paper was published at the end of the year in CoNEXT.

Second, regarding the other 9 PoW protocols. To improve Nakamoto Consensus (NC), I designed a model and evaluated dozens of ideas, but none were perfect. However, these flawed ideas continue to be published, often with little or no security assessment. I believe people need to be informed. I am a bit ashamed to admit that this aligns with the "if I can't have it, you can't either" crab mentality.

Many protocols claim to improve NC, but the real question is: Is there a protocol that comprehensively surpasses NC in security? To assess this, we first need to understand how to improve NC.

The main weakness of NC is its poor chain quality, leading to three types of attacks:

First, selfish mining attacks. The process of selfish mining is the same as that of chain quality attacks, but the purposes of these two attacks are different. The goal of selfish miners is to increase profits, while the goal of chain quality attackers is to increase the percentage of main chain blocks. These two attacks are not equivalent in other consensus protocols.

Second, double-spending attacks. I think I can skip this part; everyone knows what a double-spending attack is.

Third, censorship attacks. In a censorship attack, the attacker claims to invalidate all blocks that confirmed certain transactions. If some miners disagree with the attacker's claim, the attacker will attempt to invalidate those blocks. Although the success rate of this attack is low, the rational choice for honest miners is to join the attacker, making the attacker the de facto owner.

There are other mining-related attacks, but they do not directly target the consensus protocol.

Our evaluation framework consists of four metrics. A protocol that surpasses NC needs to achieve better chain quality or better resist the three attacks mentioned above. Therefore, we divided all protocols claiming to surpass NC into two groups:

Better chain quality protocols, which claim "I can improve the quality of the chain and fundamentally solve all attacks," usually adopting different fork resolution strategies.
Attack-resistant protocols, which claim "I do not need to improve the quality of the chain; I can resist attacks." We further divided this group into three subgroups:

All-reward protocols: Compensate the losers, so there is no incentive to selfish mine.
Punishment protocols: Identify all competing blocks, so double-spending will be punished regardless.
Lucky reward protocols: Only reward certain lucky blocks, hoping these lucky blocks serve as anchors for a stable network.

Our results show that no protocol comprehensively surpasses NC. They either only improve chain quality in certain attacker scenarios or sacrifice one type of attack resistance for another.

We identified a series of attacks against specific protocols and explored the reasons why these protocols fail to achieve their goals; this speech can only introduce two.

First, rewards do not solve the attack problem. Attempting to design a novel incentive mechanism to resist certain attacks is a common mistake. Attackers have different motivations, and no single reward mechanism can deter all attacks. We discovered a dilemma called "reward the good, punish the bad." If all mining products are rewarded, there is no risk of double-spending because double-spending attackers will receive rewards regardless. If all competing blocks are punished, it effectively provides attackers with a new tool for censorship attacks. If only lucky blocks are rewarded, attackers can exploit lucky blocks to claim rewards while using unlucky blocks to attack honest miners.

The second insight is about how to design consensus protocols. We should not design overly complex protocols that are difficult to analyze. We should also not focus solely on one attack strategy, one attacker incentive, or use real-world parameters for security analysis. As Knudsen used to say, "If a protocol cannot be proven secure, then it is likely not secure." But in reality, Knudsen never said that; he said, "If it can be proven secure, then it may also not be secure." However, I believe the modified statement is also valid, unless you are Satoshi Nakamoto.

My paper "Lay Down the Common Metrics: Evaluating Proof-of-Work Consensus Protocols’ Security" was published in IEEE 2019.

Due to time constraints, I will skip the third part — sharded blockchains. Just remember that sharding is very difficult.

Fourth, regarding two DAG-based protocols. For those who are not too young, you should know that Bitcoin makes trade-offs in security performance. If you want to enhance performance by increasing block size or shortening block intervals, you will ultimately get more orphaned blocks, as Yonatan illustrates in this image. If there are more orphaned blocks, both security and performance will actually worsen: security decreases because attackers can mine longer chains with less mining power; performance also worsens because all the bandwidth wasted on propagating these orphaned blocks does not help with transaction confirmations.

The NC-Max I designed solves this problem; there is no time today to explain how it works. You must trust me that NC-Max solves this problem. However, getting the NC-Max paper "NC-Max: Breaking the Security-Performance Tradeoff in Nakamoto Consensus" published was not easy either. Before being accepted, we were rejected several times. One of the reasons it was hard to get accepted was that reviewers kept asking us, "Since DAG protocols have already solved the security-performance trade-off problem, why design a chain-based protocol?" This prompted us to conduct another study to convince the community that DAG protocols do not solve the security-performance trade-off problem.

What are DAG-based protocols? To achieve higher throughput, Yonatan proposed replacing the blockchain structure with a Directed Acyclic Graph (DAG). Each block can have multiple predecessor blocks, and multiple concurrent blocks can contribute to transaction confirmations. However, early DAG-based protocols either had weak security guarantees or could only provide partial security analysis.

Only the two DAG-based protocols, Prism and OHIE, can prove their security. They can demonstrate their security and performance by decoupling transactions, synchronization, and confirmation. Due to time constraints, there is no time today to explain how they work, but their main ideas are very simple and similar to NC-Max. Therefore, the responsibility for transaction confirmation falls on a series of NC chains made up of small blocks. Why use NC chains in DAG protocols? The benefit of doing so is that you can borrow the security proof of NC, which is very mature and rigorous.

Can they really make trade-offs in security performance? Of course not. The problem with these two protocols lies in a hidden assumption. They use multiple small blocks, hoping these small blocks have only brief and constant delays and are always immediately accepted, thus escaping the security-performance trade-off. But this assumption does not hold, and we found two phenomena indicating that this assumption is incorrect.

The first phenomenon is called block congestion. Suppose the network can only process one block per second, and you mine three blocks in 2 seconds; then at least one of those blocks cannot complete propagation within 2 seconds, no matter how small they are, the bandwidth is insufficient.

The second situation is called late predecessor. Suppose you have a small block, which is the orange block, that references a large number of larger blocks. Even if this small block is immediately propagated to all miners, they cannot mine on it until they receive all the larger predecessor blocks. Miners must wait for the large blocks, even though they are predecessors of the small blocks. We conducted some clever mathematical analysis, and the results showed that they would also be affected by the security-performance trade-off.

However, getting this paper published was not easy either. Reviewers kept asking us, "Since chain-based protocols have already solved the security-performance trade-off problem, why analyze DAG-based protocols?" I know there may be different reviewers, but that ironic feeling is real. I spent two years writing this paper because you said my previous paper was not persuasive enough. Now that this paper is finished, you tell me you were convinced two years ago. So I found myself in an awkward position. To get my paper published, I hoped the protocols they attacked would become more popular, convincing people that they were worth attacking.

Later, the paper "Security-Performance Tradeoff in DAG-based Proof-of-Work Blockchain Protocols" was accepted by NDSS, the same conference that accepted the NC-Max paper. May the best conference receive the best papers.

Finally, regarding all PoS protocols. For those who enjoy the technical parts, I apologize that this speech is too short to waste on attacking PoS protocols. If you are really interested, you can check out my 2019 speech video, where I spent an hour explaining why PoS can never be as secure as PoW.

How many attacks remain to be formally analyzed? We did some simple statistics. Our research group conducted a small project, and from 2020 to 2022, there were 585 blockchain papers appearing at top CS conferences. Surprisingly, there are still more PoW papers than PoS papers.

We found the following insights. For the formal analysis of Nakamoto Consensus, researchers found it to be more secure than previously thought. But for PoS protocols, researchers discovered more attack vectors, which were basically instantiated in my 2019 speech. As for new PoS designs, we are uncertain whether they can achieve the same security as PoW. Currently, there are no analyses or measurement studies on the PoS ecosystem because they are either too centralized or too homogeneous.

A special example is Ethereum's PoS. I mention it because it is so interesting. In Ethereum, a block that is valid for some may be invalid for others, meaning there is no block validity consensus. Ethereum uses a synchronous model for issuing rewards and a partially synchronous model for confirming blocks. Recall that if a protocol cannot prove it is secure, then it is likely not secure. Therefore, it may reward the good and punish the bad. Recall that rewards do not solve the attack problem.

I think this is a great research topic. However, I arrived too late because many researchers have already pounced on it like a pack of wolves, and some of the issues have already been resolved. Ethereum claims to have a future, but those who do not remember the past are doomed to repeat it.

What’s next? With so many researchers attacking Ethereum, it is hard for me to find new angles, let alone new information. But I still managed to find one, although I write slowly. Therefore, I will conclude this speech with my most sincere blessing for Ethereum: Please do not die before I finish.

Thank you.