I came across an interesting paper under review from researchers at IC3. Among other things, it contains a mathematical proof that it is impossible to determine the “true” transaction history in a PoS blockchain without an additional source of trust. In other words, the idea of weak subjectivity promulgated by Vitalk Buterin (creator of Ethereum) is a hard requirement in the design of any PoS blockchain. The full paper from IC3 is here.

To elaborate, the proof (section 6) shows that if a node has been disconnected for a sufficiently long period of time or is bootstrapping, and is presented with two conflicting transaction histories, then it is impossible for it determine which one is the “true” chain without some external input. This is because it is impossible to know whether or not the “committee” that validates the chain is majority-honest and not post-facto corrupted (i.e. attacker-controlled). In practice, this means that the user will have to resolve the conflict out-of-band, using some a priori knowledge about the honesty of the chain’s current committee. This is not the case for PoW blockchains, where the valid chain with the most cumulative proof-of-work is always the “true” chain.

Why this is Relevant?

I bring this up because there is a lot of active research in finding open consensus algorithms that do not depend on proof-of-work. This finding has wide-ranging implications for applications built on PoS blockchains. In PoS, it is already the case that hard-forks and history-rewriting are extremely cheap, since they cost little energy to produce. Anyone can create their own history, and now we have a paper that shows that selecting the “true” history requires buy-in from the user.

I personally find this interesting because requiring users to decide on the “true” chain opens up a whole new class of “manufatured consensus” attacks against such blockchains. In a manufactured consensus attack, the adversary focuses on tricking users instead of subverting the underlying algorithms. For example, an adversary can knock nodes off-line for long enough to trick them into accepting the attacker-chosen history. This is particularly relevant for efforts that want to embed a blockchain client in IoT devices, which already have to contend with long periods of disconnected operation. As another example, an adversary can can wage a PR campaign to trick new users into accepting an alternative history where the adversary is already rich and controls many Sybil accounts. This would allow the attacker to stake more tokens than staked in the main history, and make it appear to new users like the alternative history has higher security. Neither of these attacks are feasible in PoW, since in both cases, the adversary must also produce a valid chain with more proof-of-work than any other chain.

This is not to say that PoS is insecure or is a bad idea. However, it does show that PoS and PoW make fundamentally different security assumptions. Application designers need to take these assumptions into account when choosing a blockchain to build on. For example, Blockstack calculates a per-block consensus hash that helps users select the right transaction history regardless of whether or not the underlying blockchain is PoS or PoW.