Editor's note: The recent 51% attack on ETC has made PoW security a hot topic, and Ethereum founder Vitalik Buterin has said that moving from PoW to PoS is the right choice. Odaily invited Fan Lei, associate professor at Shanghai Jiao Tong University, to analyse why PoS may be the better choice.
This article was first published on Odaily. Author: Fan Lei, associate professor at the School of Cyber Science and Engineering, Shanghai Jiao Tong University, and CTO of Fractal Platform. Original title: "The Security and Development Direction of Blockchain Consensus Protocols".
Recently, an important attack took place in the cryptocurrency field. On January 8th, Ethereum Classic (ETC) suffered a 51% hashrate double-spend attack; depending on how the figure is calculated, the attack caused losses in the tens of millions of dollars. This is the first successful 51% attack on a top mainstream cryptocurrency. Compared with the actual monetary loss, the deeper security problem behind it deserves far more of the cryptocurrency community's attention.
1. What is a 51% attack?
At present, most cryptocurrencies, represented by Bitcoin, are based on the Proof of Work (PoW) consensus protocol. In PoW, miners extend the blockchain by computing new blocks. Because the blockchain is a decentralized system, anyone, anywhere, can attempt to generate a new block. If the attacker has fewer computing resources than the honest users, the branch he generates grows more slowly than the public chain, so it never becomes the longer branch and is not accepted by honest users. But if the attacker controls more computing resources than the honest users, the new fork he generates grows faster than the public chain, and he can easily build a longer branch that replaces the public chain as the longest chain. See Figure 1 and Figure 2 for the two cases.
Figure 1. The attacker's hashrate is in the minority
Figure 2. The attacker's hashrate is dominant
An attacker with dominant computing resources can be described mathematically as one who controls more than 51% of the hashrate, which is where the name "51% attack" comes from. When the attacker controls more than 51% of the computing resources, his attack is certain to succeed. In fact, even when the attacker controls a large enough share, say 40%, and the confirmation depth is 6 blocks, he can still carry out the fork attack with a fairly large probability of success.
Once a 51% hashrate attack succeeds, the blockchain switches to the new longest chain, and as a consequence the transaction data in blocks that had already been confirmed may be erased. If the attack is deliberate, the attacker can retract transactions that were already confirmed at a considerable depth, and then spend the same coins again. This is what we usually call a double-spend attack; clearly it seriously damages the security and credibility of a cryptocurrency.
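To make the "40% of the hashrate, 6 confirmations" remark concrete, the following added example (not part of the original article) computes the attacker's catch-up probability with the formula from the Bitcoin whitepaper: an attacker holding fraction q of the hashrate races a honest chain that is z blocks ahead. It also derives how many confirmations a recipient must wait for to push that probability below a chosen target. The function names and the 0.1% target are the example's own choices.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of the total hashrate
    eventually overtakes an honest chain that is z blocks ahead of him.

    This is the Poisson catch-up formula from the Bitcoin whitepaper: while the
    honest miners produce z blocks the attacker produces Poisson(z*q/p) blocks,
    and from a deficit of d blocks he catches up with probability (q/p)**d.
    """
    if q >= 0.5:
        return 1.0  # majority hashrate: the attacker's branch always wins eventually
    p = 1.0 - q
    lam = z * q / p  # expected attacker blocks while the honest side mines z
    caught_up = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        # attacker still trails by z-k blocks: chance he never closes that gap
        caught_up += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - caught_up


def confirmations_needed(q: float, target: float = 0.001, max_z: int = 1000):
    """Smallest confirmation depth z at which the attacker's success probability
    drops below `target` (None if not reached within max_z blocks)."""
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < target:
            return z
    return None


if __name__ == "__main__":
    # The article's scenario: a 40% attacker against a 6-block confirmation depth.
    print(f"q=0.40, z=6: {attacker_success_probability(0.40, 6):.3f}")
    for q in (0.10, 0.30, 0.40):
        print(f"q={q:.2f}: wait {confirmations_needed(q)} blocks for P < 0.1%")
```

With 40% of the hashrate and 6 confirmations the attacker still succeeds roughly half of the time, which is the "relatively large probability" the text refers to; the confirmation depth needed for a 0.1% risk grows steeply as q approaches 50%.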
2. Why the attack succeeded
Unlike typical network security attacks, the 51% hashrate attack is a long-known attack method; the attacker's behaviour and process contain no new ideas.
Generally speaking, a PoW-based cryptocurrency system with a higher total hashrate is stronger, because controlling 51% of the hashrate costs more. However, because most PoW algorithms share the same core computing structure, hashrate can easily be switched between different cryptocurrencies, and computing resources can even be rented by the hour. The Crypto51 website (https://www.crypto51.app/) tracks, for different cryptocurrencies, the cost of a one-hour 51% attack (excluding block rewards) and the fraction of the network hashrate that can be rented from NiceHash. For ETC, a one-hour 51% attack costs only $5116, and 80% of the required hashrate can be rented from NiceHash (these figures change continuously; see the site for real-time data), so the possibility of an attack cannot be ignored.
Another factor that cannot be ignored is that PoW mining requires a lot of energy. When the coin's price falls so that mining income no longer covers its cost, profit-driven miners switch their machines off. This causes a sharp drop in the network hashrate, which makes a 51% attack easier; the 51% attack on ETC exploited exactly this opportunity. For newly launched PoW-based cryptocurrencies the total network hashrate is low, so the attack cost is even lower.
The probability of ETH suffering a 51% attack is much lower than for ETC: although ETH and ETC use the same mining algorithm, ETH's total network hashrate is about 20 times that of ETC. Nevertheless, Ethereum founder Vitalik Buterin said after the attack that the incident proved his decision to shift from PoW to PoS was correct.
3. Are PoW-based blockchains still safe?
There is no doubt that over the past 10 years cryptocurrencies, represented by Bitcoin, have been hugely successful, and their security has been tested by real network operation. Moreover, cryptographers have theoretically proven the security of PoW-based blockchains. People believe that mathematics is the foundation of blockchain security, hence the saying "In Math We Trust". But technical developments and research in recent years show that PoW-based blockchains also carry security hazards.
1) Hashrate concentration
In fact, in Bitcoin and other cryptocurrencies, the existence of super-large mining pools has long caused concern about hashrate concentration. The hashrate held by the large pools and their stakeholders may approach or even exceed 51%. We cannot say that these large hashrate groups will launch a 51% attack on the system, but at least they have the ability to launch such an attack.
2) Hidden black-swan hashrate
Under current technical conditions, a cryptocurrency's hashrate depends on hardware speed and energy supply. There is always a danger that a leap in technology will expose the system to a major threat: if a much faster algorithm is invented, or a new chip process replaces the old one, the new computing resources may overwhelmingly exceed the existing ones, and in that case the system's security would be completely destroyed.
The analysis above shows that PoW blockchain security is not built on mathematics alone; mathematics is only the glue between physical resources and the blockchain. Once the security assumption about physical resources no longer holds, the security of the blockchain system is under threat.
At the system level, a PoW blockchain selects its block producers (the accounting nodes) by hashrate competition. Hashrate is a resource external to the blockchain ecosystem: a user can rent it, its size is not necessarily related to the user's holdings of on-chain assets or interests, and renting hashrate is merely a transfer of the right to use it. For example, mining farm owners or mining machine manufacturers who own hashrate have interests bound to the main chain's security, but those who rent hashrate do not. How much hashrate one controls is the only factor in the attack, and with a selfish mining strategy an attacker whose hashrate does not reach 51% of the current public chain can still profit.
Therefore, in a PoW blockchain system, an attacker can threaten an existing cryptocurrency's value system by investing in computing resources from outside it. Because existing PoW algorithms are highly homogeneous, a large amount of computing resources can be injected into the system while its users remain completely unaware, and in the process the attacker need not have any involvement in the ecosystem at all. In one sentence: "I destroy you, and it has nothing to do with you."
4. Is there a better choice?
In recent years, more and more blockchain systems and distributed consensus protocols have been proposed. One important direction is consensus based on stake (Proof of Stake, PoS).
PoS was originally proposed mainly to solve the energy consumption problem of PoW. PoS and PoW are essentially the same: among the nodes participating in the blockchain network, one node is randomly selected to produce the next block. The word "random" looks simple, meaning fair, unpredictable, and not controllable by malicious nodes, but it is very hard to achieve in a decentralized network, because there is no God to throw the dice. The principle of randomness in PoW is that more hashrate gives a higher chance of becoming the block producer; in PoS, more stake gives a higher chance. The two look very similar, differing only in the "credential" used for election, but their designs and the attacks they face are very different.
PoS relies on stake to select block producers. The stake of those who participate in the election is recorded on the blockchain, and a user's stake ratio is the user's stake as a proportion of the total stake on the chain. To mount a 51% attack on PoS, one needs to hold 51% of the chain's stake, and stake can only be obtained by buying it from existing users or by investing in production within the system. The cost of launching a 51% attack on a PoS system is therefore equal to the cost of buying that stake on the market.
Take ETC as an example. The total issued supply is 107514088 ETC. If the consensus algorithm were PoS, a 51% attack would require holding 53747044 ETC, equivalent to a market value of about $229542578, whereas under PoW only about $5000 of rented hashrate is needed. The funds required for a PoS 51% attack on other cryptocurrencies, compared with the one-hour PoW 51% attack cost, are shown in the table below (data from Crypto51, https://www.crypto51.app/, which changes in real time; the figures are from the time of writing). Moreover, people who hold more stake in a legitimate chain are more inclined to maintain that chain; if stake were leased to an attacker the risk to the lessor would be far greater than when leasing hashrate, so it is hard for an attacker to obtain enough stake by renting. Thus, with respect to 51% attacks, PoS has an advantage over PoW. This is also an important reason for ETH's evolution toward PoS consensus.
In short, compared with PoW, PoS has two big advantages: first, it avoids wasting energy and lowers the cost for nodes to participate in consensus; second, it raises the threshold of a 51% attack, so under the current situation of hashrate concentration PoS is more secure than PoW. However, just like emerging cryptocurrencies with a small total hashrate, a PoS cryptocurrency is also vulnerable to a 51% attack in its initial phase, because the chain's total stake is small and the funds needed for a 51% attack are correspondingly small. Security during the initial startup therefore needs to be strengthened, with good coping strategies prepared in advance.
5. Concerns about PoS consensus protocols, and how to address them
Compared with PoW, which has been successfully applied in many blockchain projects, PoS consensus protocols have not yet been applied at large scale, so many people have concerns about them. Below we analyze the attacks and weaknesses that PoS may face.
1) PoS is a centralized system
At the beginning of PoS research, many researchers were naturally inspired by distributed computing theory and cryptography. Byzantine fault tolerance (BFT) protocols are the classical algorithms for consensus in a distributed environment, so most PoS consensus algorithms proposed so far can be seen as variants of BFT. The advantage of BFT algorithms is short confirmation latency in an ideal network environment, but their high communication complexity limits the number of nodes that can participate in consensus, so they cannot be used directly in public chains. Systems such as EOS (DPoS) and Algorand select a subset of representatives to run the Byzantine agreement, which gives the subjective impression that PoS is a centralized protocol. In fact, current research has also produced competitive PoS protocols similar to PoW, so there is no need to worry that PoS systems must be centralized.
2) The cold start of a new PoS chain is unsafe
One view is that, since consensus nodes in a PoS system are determined by token holdings, and the system must have a prior distribution of tokens before the cold start, control of the PoS system belongs to a small number of early participants, who might do evil to obtain excess profit, or even monopolize and destroy the whole system to achieve a double spend. In practice these concerns do not hold, for the following reasons:
A) The blockchain ecosystem is now much more mature; a new public chain usually goes through several rounds of fundraising before launch, so even the founding team cannot control an excessive share of tokens. A rational team would not want to control too large a share either, since the system is only safe enough when tokens are widely dispersed.
B) In a PoS system, the rights attached to tokens are fully reflected in the tokens' value. Those with greater power have more at stake in the system's safety, and are therefore less likely to take part in malicious action. In a PoW system, by contrast, an attacker can gain short-term profit from the attack and then move his hashrate hardware to another blockchain system, so the probability of malicious behaviour is higher.
C) In the startup phase of a new blockchain, if the PoW protocol is used, external computing resources can pour into the system uncontrolled. Because the whole system's hashrate is low at that time, the attacker needs few resources to complete the attack, so the cold-start phase of a PoW blockchain is less secure. In fact, apart from Bitcoin and Ethereum, which have already gathered hashrate, every new PoW blockchain faces this problem. The hashrate competition that followed the BCH fork was the first to reflect the risk of starting a new chain; to avoid being attacked, early security is often maintained by centralized mining pools, which is even more concentrated than PoS.
3) Wealth concentration in PoS is serious
In the discussion above we noted that the initial allocation of tokens is usually completed in the startup phase of a PoS blockchain. The growth of these initial tokens during subsequent blockchain operation will indeed bring further returns, raising the concern that the rich get richer and wealth becomes centralized. We analyze this as follows:
A) Wealth concentration occurs in any economic system and is no more serious in a PoS system. Economic research has shown that wealth concentration appears even in the most equitable economic systems. The 80/20 distribution we often talk about is the formal description of wealth concentration. The initial token distribution of a PoS system is more dispersed and transparent than the initial equity allocation of most giant listed companies.
B) As long as a fair and transparent trading environment is provided, there is no need to fear that wealth concentration will be amplified. If tokens can circulate freely on the secondary market, they will naturally receive a fair market valuation. If the returns are attractive enough, the original investors will sell; if the prospects are good, later investors will rationally buy. So there is no need to worry that later participants cannot buy in, or that wealth becomes fully centralized.
In fact, because participating in a PoW system requires large investment in mining hardware and power, scattered participants are far less cost-efficient than large pools; when the coin price fluctuates it is often the small miners that exit first, so the concentration of wealth and hashrate is even more obvious in PoW systems.
4) PoS will be attacked by Nothing-at-Stake
Nothing-at-Stake means that in a PoS system, attempting to produce a block does not consume a large amount of hardware resources, so an attacker can disregard the protocol and try to produce new blocks behind several different blocks at once. This gives the clear intuition that PoS systems are more prone to forks. But a well-designed PoS system can resist the Nothing-at-Stake attack.
In our iChing paper (Fan and Zhou, listed in the references below) we proposed a new PoS protocol, iChing, which is a competitive consensus protocol like PoW. We analyzed the Greedy Attack (an attack strategy based on Nothing-at-Stake), and the results show that an attacker who greedily tries to extend the chain at every position does gain something, but the gain is not unlimited. If the attacker and the honest nodes hold the same proportion of stake, the growth rate of the attacker's chain reaches at most e times that of the honest chain (e is the mathematical constant, about 2.71828), so PoS can tolerate a malicious stake ratio of no more than 30% (see the paper for the calculation). For this situation, the paper gives a new strategy in which honest nodes are encouraged to be moderately greedy, and the tolerable malicious stake ratio can then reach more than 43%. So Nothing-at-Stake is not an insurmountable attack.
5) PoS will be attacked by Long-Range attacks
A Long-Range attack means the attacker attacks the PoS system through long-term accumulation; the concrete forms vary. The most direct Long-Range attack is for the attacker to collect or purchase a large number of accounts that held stake at some point in the past, and then fork from that earlier point in time. The paper by Gaži, Kiayias and Russell (listed in the references below) presents a Long-Range attack strategy called the Stake-Bleeding attack, in which the attacker secretly mines a fork for a long time and, after accumulating enough tokens as rewards, launches the fork attack.
We have made a classified summary of Long-Range attacks; overall, a Long-Range attack takes a long time to prepare and carry out. Based on these characteristics, corresponding technical means can be adopted to avoid or eliminate them, including setting up regular checkpoints. In fact, checkpoint techniques are often adopted in PoW blockchains to speed up chain verification. Therefore, Long-Range attacks do not pose a serious threat to real PoS blockchain systems.
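The checkpoint countermeasure described above can be shown on a toy chain. The following added example (the article's own text carries no code, and this is not the iChing protocol's implementation) builds a simplified blockchain, a long-range fork that branches off before a finalized checkpoint, and a fork-choice rule that applies the longest-chain rule only among candidates that still contain every checkpoint the node has finalized. Block structure, the chain lengths and the checkpoint height are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    height: int
    parent: str   # id of the parent block
    payload: str  # constructed stand-in for the block's transactions

    @property
    def id(self) -> str:
        data = f"{self.height}|{self.parent}|{self.payload}".encode()
        return hashlib.sha256(data).hexdigest()[:16]


GENESIS = Block(0, "0" * 16, "genesis")


def extend(chain, n, tag):
    """Return a copy of `chain` with n new constructed blocks appended."""
    chain = list(chain)
    for i in range(n):
        prev = chain[-1]
        chain.append(Block(prev.height + 1, prev.id, f"{tag}-{i}"))
    return chain


def fork_at(chain, height):
    """The prefix of `chain` up to and including `height`; a fork starts here."""
    return chain[: height + 1]


def is_valid_chain(chain):
    """Genesis first, and every block links to its predecessor by hash and height."""
    if chain[0] != GENESIS:
        return False
    return all(cur.parent == prev.id and cur.height == prev.height + 1
               for prev, cur in zip(chain, chain[1:]))


def respects_checkpoints(chain, checkpoints):
    """checkpoints maps height -> block id that this node has finalized.
    A chain that carries a different block at any finalized height rewrites
    history the node has already committed to and is rejected."""
    ids_by_height = {b.height: b.id for b in chain}
    return all(ids_by_height.get(h) == bid for h, bid in checkpoints.items())


def choose_chain(current, candidate, checkpoints):
    """Longest-chain rule restricted to candidates that honour the checkpoints."""
    if not is_valid_chain(candidate) or not respects_checkpoints(candidate, checkpoints):
        return current
    return candidate if len(candidate) > len(current) else current


def scenario():
    honest = extend([GENESIS], 20, "honest")          # heights 0..20
    checkpoints = {10: honest[10].id}                 # node finalized height 10
    # long-range fork: branches at height 5, then outgrows the honest chain
    long_range = extend(fork_at(honest, 5), 30, "attacker")   # heights 0..35
    # recent fork: branches at height 15, after the checkpoint
    recent = extend(fork_at(honest, 15), 10, "attacker")      # heights 0..25
    return {
        "long_range_wins_without_checkpoint": choose_chain(honest, long_range, {}) is long_range,
        "long_range_wins_with_checkpoint": choose_chain(honest, long_range, checkpoints) is long_range,
        "recent_fork_wins_with_checkpoint": choose_chain(honest, recent, checkpoints) is recent,
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The third outcome is the caveat a practitioner should keep in mind: a checkpoint only fixes history up to its own height, so a fork that branches after the last checkpoint is still judged by the ordinary longest-chain (or heaviest-chain) rule, which is why checkpoints have to be issued regularly rather than once.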
6. Properties the next-generation blockchain should have
To support more practical applications, a blockchain must not only meet the basic requirements of security and decentralization, but also solve the problems of low throughput and confirmation delay.
Low throughput is mainly due to the traditional blockchain structure and network transmission delays, so recently proposed DAG structures, new transaction models, and sharding of transaction processing are being studied to improve blockchain throughput.
Confirmation delay is a problem inherent to competitive blockchain consensus algorithms; it can be improved by adding fast confirmation in the upper layers of the protocol stack.
We believe the next-generation blockchain must have the following characteristics to truly support secure, efficient and flexible deployment:
1) Consensus based on a PoS algorithm, to avoid security depending on external resources and to eliminate the threat of attack from outside the system.
2) Adherence to decentralized design, avoiding entrusting the system's consensus rights to a small number of nodes, otherwise it falls back into the existing centralized model.
3) A compact distributed data design, avoiding the broadcast and storage of all transaction data across the whole network, to support high-throughput applications.
4) High-speed algorithms layered on top of consensus to achieve fast confirmation of normal business, to support real-time application scenarios.
 Fan L, Zhou H S. iChing: A Scalable Proof-of-Stake Blockchain in the Open Setting. https://eprint.iacr.org/2017/656.pdf
Gaži P, Kiayias A, Russell A. Stake-bleeding attacks on proof-of-stake blockchains. Crypto Valley Conference on Blockchain Technology 2018 (CVCBT). IEEE, 2018: 85-92