Mechanism Design Approaches to Blockchain Consensus

The mechanism we propose is a special case of the Simultaneous Report (SR) Mechanism analysed by Chen et al., (2022).⁴⁴4The SR mechanism is a simplification of the multi-stage mechanisms explored by Moore and Repullo, (1988). The baseline idea is that messages are broadcast publicly by blockchain users to the network and participating nodes assemble them into blocks of a fixed size based on time broadcast. When a block is proposed to be committed to the blockchain, each node has in their possession a block of messages they have received. We assume that this block is common across all nodes, however, there are no restrictions on nodes in proposing an alternative block. The goal is to ensure that nodes, while able to propose alternative blocks, only propose and accept truthful blocks.

Suppose there are nodes, $i\in\{1,...,n-1\}$ each of whom assemble ledger entries into a block of fixed size. If a node ends up proposing a block that is accepted, they receive a block reward, $R$. There is also an $n$th node who proposes a manipulated block. If that block is accepted, they receive a payoff $\theta$ that is private information in addition to the block reward, $R$. Nodes can send any message from a countably infinite set.

Consider the following mechanism that is run after messages have been sent to the mempool:

1. 1.

   One node is randomly chosen to be the proposer, $p$, and another node, $c$, is chosen to be the confirmer.

2. 2.

   The proposer proposes a block in the form of a message, $M_{p}$ while the confirmer sends a message, $M_{c}$.

3. 3.

   If $M_{p}=M_{c}$, then the block is committed to and added to the blockchain. The proposer receives $R$.

4. 4.

   If $M_{p}\neq M_{c}$, then the challenge stage begins with both $p$ and $c$ being fined, $F>0$.

The challenge stage involves:

1. 1.

   $p$ sends a new message $M^{C}_{p}$ based on knowledge that there is a disagreement.

2. 2.

   If $M^{C}_{p}=M_{c}$, then $M^{C}_{p}$ is committed to the blockchain, $p$ receives $R$, and $c$ is refunded $F$.

3. 3.

   If $M^{C}_{p}\neq M_{c}$, then $p$’s proposal is discarded and the process begins again with $p$ and $c$ excluded from subsequent rounds.

Given this, we can prove the following:

Now suppose that the selected pair includes node $n$. If node $n$ is the confirmer and the challenge stage is reached, then, we have already shown that the proposer will set $M^{C}_{p}=M_{T}$. Given this, node $n$ will find it optimal to set $M_{c}=M_{T}$ and earn $0$ rather than $-F$.

Alternatively, if node $n$ is the proposer, by our earlier argument, the other node will set $M_{c}=M_{T}$. If $n$ sets $M_{p}\neq M_{T}$, then there is a challenge round. In that round, $n$ will earn $R-F$ by setting $M^{C}_{p}=M_{T}$ and $-F$ otherwise. Given this, it is optimal for $n$ to set $M_{p}=M_{T}$ as it will earn $R$ rather than $R-F$.   

It is useful to stress how remarkably powerful this mechanism is for obtaining consensus on truthful blocks. We note the following:

• •

  $F$ can be arbitrarily small and the true block will be confirmed by any pair.

• •

  Any randomly-selected pair is sufficient to confirm a block. Unlike BFT mechanisms, there is no need for multiple confirmation rounds, pre-commits or messages sent from more than two nodes. Once block transactions have been communicated publicly and formed into the truthful block, the mechanism can take place and confirmation is instantaneous.

• •

  If there is more than one node who has a private value that arises should a block other than the truthful block occur, the true block will still be confirmed. This outcome occurs even if two nodes with private preferences happen to be paired. This will happen so long as those nodes have preferences for distinct blocks. However, as we explore in the next section, if nodes have preferences for the same non-true block, the game is more complex (e.g., if there is a coalition of nodes).

• •

  A key part of the mechanism is that while all nodes have common knowledge of the message for the true block, privately preferred blocks are unknown beyond individual nodes. This subverts any method by which coordination could arise on a non-true block. Once again, a coalition of nodes with a non-true preferred block could potentially coordinate and subvert the mechanism.

Finally, it is useful to note some practicalities in terms of implementing this mechanism. The mechanism relies on the two nodes being selected randomly. As will be discussed in detail below, randomness plays an important role in the mechanism working when there is more than one attacking node. Finding a pure randomisation device on-chain is a challenge for blockchains and, thus, we expect that it is likely that this part of the mechanism will rely on an external randomisation input. The mechanism itself can itself run on-chain but it would be as a smart contract coded into the protocol. This is something that is a feature of many proof-of-stake protocols for other elements.

As noted above, while the proposer, if selected, has an incentive to tell the truth this is based on a specific assumption that could not be guaranteed for a permissionless blockchain (and maybe not all permissioned ones either): that the proposer and confirmer are different entities. What if the proposer and confirmer are the same person or part of an attacking coalition that share the same incentive to confirm an alternative, non-true block?

Suppose that an attacking coalition has a share, $s$, of all nodes. If they are the proposer, then, with probability $s$ they will be able to confirm the distorted block and receive $R+\theta$ and receive $-F$ otherwise. If they do not distort, they receive $R$ with certainty. (This assumes that the attacker has full knowledge of the fact that they are the proposer before setting $M_{c}$). Thus, the proposer will try to attack if:

$$s(R+\theta)-(1-s)F>R\implies s>\frac{R+F}{R+\theta+F}$$

(1)

From this, it can be seen that this mechanism is not robust to an attack if the attacker has sufficient share ($s$) of the network.

We can compare this threshold to that typically considered for BFT networks. Attacks that may delay the confirmation of transactions are not possible in those networks if $s<\frac{1}{3}$. Notice here that the SR mechanism lowers this possibility if $R+F>\frac{\theta}{2}$. Thus, depending on the environment, the consensus protocol proposed here may be more secure than the usual BFT protocol. Moreover, security can be enhanced by increasing $R+F$ rather than exogenously set as it is under usual BFT consensus.

If we require nodes to send their messages before knowing who is a proposer, then this slightly changes the equation. Now the attacker only succeeds with probability $s^{2}$ but also has an additional cost in that their confirmer role automatically leads to a fine. Thus, an attacker’s choice depends on:

$$s^{2}(R+\theta)-s(1-s)F-(1-s)F>R$$

and so the threshold becomes $s>\sqrt{\frac{R+F}{R+\theta+F}}$ which is an order of magnitude stronger (modulo, integer issues which we ignore here).⁵⁵5In this case, the SR mechanism is more secure than the usual BFT consensus if $R+F>\frac{\theta}{8}$.

The above calculations assume that an attack is considered by the attacker to be a once-off opportunity. This certainly is the case if, in the next round, truthful consensus is reached and the opportunity for an attack is removed. However, when there are multiple nodes, the incentive compatibility conditions in our proposed mechanism need to be reformulated for the possibility that, should consensus not be reached with one pair, at least one additional round of the mechanism will result with a new pair of nodes.

To consider this, note the following:

• •

  Truthful consensus will arise if both selected nodes are honest (i.e., have no distortion payoff, $\theta$). At the outset, this happens with probability $(1-s)^{2}$;

• •

  Truthful consensus may arise if a proposer is honest and a confirmer is potentially not. Recall that in the mechanism, the proposer will propose an honest block and continue to do so in a challenge round. Thus, if the confirmer proposes anything other than the true block, they are fined $F$ and another pair is selected. Let $V_{sN-1,(1-s)N-1}$ be the expected payoff to the attacking coalition if there are $sN-1$ remaining coalition nodes and $(1-s)N-1$ remaining honest nodes. Then the incentive compatibility constraint for the confirmer is $V_{sN-1,(1-s)N-1}<F$. This scenario occurs, initially, with probability $(1-s)s$.

• •

  What happens if the proposer is not honest? Recall that nodes cannot see each others messages in the mechanism – only if they match or not. Thus, if a proposer of a distorted block is matched with an honest node, they will have a choice as to whether to adjust their message or not. In effect, they can either continue the disagreement or confirm the true block (under the assumption that the node they are paired with must be honest). Thus, their incentive compatibility constraint in the challenge stage is to propose an honest block if $V_{sN-1,(1-s)N-1}<0$. If this constraint is satisfied, then a proposer will propose a distorted block only if $s(R+\theta)-(1-s)F\geq R$. If this constraint is not satisfied, then the proposer will propose a distorted block only if $s(R+\theta)-(1-s)(F-V_{sN-1,(1-s)N-1})\geq R$.

Examining these conditions, therefore, requires solving for $V_{sN-1,(1-s)N-1}$.

Exploring $V_{sN-1,(1-s)N-1}$, note that:

$$V_{sN-1,(1-s)N-1}=\tfrac{sN-1}{N-2}\Big{(}\max\{\tfrac{sN-1}{N-2}(R+\theta)-\tfrac{(1-s)N-1}{N-2}(F-V_{sN-2,(1-s)N-2}),R\}\\ +\tfrac{(1-s)N-1}{N-2}\max\{V_{sN-2,(1-s)N-2}-F,0\}\Big{)}$$

(2)

The first probability is the probability that a potential attacker is selected as a proposer or confirmer. If they are a proposer or confirmer, the outcome depends upon whether their incentive compatibility constraint is satisfied or not. These are the next two terms within the brackets. Note that each of these depend upon $V_{sN-2,(1-s)N-2}$ which is the attacking coalition’s expected payoff should no consensus be reached in the round.

An important property of the recursive structure here is that, for $s\leq\frac{1}{2}$, $V_{sN-1,(1-s)N-1}\geq V_{sN-2,(1-s)N-2}$ and this property continues between rounds if no consensus is reached. In this case, if the incentive compatibility constraint is satisfied for the proposer in the first round, it will continue to be satisfied and, thus, there will be no incentive for the attacker to start or continue the attack so long as $s<\frac{R+F}{R+\theta+F}$.

What if $s>\frac{1}{2}$? In this case, the expected payoff from an attack could rise between rounds. Indeed, if the penultimate round is reached, then the attacker knows they will have both the proposer and confirmer with certainty in the final round allowing them to confirm the distorted block and receive a certain payoff of $R+\theta$. In this case, in the penultimate round, there is one honest node and, say, $x$ nodes of the coalition. The incentive compatibility condition for the penultimate round would have to be such that $\frac{x}{x+1}(R+\theta)-\frac{1}{x+1}(F-R-\theta)<R$ or $(x+1)\theta<F$. Note that this is equivalent to $s<\frac{F}{\theta}-\frac{1}{2}$ as $s=\frac{1+2x}{2}$ or $x=\frac{2s-1}{2}$. It can be seen that so long as $F>\frac{3}{2}\theta$, then an attack is never worthwhile.

This makes it appear that $F$ has to be very large. In fact, the protocol could adjust $F$ so that it increases with each round. Precisely what this formula would be, however, is a complex matter and we have not been able to calculate it yet. In any case, as $\theta$ is a free variable calibrating it to that would be a challenge.

That said, the conditions here are similar to those regarding so-called “majority” attacks under both POW and POS. The difference is rather than building out forks of existing chains, here the attack conditions take place on a block by block basis. The effect is the same, as is the cost of an attack in terms of resources – real or financial (see Gans and Gandal, (2021)). Our contention would be that our proposed consensus mechanism is not more vulnerable than existing ones but that it has the advantages that (a) it is significantly more efficient to run and operate under normal conditions; (b) continues to make an attack probabilistically difficult including forked-chain attacks and (c) can be indicated by the number of rounds a mechanism needs to run to confirm a block – that is, in the absence of an attack, there will be few rounds while an attack with a close to 51 percent majority will still likely take many rounds. We believe that it would be possible to calculate these probabilities more precisely but that is left for future work.

Now consider the following mechanism. If a fork appears (without loss of generality, $B$) and is within $x$ of the same number of blocks as fork $A$ then the following mechanism is run between nodes that claim to hold a full record of the blockchain.

1. 1.

   For each fork, the blocks subsequent to the last common parent are unpacked and transactions are compared.

2. 2.

   Valid messages that appear in both sets are immediately confirmed and at the minimum of the time stamp between the two forks.¹⁰¹⁰10Valid messages will have different time stamps but otherwise the same content. However, as they cover multiple blocks there are some practical issues to resolve in comparing messages as being equivalent on each chain of the fork. Other messages are collected and marked as disputed.

3. 3.

   One node from each chain is selected at random ($a$ for $A$ and $b$ for $B$). The node from the chain where a transaction does not appear is asked to confirm that the transaction is invalid. In this case, both are fined $F$, and they enter the dispute stage for each disputed transaction.

We now need to specify preferences of each type of node. An honest node has an interest in preserving the true blockchain. That preference has a monetary equivalent value of $H$ and they have a disutility arising from another blockchain being built upon of $D$ with $H>D$. By contrast, a dishonest node is only interested in having their preferred chain continue for which they receive a monetary equivalent value of $\theta$.

Given this, we can now prove the following:

In the first round, anticipating this, $b$ will decline to confirm the removal of the transaction as this will result in a fine of $F$ for sure and no transaction being removed. Given that, it is not worthwhile attempting the attack in the first place.

Now suppose that there are no dishonest nodes and that, in this case, $b$ is a node on a chain where the transaction does not appear (e.g., it may have been missed because of network issues). In this case, as $b$ knows they are honest and that dishonest nodes only attempt to remove transactions and not place them, $b$ is choose to not assert the transaction is invalid. Thus, the transaction will remain and neither node will be fined.   

Importantly, the mechanism takes into account the possibility that chains have arise as a result of, say, network latency issues, rather than an attack. In this case, both nodes are honest. Given that nodes know that attacks involve the removal of transactions, when the mechanism is triggered by an accidental fork, the node from the chain without the transaction will agree their fork should be discarded if the transaction is, indeed, valid. Thus, the ‘correct’ fork persists.

Nonetheless, as the proposition qualifies, the mechanism does not prevent dishonest forks from arising when neither selected node is honest. This would require an attacker to distribute nodes across both forked chains; a possibility we consider next.

As noted earlier, the ‘traditional’ strategy for a double-spend attack on POS with the LCR is for an attacker to create private chain without the transactions that appear in the main chain and then build that change to be at least as long, and perhaps longer, than the main chain. The idea of the Solomonic mechanism is that when a fork appears, regardless of the length of competing chains, the mechanism resolves the dispute. As Proposition 2 shows that, so long as one honest node is selected to be part of the dyad in the mechanism (which will happen if the attacker has concentrated its resources to build the private chain), the dishonest chain will be discarded. Hence, if it is expected that an honest node will be selected, there is no incentive for an attacker to create a dishonest fork in the first place.

The Solomonic mechanism is engaged as a mechanism to resolve forks in lieu of a race to produce the longest chain. One implication of this is that there is no longer a concern about the ‘nothing-at-stake’ problem. Recall this problem arose because there were incentives for nodes to stake on two chains that were part of a fork which would have the implication of slowing down the resolution of one chain into the longest chain. At the extreme, the nothing-at-stake problem could make it easier for an attacker to create the longest chain. Hence, current POS networks using the LCR, create penalties for nodes who stake on multiple networks. However, when a Solomonic mechanism is used to resolve which chain should be confirmed, whether nodes stake on multiple chains is no longer a concern and, therefore, there is no reason to discourage this, let alone impose a slash penalty. Indeed, as will be argued here, there is reason to encourage multiple chain staking.

The reason for this is that an attacker has an interest when the mechanism is in place to try and control the mechanism by having its own nodes selected for the mechanism excluding an honest node. If this happens, the attack can be successful and it is possible a dishonest chain is confirmed. Thus, in contrast to a protocol operating under the LCR, with a Solomonic mechanism an attacker has an incentive to stake all of its nodes on both chains.

Suppose that an attacker has a share, $s$, of all nodes. If $A$ is the main chain and $B$ is the dishonest fork, as all nodes – honest or not – stake on each chain, the attacker may ‘control the mechanism’ with probability, $s^{2}$. This assumes that the attacker does not know when engaging with the mechanism in the first round whether the other node is one of their own. This can be achieved by sequentially drawing those nodes with the first node forced to commit to a message before the second node is identified.

What does this do to the incentive to engage in a double-spend attack? Suppose that the fork is $k$ blocks long. Recall that $B$, as it was produced by the attacker, will result in block rewards of $kR$ being awarded to them if $B$ persists. If $A$ persists then that agent receives $skR$ in expected block rewards. Thus, the expected return to malicious agent is:

$$(1-s)skR+s\Big{(}-F+s(kR+\theta)+(1-s)skR\Big{)}$$

Note that, if the attacker does not attack, there is no fork and the attacker earns $skR$. Comparing this to the return to an attack, we can see that an attack will only take place if:

$$s>\frac{1}{2}+\frac{\theta-\sqrt{(\theta+kR)^{2}-4FkR}}{2kR}$$

so long as $\frac{(kR+\theta)^{2}}{4kR}\geq F$. The higher is $F$, the less likely these conditions are satisfied and the less likely an attack occurs. Note that so long as $\theta\geq\frac{4F-kR}{2}$, the threshold to deter an attack is higher than the usual condition for LCR consensus that $s<\frac{1}{2}$. Thus, as with our mechanism for BFT consensus, here a mechanism has the potential to provide more security depending upon the choices of $F$ and $R$.

The above mechanism involves eliminating forks created by traditional double-spend (or double-spend like) attacks. The traditional double spend attack involves an attacker confirming a transaction that spends their tokens to the original chain and then removing that transaction with a dishonest chain in the hope of getting that latter chain accepted as consensus. This allows the attacker to spend those tokens again. The current Solomonic mechanism subverts that attack by making it impossible for the attacker to remove the original confirmed transaction as part of a forked chain.

The mechanism relies on the notion that attacks involve transactions being removed rather than retained. Thus, honest nodes have an incentive to defend transactions that are confirmed and dispute transactions that are proposed to be removed. The latter is also consistent with the effect of latency issues that may cause a fork when some nodes ‘miss’ a transaction.

However, what if the attacker modifies their attack? Recall that the attacker wants to nullify a past transaction involving tokens spent by the attacker. While forking the chain is a potential way to do this, there are others. What if, for instance, the past transaction can be held to be invalid?

Normally, by virtue of being confirmed, the past transaction is valid – that is, there are tokens in the wallet that can be sent to another wallet at that time. But if the attacker is forking a chain, the attacker, under POS, can fork the chain from an earlier block. In that block, the attacker can insert a transaction that spends the tokens (aka moves them to another wallet perhaps under the attacker’s control) prior to the past transaction the attacker is trying to remove. If that is done as part of a fork, when the Solomonic mechanism is run, there will be two disputed transactions: one that appears on the dishonest chain but not on the original chain (the pre-spend) and one that appears on the original chain but the dishonest one (the original spend). When there are multiple disputed transactions, a natural way to run the mechanism would be to run it on the earliest disputed transaction first. The reason for this is that how that is resolved may have implications for future transactions. In fact, that is precisely what the attacker here is anticipating. Thus, the mechanism would, given the way it defaults to preserving transactions, preserve the pre-spend transaction and, by virtue of that, make the original spend transaction invalid. In other words, this attack can now succeed in generating the conditions of a double-spending of the tokens in question.

The problem here is that the current mechanism relies on (1) that honest nodes know they are honest and (2) that the only way an attack would work would be to nullify a transaction and honest nodes know that. However, (2) is overcome in the proposed attack and thus, the mechanism fails. In order to restore a mechanism here (2) would have to be replaced by conditions that the honest knew that the original chain was the ‘true’ chain.

What would those conditions be? Another way of looking at the fork chains is not transaction by transaction (to see which are disputed) but by paths of tokens. In the original chain, tokens may be confirmed to move from Charles to Alice while in the new chain tokens move from Charles to Bob. Thus, the dispute is over the end point of the tokens (or more generally, the path they have taken). In the case here, who owns the tokens now, Alice or Bob?

To resolve this, we propose using a variant of the Solomonic mechanism. The first step involves analysing the forked chains but instead of focusing on transactions that appear in one chain but not the other, the focus is on differences in the allocation of tokens in the last confirmed block of each chain (where we assume here that both chains are of equal length). If there has been a general double-spend attack, tokens that, say, were originally confirmed to be held by Alice would instead by held by Bob.

The mechanism is as follows: If a fork appears (without loss of generality, $B$) and is within $x$ of the same number of blocks as fork $A$ then the following mechanism is run between nodes that claim to hold a full record of the blockchain.

1. 1.

   For each fork, the allocations of tokens confirmed on the last block are compared.

2. 2.

   Transactions that lead to allocations that are in both sets are immediately confirmed at their original block time stamp. Other allocations are marked as disputed.

3. 3.

   One node from each chain is selected at random ($a$ for $A$ and $b$ for $B$). Each node is asked to confirm the current allocation of their chain based on their held full blockchain record. If they each agree on one chain, that chain is confirmed and the mechanism ends. If there is a disagreement, both are fined $F$, and they enter the dispute stage.

We will assume that an attacker weakly prefers leaving tokens in the account on the original chain than burning those tokens.¹¹¹¹11Even with a double spend attack, the attacker faces some legal risk associated with being identified as the attacker which may happen if the tokens are missing from their original spend. Given this, we can prove the following.

That said, this presumes that an honest node is part of the mechanism. This may not happen and the attacker may be able to control both nodes in the mechanism. Put differently this mechanism relies on honest nodes being able to tell which is the correct chain and hence, who rightfully owns the tokens.

This is an assumption we make here, and there may be practical difficulties in nodes being able to have a record of the blockchain and which chain was the main chain in the immediate past. That said, there is good reason to think that this assumption is justified. Honest nodes have a lot of information when they see a fork going back many transactions in the chain.

While there will always be forks due to latency issues, there will never be a “dishonest fork” on the equilibrium path of the game induced by our mechanism. Indeed, provided that the honest nodes have a higher prior that the correct chain is, indeed, the correct chain – that is, priors are biased towards the truth – the mechanism here will still have them acting as if the correct chain is the truth and will still deter attempts to confirm a dishonest chain as the consensus chain.