The Economic Limits of Permissionless Consensus

Abstract

The purpose of a consensus protocol is to keep a distributed network of nodes "in sync," even in the presence of an unpredictable communication network and adversarial behavior by some of the participating nodes. In the permissionless setting, these nodes may be operated by unknown players, with each player free to use multiple identifiers and to start or stop running the protocol at any time. Establishing that a permissionless consensus protocol is "secure" thus requires both a distributed computing argument (that the protocol guarantees consistency and liveness unless the fraction of adversarial participation is sufficiently large) and an economic argument (that carrying out an attack would be prohibitively expensive for an attacker). There is a mature toolbox for assembling arguments of the former type; the goal of this paper is to lay the foundations for arguments of the latter type. An ideal permissionless consensus protocol would, in addition to satisfying standard consistency and liveness guarantees, render consistency violations prohibitively expensive for the attacker without collateral damage to honest participants. We make this idea precise with our notion of the EAAC (expensive to attack in the absence of collapse) property, and prove the following results: 1. In the synchronous and dynamically available setting, with an adversary that controls at least one-half of the overall resources, no protocol can be EAAC. 2. In the partially synchronous and quasi-permissionless setting, with an adversary that controls at least one-third of the overall resources, no protocol can be EAAC. 3. In the synchronous and quasi-permissionless setting, there is a proof-of-stake protocol that, provided the adversary controls less than two-thirds of the overall stake, satisfies the EAAC property. All three results are optimal with respect to the size of the adversary.

Figures (4)

• Figure 1: Summary of main results. While only "classical security" is achievable in the dynamically available setting (in which non-malicious players may be periodically inactive) or the partially synchronous setting (in which the communication network may suffer unbounded periods of unreliability), proof-of-stake protocols with slashing can achieve additional "economic security" in the quasi-permissionless and synchronous setting.
• Figure 2: Theorem \ref{['neg']}. No non-trivial EAAC guarantees are possible in the dynamically available setting, even with synchronous communication: once an adversary is large enough to cause consistency violations, it is also large enough to avoid asymmetric punishment. A $\rho$-bounded adversary is one that controls at most a $\rho$ fraction of each resource (such as hashrate or stake) used by a protocol.
• Figure 3: Theorem \ref{['neg2']}. No non-trivial EAAC guarantees are possible with partially synchronous communication, even in the quasi-permissionless setting: once an adversary is large enough to cause consistency violations, it is also large enough to avoid (even symmetric) punishment.
• Figure 4: Theorem \ref{['posres']}. Non-trivial EAAC guarantees are possible in the quasi-permissionless and synchronous setting. The parameter $\Delta$ is an upper bound on message delays during "normal operation," while $\Delta^*$ bounds the time required for honest players to communicate (over the network or out-of-band) when the protocol is under attack.

Theorems & Definitions (9)

• definition 1
• theorem 1: Impossibility Result for the Dynamically Available Setting
• theorem 2: Impossibility Result for the Partially Synchronous Setting
• theorem 3: Non-Trivial EAAC Protocols in the Quasi-Permissionless Setting
• lemma 1
• lemma 2
• lemma 3
• lemma 4
• lemma 5