Cardano: The nitty-gritty of next generation blockchains
IOHK's Charles Hoskinson talks about scalability and consensus.
Blockchain design always boils down to some sort of trade-off profile. The factors involved are security, scalability and maintaining a high degree of decentralisation.
Having every node process every transaction is highly secure, but it doesn't scale particularly well. A proposed solution is sharding, where a smaller subset of nodes verify transactions; enough to remain secure, but sufficiently few that the system can process many transactions in parallel.
The IOHK team designed its Ouroboros proof of stake (PoS) algorithm with this in mind. The network uses a random selection process to elect certain nodes, called slot leaders, to mine each block. This process is divided into epochs, which are split into slots, the period of time in which one block can be created. Cardano can increase the amount of slots per epoch and run multiple epochs in parallel.
There are a number of ways to create sharding architectures; generally speaking these schemes gain performance but lose some Byzantine resistance.
Charles Hoskinson, CEO, IOHK, said: "We are probably not going to lose a lot of Byzantine resistance. These epochs that we have come up with, there's no reason they can't be run in parallel, and because these are mostly independent of each other, even if actors are bad within those committees it's as if it was in the single threaded profile."
It's not unusual these days to hear blockchain builders saying they have achieved throughput of 10,000 transactions per second, maybe a lot more. But transaction throughput is not the full story. If you are thinking about scaling to millions of users, you also have to consider network bandwidth and, going forward, data storage.
So, on the network side of things, how to go about moving all that data? If you're doing a million transactions per second and they are a kilobyte each, that's a gigabyte every second. If everybody has to stay connected and synched to the network, that means being able to download a gigabyte per second. That's a very fast internet connection.
True scalability
True scalability means figuring out more intelligent ways of chopping up data and moving it around, so you don't have to download the entire state of the system to stay in synch with it. Cardano wants to split up the network into sub-networks using a technique called Recursive InterNetwork Architecture (RINA).
Then ultimately you have to store that data somewhere. When you're talking about something in the terabytes and petabytes, fewer and fewer people will be able to store a full copy of the blockchain. Looking ahead, Cardano is considering a number of techniques such as compression, pruning and partitioning.
"It's not just how do I shard my protocol so I can get a higher transaction per second rate," said Hoskinson. "It's also about how do I chop up my network so not everybody has to have access to the same data, and it's still secure.
"And also how do I chop up my blockchain so that no one has to have a full copy of the chain, yet we can still put the whole thing back together if you really want to, and you know the data that you are seeing is correct."
Side chains and interoperability
This idea of scalable sub-networks that can communicate with one another feeds into another area of Cardano's research, which is blockchain interoperability. Cardano's conception of side chains, Hoskinson likes to call "interledger transactions".
Think of this in terms of a source ledger, a destination ledger and some form of an asset. For example, the source ledger could be Litecoin, Bitcoin might be the destination ledger, and litecoin the asset.
Hoskinson said: "So validators in Bitcoin are going to get this transaction which says I just sent you a bunch of litecoin. They need to prove two things: one, they need to prove that the litecoin actually exists, so it's an existential proof. Then they also have to prove the non-existence of a double spending, so they know you haven't also sent those litecoin to a different chain, like Dash or something.
"So the question really can be broken down to, what is the minimum amount of knowledge necessary for a validator in the destination chain to know that the transaction they are seeing from the source chain is correct; the asset exists and hasn't been double spent."
IOHK has published a paper on this research, which it calls "non-interactive proofs of proof of work". This research is now being extended for the proof of stake role. Once generated, these proofs can be given to a cell phone client, or a light client, so they don't have to have a full copy of the blockchain, said Hoskinson.
"That proof alone, that small representation of a blockchain, is sufficient for them to verify that the history that they are seeing from their chain is correct – and that's where we would like to go with this stuff.
"We have made some great progress. These proofs tend to be very small; they are in the kilobytes to megabytes for a multi-gigabyte blockchain on the proof of work (PoW) side.
"You could use that in conjunction with compression and pruning and other techniques to reduce the overall amount of data that any one client has to have. So normal everyday people on cellphones can interact with the system efficiently and do so without burning up all their battery on their cell phone or all their 4G data and so forth."
Peer reviewed approach
Cardano takes a new approach to blockchain building. Everything progresses via peer reviewed papers submitted to academia. The traditional blockchain approach is to put something on Github, or run it on a testnet and see if it can be broken.
Ouroboros has been developed over a three phase research agenda. First the foundation was laid, which was all about security. This was started in early 2016 and concluded by the end of 2017.
The second research stream, which will be completed in the next six months, is the practicality phase. This is about tuning the algorithm to ensure things like being able to bootstrap from genesis (the equivalent of longest chain rule that PoW has).
The last part of the research agenda, which is alluded above, is about performance and the introduction of sharding; "Ouroboros Hydra" is the next generation of the protocol.
So far there have been two major papers published, one on Ouroboros and another on Ouroboros Praos. Both of these have been accepted for tier one peer review conferences. Hoskinson points out that they rewrote Ouroboros six times, and rewrote Ouroboros Praos three times.
He said: "When you engage the academic community and go through peer review it means basically inviting some of the brightest people in the world to make your life miserable and tell you where your stuff is broken.
"That's so valuable. When we went to Crypto 2017 we submitted the paper and it went through many revisions and rounds before they accepted it. And then we still had to show up and get yelled at. There's this incentive for someone to get career points and reputation and a promotion in the academic world for saying that we have made a mistake. And that's just a beautiful thing."
PoW v PoS
It seems clear that Bitcoin's PoW creates a secure ledger. The next question is can PoS, given some assumptions and configurations, also create a secure ledger equivalent to PoW. However, even if this can be proven, it still doesn't mean that PoS is practical or useful for cryptocurrencies in particular.
"You have to get into the nitty-gritty," said Hoskinson. "For example, where are you getting random numbers from? Do you want to have checkpoints or not? You have to get into the nitty-gritty of what incentives do people have to be in the honest majority, and are these incentives equivalent to the incentives that mining has and so forth.
"I think that the criticisms that the pure PoW people have aren't fair because they are criticising an entire class of protocols, and they use a particular protocol to then punish the entire class.
"They will say, there's grinding attacks, so it can't be secure. Well, using a different way of getting random numbers you resolve that.
"They say, there's nothing at stake. Well you can use forward-secure signatures. Dividing the total time that a public key is valid and using a different secret key in each time period, means that even if the current secret key is compromised, a forger cannot forge signatures for past time periods. That gets rid of nothing at stake."
"And they say, there's long range attacks. Well you can either use checkpoints or bootstrap from genesis techniques, and that resolves that."
Hoskinson would argue that PoW actually has worse incentive because you have an exogenous consensus system; you have a consensus system that lives outside of the protocol. As such, the only people who can participate are people who have access to subsidised power, the ability to manufacture ASICs and the ability to get first access to those manufactured ASICs. It's not surprising the boss of Bitfury has made it onto the Forbes list.
As well as the obvious environmental issues around PoW, Hoskinson considers what could be called geo-political threats to the protocol. "Once a mining pool has been set down, what prevents it from becoming nationalized? For example, there are a lot of mining pools in China, and the environment is getting worse there, so what happens if the Chinese government seizes those mining pools and has control of 51% of the hash power of the network.
"With PoS you can dynamically move stake from one pool to the other and it doesn't have a geography. So my argument is, it's much better to have a consensus system within your chain than a consensus system outside of your chain. If it's outside the chain there are factors that you as a holder of bitcoin cannot control, but that can have a profound impact on whether your chain is secure or not," said Hoskinson.
"So we have these philosophical disagreements about whether consensus should be endogenous or exogenous; we have disagreements about the economics of these things.
"There are plenty of ways you can tune the consensus algorithm to resolve problems that come up. It just means you have to think harder and maybe use a more sophisticated cryptographic technique."