An Introduction to Blockchain Finality
Thursday, 7th of March 2019 · by Raul Jordan
We do not truly own our digital fiat — banks do, but do we truly own our crypto assets?
Say you log in to your current bank account: you immediately see your checking account balance, your savings, how much you owe on your credit card, etc. You leave the app with a feeling of confidence that the money is “yours” and that any wire transfers or transactions from your cards will get “settled” by the banks and the merchants without much risk. The system “works” and you trust in the system. But do you truly own that money?
Digital ownership of assets is a concept deeply entrenched in our society since the roots of the Internet revolution. The concepts of a digital password and an email address as an identity have been accepted as standards for what were previously concrete, physical identity credentials. This phenomenon of digital ownership is not only quite artificial in nature, but it is also a highly social concept. Ownership of assets means nothing unless others recognize that ownership — namely, others whom you may wish to transact with.
Blockchain technology has reshaped our notion of what digital ownership signifies. Instead of putting our hard-earned assets into a bank, we have the ability to control the keys to personal freedom, using strong cryptography to give us the ability to move cryptocurrencies in a ledger through our wallets. But even then, do we truly own that money? The answer, as in the legacy financial system, is no.
The concept of a blockchain wallet is, indeed, a misnomer. Wallets only store keys which give us the right to transact with a value everyone else in the protocol believes we digitally own. Indeed, users own private keys which give them access to transacting with a blockchain ecosystem, but these keys are only the credentials which unlock access to assets existing in cyberspace, namely, entries in a decentralized ledger.
This report will focus on what ownership in proof of work blockchain protocols means at the lowest level as well as explore its limits. As a first example, the power of a Proof of Work blockchain such as Bitcoin comes down to its security as a monotonically increasing function of time (that is, the security of the network only increases as time goes on). Every block coming in represents the output of a collective race to use the fastest possible machines to find an answer to a cryptographic puzzle: a competition where typically those with the highest, yet most efficient expenditure have an edge over others. Thousands of machines and mining rigs around the world spend tens of millions in electrical energy and operational costs to participate and earn block rewards from Bitcoin and other cryptoassets.
The assets miners own then have value by proxy, as there was significant electrical input put into creating any one of them coupled with cryptographically guaranteed scarcity and a global, public competition that every miner agrees to participate in. Every subsequent block created by miners then leads to a cumulative increase in security on previous blocks and transactions, meaning it would require some other miner to create an entire new chain from scratch that is longer than the cumulative work put in by everyone else. This model, Proof of Work, is the basis of the security guarantees of networks such as Bitcoin and Ethereum.
Transaction Settlement: An Introduction to Finality
Participants in the network by default agree that the chain with the highest “difficulty”, or more blocks put into it, is the “canonical ledger”. Having everyone reach consensus on the canonical ledger is what truly drives the trust behind digital ownership in blockchain. If tomorrow, a new ledger is accepted as the true ledger without your transactions or coins on it, you lose out and can no longer participate in the system, as the system no longer recognizes your “ownership” despite you having a local copy.
The above holds true for all longest chain variants of blockchain protocols such as Bitcoin and Ethereum as of writing. Despite this, the security guarantees of these protocols are not absolute. In these protocols, there is no guarantee that your transactions will never get reverted or that a new, longer chain will not come along. That is, the notion of security in Proof of Work blockchains is probabilistic. The more time passes and the more blocks come in, the less likely it is that your transactions will ever get reverted. It’s quite obvious that once 50 or even 100 blocks go by, the chance of a reversion occurring is nigh impossible, but it isn’t entirely obvious when only one or two blocks have gone by. However, the longer a proof of work chain such as Bitcoin is, the lower the likelihood its previous transactions will get reverted. This concept is known as settlement finality.
Reversions, or chain splits, fall into the greater umbrella of phenomena known as blockchain forks, in which a portion of the network has a different collective belief of what the canonical ledger is. Forking can have vast implications for digital ownership, as it is a highly social process that can happen for various reasons. In the Ethereum network, scheduled forks happen in order to upgrade the network and add new features. Sometimes, contentious forks happen in which a vocal group disagrees with decisions made in a protocol and decides to convince some part of the network to split into its own, new chain (for example, Bitcoin Cash was a very contentious fork that split from the Bitcoin Core chain).
However, forking is not an uncommon, unique scenario. In fact, forking occurs at almost every block interval in Bitcoin due to network conditions. Since not everyone can see broadcast blocks at the same time, two miners might create perfectly valid blocks, but only one will be rewarded in the end by the protocol.
Blockchain networks are imperfect, as anyone in the world can run a node. With all sorts of Internet connections and latency issues, blocks often take longer to propagate throughout bigger networks, and those offer more time for potential forks to occur in the intervals between consensus.
Blocks that are valid but fail to be included in the ledger the majority of the network accepts are referred to as uncle blocks. In Ethereum, these miners creating orphaned blocks are rewarded a small amount for their efforts, and the rate at which these orphans are created is known as the “uncle rate”.
This value serves also as a great proxy of network latency and inefficiencies in Ethereum. That is, if blocks are using too much gas (using too much computation), these blocks will be larger in size and take longer to propagate throughout the network, increasing the probability of more uncles happening throughout. In times of high usage, the network becomes congested, and tons of these uncles happen at a higher rate than usual.
Forking and the possibility of chain reorgs are the reasons why exchanges such as Coinbase take a while before you can use coins you receive or send out of the exchange. They typically wait around 30 blocks as a safe confirmation timeframe, trying as much as they can to ensure a high probability that their users will not lose ownership of their respective assets.
Alternatives & Tradeoffs
So in Bitcoin and Ethereum as they stand, participants can only increase the likelihood that their transactions will not get reverted over time, but can never be 100% certain. This concept is baked into the protocol itself, as it depends on the network deciding the “real”, canonical ledger is the one with the most blocks and highest difficulty put into it. Are there protocols where transactions can reach explicit finality? What are the tradeoffs?
A key alternative to Bitcoin’s proof of work is proof of stake: a mechanism in which participants lock up and “stake” some cryptoasset in order to participate in reaching consensus on a global ledger. If participants act maliciously, they risk losing their full stake or a large portion of it, creating a mechanism that is based on penalties rather than rewards. Ethereum has always wanted to transition to proof of stake, and efforts are well underway to create the next iteration of the Ethereum protocol.
In proof of stake based protocols that are based on a variant of the longest chain decision rule, there is no notion of real world, electrical expenditure required to create a longer chain, so there are no cryptographic guarantees of when transactions can be considered final. Instead, these protocols opt for baking in settlement finality as a fixed parameter. That is, these protocols state that after X blocks, transactions can never be reverted, and everyone operates by the rules of that protocol. That also means that there is no incentive to maintain or store the entire history of transactions before every finalized period, which is a major tradeoff of this approach. In Bitcoin, new nodes joining the network independently download and verify the entire ledger since the first block, reaching the same “truth” as the other participants effectively.
How Proof of Stake Systems Achieve Finality
Proof of Stake mechanisms such as Ethereum’s Casper the Friendly Finality Gadget rely on deposit-weighted votes received by a group of validators (the proof of stake term for miners) to decide when to finalize a certain sequence of blocks. That is, nodes in the network have a built-in protocol which says to disregard blocks before a certain point in time for consensus if certain conditions are met. Typically, this vote threshold is in line with Byzantine Fault Tolerance to ensure that at least 2/3 of the validator balances voted in a given period of time as a safety measure.
In Proof of Stake based models which have “finality checkpoints”, new nodes that join after a long period of time instead only need to verify the state of the ledger since the last finalized checkpoint. That is, if the protocol specifies that, every 1000 blocks where a certain threshold of votes was reached, transactions at that point cannot be reverted, then new nodes only need to accept the truth from that point on and need not care about preceding blocks. Verification of the state of the world becomes more subjective than objective in this scenario. In fact, Vitalik Buterin refers to this property of Proof of Stake as weak subjectivity.
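A simplified model of the deposit-weighted 2/3 vote and finality checkpoints described above, as an added example that is not code from the article or from any Ethereum client. The two-step justify/finalize rule follows the Casper FFG paper rather than this article; validator names, deposits and checkpoint labels are constructed, and slashing is left out.

```python
from collections import defaultdict

def supermajority_links(deposits, votes):
    """Return the (source, target) links backed by at least 2/3 of all deposits."""
    total = sum(deposits.values())
    weight, seen = defaultdict(int), set()
    for vote in votes:
        validator = vote[0]
        if validator not in deposits or vote in seen:
            continue                       # unknown validator or repeated vote
        seen.add(vote)
        weight[vote[1:]] += deposits[validator]
    # integer comparison avoids floating-point error at exactly 2/3
    return {link for link, w in weight.items() if 3 * w >= 2 * total}

def justified_and_finalized(deposits, votes, heights, genesis):
    """Justified: reachable from genesis through supermajority links.
    Finalized: justified, with a supermajority link to its direct child."""
    links = supermajority_links(deposits, votes)
    justified, changed = {genesis}, True
    while changed:
        changed = False
        for s, t in links:
            if s in justified and t not in justified and heights[t] > heights[s]:
                justified.add(t)
                changed = True
    finalized = {genesis} | {s for s, t in links
                             if s in justified and heights[t] == heights[s] + 1}
    return justified, finalized

def latest_finalized(finalized, heights):
    """Checkpoint a newly joining node would start verifying from."""
    return max(finalized, key=heights.__getitem__)

# Constructed sample: four validators with unequal deposits (total 100).
DEPOSITS = {"A": 40, "B": 30, "C": 20, "D": 10}
HEIGHTS = {"G": 0, "c1": 1, "c2": 2, "c3": 3}
VOTES = [
    ("A", "G", "c1"), ("B", "G", "c1"), ("C", "G", "c1"),     # 90 of 100
    ("A", "c1", "c2"), ("B", "c1", "c2"),                     # 70: two validators suffice
    ("B", "c2", "c3"), ("C", "c2", "c3"), ("D", "c2", "c3"),  # 60: three are not enough
    ("D", "c2", "c3"), ("X", "c2", "c3"),                     # repeat and unknown: ignored
]

if __name__ == "__main__":
    justified, finalized = justified_and_finalized(DEPOSITS, VOTES, HEIGHTS, "G")
    print("justified:", sorted(justified), "finalized:", sorted(finalized))
    print("new nodes sync from:", latest_finalized(finalized, HEIGHTS))
```

Checkpoint c2 ends up justified but not finalized: votes are weighed by deposit rather than head count, so three of four validators holding 60% of the stake cannot carry the link to c3.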
What Does This Mean for the Average User?
For the average user interacting with the blockchain, similar to how ownership of fiat assets stored in a bank works today, assets on a blockchain are merely records in a ledger. For fiat money in a bank, your ownership of your money exists because there are records in its centralized database attesting to your balance. In blockchain, users only own their cryptoassets because the majority of a protocol accepts their ownership as being part of some “hard truth” (i.e. what we call a “canonical” ledger). If tomorrow, the chain gets attacked and a deep block reorg happens without your transactions in it, your private keys and wallet are useless. Even if you “have” the coins, the majority of the protocol thinks you do not. Digital ownership on a blockchain carries a risk as big as the security flaws of its underlying protocol.
It is important to remember consensus is a social process, and even in blockchain, settlement finality is not 100% guaranteed. Blockchain finality, however, provides an important, new primitive that helps us question how we reason about digital ownership, security, and the social nature of consensus, both in traditional systems and in the bleeding edge of this new technology.