On 22 April 2015 The European Securities and Markets Authority (‘ESMA’)1, the equivalent of the US Securities and Exchange Commission, issued a call for evidence regarding ‘Investment using virtual currency or distributed ledger technology’.
Nxt is the example of the digital currency platform ESMA used in its ‘call for evidence’ to illustrate how distributed ledger technology works.
ESMA has now published the 18 responses it received, only two of which were made on behalf of cryptocurrencies: Nxt and FIMK (which is based on the Nxt blockchain). No response was made on behalf of Bitcoin, although one was made in support of it by an exchange called Paymium.
No response to the ESMA call for evidence was made on behalf of (or even in support of) Ethereum, Counterparty, MaidSafe etc.
One can of course understand the lack of engagement on the part of the majority of cryptocurrencies (being, as they mostly are, opportunistic Bitcoin clones), but for Bitcoin itself and other serious players such as those mentioned above not to have responded is surprising.
The cryptocurrency industry needs to fully engage in the regulatory process to make sure that the potential for independent, genuinely decentralised, blockchain technology to democratize financial power is not compromised by a failure to challenge incompleteness or other inaccuracy in the information relied on by regulators.
Some examples of incompleteness and other inaccuracies can be found in the following extract of the ESMA response from Intesa Sanpaolo (a banking group based in Italy):
“We would like to point out that, unlike Bitcoin’s Proof of Work method (which, as stated in O1, we regard as the only effective one, at least at the moment, because of the computational power dedicated to it), other decentralized double-spending prevention algorithms, like NXT’s Proof of Stake (PoS) presented in paragraph n.17, are still not validated from both a theoretical and an empirical point of view:
○ There is an ongoing debate over the “Nothing at Stake” problem affecting every system which doesn’t use any consumption of resources external to the system for the validation;
○ Every single existing PoS scheme, NXT included, is actually relying on some kind of centralization in validation checkpoints, in “currency” ownership or in nodes distribution.”
It would not of course be reasonable to expect a mainstream commercial banking group to argue in favour of a genuinely independent decentralised financial ecosystem.
Rather, it is for the proponents of that technology to correct any inaccuracies and supply any omissions in how others (doubtless unintentionally) represent it, but to do that they need to get involved in the consultation process.
Thus, by way of correcting certain inaccuracies and otherwise filling in the gaps, we shall deal with each of Intesa’s three claims in turn.
Intesa Sanpaolo claims that Bitcoin’s Proof of Work (PoW) method has been empirically and theoretically validated and that Nxt’s Proof of Stake (PoS) method has not.
Theoretically, the PoW and PoS consensus mechanisms are neither better nor worse than each other, merely different. For a description of Nxt’s Proof of Stake model, see pages 5/6 of Nxt’s Response to ESMA.
As regards, the respective theoretical formalizations of PoW and PoS, the following points should be noted:
PoW formalization
The initial Satoshi Nakamoto paper (Bitcoin: A Peer-to-Peer Electronic Cash System) only investigated the consensus algorithm security against private branch attack.
Since then other potential attack vectors, for example selfish mining, have been discovered.
The selfish mining strategy provides unfair profit for the 33+% adversary and that’s dangerous in the long-term, but not critical for consensus itself.
Most recently, in November 2014, the formal model (of a more or less appropriate quality) was published: The Bitcoin Backbone Protocol: Analysis and Applications.
PoS formalization
Whilst Proof-of-Stake formalization is currently still behind that of PoW it’s now developing faster than PoW’s formalization and therefore catching up quickly.
The first implementations of pure PoS appeared in the second half of 2013, with the first investigations started in the first half of 2014 (Math of Nxt Forging by mthcl) following which Consensus Research made simulations2 and wrote articles3 about the few types of known attacks.
Consensus Research are currently in the process of discussing deeper formalization with colleagues from mathematics and theoretical computer science.
Turning next to Intesa Sanpaolo’s claim that Bitcoin’s PoW method has been “empirically validated” and that Nxt’s PoS method has not.
We assume “empirically validated”, as applied to Bitcoin’s PoW and Nxt’s PoS technologies, is intended to mean: proven to work in practice in accordance with their objectives.
Since both technologies demonstrably do work in practice in accordance with their objectives, at least up until now, they can therefore both be said to have been empirically validated: Bitcoin as a payment system and Nxt as a financial ecosystem which includes a payment system (see: Nxt Core Features, as described on pages 15/16 of Nxt’s response to ESMA).
But blockchain technology in general is still in its infancy and faces a number of significant practical challenges, including that of blockchain bloat and scalability – a problem which, at some stage, will have to be addressed and resolved (if they are to remain viable) by all blockchain technologies, including of course Nxt itself.
However, due to the large and (as currently anticipated) increasing number of transactions being processed through its network, Bitcoin now needs to address that problem as a matter of urgency and it is running out of time in which to do so.
According to Bitcoin Foundation Chief Scientist Gavin Andresen speaking in an interview in June 2015, Bitcoin will be reaching its 1 MB block size limit “some time in the next 6 to 12 to 18 months….”. In the interview Mr Andresen goes on to warn of what could happen if the problem isn’t resolved.4
In an apparent attempt to force the pace as regards tackling the block size issue, a patch to the Bitcoin Core was released on August 4 and is now available to download here: https://bitcoinxt.software/
It remains to be seen whether the Bitcoin network as a whole will accept or reject what in effect is a hard fork or indeed whether the network will split, resulting in the creation of two versions of Bitcoin, thereby crashing the value of one, if not both.
What is certainly clear is that the Bitcoin XT debate (whether or not to replace the current hard-coded block size limit of 1mb with a patch that, amongst other things, supports larger blocks) has polarized opinion.5
And it is doing so for the reason explained in this article in The Wall Street Technologist:
“What we have here is an ideological schism in Bitcoin. Most people fail to realize that this is what the block debate is really about. On one hand you have folks who believe Bitcoin should be the new VISA system. They believe that Bitcoin should be able to handle all the transactions on planet earth, from everyone’s daily coffee purchase, to everyone’s house purchase, to how Google cars should be paid for their services. On the other hand, you have those who believe Bitcoin’s core value is the fact that it is a hedge against fiat currencies, and by extension, governments (in the case they decide to infringe upon your liberties). Bitcoin CANNOT be both. It’s just not possible.”
Whilst, as already mentioned, the scalability problem is common to all blockchain technologies, the following empirically observed problems are exclusive to Bitcoin and should also be borne in mind when reassessing the accuracy of any claim that Bitcoin is empirically valid:
- the inherent tendency of the underlying economics of the Bitcoin network to create a vicious circle whereby increasingly sophisticated mining rigs generate increased hash output resulting in increased difficulty which in turn drives the need for evermore powerful rigs thereby making it uneconomic for any but the biggest miners and pools to operate. The end result: increasing centralisation of mining power; i.e. a shrinking network of nodes, making it less secure.6
- over-dependency on a few manufacturers of the prohibitively expensive ASIC mining equipment.
- high energy consumption involved in miners competing for blocks to validate, making the process environmentally very unfriendly.
Intesa Sanpaolo claims that “there is an ongoing debate over the “Nothing at Stake” problem affecting every system which doesn’t use any consumption of resources external to the system for the validation.”
The unqualified use of the word “problem” might suggest to the uninformed reader that Nxt, as a PoS system, has actually been subjected to a Nothing-at-Stake attack. In fact, it has not.
Like Bitcoin’s PoW, the Nxt PoS consensus algorithm is a work in progress; the current state of thinking and research regarding any theoretical vulnerability to a N@S attack can be summarised as follows:
A. The first more or less formal definition (at least in the form of computer code) has been produced by Consensus Research:
PoS forging algorithms: multi-strategy forging and related security issues.
B. The number of possible forks grows exponentially over time. A Nothing-at-Stake attack could therefore only be made by a multi-branch forger contributing to N best forks and since it’s impossible to predict whether 2 forks will be within N best forks from the exponentially growing set for k confirmations (a significant imponderable), this attack vector is inherently unpredictable making it very difficult to enforce in theory, let alone in practice.
C. The correlation with stake size is still the open question but, contrary to what has been stated by Vitalik Buterin,7 it’s nearly impossible to attack a proof-of-stake currency with “1% stake even”.
D. A solution to make the PoS consensus algorithmically enforced (as in PoW) is theoretically possible.
E. The N@S simulation tool is published here: https://github.com/ConsensusResearch/MultiBranch for people to carry out their own experiments. Unfortunately, there is not currently any easy-to-understand (i.e. non-technical) visualization of the non-feasibility of a Nothing-at-Stake attack.
In practice, the Nxt forging algorithm provides a defence against a Nothing-at-Stake attack in the form of what has been termed Transparent Forging (TF), the main feature of which is the ability to predict which account will generate the next block.
Other TF aspects of the Nxt forging algorithm are:
- account balance having to be older than 1440 blocks;
- the ability to lease account balance for forging;
- requiring the forging account to have had its public key announced for 1440 blocks before being able to forge; and,
- not accepting a forged block if its timestamp is more than 1 second after the predicted time to forge.
Improvements to take effect in release 1.7 are a minimum effective balance requirement of 1000 NXT for an account to be eligible to forge, and preventing very long blocks by an improved base target adjustment algorithm.
Elements of the TF concept which have not yet been implemented include: achieving higher transaction processing speeds by sending transactions directly to the node expected to generate the next block, and reducing the time interval between blocks based on the knowledge of the next few predicted block generator accounts.
Further protection against any ‘Nothing at Stake’ attack can be achieved by temporarily reducing to zero the forging power of accounts which should have generated a block but skipped their turn.
At present though, the currently implemented components of TF are considered sufficient to protect against such an attack.
Those TF elements mentioned above which are designed to increase the possible transaction throughput will only be implemented once the need for it appears, and certainly not until blockchain pruning has first been implemented.
Intesa Sanpaolo claims that “Every single existing PoS scheme, NXT included, is actually relying on some kind of centralization in validation checkpoints, in “currency” ownership or in nodes distribution.”
At their current level of technological development, no blockchain (arguably Bitcoin least of all) is 100% decentralised.
Nxt validation checkpoints
The Nxt protocol includes a rolling checkpoint whereby any block submitted at a height more than 720 blocks behind the current block height is automatically rejected. This in effect limits chain reorganization to the most recent 720 blocks.
The Nxt protocol also includes some hard-coded checkpoints (e.g. at Block 333,000). Their purpose is to prevent any possibility of a so-called “history rewriting attack” in which somebody buys redundant early stakeholder accounts in order to try to build a complete alternative blockchain.
Another reason for the hard-coded checkpoints is performance optimization, specifically: improved blockchain download speeds for peers downloading the blockchain from scratch, the improved speed being due to the fact that they don’t need to check with multiple peers in respect of the blockchain before the latest hard-coded checkpoint whether or not the current fork they are on is the best one.
Most importantly, such hard-coded checkpoints are only added at blocks more than 720 blocks before the current (at the time of adding the checkpoint) last block. At this point, the consensus has already been reached and set in stone by the rolling 720 block checkpoint limit, therefore the hardcoded checkpoint does not influence the decentralized consensus.
Whether or not these validation features can be regarded as “centralised” is debatable and in any case neither are critically needed for blockchain survival.
Bitcoin, of course, has its own hard-coded checkpoints (see further: https://github.com/bitcoin/bitcoin/blob/master/src/chainparams.cpp )
Nxt currency ownership and node distribution
Nxt does not rely, as a matter of technical design, on centralisation of currency ownership or node distribution and the authors of this article are unaware of any PoS model (or indeed any other blockchain consensus mechanism) that does.
Proof-of-stake must have a way of defining the next valid block in any blockchain. Selection by account balance would result in (undesirable) centralization, as the single richest member would have a permanent advantage. Instead, several different methods of selection have been devised.
Randomized Block Selection
Nxt uses a pseudo-random algorithm to predict the next block generator i.e. forger, by calculating a hash value which should be lower than a target value using the combination of the account stake, time since last block, signature of the previous block and the forger account public key. Since all these parameters are publicly available, each node can predict, with reasonable accuracy which account will forge the next block.
It might be that what Intesa Sanpaolo meant to say in its ESMA response was that in certain PoS models a relatively small number of accounts are in practice currently responsible for the majority of the work of validating blocks and earning the transaction fees for doing so.
In the case of Nxt the original distribution of the currency was made to the 73 subscribers who participated at the start and as a continuing, albeit slowly improving, legacy effect of that relatively small distribution, it is true to say that a large percentage of the Nxt currency has been owned by a relatively small number of account-holders.
Nxt critics have long sought to portray this as an inherent irremediable weakness of the system. It is not and over time, as more people get involved in Nxt, the number of accounts will continue to increase and ownership become more diffuse.
In the meantime, having a large percentage of the currency concentrated in a relatively few hands has had some advantages for the system, not least of which is the relative absence of speculative manipulation (i.e. pump and dump) and the funding of development and marketing that would not have happened but for the generous bounties made available by large Nxt account holders.
Meanwhile, Proof of Stake blockchain technology, of which Nxt is the leading example, continues to innovate and improve.
The features planned for the next hard fork (Release 1.7) are coin shuffling, account control for phased transactions (whereby an account is only allowed to submit phased transactions that require the approval of one or more other accounts), more stable block times and various usability enhancements. A security enhancement, 2FA using hash chains, will be added in Release 1.8.
Nxt core developers will also be adding features that make it easier to use the platform in regulated financial environments, for example “account properties” which can be used to endorse accounts as having been verified or authorized by third parties (to be implemented in Release 1.7) and “controllable assets”, designed to satisfy legal requirements that only authorized accounts can purchase certain types of asset (planned for Release 1.8).
Update: Since this article was published, a new version of The Nxt NRS client software has been released: NRS v.1.7.0e
This is an experimental release for testing only. Source code is not provided.
—————————
Acknowledgments
Many thanks to kushti, Jean-Luc, Riker, mthcl and ChuckOne who all reviewed and variously commented on and contributed wording to the article.
Footnotes
1. ESMA states on its website that it:
‘…is interested in how different virtual currencies and the associated blockchain, or distributed ledger, can be used in investments. There are now facilities available to use the blockchain infrastructure as a means of issuing, transacting in and transferring ownership of securities in a way that bypasses the traditional infrastructure for public offer and issuance of securities, trading venues like exchanges and central securities depositaries or other typical means of recording ownership. ESMA would like to find out more about these market developments and in particular to know to what extent the use of the blockchain could enter the financial mainstream, and how it could be used.’
2. https://github.com/ConsensusResearch/ForgingSimulation.
3. https://github.com/ConsensusResearch/articles-papers.
Kushti is currently discussing joint papers possibilities with colleagues and preparing a paper to be published in a peer-reviewed journal.
4. In the interview (at 6:43 mins), Bitcoin Foundation Chief Scientist Mr Andresen, who has a less apocalyptic vision than his colleague Mike Hearn as to what might happen to Bitcoin in a worst case scenario, nevertheless warns that:
“…people will just stop sending transactions if they notice that their transactions are not getting confirmed in a day or two or three or a week. The nature of transaction confirmation and the nature of how blocks are found softens that a little bit so every once in a while we’ll get a period of time when transactions really pile up because blocks are found more slowly than normal and every once in a while we’ll have a period of time where lots of transactions get confirmed because we’re finding lots of blocks.
It’s just the nature of the randomness of mining that we get this natural variation in how many transactions are confirmed in any given period of time and so I think that that natural variation plus people react so if you’re sending transactions with very low fees that aren’t getting confirmed well then you’ll bump up your fees if you can and if you can’t bump up your fees because transactions get more expensive then you find some alternative and that alternative may be: well I won’t use Bitcoin, I’ll find some other way of doing what I want to do.
So I don’t think we’ll have a crash. It won’t be a disaster. I think what we will see is people turning away from Bitcoin and using other things and I think we’ll see transaction fees rising. Both of these things I think are bad.”
5. Bitcoin XT vs Core, Blocksize limit, the schism that divides us all.
“The news recently is all abuzz about the Gavin Andresen and Mike Hearn’s fork of Bitcoin called Bitcoin XT. For the first time in the history of Bitcoin, its very existence has been put into peril by way of what is termed a ‘Hard Fork’ of the protocol. I have watched the situation develop, and I feel that I must comment on this topic as the amount of FUD coming from both sides of the camps is reaching alarming levels, and frankly I think this is hurting Bitcoin.”
As at 24 November 2015, there were 410 Bitcoin XT nodes (supporting bigger blocks) out of a total of 5018 nodes in the Bitcoin network. Source: http://www.xtnodes.com/ Accessed 24.11.2015.
6. “As a Proof of Work network becomes stronger, there is less incentive for an individual peer to support the network, because their potential reward is split among a greater number of peers. In search of profitability, miners keep adding resources in the form of specialized, proprietary hardware that requires significant capital investment and high ongoing energy demands. As time progresses, the network becomes more and more centralized as smaller peers (those who can do less work) drop out or combine their resources into pools.”
http://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt#Proof_of_Stake_Attacks.
See also:
“The risk is that the trend will claim too much obsolete hardware and put many miners out of business, resulting in even more centralisation and fewer incentives to invest in the mining space.” http://www.coindesk.com/bitcoin-mining-can-longer-ignore-moores-law/
And:
“The problem is that there is little incentive to run a node anymore. That’s because powerful machines built specifically for bitcoin’s SHA-256 proof-of-work algorithm have changed its decentralized and more open nature.” http://www.coindesk.com/five-biggest-threats-facing-bitcoin/
7. Vitalik Buterin is one of the original authors of a cryptocurrency platform called Ethereum. A version of Ethereum, called Serenity, currently in development “…is meant to move from consensus through Proof-of-work to Proof-of-Stake.”
The “Nothing at Stake” attack is described by Vitalik Buterin here:
“However, this algorithm has one important flaw: there is ”nothing at stake”. In the event of a fork, whether the fork is accidental or a malicious attempt to rewrite history and reverse a transaction, the optimal strategy for any miner is to mine on every chain, so that the miner gets their reward no matter which fork wins. Thus, assuming a large number of economically interested miners, an attacker may be able to send a transaction in exchange for some digital good (usually another cryptocurrency), receive the good, then start a fork of the blockchain from one block behind the transaction and send the money to themselves instead, and even with 1% of the total stake the attacker’s fork would win because everyone else is mining on both.” Extract from Proof of Stake: How I Learned to Love Weak Subjectivity
In the following two papers, the authors also seek to prove the feasibility of a “Nothing at Stake” attack
“It Will Cost You Nothing to ‘Kill’ a Proof-of-Stake Crypto-Currency“ Nicolas Houy, University of Lyon, January 2014.
“On Stake and Consensus“, Andrew Polesta, March 2015
By contrast, here’s a detailed description, written in layman’s terms, on the practical impossibility of N@S attack by JordanLee
http://www.peercointalk.org/index.php?topic=2976.msg27303#msg27303
Discussion threads regarding the theoretical possibility of a Nothing-at-Stake attack include:
BitCoin Talk: Nothing-at-Stake & Long Range Attack on Proof-of-Stake (Consensus Research).
Nxt Forum: The Paper on Long-Range attack & Nothing-at-Stake.