Cryptocurrencies Need a Reality Check
UPDATE: Extended Talk now available.
At the time of writing this article, Bitcoin had just reached its all-time dollar high. Cryptocurrencies appear to be here to stay.
Cryptocurrencies come in many varieties, but at their core, they act as public ledgers where participants can send and receive on-chain tokens, the cryptocurrency, under the promise that after some time, any transactions that get sent will be recorded on this ledger and cannot be changed. They differ to a conventional bank, a single point-of-failure, by asking many, hopefully independent, people to record the transaction. The recorders are rewarded for this service with some on-chain tokens, a combination of newly minted tokens and transaction fees.
The current crop of protocols which underpin cryptocurrencies crucially depend on some portion of participants to act honestly and always follow the protocol, regardless of on-chain rewards that may be foregone by doing so. These assumptions are even made in the original Bitcoin paper by Nakamoto himself.
With a market capitalisation entering the trillions of dollars, does it still make sense to make such an assumption about players in cryptocurrencies? It was seen early on that Bitcoin was vulnerable to rational participants who wanted to maximise their number of coins. In a paper by Eyal et. al, it is shown that for sufficiently large participants, or miners as they are known in Bitcoin, they could increase the amount of Bitcoin they earned by deviating from the protocol in an attack known as Selfish Mining. This deviation involved withholding transactions. Imagine if your bank one day decided to not deliver your wages? Bitcoin continued to grow, and such a vulnerability was paved over, with a video of a guy buying a Lamborghini with his Bitcoin being watched more than 300 times more than the most watched video explaining how Selfish Mining works.
The owners of Bitcoin, or any other large cryptocurrency, who do not participate in the management of the respective ledgers are currently at the mercy of the relatively small number of entities who do manage it.
If one day, these ledger managers wanted to increase the quantity/share of cryptocurrency they own, the non-managing players could only watch on (or maybe not see it at all) as the former managers abandon the protocol. By not following the rules of the protocol, the properties that ensure the ledger processes transactions correctly and in a timely fashion are no longer guaranteed.
Therefore, the current legitimacy of cryptocurrencies depends on a delicately balanced Prisoner’s Dilemma where any one individual manager of the ledger could benefit by deviating if all other players do not. It is unlikely that retail investors are aware of this, and personally, this reality is quite disturbing. Consequently, it is imperative that we address this fundamentally flawed assumption and anticipate that players will always try and maximise their on-chain tokens. In a recent paper, Achieving State Machine Replication without Honesty Assumptions, we do just that.
My co-authors and I show that if players controlling a majority of the votes on what gets added to the ledger are rational, and want to maximise their amount of on-chain tokens, there are some fundamental properties that we require from a protocol in order to guarantee that these rational players will follow the protocol while maintaining a control on this majority. These are Strong Incentive Compatible in Expectation, and Fairness.
Strong Incentive Compatible in Expectation ensures that any rational player believes that following the protocol will maximise their rewards earned. Such a property is not present in most cryptocurrencies. However, we also require Fairness to ensure that no subset of players controlling less than 50% of the resources in the system can receive more than their fair share of the rewards. In the paper, it is proven that if a protocol has both of these properties, then one can guarantee the resultant public ledger will function as required, while if either property does not exist, it is proven that one cannot guarantee the output of the public ledger.
Ok, ok. These sound like nice properties, but is there a protocol that actually satisfies them? FAIRSICAL! In our paper, we provide, for the first time in literature, a protocol which satisfies these properties, a FAIR Strong Incentive Compatible in expectation ALgorithm for achieving state machine replication, the process needed to produce a decentralised public transaction ledger as envisioned by Nakamoto. We include a illustration of the steps involved in the FAIRSICAL protocol, with a full description contained in the paper.
In state machine replication protocols, it turns out that rewarding players is hard. Conventional rewarding mechanisms require some player(s) within the protocol to submit a set of players to reward. In Bitcoin, a longest chain rule protocol, if a player submits an update, they reward themselves only, while in Tezos, a Proof-of-Stake variant of the longest chain rule, the current reward formula requires one player to submit a set of players who they observed to help update the ledger over certain periods of time.
The key idea behind FAIRSICAL being fair and strong incentive compatible in expectation is the requirement that each player in the protocol submits a set of players to be rewarded for each time period, at the same time. As seen in the FAIRSICAL illustration, progress is only made if players controlling a majority of the votes submit consistent messages. This includes consistent sets of players to reward. As rational players will not omit themselves, and there is no benefit to omitting other players (as rewards are constant for each player throughout the protocol, a subtle but crucial fact in FAIRSICAL), the most probable set of players to reward is the set containing all correctly participating players. Therefore, players trying to maximise their rewards for any given round must submit the set of all players who correctly participated as the set of players to be rewarded.
FAIRSICAL removes the Prisoner’s Dilemma of legacy systems, and replaces it with a strict Bayesian Nash Equilibrium, making following the protocol the only strategy that rational players will follow, while ensuring that all players who correctly participate receive their fair share of the rewards. In the paper, it is formally proven that FAIRSICAL satisfies both of these properties, and as such, achieves state machine replication, guaranteeing the output of the protocol.
We hope that our work will make people question the promises of the protocols that underpin the cryptocurrencies/ distributed databases that exist today, and pave the way for fair and strong incentive compatible in expectation protocols, like FAIRSICAL, as standard.