News.EOS.WiKi Bilingual News & Info Of EOS

Rethinking Transactions as Proof of Stake (TaPoS)


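Translated:

In 2014 I proposed the concept of Transactions as Proof of Stake (TaPoS) to secure BitShares; since then it has been used on Steem, Hive, EOS and several other blockchains. Some people consider it my biggest contribution to the crypto space.

TaPoS secures a network by preventing a transaction from being applied on a fork other than the one where the user signed it. It guards against long-range reorganizations and protects users from signing transactions based on false information. A centralized entity can use TaPoS to operate a blockchain while assuring users that the chain cannot be reorganized unless all other users update their signatures.

TaPoS takes a small amount of data from a recent block ID and combines it with the transaction, so that any change to the blockchain causes the transaction to fail. A blockchain only has value when the vast majority of users can see their transactions included, so a double-spend attack that tries to reverse a transaction would invalidate almost all other transactions at the same time. In that situation it is trivial for the large mass of users to identify which fork is legitimate and which is not. On other blockchains a double-spend attack may only inconvenience a small number of users, and it is much harder for the majority to reach broad consensus by any means other than following the longest-chain rule (Bitcoin).

Even when users know perfectly well that an attack has occurred, without some other public commitment in each transaction it is hard for them to know objectively which of the double-spend transactions is legitimate and which is not.

TaPoS cryptographically binds a recent block ID into every transaction. EOSIO uses 16 bits to represent the low bits of the block number and 32 bits from the block ID to verify the match. Four bytes are not enough to prevent a brute-force attack on a single block. However, changing one block requires changing all subsequent blocks until the hidden fork is revealed and users begin producing transactions on the new fork. The cost of an attack is therefore that of finding many 32-bit hash collisions: expensive, but not impossible. In this case the cost grows linearly with how far back the reorganization reaches. On proof-of-work blockchains a brute-force attack is extremely difficult, because every attempt at a 32-bit hash collision requires the full proof-of-work difficulty.

This approach works very well against accidental reorganizations and deliberate replay attacks, but on non-proof-of-work blockchains we generally do not consider it fully secure in the cryptographic sense; on those networks users still rely mainly on the Byzantine-fault-tolerant producer set for security.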

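A New Approach to TaPoS

For Fractally's new blockchain we have strengthened TaPoS so that transactions cryptographically linked to the chain cannot be brute-force attacked, and we do so at 50% lower cost than EOSIO or HIVE. EOSIO and HIVE use 6 bytes for TaPoS, while our new chain needs only 3 bytes.

The secret of the new approach is that every transaction linked to a given block ties itself to that block in a different way. First, instead of using 2 bytes to reference a block, TaPoS uses just one byte, which can refer to any of the past 127 blocks or to 1 out of every 4096 blocks in the past six days. This gives more flexibility for offline signing while still making it easy to reference any recent block.

The next two bytes are a checksum, which checks a pseudo-random offset within the block ID. The offset is computed from a hash of the transaction over all bytes that follow the checksum bytes (typically in the header). The hash does not need to be cryptographically secure as long as it is deterministic and well distributed. The probability that a fork block accidentally matches the checksum of any single transaction is 1 in 65,535; however, every transaction that points to the same block checks a different position in the block ID, so an attacker who wants to migrate 50% of the transactions has to match 10 of 20 bytes. Matching 95% of the transactions would require solving a proof of work harder than a Bitcoin block, and doing so 100,000 times faster than the Bitcoin blockchain in order to keep up with one block per second. Even if they could pay for the electricity, there is not enough hardware in existence to do it, and the hardware that exists is already being used for legitimate mining.

If an attacker gained control of 2/3 of the block producers and wanted to deliberately create a fork for a double spend, they would either lose 99% of the transactions that point to the blocks they rewrite, or need more computing power than the entire Bitcoin network to migrate even a small fraction of them. Long-range attacks are likewise almost impossible without dropping 99% of transactions, so nobody would have any economic interest in such a hypothetical fork.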

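TaPoS 2.0 and Proof of Work

Proof-of-work blockchains have some well-known weaknesses, such as selfish mining and various attacks that rely on building a fork in secret.

With this new approach to TaPoS we can modify the proof-of-work consensus algorithm so that every transfer produces TaPoS-Coin-Days-Destroyed (TCDD) as a side effect, calculated as the TaPoS block number of the new transaction minus the TaPoS block number of the transaction that supplied the input tokens, multiplied by the number of coins.

The “best chain” is the chain with the most TCDD; however, extending the chain also requires new blocks to carry sufficient proof of work. A hidden fork cannot generate new TCDD beyond its own coins and needs the same proof of work as the public chain. Upgrading Bitcoin to support this would not require a hard fork; in other words, both old and new nodes could read transactions validated with TaPoS. Any hidden fork would be ignored by new nodes. Old nodes might follow the hidden chain for a short while, but almost no critical infrastructure would recognize it, and the old nodes would have to upgrade to recover from the attack. The reduced chance of success would deter such attacks in the first place, which means that once enough major users have adopted the new TaPoS protocol (only 3 bytes per transaction) the network gains herd immunity.

The end result is a hybrid proof-of-work and proof-of-stake system that has the advantages of both systems while avoiding many of the drawbacks of either system running on its own.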

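Is TaPoS Useful?

TaPoS clearly has some theoretical advantages, but do the practical benefits really offset its meager cost? For a start, TaPoS has been in use on Hive and EOS for several years, and these chains have shown no sign of any long-range attack. The block producer selection algorithm and other social forces mean that the chance of a successful attack is already very small.

The second use of TaPoS is to facilitate intentional community forks while avoiding replay attacks. Although TaPoS makes this simple, it can also be achieved with a small change to the signature verification algorithm as part of launching a new fork.

At Fractally, a robust governance process gives us a new level of subjective accountability, which makes any attack at the technical level pointless, with or without TaPoS.

So the main benefit of TaPoS remains securing proof-of-work blockchains, along with use by centralized private blockchains. A private company can launch a blockchain where it is the sole producer of blocks but the community is the distributed validator of blocks. With TaPoS, the private company cannot fork the chain for a double spend unless it colludes with enough customers who move to the new fork, and doing so invalidates all of its customers' transactions during the fork period. This means the private company cannot selectively harm customers, so the only remaining weakness of the private chain is censorship. If censorship becomes widespread, it can be resolved by a community-led fork to a new centralized producer with decentralized validation.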

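Conclusion

The cost of TaPoS is relatively low, and it gives everyone meaningful protection, even against the most centralized set of block producers. Its presence means there is little reason to attempt long-range attacks, even if those attacks would ultimately only be temporarily disruptive. At 1000 transactions per second the total cost is 3 KB per second, or 0.01% of bandwidth.

TaPoS appears to be a low-cost way of dealing with most of the theoretically possible but practically difficult attacks against the various existing consensus protocols. So for users who care about full cryptographic and objective security, TaPoS looks worth the time. For companies that want a centralized blockchain, TaPoS also looks like the best way to provide a cryptographic commitment to the past without giving up the future. It is cheaper and more secure than hashing to another public chain.

If you weigh theoretical risks against practical realities and are comfortable with subjective security, TaPoS may be unnecessary overhead. Still, there is something to be said for silencing talk of theoretical but impractical risks that might worry your customers.

For these reasons I believe it should be a feature of every blockchain, whatever consensus mechanism the chain uses.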

Original:

In 2014 I introduced the concept of Transactions as Proof of Stake to secure BitShares and it has been used on Steem, Hive, EOS and many other chains since. Some people consider it one of my biggest contributions to the crypto space.

TaPoS is a technique for securing a network by preventing transactions from being applied to forks other than the one seen by the user at the time they signed the transaction. This protects a network against long-range reorganizations and protects the user from signing a transaction based upon a false view of the world. With TaPoS it is possible for centralized entities to operate a blockchain while ensuring the users that the chain cannot be reorganized without all other users updating their signatures.

TaPoS works by incorporating a small amount of data from a recent block id into the transaction such that any change to the blockchain would invalidate the transaction. A blockchain only has value if the vast majority of the users can see their transactions incorporated so a targeted double-spend attack that attempts to reverse one transaction would also have to invalidate almost all other transactions at the same time. Given this situation it would be trivial for the large mass of users to identify which fork was legitimate and which is illegitimate. On other blockchains a double spend attack would only inconvenience a small minority of users and it would be much harder for the majority to reach broad consensus other than following the longest chain rule (Bitcoin).

Even if it was clear there was an attack, it would be difficult to objectively know which of the double-spend transactions was legitimate and which was not without some other public commitments in each transaction.

TaPoS works by cryptographically incorporating a recent block id into each transaction. EOSIO implements this using 16 bits to represent the lower bits of the block number and 32 bits from the block id to validate the match. Four bytes is not enough to prevent a brute force attack on a single block; however, changing one block would require changing all subsequent blocks until the secret fork is revealed and users start producing transactions on the new fork. This makes the cost of an attack equal to finding many 32 bit hash collisions. Expensive, but not impossible. In this case, the cost grows linearly depending upon how long back a reorganization is attempted. On proof of work chains, the difficulty of a brute force attack would be infeasible as each attempt at finding a 32 bit collision would require the full proof of work difficulty of the block.

While this approach works well against accidental reorganizations and replay attacks on intentionally forked chains, it could not be considered fully cryptographically secure on non-proof-of-work systems, where users must still rely mostly upon the security from the Byzantine fault tolerant producer set.

New Approach to TaPoS

For Fractally’s new chain we are enhancing TaPoS such that all transactions cryptographically linked to the block cannot be brute force attacked, and we are doing this with 50% less overhead per transaction than EOSIO or HIVE. EOSIO and HIVE each use 6 bytes for TaPoS while our new chain only requires 3 bytes.

The secret to the new approach is that every transaction that references a particular block links itself to that block in a different way. For starters, instead of using 2 bytes to reference a block TaPoS uses 1 byte which can reference any of the past 127 blocks or 1 out of every 4096 blocks in the past 6 days. This enables more flexibility for offline signing while still allowing easy reference to any of the recent blocks.

The next 2 bytes are the checksum which requires checking a pseudo-random offset within the block id. This pseudo-random offset can be calculated by using the hash of the transaction with all bytes after the checksum byte (typically in the header) or other similar means. This hash need not be cryptographically secure so long as it is deterministic and well distributed. There is a 1 in 65,535 chance that a fork block will accidentally match the checksum of any single transaction; however, every transaction that references the same block is checking a different part of the block id which means an attacker would have to match 10 of 20 bytes in order to migrate 50% of the transactions. They would have to solve a more difficult proof of work than a bitcoin block to match 95% of the transactions and they would have to do that work 100,000 times faster than the bitcoin blockchain to keep up with 1 block per second. Even if they had the money to afford the electricity, there is not enough hardware in existence to perform that task and the hardware that does exist is already being used for legitimate mining.

If an attacker who managed to control over 2/3 of the block producers wanted to intentionally create a fork to attempt a double spend, they would have to drop over 99% of all transactions that reference the block(s) they are rewriting, or they would require more computational power than the entire bitcoin network to migrate even a small fraction. Long range attacks would be virtually impossible without dropping 99% of everyone's transactions, which means no one would have any economic interest in the hypothetical fork.
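The 3-byte scheme described above, as an added example (not code from the original post or from Fractally), measuring how many signed transactions still validate on a fork whose block id agrees with the honest one on only some bytes. Assumptions: 20-byte block ids, the low 7 bits of the block number as the 1-byte reference, SHA-256 of the transaction body to pick the offset, and a 2-byte window that wraps around; the every-4096th-block mode is not modelled.

```python
import hashlib

ID_LEN = 20     # assumption: 20-byte block ids, as in the page's "10 of 20 bytes"
WINDOW = 128    # assumption: low 7 bits of the block number name a recent block


def checksum_offset(tx_body: bytes) -> int:
    """Deterministic, well-distributed offset into the block id for this tx."""
    digest = hashlib.sha256(tx_body).digest()
    return int.from_bytes(digest[:4], "big") % ID_LEN


def checksum_at(block_id: bytes, offset: int) -> bytes:
    """Two block-id bytes starting at offset, wrapping at the end (assumption)."""
    return bytes([block_id[offset], block_id[(offset + 1) % ID_LEN]])


def make_tapos(block_num: int, block_id: bytes, tx_body: bytes) -> bytes:
    """3-byte TaPoS field: 1-byte block reference followed by 2-byte checksum."""
    off = checksum_offset(tx_body)
    return bytes([block_num % WINDOW]) + checksum_at(block_id, off)


def tapos_valid(tapos: bytes, tx_body: bytes, recent_ids: dict) -> bool:
    """recent_ids maps (block_num % WINDOW) to the block id on the node's fork."""
    block_id = recent_ids.get(tapos[0])
    if block_id is None:
        return False  # referenced block is unknown on this fork
    return tapos[1:3] == checksum_at(block_id, checksum_offset(tx_body))


def surviving_fraction(matched_bytes: int, n_tx: int = 4000) -> float:
    """Share of txs signed on the honest block that still validate on a fork
    whose block id equals the honest id in only its first matched_bytes bytes."""
    block_num = 1_000_003  # constructed sample value
    honest_id = hashlib.sha256(b"constructed honest block").digest()[:ID_LEN]
    flipped = bytes(b ^ 0xFF for b in honest_id[matched_bytes:])
    fork_view = {block_num % WINDOW: honest_id[:matched_bytes] + flipped}
    ok = 0
    for i in range(n_tx):
        body = b"constructed transfer #%d" % i
        ok += tapos_valid(make_tapos(block_num, honest_id, body), body, fork_view)
    return ok / n_tx


if __name__ == "__main__":
    for k in (0, 2, 10, 20):
        print(f"fork id matches {k:2d}/20 bytes: "
              f"{surviving_fraction(k):.1%} of transactions still valid")
```

Matching one 2-byte window rescues only the transactions whose offset lands on it, roughly one in twenty here, which is why grinding a single collision does not carry a fork.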

TaPoS 2.0 and Proof of Work

Proof of work blockchains suffer from a number of known vulnerabilities including selfish mining and any number of attacks that rely upon building an alternative fork in secret and revealing it later.

Using the new approach to TaPoS we can modify the consensus algorithm of Proof of Work such that every transfer produces TaPoS-Coin-Days-Destroyed (TCDD) as a side effect, calculated as (the TaPoS block number of the new transaction minus the TaPoS block number of the input tokens' transaction) times the number of coins on the input.

The “best chain” is the one that has the most TCDD; however, to extend the chain new blocks must also have sufficient proof of work. Any hidden forks would be unable to grow TCDD beyond their own coins and would require the same amount of proof of work as the public chain. Upgrading Bitcoin to support such a feature could be done without a hard fork, meaning old and new nodes could both read transactions which leveraged TaPoS validation. Any hidden forks would be automatically ignored by the new nodes. While old nodes may follow the hidden chain for a little while, little critical infrastructure would recognize it and the old nodes would have to upgrade to recover from the attempted hack. The reduced likelihood of success would likely be enough to prevent any such attempt from occurring in the first place meaning that the network could achieve herd immunity with a sufficient number of critical players adopting the new TaPoS protocol which only requires 3 bytes per transaction.

The end result would be a hybrid-proof-of-work and proof-of-stake system which has all of the advantages of both systems while eliminating many of the disadvantages of either system operating in isolation.

Is TaPoS Useful?

TaPoS clearly has some theoretical benefits, but do any of these benefits provide practical benefits to offset the meager cost? For starters, TaPoS has been in use for years on Hive and EOS but these chains have not seen any hint of a long-range attack. The block producer selection algorithm and other social forces mean that the chance of a successful attack is already quite small.

The secondary use of TaPoS is to facilitate intentional community forks while preventing replay attacks. While TaPoS makes this trivial, it can also be achieved by a small change to the signature verification algorithm as part of the launching of a new fork.

Under Fractally there is a whole new level of subjective accountability via its robust governance processes which would make any attack at the technical level almost pointless with or without TaPoS.

This leaves the primary benefit of TaPoS as securing Proof of Work blockchains and use by centralized private blockchains. A private company could launch a chain where they are the sole producer of blocks but where the community is the distributed validator of blocks. Utilizing TaPoS, the private company would be unable to fork the chain for a double-spend without collusion of a sufficient number of its customers switching to the new fork and invalidating all of the transactions of its customers during the fork period. This means the private company couldn’t selectively harm customers, leaving censorship as the only remaining vulnerability of the private chain. This censorship, if widespread, could easily be resolved with a community-led fork for a new centralized producer with decentralized validators.

Conclusion

The cost of TaPoS is relatively small and it provides everyone involved a meaningful degree of protection against even the most centralized set of block producers. Its presence means that there is little incentive to even attempt long-range attacks even if those attacks would ultimately only be temporarily disruptive. At 1000 transactions per second, the total cost is 3kb per second or about 0.01% of the bandwidth.

It would seem that TaPoS is a low-cost method of eliminating the vast majority of theoretically possible, but likely impractical, attacks against all of the other known consensus algorithms. So for those who value total cryptographic and objective security, TaPoS seems like it is worth the time. For companies wanting a centralized blockchain, TaPoS seems to be the best way to provide cryptographic commitment to the past without giving up control over the future. It is probably far more cost effective and secure than publishing your hashes to another public blockchain.

For those who look at the practical realities relative to the theoretical risks and are comfortable with subjective security, TaPoS is probably unnecessary overhead. That said, there is something to be said for silencing the vocal critics that may scare your customers with theoretical but impractical risks.

For these reasons I believe that TaPoS should be a feature of every blockchain regardless of the consensus algorithm used.

Original URL:

https://hive.blog/fractally/@dan/rethinking-transactions-as-proof-of-stake-tapos
