Discussion about dPoW solution (1)

It’s a positive sign that Komodo has starting drawing some attention instead of being regularly ignored! I hope that with improved documentation many misunderstandings will be solved and more developers will see the advantages of building on Komodo technology.

Today Justin Ehrenhofer published a critical article about dPoW on Medium:

“No, dPoW Isn’t a Perfect Solution”
https://medium.com/@JEhrenhofer/no-dpow-isnt-a-perfect-solution-7e6e43cc20be

After a brief exchange on Twitter, I invited him to join Komodo Discord and talk directly with lead developer jl777. There’s an ask-jl777 channel and he’s one of the most accessible developers in this space.  I edited the conversation that followed in this post.

########BEGIN

jl777
He is totally wrong: “Well, if my suspicions are correct, then the original chain is dropped in favor of the attacker’s longer chain. The greyed-out arrow indicates that the network ignores the notarization as inaccurate”. Once a height is notarized, it is not dropped, reorganized, etc. so his entire premise (dPoW works just like PoW) is incorrect. Also he is conflating the easy mining KMD does for only KMD, that is not really linked to dPoW at all, it just happens that for KMD the notaries get easy mining, when notarizing other chains NN have no mining advantages.
All nodes verify all notarizations, so it is validated by all nodes and this does not allow NN to have any special powers. Once a notarization is validated locally, it will reject any attempt to reorg, so his picture above is totally invalid.

Alright
https://cdn-images-1.medium.com/max/800/1*_MWF2Noj2FomT79pmQuJcg.png
That’s where he got it wrong. I don’t understand how he could think that scenario is possible. If that scenario was possible, dPoW would be doing nothing

jl777
He starts from the assumption that dPoW doesn’t do anything and then concludes exactly that by demonstrating that if it did nothing, it would be doing nothing. I assume we can rebut such nonsense?

Alright
I can do that in one sentence:
The nodes need to determine if they will accept or reject the new chain. More on that later, but let’s suppose that the nodes will accept the chain with more difficulty for now.
-> They will reject it.

Mylo
Hi Justin, thanks for the article. I think there are a some misunderstandings. On the recent Tech Tuesday for Komodo I’ve detailed the process of dPoW that might clear up the caveats section?
Figure 3 in your article is not possible. An attacker cannot mine past a notarization point and have the rest of the network just accept the attackers chain. If you read the latest Tech Tuesday:  https://komodoplatform.com/tech-tuesday-update-13/  the notarization hashes form part of the network wide consensus. The attacker does not have the recent hashes and will be ignored. The way you’ve drawn Figure 3 is just normal PoW ignoring dPoW features in the consensus. Also, the KMD easy mining is only for KMD chain. Notary nodes do not get easy mining for any other chains. All the best with your writing, thanks for taking the time to check out dPoW - it has a history of protecting weaker chains.

sgp
Author here, if this is the case, what prevents nodes from notarizing malicious blocks? These nodes could mine their own chain and completely reject the traditional PoW system then.

jl777
ALL nodes in the network need to validate blocks normally. ALL nodes in the network validate that all notarizations are valid. If anybody tries to reorg the chain past a validated notarization, it is rejected. What is a malicious block? If it includes a double spend, then it is invalid, and will be rejected. All blocks need to be valid to be validated. Now the blocks that are not notarized are subject to the normal rules, but once notarized (and validated) it is not accepted to change it. any block that tries to change it is rejected. There is no valid block that is malicious, as it is a valid block. Once it gets notarized, then it can’t change. At the moment of notarization, there can only be a single spend as at that moment in time the chain is valid, the notarization is valid, ALL nodes validate it. Once that happens, any tx that is notarized won’t be able to be double spent as that would violate the notarization rule

sgp
Give me a second to create another diagram to show you the other concern I have if you trust these notarized blocks explicitly

Alright
You don’t trust the blocks. They are validated by consensus rules

sgp
Yeah, but it’s HOW it’s validated that matters. Let me get that diagram, one sec

Emmanuel
Think of them as decentralized checkpoints. Every node validates, as normally

Alright
How are BTC blocks validated?

sgp
It’s a matter of what blocks are validated, not what nodes validate them that I’m concerned about

Emmanuel
It doesn’t matter what block, as long as it is valid. If your concern is “the evil notary nodes might censor a transaction” or something like that, well, that’s why it is decentralized.

jl777
blocks that are in the local nodes blockchain are what the local node validates

sgp
Here’s what I could make in 2 seconds
https://i.imgur.com/cIgX0ca.png

jl777
The notaries notarize the public chain, otherwise ALL the nodes in the network wouldn’t validate it as a valid notarization

sgp
Why do they need to do that though? Why not mine a private chain and only reveal to the network when notarized?

jl777
How can it get notarized if it isn’t public?

sgp
They make it public as they notarize it but they notarize the data that doesn’t include their transaction

jl777
I think you are missing that it is mutually exclusive. A block is notarized or not. If it is privately mined, it can’t be notarized and validated. So the only way is to publish the private blocks and then notarize it. Once it is notarized, it can’t be undone as the nodes already validated it with the initial tx.

sgp
Doesn’t the ability to rule over any unruly PoW chains though, also mean that they can rule over any non-malicious PoW chains? I don’t understand how the scenario would prevent the notaries from acting malicious

jl777
There is no “ruling over”. The notaries run normal nodes then then reach a consensus as to what a specific height blockhash is.

sgp
My point is simply to emphasize that the notarized blocks are valued more in consensus than non-notarized ones

jl777
No, let me finish before you jump to your conclusion. The notaries send out a tx with the height + blockhash of a recent block, usually 10 blocks from the last one. This then gets mined by some miner (plz ignore that notaries easy mine KMD, that has nothing to do with notarization). Now, when that notarization tx gets mined into a block, ALL nodes see it, ALL nodes check locally if indeed at the height that it had the same blockhash that they already had locally. There is no forcing a tainted block onto the other nodes. If and only if a valid notarization is seen is the notarization height changed locally. This is done by all nodes (including the notaries). Once we have this notarized (and validated by all nodes) height, each node then applies it as a test for all new blocks coming in. If it tries to reorg past the notarized height, it is rejected, so, once a tx gets notarized, it can’t be double spent. This has been tested extensively internally and also live in the field. dPoW does not protect blocks that have not been notarized yet, that uses the normal satoshi consensus. @sgp curious as to what problems you see. I am eager to fix any actual problems

sgp
What would happen in an example were a malicious notary creates a new chain from the point of the last notarization and notarizes the next block at the expected blockchain height? It’s my understanding the nodes would drop the other PoW chain in favor of the malicious one

Mylo
Notarization is a multi-signature process between 13 randomly allocated nodes (out of the 64). A single notary cannot “just notarize if they want to”. It is distributed process.

sgp
Yes, I understand that.

Emmanuel
Again, what makes it “malicious”?

sgp
@Emmanuel in this case, it simply indicates notaries acting against the interests of the greater network, that’s all

jl777
One malicious notary can’t do anything, so we need to assume enough malicious notaries are colluding. Now what exactly do these colluding notaries do? They can publish a notarization for a (height + blockhash), if ALL the nodes in the network have that (height + blockhash) it is validated, if not, it is ignored. So what exactly does the evil notaries do?

sgp
This example is simply to indicate that 13 colluding notaries have an opportunity to regulate the new block generation. I want to ask another question about how the network would work if these notaries have less mining power than the normal chain. If they have less mining power, would it just cause a hard fork and the two networks would operate independently?

jl777
No they don’t have the ability to regulate block generation, that seems to be where you are assuming things that don’t exist

sgp
My understanding is that they would if they had the majority of mining power and had the ability to collude to create these notarizations

jl777
The KMD mining ability is totally independent from the notarization process. Ok, for KMD, yes if enough notaries colluded they could control the mining but they could only notarize the public chain, so even then they can’t double spend

Emmanuel
Easy mining is not part of dPoW

jl777
With 25% of blocks mined by external miners, notaries even if 100% collude, still can’t censor
so colluding evil notaries on KMD (but not on any other chain) generate blocks, but they can’t force invalid notarizations to be accepted

sgp
> with 25% of blocks mined by external miners, notaries even if 100% collude, still cant censor
This is where I’m confused. couldn’t they theoretically force a reorg to remove these blocks?

jl777
Not if it was notarized

sgp
I’m talking about all future block issuance

jl777
100% notary collusion would only get 75% of blocks. Now the colluding notaries are either notarizing or not. If they are, as soon as one of the external miners mines a notarization tx, the notarization locks the chain. If they don’t, then there is no notarization and that is a signal in and of itself that something is wrong. We have the dpowconfs for “confirmations” field where it stays at 1 until it is notarized, so if you wait for 2 or more confirmations, you basically won’t trust a tx until it is notarized. Once it is notarized, (that means all nodes on the network validated it) then the network will reject any attempt to double spend

sgp
Let me walk through the concern I have in individual steps

jl777
Ok

Mylo
dPoW confs for reference: https://docs.komodoplatform.com/komodo/dPOW-conf.html

sgp
At the moment I’m only looking at the future block generation, not any previous block replacement. The normal KMD miners continue on their jolly way, mining blocks as normal. They add new, non-notarized blocks to the end of the chain. The notaries also decide to mine, but they do so on their own chain from the point of the last notarization. if they have enough mining power, they would be able to keep up with the pace of the normal miners. At the moment, this chain doesn’t mean anything, at a certain point, the notaries mine a block with the same or greater block height than the normal miners, and they share their malicious chain and the accompanying notarized block to the network. Nodes look at both the normal chain and the diverging chain, notice that one is longer and has the notarization, and thus reorg and drop the normal chain in favor of the other one

jl777
Sure, that is just normal mining

sgp
Does this make sense? yeah

jl777
For users that are looking at the “confirmations” field, it stays at 1 and then if it was in the evil chain, it gets notarized and goes above 1 and now can’t be changed. If it wasn’t in the evil chain, then it goes back into the mempool. So , sure the notaries could maybe boost their mining by preventing their mined chain from ever being orphaned, but they still have to mine. This is a slight economic advantage equal to the normal orphan rate of mined blocks. Is this really the giant disaster to make you write such articles as you have?

Emmanuel
Based on all this, would be good saying “don’t vote pool owners as notary node operators”?

jl777
Well the premise that all notaries will collude together is quite a remote possibility, so as long as there are no significant attacks possible it seems keeping NN spots open to all is the best way

Mylo
So, the dPoW of the non-KMD chains is not affected by these malicious notaries mining because they cannot mine other chains to compete with miners. dPoW is 100% safe for those blockchains. No colluding notaries.

jl777
Also, if a notarized chain starts having regular reorgs all the way back to the notarization, then it becomes pretty clear the notaries are doing evil mining to boost their mining ROI. Even on non-KMD the notaries can gain a small bit, by orphaning competing chains. If the average orphan rate is 1%, this is a 1% boost of revenues but it will be visible that it is happening and requires majority of notaries to colllude. If this is the big downside of dPoW, it seems well worth the gains

sgp
KMD could configure its clients to not reorg under certain conditions, but I am also concerned about the possibility of an attacker spinning up a number of malicious nodes. What would prevent these malicious nodes from ignoring the notarized blocks and attempting to reorg further? I understand existing nodes could reject these changes, but how would new users know what chain to connect to?

jl777
The new users can find the current notarized chain by following the historical notarizations, so unless a new user is only connected to the attacker, then it will see a notarization and tend to get back onto the notarized chain. however, when there are competing chains we do see some peers get onto the non-notarized chain for a while, especially if the alternate chain is longer. As soon as the notarized chain is the longest, then it reorgs to the notarized chain and is locked in.
it is not easy to maintain a competing chain without notarizations against the notarized chain with notarizations as one will reject the other, while the competing chain won’t reject the notarized chain. @sgp any other concerns?

SHossain
Notary Nodes mines only KMD with easy diff, and NO other chain. They don’t have power to reorg another chain based on mining.

sgp
fwiw I don’t believe I ever claimed that notary nodes have an easier time mining Bitcoin. I thought that would be obvious

gcharang
@sgp normally “control over blockchain” –> The following malicious actions are possible:
1)double spends
2)censor transactions
3)mine empty blocks
Are you satisfied that a dPOW’d system won’t allow double spends?

sgp
To be honest not really. I understand that a built-in protection against reorgs past a notarized block could complicate things, but I don’t see how an attacker still couldn’t attempt to fork off at a past point, run with it and make it longer than the notarized chain, and then throw a bunch of nodes on the network to cause confusion.

Alright
They can do that, but it will have 0 effect on the network other than a bunch of misbehaving peer prints

Mylo
You can’t run longer than the notarized chain (as per Figure 3 in your article)

Emmanuel
It already happened, dPoW demonstrated to be very resilient

jl777
Yes, the confusion can be created, but ALL nodes will notice this as the “confirmations” field would be stuck at 1 until there is a notarization and at that point the confusion is irrelevant.

Emmanuel
Because people (especially exchanges) will notice immediately: 2 confs or no deal

Alright
Exchanges will automatically halt deposits with no human intervention needed, dpowconfs is one of the most clever things KMD has

jl777
If you eclipse attack all new nodes who don’t bother to check the explorer and don’t check for confirmations >1, then yes they could be confused

Alright
During an eclipse attack (if attacker is broadcasting >pow unnotarized chain), won’t new nodes coming onto the network find the notarized chain anyway?

sgp
@Alright wouldn’t they find and select the longer one but only report 1 confirmation? For any sent transactions

Alright
I don’t believe they would, I could be wrong

jl777
The eclipse attack assumes they never connect to any valid peers (somehow), eclipse attack assumes govt agency is controlling all your network traffic

gcharang
@sgp you explained here how the notaries colluding will be able to drop an external chain. Even if we consider that possible, how do they double spend after this?

jl777
@gcharang I think he is convinced double spend can happen

sgp
@jl777 but if you’re a new node and see two chains: 1 with a more recent notarization, and 1 with a longer chain, which do you choose?

jl777
The notarized chain trumps the non-notarized chain and if you are connecting to nodes on the notarized chain, they are rejecting the nodes on the attacker chain and wont relay that to your node

sgp
Well now I’m back to square 1 at being more confused… lol. What if the NOTARIZED chain was the malicious chain? What if the longer chain is simply normal miners having more mining power than the malicious notaries?

jl777
We have seen some cases where a node ends up on the longer chain and rejects the notarized chain as it is not compatible with it, but in this case “confirmations” stay at 1. A chain isn’t evil or good, it is valid or invalid. Now you can play games by reorging a chain if it doesn’t have notarizations, but whatever the currently valid chain is on a node, is a valid chain as far as that node is concerned. If a notarization happens and it is valid (your node agrees with height/blockhash), now it can’t be reorged. @sgp what scenario do you have where people can be made to lose money? Other than they ignore “confirmations” and don’t verify they are on the main chain?

Alright
I don’t see any situation where user would have to verify they are on the correct chain from a 3rd party source. If there node gets 1 peer that is on the valid chain, their node will sync that chain

sgp
If an attacker forks an old block, makes the chain longer, and gets a successful notarization, it would at the minimum cause a lot of confusion. At that point, it seems that the network would be protected by individual nodes’ local caches. New participants would select the malicious chain as accurate

Alright
What attack are they performing?

jl777
But once the longer chain gets a notarization, that is the notarized chain.

Emmanuel
Reorgs happen every day on any blockchain (dPoW or not), they don’t cause “a lot of confusion”

jl777
I think the one thing you did find was that notaries have the power to orphan competing miners blocks back to the last notarization and have a much lower orphan rate. This economic benefit is <1% increase in mining revenues and requires collusion of majority of notaries and expenditures of 51%+ mining power and it can be detected. So it isn’t very economical and they will be caught. It seems not a very practical attack

sgp
@Emmanuel I’m specifically referring to reorgs with two chains, each with their own set of valid notarizations

gcharang
The very fact that a conflicting notarization came in, implies that the network is being attacked

Emmanuel
@sgp in every reorg there are more than 1 chain, or am I missing something? But both can’t have valid notarizations

sgp
The difference is it for a longer history, allowing for notarization confirmations and double spends

jl777
There is no double spends, you keep making that up

Emmanuel
That’s the whole point – you can’t have deep reorgs with dPoW, that’s its point

jl777
@sgp you need to think through the blocks being added to the chain and apply the notarization rules, not just make up that double spends are magically possible. What sequence allows a double spend of a notarized transaction???

sgp
I’ll have to make another diagram later to show you what I mean, but at this point I’m running out of time. Ironically, it looks similar to the post I made earlier

jl777
You can’t double spend a tx in a notarized block since the notarized block can’t be reorged, it can’t be changed. Which means any utxo spent in a notarized block can’t be double spent. You can double spend non-notarized tx but once it is notarized, it just can’t be undone. We have tried and tried to break this without any success. The only advantage is notaries can gain a bit of mining ROI by the orphan rate, but that requires collusion that is detectable and actually 51% attacking a chain. No double spends of notarized tx

Alright
Likelihood of being able to pull that off is slim. For getting a better mining ROI by getting notaries to collude, you would need significantly more than 13 notaries to collude because notaries can’t pick and choose who they will notarize with.

sgp
Before I go (I dispute the above), do you have a formal analysis for your dPoW setup? Anything beyond the whitepaper and recent blog post I should be referring to?

jl777
Checkpoints work to prevent reorgs past that checkpoint. dPoW is not doing anything mathematical, it is purely about the implementation. The formal analysis is that if a block is not reorged, no tx in that block can be double spent.

SHossain
Try if you can double spend notarized tx and show us

Emmanuel
He’s not proposing an attack, but claiming that notaries could perform one

SHossain
He can also try that

Emmanuel
He would need to setup a whole notary node network

jl777
The notaries can suppress notarizations but dpowconfs allows all nodes to detect lack of notarizations

SHossain
How many nodes can he align by the attackers side?

jl777
For attack analysis we assume 100% notary collusion. We show even in that case, there is no meaningful attack. I believe I have done that but @sgp feels there is still some chart that will show me notaries can double spend

Emmanuel
@SHossain his hypothesis is about notaries colluding by themselves, no attacker

SHossain
What purpose we have to collude?

jl777
Yes, it is an interesting angle and we did find that colluding notaries can gain a bit of mining ROI to 51% mine a notarized chain but it will be detected: hard to miss reorgs with every notarization

Emmanuel
It would be annoying and economically absurd, besides very very complex (technically, aligning all the colluding nodes) (well that could be solved, it would require some development)

SHossain
The way I see it: I stay with mainnet and keep my nodes well maintained to perform better securing the network and mine my allotment of easy diff KMD. If I make it top 30 nodes, I get chance to be there another year. Moar KMD

Alright
@jl777 I still find that attack vector entirely implausible. It assumes that there aren’t honest notaries

jl777
Yes, but that is what attack analysis is: assume the worst and if the worst is a bit of mining ROI gained by orphaning competing chains with the expenditure of 51% hashrate and it is discoverable, if that is the worst, then you evaluate that it is not any practical issue

Emmanuel
It would be suicidal

jl777
Yes, but if a suicidal attack could do massive double spends, that is one thing. In this case it is an uneconomical attack. You make the worst case assumptions, find the worst attack and do a risk assessment.

Emmanuel
If any significant risk is found. In this case the risk is near absolute zero, unless very bad notary node operators are elected, bad enough that they want to suicide their project (for no reason)

Alright
Always interested in testing attack vectors, if anyone does come up with a viable one, please let me know. @jl777 this has me wondering what would happen if we had two segregated subsets of the notary network both notarizing separate forks

Emmanuel
That would mean deeper reorg, I think. For example if the world internet is broken in two pieces

jl777
@Alright it would devolve to longest chain but with the number of notaries, when there have been chain splits, the notaries stop notarizing as they can’t reach consensus

Emmanuel
So, there would be just deeper reorgs by means of regular PoW, until notaries reach consensus again

jl777
Realistically such a chain split will require corrective actions, i.e. resync on nodes that end up on the shorter chain. New nodes will automatically go to the longer chain, we have seen this. But if you end up on the shorter notarized chain, then you need to resync. But such things only happen very rarely and there is a way to resolve it, just messy. Keep in mind all chain splits are a messy business.

Emmanuel
@jl777 what are the conditions for that to happen? I mean, how many blocks without notarization? We’re talking about two notarized chains that split

jl777
That is very unlikely, as notaries won’t reach consensus if there is a chain split

Emmanuel
Yes, I know, the case would be “notary network splits momentarily, then notarize two chains, and those two chains survive in different set of nodes around the world”

jl777
That is very unlikely, as notaries won’t reach consensus if there is a chain split. If it does happen, we certainly notice it and notary on the wrong chain, resync

######END

Did jl777 answer clear all doubts? I think so, but Justin didn’t seem convinced yet. I expect followup discussions soon and I will publish them as well

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s