RepuCoin: Monash reveals 51%-resistant, 10k TPS PoW blockchain
You can get some incredible results by embracing the inevitable proof-of-work oligopoly.
- It's a proof-of-work system that can theoretically offer a much higher degree of security than Bitcoin and others
- It can achieve a throughput of 10,000 or even more than 20,000 if you relax some assumptions
- At its heart, RepuCoin works by embracing the assumption that mining will be an oligopoly. The heightened security assumptions can make it work, while the high throughput comes from taking advantage of this degree of centralisation
On 21 March, Monash University announced that researchers at the university were part of an international team which developed a successful proof of concept of a proof-of-work (PoW) blockchain claiming a high degree of resistance to 51% attacks, while boasting potential throughput of over 10,000 transactions per second.
It's called RepuCoin.
As the name suggests, RepuCoin is a reputation-driven blockchain.
"But make no mistake, this is not about subjective reputation in the sense of social networks," said Professor Paulo Esteves-Verissimo, a contributing researcher from the University of Luxembourg. "It is about physics."
Reputation in brief
In a nutshell, RepuCoin works with proof-of-work mining similar to Bitcoin, except it also gives miners a reputation score. Reputation grows based on the total amount of valid work a miner has contributed to the system over time and the regularity of that work.
This helps directly solve some of the main 51% attack vectors, such as attacks carried out with rented hashrate alone.
By the numbers, this means carrying out a majority attack on a mature RepuCoin-based blockchain would take more than 51% of the hashrate, would take a lot longer than traditional PoW blockchains and would overall be much, much more expensive.
"When RepuCoin has operated for a year, attacking the system with 68% of its total mining power would take at least six months and would be at least 5,760 times as expensive as conducting the same attack on Bitcoin," said Dr Jiangshan Yu of Monash University.
Reputation in less brief
Turning reputation scores into a workable blockchain security model obviously isn't quite as simple as just adding extra weight to the most senior miners, especially if you're trying to avoid the miner centralisation that's endemic to more standard proof-of-work systems.
RepuCoin gets around this by creating a "consensus group" of miners within the network. Miners can still earn rewards even if they're outside the consensus group.
The Consensus Group
The consensus group is basically the "real" miner network within the wider miner network. It's solely responsible for reaching consensus. Based on how the group is formed, it will inevitably include the miners with the highest reputation on the network, and because a miner's reputation score is largely dependent on their long-term application of hashrate, you can also expect the consensus group to include much of the network's hashrate.
The consensus group is dynamically built and adjusted.
The consensus group size is defined as the minimum number of miners with enough decision-making power to ensure safe and live control of the system, according to the rules for reaching consensus.
The rules for reaching consensus are that consensus is only reached (transactions are only processed) in the following situations:
- More than two-thirds of all nodes (on the network as a whole) reach agreement on that transaction, as per traditional byzantine fault tolerant theory
- The two-thirds of those nodes collectively have more than two-thirds of the cumulative reputation power within the consensus group
This clever dynamic essentially creates a situation where the network dynamically adjusts in order to ensure consensus can always be reached, but consensus cannot realistically be reached when the network isn't extremely secure. It can be adjusted as needed.
When miners attack
To attack this system, an adversary would have to control more than one-third of the nodes on the network, as well as have more than one-third of the cumulative reputation of the consensus group.
This means RepuCoin gets more secure the longer it stays up, and in a relatively short period of time becomes highly unfeasible to attack. The table below shows just how difficult it would be to break the system.
RepuCoin: Your Reputation is Your Power, p. 13
The column on the left refers to how long the RepuCoin network has been live, while the top row refers to how long an attacker would have needed to be mining on the network. The percentages filling in the table show what percentage of the network's computing power an attacker would need to have over that period of time.
For example, once RepuCoin has been up for 12 months, an attacker would need to have been controlling at least 68% of the system's computing power for at least 6 months in order to viably break the system. And with less than 27% of network power, an attacker would need to spend at least 108 years on mining before they can attack.
So even if a hostile miner manages to consistently scrape up enough computing power for long enough to attack, it would still be inordinately expensive in a sufficiently developed system.
This more complex system also offers a great deal of protection in more subtle ways. It reduces the danger of 51% attacks perpetrated by secret ASIC miners or a sudden surge of rental hashrate, and means successful collusion would have to involve the largest and oldest mining outfits.
RepuCoin is so fast largely due to its use of a system of key blocks and microblocks, as first posited in Bitcoin NG and now used by various blockchains such as Aeternity, and because having a more reliable consensus group allows for a few handy shortcuts.
- Key blocks. These are blocks discovered in periodic intervals by miners, similar to how Bitcoin miners will periodically uncover Bitcoin blocks. The difference is that these key blocks aren't intended to carry all the transactions by themselves. The miner who discovered the most recent key block is known as the "leader."
- Microblocks. These are the blocks that carry the bulk of the network transaction volume. They essentially ride along on the same proof of work as the preceding key block. So functionally, the leader is issuing microblocks.
So in the end, key blocks function kind of like checkpoints, while microblocks pop out every few seconds and do the heavy lifting. The problem with this system by itself is that the leader can theoretically disrupt the system by refusing to issue microblocks.
To get around this, RepuCoin decouples key block discovery from leader selection and shares mining rewards between the miner of the key block and the leader, like so:
- A miner finds a key block and earns a portion of the reward
- The leader is picked at random from within the consensus group and earns the rest of the reward
- The leader processes transactions on microblocks and commits them to the blockchain
- The rest of the consensus group verifies the microblock transactions to prevent double spending by a leader
So, a miner's performance in terms of how quickly they verify transactions, issue microblocks as the leader and so on, affects their reputation. Higher reputation means more rewards, so there's a direct incentive to perform highly. This means the consensus group tends to be composed of the highest performing miners who are able to issue and verify microblocks the quickest.
If a member of the consensus group is holding things up by not performing as it should, it will be bumped out of the consensus group and replaced by the next-highest reputation candidate. Similarly, if a leader tries to tamper with the network, such as by failing to commit microblocks, its reputation will suffer and it will get bumped from the consensus group.
How fast is fast?
RepuCoin's calculable throughput depends on two key factors.
The first is the size of the consensus group at any given time because it affects how many people need to verify microblocks. The smaller the consensus group, the faster the network, but the larger the consensus group, the more secure the network is.
The other factor is block size. If it's too small, each block carries too few transactions to be optimal, but if it's too large, it takes too long to propagate blocks around the consensus group, especially for large consensus groups.
To work out where the sweet spot is, the researchers calculated the optimal block size for a highly secure consensus group size and worked out how many transactions per second the blockchain could handle in different situations.
RepuCoin: Your Reputation is Your Power, p. 11
As you can see, the larger the consensus group size, the slower things get up to a certain point.
In this case, the consensus group size estimates are based on the current state of Bitcoin's network. If it seems a little on the small side, remember that each of those consensus group members will theoretically be an entire mining pool containing many individual miners.
So, using the state of Bitcoin's mining distribution as a guide, the researchers worked out that on an equivalent RepuCoin network, a consensus group of 4 would cover 44.7% of network hashing power on the low end. On the other end, a consensus group that covers 90% of the network computing power would have 13 participants.
This is where that "over 10,000 TPS" figure comes from.
It specifically means that if you assume the state of mining on the RepuCoin network looks similar to the current state of the Bitcoin network, a consensus group size that incorporates 90% of the network computing power, and therefore consists of 13 members, would be able to process over 10,000 transactions per second with a block size of 2MB.
A reasonable assumption
One of the most ingenious parts of RepuCoin's design is that it assumes mining will turn into an oligopoly. This is a very, very good assumption, and one that has been borne out by approximately 100% of all proof-of-work blockchains to date.
For perspective on the assumptions of miner centralisation made by RepuCoin, where you can cover 90% of network hashrate with just a dozen participants, consider the current state of Bitcoin mining pools.
Count clockwise around the circle starting from the BTC.com mining pool, and you can see just how far you can get with a small handful of participants. It's pretty reasonable to assume that as few as 10 members of a consensus group can cover the majority of a network's hashrate.
One of the most brilliant parts of RepuCoin is that it leans into the assumption of miner oligopolies. It assumes the network will experience a fairly high degree of hashrate centralisation and implements a system where this is much less of a security threat. Then, it takes advantage of this relatively high degree of centralisation to dramatically bolster throughput.
And remember, even if just one mining pool starts dominating the network, the leaders who produce microblocks are still randomly selected from the consensus group, so in the event of extreme centralisation, there's a possibility of smaller miners earning disproportionately large rewards for relatively little hashrate, which should theoretically help balance things out and keep various nodes jockeying for a spot in the consensus group.
According to Monash University, researchers are engaging with a number of international bodies who are interested in rolling out RepuCoin across their networks to maintain data security.
Disclosure: The author holds ETH at the time of writing.