Emerging cryptocurrencies, such as Bitcoin and Ethereum have reached market capitalizations in the billions of U.S. dollars and transactions volumes in the hundreds of millions of U.S. dollars per day according to coinmarketcap.com. The underlying technology of blockchains to achieve distributed consensus has been touted as a solution to many challenges in decentralized systems. A key feature of a blockchain is the presence of miners that validate and timestamp transactions. Miners achieve this by solving computationally complex challenges. Even before the recent popularity of blockchains, proof-of-work protocols have used a similar principle, requiring computation to solve a challenge, to achieve a fundamental level of trust.
In this post, I argue that building systems that require large amounts of brute-force processing for normal operation (i.e., to support benign users performing valid transactions) is not only a terrible waste of resources; it is equivalent to computer programmers and engineers waiving the proverbial white flag and surrendering any elegance in system and protocol design to a crude solution of last resort.
Attacks in distributed systems
In the absence of perfect security, the traditional approach to security has been to make the cost of a successful attack high enough to ensure that an attacker sees little benefit in pursuing the gain obtained from conducting the attack. For example, standard cryptographic operations can be performed with comparably low computational resources if an entity has access to the correct key(s). An attacker that does not have key information, in contrast, needs to conduct brute-force trials of large numbers of key guesses in order to achieve the same effect.
In large-scale distributed systems, such as the Internet, resources can be accessed by anyone without using strong identities and access control. As a result, denial-of-service attacks are a concern in these environments that involve many actors, some of whom cannot be trusted. Interactions in a distributed system typically require a commitment of resource by all entities in the interaction. If there is an imbalance between the cost of initiating the interaction and responding to the interaction, then there is an opportunity for a denial-of-service attack: An attacker can cause the target of its attack to commit a disproportionate amount of resources without committing a comparable amount by itself. As a result, the target can be swamped and not respond to other, benign requests. This problem has been observed in a number of systems, such as web servers (SYN flooding attacks) and electronic mail (spam).
Elegant protection mechanisms
Defenses against such attacks can be developed by improving the protocols that are used between the entities. The overall strategies of these solutions are to reduce the resource commitment in response to the initial request and thus defusing the impact of the denial-of-service attack. For example:
- Access control: Using authentication and access control mechanism, responses can be limited to those of authorized users. The only resource commitment at the time of first contact is that of conduction an access control check for the credentials provided by the sender. The access control verification step is typically significantly simpler than the actual response to the request. If the credentials are invalid, no further action (or resource commitment) is conducted. This technique requires a suitable setup of identities and access control mechanisms. Example: to verify a user, a simple cryptographic verification (e.g., verification of an encrypted nonce) can be used.
- Gradual resource commitment: In this case, resources are not fully committed during the first response by the system. Instead, additional interactions (and valid responses by the sender) are necessary to establish sufficient (temporary) trust to commit the full resource set. This scenario does not require identities or other trust mechanisms since trust is established by properly responding to protocol operation (and thus mutually escalating the resource commitment). Example: SYN cookies can be used to require the initiator of a web request to properly respond before connection state is established.
In these cases, somewhat elegant protocols are used. (I distinguish “elegant” from “brute force” in the sense that domain-specific operations are implemented to avoid the need for brute force.)
Blockchains and proof-of-work protocols
A solution to denial-of-service attacks that has emerged in recent years is a technique called “proof of work.” In proof-of-work protocols, the initiator is required to commit resources in order to show that they are serious about wanting to conduct a transaction. The responder sends a challenge to the initiator and requires the solution to the challenge before continuing the interaction. The challenge is designed to be difficult to solve, but easy to verify. For example, finding an input to a cryptographic hash function with a key provided by the challenger such that the last n bits are zero requires a lot of brute force testing of different inputs (since the one-way hash function is hard to reverse). Once a result is found, verifying the correctness of the result is a simple, single hash calculation. Using such an approach, the initiator of a request is required to commit considerable amounts of resources before the responder does so. Thus, a denial-of-service attack would become significantly more expensive or difficult to conduct for an attacker.
In blockchains, the idea of proof of work has been extended to protect the transaction history in the system. Miners solve computationally complex problems and then lock the current state of the system with the results of these computations. Alterations to the transaction history would require an attacker to outperform the computational power of all legitimate miners to create an alternate history of transactions. This principle of protecting transactions from alterations clearly works.
Impact on environment and society
At first glance, proof-of-work protocols and block chains get the work done. However, there are significant drawbacks to these solutions that are outside the technical scope. It has been reported by numerous outlets, including IEEE Spectrum, that the current blockchain miners consume vast amounts of electrical power. The current consumption of the Bitcoin network, as reported by digiconomist.com, at the time of writing exceeds the total electricity consumption of Ecuador. This level of computation demand has been deemed unsustainable, as described in an article on Motherboard, which shows that a Bitcoin transaction requires approximately 5,000 times the energy of a credit card transaction.
Another aspect of brute-force processing in systems is that it enhances economic imbalances across society. The ability to conduct large amounts of computations is limited to those entities that can afford the capital and operational expenditures necessary for the underlying computing infrastructure. Thus, only wealthy individuals, businesses, and countries can be major players in this environment. This is contrary to the design of other large-scale systems, such as telecommunications and the Internet, which have aimed to make access to information more accessible to everyone – independent of economic status. Considering the wide use of (even low-end) smartphones in all parts of the world, such design goals can actually translate into real achievements.
Where do we go?
Committing huge processing resources makes economic sense for the miners since fees are paid to them for recording transactions in the blockchain. However, in the larger perspective, these operations are a huge waste of resources for the small value that they provide to a system. Recording a transaction with suitable privacy such that its outcome is immutable should not require an energy consumption that is comparable to an entire country’s energy budget!
There is ongoing work to develop new principles for blockchains, such as shifting from proof of work to proof of stake. However, we also need to explore the underlying desire for using blockchain-based systems. The properties provided by blockchains, such as immutable consensus, can easily be achieved by (physically or logically) centralized systems. However, the concern about control of a centralized system is deeply rooted in some communities. What is the right tradeoff between anonymity, privacy, distributed control and the danger that we put a huge burden on the environment and society through massive brute-force computation because we mistrust centralized systems?
About the Author: Tilman Wolf is Senior Associate Dean and Professor of Electrical and Computer Engineering at the University of Massachusetts Amherst.