Is Network Anonymity Alone Sufficient for Resilient Proof of Stake Systems?
In the ever-evolving world of blockchain technology, the concept of Proof of Stake (PoS) has emerged as a significant alternative to the energy-intensive Proof of Work (PoW) systems. Unlike PoW, which relies on computational power to validate transactions and secure the network, PoS uses the amount of cryptocurrency a person holds and is willing to "stake" as a means to ensure trustworthiness. But with this innovation comes a critical question: Is network obfuscation alone sufficient for resilient proof of stake systems?
The Essence of Staking and Privacy
Imagine playing a high-stakes game where everyone's bets are public, but you are wearing a mask. This is somewhat analogous to participating in a PoS blockchain. Validators, or those who validate transactions, publicly stake a certain amount of cryptocurrency. This stake acts as their ticket to participate and their bond of trust. The more you stake, the more you can validate, but also, the more visible you become.
The good news is that the initial staking transaction is somewhat obscured, protecting the history of your funds up to that point. But here’s the catch: all future actions by the validator are traceable back to this staking transaction. It is like leaving digital breadcrumbs back to your stash, potentially painting a target on your back for those looking to exploit this information.
Voting: A Double-Edged Sword
Voting on transactions, blocks, or proposals is a fundamental aspect of the PoS mechanism, where your vote's weight is proportional to your stake. However, this system introduces the potential for self-censorship and targeted attacks. Validators might hesitate to vote freely, fearing repercussions if their voting patterns become too predictable or if they attract unwanted attention from adversaries. Deciding the system’s truth is essential, and while it can be done through voting, it doesn’t necessarily have to be the only mechanism.
In PoS blockchains, validators select transactions included in the next block when proposing new blocks to be added to the blockchain. Stricter OFAC (Office of Foreign Assets Control) regulations make validators avoid including transactions that are linked to blacklisted addresses or activities.
For consensus, where a leader's identity can be compromised, this becomes an even bigger issue. In order to protect themselves, leaders will opt to build blocks that minimise risk to themselves, leading to potentially compromised decentralisation and credible neutrality. This is a process known as self-censorship. Ethereum block building is heavily affected, while attestation could also be affected. It is key to mention that Nomos will not have attestation, but more details will be provided in future articles.
Attestation in the context of blockchain refers to the process of cryptographically voting or supporting a transaction or block.
This implies that validators can still freely participate in the consensus process without the same restriction or self-censorship applied to block building due to regulatory concerns. It is our goal at Nomos to reach the same standard and offer impeccable network resilience.
Privacy Analysis in Voting: A Focus on Findings
At Nomos, the security of our users and the resilience of the network are of utmost importance. We therefore analysed how easily validators can be de-anonymised when they participate in on-chain voting through a mixnet.
Mixnets, or mix networks, are routing protocols designed to establish communications that are challenging to trace. They achieve this by employing a series of proxy servers, referred to as mixes. Mixes receive messages from numerous senders, shuffle them, and transmit them in a randomised order to the subsequent destination, which may be another mix node. They play a crucial role in maintaining the anonymity of communications. However, our analysis found that there is a probability of identifying validators, thereby opening avenues for malicious activities.
Consider the following:
- voting is happening as often as possible (async protocol, no time delay between blocks)
- just one tracked message is enough to de-anonymise the validator
Given these conditions and acknowledging that mixnet privacy assurances fall short of cryptographic privacy levels, let us assume we have an idealised mixnet that provides a 1 in a million (10^-6) likelihood of a privacy breach. This corresponds to a 10-layer mixnet with 1/4 of nodes controlled by bad actors.
Consider a scenario with 1000 validators, where each validator casts one vote per block through the mixnet. Generating 1000 blocks then means 1,000,000 votes routed through the mixnet. This activity translates to a 50% probability of de-anonymising a random validator within every 1000-block interval. Given Ethereum's daily production of approximately 7000 blocks, this model forecasts the de-anonymisation of 3.5 validators daily.
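The exposure model above can be carried through numerically. This is an added example, not code from Nomos; it assumes one mix per layer chosen independently and uniformly at random, and that a vote is traced only when every mix on its path is adversarial. The function names are hypothetical. The page quotes round figures, so the unrounded outputs here are of the same order rather than identical, and the last function goes one step beyond the text by finding the layer count needed to meet a chosen exposure target.

```python
import math

def path_compromise_prob(layers: int, adversarial_fraction: float) -> float:
    """Chance that every mix on one message's path is adversarial (assumed:
    one mix per layer, picked independently and uniformly at random)."""
    if not 0 <= adversarial_fraction < 1:
        raise ValueError("adversarial_fraction must be in [0, 1)")
    return adversarial_fraction ** layers

def prob_any_traced(p_msg: float, messages: int) -> float:
    """P(at least one of `messages` independent messages is fully traced),
    i.e. 1 - (1 - p)^n, evaluated without floating-point cancellation."""
    return -math.expm1(messages * math.log1p(-p_msg))

def expected_traced_per_day(validators: int, blocks_per_day: int, p_msg: float) -> float:
    """Expected number of traced votes per day, one vote per validator per block."""
    return validators * blocks_per_day * p_msg

def min_layers(target: float, messages: int, adversarial_fraction: float,
               max_layers: int = 64) -> int:
    """Smallest layer count keeping prob_any_traced at or below `target`."""
    for layers in range(1, max_layers + 1):
        p = path_compromise_prob(layers, adversarial_fraction)
        if prob_any_traced(p, messages) <= target:
            return layers
    raise ValueError("target not reachable within max_layers")

if __name__ == "__main__":
    # Scenario values taken from the text above.
    VALIDATORS, INTERVAL_BLOCKS, BLOCKS_PER_DAY = 1000, 1000, 7000
    votes = VALIDATORS * INTERVAL_BLOCKS
    for label, p in (("idealised 1e-6", 1e-6),
                     ("10 layers, 1/4 bad", path_compromise_prob(10, 0.25))):
        print(f"{label}: p_msg={p:.3e} "
              f"P(any traced / 1000 blocks)={prob_any_traced(p, votes):.3f} "
              f"traced votes/day="
              f"{expected_traced_per_day(VALIDATORS, BLOCKS_PER_DAY, p):.2f}")
    # Defender's question: how many layers keep per-interval exposure at 1%?
    print("layers for <=1% per interval:", min_layers(0.01, votes, 0.25))
```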
Secrecy and Voting
Since we expect privacy when we vote, it is natural, in some ideal scenarios, to expect secrecy for validator voting in the blockchain context as well. For example:
- Country elections and referendums go to great lengths to ensure voter privacy.
- Survivor has its contestants place their vote in private.
- Confidential shareholder voting is a common practice in public companies.
Whenever there is potential for specific coercive action against voters, society has adopted a secret ballot system, covered by examples in international law. In Nomos, instead of relying on the human factor, we aim to provide the necessary supporting mechanisms through technology.
Moving Forward: The Need for Attack Resistance
The findings suggest a pressing need for more robust resilience mechanisms within the PoS framework. It is not just about protecting validators from targeted attacks; it is also about ensuring the system remains decentralised and secure by allowing participants to operate without fear of exposure.
At Nomos, we believe that network resilience is paramount. We provide foundations for protocols that believe in the principles of plausible deniability. Each node should be able to contribute to the system without making political or preferential choices. This is when on-chain governance and voting mechanisms can fully reach their potential.
The goal of strengthening the network’s privacy is to shield the system from attacks, which matters precisely in the Network State infrastructure. Equally important, by doing this we aim to establish the trust and integrity of the entire Nomos blockchain network, which is needed for greater adoption.