In this chapter I recount the story of Casper’s birth as an application of the principles of Aviv Zohar and Jonatan Sompolinsky’s GHOST to proof-of-stake.
I called it “the friendly ghost” because of incentives designed to guarantee censorship resistance against the oligopolists: incentives that force the cartel to be friendly to non-cartel validators.
Censorship Resistance in the Cartel Model
February 2015 — friendly incentives
Having seen the oligopoly, I set out to find a way to create a proof-of-stake protocol that was robust under cartel analysis. It had to be the case, in this protocol, that the cartel was not incentivized to censor validators who are not in the cartel.
I realized by doing the cartel analysis of proof-of-work consensus, that a cartel of 51% was incentivized to censor the miners who are not in the cartel. They would immediately be rewarded with more fees and eventually also would get more block rewards (after difficulty re-adjustment).
I already knew that the strength of proof-of-stake over proof-of-work is that the protocol had access to the anti-Sybil assets (deposits), whereas proof-of-work blockchains could not directly handle mining power.
So I realized that it would be impossible for a proof-of-work protocol to detect that censorship had occurred, since proof-of-work was external to the protocol. This led to the observation that would (and will) forever characterize Casper research, as far as I’m concerned:
The cartel cannot censor the absence of censored validators.
[edit: clarification: this is to say that the cartel cannot hide the fact that the censored validators are missing]
So I saw that it is possible to create a protocol where the cartel was not incentivized to censor validators. And it was elegantly simple. The cartel had to be punished whenever validators appeared to be missing. It has to be punished severely enough and for long enough so that it is not in its interest to censor non-cartel members.
I was excited; this definitively showed that proof-of-stake was fundamentally more censorship resistant than proof-of-work, reaffirming my intuition that security deposits are king.
It was possible to see how this could be implemented: if a validator failed to get their blocks into the chain, all of the validators who did have their blocks in the chain would be penalized. It also became clear that the cost of censorship resistance in the cartel model is that a validator could deliberately go offline in order to make online validators lose money.
It was therefore also necessary to penalize validators who go offline, because it could not be clear to the protocol whether they were being censored, or whether they were offline of their own accord.
I immediately suggested to Jae Kwon and Ethan Buchman that Tendermint should adopt this rule. They both rejected the idea because they thought it was unacceptable to penalize all of the validators when some validators go offline. Jae also argued that censorship would not be a problem because it would be noticed by the community, who would promptly rebel against the cartel and stop using the blockchain.
I reluctantly agreed that this was probably true, but did not feel that it justified not doing everything possible in-protocol to guarantee that the cartel wouldn’t censor non-cartel members.
A definition of decentralization
February or March 2015
Sometime early March (or was it February?), Matthew Wampler-Doty came up with an interesting definition of decentralization:
A protocol is decentralized only if it can fully recover from the permanent removal of all but one of its nodes.
This definition was inspired by biology, by the way that mycelium is able to recover from a single cell. The idea was very interesting because it led to the observation that Tendermint was less decentralized than traditional blockchain protocols like proof-of-work, or proof-of-stake as seen in PPC or NXT.
Tendermint can’t recover without a hard fork if the network doesn’t have more than 2/3 of validators-weighted-by-stake available to sign blocks. On the other hand, Bitcoin, PPC, and NXT would be able to recover if even a single miner or staker remained online (although it would take a very long for them to produce any blocks).
The Birth of The Friendly Ghost
March 2015 — GHOST meets proof-of-stake
Vitalik and Gavin Wood were set to visit me in London, mid March, and I was meant to be able to show them a specification for a proof-of-stake protocol, and I was nowhere near ready.
I desperately did my first dive into the traditional Byzantine fault tolerant consensus literature. And I hardly learned anything at all. What did become clear to me, however, was that the literature was almost entirely focused on consensus protocols that only ever make “safe decisions” (which roughly means “only creates finalized blocks on which all protocol-following nodes will eventually reach consensus”). These consensus protocols, like Tendermint, never had any forking.
I learned that traditional byzantine fault tolerant consensus protocols require a “Byzantine quorum” to be available in order for the protocol to make decisions, and therefore would not be able to meet Matthew Wampler-Doty’s definition of decentralization. A Byzantine quorum, by the way, is a set of nodes so large that it must contain a majority of correct nodes (this definition is parametric in a fault count; we will hear more about this in later chapters).
I therefore decided that I needed a consensus protocol that favoured availability, rather than only ever making safe decisions (favouring consistency). I needed a protocol that produced blocks optimistically, so that even one validator acting alone could produce a blockchain.
Achieving finality would still be possible (whenever it is also possible for a traditional protocol) by having a Byzantine quorum (if available) decide on blocks after they are produced.
With Vitalik and Gavin practically on my doorstep, I made the following decision in a bit of a confused and desperate state: I would adapt GHOST for proof-of-stake. I already knew and loved GHOST, because it informs part of the Ethereum proof-of-work specification.
I resolved that validators would produce a DAG of blocks and “validation signatures” (signatures on blocks, which would attest to their validity and to their consensus weight). There would be a function that would take any such DAG and returned a “canonical” ordering of transactions. A record of all of the consensus activity would be recorded in the DAG and would be used for incentivization.
And of course, if any validators failed to get their blocks into the canonical order often enough, everyone would be penalized.
This description, although not actually a working, fully specified protocol, was general enough that I was confident that I could make it work.
It was the shape of a protocol that had these properties:
- One validator would be able to produce the blockchain if necessary.
- The DAG captured all of the information one could possibly find useful for the protocol’s incentive mechanisms.
- Cartel censorship would be penalized.
I explained to Vitalik and Gavin the work that I had done. Neither were too impressed (since they had expected a full protocol spec), but both could see that I had done enough work to earn my paycheck (so I was happy!).
Casper was born as simply “the friendly ghost”, an adaptation of GHOST to proof-of-stake, complete with incentives that would make a cartel “friendly” to non-cartel validators.
How “the friendly ghost” became “Casper: The Friendly Ghost”
A couple of people told me to name this “friendly ghost” “Casper” (unfortunately I can’t remember who with any certainty) before John Dilley convinced me to call the protocol “Casper” at a party at Jeremy Gardner’s “Crypto Castle”, in San Francisco.
At this party I trolled Andrew Poelstra with the idea that security-deposits solved the nothing-at-stake and long-range problems. (Don’t worry, concerned reader, we made up and had a nice time chatting in a friendly way, some time later.)
Coming up next, in the history of Casper…
The following chapter will describe my struggle to define this “canonical ordering” function of the Casper DAGs. It includes the discovery of “by-block consensus” (an event that occurred before this party where Casper got its namesake). Finally, the chapter will end in Berlin in July of 2015, when Vitalik and I finally figured out how to make Casper converge with finality.