Satoshi’s New Favourite Cryptocurrency
This article contains the final part of my four-part mega-article Defusing Crypto’s Ticking Time Bomb. I have also turned Parts 1 and 2, as well as Part 3 of the mega-article into separate articles, if you wish to read them as distinct pieces.
Without the context of parts 1 and 2, much of this article will probably not make sense. I highly recommend going through at least that section before proceeding here.
Here, I outline the workings of what I believe to be the most revolutionary cryptocurrency since Ethereum. As we shall see, it offers a new consensus mechanism which constitutes a significant improvement on Proof of Work and Proof of Stake systems — and solves problems which were previously thought to be impossible to solve. The end product is a version of Bitcoin which is scalable and can facilitate web3 — while offering greater security guarantees than Bitcoin. Sound too good to be true? That’s exactly what I thought, too.
Snapping Back to Reality
Let us recall our key problems. We have the volunteer problem, which creates on the one hand the blockchain trilemma (due to the data storage and scalability problems) — and on the other hand, the network closure problem.
In addition to all of this, we have the problems of majoritarian attacks, discouragement attacks, block subsidy reliance, the commodification of the work functions of PoW and PoS chains, and other incentive-based problems such as header-first mining and delayed block propagation.
In response to this stack of problems, we have come up with a myriad of impressive and innovative technical solutions to try and squeeze the most we can out of the trade-offs which constrain us. Statelessness, state expiry, sharding, off-chain scaling, off-chain data storage — we’ve covered them all. However, these technical solutions either fail to address the fundamental issues at hand, or further sacrifice the Satoshi Properties in some way.
In discussing so many technical ideas, we fall deeper into the dream and forget what the problems really are. What are they again?
- The p2p network is comprised of volunteers, and we free-ride on the work they do and the critical network infrastructure they provide. This work is not paid for — and so it is underprovided. This problem gets worse at scale.
- We also dump data on the chain today which nodes bear the cost of in the future, leading to blockchain bloat and an eventual collapse of the network infrastructure which the p2p network provides.
These problems mean that the self-sufficiency of every network which has decided to scale is in question. The benefits of scalability today don’t matter if we the chain isn’t going to exist tomorrow.
As a refresher, let’s go back to Bitcoin. Bitcoin (BTC) doesn’t fix these problems. Bitcoin accepts these problems, and then decides not to scale in response to them. Remember why can’t Bitcoin scale? Because scaling would increase costs to unsustainable levels for the volunteer p2p network, leading to a crumbling of essential network infrastructure and a loss of openness and security.
And why is transaction collection, validation, propagation; the provisioning of user-facing infrastructure; the storage of data not paid for to begin with? Because Proof of Work and Proof of Stake blockchains pay only for mining and staking.
The fundamental problems here are not technical problems. They are incentive problems. When all is said and done, no amount of technical tinkering will have solved the core problems which create the blockchain trilemma.
In the face of these problems, I am going to discuss a new set of solutions proposed by the innovative new blockchain Saito, which I believe solve the fundamental incentive issues at the heart of our current blockchain paradigm. I am going to discuss the blockchain design, and then the consensus mechanism design. These two solutions go hand-in-hand, so I suggest reserving all judgements until the whole thing has been covered.
Just to dispel any misconceptions before I begin — Saito is designed as a layer 1 blockchain unto itself. It can play a supporting role for other blockchains (which we will discuss later), but to avoid any confusion it should definitely be understood as its own self-sufficient blockchain. It provides a basis for a sound monetary ledger (like Bitcoin) as well as being a ledger to support web3 applications (like Ethereum). I’ll say it now: Saito is different. But keep an open mind, and you might just find some very interesting treasures in the unknown.
A New Kind of Blockchain
Let’s start by looking at how Saito addresses the data storage and pricing problems with a new kind of blockchain design.
In normal blockchains, we add data to the chain today and it stays there forever. We start with block 1, and then add block 2 on top of that — and then blocks 3, 4, 5, …, 742686. The blockchain grows block by block, indefinitely. As we know, the problem with this is that the costs of storing the infinitely growing amount of data forever are not paid for — and volunteers bear the burden. Over time, we get blockchain bloat and network collapse. This is a serious and unsolved problem.
To fix this, Saito first establishes for its blockchain a unit of time called an ‘epoch’. An epoch lasts a certain number of blocks (e.g. every 100 blocks the chain adds). Epoch length can be specified by consensus code.
Saito then specifies that when a block falls out of the current epoch, the transactions within it become unspendable. For example, imagine a Saito chain with an epoch length of 100 blocks. When the 101st block gets added to the chain and a new epoch begins, all of the transactions in block 1 are made unspendable.
However, any transactions in the old block (block 1) which have enough tokens to pay a special fee called a ‘rebroadcasting fee’ must be included by the block producer within the new block that was just added to the tip of the chain. So whoever creates the new 101st block is forced by consensus to include in block 101 all transactions from block 1 that have enough money to pay this special fee. Whoever creates the 102nd block will need to rebroadcast all transactions in block 2 with enough to pay the fee. This system is called ‘Automatic Transaction Rebroadcasting’ (ATR).
A neat side effect of the ATR system is that block-producers are forced to store a full copy of the chain, as they are not allowed to produce blocks unless they have all the historical transactions to rebroadcast into their current block. This is nice, because now we no longer need to worry about security issues like header-first validation, or problems like the provisioning of archive nodes. Not only this — they are paid for it.
After two epochs pass, block producers are allowed to delete an old block’s data. So in the example with a 100-block epoch, nodes will delete block 1’s data once block 200 is produced. Two epochs must pass before block 1 can get deleted: the epoch covering blocks 1–100 AND the epoch covering blocks 101–200. Similarly, block 2’s data will be deleted when block 201 is produced.
This whole mechanism gives us some interesting properties. What we have here is not a blockchain where the number of blocks grows forever. Instead, it is a blockchain of a fixed length of whatever the epoch length is. It is best conceived as a looping, circular chain.
The blocksize can be set to be any fixed value, or allowed to float freely, where block producers can create blocks of whatever size they want. This is purely a consensus decision. We’ll get back to this later.
From the outset, what the introduction of ‘epochs’ into the blockchain has done is create a rent style system which forces data to pay to stay on chain at fixed intervals. If you put transact and put data on the chain, you will need to pay a rebroadcasting fee to have it stay on the chain (since you are responsible for the chain size growing). This is just like the real world, where if you use cloud storage providers like Google Drive, Microsoft OneDrive or Dropbox — you pay something like a monthly fee to compensate for the provision of the service. Since blockchains are essentially giant databases, this comparison makes sense. One might object: “but on chain X you don’t need to pay to keep data on chain, so why would you do it on Saito?” However, other chains are only the way they are because the cost of growing the chain (which the user who adds a transaction to the chain is responsible for) is offloaded to volunteers. The real burden of proof is on chains who don’t pay for their own data storage costs to explain why they’ll be able to get away with doing so in the long-term without facing catastrophic infrastructural problems as pressures on volunteers grow worse.
One of the biggest lies the crypto space has convinced itself of is that data storage on blockchains is somehow able to be free just because it’s on a blockchain, and can remain free forever without the chain collapsing. That *somebody* is going to pay for it, so you don’t need to worry about it.
A question arises here. How is this automatic transaction rebroadcasting fee actually determined? We don’t want central planning, because that gives us no guarantee we’ll set the right price. But we also don’t know how much the ATR fee should be to sufficiently cover the costs of storing the data for nodes. How can we solve the data pricing problem with this system?
The solution to the data pricing problem is that the ATR fee which transactions pay to stay on the chain is made to equal a positive multiple of the (smoothed) average fee paid by transactions over the most recent epoch. For example, the ATR fee could be set to equal to 2x, 1.5x or 1.1x the average per-byte fee in the last epoch. But it must be a positive multiple, because fees lower than what nodes are currently accepting would mean fees below what is profitable for them to accept.
Like in Bitcoin and Ethereum, the fees of new transactions in Saito are set by the supply of and demand for blockspace — and block producers will not accept new transactions whose fees do not cover their marginal cost of being processed. Meaning, they will charge fees for new transactions which at minimum cover the relevant costs associated with them (e.g. processing, bandwidth). But unlike Bitcoin and Ethereum, in Saito block producers must pay an upfront cost of storing the entire previous epoch’s worth of data (the entire chain) before they can start producing new blocks. Because of this, in Saito block producers will not take on new transactions unless their fees are high enough to cover the costs of processing the transaction and the data (transaction) storage costs they have incurred. Data storage costs are factored in to the marginal cost of new transactions.
In chains like Bitcoin and Ethereum, block producers get paid today to process transactions which they don’t need to store forever, but which stay on the chain forever. They can leave the network, or pass these costs onto volunteers in the p2p network or other miners/stakers, and continue on with their header-first validation. Saito, however, makes chain storage a necessary cost of block production — incentivising block producers to charge a fee which also covers the data storage costs.
Since the ATR fee is not set by block producers, block producers can only raise fees on new transactions that come onto the chain. However, the amount which old transactions have to pay in ATR fees is directly determined by the cost of new transactions (it is necessarily a positive multiple of the recent epoch’s average fee) — so in reality, block producers can influence the ATR fee which old transactions pay also to ensure that they cover all relevant costs. (note here that for reasons we can discuss later, Saito’s fees will still be much lower than other chains)
Let’s summarise. Block producers will charge whatever fees recuperate their operational costs. Saito makes them pay upfront costs for the thing we want them to do (store the whole chain) in advance, so they are forced to raise fees on new transactions (which raises ATR fees paid by old transactions) to cover these costs. In contrast with other blockchains, which infinitely add data to the chain without pricing or paying for it, and offload more and more of this data to volunteers who eventually won’t be able to store it — we now have a blockchain which pays for its own data costs. In Saito, block producers aren’t paid upfront and just expected to stay around and cover future costs — future costs pay for themselves, because old transactions pay ATR fees.
An incredible consequence of the fact that individual transactions fall off the chain if they don’t pay a fee to stay on the chain is that the blockchain could never collapse from growing too large in size, even if we allowed it to scale. Suppose we were to remove the blocksize cap and allow block producers to post blocks of any size — scaling the chain as fast as possible. Suppose next that the blockchain grew so large in size that data processing and per-epoch storage costs were growing so high as to make nodes unprofitable. (There is a marginal cost to processing transactions which rises as throughput does, so there is a level of fees producers cannot accept without accepting losses). In this case, the fees charged on new transactions would rise to cover costs, which would increase ATR fees even more (they are a positive multiple of regular fees). This would continue right up until the point where enough data was pruned off the chain (for not being able to pay the higher ATR fee) that costs would go down and it would no longer be unprofitable to accept new data onto the chain. In this way, the ATR mechanism would allow the chain to self-regulate its own size based on what network participants can afford to store.
Put another way: if the per-byte storage and processing cost of a transaction is covered by a fee, then there would be an incentive to accept the fee and grow the chain. But if the marginal (additional) amount of data put on the chain is unprofitable to accept, then the chain will not grow. In fact, if the chain was so large that maintaining it was unprofitable, it would prune off data and shrink in size until it the marginal transaction was no longer unprofitable to process. This system with a variable blocksize would give us an equilibrium chain size determined by free market forces, where the amount of data coming into the chain is equal to the amount of data which goes out.
In this thought experiment, with a freely fluctuating blocksize and massive demand to meet it, only those with the hardware to store a high-throughput blockchain would be able to participate. However, we are not in the same situation as traditional blockchains. Because Saito actually compensates nodes for the costs of running this hardware, rather than hoping volunteers just continue to bear the burden, the amount of ‘decentralisation’ lost by scaling would be significantly less than volunteer-based systems.
Obviously, one could still impose a blocksize cap on a Saito-type chain if they wanted to ensure a minimum level of decentralisation. But keep in mind we’re only talking about fixing the data storage/pricing problem here — not the blockchain trilemma. The solution we have discussed introduces a pruning mechanism which prices and pays for data for chains of any level scalability — ensuring that even a blockchain like Solana would never collapse. However, this doesn’t remove the trade-off between scale and decentralisation. We’ll get to how Saito dismantles the blockchain trilemma later.
The introduction of fixed length epochs and ATR fees gives the blockchain a way to create a market price for data. In regular blockchains, we can’t price the data storage costs of transactions because they are on the chain forever. These unpaid costs are borne as losses by volunteer nodes, who will eventually drop off the network as costs rise over time. In a Saito based blockchain, the transaction pays rent (an ATR fee) every epoch (fixed period of time) to stay on the chain. This periodic fee creates a pricing and payment mechanism for on-chain data. It can be considered an advanced form of state expiry, with state automatically paying rent at prices set by market forces rather than by a central planner. For some simple videos explaining this mechanism, see here, here and here.
At this point I would remind you that the only possible coin which has a chance (but no guarantee) of being able to handle infinitely increasing chain size is Bitcoin, under the hope that hardware storage costs decline at a sufficiently high rate to lower or keep flat storage costs over time. Offloading data to Arweave relies on questionable assumptions, as discussed — and data sharding requires an ever-increasing (but never incentivised) node count.
In non-Saito blockchains, mining/staking nodes often prune (delete) data because they have already been paid — even though they are not supposed to. The data has already paid its fee, and its deletion is incentivised because it won’t pay anything else in the future, despite the blockchain’s promise of perpetual storage. Even in Bitcoin, miners are guilty of blockchain pruning. A Saito-style chain design forces nodes not to prune, because you can’t make new blocks if you prune old data. All the work of storing data and validating blocks happens before getting paid. Nodes are forced to store data forever as long as there is money to pay for it to be stored. Moreover, a market-based price is used for data storage. After transactions stop paying ATR fees, then the network allows them to fall off the chain. In my opinion, this is preferable to both indiscriminate data pruning and degrading the p2p network over time.
What we have discussed here is a new kind of blockchain design that, for a given level of throughput, solves the data storage and pricing problem. This means we have a blockchain which is not subject to blockchain bloat and collapse, helping to achieve the Satoshi Property of self-sufficiency/self-funding/chain sustainability on a level beyond security.
But we are only just getting started with Saito.
A New Kind of Consensus Mechanism
Saito brings with its novel chain design a new kind of consensus mechanism, as an alternative to Proof of Work and Proof of Stake. It’s got a bit too many moving parts for a ‘Proof of X’ style name to be valid, which is why it’s instead named ‘Saito Consensus’. If we were to go along with naming convention, the least reductive name (one I’ve seen suggested by a community member) would be ‘Proof of Value’, as what Saito Consensus does is incentivise nodes to deliver value to users, as defined by what users are willing to pay for.
Without any further hesitation, let’s explore Saito Consensus.
Saito Consensus Part 1: Routing Work & Block Production
Let’s quickly review how PoW/PoS consensus mechanisms work.
- Users interact with the network. Their transactions are received by a node, which then shares it across the network to other nodes. Those nodes then propagate the transaction even further across the network. Without a volunteer p2p network, or at scale, we run into network closure as there is no economic incentive for block producers to broadcast transactions.
- Miners/Stakers bundle transactions they have received into blocks, and compete to put them on the chain. They expend work (hash/stake) to produce blocks, and get paid when they propose a valid block.
In Saito, things work differently. It is the peer network which produces blocks. To produce a block, they are required to have a certain amount of ‘routing work’. Routing work is a measurement of the efficient collection of fees.
A user’s transaction comes into the blockchain, being first received by node A on the p2p network. Node A broadcasts it to peer nodes B, C and D — who then further broadcast it to other nodes E, F, G — and so on. Each time the transaction (or, fee) is broadcast to another node, we say it ‘hops’ deeper into the network. In this example, the first hop was from the user to node A. The second hop was from node A to nodes B, C and D — and the third hop was from nodes B, C and D to nodes E, F and G.
Note that the one fee has multiple ‘routing paths’ through the network. Routing paths trace the different ways a transaction hops across network nodes. They are kept track of by every node attaching cryptographic ‘routing signatures’ to a transaction before rebroadcasting it. Keep in mind that even if a node has a transaction, it does not automatically mean that it is on every routing path a transaction has. As below, node B and node C both have the same transaction given to them by node A — but are on different routing paths (blue and orange).
I said that in Saito nodes need a certain amount of ‘routing work’ to produce a block, and that routing work is ‘a measurement of the efficient collection and sharing of fees’. How exactly does this measurement work?
Each fee generates a certain amount of routing work ‘points’ for a node depending on how many hops deep it is into the network. Every hop deeper a transaction is into the network, the amount of routing work it gives to the node collecting it halves. The first node to collect a fee from a user gets the most routing work points out of it. The second node gets half as many routing work points as the first node did. The third node gets half as many routing work points as the second node. And so on. This means that the deeper you are in the network, the more inbound fee-flow you need to produce blocks at a competitive pace.
As the above diagram shows, a single transaction can generate a bunch of routing work for different nodes as it passes through the network. The earlier nodes to collect the transaction get more routing work from it.
When a transaction is put into a block by a node, it contributes ‘routing work’ to that block. The amount of routing work a transaction contributes to a block is equal to the amount of routing work it generates for the node putting it into a block. When a node accumulates enough total routing work — when it meets a routing work threshold — they can publish a block on the chain.
Let’s run through this mechanism:
First, a transaction enters the network. Then, it gets broadcasted around the network by different nodes, creating multiple routing paths. A transaction is worth more to nodes who are quicker to collect it, because nodes earlier on in the transaction’s routing path gain exponentially more routing work from collecting a given transaction. Eventually, one of the nodes that is in one of the transactions’ many routing paths accumulates enough total routing work (from collecting other fees as well) to publish a block containing that transaction (among others in their mempool) onto the blockchain.
Here’s a key detail. The payout mechanism in Saito is probabilistic.
Every block contains transactions, and every transaction in a block has a unique routing path with a total amount of routing work associated with it. The total amount of routing work for any given transaction is equal to the sum of routing work points it generated for all the nodes in its routing path. Every block therefore has a ‘total’ amount of routing work, equal to the sum of total routing work for all of the transactions inside it.
The probability of getting paid is the amount of routing work a node contributed to a block divided by the total routing work in the block.
If you contributed 10% of routing work to a block, you have a 10% chance at receiving the block reward. If you contributed 90% of the block’s routing work, you have a 90% chance at being paid the block reward. This means that on average, nodes get paid proportionally to the amount of routing work they contribute to any published block. Even if somebody else publishes the block.
This, combined with the fact that the amount of routing work nodes get halves per hop, has several implications.
The first is that if you are not the only node with a transaction, and do not have enough routing work to publish a block, you will be racing to get that transaction to as many other nodes as possible — in the hopes that they will then put it on the chain so that you can get a chance at being paid. If the same transaction with an alternate routing path that you are not on gets put on the chain, then you are not eligible to get paid.
The second, and hugely important implication, is that it means that the nodes which are facing and closest to users will get paid more.
Nodes on Saito are incentivised to contribute value to the network, which requires operating public infrastructure. If you are a third-hop node, you have an incentive to become a second and first hop node. This means positioning yourself closer to users, which means improving your efficiency at servicing users — becoming a better ISP. Network-layer efficiency is not something other blockchains create competition for.
It also means attracting more direct fee flow so that you can become a first hop node. This could be achieved by providing anything that users value (whether you service lite clients, charge lower fees, or donate some of your profits to charity). Since users can decide who their payment is broadcast to, nodes will do whatever it is that users value and are willing to pay for.
If users want faster transaction confirmation, a node can advertise this and route transactions throughout the network. If users don’t care about transaction confirmation speed and want low fees, a node could instead not forward transactions, reducing their bandwidth costs (therefore transactions fees) and market themselves based off of that. If users want to fund the development of software or applications on the network, then they can! A dapp developer can code up their dapp to have transactions route through their node first, to provide a revenue stream (which interestingly, allows for tokenless dapps). Or if a Saito application relies on off-chain data, then nodes will be incentivised to run infrastructure to have that data so that they can collect transaction fees relevant to that app. This could even mean running nodes for other blockchains. Users could even route fees to a multisig address representing a consortium of interests (e.g. an animal welfare group), should they wish. A routing work-based system such as this pays for whatever users want by putting nodes in competition to collect user transactions first — meaning, service users.
This leads to a network which dynamically reconfigures to provide value to users — as defined by their terms.
With this innovation, the Volunteer / Free-Rider Problem and the Network Closure Problem are solved. The network now self-optimises to provide whatever infrastructure it needs — rather than simply only paying for mining or staking.
“Where other blockchains explicitly define which activities have value, Saito lets the users signal what services provide value through fee-pricing, while the network infers who deserves payment.” — Saito Whitepaper
But what we have covered so far is only half of Saito Consensus. We still need to make this entire thing at least as secure as PoW and PoS. Without security, nothing has actually been solved at all. Maybe we could even do better than Proof of Work and Proof of Stake security?
Saito Consensus Part 2: Payment and Security
In Proof of Work and Proof of Stake consensus mechanisms, miners and stakers get paid for producing valid blocks and adding them to the chain. It is expensive to produce blocks (requiring hash or stake), and after producing a block you get paid the fees inside of it, plus a block subsidy if there is one. The p2p network (apart from those nodes on it who are also mining and staking) consists of volunteers.
In Saito Consensus, the p2p network produces blocks and gets paid proportionally to routing work they contribute to each block. This incentivises the provisioning of network infrastructure using the hop-halving routing work mechanism outlined above. But it only takes routing work (derived from the efficient collection of fees) to produce a block. Which means that block production is not a very costly affair compared to PoW/PoS. This does not afford us much security.
“Saito cannot simply give the fees directly to block producers: that would allow attackers to use the income from one block to generate the routing work needed to produce the next.
Dividing up the payment between different nodes is preferable, but as long as block-producers have any influence over who gets paid a savvy attacker can sybil the network or conduct grinding attacks that target the token-issuing mechanism.”
— Saito Whitepaper
Notice I have said that in Saito Consensus, nodes must accumulate routing work in order to produce a block. I have also said that nodes get paid proportionally to the amount of routing work they contribute to blocks. But nowhere have I said that Saito nodes get paid for producing blocks.
One of the crucial differences between Saito Consensus and other consensus mechanisms is that Saito Consensus does not pay for block production. Producing a block and getting paid are not co-incidental events in a Saito-style blockchain. Instead, the production of blocks is merely a precondition for getting paid.
So how does Saito do it then? How does the chain achieve security? The answer is: instead of making block production the expensive activity, Saito Consensus makes getting paid the expensive activity.
Saito pays nodes with the fees inside of blocks. There is no block subsidy. Once a node produces a block, all of the fees inside of it are burned (destroyed). To resurrect the fees so that they can get paid, nodes need to do some work. Each block has attached to it a hashing puzzle, called a ‘golden ticket’. Miners compete (by spending money) to find the golden ticket solution for the newly produced block, and if they successfully find it and broadcast it around the network, the fees from the block (the block reward) get released. Only one solution may be included in any block, and the solution must be included in the very next block to be considered valid.
This hashing process is similar to Bitcoin, where miners compete to find a unique mining solution for every block — but the main difference is that in Saito Consensus, miners are not block producers. The p2p network produces blocks, and miners unlock the funds from blocks. The difficulty of mining adjusts to target a certain number of golden ticket solutions per block (in Classic Saito Consensus, 1).
So while producing a block is a pre-requisite to receiving payment in Saito Consensus, it is not sufficient to receive payment. Funds must be unlocked through hashing work, which costs money. This gives us the comparable security properties to PoW (for now), but with some interesting new properties.
After a miner finds the golden ticket solution for a block and broadcasts it out to the network, the block’s fees are released. But who do they go to? We want to pay routing nodes, who did the routing work we want to incentivise — but we also want to pay mining nodes, who help to secure the blockchain. So we pay both. The block reward is split between routing nodes and mining nodes, according to a consensus-determined ratio called ‘Paysplit’. Discussion of the paysplit ventures into more advanced territory — so for now (and this is the default in Saito) let’s just say 50% of the block reward goes to a random routing node on the network who contributed routing work to that block, and 50% goes to the mining node who solved the mining puzzle for that block.
I say random, but in actuality the probability of a routing node receiving payment from a block is made to be proportional to their contribution to the total routing work of that block. By random, I just mean that all nodes who contributed routing work to the block are eligible to receive the block reward. Remember that this is a statistical payout. Only one routing node gets paid each block. It may not be the node who did the most routing work for that block, but on average it will be. This means that over time — but not necessarily for any individual block — nodes get paid according to how much work they contribute to the network.
Let’s reiterate what’s happening in Saito Consensus:
- Nodes produce blocks by accumulating routing work (collecting fees).
- When a block is produced, the fees inside it get burned.
- A costly golden ticket hash-lottery solution must be found to resurrect the fees inside the block and release them for payment.
- The block fees get paid out to the miner who found the block’s golden ticket gets paid, and a random routing node on the network — with routing node selection probabilistically based on how much routing work they contributed to the block. A given routing node earns money proportional to its share of the total routing work in a block on average — and a given miner earns money proportional to its share of the total hashpower in the network.
The outcome of this whole process is to gain Proof of Work style security out of a system which incentivises the p2p network to efficiently provide value to users — as well as critical network infrastructure.
“This system has several major advantages over proof-of-work and proof-of-stake mechanisms. The most important is that Saito explicitly distributes fees to the nodes that service users, collect transactions and produce blocks, and does so in proportion to the amount of value that these actors provide to the overall network.
Network nodes compete for access to lucrative inbound transaction flow, and will happily fund whatever development activities are needed to get users on the network. Of note, the services provided by edge nodes to attract Saito usage can include public-facing infrastructure needed by other blockchains.”
— Saito Whitepaper
“Reducing Saito to “pays for the p2p network” is missing the point. That isn’t the problem. The issue is scaling an open consensus layer.” — David Lancashire, co-founder of Saito
Saito Consensus Part 3: Majoritarian (51%) Attacks Eliminated?
I said that Saito Consensus gives comparable security to PoW systems like Bitcoin. But since miners are only getting paid half (instead of all) of each block’s fees, the chain’s mining budget is halved — so shouldn’t Saito’s security only be half as much as PoW?
Something else is going on here. Something that actually makes Saito Consensus more secure than Proof of Work and Proof of Stake. And it has to do with two key facts:
- That all of the routing work accumulated by each node on the network does not suddenly disappear (get orphaned) when any other given node produces a block.
- That producing a block and being paid are no longer tightly bound together. Instead, being paid depends on how much routing work you have contributed to a given produced block. (note: all block producers contribute some work to a given block, but never necessarily enough to guarantee they get paid)
Recall that attacking the blockchain requires producing the longest chain. In PoW, this requires 51% of mining power. In PoS, it’s 51% of stake. Once you get 51%, it’s game over. You will continually produce the longest chain and override (orphan) any blocks produced by others — pushing other participants off the network and taking all the network’s income in the process. Majoritarian attacks and discouragement attacks are profitable, and therefore incentivised.
In Saito Consensus, to produce a block you need to collect fee-paying transactions. This means that the only way to produce the longest chain is to collect 51% of inbound fee flow from honest users, OR fill blocks with your own fee-paying transactions to get 51% of total network fees.
But unlike in Proof of Work and Proof of Stake, in Saito Consensus if you are producing blocks and have 51% or more of the work function (in this case, fee collection), you cannot profitably produce your own chain and orphan blocks produced by smaller players. Meaning, you cannot profitably 51% attack the chain. In fact, you cannot profitably attack the chain, period.
This is a big claim to make. Really big. No other blockchain can make this claim. Even Satoshi didn’t manage this with Bitcoin. So let’s walk through some attack scenarios to see how it’s done. If at any point the following gets too in-the-details for you, just skip past the attack scenarios and you’ll eventually find a TLDR.
ATTACK SCENARIO I: SPENDING MONEY TO ATTACK THE CHAIN
Let’s examine what happens if you try to fill blocks with your own fee-paying transactions so that you can get 51% of routing work. This is the equivalent of paying for 51% of hash or stake in a discouragement attack.
There are two possible outcomes:
1) You spend your own money (in the form of transaction fees which you route to yourself) to produce a block, and then successfully mine on that block to unlock the fees.
In this case, the block reward (which is the fees you filled the block with) gets split between the miner (you) and the only node who contributed to the routing work of the block — also you. So upon finding the golden ticket solution you end up with all of the fees in the block MINUS the cost of electricity you spent hashing. But since all the fees in the block were yours to begin with, this means you will end up with less money than you started with. Attacking the network comes at a cost, and if you continue to do it you will lose more money.
2 ) You spend your own money (fees) to produce the block, and SOMEONE ELSE successfully finds your block’s golden ticket. Either you refused to mine, or they just outcompeted you.
In the case where you did no mining at all and left the mining to dedicated network miners, when a golden ticket is found for the block you would at most only get back 50% of the block fees you put in. You would only get back the routing-node portion of the block’s fees (50% of them), and the miner would take the other 50% of block fees due to the paysplit. So you lose 50% of your money per block.
If you did spend money mining, and then some other miner on the network found the block’s golden ticket solution, you would only get back the routing-node portion of the block fees MINUS the money you spent on hashing. So you would lose more than 50% of the fees you put in to create every block.
Unless you are participating in the network honestly, producing the longest chain requires spending your own money to fill blocks with fees to accumulate routing work. To recover back the funds you put in the block, you either have to spend your own money mining, or lose half the block’s fees to somebody else. This means you would be losing money and the attack would therefore be impossible to sustain over time. Attackers would eventually go bankrupt. This contrasts to PoW and PoS, where one can spend money to perform hash or stake rental attacks and turn a profit which they can then use to fund the attack further. This is a huge advancement.
Furthermore, if an attacker was ever filling blocks with transactions routed to them by other network nodes — then there’s a chance they wouldn’t even get the routing node payment for any given block! The routing-node portion of the block reward goes to a random node who contributed routing work to it — not necessarily the block producer.
That covers a heap of attack situations. But let’s do a thought-experiment and set up the most favourable attack conditions possible (however unlikely they might actually be) and see how an attacker fares.
What would happen if an honest block producer happened to find themselves with 51% of the work in Saito? Meaning, they have convinced 51% of users to route their transactions directly to them. In Proof of Work/Stake, this would again be a game-over situation, like any situation where 51% of the work function is compromised. 51% of the work function means you can produce the longest chain, which means you can build a chain which outpaces the rest of the network — and subsequently orphan all the blocks produced by others, driving them off the network. A situation where an honest node comes across 51% of the work function — maybe due to centralising pressures around block production — is also equivalent to the top two or three mining/staking pools on the network colluding to attain 51% of work and produce the longest chain.
So how does Saito fare under these conditions?
ATTACK SCENARIO II: 51% NODE ATTACKS NETWORK
Suppose there is a Saito network made up of honest participants, but one of the honest routing nodes is so large (I’ll call it a meganode) that it consistently takes in 51% of all the fee inflow into the network directly from users. So it is a first-hop routing node, and is collecting 51% of network fees on a consistent basis. This means it is able to produce 51% of blocks on the network only using fees it collects from users directly. This could be a giant Infura-like monopoly, or several top routing nodes colluding together.
To make this attack extra difficult to defend against, let’s also assume this node doesn’t forward any transactions that it collects to other nodes in the network. This means its blocks consist entirely of its own first-hop fees, giving it a 100% chance of receiving the routing node payout for every block it produces. This may be slightly unrealistic already, because transactions which are not shared take longer to get into blocks than if they are shared — and a node collecting 51% of fee flow would presumably have done that by offering superior transaction confirmation times for users.
Now imagine that this large routing node gets cursed by Hera, and in a fit of madness decides to ‘attack’ the network. It decides to add blocks to the tip of the chain per normal, but to only add its own blocks, ignoring all blocks produced by the rest of the network. It is trying to perform a 51% attack.
To understand what this means, pretend the chain is up to block 100. An honest node proposes block 101. The honest network nodes accept it, and start working on block 102, 103 and so on. The attacker, however, ignores it and builds on their own chain instead — finding its own block 101, 102 and so on, using the fees which it collects directly from users to do so. The attacker has more routing work than the rest of the network (51%), so is producing blocks at a faster rate. This means eventually (e.g. 20 or so blocks down the line) the attacker’s chain will outpace the honest chain in length, and will be a valid longest chain. The attacker can continue ignoring all blocks produced by the honest network, orphan everybody’s work, and eventually push everybody off of the network by denying them income.
Except — they can’t do this in Saito Consensus. It’s true that in PoW/PoS, the work you did to produce a block disappears once a new block is created (by anybody) and added to the chain. If you were mining on a block of your own and then somebody else produced a valid block, you’d have to throw your block away and start from zero work again. Your work gets orphaned. But in Saito, ‘work’ is associated with transactions instead of blocks. This means when somebody adds a block on the chain, you still have all the routing work you have done for the transactions you have collected which were not in that new block. No matter who produces the block. (And if you were on the routing path of any of the transactions which WERE in the newly produced block, you would have a shot at getting paid the routing-node portion of that block’s fees.)
Recall that the same transaction can be in the mempools of multiple nodes. If the network produces a block which contains transactions that are also in your mempool, then those transactions get deleted from your mempool because they have already made their way onto the chain. This ensures transactions which multiple nodes collect (e.g. ‘pay Socrates $100’) are not published on the chain twice.
However, nodes are still left with all the transactions they have accumulated which did not go into the newest block. In Saito, this means that they still have all of the routing work they accumulated which did not go into that block — so their routing work is not orphaned! In fact, they even have a head start on producing the next block, since the most recent block producer just depleted their routing work to make the newest block.
But how does this prevent an attacker who can produce the longest chain from ignoring blocks proposed by the rest of the network? What good is the rest of the network keeping their routing work and being able to produce blocks if the attacker still has more routing work in total — so can still produce a longer chain and ignore their blocks?
The answer is that if the rest of the network does not lose their routing work and the attacker is spending all of their routing work to make blocks, the rest of the network will end up with more routing work than the attacker and be able to produce the longest chain.
Let’s say that in this attack scenario we have outlined, the total amount of fee-flow coming into the blockchain is $100 per minute. So the honest network is collecting 49% of that ($49) per minute, and the attacker has 51% of that ($51) per minute. Let’s also say that the amount of routing work it takes to produce a block (called the ‘burnfee’) is equal to $250 (any number would do).
Right up until the point of the attack, the meganode is doing exactly what the network wants it to do. It is collecting transactions from honest users, putting them into blocks, and then posting those blocks on the chain. It is also allowing the rest of the network to post their blocks on the chain. The honest network collects $49 per minute, and the meganode collects $51 per minute. They produce blocks and add them to the chain every time they accumulate $250 worth of fees. In this instance, the block production schedule looks something like the following table.
The meganode has enough fees to make a block after five minutes of collecting fees — so they do. The honest network has enough fees to make a block at six minutes — so they do. And so on. Everybody is building on the same chain. All is good. The blockchain would look like this:
But now, let’s see what differs when the attack takes place.
In the attack, the attacker will only build upon their own blocks — ignoring any blocks the rest of the network produces. When the honest network proposes a block (at minute 6), the attacker will ignore it until it has two blocks (made at minutes 5 and 10), then add blocks 5 and 10 to the chain simultaneously in place of the honest network’s single block — creating a longer chain and thereby excluding the honest network’s block. The attacker can get two blocks on the chain before the honest network can, because controlling 51% of the block-producing work allows them to produce blocks at a faster rate. This outcome is shown in the graphic below:
If this was a PoW/PoS system, the work which had been put into that ignored block would be unsalvageable (orphaned). After adopting the attacker’s new longest chain, the honest network would need to start building up work from scratch — at the same time as the attacker — to produce a new block. So they’d be in the same situation as before; they would be in a losing battle to add two blocks to the chain before the attacker does. The attacker would be able to repeat this same strategy indefinitely because they have more work and are producing blocks at a faster rate than the honest network. They could forever build the longest chain on their own and orphan all other blocks.
However, as we have discussed, in Saito the honest network’s work is NOT orphaned, even if their block is excluded from the chain. Work is associated with transactions, not blocks. This means that the honest network can accumulate routing work while the attacker is performing the attack, and will stockpile enough routing work to eventually produce more than one block on top of the next block the attacker post. This would be more routing work than the attacker would be able to match, and put the honest network on the longest chain.
By accumulating multiple blocks worth of work, the honest network is able to temporarily outpace the attacker in block production speed. They use their surplus routing work to build multiple consecutive blocks on the attackers chain. The attacker’s own chain is now shorter than the chain containing the multiple consecutive blocks posted by the honest network. If attackers do not acquiesce and build on top of those honest blocks, they will no longer be operating on the longest chain. This outcome is shown in the following table:
In the table above, the honest network accumulates routing work while its blocks are being ignored (in minutes 6,7,8,9,10). Unlike PoW/PoS, the non-attackers can actually accumulate work over time, and do not lose any block production work from having their blocks excluded from the chain.
Having accumulated some additional routing work, the honest network then posts two blocks consecutively at minutes 11 and 12 on top of the attacker’s block produced at minute 10 (shown above). The honest network then continues building on that chain.
If the attacker tried to continue building on its own chain with the most recent block it produced (at minute 10), it would then be operating on a shorter chain than the honest network. The following graphic illustrates how when work is not orphaned, the honest network being censored can accumulate enough work to build the longest chain:
Since the attacker is producing blocks at a faster rate than the honest network, if they continued mining on their own shorter chain they would eventually create the longest chain again — but this would take a long time, as blocks are still being added to the new, longer chain by the honest network. In the above scenario, where the honest network withholds one block (from time 6–10) and then posts two blocks at once (at time 11 and 12), the attacker’s chain consisting of their own blocks would be shorter by one block at minute 15 — and it would take the attacker producing 51 more blocks in order to eventually outpace the honest network’s ever-growing chain. This would be at time 251 minutes.
At that point, however, the honest network would have produced 48 total blocks, which again, is work that is not orphanable. So if the attacker was stubborn and kept building on their own blocks, eventually producing 51 more blocks and reclaiming the longest chain, the honest network would immediately have 48 blocks worth of work to dump on the tip of the chain. Outpacing that would take a long time. An exponentially longer amount of time than it already took to outpace a mere one-block lead.
As you can see, the inability to orphan work means that it would quickly become impossible to try and sustain the longest chain, because you would be competing against an exponential amount of accumulated work. This holds whether the attacker has 51%, 68% or any amount up to 99% of the total network fee flow. The ability for the honest network to effectively stockpile work and use past work in the future means that attackers are not just competing against the current percentage of fee flow the rest of the network controls — but that amount multiplied by however long they try and sustain the attack for. This renders 51% attacks impossible.
If in the beginning the honest network had let the attacker add three consecutive blocks on the tip of the chain before posting any blocks, it would have accumulated enough routing work to itself post three consecutive blocks (at times 16, 17, 18 minutes) on top of the attacker’s third block. This is shown in the table below. If this occurred, an attacker building only on their own blocks would need to produce 111 blocks before they would eventually recapture the longest chain (by which point they would find a mountain of routing work immediately dumped on the tip of the chain that they would have to overcome). So stockpiling two blocks made the attacker spend 251 minutes reclaiming the longest chain, and stockpiling three blocks made the attacker spend 545 minutes.
The time it takes for an attacker to reclaim the longest chain gets exponentially longer the more consecutive blocks the honest network posts. So in the first place, the honest network can just let the attacker post ten or so blocks in a row, and then dump ten blocks of their own to stall the attacker for a prohibitive amount of time. This stops the attack dead in its tracks. The attacker would find it easier to simply add their own blocks on top of the newly-added honest blocks, rather than spend an ungodly amount of time (what would become years) trying to outpace the new longest chain only to have it continually re-extended with all the un-orphanable work it accumulated.
The only way attackers would not need to allow honest blocks onto the chain is if they spent their own money to produce as many blocks as the honest chain posted to the chain (plus one) so that they can retain the longest chain. However, we have already proven that this is not a viable long-term strategy — as it results in the attacker constantly bleeding money until they eventually run out (nobody has infinite money).
To summarise all this:
Imagine an attacker produces 99 blocks per minute, and the entire honest network only produces 1 block per minute. A ‘99% attack’ should be possible. Yet, because the honest network can stockpile and accumulate their work over any amount of time and then add it on top of the attacker’s chain — in order to maintain the longest chain the attacker would need to be able to produce more blocks in 1 minute than entire honest network in an arbitrary amount of time. They can only do this by spending their own money — which would mean losing money.
In short: the 51% attack has been eliminated.
In the discussion of this attack, I have been leaving out a key detail. I have actually been understating how secure Saito Consensus is. Producing your own longest chain and orphaning the honest network’s blocks is not merely prohibited by time, as demonstrated above — but is itself a costly process. It actually actively costs money to orphan other people’s work and try and produce your own chain. So the more blocks the honest network forces an attacker make to catch up to the longest chain, the more money the attacker will have to spend to continue the attack.
Just like in the previous attack scenario where attackers spend their own money to attack the chain, attacking a Saito network is not a profitable activity — meaning attacks are unsustainable without an infinite amount of money. To go through how this works, let’s look at the situation in a little more depth.
The image below shows that before the 51% attack, the blockchain was taking in $100 per block — or $400 in four minutes. After the attack, however, all honest network blocks are excluded from the chain. This means that the blockchain’s income (the fees it collects) per unit of time is cut in half.
If the attacker tries to produce blocks at the same rate as the whole network did before, they would need to include half the fees in every block (because the amount of fees it collects from users is unchanged). Alternatively, the attacker could keep its blocks the same fee size as before the attack — but the blockchain would only produce blocks at half the speed as it did before the attack. No matter which way you cut it, the attacker only brings $200 into the network over a four minute span of time, so after excluding the honest network’s blocks, the total amount of fees the chain brings in is halved.
Now, consider the fact that in Saito Classic, the difficulty of mining adjusts to target one golden ticket solution per block. Meaning that for a given total hashrate (mining power of the network), the time that it takes a miner to find a golden ticket solution for a block will adjust so that on average, only one is found per block.
The mining adjustment process works like this:
- If a bunch of blocks are made and mining difficulty is so high that the entire network of miners is not able to produce a single golden ticket for any of those blocks, then mining difficulty (and the associated cost of mining) will slowly adjust downwards until the network can produce one golden ticket per block. Blocks have to go by without any golden tickets being found for them in order for difficulty to start adjusting downwards.
- Conversely, if the mining difficulty is so low that everybody and their mother’s cat is finding a golden ticket solution for each block, then the difficulty (and the associated cost of mining) will increase up until the point where only one golden ticket is produced by the network’s miners every block.
Remember that in either case the adjustment of mining difficulty is a slow process which takes time.
Now, let’s say that the pre-attack mining difficulty (which is just some number, like 4359353) creates real world hashing costs to miners of $X per block to find a golden ticket.
Once the attack is launched, the amount of network fees is halved. However, mining difficulty (and therefore mining cost) remains the same. It still costs $X. This means that for a given period of time, the same mining spend returns half as much money as it used to. Mining profitability is cut massively after the attack. This is shown in the table below.
Reduced mining profitability pushes many miners off the network. This makes the total hashrate of the network fall. Because total hashrate has fallen, not every block produced has an associated golden ticket found anymore. Remember that difficulty is adjusted to target one golden ticket per block at the previous network hashrate.
The difficulty adjustment process takes some time, so mining difficulty remains at its previous level for now. Eventually, difficulty will adjust downwards so that for the new network hashrate, one golden ticket can be produced per block. But for now, less than one golden ticket per block is able to be produced. This means that there are blocks which are being produced for which there is no reward.
From the perspective of the attacker, who is ignoring the rest of the network’s blocks, they are now the only one producing blocks for the blockchain. The attacker is continually producing blocks, trying to maintain the longest chain. But not all of their blocks have golden tickets found now. And it is a costly affair to produce blocks (collect transactions and run the network infrastructure) in the first place. This means that an attacker producing blocks without golden tickets (for no reward) is producing blocks at a loss.
In this case, the cost of attack to the attacker would be the cost of slowly reducing mining difficulty by producing blocks without golden tickets. Meaning, the cost incurred running massive network infrastructure (to take in 51% of fee flow) while waiting for difficulty to adjust downwards. The larger the total fee throughput of the chain — the greater this cost will be.
Alternatively, the attacker could try and spend money hashing to unlock the fees from blocks. But they would need to match the hashrate of the WHOLE network pre-attack in order to guarantee that they produce a golden ticket for any given block, because that’s what the difficulty is adjusted for. But if they did that, then the difficulty would never adjust downwards. So they would just be burning money hashing.
In addition to all of this, there are other reasons why the attack would quickly fail. Consider that most of the time, the attacker is spending time trying to build on a shorter, invalid chain. It takes a long time for them to recapture the longest chain — and they only do so for an extremely brief amount of time.
This means that users have sent them transactions, and those transactions are not getting onto the chain for long periods of time. If a user has to wait ten minutes for their transaction to get onto the chain, they won’t tolerate it. They’ll just rebroadcast their transaction to another node on the network (not the attacker). Fee flow will shift towards the honest network which has the longest chain, and the attacker would have lost its 51% of fees — and a lot of money in the process of trying to attack the network.
Where attacks are not eliminated in their entirety, what Saito Consensus does is make it expensive to attack the network, even when attacker has 51% or more of the work.
In Proof of Work and Proof of Stake systems, if the top miners or stakers collude to gain 51% of the work function, there is no cost to them if they decide to attack the chain. In Saito Consensus, it always costs money to attack the network. Even if you have 99% of the network’s routing work. This means that even if a chain running Saito Consensus only had one single node (e.g. Google) and was entirely centralised, it would still cost them to attack the network. In a system which always punishes attackers, the properties of decentralisation and censorship resistance are decoupled. Granted, there are other reasons why decentralisation might be valuable — but we can get to those later.
“The math works out so the cost of attacking the network is always greater than 100 percent of the fee throughput of the honest chain. This is double the security of POW and POS, where the cost-of-attack is capped at 50% of inbound fee flow.” — Introduction to Saito Consensus
I have not explained everything in the fullest depth here, and there is more to the math behind this for those who want to look deeper. But this doesn’t stop one from realising that up until now, consensus designers have been digging in the wrong place in their efforts to improve what Satoshi built. It might help to look at how majoritarian attacks can be solved in Proof of Work systems like Bitcoin to get a sense for what’s going on here. A short and to-the-point overview of the Saito Consensus design can be found here.
The ELI5/TLDR is that what Saito Consensus gives us is a system where it is always profitable to do what the network wants you to do, and always unprofitable to attack the network. If you collect transactions from honest users, verify them and put them into blocks, you are doing what the network wants. Whether you have 5%, 51% or 80% of the work. But what’s crucial is that if you at any point (not just before having 51% of work) try anything malicious — you are guaranteed to lose money for as long as you try doing it.
The below Twitter thread has aggregated many resources (created by others) explaining Saito Consensus. I suggest using it as a reference point to learn more, as I don’t think Saito Consensus is going away.
Advanced Saito Security — Increasing Cost of Attack Above 100% of Fee Flow
There is a pretty simple way to make Saito Consensus even more secure. There are two parts to this solution.
1) Golden Tickets Every Two Blocks
Instead of making difficulty adjust to target one golden ticket every block — we can instead make it target one golden ticket every two blocks. This will lead to network difficulty being twice as high, all else remaining equal.
The fees in every second block without a golden ticket do not get paid out.
As before, difficulty will automatically increase or decrease if there are too many or too few tickets produced over any length of the blockchain.
2) Staking
To avoid rampant deflation (which in the long-run would eventually burn the entire token supply), the money in every second block which no longer has a golden ticket needs to go somewhere. But we can’t just pay it out to routing nodes and mining nodes — because that would put us back in the same situation we were in before, where they collect every block’s fees.
So in order to avoid deflation, and to divert money away from potential attackers trying to recapture their money, a staking mechanism is introduced.
Users can ‘stake’ their Saito. If a block does not have a golden ticket in it (which should be every second block), then the money in that block goes to stakers instead of being burned. Payout is proportional to amount staked.
This system funnels even more money away from attackers, increasing cost of attack above 100% of network fee flow. Paying out every second block’s fees to stakers on average effectively halves the block reward again under all conditions, making attacking even more unprofitable. It also requires the attacker to commit new money to staking (on top of what they spend mining + collecting fees) in order to recapture funds they spend attacking the network.
Recently, a proposal was drafted to leverage the ATR mechanism of Saito to implement staking. Under this system, staking payouts would be made to individual UTXO’s which loop around the chain and pay ATR fees.
Implications of this modified approach to staking include:
- “All transactions on the network are “auto-staked” immediately on their inclusion in the blockchain, with their payout issued in a predictable amount of time [one epoch].”
- “The staking table is suddenly backed by 100% of the active token supply, further increasing the cost of attacks on the chain.”
- “ Perpetual storage is (suddenly) possible, if an ATR transaction contains a UTXO holding enough SAITO that its staking payout is larger than the rebroadcasting fee, that transaction will never fall off the chain. Since 25% of the average transaction fee is redistributed to the staking table on average, in equilibrium, this would suggest that transactions willing to lock-up 400% of the long-term equilibrium transaction fee can offset their rebroadcast costs with staking income in perpetuity.”
That last point is very interesting. If the staking reward one receives is high enough, it will automatically cover the ATR fees of the on-chain data/transaction and permanent data storage at no added cost becomes possible. This is an elegant way of achieving permanent storage on a transient ledger. While the ATR market-price based rent-style option for data permanence is still available, with staking users are given a way of reducing those costs, and possibly even eliminating them entirely and finding themselves in profit.
The modified mechanism of targeting a golden ticket every n blocks is referred to as the ‘powsplit’ in Saito. As n increases and more block fees are paid to stakers, so too does the cost of attack. To understand why, try thinking through what happens when attacker spend their own money to produce blocks. In half the blocks, half of the fees go to miners — and in the other half, all of the fees go to stakers. Attackers bleed much more money. And in majoritarian attack conditions where an attacker is using honest fee-flow to build the longest chain, mining profitability is even further reduced — so the cost of attack is increased then, too.
Commodification of the Work Function
We have discussed how Saito fixes a multitude of attacks — but have not touched on the fact that Saito does not suffer from the problem of an increasingly commodified work function.
As we have covered, in PoW/PoS there is nothing stopping the emergence of external markets for hash or stake where ‘work’ can be bought, sold or rented. This creates centralising risks and the threat of attackers purchasing work in real time to execute 51% attacks.
In Saito, however, this is not a possible outcome. Because the work function is the efficient collection of fees, it cannot be gamed.
Let’s say I have accumulated some routing work, and it is worth X to me to produce a block with it. If I share it with you, it will only be worth X/2 to you. Half as much — because the amount of routing work derived from a fee halves with every hop into the network. So buying work becomes extremely inefficient. I also won’t sell you that work for less than it can earn me if I share it with other network nodes.
Not only this, but even IF you bought routing work from me, and you used it to make blocks, I still have a chance of winning that block’s reward proportional to my contribution to the total routing work in the block. Since I was an earlier-hop node in the transactions’ routing paths, I am statistically more likely to get paid than you for the block than you (66% chance of payout).
In short, the hop-halving mechanism and the statistical payout of the block reward make commodifying the work function in Saito unfeasible.
Proof of Work? Proof of Stake? Saito Consensus.
Mining and Staking are both forms of ‘work’ which are used to produce blocks in Proof of Work and Proof of Stake systems.
Saito is neither PoW nor PoS, because it uses routing work to produce blocks. Mining plays a role, but that role is not block production — it is only to unlock the funds from blocks. ‘Staking’ still plays a role, but that role is not block production — it is only to divert money away from attackers.
In either case — mining or staking do not serve the same purpose as in Proof of Work/Stake. Saying that Saito uses “proof of work and proof of stake” is a misleading and inaccurate way of conceiving the consensus mechanism, because there are fundamental differences in the way mining and staking are leveraged in Saito.
The multifaceted approach outlined above — with routing work in the middle of it all — is why it has been named ‘Saito Consensus’.
“A great way to understand Saito Consensus is to think about what blockchain users need. They don’t need hashing or staking. They need nodes to take their transactions, get them into blocks and to share those blocks to other users.
Saito consensus rewards this. It says that we should not be taking users’ money and giving it to miners and stakers, we should be giving it to the nodes that are helping them, that’s the P2P network.
How do we keep the chain secure and open while paying for nodes? The very simple answer is that transactions track how they got into blocks. When a block is created we can inspect it, figure out who did the work to the transactions into the block and pay the network accordingly.
The transient blockchain is similar. Fees to use blockchains go up and up over time because the nodes running the chain have to store more and more data. Either the nodes will stop doing that and the chain will collapse, or users will pay more and more for the same service.
The transient chain just means that every transaction coming into the block is paying for a certain amount of time on the chain. When a transactions’ time is up, it has to pay for another period on the chain or drop off.
Automatic rebroadcasting is just a way of allowing for users to pay in advance for more time on chain, and making sure that consensus honours this.”
Saito Network, Twitter
Revisiting Scaling and the Blocksize Debate
You remember the blockchain trilemma. That classic constraint defining blockchain systems, which is just about the only thing which Proof of Work and Proof of Stake maximalists agree on. As a refresher, let’s go through Vitalik Buterin’s summary of the trilemma from his article on sharding:
“The scalability trilemma says that there are three properties that a blockchain try to have, and that, if you stick to “simple” techniques, you can only get two of those three. The three properties are:
Scalability: the chain can process more transactions than a single regular node (think: a consumer laptop) can verify.
Decentralization: the chain can run without any trust dependencies on a small group of large centralized actors. This is typically interpreted to mean that there should not be any trust (or even honest-majority assumption) of a set of nodes that you cannot join with just a consumer laptop.
Security: the chain can resist a large percentage of participating nodes trying to attack it (ideally 50%; anything above 25% is fine, 5% is definitely not fine)”
Vitalik goes on to describe the three possible ways this trade-off can be made, which “only get two of the three” properties we want. (Emphasis added)
- First, he says, there are “Traditional blockchains” like Bitcoin. “These rely on every participant running a full node that verifies every transaction, and so they have decentralization and security, but not scalability.”
- Then there are “high-TPS chains”, which “rely on a small number of nodes (often 10–100) maintaining consensus among themselves, with users having to trust a majority of these nodes. This is scalable and secure (using the definitions above), but it is not decentralized.”
- Finally, there are “multi-chain ecosystems”, which “have different applications live on different chains”, and use “cross-chain-communication protocols to talk between them. This is decentralized and scalable, but it is not secure, because an attacker need only get a consensus node majority in one of the many chains (so often <1% of the whole ecosystem) to break that chain and possibly cause ripple effects that cause great damage to applications in other chains.”
Where does Saito fit into this picture? Well, Saito-class chains stand in a category of their own.
In the first place, Saito more efficiently allocates its resources, and has a different trade-off curve to other chains.
For a given level of scalability, Saito achieves greater decentralisation than Proof of Work and Proof of Stake chains. For example, if you compare Saito and Bitcoin without volunteers — Saito will have greater decentralisation because its peer to peer network is actually paid for. Its provisioning is economically incentivised. If you compare Saito and Bitcoin with both having volunteers, Saito would still have more nodes in total, because in addition to volunteers it would have economically incentivised nodes. Additionally, the point at which nodes drop off the network over time due to rising chain-growth costs would be later in Saito than a Bitcoin chain of the same blocksize, since nodes are actually paid.
Similarly, Saito offers greater security guarantees than PoW/PoS chains of the same scalability. A Saito class blockchain is always secured by greater than or equal to 100% of fee flow, versus 51% in PoW/PoS chains without block subsidies. Not only does this mean that security rises with fee throughput — but it means that Saito Consensus sustainably allows for non-inflationary money on the base layer. This means that once a Saito-class chain is secure enough (has enough fee flow), it will be able to support a greater monetary asset than other blockchains. A stronger monetary asset ensures the self-sustainability of the network into the future, as it creates a stronger incentive for node runners to join the network. If you don’t understand this — imagine a cryptocurrency which was massively inflationary, whose price kept going down over time. Few people would be incentivised to join that network as a miner or staker and be paid in a depreciating asset.
Not to mention, increasing scalability on a Saito-type chain results in a significantly lesser decline in decentralisation than on a PoW/PoS chain. The reason for this is simple. Scale does not kill the peer to peer network (decentralisation) in Saito because Saito pays the peer to peer network for the costs which come with increasing scale!
So to begin with, compared to like-for-like PoW/PoS chains, a blockchain running Saito Consensus gets more decentralisation and more security than PoW/PoS chains — as well as a better scalability-decentralisation trade-off curve.
But in the second place, there is nothing stopping Saito from being decentralised, scalable and secure. The blockchain trilemma is founded on premises which do not apply in a Saito Consensus context.
The trilemma is created because in Proof of Work and Proof of Stake chains, you can’t pay for network scale without pulling money away from security (mining & staking). But in Saito Consensus, paying for the network is the security mechanism. So security scales by allocating funds to the network. Higher scale means more fee throughput, which means more security — because security is a function of fee flow.
On a chain like Bitcoin, to increase security one would need to increase the mining difficulty. This could be done by reducing the mining reward, and burning money. In Saito, the way you get security is by increasing the fee volume which the p2p network processes — and the p2p network is paid for this. There is no trade-off, because paying the network is the same method which gets us security. When routing work is the work function of the chain, greater fee flow (scalability) makes the network more secure.
This collapses the ‘security’ and ‘scalability’ corners of the triangle into the same category, leaving only a dilemma between scalability and decentralisation.
Now let us remind ourselves why we want decentralisation in the first place. There are two key reasons.
- Censorship resistance; preserving non-excludability. This is the primary reason decentralisation is valued. Because in PoW and PoS systems, centralisation enables costless censorship.
- Redundancy. Meaning, resistance to single points of failure which could go down for whatever reason.
But now recall that Saito Consensus has no honest majority assumptions — and does not rely on trusting any nodes on the network, even if they are running above consumer-grade hardware. There is no need to trust nodes at any level of centralisation, because there is an always-positive cost of attack. This means Saito would always be ‘decentralised enough’, by the standard Vitalik has outlined — able to run without any “trust dependencies on a small group of large, centralised actors” — regardless of its blocksize and throughput.
There is never a point where a large percentage of nodes trying to attack a Saito network will not face a positive cost of attack proportional to the total fee throughput of the network. This is exactly like the 51% guarantee PoW/PoS chains provide, but just stronger — working all the way up to 100% of work centralisation. Even a hypothetical 99% node could not profitably sustain an attack on a Saito Consensus chain.
In terms of redundancy, because Saito Consensus incentivises the production and optimisation of a user-facing network, even a Saito chain which attempted to process Google amounts of data would incentivise decentralisation on the basis that nodes which are geographically close to users will be able to better serve them. Meaning that sets of competing nodes would spring up across all major continents to seize on the proximity arbitrage they had.
But remember — not only is there nothing stopping Saito from being as decentralised as any existing chain — Saito Consensus should by all rights create a more decentralised network than any Proof of Work or Proof of Stake network ever could for a given level of scale — as in Saito, the network is paid for by consensus. It is not a volunteer network, so does not crumble with scale.
It could also easily be argued that a chain which pays its network to exist will face less redundancy issues than chains which rely solely on cultural propaganda to influence people to set up network nodes in the face of rising costs. Remember that up until now — culture has been the best and only solution to ‘decentralisation’ in the space.
I find it important to mention here that for comparisons to other chains to be valid, we need to take into account the properties which Saito brings to the table which other chains may not. For example, at no scalability level does Saito sacrifice network openness. This is not the case with other chains that attempt to scale, whose consensus mechanisms do not internally pay for the networking layer. Secondly, due to the ATR mechanism — there is no level of scale which Saito is not self-sustainable at. PoW/PoS chains which attempt to scale fail to deal with the data storage and pricing problems — making their scale unsustainable in the long-term. In Saito, nodes are paid to store the chain — so do not get pushed off of the network at scale. Comparing Saito with other chains which claim to have “achieved scalability” is therefore invalid unless network openness and self-sufficiency are also taken into consideration. One might also add network infrastructure self-optimisation and greater security guarantees to that list.
So there are three key things to note here regarding Saito and the blockchain trilemma.
- Saito aligns security and paying for network, turning the trilemma into a dilemma. By paying for the p2p network, scalability is always achieved without sacrificing security.
- Saito achieves the major goals of decentralisation (censorship resistance, non-excludability) at any level of decentralisation. ‘Decentralisation’ is revealed to be valued predominantly because it is the only means to those properties in PoW/PoS systems.
- Saito Consensus exhibits a superior trade-off curve and a more efficient use of resources than PoW/PoS systems — making it more decentralised and secure for any given level of scalability.
A hypothetical Saito Consensus maximalist would likely deny or dismiss the trilemma entirely. Instead, they would argue that the blockchain trilemma is a condition particular to blockchains only of a specific kind. That is, Proof of Work and Proof of Stake consensus mechanisms. The scale-decentralisation trade-off still remains, as it is an almost tautological problem. But that is all that remains. Decentralisation becomes irrelevant beyond the point of redundancy, as Saito’s honest-minority consensus mechanism decouples decentralisation from network control. For this reason, the blockchain trilemma is either irrelevant or wrong.
A New Way of Thinking
Saito — with its novel chain design and consensus mechanism — solves a lot of problems.
The volunteer problem is solved. The data storage and pricing problem is solved. The scalability problem, the network closure problem, the block subsidy problem, majoritarian attacks, discouragement attacks, the commodification of the work function, header-first mining, delayed block propagation , and a host of incentive problems — are all solved.
And most importantly, in my opinion, The Satoshi Properties are achieved. We want a blockchain that doesn’t collapse, and a consensus mechanism which pays for things we value today and into the future. We also want censorship resistance and the property of openness (non-excludability). These things are what make a blockchain desirable in the first place. Self-Sufficiency, Openness and Censorship Resistance. No matter HOW decentralised, secure or scalable, you would not want to USE a blockchain without these three properties. The Satoshi Properties are the real blockchain trilemma. With Saito, we get them.
How do we get them? By fixing incentive problems, rather than technical problems.
It should be easy to see by now. Why can’t blockchains scale without losing openness, and without sacrificing their p2p networks? Because networks do not internally pay for data, bandwidth and infrastructure costs. Incentive problem. Why do majoritarian and discouragement attacks exist? Because when someone is in a position to execute a majoritarian attack in PoW/PoS, they are financially incentivised to do so. Incentive problem. The dream that we all bought into has been that the biggest problems in blockchains are technical, when in fact they are economic.
On other blockchains, core activities which are central to the chain’s long-term existence are not incentivised. On Saito, every activity required to keep the chain operational is incentivised. A Saito network can sustain itself indefinitely. This is the virtue of network self-sufficiency which the biggest blockchains on the market currently lack.
Saito seems to mark a paradigm shift in the blockchain space. It a project that I think, if they were still around, Satoshi would actually support.
In my opinion its most impressive aspect is not that it prices and pays for data storage, or that it incentivises the provisioning of much-needed network infrastructure instead of just mining and staking so that it can scale openly. The most impressive aspect of Saito is that it figured out how to make attacking the network costly under all circumstances — meaning that no matter what the network topology (whatever the level of decentralisation is), censorship resistance and openness are secured by a quantifiable cost. And the more it scales, the higher this cost grows.
This fact brings with it a new way of thinking. The reason we valued decentralisation in the first place was that it was essential for trustlessness. Without it, PoW and PoS networks lose openness and self-sufficiency. But Saito Consensus achieves trustlessness, openness and censorship resistance whether it has one node or one million. And the way it is designed, it can be more decentralised than any other chain on the market pound for pound. By solving the fundamental public goods problem at the heart of the space, ‘a culture of nodes’ supporting the network would merely be icing on the cake.
With Saito, we have a blockchain which pays for whatever users want. Some are already speculating that Saito Consensus will eventually be used to fund open source software more generally. Beyond that, Saito might even be able to fund public goods outside of the digital world. One can quite easily conceive of a world where routing nodes compete to attract fee-flow by serving the values of users — donating a portion of their profits to charity X or funding business Y to attract more fee flow. If the public school which I went to as a child set up a Saito node — or if a conglomeration of schools pooled resources to run a node — I would gladly route my fees through them to help fund schools, for example.
“In networks like Saito, fee collection is the form of work that secures the network. This is preferable to mining/staking as it pays ISPs/Infura(s). So people will build apps just like miners design ASICs” — David Lancashire, Saito Co-Founder
What’s important is understanding that important and long-standing problems facing all major blockchains — including many thought to be unsolvable — have been fixed. And what’s more, they have been fixed without sacrificing the Satoshi Properties which give blockchains their value. Bitcoin’s solution to the problems which threaten eventual blockchain collapse was to not scale so that volunteers could support the network. Other networks choose to trade-off long-term sustainability for scalability, and are trying their best to use technical optimisations to push out and delay the inevitable for as long as possible. All of these ‘solutions’ are merely trade-offs. By tackling problems at the incentive layer, Saito need not be subject to the same trade-offs which other blockchains face. It can provide greater security than Bitcoin while incentivising a resilient (rather than volunteer) network — allowing it to achieve scale without putting the long-term self-sustainability of the chain at risk.
To put it simply: crypto’s ticking time bomb has finally been defused.
What Kind of Chain is Saito, Again?
I’ve spent a lot of time talking about Saito’s chain design and consensus mechanism. But what exactly is Saito?
Saito is a base-layer blockchain which supports its own native cryptocurrency. Like Bitcoin, Ethereum and alt Layer 1’s, its native cryptocurrency (Saito) has the potential to be money more broadly. In this sense, the Saito ledger competes as a monetary base layer. It has been described as “a version of Bitcoin that forces attackers to do 2x the hashing, but which only pays them at most 1/3 of the fees, because routing nodes collect the rest. Double the security, while paying for the P2P network.”
However, Saito has ambitions to do more than just money. Its goal is to be the backbone for web3. The current web runs through centralised internet service providers (ISP’s). It is not a trustless system. Saito envisions a world where the web runs through Saito nodes, and internet data travels through the Saito network — which provides guarantees of trustlessness, censorship-resistance, peer-to-peer, and non-excludability.
The simple answer to the question ‘What is Saito’ is: Saito is Bitcoin, but it handles data in addition to just money. Except, Saito has not only trustless — but self-funding and scalable network infrastructure (and it retains openness at scale!).
I think the best way to conceptualise Saito is as an open data network. Unlike Bitcoin, Saito transactions can carry arbitrary data, allowing users to send and receive data in a permissionless, trustless and secure way. ‘Data’ could be anything. It could be monetary transactions, messages, emails, videos, poker hands, personal information, social media posts or IOT data. It can be anything. Especially those things which users would prefer not to run through centralised hands. Keep in mind that data can be transferred using whatever encryption methods satisfy a given user’s wants, and there needn’t be any worry about that data being tampered with, stolen or used for malicious purposes. This contrasts with the web2 world, where we rely on trusted parties not to misuse our data.
Saito offers browser-native decentralised applications. There is no need for third party extensions like Metamask. All Metamask does is connect to Infura, who runs Ethereum’s peer-to-peer network and forwards transactions to validators. But on Saito, the p2p network is all that there is. All nodes are doing what Infura is doing and you connect to them directly.
In Saito, applications are modules which run inside user wallets. When you interface with a website like the Saito Arcade, the ‘website’ is actually a lite-client wallet which runs in the browser. The wallet shows you the application — and when new transactions come in, the wallet updates the application. When you transfer somebody data using Saito, whether you are messaging or playing a game with them, you are operating fully peer to peer.
“There’s no Facebook, there’s no Google, and there’s no Apple deciding if you can run this game or that game. It’s fully open.”
Because Saito is a blockchain, all data which gets put on the chain (for any period of time) gets universally broadcast out to the entire network. This means party A on one side of the earth can put data on the chain, and party B can see it and act based on this data. Off-chain software can listen to the chain and react accordingly. Two parties can interact in a trustless, peer-to-peer manner. For example, users can download a Twitter-like application in their wallet, and use the Saito network to transfer data in a peer-to-peer manner without trusting any third parties. Using public/private key infrastructure, they can ensure that only the intended party (or parties) sees and reads their messages.
Whether it’s the Apple app store or Steam taking a 30% cut of all app and game sales through their platform, or Facebook and Reddit making money from owning and selling your data — all instances of closure can be eliminated using open infrastructure which blockchains built right provide.
“[Blockchains with open infrastructure can be used for] anything that requires universal data distribution where you don’t want the network effects owned by a private firm or taxed by the state. App stores / Facebook / distributed applications built around keypairs.” — David Lancashire, Saito Co-Founder
Saito’s Richard Parris gives another cool example. Suppose you buy an IOT camera which records your home so that you can check on things while you’re out of the house. Currently, you need to go to a trusted provider who streams the recording to their data centre, and then makes it available to you upon request. You trust that they do not use this data of yours which they control for anything else. In a Saito world, you’d have a little LCD screen (a small, 10 cent piece of electronics) and a wallet generator on the camera. You’d press it to generate a new wallet, scan that in an app on your phone, and go on with your day. When you want to wake the camera up or access its feed, you could simply press a button on your phone which sends that address on the network a couple of Saito, some cryptographic information and some location information over the internet. The camera would respond, and you would establish a point-to-point encrypted transfer between you and the camera, and you could use the regular internet (because we have encryption capabilities) to send the stream directly to yourself. Now your camera is streaming directly to your phone peer to peer in an encrypted manner, and no trusted third party is in possession of your data at any point. This is real web3.
Saito does not have smart contracts. But remember that it does not need smart contracts for applications. It has no EVM on the base layer (though these can exist and be interfaced with on L2), and is a UTXO based system. It is a network which can be used to send and receive data peer-to-peer (and store data), without trusted third parties. Because Saito is a UTXO system, network nodes do not need to execute every transaction — instead they just need to keep track of the UTXO hash map (a data structure) which tracks whether UTXO’s have been spent or not. This creates massive efficiency gains and reduces strain on the p2p network, as nodes do not need to execute transactions.
In this system, one could use a chain like Ethereum as a layer 2 should they so wish. If this requires data storage, only a subset of nodes (those which service users) need to do that, and they can fund the data storage by providing that data to users in exchange for L1 transaction flow that sends the transactions into the EVM.
“What you can do is have 5, or 10, or 100, or N computers on Saito (the user can decide) take transactions sent from a specific address, and treat them as instructions to execute on L2 EVM. So you could do smart contracts on layer 2. You can let the layer 2 people worry about their state, but the stuff that the blockchain is supposed to provide, we’re not slowing down because not everything needs to be an application.”
— David Lancashire, Saito Co-Founder, Interview
There are also interesting (currently hypothetical) models which would enable users to transact with the Saito network freely, should they so choose.
“You can run whatever applications you want, and if you want some free tokens — enough to use the network — why don’t you install this advertising module. Or that advertising module. And you decide if you want it. You don’t need it. But if you want a little bit of free tokens, then okay, do that. And maybe when you’re using the chain it shows you an ad or asks you to fill out a survey. The advertisers send users tokens, and the users can use those tokens to make transactions. It sounds a bit like Brave, but the difference is there’s no company in the middle — Brave doesn’t exist! There’s no company deciding “you get to advertise, we collect money and give you a little bit of the tokens.” It’s: you decide who you want to deal with because it’s entirely open.”
“The beautiful thing about routing work is that all of a sudden, we have a model where: the old internet is ‘advertisers pay Facebook and you pay your ISP. The new internet is ‘the advertisers pay you, and when you do whatever you want to do on the internet, your ISP collects the money because serving you is how they get paid. As Saito grows, the model grows because the values of the fees and values of the transactions grow. So what’s your ISP going to do to get you to use them? Maybe they’re gonna give you a bunch of free off-chain data. Maybe they’re gonna give you liquidity on the lightning network. Maybe they’re gonna give you a free mobile phone number, because they’re China Mobile and they’re competing with China Unicom”
— David Lancashire, Saito Co-Founder, Interview
If all this is too much, the TLDR is: Saito is base layer money with web3 capabilities, browser-native dapps and true peer-to-peer. With scalability. Without sacrificing trustlessness.
Interoperability — Helping Other Chains
There is one other thing I forgot to mention. Saito is a layer 1 blockchain which by itself can create and sustain web3 — but it can also assist other blockchains in their missions too. In addition to being a self-sufficient and open Layer 1 protocol, Saito’s unique consensus mechanism can actually be used in a node-as-a-service (NAAS) style fashion to service other blockchains. In this way, it is able to alleviate their volunteer infrastructure problems.
The Saito Network can run the p2p network for Bitcoin, Ethereum — or any other chain. Saito pays for fee collection, but does not specify where these fees need to come from. Some examples of how Saito can fund external to the network infrastructure include:
- A Saito node running lightning network channels on Bitcoin and paying for liquidity provision in those channels because Bitcoin users didn’t want to set up their own payment channels. Users will route their transactions to a specialised Saito node offering them the service they demand, and the node will charge fees which cover the costs of the infrastructure.
- A Saito node running a node on the Ethereum blockchain to route transactions for a dapp like Uniswap (instead of developers using Infura, they — and anyone else — can use Saito to route transactions for their dapp)
- A Saito node running a Polkadot parachain node because people want to play poker with a token on that parachain.
Saito can also reduce congestion on their networks by taking on data which nobody wants stored forever on a permanent ledger. In doing this, the data-storage load on other network’s nodes — as well as network congestion and subsequently fees — can be reduced. Saito Co-Founder Richard Parris elaborates:
“We do not need to compete head on with Ethereum. We can actually be very helpful by providing simple ways for developers to take load that needs the PKI, the public broadcast aspects of blockchain with cryptographic security, and move as much of the transient, transactional kind of stuff as possible onto Saito — and just have Ethereum do what it does well: hold the tokens, move the tokens. And that’s possible on Saito because our transaction size isn’t limited. So you can put a whole bunch of Ethereum transactions into one Saito transaction. We’ve actually built an early version prototype of this on a testnet to show that this is possible.”
“You can put as much data as you want in Saito transactions, you just have to pay for that space on chain. You just have to find a node willing to take that transaction from you, and pay the appropriate fee for that transaction size.”
“What it means as a developer is that you have access to these key features of blockchain that allow web3. […] Consider the example of an NFT auction. The current models are all web2 options. They’re off chain. You could do it on chain, on a cheaper chain. But do you really want to fill a blockchain that’s permanent with thousands of bids? And do people really want to pay $20,000 in fees between them just for an auction? What you could do is put all those transactions into one Saito transaction, and just have software put the biggest one on the Ethereum chain.”
“One of the huge things for developers is that you can suddenly use much more traditional methods to develop, because you can just put data into the transactions — and so you can work a bit like an API — I can just dump information for you, I can send moves in a game, I can send a business transaction, anything I like — but I’m getting proper web3 when I do that.”
“Our sense of how things will move forward is that EVM chains and things that need to be a permanent record will stay using the common models, but the transactional things will move onto blockchains like Saito to provide a web3 underpinning for those token networks.”
— Richard Parris, Saito Co-Founder, Interview
What’s the biggest takeaway? Saito has the capacity to inadvertently solve infrastructure provision on other blockchains (should users desire it) as a consequence of its routing-work based mechanism. It can also act as a supporting (open) data layer for other chains to help ease data costs and reduce network congestion. In Ethereum’s case, it can replace Infura.
Advanced Scaling — Sharding, Layer 2's
In my opinion, the Ethereum roadmap of disaggregating consensus / execution / data availability is the best solution to the problems in the blockchain space in a pre-Saito paradigm. The solutions outlined and being developed by Ethereum team are focused on preserving the core quality of trustlessness which blockchains exist to solve.
But by creating a self-sufficient, open and censorship resistant base layer which is not plagued by the myriad of problems found on other chains — and which is capable of being more decentralised, more secure and more scalable than all major chains today — I now believe that a scaled-up (secure) Saito chain would be a better base-layer for L2 scaling than BTC and ETH. Saito’s consensus mechanism does one better than resisting attacks under ‘honest minority’ conditions. It has resistance to dishonest majority conditions, up to (but not including) 100% of the network. Not only this, but it is free from block-subsidy security problems and other critical problems covered ad nauseum in this article.
The fact is that PoW and PoS chains are wrestling with trade-offs that just do not exist in Saito Consensus. Every technical solution being devised to squeeze a little more optimisation out of pre-Saito systems can be applied more effectively on a Saito-Consensus style system not subject to those constraints.
If you wanted to do sharding, you could build a sharded Saito-type chain. If you want L2 and rollups, you could do that too. Remember how in an attempt to decentralise rollups, people are trying to build entire new proof of stake consensus mechanisms for individual rollups? Giving rollups their whole own blockchain trilemma? Fractal scaling? Well now, instead of PoS, this could be done with Saito Consensus — which does not suffer from profitable attacks at any level of centralisation, and also incentivises the efficient collection of user fees. The rollup method can still work as it has been outlined, but it now has a better and more secure base layer to build upon and model itself off. A base layer which pays for its own infrastructure costs and can guarantee that it won’t collapse due to scale or volunteer pressure over time.
On the Role of Mining in Saito Consensus
One of the biggest critiques levied against Bitcoin is that mining is ‘wasteful’ and ‘inefficient’, as the sum total of mining for the Bitcoin network only produces a network capable of 7tps. I am not going to comment here on the thorough discussions which have taken place regarding this critique. Instead, I will only focus on how Saito Consensus differs from Proof of Work in this regard.
In Saito, mining only receives half of the block reward. So by default, for a given network fee-flow there will be half as much mining on a Saito Consensus chain as on a Proof of Work chain like Bitcoin. If we then target only one golden ticket every two blocks, Saito Consensus becomes only 25% the hashing of Proof of Work for a given fee flow. With further advancements in consensus, targeting one golden ticket per n>2 blocks may be possible, and these gains could be pushed further. Saito Consensus is also double as secure as PoW, being secured by 100% of fee flow rather than 51%. So there is 1/4 as much hashing (energy consumption), for twice the gain. Making Saito Consensus a vastly more energy-efficient system than traditional PoW.
On the matter of efficiency gains, the only Saito chain which currently exists has allowed its blocksize to float freely — and be regulated by market forces using the ATR mechanism rather than by fiat (decree). Blocks will never grow so big that they collapse the p2p network because nodes will stop accepting transactions if it is unprofitable to store them (which they have to do). Rising fees from blockspace demand will raise ATR fees further — pruning off old data. While this will lead to more centralisation than a puny 1 megabyte blocksize cap, it doesn’t really matter. First, by incentivising nodes to join the network Saito will retain greater decentralisation than other chains. Secondly, the degree of decentralisation is entirely irrelevant past the point of redundancy (which will easily be attained), because Saito does not even require decentralisation (a specific network topology) to achieve security (cost of attack), censorship resistance and protection from nefarious actors.
Given that Saito is able to scale orders of magnitude more than Bitcoin — the (smaller) electricity expenditure used to secure vastly more network activity. So considering the blockchain ‘wasteful’ or ‘inefficient’ per unit of electricity spend compared to alternative means is no longer a valid critique. This is all notwithstanding the fact that the same electricity spend on hashing actually gives you even greater security on a high-scalability Saito Consensus chain processing a lot of fee-flow, because for Saito cost of attack is a function of fee flow.
From an economic perspective, the question of hashing is simple. If the network supports value for people (in the form of applications and usage) then hashing is not wasted electricity. Just like the internet currently. Or Christmas lights, or washing machines, or Facebook. All these things consume incredible amounts of energy, yet are produced because people demand them. Some might consider it ‘wasteful’, but that is only with reference to their own subjective value judgements. Clearly there are others who do not see it that way, and get value out of these things. I think coming after an energy-efficient blockchain for providing the means to be free from financial censorship, disintermediate mega-corporations and empower users to escape monopoly control is a bit disingenuous — and often really motivated by a fear of change. One only need consider the total electricity and bandwidth spend of humanity on video games, porn and mindless entertainment to see this point.
I can see how the argument that ‘it is not wasted electricity if it provides value to people’ is more compelling to industry outsiders when made for an application-capable platform like Saito which has more pre-crypto analogues (e.g. app stores), rather than a purely monetary network Bitcoin which feels more like a ponzi to someone who’s never thought deeply about it. For an application-type blockchain, one can make the simple comparison: ‘electricity is used to pay for running apps and infrastructure for apps, just like with Apple or Amazon — except it requires hashing to get rid of the Apple or Amazon from the picture, and just have the app free-standing as a public good.’
There is also a case to be made that consensus mechanisms with mining lead to a fairer token distribution over time because of token-selling pressures from miners who need to recover their costs. This is not insignificant when trying to design a fair and open protocol. Despite the fact that token distribution has no impact on the underlying security of a chain running Saito Consensus.
Whether the Saito that exists now will be the chain which takes the space, whether it gets forked and goes through its own darwinistic process of evolution like Bitcoin did, or whether some of its key ideas are implemented by other chains — it doesn’t really matter. The point of this article is to showcase that solutions exist to problems this space considers to be ‘unsolvable’ problems — and that we should be discussing them and taking them very seriously. In my opinion, Saito Consensus is an improvement on PoW and PoS. If you hate hashing (despite it being multiples more energy efficient in Saito), you can build a version of Saito Consensus which doesn’t rely on it — and instead uses random number generation to derive security. Whatever one’s stance on hashing, I think that the fundamental innovation of Saito Consensus, as well as the ATR-looping chain mechanism, will play a large role in the future of this space.
The Saito team is very vocal that they want discourse about both Saito Consensus and the chain design mechanism. There is more nuance than what I have discussed here — and with the bright minds of the space put together, there is no doubt room for further innovation which will benefit everybody. I am simply a community member trying to spread the message. For Saito as it exists today, I see the biggest challenge as increasing fee flow to get security. Real progress is currently being made towards this end. Bootstrapping network usage is not easy, but if it can be pulled off, the security gains for the chain will be massive and the network will have proven itself to the market at scale.
So What Now?
“Dreams feel real while we’re in them. It’s only when we wake up that we realize something was actually strange.”
— Inception
Proof of Work and Proof of Stake consensus mechanisms have intrinsic flaws which create the blockchain trilemma and majoritarian attacks. Many chains are growing in size at an unsustainable rate, and with enough time their networks will collapse under their own weight. Bitcoin’s network remains open, but at the cost of limiting scalability. The provisioning of critical network infrastructure beyond mining and staking is totally unaccounted for. Network openness and long-term sustainability is an afterthought.
What’s more, technical solutions are endlessly thrown at what are actually economic problems requiring incentive reform. For a prototypical example, see Adam Back deflecting critiques about Bitcoin’s security model relying on the (temporary) block subsidy. What we see is a complete neglect of the existence of market failures to provide public goods.
Saito targets these problems on the economic level. It realigns incentives to induce the provisioning of infrastructure — and to make it impossible for network participants to attack (censor, exclude people from) the network without going bankrupt. No matter how decentralised Bitcoin is, if the top mining pools collude, they could profitably attack the chain if they so wished. The equivalent applies for any other chain.
I believe that if we care about the potential of our blockchains, Saito’s innovations should be taken seriously and grappled with by the users and builders of this industry. That is why I wrote this article. If you could find the little clapping icon👏 on the bottom of your screen and hold down your click button on it — you will be able to give this article up to 50 claps. I would appreciate you doing so, as it took a lot of time and effort to create.
In the movie Inception, there is a character named Saito. Saito enters the dream world with a purpose, but ends up getting trapped there, unable to escape. After many decades pass — with his mind confined to the illusory world — the young Saito grows into an old man who forgets that he is in a dream. Eventually, Saito is found in the world of the dream, and must be convinced that he is dreaming before he can finally wake up and return to reality.
There are some major problems with blockchains as we know them. And instead of solving them, we have simply forgotten about them. We have convinced ourselves that they are unsolvable and have resigned ourselves to working around them instead. Now, we live in the world of the dream, and our ability to make progress is being hindered by the dream we have come to believe. We are all Saito. You are Saito.
The question now is not “when moon?”
The question now is not “is Saito perfect?”
The real question is — knowing all of this — can you go back to the dream?
