Proof of Authority & Security
When it comes to the security of a blockchain, the focus of the ecosystem has been on topics such as cryptography, replay attacks, and overall soundness of the technical infrastructure. Yet proof of authority, as envisioned by the POA Network, comes with a security approach that is more human: validators are people who have a name, a family, and a home. In their home one could find hardware and potentially private keys important to the network. In fact, validators of the POA Network have their name and address disclosed to the public in a registry maintained by the state where they live, and guaranteed to be up to date within 30 days from a change in their record.
Validators receive token rewards for services performed for the network, which incentivize them to keep their number small. In addition, the more validators, the less scalable the network becomes; thus theoretically users have a preference for a small number of validator nodes.
The POA network is scheduled to grow following these three phases:
- Phase 1 “Inception”, with 3 validators
- Phase 2 “Stability” with 12 validators
- Phase 3 “Expansion’’ with 25 validators
Let’s assume that we are in phase 1, as the network grows in value, it could be easy and profitable for malicious actors to intimidate our 3 validators and/or their family members. In a worst case scenario, criminals could coordinate in a way in which every validator is attacked at the same time and thus these criminals would control the network. Furthermore, from their primary residence, validators can be followed and routines can be identified, which is enough for a criminal mind to predict the best time for an attack on the network.
As the number of validators increases such an attack becomes harder. Keep in mind that the attackers only need to acquire a majority vote on the network to remove the remaining uncorrupted validator set and replace it by a corrupted set, thus taking over the entire network. As an example, in a 25 validators model, a successful attack on 13 validators would be enough to overtake the network.
Two factors are to be monitored in order to predict the likelihood of successful attacks on the network:
- A function of the Return On Investment (ROI) for operating a validator node: P1(ROI)
- A function of validator’s voting weight on the network: P2(1/# validators)
The network compromise probability (NCP) is therefore: P1(ROI) * P2(1/# validators). Where P1 is the underlying root cause for attracting attackers, since lucrative economic engines are always in danger of hostile takeovers, and where P2 is the probability multiplier, since as mentioned; the fewer validators — the easier it is to compromise the network.
Let us run few simulations (using decimal orders of magnitude):
Network ROI = 1 BTC/month; # validators = 10: taking over 6 validators ensures 1 BTC/month income. We could argue that this isn’t enough of an incentive and the probability of it happening is no higher than getting robbed.
Network ROI = 10 BTC/month; # validators = 10: taking over 6 validators ensures 10 BTC/month income. For some, this incentive would be enough to arrange a simultaneous hostile takeover on 6 validators. Keep in mind that geo-distribution may increase the cost and complexity of such an action in a way that could offset the potential returns.
Network ROI = 100 BTC/month; # validators = 50: taking over 26 validators ensures 100 BTC/month. The ROI is now so high, that a potential hostile takeover is likely.
This is why for security reasons, as the network grows in value, both users and validators could benefit from either an increased number of validator nodes, or a large and healthy pool of validators from which the network could cycle through.
Potentially the attributes of validators may be a factor to consider, geo-distribution, empirically provable trustworthiness, and cyber-security proficiency, should all be desirable skills to look for. In terms of how the network operates, silent methods to signal that a node has been compromised could be an interesting avenue to explore. Similar to this, the ping-alive method where every validator has to offer periodic proof that the node hasn’t been compromised is another possible route. Additionally validators could temporarily suspend their own voting rights, so that in case of hostile attempts, validators could drive their P2 to zero and render themselves useless as a target. Finally, in both biological (wet) and computer systems (dry) all things have a lifecycle and eventually rot, perish, or become obsolete. Therefore, it could make sense that to maintain a “healthy” network, validators would be termed in some reasonable fashion. They could be recycled, i.e. exit for a determined period and then re-enter the validator pool.
The obvious solution would be to increase the number of validators to an extremely large number as the network becomes successful. However this would, as mentioned before, severely impair the performance of the network and therefore I am calling for more discussions and creativity in our attempt to find a solution to this question.
Special thanks to @Micwebnet , @jlegassic, and Storifier: Blockchain, Token Economy, ICOs for their contribution in the conceptualization of this essay. Please take part and share your opinion directly in the forum of the POA Network or in the comment section below.