Censorship in private BFT blockchains
Off-chain recourse is your enemy.
Consortium chains as clearinghouses
Picture a scenario where a consortium blockchain is used to replace a regulated, independent clearinghouse, allowing banks and other large organisations to trade more efficiently between themselves.
By establishing a permanent record of “facts” agreed upon by all parties, transactions can be made in real time whilst simultaneously reducing the cost of detecting and preventing fraud.
From the viewpoint of regulators, the viability of such a system comes from the extent to which this permanent record can be trusted.
Motivations for censorship
The best attack against a Byzantine Fault Tolerant (BFT) chain such as Tendermint is censorship:
“Tendermint is two dudes!” Matthew Wampler-Doty excitedly told me [Vlad Zamfir], one evening. He explained that a cartel of Tendermint validators with more than 2/3 of the security deposits would form, because it does not require participation from the remaining validators to create finalized blocks (these “non-cartel validators” have less than 1/3 of security deposits). These less than 1/3 of nodes would be censored and eventually removed from the validator set. A new cartel with more than 2/3 of the (now smaller) set of security deposits would then form, and this process would continue until only [at most] 2 validators remain.
A censorship attack does not need to have the goal of eliminating a party from a network. It may just be to block the actions of a specific party, for example blocking or delaying the sale of assets just as a market starts to crash.
Recourse
Implementers of a consortium chain may look for a combination of technology and contractual agreements to provide recourse against censorship.
For example, nodes may automatically retain a history of all transactions validated, whether or not they make it onto the chain, and a legal contract may impose penalties if evidence of censorship can be provided.
Unintended consequences
If any weight at all is given to this “evidence”, it creates a new, much cheaper attack vector.
A party need only obtain valid signatures on a transaction from 1/3 of nodes (or fewer) to “prove” that their actions have been censored, and this can be done after the fact.
This evidence is trivial to falsify, and it is impossible to prove or disprove that it has been forged because it is not a “fact” in the same way that on-chain transactions are “facts”.
Picture the very same market on the verge of a crash: perhaps a party is not sure how events will transpire and does not want to “commit” to the sale of a bag of assets. This off-chain recourse allows the party to commit after the fact to a past transaction, but instead of directly benefiting from the trade, they receive (potentially equivalent) compensation.
As this attack requires participation from fewer than 1/3 of nodes, its cost is at most half that of censorship (plus legal fees), effectively halving the resilience of the solution.
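The two claims above, that off-chain evidence cannot be told apart from evidence produced after the fact and that it needs at most half as many colluders as censorship, can be checked with a small model. This is an added example, not code from the author or from Tendermint; it assumes ten validators with equal deposits, uses HMAC-SHA256 as a stand-in for validator signatures, and the validator names, transaction and contract rule are constructed for illustration.

```python
import hashlib
import hmac

# Constructed 10-validator consortium with equal deposits. HMAC-SHA256 is a
# stdlib stand-in for each validator's signature scheme (an assumption).
KEYS = {f"val{i}": hashlib.sha256(f"demo-key-{i}".encode()).digest() for i in range(10)}

def censorship_quorum(n):
    """Validators a cartel needs to finalize blocks alone: strictly more than 2/3."""
    return 2 * n // 3 + 1

def evidence_threshold(n):
    """Most attestations a truly censored party could gather: the non-cartel minority."""
    return n - censorship_quorum(n)

def attest(name, tx, claimed_time):
    """Off-chain attestation 'I validated tx at claimed_time'. Nothing binds
    claimed_time to the moment of signing; the signer simply writes it."""
    msg = f"{tx}|{claimed_time}".encode()
    return (name, claimed_time, hmac.new(KEYS[name], msg, hashlib.sha256).hexdigest())

def arbiter_accepts(tx, attestations):
    """Hypothetical contract rule: enough distinct valid attestations proves censorship."""
    valid = {name for name, t, sig in attestations
             if name in KEYS and hmac.compare_digest(sig, attest(name, tx, t)[2])}
    return len(valid) >= evidence_threshold(len(KEYS))

def compare_cases():
    tx = "SELL 1000 ACME"  # constructed transaction
    signers = sorted(KEYS)[:evidence_threshold(len(KEYS))]
    # Case A: tx was broadcast at t=100, censored, and attested at that time.
    genuine = [attest(v, tx, 100) for v in signers]
    # Case B: tx was never broadcast; the same signers attest at t=500, after
    # the market moved, and write 100 as the claimed time.
    backdated = [attest(v, tx, 100) for v in signers]
    return {
        "identical": genuine == backdated,
        "genuine_accepted": arbiter_accepts(tx, genuine),
        "backdated_accepted": arbiter_accepts(tx, backdated),
        "signers_needed": len(signers),
        "censorship_quorum": censorship_quorum(len(KEYS)),
    }

if __name__ == "__main__":
    print(compare_cases())
```

The arbiter sees byte-identical evidence in both cases, and the three signers it requires are fewer than half of the seven a censoring cartel would need.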
The moral of the story: censorship resistance needs to be on-chain.