Hanna Halaburda is an Associate Professor of Technology, Operations and Statistics at New York University Stern School of Business. Her research is focused on how technology influences business models. Much of her work is focused on competition between platforms and how do network effects and interactions affect marketplaces. The most current theme in her research is the development of digital currencies and blockchain technologies at the 4th Luohan Academy Frontier Dialogue.
Hanna Halaburda :
Thank you. Thank you, Steve, for the kind words of introduction, and thank you Raphael for great setup and introduction to permissioned blockchains, because there is, like Cam said, there's so much talk about Bitcoin, and about permissionless blockchains, and there are those other elements of the technology that are not so well understood and not so much talked about. So, permissionless blockchain as exemplified by Bitcoin has been hailed as this distributed ledger with a trusted third party. And like Raphael mentioned, it comes at a high cost. Electricity cost, the cost of maintaining the ledger, and the environmental cost. All sorts of costs that we can think of. A lot of it is expensive to maintain. So, when permissioned blockchain came along, it was held either as the best of both worlds, because we can get the distributed ledger without so much cost, or as the flaws of both worlds.
So, the other side was saying, "Well, you don't really get the full decentralization. You still need some trusted party or trusted parties, but because you created a distributed system, you have redundancy in the system, it's much more costly than the centralized system was." So, you're going to look at permission blockchain from both sides. And in fact, both of views are correct, depending on the angle that you're taking. So, one thing to remember is that distributed system is not the same as the centralized system. I'm not going to talk much about it, but basically distributed is the architecture of the system and decentralization is the level of control. So, you can have both of those views being true at the same time.
And what I'm going to emphasize on, I keep emphasizing every time I talk about it, is that when we were talking about blockchains, and we're comparing blockchains, so thinking about whether blockchains are worthwhile, we need to be really, really clear. Why do we seek decentralization? What benefits do we expect from this distributed system? Why do we want the distributed system? And only if we're really clear what is the objective we can start to model it.
So, there are many different reasons why we may want a decentralized system and distributed system. So, for example, if we want a censorship resistant interaction, where we have anonymity, it's a different objective than if we want efficient information sharing or information aggregation, like when we were thinking about the oracles. The one aspect that I'm going to focus on today is the transaction safety, and I think that this is the most important aspect from the financial applications.
So, transaction safety is preventing, replacing or erasing a transaction from a ledger. And like Raphael already mentioned, is that participants in a system, being a centralized system where it's run by one party, or a distributed system where it's run by multiple participants, each participant has their own incentives. And we are economists, so we assume that everybody is just maximizing their utility. They're opportunistic in a way. So, a good system is going to prevent misbehavior, prevent attacking, by making attacking costly. What I want to emphasize in this presentation is that permissioned and permissionless blockchain fundamentally differ in how they make attacking costly, and this has an effect on what is happening in the cost of the equilibrium.
Okay. So, in a permissionless blockchain, because nobody can limit their permission, there is no identity requirement, and therefore the participants are unknown outside of the blockchain, and there can be no accountability outside of the blockchain after a transaction is happening. Therefore, the cost of preventing an attack needs to be born up front. And then, if everything goes well, this cost is recuperated. So, in Bitcoin and in proof of work, permissionless blockchains, we see this cost of preventing attack as the cost of mining. So the only reason for the mining to be costly is to prevent attacks. Because if mining is costly for regular miners, for honest miners, it is going to be costly for the attacker. If mining is cheap for the miners, then it's going to be cheap for the attackers. The mining has nothing to do with the cost of validation of transaction. The only reason for mining to be costly is to create safety of the ledger. And then, the miners are rewarded with the mining reward to compensate them for the costly mining.
In permissioned blockchains, however, we have known parties validating the transactions and, because their identity are known, they are accountable outside of the blockchain as well, or they may be accountable outside of the blockchain. And therefore we can have an ex-post punishment in case an attack has happened. So, what Rafael was saying in his presentation, in the environment that Raphael and his co-authors are studying, the punishment is exclusion from the system in the future. But there may be other punishments possible.
So, what does it mean for the cost of the two systems on the equilibrium path? Because, in permissioned system, the cost of attack is born only if attack happens. Then sufficient prevention of the attack, the fear of the punishment if attack happens is actually not happening on the equilibrium path. So if the system is well designed and the attack is not happening, then this cost is never paid on the equilibrium path.
Whereas for permissionless system, this cost of preventing attacks has to be paid every period, it's to be paid and recuperated, but it's not simply accounting method. It actually needs to be paid. For the proof of work systems, it needs to be the electricity spent and the work being done to mine. It needs to be lost in order to be credible, and then it may be recuperated by the mining reward. In proof of stakes that are now held as this of environment saving mechanisms, you still need to lock in your stake. You're not getting any opportunity benefits. You cannot use this capital elsewhere. So you are still, you need to pay for creating the safe environment and preventing attacks. And you may be recuperated with the new stake if everything goes well.
So, because in permissioned blockchains, if on the equilibrium path, if attack is not happening, the cost of preventing attack is not paid, then permissioned system can bear imposing higher costs of attack up to a credible threat of punishment, and therefore it can keep larger size of transactions safe than permissionless system. And I'm not saying that it always does, but it will be up to design that I will be talking about next. But this is where this visibility is coming from.
Okay. So, in permissionless system, the safety really comes from the price of the native cryptocurrency. Actually, I'm going to kind of go more quickly, because this is a point that has been made many times in the literature right now, but due to the free entry for miners, the total cost of mining per block, the total cost of the system of mining a block is equal to the total reward, which is the block reward or the mining reward from a given block, results in fees, and the price of the cryptocurrency. So, for Bitcoin right now, this is about $300,000 per block, and block is every 10 minutes, right? So, if an attacker wants to attack and rewrite the ledger, they need to redo this mining. So, it is possible to attack with less mining power than the rest of the system, less than 51%. But, even the attacker has the same amount of computational power on this blockchain, then it is pretty sure that can successfully attack. So, if an attack needs W blocks of the length then, per block, the cost of the attack is given by this formula. Then we can define the total cost of attack. So, let's say that it takes 10 blocks to successfully attack Bitcoin's blockchain.
Right now, this C would be about 3 million to attack Bitcoin blockchain. So now, if the benefit of attacking the blockchain is larger than the cost of attack, then those transactions that offer a larger benefit of attack may be vulnerable. And this is assuming that after the attack is discovered, and if the attack is discovered, then the price of the crypto goes to zero and the attacker is not realizing any gains from the block reward. If otherwise we are going to, as I'm going to claim in a moment, actually, even if the attack is discovered, the price doesn't go all the way to zero, it has actually been cheaper for them, for the attacker to attack. What is the main point of the slide here is that the transaction safety and permissionless system is directly related to the price of crypto.
And this is not something that designers of the system can design. This is not depending on anyone. It's only up to the market. So, Bitcoin is quite safe right now, because it's really high price, but if the price would drop right now to a hundred dollar, actually the vulnerability would be substantial, especially with a lot of idle computational power that would be going offline with dropping of the price. And as it was earlier mentioned, I think by Cam, definitely by Raphael, is it smaller coins already have experienced double spend attacks. So, the protocol itself does not guarantee immutability of the ledger. Ethereum classic and Bitcoin gold have experienced double spend attacks, and there are also some other double spend attacks that are claimed not to have been discovered. And what we have seen is that price dropped, but did not go to zero.
So, the level of safety of permissionless blockchain depends on this price, and the price is not really depending on the design of the blockchain. So, this is a little bit different for permissioned blockchains. There, we have a number of known validators, accountable validators, and not all validators need to be involved in validating each transaction. There may be a subset of them. And Rafael in his paper has a formula to derive it. But whatever is the subset of validators involved in validating a particular transaction, we're requiring some majority of them to agree to put this transaction in the ledger. And now, what is the N for a given transaction? And what is the majority? It's actually a part of the blockchain design. And we may think of it as something that we designed, but there is a larger aspect of this blockchain design. So there may be technological limitations.
So, it may come from how we define what consensus we are going to choose, how nodes are able to communicate, how many exchanges do you need to exchange, how reliable is the voting mechanism that they're using. So, there are a lot of the blockchain design aspects. But what I want to emphasize are the two dimensions of control in blockchain design, which are especially important for permissioned blockchains.
So, one dimension of control is control of validators. So, how many validators do we have for a particular transaction, and what is their relative power? Because in permissionless blockchains, all validators are equal unless they have more power, but in permissioned blockchains, they may be hierarchical, and it may be a positive or negative thing for transactional safety. Overall, this control of validation of a transaction is going to tell us how many nodes do we need, how many validators do we need to conduct a successful attack.
The other dimension of control is control over validators. So. Who is permitted to become a validator? And then, what are their incentives at accountability? So in a way, what is the punishment? Are we allowed to kick them out? Because there may be a design, or once you give a permission, you cannot revoke it. If you can revoke it, can you also levy some additional punishment? So, is it just exclusion, or some monetary punishment as well?
Okay. Depending on what is the setup there, the setup is going to tell us how much the validators can be punished. So, those are two elements that can be designed, at least to some extent, in a permissioned system.
So, why does it matter? First of all, as the attacks are going to involve N nodes, and this may be different for whether we want to replace transaction or whether we want to ignore transaction, and this N is going to be related to the design choice. And it is going to tell us how many nodes will need to cooperate to attack and how many nodes will need to be bribed. And something that may be interesting in permissioned blockchains that does not show up in permissionless blockchain is if we put too high majority rule, like 80% of nodes need to agree on a transaction, then we need to bribe only 20% of the nodes to ignore a transaction. And that may also be a valuable attack. And this is something that does not come up in permissionless blockchain.
So, attacking nodes can be punished to a value Pi, which follows from the blockchain design, and the punishment may be executed with probability tau. And this is because the punishment is executed outside of the blockchain, or may or may not be executed. So, if we are going to just simplify and say that everybody can be punished to the same punishment, the transaction safety is given by this formula.
What is important is if you believe that the nodes will never be punished for their misbehavior, then your only option is to go for permissionless blockchain. But if you think that there is a chance that there will be, even not one, but there's a chance that they will be punished, then you can design a permissioned system that may be better with high enough N and P. So, I'm not talking here, which is a separate and very important topic about the cost of having a larger number of validators, but if you can levy an infinite P, then you are better off with a centralized system. Which, of course, we cannot levy infinite P. And this is why having distributed system may be better for transactional safety than centralized system here. Okay. So, I have talked about how the two systems are different.
Hanna,I need you to try to wrap up.
I will try to wrap up. I just have two remarks ready. So, one is that the two systems can coexist at the same time, but the permissionless system is going to be inherently more costly. There may be a reason why we may prefer a permissionless system, right? And it may also be for different uses. The second point that I want to make is interconnectivity. If we have those two systems existing, can they connect to each other? And we cannot really mix the consensus mechanisms, but they can interconnect with each other via asset transfers. And there is a really interesting concept how we are going to move Bitcoin to Ethereum, and the same way you can move it to permissioned system and via oracles.
So, the information from one blockchain can be an input for execution of some transaction in the other blockchain. And also, what we are seeing right now is that we can have a very much permissioned Dapps running on permissionless blockchain. And what we can kind of look forward to is we can have permissioned platforms that would run peer to peer, maybe permissionless smart contracts. So, those concepts can be mixed together, not only coexisting, but they can interact with each other as well. So, let me stop here. Thank you very much.
For more information, please visit Luohan Academy's youtube channel: Luohan Academy