This week marks the completion of our fourth hard fork, Spurious Dragon, and the subsequent state clearing process, the final steps in the two-hard-fork solution to the recent Ethereum denial-of-service attacks that slowed the network in September and October. Gas limits are currently being increased to 4 million as the network returns to normal, and will be increased further as additional optimizations are completed for clients to allow for faster reads of state data.
Amidst these events, we have seen major progress from the C++ and Go development teams, including improvements to the Solidity tools and the release of the Geth light client, and the Parity, EthereumJ, and other external development teams have continued to push forward their own technologies, such as Parity’s Warp Sync; many of these innovations have already found their way into the hands of the average user, with more to come. At the same time, however, there has been a great deal of quiet progress on the research side, and while these advances have been rather blue-sky in many cases, and low-level protocol improvements will necessarily take a while to trickle down into the main Ethereum network, we expect this work to start bearing fruit very soon.
Metropolis is the next major planned hard fork for Ethereum. While Metropolis isn’t quite as ambitious as Serenity and won’t feature proof of stake, sharding, or other similarly big changes to how Ethereum works, it is expected to feature a number of small improvements to the protocol that are, taken together, much larger than Homestead. Key improvements include:
- EIP 86 (account security abstraction) – moves signature and nonce verification logic into contracts, allowing developers to experiment with new signature schemes, privacy protection technologies, and changes to parts of the protocol without requiring further hard forks or protocol-level support. Also allows contracts to pay for gas.
- EIP 96 (block hash and state root changes) – simplifies protocol and client implementations and allows upgrades to light client and fast syncing protocols, making them much more secure.
- Precompiled/native contracts for elliptic curve operations and big integer arithmetic, enabling efficient implementation of applications based on ring signatures or RSA cryptography
- Various efficiency improvements that enable faster transaction processing
Much of this work is part of a long-term plan to move the protocol toward what we call abstraction. Rather than having complex protocol rules governing contract creation, transaction validation, mining, and various other aspects of system behavior, we essentially try to fit as much of the logic of the Ethereum protocol into the EVM itself as possible and have the protocol logic simply be a set of contracts. This reduces client complexity, lowers the long-term risk of consensus failures, and makes hard forks easier and safer; perhaps a hard fork could simply be specified as a configuration file that changes the code of some contracts. By reducing the number of “moving parts” at the lowest level of the protocol in this way, we can greatly reduce Ethereum’s attack surface and open more parts of the protocol to user experimentation: for example, instead of the protocol moving to a new signature scheme all at once, users are free to experiment and implement their own.
Proof of Stake, Sharding and Cryptoeconomics
Over the past year, research on Proof of Stake and Sharding has quietly evolved. The consensus algorithm we’ve been working on, Casper, has gone through several iterations and proof-of-concept releases, each of which has taught us important things about combining economics and decentralized consensus. PoC Release 2 came earlier this year, although that approach has now been abandoned as it has become apparent that requiring every validator to send a message every block, or even every ten blocks, requires far too much overhead to be sustainable. The more traditional chain-based PoC3, as described in the Mauve Paper, has been more successful; although there are flaws in the way the incentives are structured, the flaws are much less serious.
Vlad, I, and many volunteers from the Ethereum research team got together with university academics, Zcash developers, and others at the IC3 bootcamp in July to discuss Proof of Stake, sharding, privacy, and other challenges, and significant progress was made in bridging the gap between our approach to Proof of Stake and that of others who have worked on similar problems. A newer and simpler version of Casper was beginning to solidify, and Vlad and I went down two separate paths: I aimed to create a simple proof-of-stake protocol that would deliver desirable properties with as few changes as possible from proof of work, and Vlad took a “correct-by-construction” approach to rebuilding consensus from scratch. Both were presented at Devcon2 in Shanghai in September, and that is where we were two weeks ago.
At the end of November, the research team (temporarily assisted by Loi Luu, known for the Validator’s Dilemma) along with some of our long-time volunteers and friends met for a two-week research workshop in Singapore with the aim of sharing our thoughts on various topics related to Casper, scalability, consensus incentives and state size control.
A key topic of discussion was the development of a rigorous and generalizable strategy for determining optimal incentives in consensus protocols – whether you are building a chain-based protocol, a scalable sharding protocol, or even an incentivized version of PBFT, can we come up with a generalized way to correctly assign the proper rewards and penalties to all participants, using only verifiable evidence that could be injected as input to a blockchain, and in a way that would have optimal game-theoretic properties? We had some ideas; one of them, when applied to Proof of Work as an experiment, immediately led to a new way of solving selfish mining attacks and has also shown great promise for tackling long-standing Proof of Stake problems.
A key goal of our approach to cryptoeconomics is to ensure as much incentive compatibility as possible, even under a majority-collusion model: even if an attacker controls 90% of the network, is there a way to ensure that, if the attacker deviates from the protocol in any malicious way, the attacker loses money? At least in some cases, such as short-range forks, the answer seems to be yes. In other cases, like censorship, this goal is much more difficult to achieve.
A second goal is to limit “griefing factors” – that is, to ensure that there is no way for an attacker to make other players lose money without losing nearly the same amount of money themselves. A third goal is to ensure that the protocol works as well as possible under other extreme conditions: for example, what if 60% of the validator nodes go offline at the same time? Traditional consensus protocols such as PBFT and proof-of-stake protocols inspired by such approaches simply stop in this case; our goal with Casper is for the chain to persist, and even if the chain cannot offer all the guarantees it normally offers under such conditions, the protocol should still try to do as much as possible.
One of the main positive outcomes of the workshop was bridging the gap between my current “exponential ramp-up” approach to transaction/block finality in Casper, which rewards validators for making bets with increasing confidence and penalizes them when their bets are wrong, and Vlad’s “correct-by-construction” approach, which emphasizes penalizing validators only when they equivocate (i.e., sign two incompatible messages). At the end of the workshop we started working together on strategies to combine the best of both approaches and we have already started to use these insights to improve the Casper protocol.
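As an added illustration (not code from the original post or from the Casper specification), the sketch below shows what "penalize only equivocation" means when the only input is evidence that could be placed on chain: a validator is slashed only if two of its own messages conflict, not for backing a block that lost. The names `Vote`, `find_equivocations` and `slash`, the rule that "incompatible" means two different block hashes at the same height, and full deposit forfeiture are all assumptions; signatures are assumed to have been verified already.

```python
from typing import NamedTuple

class Vote(NamedTuple):
    validator: str
    height: int
    block_hash: str

def find_equivocations(votes):
    """Return {validator: (first_vote, conflicting_vote)}.

    Two votes conflict when the same validator names different block
    hashes at the same height (assumed definition of "incompatible").
    Re-broadcasting an identical vote is not a conflict.
    """
    first_seen = {}   # (validator, height) -> first Vote observed
    evidence = {}     # validator -> pair of conflicting votes
    for vote in votes:
        key = (vote.validator, vote.height)
        first = first_seen.setdefault(key, vote)
        if first.block_hash != vote.block_hash:
            # Keep only the first conflicting pair per validator:
            # one pair is enough to prove the fault.
            evidence.setdefault(vote.validator, (first, vote))
    return evidence

def slash(deposits, evidence):
    """Zero the deposit of every validator with evidence against it.

    Full forfeiture is an assumed penalty size, chosen for simplicity.
    """
    return {v: (0 if v in evidence else d) for v, d in deposits.items()}

# Constructed sample input, not real network data.
SAMPLE_VOTES = [
    Vote("alice", 10, "0xaa"),
    Vote("bob",   10, "0xaa"),
    Vote("carol", 10, "0xbb"),  # backs the minority block, but consistently
    Vote("alice", 10, "0xaa"),  # duplicate re-broadcast, harmless
    Vote("bob",   10, "0xbb"),  # conflicts with bob's earlier vote
    Vote("bob",   11, "0xcc"),
]
SAMPLE_DEPOSITS = {"alice": 100, "bob": 100, "carol": 100}

if __name__ == "__main__":
    proof = find_equivocations(SAMPLE_VOTES)
    print(proof)
    print(slash(SAMPLE_DEPOSITS, proof))
```

Under this rule carol keeps her deposit even though she voted for the losing block; a scheme that penalizes wrong bets would treat her differently.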
In the meantime, I’ve written some documents and FAQs describing the current state of thinking on Proof of Stake, Sharding and Casper to bring anyone interested up to date:
https://docs.google.com/document/d/1maFT3cpHvwn29gLvtY4WcQiI6kRbN_nbCf3JlgR3m_8 (Mauve Paper; now a bit outdated but will be updated soon)
State size control
Another important area of protocol design is state size control – that is, how can we reduce the amount of state information that full nodes need to track? Right now the state is about a gigabyte (the rest of the data that a Geth or Parity node currently stores is transaction history; this data can theoretically be truncated once there is a robust light client protocol to retrieve it), and we have already seen how the usability of the protocol degrades in various ways as the state gets much larger; additionally, sharding becomes much more difficult, as sharded blockchains require nodes to be able to quickly download pieces of state as part of the process of serving as validators.
Some suggestions that have been put forward involve deleting old non-contract accounts that do not have enough ether to send a transaction, and doing so safely so as to prevent replay attacks. Other proposals are to just make creating new accounts or storing data much more expensive, in a way that is more decoupled from how we pay for other types of costs within the EVM. Still other suggestions include limiting how long contracts can last and increasing fees for creating longer-term accounts or contracts (the time limits would be generous here; it would still be affordable to create a contract lasting several years). There is currently a debate in the developer community on how best to achieve the goal of keeping the state size small while keeping the core protocol as user and developer friendly as possible.
Other areas of low-level protocol improvement on the horizon include:
- Several “EVM 1.5” proposals that make the EVM friendlier to static analysis and easier to make compatible with WASM
- Integrate zero-knowledge proofs, likely through either (i) an explicit ZKP opcode/native contract, or (ii) an opcode or native contract for the main computationally intensive components in ZKPs, particularly elliptic curve pairing computations
- Further levels of abstraction and protocol simplification
Expect more detailed documents and discussions on all of these topics in the coming months, especially as work continues to transform the Casper specification into a viable proof-of-concept version that could run a testnet.