Scaling Blockchains: Can Elected Committees Help?

In the high-stakes race to develop more scalable blockchains, some platforms (Cosmos, EOS, TRON, etc.) have adopted committee-based consensus protocols, whereby the blockchain's record-keeping rights are entrusted to a committee of elected block producers. In theory, the smaller the committee, the faster the blockchain can reach consensus and the more it can scale. What's less clear, is whether this mechanism ensures that honest committees can be consistently elected, given voters typically have limited information. Using EOS' Delegated Proof of Stake (DPoS) protocol as a backdrop, we show that identifying the optimal voting strategy is complex and practically out of reach. We empirically characterize some simpler (suboptimal) voting strategies that token holders resort to in practice and show that these nonetheless converge to optimality, exponentially quickly. This yields efficiency gains over other PoS protocols that rely on randomized block producer selection. Our results suggest that (elected) committee-based consensus, as implemented in DPoS, can be robust and efficient, despite its complexity.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 12

03/11/2019

Weighted Voting on the Blockchain: Improving Consensus in Proof of Stake Protocols

Proof of Stake (PoS) protocols rely on voting mechanisms to reach consen...
11/10/2017

Consensus in the Age of Blockchains

The blockchain initially gained traction in 2008 as the technology under...
11/16/2018

Evolutionary Game for Consensus Provision in Permissionless Blockchain Networks with Shard

With the development of decentralized consensus protocols, permissionles...
06/10/2020

Efficient democratic decisions via nondeterministic proportional consensus

Are there voting methods which (i) give everyone, including minorities, ...
03/22/2021

The quest for scaling BFT Consensus through Tree-Based Vote Aggregation

With the growing commercial interest in blockchain, permissioned impleme...
04/07/2019

Committee Selection is More Similar Than You Think: Evidence from Avalanche and Stellar

Increased interest in scalable and high-throughput blockchains has led t...
01/17/2022

Understanding the Decentralization of DPoS: Perspectives From Data-Driven Analysis on EOSIO

Recently, many Delegated Proof-of-Stake (DPoS)-based blockchains have be...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Permissionless blockchains face a challenging problem: How can anonymous/untrusted decentralized agents all agree on a sequence of events, e.g., transactions, or more general state updates? The Bitcoin Whitepaper (nakamoto2008bitcoin) introduced a new Consensus Protocol that allows participants to reach agreement, even in the absence of stable identities, paving the way to a new form of decentralized money (and a lot more). The core idea behind Nakamoto’s consensus is that participants can continuously establish trust by expending verifiable computational effort (e.g. wasting electricity), that is, by showing “Proof of Work” (PoW).

Since Bitcoin’s inception, there’s been a high-stakes race to replace the PoW protocol that underlies not just its own blockchain, but hundreds of others like it. Although PoW-based consensus has proven to be relatively safe for more than a decade now, it is wasteful and has been unable to generate the throughput necessary to handle the global demand for transaction processing. Finding a better alternative may determine not only the winners and losers of the ongoing cryptocurrency arms race, but also the long-term disruptive potential that blockchain technology, as a whole, will have on the global economy.

Dozens if not hundreds of competing consensus protocols have been proposed and implemented. At the moment, the most promising and widely used alternatives rely on the concept of Proof of Stake (PoS), where agents stake their existing wealth for a chance to be selected as the next “block leader”, via stake-weighted lottery. Winning the draw gives them to right to record transactions on the next blockchain block and reap any rewards that come with it.

While PoS systems are more scalable than PoW (e.g., see john2020economic), one drawback of selecting block producers via lottery is that malicious producers can try to fork the chain, and will (occasionally) be selected. Thus these types of consensus protocols require an additional method to identify the “canonical” branch when a fork occurs.111

PoW systems naturally disincentivize forking since producing a block is costly, and when forking occurs, most systems use a “longest chain rule,” where the chain with the most hash power is the “correct” branch. Since block production in PoS systems is essentially free, several PoS systems (e.g. Ethereum 2.0, Cosmos) employ “slashing” where producers are economically penalized for creating two blocks. See

saleh2021blockchain for an economic analysis.

One alternative method, that can avoid forks,222Most PoW blockchains (e.g. Bitcoin and Ethereum) achieve “eventual finality,” by contrast systems like Cosmos, Algorand, EOS and TRON achieve “instant finality”. is a form of “committee-based consensus,” where the rights to produce and certify blocks are delegated to a small committee. Several prominent blockchains including Cosmos, Algorand, EOS333EOS raised a record-breaking $4 billion in its Initial Coin Offering, in 2017. and TRON use this approach, though they differ in how they select the committee members: Algorand committees are selected randomly, Cosmos committees are selected by a single-vote election, and committees in EOS and TRON are based on Delegated Proof of Stake (DPoS), which uses a form of “approval voting”. Approval voting encompasses single-choice voting (as in Cosmos), and there is no election strategy in random selection (as in Algorand), thus approval voting will be our focus for much of the paper.

It’s worth noting that DPoS Blockchains have had their fair share of criticism, both in terms of their technical design (cosmosvseos, XLCB18) and some of their business behavior (justinsun, EOSsuit, Tronarbitration), but these criticisms do not undermine the core ideas of committee-based consensus, as evidenced by the fact that more prominent blockchains (like Cosmos) rely on it as well.

At its core, (elected) committee-based consensus is rather simple: users continuously vote to elect their preferred block producers to the committee. Keeping the committee size small improves efficiency: increasing throughput, decreasing latency and allowing for member specialization. Unfortunately, a small number of malicious committee members can also undermine the security of the entire blockchain, thus there is a fundamental tension between performance and robustness – a small committee is extremely efficient but may compromise security.

Several interrelated questions follow: First, how should agents vote for their preferred candidates given they only have partial information? Second: How small can the committee be without undermining security? Third: How does committee-based consensus with approval voting compare to other PoS protocols?

Summary of Model

To answer these questions, we develop a simple voting model using EOS’ Delegated Proof of Stake (DPoS) protocol as a backdrop. Block producers have two types, either “honest” or “dishonest,” and the vote is successful if a rds majority of the elected committee is honest.

Token holders have limited information: they receive private signals on the block producer types and vote strategically to try and maximize the probability of electing an honest committee. The election process is based on a variation of approval voting, whereby voters approve of a collection of candidates, and the candidates with the most approvals are elected to the committee

(BF07). As we will discuss later, this is fundamentally different from traditional voting schemes, where voting for more than one candidate means splitting your vote.

Assuming the block producer committee uses a traditional consensus protocol to certify blocks, such as Practical Byzantine Fault Tolerance (CL99), this imposes a strict threshold effect on the committee: if fewer than rd of the committee members are dishonest, they cannot disrupt the consensus protocol, but once more than rd of the committee members are dishonest, they can completely subvert the committee (which can result in halting transactions, or executing double-spend attacks).

We seek to characterize agent optimal voting strategies and the pure-strategy Bayesian Nash equilibria obtainable under these conditions. Further, guided by some stylized facts emerging from our basic empirical observations, we also consider a restriction of the voting strategy space to two simple and intuitive classes: “threshold voting,” where voters vote for all candidates whose (conditional) probability of being honest is above a certain threshold (Definition 5), and “cardinal voting,” where voters vote for their top candidates (Definition 6).

Summary of Results

Even with this relatively simply model, computing the probability of electing an honest committee turns out to be extremely challenging. In Theorem 1, we derive this probability in the most general terms, allowing for specialization to various voting strategy classes. We then proceed to examine the equilibrium for the two intuitive voting strategy classes we consider.

We first analyze a special case where there is only a single voter, and show that it is (mathematically) equivalent to a setting in which all voters can credibly (and costlessly) pool their information. Pooling of information is often regarded as a pure hypothetical exercise, but it is worth studying in our setting because voter incentives are aligned, and there is no obvious downside to sharing one’s information with others. Under these conditions, we show that the cardinal voting strategy is in fact the optimal strategy (Proposition 3). But this result breaks down when there is more than one voter, if signals cannot be shared (Proposition 6).

Proposition 1 gives a closed-form solution for the the probability of electing an honest committee when voters follow the threshold strategy. But threshold voting can be suboptimal even when there is just a single voter (Proposition 4).

Despite the general suboptimality of these simple strategies (other than in the special pooling case), we show that the system is asymptotically stable. More specifically, regardless of the strategy considered, and under very weak assumptions, the probability of electing an honest committee tends to one, exponentially fast, as the number of voters increases (Theorem 3). Thus, although the optimal voting strategy may be too complex to be realistically achievable in practice, simple, intuitive voting strategies, that token holders tend to use in practice, exhibit very strong robustness.

Finally, we compare the approval-voting mechanism for committee selection to another popular mechanism used by many PoS blockchains: the random assignments protocol. We find that approval voting typically requires much smaller committee sizes (1 to 2 orders of magnitude) to attain the same levels of failure tolerance.

Overall, our results suggest that for most practical purposes, committee-based consensus, of the type implemented in DPoS blockchains, is theoretically efficient and robust to the complexity it introduces on the agent strategy space (some limitations are discussed in Section 7).

Below, in Section 2, we discuss some of the basics of blockchain consensus protocols and the approval voting mechanism that we model. Readers already familiar with these concepts can skip the section, or its relevant parts, without loss.

2 Blockchain Consensus Protocols & Committee Elections

The core problem facing all cryptocurrencies (and decentralized databases of all kinds), is how to provide a single, universally accepted ordering of transactions (or state updates). Most modern cryptocurrencies are based on the notion of a hash chain, where blocks of data are chained together using cryptographic hash functions. Hash chains are an append-only data structure, meaning that new blocks (containing transactions) can be appended to the end of the chain, while internal blocks of the chain cannot be modified or re-ordered (without modifying all subsequent blocks). Since anyone can easily append new blocks to the end of a hash chain, decentralized systems need a method for deciding how and when new blocks can be added to the chain.

Most cryptocurrencies use a form of leader election, where a leader is elected at regular intervals. This leader, or “block producer,” is given the right to produce a single block. There is an inherent value in becoming a block producer, as block producers have the power to insert, re-order and censor transactions (flashboys2.0).444The value that can be extracted by inserting, re-ordering and censoring transactions is termed “Maximum Extractable Value” (MEV), and is worth hundreds of millions of dollars on blockchains like Ethereum (MEVexplorer). In addition, most cryptocurrencies provide direct incentives for block production in the form of transaction fees and block rewards. Transaction fees are paid by the users to incentivize the block producer to include specific transactions in a block. Block rewards are new coins that are minted and paid directly to block producers. For example, in Bitcoin, block rewards are currently set to BTC. In many cryptocurrencies, block rewards are the only mechanism by which new coins are generated. For reference, in July 2021, Ethereum miners received about 18% of their direct compensation from transaction fees and 82% from block rewards (Theblock).

Block producers also have the ability to harm the platform itself. Block producers can censor transactions within the block they produce. Lazy or inept block producers can reduce the total transaction throughput of the system by failing to include enough transactions in a block or failing to produce a block altogether. Malicious block producers can “fork” the chain by appending two blocks at the same block height. This type of behavior can lead to “double-spending attacks” and can destabilize the entire blockchain.

Block producers’ power to harm the ecosystem, means that the selection mechanism must ensure that only “honest” producers are elected. When block producer candidates have stable identities, classical consensus protocols (e.g. LSP82, CL99) provide efficient and robust mechanisms for leader election. In a permissionless setting, however, where the set of block producer candidates is anonymous and dynamic, classical consensus protocols fail, and other leader-election methods must be devised.

Proof of Work (PoW)

As mentioned earlier, the Bitcoin whitepaper nakamoto2008bitcoin introduced a novel leader-election protocol whereby block-producing candidates (“miners”) expend effort in the form of computing cryptographic hashes on random values, and their chance of becoming block leader is proportional to the amount of effort they exert. This Proof of Work consensus, is used by many of the leading cryptocurrencies (by market cap), including Bitcoin, Ethereum, Dogecoin and Litecoin.

Although PoW-based consensus has proven stable and secure, it has several drawbacks, most notably its societal cost, and its low transaction throughput. Currently, block producer candidates on Bitcoin expend about as much electricity as the country of Finland in an effort to be chosen as block producers (cambridge).

Proof-of-Work based consensus, also has limitations on how frequently block producers can be chosen, and this directly affects the blockchain’s transaction throughput. Currently, the leading PoW-based blockchains, Bitcoin and Ethereum, can handle less than tens of transactions per second. By contrast Visa handles thousands of transactions per second (tps).

Proof of Stake (PoS)

The aforementioned drawbacks of PoW have pushed the blockchain community to explore alternatives, and in this quest, Proof of Stake (PoS) has aruably emerged as the current frontrunner. The Ethereum blockchain, for instance, which supports the world’s second largest cryptocurrency ETH, originally launched with a PoW protocol but has been gradually trying to transition to a form of PoS for several years (ethmerge).

In PoS, block producers are elected in proportion to their token balance (“stake”) on the blockchain, rather than their computational effort. Similar to PoW systems, where candidates signal their support of the platform by expending computing resources, in PoS systems, candidates signal their support of the system by acquiring and holding native tokens on the blockchain.

There are many variants of the PoS protocol, but a common feature of almost all PoS systems is that block producers are elected with probability proportional to their “staked” tokens (as in Ethereum 2.0) or their passive token balances (as in Algorand).

Committee-based Consensus & Delegated Proof of Stake

Although under PoS, block producers can earn significant returns, being an efficient block producer usually requires powerful computing equipment, a dedicated internet connection, and a robust software configuration. In some blockchains, a nontrivial minimum amount of tokens is also required to be eligible to participate. Many regular token holders are thus ineligible (or simply unwilling) to take on this type of role. To address this problem, most PoS systems support some type of delegation mechanism, whereby token holders can delegate their stake to professional block producers (usually in exchange for some sort of profit sharing).

Committee-based consensus takes this separation between token holders and block producers to the extreme. In most traditional PoW systems, block producers are selected in a lottery-like procedure according to their (proportional) hash power. Several PoS systems (e.g. Tezos, Algorand, Cardano) adapted this idea to elect leaders randomly with probability equal to their proportional token stake.555In fact, the core technical contribution in systems like Algorand and Cardano is a decentralized, verifiable lottery mechanism. As an alternative to this lottery-based leader election, several blockchains allow users to cast (stake-weighted) votes for block producers and the ones with the highest number of votes become producers for some fixed duration of time.

This type of voting is most often associated with Delegated Proof of Stake systems. In these systems, a small committee ( in EOS or in TRON) of block producers is elected by a stake-weighted vote, and is responsible for producing and validating blocks.666Although almost all PoS systems support some form of delegation, the term “Delegated Proof of Stake” is usually reserved for the specific type of committee-based consensus protocols used by systems like EOS and TRON. Other PoS systems, like most platforms in the Cosmos ecosystem, also employ committee-based consensus.

In committee-based consensus, the elected committee typically runs a traditional consensus algorithm — Practical Byzantine Fault Tolerance (CL99) or Tendermint (Tendermint) — to certify the next block.

Some Advantages of Committee-based Consensus

Committee-based consensus has several perceived advantages over other commonly used consensus protocols. First, the committee can check each other’s actions, and prevent malicious behavior. For example, using a traditional consensus protocol, of the committee can behave maliciously without adversely affecting the system.

Second, the voting process takes a nonzero amount of time, so electing a batch of producers at once increases efficiency.

Third, it allows the chain to achieve instant finality – when the committee certifies a block, that block is immediately finalized. This is in contrast to PoW blockchains that only achieve eventual finality. Bitcoin wallets, for instance, typically wait until a transaction is buried 6 blocks deep in the chain before considering it “finalized” (confirmations).

Fourth, it can eliminate the need for “slashing” penalties. In many traditional PoS systems (e.g. Ethereum 2.0), block producer candidates need to stake their tokens by locking them in a smart contract, and this stake is held as a bond against misbehavior. If a block producer engages in (provable) misbehavior, their stake can be confiscated (“slashed”). In committee-based consensus, if a small minority of the committee misbehaves, they cannot adversely affect the system, and voters (having noticed this misbehavior) will not elect them again. For this reason, DPoS systems (like EOS and TRON) do not have slashing penalties. On the other hand, Cosmos, which uses committee-based consensus does include slashing penalties.

Finally, having a distinct separation between stakeholders and block producers allows specialization, and thus block producers in systems using committee-based consensus, may have better hardware and software infrastructure which would lead to lower latency and faster block times.

Of course, these advantages hinge on the system’s ability to consistently elect an honest majority of committee members. This then raises the need to dive into the committee election mechanism.

Approval Voting

Committee-based consensus protocols can vary on several dimensions, but we focus on how the committee is selected. The selection process is independent of many other features of the blockchain, e.g. the actual consensus protocol employed by the elected committee, or how data is stored and processed on the blockchain. In this work, we focus on approval voting, which is the selection mechanism employed by most DPoS systems (including EOS and TRON).

In approval voting, voters “approve” of a collection of candidates, and the candidates with the most approvals are elected to the committee (BF07). This is fundamentally different from traditional voting schemes, where voting for two candidates means splitting your vote. In approval voting, if a voter votes for two (or more) candidates, each receives the same “approval” as if the voter only voted for one candidate.

For example, the Cosmos blockchain uses a traditional (single-vote) mechanism to elect a committee of 125 block producers (cosmosvalidators). By contrast, EOS uses approval voting to elect a committee of block producers. Although Cosmos and EOS vary on several other dimensions (cosmosvseos), the committee selection mechanism is essentially independent of all these other variables. Since Cosmos could be modified to use approval voting, and EOS could be modified to use a single-vote mechanism, designing the most efficient committee-based consensus protocols requires analyzing the characteristics of these mechanisms in the blockchain setting.

3 Literature Review

Committee-based consensus is widely used in the blockchain space (Byzcoin, Meng2018, EOS, TRON, cosmosvalidators), but the academic literature is arguably still lagging behind. Of the few studies we could find, meng2018committee, yang2019delegated, hu2021improved examine related topics, but they focus mostly on hypothetical tweaks that could be added to improve existing systems. In contrast, we seek to formally analyze and understand whether the existing systems themselves are robust and efficient, given voters have limited information.

Approval voting was introduced into the blockchain space in Delegated Proof of Stake (DPoS), and the first literature on DPoS started with practitioners, where it was often asserted that DPoS consensus is a more efficient and democratic version of the standard PoS mechanism (binanceDPOS, gemini). The approval voting mechanism underlying DPoS is described in the original whitepaper, DPoSWP, but there is little attempt to assess potential agent voting behavior and what could go wrong with it.

Approval voting has been widely studied in the context of political elections (BF07), and we highlight here some facts about the known dynamics of approval voting in general. In a -winner election system, it is desirable to have the property that if a candidate is ranked first by at least of the voters, then that candidate should be elected to the committee. Unfortunately, this property does not hold under approval voting (EFSS17).

Similarly, an approval voting scheme can end up electing candidates that would lose a majority of pairwise contests against the other candidates, i.e., an approval voting scheme may elect a “Condorcet loser” (N84).

One of the most interesting features of approval voting schemes is that voters typically have multiple honest strategies (N84). For example, consider an up-to-, -winner system with two voters (), and four candidates (), . If the two voters’ preference orders are for voter and for voter then the candidate will be in the elected committee for any , so both and cannot be in the elected committee. Should voter vote for only, or and ? These are both honest strategies, and thus even honest players must think strategically. This feature makes the analysis of approval voting systems complex.

DPoS consensus, being based on approval voting, inherits these aforementioned properties, but it differs from traditional approval voting in several ways that we describe in the model section. The most significant departure is perhaps that extant studies (outside of the blockchain literature) assume voters have competing interests, and usually have perfect information about the candidates themselves. By contrast, in the DPoS setting, most voters’ interests are aligned. All voters wish to elect an honest committee, but they have limited information about the candidates. This completely changes the nature of the analysis.

Though we are not aware of any studies considering strategic agent voting behavior in committee-based protocols, numerous studies have looked at strategic agent behavior in other Blockchain protocols. saleh2021blockchain, rocsu2021evolution, fanti2019economics are some of the first studies looking at the economics of PoS systems. LSRDPG20 study weighted voting in validator committees in PoS protocols. There is also a relatively large computer science literature blending strategic considerations and technical design elements of PoS, such as gavzi2019proof, algorand, bentov2016snow, kiayias2017ouroboros.

Beyond PoS, alsabah2020pitfalls, biais2019blockchain, cong2021decentralized, garratt2020fixed focus on the economics of PoW, and the underlying mining mechanism. Several other studies focus more specifically on Bitcoin, such as nakamoto2008bitcoin, easley2019mining, huberman, pagnotta, prat2021equilibrium.

Finally, on a broader note, our work is related to the literature studying security guarantees for different types of blockchain protocols, e.g., lewis2020general, lewis2021does, though we are not aware of any prior work focused specifically on committee-based consensus. More generally, our work also has implications for the literature studying the economics of token systems, see e.g., cong2021decentralized, tsoukalas2020token, gan2021initial, gan2021infinity.

To the best of our knowledge, ours is the first paper to analyze the efficiency of committee elections in committee-based consensus protocols, with private information and strategic agents.

4 Preliminaries and Empirical Observations

4.1 Definitions

Approval voting is a system where each voter may select (“approve”) any number of candidates, and the winners are the candidates approved by the largest number of voters (see K10 for a survey on approval voting). Formally:

Definition 1 (-winner Approval Voting).

A set of voters votes on a set of candidates, . Let , and . Voter chooses a subset of candidates they wish to vote for. For each candidate , the score of candidate , that is, the number of votes the candidate receives, is defined to be

(1)

The elected committee is determined to be the candidates with the highest scores.

In DPoS protocols, stake-holders vote for a set of “block-producers” modifying the k-winner Approval Voting system to include a cap on the number of candidates. Formally:

Definition 2 (up-to--vote, -winner Approval Voting).

With notation as in definition 1, we limit the maximum number of candidates each voter can vote for, so that voter chooses a subset of candidates restricted to . As before, the elected committee is determined to be the candidates with the highest scores.

We will assume throughout that there are at least candidates, . In general, there may be less than candidates in the elected committee if less than candidates received any votes. Alternatively, there may be more than candidates if there are ties. We specify how we handle these cases in Definition 3.

4.2 Empirical Observations: Approval Voting on EOS

Block Producers on EOS are elected by token holders according to a up-to--vote, -winner approval voting system (see Definition 2, with and ). The winning candidates form the block producer committee. Elections are held continuously, and each committee of block producers remains in control of the chain for 126 seconds (EVG18).

EOS voters are not directly rewarded for staking (although this has been proposed as in ENY19), instead voters are assumed to benefit indirectly from the stability and performance of the platform. In EOS and other DPoS systems, votes are weighted by stake, and voters are allowed to “proxy” their votes, i.e., delegate their voting power to a different voter.

To understand real-world voting strategies, we gathered voting data from EOS. As the EOS blockchain is extremely large (over 8TB) and the majority of transactions are unrelated to voting, we gathered daily voting snapshots from EOS Authority (a block producer) and we used these to analyze voter behavior during the period 2021-08-20 - 2021-08-30. Each snapshot contained the current votes of the nearly 1 million accounts that have ever voted.

Figure 1 shows the number of votes cast by individual voters (left panel), and stake-weighted votes (right panel), on a typical day. Although EOS votes are stake-weighted, and the unweighted votes do not directly affect the elected committee, we include them in our data be cause they illustrate the strategy pursued by the majority of voters.

Figure 1: The number of producers that each token holder voted for, during the period 2021-08-20 - 2021-08-30. Left panel: unweighted voting. Right panel: stake-weighted voting. Key Takeaway: most voters follow a “cardinal voting” strategy.

As can be seen from Figure 1, when votes are weighted by stake, most stake is proxied, and most voters vote for either 21 or 30 producers.

Figure 2 shows a different view of the same data: the left panel shows the breakdown (in %) of unweighted voting and the right panel shows the breakdown (in %) for stake-weighted voting.

Figure 2: The percentage breakdown of votes during the period 2021-08-20 - 2021-08-30. The left-hand plot shows unweighted voting. The right-hand plot shows stake-weighted votes.

Note, both figures represent a week’s worth of voting data on EOS, but these patterns are consistent and exhibit relatively little variability, over different/longer time windows.

The key observation is that most voters follow a “cardinal voting strategy” where they vote for a fixed number of block producers. A formal definition is given in Definition 6.

We rely on these basic empirical observations to inform our model in Section 5. In Section 6, we explore how optimal these types of voting strategies can be.

5 Model

5.1 Voting with Limited Information

We lay out a simple model, where the blockchain’s token holders vote according to an up-to-, -winner approval voting system, to elect a committee of block producers. There is a pool of producers to choose from, , and strategic voters on the platform, . Every producer has an unknown type, either “honest”, , or “malicious”, . The goal of each voter is to maximize the probability that a supermajority (e.g. a majority) of the elected committee is honest. We discuss some possible alternative objectives in Appendix D.

Definition 3 (Honest Committee).

Suppose the producers with highest number of votes are elected to be on the block-producer committee, . If there are less than candidates with non-zero score, then the committee is filled adversarially (i.e., in a worst-case fashion), and if there are ties between the candidates such that there are more than producers with highest score, then they are broken adversarially (between the ones with least score). Since most Byzantine Agreement protocols require at least honest members, we say the committee is honest, , if at least of the elected block producers are honest.

Suppose the a priori probability that producer is honest is . Also, suppose voter

receives a private noisy signal vector,

about producer’s honesty,

(2)

where

is a normally distributed noise term with

and , i.e., ,. It follows that signals are normally distributed with if producer is honest, and if producer is malicious.

When voter receives a signal, , regarding producer , the voter can compute the posterior probability that producer is honest conditioned on . We call this conditional probability :

(3)

The map is a bijective function, and we calculate it explicitly in Lemma 2 in Appendix A.1. The result is given below in (4).

(4)

Our core model assumes all voters are strategic (fully rational), and we seek to characterize the pure-strategy Bayesian Nash equilibria of the game.777Note, we also assume all voters in our model have equal weight. Although essentially all real-world platforms rely on stake-weighted voting where voters can have different stakes, our model still applies since we can view each voter as encompassing the voting power of a single unit stake. More specifically, each voter maximizes the success probability — the probability that the elected committee is honest, conditioned on the private signal vector they receive, , given the platform voting system in Definition 2.

(5)

We assume that , are publicly visible, but voters cannot observe others’ private signals.

Definition 4 (Voting Strategy).

A voting strategy is an algorithm (in the class ) used by all voters, that takes as input the parameters the voter has access to and outputs a subset of candidates the voter wishes to vote for . We denote the committee elected by exerting algorithm as .

After observing their private signal, voters simultaneously submit their “votes” ; we consider any voting strategy in the class of voting strategies, represented by the letter . With Definition  4, we can interchangeably talk about the voters maximizing the success probability by exerting a voting algorithm and rewrite Equation 5 as:

(6)

We say that a strategy is optimal if it maximizes the success probability - the probability of electing an honest committee, Equation 5 or 6. Table 1 summarizes the notation.

Number of (candidate) block producers
Number of voters
A priori probability block producer candidate is honest
The base signal for a malicious candidate producer
The base signal for an honest candidate producer
Standard deviation of the noise, for voter , and producer
Elected Committee size
Voter ’s raw signal about producer
Producer

’s posterior probability of being honest, conditioned on

.
Table 1: Notation

While voters’ optimization problem is well-defined, computing the objective function is challenging. As a first step, we need to define the types of voting strategies that are accessible to agents. This is the goal of the next section.

5.2 Class of Voting Strategies

In principle, any function is a possible voting strategy. It seems clear, however, that any reasonable strategy should be coordinate-wise non-decreasing, i.e., if and , and if then . In other words, if one candidate’s signal increases (while the other signals remain the same) this cannot cause the voter to switch their vote away from the candidate. If we also assume that, aside from the signals, the candidates are otherwise indistinguishable to each voter, then a class of reasonable voting strategies would be to sort the candidates by their signal and vote for the top candidates. With this intuition we will now consider the reasonable strategies described above as the class .

Within this broad class, we also single out two particularly simple and intuitive strategies related to our empirical observations, that users could follow: threshold voting (Definition 5) and cardinal voting (Definition 6).

Definition 5 (Threshold Voting).

Voter is said to follow the threshold voting strategy if (prior to seeing the realization his or her signals), voter chooses a threshold and voter votes for all producers , with probability of being honest higher than the threshold .

If we define , then is the probability that voter votes for producer (assuming voter is following the threshold voting strategy). Summing over all voters, the number of votes received by producer is distributed as the sum of

Bernoulli random variables with parameters

. If , then the number of votes received by producer is a binomial random variable. When the are distinct, then the number of votes received by producer is a Poisson Binomial Random Variable. See Appendix B

for a review of known facts about the Poisson Binomial Distribution.

This characterization of the distribution of votes when voters follow the threshold voting strategy will be important as we study the dynamics of this strategy in Section 6.

Definition 6 (Cardinal Voting).

Voter is said to follow the cardinal voting strategy if (prior to seeing the realization his or her signals), voter creates a strategy , then voter orders producers according to their probability of being honest and votes for the top producers in the list.

When voters follow the cardinal voting strategy, the number of votes received by each producer is still distributed as a Poisson Binomial random variable, but now the parameters (the probability that voter votes for candidate ) are much more difficult to compute.

Connecting this back to the empirical voting strategies discussed in Section 4.2, Figure 1 shows that EOS voters tend to follow the cardinal voting strategy with or .

6 Analysis

We begin our analysis by characterizing the probability of electing an honest committee in the most general terms possible (Section 6.1) and unveiling some associated complexities (Section 6.2). We then examine outcomes in a special single-voter/signal pooling case which helps build intuition (Section 6.3), before looking at the general multi-voter case (Section 6.4). The results obtained raise additional questions about asymptotic optimality (Section 6.5). We then compare DPoS to other PoS-based mechanisms (Section 6.6).

6.1 The Probability of Electing an Honest Committee

The first step in the analysis is to determine the objective function of the optimization, which is the probability that an elected committee is honest.

Theorem 1 (Success Probability).

Suppose there are producers, and each producer is honest independently with probability . The probability that there are at least honest producers in a committee of size , is given by:

(7)

where are the PDF and CDF of the number of votes received by an honest producer, and are the PDF and CDF of the number of votes received by a dishonest producer.

All proofs are in the Appendix. Theorem 1 is very general, in the sense that it gives the expression for the probability of electing an honest committee under any type of voting strategy – provided that the distribution of votes () can be computed.

Note, in Theorem 1

and for the rest of this section, we assume that producers are indistinguishable except for their type, meaning, the variance of the noise

, for in Equation 2. This implies there is a single pdf, that denotes the probability an honest producer receives votes. This simplification is done purely for expositional purposes; to obtain the result for the more general case, one would need to replace Theorem 9 (used in the proof of Theorem 1) by the more general Bapat-Beg Theorem (bapatbeg). The resulting expression remains closed-form, but is too cumbersome for display.

Theorem 2 gives the general form of the distribution of votes () received by honest and dishonest producers given the probability that voter casts a vote for producer .

Theorem 2 (Distribution of Votes).

For a producer, , let (resp. ) denote the probability that voter casts a vote for producer conditioned on producer

being honest (resp. dishonest). Then the probability distribution of the number of votes received for honest and dishonest producers is given by

(8)
(9)

where is the set of all subsets of integers that can be selected from .

Combining Theorems 1 and 2 gives a closed-form expression for the success probability whenever and can be calculated. In Propositions 1 and 2, we show how to calculate those probabilities for the two simple strategies we singled out.

Proposition 1 (Threshold voting).

For a producer , let (resp. ) denote the probability that voter casts a vote for producer conditioned on producer being honest (resp. dishonest).

When voters follow the threshold strategy (Definition 5) with threshold, ,

(10)

where is the density function of the standard normal distribution, and

(11)

is derived in Lemma 2.

Proposition 2 (Cardinal voting).

With notation as in Proposition 1, when voters follow the cardinal strategy (Definition 6) with cardinal, , then

(12)
(13)

where

(14)

and are derived in Lemma 2.

6.2 Complexity of the Optimal Voting Strategy

Combining Theorems 1 and 2 with Propositions 1 or 2, results in highly complex objective functions, and this makes the voters’ general optimization problem in (6) challenging. To understand the origin of this complexity, we visualize below the objective function, that is, the probability of electing an honest committee, focusing on the case where voters follow a simple threshold voting strategy (the more tractable of the two voting strategy classes).

As a first step, we plug Proposition 1, into Theorems 1 and 2, which gives the exact probability of success as a function of the threshold chosen. Figure 3 shows the success probability under threshold voting, for small numbers of voters ( to ). Although, in practice, systems have many more voters, these graphs highlight the complex dynamics of approval voting.

Figure 3: Success probability as a function of threshold chosen, assuming small number of voters (). Key Takeway: The number of local optima increases with .

The optimal thresholds tend to hover around , meaning that with these parameters, voters should vote for any candidate, , whose posterior probability, , is above this threshold and not vote for any candidate below this threshold. The thinness of the peaks, however, indicates that even small deviations from the optimal strategy can drastically reduce the success probability. In addition, the number of local optima increases with . These properties can make the optimization problem intractable at relatively low or medium values of (with the exception of , for which the objective is unimodal).

Next, we examine the situation for a large number of voters , in Figure 4.

Figure 4: Success probability as a function of threshold chosen, assuming large number of voters (). Key Takeway: For large , the probability of success goes to 100% across a wide range of thresholds, and thus a wide range of voting strategies yields nearly optimal results.

Figure 4 shows that for large , the previous issues fade: the local optima tend to merge, and almost any reasonable threshold has an almost 100% probability of success.

Combining insights from Figures 3 and  4

, we conclude that the voters’ problem behaves drastically differently depending on low vs. high-number of voters, and hints that asymptotic analysis may offer more tractable results.

Next, we analytically characterize (to the extent possible) the optimality of voting strategies, separating the case from the general case.

6.3 Special Cases: Single-Voter & Signal Pooling

In this section we consider the special case of a single voter (). Beyond letting us build intuition, we show that the general case, collapses to when voters are allowed to credibly (and costlessly) share their signals. This is more than a mere hypothetical exercise. Signal pooling has no obvious downside in our setting given voter incentives are aligned, and thus could be plausible in practice.

Single Voter

Before presenting the result, we introduce one intermediate technical lemma that will be useful throughout the analysis.

Lemma 1.

Suppose is a Poisson Binomial random variable with trials and let with denote the Poisson Binomial with parameters . Let , and be positive integers, such that then .

To understand the implication of Lemma 1, consider a -winner approval voting system in which candidates have posterior probabilities of being honest . Suppose the subset of candidates elected to the committee is so that their posterior probabilities are . If we think about the realization of honesty of each candidate as a trial with probability then the number of honest candidates on the committee is a Poisson Binomial with parameters . The success probability, e.g. the probability of an honest committee is the probability that the number of honest candidates on the committee is at least . Lemma  1 implies that the success probability is maximized when each of the posterior probabilities of the different candidates is as high as it can be.

Proposition 3 (Optimality of Cardinal voting when ).

Consider a -winner approval voting system with voter and candidates, then the globally optimal strategy is the cardinal strategy with .

Proposition 3 follows from the fact that if there is only a single voter, that voter possesses all relevant information about each producer’s type, and the voter can unilaterally decide the committee. Thus the optimal strategy is to form the committee from the candidates that have the highest (posterior) probability of being honest. In other words, the voter should vote for the top candidates (when sorted accorded to their posterior probability of being honest), and this strategy is optimal across all possible strategies, not just cardinal or threshold voting.

Proposition 4 (Suboptimality of Threshold voting when ).

Consider a -winner approval voting system with voter and candidates, then any threshold strategy is not optimal.

More specifically, when we say a strategy is not optimal we mean that there is a non-zero probability event (realization of signals) in which the non-optimal strategy achieves a success probability that is strictly smaller than would be achieved using a different strategy .

(15)

In particular, in the proof of Proposition 4 we show Equation (15) is true for and . In other words, we show that for the threshold strategy gives a strictly lower success probability than the cardinal strategy.

Signal Sharing/Pooling

If voters could credibly (and costlessly) share their private signals, then it is straightforward to show that they effectively act as a single voter.

As in the private signal setting, each voter can calculate the probability that a given producer is honest, conditioned on the received signals. But now, we assume voters can condition on all the signals. We calculate the resulting posterior probability in Lemma 3 in Appendix A.1.

Proposition 5 shows that when voters share their signal, the optimal strategy (out of all possible strategies) is to follow the cardinal voting strategy with threshold .

Proposition 5 (Optimality of Cardinal Voting with Shared Signals).

Consider a -winner approval voting system with voters, candidates and such that voters’ private signals are credibly shared. Then the globally optimal strategy is the cardinal strategy with where each voter is ranking based on the shared instead of their private .

A natural question that follows is, whether cardinal voting persists to be the optimal strategy in the general multi-voter case. We examine this in the next section.

6.4 General Case: Multiple Voters

Given we show in the previous Section 6.3 that the threshold strategy is already suboptimal for , while the cardinal strategy is in fact optimal for , we focus our attention here on the latter.

In the multi-voter setting (), the optimal cardinal strategy becomes extremely complex and even computing the exact success probability for a fixed strategy is difficult. Despite this, we can formally show that the cardinal strategy that was always optimal with may become suboptimal with .

Proposition 6 (Suboptimality of Cardinal voting when ).

Consider a -winner Approval Voting system with voter and candidates, then the cardinal strategy can be suboptimal.

Intuitively, this result occurs because a vote for a candidate can actually bump other candidates out of the committee. To dig deeper, consider a situation with two voters (voter and voter ), where voter has better information than voter , (i.e., for all ). Even if is large, voter ’s signals convey information (a single voter who had access to the signals and would do better than one with access to alone). The problem is that voter 1 can only convey information about their signal through discrete votes, and a vote for candidate may be too strong an endorsement for that candidate given that the signal is only weakly informative.

As an extreme case, consider a situation where voter is perfectly informed (i.e., voter can differentiate between honest and dishonest producers with probability 1), and voter is perfectly uninformed (i.e., from voter ’s perspective, each candidate is honest independently with probability , in other words for all ). In this case, it should be clear that voter should not cast any votes, while voter should cast votes.

The suboptimality of the cardinal voting strategy persists even if both voters have the same information (i.e., for ). This is because the realized signals can convey different amounts of information. For example, suppose voter ’s sorted signals are and voter ’s sorted signals are . Suppose as well that , but . In this case, voter has high confidence that the committee should consist of the candidates , but voter is essentially indifferent between candidates . The cardinality strategy with threshold would force voter 1 to vote for and , but not , and this vote (based on little information) could displace committee members who would have been elected by voter (whose signals were very informative).

6.5 Asymptotic Optimality

So far, we have established via Proposition 4, that the threshold strategy is suboptimal, and via Proposition 6, that the cardinality strategy may be suboptimal. However, our basic numerical study in Section 6.2 suggests that as the number of voters increases, this optimality gap becomes less important.

Theorem 3 (Exponential Convergence).

Let denote the set of dishonest producers, and suppose there exists a set of honest producers, , with , and a such that where denotes the probability that voter votes for producer . Then

(16)

Theorem 3 shows that as the number of voters, , tends to infinity, almost any reasonable strategy has a very high chance of electing an honest committee. In particular, as long as signals are not completely uninformative, that is, as long as there exists a gap when is honest and is dishonest, the probability of an honest committee tends to one exponentially in the number of voters (assuming there are enough honest producers to fill the committee). The lower bound on the success probability decreases quadratically in the number of block producer candidates , because if there are too many block producers relative to the number of voters, no single block producer can amass enough votes to make it onto the committee with high probability. As long as there are not too many candidates, however, the exponential dependence on the number of voters dominates the quadratic dependence on the number of producer candidates. Importantly, this result holds across all voting strategy classes, and this leads to the following two corollaries.

Corollary 1.

If , and , then the probability of an honest committee when all voters follow the Threshold strategy converges to as (assuming ).

Corollary 2.

If , and , then the probability of an honest committee when all voters follow the Cardinality strategy converges to as (assuming ).

Figure 5 illustrates the exponential convergence result, assuming each voter follows a generally suboptimal Threshold Voting strategy (Definition 5) with . The figure shows that as long as the signals are not completely uninformative (), the probability of success rapidly converges to 100%.

Figure 5: Rate of Convergence to Optimality under the suboptimal threshold voting strategy. Key Takeaway: The success probability quickly goes to one, as increases.

Note, convergence to optimality also holds (more trivially) for other asymptotics of interest, such as if the signal informativeness or if the prior . See Appendix E for an illustration.

6.6 Efficiency Gains over Alternative Proof of Stake Protocols

Since most Proof of Stake systems support delegation, the main difference between Proof of Stake and Delegated Proof of Stake comes down to how the block producers are elected – either by lottery or by vote.

In DPoS, as discussed, each block is certified by a committee using a traditional consensus mechanism (like PBFT), and this allows the blockchain to have immediate finality. This feature is not restricted to DPoS, and PoS systems also use committees to run classical consensus mechanisms. For example, Algorand uses (randomly selected) committees to certify each block.

Intuitively speaking, allowing users to vote, should increase the probability of electing an honest committee, and thus reduce the size of the committee needed to ensure that it reaches the critical (rd) threshold of honest members. For example, Algorand suggests a target committee size of about , instead of 21 for EOS (algorand)[Section 5.1].

In Figure 6, we plot the minimum committee size necessary to achieve a desired failure probability, when the committee is chosen randomly (as in Algorand) or according to an approval vote (as in DPoS). Even when the voters have only minimal information and ), allowing users to vote for candidates drastically reduces the size of the committee necessary to achieve a specific failure bound. Since the committee executes a Byzantine Agreement protocol with communication cost that is quadratic in the committee size, , minimizing the committee size is critical for performance.

Figure 6: The minimum committee size required (y axis) to achieve a failure probability of , when the committee is chosen at random (as in Algorand) vs. when the committee is elected by voters (as in DPoS). Key takeaway: DPoS consensus requires much smaller committee sizes for the same level of security.

Note, Figure 6 was generated assuming the voters follow the threshold voting strategy with

. Since we know this strategy is suboptimal, the figure can be viewed as a conservative estimate. In other words, plotting a similar figure for the optimal election strategy would further reinforce our key insight.

7 Discussion

Our results suggest that while voters in committee-based consensus seem to be following intuitive, yet suboptimal strategies, these systems are nonetheless asymptotically robust and efficient from an election perspective. Beyond optimizing to reduce failure rates, however, our model does not deal with other features that voters may care about (a discussion can be found in Appendix D). These are outside the scope of this work, but could be of interest for future work.

For instance, one drawback of electing committees (as in Cosmos, EOS and TRON) as opposed to selecting random committees (as in Algorand) is that elections seems to lead to stagnation, especially early on in the blockchain life-cycle. EOS represents a rather extreme example: The first 89 million EOS blocks were mined by only 63 distinct producers Xblock. By comparison, the first 655,000 Bitcoin blocks were mined by more than 275,000 distinct addresses, and the first 8 million Ethereum blocks were mined by over 5000 distinct addresses xblock-eth.

A small, static set of block producers reduces decentralization – a core tenet of almost all cryptocurrencies. The idea that there should be a diversity of block producers is core to the open, democratic ideals that spawned much of the blockchain ecosystem, and the idea that there should be turnover in the set of block producers has been formalized in the notion of chain quality which is a measure of fairness. Chain quality is a measure of whether (in sufficiently long time windows) the fraction of blocks contributed by each participant is proportional to their hash power or stake GKL15.

Chain quality is a different metric by which we could measure different election mechanisms, and this could be an interesting direction for future research.

References

Appendix A Proofs

a.1 Posterior probabilities

Lemma 2.

Let be a producer with a priori probability to be honest , suppose a voter receives a signal

with , then

  1. [label=()]

One useful implication of Lemma 2 is that we can interchangeably talk about the voters considering the probabilities of producers to be honest conditioned on their signals instead of the original signals. Meaning, the model facilitates comparisons with Bayesian posteriors. In particular conditioned on , Lemma 2 shows that the probability that producer is honest is

(17)

Proof of Lemma 2. Part (i): Let denote the PDF of

. Bayes’ Theorem says

(18)
(19)
(20)
(21)

Now,

(23)

Thus

(24)

Part (ii): Let

(25)

then , by Lemma 2.

Since is strictly increasing, the cumulative density function satisfies

(26)

and the conditional cumulative distribution function satisfies

(27)

Thus it suffices to calculate .

Thus

(28)

Since , and

(29)

We have

(30)

Now

(31)

and

(32)

Thus by Equations 30, 31 and 32