Asymmetric Distributed Trust

Blockchain platforms are essentially distributed databases that guarantee consistency even in settings where neither all users of the system trust each other, nor do they agree on a trustworthy designated third party. 

The first and still most widespread use of blockchain technology is in cryptocurrencies, whose fundamental difference with traditional central-bank-issued currencies is exactly that they do away with the requirement of a single trusted party. A cryptocurrency must guarantee consistency also in presence of misbehaving participants, as otherwise no user would trust in the future valuation of their assets, which would obviously render the currency meaningless.

A core technical ingredient in all blockchain (or more generally: distributed ledger technology) platforms is a consensus mechanism. When users submit new transactions to the platform, all participants have to agree on the transactions that will be accepted, and in most cases also the order in which they will be processed. This is exactly the purpose of a consensus mechanism.

What all consensus mechanisms have in common is that they only guarantee consistency as long as some type of trust assumption about the system is valid. Widely used (so-called permissionless) blockchain platforms such as Bitcoin or Ethereum are based on so-called proof-of-work consensus: They guarantee that consistency holds as long as more than half of the mining power (roughly proportional to energy consumption) is controlled by participants that honestly follow the protocol. Whether one finds this assumption credible or not is a question of taste; trust is subjective: De gustibus non est disputandum.

Reaching consensus in distributed systems has been a topic of research in computer science for some 40 years. The model used traditionally in research is permissioned, in the sense that it considers a set of known participants that run the protocol together. This is different from the permissionless setting of proof-of-work where participants can join or leave the platform at any time, without coordinating with any other party. Even in the permissioned setting, building consensus protocols turns out to be difficult, but consensus is achievable if more than two thirds of the overall participants behave honestly. Protocols in this setting are usually referred to as BFT (Byzantine fault tolerant) consensus, and most protocols used today are variants of PBFT, published by Castro and Liskov in 1998. To be fair, BFT protocols achieve stronger finality guarantees than their proof-of-work counterparts, which justifies the stronger assumption on the ratio of honest behavior.

Permissioned and permissionless protocols serve different scenarios: in a permissioned platform, the participants are known and trust decisions are made based on their identities. This makes permissioned protocols suitable for, e.g., specialized networks involving a group of enterprises (or states) that perform transactions amongst themselves, or networks such as Libra that offer a service to a wide audience but base the trust on a smaller group of well-known entities. Permissionless networks, by contrast, base the voting power on factors such as energy consumption (proof of work) or wealth distribution (proof of stake), they are more suitable for settings where trust shall be distributed among a diverse set of participants that may not even know of each other.

The trust assumption underlying traditional BFT-type consensus protocols are symmetric in the sense that every user of the platform has to make the same trust assumption, namely that more than two thirds of the participants follow the protocol honestly. This does not quite reflect the subjectiveness of trust in reality, where a user may trust some participants more than others. Two permissioned blockchain platforms that have gained considerable publicity and allow for a more realistic, asymmetric distribution of trust are Ripple and Stellar. Unfortunately, Ripple's consensus protocol has been shown not to achieve the desired (liveness and consistency) properties if nodes actually divert from the pre-configured trust model and thereby make the trust model asymmetric. Stellar can be seen as a spin-off of Ripple, but it uses a slightly different model of specifying trust and a different consensus method. The trust distribution in Stellar's network has been criticized as being too centralized, and recently the network experienced an outage (failure of liveness but not consistency) as too few trustworthy nodes were participating in the network.

While traditional BFT consensus with symmetric assumptions is well-understood, the cases of Ripple and Stellar exemplify that this is not the case for consensus with asymmetric trust assumptions. A recent research outcome of PRIViLEDGE, which was presented at the PENCIL workshop, provides the formal foundation: the paper starts from the Byzantine quorum systems that underly the security of traditional BFT consensus and generalizes them to the case of asymmetric and subjective trust. The paper also introduces protocols with asymmetric trust that strictly generalize existing standard algorithms, which have so far required common trust and knowledge of all nodes. The next goal is building a full consensus protocol in this model, which will be suitable as a basis for blockchain platforms.

Björn Tackmann
IBM Research