Hybrid Consensus: Scalable Permissionless Consensus

The distributed systems and cryptography literature traditionally has focused on protocols whose participants are known a priori. Bitcoin’s rapid rise to fame represents an exciting breakthrough: Bitcoin empirically demonstrated that by leveraging assumptions such as proofs-of-work, non-trivial secure applications can be built on top of a fully decentralized network where nodes join and leave freely and dynamically, and there is no pre-established trust between participants. In the remainder of the paper, we will refer to the two network settings as the permissioned setting and the permissionless setting respectively. Informally speaking, Bitcoin’s core consensus protocol, often referred to as Nakamoto consensus [14], realizes a “replicated state machine” abstraction, where nodes in a permissionless network reach agreement about a set of transactions committed as well as their ordering. Since the protocol relies on chaining of blocks of transactions, it is often referred to as the “blockchain”. Achieving consensus in the traditional permissioned model turns out to be a classical distributed systems problem, and there is a long line of research that seeks to design and optimize Byzantine consensus protocols [4,7,13]. The fact that we can obtain consensus in a permissionless model (relying on proofs-of-work) was the novel contribution of Bitcoin. In a sense, Bitcoin popularized a new model of distributed systems that was rarely considered in 30 years of classical distributed systems literature. The price of decentralization? However, achieving consensus in the permissionless model comes at a cost. Since identities of nodes are not known a priori, it is imperative to defend against a Sybil attack where an attacker makes up arbitrarily many identities to outvote honest nodes. The Bitcoin protocol critically relies on proofs-of-work to roughly enforce the idea of “one vote per hashpower”. The adoption of proofs-ofwork, however, makes the Bitcoin protocol unscalable. As Croman et al. [5] point out, Bitcoin achieves terrible performance: the Bitcoin network can sustain at most 7 tx/sec, at a transaction confirmation time of 10+ min (c.f. a main-stream payment processor such as Visa handles an average rate of 2, 000 tx/sec, and a peak rate of 59, 000 tx/sec). Further, each confirmed transaction costs roughly $1 to $6 if we were to amortize the network’s total electrcity consumptions over all transactions being confirmed — today, this cost is in some sense being paid by the speculators of Bitcoin. By contrast, traditional Byzantine consensus protocols (for the permissioned model) need not rely on proofs-of-work, and are capable of attaining high throughput and low response time, e.g., with about 100 PBFT [4] nodes deployed across multiple data centers on Amazon AWS, Kroman et al. [5] demonstrated a transaction throughput of 10, 000+ tx/sec, and transaction confirmation time on the order of seconds. This naturally raises an important question.