In cases of emergency when the network comes under attack, the Proof of Community can seamlessly step in and ensure a correct functioning network.
The Proof of Community system is a way to help secure the network, it is based on the Digital Trust Protocol. It is designed to help nodes identity and run on the correct fork of the network in the time of crisis. The idea of PoC is to use it as a part of a governance mechanism to an existing network securing mechanism, like Proof of Work, Proof of Stake or HashGraph. It is possible to add PoC to any existing network. Why and how PoC works is the subject of this document.
Problem to solve
The various consensus algorithms, like PoW, PoS, etc. have different benefits and downsides when used to secure a decentralized, permissionless network. A common theme between them all is that they become less effective when the network is small, with only limited participants, relative to other similar networks with extensive resources.
With PoW, Bitcoin is on the very edge of the race; there is simply no more resource to find for increasing the hash rate significantly, that not are already booked to get online; this naturally limits the possibility of a 51% attack.
But with other smaller PoW secured networks like Ethereum Classic, they have a high risk of 51% attack as there is an abundance of hardware resources available put on, on a quick notice. The same problem also applies to most other consensus algorithms.
consensus algorithms that use centralization invalidates the point of having a decentralized, permissionless pseudo-anonymous network and is not considered further.
The most common problem for any network is the 51% attack. In Proof of Work, someone can rewrite the history of the lastest blocks.
In Proof of Stake, if someone has 51% of the Stake, they can control the network forever. Furthermore, coin stakes can be hedged or delegated to someone else without permission.
“In the cryptocurrency version of PoS, votes can be bought, borrowed, custodied by banks, and likely also taxed by governments. Imo this makes PoS coin designs much more vulnerable than real world political democracies.” - Tuur Demeester, Twitter
In HashGraph, if someone controls more than 33% of the validating nodes, they can block the network and with 67% they can control the network permanently.
The speed of attacks
Attacks are typically quickly executed. Many times an attacker uses transaction congestion or creates an invalid state on the network for a short period before exploiting the victims. Therefore there is usually little to no time for manual intervention.
Prolonged attacks are rarer, as there is time for human intervention. More often, long attacks are made as a fork of the network to divert and split the community. Identifying the correct fork of the system can be a problem for new or out of update nodes.
The idea behind Proof of Community is to minimize the risk of sybil attacks and 51% attacks.
Types of attacks
Consensus attack plays on changing the consensus state of the network. Making the victim believe in a false state of the transaction and then reverting on the victim when the attack is over.
DDOS attack plays on the limitation of the performance of physical hardware. This is usually done by overloading the system with data and then executing transactions without competition.
Bug exploits attacks are very hard to protect against with a protocol and usually require human intervention.
Proof of Community is used to mitigate the effects of attacks that go after the consensus of the network. It may only have limited effects on attacks that focus on hardware limits. If implemented correctly into smart contracts, it may be able to negate the effects of exploits of bugs in code.
Proof of Community is not a hard protocol algorithm, but it relies on a community to solve the problem; therefore, it does not guarantee a correct outcome by math. Its design is to help the community preserve the correct state of the network and limit attacks.
Nodes are the soul of any Distributed Ledger Technology. They form the backbone of the DLT network. Nodes are used for validation of transactions and blocks according to the protocol specification. Nodes define the rules of the network.
Each node is a community member’s commitment to the consensus. The node is the implementation of a specific protocol. It is the incentive for each member of the community to keep the system strong and not divide it to preserve the value of the token in the system.
The value of a token comes from the willingness to exchange a token for a specific price. For the token to keep its value, it needs trust that the community is willing to buy it tomorrow. Electronic tokens do not have any intrinsic value at all; it comes down to trust and confidence alone. Currency in general has no intrinsic value either and most tradable commodities only have value in a specific context.
It is the community around a token that gives the value to a token. Break up the community, and you destroy the token value.
Tokens that are backed by other assets require a centralized entity to guarantee the underlying. The underlying assets community now defines the value of the token.
A Stake is a representation of energy. A Stake can represent any form of energy, physical goods, electricity, money, information, trust, and security. Money is also a representation of energy; therefore money can efficiently be used as an Stake.
A simple definition of trust in a social context could be
“the belief that a person or system will behave predictably, even under stress” - [ldapwiki](https://ldapwiki.com/wiki/Trust)
One could also define trust as the expectation of a predictable, repeatable pattern that is subjective to the observer.
A way to gain trust is to repeat the same pattern again and again. To lose trust is to break the pattern unexpectedly, and this usually leads to some pain for the involved parties. Therefore it is generally harder to gain trust than losing trust.
These simple rules enable the development of relatively simple autonomous programs that can still function very efficiently.
Trust also represents energy in a specific form. The energy of trust can be express simply as:
ETrust=time * work
The time is the period that has gone by where the subject is known.
Work is energy spent where a subject proves her or his intentions and believes. A subject that has spent much time and work into proving itself qualifies for a high value of Trust. However, it is always the observer of the subject that defines the Trust value individually.
A general observation of Trust has little value. Similar to rating systems on various platforms, where ratings given by people are unknown to the observer.
It is possible to Trust pseudo-anonymous identities based on a simple name or public key. The point is that the entity behind the pseudo-anonymous can still demonstrate a predictable and repeatable pattern. It is not uncommon to see a lot of Trust on identities behind made-up names on social media platforms.
Reputation is derived from the aggregation of trust from many sources. Reputation is a vital aspect when dealing with human entities. When you are dealing with other human beings, you are making yourself potentially vulnerable in the process, and therefore to minimize risk, you rely on their reputation. However, every time you are dealing with other people, you are also putting your reputation on the line. Because reputation is built from the trust of many people, no single entity will have control of the reputation.
Securing the consensus model
There are many different ways to implement a consensus model.
“For a permissionless, pseudo-anonymous decentralized network to function properly, it requires something at stake to prevent attacks and enhance trust.” - me
All of them share the same fundamental feature - something at Stake.
Without the Stake, there is nothing to lose in gaming the system and run off with the token. Therefore, each participant needs to put a Stake to gain the benefits, like mining rewards.
The community is securing the protocol, making sure that nobody can run their version of the code with different rules. The miner’s role is to secure the transactions. Consensus securing the protocol does cost energy in itself. It is an agreement between the participants in the network on which protocol to run. Each participant simply runs the protocol the participant believes in. If someone disagrees, they will fork the network and run their version of the protocol.
Proof of work uses external energy as a way to secure the transactions of the network. You need to invest energy and only maybe get rewarded. After that, the spent energy is gone; you don’t keep the energy as a stake.
This model allows anyone to participate in securing the transactions on the network, even for a very short time. The Proof of Work consensus model works best when the subject network has peak hash power delegated to it. This makes it hard to add much new hardware to the mining process for an attack.
Proof-of-stake systems usually use their token to secure the network. Some of the issues with Proof-of-Stake enable custodial takeover. Coins are generated and have no initial cost of energy. A coin stake can always be hedged; you cannot trust others only because they apparently have some coins at stake. A coin stake is easy to transfer.
The governance of commons in the real world
The governance of commons works by using the Trust and reputation as an incentive driver.
People’s identity is known and cannot be easily changed. People have the incentive to gain the benefits of the shared system, as it is usually vital to them.
Having a bad reputation may exclude a person permanently from similar services and resources.
People stake their identity when participating in a shared system governed by the participants.
Introducing the concept of pseudo-anonymity can hide your real identity, but also makes it easy to switch to a new identity. However, from the start there is no Trust on a newly created pseudo-anonymous identity and therefore it has limited value.
A refugee traveling through with no identity papers can claim any identity and exploit the shared services and resources without fear of losing reputation, as the refugee has no intention of staying.
An attacker of shared services and resources only needs one big score, and then is forever gone.
An identity needs to build-up proof of work to gain access to the shared system/resources.
Know your adversaries
Any permissionless DLT has 3 levels of adversaries to defeat before they can be fully trusted to be decentralized and permissionless.
In the first line of adversaries are the hackers, they go after vulnerabilities in the system to extract value. They exploit every crack in the system and are very good at finding security issues. They go after vulnerabilities in the consensus algorithm for cheating unsuspected victims. However, they do mostly have limited financial resources and have no political motivations. Most DLT’s are vulnerable to this level simply because the mining or coin staking resources on the DLT are limited.
When a network becomes big enough with much business. Big Corporations will try to capture some of the business on the network. To minimize risk and optimize profit, corporations will try to insert themselves into controlling the protocol and mining of the network. For example, big Corporations now sit on the board of the Linux Foundation. To avoid punishment from the government, and to minimize risk, they will always have the incentive to change the protocol towards a permission system.
The motivation of the state is unlimited control. The state has unlimited power in the form of money and violence. The state has no motivation for profit. The state may try to enforce rules and regulations on the DLT or just outright ban it, in the attempt to gain control.
The strength of Crypto’s
Bitcoin is the largest and most robust permissionless DLT, and it has defeated the hackers and minor Corporations. However, we have not yet seen what will happen when the big Corps starts going after Bitcoin. Furthermore, no big state actor has yet reacted to Bitcoin and seriously challenged its independence.
Ethereum has a well-defined leadership on its foundation; therefore, it is subject to a takeover attempt by Big Corps, just as it has happened with the Linux Foundation.
As a DLT gets bigger, it will also attract attention from more significant players. Most DLT cryptos of today are small and therefore have problems against just the hackers, and would not stand a chance if the big boys go after it.
Proof of Community
The Proof of Community (PoC) uses Trust as a way to Stake value. The purpose of PoC is to be used as a governance model on a consensus model.
The idea is to add protection from the shortcomings of other consensus models.
PoC works by the nodes in the community, trusting one or the other. This results in a Web of Trust kind of structure. The advantage of having a web of trust graph is that it enables the nodes to make decisions in the event of an attack or stress without human intervention. Because the nodes know whom to trust, they can decide on actions that allow the network to continue working without having a critical failure or being exploited.
It is not a requirement to be Trusted to operate a node; it is a voluntary system. But in times of stress, nodes that are not Trusted have less to no influence on keeping the network safe.
Having a high Trust score does not influence mining capability or reward because the intention of PoC is to keep the system safe.
The PoC system works on the assumption that it is harder to gain trust than to lose trust. This is the basis for the system to function properly, as it creates an incentive for a user to act appropriately to maintain the reputation. Steadily losing trust will most likely result in a loss of attention and influence.
- The PoC protocol works on the incentive of reputation.
- The motivation of not losing reputation will help to keep the system honest.
The incentive for the nodes is to Trust and become trusted nodes, is to make the community consensus model stronger. Nodes typically have an investment in the network, therefore, keeping the community aligned and ensuring a strong belief in the network, benefits and ensures the value of the network asset.
The identifier of a node is a public key. This enables the nodes to stay pseudo-anonymous and still be trusted.
The nodes can establish a trusted reputation on the network through proof of work, like blog posts, activity on the social platforms, etc. It is up to other nodes if they would trust the subject node to be honest in the case of an attack.
Proof of Community stake if different from the usual Proof of Stake coin, in the way that you cannot borrow, hedge, or tax reputation.
You cannot give your reputation away or hedge it against a drop in value. For taxation, how do you measure reputation? The observer defines the value of reputation on any given identity. A node’s reputation may have a different meaning for different people.
Because of the abstractness of reputation, it will take time to build up in any network. But when it gets there, it can provide a solid foundation for conflict resolution, without a central authority.
Reputation is built of many Trust messages, issued by nodes to other nodes. One Trust message is simply a claim that Node A trust Node B. Nodes can also distrust other nodes or cancel out their previous trust or distrust.
Each Trust message is atomic in the sense that there can only be one Issuer, one subject, and one trust value. Properties like activation date, expiry date, scope, and other metadata can be added to the trust message. This makes it possible to limit the time and scope of the Trust message. The atomic nature of the Trust message enables it to be stateless when it comes to adding, updating, and deleting the messages. Therefore perfectly suitable for an event-driven, permissionless DLT system.
Trust given to a node cannot be spent or given to another node; therefore, there is no need to protect against double-spending of Trust.
The system can allow for an unbalanced distribution of Trust messages for a short period, even for hours, where all nodes are not updated at the same time.
Therefore, there is no need for a consensus model to make sure that everyone is in sync. PoC simply has a built-in incentive for everyone to be a good actor within the system. So the concept of a fork in a PoC system alone is nonexistent.
HashGraph can roughly be compared to an advanced sorting algorithm built for a DLT. It is very good at solving high transaction throughput compared to other consensus algorithms. However, HashGraph BFT algorithm does not Stake energy in itself and therefore is not suitable as a governance model. HashGraph is simply just a gossip mechanism with a virtual voting algorithm that defines outcomes of transaction ordering and creates EPOCs.
Because the HashGraph is not a governance model, it is vulnerable to the majority node attack.
- 1/3 nodes can stop the network. No more EPOCs.
- 2/3 nodes can take over the network. Enables the attacker to delay or filter out transactions. Fork the network.
To mitigate the node majority attack, a governance model with Stake is needed to add something to lose into the system, so there are no free attacks on the system.
Using a Proof of Work algorithm for qualifying to participate in the voting process, has some downsides. It may not be simple to implement and wasteful in resources. Also, PoW is easy to attack if the network does not have majority hash power. Several PoW cryptos suffer from 51% attacks because of their current minority hash power delegation.
Using Proof of Stake where the Stake is money can be gamified easily because money can be easily transferred, borrowed, hedged, without consensus.
Proof of Community uses the node’s reputation as Stake on the governance model. It cost very little to issue a Trust message, and you cannot transfer, borrow, or hedged Trust. This makes Trust very suitable as a Stake. The down side with Trust is that it take long time and effort to build up and valuable.
Tagion consensus algorithm
The HashGraph is the basis of the Tagion consensus model, that uses voting nodes to find EPOCs.
The whitepaper proposes a solution for virtual voting node selection, with a combination of active, time, a mating process, promotion, proof of people, etc. I understand that the motivation is to make it hard to attack and gain a majority of voting nodes, however it seems a little complex, and requires the state of the node to be recorded and known by all nodes.
I would like to very humbly suggest that we rethink the voting node selection algorithm in the light of PoC. That we use an algorithm that is simple and as stateless as possible. A stateless mining/voting is where the network does not need to know the state of the node. E.g. Bitcoin uses hash power mining to create blocks. There is no state or history of the mining node kept anywhere on the blockchain. Every mining node is allowed to participate at any moment, without restrictions.
Different types of stakes can be used like PoW, PoS, Proof of Burn (PoB) and PoC.
When all voting nodes have been identified, using random nodes for voting speeds up the process of finding EPOCs looks like a good idea. If for some rounds no EPOCs have been found, a new set of random nodes is selected and a new voting process is started.
Adding a direct Stake on the voting nodes will add to the difficulty of adding more nodes to attack the network.
Combining the HashGraph and Proof of Community
When an attack on the network happens with the majority of 1/3 or 2/3 nodes, each node can detect that EPOCs are not generating or transactions are not included. It may even be able to detect the nodes involved in the attack as they are blocking normal operations.
Each node now has the option of using the Proof of Community network and looking at its trusted neighbors if they have the same problem or the node is just out of sync. If a node is in sync and can solve the consensus only by using its trusted neighbors, it will start doing this and exclude the attacking voting nodes from the calculation of the voting process.
The result is that the network has forked. However, the nodes in the web of trust network are all on the same fork, and the attacker is running its separated fork. As the community stays on the same fork, they can continue without interruption. There is no loss of value on the network token because the community didn’t split.
It is unlikely that an attacker will be able to build up a reputation on each attacking node, to gain the majority of the voting power and keep everyone on the attacker’s fork.
If a fork happens in the community, then it is not a consensus problem anymore but a split in the community about which protocol to run. Like it happened with the split to BitcoinCash.
When a node is out of sync with the network, it can use the PoC network to identify which nodes are worth trusting to get the latest state of the network.
The HashGraph algorithm can be seen as a consensus algorithm that focuses on internal adversaries, making sure that nobody cheats. The Proof of Community focuses on external adversaries, securing against outside attacks like 51%, Corporate takeover, or the governments grab for control.
Tagion 3 levels of adversaries
Because the Stake used is not defined yet. It is not possible to do a full analysis of each level of threat on Tagion.
But commonly, one could argue that because the community has a way to identify them self, it would be possible to correct any interruption from all 3 levels of threats.
The hacker’s motivation for trying to control the network would demise as it would be very difficult. It is assumed that no bug is exploited in the code in Tagion. Bug in smarts contracts is also not considered.
There is no clear way how a corporation can control the network by controlling the community. If someone detects that a company has bought a high trusted node, that node may get distrusted very quickly by the community.
The only tool a state actor has is to ban the network right out as there is no way to buy in or take control of the network without it forking away from the state. The state can simply not control whom you trust.