Energy Consumption and Security in Blockchain

EXAMENSARBETE INOM TEKNIK, GRUNDNIVÅ, 15 HP STOCKHOLM, SVERIGE 2020

ELEONORA BORZI

DJIAR SALIM

KTH SKOLAN FÖR ELEKTROTEKNIK OCH DATAVETENSKAP

Abstract

Blockchain is a Distributed Ledger Technology that was popularized after the release of Bitcoin in 2009 as it was the first popular blockchain application. It is a technology for maintaining a digital and public ledger that is decentralized, which means that no single authority controls nor owns the public ledger. The ledger is formed by a chain of data structures, called blocks, that contain information. This ledger is shared publicly in a computer network where each node is called a peer. The problem that arises is how to make sure that every peer has the same ledger. This is solved with consensus mechanisms which are a set of rules that every peer must follow. Consensus mechanisms secure the ledger by ensuring that the majority of peers can reach agreement on the same ledger and that the malicious minority of peers cannot influence the majority agreement. There are many different consensus mechanisms. A problem with consensus mechanisms is that they have to make a trade-off between low energy consumption and high security. The purpose of this report is to explore and investigate the relationship between energy consumption and security in consensus mechanisms. The goal is to perform a comparative study of consensus mechanisms from an energy consumption and security perspective. The consensus mechanisms that are compared are Proof of Work, Proof of Stake and Delegated Proof of Stake. The methodology used is literature study and comparative study by using existing work and data from applications based on those consensus mechanisms. The results conclude that Proof of Work balances the trade-off by having high energy-consumption and high security, meanwhile Proof of Stake and Delegated Proof of Stake balance it by having low energy consumption but lower security level. In the analysis, a new factor arose, decentralization. The new insight in consensus mechanisms is that decentralization and security is threatened by an inevitable centralization where the ledger is controlled by few peers.

Keywords

Blockchain, consensus mechanism, sustainability, security, decentralization, Proof of Work

Sammanfattning

Blockchain är en så kallad distribuerad huvudbok teknologi som fick ett stort genombrott med den populära blockchain applikationen Bitcoin i 2009. Teknologin möjliggör upprätthållandet av en digital och offentlig huvudbok som är decentraliserad, vilket betyder att ingen ensam person eller organisation äger och kontrollerar den offentliga huvudboken. Huvudboken i blockchain är uppbyggt som en kedja av block, dessa block är datastrukturer som innehåller information. Huvudboken distribueras i ett nätverk av datorer som kallas för noder, dessa noder ägs av en eller flera personer. Problemet är att alla noderna i nätverket måste ha identiska huvudbok. Detta problem löses med en uppsättning av regler som noderna måste följa, denna uppsättning kallas för konsensus mekanism. Konsensus mekanismer säkrar huvudboken genom att möjliggöra en överenskommelse bland majoriteten av noderna om huvudbokens innehåll, och ser till att oärliga noder inte kan påverka majoritetens överenskommelse. Det finns flera olika konsensus mekanismer. Ett problem med konsensus mekanismer är att de är tvungna att göra en avvägning mellan låg energianvändning och hög säkerhet. Syftet med denna rapport är att undersöka och utreda relationen mellan energianvändning och säkerhet i konsensus mekanismer. Målet är att utföra en komparativ analys av konsensus mekanismer utifrån energianvändning och säkerhet. Konsensus mekanismerna som jämförs är Proof of Work, Proof of Stake och Delegated Proof of Stake. Metodologin som används är litteraturstudier och komparativ analys med hjälp av existerande metoder och data från applikationer som använder konsensus mekanismerna. Resultatet visar att Proof of Work väljer hög säkerhet på bekostnad av hög energianvändning, medan Proof of Stake och Delegated Proof of Stake väljer låg energianvändning men på bekostnad av lägre säkerhet. Analysen ger en ny inblick som visar att centralisering är en oundviklig faktor som hotar säkerheten.

Nyckelord

Blockkedja, konsensus mekanism, hållbarhet, säkerhet, decentralisering, Proof of Work

Table of contents

1 Introduction 6 1.1 Background 6 1.2 Problem 7 1.3 Purpose 8 1.4 Goals 8 1.5 Research Methodology 8 1.6 Delimitations 9 1.7 Ethics and Sustainability 9 1.8 Structure of the Thesis 10 2 Background 11 2.1 Blockchain 11 2.2 Consensus in Blockchain 15 2.3 Proof of Work 16 2.4 Proof of Stake 21 2.5 Delegated Proof of Stake 23 2.6 Related Work 25 2.7 Summary of the Consensus Mechanisms 27 3 Methodology 28 3.1 Research Process 28 4 Analysis of Different Consensus Mechanism 30 4.1 Proof of Work 30 4.1.1 Energy Consumption Analysis 30 4.1.2 Security Analysis 31 4.2 Proof of Stake 33 4.2.1 Energy Consumption Analysis 33 4.2.2 Security Analysis 35 4.3 Delegated Proof of Stake 37 4.3.1 Energy Consumption Analysis 37 4.3.2 Security Analysis 38 5 Results and Discussion 40 5.1 Summary Table 40 5.2 Discussion and Comparison 41

6 Conclusions and Future Work 44 6.1 Conclusions 44 6.2 Limitations 45 6.3 Future Work 45

1 Introduction

Blockchain is a technology for maintaining a digital and public ledger that is decentralized, which means that no single authority controls nor owns the public ledger [1]. It is a chain of data structures that are called blocks and each block contains information. For instance, in cryptocurrencies with virtual coins, the information kept in blocks are transactions and the chain of blocks is the total transaction history (ledger). A transaction can be defined as a trade between two users. The chain is created and maintained by a network of interconnected users as nodes and each node is a computer that is run by an individual or an organization. These nodes are also called peers and they can send or receive transactions. This network structure enables each peer to broadcast new transactions to other peers so that the transaction is added to everyone’s copy of the ledger.

Before adding the broadcasted transactions to the ledger, the transactions are first added into blocks that are then broadcasted [1]. When a block is added, it cannot be removed or altered. The block creation is decentralized and public, all peers have the right to create new blocks. The consequence of a public block production is that peers are constantly racing against each other to create the next block, this results in conflicting blocks that claim to be the next block in the chain [1]. These conflicting blocks might contain the same transactions and only one of them can be added to the ledger. Peers have to achieve a majority agreement on which block is the next one so that their copies of the ledger are identical. Each blockchain application has a set of rules that, if followed, will ensure a majority agreement. This set of rules is called the consensus mechanism and there are many different ones and different concepts of achieving agreement [1].

1.1 Background

The irreversible property of blockchain ensures that the current data in the ledger will never be removed or altered. This requires that all peers agree on the new information by having a set of rules that decides if the new data is valid or to be discarded. This set of rules is called the consensus mechanism [2]. Consensus mechanisms are used to make all the peers agree on the same ledger but also to avoid anyone to take control over the ledger. The

three most popular consensus mechanisms used in cryptocurrencies are Proof of Work, Proof of Stake and Delegated Proof of Stake.

Proof of Work (PoW) [3] is a consensus mechanism used in Bitcoin and other blockchain applications. In Proof of Work, peers must first solve a cryptographic puzzle that requires computational power before creating a block. The probability of solving the puzzle is higher if a peer has more computational power. The peer who first solves the cryptographic puzzle will add the block to the chain, this leads peers to compete against each other. In PoW, peers agree on the longest chain since it has the most computational power put into it. The only way to create fraudulent blocks is to achieve 51% of the total computational power in the network [2]. In Proof of Stake (PoS) [4], a virtual resource, called coin age, is used to create blocks. The coin age is the amount of coins that a peer owns multiplied with the number of days the coins have been unspent. As in PoW, all the peers agree on the longest chain because it has the most coin age spent on. However, the use of a resource with less energy consumption has led to security flaws called: Nothing-at-stake [5] and Long-range attack [6]. Delegated Proof of Stake (DPoS) [7] is a consensus mechanism where peers elect block producers who have the task of creating blocks. The block producers take turns to create blocks without competing against each other. However, having block producers in charge of block production can lead to a centralized system.

1.2 Problem

The most popular consensus mechanism, PoW, requires high energy resources to secure the chain. PoW makes sure that no one can take over the chain without achieving 51% of the total computational power in the network. Other consensus mechanisms avoid high energy consumption by trying to secure the chain without using computational power. The outcome is that energy consumption decreased, but security flaws arose.

There is a clear trade-off between energy consumption and security in consensus mechanisms. This means that if a consensus mechanism achieves lower energy consumption, its security level will not be high and vice versa. This trade-off is due to the type of work that peers need to do in order to agree on the same ledger. Several consensus

mechanisms have been created and for each of them, the balance between energy consumption and security is different. This trade-off has resulted in several problems when trying to achieve a balance that meets the requirement of the application.

This problem leads to the question “What are the dynamics of the balance between security and energy consumption in consensus mechanisms?”. In other words, how energy consumption and security influence each other in the trade-off.

1.3 Purpose

The purpose of this report is to explore and investigate the relationship between energy consumption and security in consensus mechanisms, with the focus of achieving a clearer picture of how this trade-off affects consensus mechanisms. The exploration can highlight the key components in this trade-off that can be further explored in future investigations.

1.4 Goals

The goal is to perform a comparative study on consensus mechanisms from an energy consumption and security perspective. The comparative study helps to achieve new insights in the trade-off and other factors that are related to the trade-off. Moreover, it can show how different consensus mechanisms have balanced this relation.

1.5 Research Methodology

The research methodology is of qualitative type because the information found for each consensus mechanism differs in type and amount. The methods used are literature study and comparative study and it can be divided in four phases: 1. Literature study about blockchain and its problems. 2. Selection of consensus mechanisms that are then analysed. The consensus mechanisms are chosen based on their popularity and how much information can be found. 3. Analysis of energy consumption and security in each consensus mechanism.

Analysis of energy consumption is based on: ● Previous studies and experiments ● The energy consumption in applications using the consensus mechanism ● Inductive analysis when no study, research or application is found for a given consensus mechanism

Analysis of security level is based on: ● Investigate theoretical security attacks ● Investigate performed security attacks

4. Comparison of the results from the analyses in phase 3. The comparison focuses on the balance between energy consumption and security in each consensus mechanism.

1.6 Delimitations

This report has some delimitations. One of them is that the report does not aim to suggest a new consensus mechanism with low energy consumption and high security. It only investigates already existing consensus mechanisms. Another delimitation is that the report focuses on security but not on privacy because it is out of the scope. Privacy is related to how personal information is handled and available, while security in blockchain includes the process of securing the public ledger from being tampered.

1.7 Ethics and Sustainability

There are some ethical aspects that need to be taken in consideration when studying and comparing different consensus mechanisms. The conclusion drawn from a comparison has to take into account the variety and quality of information for each consensus mechanism. In this case, the type and the amount of information found for each consensus mechanism is not the same. For example, one consensus mechanism can have been studied for several years making it easier to find information about the energy consumption. On the other hand, trying to find information about a consensus mechanism that has not been studied

as much is not as easy. The report can mislead the reader into conclusions that are incorrect or based on incomplete observations if this is not taken into consideration.

Another ethical aspect concerns the use of assumptions in the analyses of energy consumption and security. In this report, assumptions are used due to lack of information. Information such as the scale of a network and what devices are used. The issue with these kinds of assumptions is that they can induce conclusions that misrepresent reality. This paper tries to reduce the risk of misrepresentations by using assumptive reasoning carefully and critically while explaining the reasoning behind each assumption.

The potential sustainability impact of this report is that the understanding of the trade-off between energy consumption and security is increased. This can in turn help future efforts to shift or eliminate the trade-off and decrease the environmental impact. An example of how this trade-off affects environmental sustainability is the cryptocurrency Bitcoin. It is estimated to cause 34 Mt CO2 emissions each year and 71 TWh energy consumption annually [15]. The total yearly carbon emission is similar to emissions from the country Denmark and the yearly energy usage is similar to Austria’s. Bitcoin uses a consensus mechanism that has a high energy consumption and a high security level. If the trade-off can be mitigated, then it could be beneficial to the environment.

1.8 Structure of the Thesis

Chapter 2 provides an introduction to blockchain and consensus mechanisms. Furthermore, PoW, PoS and DPoS are explained and two related works are introduced. The methodology is described in chapter 3 and the analyses for each consensus mechanism is found in chapter 4. The results are summarized in a table in chapter 5 and a comparison of results is found in the same chapter. Lastly, chapter 6 summarizes the report and includes the derived conclusions but it also introduces future work.

2 Background

This chapter gives an overview of blockchain, the concept of consensus mechanism and the chosen consensus mechanisms. Related works are presented at the end of the chapter to provide an overview of existing methods and approaches of evaluating consensus mechanisms.

2.1 Blockchain

Blockchain is a Distributed Ledger Technology (DLT) that increased in popularity after the launch of the digital currency Bitcoin in 2009 [8]. To understand this technology it is more practical to use cryptocurrencies as examples, in this case Bitcoin. The total transaction history of Bitcoin is kept in a ledger. In simpler terms, the Bitcoin ledger consists of announcements such as “I am Bob and I gave Sara X bitcoins”. In a group of five friends, it would be easy to maintain such a ledger without any sophisticated blockchain technology. All the friends would together own the ledger and be able to add new transactions. Most importantly, the friends would believe that all the transactions are true since they are friends and trust each other. The problem that blockchain technology solves is when, instead of a group of five friends, millions of strangers want to share the same ledger. Trust is no longer reliable for securing the ledger from dishonest transactions. One simple solution is to allow a trusted public organization to control the ledger and transactions, but that is the same as a bank system. The founder of the underlying blockchain technology of Bitcoin argued how the technology could enable a public decentralized digital currency [3]. Decentralization is the opposite of a bank or another single authority controlling the ledger, all the control belongs to the people that are participating in the ledger. To fully understand the basic structure of blockchain, it is best to continue with the example of digital currency.

All communication between the ‘strangers’ in blockchain is peer-to-peer (P2P). In contrast to the classic client-server model of communication where there is a client that requests data from a server, P2P communication is directly between the computers [9]. The owner of a computer can be an individual or an organisation. Blockchain is often represented as a P2P network with connected computers (see Figure 1) that are called

peers or nodes. Every peer on the blockchain has a copy of the ledger. These peers are strangers to each other in the sense that they do not know each other’s real identity, but each peer is known to others by their unique public key [8]. A public key is a long unique sequence of numbers that is used to identify a peer and it is important when providing a signature on transactions. In the simple example “I am Bob and I gave Sara X coins”, the peer must provide proof that he truly is Bob in the form of a signature. Each peer has two unique keys that are used when signing a transaction [1], the public key that is public and the private key that only the peer knows. These keys are related in such a way that when a message is encrypted with the private key it can only be decrypted with the public key. This relationship is used to make a digital signature by encrypting a part of the transaction with the private key.

Figure 1. A network of computers that are connected as nodes

Before explaining digital signatures, it is important to introduce hash functions. Hashing can be defined as taking a sequence of characters of any length and converting it into an output of a fixed length, called a hash [10]. The properties that a hash function must fulfil are the following: it must be deterministic, hashing the same input will always give the same hash; it must be a fast computation; it must be infeasible to find the input of the hash function by analyzing the hash; if the input slightly changes then the output must drastically change; and two different input should never result in the same hash [10].

Peers provide a signature on transactions by encrypting the hash of the transaction with their private key [1]. Any other peer can determine if a signed transaction

is authentic or not by using the public key to decrypt this signature and calculate the correct hash value of the transaction. If the decrypted result and their own calculated hash value are identical, the signature is authentic. This is a safe method to prove ownership of public keys because it is computationally infeasible to calculate a private key from the public key.

If Bob wants to send coins to Sara, he has to know Sara’s public key. A transaction can only be announced with the receiver's public key, which in this case is Sara’s public key. A simplified version of the transaction is: “I am #BobsPubK and I gave X coins to #SarasPubK. Signed: #BobsSignature”. PubK is the public key and Signature is the hash value encrypted with the private key. This is then broadcasted by Bob to as many other peers as possible. Other peers might broadcast their transactions at the same time, so it is possible that there are multiple broadcasted transactions occurring in the network simultaneously [3]. The broadcasted transactions are not yet a part of the ledger itself. A peer must collect these transactions into a new block and then broadcast the block, only then the block with transactions can be added to the ledger [1].

Blocks contain the collected transactions and also a header [1] that describes the block. The header in the new block will specify, among other things, what block in the ledger is the previous block. This is why the ledger is a chain of blocks, as shown in Figure 2, hence the name blockchain.

Figure 2. Blocks with a header and transactions, linked to each other and form a blockchain. The utmost right block is the top of the chain

The chain structure ensures immutability, which is the second key property of blockchain after decentralization [1]. The content of an immutable ledger cannot be changed, the only possible change is adding new blocks with new information. This is

partly true in blockchain because conflicting blocks can emerge. Two blocks are in conflict with each other when they both point to the same block as the previous one, which results in a fork as illustrated in Figure 3. This is possible because two peers can collect different transactions and broadcast them as the next block [3]. The question is, what should a peer do when they receive two conflicting blocks? Keeping both blocks is not a reasonable solution since that would result in two different ledgers. If the peer decides to keep one block and discard the other, they have to be sure that all other peers made the same decision. Furthermore, how should a peer reason when discarding a block? These issues are a few examples of problems that are solved by using a consensus mechanism.

Figure 3. The chain has forked in two chains and there are two versions of the ledger. One of the chains must continue and one has to be discarded

A consensus mechanism is a set of rules that the peers are expected to follow. When not followed, the peers cannot participate in the ledger [1]. Consensus mechanisms decide how blocks are created and added to the chain. All peers in the network can be sure that their copy of the ledger is identical to others’ by following the rules. Consensus mechanisms ensure consensus among peers on what the ledger currently contains [[11]. There are many different consensus mechanisms that have different rules and approaches, but the ultimate goal of consensus mechanisms is for all peers to agree on a single chain of blocks that form the ledger. The concept of consensus mechanisms is further introduced in chapter 2.2.

2.2 Consensus in Blockchain

In computer science there is a popular problem called the Byzantine Generals’ problem [12]. The backstory is that several generals, each with their own division of soldiers, are planning to attack a city. The premise is as follows: the attack is successful only if the majority of generals reach agreement on the same strategy. All communication between the generals is done by messengers. The problem is that some of the generals are traitors that will spread misinformation. This misinformation, if spread to many generals, can prevent agreement on the same strategy and cause total failure. The generals must follow certain rules that will ensure agreement and adversary tolerance. The adversary tolerance enables loyal generals to receive misinformation from traitors and discard it. This is the fundamental problem that consensus mechanisms solve in blockchain. The peers are the generals and the strategy of attack is the ledger, all peers want to agree on the same ledger. Dishonest peers, the traitors, will never be able to influence the ledger because they are outnumbered by honest peers. The rule of thumb is that the ledger is always decided by what the majority agrees on, the consensus determines the official ledger.

As mentioned in the previous chapter, trust is not considered a reliable source for securing the ledger. Furthermore, centralized control of a public ledger is not what blockchain aims for. Both trust and centralized control is avoided by using a consensus mechanism, in particular using incentives [1]. Creating incentive for maintenance is an important part of the consensus mechanism. The incentive involves more peers to maintain the network and it helps to spread consensus [13]. One example of an incentive is transaction fees [11] in digital currencies. Whenever a transaction is broadcasted by a peer it must contain a transaction fee, this fee is given as a reward to whomever includes the transaction in a block. The peers that collect transactions into blocks are rewarded with all the transaction fees. In case of a fork in the blockchain, the peer that is creating the next block has to carefully choose which chain to continue on. If the block is added to the wrong chain which will be discarded later on, then the rewards will be lost since the transactions never happened according to the ledger. The longest chain is the one that every peer agrees on but it can happen that a new chain becomes the longest and discards the former longest chain. Transaction fees also incentivises peers to verify previous blocks on the chain, peers can continue on a fork if the previous blocks are not valid. Peers verify blocks by

controlling that each transaction in the block is correctly signed and that the transaction sender has sufficient balance. Peers’ balance can be calculated by exploring the ledger.

These incentives are great for securing consensus and the ledger, as long as dishonest actions are less beneficial than the incentive itself. Blockchain technology is mostly used in the financial domain, in particular digital currency which is also known as cryptocurrencies. Cryptocurrencies are prone to attacks since successful attacks are often more profitable than consensus rewards. These attacks can be summarized as dishonest changes in the ledger where the attackers steal money. Several blockchain applications have experienced malicious attacks in the past years, in 2018 $1.7 billion were stolen in cryptocurrencies [14]. Consensus mechanisms must provide an infrastructure where all peers can verify blocks and distribute consensus, thereby maintenance, among many peers. By doing so, the dishonest changes are less probable to be accepted by the consensus.

Besides the security concerns in blockchain, there is a concern of the environmental impact of some blockchain applications. Bitcoin is estimated to contribute 34 Mt CO2 emissions, 71 TWh energy consumption and 9 kt electronic waste each year [15]. The total yearly carbon emission is similar to emissions from Denmark, the yearly energy usage is similar to Austria’s and the amount of electronic waste is similar to Luxemburg’s [15]. There are other blockchain applications that share the same issues [16]. These applications have high energy consumption which is a side effect of the consensus mechanism they are using, which is called Proof of Work and the next chapter is dedicated to it.

2.3 Proof of Work

Proof of Work (PoW) was introduced by Cynthia Dwork and Moni Naor [17] to combat Junk Mail but then it was developed by Satoshi Nakamoto [3] to be used in a Peer-to-Peer Electronic Money System, which is now called Bitcoin. The method that PoW introduces is to make every peer agree on the chain with most computational work put into it [3].

As mentioned in chapter 2.1, when transactions are broadcasted, they are put into a block by block creators. The blocks are then broadcasted to the network. In PoW [3], the

block creators must solve a cryptographic puzzle in order to create and broadcast the block. Solving this cryptographic puzzle is called mining and the block creators are called miners. Before explaining the cryptographic puzzle, it is important to understand what type of information a block in PoW contains. Some information that a block contains are the following:

● the previous block hash, which is the hash of the previous block’s header and this connects the blocks; ● the difficulty target, which sets the level of difficulty of the cryptographic puzzle and; ● the nonce, the variable in the cryptographic puzzle.

The miners’ task is to find a hash of the header that is smaller than the difficulty target, this task is the cryptographic puzzle. As shown in Figure 4, if the miner is successful then the block is added to the chain. If the miner is unsuccessful, the nonce is increased by one and a new hash is calculated.

Figure 4. A flowchart of steps taken when mining a block in PoW

In Bitcoin, the specific algorithm used for hashing is called SHA-256 [3], but any other secure hashing algorithm can be used. The block is successfully mined when the hash is smaller than the difficulty target, which means that the hash in binary must start with the required amount of zero bits set in the difficulty target [18]. If the difficulty target is set to require 20 zero bits, the hash must start with 20 zero bits. Nakomoto explains this choice by stating that “The average work required is exponential in the number of zero bits required” [3] which means that if the number of zero bits increases the average work required increases, and if the number of zero bits decreases the average work also decreases. The nonce is the only variable that is changing in every hash attempt, which means that the cryptographic puzzle is about finding the nonce that gives you the right solution [3]. The cryptographic puzzle can be seen as a guessing game where the miners are guessing the right nonce.

As soon as the miner finds the nonce, the miner broadcasts the block to the other peers so that the ledger is updated. The first miner that finds the nonce will receive a reward when the other peers accept the new block, but what should peers do in the event of a fork? The answer in PoW is that the chain with the most computational work put into should be trusted, which is always the longest chain [18]. The peers will keep track of every branch created just in case one of the chains will become longer later on, but they will always accept the longest one. Accepting a block means that the nodes will create the next block using the accepted block as the previous block. Nakamoto [3] summarizes how the network works in 6 steps:

1) New transactions are broadcast to all nodes 2) Each node collects new transactions into a block 3) Each node works on finding a difficult proof-of-work for its block 4) When a node finds a proof-of-work, it broadcasts the block to all nodes 5) Nodes accept the block only if all transactions in it are valid and not already spent 6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.

The difficulty target plays an important role in PoW as it sets the problem’s difficulty level. In Bitcoin, this is set up so that every 10 minutes a block is created and the difficulty target is adjusted by using the timestamp of the previous blocks [13]. The timestamp of a block is the date it was proposed and it can be found in the block header. The difficulty target changes depending on how fast the previous blocks are created, if it took more than 10 minutes to create the block, the difficulty decreases, if it took less than 10 minutes then the difficulty increases. This means that even if more peers join the network, and even if they use the latest and fastest hardware, the block creation time will still be 10 minutes [2]. The difficulty target can always be calculated by exploring recent blocks in the ledger, which means that peers can verify that other peers have used the right difficulty target when mining.

The miners compete against each other to be the first one to solve the problem. The miners that have access to more hardware with higher computational power are more likely to solve the problem faster as their hash rate is higher [13]. The hash rate is the

number of hashes performed per second, which roughly translates to how many nonces can be guessed per second. Miners can collaborate with each other to increase their profit [13]. This means that they create pools and share their computational power with each other to increase the chance of finding the nonce. The reward is then divided among the miners within the pool depending on how much hash rate they contributed with. The popular hardware used for mining is called Application-Specific Integrated Circuit (ASIC) which has better performance than the Central Processing Unit (CPU) and the Graphics Processing Unit (GPU) [19]. The CPU is the part of the computer that has the role of storing information, performing calculations and instructions [20], while the GPU is responsible for doing tasks that consist of repetitive and highly-parallel computing, such as graphical rendering [21]. These ASICs can be defined as computers that are designed to be efficient in mining since their hash rate is high [5].

The cryptographic puzzle ensures security in the chain. In order to understand how it secures, it is easier to use a double spending attack [2] as an example. A double spending attack is when, for instance, a peer called Bad Bob sends Sara X bitcoins for Y dollars, Sara sees the bitcoin transaction on the ledger so she sends the dollars to Bad Bob through her bank. Bad Bob wants to undo his transaction and creates a new block that creates a fork. The first chain has the X bitcoin to Sara while the new chain does not include the transaction. Bad Bob needs to make his new chain the longest of them all to succeed because the longest chain is the one all peers agree upon. If Bad Bob succeeds, the X bitcoin transaction will not be a part of the ledger and he will keep the Y dollars from Sara and his bitcoins. To do so, he must have 51% of the computational power of the whole network. This can be achieved if the number of miners in the network is low, but as soon as more miners join the network, the amount of computational power that Bad Bob needs will increase to a level that is infeasible to achieve for a single peer. As stated before, as more miners join the network the difficulty of the cryptographic puzzle increases. The energy required to perform the calculations increases as well, which results in high energy consumption. The cryptographic puzzle is beneficial for ensuring security but demands high energy consumption to do so.

2.4 Proof of Stake

In 2012, Sunny King and Scott Nadal proposed a new consensus mechanism called Proof of Stake (PoS) [4] and they argued that it would replace PoW. Motivated by the issue of high energy usage in PoW, the proposed mechanism is driven without the cryptographic puzzle that is fundamental in PoW. PoS replaces computational power with virtual resources. Instead of proving that expensive calculations have been made when creating a new block, peers consume a virtual resource. This virtual resource is called coin age and its purpose is to simulate computational power.

A peer’s coin age is equal to their balance multiplied by the number of days the balance has been unspent. If a peer has a balance of 10 coins and they have been unspent for 30 days, then the peer’s coin age is 300. Peers can gain the right to produce the next block by destroying their coin age. The coin age is destroyed whenever the peer does a transaction, but this does not mean that the peer has to transfer coins to another peer when creating a new block. If peers want to produce the next block they can collect broadcasted transactions into a new block, similar to PoW. The difference in PoS is that peers have to include a special transaction that destroys their coin age. The exact details of this transaction are not identical in all PoS applications, but in general it is a ‘dummy’ transaction where the peers transfer coins to themselves and thereby destroy their coin age.

Collecting transactions and creating blocks in PoS is called minting [4], and peers that are minting are called minters. Before minting a new block, minters have to accumulate enough coin age. PoS favours minting by the most invested peers, both in time and capital. The intuitive reasoning behind this is that the most invested peers have the strongest incentive to secure the blockchain [1].

Similar to PoW, minting a block is a probability game, but in PoS the more coins a peer owns, the higher the probability is to mint a block. A block is minted when the peer’s coin age satisfies the following [22]:

proofhash < coinage × target (1)

The target value is similar to the difficulty target in PoW, it adjusts the difficulty level of minting the block based on previous blocks [23]. Proofhash can be described as the hash of

the block header, very similar to PoW header hash, but the only part of the header that changes the proofhash is the block timestamp. Recall that blocks in PoW are mined by incrementing the nonce until the header hash is less than the difficulty target. There is no nonce in a PoS block, the only valid method of changing the proofhash is to wait and try a new timestamp.

Timestamps, in some PoS applications, count time in intervals such as 16 seconds [22]. Minters are restricted to try one hash per time interval, so the hash rate does not matter in PoS. The computational power competition, which is causing high energy usage in PoW, does not exist in PoS. Figure 5 illustrates the steps taken when minting a block. The proofhash is only changed with a different timestamp.

The only factor that increases minters' probability of minting the next block is their coin age. The probability of minting is linearly proportional to the coin age [4]. A minter with 200 coin age is roughly twice as likely as a minter with 100 coin age to mint the next block. However, it is still possible that the next block is minted by a minter with less coin age. This is because proofhash is unpredictable and unique for each block, even if they have the same timestamp and previous block.

When a minter has minted a new block, it is broadcasted [22] to other peers as the next block. Other peers verify the block by controlling the transactions and calculating if the minter’s coin age is sufficient using the equation (1). The coin age is calculated by finding the last time the minter made a transaction in the ledger, then multiplying it by the minter’s amount of coins. Then the target is calculated by analysing previous blocks and lastly the proofhash is calculated for the block. The relationship between these three values can be tested according to the mentioned equation (1). If the transactions are valid and the coin age is sufficient, then the block is accepted. Forks are possible and they are solved by similar reasoning as in PoW [22]. The longest chain is the one that the peers agree on. This is because the sum of the coin age, that the peers have consumed when creating the blocks on the chain, is the greatest. Given that a minter has minted an accepted block, PoS rewards the minter with the transaction fees and new coins as an effort to incentivize maintenance [4]. Receiving new coins from minting is the only way the total supply of coins increases.

Figure 5. Flowchart that illustrates the steps of minting a block in PoS

2.5 Delegated Proof of Stake

Delegated Proof of Stake (DPoS) is a consensus mechanism that was introduced by Dan Larimer [7]. DPoS can be explained with an example of the Byzantine Generals’ problem [12] which was introduced in chapter 2.2. The problem is about a group of generals that wants to attack a city and have to agree on the same strategy by communicating through messages. In this example, the generals have agreed beforehand that it is more time

effective to elect a general they trust as the leader. The leader will have more authority, thereby decisions can be made faster. The problematic consequence is that the strategy would rely on the leader. Generals can after the election discover that the leader is corrupted and a traitor, or due to circumstances, become unable to perform his duty. In any case, the generals must quickly elect a new leader. They need to have a voting process that can be done anytime. Peers in a DPoS blockchain vote on who should have the right to produce blocks.

The DPoS consensus mechanism [7] is divided into two parts , the first one is the voting process and the second one is block production. Both processes are continuous and never terminate as long as new transactions are broadcasted in the network. In the voting process, each peer can vote on peers they think should produce new blocks. The number of votes that each peer has is equal to the amount of coins they own. Votes are added into blocks together with transactions, which can be regarded as special transactions where votes are transferred.

If a peer has a balance of 1000 coins, the peer creates a vote transaction [24] where 1000 votes are casted and then signs it before broadcasting it to others. The vote’s authenticity and validity are controlled, similar to how transactions are controlled, and it is eventually added to a block in the ledger. Peers can split their votes between multiple peers they trust and do not have to vote on a single peer. All votes are collected as transactions which makes the voting process continuous and allows peers to change their votes anytime. Since all the votes are also recorded on the ledger, the winners can be calculated from the ledger. The top X most voted peers are the block producers that have the right to produce blocks. The exact number of block producers that are elected is different in different DPoS applications.

The block producers take turns to produce blocks, each of them has a scheduled time slot when they are allowed to produce blocks [25]. The production schedule is known by all the block producers and other peers. The block producer collects broadcasted transactions and votes into blocks. Instead of having multiple peers creating blocks simultaneously, only one block producer at a time creates blocks which reduces the energy consumption. DPoS blocks are valid when the header contains a signature from the block producer and a timestamp from the scheduled time slot. Block producers broadcast the new blocks to other block producers and peers in the network. Forks are possible in DPoS

[7] and they are either due to consensus disagreement, which means that a block producer might disagree on the validity of the recently added block; or it is due to a failed block broadcast, the previous block was not received by the next block producer. Forks are resolved by the longest chain rule, the production of new blocks is done on the longest chain.

Peers are incentivized to become block producers [26]. As the producers add new blocks to the ledger and stay elected, they receive new coins as rewards. Block producers are risking these rewards when they misbehave since the peers can effectively vote them out by moving their votes to other peers. The peers can vote out block producers that include invalid transactions, produce blocks out of their scheduled time, produce blocks on both chains of a fork or for any other undesired behaviour. The voting process in DPoS secures the ledger by quickly electing new block producers they trust.

2.6 Related Work

A survey on several consensus mechanisms was carried out by Shihab S. Hazari and Qusay H. Mahmud [27]. They performed a comparative evaluation and the consensus mechanisms analysed were Proof of Work, Proof of Stake, a combination of PoW and PoS, Byzantine Fault Tolerance and Tangle. The report analyses seven different factors: energy consumption, advanced hardware requirement, centralization, double spending attack, scalability, memory requirement and security. Their results are shown in Table 2. The authors believe that consensus mechanisms can only prioritize decentralization or efficiency. Efficiency refers to energy consumption, security and scalability.

Table 2. Results of comparison between consensus mechanisms from [27]

One of the most cited works is Marc Bevand’s energy consumption assessment of Bitcoin [28]. Bevand calculated the energy consumption of Bitcoin with lower and upper assumptive bounds with respect to mining hardware, mining trends and the changing difficulty of Bitcoin’s cryptographic puzzle. The main focus of Bevand’s calculation was determining the total hash rate in the network, which roughly translates to the total computing power. The second focus was the mining devices that perform different hash rates. The key property of mining devices is joule per hash, which is a measurement of how much energy is spent per hash. With the total hash rate in the network and the estimated joule per hash of all active mining devices, the estimated energy consumption can be obtained with a simple multiplication. The author examined the Bitcoin hash rate from January 2009 to Feb 2017 and divided the timeline into 9 phases depending on when new mining hardware was released. The upper bound is calculated by assuming that all the miners use the least efficient hardware currently available at that time. On the other hand, the lower bound is calculated by assuming that the miners use the most efficient hardware available at that time. The author carried out the calculation on three different dates: 26 February 2017; 28 July 2017 and 11 January 2018. The results show that the average hash rate has drastically increased from 28 July 2017 to 11 January 2018. The author concludes the paper by stating that Bitcoin has various benefits and mining is not wasteful.

2.7 Summary of the Consensus Mechanisms

The important key concepts for each consensus mechanism are summarized in Table 1.

Proof of Work Proof of Stake Delegated Proof of Stake

➢ Creating blocks is ➢ Creating blocks is ➢ Only the elected called mining called minting block producers ➢ Miners create blocks ➢ Minters create create blocks ➢ Miners with more blocks ➢ Block producers are hash rate are more ➢ Minters with more elected by peers likely to mine the coin age are more through continuous next block likely to mint the voting ➢ Mining requires high next block ➢ Peers’ voting power energy consumption ➢ No computational depends on how ➢ Miners use mining power is needed to many coins they devices called ASIC create blocks own

Table 1. Summary of consensus mechanism introduced in chapter 2

3 Methodology

This chapter describes the methodology used for the research and how the comparative study is carried out.

3.1 Research Process

The research methodology is of qualitative type since the information found for each consensus mechanism differs in type and amount. To find and understand the problems within blockchain, a literature study is necessary. The literature study aims to give a fundamental understanding of blockchain, which helps to discover the issues blockchain faces. The quality of information is not equal for each consensus mechanism, so the data collection varies for each consensus mechanism. The research can be divided in four phases. The first phase is collecting information about blockchain in general and the problems within it.

The second phase consists of selecting the consensus mechanisms that are then investigated. The decision is based on how much information can be found about them. Blockchain is not only used in cryptocurrencies, but also in healthcare and bank systems, but their information and data are not as disclosed as in cryptocurrency. By choosing the consensus mechanisms based on the popularity in cryptocurrency, information is found more easily.

The third phase consists of an analysis of energy consumption and security in each consensus mechanism. The analysis of energy consumption is based on previous studies and experiments. If no type of study or research is found about the consensus mechanism, a more inductive analysis is performed by finding correlations from other consensus mechanisms that are similar. The energy consumption of each consensus mechanism is calculated based on data from cryptocurrencies using the consensus mechanism. Since the type of information found for each consensus mechanism is not the same, it is not possible to use a single method to analyse the energy consumption. However, assumptions are used to perform calculations so that the results can be compared to each other. The consensus

mechanisms' security is analyzed by exploring studies that investigated potential security threats and performed attacks.

The fourth phase involves a comparison of the results from the analyses focusing on the balance between energy consumption and security in each consensus mechanism. This can give new insight into the trade-off and if any other factor influenced the trade-off.

4 Analysis of Different Consensus Mechanism

In this chapter, the consensus mechanisms that were introduced in chapter 2 are analysed from an energy consumption and security perspective.

4.1 Proof of Work

Proof of Work is one of the consensus mechanisms which requires large amounts of energy due to the cryptographic puzzle.

4.1.1 Energy Consumption Analysis

To evaluate the energy consumption of PoW, the best attempt is by using estimations performed on PoW-driven applications. In Marc Bevand’s estimation of energy consumption in Bitcoin [28], as mentioned in chapter 2.8, the two most interesting key data points are the total hash rate in the network and the efficiency of mining devices.

By using Bevand’s estimation as a guideline, the minimum energy consumption of Bitcoin can be estimated. As of third of May 2020, an average of 128.645 exa-hashes per second was performed by Bitcoin miners in the previous 24 hours [29]. If the hash rate is stable for a year, then it is possible to estimate the minimum annual energy consumption of Bitcoin. The most efficient mining devices consume few joules per hash while simultaneously having high hash rates. ASIC Miner Value is a web page [30] that lists mining devices by profitability which is also an indication of efficiency. The less joule per hash consumed by a device, the more efficient and profitable it is. The most efficient mining device listed on ASIC Miner Value, that computes Bitcoin hashes (SHA-256), is the Antminer S19 Pro [31]. It requires 3250 watts and does 110 tera-hashes per second.

If all 128.645 exa-hashes per second are performed by Antminer S19 Pro’s, then the

18 total number of devices is 128.645×10 = 1, 169, 500 . With each device needing 3250 watts, 110×1012 the total power usage is 1, 169, 500 × 3250 = 3, 800, 875, 000 W . The annual energy consumption is thereby 3, 800, 875, 000 W × 24 hours × 365 days = 33, 295, 665, 000, 000 W h ≈ 33 T W h .

The estimated minimum annual energy consumption of 33 TWh is close to other estimations from the same day in May; Cambridge Bitcoin Electricity Consumption Index [32] estimated a minimum annual energy consumption of 36.37 TWh. However, the lower bound estimation of Bitcoin is very optimistic and does not accurately portray what mining devices are used. Despite this, a lower bound estimation sets the best-case scenario that can be compared to other consensus mechanisms. The problem with an upper bound (worst-case) estimation of the energy consumption is uncertainty, because there is no information about what kind of mining devices are used in reality. When estimating the annual energy consumption based on the most efficient mining device available, it is at least certain that the actual energy consumption is not less than the lower bound estimation.

From an energy consumption perspective, PoW does not scale well when new miners are joining the network. As shown in Figure 6, the total hash rate in the network is increased when more miners join. The increased hash rate results in faster mining which increases the difficulty. An increase in difficulty increases computational work and energy consumption. Ultimately, the miners upgrade their mining hardware to keep up with the difficulty and the total hash rate is increased again.

Figure 6. The positive feedback loop of energy consumption and difficulty in PoW

4.1.2 Security Analysis

The most prominent attack discussed in PoW is the 51% attack, where 51% of all computational power in the network is owned by an individual or a single group of

individuals. There are two main reasons that make it a security issue. The first reason is the fact that 51% of the computational power decides the consensus and not 51% of the peers. The second reason is the distribution of power among the peers. Where the ones earning the most can continue to expand their computational power, creating a feedback-loop in which they grow their power, which could be abused. Nonetheless, the major and sole reason that this attack is neglected is the massive cost required to perform the attack. For instance, there has not been any recorded 51% attack on Bitcoin, since such an attack would cost a vast amount of money to upgrade the mining devices.

The fact that Bitcoin has not been 51% attacked can be accredited to the large number of miners. This has made it much harder to control the majority of computational power in the network. The same cannot be said for other less popular PoW applications. Bitcoin Gold is a cryptocurrency that uses PoW and it has experienced three 51% attacks, one in 2018 and two in early 2020, that resulted in millions of dollars stolen [33]. Ethereum Classic, another cryptocurrency based on PoW, was 51% attacked in early 2019 [34]. Other PoW driven cryptocurrencies have been 51% attacked as well [35].

The constantly increasing computational power [29] invested in Bitcoin has favoured the network in a way that makes attacks expensive. The increase in computational power can be traced back to multiple reasons, such as the more computational power the more likely to mine blocks and get rewards. Bitcoin attracts more miners due to its popularity and the mining rewards, but there are some side-effects. The ongoing trend is that miners collaborate in large mining pools owned by companies. Currently, the four biggest mining pools for Bitcoin together control more than 51% of the computational power [36] and pose a threat to the decentralization. It is not unforeseeable that these mining pools could create cartels and deny transactions or attack the blockchain.

In contrast to an inter-pool collaborative attack, there have been records of network attacks on mining pool servers. These attacks are possibly motivated by undermining other competitors’ computational power. Furthermore, it is suggested that network attacks on mining pools’ servers are profitable from the perspective of a competitive miner, because the attacker’s share of total hash rate in the network will increase [37].

Another security threat in PoW is the mining hardware. ASICs are the most common hardware used for mining. These chips are specialized in hashing and are more profitable than using GPUs or CPUs which makes them dominating mining hardware. The

issue here is that PoW has increasingly relied on ASICs and on the ASIC manufacturers. The network is no longer decentralized as the companies who create these hardware hold the power of ensuring security. There is evidence of manufacturers planting backdoors on the devices to be able to turn them off, to decrease the hash rate of the network [19]. Bitcoin Gold [38] is a cryptocurrency that has tried to keep PoW safe from ASICs by redirecting the computational power to the GPUs and creating a decentralized network that is free from ASIC manufacturers. The algorithm used is called Equihash-BTG and it can run on GPUs but not on ASICs because of the high memory requirements. However, this shift to GPUs has led to a security attack. As stated before, the cryptocurrency experienced a 51% attack on multiple occasions [33].

4.2 Proof of Stake

Proof of Stake has been claimed to be more efficient than PoW by reducing energy consumption. However, there are consensus flaws and theoretical attacks.

4.2.1 Energy Consumption Analysis

Calculating the energy consumption of PoS requires a different method than of PoW but a similar best-case estimation can be done. The maintenance of a PoS-driven network can be managed by ordinary personal computers, such as laptops or desktop computers because minting does not have high computational requirements [39]. Since block production is driven by the continuous process of minting, the PoS application is dependent on active and online minters. With this dependency on online minters and the minimum requirements, the energy consumption can be estimated with some assumptions. Assumptions are needed due to the lack of information on what computers minters are using. The number of active minters must also be assumed in a way that leads to a meaningful estimation that is comparable to other consensus mechanisms. Given a feasible average annual energy consumption of a minter and given the number of active minters, a multiplication will relay the total annual energy consumption for the network.

The first assumption needed is the average energy consumption of a minter. In chapter 4.1.1, the minimum energy consumption of Bitcoin is estimated with the

assumption that mining is done with an energy-efficient ASIC. Similar to ASICs, some devices are ideal for minting in PoS. StakeBox sells Raspberry Pi 3B’s that are programmed for staking [40], these devices are ideal for 24/7 usage because they have low energy consumption and meet the hardware requirements for minting. A Raspberry Pi 3B consumes approximately 2.4 watts when active and performing work [41], thereby the annual energy consumption is 2.4W × 24 hours × 365 days = 21, 024W h . Based on the same best-case reasoning in chapter 4.1.1, the minters are assumed to use Raspberry Pi 3B for minting.

The second assumption is the total number of minters that are maintaining the network. Assuming large scale maintenance similar to Bitcoin, the calculated energy consumption can be compared fairly. There is no certainty of how many miners are maintaining Bitcoin, partly because the number is changing constantly, but it can be roughly estimated by looking at mining pools such as Poolin. With the help of Poolin live monitor page [42] and the live pool statistics [43], it is possible to calculate how many active miners account for Bitcoin’s total hash rate in the network. This method suggests that there is a linear relationship between active miners in mining pools and the pool’s percentage of the total hash rate. As of third of May 2020, the total active miners in Poolin are 628,911 and the mining pool accounts for 18.0% of the total hash rate in Bitcoin. If 628,911 miners account for 18.0%, assuming a linear relationship, the total number of 100 miners in Bitcoin is: 18 × 628, 911 = 3, 493, 950

The linear relationship can be further motivated when looking at another mining pool called Slushpool. As of third of May 2020, there are 172,772 active miners in Slushpool [44] and the mining pool accounts for 5.0% percent of the total Bitcoin network [43], by using the same method of calculation these numbers suggest that the total number 100 of miners is: 5 × 172, 772 = 3, 455, 440

The two different calculations are in approximately 2% disagreement on how many miners are active in the network, the difference of 38,510 between the calculations possibly means that the average miner in Slushpool has better hardware and therefore higher hash rate. The total number of miners is assumed to be the average of these two calculations: 3,493,950+3,455,440 2 = 3, 474, 695 ≈ 3, 475, 000

If all the assumed 3,475,000 miners migrate to a new PoS driven application with the intent of maintaining the network as minters, and if each of them use one of the most ideal minting devices (Raspberry Pi 3B) that consumes 21,024 Wh annually, the total annual energy consumption would be: 3, 475, 000 × 21, 024 W h = 73, 058, 400, 000 W h ≈ 0.073 T W h

There are many potential critiques against the assumptions made. One possible critique is that the assumption of the number of minters is exaggerated. In response to that critique there are two factors that need to be acknowledged. Firstly, as in PoW, there is a reward system that incentivizes minters to mint. Secondly, the purchase-barrier of minting is much lower for minters than for miners since minters do not need extra hardware.

4.2.2 Security Analysis

Proof of Stake was introduced as an alternative to PoW as a less energy demanding option. However, the consensus mechanism has two security flaws: Nothing-at-stake and Long-range attack. If the minter mints a block that is later discarded, there will not be any rewards [1]. The consensus mechanism only rewards minters and there is no penalization for minting on a wrong chain. Creating valid blocks in PoS is computationally free and does not require a cost until it is accepted to the blockchain because only then the coin age is consumed. This leads to the problem called Nothing-at-stake which is one of the biggest critiques of PoS [1]. In the event of conflicting blocks being added to the blockchain, the chain is forked into two different competing chains. The problem in PoS is that minters have no incentive to decide a chain to continue on. Ultimately it is in their best favour, as shown in Figure 7, to mint blocks on both chains because they will receive rewards regardless of how the fork is solved.

Figure 7. Flowchart that illustrates the consensus flaw of Nothing-at-stake in PoS

Since creating blocks does not require any resources, another problem arises which is called the Long-range attack [6]. In a Long-range attack, the attacker creates a fork, hundreds or thousands of blocks ago, and creates a longer alternative chain that is also valid, but not what the consensus agreed on. Peers who were active before the attack might discover this and discard the new fork, but newcomers to the network that are presented with both chains have no idea about the situation. The new chain can be incorrectly accepted by peers and minters might start minting on it. One of the reasons that Long-range attacks are plausible is due to retired peers. Retired peers are peers that no longer participate in the blockchain and are careless of how their private key is stored. Attackers can use a set of compromised private keys to execute a Long-range attack. The alarming part is that it does not matter if retired peers have no coins at the time of compromise, the attacker can use the keys to mint at a moment in block-history when they had coins.

None of these two attacks have been performed in PoS cryptocurrencies, possibly because the value of the network would decrease which is not in the interest of minters. There is a critique towards the general concept of PoS. The most influential and richest peers have the highest chances to mint blocks and hence become more influential. When exploring the richest peers on popular PoS cryptocurrencies [45]–[48], it is clear that many of these peers are actually owned by few entities which makes it obvious that the popular PoS cryptocurrencies tend to be centralized. The problem is that the total supply of coins is only increased with minting. A peer that owns the majority of the total coins has higher probability of minting, thereby the peer will receive new coins and his share of the total will grow more. Other peers cannot decrease his share of the total coins if the rich peer does not sell his coins. This is a great loss of the decentralization aspect and distributed control that has always been a key property of blockchain.

4.3 Delegated Proof of Stake

The concept of DPoS is that the maintenance and authority to produce blocks is delegated to few elected peers. The elected block producers take turns to produce blocks and therefore, each block is worked by one peer only.

4.3.1 Energy Consumption Analysis

Looking at the most popular DPoS-driven cryptocurrency EOS, the block producer GenerEOS discloses in an article [49] that the EOS block producers consumes on average 1.8 kW. In the EOS network there are 21 elected block producers that have the authority to produce blocks while many other block producers with less vote are in standby. GenerEOS, in the same article, estimated a total energy consumption from all block producers in EOS. The number of block producers accounted for was 74, of which 21 block producers were elected and 53 were in standby. The energy consumption from 74 block producers, with an average of 1.8 kW per block producer, yields an annual energy consumption of: 1.8 kW × 74 × 24h × 365 days ≈ 0.0012 T W h .

EOSauthority is another block producer that has provided a total energy consumption calculation for EOS block producers. The calculation is based on an average

block producer consumption of 15.7625 MWh, ~1.8kW, annually and with a total of 80 block producers [50]. The total energy consumption from 80 block producers with an average annual consumption of 15.7625 MWh is: 80 × 15.7625 MW h ≈ 0.0013 T W h .

The difference in number of block producers between GenerEOS and EOSauthority can possibly be due to the number of block producers in standby has increased since the calculation from generEOS. There is no information on exactly how many standby block producers are active and running, but the calculations from GenerEOS and EOSauthority suggests that the number of active block producers is rising. Assuming that close to 100 block producers are constantly running for a year, with an average of 1.8kW annual consumption, it would yield an energy consumption close to: 100 × 24 × 365 × 1.8kW ≈ 0.0016 T W h .

Another important aspect of DPoS is the continuous voting process where all peers are advocated to participate. The incentive is, as with any election, to contribute with your opinion regularly. There are no exact guidelines on how often a peer should vote, but the key feature of DPoS is that peers that vote do not have to stay online. This makes the energy consumption from voting negligible compared to the consumption from block production, regardless of how often peers vote.

The important attribute of DPoS is how the energy consumption scales in relation to the number of peers in the network. Peers are not competing to create the next block; each block is created by a block producer according to the schedule. DPoS does not require all peers to be online, because block creation and consensus is driven by the block producers. This is why as more peers join the energy consumption does not increase linearly. All work is done by the block producers and that is why the estimated energy consumption is dependent on the number of block producers, not the size of the network.

4.3.2 Security Analysis

In late 2019, a public block producer called EOS New York, disclosed on Twitter that six registered block producers were actually owned by the same entity [51]. These block producers were quickly voted out by the peers after the discovery. This illustrates the core

issue of delegating authority in DPoS. Distributed consensus would not exist if the entity was elected with five more block producers, because that would result in a majority among the twenty-one elected block producers in EOS. Another way of reasoning; if five other block producers were owned by another entity, it would be in the interest of the entities to work together and maintain majority. The reward that block producers receive strongly motivates them to maintain their status. The majority of block producers in EOS [52] are non-anonymous public organizations that can be targeted. Similar to how competitors attack each other in PoW, it is not unexpected that block producers will maintain their status as elected by sabotaging other block producers' operationality.

As mentioned above, the discovery by EOS New York was quickly resolved. The question remains, what would happen if no one discovered it? The block producers would probably still be receiving votes from peers. This is an argument of how DPoS is relying on external information and consequently fails to fully guarantee security as a consensus mechanism.

When looking at the voting statistics for the popular DPoS application EOS [53], the most influential actors are the exchange companies such as Bitfinex, Huobi, Newdex and Whalex. Together with the other top 20 richest peers in the network, these elite actors control the majority of the voting power. The centralized voting power will dictate who will become block producers. The election does not represent a true majority of peers. Steem, another application that uses DPoS, experienced an incident due to the centralized voting power. The owner of the Steemit social network used votes from several exchanges to outvote multiple block producers and choose new ones [54]. Effectively there was no consensus and the ledger was controlled by one person.

5 Results and Discussion

The analysis of the energy consumption and security for each consensus mechanism is summarized in chapter 5.1 and then compared in chapter 5.2.

5.1 Summary Table

The key concepts from each analysis are summarized in Table 3.

Proof of Work

Energy Security

● There is positive feedback loop in the ● Attackers can control the blockchain if consensus mechanism that increases they have 51% of the total energy consumption due to miners computational power in the network, a joining/upgrading and increasing the so called 51% attack mining difficulty ● PoW is more secure in applications ● ~33 TWh annually (estimated lower with more miners due to the difficulty bound of Bitcoin) of obtaining 51% computational power ● ASIC manufacturers and mining pools are a threat to the security of PoW ● ASIC-free PoW have experienced 51% attacks

Proof of Stake

Energy Security

● ~0.073 TWh annually (If all miners ● Has conceptual flaws such as Nothing from Bitcoin migrated to PoS as at stake and Long-range attacks, but minters with ideal minting devices) no recorded attacks ● Influential peers get more influence and thereby the control becomes centralized ● Coins centralized in several popular PoS cryptocurrencies

Delegated Proof of Stake

Energy Security

● The total energy consumption depends ● Multiple block producers can be owned on the number of block producers. by one single entity in secret ● ~0.0016 TWh annually (with 100 EOS ● Safety relies on external information block producers) ● Voting power is centralized

Table 3. Summary of the results from the analysis of the consensus mechanisms

5.2 Discussion and Comparison

The results in Table 3 are not ground-breaking but rather shine some new light on the matter. There is a clear trade-off between energy consumption and security in consensus mechanisms, this is evident when PoS is compared to PoW.

PoW has high energy consumption due to computationally expensive mining and competitiveness. However, these factors are the same factors that make PoW secure. The expensive block creation ensures that miners are always participating in the consensus by mining on the right chain. The competitiveness in PoW raises the difficulty of creating blocks to a level where it is infeasible that a single peer achieves 51% of the computational power. The increased computational difficulty increases security, but also increases energy consumption. This is the trade-off PoW makes.

PoS aims to benefit from the same advantages by simulating PoW mining. PoS is much more energy efficient than PoW. As mentioned in Table 3, the energy consumption would significantly decrease if all miners in Bitcoin migrated to a PoS blockchain. However, the trade-off in simulating mining is that the cost of creating a block in PoS is insignificant compared to the cost in PoW. If a new block is minted in PoS and added to the blockchain, the coin age is consumed, but it did not cost anything computationally to

create the block. This is why PoS has consensus flaws such as Nothing-at-stake and Long-range attacks. Minters lose nothing if the block is discarded. In comparison, the expensive computational work performed by PoW miners is wasted if their block is discarded. PoS fails to simulate this aspect of mining that spreads consensus. Additionally, PoS fails to provide the same security guarantee; PoW is safe as long as the majority of computational power is decentralized, if not, new miners can join and increase the total computational power which will distribute control. Meanwhile, PoS is safe as long as the majority of coins are decentralized, if not, the centralized control will continue to grow with minting rewards. The availability of computational power allows peers to take back control of PoW networks. Whereas in PoS, peers cannot decrease the richest peer’s share of total coins if the richest peer does not sell it.

With the acquired insight on the trade-off, the dynamics between energy consumption and security can be described in a different way: PoW secures the blockchain by translating a resource in the physical world, namely computational power, into every block. Energy consumption is a side-effect of that resource. PoS fails to simulate the availability of the resource and fails to translate its own simulated resource in every block regardless of being discarded or not. Energy consumption is avoided in PoS, but the same level of security in PoW cannot be guaranteed.

As shown in Table 3, DPoS is significantly more energy efficient in comparison to PoW and PoS. However, it is difficult to compare the security in DPoS with PoW and PoS in a meaningful way because of the conceptual difference in DPoS. The results conclude that the voting power is centralized in the most popular DPoS application, EOS, and that the voters depend on external information. The consensus mechanism fails to prevent dishonest block producers from being elected. The trade-off that DPoS makes is that the only significant energy consumption is from few elected block producers, but at the cost of trusting block producers based on impressions from external information such as reputation and identity.

The common source of many security concerns in Table 3 is due to the centralized control. In DPoS, the aim is partial decentralization through election, but the voting power in EOS and Steem has proven to be centralized. PoS aims for decentralization but the

majority of coins in PoS cryptocurrencies is owned by a minority of peers. PoW also aims for decentralization but is threatened by a centralized ASIC manufacturing and mining pools. The mentioned security concerns suggest that centralized control is inevitable and challenges the established idea of a trade-off between energy consumption and security, in particular, that high energy consumption guarantees security. This connection has also been found by. Shihab S. Hazari and Qusay H.Mahmud [27] who stated that if consensus mechanisms try to increase efficiency (efficiency refers to energy consumption, security and scalability) then the network becomes more centralized. And they concluded in their research that the mechanism can only prioritize decentralization or efficiency and this arose through the analysis of security in each consensus.

6 Conclusions and Future Work

In this chapter, conclusions are made from the results of the comparative study. It also presents reflections on the goals and discusses how well they were met. The limitations of the work and thoughts about future work are also presented.

6.1 Conclusions

The aim of this report is to explore and investigate the relationship between energy consumption and security in consensus mechanisms. This is achieved with a comparative study on consensus mechanisms from an energy consumption and security perspective. PoW, PoS and DPoS are the consensus mechanisms analysed and compared.

The analysis of PoW shows that the minimum annual energy consumption of Bitcoin is estimated to be 33 TWh and not scalable when new miners enter the network. The security is high because achieving 51% control is expensive in terms of computational power. However, mining pools and the centralized manufacturing of mining devices pose a threat to decentralization. In PoS, the best-case annual energy consumption is estimated to be 0.073 TWh when assuming that the number of minters that are using minting devices is the same as the number of miners in Bitcoin. PoS’s low computational requirement for creating blocks, and low energy consumption, has resulted in two security flaws called Nothing-at-stake and Long-range attack. The calculations for PoW and PoS were based on the best-case scenario. Calculating the worst-case scenario is not appropriate for comparison as it is uncertain what mining and minting devices should be included in a worst-case estimation. In DPoS, the annual energy consumption is estimated to be 0.0016 TWh as a result of delegating the block production to fewer peers, but the security is threatened by centralized block production.

The comparison leads to the following conclusion. PoW keeps the ledger secure by using a physical resource, computational power, to produce the blocks. Therefore, the security level is high because of the difficulty of achieving 51% of the network’s computational power. The trade-off is that to secure the ledger from a 51% attack, a high computational power, thereby high energy consumption, is needed in the network to make

it infeasible to achieve 51% of it. PoS uses a limited resource but it is not physical, the coin age is virtual. This leads to security flaws because the minters do not lose any resources on discarded blocks. The trade-off in PoS is that it uses non-physical resources, which allows for a lower energy consumption but at the expense of security threats. The trade-off that DPoS makes is that the main energy consumption is done by a minority of block producers, at the cost of empowerment of the elected block producers.

The results highlight a factor that is linked to the trade-off. PoW, which chooses security over low energy consumption in the trade-off, is still threatened by mining pools and centralized manufacturing of mining devices. The results suggest that centralization is inevitable and challenges the relationship that high energy consumption ensures high security. This relationship between centralization, energy consumption and security is also found in one of the related works done by Shihab S. Hazari and Qusay H.Mahmud [27].

The problem with blockchain is that consensus mechanisms must make a trade-off between energy consumption and security, the results in this report do not solve the problem but give an insight to better understand the trade-off.

6.2 Limitations

The report covers several consensus mechanisms that are not all investigated to the same extent. This results in having different amounts and types of information to analyse for every consensus mechanism, which makes it difficult to analyse and compare them in a consistent manner. As stated in the methodology section, the information found for each consensus mechanism is not equal. The energy consumption analysis is based on data when possible, this was possible for PoW and DPoS but not for PoS. Without having the same amount of data, it is hard to fully analyse the energy consumption of a consensus mechanism. Meanwhile, when analysing the consensus mechanisms from a security perspective, PoW and PoS had more information as they have been more studied. However, with the use of previous experiments, inductive reasoning and calculations based on assumptions, it is possible to draw conclusions about the trade-off in the consensus mechanisms.

6.3 Future Work

This report gives new insight on the trade-off between energy consumption and security in consensus mechanisms. It can be a starting point for future researchers who want to investigate the trade-off in different environments or in different consensus mechanisms. The comparative study can be extended by simulating networks with different consensus mechanisms, and then comparing the consensus mechanisms from the perspective of security and energy consumption. In this report, the consensus mechanisms are analysed in applications for cryptocurrency as it is easier to find data and information, but if there is more information on consensus mechanisms in other domains in the future, the trade-off can be explored based on a broader application of consensus mechanisms.

References

[1] D. Yaga, P. Mell, N. Roby, and K. Scarfone, ‘Blockchain technology overview’, National Institute of Standards and Technology, Gaithersburg, MD, NIST IR 8202, Oct. 2018. doi: 10.6028/NIST.IR.8202. [2] E. Elrom, The Blockchain Developer A Practical Guide for Designing, Implementing, Publishing, Testing, and Securing Distributed Blockchain-based Projects, 1st ed. 2019.. 2019. [3] S. Nakamoto, ‘Bitcoin: A Peer-to-Peer Electronic Cash System’, p. 9. [4] S. King and S. Nadal, ‘PPCoin: Peer-to-Peer Crypto-Currency with Proof-of-Stake’, p. 6. [5] J. Martinez, ‘Understanding Proof of Stake: The Nothing at Stake Theory’, Medium, Jan. 22, 2020. https://medium.com/coinmonks/understanding-proof-of-stake-the-nothing-at-stake -theory-1f0d71bc027 (accessed May 01, 2020). [6] ‘(PDF) A Survey on Long-Range Attacks for Proof of Stake Protocols’, ResearchGate. https://www.researchgate.net/publication/331313599_A_Survey_on_Long-Range_ Attacks_for_Proof_of_Stake_Protocols (accessed Aug. 15, 2020). [7] D. Larimer, ‘DPOS Consensus Algorithm - The Missing White Paper’, Steemit, May 29, 2017. https://steemit.com/dpos/@dantheman/dpos-consensus-algorithm-this-missing-wh ite-paper (accessed Apr. 12, 2020). [8] M. Swan, Blockchain: blueprint for a new economy, First edition. Beijing : Sebastopol, CA: O’Reilly, 2015. [9] R. Schollmeier, ‘A definition of peer-to-peer networking for the classification of peer-to-peer architectures and applications’, in Proceedings First International Conference on Peer-to-Peer Computing, Aug. 2001, pp. 101–102, doi: 10.1109/P2P.2001.990434. [10] ‘The In’s and Outs of Cryptographic Hash Functions (Blockgeek’s Guide)’, Blockgeeks. https://blockgeeks.com/guides/cryptographic-hash-functions/ (accessed Aug. 03, 2020). [11] A. M. Antonopoulos, Mastering bitcoin, First edition. Sebastopol CA: O’Reilly, 2015. [12] L. Lamport, R. Shostak, and M. Pease, ‘The Byzantine Generals Problem’, ACM Trans. Program. Lang. Syst., vol. 4, no. 3, p. 20.

[13] A. Judmayer, N. Stifter, K. Krombholz, E. Weippl, E. Bertino, and R. Sandhu, Blocks and Chains: Introduction to Bitcoin, Cryptocurrencies, and Their Consensus Mechanisms. Morgan & Claypool, 2017. [14] J. Su, ‘Hackers Stole Over $4 Billion From Crypto Crimes In 2019 So Far, Up From $1.7 Billion In All Of 2018’, Forbes. https://www.forbes.com/sites/jeanbaptiste/2019/08/15/hackers-stole-over-4-billion -from-crypto-crimes-in-2019-so-far-up-from-1-7-billion-in-all-of-2018/ (accessed Apr. 16, 2020). [15] ‘Bitcoin Energy Consumption Index’, Digiconomist. https://digiconomist.net/bitcoin-energy-consumption (accessed Mar. 28, 2020). [16] ‘Ethereum Energy Consumption Index (beta)’, Digiconomist. https://digiconomist.net/ethereum-energy-consumption (accessed Apr. 27, 2020). [17] C. Dwork and M. Naor, ‘Pricing via Processing or Combatting Junk Mail’, in Advances in Cryptology — CRYPTO’ 92, Berlin, Heidelberg, 1993, pp. 139–147. [18] ‘How the Bitcoin protocol actually works | DDI’. http://www.michaelnielsen.org/ddi/how-the-bitcoin-protocol-actually-works/ (accessed Aug. 03, 2020). [19] L. Network, ‘The Problem With ASICs’, Medium, May 24, 2018. https://medium.com/@LokiNetwork/the-problem-with-asics-3c9cee44f383 (accessed Apr. 25, 2020). [20] ‘Difference between CPU and GPU’, GeeksforGeeks, Jun. 06, 2019. https://www.geeksforgeeks.org/difference-between-cpu-and-gpu/ (accessed Aug. 06, 2020). [21] ‘Introduction to GPUs: Introduction’. https://nyu-cds.github.io/python-gpu/01-introduction/ (accessed Aug. 13, 2020). [22] P. Vasin, ‘BlackCoin’s Proof-of-Stake Protocol v2’, p. 2. [23] J. Earls, ‘The missing explanation of Proof of Stake Version 3’, Jul. 27, 2020. http://earlz.net/view/2017/07/27/1904/the-missing-explanation-of-proof-of-stake-v ersion (accessed Aug. 11, 2020). [24] E. O. S. Authority, ‘EOS Authority - The types of transactions that appear on your EOS account.’ https://eosauthority.com/blog/types_of_transactions_on_eos_accounts (accessed Aug. 11, 2020). [25] EOS: Explanation of DPoS+BFT w/ Daniel Larimer - Part 1 of 2.

[26] EOS: Explanation of New BFT+DPoS w/ Daniel Larimer - Part 2 of 2. 2018. [27] S. S. Hazari and Q. H. Mahmoud, ‘Comparative evaluation of consensus mechanisms in cryptocurrencies’, Internet Technol. Lett., vol. 2, no. 3, p. e100, 2019, doi: 10.1002/itl2.100. [28] M. Bevand, ‘Electricity consumption of Bitcoin: a market-based and technical analysis’, Mar. 10, 2017. http://blog.zorinaq.com/bitcoin-electricity-consumption/ (accessed Apr. 20, 2020). [29] ‘Bitcoin Hashrate chart’, BitInfoCharts. https://bitinfocharts.com/comparison/bitcoin-hashrate.html (accessed Aug. 14, 2020). [30] ‘Realtime mining hardware profitability | ASIC Miner Value’. https://www.asicminervalue.com/ (accessed Aug. 14, 2020). [31] ‘Bitmain Antminer S19 Pro (110Th) profitability | ASIC Miner Value’. https://www.asicminervalue.com/miners/bitmain/antminer-s19-pro-110th (accessed Aug. 14, 2020). [32] ‘Cambridge Bitcoin Electricity Consumption Index (CBECI)’. https://www.cbeci.org/ (accessed Aug. 14, 2020). [33] 262588213843476, ‘Bitcoin Gold (BTG) was 51% attacked’, Gist. https://gist.github.com/metalicjames/71321570a105940529e709651d0a9765 (accessed Apr. 24, 2020). [34] ‘Ethereum Classic Under Attack’. https://cryptonews.com/news/ethereum-classic-under-attack-3168.htm (accessed Apr. 24, 2020). [35] ‘A Timeline of the Most Infamous 51% Attacks in Crypto History’, Honeyminer Blog, Apr. 25, 2019. https://blog.honeyminer.com/timeline-of-51-attacks/ (accessed Apr. 24, 2020). [36] ‘Pool Stats - BTC.com’. https://btc.com/stats/pool?percent_mode=latest#pool-history (accessed Apr. 24, 2020). [37] B. Johnson, A. Laszka, J. Grossklags, M. Vasek, and T. Moore, ‘Game-Theoretic Analysis of DDoS Attacks Against Bitcoin Mining Pools’, in Financial Cryptography and Data Security, vol. 8438, R. Böhme, M. Brenner, T. Moore, and M. Smith, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2014, pp. 72–86. [38] ‘For miners | Bitcoin Gold’. https://bitcoingold.org/for-miners/ (accessed Apr. 25,

2020). [39] ‘BlackCoin - F.A.Q’. https://blackcoin.org/faq/ (accessed May 01, 2020). [40] ‘StakeBox Kits • Start Staking Proof of Stake (PoS) Cryptocurrencies’, StakeBox. https://www.stakebox.org/collections/stakeboxes (accessed May 17, 2020). [41] ‘Power Consumption Benchmarks | Raspberry Pi Dramble’. https://www.pidramble.com/wiki/benchmarks/power-consumption (accessed Aug. 16, 2020). [42] Poolin, ‘Poolin.com Pool - Better BTC, BCH, LTC, ETH, DASH, ETN, DASH, XMC, XMR Cryptocurrency Mining Pool’, Poolin.com Pool - Better BTC, BCH, LTC, ETH, DASH Cryptocurrency Mining Pool. https://www.poolin.com/ (accessed May 03, 2020). [43] ‘Bitcoin (BTC) SHA-256 | Mining Pools’. https://miningpoolstats.stream/bitcoin (accessed May 03, 2020). [44] ‘Stats’, slushpool.com. https://slushpool.com/stats/?c=btc&__cf_chl_jschl_tk__=41c74a06af0faf81542d8 07d71b60b5abff8257d-1588429691-0-AdKvGf9QHMqZiu0D1fX7KtQwfHRJ4osDfoc nLw-NjzjyyPosUMXsFMfOSBy89dswBWRfrtqlmHcgZyQ5kKC0jIzvnfSO1YRjECdrT7 TP6OmlpTIvRHY0bcA6vlZIP_YevgXcJ9Wjh_h38SgV0R8goN0F5TiA-vWmNk9wwS pi-qo6gOTVKqAn8hcMJQax7CsVmX8OYgqW-7bH87tBLSpsvXHERQhO-A5IDi612R vrtQa6p3HuZXJJzCs7L3AhuI_BdL4Wl5ZSgC-iF_NLP4cMxdL3v8kUyIqQcEzoFVJD RT1U (accessed May 03, 2020). [45] ‘PeerCoin Explorer’. https://chainz.cryptoid.info/ppc/#!rich (accessed May 17, 2020). [46] ‘Stratis Explorer’. https://chainz.cryptoid.info/strat/#!rich (accessed May 17, 2020). [47] ‘Okcash Explorer’. https://chainz.cryptoid.info/ok/#!rich (accessed May 17, 2020). [48] ‘BlackCoin Explorer’. https://chainz.cryptoid.info/blk/#!rich (accessed May 17, 2020). [49] GenerEOS, ‘EOS Energy Consumption vs Bitcoin and Ethereum’, GenerEOS, Oct. 26, 2018. https://www.genereos.io/index.php/2018/10/26/eosenergyconsumption/ (accessed Apr. 20, 2020). [50] E. O. S. Authority, ‘Making EOS the first major carbon neutral blockchain’. https://eosauthority.com/green/ (accessed May 18, 2020). [51] ‘EOS Block Producer Claims Centralized Misconduct on the Network’, Cointelegraph. https://cointelegraph.com/news/eos-block-producer-claims-centralized-misconduct-

on-the-network (accessed Apr. 28, 2020). [52] ‘Block Producers | EOS Block Explorer, Account, Contracts, Producers’, EOSPark. https://eospark.com (accessed Apr. 28, 2020). [53] E. O. S. Authority, ‘EOS Voting Charts’. https://eosauthority.com/producers_chart?network=eos#producer-rankings (accessed May 06, 2020). [54] ‘The Steem Takeover and the Coming Proof-of-Stake Crisis’, Cointelegraph. https://cointelegraph.com/news/the-steem-takeover-and-the-coming-proof-of-stake -crisis (accessed May 13, 2020).

51 TRITA-EECS-EX-2020:693