
KRNC: New Foundations for Permissionless Byzantine Consensus and Global Monetary Stability

Clinton Ehrlich¹, Anna Guzova²

February 27, 2020, Version 1.5

"It is not unlikely that a new security/trust protocol, with the magnitude of the influence from the invention of the public-key protocol, [will be] inspired by the study of animal communication networks."
– Prof. Zhanshan Ma, Chinese Academy of Sciences, 2009

Abstract

This paper applies biomimetic engineering to the problem of permissionless Byzantine consensus and achieves results that surpass the prior state of the art by four orders of magnitude. It introduces a biologically inspired asymmetric Sybil-resistance mechanism, Proof-of-Balance, which can replace symmetric Proof-of-Work and Proof-of-Stake weighting schemes. The biomimetic mechanism is incorporated into a permissionless blockchain protocol, Key Retroactivity Network Consensus ("KRNC"), which delivers ~40,000 times the security and speed of today's decentralized ledgers. KRNC allows the fiat money that the public already owns to be upgraded with cryptographic inflation protection, eliminating the problems inherent in bootstrapping new currencies like Bitcoin and Ethereum.

The paper includes two independently significant contributions to the literature. First, it replaces the non-structural axioms invoked in prior work with a new formal method for reasoning about trust, liveness, and safety from first principles. Second, it formalizes two simple but powerful exploits — book-prize attacks and pseudo-transfer attacks — that undermine the security guarantees of all prior permissionless ledgers.

¹ Chief Computer Scientist, Krnc Inc.; Fmr. Visiting Researcher, MGIMO University, [email protected]
² Lead Mathematician, Krnc Inc.; Fmr. Senior Applied Mathematician, AO UniCredit Bank
³ Proof-of-Balance comprises the subject matter of the following published patent applications: US 16/261,478; PCT/US2019/015732.

Part I: Concept

1. Introduction

1.1 Summary

Reverse engineering biological systems has yielded rapid advancement in fields ranging from pharmacology and artificial intelligence to materials science and aerospace design. [1] This approach, known as biomimicry, allows humans to learn from and copy what are effectively "alien technologies" developed through billions of years of evolutionary optimization.

It has long been hoped that biomimicry could be the key to a major leap forward in trust-minimized computation. In 2009, the same year that Bitcoin was released, one of the world's few dual PhDs in computer science and biology predicted that adapting animal-communication techniques to fault-tolerant distributed systems could yield a breakthrough comparable to the invention of asymmetric encryption in the 1970s. [2] This paper vindicates that prediction: it adapts cue-authenticated biological signaling to construct the first asymmetric method of Sybil-resistance, which allows correct agents to verifiably retain control of a permissionless blockchain even if they are unable to match the adversary's budget for an attack.

Adding biomimetic cost asymmetry to off-the-shelf consensus algorithms unlocks a roughly 40,000-fold increase in reliability, speed, and scalability over symmetric weighting methods, such as Proof-of-Work and Proof-of-Stake, which require correct agents to expend more resources than their faulty counterparts. Those legacy technologies embody the "handicap principle," a theory that originated in biology to explain the evolution of seemingly wasteful traits, like the oversized tails of male peacocks. According to the handicap principle, the reliability of a signal depends on its verifiable cost to the signaler. [3] Inside the Bitcoin community, this theory has been elevated to the status of a supposedly universal natural law, which applies with equal weight to biology and computer science. [4]

In Proof-of-Work, a handicap is imposed by forcing consensus participants to expend computing power. In Proof-of-Stake, a handicap is imposed by forcing participants to expend money. In both cases, the goal is to authenticate the results of consensus by auctioning control of the blockchain to the highest bidder. If voting power is assigned in proportion to verifiable handicaps, then a virtual network can be created on which the fraction of faulty replicas is guaranteed to fall below the security threshold of a specified consensus algorithm. This approach predates Bitcoin by four years. It has been the foundation of permissionless Byzantine consensus since the publication of the first Sybil-resistant algorithms. [5] Unfortunately, it is deeply flawed. The present paper identifies three critical problems.

A Confluence of Errors

First, the traditional handicap principle is no longer good science. It reflects the state of biological signaling theory in the early 1990s. [6] Subsequent research, some of it by the same scientist who first formalized the handicap principle, has refuted the theory that a signal's reliability depends on its verifiable cost to the signaler. In reality, honest signals can be transmitted at zero cost, as long as the verifiable cost of a dishonest signal is sufficiently high. [7] There is thus no intrinsic reason that participants in permissionless consensus should be forced to waste money or computing power. The costs that Proof-of-Work and Proof-of-Stake systems impose on their users are a design flaw, not a feature.

Second, the assumption that Sybil-resistance is sufficient to guarantee consensus on a permissionless network is false. It conflates two distinct forms of statistical bias: sampling error and non-sampling error. The former relates to which elements of a population are included in a sample, the latter to how those elements are counted. [8] Sybil-resistance guarantees that the entities participating in consensus will be counted correctly, but it does not guarantee that those entities are an unbiased sample of the population that is axiomatically known to contain an honest majority or supermajority. The maximum fraction of corrupted entities within the protocol can be verified only if the set of protocol participants is large enough to ensure an accurate sample of the population whose minimum percentage of honest members is axiomatically known. Today's Sybil-resistant protocols do not satisfy the minimum threshold for statistical reliability, so they are vulnerable to "book prize" attacks, which exploit their reliance on non-probability sampling.

Third, axioms about control of a designated resource are incompatible with the concept of an adaptive adversary. Economic agents have varying resource endowments, so an adaptive adversary can alter how much of a given resource it controls simply by switching which agents it has corrupted. To establish the security of a resource-weighted protocol, it is therefore necessary to start with an axiom that is invariant in the face of adaptive corruption — such as the maximum combined value of all resources within the adversary's potential control — and to prove from that axiom that the adversary will be unable to acquire the fraction of the designated resource needed for an attack. Existing proofs of security for permissionless blockchains are tautological, because they start with this desired conclusion as their premise.

These three problems are related. Because computer scientists have mistakenly assumed that it is necessary to employ handicap-authenticated signaling, they have designed protocols that force all participants to waste money or computing power. Because today's protocols force all participants to waste money or computing power, most internet users decline to join, so the set of participating agents is not large enough to ensure a statistically unbiased sample. Because the set of protocol participants is not a reliable sample of the population, it is impossible to prove the existence of an honest majority within the protocol, so one has simply been assumed as an axiom.

It should be a red flag when the most rigorous proofs in a field all start with the same convenient-but-unreliable axiom. [9] The ultimate purpose of formal proofs of security is to provide information to end users about the real-world reliability of a given protocol. If the adversary model employed in a formal proof does not match the threats that are present in the real world, "the presented protocols may not be fully proven by the formalization." [10] A facially rigorous proof based on a flawed adversary model may be worse than no proof at all, because the illusion of security it provides can induce end users to leave themselves vulnerable to attack. If society is going to employ permissionless ledgers to manage billions of dollars in value, the security of those systems should be derived from axioms that are known to be true with overwhelming probability. If proof of security cannot be obtained from reliable premises, then the public should be warned to treat permissionless ledgers as high-risk toys, not serious financial platforms for storing and exchanging value.

Illusion of Security

This pessimism may sound inconsistent with the track record of today's permissionless blockchains. It is not. Past results provide no credible assurances of future safety in this context, because — according to game-theoretic modeling — a rational adversary will delay its attack to inculcate a false sense of security among protocol participants, then "cash out" by executing a double-spending attack once a sufficiently large payoff is available. As Ponzi schemes famously illustrate,
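The sampling-error argument in the Summary above (Sybil-resistance fixes how participants are counted, not which participants are sampled) can be made quantitative. The following is an added illustration, not code from the paper or from the KRNC project: it computes, for an assumed population that is axiomatically 90% honest, how likely a uniformly random sample of n participants is to breach the classic 1/3 Byzantine bound, the smallest n that keeps that risk below a target, and a toy self-selection model (join rates are constructed assumptions) showing why a non-probability sample inherits no bound from the population axiom.

```python
from math import exp, lgamma, log

def binom_pmf(n, k, p):
    """P[k faulty out of n] with per-agent faulty probability p, in log space
    so that large n does not overflow float arithmetic."""
    if p == 0.0:
        return 1.0 if k == 0 else 0.0
    if p == 1.0:
        return 1.0 if k == n else 0.0
    return exp(lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
               + k * log(p) + (n - k) * log(1.0 - p))

def prob_sample_unsafe(n, p_honest, bound_num=1, bound_den=3):
    """Exact probability that a uniformly random (probability) sample of n
    agents, drawn from a population whose honest fraction is p_honest, holds a
    faulty fraction >= bound_num/bound_den (default 1/3, the BFT limit).
    This is the sampling error that Sybil-resistance alone does not remove."""
    p_faulty = 1.0 - p_honest
    # the sample is unsafe when bound_den*k >= bound_num*n faulty agents appear
    return sum(binom_pmf(n, k, p_faulty)
               for k in range(n + 1) if bound_den * k >= bound_num * n)

def min_sample_size(p_honest, target, n_max=1000):
    """Smallest n for which a uniform random sample breaches the 1/3 bound
    with probability <= target; None if n_max is reached first."""
    for n in range(1, n_max + 1):
        if prob_sample_unsafe(n, p_honest) <= target:
            return n
    return None

def self_selected_faulty_fraction(p_honest, join_honest, join_faulty):
    """Expected faulty fraction among participants under self-selection
    (non-probability sampling). Assumed toy model: each honest agent joins
    with probability join_honest, each faulty agent with join_faulty."""
    honest = p_honest * join_honest
    faulty = (1.0 - p_honest) * join_faulty
    return faulty / (honest + faulty)

if __name__ == "__main__":
    # constructed parameters: population assumed 90% honest
    print(prob_sample_unsafe(3, 0.9))                       # 0.271
    print(min_sample_size(0.9, 1e-6))
    # honest users mostly decline to join, faulty agents always join
    print(self_selected_faulty_fraction(0.9, 0.01, 1.0))    # about 0.917
```

With equal join rates the participant pool mirrors the population (10% faulty); when honest agents mostly stay away, the same 90%-honest population yields a participant pool that is overwhelmingly faulty, which is the gap the paper attributes to non-probability sampling.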