At heart, all early e-cash protocols had to find and appoint a broker to support the issuance (and redemption) of coins. However, the search for an appropriate broker plagued and hindered the adoption of e-cash. There are many reasons for financial institutions to avoid taking on the role including:

• Regulatory red tape,
• Financial and reputation risk,
• Lack of understanding or appeal (“why not credit cards?”).

Satoshi Nakamoto’s core innovation was to replace an appointed broker with an open-membership group (“the block producers”). He implemented a leader election protocol to allow anyone to register and self-appoint themselves to the group. It is designed as an objective competition and attracts financially motivated players to compete amongst themselves. The winner wins becomes the next leader who can propose which pending transactions should be confirmed as final.

Thanks to cryptography, the leader election competition is objectively fair to all participants and it is publicly verifiable such that anyone can check the network’s rules were adhered too. There is no need to blindly trust any participant in the open-membership group. We only need to trust that they will participate in the process and afterwards we can verify their actions. The trust, but verify paradigm.

As you can imagine, the design by Satoshi Nakamoto was radically different to any leader election protocol proposed for the past 30 years. It has opened a new frontier of research for a topic that was typically considered dull and mostly complete.

Transaction ordering service

Collectively, the block producers offers a single service:

• Transaction ordering service. Decide the final order of transactions for execution.

All transactions carry a fee (or tip) which helps decide the priority of transactions for ordering. A block producer should pick transactions with a higher fee first as this will maximise their profit. They can find pending transactions from the peer to peer network or allow users to send it directly to them.

To avoid any misconceptions, block producers DO NOT in ANY WAY run or control the network:

• Block producers are NOT responsible for enforcing consensus rules.
• Block producers CANNOT change the consensus rules.

It is a very simple, narrow and well-defined role. They are financially rewarded for providing a good quality of ordering service. It is decentralization that forces block producers to adhere to the rules. If they propose a block that breaks the rules, then the economic majority rejects it and the block producer will forfeit their reward.

How do we decide who can become a block producer?

It is important that all block producers can eventually converge and agree that a proposed block is part of the canonical chain.

The need for collective agreement impacts who can be a block producer. While the goal is to keep it an open-membership group, we must avoid allowing parties to join who can disrupt the process and make it difficult for the block producers to converge on the canonical chain.

The leader election protocol must have a sybil-resistance mechanism to identify and limit who can participate in the leader election. This is tricky as there is no strong notion of identity on the internet. It is very easy for an individual to create one, two, or several identities. While there are some fun protocols for Proof of Personhood, there is no realistic way to restrict participation based on identity alone.

Proof of X.

The solution is to pick block producers based on their ownership of a scarce and financially expensive resource to acquire. We call this Proof of X as the participant must prove they own the asset X before they can participate as a block producer. It leads to a weak notion of identity as it is linked to the resource and the participant can remain pseudonymous.

Two prominent examples include:

• Proof of Work. Prove computational power under your control by producing the solution to a difficult puzzle (ownership of electricity and hardware efficiency).
• Proof of Stake. Prove ownership of a set of coins.

In both cases, there is a limited supply of the resource and it is financially expensive to acquire it. The side-effect of Proof of X is that it can help align the financial incentives of all participants to protect the long-term health of the system. If they deviate from the honest protocol, it can be detrimental their investment.

Misconception: Proof of X has nothing to do with transaction throughput. It only serves as a way to identify who is participating in the leader election for ordering transactions.

Classical vs Nakamoto: Registering and picking the leader

Consensus protocols rely on a sub-protocol called the leader election which picks a leader to make a single decision on behalf of the group.

A leader election protocol has two components:

• Registering participants. Deciding who is allowed to participate in the leader election protocol,
• Picking the leader. All participants agree on the new leader for a single round.

The core innovation by Satoshi Nakamoto is changing how participants can register for the election which we discuss next.

Classical consensus. Participant selection is an easy problem to solve. A trusted admin can curate the list of candidates and install it into the system. Once a list of candidates is available and well-known, it is fairly straight-forward to decide who can be the next leader. For example, a round-robin style protocol can be implemented to allow each participant to take it in turn to become the leader. AWS has a nice writeup on the pros and cons of a leader election protocol for distributed systems.

Nakamoto Consensus. There is no trusted admin to curate a potential list of candidates. The magic of Satoshi Nakamoto was to create an open process and allow participants to register as a candidate. This is achieved with Proof of X as the act of obtaining ownership of the scarce resource is the registration process. In fact, in proof of work, it goes further as participants can register for the process without publicly signalling their intent to participate. The act of participating is not publicly known until they are picked as the next leader.

Example: Bitcoin’s proof of work

We will walk through the leader election protocol in Bitcoin’s proof of work as it was invented by Satoshi Nakamoto.

Registration process. A block producer (miner) must set up a competitive mining facility by acquiring hardware and a cost-effective electricity source. This registration process occurs in meat-space and there is is no in-protocol transcript. It is important to help protect liveness of the Bitcoin network and eventual convergence on a single canonical chain.

Even if 99% of miners are kicked offline, the remaining 1% block producers can continue to create blocks and confirm transactions. Over time, new participants can set up new mining facilitates and eventually contribute towards the transaction ordering service. As such, the registration process and meat-space nature adds resilience to the network against disruption.

Picking the next leader. Each participant competes in a private lottery and the first to find the winning ticket is picked as the next leader. On average, across all rounds, leaders are picked proportionally based on their financial investment relative to other participants. This is interesting, especially since the total capital investment is not publicly declared and there is no list of active participants.

This may appear paradoxical at first -- how can we fairly and proportionally distribute who is picked as a leader without knowing the list of participants up front?

This is the magic of a scratch-off lottery ticket style leader election. The task is straight-forward. Competitors scratch-off lottery tickets as fast as they can to be the first one to find a winning ticket. Once found, they broadcast the winning ticket to all active participants to prove they have won the competition and now have the right to produce the next block.

The scratch-off lottery ticket competition must be objective and not offer an advantage to any other competitors. The only way to outperform is for the competitor to scratch off tickets faster than the other competitors. In Bitcoin, this is accomplished as the winning lottery ticket is to find a hash with a prefix of N zeroes:

000000000abc... = hash(block_header, r). 

Put another way, computing the block hash is the equivalent for scratching off the lottery ticket. If the hash is not a winning ticket, then the competitor picks a new random factor (r) and tries again. Thanks to the properties of a cryptographic hash function, the only way for a competitor to increase their chances of winning is to compute hashes faster than others.

Can we identify block producers?

The large unknown segments highlights that miners can participate in a proof of work system without revealing their identity. It has become common practice for block producers to tag blocks with an identity. This makes it easy to track their distribution relative to all other miners.

Small majority. There is typically 2-4 entities who represent a majority of Bitcoin’s computational power. It is possible for block producers to collude, and if so, they have the power to censor or reverse recently confirmed transactions. As mentioned earlier, they cannot dictate or change the rules which governs the network, no matter their size or significance.

Mining pools. Care must be taken not to assume an entity is a single miner. In most cases, a block producer is a collection of smaller miners who are pooling resources together to propose a block. We call this a “pool” and in proof of work it is called a “mining pool”. One of the reasons for a smaller miner to join a pool is to reduce the variance of payments. They can get rewarded on daily basis as opposed to every X months (or potentially never receiving a reward).

One criticism for pools is the reliance on a single pool master to dictate the ordering of transactions. It is typical for the pool master to send all miners a block template and for the miners to solely focus on producing the next block. In this case, the power master is empowered and a handful of actors can decide which transactions can get confirmed in the blockchain. The responsibility does not come without consent and accountability. Small miners can quickly leave and join a competitor pool if the pool master misbehaves (or the pool gets too big).

A textbook example is GHash as they amassed a majority of the computational power in July 2014. This only lasted for a short period of time and eventually the pool lost influence to the point it no longer exists. There are also protocols like P2Pool or BetterHash that can remove pool masters and allow individual miners to decide which transaction will be confirmed in their block. As well, protocols that can discourage the formation of pools do exist, but real-world implementations have never taken off.

Competitive industry. In a proof of work system, the relative influence of block producers has changed over the years. Many miners have disappeared because they failed to keep up with their peers. There are several reason including:

• Hardware efficiency and electricity cost. Miners with the most capital and the lowest on-going cost can get ahead of the competition.
• Access to new mining hardware. Only a few companies can build competitive mining hardware and the ability to purchase it is a competitive advantage (~70% produced by Bitmain in 2019).
• Political influence. Mining has been banned in several countries (like the China ban) which leads to miners moving abroad or continuing their operations in secret.
• Attractive returns. Smaller miners will hop between pools to maximise their profit. It was not uncommon for pool operators to make a short-term loss by paying small miners to join their pool.

So, while the credible neutrality and objectiveness of the competition (proof of work) provides a level playing field for all to compete, it is the real-world environment surrounding the competition which restricts participant. Miners can be shut down due to inefficient operations, lack fo access to hardware, or simply due to the political environment they operate in. Regardless, the proof of work competition continues as long as one miner (at least) is available to participate.

Why are the block producers honest?

This is why it is crucial for Proof of X to attract the “right type of players” who “have a long-term interest in protecting the network and its interests”. The competition is not necessarily about widening access for anyone to participate, but ensuring it attracts the most financially aligned players.

The consensus rules are well-defined and it is not possible for a block producer to deviate from them. For example, a block producer cannot include an invalid transaction as the block will be rejected by the network (and economic majority). However, the block producer can make a single decision:

• Decide to extend a block. If a block producer receives a new block, should they extend it or continue to mine a competing block?

Honest behaviour assumes that a block producer will immediately extend a new block when it is received. However, if we consider financially rational behaviour, there are many reasons for a block producer to mine a competing block as opposed to extending the latest block:

• Enforce censorship. A bock producer will ignore blocks if it includes a transaction they want censored.
• Maximal extractable value. A block producer may want to steal transaction fees from another block, re-order transactions to maximise value they can extract, or simply maximise their block reward relative to others.

The tricky party with “honest behaviour” is that it is a social concept and what it means to be “honest” may change over time based on who is participating. For example, the idea of sending a transaction directly to the miners and bypassing the peer to peer network’s fee market can be considered “dishonest”, but “direct-transactions” is now a popular service run by flashbots. There is a good reason to believe that block producers will trend from honest to rational behaviour to help maximise their profit.

Regardless of honest or rational behaviour, it should go without saying the venture of block producers will only work if the revenue can cover the costs to participate and ultimately return a profit. There are many subtle details to consider in regards to sustainability of block producers, especially since Bitcoin and Ethereum have adopted very different approaches to solve the same problem.

In a future block post, we will cover their business models and long-term sustainability which is critical for attracting the “right type of players.” If you want to know more now, you can watch Lecture 4 or the wonderful Q&A session on Fee Market Sustainability.

p.s., Distributed systems literature calls the process a leader election, but in reality it is a competition to become the leader. We stick with historical terminology.