Two weeks ago, we wrote an article about Pyrofex’s claim that they found a serious vulnerability in the design of the Casper proof-of-stake (PoS) protocol developed by the Ethereum and RChain research teams and that the consensus mechanism that Pyrofex designed called Casanova would be a superior solution. Since then, Pyrofex announced that they were working on a blockchain platform called CDelta that would utilise Casanova for consensus. We reached out to them for an interview, and their CEO Nash Foster graciously accepted to answer our questions.
Can you tell us a bit about your personal background, how Pyrofex was created and who the other notable members of the team are?
My name is Nash Foster and I co-founded Pyrofex in the spring of 2016 with Mike Stay. We’re both ex-Googlers and security researchers that have had a long-term interest in cryptography, information security, and programming languages. We started Pyrofex because we believe there’s a lot of untapped potential in these fields that desperately needs to be turned into large-scale engineering.
Until recently, as far as I understand, Pyrofex had been working together with RChain Cooperative on the development of the Rchain platform. Are you still involved with that project in some capacity? What made you start your own blockchain project?
We worked with RChain starting in the Spring of 2017 until about October of 2018. Primarily, we helped them recruit and manage a development team of Scala engineers. Mike and I contributed our own efforts to their project, as well. RChain has been undergoing a lot of change over the last few months and last fall we were able to help them save some money and accelerate some milestones by turning the dev team over to them directly. At this point, most of the developers we hired work for RChain directly and we don’t have any involvement with them any longer.
We decided to start a blockchain project because we had a great consensus algorithm that we feel is better than the competition, at least in the ledger-only space. We aren’t that interested in smart contracts at the moment, so we didn’t feel like we were going to be competing with our friends at RChain.
Pyrofex researchers have claimed recently that the Ethereum’s and RChain’s Casper proof of stake protocol does not satisfy the liveness property. Could you give an explanation accessible to an average reader of what this property is and why Casper falls short of it?
Typically, we want blockchains to process transactions. To do that, the network has to arrive at agreement about what transactions occurred and in what order. Liveness means that the network is able to reach agreement, even if part of the network is broken. The other property we care about is “correctness” and that is the property that when the network finds agreement, that everyone ends up agreeing to the same thing.
Casper’s problem is that it’s quite easy for the mechanism to get stuck. It’s like a kid who can’t decide between chocolate and vanilla ice cream and goes back and forth perseverating over which one it wants. Now, in the analogy, your mom eventually yells at you to make up your mind, but in the blockchain, there is no “mom” to do that and the Casper mechanism can get stuck.
What could be the practical consequences of projects like Ethereum sticking to the Casper protocol with this potential flaw not addressed?
I think if they are trying to use Casper, then it will be really hard to build networks that work reliably. The networks might run for a while, but they’ll eventually get stuck and fail to make progress. In the usual case of an IT system like ZooKeeper or Google’s Chubby, a human would be forced to intervene somehow. But, in the blockchain world that simply can’t happen the same way.
I think the result will be that projects trying to use Casper will never deliver. They’ll keep trying and trying and never be able to make something that works well enough to launch it. And of course, that’s what we have seen so far. So, this shouldn’t be very controversial.
Has there been an official response from someone in the Ethereum/RChain Casper research team to your non-liveness claim?
Vitalik and Vlad have both tweeted about it, but I don’t think they take the issue very seriously. I’m not sure why not, it seems very serious to me. Of course, I come out of Google SRE and I would never want a system that has this sort of reliability problem. I worry they think the correctness problem is so much harder that they have left liveness by the wayside.
As far as I understand, your biggest selling point is the Casanova consensus mechanism. Could you explain to our readers how it is different from any preceding consensus mechanisms and what you mean when you are talking about “optimistic” consensus?
Casanova is fast because it is specifically designed to handle a UTXO-style ledger system where most transactions aren’t double spends. Bitcoin and other cryptocurrencies do a lot of work to find a single ordering of all transactions that everyone can agree on. Networks like Ethereum and RChain have to do something similar, because it’s so hard to tell if VM updates conflict with each other.
Casanova relies on the observation that you don’t have to do this work if you have the right transaction model. When we say that Casanova consensus is “optimistic” what we mean is that Casanova nodes can accept your UTXO transactions and confirm them almost instantly, nearly all of the time. The only time you get slowed down is when you, yourself, are trying to cheat by double-spending. It’s really elegant, because honest participants get to transact at maximum speed and the penalty for dishonesty is paid only by cheaters. As far as we know, it’s the only protocol proposed that has this property.
I would also like to give a bit of a background on consensus systems. There are different kinds of consensus system. Traditional distributed consensus algorithms like Paxos, or maybe Raft, rely on a trusted network whose failures are not too weird. These systems can be fast and have a lot of throughput, handling millions of transactions an hour, like in the case of Google’s Chubby system. But, these systems are not secure against weird failure cases.
Cryptographic consensus systems like Bitcoin’s X11 algorithm or Ethereum’s Dagger-Hashimoto algorithm rely on the thermodynamics of computation to form consensus. These algorithms are secure against most of the weird failure modes, but they are extremely slow. They can only support a few transactions an hour.
Moreover, the cost of maintaining security is outrageously high because Moore’s Law still applies. Moore’s Law is why ASICs are a problem for Bitcoin style networks. The performance improvements come faster if you can manufacture ASICs than if you have to rely on more general purpose gear.
Most of these networks will eventually collapse because the internal rate-of-return for the cryptocurrency cannot cover the cost of providing security.
With regard to optimistic consensus, I would like to be provocative and anticipate a critique from the broader blockchain circles. It seems, at least at first sight, to deviate from the fundamental assumption behind public blockchain projects starting from Bitcoin. That we should not have to trust at least the majority of the actors in the system in order to make it work. What would you respond to such critics?
Bitcoin requires that 51% of the hash rate be in the hands of honest miners. Casanova requires that 51% of the “votes” be in the hands of honest nodes. What’s the difference?
Well, one important difference is finalization. If a heavier Bitcoin chain shows up, all the honest miners are going to switch to it, even if that means a huge number of transactions are rolled back or re-ordered. This happened to the Ethereum Classic network recently when a larger mining farm launched a successful 51% attack.
In a system using Casanova, there is true finalization. Once my transaction is referenced by a node, that node can’t deny my transaction ever again without equivocating. So, large-scale block reorganizations aren’t possible. If there are enough evil nodes, they could ignore certain blocks and just pretend that those transactions weren’t happening. But, they would earn lower mining rewards as a result. It becomes a trade-off for the bad guys where they have to give up earnings to gain censorship power.
To us, this feels much more secure and realistic than the Bitcoin scenario or any proof-of-resource system, really.
What about the fact that optimistic consensus assumes that the vast majority of users will not attempt to double-spend? But one could argue that this may create an attack vector that does not exist in other blockchain architectures. For example, one can imagine a hostile government or a hacker using a botnet try to compromise CDelta by deliberately sending a mass of illicit transactions. How does CDelta’s design protect against such a scenario?
Blockchain transactions are extremely difficult to forge unless you have broken some fairly important cryptographic primitives. Every transaction is cryptographically signed by the sender’s private key. A very large bot-net would not be enough to spam the CDelta network with double spends. If state-level actors have broken public key cryptography, then many technologies like SSL/TLS are also completely broken and the cryptography community has some serious work to do. In fact, nearly every blockchain would be in the same position if state-level actors have good large-scale attacks against public key crypto. In this regard, we aren’t unique at all, we’re in the same boat as everyone else.
It’s possible that lots of real users could all attempt to double spend at the same time, but it’s not clear to me why that would be useful to them. The CDelta network will get slow for them, but it won’t slow down nearly as much for people transacting honestly. So, they a really hurting themselves more than they are hurting anyone else. I like situations where the attacker pays much higher cost than the victim. This is a scenario where there is a strong incentive is to stop attacking people.
Are you planning to use sharding or layer-two solutions like state channels or plasma chains?
The CDelta network that we’re building is going to have a kind of sharding based on geography. We’re not intending to build anything like state channels or plasma chains. Those seem like really sad compromises to us. When Tesla wanted to build a practical electric car, they didn’t start by saying, “performance is going to be terrible and you’re going to need this other car in most situations.” The lightning network and plasma chains are basically hacks that are necessary because the dev teams don’t know what else to do.
We aren’t faced with the same legacy problems when building CDelta. First of all, we don’t have a legacy ledger system to support. So, we can fine tune the ledger’s transaction model to an algorithm that is absurdly fast by design. Second, we don’t have a legacy physical network to support. So, we can design and build a physical network that incorporates design principles from the last 40 years of experience building high-speed networks.
Bitcoin and Ethereum simply can’t do that. Those protocols encourage people to invest in hash power exclusively in preference to any sort of network performance. There’s no reason to build a mining farm with a really large Internet connection, because it wouldn’t use it anyway. But, everyone in the networking field knows that if you want transaction volume, it takes bandwidth and low latency networking connections. There just isn’t any way for the Bitcoin devs to get what they want. So, they build Lightning or Plasma or whatever, even though it’s a terrible idea.
There are numerous serious projects attempting to build a truly scalable platform (Cardano, Algorand, Hashgraph, RChain, DFinity, Polkadot, Ethereum with Serenity, etc.). What other features of CDelta besides optimistic consensus make you think that it has solid chances to at least get a significant market niche in the mature blockchain industry?
A lot of those projects aren’t really delivering what they promised. A lot of these projects raised really eye-popping amounts of money and have delivered really mediocre results. With CDelta, we’re being very conservative about what we promise people. Right now, we’re laser focused on building a high-speed transaction system, which makes things a lot simpler for us. We don’t have to deal with all the complexity of a smart contract VM or the same sort of formal methods problems that Cardano or Tezos are trying to address.
We really believe that when it comes to computer engineering, the proof is in delivering. So, our goal is to deliver consistently and convincingly every single day. Over time, this will make our product extremely convincing for organizations and users that are looking to adopt blockchain for various use cases.
On top of that, we think most of these projects have been very idealistic about governance, when the need has been hard-nosed practicality. We’re very proud of the way we’re organizing the project in terms of governance and we expect it to be successful in ways that other projects have found very difficult.
Those are just features, though. At the end of the day, projects succeed or fail based on relationships and marketing. We look forward to competing with all of these projects on those grounds. May the best team win.
On the web-page you wrote that “the CDelta chain’s focus is oriented towards payment processing as a core component of a decentralized application framework.” Does it mean that you are not building an Ethereum-style decentralized applications-enabling blockchain?
We are not building an Ethereum-style blockchain. First of all, the main use case for Ethereum is ERC20 tokens. We intend to support something similar to ERC20, but in a different way that avoids needing an Ethereum style virtual machine. Second of all, we feel very committed to avoiding unnecessary complexity. We want to solve the performance and scale problems for blockchains. Those problems are hard enough in the UTXO ledger case, which is why we don’t have a viable high-performance alternative to Bitcoin yet. I could promise you the moon, but what’s the point? We’re going to do this one thing and do it really well.
If CDelta is also planned as a decentralized applications-enabling blockchain, what will be the approach to enabling computations on-chain? Are you planning to emulate RChain’s rho calculus-based approach to computations?
We’re not building an apps-enabling blockchain, but if we did then we would not use the Rho-calculus. I think Ethereum and CasperLabs both have got the right end of the stick in planning to use WASM for their VM. We would almost certainly do the same thing, in large part because WASM is being used very successfully elsewhere. E.g., CloudFlare has some very interesting products based on WASM. Moreover, WASM is directly supported by the LLVM toolkit whereas the Rho-calculus model is not.
What other notable blockchain-related projects that you are ready to disclose is Pyrofex working on?
We are also preparing to release Numifex Beta, our payment processing solution. The goal of Numifex is to allow businesses to run their own decentralized payment processor without having to rely on third-parties. This dramatically reduces the cost of payment processing for businesses, especially those in the high-risk category.
Finally, what are the biggest obstacles to blockchain adoption and how may they realistically be solved, in your view?
The biggest obstacle to blockchain adoption is that the technology is immature for real users and it’s not maturing very quickly. We have a situation where companies can generate income through token sales and investments without ever having to create sales. So, we’re getting increasingly bizarre business plans that might be good someday, but nobody cares right now because there isn’t really any payment volume yet.
We saw this in the Internet boom, too. There were huge investments in companies that were not prepared to focus on sales first. The Pets.com guys could have been Jeff Bezos. There really wasn’t any reason that Amazon had to sell books first, they could have sold dog food. But, the Pets.com team wasn’t prepared to focus on sales and Bezos was. So, Bezos was off in a corner of the Internet quietly selling books for a long time, figuring out how to get people to put their credit card number into a website. Meanwhile, the Pets.com guys were buying trucks and worrying about internal logistics and distribution. In the end, Bezos got to solve the cool internal logistics problem and the Pets.com guys didn’t, because sales come first in business.
It’s the same problem now. Cardano and Tezos and a bunch of other people are spending all their time worrying about formal verification and smart contracts and side chains and Plasma networks and disintermediating the market for artificial intelligence computation or whatever other crazy thing. There are all these wacko business plans and I guess this stuff seems cool and important to other blockchain developers and enthusiasts.
But, the real world users are saying, “Can you just send me Venmo?” And those guys are really kicking our ass in the mobile payment space. And the only reason is we can’t figure it out.
If blockchain networks want to get to the next level, we have to stop navel-gazing and get focused on putting users onto the network so they can transact with each other. I need to be able to pay my babysitter with cryptocurrency and there just aren’t enough companies focused on figuring that part out.