Ethereum Protocol Upgrade Outlook (1): The Merge

Original Article Title: "Ethereum Protocol Upgrade Outlook Analysis (Part 1): The Merge"

Original Source: Ebunker Chinese

Since October of this year, Ethereum co-founder Vitalik Buterin has released a series of articles on the future possibilities of the Ethereum protocol, covering six parts of the Ethereum development roadmap: The Merge, The Surge, The Scourge, The Verge, The Purge, and The Splurge. This article will interpret the roadmap's first part (The Merge), exploring what other technical designs for PoS Proof of Stake can be improved and the paths to implementing these improvements.

Vitalik believes that the "Merge" refers to the most important event in Ethereum protocol history since its launch: the transition from PoW Proof of Work to PoS Proof of Stake. Today, Ethereum has been operating as a stable PoS system for almost two years, and this Proof of Stake has performed very well in terms of stability, performance, and mitigating centralization risks. However, there are still some important areas for improvement in Proof of Stake.

The Ethereum 2023 roadmap divides it into several parts: improving technical features (such as stability, performance, and accessibility to smaller validators) and making economic changes to address centralization risks. According to Vitalik, this article is not an exhaustive list of improvements to Proof of Stake but rather a collection of actively considered ideas.

Main goals of the Merge:

1. Single-slot finality (SSF): Typically, an Ethereum block takes about 15 minutes to finalize. However, by increasing the efficiency of Ethereum's consensus mechanism to validate blocks, the time needed for finality can be significantly reduced. Blocks can be proposed and finalized in the same slot without waiting for 15 minutes.

2. Fastest transaction confirmation and finality while maintaining decentralization

3. Improve the feasibility of solo stakers

4. Enhance robustness

5. Improve Ethereum's resistance and recovery capabilities against 51% attacks (including finality reversals, finality denials, and reviews)

Single Slot Deterministic Finality and Stake Decentralization

Currently, it takes 2–3 epochs (about 15 minutes) to finalize a block, and 32 ETH is required to become a validator. This was initially a compromise to balance among three goals:

- Maximizing the number of validators participating in staking (minimizing ETH required for staking);

- Minimizing finality time;

- Minimizing node operation costs.

These three goals are conflicting: to achieve economic finality (meaning an attacker would need to burn a substantial amount of ETH to revert a finalized block), every validator is required to sign two messages each time finality is reached. Therefore, if there are a large number of validators, either a significant amount of time is needed to process all signatures, or very powerful nodes are required to process all signatures concurrently.

All of this hinges on a key goal of Ethereum: ensuring that even a successful attack would incur a high cost to the attacker. This is the essence of "economic finality."

There are counterexamples as well. Blockchains without "economic finality" (such as Algorand) address this issue by randomly selecting a committee to finalize each slot. However, the problem with this approach is that if an attacker does indeed control 51% of validators, the cost of attack is extremely low: only some nodes in the committee will be identified as participating in the attack and penalized. This means the attacker can repeatedly carry out attacks on the chain.

Therefore, if Ethereum aims to achieve economic finality, a committee-based simplistic approach is not viable, and instead, full validator participation is required.

Ideally, Ethereum wants to improve the current state in two aspects while retaining economic finality:

1. Finalizing blocks within a single slot (ideally, maintaining or reducing the current 12-second length) instead of 15 minutes

2. Allowing validators to stake 1 ETH (reducing from 32 ETH to 1 ETH)

The first point can ensure that all Ethereum users benefit from a higher level of security provided by the finality mechanism. Currently, most users cannot enjoy this security as they are unwilling to wait for 15 minutes; with a single slot deterministic finality mechanism, users can almost instantly see transaction finality shortly after transaction confirmation. Secondly, if users and applications do not have to worry about the possibility of chain reorganizations, it simplifies the protocol and its surrounding infrastructure.

The second point is to support individual stakers. According to multiple polls, the main barrier to solo staking is the 32 ETH minimum requirement. Lowering the minimum to 1 ETH will address this issue.

There is currently a challenge: the goals of faster finality and more decentralized staking both conflict with the objective of minimizing costs. In fact, this is why Ethereum did not initially adopt single-slot finality. However, recent research has proposed some potential solutions to this issue.

How It Works:

Single-slot finality involves using a consensus algorithm that finalizes a block within one slot. This is not inherently a difficult goal to achieve as many algorithms (e.g., Tendermint consensus) have already accomplished this.

One unique property of Ethereum (i.e., inactivity leaks) is that even if over 1/3 of validators are offline, this property allows the blockchain to continue operating and eventually recover.

Single-Slot Finality Proposal

Regarding how to make single-slot finality work with a very high number of validators without causing excessive node operator costs, there are several leading solutions:

Option one is brute-forcing by achieving a better signature aggregation protocol, potentially utilizing ZK-SNARKs, which would make it feasible to handle signatures from millions of validators in a single slot. For example, Horn is one proposal put forth to design a better aggregation protocol.

Option two is the Orbit Committee, a new mechanism that allows for randomly selected medium-sized committees to be responsible for chain finality but maintains attack cost properties. Orbit leverages the existing heterogeneity in validator deposit sizes to achieve maximal economic finality while still giving smaller validators a role proportionate to theirs.

As illustrated in the graph below, lying between x=0 (Algorand Committee with no economic finality) and x=1 (Ethereum's current state), Orbit SSF opens up an intermediate zone:

1. Where the cost of malfeasance remains high to ensure utmost security;

2. Yet, at the same time, only a moderately sized random validator sample needs to participate in each slot, easing the node burden.

Option three is Dual Collateral, a mechanism with two types of collateral providers, where one type has a higher deposit requirement and the other type has a lower deposit requirement. Only the higher deposit requirement tier will directly participate in providing economic finality. Various proposals have been made regarding the rights and responsibilities of the lower-tier depositors, including:

- The right to delegate stake to a higher-level stakeholder;

- Randomly selecting lower-tier collateral providers to attest and ultimately finalize each block;

- The right to be included in a list, and so on.

For Ethereum's security model and the centralization properties of staking, each solution has its advantages, disadvantages, and trade-offs: while a brute-force attack can address the issue, it requires aggregating a large number of signatures in a very short time, making it technically challenging; Orbit Committees need to validate their security and properties, and undergo formalization and implementation; and the Dual Collateral mechanism faces centralization risks, with the risk largely depending on the specific rights obtained by the lower collateral tier.

In addition to single-slot determinism, Single Secret Leader Election is also a critical issue in the Ethereum proof-of-stake system. Currently, it is possible to know in advance which validator will propose the next block, creating a security vulnerability where an attacker can monitor the network, determine which validators correspond to which IP addresses, and launch a DoS attack on them as they are about to propose a block.

The best approach to addressing this issue is to conceal which validator will produce the next block, at least until this information is revealed before the block is actually generated.

Single Secret Leader Election

Currently, it is possible to know in advance which validator will propose the next block, creating a security vulnerability where an attacker can monitor the network, determine which validators correspond to which IP addresses, and launch a DoS attack on them as they are about to propose a block.

The Single Secret Leader Election protocol addresses this issue by creating a "blinded" validator ID for each validator using some cryptographic techniques, allowing many proposers the opportunity to reshuffle and re-blind the blind ID pool, thereby mitigating this problem.

However, implementing a sufficiently simple Single Secret Leader Election protocol is not easy.

The simplicity of the Ethereum protocol is crucial, and further complexity is not desirable. Simplified SSLE using ring signatures, which uses ring signatures, adds only a few hundred lines of spec code and introduces new assumptions in complex cryptography.

Achieving a sufficiently effective post-quantum Secure Systems Layer (SSLE) is also a question. It may eventually turn out that the "marginal additional complexity" of SSLE will only decrease to a low enough level when we boldly attempt, for other reasons, to introduce a mechanism for executing general zero-knowledge proofs in the Ethereum protocol at Layer 1.

Additionally, faster transaction finality is also one of the challenges the Ethereum proof-of-stake system needs to address.

Further shortening Ethereum's transaction confirmation time (from 12 seconds to 4 seconds) is valuable. Doing so will significantly improve the user experience on L1 and rollup-based solutions, while making DeFi protocols more efficient. It will also decentralize L2 further, as it will enable numerous L2 applications to operate on rollups, reducing the need for L2 to build their own committee-based decentralized ordering.

There are roughly two technologies: reducing slot time to 8 seconds or 4 seconds and allowing proposers to pre-commit within a single slot. However, the feasibility of shortening the slot time is currently unclear.

Even today, validators in many parts of the world find it challenging to get attestations quickly enough. Attempts at 4-second slot times pose centralization risks for validators and, due to latency, becoming a validator outside a few geologically advantaged regions is impractical.

The weakness of the proposer pre-commit method is that it can significantly improve the average-case inclusion time but not the worst-case. Additionally, there is an unresolved issue of how to incentivize pre-commitments.

Facing the potential threat of quantum computing in the future, Ethereum needs to actively develop post-quantum attack-resistant alternatives. Every part of the Ethereum protocol that currently relies on elliptic curves needs to have some hash-based or other post-quantum alternatives. This demonstrates that conservatism in the performance assumptions around proof of stake design is reasonable and is also a reason for actively developing post-quantum attack-resistant alternatives.

Conclusion

The Ethereum proof-of-stake system faces challenges on its path of technical evolution. Due to Ethereum's high staking threshold, staking service providers led by Lido have become the preferred choice for Ethereum node staking, and multi-level staking schemes also carry some centralization risk. To address these challenges, single-slot finality and stake decentralization, single secret leader election, faster transaction confirmation, and the development of post-quantum attack-resistant alternatives are all critical issues Ethereum needs to tackle.

Vitalik has thoroughly considered "The Merge" upgrade and proposed as many technical solution combinations as possible, discussing the design potential of Ethereum's PoS proof-of-stake technology, as well as the current feasible technological upgrade paths.

Throughout the technical upgrade process, Ethereum is still striving to continuously explore and innovate, balancing and choosing between different technical solutions to find the most suitable development path, achieving higher security, performance, and decentralization.

Original Article Link