2020-08-23
Adopting the PoS consensus mechanism is meant to improve the energy efficiency of the Ethereum protocol and to strengthen the security of the Ethereum blockchain. The core of Ethereum 2.0 is sharding and the PoS consensus mechanism. Why has Ethereum chosen to transition from Proof of Work to the Proof of Stake consensus mechanism (Casper PoS) in its 2.0 phase?


First, the Frontier phase. At the end of 2013, founder Vitalik Buterin published the first version of the Ethereum whitepaper and assembled the Ethereum team, and in 2014 the ETH crowdsale was held. On July 30, 2015, the Ethereum blockchain officially launched, producing the first genesis block and the first smart contract.

Second, the Homestead phase. In March 2016, Ethereum went through its first hard fork, the "Homestead Fork"; technically this fork brought no major upgrade, but it improved the user experience to some degree. On June 18, the smart contract The DAO on the Ethereum chain suffered a malicious hacking attack, which led to a hard fork of the Ethereum chain: the original chain became Ethereum Classic (ETC), and the newly forked chain became today's Ethereum (ETH).

Third, the Metropolis phase. This phase is fairly critical for Ethereum and is divided into two stages, "Byzantium" and "Constantinople". On October 16, 2017, Ethereum carried out the "Byzantium" fork upgrade; since the ICO market was hot at the time and on-chain ETH transaction volume had surged, this upgrade adjusted Ethereum's block difficulty evaluation formula so that block production became more stable, and the block reward was reduced from 5 ETH to 3 ETH. On February 28, 2019, Ethereum launched the "Constantinople" hard fork, which mainly optimized gas fees. Finally, the Serenity phase, which is the Ethereum 2.0 phase.


First, after the official launch of Ethereum 2.0, users can voluntarily migrate to the PoS-based Beacon chain, while the existing ETH 1.0 chain will keep running; the two chains will be developed separately and eventually merged into one. Running two chains is a compromise forced by the need to keep the huge ETH 1.0 ecosystem sustainable.


Ethereum 2.0 currently has five clients: Lighthouse, Nimbus, Prysm, Teku and Lodestar, and Cortex and Trinity are expected to be added in the future, increasing the stability of the Ethereum chain. Second, Ethereum 2.0 adopts the PoS consensus mechanism, which reduces dependence on miners, thereby lowering the gas fees that previously spiked whenever transaction volume surged, and it can also relieve network congestion to some extent.


Why has Ethereum chosen to transition from Proof of Work to the Proof of Stake consensus mechanism (Casper PoS) in its 2.0 phase? Let's hear what its founder Vitalik Buterin has to say.




These cryptoeconomic networks come in many flavors: ASIC-based PoW, GPU-based PoW, naive PoW, delegated PoS, and the hopefully soon-to-be-realized Casper PoS, and each one inevitably comes with its own underlying philosophy.

One well-known example is treating the proof of work mechanism as the supreme principle. Under this mechanism, the single chain that miners have invested the largest amount of economic capital to create is defined as "the only correct" blockchain. Originally this was merely an in-protocol fork choice rule, but in many cases this mechanism has been elevated to a sacred tenet. As an example, see the Twitter discussion between me and Chris DeRose, which shows someone defending this idea in its pure form even in the face of hard forks that keep changing the protocol's hash algorithm.

Bitshares' delegated proof of stake (DPoS) presents another coherent philosophy, where everything once again flows from a single tenet. This tenet can be described even more simply: shareholders vote.




Cryptography is truly special in the 21st century, because there are few fields left where the defender still mostly holds the upper hand in adversarial conflict, and cryptography is one of them. A castle is far easier to destroy than to build; an island is more defensible but can still be attacked; yet an ordinary person's elliptic curve cryptography (ECC) key can be secure enough to resist even state-level intrusion.


The "cypherpunk spirit" is not merely idealism; building a system that is easy to defend and hard to attack is simply how it should be done from an engineering design standpoint.


In short, in the information-technology-rich 21st century, an attacker who wants to convince the whole world to accept the blockchain he has taken over faces a task roughly as hard as convincing the world that the United States never landed on the moon. Therefore, in the end it is these social factors that are the long-term guarantee of a blockchain, whether or not the blockchain community admits it (Bitcoin Core does admit the primacy of the social layer).

However, a blockchain protected by social consensus alone would be far too inefficient, would run too slowly, and would easily let disagreements drag on endlessly (no matter how one tries to prevent it, it has still happened); hence, in the short term, economic consensus plays an extremely important role in protecting the liveness and safety of the blockchain.

Because the security of proof of work can only be guaranteed by block rewards (in Dominic Williams' words, it lacks two of the three Es; translator's note: Entry cost, Exist cost, and Exit penalty), and miners' incentives come only from the risk of losing their block rewards, the logic on which proof of work operates is: use massive rewards to call massive hashing power into existence.

Recovering from an attack in PoW is very hard: the first time it happens, you can hard fork to change the proof of work and thereby render the attacker's ASICs useless, but if it happens again you have no options left, so the attacker can attack again and again.


Proof of stake no longer relies on rewards to provide network security; instead it breaks this symmetry through penalties. Validators who stake funds (deposits) receive a small reward, as compensation for locking up capital, maintaining nodes, and additionally taking care to keep their private keys safe, but the penalty for reverting transactions is hundreds or thousands of times larger than the rewards they earn in the same period. Hence the "one-sentence philosophy" of proof of stake is not "security comes from burning energy" but rather "security comes from raising the economic value at loss".


Theoretically, a majority of validators could collude to take over a proof of stake chain and then start acting maliciously. However, (i) through clever protocol design, their ability to extract profit through such manipulation can be limited as much as possible, and, more importantly, (ii) if they try to prevent new validators from joining the network or carry out a 51% attack, the community can simply coordinate a hard fork and delete the misbehaving validators' deposits.

A successful attack may cost fifty million dollars, but compared with the handling of the geth/parity consensus bug on 2016.11.25, the clean-up process will not be much more arduous. Two days later, the blockchain and community are back on track, the attacker has lost fifty million dollars, and community members may even have benefited, since the supply crunch after the attack will have pushed up the value of the token. That is the asymmetry between attack and defense.

The above should not be taken to mean that unscheduled hard forks will become a regular occurrence; if necessary, the cost of a single 51% attack in PoS can be set as high as that of a permanent 51% attack in PoW. Such an enormous cost and the ineffectiveness of an attack should ensure that in practice nobody tries one.

Economics is not a panacea. Some individuals may be driven by extra-protocol motives: their computers may be hacked, they may be kidnapped, or they may simply get drunk one day and decide to wreck the blockchain regardless of the cost.

Furthermore, on the bright side, individuals' moral restraint and communication inefficiencies will raise the cost of an attack to a level higher than the protocol-defined value-at-loss. This is an advantage we cannot rely on, but at the same time it is an advantage we should not needlessly throw away.

Hence, the best protocols are those that still function correctly under a wide variety of models and assumptions: economic rationality with coordinated choice, economic rationality with individual choice, simple fault tolerance, Byzantine fault tolerance (ideally both the adaptive and non-adaptive adversary variants), Ariely/Kahneman-inspired behavioral economic models ("we all cheat just a little"), and any other well-founded model that is both realistic and practical under ideal conditions.






There are many reasons for Ethereum to move from PoW to PoS; the most important consideration is solving the "impossible triangle" problem, using PoS + Sharding to improve Ethereum's performance.




Systems like Ethereum (and Bitcoin, and NXT, and Bitshares, ETC) are a fundamentally new class of cryptoeconomic organisms — decentralized, jurisdictionless entities that exist entirely in cyberspace, maintained by a combination of cryptography, economics and social consensus. They are kind of like BitTorrent, but they are also not like BitTorrent, as BitTorrent has no concept of state — a distinction that turns out to be crucially important. They are sometimes described as decentralized autonomous corporations, but they are also not quite corporations — you can’t hard fork Microsoft. They are kind of like open source software projects, but they are not quite that either — you can fork a blockchain, but not quite as easily as you can fork OpenOffice.

These cryptoeconomic networks come in many flavors — ASIC-based PoW, GPU-based PoW, naive PoS, delegated PoS, hopefully soon Casper PoS — and each of these flavors inevitably comes with its own underlying philosophy. One well-known example is the maximalist vision of proof of work, where “the” correct blockchain, singular, is defined as the chain that miners have burned the largest amount of economic capital to create. Originally a mere in-protocol fork choice rule, this mechanism has in many cases been elevated to a sacred tenet — see this Twitter discussion between myself and Chris DeRose for an example of someone seriously trying to defend the idea in a pure form, even in the face of hash-algorithm-changing protocol hard forks. Bitshares’ delegated proof of stake presents another coherent philosophy, where everything once again flows from a single tenet, but one that can be described even more simply: shareholders vote.

Each of these philosophies (Nakamoto consensus, social consensus, shareholder voting consensus) leads to its own set of conclusions and leads to a system of values that makes quite a bit of sense when viewed on its own terms — though they can certainly be criticized when compared against each other. Casper consensus has a philosophical underpinning too, though one that has so far not been as succinctly articulated.

Myself, Vlad, Dominic, Jae and others all have their own views on why proof of stake protocols exist and how to design them, but here I intend to explain where I personally am coming from.

I’ll proceed to listing observations and then conclusions directly.

Cryptography is truly special in the 21st century because cryptography is one of the very few fields where adversarial conflict continues to heavily favor the defender. Castles are far easier to destroy than build, islands are defendable but can still be attacked, but an average person’s ECC keys are secure enough to resist even state-level actors. Cypherpunk philosophy is fundamentally about leveraging this precious asymmetry to create a world that better preserves the autonomy of the individual, and cryptoeconomics is to some extent an extension of that, except this time protecting the safety and liveness of complex systems of coordination and collaboration, rather than simply the integrity and confidentiality of private messages. Systems that consider themselves ideological heirs to the cypherpunk spirit should maintain this basic property, and be much more expensive to destroy or disrupt than they are to use and maintain.

The “cypherpunk spirit” isn’t just about idealism; making systems that are easier to defend than they are to attack is also simply sound engineering.

On medium to long time scales, humans are quite good at consensus. Even if an adversary had access to unlimited hashing power, and came out with a 51% attack of any major blockchain that reverted even the last month of history, convincing the community that this chain is legitimate is much harder than just outrunning the main chain’s hashpower. They would need to subvert block explorers, every trusted member in the community, the New York Times, archive.org, and many other sources on the internet; all in all, convincing the world that the new attack chain is the one that came first in the information technology-dense 21st century is about as hard as convincing the world that the US moon landings never happened. These social considerations are what ultimately protect any blockchain in the long term, regardless of whether or not the blockchain’s community admits it (note that Bitcoin Core does admit this primacy of the social layer).

However, a blockchain protected by social consensus alone would be far too inefficient and slow, and too easy for disagreements to continue without end (though despite all difficulties, it has happened); hence, economic consensus serves an extremely important role in protecting liveness and safety properties in the short term.

Because proof of work security can only come from block rewards (in Dominic Williams’ terms, it lacks two of the three Es), and incentives to miners can only come from the risk of them losing their future block rewards, proof of work necessarily operates on a logic of massive power incentivized into existence by massive rewards. Recovery from attacks in PoW is very hard: the first time it happens, you can hard fork to change the PoW and thereby render the attacker’s ASICs useless, but the second time you no longer have that option, and so the attacker can attack again and again. Hence, the size of the mining network has to be so large that attacks are inconceivable. Attackers of size less than X are discouraged from appearing by having the network constantly spend X every single day. I reject this logic because (i) it kills trees, and (ii) it fails to realize the cypherpunk spirit — cost of attack and cost of defense are at a 1:1 ratio, so there is no defender’s advantage.

Proof of stake breaks this symmetry by relying not on rewards for security, but rather penalties. Validators put money (“deposits”) at stake, are rewarded slightly to compensate them for locking up their capital and maintaining nodes and taking extra precaution to ensure their private key safety, but the bulk of the cost of reverting transactions comes from penalties that are hundreds or thousands of times larger than the rewards that they got in the meantime. The “one-sentence philosophy” of proof of stake is thus not “security comes from burning energy”, but rather “security comes from putting up economic value-at-loss”. A given block or state has $X security if you can prove that achieving an equal level of finalization for any conflicting block or state cannot be accomplished unless malicious nodes complicit in an attempt to make the switch pay $X worth of in-protocol penalties.

Theoretically, a majority collusion of validators may take over a proof of stake chain, and start acting maliciously. However, (i) through clever protocol design, their ability to earn extra profits through such manipulation can be limited as much as possible, and more importantly (ii) if they try to prevent new validators from joining, or execute 51% attacks, then the community can simply coordinate a hard fork and delete the offending validators’ deposits. A successful attack may cost $50 million, but the process of cleaning up the consequences will not be that much more onerous than the geth/parity consensus failure of 2016.11.25. Two days later, the blockchain and community are back on track, attackers are $50 million poorer, and the rest of the community is likely richer since the attack will have caused the value of the token to go up due to the ensuing supply crunch. That’s attack/defense asymmetry for you.

The above should not be taken to mean that unscheduled hard forks will become a regular occurrence; if desired, the cost of a single 51% attack on proof of stake can certainly be set to be as high as the cost of a permanent 51% attack on proof of work, and the sheer cost and ineffectiveness of an attack should ensure that it is almost never attempted in practice.

Economics is not everything. Individual actors may be motivated by extra-protocol motives, they may get hacked, they may get kidnapped, or they may simply get drunk and decide to wreck the blockchain one day and to hell with the cost. Furthermore, on the bright side, individuals’ moral forbearances and communication inefficiencies will often raise the cost of an attack to levels much higher than the nominal protocol-defined value-at-loss. This is an advantage that we cannot rely on, but at the same time it is an advantage that we should not needlessly throw away.

Hence, the best protocols are protocols that work well under a variety of models and assumptions — economic rationality with coordinated choice, economic rationality with individual choice, simple fault tolerance, Byzantine fault tolerance (ideally both the adaptive and non-adaptive adversary variants), Ariely/Kahneman-inspired behavioral economic models (“we all cheat just a little”) and ideally any other model that’s realistic and practical to reason about. It is important to have both layers of defense: economic incentives to discourage centralized cartels from acting anti-socially, and anti-centralization incentives to discourage cartels from forming in the first place.

Consensus protocols that work as-fast-as-possible have risks and should be approached very carefully if at all, because if the possibility to be very fast is tied to incentives to do so, the combination will reward very high and systemic-risk-inducing levels of network-level centralization (eg. all validators running from the same hosting provider). Consensus protocols that don’t care too much how fast a validator sends a message, as long as they do so within some acceptably long time interval (eg. 4–8 seconds, as we empirically know that latency in ethereum is usually ~500ms-1s) do not have these concerns. A possible middle ground is creating protocols that can work very quickly, but where mechanics similar to Ethereum’s uncle mechanism ensure that the marginal reward for a node increasing its degree of network connectivity beyond some easily attainable point is fairly low.

From here, there are of course many details and many ways to diverge on the details, but the above are the core principles that at least my version of Casper is based on. From here, we can certainly debate tradeoffs between competing values. Do we give ETH a 1% annual issuance rate and get a $50 million cost of forcing a remedial hard fork, or a zero annual issuance rate and get a $5 million cost of forcing a remedial hard fork? When do we increase a protocol’s security under the economic model in exchange for decreasing its security under a fault tolerance model? Do we care more about having a predictable level of security or a predictable level of issuance? These are all questions for another post, and the various ways of implementing the different tradeoffs between these values are questions for yet more posts. But we’ll get to it :)
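The essay's definition of "$X security" (a block is secured by the penalties any conflicting finalization must pay) and its attack/defense asymmetry argument, as an added worked model that is not code from the page, from Ethereum or from Casper. It assumes a Casper-FFG-style rule not stated on this page: finality needs votes from validators holding 2/3 of deposited stake, and a validator whose votes finalize two conflicting blocks loses its whole deposit; the validator set, the 1% reward rate and the two-day window are constructed sample values.

```python
from fractions import Fraction

# Constructed validator set (not from the page): six validators, 100 units each.
DEPOSITS = {f"v{i}": 100 for i in range(1, 7)}

def finalized(deposits, voters):
    """A block is finalized once its voters hold >= 2/3 of all deposited stake
    (Casper-FFG-style supermajority rule; an assumption, not stated on the page)."""
    total = sum(deposits.values())
    return 3 * sum(deposits[v] for v in voters) >= 2 * total

def slashed_value(deposits, voters_a, voters_b):
    """Penalties actually paid if two conflicting blocks both get finalized:
    every validator whose votes finalized both is slashed for its deposit."""
    if not (finalized(deposits, voters_a) and finalized(deposits, voters_b)):
        return 0  # no conflicting finality, nothing to slash
    return sum(deposits[v] for v in voters_a & voters_b)

def security_floor(deposits):
    """The $X of the essay's definition: two voter sets each holding >= 2/3 of
    stake must overlap in >= 1/3 of stake, so any conflicting finalization burns
    at least total/3, whichever validators collude."""
    return Fraction(sum(deposits.values()), 3)

def attack_defense_ratio(deposits, annual_reward_rate, attack_days):
    """Cost of attack (value-at-loss) divided by cost of defense (rewards paid to
    validators during the attack window). The essay puts PoW at 1:1; under PoS
    the ratio is the defender's advantage. annual_reward_rate is a Fraction."""
    total = sum(deposits.values())
    defense = Fraction(total) * Fraction(annual_reward_rate) * attack_days / 365
    return security_floor(deposits) / defense

if __name__ == "__main__":
    a = {"v1", "v2", "v3", "v4"}  # 400 of 600 units: finalizes block A
    b = {"v3", "v4", "v5", "v6"}  # 400 of 600 units: finalizes conflicting block B
    print("slashed:", slashed_value(DEPOSITS, a, b))  # 200, equal to the floor
    print("attack/defense:", float(attack_defense_ratio(DEPOSITS, Fraction(1, 100), 2)))
```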



