Yesterday I started a discussion on Witness pay and the appropriate number of witnesses, but I fear that discussion actually missed the mark. The number of witnesses can be changed in a day, and the pay within 2 weeks.
What is far more important than the number of witnesses is who gets to choose the witnesses and how quickly those decisions can be made.
I would like to take a moment to use an analogy on the difference between energy and power. Power can be thought of as the amount of energy that can be applied in a fixed amount of time. If you invented a battery that contained infinite energy but that energy could only be drawn upon at 1 watt then you couldn't even power a household light bulb. However, if you had a standard AA battery and were able to release all of the energy in that battery instantaneously you could destroy the world.
When it comes to proof of stake coins, a voting share can be thought of as raw energy. The power of the network can be thought of in terms of how many votes can be brought to bear in a short period of time.
The security of a network depends upon distribution of energy and the speed at which it can be applied to react to changing circumstances.
So let's suppose that we had 1001 witnesses but all voting power was proxied through a single account. The presence of 1001 witnesses is an illusion: they could be changed in a day down to the minimum of 11 if a single individual was compromised. It is unlikely that 50% of the stakeholders could change their vote in a day to counter the corrupt proxy.
From this perspective we see that witnesses are only necessary for short-term security and are powerless to maintain their position.
The question becomes not about bribing a witness, or performing a DDOS on a witness, but on choosing the witness.
A given set of witnesses can choose to censor the transactions that change votes. This is their only vector of attack. If they choose this route then the network goes down for a hardfork where the proxies vote on a fresh set of witnesses.
Think of the witnesses as the IT staff and the proxies as the Board of Directors of a company. If the IT staff decided to go rogue they would be fired and the BOD would simply replace them.
All that is necessary is to have a contingency plan in place in the event that the witnesses go rogue. A plan that is decided in advance and whose execution can be independently validated by everyone.
Imagine if at any time a block can be produced that is a consensus in itself and this block can build off of any block after the last checkpoint. Imagine that this block has the power to completely change the blockchain parameters including the elected witnesses. Imagine if a block containing the signatures of accounts that collectively vote for more than 50% of the stakeholders could overwrite a block produced by witnesses.
What we need for security is a DECISION MAKING PROCESS more than anything else. We need an adaptive and responsive system. We need a diverse set of unpaid decision makers that the majority trust with their proxy votes.
If we had 101 accounts that collectively controlled 2/3 of all voting power (via proxy) then the power structure of the network would effectively be:
1. Witnesses are the Executive Branch
2. Committee members are the Senate (1 vote per seat)
3. Proxy members are the House (weight proportional to population)
In the event the executive branch goes rogue we merely need to "hold an election", which can be done via the Senate (easiest), via Proxy Members (next easiest) or via direct voting. Once the votes are cast a new set of witnesses is elected and the network can proceed as always.
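The proxy structure described above (one account holding most of the delegated stake, and a ">50% of stake" block that can override the witnesses) can be modelled directly. This is an added example with a constructed ledger, not code from the original post or from any DPoS codebase; the account names, stake amounts and the proxy-depth cap are assumptions.

```python
"""Stake-weighted proxy voting model: who actually holds the voting power?

Constructed example. It resolves proxy chains to find each voter's effective
weight, then checks whether a set of signing accounts collectively controls
more than a threshold of all stake, as the post's ">50% override block" would.
"""
from collections import defaultdict

# Constructed ledger: account -> stake (the "raw energy" of the post).
STAKE = {"alice": 400, "bob": 200, "carol": 150, "dave": 100, "eve": 150,
         "bigproxy": 0}
# Constructed proxy table: account -> account it delegates its vote to.
PROXY = {"alice": "bigproxy", "bob": "bigproxy", "dave": "carol"}


def resolve_proxy(account, proxy, max_depth=4):
    """Follow the proxy chain to the account that actually casts the vote.

    Stops at a cycle or at max_depth (assumed cap on chain length), returning
    the last account reached so no stake drops out of the tally.
    """
    seen = {account}
    current = account
    for _ in range(max_depth):
        nxt = proxy.get(current)
        if nxt is None or nxt in seen:
            break
        seen.add(nxt)
        current = nxt
    return current


def effective_power(stake, proxy):
    """Map each voting account to the total stake it controls via proxies."""
    power = defaultdict(int)
    for account, amount in stake.items():
        power[resolve_proxy(account, proxy)] += amount
    return dict(power)


def controls_majority(signers, stake, proxy, num=1, den=2):
    """True if the signers' combined effective stake is strictly greater than
    num/den of total stake (num=1, den=2 is the post's '>50%' rule)."""
    power = effective_power(stake, proxy)
    total = sum(stake.values())
    held = sum(power.get(s, 0) for s in set(signers))
    return held * den > total * num


if __name__ == "__main__":
    # bigproxy ends up with 600 of 1000: one compromised key moves the majority.
    print(effective_power(STAKE, PROXY))
    print(controls_majority(["bigproxy"], STAKE, PROXY))      # True
    print(controls_majority(["carol", "eve"], STAKE, PROXY))  # False
```

The tally shows why 1001 witnesses behind one proxy is an illusion: the signature of a single account already clears the override threshold, while every direct voter combined does not.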
What does all of this mean? It means that we should be focused more on defining a solid set of representatives to serve as active proxy voters that are in the best position to evaluate how many witnesses and committee members are necessary to secure the network. Having effective and timely voting will do more to improve network security than a 5x or 10x increase in the number of witnesses.
Remember that in evolution, it isn't the strongest that survive but the most adaptable. Create a system that cannot adapt and it will easily be taken down.
Consider Bitcoin: it cannot even reach consensus on block size, so how would the network recover if all publicly available mining pools were shut down or compromised? All of a sudden it isn't profitable to solo-mine and there is no recourse.
View witnesses as mining pools that are easily changed and hard to shut down.
Every day there is a new debate about decentralization, and every time that debate quickly loses sight of all perspective. Everyone wants a system that is "secure", whatever that means. Everyone wants a system that is "cheap", "fast", and "reliable" as well.
The problem is that everyone has different definitions of terms and different threats they are concerned about. There are as many variables to security as there are types of security and vectors of attack. If we are not careful then we spend millions of dollars building a moat and castle wall so we can feel secure, only to have the castle taken down from the air, by siege, or by some other attack vector.
The debate about how many witnesses a network has is meaningless without a proper discussion of the *type* of security witnesses provide and how they provide it. Collectively witnesses exist to establish a consensus on an irreversible transaction history and testify about the relative value of assets in the system. Technically the witnesses are not where the consensus lies. Technically every other node on the network is also participating in the consensus by recording the real time broadcast of blocks by the official witnesses. Each and every one of these nodes also processes and validates all transactions.
Producing blocks is only one part of security. Providing seed nodes is another. Attacking the P2P protocol is a third. Of these three, attacking the block producers is probably the most difficult because no one knows their IP address. Attacking the seed nodes, on the other hand, could completely disable new connections. More importantly, attacking the P2P protocol could temporarily disrupt all communication among witnesses.
The more witnesses you have the more difficult it becomes to coordinate in the event that communication is disrupted. As a result increasing the number of witnesses beyond a certain point makes the network less secure.
The more witnesses you have the more difficult it becomes to vet the witnesses and hold them accountable. Once again increasing the number of witnesses has the paradoxical effect of reducing security.
To understand this from a metaphor perspective, building the great wall around all of China to protect a single house is pointless unless you are able to watch every square inch of that wall all of the time. Building a similar wall around 1 acre would be far more effective. Walls only slow down attacks, they don't prevent them. Having 1 million witnesses means that no one will notice when 500,001 of them fall under control of one entity. There is simply too much to track.
There are several different kinds of attacks that must be specifically addressed:
1. Censorship
2. Changing History
3. Denial of Service
4. Denial of Connection
All blockchains can be completely shut down by IP/PORT filtering of all public nodes. If the network were attacked by a botnet that connected 100K nodes it would dwarf the size of even the Bitcoin network. These nodes could then perform all kinds of attacks. A 100K botnet is cheaper than mining power.
In conclusion I would like to suggest that having an abundance of witnesses is like wearing a gas mask every day just in case your home gets raided with tear gas. Instead what we do is keep a gas mask handy, "just in case", but we don't wear it every day. Likewise, we keep the ability to increase the number of witnesses "just in case", but it is pointless to obsess over this.
This leaves only ONE argument that holds any water: perception matters more than reality.
Just because we recognize the futility of hiding under our desks in the event of a nuclear attack does not mean that millions of kids don't feel more comfortable.
So my counter-argument is that the perceived importance of attracting the more-is-better audience is likely overestimated. Most people simply don't care so long as the system appears to work and is reliable.