A related trilemma is that you can't have laws, privacy, and decentralization. To enforce laws decentrally, everyone has to know your identity and transactions. ZK proofs can greatly improve privacy but at a bandwidth cost as number of laws & identities increase.
The 3 column headings are the 3 things that require BW. My table uses the language of each of the trilemmas to show they can fall into the 3 columns. It's harder to see the connection to CAP theorem because it's about a hit-or-miss voting. Ben Franklin's safety and liberty shift from talking about arms to freedom from tyranny. But this is OK because both were a threat to the voting process.
--
Correct Consensus
Payload/time
Decentralized
Scalability Trilemma
Secure
Scalable
Decentralized
DCS Triangle
Consistent
Scalable
Decentralized
Tradeoff Triangle
Low byte overhead to get secure correctness
Low Latency
Many nodes
CAP Theorem
Proof of largest Partition of Consistent votes
Available
Many nodes
Here is a first-approximation in using the 3 columns to claim the trilemmas are equivalent and quantifiable.
secure scalable decentral < average voting node's max BW
The "<" indicates the source of the trilemma. The left side can't do more than what the right side allows. The average node's BW is the fundamental limit on the trilemmas. The easiest & quickest way to explain this more fully is to show the units:
"Bytes" here is the number of bytes necessary to prove secure consensus in a voting round plus the number of bytes of data being agreed upon (the "payload" of the consensus). These two categories of bytes will be broken up in a more complete equation for a wider range of consensus protocols..
Assigning a variable to each column:
B = secure = consensus_Bytes/node/round
V = scalable = Velocity = rounds/second.
N = decentralized = number of voting nodes
BWmax = Typical node's max bytes/second
So I have:
B * V * N < BWmax
This equation indicates 2x more nodes means you have to reduce V or B to 1/2 which would be a very inefficient protocol. Consensus protocols are capable of reaching consensus on just the hash of a payload and nodes thereby only need to receive the payload from 1 node and send it to 1 node. I need to break apart the bytes needed for secure consensus and the bytes needed for the PayLoad (transaction). This gives me:
(B*N+PL)*V < BWmax
B*N implies a very simple protocol where every node communicates with every other node equally to know consensus is reached. [ Here begins an important tangent on the meaning of "decentralization". ] It implies a very inefficient protocol that requires every node to collect every vote directly from every other node. This may be the only way to prove perfect decentralization without any tradeoff. More efficient protocols are B[N], a complex function of N. For example, the BW requirements for reaching consensus in POW mining is completely independent of N. Nodes only need to see a single hard-to-find hash to know they have a winning block. But POW does not give any evidence or enforcement of decentralization. But neither does it need any decentralization because the security assumptions are that the mining equipment is non-repurposable (has no other way to earn profits) and that miner(s) is/are profit-driven. I don't think proving or enforcing any decentralization is possible in permissionless voting. Even if you can prove different people are voting, you can't prove they are "of a different mind" (aka acting independently). All we can do is show the incentives encouraged honesty, not independence. A central authority could identify and give permission to a closed set of independent voters and then a consensus protocol could be used to prove they all voted. But this relies on the pre-consensus work of the central authority to claim they were independent.
Re-defining my terms for the above improvement:
B = bytes required for proof of correct finality per voting round per node
V = Velocity = rounds/second/node = low latency = fast finality ~ CAP's Availability
V*PL = scalability in bytes/second/node
N = number of voting (or lottery ticket) nodes participating in the consensus. For simplicity, my discussion assumes each voting node has equal voting power (such as mining hashrate or stake). Equal voting weight makes N a better metric for "decentralization".
BWmax = max effective bandwidth available at the "average node" = bytes/second/node. The effective BWmax is lowered by off-line validation delays. The trilemmas rarely mention BWmax but it is their core. They unconsciously assume it is a constant.
Checking my units:
( ( bytes/round/node ) * nodes + bytes/round ) * rounds/sec/node < max bytes/sec/node
Why PL is not a function of N.
Briefly put, by sacrificing the confirmation time for any particular tx, the BW requirement for a given PL can be made independent of N. See last section of this article for an example. BTC does this: txs spread on the order of seconds whereas B takes milliseconds. Transferring a PL block of data mainly only needs to be done once to each N, but confirming that all N agree requires B*N or B[N]. During network "echos" of all N trying to agree using a small B, nodes can have a lot of BW going unused, waiting on agreement to occur. They can use the down-time to transmit the PL for the next round. B usually confirms the PL that was accumulated in the prior round. Being able to use the idle BW is why we use PLs. To get the fastest confirmation time on a tx without wasting any benefit of using a PL, we want all the PL to be transferred during the "consensus downtime" of the previous block (and no other), so we want block time = 1/V = (PL/B[N]+1) * S where S = seconds it takes to form consensus for B.
More Discussion of B*N
B*N implies the required B bytes of proof linearly increase with the number of nodes N. This is the case only for the simplest, most decentralized, most inefficient protocol that requires every node to collect every vote directly from every other node. For a given consensus mechanism, B*N may be a more efficient complex function of N, the topology of how the nodes are distributed, and the distribution of voting weights among the N. B*N also depends on propagation delays "d" that may be a complex a function of N, the network topology, and other things. So B*N should actually be B[M,N,i,d,t] meaning the bytes required for proof of correct consensus are a function of all these things.
POW is remarkable in that the B overhead of 80 bytes in a header seems independent of N. If it were precisely true, it would would mean the triangles with a "decentralization" requirement do not apply. The equation needs to be modified to be:
(80+PL)*V < BWmax
But if there is an orphan rate of 1%, the POW's effective B is B/0.99. It takes more B bytes/node of communication to recover from learning your block was not on the side of the largest partition of votes (hashes aka lottery ticket purchases). The orphan rate increases if the mining (voting) nodes are very large in number, have equal hashrate, and are more widely dispersed to the edges of the network of miners. So B remains at least partially a function of N. I'll express the orphan rate as some O[N] function of N that varies from 0 to 1.
(80/(1-O[N])+PL)*V < BWmax
As an example use of this equation, notice 80 bytes is small compared to a >2MByte PL and not multiplied by N, there's no good reason to make V as slow as 1/600 and many subsequent coins chose not to. The PL could be lowered as V is raised.
[ It's September 25, 2021, a year after I wrote the first drafts of the above. I've just completed re-reading it and made a lot of improvements to make it more understandable. I've run out of stamina, unable to slog through the rest of this. Good luck on what follows. ]
To summarize the following 6 paragraphs
POS and POW have a theoretically equal level of security*scalability*decentralization for a given transaction bandwidth (PL*V), but the decentralization is apparently not needed (if it's even present today), potentially tilting the balance in favor of POS by motivating equipment that makes bandwidth more efficient.
Imagine a simple and impractical POS system where there is a large number of staking nodes with small stake (very decentralized) and each staking node approves a block only if it receives >N/2 cryptographically signed stake-weighted votes on a particular block (cryptographically signed to avoid the larger >2/3*N requirement). I'll ignore the small (C+P) needed to first register these participants for an epoc of rounds. B for every voting node to collect the votes is then proportional to N as in the original equation. The BW load would be enormous, requiring staking nodes to have a large equipment and energy expenditure, supported by fees. The solution is to centralized into staking pools, not unlike mining pools. But POW does not fundamentally need pools to avoid a similarly massive penalty in BW. In other words, to some extent, POW's off-network waste on equipment and energy is a substitute for the waste POS would have if it were capable of the same level of decentralization. I doubt any POS could have the same level of decentralization as this simple POS (w/o a similar cost in BW). This theoretical equivalency in POW & POS is not spurious because receiving, sending, and validating signatures requires equipment & energy and is similarly susceptible to Moore's law as POW. If the reward+fees are the same for this POS as POW, the presence of Moore's law (if it applies as well to hashing as to communicating) means the BW equipment would have about the same CAPEX to OPEX ratio as POW which means it would "waste" the same amount of electricity. Not only the electricity, but the equipment used for consensus in both this POS and POW are a waste in the sense it is only being used to form consensus. The fees financing consensus are the proper metric of how much societal value is "wasted" on the consensus.
BTW, for my POS to recover as well as POW in the event of bad partitions, proof that votes were counted has to be on the chain in each block. This might be achieved by hashing each stake-weighted vote to find the lowest hash, assuming all the usual POS problems have been solved (such grinding and re-using old votes).
If a completely decentralized POS like this can be made as secure as POW, the resulting massive investment in communication equipment efficiency to count the votes would result in ASICs. Receiving, validating, and transmitting votes might be just a slightly different type of transaction (although not stored on the chain), so it might result in a much more efficient network of ASICs that could handle transactions as well as votes.
But POW and POS have no proof of (or need for) decentralization. Miners and stakers, pools or not, could choose to collude at anytime to do a 51% attack. They don't because they would lose more value in their equipment stake or coin stake than they can gain by attacks. Instead of trying to achieve the impossible proof that >50% voters are not colluding off-chain to act as a single mind, POW and POS assume they already are a single mind, a mind that places profit first. We pay them protection money which should cause some concern.
If POW and POS have no proof of decentralization, how relevant are the triangles? CAP theorem remains intact because it does not address "decentralization". Is it the only one with a proof? Is it impossible to get a proof of decentralization? We need at least some decentralization because if all the POW or POS equipment were in the same location it would be very vulnerable.
Is it possible to have a proof of network BW to replace POW and POS? This way, fees could support the network BW in addition to security. Fees could be made per byte of transaction and in this way fees are automatically proportional to the BW needed. But BW equipment is repurposable so it can't provide permissionless security like POW, so it probably requires a centralized POS system that directs funds to central servers that have high BW. For example, SPV wallets choosing a faster server and dedicating their voting stake and fees to that particular server. See last paragraph of this article.
Incorporating the effect of attacks
If A = 0 to 1 is the fraction of N nodes that are Attacking, the equation for a perfectly efficient consensus mechanism might be:
Attacker strength = infinite if A>0.5. Change 0.5 to 0.67 if votes are not digitally-signed in the POS.
Consistency is often not the priority.
The equation assumes we are dealing with something like a cryptocurrency where high B is required (a high probability that correct consensus is achieved). It should cover what is known as the CP (Consistent despite many Partitions aka nodes) and CA (Consistent and Available) cases, but not the AP case (A = high speed aka availability and P = high decentralization aka partition risk at a cost in secure consistency). For example, keeping a web page stored locally instead of checking the source every time your visit it. Another use case is Avalanche where secure consistency is lower due to possibility of Sybil and eclipse attacks if some centralized protections are not used. I need to modify the equation to allow a lower confidence in B. A lower confidence can allow for more PL, V, and N. It might require another article as long as this one to explore this.
Example of how PL can avoid being a function of N
If the nodes collect votes directly from each other as in the POS system (N^2 lines of communication), they may still communicate txs for the PL in a ring, receiving from 1 node and sending to 1 node. If N gets large the BW for each node does not increase. There are more bytes of PLs in the ring at any given moment, but if V is the same, the PL/round has not changed. V does not need to wait on all the txs to make it around the ring if it is looking at older txs. Txs will have to wait several rounds to make it to all nodes before it can be approved. So the initial equation is only about tx/s, ignoring the time needed to get a specific tx approved. "Fast finality" in my equation (high V) is only about the speed of voting rounds, not how fast a particular tx goes from a single node to network approval.
Letting stake-votes work decentrally on B while directing fees to support centralized BW for larger PL
Instead of the ring, a few high BW nodes can become sources of centralization for the efficient (fast) spread of txs (the PL) throughout the network. Notice this does not reduce the decentralization of the consensus mechanism that can avoid using the central servers because B is much smaller than PL. The central servers can hold a vote up by not sending the PL that B needs to confirm, but they can't affect the traffic of B if nodes still communicate directly for consensus. Fees in the PL can be directed to support the centralized PL nodes while nodes count each other's stake-votes directly. A VDF and difficulty algorithm would be used to select a wallet to form the block, giving POW-like permissionlessness without waste. POW waste would be used only to generate coin (since coins are supposed to be re-used indefinitely, it is not much waste). Since SPV wallets are not rewarded from the fees, "fee sniping" from lack of rewards shouldn't occur but if the majority of wallets do not want to vote like others, congealing into a 2-party system just as awful as democracy might develop.
Brewer's CAP theorem, Vlad's tradeoff triangle, Vitalik's Scalability Trilemma, and Trent's DCS triangle are different ways to express consensus goals competing for the average node's limited bytes/second bandwidth (BW).
A related trilemma is that you can't have laws, privacy, and decentralization. To enforce laws decentrally, everyone has to know your identity and transactions. ZK proofs can greatly improve privacy but at a bandwidth cost as number of laws & identities increase.
The 3 column headings are the 3 things that require BW. My table uses the language of each of the trilemmas to show they can fall into the 3 columns. It's harder to see the connection to CAP theorem because it's about a hit-or-miss voting. Ben Franklin's safety and liberty shift from talking about arms to freedom from tyranny. But this is OK because both were a threat to the voting process.
Here is a first-approximation in using the 3 columns to claim the trilemmas are equivalent and quantifiable.
secure scalable decentral < average voting node's max BW
The "<" indicates the source of the trilemma. The left side can't do more than what the right side allows. The average node's BW is the fundamental limit on the trilemmas. The easiest & quickest way to explain this more fully is to show the units:
consensus_bytes/voting_round/node voting_rounds/second nodes < bytes/second/node
"Bytes" here is the number of bytes necessary to prove secure consensus in a voting round plus the number of bytes of data being agreed upon (the "payload" of the consensus). These two categories of bytes will be broken up in a more complete equation for a wider range of consensus protocols..
Assigning a variable to each column: B = secure = consensus_Bytes/node/round V = scalable = Velocity = rounds/second. N = decentralized = number of voting nodes BWmax = Typical node's max bytes/second
So I have: B * V * N < BWmax
This equation indicates 2x more nodes means you have to reduce V or B to 1/2 which would be a very inefficient protocol. Consensus protocols are capable of reaching consensus on just the hash of a payload and nodes thereby only need to receive the payload from 1 node and send it to 1 node. I need to break apart the bytes needed for secure consensus and the bytes needed for the PayLoad (transaction). This gives me:
(B*N+PL)*V < BWmax
B*N implies a very simple protocol where every node communicates with every other node equally to know consensus is reached. [ Here begins an important tangent on the meaning of "decentralization". ] It implies a very inefficient protocol that requires every node to collect every vote directly from every other node. This may be the only way to prove perfect decentralization without any tradeoff. More efficient protocols are B[N], a complex function of N. For example, the BW requirements for reaching consensus in POW mining is completely independent of N. Nodes only need to see a single hard-to-find hash to know they have a winning block. But POW does not give any evidence or enforcement of decentralization. But neither does it need any decentralization because the security assumptions are that the mining equipment is non-repurposable (has no other way to earn profits) and that miner(s) is/are profit-driven. I don't think proving or enforcing any decentralization is possible in permissionless voting. Even if you can prove different people are voting, you can't prove they are "of a different mind" (aka acting independently). All we can do is show the incentives encouraged honesty, not independence. A central authority could identify and give permission to a closed set of independent voters and then a consensus protocol could be used to prove they all voted. But this relies on the pre-consensus work of the central authority to claim they were independent.
Re-defining my terms for the above improvement:
Checking my units: ( ( bytes/round/node ) * nodes + bytes/round ) * rounds/sec/node < max bytes/sec/node
Why PL is not a function of N. Briefly put, by sacrificing the confirmation time for any particular tx, the BW requirement for a given PL can be made independent of N. See last section of this article for an example. BTC does this: txs spread on the order of seconds whereas B takes milliseconds. Transferring a PL block of data mainly only needs to be done once to each N, but confirming that all N agree requires B*N or B[N]. During network "echos" of all N trying to agree using a small B, nodes can have a lot of BW going unused, waiting on agreement to occur. They can use the down-time to transmit the PL for the next round. B usually confirms the PL that was accumulated in the prior round. Being able to use the idle BW is why we use PLs. To get the fastest confirmation time on a tx without wasting any benefit of using a PL, we want all the PL to be transferred during the "consensus downtime" of the previous block (and no other), so we want block time = 1/V = (PL/B[N]+1) * S where S = seconds it takes to form consensus for B.
More Discussion of B*N B*N implies the required B bytes of proof linearly increase with the number of nodes N. This is the case only for the simplest, most decentralized, most inefficient protocol that requires every node to collect every vote directly from every other node. For a given consensus mechanism, B*N may be a more efficient complex function of N, the topology of how the nodes are distributed, and the distribution of voting weights among the N. B*N also depends on propagation delays "d" that may be a complex a function of N, the network topology, and other things. So B*N should actually be B[M,N,i,d,t] meaning the bytes required for proof of correct consensus are a function of all these things.
POW is remarkable in that the B overhead of 80 bytes in a header seems independent of N. If it were precisely true, it would would mean the triangles with a "decentralization" requirement do not apply. The equation needs to be modified to be: (80+PL)*V < BWmax
But if there is an orphan rate of 1%, the POW's effective B is B/0.99. It takes more B bytes/node of communication to recover from learning your block was not on the side of the largest partition of votes (hashes aka lottery ticket purchases). The orphan rate increases if the mining (voting) nodes are very large in number, have equal hashrate, and are more widely dispersed to the edges of the network of miners. So B remains at least partially a function of N. I'll express the orphan rate as some O[N] function of N that varies from 0 to 1. (80/(1-O[N])+PL)*V < BWmax
As an example use of this equation, notice 80 bytes is small compared to a >2MByte PL and not multiplied by N, there's no good reason to make V as slow as 1/600 and many subsequent coins chose not to. The PL could be lowered as V is raised.
[ It's September 25, 2021, a year after I wrote the first drafts of the above. I've just completed re-reading it and made a lot of improvements to make it more understandable. I've run out of stamina, unable to slog through the rest of this. Good luck on what follows. ]
To summarize the following 6 paragraphs POS and POW have a theoretically equal level of security*scalability*decentralization for a given transaction bandwidth (PL*V), but the decentralization is apparently not needed (if it's even present today), potentially tilting the balance in favor of POS by motivating equipment that makes bandwidth more efficient.
Imagine a simple and impractical POS system where there is a large number of staking nodes with small stake (very decentralized) and each staking node approves a block only if it receives >N/2 cryptographically signed stake-weighted votes on a particular block (cryptographically signed to avoid the larger >2/3*N requirement). I'll ignore the small (C+P) needed to first register these participants for an epoc of rounds. B for every voting node to collect the votes is then proportional to N as in the original equation. The BW load would be enormous, requiring staking nodes to have a large equipment and energy expenditure, supported by fees. The solution is to centralized into staking pools, not unlike mining pools. But POW does not fundamentally need pools to avoid a similarly massive penalty in BW. In other words, to some extent, POW's off-network waste on equipment and energy is a substitute for the waste POS would have if it were capable of the same level of decentralization. I doubt any POS could have the same level of decentralization as this simple POS (w/o a similar cost in BW). This theoretical equivalency in POW & POS is not spurious because receiving, sending, and validating signatures requires equipment & energy and is similarly susceptible to Moore's law as POW. If the reward+fees are the same for this POS as POW, the presence of Moore's law (if it applies as well to hashing as to communicating) means the BW equipment would have about the same CAPEX to OPEX ratio as POW which means it would "waste" the same amount of electricity. Not only the electricity, but the equipment used for consensus in both this POS and POW are a waste in the sense it is only being used to form consensus. The fees financing consensus are the proper metric of how much societal value is "wasted" on the consensus.
BTW, for my POS to recover as well as POW in the event of bad partitions, proof that votes were counted has to be on the chain in each block. This might be achieved by hashing each stake-weighted vote to find the lowest hash, assuming all the usual POS problems have been solved (such grinding and re-using old votes).
If a completely decentralized POS like this can be made as secure as POW, the resulting massive investment in communication equipment efficiency to count the votes would result in ASICs. Receiving, validating, and transmitting votes might be just a slightly different type of transaction (although not stored on the chain), so it might result in a much more efficient network of ASICs that could handle transactions as well as votes.
But POW and POS have no proof of (or need for) decentralization. Miners and stakers, pools or not, could choose to collude at anytime to do a 51% attack. They don't because they would lose more value in their equipment stake or coin stake than they can gain by attacks. Instead of trying to achieve the impossible proof that >50% voters are not colluding off-chain to act as a single mind, POW and POS assume they already are a single mind, a mind that places profit first. We pay them protection money which should cause some concern.
If POW and POS have no proof of decentralization, how relevant are the triangles? CAP theorem remains intact because it does not address "decentralization". Is it the only one with a proof? Is it impossible to get a proof of decentralization? We need at least some decentralization because if all the POW or POS equipment were in the same location it would be very vulnerable.
Is it possible to have a proof of network BW to replace POW and POS? This way, fees could support the network BW in addition to security. Fees could be made per byte of transaction and in this way fees are automatically proportional to the BW needed. But BW equipment is repurposable so it can't provide permissionless security like POW, so it probably requires a centralized POS system that directs funds to central servers that have high BW. For example, SPV wallets choosing a faster server and dedicating their voting stake and fees to that particular server. See last paragraph of this article.
Incorporating the effect of attacks If A = 0 to 1 is the fraction of N nodes that are Attacking, the equation for a perfectly efficient consensus mechanism might be:
(B*0.5/max(0,(0.5-A))+PL)*V < BWmax ( POW ) (B*N*0.5/max(0,(0.5-A))] + PL)*V < BWmax (Simple, super-decentralized POS)
Attacker strength = infinite if A>0.5. Change 0.5 to 0.67 if votes are not digitally-signed in the POS.
Consistency is often not the priority. The equation assumes we are dealing with something like a cryptocurrency where high B is required (a high probability that correct consensus is achieved). It should cover what is known as the CP (Consistent despite many Partitions aka nodes) and CA (Consistent and Available) cases, but not the AP case (A = high speed aka availability and P = high decentralization aka partition risk at a cost in secure consistency). For example, keeping a web page stored locally instead of checking the source every time your visit it. Another use case is Avalanche where secure consistency is lower due to possibility of Sybil and eclipse attacks if some centralized protections are not used. I need to modify the equation to allow a lower confidence in B. A lower confidence can allow for more PL, V, and N. It might require another article as long as this one to explore this.
Example of how PL can avoid being a function of N If the nodes collect votes directly from each other as in the POS system (N^2 lines of communication), they may still communicate txs for the PL in a ring, receiving from 1 node and sending to 1 node. If N gets large the BW for each node does not increase. There are more bytes of PLs in the ring at any given moment, but if V is the same, the PL/round has not changed. V does not need to wait on all the txs to make it around the ring if it is looking at older txs. Txs will have to wait several rounds to make it to all nodes before it can be approved. So the initial equation is only about tx/s, ignoring the time needed to get a specific tx approved. "Fast finality" in my equation (high V) is only about the speed of voting rounds, not how fast a particular tx goes from a single node to network approval.
Letting stake-votes work decentrally on B while directing fees to support centralized BW for larger PL Instead of the ring, a few high BW nodes can become sources of centralization for the efficient (fast) spread of txs (the PL) throughout the network. Notice this does not reduce the decentralization of the consensus mechanism that can avoid using the central servers because B is much smaller than PL. The central servers can hold a vote up by not sending the PL that B needs to confirm, but they can't affect the traffic of B if nodes still communicate directly for consensus. Fees in the PL can be directed to support the centralized PL nodes while nodes count each other's stake-votes directly. A VDF and difficulty algorithm would be used to select a wallet to form the block, giving POW-like permissionlessness without waste. POW waste would be used only to generate coin (since coins are supposed to be re-used indefinitely, it is not much waste). Since SPV wallets are not rewarded from the fees, "fee sniping" from lack of rewards shouldn't occur but if the majority of wallets do not want to vote like others, congealing into a 2-party system just as awful as democracy might develop.