Alternative Consensus Algorithms. Murat Osmanoglu

Transcription

1 Alternative Consensus Algorithms Murat Osmanoglu

2 Bitcoin Block i-1 Block i Block i+1 Hash i-2 Nonce i-1 Hash i-1 Nonce i Hash i Nonce i+1 tx tx tx tx tx tx tx tx tx tx tx tx

3 Do you really need a Blockchain? Do you need a shared, consistent data store? Does more than one entity need to contribute the data? Data records, once written, are never updated or deleted? Sensitive identifiers wont be written to the data store? BC provides a historically consistent data store. If you don t need that, use or spreadsheets If your data comes from a single entity, use a database Blockchains don t allow modifications of historical data, if you don t need, use database Blockchain is not the proper place to write sensitive information, even if it s encrypted, Encrypted database Are the entities having a hard time deciding who controls the data? Do you want a tamperproof log of all writes to data store? You may have a blockchain! If there are no trust or control issues over who runs the data, use managed database If you don t need to audit what happened and when it happened use a database

4 Forms of Government Democracy Autocracy rule of the one Oligarchy rule of the few Democracy rule of the majority

5 Democracy Forms of Government Autocracy rule of the one autos(self) + kratos(to rule) Oligarchy rule of the few oligos(few) + arkho(to rule) Democracy rule of the majority demos(people) + kratos(to rule)

6 Democracy best way to ensure that an organization serves the interests of all its members fairly and equitably is to spread the ultimate power of decision and action evenly among all of its members but how the agreement be achieved on making rules or taking actions in the case of inevitable disagreements, conflict of interest, and varying levels of time, knowledge, and abilities among members voting is the key component in decision-making voting used for the purpose of making decisions or electing representatives? direct democracy and representative democracy

7 Democracy Direct Democracy to ensure maximum equality and fairness, all members for an organization should directly get involved in all important decision-making processes may not be possible for big organizations such as state or country Even if is feasible, it may not be desirable there is a wide variance in knowledge, interests, and abilities among the members of an organization. if the influence of each member is equal, the effective wisdom of collective may not be better than the average even it can be worse than average if that is the aggregation of conflicting policies

8 Representative Democracy Democracy relatively small number of people are elected by the members to make decisions on their behalf it creates stability or cohesiveness of policy but a powerful minority may take over the power for a long period of time it may promise proportional representation along certain lines (geographic), but may also incline disproportionalities along different lines (ethnic, racial, gender) full-time positions for the representatives (nothing for the losers), smaller body is less costly to maintain, and more efficient to act larger body is better to establish close relationship between the members and the representatives, and better in terms of reflecting the overall decision

9 Democracy Delegative Democracy (or Liquid Democracy) The members of the organization should have the widest possible direct choice of representatives They may build close relationships with their representatives No specific limit on the number of representatives Delegates don t have to compete with each other as in representative democracy They may compete to get votes from the members, but they don t win or loose seats As a member, there is no need to study candidates or party programs, just delegating your vote to someone you trust

10 Democracy Delegative Democracy (or Liquid Democracy) is there any upper bound for the number of members a delegate can represent? How do we maintain such body?(the cost of the maintenance?) How do we implement the voting process? How do we implement the decision-making process among the delegates?

11 Delegated Proof of Stake (Ouroboros) to be able to create blocks, stakeholders must be online, but this is not attractive for the one having small stake to be able generate fresh randomness for the leader election, majority of the elected stakeholders should participate in MPC protocol, that creates a strain on the network stakeholders will authorize other stakeholders to create blocks on their behalf and to represent them in leader election a delegate may join in the protocol only if he represents a number of stakeholders whose stake exceeds a given threshold Setting a threshold value avoids the fragmentation attack that aims to increase the delegate population in order to damage the performance

12 Delegated Proof of Stake (Ouroboros) any stakeholder can authorize a delegate to generate blocks on his behalf by utilizing a proxy signature scheme proxy signature enables someone (original signer) to delegate another one (proxy signer) to sign messages on his behalf, in case of temporal absence, lack of time, or computational power to limit the block generation power of the delegate to a certain range (slots or epoch), the stakeholder can put a limit on the message space the proxy can only sign the message ending with a slot number sl j

13 Delegated Proof of Stake (Larimer) every participant may delegate his voting power to a representative. top 100 representatives holding the total votes take turns to generate the next 100 blocks on defined schedule all representatives earn equal amount of money which is 10% of the transaction fees included in the average block if one of the representatives do not produce block, then this slot is skipped, and the protocol will continue with the next representative

14 Delegated Proof of Stake (Larimer) every wallet has a preference window that enables users to choose one or more representatives to vote once decided, user creates a transaction to transfer votes to the representative without a fee users can also monitor their representatives through their wallet, and change them according to the performance as long as more than half of the scheduled 100 blocks are produced after a transaction is broadcasted, then this transaction assumed to be on the majority fork.

15 Delegated Proof of Stake (Larimer) any transaction approved by even one of the representative can be included in the ledger in less than 30 min (block produced in 30 seconds) so none of the representatives can benefit by excluding transactions that for the other representatives top 100 are given equal weight regardless of votes delegated to them. One representative may control multiple representatives, even more than half since the votes may not be distributed equally. it can quickly be identified, and eliminated

16 Proof of Space (SpaceMint) to create a block, miners invest disk space instead of computing power dedicating more disk space means higher chance to create a block once the dedicated space is initialized, the cost of mining is marjinal a few disk accesses with minimal computation even if the reward is much smaller than the cost of buying disk space for mining, space still be dedicated towards mining unused disk space is available on many personal computers most mining is currently done by specialized ASICs, and they have no use other than Bitcoin mining. No such devices required for PoSpace a simple idea can be applied to Bitcoin to avoid mining pools : instead of applying the hash function to a nonce directly, it will be applied to the signature of the nonce (similar idea can be adapted to SpaceMint)

17 Proof of Space (SpaceMint) Prover At the initialization, prover stores some data F of size N Verifier At the initialization, verifier keeps only small piece of information S about F At any time later, verifier initialize a proof execution phase At the end, verifier outputs reject or accept we demand that verifier is highly efficient in both phases, and prover is highly efficient in the execution (generating the proof) and in the access to F be careful; a cheating prover can delete F after initialization

18 Graph Pebbling Proof of Space (SpaceMint) consider a directed acyclic graph G = (V E) every vertex is associated with a value w(v) in {0,1} L v 1 v 2 w(v 2 ) = H(v 2, w(v 1 )) v 5 w(v 5 ) = H(v 5, w(v 2 ), w(v 3 ), w(v 4 )) w(v 1 ) = H(v 1 ) v 3 v 4 w(v 3 ) = H(v 3, w(v 1 )) w(v 4 ) = H(v 4, w(v 2 ), w(v 3 )) Parameter : G = (V, E) s.t. lvl=n, D is efficiently samplable distribution over vertices First prover creates S=w(V) and a short proof λ from S, then keeps the graph and gives λ to verifier Verifier samples a subset CçD, and gives C to P Prover creates an answer A=w(C) for C Verifier accepts if A is compatible with λ

19 Hash Trees for Graph Pebbling Proof of Space (SpaceMint) v 1 v 2 v 3 v 4 v 5 v 6 v 7 v 8 x 1 x 2 x 3 x 4 x 5 x 12 x 34 x 56 x 1234 λ x a = H(v a ) x ab =H(x a,x b ) x abcd =H(x ab, x cd ) λ = H(x 1234,x 5678 ) x 6 x 7 x 78 x 5678 Prover creates hash tree and sends λ to verifier Verifier sends a challenge, for instance v 3, to prover Prover sends x 3 together with x 8 {x 4,x 12,x 5678 } to verifier Verifier accepts if If H is collusion-resistant, then prover must keep all the data to be able to provide valid proof λ=h(h(x 12,H(x 3,x 4 )),x 5678 )

20 Challenges Proof of Space (SpaceMint) Proof of Space requires interactions, it s hard to adapt it to the blockchain settings Generating a PoSpace is computationally cheap. It needs some clever way to decide which of many proof wins a miner should learn if he is a winner without any interaction nothing-at-stake : if mining is computationally cheap, then miners can mine on multiple chains, or try to create many different blocks with a single proof slows down consensus gives chance to cheating miners to get a greater reward enables double-spending attacks by someone controlling less than 50% of the space

21 Construction Proof of Space (SpaceMint) a miner joins the network by announcing its space commitment (pk, λ) via a special transaction. Genè(pk,sk), Init(pk,N)è(S,λ) where N is the size of the space in terms of bits that the miner contributes to the mining effort PC SC Block i Block i+1 Hash i Sig i Tran i Hash i+1 Sig i+1 Tran i+1 Hash i : current block index i miner s signature on Hash i-1 a space proof that contains pk Sig i : current block index i miner s signature on Tran i miner s signature on Sig i-1 Tran i : current block index i list of transactions Once an honest miner adds a new block to the chain, the transactions up to this block cannot be changed, even by someone that holds all secret keys of the miners that added all the previous blocks.

22 Construction three types of transactions : Proof of Space (SpaceMint) - regular payments : has the form tx = (payment, txid, in, out) where txid is a unique ID (no two tx in the blockchain can have same ID in is a list of input coins, in = (in 1,,in n ) where in j = (txid j,k j,sig j ) such that k j is an index that indicates the sender of txid j out is a list of output coins, out = (out 1,,out m ) where out i =(pk i,v i ) such that - space commitments : has the form tx = (commit, txid, (pk, λ)) where Init(pk,N) è(pk, λ) - penalties : has the form tx = (penalty, txid, pk, prf) pk is the public key of the transaction creator prf is the proof indicating that two blocks of same index signed by the same signer For regular payments; all signatures must be valid, any subsequent transaction must be used only one time in the blockchain(double-spendin), and the sum of the input values should be at least the sum of the output for the acceptance of tx

23 Construction Proof of Space (SpaceMint) Mining : - extract the hash value of the last block in the best chain so far, and a challenge c which is used to derive two long random strings C u, C v - compute challenges Chal(n,u,C u ) = (c 1,,c u ) - compute the proof of space a = (a 1,,a u ) - compute the quality Q(pk,λ,c,a) of the proof - if the quality is high enough (there is a realistic chance to be the best proof in that period), compute the proof of correct commitment b = (b 1,,b v ), create a block, send the block to the network

24 Construction Proof of Space (SpaceMint) Mining : - extract the hash value of the last block in the best chain so far, and a challenge c which is used to derive two long random strings C u, C v - compute challenges Chal(n,u,C u ) = (c 1,,c u ) How do we create this challenge? - (i-1)th compute block the can proof be of used space to derive a = (a 1,,a that u ) challenge, but it can slow down the consensus. - compute there may the quality be many Q(pk,λ,c,a) chains; rational of the miners proof can create different challenges for different chains, and try to create - if proofs the quality for different is high enough chains (there since it is is a easy realistic to do chance it to be the best proof in that period), compute the proof of correct commitment b = (b 1, Derive the challenge from the hash of block i Δ,b v ), create a block, send the block to the network the probability of multiple chains surviving for more than Δ blocks decreases exponentially

25 Construction Proof of Space (SpaceMint) Mining For : a set of valid proofs π 1 =(pk 1,λ 1,c 1, a 1 ),, π m =(pk m,λ m,c m, a m ), Q(π i ) should be defined in a way that the probability that π i has - extract the best the quality hash among value πof 1,, the π m last corresponds block in the to ith best miner s chain so far, and a challenge fraction of c which the total is used space to in derive the network, long which random is strings C u, C v N i / (N N m ) - compute where N challenges Chal(n,u,C u ) = (c 1,,c u ) i is the space committed to λ i - compute the proof of space a = (a 1,,a u ) - compute the quality Q(pk,λ,c,a) of the proof - if the quality is high enough (there is a realistic chance to be the best proof in that period), compute the proof of correct commitment b = (b 1,,b v ), create a block, send the block to the network

26 Nothing-at-Stake Grinding: Proof of Space (SpaceMint) - In PoSpace, it s computationally easy to generate proofs. So, miners can work on many different blocks (just try different transactions) till finding a good one that will allow them to generate good proofs for future - the challenge is derived from proof chain that does not contain transactions. Thus, a prover can create at most one valid proof per challenge Mining on mutiple chains: - In PoSpace, it s computationally easy to generate proofs. So, miners can work on all known chains in parallel to increase their profits, even to try double-spending and selfish-mining. - the challenge is derived the hash of block i Δ, and for any challenge there is a single proof. Besides, the protocol imposes a penalty via the penalty transactions (half of the reward for bad block is given to the creator of the penalty transaction, and other half is diminished)