Betting on Consensus with Fantômette
Sarah Azouvi, Patrick McCorry, Sarah Meiklejohn
University College London
CESC 2018, SF, October 11 2018

Bitcoin vs Traditional Consensus
• Open, participants unknown
• One message broadcast per round
• Incentives at the core of its security
• High energy consumption

Blockchain without PoW?
• Proof-of-stake: computation stake
• Can we get the same guarantees?
• Problems: nothing at stake, grinding, long range attacks
• Proposed solutions: PBFT style (e.g. Algorand), cryptographic (e.g. Ouroboros, Snow-White)
• Incentives rarely considered

Incentives matter

Model
• Rational Players
• Byzantine (Malicious) Players
• Coalitions

Model: BAR Model
• Byzantine
• Altruistic
• Rational

Model: BAR Model
• Robustness
• Resilience
• Immunity

Model
• Chain growth
• Chain quality
• Common prefix

Fantômette Overview
Leader Election
• Instead of PoW: leader election
• Publicly Verifiable Proof of Eligibility
• One block elects at least one leader
Betting Scheme
• Use incentives to move away from BFT-style

Fantômette Continuous Leader Election
• Fair (Chain quality)
• Unpredictable
• Privately unpredictable
• Liveness

Fantômette Continuous Leader Election
• Random beacon: pseudo-randomly generated number associated with each block
• Initial Random Beacon
• Verifiable Random Function < target?
• Verifiable Delay Function -> liveness

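Added example (not from the talk or the Fantômette paper): a sketch of the "Verifiable Random Function < target?" check with a publicly verifiable proof of eligibility. The slides do not name the VRF construction, so a textbook RSA full-domain-hash VRF with a toy key is assumed here; all function names, the key and the beacon value are constructed for illustration.

```python
import hashlib

# Toy RSA key (assumption for the demo): two Mersenne primes, far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the participant


def _h(data: bytes) -> int:
    """SHA-256 of the input, read as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def vrf_prove(d: int, n: int, beacon: bytes) -> int:
    """Proof = deterministic RSA signature on the hashed beacon (needs the private key)."""
    return pow(_h(b"fdh" + beacon) % n, d, n)


def vrf_output(proof: int) -> int:
    """256-bit pseudo-random value derived from the proof."""
    return _h(b"out" + proof.to_bytes(32, "big"))


def vrf_verify(e: int, n: int, beacon: bytes, proof: int) -> bool:
    """Anyone holding the public key (e, n) can check the proof against the beacon."""
    return 0 <= proof < n and pow(proof, e, n) == _h(b"fdh" + beacon) % n


def is_eligible(e: int, n: int, beacon: bytes, proof: int, target: int) -> bool:
    """Public eligibility check: valid proof AND VRF output below the target."""
    return vrf_verify(e, n, beacon, proof) and vrf_output(proof) < target


if __name__ == "__main__":
    beacon = b"constructed-beacon-of-parent-block"  # constructed sample value
    proof = vrf_prove(D, N, beacon)
    target = 2**256 // 4  # roughly one in four outputs falls below this
    print("valid proof:", vrf_verify(E, N, beacon, proof))
    print("eligible   :", is_eligible(E, N, beacon, proof, target))
    print("forged     :", is_eligible(E, N, beacon, (proof + 1) % N, 2**256))
```

Because the proof is a deterministic function of the private key and the beacon, a participant cannot retry for a better output on the same beacon, and other nodes can reject a claimed leader whose proof does not verify.
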
Fantômette
• blockDAG (PHANTOM, Sompolinsky & Zohar)
• A block bets on its parent block
• A block references other blocks
[Figure: blockDAG with a genesis block and blocks A, B, C; label: Notion of chain]

Fantômette
• More connection = better score
• Break tie with the random beacon
• Can only reference blocks with smaller score
[Figure: blockDAG with blocks G, A, B, C, D; label: Main chain grows faster]

Fantômette
[Figure: blockDAG with blocks G, A, B, C, D, then E and F added]
• Reward connectivity
• Punishment if not well connected

Security: Robustness
• Incentive to reference other blocks
• More likely to win when following the protocol
• Publish block as fast as possible to get more references

Security
• Chain Growth
• Convergence
• Score of the main chain grows faster
• Common prefix
• Chain quality
• Fair leader election

Decentralized Checkpointing
[Figure: genesis block followed by blocks X1 ... Y1, Z1 and X2 ... Y2, Z2, with two "2/3+" labels; label: Candidate Blocks]
• x1 and x2 are justified
• x1 and x2 are finalized

Simulations
[Figure panels: payoff for altruistic players; payoff for coalition of rational players; payoff for coalition of Byzantine players]

Simulations
[Figure panels: Longest fork; Chain Quality]

Conclusion
• blockDAG: enforce accountability
• Incentivize rational players to follow the protocol
• Leverage incentives to obtain a blockchain-type PoS consensus

Fantômette pre-print: https://arxiv.org/abs/1805.06786
Questions?
sarah.azouvi.13@ucl.ac.uk
@SarahAzouvi