Breaking the chain sompolinsky

Breaking free from the chains of blockchain protocols Yonatan Sompolinsky

joint work:

Aviv Zohar, Yoad Lewenberg

The Hebrew University, Jerusalem Israel

Our daydream for Bitcoin ◉

long-term vision. several orders of magnitude increase in transaction volume (many MB per sec) ◉

transactions confirmed quickly (~1 sec) ◉

highly secure

This work ◉

a new family of blockchain protocols ◉

makes use of ordinary Bitcoin blocks

◉

- orthogonal to “offchain” solutions scalable

Public ledger under high throughput C1

Genesis block

D1

E1

D2 A

B1

C2

C3

D3

E2

D4

E3

D5

F1

networkâ&#x20AC;&#x2122;s longest chain flow of time

Double-spending attacker publishes blocks after confirmation tx reversed A

B1

honest tx

doublespend

B2

B

D1

E1

F1

D2 C2

D3

E2

D4

E3

C3

D5

C4

D6

E4

flow of time

F2

G1

Censorship to prevent confirmation, attacker publishes empty blocks fast B

D1

E1

F1

D3

E2

F2

D4

E3

D2 A

B1

C2

C3

D5

G1

Delayed-Acceptance to prevent confirmation, attacker helps weaker chains to survive B

D1

E1

F1

E1

D6

E4

D3

D6

D4

E3

D2 A

B1

C2

C3

D5

F1

Security thresholds under high throughput

doublespending

censorship

delayedacceptance

longestchain

50% 50% 50%

GHOST

ideal

50%

does an ideal protocol exist?

INSIGHT

â&#x20AC;&#x153;chainlessâ&#x20AC;? protocols.

1. to avoid vulnerability, all blocks participate in tx confirmation.

2. agreeing on the order of incoming transactions is enough.

From chains to DAG

◉

acknowledge all predecessors ◉

ledger becomes block chain DAG ◉

need to define new consistency rules ◉

more complex, more powerful

A

B1 B2

C1

D1 D2

Consistency via linear ordering

observation: a linear ordering of blocks in DAG induces natural consistency

A

B1

C1

B2 block DAG

D1 D2

A

B2

B1

C1

linearized block DAG

D2

D1

Consistency via linear ordering

a “good” order should be resilient to revision. now implies ◉

◉

with high probability: no cutting in line:

later

published earlier than implies

not easy to satisfy - naïve protocols are manipulable

New protocol the order on a given DAG is decided by all blocks voting. 1. for each pair a) block

that knows

(base case: b) block

vote between votes

or

and

(or both): compute vote recursively for all

that knows neither

that it does not know)

nor : compute vote by majority of

blocks in ’s future

2. linearize pairwise votes via the “Schulze Method” ◉

under no delays coincides with longest-chain/GHOST ◉

provably correct

every new block runs protocol on its world-view

E

Genesis

F

case #1: E or F are in past(C) infer Câ&#x20AC;&#x2122;s vote via recursion

E

Genesis

F

C

case #1: E or F are in past(C) infer Câ&#x20AC;&#x2122;s vote via recursion

E

Genesis

F