timo hanke, mahnush movahedibpase 2018 • 5 goal fast consensus (5 seconds) scalability (1m...

BPASE 2018 • JAN. 26, 2018

Timo Hanke, Mahnush Movahedi

BPASE 2018 • 2

GOAL

BPASE 2018 • 3

GOAL

Fast Consensus (5 seconds)

Scalability (1m participants)

Randomness

Security (provable)

PoS blockchain consensus providing

BPASE 2018 • 4

GOAL



Randomness

Security (provable)


Short block time,Instant Finality

BPASE 2018 • 5

GOAL



Randomness

Security (provable)



Unpredictable, Unmanipulable

BPASE 2018 • 6

GOAL



Randomness

Security (provable)



Unpredictable, Unmanipulable

Selfish-mining,Nothing-at-stake

BPASE 2018 • 7

CHALLENGES

BPASE 2018 •

ScalabilityInstant Finality

TRADE-OFF

8

CHALLENGES:

Consensus & Scalability

BPASE 2018 •


TRADE-OFF

9

CHALLENGES:


PBFT chain PoW chain

BPASE 2018 •


TRADE-OFF

10

CHALLENGES:


PBFT chain PoW chainFinality at every block Few nodes

Probabilistic finality over time Arbitrary many nodes

BPASE 2018 •

Derive randomness from a chain?

Chain is not random, manipulable

Assumes everybody agrees on the chain

11

CHALLENGES:

Randomness

BPASE 2018 •

Derive randomness from a chain?

Chain is not random, manipulable

Assumes everybody agrees on the chain

12

CHALLENGES:

Randomness

Must not depend on chain content (“grindable”)

Must not fork

BPASE 2018 • 13

CHALLENGES:

Randomness

“LAST ACTOR” BIAS

The “last actor” sees the randomness and

aborts.

Any fallback mechanism introduces bias.

BPASE 2018 • 14

CHALLENGES:

Randomness

“LAST ACTOR” BIAS

The “last actor” sees the randomness and

aborts.

Any fallback mechanism introduces bias.

EXAMPLES:

Miner discards block

2 or more parties involved

Commit-reveal schemes

…

BPASE 2018 •

PoS ATTACKS

15

CHALLENGES:

Security

Signatures are timeless

Signatures are cheap

Blocks can be equivocated

Blocks can be withheld

Selfish-mining Nothing-at-stake

BPASE 2018 •

FUNDAMENTAL OBSERVATIONS

CHALLENGES

16

BPASE 2018 •


1

Threshold groups do not have “last actors”

17

BPASE 2018 •

k out of n members have to act

(necessary and sufficient)

18

FUNDAMENTAL OBSERVATIONS:

No “last actors”

k-of-n THRESHOLD GROUP

BPASE 2018 •


2

Consensus without consensus

19

BPASE 2018 • 20



BLS Threshold signatures

BPASE 2018 •

Distributed key generation: No trusted dealer required

21




BPASE 2018 •


Unique: For every message only one signature verifies

22




BPASE 2018 •

Non-interactive: Signature shares created independently



23




BPASE 2018 •

Non-interactive: Signature shares created independently



24




“agree once”

“agree always”

BPASE 2018 •


3

Randomly sampled committees

25

BPASE 2018 •



Universe Random Sample

26

BPASE 2018 •



Universe

30%

Random Sample

27

BPASE 2018 •



Universe

30%

Random Sample

50% ?

28

BPASE 2018 •



Universe

30%

Random Sample

50% ?

0 5 10 15 20

29

BPASE 2018 •



Universe

30%

Random Sample

50% ?

0 5 10 15 20 0 20 40 60 80 100

30

BPASE 2018 •



Based on Binomial distribution (arbitrarily large universe)

Prob(G honest) > 1 - 2-x Safe group size

adversary controls

of universe

33.3% 25% 20%

423 173 111

701 287 185

887 363 235

1447 593 383

40

64

80

128

x

31

Group G honest if adversary controls <50% of G

BPASE 2018 •


4

Enforcing publication

32

BPASE 2018 •


Enforced publication

33

Majority signature by a committee.

NOTARIZATION

BPASE 2018 •



34


NOTARIZATION

A committee is a random sample of the whole network.

A notarization is a proof of publication.

BPASE 2018 •



35


NOTARIZATION

A committee is a random sample of the whole network.

A notarization is a proof of publication.Only notarized blocks

are valid.

VALID

BPASE 2018 •



1 2 3 4 5 Block height

36

BPASE 2018 •




Sequence of committeesG_1 G_2 G_3 G_4 G_5

37

BPASE 2018 •




Time interval


38

BPASE 2018 •




Time interval


39

A committee is active only during the phase of the block height to which it was assigned.

A notarization is a timestamp.

BPASE 2018 •



40

Only notarized blocks are valid.

Blocks cannot be withheld.

Impossible to build on old blocks.

BPASE 2018 •



41

Can notarizations be withheld?

BPASE 2018 •



42

A committee is active only during the phase of the block height to which it was assigned.

A block can get “half-notarized”.

BPASE 2018 •


Notarized Chains

2a1 3a 4a

3b 4b

Time interval

Active groupG_1 G_2 G_3 G_4 G_5

G_1 G_2 G_3 G_4

G_3 G_4

5

5

G_5

G_5

3c 4c

2b

43



2bG_2

3cG_3

4cG_4

BPASE 2018 • 44



2bG_2

3cG_3

Every notarization contains honest signatures.

BPASE 2018 • 45



2bG_2

3cG_3


2bG_2

3cG_3

Trick:

BPASE 2018 • 46



2bG_2

3cG_3


2bG_2

3cG_3

Trick:

Block references the previous notarization

Notarizations cannot be withheld

BPASE 2018 •


Notarized Chains

2a1 3a 4a

3b 4b

Time interval


G_1 G_2 G_3 G_4

G_3 G_4

5

5

G_5

G_5

2b

47



2bG_2

3c

BPASE 2018 •


Notarized Chains

2a1 3a 4a

3b 4b

Time interval


G_1 G_2 G_3 G_4

G_3 G_4

5

5

G_5

G_5

3c

2b

48



2bG_2

3c

G_2

BPASE 2018 •


Notarized Chains

2a1 3a 4a

3b 4b

Time interval


G_1 G_2 G_3 G_4

G_3 G_4

5

5

G_5

G_5

3c

2b

49



2bG_2

3c

G_2

BPASE 2018 •

THE SYSTEM

CHALLENGES

50

BPASE 2018 •

RandomnessUnique threshold

signatures

ScalabilityCommittees

Provable security Fast consensus

Notarization

51

SOLUTION

BPASE 2018 • 52

Identity Layer

Random Beacon Layer

Blockchain Layer

Register

Transaction

Observe

Users

Notary Layer

Con

sens

us P

roto

col L

ayer

s

Exte

rnal

Act

orsObservers

New Clients

SOLUTION:

Protocol Layers

BPASE 2018 • 53

Notary

RandomBeacon

BlockMakers1. Random

value

1. Randomvalue

2. Blockproposals

3. NotarizedBlock

3. NotarizedBlock

SOLUTION SOLUTION:

Rounds

BPASE 2018 • 54

SOLUTION:

Random Beacon

BPASE 2018 • 55

SOLUTION:

Random Beacon

BPASE 2018 • 56

SOLUTION:

Random Beacon

BPASE 2018 •

SOLUTION:

57

BPASE 2018 • 58

SOLUTION:

Blockchain

⇠r�1 ⇠r

Br�1 Br

zr�1

�Br,i1�Br,i2...�Br,it

BPASE 2018 • 59

SOLUTION:

Blockchain

⇠r�1 ⇠r

Br�1 Br

zr�1


⇠r�1 ⇠r

Br�1 Br

zr�1 zr

BPASE 2018 • 60

SOLUTION:

Blockchain

⇠r�1 ⇠r

Br�1 Br

zr�1


⇠r�1 ⇠r

Br�1 Br

zr�1 zr

⇠r�1 ⇠r

Br�1 Br

zr�1 zr

�r||⇠r,i1�r||⇠r,i2...�r||⇠r,it

BPASE 2018 • 61

SOLUTION:

Blockchain

⇠r�1 ⇠r

Br�1 Br

zr�1


⇠r�1 ⇠r

Br�1 Br

zr�1 zr

⇠r�1 ⇠r

Br�1 Br

zr�1 zr

�r||⇠r,i1�r||⇠r,i2...�r||⇠r,it

⇠r�1 ⇠r

Br�1 Br

zr�1

⇠r+1

zr

BPASE 2018 •

2a1 3a 4aG_1 G_2 G_3 G_4

5

52b

62


Normal operation

G_2

G_5

G_5

First block maker honest+

Network synchronous

Only one block gets notarized

BPASE 2018 • 63

SOLUTION:

Blockchain

r � 3 r � 2 r � 1 r

0

1

2

FINAL

DEAD

DEAD

FINAL

DEAD

BPASE 2018 •

CONCLUSIONS

CHALLENGES

64

BPASE 2018 • 65

Consensus algorithm landscape

BYZANTINE AGREEMENT IN AUTHENTICATED SETTING

(n replicas, f adversary, asynchrony)

FLP

f = 0

BPASE 2018 • 66




FLP Bracha/Toueg

probabilistic

f = 0 n > 3f

BPASE 2018 • 67




+ synchrony (for liveness)

FLP Bracha/Toueg

PBFT

probabilistic practical

f = 0 n > 3f n > 3f

BPASE 2018 • 68





+ synchrony+ probabilistic

termination

FLP Bracha/Toueg

PBFT Blockchain

probabilistic practical

f = 0 n > 3f n > 2fn > 3f

BPASE 2018 • 69





+ synchrony(for liveness & safety)


termination

FLP Bracha/Toueg

PBFT Dfinity Blockchain

probabilistic practical scale

f = 0 n > 3f n > 2f + ✏ n > 2fn > 3f

BPASE 2018 • 70





+ synchrony(for liveness & safety)


termination

FLP Bracha/Toueg

PBFT Dfinity Blockchain

probabilistic practical scale fast termination

f = 0 n > 3f n > 2f + ✏ n > 2fn > 3f

BPASE 2018 • 71

Algorithm flexibility

PBFT(synchrony only for liveness)

n/5 n/3 n/2 f

n

102

106

1

BPASE 2018 • 72


DFINITY(synchrony for liveness and safety)


n/5 n/3 n/2 f

n

102

106

1

BPASE 2018 • 73


DFINITY(synchrony only for liveness)



n/5 n/3 n/2 f

n

102

106

1

BPASE 2018 • 74


DFINITY(synchrony only for liveness)



n/5 n/3 n/2 f

n

102

106

1

BPASE 2018 •

BPASE 2018

PART 2

75

BPASE 2018 • 76

Open participation

BPASE 2018 • 77

Randomness defines the new groups The group members run distributed key generation They join by providing their group public key

Open participation

BPASE 2018 •

Challenge

How to agree on the group public key?

78

BPASE 2018 •

Solution

Use Dfinity chain at the current epoch to change the behavior of the

system itself at future epochs.

79

BPASE 2018 •

Requires Agreement: Dfinity chain has already created an efficient medium for consensus

Using the same blockchain: the result will be used only on the side of a fork on which it is used

80

Distributed Key Generation

System Contracts

Node Registration Group Registration

System Parameters

DFN Payment BNS

System contracts

BPASE 2018 •

DKG Contract

81

BPASE 2018 • 82

Mahnush

Movahedi

BPASE 2018 •

(t, n) Distributed Key Generation

Create a master public key and set of partial signing keys.

83

BPASE 2018 •

Studied extensively in the crypto literature

Utilizes point-to-point communication

Assumes/implements a reliable broadcast channel as a bullet-in-board

We use Dfinity chain as the bullet-in-board

84

Previous versions of the DKG

BPASE 2018 •

It goes trough the following phases 1. Dealing

2. Complaint

3. Justification

4. Registration

Prefer contracts that are event driven

85

{-# LANGUAGE ScopedTypeVariables, FlexibleContexts #-} module Main where

import Data.List (delete) import Control.Monad import Control.Monad.Task import Contract import System

type VerificationVector = String

data DkgEvent = Deal Int VerificationVector | Complain Int Int | Justify Int Int VerificationVector | GetGroupKey deriving (Eq, Show)

DKG phases

BPASE 2018 •

Many dealers (contributors).

Each Dealer will • Share a secret value using a polynomial

• Create commitment to the polynomial

• Encrypt the shares

• Send the vector to the contract

86

Dealing phase

collectDeals deal@(i,_) deals = case lookup i deals of Just _ -> logConsole ("deal already exists", i) >> return deals Nothing -> return (deal : deals)

BPASE 2018 •

Receive your share and commitment vector

Check the validity of your share

Send your complain to the contract if: • No share received

• The share was invalid

87

Complain phase

BPASE 2018 •

For each complaint: • Send the share in clear text to the contract

For each justification, the contract: • Check if the share is valid

• If it is valid, it removes the complain and accepts the sharing.

88

Justification phase

BPASE 2018 •

The group public key is the sum of the verification vector of each successful dealer

Successful Dealer: not have any unjustified complains remaining

89

Registration phase

BPASE 2018 •

System contracts can be used to manage the future behavior of the system

Carefully design the contract that most of the code which do not need consensus is happening on the client side.

Only the data that need agreement over will pass to the contract

90

Take away

THANK YOU

dfinity.org

twitter.com/dfinity

dfinity.org/tech

bit.ly/DFN_TestNet

medium.com/dfinity

reddit.com/r/dfinity

http://dfinity.org

http://twitter.com/dfinity

http://dfinity.org/tech

http://bit.ly/DFN_TestNet

http://medium.com/dfinity

http://reddit.com/r/dfinity

timo hanke, mahnush movahedibpase 2018 • 5 goal fast consensus (5 seconds) scalability (1m...

Documents