DFINITY Technology Overview Series Consensus System
Total Page:16
File Type:pdf, Size:1020Kb
DFINITY Technology Overview Series Consensus System Rev.1 Timo Hanke, Mahnush Movahedi and Dominic Williams ABSTRACT Dfinity will be introduced in a series of technology overviews, The Dfinity blockchain computer provides a secure, performant each highlighting an independent innovation in Dfinity such as and flexible consensus mechanism. While first defined for a permis- the consensus backbone, smart contract language, virtual machine, sioned participation model, the consensus mechanism itself can be concurrent contract execution model, daemon contracts, peer-to- paired with any method of Sybil resistance (e.g. proof-of-work or peer networks and secure broadcast, governance mechanism and proof-of-stake) to create an open participation model. Dfinity’s scaling techniques. The present document will focus on the con- greatest strength is unfolded in the most challenging proof-of-stake sensus backbone and cryptographic randomness. case. Dfinity has an unbiasable, verifiable random function (VRF) At its core, Dfinity contains a decentralized randomness beacon built-in at the core of its protocol. The VRF not only drives the which acts as a verifiable random function (VRF) that produces a consensus, it will also be the foundation for scaling techniques such stream of outputs over time. The novel technique behind the beacon as sharding, validation towers, etc. Moreover, the VRF produced relies on the existence of a unique-deterministic, non-interactive, by the consensus layer is available to the application layer, i.e., to DKG-friendly threshold signatures scheme. The only known ex- the smart contracts and virtual machine. In this way, the consensus amples of such a scheme are pairing-based and derived from BLS backbone is intertwined with many of the other topics. [3, 10]. The Dfinity blockchain is layered on top of the Dfinity beacon 2 INTRODUCTION and uses the beacon as its source of randomness for leader selec- Dfinity’s consensus mechanism has four layers as depicted in tion and leader ranking. A "weight" is attributed to a chain based Fig. 1. The first layer provides registered and Sybil-resistant client on the ranks of the leaders who propose the blocks in the chain, identities. On the second layer is a decentralized random beacon. and that weight is used to select between competing chains. The On the third layer is a blockchain that is driven by the random bea- Dfinity blockchain is further hardened by a notarization process con through a probabilistic mechanism for leader ranking. On the which dramatically improves the time to finality and eliminates the fourth layer is a decentralized notary that provides timestamping nothing-at-stake and selfish mining attacks. and publication guarantees, and is ultimately responsible for near- Dfinity’s consensus algorithm is made to scale through contin- instant finality. Dfinity’s consensus layers and other key aspects uous quorum selections driven by the random beacon. In practice, of the consensus mechanism can be summarized in the following Dfinity achieves block times of a few seconds and transaction fi- main categories. nality after only two confirmations. The system gracefully handles temporary losses of network synchrony including network splits, while it is provably secure under synchrony. Notary Layer s r Observe e y Observers s a r L o t 1 PROLOGUE l c o Blockchain Layer Transaction A c l o DFINITY is a decentralized network design whose protocols gen- t Users a o n r r e erate a reliable "virtual blockchain computer" running on top of a P t s x u peer-to-peer network upon which software can be installed and Random Beacon Layer E s n can operate in the tamperproof mode of smart contracts. The goal e s n is for the virtual computer to finalize computations quickly (using o C Register short block times and by requiring only a small number of blocks as Identity Layer "confirmations"), to provide predictable performance (by keeping New Clients the time between confirmations approximately constant), and for computational and storage capacity to scale up without bounds as Figure 1: Dfinity’s consensus mechanism layers. 1. Identity layer: demand for its services increases (using novel validation mecha- provides a registry of all clients. 2. Random Beacon layer: provides nisms and sharding systems discussed in our other papers). The the source of randomness (VRF) for all higher layers including ap- protocols must be secure against an adversary controlling less than plications (smart contracts). 3. Blockchain layer: builds a blockchain a certain critical proportion of its nodes, must generate crypto- from validated transactions via the Probabilistic Slot Protocol driven graphic randomness (which is required by advanced decentralized by the random beacon. 4. Notarization layer: provides fast finality applications) and must maintain a decentralized nature as it grows guarantees to clients and external observers. in size to millions of nodes. 1 Technology Overviews, Jan. 23, 2018, DFINITY Stiftung Timo Hanke, Mahnush Movahedi and Dominic Williams 1st layer: Identities and Registry. The active participants in the the block candidates that are presented to a client for notarization, Dfinity network are called clients. All clients in Dfinity are reg- the client only notarizes the highest-ranked one with respect to a istered, i.e., have permanent, pseudonymous identities. The regis- publicly verifiable ranking algorithm driven by the random beacon. tration of clients has advantages over the typical proof-of-work It is important to emphasize that notarization is not consensus blockchains where it is impossible to link different blocks to the because it is possible, due to adverse timing, for more than one same miner. For example, if registration requires a security deposit, block to get notarized at a given height. This is explicitly tolerated a misbehaving client would lose its entire deposit, whereas a miner and an important difference to other proof-of-stake proposals that in a typical proof-of-work blockchain would only forego the block apply full Byzantine agreement at every block. Dfinity achieves reward during the time of misbehavior. As a result, the penalty for its high speed and short block times exactly because notarization is misbehavior can be magnitudes larger for registered identities than not full consensus. However, notarization can be seen as optimistic it can be for unregistered identities. This is particularly important consensus because it will frequently be the case that only one as blockchains can track unbounded external value that exceeds block gets notarized. Whether this is the case can be detected after the value of the native token itself. Moreover, Dfinity supports one subsequent block plus a relay time (cf. Theorem 9.3). Hence, open membership by providing a protocol to register new clients whenever the broadcast network functions normally a transaction via a stake deposit with a lock-up period. This is the responsibility is final in the Dfinity consensus after two notarized confirmations of the first layer. plus a network traversal time. We like to emphasize that a notarization in Dfinity is not pri- 2nd layer: Random Beacon. The random beacon in the second marily a validity guarantee but rather a timestamp plus a proof layer is an unbiasable, verifiable random function (VRF) that is of publication. The notarization step makes it impossible for the produced jointly by registered clients. Each random output of the adversary to build and sustain a chain of linked, notarized blocks VRF is unpredictable by anyone until just before it becomes avail- in secret. For this reason, Dfinity does not suffer from the selfish able to everyone. This is a key technology of the Dfinity system mining attack [4] or the nothing-at-stake problem. which relies on a threshold signature scheme with the properties of uniqueness and non-interactivity. The BLS signature scheme is the Threshold Relay and Network Scalability. Dfinity’s consensus only practical1 scheme that can provide these features, and Dfinity is designed to operate on a network of millions of clients. To en- has a particularly optimized implementation of BLS built in [2, 11]. able scalability to this extent, the random beacon and notarization Using a threshold mechanism for randomness creation solves the protocols are designed such that they can be safely and efficiently fundamental "last actor" problem. Any decentralized protocol for delegated to a committee. A committee is a randomly sampled sub- creating public randomness without a threshold mechanism suffers set of all registered clients that deploys a threshold mechanism (for from the problem that the last actor in that protocol knows the next safety) that is moreover non-interactive (for efficiency). random value and can decide to abort the protocol. In Dfinity, the active committee changes regularly. After having temporarily executed the protocol on behalf of all clients, the com- 3rd layer: Blockchain and fork resolution. The third layer deploys mittee relays the execution to another pre-configured committee. the "probabilistic slot protocol" (PSP). This protocol ranks the clients We call this technique "Threshold Relay" in Dfinity. for each height of the chain, in an order that is derived determin- istically from the unbiased output of the random beacon for that Consistency vs availability. It is worth noting that network splits height. A weight is then assigned to block proposals based on the are implicitly detectable by Dfinity and are handled conservatively. proposer’s rank such that blocks from clients at the top of the list This is a consequence of the random sampling of committees. If receive a higher weight. Forks are resolved by giving favor to the the network splits in two halves of more or less the same size, "heaviest" chain in terms of accumulated block weight – quite sim- this will automatically cause the random beacon to pause within ilar to how traditional proof-of-work consensus is based on the a few blocks so that none of the sides can continue.