Security and Performance Analysis of Quorum-based Blockchain Consensus Protocols Gabriel Antonio F. Rebello, Gustavo F. Camilo, Lucas C. B. Guimaraes,˜ Lucas Airam C. de Souza, Otto Carlos M. B. Duarte Universidade Federal do Rio de Janeiro - GTA/COPPE/UFRJ Abstract—Consensus protocols for blockchain-based systems days [7]. In response to the performance limitations of proof- are crucial and the most complex part of the blockchain. The of-work consensus, several new consensus protocols emerge proof-of-work consensus protocol of Bitcoin cryptocurrency is as possible substitutes for the Bitcoin protocol. This paper the most popular, but it presents a low transaction rate and 3 high energy consumption. This paper analyzes the main quorum- analyzes and compares the main quorum-based deterministic based consensus protocols for blockchains that are alternatives consensus protocols proposed as an alternative to proof-of- with higher throughput and energy-efficient. The paper focuses work. We classify the deterministic consensus protocols as on Byzantine fault-tolerant protocols as they are more robust practical Byzantine fault-tolerant and its variants, federated to security attacks. We classify and analyze quorum-based and delegated Byzantine fault-tolerant, and hybrid. We present consensus protocols according to their main characteristics and performance, highlighting the flaws and the specific attacks and analyze the characteristics, the transaction rate, and the that affect each consensus protocol and presenting possible security of each class of deterministic consensus protocol. countermeasures.1 Unlike other protocol performance analysis papers, this paper emphasizes the security of the analyzed protocols, specifying I. INTRODUCTION the main threats, the attacks discovered on each platform, and Blockchain is a disruptive technology that provides trust the possible countermeasures. The analysis covers the the main among a group of participants without mutual trust, in a existing cryptocurrencies such as: XRP, NEO and EOSIO. decentralized manner, and without intermediaries. A collective Besides, we analyze the execution model of Hyperledger agreement of the participants obtained in a distributed manner Fabric, which is the largest private blockchain platform. replaces the centralized decision. Therefore, the blockchain We organize the remainder of the paper as follows. Sec- system must be able to incorporate new blocks into the chain tion II discusses related work. Section III presents the main 2 through consensus among the participants. The blockchain requirements of a consensus protocol. Section IV describes technology has been proposed to provide security in several and analyzes the family of practical Byzantine fault-tolerant research areas, such as networks [1], Internet of things [2], consensus protocols. Section V presents and analyzes the e-health [3], and network slices [4]. Satoshi Nakamoto [5] federated Byzantine agreement protocols, citing Ripple and revolutionized the asset transfer area with the cryptocurrency Stellar. Section VI analyzes and describes the vulnerabilities of Bitcoin and the innovative consensus proposal, called Proof of federated class protocols, and Section VII focuses on a hybrid Work (PoW). The consensus through proof-of-work, however, protocol; Section VIII introduces and analyzes the security of is probabilistic because it can generate forks in the blockchain, Hyperledger Fabric, the largest private blockchain platform. requires a lot of energy consumption, presents a low trans- Finally, Section IX concludes the article and provides direc- action rate, and shows a tendency to centralize decisions in tions for future work. participants with more computational power. The Bitcoin presents a throughput of seven transactions per II. RELATED WORK second and one-hour latency when the user waits for six-block The blockchain consensus area has been attracting the atten- generation cycles, which is the recommended guarantee for tion of several researchers due to the success of the Bitcoin fork decisions. These characteristics limit the use of Bitcoin in cryptocurrency. There is, however, a need for a systematic applications that are unable to wait an hour to be completed, analysis of the vulnerabilities and countermeasures to security or by credit card companies that process more than 56,000 attacks in quorum-based consensus protocols. transactions per second [6]. Furthermore, proof of work in Bitcoin annually consumes more than the energy generated Vukolic´ compares blockchains based on deterministic con- by 160 countries individually and the energy expenditure sensus and proof of work [8]. Angelis et al. assess the to process a single Bitcoin transaction is enough to supply performance of proof of authority consensus protocols and an average United States of America household over 17.82 compare them with the PBFT [9] protocol. Nevertheless, the papers focus on discussing the scalability of consensus 1This paper was funded by CNPq, CAPES, FAPERJ and FAPESP (18/23292-0, 2015/24514-9, 2015/24485-9 2014/50937-1). 3In this paper, we consider quorum-based protocols and deterministic 2Consensus is a type of agreement reached among all members of a group. protocols as synonyms. protocols instead of providing an in-depth discussion of the • Integrity: A correct participant proposes the block b. vulnerabilities that exist in each protocol. The consensus protocols seek to guarantee the four conditions Xiao et al. [10] and Joshi et al. [11] present different deter- that together provide the safety and liveness properties. The ministic and probabilistic consensus protocols for blockchain. guarantee of the termination requirement provides liveness as Despite describing several consensus mechanisms, the discus- the rounds of consensus continue to happen, and the system sion of threats and security flaws in vote-based consensus always incorporates new blocks. The guarantee of the termina- algorithms is brief and does not provide countermeasures. tion, however, does not guarantee that the blocks are correct. Hasanova et al. analyze the security of different probabilis- The agreement requirement provides decision uniformity in tic and deterministic blockchains [12]. The work, however, all participants, and the validity and integrity requirements focuses on the vulnerabilities and countermeasures of proof- represent the correctness of the decision, ensuring that an based protocols and does not provide an in-depth analysis of honest participant proposed the block. Together, agreement, quorum-based protocols. validity, and integrity provide the consistency property to Wang et al. present two vulnerabilities in the NEO [13] the protocol. Consistency does not guarantee that the system cryptocurrency consensus protocol. Christodoulou et al. ana- always incorporates new blocks, but it does guarantee that the lyze the security of the Ripple cryptocurrency in the presence ones that are incorporated are always correct. Therefore, a of multiple adversaries [14]. Nevertheless, the papers focus consensus protocol must provide both properties to ensure the on cryptocurrencies and specific protocols, without extensive correction of the system even when failures occur. discussion and comparison with others. Consensus protocols can tolerate two types of failures: crash This paper clearly and concisely presents the required main faults or Byzantine faults. A crash fault participant does not characteristics of quorum-based consensus protocols. Besides, respond and does not perform new operations during the the paper describes the main quorum-based protocols for consensus execution. The Byzantine failure is much more blockchains, focusing on specific security vulnerabilities of complicated since the failing participant can be a malicious each protocol and comparing them. agent that exhibits arbitrary behavior, deviating from the spec- ified protocol, and taking any action. The malicious agent may III. QUORUM-BASED BLOCKCHAIN CONSENSUS behave well, responding correctly, may respond incorrectly, or The consensus is the process by which, from a group of may not respond at all. Also, a Byzantine failing participant independent participants, all the correct participants reach the may answer that it approves a block b to one participant and same collective decision to accept or refuse to add a new block that it approves a block b0 to another participant. Thus, in in the blockchain. One of the consensus participants submits the Byzantine failure model, there is no precise information a proposal for a new block. In quorum-based consensus, about the behavior of the participants or whether the system participants exchange messages with two primitives: information is correct. The maximum number of malicious 5 • propose(P; b): proposes a new block b to the set of participants that a quorum-based system can tolerate is one- consensus participants P . Only a special participant, the third of the total network participants, including honest and consensus leader, can send this primitive; malicious participants. This paper focuses on Byzantine fault- • decide(b): informs the network that the participant vali- tolerant consensus, as they are more robust to malicious dated and decided on the block b. behavior. Consensus occurs every time the leader proposes a new block Communication systems are essential to obtain quorum- b, and the majority of participants validate and decide on the based consensus, as consensus participants must exchange proposed block.