Decentralization in Open Quorum Systems

11/19/2019 ∙ by Andrea Bracciali, et al.

Decentralisation is one of the promises introduced by blockchain technologies: fair and secure interaction amongst peers with no dominant positions, single points of failure or censorship. Decentralisation, however, appears difficult to define formally; it is possibly a continuum property of systems that can be more or less decentralised, or can tend to decentralisation over their lifetime. In this paper we focus on decentralisation in quorum-based approaches to open (permissionless) consensus as illustrated in influential protocols such as the Ripple and Stellar protocols. Drawing from game theory and computational complexity, we establish limiting results concerning the decentralisation vs. safety trade-off in Ripple and Stellar, and we propose a novel methodology to formalise and quantitatively analyse decentralisation in this type of blockchain.

1 Introduction

To allow “any two willing parties to transact directly with each other without the need for a trusted third party” [31] was one of the main motivations for the introduction of the Bitcoin blockchain, and several earlier attempts at digital currencies. A blockchain is a distributed state machine in charge of guaranteeing the correctness and trustability of data, e.g., monetary transactions in the case of Bitcoin. [Footnote 1: Blockchains can also make the computation trustable, e.g., guaranteeing the fair and untamperable execution of agreements among peers encoded as programs.] State updates are recorded in a chain of data blocks. Data are protected by replication of the state, i.e., of the chain of blocks, within a network of peers. The blockchain protocol must guarantee some form of distributed consensus allowing peers to agree on the information contained in the blockchain, e.g., who has been paid, and that no double spending of virtual coins has occurred, without the supervision of a centralised authority – a currency without a central bank.

1.0.1 Context: the quest for decentralisation

Decentralisation, which can be informally understood as the lack of dominant positions amongst the independent and untrusted peers, is then a strongly desirable property of blockchains. Decentralisation may involve several aspects of a blockchain definition and architecture, and is strongly connected to the problem of governance. There can be centralisation in the software maintenance, the management of the community of peers and users and associated access policies, the management of the tokenomics and incentives, the resolution of disputes, and the pooling of peers (see [18] for early considerations on the decentralisation in Bitcoin). [Footnote 2: Monetary and incentive policies, e.g., the economics of tokens, the motivational reward for peers, and the initial distribution of stake in PoS (see below), may affect the stability and long-term survival of the blockchain.]

In this paper we address decentralisation in distributed consensus. Decentralisation in the sense of “any two willing parties” somehow implies openness, embodied by permissionless blockchains, where participation is allowed in a generally unrestricted way. Permissionless blockchains are clearly exposed to the presence of Byzantine peers, i.e., dishonest peers trying to exploit the network and not bound to the blockchain protocol. Byzantine distributed consensus is a long-standing problem, from Lamport’s characterisation [26] and the FLP impossibility result [13], to the subsequent research on data replication and consistency based on Byzantine Fault-tolerant consensus (BFT) [28, 36]. Several proposals are currently competing in a multi-billion market, addressing the so-called blockchain trilemma, i.e., achieving security, scalability and decentralisation together.

One of the breakthroughs of Bitcoin was the introduction of the Proof-of-Work (PoW) [9] as a mechanism to enable a probabilistic Byzantine distributed consensus. Informally speaking, by solving a computationally hard problem one of the peers is entitled to create the next block, cryptographically linked to the previous ones. Under the assumption that Byzantine computational power is suitably limited within the network, the probability that enough work can be channeled to alter block history decreases with the ageing of the blocks, as much as new blocks are created [16, 11]. Bitcoin reaches finality with an acceptable probability in about one hour (6 blocks), with limited transactions per second. [Footnote 3: More technical and comprehensive introductions to blockchains can be found in [2, 32, 41].]

In Proof-of-Stake (PoS) blockchains peers contribute to the definition of the next block with a probability proportional to the stake (coins), rather than computational power, they hold in the system. Safety follows from the honest peers holding the majority of stake. Scalability improves in Proof-of-Stake, but the management of security typically results in being more complex.

The BFT paradigm has also been proposed for blockchain consensus, providing scalability in transactions per second thanks to low transaction latency and high throughput. BFT, however, is more constrained in terms of the scalability in the number of peers [40], since the number and identity of peers need to be known and in some cases fixed [5]. This kind of blockchain has been proposed, for instance, for financial services, where a limited number of known and certified peers need to exchange fast and numerous transactions. It is worth remarking that if consensus requires control on peers, a centralised authority might be required, with implications also on identity, privacy and censorship.

1.0.2 Research question

In this paper we focus on BFT blockchains based on quorum systems [39]. In such systems consensus emerges from neighbourhoods of peers and the properties of such neighborhoods, together with assumptions on Byzantine failure thresholds, are essential to guarantee the liveness and safety of the consensus protocol, that is, whether honest peers are able to eventually reach consensus on a correct next state. At the heart of these protocols is a notion of trust between peers: nodes select which other nodes to trust, and listen to, in the network. Interested in understanding how much decentralisation can (or cannot) be achieved in principle in such systems, we address the following question:

To what extent can consensus be decentralized, when based on trust networks?

We approach the question by using tools from cooperative game theory (specifically the theory of command games [22, 21]) and computational complexity theory. The interface of methods from theoretical economics and computational complexity has proven extremely prolific in other areas of computer science and artificial intelligence, such as computational social choice theory [3, 20]. Our paper also aims to showcase these methods for general investigations on blockchain consensus and decentralisation.

We will consider Ripple [6, 37] and Stellar [30], two Quorum-based blockchains attempting to extend the applicability of the BFT paradigm from a permissioned to a permissionless setting, aiming at improving decentralisation.

Ripple provides frictionless global payments and corporate-oriented efficient transactions. It currently relies on a list of “authorised” validators in charge of the correctness of transactions. [Footnote 4: At the time of writing the list consists of about 30 validators, available at https://xrpcharts.ripple.com.] Access is permissioned and each peer will need to have in their neighbourhood of trust a number of validators from the list. While the list was originally entirely composed of Ripple validators, today third-party validators, e.g., private companies and universities, have been included.

Stellar provides payments and asset management to corporate and individuals, and aims to push decentralisation further by offering open membership and allowing peers to autonomously define their trust networks, i.e., the set of validators that they trust. However, strong constraints hold on the topology of such trust networks.

Both Ripple and Stellar have been the object of criticism with respect to the level of decentralisation of their current implementations, and the need for further research on protocols like Ripple and Stellar is emphasised, for instance, in [4].

1.0.3 Related work

Even though Ripple and Stellar are, respectively, the third and tenth blockchain systems in terms of market capitalization, very little foundational work exists on their protocols. Correctness analyses of Ripple have been proposed in [6], and of Stellar in [30, 42]. A specific study on the issue of decentralisation in Stellar has also very recently been presented in [25]. The authors investigate the current topology of Stellar’s quorum slices by means of an extended version of PageRank that they introduce to evaluate nodes’ influence. Findings about the current status show centralisation on two critical validators, which are controlled by the Stellar Foundation.

Our paper contributes further general results on the level of decentralization that could reasonably be achieved in consensus based on open quorum systems.

1.0.4 Paper contribution and outline

The contributions of this paper are:

  • a novel theoretical framework, rooted in economic theory (command games [22, 21], power indices [33, 1]), to ascertain the influence that peers can exert on each other in quorum systems based on trust networks. This contributes a novel methodology for a much needed quantitative evaluation of decentralisation in blockchain (here in the context of consensus). The proposed methods are applied to Ripple and Stellar (Theorem 4.1).

  • a general impossibility of decentralisation result for a class of consensus protocols of the Ripple type (Theorem 3.1), which are based on trust networks with a fixed threshold of tolerable Byzantine peers. This result implies, in Ripple, the necessary existence of validators that must be trusted by every peer in the network, hindering the possibility of full decentralisation.

  • an appraisal of computational barriers to decentralization in protocols like Stellar, based on so-called federated Byzantine agreement systems. Specifically, we show that constraints that are necessary to guarantee the safety of the network require peers to be able to solve problems that are computationally intractable in principle (Theorems 3.3 and 3.4). This result imposes in Stellar limitations to the autonomous construction of trust networks by peers, limiting also in this case the possibility of full decentralisation.

Trust networks and command games are introduced in Section 2, impossibility and intractability results are presented in Section 3, and decentralisation measures in Section 4. Section 5 contains final considerations and future outlooks. Relevant literature is discussed throughout the paper, proofs appear in the Appendix.

2 Preliminaries

In this section we link the open quorum systems underlying Ripple (trust networks [19]) and Stellar (federated Byzantine agreement systems, FBAS, [30]) to structures studied in the economic theory literature, known as command games. This will then allow us to import concepts and results from the field of command games to the workings of consensus in Ripple and Stellar.

2.1 Byzantine Trust Networks

A set of peers, hereafter nodes, want to get to an agreement on a binary opinion , e.g., whether a given transaction should belong, or not, to the current ledger. The set is open, but we consider a snapshot at a given point in time. Byzantine nodes, differently from honest ones, can hold and reveal multiple, inconsistent opinions. The goal of consensus is to have all honest nodes eventually agreeing on the same opinion (no-forking). Crucially, an honest node’s opinion depends on the opinions revealed by the nodes (honest or Byzantine) that it trusts.

Definition 1

A Byzantine trust network (BTN) is a tuple where:

  • is a finite set of nodes.

  • is the set of honest nodes. is the set of Byzantine nodes.

  • , for each node , is the non-empty set of nodes that trusts, i.e., its trust set. [Footnote 5: Ripple and Stellar refer to trust sets as unique node lists (UNLs).]

  • , for each honest node , is the collection of sets of nodes, among those that trusts, that can determine ’s opinion. We refer to as the set of winning coalitions for node . For ease of presentation we will sometimes treat also as a function assigning a set of subsets of to each honest node.

We will sometimes assume that, for all , . We will sometimes furthermore assume that for all , . In such a case the BTN is said to be vetoed.

Intuitively, a winning coalition is a set of nodes such that, if all members of one such coalition agree on a value, then that value is also ’s opinion. When belongs to , cannot validate an opinion unless it also holds such opinion (it holds a veto for its own validation). In the Stellar white paper [30] BTNs are referred to as federated Byzantine agreement systems (FBAS), or as federated Byzantine quorum systems in [42], and the winning coalitions of a node are referred to as quorum slices. BTNs are also known structures in the economic theory literature, where they are referred to as command games [22, 21], or as simple game structures [24].

A natural class of BTNs is obtained by associating a quota, or threshold, to each honest node : [Footnote 6: Cf. [17].]

Definition 2

A Quota Byzantine Trust Network (QBTN) is a BTN such that for all there exists a quota such that:

A QBTN is therefore denoted by a tuple . A QBTN is said to be uniform whenever for any .

Intuitively, QBTNs are BTNs where the winning coalitions of a node are determined by a numerical quota: ’s opinion is determined whenever at least nodes in hold that opinion. Assuming for each a standard failure model with a fraction of Byzantine nodes (cf. [26]), when it is guaranteed that i) the quota is met whenever the honest nodes in agree, and ii) if the quota is met for an opinion , then there is at least an honest majority of nodes with opinion in the trust set of . So in this paper we will assume quotas fall in the range. A QBTN is said to be uniform whenever for any .

The Ripple consensus protocol [6, 37] is based on uniform QBTNs with quotas set to . The Stellar consensus protocol as described in [30] is not based on quota but requires the generality of BTNs while assuming them to be vetoed.

Remark 1

In Definition 1 we associate winning coalitions only to honest nodes. We do this for simplicity but it should be clear that trivial collections of winning coalitions can be associated also to Byzantine nodes. Since the opinion of a Byzantine node is not influenced by any other node its trivial collection of winning coalitions is the set , that is, the set of all coalitions containing . Intuitively, this amounts to stating that is the only node influencing its own opinion.

2.2 Opinions and Safety

At any given time, the collection of each node’s opinions defines an opinion profile that associates a ‘genuine’ opinion from to every honest node (the opinion that the node reveals to the network). And to each Byzantine node it associates a function from honest nodes to opinions. This function represents the values that each Byzantine node would reveal to each honest node in the network that includes it in its trust set.

Definition 3

An opinion profile such that if and if .

Intuitively, ’s opinion is settled whenever a winning coalition of trusted nodes holds that opinion. In a QBTN, ’s opinion (if is honest) is settled whenever there are at least nodes with the same opinion among the nodes it trusts. Given an opinion profile we denote by

(1)

This is the set of nodes (honest or Byzantine), among those that trusts, holding opinion in profile . We say that validates (in a given ) if . We then say that an opinion profile is forked (or, is a fork) if there are two honest nodes such that validates and validates in , where, given , represents the element of singleton .

Let us introduce some auxiliary notions. Let be a function picking, for any agent , one coalition out of . [Footnote 7: Clearly there are such functions.] Each function induces an operator such that , collecting, for each in , the winning coalition picked by function . We further denote by the -th iteration of . Since is finite, for any there exists such that . [Footnote 8: Cf. the Knaster-Tarski theorem [7].]

We say that an opinion profile is strongly forked (or, is a strong fork) if there are two honest nodes and a function such that all nodes in agree on and all nodes in agree on . Formally: for all , and for all . That is, there is a winning coalition for agreeing on and a winning coalition for agreeing on , and all nodes in that winning coalition for also have a winning coalition agreeing on and all nodes in that winning coalition for have a winning coalition agreeing on , and so on.

Definition 4

A BTN is safe if there exists no forked profile for it. It is weakly safe if there exists no strongly forked profile for it.

Safety rules out the possibility that two honest nodes may settle on different opinions. Weak safety allows for forks of only a limited kind. It rules out the possibility that forks are of a ‘deep’ kind involving all winning coalitions upon which the diverging opinions are rooted. Clearly safety implies weak safety but not vice versa.

3 (De)centralisation and (In)tractability

This section explores inherent limitations present in the above notion of safety for BTNs, establishing general limitative results for the class of consensus protocols based on them, such as Ripple and Stellar. First, it focuses on uniform QBTNs (Definition 2), as exemplified by the Ripple consensus protocol, showing that safety drastically limits the freedom of nodes in selecting trustees. Second, it focuses on safety for general BTNs (Definition 1), as exemplified by the Stellar consensus protocol, showing that, even though safety in such settings allows for more freedom on the part of nodes, it does require single nodes to solve decision problems that are, in principle, computationally intractable.

3.1 Safety Implies Centralization in Uniform QBTNs

We show that for safe consensus to be possible on uniform QBTNs nodes cannot be fully free to choose their trust set.

The result builds on ideas from [6]. We will use the following auxiliary definition, also borrowed from [6]:

(2)

Intuitively, denotes the number of Byzantine agents present in the intersection of the trust sets of and . Such a number equals the maximum amount of Byzantine nodes assumed by the node, either or , that tolerates fewer Byzantine nodes. However, such a number cannot obviously exceed the size of the intersection itself.

Lemma 1 ([6])

Let be a QBTN. For any profile and node , if then for any ,

(3)
(4)

This lemma establishes a lower bound on the number of honest nodes with opinion that an honest node can observe in its trust set, given the number of nodes (not necessarily honest) that another honest node observes. It is used in the proof of Lemma 2. Notice that the upper bound in (4) is not necessarily strict as illustrated in the following example.

Example 1

Let be such that: , (recall ), and , . Let then be such that , , finally be such that and . We have that and see no honest node with opinion , and we thus have .

Lemma 2

Let be a safe uniform QBTN. Then for all :

It is worth observing that Lemma 2 establishes a conservative lower bound on the size of the intersection of trust sets required by safety. It is not difficult to construct uniform QBTNs where the intersection equals . This is the case, for instance, of BTNs where for all .

Lemma 3

Let be a uniform BTN. If for all ,

then

Theorem 3.1

In uniform QBTNs with quotas , safety implies the existence of nodes that are trusted by all honest nodes.

Proof

The result follows directly from Lemmas 2 and 3 and the observation that for we have .∎

If we understand decentralisation as the property of trust networks in which nodes have full freedom on whom to trust in the network, then the theorem can be interpreted as a general impossibility result for decentralised consensus based on QBTNs: if quotas are uniform, and set in a reasonable way in order to cope with the presence of Byzantine nodes in trust sets, then the existence of nodes that are trusted by everyone is a necessary condition for the safety of consensus. Furthermore, beyond limiting the choice of nodes, a (limited) set of such nodes clearly represents a dominant position and risk factor for the blockchain.

In general, Theorem 3.1 applies to any consensus protocol based on uniform BTNs. In particular, it applies to the Ripple consensus protocol, which uses quota (). In a way, Theorem 3.1 provides an ex-post analytical justification to the current design of the Ripple trust network where all trust sets are required to include the same subset of nodes (cf. [6]). Currently Ripple relies on a single UNL mostly controlled by Ripple, although plans for further decentralisation are under discussion. [Footnote 9: Cf. https://xrpcharts.ripple.com/.]

3.2 Safety and Quorum Intersection in BTNs

In this and the next section we consider the general case of (vetoed) BTNs, to which Theorem 3.1 does not apply. This more general setting applies to Stellar as presented in its white paper [30] where the Stellar consensus protocol does not presuppose uniformity of quotas. Actually, Stellar aims to offer open membership and freedom for nodes in choosing their own trust networks, which, together with BFT’s good scalability, would yield a decentralised and efficient blockchain, an interesting value proposition. In such a setting an intuitive necessary condition for safety is that trust networks are sufficiently ‘interconnected’, in the following sense.

Let be a vetoed BTN. A non-empty set is called a quorum if and only if , s.t. . Quora are, intuitively, sets of nodes that can form an agreement. Such sets need to be in a pairwise non-empty intersection relation.

Definition 5 (Quorum intersection [30])

A vetoed BTN enjoys quorum intersection (QI) whenever for any two sets , if and are quora, then .

Figure 1: Example from [30] of a vetoed BTN lacking QI. Arrows denote which nodes each node trusts (reflexive arrows omitted). and .

Example 2

In Figure 1 the quora are

This command game does not enjoy QI, but both of its disjoint components (with support and ) do. Suppose instead that , that is, also ‘looks at’ to determine its own value. Then the system would satisfy QI with quora:

Example 3

In a BTN where , , the set of all nodes is the unique quorum, and trivially enjoys quorum intersection.

In fact, there is a close relationship between quorum intersection and the property of weak safety:

Theorem 3.2

A vetoed BTN is weakly safe iff any two quora intersect and such intersection contains at least one honest node.

Clearly, nodes in a BTN cannot know which nodes are Byzantine so their best effort to guarantee weak safety is to guarantee QI is not violated. [Footnote 10: Although a BTN could be complemented by a failure model consisting of a set of sets of possible Byzantine nodes representing the possible failure scenarios that nodes should consider (cf. [42]).]

3.3 The intractability of maintaining quorum intersection

Quorum intersection is in fact assumed by all the existing correctness analyses of Stellar [30, 42]. It is furthermore stressed in [30, p. 9] that: “[…] it is the responsibility of each node to ensure [notation adapted] does not violate quorum intersection.”

The key question, from a safety perspective, becomes therefore whether single nodes can reasonably be tasked with maintaining QI. Apart from incentive issues, which have also been flagged [25], we argue that this is a problematic requirement from a merely computational standpoint. This might not be an issue in the current, small-scale, Stellar configuration (although an instance of QI failure has been recently reported [29]), but it is something to be considered in a path towards full decentralisation with a full-scale number of nodes and validators. As our analysis below shows, maintaining QI is a computationally intractable problem.

We present two results. First we show that deciding whether a given BTN satisfies QI is intractable. [Footnote 11: An equivalent result has been recently presented in [27]. That paper provides a proof of NP-completeness (via reduction from the Set Splitting Problem) of the complementary problem for which we prove coNP-completeness (via reduction from 3SAT).] Second, we show that deciding whether adding a new trust set with winning coalitions preserves QI on a given BTN, arguably the decision problem that nodes need to solve when linking to the Stellar network, is also computationally intractable (again coNP-hard). We argue that these results point to a possible computational bottleneck for the scalability of the consensus model of Stellar.

We start by defining the problem consisting of deciding whether QI holds in a given BTN.

Quorum-Intersection

  • Input: A BTN  where the sets  for  are listed explicitly. [Footnote 12: For the purpose of this and the following result we do not need to take into consideration the and elements of a BTN (Definition 1). We therefore omit them for conciseness.]

    Question: Is it the case that for each two quora , ?

Theorem 3.3

Quorum-Intersection is coNP-complete.

The intractability result of Theorem 3.3 says that it may be computationally hard, in practice, to check QI. Such a result is robust in the sense that the related problem of checking whether QI holds after the insertion of one new slice by a node into a system that already satisfies QI is also coNP-complete (actually coNP-hard).

Slice-Addition-Quorum-Intersection

  • Input: Two BTNs  and , such that  satisfies QI, and such that  is obtained from  by adding one single slice to  for some , where the sets  and  for all  are listed explicitly.

    Question: Is it the case that for each two quora  of  ?

Theorem 3.4

Slice-Addition-Quorum-Intersection is coNP-complete.
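
Both decision problems can be made concrete with a brute-force checker. The following is an added example, not code from the paper or from Stellar: it uses the standard FBAS reading of a quorum (a non-empty set in which every member has one of its slices inside the set), and the four-node vetoed network and all function names are constructed for illustration.

```python
from itertools import combinations

# Constructed vetoed BTN: every slice of a node contains the node itself.
BASE = {
    "a": [frozenset("ab")],
    "b": [frozenset("ab")],
    "c": [frozenset("ac")],
    "d": [frozenset("cd")],
}

def is_quorum(candidate, slices):
    """Non-empty set in which every member has a slice contained in the set."""
    return bool(candidate) and all(
        any(s <= candidate for s in slices[node]) for node in candidate
    )

def quora(slices):
    """Enumerate all quora by testing each of the 2^|N| - 1 non-empty subsets.
    This exhaustive search is what stops scaling as the network grows."""
    nodes = sorted(slices)
    found = []
    for size in range(1, len(nodes) + 1):
        for combo in combinations(nodes, size):
            candidate = frozenset(combo)
            if is_quorum(candidate, slices):
                found.append(candidate)
    return found

def qi_violation(slices):
    """Return a pair of disjoint quora (a witness that QI fails), or None.
    Two disjoint quora always contain two disjoint minimal quora, so only
    minimal quora need to be compared."""
    all_quora = quora(slices)
    minimal = [q for q in all_quora if not any(o < q for o in all_quora)]
    for first, second in combinations(minimal, 2):
        if not first & second:
            return first, second
    return None

def add_slice(slices, node, new_slice):
    """Copy of the network in which `node` declares one additional slice."""
    updated = {n: list(s) for n, s in slices.items()}
    updated[node].append(frozenset(new_slice))
    return updated

if __name__ == "__main__":
    print("quora before:", [sorted(q) for q in quora(BASE)])
    print("violation before:", qi_violation(BASE))
    after = add_slice(BASE, "c", {"c", "d"})
    print("violation after c adds {c, d}:", qi_violation(after))
```

In the constructed network a single locally reasonable slice, declared by one node, creates the quorum {c, d} that is disjoint from {a, b}; detecting this required re-enumerating the quora of the whole network.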

4 Quantifying Influence on Consensus in BTNs

Theorem 3.1 showed that, in uniform QBTNs, safety implies the existence of nodes that are trusted by all honest nodes. While this can definitely be interpreted as a high level of centralisation required by safety, it is worth trying to precisely quantify the effect that the existence of all-trusted nodes has on consensus. In PoW and PoS protocols it is straightforward, at least by first approximation, to understand what the influence of each node is on the consensus process: each node will be able to determine a fraction of blocks corresponding to the node’s share of total hashing power (PoW) or of total stakes (PoS). For consensus based on voting on trust structures, like in Ripple and Stellar, quantifying nodes’ influence in a principled way is not obvious. This section proposes a methodology for such quantification that leverages the theory of voting games.

4.1 Influence Matrices

Within a BTN, a simple game is associated to each honest node. The Penrose-Banzhaf index [33, 1] of in the simple game of node is

(5)

which measures the probability that node is pivotal in a coalition to determine ’s opinion, assuming all other agents in have uniformly random opinions. Indeed if allows a decision to be made, and otherwise. Informally speaking, the sum counts all the cases in which is needed to enable the decision of , normalised on the possible coalitions without .

For any agent we stipulate , as nodes that does not trust cannot influence ’s opinion directly (they are ‘dummy agents’ in the game-theoretic jargon). Byzantine nodes are assigned degenerate simple games containing a singleton winning coalition containing themselves (cf. Remark 1 above). Byzantine agents cannot be influenced: for all from the degenerate simple game associated to we have , and for each . The normalised version of the Penrose-Banzhaf index is:

(6)

Given a BTN, we associate to each honest node a vector of normalized Penrose-Banzhaf indices capturing the influence that each node has on . Clearly and only if , for any . Notice that the vector of a Byzantine node is degenerate: and for each .

It follows that each BTN can be described by a stochastic matrix

where denotes the normalized Penrose-Banzhaf index of node in the simple game associated to . We call such matrix the influence matrix (of ). We will drop reference to when not needed. The matrix encodes the influence that each node has on each other. Matrices of this type have a long history in the mathematical modeling of influence in economics and the social sciences dating back to [14, 8], and have recently received renewed attention [23]. [Footnote 13: See also [34, 35] for an overview of such models.] Similar matrices, but based on the Shapley-Shubik power index [38] instead of the Penrose-Banzhaf one, have more recently been studied in [22, 21]. [Footnote 14: For a comparison between these two power indices we refer the reader to [12].]

Example 4

Consider the following BTN with no Byzantine nodes and consisting of 6 agents all having a same set of 5 agents as trust set: , for all and for all . By (5) and (6) for each we have and , for each node . The influence matrix describing this BTN consists of 6 identical row vectors

Consider now a variant of the above BTN where node is Byzantine. The influence matrix describing this variant consists of 5 identical vectors for the rows corresponding to nodes and , and the degenerate row vector for the row of node . That is, all the nodes in have the same influence on honest nodes, but no honest node influences .

4.2 Limit Influence

Pushing further the game theoretic framework, by using an influence matrix we can pinpoint the influence of any node on determining node ’s opinion:

represents the probability that can directly sway to validate a value . This is ’s direct influence on .

represents the probability that can sway ’s opinion in two steps, by swaying the opinion of an intermediate node which in turn sways ’s opinion directly. This is ’s indirect (-step) influence on .

more generally represents ’s indirect (-step) influence on .

So the influence (direct or indirect) of on in a BTN is given by the total probability of all ways in which can sway ’s opinion. Formally this amounts to provided such limit exists. In yet other words, this denotes the likelihood that is able to determine the value validates.

We are then in the position to quantify what the influence is of each node on every other node by taking the limit of the power of the influence matrix of the BTN , that is:

(7)

If the limit matrix in (7) exists, we say that the influence matrix is regular. We say that it is fully regular when its limit matrix exists and it is such that all rows are identical. [Footnote 15: The ‘regularity’ and ‘full regularity’ terminology are borrowed from [15] and [34].] Intuitively, regularity means that it is possible to precisely quantify the influence of each node on each other node; full regularity means that every node has the same influence on every other node.

Example 5

Consider again the two BTNs introduced in Example 4. In the first case, where all nodes are honest, all nodes belonging to some trust set have positive and—given the symmetry built in the example—the same influence:

In the second case, where node is Byzantine, the only node having positive influence (total influence in this example) is precisely :

In other words, the only node having influence on which values will be validated by other nodes, and therefore which values will be agreed upon, is the Byzantine node.
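
Examples 4 and 5 can be reproduced numerically. The code below is an added illustration, not part of the paper: it computes normalised Penrose-Banzhaf rows by enumerating swings, builds the influence matrix and iterates its powers. The node labels 1 to 6, the choice of node 5 as the Byzantine node and the 4/5 quota are assumptions, since those values are not preserved on this page.

```python
from fractions import Fraction
from itertools import combinations
from math import ceil

# Constructed setting in the spirit of Example 4: six nodes, all trusting {1..5}.
NODES = [1, 2, 3, 4, 5, 6]
TRUST = {i: frozenset({1, 2, 3, 4, 5}) for i in NODES}
QUOTA = Fraction(4, 5)  # assumed quota; the page does not preserve the value

def banzhaf_row(nodes, trust_set, wins):
    """Normalised Penrose-Banzhaf index of every node in one node's simple game.
    `wins(coalition)` says whether a coalition settles that node's opinion."""
    raw = []
    for j in nodes:
        if j not in trust_set:          # untrusted nodes are dummy players
            raw.append(Fraction(0))
            continue
        others = sorted(trust_set - {j})
        swings = 0
        for size in range(len(others) + 1):
            for combo in combinations(others, size):
                c = frozenset(combo)
                # j is pivotal when c loses but c together with j wins
                swings += int(wins(c | {j})) - int(wins(c))
        raw.append(Fraction(swings, 2 ** len(others)))
    total = sum(raw)
    return [r / total for r in raw]

def influence_matrix(nodes, trust, quota, byzantine=frozenset()):
    """Row i holds the influence of every node on node i (rows sum to 1)."""
    rows = []
    for i in nodes:
        if i in byzantine:              # degenerate game: only i sways i
            rows.append([Fraction(int(j == i)) for j in nodes])
            continue
        t, need = trust[i], ceil(quota * len(trust[i]))
        rows.append(banzhaf_row(nodes, t,
                                lambda c, t=t, need=need: len(c & t) >= need))
    return rows

def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def limit_influence(matrix, tol=1e-12, max_steps=5000):
    """Iterate matrix powers until they stop changing; None if they never do
    within max_steps (the matrix is then treated as not regular)."""
    p = [[float(x) for x in row] for row in matrix]
    q = p
    for _ in range(max_steps):
        nxt = matmul(q, p)
        if max(abs(x - y) for r1, r2 in zip(nxt, q) for x, y in zip(r1, r2)) < tol:
            return nxt
        q = nxt
    return None

if __name__ == "__main__":
    honest = influence_matrix(NODES, TRUST, QUOTA)
    print("honest row:", [str(x) for x in honest[0]])
    with_byz = influence_matrix(NODES, TRUST, QUOTA, byzantine={5})
    for row in limit_influence(with_byz):
        print([round(x, 6) for x in row])
```

With all nodes honest every row is (1/5, 1/5, 1/5, 1/5, 1/5, 0) and the powers are already stationary; once node 5 is Byzantine, every row of the limit concentrates on node 5.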

4.3 Limit Influence in Ripple and Stellar

Theorem 3.1 established that in uniform QBTN, and therefore Ripple, safety requires centralisation in the sense of requiring a non-empty set of nodes trusted by all other nodes. While this does not apply in general to Stellar, recent studies have highlighted that Stellar enjoys a similar level of centralisation. (Footnote 16: Data analysis of the current Stellar network has shown [25] that one of the three Stellar foundation validators is included in all trust sets.) If we treat the Stellar foundation as operating as one node, Stellar satisfies de facto the same level of centralisation that we have shown is analytically required for Ripple.

Here we put the above methodology to work to study limit influence in centralised BTNs, that is, BTNs where nodes exist that are trusted by all nodes. We show (Theorem 4.1) that: the existence of nodes trusted by all nodes makes it possible to establish limit influence (first claim); this limit influence is such that every node has the same limit influence on every other node (second claim) when at most one Byzantine node exists in the BTN; but if even just one all-trusted node trusts a Byzantine node, no honest node has limit influence on any other honest node (third claim). That is, in a centralised BTN the power of determining consensus values is all in the hands of Byzantine nodes.

Theorem 4.1

Let be a BTN. If is such that then:

  1. is regular;

  2. is fully regular if in addition is such that ;

  3. and, if there exists such that then for all , .

Again, it is worth noticing that this is a general protocol-independent result: it concerns all protocols working on centralized BTNs. In particular, it applies to the setup of the Ripple trust network under the assumption of safety (by Theorem 3.1) and to the current setup of the Stellar trust network.
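The limit-influence computation of Sections 4.2 and 4.3, worked through as an added Python example that is not code from the paper. It assumes a concrete weighting (an honest node weighs its trust set uniformly, a Byzantine node is swayed only by itself), and the trust sets and all function names are constructed for illustration.

```python
# Added illustration, not code from the paper. Assumed model: an honest node
# weighs the members of its trust set uniformly; a Byzantine node is swayed
# by nobody but itself. All trust sets below are constructed sample data.

def influence_matrix(trust, byzantine=frozenset()):
    """Row i holds the direct influence of each node j on node i."""
    n = len(trust)
    rows = []
    for i in range(n):
        members = {i} if i in byzantine else set(trust[i])
        rows.append([1.0 / len(members) if j in members else 0.0
                     for j in range(n)])
    return rows

def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def limit_influence(m, squarings=60, tol=1e-12):
    """Return the limit of m^k, or None when the powers never settle."""
    p = m
    for _ in range(squarings):
        nxt = matmul(p, m)  # m^k against m^(k+1): exposes periodic matrices
        if max(abs(x - y) for r, s in zip(p, nxt) for x, y in zip(r, s)) < tol:
            return p
        p = matmul(p, p)    # jump from m^k to m^(2k)
    return None

def fully_regular(limit, tol=1e-9):
    """True when the limit exists and all of its rows are identical."""
    return limit is not None and all(
        abs(x - y) < tol for row in limit for x, y in zip(row, limit[0]))

# Node 0 is in every trust set, and node 0 itself trusts node 3.
TRUST = [{0, 1, 3}, {0, 1, 2}, {0, 2, 3}, {0, 3}]
ALL_HONEST = limit_influence(influence_matrix(TRUST))
NODE3_BYZANTINE = limit_influence(influence_matrix(TRUST, byzantine={3}))
# No commonly trusted node: two nodes that trust only each other.
TWO_CYCLE = limit_influence(influence_matrix([{1}, {0}]))

if __name__ == "__main__":
    for name, lim in [("all honest", ALL_HONEST),
                      ("node 3 Byzantine", NODE3_BYZANTINE),
                      ("two-cycle", TWO_CYCLE)]:
        print(name, "regular:", lim is not None,
              "fully regular:", fully_regular(lim))
        for row in lim or []:
            print("  ", [round(x, 3) for x in row])
```

Under this assumed model the all-honest network gives every node the same positive row of limit influences, while marking node 3 Byzantine moves all limit influence to node 3; the two-cycle has no limit at all.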

5 Conclusions

We have presented a framework to quantitatively characterise decentralisation, a foundational and highly innovative property of blockchain technologies. Although largely discussed, decentralisation is hard to define, as it is a complex property depending on many aspects of the multidisciplinary and multi-layered design of blockchains. As a consequence, it is also a property that is difficult to define formally and to analyse quantitatively.

We have addressed decentralisation in the specific context of BFT consensus based on open quorum systems, showcasing the relevance of tools from economic theory (command games, power indices) and computational complexity theory. We argue that the obtained results show this is a promising general approach to the formal analysis of decentralisation.

We focused on a general class of consensus, linking decentralisation to a precise measure of the influence of each peer in the network (a theme largely studied in economics), an analysis of the structural properties of the consensus network, and the computational complexity of some proposed solutions. The obtained limiting results on Ripple and Stellar are coherent with the current practice and the proposals that industry is putting forward to improve decentralisation.

Our results point to several avenues of future research. We are planning to extend our analysis to other blockchains based on BFT consensus that are currently being developed, notably Cobalt [10] as an evolution of the Ripple/Stellar tradition. These will offer interesting use cases for benchmarking our approach. More generally, we also want to explore the applicability of the methodology beyond the framework of Byzantine Trust Networks, since measures of the relative influence of peers are of interest for other blockchain frameworks, e.g. PoS. At the same time, we also intend to build on such measures to address the relationships between influence, decentralisation and, crucially, revenue. Properly understanding such mechanisms will serve the long-term goal of designing more reliable and robust blockchains.

On the application side, the development of a prototype analysis toolkit and collection of relevant data is also an ongoing activity.

Appendix 0.A Proofs

0.A.1 Proofs of Section 2

0.A.1.1 Lemma 1

Proof

(3) Assume . Under this assumption observes at least nodes with opinion in . Those are the honest nodes among the nodes with opinion that both and can observe. So

Now among the nodes in there are at most Byzantine nodes that could reveal the opposite opinion to j. So,

The claim is finally established by the following series of (in)equalities:

(4) Assume . By (3), whenever only the honest nodes in have opinion . It follows that

This completes the proof. ∎

0.A.1.2 Lemma 2

Proof

The proof consists of two sub-arguments. First we show that safety implies that, for all :

(8)

By safety, if with , then for all . Assume with . By Lemma 1 and safety we have:

From we thus obtain

as desired. (Footnote 17: Cf. [6, Proposition 4].)

Second, we show that safety also implies that, for all :

(9)

We have established that safety implies that for all , (8), that is, the size of the intersection of the trust sets of and should be larger than the maximum possible fraction of Byzantine nodes times the combined size of the trust sets, plus . Now recall the definition of (2). By (8) it cannot be the case that . So where is the smallest set between and . Now assume, w.l.o.g. that and so that with . By (8) we have:

From this, and the fact that a set is always at least as large as its intersection with another we obtain a lower bound for by the following series of inequalities:

By substituting for in (8) we thus obtain a lower bound for in . We then reformulate (8) in terms of the combined size of the two trust sets:

So safety implies that the size of the intersection of and must be larger than the fraction of the combined size of the two sets. ∎

0.A.1.3 Lemma 3

Proof

The proof is by induction on . Base if the claim holds trivially. Step Now assume the claim holds for (IH). We prove it holds for . So assume for all , , and let be the node in . By IH we know that . Now take one of the smallest (w.r.t. size) with and call it . There are two cases. . Then . Since was smallest amongst the , it also holds that . From this we conclude that . Then . Since was smallest amongst the , it also holds that , from which we also conclude . ∎

0.A.1.4 Theorem 3.2

Proof

Left to right Straightforwardly proven by contraposition. Right to left Proceed by contraposition and assume there is a profile , a function and agents and such that all agree on and all agree on . Observe that and are quora containing (since the BTN is vetoed) and . There are two cases. Either , or if that is not the case then as only Byzantine nodes can reveal different opinions to different nodes. Hence and are either disjoint or their intersection contains only Byzantine nodes. ∎

0.A.1.5 Theorem 3.3

Proof

To see that the problem is contained in coNP, we describe a nondeterministic polynomial-time algorithm to decide whether  does not have the quorum intersection property. The algorithm guesses two disjoint sets . Then, for each  and for each , the algorithm checks if there is some  such that . That is, the algorithm verifies that  and  are quora (which is the case if and only if all checks succeed). Clearly, all checks can be performed in polynomial time. Thus, deciding whether  has the quorum intersection property is in coNP.

To show coNP-hardness, we reduce from the coNP-complete propositional unsatisfiability problem (UNSAT). Let  be a propositional formula containing the propositional variables . Without loss of generality, we may assume that  is in 3CNF, i.e., that  and that for each , where  are literals. We construct a command game  that has the quorum intersection property if and only if  is unsatisfiable.

We let:

That is, we have nodes , a node  for each clause of , and nodes  for each variable occurring in .

We define the sets of winning coalitions of the nodes in  as follows: