## I Introduction

Since 2008, blockchains have been gaining increasing attention for its revolutionary innovations which may make radical changes in many fields: payments and money transfers, voting [1], intellectual property and digital rights management, sharing economy [2, 3, 4], social media [5, 6], supply chain management (HyperLedger)[7], energy management, government and public records [8, 9], and so on [10]. The philosophy of blockchain is *decentralization* and *disintermediation*: multiple untrusted or semi-trusted parties can directly and transparently interact with each other without the presence of a trusted intermediary. This property makes blockchain particularly appealing to financial institutions suffering from huge middleman costs in settlements and other back office operations.

So far, despite many breakthroughs and improvements, blockchain, compared to its traditional counterparts, still faces major hurdles before widespread adoption including but not limited to stability, performance and scalability. As per these properties, consensus protocols are the corner stone and are closely linked to them. Based on the same consensus protocol, all nodes will agree on the same criteria to pack, verify and mine a block. A consensus protocol is the vital safeguard to guarantee the blockchain’s health and legality: only legal blocks (meeting the criteria of consensus protocol) can be added to the blockchain while illegal ones will be rejected. Two key properties that a consensus protocol should have: (i) completeness, legal requests from correct clients are eventually processed, and (ii) consistency, if an honest node accepts (or rejects) a value then all other honest nodes make the same decision. Consensus is not a new topic: the distributed systems community has extensively studied it for decades, and developed robust and practical protocols that can tolerate faulty and malicious nodes [11, 12]. However, these protocols were designed for closed groups and blockchains have a higher requirement for zero fault tolerance.

The Proof-of-Work (PoW) consensus algorithm first implemented by Bitcoin’s blockchain requires all miners to find the solution to a hash puzzle. Then the first miner to find the solution will claim the winnership and get the mining reward. Due to the probabilistic and one-way transformation process with a nonce to its hash, this kind of PoW consensus algorithm works well in keeping Bitcoin’s decentralized network consistent and secure. However, there exists a big issue to this kind of PoW consensus algorithm: heavy load in hash arithmetic results in rewards dominated by machines with hashrate advantage like GPUs and ASICs (50 TH/S). This deeply discourages a great population of users from joining the mining with regular personal computers (1-100 MH/S) [13]. More importantly, only with “decentralized distributed reward”, a robust and secure decentralized blockchain’s peer-to-peer network can be formed and thrive[14].

In this paper, we will present a new PoW consensus algorithm used in Seele’s main-net, MPoW (Matrix-Proof-of-Work). Compared to Bitcoin’s PoW consensus algorithm, MPoW requires miners to compute the determinants of submatrices from a matrix constructed with hashes other than brute-force-hashing using a hash function to find the target. This paper will evaluate this algorithm’s compatibility with difficulty adjustment. Then we will discuss its efficiency in countering machines with hashrate advantage, and its feasibility to personal computers. We believe more innovative consensus protocols can be developed based on this algorithm.

## Ii Theoretical Foundation

### Ii-a SHA function: security and feasibility

A blockchain consensus algorithm must be secure and hard to compute but easy to verify. A secure hash algorithm (SHA) function can be informally defined as a function that maps a message of arbitrary length to a fixed length (-bit) hash value, is easy to compute but hard to invert, and in which a collision, finding two different messages with the same hash value, is computationally infeasible.

Specifically, a strong cryptographic hash function is usually expected to satisfy the following requirements[15]:

(i) Collision resistance : it must be computationally infeasible to find any two distinct messages and such that = . The best collision resistance one can hope to achieve with an -bit hash function is upper bounded by the complexity of a birthday attack[16].

(ii) Preimage resistance (one wayness) : given the hash value of an unknown message , it must be computationally infeasible to find any message (equal or not to M) such that = . The best preimage resistance one can hope to achieve with an -bit hash function is upper bounded by the complexity of an “exhaustive” search.

(iii) Second preimage resistance (weak collision resistance) : given any known message and its hash value, it must be computationally infeasible to find any message distinct from such that = . The best preimage resistance one can hope to achieve with an -bit hash function is upper bounded by the complexity of an “exhaustive” search.

Requirement (i) is by far the most important one in practice for the assessment of any candidate hash function such as the one considered in this paper, since:

• A collision resistant hash function is necessarily second preimage resistant, i.e. (i) (iii);

• Although some theoretical counter examples of the implication (i) (ii) are easy to construct, for most algorithms in practice, the existence of a computationally feasible preimage search attack would automatically result in a computationally feasible collision search attack. Specifically, assuming a preimage search attack exists, to prove that collision search attack also exists, one just have to draw a sufficient number of messages from a sufficiently large set of messages, and then apply the preimage search attack to until eventually an preimage distinct from M is be found.

Thus, in order to assess the security of a candidate cryptographic hash function, such as the one analyzed in this paper, it is nearly sufficient to restrict oneself to the investigation of the collision resistance properties of the considered function and of the collision resistance properties on the underlying compression function.

### Ii-B Random matrix

As we discussed previously, the secure hash algorithms (SHAs) are designed to be one-way functions. Additionally, SHAs exhibit the avalanche effect, where the modification of very few letters to be encrypted causes a significant change in the output. Hence, SHAs will provide random results. If we use specific number of random hashes to construct a matrix, the matrix will be a “random” matrix. Herein, we discuss more details about random 0/1 matrices.

For simplicity, we start with results on

matrices with iid uniformly distributed elements. Let

(1) |

be a matrix with elements ( = 1,2) where

are iid random variables with density,

if ,

(2) |

if ,

(4) |

(5) |

(6) |

(7) |

if ,

(8) |

if ,

(9) |

Using the expression given as above, Williamson shows a graph of probability density of (the determinant of a random matrix with independent element uniformly distributed on [0,1])[17]. The density graph of the determinants peaks at 0 with a symmetry between positive and negative determinants. Moreover, as determinant value distances from 0, the density drops exponentially. Komlos has studied the singularity of random matrices and has shown that if ( = 1,2,…) are iid with a non-degenerate distribution[18], then

(10) |

## Iii Results

In this section, we will show the results got from our Seele’s main-net where we implement our new PoW consensus algorithm. Fig.1 presents the results on matrices with iid uniformly distributed elements constructed with hashes. Similar to results in Williamson’s paper[17], our histogram of determinants of matrices (the size of data set is around 1 million) shows a peak at around 0, and as determinant value deviates from 0, the frequency decreases exponentially. All results agree well with the data from the forementioned paper.

For matrices constructed with specific number of hashes, we also observe that as the dimension increases, the frequency of matrix whose determinant is 0 decreases[18]. The singularity of a random matrix is out of scope of this paper, which we won’t discuss in details here.

As seen in Fig. 1, the distribution of determinant is symmetrical with a mean value around 0. In Fig.2, we count the number of submatrices with non-negative determinants, selected from matrices constructed by 30 hashes (for convenience, we call those submatrices as “large submatrices”). Equation.10

shows that as the dimension goes up, the number of submatrices with 0 determinant decreases and approaches 0. When dimension equals 30, we can ignore the count of submatrices whose determinant is 0. Therefore, the probability of “large submatrices” will be close to 50% and the number of “large submatrices” has the highest probability at 113 with a well defined normal distribution.

A (-1,1)-matrix having a maximal determinant is known as a Hadamard matrix [19]. The same bound of applies to such matrices, and sharper bounds are known when the size of the matrix is not a multiple of 4. A summary of what is known about such bounds is given by Orrick and Solomon[20].

For a (0,1)-matrix, Hadamard’s bound can be improved to

(11) |

For an (0,1)-matrix (i.e., a binary matrix), the largest possible determinants for =1, 2, … are 1, 1, 2, 3, 5, 9, 32, 56, 144, 320, 1458, 3645, 9477, … (OEIS A003432[22]). The numbers of distinct binary matrices having the largest possible determinant are 1, 3, 3, 60, 3600, 529200, 75600, 195955200, 13716864000, … (OEIS A051752[23]).

## Iv Discussion

In this section, we will discuss the performance of our new MPoW consensus algorithm from the perspectives of block- time, difficulty adjustment and its efficiency in preventing machines with hashrate advantage, such as ASICs or GPUs, from dominating all mining rewards.

### Iv-a Mining

First of all, we will discuss the difficulty adjustment for our MPoW consensus algorithm. As more and more nodes (miners) join into the peer-to-peer network, stabilization of the network’s mining process require a stale block time to guarantee safety and decentralization. On the other hand, the block difficulty adjustment of MPoW algorithm needs to be gradual and smooth to achieve a stable block time (for Seele’s main-net, the goal of block time is 10 ). As shown in the Fig.1 and Fig.2

respectively, there is a well-defined probability distribution for determinants of submatrices and for the number of “large submatrices”.

The difficulty adjustment formula is defined as follows:

(12) |

Where: is the current block difficulty, is the previous block difficulty, is the current block time, is the previous block time, and is the smooth factor which is set to 2048 for Seele’s main-net.

The block mining process will try to find a target matrix which meets two criteria:

(i) The determinant of the submatrix constructed by first 30 columns and 30 rows meets:

(13) |

If the matrix meets the first criterion, in order to increase the calculation time percentage of mining a block, our MPoW consensus algorithm further requires the miner to calculate determinants of all submatrices and the number of the “large submatrices” to be as large as .

(ii) is defined as:

(14) |

where is the row size of target matrix, here we use = 30.

In Fig.3, we present the difficulty and block time curves over block index. In order to better see the correlation between difficulty and block time, we intentionally set the smooth factor in Equation(12) to 1. Generally, there is a strong correlation between the difficulty (red curve) and block time (blue curve). The difficulty is subsequently adjusted to be smaller if the block time increases, vice versa. This indicates our difficulty function works quite well in dynamically adjusting the difficulty. The target matrix finding process is feasible and within a reasonable block time. For a better look, we also fit the block time with a sinusoidal function as in Fig.3. The coefficient values from the fitting curve roughly give us an average block time of 14 seconds which well matches our 10 seconds block time goal considering other processes, such as packing a block, takes some extra time. Finally, note that if we set smooth factor to 2048 other than 1 (as we use in our Seele’s main-net), the curves of difficulty and block time will be smoother with smaller deviations.

### Iv-B Time Distribution

Second, in the Fig.4, we show the results of hash time percentage within mining a block. The hash time percentage in the inset diagram of Fig.4 shows a clear regression to 30% with some random fluctuations. The histogram further confirms that the hash time percentage during mining a block is around 30%. By comparison, traditional PoW consensus algorithms, requiring miner to solve a hash puzzle, will take up almost 100% of hash time when mining a block. However, hash time percentage is balanced out by our new MPoW consensus algorithm’s requirement: miner should further construct a matrix and calculate the determinants of its submatrices instead of just hashing. In this case, we can not only keep the blockchain safe and feasible with one-way data conversion using SHA function but also eliminate the advantage of machines with high hashrates.

## V Summary

In this paper, we introduce a new PoW consensus algorithm (MPoW) which requires miner to use SHA function to get specific number, hashes and then use these hashes to construct a matrix() that satisfies two criteria: the determinant of first submatrix should be not less than a target which can be dynamically adjusted based on the block time; Also, the number of submatrices with non-negative determinants should be larger than another given value. This MPoW consensus algorithm can efficiently eliminate the dominant advantage of machines whose hashrates are hundreds or thousand of times larger than personal computers. This consensus algorithm may pave the way to a real decentralizated blockchain. Furthermore, our new PoW (MPoW) consensus algorithm provides a new way to utilize the properties of a matrix to implement an efficient and secure blockchain’s consensus algorithm. SeeleTech’s research and development team will keep making an effort in this field and contributing to our community.

## References

- [1] Follow My Vote. https://followmyvote.com.
- [2] Lazooz. http://lazooz.org.
- [3] Arcade City. https://arcade.city.
- [4] LemonWay. https://www.lemonway.com/en/.
- [5] Akasha. https://akasha.world.
- [6] Steem. https://steem.io.
- [7] Hyperledger’s Sawtooth Lake Aims at a Thousand Transactions per Second. https://www.altoros.com/blog/hyperledgers-sawtooth-lake-aims-at-a-thousand-transactions-per-second/.
- [8] The Illinois Blockchain Initiative. https://illinoisblockchain.tech.
- [9] The Economist. Governments may be big backers of the blockchain. goo.gl/uEjckp, 2017.
- [10] C. INSIGHTS. Banking Is Only The Beginning: 30 Big Industries Blockchain Could Transform. https://www.cbinsights.com/research/industries-disrupted-blockchain/, 2017.
- [11] M. Castro, B. Liskov, et al, Practical Byzantine fault tolerance. In OSDI, volume 99, pages 173–186, 1999.
- [12] L. Lamport. The part-time parliament. ACM Transactions on Computer Systems (TOCS), 16(2):133–169,1998.
- [13] Hash Rate Comparison. https://en.bitcoin.it/wiki/Mining_hardware_comparison.
- [14] Wei Bi, Huawei Yang and Maolin Zheng. “An Accelerated Method for Message Propagation in Blockchain Networks”. http://arxiv.org/abs/1809.00455.
- [15] Handschuh, Helena and Gilbert, Henri. Evaluation Report Security Level of Cryptography–SHA-256. https://www.researchgate.net/publication/242782685_Evaluation_Report_Security_Level_of_Cryptography_-_SHA256.
- [16] Daniel J. Bernstein. Cost analysis of hash collisions: Will quantum computers make SHARCS obsolete? http://cr.yp.to/hash/collisioncost-20090823.pdf.
- [17] R.C Williamson and T Downs. The inverse and determinant of a 2x2 uniformly distributed random matrix. http://www.sciencedirect.com/science/article/pii/0167715288900442.
- [18] Komlos, J. On the determinant of random matrices. 1968.
- [19] Joel Brenner and Larry Cummings. The Hadamard Maximum Determinant Problem. https://doi.org/10.1080/00029890.1972.11993099.
- [20] Orrick, W. and Solomon, B. Known Bounds on Maximal Determinants. http://www.indiana.edu/ maxdet/bounds.html.
- [21] Faddeev, D. K. and Sominskii, I. S. Problems in Higher Algebra. 1965.
- [22] OEIS A003432, http://oeis.org/A003432.
- [23] OEIS A051752, http://oeis.org/A003432.