TrueChain: Highly Performant Decentralized Public Ledger

05/03/2018 ∙ by Archit Sharma, et al. ∙ Proton Technologies AG TrueChain 0

In this paper we present the initial design of truechain consensus protocol and other technical details. Briefly, our consensus design enjoys the same consistency, liveness, transaction finality and security guarantee, a de-facto with the Hybrid Consensus. We discuss optimizations like frequency of rotating committee members and physical timestamp restrictions. We go on to propose the idea of a new virtual machine on top of Ethereum which adds permissioned-chain based transaction processing capabilities in a permissionless setting. We also use the idea of data sharding and speculative transactions, evaluation of running of smart contracts in a hybrid cloud infrastructure and usage of existing volunteer computing protocols for something we introduce as a compensation infrastructure. In the next version of this Yellow Paper, we will address some of these properties formally along with few of the future directions listed at the end of the paper.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

page 5

page 6

page 7

page 8

Code Repositories

TIPs

Truechain Improvement Proposals and related documentation including roadmap


view repo
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

With the surging popularity of cryptocurrencies, blockchain technology has caught attention from both industry and academia. One can think blockchain as a shared computing environment involving peers to join and quit freely, with the premis for a commonly agreed consensus protocol. The decentralized nature of blockchain, together with transaction transparency, autonomy, immutability, are critical to crypocurrencies, drawing the baseline for such systems.

However top earlier-designed cryptocurrencies, such as Bitcoin[23] and Ethereum[11], have been widely recognised unscalable in terms of transaction rate and are not economically viable as they require severe energy consumptions and computation power. Other contenders such as EOS, whose consensus is based on delegated proof of stake (DPoS), achieves significantly higher transactions per second (tps) by making sacrifices in decentralization.

With the demand of apps and platforms using public blockchain growing in real world, a secure protocol that enables higher transaction rates, sacrificing the least possible decentralization is a main focus the new system. For example, consider a generic public chain that could host computationally intensive peer to peer gaming applications with a very large user base. In such a chain, if it also hosts smart contracts to digital advertisement applications, online education courses, decentalized exchange, we could easily expect a huge delay in transaction confirmation times.

There are other models like delegated mechanism of Proof of Stake and Practical Byzantine Fault Tolerant (PBFT) protocols[13]. The PBFT protocol ensures safety as long as only one third of the actors in the system are intentionally/unintentionally malacious adversaries, at a time[19]. The Byzantine assumption is easily satisfied in a permissioned environment; in a permissionless environment however, it is generally difficult to guarantee. DPoS’s attempt to mitigate this problem is, effectively, by adding a barrier to entry for the Byzantine committee, and a costly punishment for those who commit fraud. Namely, stakeholders using a token-weighted vote system to form the Byzantine committee (typically less than 30 nodes). However, decentralization is lost here because we can expect the same nodes being voted in each round, by the biggest cartel of token holders in the network.

In this Paper, we propose Minerva, a Hybrid Protocol[26] which incorporates a modified form of PBFT (Practical Byzantine Fault Tolerance)[13] and PoW (Proof of Work) consensus. The PoW consensus ensures incentivization, committee selection and committee auditing, while the PBFT layer acts as a highly performant consensus with capabilities like instant finality with high throughput, transaction validation, rotating committee for fair trade economy and a compensation infrastructure to deal with non-uniform infrastructure. The nature of hybrid protocol allows it to tolerate corruptions at a maximum of about one third of peer nodes.

2. Background

2.1. Related Works

The core strength of this proposal lies in the recognition of the theorems proposed in the hybrid consensus protocol[26] by Pass and Shi. We benefit from the fact that there is a lot of design space for further optimizations in that paper. The use of DailyBFT as committee members allows for the rotating committee feature which provides for better fairness for the consensus validating peers.

Hybrid consensus follows a design paradigm where PBFT and PoW are combined together so that it enjoys best of both worlds. In general, hybrid consensus will utilize PBFT protocols, which by default works in a permissioned setting where all the identities are known a priori, as a fast path dealing with large amount of incoming transactions. While PoW protocols choose the BFT committee based on a node’s performance in PoW. This provides the barebone necessary to deal with dynamic membership and committee switching in the permissionless setting.

2.2. Assumptions

The Minerva protocol is designed to operate in an permissionless environment, where each node agree to update their via a common consensus. Taking network delays into consideration, that view from each node may look different from others. Hence, the network in general will be at an asynchronous state, consistency only happens before the last blocks, where is a natural number.

Let denote the view of from node at time

. The following security requirements must be guaranteed with overwhelming probability.

  • Consistency: If is an honest node, there exists independent of , such that is constant with respect to . We denote this value by .

  • Liveness: Let be transactions presented to an honest node at time . There exist , independent of , such that for all honest nodes .

To ensure the above security requirement is met, the following parameters will play an important role in managing chain security.

  • Chain quality : Proportion of honest nodes in a Byzantine committee. In the case of a PoW chain, represent the proportion of last blocks mined by honest nodes.

In a permissioned Byzantine network, it is often safe to assume that chain quality to stay above . To satisfy the security requirements in a permissionless setting, we must invent new protocols to manage chain quality in such a way that it stays above with overwhelming probability.

2.3. Adversary Model

Our adversary model follows the assumptions in [26] where adversaries are allowed to mildly adaptively corrupt any node, while corruptions do not take effect immediately. In section 4 of the Yellow Paper, we will formally explain our adversary model, and talk about modifications in Universal Composabililty model [12] and  [15].

3. Blockchain, Blocks, State and Transactions

We now introduce the structure of our blockchain, and their underlying details.

3.1. The Blockchain

Our blockchain design is largely based on Hybrid Consensus by Pass and Shi [26], with several modifications and improvements in order to tailor for the application scenarios that we focus on. In this subsection we will present an overview of the Minerva protocol, while focusing mainly on the development of the blockchain. Details on the consensus itself is left to the next section.

Under the protocol proposed by [26], the hybrid blockchain is a union of two blockchains. A and a , whose entire ledger history is denoted by and respectively. The can be thought of as the union of chains, where each chain the output of the Byzantine committee during its term of service.

Nodes in the act as Byzantine committee members, they reach consensus via PBFT voting[13]. Transactions and smart contracts are executed on the to achieve high throughput. Members of the Byzantine committee randomly rotate once every fixed period of time , and the new committee is selected from PoW miners in a meritocratic fashion. This will enhance decentralization, as anyone with a computer can join and become a PoW node. Observe that in the limiting case, where we take committee rotating frequency to one snail block and committee size equal to 1, we will recover the traditional PoW consensus.

For the remainder of this subsection, we will talk about each component of the blockchain in detail.

3.2. Fastchain

A permissioned BFT committee in the classical setting of [13] is a set of nodes, capable of communicating with each other, vote to agree or disagree to a proposal proposed by the leader. We make no assumptions that these nodes trust one another, in fact, a subset of these nodes may be corrupted adversaries. Through deep analysis of the Byzantine generals problem in [19], the authors have concluded that a consensus is always reachable when of the nodes are honest.

Under this assumption, a transaction is processed on the as follows.

  • The leader propose a set of transactions that she think are valid. That is, the digital signature of the sender, and if any illegal states are created as a result of executing . She then sign off with her digital signature, and broadcast to other committee members.

  • Upon receiving the proposal, committee members checks for validity of . Sign off and broadcast if they think it’s valid.

  • Upon hearing affirmative votes, committee member nodes update to their .

  • has now been included a fast block, meaning a block on the . The block will be broadcasted to PoW nodes as a message , that contain a and a number.

Changes to the protocol is necessary as it is difficult to guarantee of the committee members are necessarily honest in a permissionless setting. Instead, we need to invent new protocol to ensure stays above under the adversary model described in section 4.2. We will talk in depth about chain quality management.

3.3. Snailchain

The greatest challenge that PoW based consensus faces today are efficiency and scalability. Slow execution and confirmation time make it unfit to develop complex applications, and excessive energy consumption make it environmentally unfriendly. Unlike Ethereum, where transactions and smart contracts are executed by every node on the network; a rotating BFT committee will handle the bulk of heavy lifting while PoW (the snailchain) will only be used to select the committee members, through a meritocratic process in proof of work. We briefly describe the procedure in this subsection.

The snailchain we first consider is the blockchain structure used in BTC and ETH, we call this the Nakamoto chain. Here, blocks are of the form , where are the transactions and digital signatures that’s recorded in that block; is the hash value produced from mining and is the hash value of the previous block. Through the continuous links of hash data, the blocks form as a chain structure known as the blockchain.

If the Nakamoto chain is used as the snailchain, can essentially be reduced to a of all the transactions that happened in the that during the snail block. The motivation is that, while the data contents in the is publically accessible to everyone, it would be extremely wasteful to store thousands or millions copies across the PoW nodes. PoW nodes only have to store enough data to ensure the validity of transactions, and not the transaction data themselves. Only nodes that wish to participate in PBFT, will need to synchronize to the .

The Nakamoto chain have several drawbacks. The most important of which is the practice of selfish mining, will require the minimal snail chain quality to ensure [25]. In a permissionless setting with mildly adaptive adversaries, we want to decay as slow as possible. Therefore, we choose fruitchain [25] over the traditional Nakamoto chain for our underlying . Readers are referred to [25] for a detail analysis of the fruitchain framework. Particularly, we only require to ensure , even with the assumption that miners will mine selfishly when given the opportunity. Here, we only briefly describe the basic mechanics of how it works.

A fruitchain consist of blocks and fruits, arranged in way that blocks relate to eachother like Nakamoto blockchain, while each block contain a large number of fruits. Mining difficulty is set so that each block takes 10 minutes to mine, while each fruit take 1 second to mine. The asynchronousity nature of the network means that we can only expect honest nodes to agree on earlier than at time , for some . Therefore, nodes will have different views of while they mine fruits, due to the low difficulty of mining. Hence, we allow fruits to mined out of order, provided that it hangs[25] from a block not too far back in the history.

In our application, each fruit is essentially a digest of the corresponding fast block. Fruits bare a serial number given by the , this is to allow block miners to recover the correct order of transaction history when dust finally settles. All PoW nodes must verify validity of the fast block, which will become part of the block header, before its possible to perform any mining calculation. Therefore, transactions on Truechain are validated by all PoW nodes, while still achieving high throughput.

Specifically, a block and a fruit , where is the hash of the previous block, and is the hash of any of the most recent blocks. We pick as the recency parameter of the fruit. Finally, is the hash root of transaction data from the block.

Here’s a summary of our procedure,

  • Assume . After a set of transaction is processed, a fast block is created on average once every second. The Byzantine committee will include transaction digest a serial number and broadcast to the PoW nodes as a message .

  • PoW miners solve an easier puzzle to package in a fruit. Mining difficulty is set so a fruit is created once every second, matching the block frequency in the . Fruits can be mined out of order, as their parent hash can be pointed to any of the last blocks of the snailchain.

  • The snail chain block is finality of the transaction. A block is mined once every 10 minutes, and it contains all the fruits with contiguous serial numbers mined up to that period.

3.4. Motivations for fruitchain

A functioning BFT committee require 2/3 of its members to be honest[13]. Hence we require the fast chain quality . A naive implementation using a Nakamoto chain as the snailchain will be vulnerable to obvious selfish mining attack strategies. If a selfish miner controlled more than 25% of the blockchain’s hash power, she could control more than 33% of block production[24][16]. The probability of being elected to the BFT committee, according to the procedure described in [26], is equal to one’s block production fraction. Hence, the selfish miner is likely to control over 1/3 of the BFT committee. If she happens to be adversarial, the BFT protocol is now compromised.

The worst case scenario is possible through a strategy illustrated in [29]. If a selfish miner controls 40% of the hash power in a Ethereum-type blockchain, she can control 70% of block production through optimized selfish mining. According to the committee election procedure in [26], she will have control over 70% of the BFT committee. The BFT committee is not only compromised, the selfish miner will have the dictatorial dominance to declare any honest committee member as ’dishonest’ at her will.

We choose the fruitchain[25] as our underlying snailchain for hybrid consensus. The actual growth process of the fruitchain will be explained in detail in a later subsection. The fruitchain is more resistant to selfish mining, as stated by the fairness theorem in [25]. The required chain snail chain quality needed to maintain fast chain security is on a PBFT-Fruitchain hybrid, as opposed to on a PBFT-Nakamoto hybrid. The extra chain quality required by Nakamoto chain is to counteract against security loss from self mining practices.

However, the BFT committee is still vulnerable should an attacker directly control over 33% of the blockchain’s hash power. Hence, we will take further deviations from [26] and [25] to alleviate the issues.

There are two undesirable extremes that we need to find a balance in,

  • Randomly select BFT members via VRF[22]. This is vulnerable against a sybil attack.

  • Any selection procedure where probability of being selected is proportional to hash power. The BFT committee is vulnerable against mining pools who are rich in hash power.

Our proposed solution are as follows. When an honest BFT node’s chain reaches in length, it will publish the unique miner IDs of every fruit in the chain as candidates (or, every miner ID who mined more than fruits). The new BFT committee is randomly selected from the candidates with uniform probability. The obvious sybil attack is not possible under this scheme, as you require a minimal level of PoW to become a candidate. Neither it will be easy for a large mining pool to achieve compromise the BFT committee. A fruit will be orders of magnitude easier to mine than a block.

Details on the BFT committee selection will be included in the next section. We will explain the interactions of fastchain and fruitchain, how they process transactions and smart contracts in the next subsection.

3.5. The Block

3.5.1. Block structure

There are three types of blocks that require explanation in Truechain. Fast block, the fruit and snail block. They interact in the following manner, the fast block is produced by PBFT and broadcasted to PoW nodes as a message . PoW nodes will first mine as a fruit, before packaging fruits into a block.

A fruit is the tuple , while a block is the tuple where each entry means

  • points to the previous block’s reference, only useful for fruit verification.

  • points to a block that contains the fruit, only useful for block verification.

  • is the random nonce.

  • is a collision resistant hash function, value used to check the fruit’s validity.

  • is the record contained in the fruit.

  • is the hash value of the block / fruit.

  • is a valid fruitset as defined in [25].

The blockchain is a collection of individual blocks ordered by index , where , and is the length of . We call a fruit -’recent’ w.r.t. if . In our implementation, we choose .

3.5.2. Data in block

There are two types of blocks in Truechain, fast block and snail block. The hash algorithm used by Truechain is Sha3, which will be referred to as hash.

The fast block contain the following:

  • ParentHash: Hash value of parents block’s header.

  • StateRoot: Hash root of the state Merkle tree, after all transactions are executed.

  • Transactions root: Hash root of the Merkle tree with each transaction in the transactions list.

  • ReceiptHash: Hash root of the Merkle tree with receipts of each transaction in the transactions list.

  • Proposer: Address of proposer of the transaction

  • Bloom: The Bloom filter

  • SnailHash: Hash of the snail block mining is rewarded to

  • SnailNumber: Height of the snail block mining is rewarded to

  • Number: Number of ancestor blocks

  • GasLimit: Limit of gas expenditure per block

  • GasUsed: Total gas used for this block

  • Time: Timestamp

  • Extra: Preallocated space for miscellaneous use

The snail block contain the following:

  • Parent hash (): Hash value of parents block’s header.

  • Uncle hash: Hash value of uncle blocks.

  • Coinbase: Coinbase address of the miner.

  • PointerHash: The block hash which the fruit is hanging from.

  • PointerNumber: The block height which the fruit is hanging from.

  • FruitsHash: Hash data of the included fruits in a block

  • Fasthash: Hash data of the fast block

  • FastNumber: Block height of the .

  • SignHash: Hash of the digital signatures of the PBFT committee

  • Bloom: The Bloom filter

  • Difficulty: Difficulty used by the block

  • FruitDifficulty: Difficulty used by the fruit

  • Number: Number of ancestor blocks

  • Publickey: EC-Schnorr public key of the leader who proposed the fast block

  • ToElect: Whether PBFT committee members will rotate after this block

  • Time: Timestamp

  • Extra: Preallocated space for miscellaneous use

  • MixDigest: Digest of the fast block

  • Nonce: Block nonce

3.6. Fruitchain growth process

1 Initialize
2
3
4
5 if heard fruit  then
6       if  is the unique fruit corresponding to message  then
7            
8      if  for all other fruits such that . then
9            
10      
11if heard blockchain and  then
12      
13       where is the total number of fruit contained in .
14foreach time step (1 sec)  do
15       Heard signed message m, broadcasted by PBFT. Let
16       , so .
17       recent w.r.t.
18       where .
19       .
20       while mined = FALSE do
21             Randomly pick
22             Compute
23             if   then
24                  
25                  
26                   boardcast fruit
27                   mined = FRUIT
28                  
29            if  then
30                  
31                   broadcast blockchain
32                   mined = BLOCK
33                  
34            
35      
Algorithm 1 Blockchain growth process

Inheriting the variable definitions from [25] (p.14 - 16), the fruitchain consist of a blockchain with each block containing its own set of fruits. Transactions executed by the BFT will be initially packaged as a record to be mined as a fruit. Fruits more recent than a recency parameter will be packaged into a block when the next block is mined.

The miner will run only one mining algorithm that produces hash values from a random oracle. A fruit is mined when , and a block is mined when , where and are the mining difficulty parameter of the fruit and block respectively. The tuple determines mining process.

In order to discourage the deployment of ASICs, we will make the recency parameter time-dependent. VRF will generate and broadcast a new (to fall within the valid range) using VRF once every 3 months. Details of this process will be included in a future version of the yellow paper.

More specifically, the mining algorithm goes as follows.

We tentatively choose and such that expected time to mine a fruit and block are respectively 1 second and 10 minutes.

We make the following remark with our mining process,

  • Fruits are easier to mine than blocks, and therefore miners are less incentivized to join or form mining pools. This make PoW a fairer process.

  • Since fruit mining difficulty is low, its quite likely that two fruits are mined simultaneously. One way of determining which is the valid fruit is by choosing the one with a lower hash value.

  • Fruits are not stable until they are written in a block. Therefore the mining reward will be paid to the block miner, who will then distribute her reward to miners of fruits that are included in the block.

  • One advantage of the fruitchain protocol is that fruits can be mined in any order, and this can make mining highly parallel. This will be particularly useful when combined with sharding.

3.7. The world state and snapshotting

The world state is a database running in the background, in the form of a Merkle tree, that provide a mapping between addresses and account state. Being an immutable data structure, it allows any previous state to be reconstructed by altering the root hash accordingly.

The account state consist of the following information.

  • Nonce: Number of transactions or contract creations made by this account. The value of this number is non-decreasing with respect to block height.

  • Balance: A non-negative value indicating the amount of tokens held by the account.

  • CodeHash: This stores the hash digest of the contract code, that will be executed should this address receive a message call. This field is strictly immutable and should not be changed after construction.

  • StorageRoot: The root hash of the storage associated with each account.

3.8. Transactions and execution

The transaction is a cryptographically signed message initiated by a client user of Truechain. The message take the following form:

  • AccountNonce: Number of transactions sent by the sender.

  • GasPrice: Number of Wei to be paid per unit of gas for this transaction.

  • GasLimit: Maximum amount of gas should be used for this transaction.

  • Recipient: Address of the beneficiary for this transaction.

  • Payload: Amount of token to be transacted.

  • Code: Virtual machine code for smart contract deployment.

  • Data: Miscellaneous use.

  • V,R,S: Cryptographic values corresponding to the signature of the transaction, and used to determine the sender of the transaction.

The transaction will go through the following steps to reach finality.

  1. The transaction, along with a set of other transactions, would accumulated in .

  2. The leader of the PBFT committee select a subset of that she believe is valid, and make a proposal to other committee members.

  3. Committee members checks the validity of all transactions proposed by the leader, and if they agree, sign and boardcast to other committee members.

  4. Upon hearing more than affirmative votes, a consensus is formed. The transaction is then broadcasted to PoW nodes as a message.

  5. PoW miners first validate the transactions of the block, which becomes a part of the block header, and package them in a fruit. Fruits can be mined in arbitrary order.

  6. When the next block is mined, the block miner will package the biggest contiguous set (as per fruit serial number from fast block) to the block where finality is reached.

  7. We resolve a snailchain fork by aligning to the branch with the highest sum of fruit difficulty. The probability of two branches with equal difficulty sum is negligible.

4. Consensus Details

4.1. Adversary model

In the previous section, we introduced the Minerva consensus model based hybrid blockchain architecture. One important point we glossed over was the security of PBFT in our . As stated in section 3.2, the classical PBFT by the design[13], operate in a permissioned environment. The Byzantine assumption that less than of the participating nodes are corrupt is quite conservative. In a permissionless environment however, this means we need to maintain quality , for the chain to sustain consistency and liveness. In this section, we will talk in detail about the formation and secure communication of the PBFT committee, view change, and protective measures to maintain above that threshold.

We assume the following about our operating environment, which we call our adversary model.

  1. Let be the proportion of hash power controlled by honest mining nodes. We assume that , this is slightly more conservative than the security assumptions made by leading projects such as Bitcoin and Ethereum, where effectively they only assume .

  2. We assume our adversaries are mildly adaptive. By adaptive, we mean a node can maintain to be honest before being elected to the committee, and suddenly turn adversarial once it is elected. In a mildly adaptive model, we do not assume this process to be instantaneous, but rather occur over a period of time. This is also the assumption made in [26].

  3. A node that become corrupt precisely after time steps of election is called a -agile adversary. We do not make assumptions on the value or distribution that should take.

  4. BFT committee members are elected from PoW nodes with a meritocratic, albeit permissionless, process. We do not assume the node themselves to possess advanced cyber security measures, and honest nodes (e.g. committee member) may turn adversarial when it is hacked by an external party.

4.2. The DailyBFT protocol

4.2.1. Daily offchain consensus protocol

In the , committee members run an offchain instance to decide a daily , whereas non-members count signatures from committee members. It extends security to committee non-members and late-spawning nodes. It carries with it, a termination agreement which requires that all honest nodes agree on the same final upon termination. In , committee members output signed daily hashes, which are then consumed by the Hybrid Consensus protocol. These signed daily log hashes satisfy completeness and unforgeability.

On keygen, add public key to list of keys. On receiving a signal, a conditional election of the node as committee member happens. The environment opens up the committee selectively.

Here is how the subprotocol works for when the node is a BFT member:- A BFT virtual node is then forked. BFT virtual node here, denoted by , then starts receiving the TXs (transactions). The log completion is checked and stopped iff the signal has been signed off by atleast a third of the initial distinct public keys. During this, a continuous ”Until ” check happens and once completion of gossip happens at each step, all the log entries are removed

Here is how the subprotocol works for when the node is not a BFT member:- On receival of a transaction, the message is added to and signed by a third of the initial distinct public keys

The signing algorithm tags each message for the inner BFT instance with the prefix “0”, and each message for the outer DailyBFT with the prefix “1” to avoid namespace collision.

4.2.2. The mempool subprotocol

Initializes with 0 and keeps a track of incoming transactions with a Union set. On receiving a call, it adds the transaction to log and communciates with gossip protocol. It also supports method to return confirmed transactions. By keeping track of transactions in a set, it purges the ones already confirmed.

4.2.3. Newly spawned nodes

A newly spawned node with an implicit message routing that carries with it of the transcripts sent and received. This interacts with the following components - Mempools, Snailchain, Preprocess, Daily Offchain Consensus, and on chain validation.

4.3. Hybrid committee election

In [26], committee instances are switched after a fixed period of time (with the as a logical clock). Our is expected to produce one block every 10 minutes, so we’ve set a rotating frequency of 144 blocks. According to [26], a new committee is formed simply by the miners of the latest number of blocks inside .

A naive implementation of [26] will be vulnerable to well known selfish mining attack strategies. The damage of selfish mining is magnified in the hybrid consensus setting, because power is more concentrated in the top few high hash nodes. If a selfish miner controlled more than 25% of the blockchain’s hash power, she could control more than 33% of block production[24][16]. Under the election procedure described in [26], the selfish miner is likely to control over 1/3 of the BFT committee. If she happens to be adversarial, the will lose the liveness property.

There are two undesirable extremes that we need to find a balance in,

  • Randomly select BFT members via VRF[22]. This is vulnerable against a sybil attack.

  • Any selection procedure where probability of being selected is proportional to hash power. The BFT committee is vulnerable against mining pools who are rich in hash power.

Our proposed solution are as follows. When an honest BFT node’s chain reaches in length, it will publish the unique miner IDs of every fruit in the chain as candidates (or, every miner ID who mined more than fruits). The new BFT committee is randomly selected from the candidates with uniform probability. The obvious sybil attack is not possible under this scheme, as you require a minimal level of PoW to become a candidate. Neither it will be easy for a large mining pool to achieve compromise the BFT committee. A fruit will be orders of magnitude easier to mine than a block.

The uniformly distributed random number we use is similar to VRF 

[22] where the seed is determined by the seed used in previous committee selection, as well as the proposed randomness from recent blocks. Different from Algorand [17], here we don’t count stake weights for this part of selection. Notice that the nodes that are chosen by random functions would have certain probability of not being online. This will cause our to lose chain quality. The user will need to manually flag that they are willing to participate in the committee election.

4.4. Secure communication channel

The ability to establish a secure communication channel between committee nodes is central to the success of building a decentralized, high performant and secure network. There is a common misconception among the public that traditional PoW networks like Bitcoin and Ethereum are slow because of mining puzzles are too difficult to solve. On the contrary, the mining puzzle is nothing but a kill-time mechanism, so that the nodes have enough time to synchronize due to network delays.

To make things worse, the aggregate network traffic required to achieve synchronization of all nodes, grows in polynomial order with respect to number of nodes in the network. As the network grows, its throughput will decay rapidly, making the development of its ecosystem unsustainable. The reason why PBFT based blockchains achieve far better transactions per second than PoW, is that the nodes required to reach consensus on a transaction is much fewer (typically 10 – 30), and that stays constant regardless of the total number of nodes in the network, while we lose decentralization.

Minerva aim to achieve high throughput by using a rotating BFT committee to process transactions, and PoW to determine who get elected to the committee. There lies a problem, how do BFT committee members communicate with eachother about their voting decisions? If the BFT committee use the gossip protocol of the PoW network, voting messages will need to traverse the entire PoW network before committee members hear about it. A real life experimental deployment of this network resulted in a throughput of 80 tps, a marginal improvement from Bitcoin cash.

On the other hand, BFT committee members can make their communication channel known to the public, to establish direct peer-to-peer communication during the voting process. However, by (4) of our adversary model in section 4.1, we can expect this node to be DDoS’ed, and fast chain quality will rapidly deteriorate. Therefore, the central question we need to address is, how to protect the identities of rotating committee members while achieving direct peer-to-peer communication?

Consider the following protocol,

  1. If a PoW node mined over fruits over the last 144 blocks, and is willing to participate in PBFT, then it automatically become a member of the candidate committee.

  2. Hash data derived from fruits mined by node is used to an interval . Another random number, , also generated from historical hash data (far enough so all nodes have synchronization). If , then node has been elected to the committee. The value of should be the same across all honest nodes to achieve consensus.

  3. Repeat (2) until enough committee members have been generated.

  4. Let be the generated uniform random numbers. Elected nodes can compute locally from data, the addresses of other members of the next committee. Suppose these are .

  5. Suppose node is a new committee member. She will broadcast her IP address (or other data necessary to establish a direct communication channel), encrypted with the public key of , using the gossip protocol.

  6. When another committee member hear this message, she will decrypt it with her private key, and find lines of gibberish and one line containing the IP address of node , while non-committee members will be unable to decrypt this message.

This protocol allow each committee member to locally build a table of IP addresses of other committee members, which will allow high throughput communication while hiding their IP address from the public. A slight drawback of this procedure is that if an adversary happens to be a committee member, she can broadcast the entire list of committee IP addresses to the general public. All of the committee nodes can be DDoS’ed in a short period of time, and the mildly adaptive adversary assumption is breached.

Therefore, we make the following adjustment. Assume there are members in the committee and we create a private gossip network, with each node gossiping to other nodes. A typical value of these parameters could be and .

  1. We generate a matrix from historical hash data, such that , and columns and rows of sum up to . The matrix should be the same across all honest nodes to achieve consensus.

  2. We give label to the committee member who is elected by the random number .

  3. Committee member will only encrypt her IP address using the public key of , provided if .

We have just established a private gossip network of nodes, each gossiping to other nodes. If an adversarial node made it to the BFT committee, the biggest damage is for the BFT committee to lose nodes. Setting big could improve the blockchain’s throughput, while a smaller improves the chain’s security. By experiment we found that setting generally gives a good balance. This allowed us to achieve over 2000 transactions per second in beta-net live deployment setting.

If is too small, we could run the risk of having an eclipse attack, particularly when accompanied by a bad choice of . Roughly speaking, if is very close to a direct sum of lower dimensional matrices, the resulting graph will start to have isolated regions, making some nodes a more critical connector than others. The algorithm to consistently generate robust choices of , relies on the representation theory of symmetric groups, which is will be explained in a forthcoming paper.

4.5. Application Specific Design

Our consensus design is aware of application specific requirements and tailors for them, under the conditions that the consistency, liveness and security properties are not compromised.

4.5.1. Physical Timing Restriction

Conventional consensus design by default allows miners / committee members / leaders to re-order transactions within a small timing window. This raises a problem for some decentralized applications such as commercial exchanges where the trading fairness requires the timing order between transactions to be carefully preserved, or otherwise malicious (or, even normal rational) participants will have the incentive to re-order transactions, or even insert its own transactions, to gain extra profits. And this incentive will be magnified under high throughputs.

And what is even worse, is that such malicious re-ordering is impossible to distinguish because naturally network latency will cause re-ordering and such latencies can only be observed by the receiver itself and therefore it has the final evidence of numbers regarding network latency.

To support decentralized advertisement exchanges, we try to reduce such problems by incoporating one more restriction called sticky timestamp. More specifically, with a heuristic parameter

, when proposing transactions, we require the client to put a physical timestamp inside the metadata of the transaction, and this physical timestamp is signed together with the other parts of the transaction. Later when validators inside verify the transaction, it will do the following extra checks as shown in Algorithm 2.

Data: Input Transaction
Result: A Boolean value that indicates whether the verification is passed
1 ;
2 if  then
3       return ;
       //

if the time skew is too large, reject

.
4      
5var new static dictionary of lists;
6 if  then
7       ;
8      
9else
10       if  then
11             return ;
             // To make sure the transactions from the same node preserve timing order.
12            
13      else
14             ;
15             return ;
16            
17      
Algorithm 2 Extra Verification Regarding Physcal Timestamp
Figure 1. Pseudo-Code for Extra Verification

At the stage of materializing logs inside , the leader will sort the transaction batch according to its physical timestamps and break ties (though very unlikely) with the sequence number. Actually this step is not necessary because we can enforce the order later in the evaluation and verification. But for simplicity, we put it here.

This set of modications give us several extra properties:

  1. The order of transactions from any node is internally preserved according to their physical timestamps. Thus the sequence order of these transactions is strictly enforced. This will get rid of the possibility of some malicious re-ordering that involves two transcations from the same node.

  2. The order within a batch of transactions output by the committee is strictly ordered by timestamps.

  3. Nodes cannot manipulate fake physical timestamps because of the timing window restriction.

One obvious disadvantage of this modificaion will be the reduction in terms of throughput due to aborting transactions when the parameter is inappropriate for the varying network latency. Another disadvantage is that, the committee members are still allowed to lie about their local time and reject certain transactions. However, committee members can reject certain transactions anyway. But honest nodes could potentially reject ignorant transactions because of their unsynchronzied clocks. This issue can be reduced by adding restrictions on the eligibilities of the committee. Later we will see that to get into the committee, the nodes should present evidence of synchronized clocks.

5. Computation and Data Sharding, and Speculative Transaction Execution

In this section we introduce our sharding scheme.

An important modification over the original Hybrid Consensus is that we add computation and data sharding support for it. And even more, first of its kind, we design a speculative transaction processing system over shards. The idea is clear. In Hybrid Consensus, the instances are indexed into a determininstic sequence . We allow multiple sequences of instances to exist at the same time. To be precise, we denote the -th sequence by shard . For simplicity, we fix the number of shards as . Each is a normal shard. Besides normal shards, we have a primary shard composed of nodes. The job of the primary shard is to finalize the ordering of the output of normal shards as well as implementing the coordinator in distributed transaction processing systems. And the normal shards, instead of directly connecting with Hybrid Consensus component, submit logs to the primary shard, which in turn talks to Hybrid Consensus.

We don’t allow any two shards (either normal or primary) to share common nodes, which can be enforced in the committee selection procedure. The election of multiple shards is similar to the election procedure described in Section 4.3.

We partition the state data (in terms of account range) uniformly into shards. This will make sure that every query to the corresponding shard will return a consistent state. Since we are going to include meta data for each data unit, we split data into units of data sectors and assign each data sector with an address. We have a mapping from data position to data sector address. For simplicity, from now on, we only discuss at the level of data sectors. Each data sector has metadata of .

We assume the partition principle is public and given the address we can get its host shard by calling the function .

Notice that if we treat every normal shard (when the number of adversaries is not large) as a distributed processing unit, we can incorporate the design of logical timestamps [33] in distributed transaction processing systems [21], which will empower the processing of transactions. Here we utilized a simplified version of MaaT where we don’t do auto-adjustment of other transaction’s timestamps.

For normal shards, it acts exactly as described in except the following changes to make it compatible for parallel speculative execution.

1 On BecomeShard:
2    Initialize all the state data sectors: With transaction on shard :
3 On Initialization:
4     ;
5     ;
6     ;
7     ;
8     ;
9     ;
10 On Read Address():
11 if  then
12       Send to itself;
13      
14else
15       Broadcast to ;
16       Async wait for valid signed replies within timeout ;
17       Abort when the timeout ticks;
18      
19Let be the majority reply;
20 ;
21 ;
22 return ;
23 On Write Address():
24 if  then
25       Send to itself;
26      
27else
28       Broadcast to ;
29       Async wait for valid signed replies within timeout ;
30       Abort when the timeout ticks.
31Let be the majority reply;
32 ;
33 return;
34 On Finish Execution: for every  do
35       TX.lowerBound = max(TX.lowerBound, TX’.upperBound);
36      
37for every  do
38       TX.upperBound = min(TX.upperBound, TX’.lowerBound);
39      
40if TX.lowerBound ¿ TX.upperBound then
41       Abort TX;
42      
43Broadcast to all the previous remote shards which has accessed;
// If TX.upperBound = , we can set an arbitrary number larger than .
44 On receive :
45 if  then
46       ;
47       return ;
48      
49else
50       Ignore
51On receive :
52 if  then
53       ;
54       Write to a local copy;
55       return ;
56      
57else
58       Ignore
Algorithm 3 Sharding and Speculative Transaction Processing
Figure 2. Pseudo-Code for Sharding and Speculative Transaction Processing
1 On receive :
2 Look up TX by ID;
3 if Found and not in  then
4       Broadcast to the sender’s shard.;
5      
6TX.lowerBound = TX.upperBound = cts;
7 For every data sector reads, set ;
8 For every data sector writes, set ;
9 Broadcast to the sender’s shard.;
// batchCounter is a number which increases by 1 whenever the shard submit a batch of log to the primary shard.
10 On receive from each remote shards which has accessed:
11 TX.lowerBound = TX.upperBound = cts;
12 For every data sector reads, set ;
13 For every data sector writes, set ;
14 Mark committed;
15 Let ;
16 On output log
Sort ’s based on their . Break ties by physical timestamp.
Algorithm 4 Sharding and Speculative Transaction Processing (cont.)

For the primary shard, it collects output from all the normal shards. Notice that, the data dependency of transactions can be easily inferred by their metadata. And a fact is that, if a transaction visits multiple remote shards, it will leave traces in all the shards involved. When a normal shard submit logs to the primary shard, it will also write to the snailchain.

When the primary shard receives (or fetchs from the snailchain) a batch of txns from a shard, it will check if it has received from all the shards transactions within this batch. If after certain timeout it has not received transactions from a particular batch, it means that batch has failed. In this case, a whole committee switch will be triggered at the next day starting point. After receiving all the shards’ logs, the primary shard sorts the transactions based on their commit timestamps (if some transaction has earlier batch number, it will be considered as the first key in the sorting, however, if its physical timestamp violates the timestamps from many shards, we decide that batch as invalid and all the transactions inside that batch are aborted). After sorting, the primary shard filters all the transactions and keeps a longest non-decreasing sequence in terms of physical timestamps. Out the log to the Hybrid Consensus component as that day’s log.

There are still many optimisation spaces. One certain con is that the confirmation time in this design is not instant.

6. Smart Contracts in Virtual Machines

6.1. Design Rationale

Of all the reasons to have an Ethereum Virtual Machine (EVM) [32], one of aims is to meter the usage with a transaction fee in a Proof of Work model. Since ours is a hybrid model, we’ll take the liberty of exploring this design space a little bit further. Let us consider the possibility of a hybrid cloud ecosystem.

A basic problem people have faced is the kind of crude mathematical notations followed in Ethereum’s Yellow Paper [32]. We therefore hope to follow something like KEVM jellopaper [18] to list out the EVM and TVM (described in 6.2) specifications. And in future, we hope to maintain our own specifications through Truechain’s github account (https://github.com/truechain).

6.1.1. What about containers instead of VMs?

One of the blockchain frameworks out there that come as close to this idea as possible, is Hyperledger’s Fabric framework [9]. If one sets out to convert Fabric’s permissioned nature into permissionless, one of the foremost challenges would be to solve the chaincode issue. What this means is while it’s possible to keep a chaincode/smart contract in a single container, that is not a scalable model for a public chain. Having such a model for public chain means having to run several thousand containers, per se, several thousand smart contracts on a single node (because each node maintains a copy).

There have been attempts from the community on being able to run a certain maximum containers per node. The limit currently is 100 pods per node, per se, approximately 250 containers per node, as illustrated in Kubernetes container orchestration platform [5] and Red Hat’s Openshift Container Platform 3.9’s Cluster Limits [7]. Even with latest storage techniques like brick multiplexing [1], the max possible value (say ) of containers could not possibly reach (at least right now) 1000. This issue could further be looked up in the discussions on kubernetes issues github page [4] around workload-specific limits that usually determine the maximum pods per node. People who wish to scale containers usually prefer horizontal scaling rather than a vertical scaleup [2, 6], as the latter significantly increases complexity of design decisions. And there’s no one-size-fits-them-all rule for a cluster scale configuration as that entirely depends on the workload, which being more in our case due to its decentralized nature, isn’t very convincing for taking a step towards scaling this. At this point, it becomes more of an innovation problem than a simple technical specification search. Ethereum currently has smart contracts deployed. Therefore this would be nothing but a crude attempt at optimizing the container ecosystem’s design space.

Now let us expand a bit on the container scenario. Given the above crisis, a possible solution is to use container in a serverless architecture. But consider a scenario where contracts are online and the concurrent requests, i.e., invocation calls to chaincode (a moving window) at a time exceed value, we then face the same problem all over again. Therefore, it is only advisable to add a throttling rate limit on the max concurrent requests. This severly limits the Transactions Per Second from the consensus, by design. Engineering should not be a bottleneck to what could be achievable alternatively. Therefore, we choose to stick to EVM design, although a bit modified for our purpose.

6.2. Truechain Virtual Machine (TVM)

A typical example in this space would be that of the Ethereum Virtual Machine (EVM)  [32], which tries to follow total determinism, is completely optimized and is as simple as it gets, to make incentivization a simple step to calculate. It also supports various features like off-stack storage of memory, contract delegation and inter-invocation value storage.

We would reuse the EVM specifications for the snailchain, but add a new specification for TVM in the next version of this Yellow Paper, after careful consideration of the design rationale similar to EVM, deriving the stack based architecture utilizing the Keccak-256 hashing technique and the Elliptic-curve cryptography (ECC) approach.

The Truechain infrastructure will utilize a combination of EVM and another EVM-like bytecode execution platform for launching smart contracts. We choose to use run VM only on , embedded within each full node, so they could manage invocation calls on per-need basis.

The TVM backs the DailyBFT powered chains, which interact with the following components:

  • re-using some of the concepts from tendermint, like the ABCI (Application BlockChain Interface) which offers an abstraction level as means to enable a consensus engine running in one process to manage an application state running in another.

  • A different consensus engine pertaining to dailyBFT chain,

  • A permissioned Ethereum Virtual Machine

  • An RPC gateway, which guarantees (in a partially asynchronous network) transaction finality

7. Incentive design and gas fee

The Proof of work protocol have a proven track record of attracting computational resources at an unprecedented rate. While existing PoW networks such as bitcoin and ethereum have been successful in their own right, the computational resources they attracted have been nothing more than very powerful hash calculators. They cost a lot of electricity to run, and produce nothing useful.

In this section we will present a concept of compensation infrastructure in order to balance the workload of committee members and non-member full nodes. We invented a new incentive design for PoW, where participating resources can be redirected to do useful things, such as scaling transactions per second (referred to as “TPS” from hereon), and providing on-chain data storage.

Ethereum gas price is determined by a spot market with no possibility of arbitrage, similar to that of electricity spot market studied in [30]. We consider this market to be incomplete, and therefore fundamental theorem of asset pricing does not apply[14]. Thus, the underlying gas price will follow a shot-noise process, that is known for its high volatility. We introduce a “gas market place” where gas will be traded as futures, and this market is complete in the infinitesimal limit. This is expected to significantly reduce gas price volatility compared to Ethereum.

The following subsections will talking about each component of the incentive design in detail.

7.1. ASIC resistance

Truechain’s mining algorithm will be fundamentally ASIC resistant. We will define what this means, and why Truehash can achieve fundamental ASIC resistance in a forthcoming paper. Here, we will briefly outline what we have done. ASIC’s are far better hash calculators than any general purpose computer, but they can only one procedure and cannot be reprogrammed. Therefore, if there is an automated procedure that would switch the mining algorithm once every few months (12000 blocks), then it would not be profitable for anyone to build them.

We came up with the following conditions for fundamental ASIC resistance,

  1. There exist a large pool of potential mining algorithms (e.g. 2048!) that is unfeasible to hard code each of them to an ASIC chip.

  2. The mining algorithm is capable of automatically switching without having human interference, such as a hard fork.

  3. The correctness of the new mining algorithm must be provable (so all nodes can come to consensus), and the process must be verifiably unpredictable (so its impossible to secretly build ASIC miners before the switch).

The classical PoW mining basically repeated calculate , where is a function that takes the mining

, block header and pads it to the correct dimension. We compute instead, the modified hash function,

. Here, is a large group (e.g. ) and , is a homomorphism from

to a vector space

, so that the matrix multiplication is valid on .

As we can see, by simply replacing to , for a different element , we get a completely different hash algorithm. Since is a large group, , the space of potential hash algorithms to choose from is 2048!.

Finally, we can generate the new group element from the hash data of , through application of group representation theory. The new mining algorithm is therefore provable and unpredictable.

7.2. Gas fee and sharding

Gas price is traded in a futures market, where the futures contract is manifested by a smart contract. Specifically, the contract will be executed as follows.

  • Party A agree to pay party B TRUE, while party B promises to execute party A’s smart contract, between time and , that cost exactly 1 gas to run.

  • Party B will contribute TRUE to a pool corresponding to the committee C that executed party A’s smart contract. This is called the gas pool.

  • Members of C will receive an equal share of the pool, and return an average cost per gas for the pool.

  • If B contributed less than , she must make up for the difference by paying another party who contributed more than . If B contributed more than , she will receive the difference from another party.

Under this scheme, liquidity providers are rewarded when they correctly anticipate network stress, and hence creating a complete market in the infinitesimal limit. Price volatility are absorbed by the averaging mechanism in the gas pool making the price itself a good indicator of network stress.

Our intention to ensure gas price is traded roughly within a predetermined interval. Hence, if the moving average price sustain above a certain threshold, a new PBFT committee is spawned through a quantum appearance process. On the other hand, if the moving average price sustain below a certain threshold, an existing PBFT committee will not be given a successor after it finished serving its term.

The proportion of mining reward will be distributed as follows. Let be the number of PBFT committee running at a certain instance, and . Proportion of mining reward going to PBFT nodes is equal to , and PoW nodes . This is to reflect that in later stages of the chain, new nodes are incentivized to contribute to the blockchain’s overall TPS, hence ensuring continued scalability of the chain. The parameter represent the number of PBFT committees when mining reward is divided 50-50.

8. Data storage

Truechain aim to achieve 10,000 TPS on each shard, and number of shards is designed to grow linearly with respect to the volume transaction demand (roughly correlates to number of nodes). The bitcoin network has generated roughly 170 gb of transaction history data over the course of 10 years at 10 TPS. Going from 10 to 10,000, the same volume of data is expected to be generated every 3 days. At 100 shards, or 1 million TPS, we can expect it to generate every 45 minutes. Hence, having every node to store the entire transaction history like bitcoin, is no longer feasible in a high TPS public chain.

A number of solutions have been proposed such as having a check point once every few hours/days, where every node is only required to store transaction history from previous check points. But where do we store rest of the transaction history, as nobody is incentivized to store that.

Our solution is to seamlessly merge transaction processing with the storage capability of an IPFS in a unified incentive infrastructure. This will provide a solution to store transaction history, and allow a plethora of sophisticated applications to be running completely decentralized on the Truechain architecture. Data storage on Truechain will be possible in three levels,

  • Level 1: Stored on every PoW node like bitcoin and ethereum. It is the most permanent way of storage, alas also the least efficient. It’s predominately designed to store the block’s Merkel root, and other information of high value density. Users will pay a gas fee to PoW miners.

  • Level 2: There will be an IPFS-like file system where a limited copy of the data is distributed to storage nodes throughout the chain. This is designed for storing the bulk of main net’s historical transactions and data-heavy decentralized applications. Users will pay miners a fee for both storage and retrieval.

9. Future Direction

Even after optimizations to the original Hybrid Consensus, we acknowledge various optimizations possible on top of what was proposed in this paper. There are following possibilities:

  • Improving timestamp synchronization for all nodes, with no dependency on centralized NTP servers.

  • Detailed incentivization techniques for compensation infrastructure, so heavy infrastructure investors don’t suffer from ’left-out’, ’at a loss’ problem

  • Sharding techniques with replica creation to minimize the transaction set rejection from the BFT committee.

  • Addition of zero knowledge proof techniques for privacy.

  • Hybrid infrastructure of EVM, TVM and Linux container ecosystem.

  • Sections for Virtual Machine Specification, Binary Data Encoding Method, Signing Transactions, Fee schedule and Ethash alternative.

10. Conclusions

We have formally defined Hybrid Consensus protocol and its implementation along with plausible speculations in the original proposal. In this draft, we have introduced various new concepts some of which we will detail in the next version very soon. We recommend people to choose ASIC resistant hardware for deployment of the PoW only versus full nodes, although more details on hardware shall follow soon.

  • A permissioned BFT chain that runs on a few nodes in the permissionless PoW based network.

  • The BFT committee is a rotating one, preventing corruption in a timely manner

  • The BFT committee is responsible for transaction validation, and the PoW nodes are only responsible for choosing/electing the committee members according to some rules we’ve derived and re-defined.

  • The new permissioned VM, we’ve surmised, could be inspired from the EVM, but with different block states and transaction execution flows

  • The contemporary permissionless EVM in the PoW chain co-exists with this new permissioned VM (which we call Truechain Virtual Machine - TVM)

  • The TVM would be the one to validate any transactions related to consensus, while the traditional EVM would need to be re-worked to not really mine for consensus, but for election of BFT using Variable Day length puzzle.

  • The incentivation model needs to be re-worked such that it is based off of TVM, and we still reward the miners in PoW chain.

  • We invented a new market mechanism, satisfying the assumptions of fundamental theorem of asset pricing, for how gas should be traded.

  • We would eventually support sharding for the BFT committee nodes, for scalability.

  • We address the storage issue for high TPS public chains, and introduced a method that seamlessly merge transaction process with decentralized data storage.

  • A compensation infrastructure, which accounts for node configuration non-uniformity (different CPU/memory/network bandwidth in the node pool), would eventually be a part of the consensus, thus speeding up transactions.

  • The smart contracts execution would thus only happen in TVM (BFT node).

11. Acknowledgements

We owe a great deal of appreciation and are thankful, to the following folks for their untiring work towards pushing the protocols for a decentralized sovereignty, for their design rationale and implementations which served as a solid reference architecture in our proposal above. These folks and their legacies are as mentioned below:

  • Rafael Pass, Miguel Castro, Satoshi Nakamoto, Vitalik Buterin, Gavin Wood, Ethan Buchman, Andrew Miller et al for their untiring work, contributions and continuous improvisations while spearheading the glamorous Improvement Proposals forums in addition to the active participation through Reddit, Mailing lists, chat forums, white and Yellow Papers, and rest of the mediums alike.

  • CNCF and Kubernetes communities for their inspiring ventures into hybrid cloud computing.

References

Appendix A Terminology

TrueChain Virtual Machine (TVM):

In contrast to EVM which handles incentivization and rotating committee selection, a TVM is based on similar design principles but carries out actual consensus and voting based off of PBFT based Hybrid Consensus.