Whitepaper PDF

Download as pdf or txt
Download as pdf or txt
You are on page 1of 21

Network of Momentum - leaderless BFT dual

ledger architecture
DRAFT v0.1, 31 March 2020

The Zenon Team


portal@zenon.network

Abstract—This paper introduces a new, fast and scalable a rich landscape of thousands of cryptocurrencies. Con-
decentralized ledger system called Network of Momentum sequently, several consensus algorithms and new ledger
that achieves high throughput transactions and enables a data structures have emerged for decentralized systems,
new form of distributed applications. The paper begins
with a short history about distributed systems together each of which retains interesting capabilities and unique
with the core components of the existing architectures, properties as we will explore in the following sections.
alongside with their challenges - the consensus mechanism, This paper presents a decentralized ledger system that
the underlying transactional data structure, the smart features a leaderless, fully-local and scalable consensus
contracts layer, then it presents the proposed architecture algorithm based on virtual voting coupled with proof of
that is leaderless in its nature and is based on a dual
ledger system called Network of Momentum that uses work and proof of stake anti-sybil [6] mechanisms that
virtual voting for consensus. It also provides a brief reaches eventual consensus with probability one. The

FT
introduction into a framework that employs unikernels concept of virtual voting was known long before in the
to run distributed applications, but because it is beyond literature, starting with the pioneering paper ”Byzantine-
the scope of the paper, a more comprehensive study will Resistant Total Ordering Algorithms” [5] by Moser and
follow as a yellow paper. Subsequently, the paper describes
some classical attack scenarios and how to surpass them, Melliar-Smith where they formulated four algorithms
analyzes the complexity and key protocol parameters to establish a total ordering from network events. The
and draws conclusions together with discussing related peculiar concept of virtual voting that later reappeared
potential research directions. in other papers such as Hashgraph [8], PARSEC [9] or
Blockmania [51], was the ability to execute a virtual
Keywords: decentralization, byzantine fault tolerance,
RA
permissionless consensus, P2P network, protocol design
agreement protocol, as authors Moser and Melliar-Smith
cleverly observed long before and exploited the fact that
I. I NTRODUCTION votes weren’t explicitly contained in the messages, but
were deducted from the causal relationships between
Interest in decentralized systems was reignited by them. The contributions of this paper are outlined as
the rise of Bitcoin [1] born in the midst of the 2008 follows: the protocol comprises of a dual ledger archi-
financial crisis and paved the way to countless research tecture, a meta-DAG created by participating consensus
initiatives and innovative technologies in the space of nodes, a projection of the meta-DAG that represents
computer science and beyond, with focus in areas of the transactional ledger, a proof-of-work link between
D

cryptography, distributed systems and game theory. A relayed transactions emitted by clients, together with
new concept, the blockchain, was popularized by emer- the following properties and functions: a vote-weighting
gent cryptocurrencies that exploited the nature of de- function based on proof of stake for participating con-
centralization to create complex economic systems that sensus nodes, an incentivization scheme based of proof
culminated with the implementation of the first general- of work, a difficulty oracle and a super-quorum selector.
purpose bytecode execution platform, Ethereum [2], and The remainder of the paper is organized as follows: in
enabled trusted computation among a group of mutually Section II we will discuss basic notions about the Bitcoin
distrustful participants and further materialized in a myr- protocol and smart contracts and in Section III we will
iad of decentralized applications ranging from creating provide some insights about various state-of-the art com-
self-sovereign identities, peer-to-peer energy markets, ponents that comprises a decentralized ledger system.
prediction markets, improving supply chain logistics to We build our system on a dual directed acyclic graph
complex financial instruments. A wave of innovation based architecture called Network of Momentum that
was fueled by their success in the market and shaped
employs a consensus algorithm that uses a virtual voting Distributed ledgers can be further categorized, de-
technique in association with proof of work (PoW) [3] pending on the nature of the environment i.e. public
and proof of stake (PoS) [4] that we present in Section or private, into permissioned or permissionless: this
V. We then show in Section VI how the network can determines the participation eligibility of nodes or users
withstand different attacks and threat models. In section that can join the system.
VII we analyze the protocol parameters together with In a permissionless distributed ledger, such as Bitcoin,
the complexity and outline the cryptoeconomic system. anyone can become a node and participate in the consen-
In Section VIII we conclude with a summary and discuss sus process for determining the ledger state or commit to
future research directions. the shared state by invoking transactions. A permissioned
distributed ledger e.g. blockchain consortium, in contrast
II. BACKGROUND is operated by a set of entities that can identify and
In this section, we present the core concepts of dis- decide what nodes can join and update the shared state
tributed ledgers. We then explore a simplified specifica- and even can control the transaction issuance. We will
tion of the Bitcoin protocol and present a short review refer to permissionless distributed ledgers as decentral-
about smart contracts. ized ledgers to emphasize this distinction.
A. From distributed to decentralized ledgers B. Bitcoin
A distributed ledger is a consensus of replicated The history of cryptocurrencies started in 2009 when
and synchronized digital data structure shared between an anonymous figure known by the pseudonym of
multiple nodes in a peer to peer network. Each node ”Satoshi Nakamoto” released the first Bitcoin client and
replicates and saves an identical copy of the ledger, mined the first block of the Bitcoin timechain, thus
updating it independently from the rest of the network. successfully managing to solve the decades old problem

FT
The updating process is based on a consensus algorithm
where nodes vote which copy is correct; once the con-
sensus has been reached, all the other nodes update their
ledger accordingly. An important aspect of a distributed
ledger system is that there is no central authority to
enforce rules and therefore no single point of failure,
so the integrity and security are accomplished by using
of double-spending in a permissionless environment. The
release of the first Bitcoin client marked the inception
of a completely decentralized electronic cash system that
facilitates pseudonymous payments without any trusted
third parties.
The problem of double-spending in a decentralized
network was solved by Satoshi using a ”distributed
RA
a consensus algorithm and cryptographic mechanisms. timestamp server” that consists of a proof of work
A consensus algorithm is at the core of a distributed mechanism and an incentivization scheme using an un-
ledger system - it ensures that the nodes agree on a structured peer to peer network with an unknown number
unique order in which entries are appended. An essential of participants susceptible of sybil identities together
aspect of a consensus algorithm is fault tolerance - the with a method of determining the ”legitimate” ledger
property that enables a system to continue operating by each participant independently.
normally in the presence of one or more faults. Therefore The consensus protocol is commonly known, although
the consensus algorithm must be resistant to different informal, as Proof of Work, and is often encountered
types of faults, that can be either unreliable or malicious in literature as the ”Nakamoto protocol” family, imple-
D

nodes attempting to hijack the system. mented in a wide array of cryptocurrency networks; it
There are two main categories of failures a node may virtually uses the longest chain of most accumulated
be subjected to: crash failures and Byzantine failures. proof of work selection rule to probabilistically de-
Crash failures occur when nodes suddenly stop and do termine the valid timechain. A de facto formalization
not resume operation. Byzantine failures are arbitrary of the Bitcoin protocol isn’t broadly accepted by the
faults presenting different symptoms to different ob- academic community given the difficulty in providing
servers - in a decentralized environment they may occur a good generalized definition - that ultimately depends
as a result of malicious activity. on the tight interaction between the various parts that
The problem of designing a system that can cope make up Bitcoin.
with byzantine faults was formulated and presented as A Bitcoin account consists of a public and private
the Byzantine Generals Problem [7], hence a consensus key pair; an address is the hash of the public key and
protocol tolerating byzantine failures must be resilient to is used to receive coins, while the private key of the
any possible error that can appear. account is used to authorize the transfer of coins. A

2
transaction consists of three data fields - inputs, outputs of the blockchain network and the execution of instruc-
and metadata; the metadata holds generic information - tions is deterministic and verifiable by all participating
the hash and size of the transaction, the number of inputs nodes.
and outputs and a lock time field. The transaction fee A desired property of smart contracts is their im-
represents the difference between the total value of the mutability: once a smart contract is deployed it cannot
inputs and the total value of the outputs. If the validation be modified by third parties. This can be a double
procedure passes, the transaction is broadcasted to the edge sword, amplifying both the strength of censorship
network; a correct node only broadcasts it once, in case resistance and the weakness of poorly written code.
it receives the same transaction multiple times. Finally, Fortunately, there are techniques to overcome bugs by
the transaction is included into the mempool and awaits upgrading the vulnerable smart contracts code with the
confirmations i.e. become embedded into the blockchain. use of proxy contracts or by using a formal verification
Every node can participate in the consensus protocol, a framework [22].
process known as mining, by computing a cryptographic Overall, smart contracts dramatically increase the
proof-of-work puzzle; if the node finds a solution, the specter of use-cases for DLTs, from allowing basic
newly created block containing transactions from the conditional payments to more complex business logic.
mempool is propagated through the peer to peer network We will provide a deeper analysis of this topic and
and if valid, it is appended to the blockchain. We will describe our proposed solution in Section V.
discuss different Proof-of-X algorithms in Section III.
III. S TATE OF THE ART
Although Bitcoin taken as a whole is fulfilling its
purpose for more than a decade under real-world condi- A. Ledger types
tions, there have been studies of individual components Even though the terms distributed ledger and

FT
of Bitcoin that point out limits or even theoretical design blockchain are often used inter-changeably in the
flaws of the protocol; for example, according to Eyal literature, there is a subtle distinction between them
and Sirer et al. Bitcoin is incentive incompatible due to which is worth headlining: a blockchain is just subset
selfish mining [20]. of the larger superset of distributed ledgers. One of
the most important aspects when designing a new
C. Smart contracts architecture is the distributed ledger component that
describes how transactions are embedded.
Another interesting topic is the programmable com-
RA
ponent of a cryptocurrency, smart contracts and decen- Definition 1 A decentralized ledger is defined as a
tralized applications. The basic idea is that one can run distributed data structure with entries that are digital
arbitrary quasi-Turing complete code in a decentralized records of actions, in a permissionless environment.
setting, from simple smart contracts for automated pay-
ments to more complex applications. 1) Blockchain: The most common decentralized
Early blockchain networks such as Bitcoin have a sim- ledger is the blockchain. One definition for the
ple, Turing-incomplete stack-based scripting language blockchain is a distributed, decentralized, public ledger
used as a locking mechanism for transaction outputs: in the form of a cryptographically secured linked list of
”The script is actually a predicate. It’s just an equation blocks holding transactions, without a central authority
D

that evaluates to true or false. Predicate is a long and or coordinator, managed by multiple entities partici-
unfamiliar word so I called it script.” [36]. pating in a peer to peer network, usually in a trust
The smart contract concept was pioneered by Szabo minimized context.
in [21]. With the expansion of the Internet it became The digitally signed transactions are hashed and en-
clear that cryptographic enforcement of agreements can coded into a cryptographically tamper-evident data struc-
become a cornerstone for human cooperation in a digital ture known as a Merkle tree, forming a ”block”. Each
world. Ethereum was the first project to successfully block contains a cryptographic hash of the prior block,
implement the smart contract paradigm. A smart contract creating a linear list of blocks linked by tamper-evident
is a piece of code typically written in a higher level hash pointers, thus enabling a tamper-resistant way to
language, for example Solidity, and compiled down to confirm the integrity of previous blocks, all the way back
bytecode interpreted by a specialized virtual machine. In to the genesis block.
Ethereum’s case, the resulting bytecode is ran inside the Additional integrity measures are used to combat
Ethereum Virtual Machine that is present in every node potentially malicious, byzantine adversaries, such as the

3
requirement that a block hash is smaller than a given which is similar to IOTA, and Avalanche [10], which
target e.g. in Nakamoto protocol family, or a multi- has a more complex model. Another interesting DAG
signature or threshold signature over a block, by the ledger approach is represented by Hashgraph, developed
nodes participating in the blockchain network. by the company Swirlds and used as the backbone of
For example, in order for a block to be added to the the Hedera cryptocurrency. The hashgraph is a special
Bitcoin ledger, the nodes have to participate in a lottery type of DAG where each record is a message that can
where their chances are proportional with the amount accommodate several transactions. Furthermore block-
of computational work invested to find a solution for less, nonlinear data structures are also adopted in many
a cryptographic hash puzzle that allows them to link it recent architecture designs for their potential to enhance
with the previous block. transaction throughput.
Once a valid block is appended by the miner, all 3) Holochain: Another decentralized ledger is the
the transactions from that block become finalized and Holochain [26], a concept implemented in the Holo
immutable, however due to the independent Poisson cryptocurrency presented as a scalable agent-centric
processes in the block proposal race, more than one distributed computing platform. Holochain applies the
miner may propose to extend the blockchain using ”trustless” principle of decentralized ledgers by making
different blocks with corresponding valid proof of work context specific ledgers where trust exists contextually
solutions at roughly the same time, leading to a fork; this and locally, being interoperable with other ledgers that
results in one of the competing blocks to land on a fork are similarly trustful. It is a combination of multiple
and subsequently be discarded given the longest chain concepts: distributed hash tables, git and bittorent. In
selection rule employed by the Nakamoto protocol. Holochain, each node runs its ”local source chain”, an
For this reason, in [19], Garay et al. presents a frame- append-only log and operate autonomously.

FT
work to capture the properties of liveness, validity and
Rather than storing a copy of the full ledger on every
agreement of the Nakamoto consensus protocol by three
node of the network and enforcing a universal consensus
chain based properties: common-prefix, chain growth
protocol, Holochain takes an agent-centric approach and
and chain quality. With these in mind, the proof of
divides the data to many different nodes and establishes
work based Nakamoto protocol can be modeled as a
access only to the data that is useful for a particular
probabilistic Byzantine agreement protocol.
node. Nodes validate each other based on jointly relevant
However, what we described earlier - the proof of
information and on context specific rules.
work Nakamoto consensus of Bitcoin, is not the only
4) Block-lattice: The last ledger data structure
RA
consensus algorithm for blockchains. There are now
many other consensus algorithms that can power a we analyze is the block-lattice. First used by Nano
blockchain network. We will describe them in the fol- cryptocurrency [27], it is designed for throughput
lowing section. and scalability: every user has its own autonomous
Even if the blockchain paradigm has many advantages account-chain, that can be updated independently from
such as robustness and the fact that is well studied and the rest. The blocks from different account-chains
more understandable, it ultimately sacrifices scalability acknowledge each other and collectively form a
due to the limited number of transactions that fit in any mesh-like structure. Because the account-chains can
given block. grow concurrently, the throughput can be quickly
D

2) Directed Acyclic Graph: Nonetheless, in order to scaled up. The blocklattice has many advantages -
boost scalability and increase transaction processing, the scalability, simplicity, and it can be secure provided
linear data structure has been expanded into nonlinear it is implemented with an adequate consensus algorithm.
forms such as block graphs and trees [17], [18]. A DAG,
as the name implies, is a finite directed graph with no Our architecture is based on a dual ledger approach:
directed cycles. For example, IOTA [23] proposed a a generic DAG, called the meta-DAG used for the
custom DAG called Tangle. The Tangle has a genesis consensus layer and a block-lattice data structure used
block, then all the transactions are linked to each other to store the transactional data.
forming a DAG. The Tangle is basically a DAG where We have separated the ledger architecture in order to
each new transaction is linked to two previous trans- achieve a better complexity and faster processing times
actions, an architecture that in theory would allow the when a user wants to query nodes for transactional
structure to be highly scalable. Other cryptocurrencies data. An overview presenting the advantages and
that implemented DAG structures are Byteball [25], disadvantages for different types of ledgers can be seen

4
in Table 1. the throughput of a system is directly affected by
scalability.
• Fault tolerance threshold: Indicates an upper
B. Consensus types
bound of faulty nodes that directly impacts the
The key component of a distributed system that performance of the consensus algorithm. For exam-
enables all participants to agree on a state without a ple, some consensus algorithms have an optimistic
central authority is the consensus algorithm. regime that favors performance.
• Latency: Also known as finality in this context,
Definition 2 Consensus is the process of committing it represents the time it takes for a transaction to
entries to the decentralized ledger that complies with become settled in the ledger.
a set of well-defined rules that are enforced by all
We will review some of the most important
honest network participants after an entry containing
consensus protocol families that are at the core of
transactions is accepted.
countless decentralized systems.
Different consensus algorithms have distinctive design
1) Proof-of-Work: Proof of work was initially de-
choices that have a considerable impact on the system’s
signed as a spam mitigation solution [14] and involves
performance, including its transaction throughput, scal-
the asymmetry in terms of resource usage between two
ability and fault tolerance.
separate entities, the prover and the verifier. The prover
Therefore consensus algorithms have trade-offs be-
performs a resource-intensive task in order to obtain a
tween the level of security and performance. We will
result and presents it to the verifier for validation - the
list security and performance properties that are essential
asymmetry comes from the fact that the validation of the
for a permissionless consensus algorithm designed for a

FT
proof requires only a fraction of the resources invested
decentralized ledger system.
into its generation.
• Adversary resistance: Indicates the threshold of
The core concept of the Proof of Work consensus
byzantine nodes that can be tolerated by the con- algorithm is the competition of nodes in finding solutions
sensus algorithm. for a cryptographic hash puzzle that satisfies a difficulty
• Sybil resistance: Specifies if the consensus al-
requirement based on the measurement of the total hash
gorithm implements an anti-sybil mechanism. For power in order to maintain a specified rate of puzzle
example, the consensus algorithm should have a solutions per time interval; once a solution is found,
RA
mechanism to prevent the generation of sybil iden- nodes create and cryptographically link the block with
tities in a permissionless environment. the tip of the blockchain and advertize it over the peer
• Accountability & non-repudiation: Indicates if
to peer network.
the consensus protocol implements an identity sys- For a cryptographically secure hash function H(·) like
tem and cryptographic signatures. SHA-256 in the case of Bitcoin, and a given difficulty
• Denial of Service resistance: Specifies if the
level D(h), each single query to H(·) is an independent
consensus algorithm implements a denial of ser- and identically distributed Bernoulli trial with a success
vice defense mechanism. For instance, some leader probability described by the following equation:
based consensus algorithms are susceptible to DoS
P r(y : H(xky) ≤ D(h)) = 2−h
D

attacks.
• Censorship resistance: Indicates if the consensus Different implementations of PoW algorithms require
algorithm is censorship resistant. For example, it different rates at which solutions are found in a given
precludes external entities from trying to censor time interval: in the case of Bitcoin this rate is one
transactions. solution for every 600 seconds, and for Ethereum every
From the perspective of quantifying the performance of 15 seconds. The corresponding time period is directly
a consensus algorithm, we will highlight the following correlated with the underlying data structure: for in-
performance indicators: stance, Ethereum implements GHOST [30] to optimally
• Throughput: Represents the number of TPS (i.e. determine the path that has the most computation work
transactions per second) a consensus algorithm can done upon to accommodate the short block times.
process. Cryptocurrencies that have a PoW based consensus al-
• Scalability: Represents the ability for a system to gorithm employ different classes of PoW, (e.g. compute-
expand without degrading performance. Generally, bound PoW, memory-bound PoW, chained PoW or other

5
TABLE I: Ledger types
Ledger type Advantages Disadvantages
Blockchain Wide-scale adoption in industry Limited scalability
Robust and well studied
DAG Can scale better than a blockchain Increased attack surface
Block-lattice, Holochain Account independence Decentralization trade-offs
Asynchronous transactional model
HashGraph The consensus is derived locally from the graph Potential delays for reaching consensus
Graph bloat

custom implementations) to obtain some desired proper- static set of delegators, while others utilize a dynamic
ties like ASIC-resistance, such as to avoid some forms size of the set of delegators; as for the dPoS terminology,
of miner centralization. in a blockchain network they are called block producers.
In a decentralized model, PoW consensus assumes For instance EOS [41] and Lisk [44] employ a fixed
that a majority of hashing power is controlled by honest number of 21 and 101 delegators respectively, while
parties. Tezos [42] takes a different approach with a technique
2) Proof-of-Stake: Proof of Stake was proposed as that allows anyone to amount delegated coins such that
candidate to solve a number of potential shortcomings it meets the threshold to become a baker, in exchange
of the proof of work consensus such as energy consump- returning for this service a certain proportion of the block
tion, miner centralization and certain types of economic rewards back to the delegating party.
attacks. 4) Proof-of-X: Proof-of-X consensus algorithms are
One of the first cryptocurrencies to implement PoS extending the concept beyond work and stake to non-

FT
as a consensus algorithm in their blockchain network interactively prove a commitment of computational re-
was Peercoin [47], released in 2012; the success sparked sources.
a wave of innovation, culminating with the Ouroboros A PoX scheme should be resistant to puzzle grinding
protocol, a provably secure PoS algorithm [31] that is at (i.e. the puzzle must meet several criteria to satisfy
the core of the Cardano cryptocurrency [24]. completeness, soundness, non-invertibility, and fresh-
The core notion of the PoS consensus algorithm is ness), including aggregation or outsourcing [34] of the
the block creation process that requires a proof that computational resources and manipulation of the leader
the participating node owns a certain number of coins. election process. This leads to hybridizations such as
RA
Naive implementations of PoS may lead to unexpected Proof of Activity, a combination of PoW and PoS used
problems that naturally don’t occur in PoW based in Decred [39] or Proof of Importance, used in NEM
cryptocurrencies: the ”nothing at stake” problem [49], [40] that is based on PoS and an ”importance score”
short or long range attacks, coin-age accumulation, pre- calculated from the net coin transfers from an account.
computing attacks, stake-grinding or cartel formation For instance, PoX can also be designed to incentivize
attacks. distributed storage provision like proof of capacity, proof
Some of the problems can be avoided by a slashing of storage [16], proof of retrievability and proofs of space
mechanism within the protocol during the block creation and time.
D

process. A node that wants to participate in the consen- In Proof of Elapsed Time, each of the block producers
sus algorithm first needs to lock a certain number of has to wait a random time to create a block; an equivalent
coins; this stake represents a collateral. The node that for it would be a verifiable delay function [45], suitable
seals the stake is called a leader, forger, or minter in for the permissionless regime. PoET and similar variants
PoS terminology and can lose this collateral through a use a trusted execution environment to enforce these
technique called slashing, in case it deviates from the random delays. One notable example is Hyperledger
protocol specification. [37], but a major drawback is that it is only suitable
3) Delegated Proof-of-Stake: A popular variant of for a permissioned environment given that the process
PoS is the delegated proof of stake consensus algorithm depends on a non-standard secure hardware enclave
(dPoS), where each user can choose to delegate its coins within the processor.
to a node that takes part in the consensus algorithm. 5) Hybrid BFT consensus: Byzantine fault-tolerant
The idea is similar to the committees found in classical consensus protocols are a vast topic with a long history
consensus models; some cryptocurrencies have a fixed, of research and development, and became candidates for

6
hybridization with current blockchain consensus algo- processes and execute a consensus algorithm to derive a
rithms: for example, PoW-BFT and PoS-BFT are most total ordering of events. An example of a cryptocurrency
widespread. network that uses virtual voting to derive consensus
Due to the scalability constraints of the BFT pro- is Hedera. They implement a modified virtual voting
tocol in terms of communication overhead, the above consensus algorithm, called gossip about gossip, where
hybridization is intended to decouple the committee nodes gossip information not only about transactions but
election from the actual consensus. also about the gossip they receive. In this way the nodes
The primary functionality of the PoX mechanism is will arrive at the same conclusion, knowing how votes
to simulate the leader election in the traditional BFT would be casted if a voting process would happen, so
protocols; thus it is utilized for managing a stable they only compute a local ”virtual” vote in order to
consensus committee for each BFT protocol instance. achieve consensus.
An example of PoW-BFT hybrid architecture is Ziliqa Other systems that use virtual voting techniques
[29] that uses PoW to allow identity establishment and are [51] and [35], where the communication DAG is
group assignment and multiple rounds of PBFT over the subsequently interpreted to derive consensus. We will
consensus committee. also present a customized implementation of virtual
As for the PoS-BFT hybrid architecture, a prominent voting in section VI.
example is the Tendermint protocol [15]; the committee
formation of the block validators is made using a PoS Our architecture will implement a virtual voting
process that involves a bond deposit. Moreover, the size scheme based on a hybridization between proof of stake
of the bond stake is proportional to the voting power and proof of work. A summary of the consensus types
and the leader of the committee is designated using a can be seen in Table 2.

FT
round-robin strategy.
Another alternative is delegated BFT, where the initial IV. P REREQUISITES
problem of the byzantine generals is slightly adapted A. Definitions
with representative leaders for the generals. This, how-
ever, centralizes the network in a similar way to dPoS, We will use a few definitions needed for a better
even if the delegates can be replaced; a notable example understanding of our ledger architecture and the
implementing dBFT is NEO [43]. consensus protocol.
Algorand [52] also relies on a customized hybrid PoS-
Definition 3. A node is a software program running
RA
BFT consensus protocol for committing transactions.
The PoS mechanism is used to compute via crypto- on a device that participates in the NoM network
graphic sortition the probability of a node to participate and complies to the protocol specification. It can
in a committee proportional to its stake and the total directly participate in the consensus algorithm, manage
current stake in the network and a verifiable random accounts, observe traffic and relay transactions.
function is used to generate a publicly verifiable BFT-
committee of random nodes. There are three kinds of nodes in NoM, depending on
Generally, hybrid BFT protocols enhance overall net- their contributions towards the health of the network, as
work throughput and provide faster finality times in follows:
D

contrast with Nakamoto inspired protocols. • Trusting nodes called Sentry nodes. A basic type of
6) Cellular Automata: New Kind of Network [50] node, lightweight in the sense that they only store
proposes a new consensus algorithm that is based on the transaction ledger or a pruned version of it. A
cellular automata and a mathematical framework devel- light node only monitors traffic for specific accounts
oped for the Ising model. The nodes act as cells and allowing minimal network usage and resources.
together with a message-passing algorithm based only • Trustless nodes called Sentinel nodes. A trustless
on sparse local neighbors and a MVCA algorithm [48] node is similar to a Pillar node, but only acts as
(i.e. Majority Vote Cellular Automata, an algorithm that an observer, it doesn’t participate in the consensus
uses majority vote as updating rules for the cells) they algorithm. It carries out the creation of PoW links
reach consensus. for transactions and requires moderate resources to
7) Virtual voting: Virtual voting is a concept intro- operate.
duced by authors Moser and Melliar-Smith in 1999, • Consensus nodes called Pillar nodes. They
where the main idea is to interpret messages as virtual participate in the consensus protocol and have

7
TABLE II: Consensus types
Consensus type Advantages Disadvantages
PoW Enables large scale decentralization Doesn’t scale well with a traditional approach
PoS Power efficient in comparison with PoW More attack vectors non-existent in PoW
DPoS More scalable than PoS More susceptible to centralization
PoET Power efficient, suitable for permissioned Susceptible to third party interferences e.g. in the case
environments of hardware enclaves
BFT consensus Well studied and understood Need to be coupled with other mechanisms for
Based on quorums permissionless networks
High complexity
Cellular Automata Good scalability Complex
Requires specific network topology
Virtual Voting Efficiency of the voting process Delays can happen until a transaction is accepted

information about the transactions made in the Definition 8. Virtual voting - the concept that
network by users. A Pillar requires additional voting is not done with explicit messages. Instead, a
resources as it relays network traffic from other node computes the state of the ledger based on the
Pillars and processes it. information received throughout many epochs from the
network. We will show that after some epochs, if a node
Definition 4. Pillar nodes representing more than a can reach to a conclusion regarding a transaction, all
fraction of the locked stake in any given epoch  are the honest nodes will reach the same conclusion.
called supermajority, as follows:
Definition 9. Broadcast – the process of sending
N ∗2

FT
ζ= +1 the finishing PoW and the transactions for undecided
3
epochs to all Pillar nodes.

Definition 5. Representative – A sentinel node that B. Network Model


knows about user transactions. We consider the execution of the protocol in an
open, dynamic, distributed system enabled by a message
Definition 6. Transaction – A transaction can oriented transport protocol for data packets exchange,
RA
be of two types: ordinary send transactions with where nodes can join or leave freely. Nodes represent
a corresponding receive transaction or special the core infrastructure of the network and clients are
transactions for different circumstances: to mark the external in the sense that they are issuing transactions
entrance in a new round of consensus, the finishing for nodes to agree upon. We assume an asymmetric
PoW for a round or smart transactions regarding zApps. cryptographic signature scheme that enables participants
An ordinary transaction contains the address of the to authenticate messages. A node is considered honest
sender and its balance, the address of the receiver, and if it follows the protocol as described or byzantine if
metadata containing hashes for PoW solutions. it deviates arbitrarily from the protocol specification. In
addition, the system is considered asynchronous i.e. there
D

Definition 6. zApp – A distributed application that is are no bounds on messages delivery.


based on an unikernel controlled by a smart contract.
C. Goals and assumptions
Definition 7. Epoch - The transactions are grouped NoM allows Pillar nodes to agree on an ordered log
in consensus rounds called epochs. In every epoch, each of transactions and attains three goals with respect to the
of the nodes that participate in the consensus algorithm log:
must compute a PoW with adjustable difficulty. The • Liveness goal – Even if there is a number of active
finish of a PoW is marked by a special transaction, byzantine nodes and under additional assumptions
which is then sent through the network via broadcast. about network conditions, the system will eventu-
After receiving the finishing PoW transaction from ζ, ally make progress i.e. continue appending transac-
the node enters in the next epoch and marks this with a tions to the log.
particular transaction. • Safety goal – With high probability all the honest
nodes will reach to the same conclusion regarding

8
the order of the transactions; specifically, if an E. Theorems
honest node accepts transaction T (i.e. it is included • T1. Availability. If a user will emit a transaction
in the log), then any future transactions accepted by to an honest node, in the absence of attacks (e.g.
other honest nodes will appear in a log that already denial of service), all honest nodes will receive
contains T. that transaction.
• Finality goal – Once a transaction is included into
the log and confirmed by honest nodes, it will • T2. Validity. A double spend is not possible
remain confirmed in the log, despite any actions assuming a supermajority of honest nodes.
from byzantine nodes.
• Scalability goal – The network will keep optimal • T3. Safety. If there is a supermajority of honest
confirmation times for non-conflicting transactions, nodes, once a node reaches to a conclusion
even if the number of nodes is constantly increas- regarding a transaction, all the honest nodes will
ing. reach the same conclusion.
Starting with these assumptions, the byzantine agree-
ment consensus algorithm has to simultaneously meet • T4. Liveness. If the number of byzantine nodes
the following three properties: is bounded i.e. f < 31 , the system will come
• Validity: If all correct processes propose the same to an agreement about the total ordering of the
value ϑ, then any correct process that decides, transactions.
decides ϑ.
• Agreement: No two correct processes decide dif- • T5. Scalability. Transaction times processing will
ferently. grow linearly with the number of pillar nodes.

FT
• Termination: Every correct process eventually de-
cides. • T6. Finality. If a transaction is confirmed (i.e. is
part of the ledger), it will remain forever in the
The first two properties are safety properties, i.e.,
ledger.
properties that state that ”bad things” cannot happen and
the last one is a liveness property, i.e. a property that
states that ”good things” must happen. Proofs for the theorems are available in Appendix A.
V. N O M L EDGER AND C ONSENSUS
RA
D. Important attributes
A. NoM Ledger
When designing a distributed system, there are some
Our proposed NoM ledger architecture consists of two
attributes any distributed system exhibits and we want
separate ledgers – the actual ledger consisting of settled
to obtain a good balance between them:
transactions structured as a block-lattice where there are
• Consistency: when a node requests the state of the stored independent individual user account chains, and a
system – in our case the distributed ledger, the DAG called the meta-DAG that contains the transactions
consistency means that we will obtain the most required by the virtual voting algorithm.
recent state of the system. The block-lattice consists of actual transactions ap-
D

• Availability: For a request for the state of the ledger, pearing in the network that are settled - send, receive
there must be an answer, even if the answer does and zApp related transactions.
not reflect the latest state of the ledger. Every user has an account chain that is independently
• Partition tolerance: The system continues to be updated from other account chains as the virtual voting
functional even if there are message failures in the progresses.
system. The flow of issuing a transaction is as follows: a user
The CAP theorem [46] states that it is impossible to will have assigned some representative nodes, sentinel
achieve all three properties simultaneously. However, we nodes that will process their transactions and that can be
design the network to have partition tolerance, availabil- queried in order to pull new information regarding the
ity and eventual consistency – after a number of retries, account chain or the state of the ledger.
a node will eventually find the state of the network at the However, in order to prevent denial of service attacks,
time of the request. The eventual consistency is preferred the queries can require a fee that needs to be applied in
over availability in many other distributed systems. order to return a valid response: for example, a user can

9
use the sentinel nodes for querying the state of the ledger of three hops is required by a min relay dimension con-
or sentry nodes to get updates regarding its account stant, and an upper bound will be dynamically imposed
chain. by a difficulty parameter. The proof of work will be
As we highlighted earlier in the Definitions subsec- calculated with respect to the transaction fee paid by the
tion, not all network participants are also consensus user to issue the transaction. The sentinels will continue
nodes; only full nodes (i.e. pillar and sentinel nodes) to forward the transactions to other sentinels until the
keep both the transactional ledger and consensus ledger proof of work meets a specific weight threshold; when
used for the virtual voting process. The consensus ledger the PoW link is complete, the transaction will be sent
is organized in virtual epochs, and the consensus is to a pseudorandomly chosen consensus node (i.e. pillar
achieved per epoch. node). Finally, the PoW link will serve an additional
objective in the consensus algorithm, representing an
B. PoW Links eliminatory criteria to select between two conflicting
In this subsection, we will introduce a novel anti- transactions in case of a double spend. An overview
sybil and anti-spam mechanism called proof of work about the dissemination and composition of a PoW link
links that will enhance connectivity within the network can be seen in Algorithm 1.
and limit certain attacks by sharing their commitment
and contributing resources for routing and efficient data Algorithm 1 PoW Link Algorithm
delivery. 1: procedure P OW L INK
There are two goals this mechanism aims to achieve: 2: while True do
the first one is to strengthen the ledger by adding weight 3: t ← ReceiveT ransaction();
into it (i.e. recording the resulting work of the PoW link) 4: if t.Sender() in Users then

FT
and the second is to further incentivize the sentinel nodes 5: t.weight += ComputeP oW (t, t.f ee);
to safeguard the network against different attacks such 6: t.links++;
as spam or distributed denial of service. 7: s ← ChooseRandom(Sentinels);
A PoW link needs to satisfy the following conditions: 8: SendToSentinel(t,s);
• Only Sentinel nodes can participate in the creation
9: else
of a proof of work link. 10: t.weight += ComputeP oW (t, t.f ee);
• Only the private key owner of a Sentinel node can
11: t.links++;
produce valid signatures to be used the composition 12: if t.weight ≥ min target weight then
RA
process a proof of work link. 13: p ← ChooseRandom(P illars);
• The signature attached to any transaction should be
14: SendToPillar(t,p);
unique (i.e. only one signature will be considered 15: else
for any key pair). 16: s ← ChooseRandom(Sentinels);
• A minimum overall weight for the proof of work
17: SendToSentinel(t,s);
link is required in order to be considered valid; a 18: end if
difficulty parameter is computed in order to obtain 19: end if
a min target weight for the transaction. 20: end while
21: end procedure
D

Users constantly issue transactions that are dissemi-


nated to a number of sentinels equal with log σn , where
σn is the total number of the sentinels that a user is A visual representation of this algorithm can also be
aware of. seen in Figure 1.
Sentinel nodes prove the receipt of the transaction by
C. The consensus explained
adding a small PoW computation and other additional
data (e.g. digital signature, metadata), then they will In this paragraph, we will describe how the consensus
relay that transaction to another sentinel node in a ran- is achieved in NoM.
dom manner. Basically, for each transaction, the sentinels Clients can connect to specific nodes called represen-
will attach a small PoW computation to it, then they tatives and submit transactions for processing. For this
will randomly relay the transaction to other sentinels, consensus algorithm description we will also suppose
which will continue to add PoW and further relay that that there are no malicious actors and there are no
transaction, constructing a PoW link; a minimum number ongoing attacks (e.g. denial of service, eclipse attacks,

10
epoch; we will call this the ”finishing PoW” transaction.
After receiving the finishing PoW from ζ pillar nodes,
it will proceed to the next epoch, 1 .
Note that the pillar could receive a finishing PoW
transaction before it finished computing its own PoW
transaction and other transactions. If it hasn’t completed
the PoW yet, it will abandon it and broadcast a message
with its transactions, then marks itself as being in epoch
1 .
Fig. 1: PoW Link messages Second stage
The process continues with other transactions from users,
but marked now as belonging to epoch 1 . Again, the
etc.); we reserve for treating those particular cases in the node will start working for the proof of work in order
following section. to enter in epoch 2 ; again, it will enter after receiving
In order to make a transaction, a user needs to inform ”finishing PoW” transactions from ζ and so on.
the representatives, in this case sentinel nodes. If the user Notice that if a node already received messages from
is running a sentinel node, it will further disseminate the a supermajority of pillar nodes informing it that they
transaction to other sentinels in order to prevent eclipse finished the PoW for the current epoch, it will abort the
attacks; the PoW link generation starts and develops as proof of work generation and enter automatically into
described by the algorithm from the previous paragraph. the next epoch. The reason for aborting the proof of
Let’s shift the focus to what happens with the transac-

FT
work is that there will be no reward for it, because at
tions when they reach a pillar node. As time progresses a later epoch the nodes will compute which were the
pillars are incorporating transactions into the consensus fastest nodes for that particular epoch and issue rewards
ledger and initially mark them as not decided. The accordingly.
reason is that a user can make a double spend and Now, let’s consider two random, independent pillars
disseminate it to two different representatives. After a from the network in a certain moment during the
number of epochs, all the pillar nodes will detect with consensus algorithm: between the finishing PoW
high probability the double spend transaction and they transaction and entering into the next epoch. When
RA
will vote only one to remain in the ledger. After some a node sends a broadcast, it also includes all the
time, we will presumably have many transactions – send transactions it knows about from other nodes, so in
and receive pairs, that are individually held by consensus perfect network conditions after a broadcast all the
nodes. nodes will know about the transactions between the
We will further detail how the normal operation of the start of epoch and the finishing PoW directly from it.
consensus algorithm takes place, assuming only honest However, they will not know about the transactions
participants. between the finishing PoW and the next epoch. After the
First stage finishing PoW transaction from epoch 1 , the node will
At the start of the algorithm, let’s suppose that all broadcast all its transactions, including those between
D

transactions are marked as being in epoch 0 . So when the finishing PoW from epoch 0 and the start of epoch
a user issues a transaction, the pillar node will keep the 1 .
transaction received from a sentinel node if valid, and
marks it as belonging to epoch 0 . At the same time, all Third stage
the pillars will compute a proof of work with adjustable At the beginning of epoch 2 , every node will know
difficulty, in order to keep the epoch duration within about all the transactions from epoch 0 – they will
some time bounds, for example 1 minute. After a pillar receive information about the transactions between the
node finishes its proof of work, it will broadcast a special start of epoch and the finishing PoW transaction from ζ.
transaction to all other pillar nodes from the network, to This will happen because, in the meantime, all the
announce them that it has finished the PoW for epoch 0 . pillars found out about those transactions at the end of
The special transaction includes additional information epoch 2 and they also send a broadcast at epoch 2 , but
like the number of the current epoch and represents the they will have only one copy regarding the messages
fact that the pillar node is ready to enter into the next from the finishing PoW and the start of epoch 1 –

11
only the transaction made by the pillar itself. However, network conditions, a pillar will show the new ledger
at epoch 2 , all the nodes will make another broadcast. to a sentinel after three epochs – if a user have made a
Let’s suppose that all pillars will have a copy of those transaction at epoch 0 , it will find about it at epoch 3 .
messages between the finishing PoW in epoch 0 and In the next section we will discuss some attack scenar-
the start of epoch 2 . ios and also the complexity of the consensus algorithm.

Fourth stage
At the start of epoch 3 , pillars will have messages from
ζ regarding all the transactions between epoch 0 and
epoch 1 – the transactions between the start of epoch
0 and the finishing PoW transaction will be discovered
at the start of epoch 2 , and the remaining transactions
will be found at the start of epoch 3 , so any pillar will
apply the same ordering to them.

Later stages
Fig. 2: Consensus algorithm visualization
However, special cases can appear where not all mes-
sages will arrive to all pillars, so even if the pillar will
The consensus mechanism can be better visualized
receive messages from ζ, not all the pillars will have all
in Figure 2. There are four pillars, A, B, C and D.
the transactions.
Each pillar computes a proof of work during an epoch,
Let’s assume that only a simple majority will have
receiving transactions supplied by sentinel nodes. At the

FT
them. In that situation, the pillar will have to wait for
beginning of epoch 1 , A doesn’t know the transactions
the next epochs until all the transactions between epoch
that happen between the finishing PoW transaction for B
0 and epoch 1 will be confirmed by a supermajority
and the starting of epoch 1 for B. At the start of epoch
of nodes. For theoretical reasons, if a conclusion can’t
2 , A has received those transactions, but only from B.
be reached after a certain number of epochs, a coin
At the beginning of epoch 3 , A has received messages
round will be needed - every honest pillar will randomly
from all the pillars regarding the transactions at epoch
vote on transactions, in order to prevent an attacker
0 , including those between the finishing PoW and the
controlling the internet traffic from deducing the votes.
start of the epoch.
RA
The node will further broadcast its vote in the next
The consensus is summarized in Algorithm 2.
epoch.
Now, regarding the previous theorems, if a node will D. Pillars PoW pools
know the transactions between epoch 0 and epoch 1 In order for the pillars to be competitive in the process
and it will apply a deterministic ordering algorithm and of producing the proof of work, they will have the
in case of double spends, a deterministic tie-breaker possibility to outsource it using the mining pool concept.
algorithm, thus all the remaining honest nodes will arrive This will create a market efficient ecosystem that will
at the same decision. After the node will have a super- further strengthen the network and clients committing
majority of messages with all the transactions between resources for Pillar pools will be rewarded proportionally
D

epoch 0 and 1 (as per definition 4, the supermajority is to their contribution of processing power. We are also
weighted with a proof of stake mechanism), it will start investigating the use of a custom difficulty adjustment
to virtually vote on the ordering. mechanism that will balance between ASIC-friendly and
The vote is not actually a real one in the sense that ASIC-resistant hashing algorithms in order to improve
it doesn’t involve sending additional network messages, network security and obtain a higher degree of decen-
but a set of rules that define a deterministic way to tralization. We will defer a detailed specification for a
order the transactions, such as: the PoW link weight, later date.
the timestamp when they arrived at the pillar and, as
tiebreakers, the hash of the transaction. After a node E. Unikernels and distributed applications
will order the transactions, it will know that the order The following subsection is describing the core com-
is the same for all the nodes so it will mark them in ponent of our future distributed apps system, called
the ledger and for every transaction it will put an id zApps, which will be integrated into the NoM archi-
to know the number of the transaction. So, in optimal tecture. We are introducing a novel design based on

12
Algorithm 2 Consensus Algorithm
1: procedure C ONSENSUS ALGORITHM
2: Thread WaitForTransactions = new WaitThread();
3: ComputePoW = new ComputeThread();
4: WaitForTransactions.run();
5: Epoch ← 0;
6: min consensus delay ← 3;
7: min coin round delay ← 5;
8: LastConsensusEpoch ← 0;
9: while True do
10: count ← 0;
11: zeta ← 2/3 ∗ N odes + 1;
12: while count < zeta do
13: count+ = AcceptedBroadcast();
14: if Epoch < CurrentEpoch() then
15: Epoch ← CurrentEpoch();
16: end if
17: if ComputePow.finish() then
18: BroadcastPoWandTxs();

FT
19: end if
20: end while
21: if !ComputePoW.ended() then
22: ComputePoW.abort();
23: BroadcastTxs();
24: end if
25: Epoch ← Epoch + 1
26: if Epoch ≥ min consensus delay then
RA
27: for t in UnresolvedTransactions do
28: if t.Epoch() ≤ Epoch − min consensus delay then
29: if countV otes(t) > zeta then
30: TxEpochs[Epoch].add(t);
31: counter[Epoch]++;
32: end if
33: end if
34: if t.Epoch() ≤ Epoch − min consensus delay − min coin round delay then
35: if t.HasConflict() then
D

36: tc ← t.GetConf lict();


37: coin ← random(0, 1);
38: if coin = 0 then
39: remove(t);
40: else
41: remove(tc);
42: end if
43: end if
44: end if
45: end for

13
Algorithm 2 Consensus algorithm (continued)
46: for i ← Epoch − min consensus delay; i >= LastConsensusEpoch; i −= 1 do
47: HaveToOrder = [];
48: if counter[i] = T otalT ransactions[i] then
49: LastConsensusEpoch = min(LastConsensusEpoch, i);
50: for t in TxEpochs[Epoch] do
51: HaveToOrder.add(t);
52: UnresolvedTransactions.remove(t);
53: end for
54: end if
55: end for
56: if HaveT oOrder.size() > 0 then
57: sort(HaveToOrder);
58: for t in HaveToOrder do Ledger.add(t);
59: end for
60: end if
61: end if
62: end while
63: end procedure

FT
unikernels [54] to expand the limits of smart contracts configuration and management are carried out by smart
and enable complex computational tasks. An ideal ver- contracts that handle certain aspects of the applications’
sion of a zApps platform should exhibit the following life cycle such as compilation or deployment. By us-
characteristics: ing this approach, errors like accidental configuration
• Security: The environment for the applications alterations can be prevented and the exploitation can
should be sandboxed with granular permission poli- exclusively be carried only on the end application. Per-
cies. formance is another issue for many systems; unikernels
• Immutability: The zApps should be immutable in have several benefits such as fast booting times (e.g.
RA
the sense that they cannot be modified or tampered can boot several orders of magnitude faster than normal
with. Running zApps on untrusted hardware should virtual machines), avoiding context switching and using
be trustless and deterministic and one should expect minimum system resources.
consistent results. The infrastructure to run zApps will consist of special
• Privacy: To provide means that protect the privacy nodes that will have specific requirements (e.g. minimum
of participants, both internal between them and resources in terms of connectivity, hardware specifi-
external from third parties, based on secure multi- cations, collateral, etc.). The idea is similar to a de-
party computation protocols. centralized infrastructure-as-a-service model where users
can have access to an instant computing infrastructure,
D

With the rise of the unikernel (i.e. minimal stand alone


virtual machine), these properties can be achieved using managed and provisioned within the NoM network.
a smart contract layer to create a hybrid system suitable The unikernel design ensures both internal and ex-
for complex workloads. The most important advantages ternal protection for the underlying infrastructure that
in using an unikernel based approach are in terms of performs the execution. Furthermore, we are analyzing
security - they are completely isolated from the host several economical models to implement in order to
and performance - they are lightweight and run at native ensure that an application will reach the end of an
speeds. execution without issues, including providing a way for
Regarding security, unikernels are systems designed the user to hire several other nodes to verify certain
with a single process and a limited number of system checkpoints for example.
calls, further reducing the attack surface in terms of re- Periodically, the users will need to pay for the zApps
mote code execution, shellcode attacks, etc. They further usage; this system will be designed in a similar way gas
limit potential attacks by lacking a user based system: the [53] is implemented for smart contracts as a fees mech-

14
anism that prevents abuse and circumvent the Turing will decide on the same transaction to be retained in
completeness property (e.g. infinite loops). This process the ledger as confirmed, using the predefined rules we
will be automatized through a series of smart contracts presented earlier and discarding the double spend.
that will be used to manage the zApps operation and If a pillar node gets corrupted and is acting mali-
the transfer of gas. The user will have the possibility to ciously, it can accept a double-spending transaction and
cancel at any time the execution of the app, by either send contradictory information to other pillars. This at-
explicitly sending an abort command or by not paying tack scenario is improbable but entirely possible; pillars
the corresponding gas to the node. unlike miners have no economic incentive to attack the
In Figure 3 we describe how unikernels can be network; nevertheless, it is an irrational attack because
integrated into the system. attempting to violate the ledger would be destructive to
the network as a whole, which in turn would undermine
the validity of their investment. Byzantine pillars are
accounted for and as long as there is only a malicious
minority, after a number of epochs all honest pillars will
eventually detect the double spend and discard it. We are
also considering a penalizing algorithm to punish such
behavior for corrupted pillars.
B. Forking
A forking attack can happen at any stage, including
from the start of the ledger - the attack is also known as

FT
ledger cloning and all pure proof of stake solutions are
Fig. 3: Unikernels and zApps
vulnerable to it.
However, NoM is not affected because we employ two
proof of work mechanisms: virtuous transactions need
VI. P OSSIBLE ATTACKS
a PoW threshold satisfied obtained from the PoW link
Since every distributed network is designed to with- algorithm to get into the ledger, together with the proof
stand byzantine activity, it is necessary to highlight the of work mechanism used by the pillars.
most important related attack vectors for a decentralized For each pillar, a proof of work translated into com-
RA
ledger system. putational power is required to complete each epoch and
[55] gives us a detailed list of attacks targeted at the an attacker needs to outrun all honest pillars in order to
Bitcoin network. We will analyze the most important obtain a heavier ledger in terms of accumulated PoW.
problems and how the network confronts them. Also, we take into account that a user cannot be tricked
An in-depth analysis of these attack vectors and mit- to land on a forked ledger. A malicious adversary can
igation solutions are presented in the following subsec- only try to convince new nodes that his fork it the real
tions. ledger, but there are certain ways to deter this: a node
will connect to several pillars to get the ledger. Upon
A. Double-spending
successful synchronization it will observe which is the
D

One of the first classes of attacks and one of the heaviest one before legitimizing it. Therefore forking the
most important problem when designing a decentralized ledger at any time is an irrational attack.
ledger system is the double-spending problem. Bitcoin
emerged as the most influential cryptocurrency network C. DNS Attacks
because it was the first to solve the double-spending A DNS attack may occur when a new user wants to
problem in a decentralized environment. The integrity join the network and connects to a list of peers obtained
property of the consensus algorithm states that for any from a DNS query; this is a common network discovery
honest node, accepted transactions are consistent among mechanism used by many major blockchain networks. If
honest nodes (i.e. double-spending cannot occur). the attacker manages to inject his IP addresses instead
Any user can initiate a double spend if it distributes of the original ones, the new user can be compromised.
two transactions with the same parent to different pillars; This attack can be part of a chain of attacks; there
however, after a number of epochs all of the pillars is research regarding DNS attacks and there are some
will know about both transactions and all honest pillars solutions to this kind of attack [56] [57]. This attack

15
can’t be totally neglected and is still a valid attack for The worst case scenario is an attacker taking down
any type of distributed network, but there are many some pillar nodes, but it will have a limited impact on
viable solutions that are already implemented in real- the network that will continue to confirm transactions
world systems. with lag. There are some mechanisms to prevent this
like a detection of the consensus delay mechanism and
D. Eclipse attacks a special coin round.
An eclipse attack means that an attacker manages to
isolate a user from the rest of the network. Even if H. Majority attack
an eclipse attack is not possible for a pillar, because This is one of the most destructive attacks that can
it has access to all the other ones and it is very unlikely occur in a decentralized network, however, it is highly
to replace pillar identities with fake ones, an eclipse improbable due to the incentive mechanisms of the
attack can occur for a single user which connects to a system.
percentage of the pillars, as discussed earlier. If an attacker can somehow obtain pillars that have
After an eclipse attack, the user will only see what the a cumulated stake of 51%, it can add or alter new
attacker wants, and this can have bad consequences, like transactions. It can’t modify transactions that happened
a double spend. However, this attack is common to other in the past, but nonetheless, the network is compromised
decentralized systems and there are some strategies, for in this case. In order to avoid this attack, the honest
example random connection at the nodes in the begin- majority assumption should hold at all times:
ning, making very unlikely for an attacker to accomplish
this attack. Honest nodes > Malicious nodes

E. Sybil attacks Even with a stake of ζ2 +1 the attacker can overpower the

FT
Sybil attacks are among the most destructive for a network - because there will be no honest supermajority.
decentralized network because if an entity is able to This is worth mentioning as a hard limit for the net-
create a large number nodes on a machine in order to work. So, in order to function properly, a vital condition
gain control over the network. However, because the for the network is:
voting is weighted based on the pillar’s stake, adding Honest nodes >= 2 ∗ Malicious nodes + 1
more nodes will not gain the attacker extra power in the
consensus algorithm. Therefore there are no advantages VII. PARAMETERS AND COMPLEXITY
RA
to be attained with a sybil attack.
A. Complexity analysis
F. DoS attacks We will now discuss the complexity of the algorithms.
The denial of service attack can occur if a malicious We can express the complexity regarding the number of
user sends a lot of transactions to the sentinels. We messages and time. As we have seen earlier, during an
made this attack harder by adding a transaction fee, epoch, users make transactions, that are first distributed
which means that the attacker will make the sentinels at a small number of sentinels and that are further
unavailable at the cost of investing resources in the forwarded to other sentinels – we can consider this
system, which is a positive aspect for the network and O(log(S)) in terms of messages, where S is the number
D

a negative one for the attacker, taking into account that of the sentinels.
the consensus is unaffected. The most consuming time happens in the consensus
algorithm, where all the pillar nodes send broadcasts
G. Consensus delay to all other pillar nodes, so during an epoch the total
A consensus delay can happen if the attacker can number of messages is O(N 2 ). However, if we assume
interfere with network traffic among pillar nodes. This good network conditions and if we consider the calcu-
attack is unlikely to cause damage if there is a sufficient lations per pillar, during an epoch, we will obtain that a
number of active pillars in the network; an attacker could pillar has to send a message to every other pillar node
interfere with messages between a certain number of and receive a message from every other pillar node. In
nodes – for example, by initiating a DDoS attack. In conclusion, we will obtain O(N ) number of messages
this case, the consensus may be delayed resulting in un- per pillar, and O(N ) time complexity. Due to the fact
confirmed transactions; still, the probability of reaching a that we assumed good network conditions, the total time
supermajority is one as the number of epochs increases. spent for a broadcast is small enough in order for the

16
network to support thousands of messages per second attack, if a user connects to malicious nodes. This is
during the consensus epochs. the reason why each user has to send his transactions
Because the network has a representative system, if to log(S) , where S is the number of the sentinels.
there are N users which send M messages per epoch each Because sentinel nodes are interested in maintaining a
and we have K number of pillars and we suppose a user healthy network by computing PoW links and consuming
sends a transaction to log(K) pillars (log(K) sentinels fees, we can assume that most of them will be honest.
which further send to a pillar), that means we will have Coupled with a random selection algorithm for choosing
τ messages, where the sentinels, even for 40 sentinels, if 12 are corrupt
sentinels (33%), the probability of choosing all sentinels
τ = log(K) ∗ M being malicious is under 0.1%. The same logic can be
applied for pillars. Another problem is how to choose the
A pillar will support θ messages during an epoch, so
initial bootstrapping nodes. The user will connect to a
for every log(K) messages a pillar will receive only one,
number of nodes and will choose randomly among them,
with
and they will send a list of sentinels from the network
M ∗ log(K) to it. This way, the chance for an attack is very small.
θ=
K
C. Cryptoeconomic system
During optimal network conditions, with speeds of
100 Mb/s, and for a packet of 100 kb, a pillar can In order for the network to function properly, a
support 1000 messages per second. For a number of cryptoeconomic layer will be put in place for all the
1024 pillars, however, each 10 pillars will have the same network participants. The sentinel nodes will benefit
messages, but there will be 102 groups of 10 pillars with from the fees by consuming them in order to compute the

FT
different messages, so the total number of messages per PoW links. Also, the sentinels can enable a separate fee
second in the network can top at 100000 TPS. However, system for user queries that retrieve information about
this is from a purely theoretical perspective, but it gives the state of the ledger. The pillars will be incentivized
as an upper bound for the calculations. The real speed for computing the proof of work for the current epoch.
will decrease due to the cost of the broadcasts. A pillar If a pillar receives a supermajority of messages from the
receives θ messages during an epoch and sends only next epoch before finishing its PoW, it will no longer
K messages, but those messages will be bigger and will be rewarded. This is designed to ensure a network wide
take a larger amount of time to be propagated throughout competitiveness: the pillars can outsource the proof of
RA
the network. work, acting as mining pools to amass resources and
In the future, we plan to make some experiments rewarding accordingly the clients that supply them with
to quantify the supported number of transactions per computational power. The last type of incentivization is
second. Another research direction that we will tackle for the zApp platform, where a gas like system will be
is to see how the traditional broadcast will compare to implemented in order to reward nodes that support this
more scalable alternatives. In general, there is a trade- feature.
off between latency and the number of messages. If the D. Managing epochs
bandwidth is good enough and the number of pillars
is reasonable, the traditional broadcast method has the In order for the transactions to be confirmed as fast as
D

advantage of having O(1) latency. possible, there are two important factors that need to be
A scalable type of broadcast can be made, for ex- accounted for – the proof of work should be completed
ample, by sending the broadcast in rounds - the user in a decent time frame, according to a desired difficulty
will send a transaction to log(K) pillars, then they will for an epoch and the messages should have a high
further transmit the information, each of them to other delivery success rate. The second condition is harder to
log(K) pillars and so on. accomplish, but in general, we can safely assume that
The number of the messages will be much lower, a negligible amount of messages will be lost due to
O(log K), but there will be some latency involved - for network connectivity issues. Regarding the the proof of
logK
example, in [58] they have a latency of O log(logK) . work, in order to maintain an adequate time frame we
employ a difficulty mechanism and an incentivization
B. Finding a representative scheme that was described earlier.
The problem of finding a representative is important Thus, if non-competitive pillars that are overrun dur-
because there can be some attacks, like the eclipse ing an epoch by a supermajority of pillars will not

17
receive rewards for their work. This competition will ASIC-friendly hashing algorithm will be activated, and
ensure that the epochs will have similar periods and that also if the difficulty is above a threshold, an ASIC-
transactions are approved as fast as possible and included resistant will come into effect.
in the ledger. Also, after receiving ζ messages from the The time of one epoch is responsible for the minimum
network, an honest pillar must abandon its proof of work time after a transaction is confirmed – a transaction is
and automatically enter into the next epoch. If there is confirmed after three or four epochs, in the best case, so
not clear which are the winner nodes, each pillar will for a one minute epoch it will least at least three minutes
compute the faster winner, then the runner-up and so in order for the transaction to be confirmed.
on. Even if a pillar tries to cheat by saying it belongs to If we note with ∆ti the difference between the times-
the list and sends its proof of work later, the other honest tamps for two consecutive finishing PoW transactions,
pillars will know that the faulty pillar tried to mislead, the mean time will be
as they will see in the ledger that the other ones have
received its PoW later. Pn
δti
i=1
Just for theoretical reasons, if there is an attacker who Avg = , ∆ti ∈ / outliers
n
can control the internet traffic and messages between
F. Replacing regular quorums with proof of stake
pillars, we have introduced a shared coin epoch: if there
are more than four consecutive epochs that don’t end up The consensus timeline is divided into virtual epochs.
with a conclusion (i.e. either it is a tie or the majority In a centralized, non-malicious environment classical
criteria isn’t met), all honest pillars will vote randomly. distributed consensus algorithms use a quorum for the
This way, the attacker will have only half chances to voting process: every node has an equally N1 , N being
guess what is the decision of honest pillars, and after a the total number of nodes. In our case, a decentralized,
byzantine environment this approach is vulnerable to

FT
number of epochs the probability of reaching consensus
will be 1. However, this technique is implemented only sybil attacks where a malicious entity can gain an unfair
for theoretical completeness, in a real-world system the advantage and manipulate the voting process. That’s why
probability for a coin round is insignificant. nodes can lock a certain amount of stake in order to
The expected time to finish is O(1), given this round, obtain different roles in the network, e.g. to become
and the probability of finishing is sentinel and pillar nodes. At the start of each epoch, all

nodes determine the stake weight of all the nodes in the
Y 1 network. In the case of pillar nodes, network participants
P =1− =1
RA
r=1
2 can directly delegate stake.
The virtual voting process is determined on the basis
Regarding the minimum number of epochs ν needed of the total stake during a virtual epoch. Pillar nodes with
for a transaction in order to be included in the ledger, stake make the decisions within the consensus algorithm
we have the following equation: to finalize transactions. Nodes can freely unlock the
3 <= ν < ∞ stake at any moment; however, consensus nodes have to
wait for a period of time known as ”unstaking period”.
. Upon deciding transactions during the next epoch, nodes
process all transactions relating to locking, delegating
D

E. Adjusting the difficulty of PoW and unlocking stake, and update the staking stats of the
As we have previously stated, the idea behind the nodes for the next epoch.
proof of work mechanism has multiple advantages – These mechanisms aim to keep a healthy system, by
prevents ledger cloning, acts as an additional anti-sybil involving all network participants to collaborate towards
layer and provides a fair incentivization scheme for the a common good.
consensus nodes. The PoW will be adjusted in order to
keep an epoch at a constant time, for example 1 minute. VIII. C ONCLUSIONS AND FUTURE WORK
The algorithm will check at every epoch the time needed This work presents a new decentralized system
for every pillar to solve the proof of work, will remove architecture, namely a new decentralized ledger that
the outliers and then will compute a median time. We employs a virtual voting-based consensus. We first
plan to release a self-balancing difficulty algorithm that presented the most important works regarding ledger
will use both ASIC-friendly and ASIC-resistant hashing types, consensus algorithms, and smart contracts. We
algorithms; if the difficulty is below a threshold an continued by making some definitions and assumptions,

18
stating some properties and theorems, then we described [17] Y. Sompolinsky, Y. Lewenberg, and A. Zohar, Spectre:
the core of the architecture - the dual ledger system A fast and scalable cryptocurrency protocol, IACR
Cryptology ePrint Archive, Report 2016/1159, 2016,
and the consensus algorithm. We analyzed frequent https://eprint.iacr.org/2016/1159/
attack scenarios, the complexity and how to choose [18] A. Kiayias and G. Panagiotakos, On trees, chains and fast
different protocol parameters for optimal performance. transactions in the blockchain, IACR Cryptology ePrint Archive,
Report 2016/545, 2016, https://eprint.iacr.org/2016/545/
The Network of Momentum has a continuous cycle [19] J. Garay, A. Kiayias, and N. Leonardos, The bitcoin backbone
of research and is still under active research; as a protocol: Analysis and applications, in Advances in Cryptology
result, some parts will require further clarification or - EUROCRYPT 2015: 34th Annual International Conference on
the Theory and Applications of Cryptographic Techniques, Part
revision. We also plan to release a technical yellow II, Sofia, Bulgaria, Apr. 2015, pp. 281–310.
paper dedicated to a detailed presentation of the zApps [20] I. Eyal and E. G. Sirer, Majority is not enough: Bitcoin mining
component and other improvements. is vulnerable, in Financial Cryptography and Data Security: 18th
International Conference, Christ Church, Barbados, Mar. 2014,
pp. 436–454.
[21] Nick Szabo. Formalizing and securing relationships on public
ACKNOWLEDGMENT networks. First Monday. 1997.
[22] Bruno Bernardo et al. Mi-Cho-Coq, a framework for certifying
We want to thank Professor Z for his support and for Tezos Smart Contracts. arxiv:1909.08671 [Online]. 2019
the continuous research and development program. [23] S. Popov, The tangle, cit. on, p. 131, 2016.
[24] Cardano Platform. [Online] Available:
https://www.cardanohub.org/en/home/
[25] A. Churyumov, Byteball: A decentralized system for
R EFERENCES storage and transfer of value. [Online]. Available:
https://byteball.org/Byteball.pdf. 2016
[1] S. Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. [26] A. Brock et al. Holo Green Paper. [Online]. Available:
[Online]. Available: https://bitcoin.org/bitcoin.pdf. 2008 https://files.holo.host/2018/03/Holo-Green-Paper.pdf. 2018

FT
[2] Ethereum Foundation, Ethereum wire protocol. [Online]. [27] Colin LeMahieu. 2018. Nano: A Feeless Dis-
Available: https://github.com/ethereum/wiki/wiki/Ethereum- tributed Cryptocurrency Network. [Online]. Available:
Wire-Protocol https://nano.org/en/whitepaper/
[3] Juels, Ari; Brainard, John. Client puzzles: A cryptographic de- [28] M. Castro, B. Liskov. Practical Byzantine Fault Tolerance. 3rd
fense against connection depletion attacks. NDSS. 1999. OSDI. 1999.
[4] King, S., Nadal, S.: Ppcoin: Peer-to-peer crypto-currency with [29] The Ziliqa Team. The ziliqa technical whitepaper. [Online].
proof-of-stake (2012) Available: https://docs.zilliqa.com/whitepaper.pdf. 2017
[5] Moser, L. E. and Melliar-Smith. Byzantine-resistant total order- [30] Y. Sompolinsky and A. Zohar. Secure high-rate transaction pro-
ing algorithms. Information and Computation. 1999 cessing in bitcoin. Financial Cryptography and Data Security,
[6] J. R. Douceur, The sybil attack, in Peer-to-Peer Systems, P. Dr- 2015.
RA
uschel, F. Kaashoek, and A. Rowstron, Eds. Berlin, Heidelberg: [31] Kiayias,A.,Russell,A.,David,B.,andOliynykov,R. Ouroboros: A
Springer Berlin Heidelberg, 2002, pp. 251–260. provably secure proof-of-stake blockchain protocol. Annual In-
[7] The Byzantine Generals Problem, LESLIE LAMPORT, ROBERT ternational Cryptology Conference pp. 357-388. August, 2017.
SHOSTAK, and MARSHALL PEASE. SRI International. [32] Steemit article. [Online]. Available:
[8] Dr. Leemon Baird, Mance Harmon, and Paul Madsen. [Online]. https://steemit.com/dpos/@dantheman/dpos-consensus-
Available: https://www.hedera.com. 2019 algorithm-this-missing-white-paper/
[9] Pierre Chevalier, Bart lomiej Kami´nski, Fraser Hutchi- [33] NXT Whitepaper. [Online]. Available:
son, Qi Ma, and Spandan Sharma. Protocol for asyn- www.nxtdocs.jelurida.com/Nxt Whitepaper
chronous, reliable, secure and efficient consensus (PAR- [34] A. Miller, A. Kosba, J. Katz, and E. Shi, Nonoutsourceable
SEC). [Online]. Available: http://docs.maidsafe.net/ Whitepa- scratch-off puzzles to discourage bitcoin mining coalitions, in
pers/pdf/PARSEC.pdf, Jun 2018. Proceedings of the 22nd ACM SIGSAC Conference on Computer
[10] Team Rocket, Snowflake to Avalanche: A Novel Metastable and Communications Security, ser. CCS ’15. Denver, CO: ACM,
D

Consensus Protocol Family for Cryptocurrencies, 2018. [Online]. Oct. 2015, pp. 680–691.
Available: https://ipfs.io/ipfs/QmUy4jh5mGNZvLkjies1RW- [35] Aleph: Efficient Atomic Broadcast in Asynchronous
M4YuvJh5o2FYopNPVYwrRVGV Networks with Byzantine Nodes. [Online]. Available:
[11] Driscoll, K.; Hall, B.; Paulitsch, M.; Zumsteg, P.; Sivencrona, H. https://arxiv.org/pdf/1908.05156.pdf
The Real Byzantine Generals. The 23rd Digital Avionics Systems [36] S. Nakamoto. Bitcoin Talk Forum. [Online]. Available:
Conference. 2004 https://bitcointalk.org/index.php?topic=195.msg1611
[12] Lamport et al. L. Lamport, R. Shostak, M. Pease. The Byzantine [37] Tamas Blummer et al. An introduction to Hyperledger. [Online].
generals problem. ACM Trans.on Programming. 1982 Available: An Introduction to Hyperledger. 2018.
[13] L. Lamport. The part-time parliament. ACM TOCS 16, 2 (1998), [38] Chain whitepaper. [Online]. Available:
133–169. https://crypto.com/images/chain whitepaper.pdf. 2019
[14] Dwork, Cynthia and Naor, Moni. Pricing via processing or com- [39] Decred (DCR) – Whitepaper. [Online]. Available:
batting junk mail Annual International Cryptology Conference. https://decred.org/research/buterin2014.pdf. 2014
1992 [40] NEM - Whitepaper. [Online]. Available: https://nem.io/wp-
[15] J. Kwon, Tendermint: Consensus without mining (draft), content/themes/nem/files/NEM techRef.pdf. 2018
Self-published Paper, fall 2014. [Online]. Available: [41] EOS Platform. [Online] Available: https://eos.io/
https://tendermint.com/static/docs/tendermint.pdf/ [42] Tezos Platform. [Online] Available: https://tezos.com/
[16] Filecoin: A decentralized storage network, Protocol Labs. [43] NEO Platform. [Online] Available: https://neo.org/

19
[44] Lisk Whitepaper. [Online] Available: https://github.com/
slasheks/lisk- whitepaper/blob/development/LiskWhitepaper.md
[45] Verifiable Delay Functions. Dan Boneh, Joseph Bonneau,
Benedikt Bunz, and Ben Fisch. [Online] Available:
https://eprint.iacr.org/2018/601.pdf
[46] Perspectives on the CAP Theorem. [Online]. Available:
https://groups.csail.mit.edu/tds/papers/Gilbert/Brewer2.pdf
[47] Peercoin discussion forum, discussion 2524. [Online]. Available:
https://talk.peercoin.net/t/the-complete-guide-to-minting/
[48] Majority-Vote Cellular Automata, Ising Dynamics, and
P-Completeness Cristopher Moore. [Online] Available:
https://arxiv.org/pdf/cond-mat/9701118.pdf
[49] Proof of Stake versus Proof of Work. [Online]. Available:
http://bitfury.com/content/5- white- papers-research/pos-vs-pow-
1.0.2.pdf
[50] NKN Lab. NKN: a Scalable Self-Evolving and Self-
Incentivized Decentralized Network. [Online]. Available:
https://www.nkn.org/doc/NKN Whitepaper.pdf. 2018
[51] George Danezis, David Hrycyszyn. Blockmania: from Block
DAGs to Consensus. arXiv:1809.01620. 2018
[52] Jing Chen, Silvio Micali. Alogrand. arxiv:1607.01341v9. 2017
[53] Empirically Analyzing Ethereum’s Gas Mechanism. Renlord
Yang, Toby Murray, Paul Rimba, Udaya Parampalli. [Online]
Available: https://arxiv.org/pdf/1905.00553.pdf
[54] Unikernels: Library Operating Systems for the Cloud, Anil
Madhavapeddy, Richard Mortier, Charalampos Rotsos,
David Scott, Balraj Singh, Thomas Gazagnaire, Steven
Smith, Steven Hand and Jon Crowcroft. [Online] Available:

FT
http://mort.io/publications/pdf/asplos13-unikernels.pdf
[55] Muhamaad Saad et al. Exploring the Attack Surface of
Blockchain: A Systematic Overview. arxiv:1904.03487. 2019
[56] P. Silva. Dnssec: The antidote to DNS cache poisoning and other
dns attacks, A F5 Networks, Inc. Technical Brief. 2009.
[57] T. Peng, C. Leckie, and K. Ramamohanarao. Survey of network-
based defense mechanisms countering the DoS and DDoS prob-
lems,. ACM Computing Surveys (CSUR), vol. 39, no. 1, p. 3.
2007.
[58] Scalable Byzantine Reliable Broadcast. Rachid Guerraoui, Petr
Kuznetsov, Matteo Monti, Matej Pavlovic, and Dragos-Adrian
RA
Seredinschi
D

20
A PPENDIX Proof of Theorem 6
Proof. Transaction times processing will grow
A. Proof of theorems sublogarithmically with the number of pillar nodes.
Proof of Theorem 1
Proof. If a node emits a transaction and it is received
by its representatives, the representatives will send the
information about the transaction to the pillars that will
further broadcast it, and every honest pillar node will
know about the transaction. For maximizing the chance
of receiving the transaction, a node will have not just
one representative, but a logarithmic size of the total
number of sentinel nodes. After three epochs, if the
transaction is not seen throughout the network upon a
request, it means with high probability that the initial
transaction wasn’t received. However, in the absence of
a DoS, the transaction will eventually be seen by the
entire network.

Proof of Theorem 2
Proof. Suppose that we have a double spend and we
also assume that the rest of the pillars are malicious i.e.

FT
K - ζ. After they all broadcast them and all have them
both, one will be chosen based on the rules and the
other discarded. If the majority vote for transaction A
and the minority instead keep B, a fork will be created,
but no double spend.

Proof of Theorem 3
Proof. When pillars are in epoch k , all of them have
RA
received all transactions from epoch k−3 . The pillars
from the majority will choose one transaction based on
the rules and the minority will choose the other, not
reaching the total number of votes required and it will
not be integrated. If they still decide to accept it, a fork
will be created.

Proof of Theorem 4
D

Proof. After the first pillar finishes the proof of work


and sends it along with the transaction, the rest of the
honest nodes will follow and the vote count for this
transaction will reach majority, so it will be integrated
into the ledger, even if the minority of malicious pillars
will decide not to relay it.

Proof of Theorem 5
Proof. The complexity of the messages is M * log(K)
per round so when a new pillar joins the network, it will
become M * log(K + 1). An increase of the number of
pillars is almost unnoticed in the complexity.

21

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy