Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
BPASE 2018 • JAN. 26, 2018
Timo Hanke, Mahnush Movahedi
BPASE 2018 • 2
GOAL
BPASE 2018 • 3
GOAL
Fast Consensus (5 seconds)
Scalability (1m participants)
Randomness
Security (provable)
PoS blockchain consensus providing
BPASE 2018 • 4
GOAL
Fast Consensus (5 seconds)
Scalability (1m participants)
Randomness
Security (provable)
PoS blockchain consensus providing
Short block time,Instant Finality
BPASE 2018 • 5
GOAL
Fast Consensus (5 seconds)
Scalability (1m participants)
Randomness
Security (provable)
PoS blockchain consensus providing
Short block time,Instant Finality
Unpredictable, Unmanipulable
BPASE 2018 • 6
GOAL
Fast Consensus (5 seconds)
Scalability (1m participants)
Randomness
Security (provable)
PoS blockchain consensus providing
Short block time,Instant Finality
Unpredictable, Unmanipulable
Selfish-mining,Nothing-at-stake
BPASE 2018 • 7
CHALLENGES
BPASE 2018 •
ScalabilityInstant Finality
TRADE-OFF
8
CHALLENGES:
Consensus & Scalability
BPASE 2018 •
ScalabilityInstant Finality
TRADE-OFF
9
CHALLENGES:
Consensus & Scalability
PBFT chain PoW chain
BPASE 2018 •
ScalabilityInstant Finality
TRADE-OFF
10
CHALLENGES:
Consensus & Scalability
PBFT chain PoW chainFinality at every block Few nodes
Probabilistic finality over time Arbitrary many nodes
BPASE 2018 •
Derive randomness from a chain?
Chain is not random, manipulable
Assumes everybody agrees on the chain
11
CHALLENGES:
Randomness
BPASE 2018 •
Derive randomness from a chain?
Chain is not random, manipulable
Assumes everybody agrees on the chain
12
CHALLENGES:
Randomness
Must not depend on chain content (“grindable”)
Must not fork
BPASE 2018 • 13
CHALLENGES:
Randomness
“LAST ACTOR” BIAS
The “last actor” sees the randomness and
aborts.
Any fallback mechanism introduces bias.
BPASE 2018 • 14
CHALLENGES:
Randomness
“LAST ACTOR” BIAS
The “last actor” sees the randomness and
aborts.
Any fallback mechanism introduces bias.
EXAMPLES:
Miner discards block
2 or more parties involved
Commit-reveal schemes
…
BPASE 2018 •
PoS ATTACKS
15
CHALLENGES:
Security
Signatures are timeless
Signatures are cheap
Blocks can be equivocated
Blocks can be withheld
Selfish-mining Nothing-at-stake
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS
CHALLENGES
16
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS
1
Threshold groups do not have “last actors”
17
BPASE 2018 •
k out of n members have to act
(necessary and sufficient)
18
FUNDAMENTAL OBSERVATIONS:
No “last actors”
k-of-n THRESHOLD GROUP
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS
2
Consensus without consensus
19
BPASE 2018 • 20
FUNDAMENTAL OBSERVATIONS:
Consensus without consensus
BLS Threshold signatures
BPASE 2018 •
Distributed key generation: No trusted dealer required
21
FUNDAMENTAL OBSERVATIONS:
Consensus without consensus
BLS Threshold signatures
BPASE 2018 •
Distributed key generation: No trusted dealer required
Unique: For every message only one signature verifies
22
FUNDAMENTAL OBSERVATIONS:
Consensus without consensus
BLS Threshold signatures
BPASE 2018 •
Non-interactive: Signature shares created independently
Distributed key generation: No trusted dealer required
Unique: For every message only one signature verifies
23
FUNDAMENTAL OBSERVATIONS:
Consensus without consensus
BLS Threshold signatures
BPASE 2018 •
Non-interactive: Signature shares created independently
Distributed key generation: No trusted dealer required
Unique: For every message only one signature verifies
24
FUNDAMENTAL OBSERVATIONS:
Consensus without consensus
BLS Threshold signatures
“agree once”
“agree always”
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS
3
Randomly sampled committees
25
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Randomly sampled committees
Universe Random Sample
26
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Randomly sampled committees
Universe
30%
Random Sample
27
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Randomly sampled committees
Universe
30%
Random Sample
50% ?
28
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Randomly sampled committees
Universe
30%
Random Sample
50% ?
0 5 10 15 20
29
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Randomly sampled committees
Universe
30%
Random Sample
50% ?
0 5 10 15 20 0 20 40 60 80 100
30
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Randomly sampled committees
Based on Binomial distribution (arbitrarily large universe)
Prob(G honest) > 1 - 2-x Safe group size
adversary controls
of universe
33.3% 25% 20%
423 173 111
701 287 185
887 363 235
1447 593 383
40
64
80
128
x
31
Group G honest if adversary controls <50% of G
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS
4
Enforcing publication
32
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Enforced publication
33
Majority signature by a committee.
NOTARIZATION
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Enforced publication
34
Majority signature by a committee.
NOTARIZATION
A committee is a random sample of the whole network.
A notarization is a proof of publication.
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Enforced publication
35
Majority signature by a committee.
NOTARIZATION
A committee is a random sample of the whole network.
A notarization is a proof of publication.Only notarized blocks
are valid.
VALID
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Enforced publication
1 2 3 4 5 Block height
36
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Enforced publication
1 2 3 4 5 Block height
Sequence of committeesG_1 G_2 G_3 G_4 G_5
37
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Enforced publication
1 2 3 4 5 Block height
Time interval
Sequence of committeesG_1 G_2 G_3 G_4 G_5
38
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Enforced publication
1 2 3 4 5 Block height
Time interval
Sequence of committeesG_1 G_2 G_3 G_4 G_5
39
A committee is active only during the phase of the block height to which it was assigned.
A notarization is a timestamp.
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Enforced publication
40
Only notarized blocks are valid.
Blocks cannot be withheld.
Impossible to build on old blocks.
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Enforced publication
41
Can notarizations be withheld?
BPASE 2018 •
FUNDAMENTAL OBSERVATIONS:
Enforced publication
42
A committee is active only during the phase of the block height to which it was assigned.
A block can get “half-notarized”.
BPASE 2018 •
1 2 3 4 5 Block height
Notarized Chains
2a1 3a 4a
3b 4b
Time interval
Active groupG_1 G_2 G_3 G_4 G_5
G_1 G_2 G_3 G_4
G_3 G_4
5
5
G_5
G_5
3c 4c
2b
43
FUNDAMENTAL OBSERVATIONS:
Enforced publication
2bG_2
3cG_3
4cG_4
BPASE 2018 • 44
FUNDAMENTAL OBSERVATIONS:
Enforced publication
2bG_2
3cG_3
Every notarization contains honest signatures.
BPASE 2018 • 45
FUNDAMENTAL OBSERVATIONS:
Enforced publication
2bG_2
3cG_3
Every notarization contains honest signatures.
2bG_2
3cG_3
Trick:
BPASE 2018 • 46
FUNDAMENTAL OBSERVATIONS:
Enforced publication
2bG_2
3cG_3
Every notarization contains honest signatures.
2bG_2
3cG_3
Trick:
Block references the previous notarization
Notarizations cannot be withheld
BPASE 2018 •
1 2 3 4 5 Block height
Notarized Chains
2a1 3a 4a
3b 4b
Time interval
Active groupG_1 G_2 G_3 G_4 G_5
G_1 G_2 G_3 G_4
G_3 G_4
5
5
G_5
G_5
2b
47
FUNDAMENTAL OBSERVATIONS:
Enforced publication
2bG_2
3c
BPASE 2018 •
1 2 3 4 5 Block height
Notarized Chains
2a1 3a 4a
3b 4b
Time interval
Active groupG_1 G_2 G_3 G_4 G_5
G_1 G_2 G_3 G_4
G_3 G_4
5
5
G_5
G_5
3c
2b
48
FUNDAMENTAL OBSERVATIONS:
Enforced publication
2bG_2
3c
G_2
BPASE 2018 •
1 2 3 4 5 Block height
Notarized Chains
2a1 3a 4a
3b 4b
Time interval
Active groupG_1 G_2 G_3 G_4 G_5
G_1 G_2 G_3 G_4
G_3 G_4
5
5
G_5
G_5
3c
2b
49
FUNDAMENTAL OBSERVATIONS:
Enforced publication
2bG_2
3c
G_2
BPASE 2018 •
THE SYSTEM
CHALLENGES
50
BPASE 2018 •
RandomnessUnique threshold
signatures
ScalabilityCommittees
Provable security Fast consensus
Notarization
51
SOLUTION
BPASE 2018 • 52
Identity Layer
Random Beacon Layer
Blockchain Layer
Register
Transaction
Observe
Users
Notary Layer
Con
sens
us P
roto
col L
ayer
s
Exte
rnal
Act
orsObservers
New Clients
SOLUTION:
Protocol Layers
BPASE 2018 • 53
Notary
RandomBeacon
BlockMakers1. Random
value
1. Randomvalue
2. Blockproposals
3. NotarizedBlock
3. NotarizedBlock
SOLUTION SOLUTION:
Rounds
BPASE 2018 • 54
SOLUTION:
Random Beacon
BPASE 2018 • 55
SOLUTION:
Random Beacon
BPASE 2018 • 56
SOLUTION:
Random Beacon
BPASE 2018 •
SOLUTION:
57
BPASE 2018 • 58
SOLUTION:
Blockchain
⇠r�1 ⇠r
Br�1 Br
zr�1
�Br,i1�Br,i2...�Br,it
BPASE 2018 • 59
SOLUTION:
Blockchain
⇠r�1 ⇠r
Br�1 Br
zr�1
�Br,i1�Br,i2...�Br,it
⇠r�1 ⇠r
Br�1 Br
zr�1 zr
BPASE 2018 • 60
SOLUTION:
Blockchain
⇠r�1 ⇠r
Br�1 Br
zr�1
�Br,i1�Br,i2...�Br,it
⇠r�1 ⇠r
Br�1 Br
zr�1 zr
⇠r�1 ⇠r
Br�1 Br
zr�1 zr
�r||⇠r,i1�r||⇠r,i2...�r||⇠r,it
BPASE 2018 • 61
SOLUTION:
Blockchain
⇠r�1 ⇠r
Br�1 Br
zr�1
�Br,i1�Br,i2...�Br,it
⇠r�1 ⇠r
Br�1 Br
zr�1 zr
⇠r�1 ⇠r
Br�1 Br
zr�1 zr
�r||⇠r,i1�r||⇠r,i2...�r||⇠r,it
⇠r�1 ⇠r
Br�1 Br
zr�1
⇠r+1
zr
BPASE 2018 •
2a1 3a 4aG_1 G_2 G_3 G_4
5
52b
62
FUNDAMENTAL OBSERVATIONS:
Normal operation
G_2
G_5
G_5
First block maker honest+
Network synchronous
Only one block gets notarized
BPASE 2018 • 63
SOLUTION:
Blockchain
r � 3 r � 2 r � 1 r
0
1
2
FINAL
DEAD
DEAD
FINAL
DEAD
BPASE 2018 •
CONCLUSIONS
CHALLENGES
64
BPASE 2018 • 65
Consensus algorithm landscape
BYZANTINE AGREEMENT IN AUTHENTICATED SETTING
(n replicas, f adversary, asynchrony)
FLP
f = 0
BPASE 2018 • 66
Consensus algorithm landscape
BYZANTINE AGREEMENT IN AUTHENTICATED SETTING
(n replicas, f adversary, asynchrony)
FLP Bracha/Toueg
probabilistic
f = 0 n > 3f
BPASE 2018 • 67
Consensus algorithm landscape
BYZANTINE AGREEMENT IN AUTHENTICATED SETTING
(n replicas, f adversary, asynchrony)
+ synchrony (for liveness)
FLP Bracha/Toueg
PBFT
probabilistic practical
f = 0 n > 3f n > 3f
BPASE 2018 • 68
Consensus algorithm landscape
BYZANTINE AGREEMENT IN AUTHENTICATED SETTING
(n replicas, f adversary, asynchrony)
+ synchrony (for liveness)
+ synchrony+ probabilistic
termination
FLP Bracha/Toueg
PBFT Blockchain
probabilistic practical
f = 0 n > 3f n > 2fn > 3f
BPASE 2018 • 69
Consensus algorithm landscape
BYZANTINE AGREEMENT IN AUTHENTICATED SETTING
(n replicas, f adversary, asynchrony)
+ synchrony (for liveness)
+ synchrony(for liveness & safety)
+ synchrony+ probabilistic
termination
FLP Bracha/Toueg
PBFT Dfinity Blockchain
probabilistic practical scale
f = 0 n > 3f n > 2f + ✏ n > 2fn > 3f
BPASE 2018 • 70
Consensus algorithm landscape
BYZANTINE AGREEMENT IN AUTHENTICATED SETTING
(n replicas, f adversary, asynchrony)
+ synchrony (for liveness)
+ synchrony(for liveness & safety)
+ synchrony+ probabilistic
termination
FLP Bracha/Toueg
PBFT Dfinity Blockchain
probabilistic practical scale fast termination
f = 0 n > 3f n > 2f + ✏ n > 2fn > 3f
BPASE 2018 • 71
Algorithm flexibility
PBFT(synchrony only for liveness)
n/5 n/3 n/2 f
n
102
106
1
BPASE 2018 • 72
Algorithm flexibility
DFINITY(synchrony for liveness and safety)
PBFT(synchrony only for liveness)
n/5 n/3 n/2 f
n
102
106
1
BPASE 2018 • 73
Algorithm flexibility
DFINITY(synchrony only for liveness)
DFINITY(synchrony for liveness and safety)
PBFT(synchrony only for liveness)
n/5 n/3 n/2 f
n
102
106
1
BPASE 2018 • 74
Algorithm flexibility
DFINITY(synchrony only for liveness)
DFINITY(synchrony for liveness and safety)
PBFT(synchrony only for liveness)
n/5 n/3 n/2 f
n
102
106
1
BPASE 2018 •
BPASE 2018
PART 2
75
BPASE 2018 • 76
Open participation
BPASE 2018 • 77
Randomness defines the new groups The group members run distributed key generation They join by providing their group public key
Open participation
BPASE 2018 •
Challenge
How to agree on the group public key?
78
BPASE 2018 •
Solution
Use Dfinity chain at the current epoch to change the behavior of the
system itself at future epochs.
79
BPASE 2018 •
Requires Agreement: Dfinity chain has already created an efficient medium for consensus
Using the same blockchain: the result will be used only on the side of a fork on which it is used
80
Distributed Key Generation
System Contracts
Node Registration Group Registration
System Parameters
DFN Payment BNS
System contracts
BPASE 2018 •
DKG Contract
81
BPASE 2018 • 82
Mahnush
Movahedi
BPASE 2018 •
(t, n) Distributed Key Generation
Create a master public key and set of partial signing keys.
83
BPASE 2018 •
Studied extensively in the crypto literature
Utilizes point-to-point communication
Assumes/implements a reliable broadcast channel as a bullet-in-board
We use Dfinity chain as the bullet-in-board
84
Previous versions of the DKG
BPASE 2018 •
It goes trough the following phases 1. Dealing
2. Complaint
3. Justification
4. Registration
Prefer contracts that are event driven
85
{-# LANGUAGE ScopedTypeVariables, FlexibleContexts #-} module Main where
import Data.List (delete) import Control.Monad import Control.Monad.Task import Contract import System
type VerificationVector = String
data DkgEvent = Deal Int VerificationVector | Complain Int Int | Justify Int Int VerificationVector | GetGroupKey deriving (Eq, Show)
DKG phases
BPASE 2018 •
Many dealers (contributors).
Each Dealer will • Share a secret value using a polynomial
• Create commitment to the polynomial
• Encrypt the shares
• Send the vector to the contract
86
Dealing phase
collectDeals deal@(i,_) deals = case lookup i deals of Just _ -> logConsole ("deal already exists", i) >> return deals Nothing -> return (deal : deals)
BPASE 2018 •
Receive your share and commitment vector
Check the validity of your share
Send your complain to the contract if: • No share received
• The share was invalid
87
Complain phase
BPASE 2018 •
For each complaint: • Send the share in clear text to the contract
For each justification, the contract: • Check if the share is valid
• If it is valid, it removes the complain and accepts the sharing.
88
Justification phase
BPASE 2018 •
The group public key is the sum of the verification vector of each successful dealer
Successful Dealer: not have any unjustified complains remaining
89
Registration phase
BPASE 2018 •
System contracts can be used to manage the future behavior of the system
Carefully design the contract that most of the code which do not need consensus is happening on the client side.
Only the data that need agreement over will pass to the contract
90
Take away
THANK YOU
dfinity.org
twitter.com/dfinity
dfinity.org/tech
bit.ly/DFN_TestNet
medium.com/dfinity
reddit.com/r/dfinity