Cryptocurrency with central bank regulations: the RSCoin framework

Roman Oliynykov, Ph.D., Dr.Habil., Arseniy Seroka, Jonn Mostovoy

IOHK

IACR Summer School on Blockchain Technologies, Corfu, Greece

June 1st, 2016

Roman Oliynykov, Arseniy Seroka, Jonn Mostovoy The RSCoin framework 1 / 41

Outline

Thanks to George Danezis and Sarah Meiklejohn, developers of RSCoin, for an essentially new approach to the architecture of cryptocurrencies.

Bitcoin open problems and governmental interest in the application of blockchain-based technologies.

Architecture and general properties of RSCoin.

Haskell implementation of RSCoin.

Open questions of RSCoin.

Proposals for RSCoin further development.


Some open problems for Bitcoin

poor scalability: in practice up to 7 transactions per second; cf. VISA and MasterCard, which can process tens of thousands of transactions per second;

network latency: transaction approval takes a long time, up to tens of minutes or even longer in specific cases;

liquidity limits (still relevant in 2016): exchanges which trade bitcoins are unable to convert really big amounts of bitcoins to fiat currency;

stability and predictability issues:

exponential growth of mining difficulty leads to an oligopoly of Bitcoin network control: a very few mining pools may dictate rules for the whole Bitcoin network;

a Goldfinger attack: an entity with computational resources over some threshold can effectively work against the rest of the Bitcoin network;

wasted computational power and energy (up to 1 GW);

enormous Bitcoin miner bonus on each transaction (paid by a big number of newcomers): at least $3 even on a penny-size money transfer (cf. more than $600 million annual miners' reward in 2015 and not more than 7 transactions per second, with 31.5 million seconds per year).

Governmental interest in Blockchain-based technologies

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/492972/gs-16-1-distributed-ledger-technology.pdf

Open problem for traditional decentralized cryptocurrencies: governmental application

the loss of control over monetary supply;

little to no flexibility for macroeconomic policy;

extreme volatility in their value as currencies.


RSCoin: cryptocurrency framework proposal for central banks

a central bank is a trusted entity (and the central bank only);

centralization of the monetary supply: every unit of a particular currency is created by the central bank;

a transparent transaction ledger;

a distributed system for maintaining the transaction ledger;

a globally visible monetary supply (and more visible transactions on shares, derivatives, etc.);

an easily scalable solution (to provide the necessary number of transactions per second).

Proposed in "Centrally Banked Cryptocurrencies" by George Danezis and Sarah Meiklejohn

Different types of participants in RSCoin

a central bank (the only trusted entity);

mintettes (institutions authorized by a central bank for validating transactions for some period of time);

users (senders and receivers of transactions).

NB: mintettes and users are not trusted, and their misbehavior can be detected and ultimately held accountable.

Functions of each participant in RSCoin (I)

central bank:

authorization of mintettes for a given period of time (authorization is accomplished by a PKI-type functionality);

forming the higher-level block from lower-level blocks provided by mintettes;

arbitration procedures (when necessary);

monetary supply for macroeconomic policy.

NB: there is no interaction between the central bank and users.

Functions of each participant in RSCoin (II)

mintette:

certification that there is no double-spending for the input addresses of a transaction (for transactions provided by users);

verification of transactions with evidence from other mintettes; including these transactions into its own lower-level block and providing the user with evidence that the transaction will be included in the higher-level block;

providing lower-level blocks to the central bank for forming the higher-level block.

NB: there is no direct interaction between mintettes, but they have cross-hashing for their lower-level blocks.

Functions of each participant in RSCoin (III)

user:

requesting evidence of double-spending absence from the sender's mintettes;

sending that evidence to the receiver's mintettes and obtaining confirmation that the transaction will be included in the higher-level block.

Users' transactions are divided between mintettes into "shards"; each transaction is served by several mintettes.

Simplified model of RSCoin transactions


Including only valid transactions in the next block

each (honest) mintette verifies all transactions provided by the user; only valid transactions will be included in its lower-level block;

the central bank receives cross-hashed lower-level blocks from mintettes and forms the higher-level block;

each user has evidence from the mintette(s) (with a digital signature) that the transaction will be included in the higher-level block.

Incentivizing mintettes for active participation

reward fees for transactions;

special coin generation transactions (cf. block mining reward in Bitcoin) allowed by the central bank.

Key integrity properties

no double-spending;

non-repudiable sealing;

timed personal audits;

universal audits;

exposed inactivity.


Consensus parties for each transaction

a user;

mintettes of input (sender) address;

mintettes of output (receiver) address;

the central bank.

NB: consensus is reached by some subsets of mintettes with the central bank's arbitration (not by the whole network as in Bitcoin).

General properties of RSCoin

a framework that allows any central bank to deploy its own cryptocurrency;

full control over monetary supply and its visibility for the central bank;

more visible transactions on shares, derivatives, etc.;

scalability and fast transaction approval: adding mintettes allows linear scaling; a simulation by the authors of the paper shows that 30 mintettes process approx. 2000 trans/sec (cf. 7 trans/sec for Bitcoin);

no resources (electricity, etc.) wasted on proof-of-work;

the central bank is always assumed to be honest;

cross-hashed low-level transaction ledgers from mintettes;

they may be invisible to users (or visible if it is allowed by the central bank).

Haskell implementation of RSCoin


Current implementation

Follows the work of Dr. Danezis and Dr. Meiklejohn

As close to the paper as possible

Implemented everything from scratch

Haskell as programming language

Why Haskell?

Industrial applicability

Ease of implementation of academic papers

Strong guarantees during the compilation

QuickCheck as testing framework:

authored by Dr. Hughes

generic testing of distributed systems by Konstantin Ivanov of ITMO University with help of David Turner

Codebase

Open: https://github.com/input-output-hk/rscoin-haskell

≈ 900 commits, 6 contributors

Clean

Hackable

Decoupled


Implementation details (technologies)

MsgPack-RPC for communication:

debuggable binary protocol

our team developed a patch

Blake2b for hashing

ED25519 for signing

acid-state as persistence layer

conduit as streaming data processing


Performance

Benchmarking, profiling, tuning, tweaking, etc.


Performance pitfalls

Networking (lots of communication due to protocol)

Haskell-related (immutability, GC)

IO (database)

Threads (context switches, locks)


Approach (1 / 2)

Tuning GC with right RTS options

Persistence almost as fast as memory-based

Fast libraries (text, bytestring, unordered-containers, vector, pqueue, etc.)

Strictness

Approach (2 / 2)

Green threads over native ones

stm for transactions

Profiling tools

Compiler and RTS options

ghc-prof-flamegraph & FlameGraph

ThreadScope for OS threads

ghc-events-analyze for green threads

criterion for pure functions

strace


Benchmark conditions and results (1)

Serokell version:

1 computer, 4 cores

1 bank

1 mintette

2 users (2000 transactions total)

760 TPS (transactions per second)

Paper (Danezis) version:

Amazon EC2 t2.micro instances

25 users

5-30 mintettes

9 mintettes: ≈ 760 TPS

1 mintette: ≈ 400 TPS

Further development of RSCoin


Open questions of RSCoin (I)

1. Mintette incentive procedure for fair fee distribution.

The need to take into account mintette activity from both input and output shards, under conditions of an unreliable (delayed) physical network and possibly dishonest behaviour of users' software.

2. Mintette incentive to invest in infrastructure for providing better service.

Building its own reliable data center with reserved high-speed internet channels, etc. should definitely give a mintette the possibility to maximize its profit.

Open questions of RSCoin (II)

3. Potentially long time between the periods for high-level block generation by the central bank.

Merging all lower-level blocks from mintettes requires removing many duplicated transaction records, which needs many sequential operations and cannot be fully run in parallel.

4. Variants for further increasing the attack complexity of double-spent transactions.

As in RSCoin there are no transaction ledger forks and no network votes for selecting one of them, a double-spent transaction, if it appears, may be removed by administrative means of the central bank only. The complexity of such attacks may be additionally increased (compared to the current model, where the majority of some shard's mintettes are dishonest).

Potential weaknesses of the RSCoin current version (the worst case scenario)

The system may not have its best performance.

There is no principal advantage for mintettes which invest in infrastructure.

A not clearly defined procedure for mintette rewards might lead to the following (being presented as network transport problems):

users' software may infiltrate competing mintettes' replies, decreasing their income (in the case when the users' software is implemented by a company affiliated with some mintette).

Problems with transparent investigation of the mentioned cases.

The presence of dishonest officials in the central bank might help to hide unfair competition.

Proposed further features for RSCoin

A clear procedure for mintette rewards, with the possibility of transparent control of competition fairness (not involving administrative requests to the bank, etc.).

Additional info needed to check competition fairness should be automatically included in the ledger.

A transparent transaction ledger obligatorily available to all mintettes.

For the current version of RSCoin, the central bank may share UTXO for specific shards only (not revealing high-level blocks), and that is enough for the system to work normally.

High-level block is produced by mintettes.

For a rather long period involving millions of transactions, merging of lower-level blocks by the central bank may require significant time, delaying the next period.

Proposal for further RSCoin development

High-level block is formed by mintettes (based on an RSCoin-like and BitShares-like procedure) and only signed by the central bank.

The system becomes transparent (mintettes have access to the transaction ledger in any case) and a new period is not delayed by the bank due to the lower-level block merging procedure.

Introducing a mintette "veto" on transactions.

As all mintettes are authorized by the bank and may be penalized by it, such a feature increases the attack complexity for a double-spent transaction to be included in the high-level block.

User software includes mintettes' replies, obligatorily preserving their order.

This feature allows selecting the fastest mintettes to get an additional reward. If users' software returns a list in incorrect order, it can be easily revealed by simple analysis.

High-level block is formed by mintettes

Another layer of mintettes is introduced for forming the high-level block.

Output (receiver) mintettes, on confirming a user's transaction, not only include it in their lower-level block, but also spread it among the shard of "high-level" mintettes (like users do).

Such a "high-level" mintette:

having enough confirmations for a consensus among output (receiver) mintettes, sends the transaction to the current "witness" mintette for inclusion in the high-level block (obligatorily preserving the confirmation list order);

being a "witness" in its turn, collects transactions from other mintettes and forms a high-level block (in predefined order, like in BitShares), spreading the new block among other mintettes.

The central bank just takes transactions from the high-level block (skipping replies from sender and receiver mintettes, etc.) and signs such a block.

Advantages of forming high-level blocks by mintettes

The system running the improved cryptocurrency:

has obligatory transparency for "high-level" mintettes in all cases: they need all transactions, which, in turn, carry a lot of additional info from users and mintettes;

fair competition may be easily verified by any "high-level" mintette;

remains easily scalable;

may produce high-level blocks with the required frequency (e.g., 1 per second);

does not lead to delays from the central bank between periods.

Introducing mintette "veto" on transactions

All mintettes are authorized by the bank and required to behave honestly.

A single contradiction among mintettes means misbehaviour (not processing the last block for UTXO update) or an attempt by some mintette(s) to work against the rules.

A transaction with at least one "veto" vote is blocked and sent to the central bank for investigation, in order to penalize dishonest participants and reward honest ones.

Application of RSCoin by commercial companies may additionally include security deposits from mintettes for penalizing and assurance policy.

Advantages of mintette "veto" on transactions

The difficulty of getting a double-spent transaction included in the high-level block increases.

An attacker must create a transaction where

a majority of mintettes are dishonest (it is not sent to the remaining honest ones);

statistics showing only a few confirmations from sender mintettes may additionally be treated as suspicious by the receiver mintette, which also increases attack difficulty;

the attacker must also take into account the majority of the receiver shard;

or

all sender mintettes are dishonest;

the number of collaborating dishonest mintettes increases, as does the attack difficulty.
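Added example (not from the slides or the rscoin-haskell code base): a small Python model of how replies from a sender shard are judged under the current majority rule and under the proposed veto rule. The hash-based shard assignment, the names shard_for, Mintette and decide, and the "suspicious" outcome for an incomplete confirmation list are assumptions made for illustration; signatures on the replies are left out.

```python
import hashlib
from dataclasses import dataclass, field

def shard_for(address: str, n_mintettes: int, shard_size: int) -> list:
    """Mintettes serving an address. Hash-based assignment is an assumption."""
    h = hashlib.blake2b(address.encode(), digest_size=8).digest()
    start = int.from_bytes(h, "big") % n_mintettes
    return [(start + i) % n_mintettes for i in range(shard_size)]

@dataclass
class Mintette:
    honest: bool = True
    spent: dict = field(default_factory=dict)  # input address -> tx that spent it

    def vote(self, address: str, tx_id: str) -> bool:
        """True: no double-spending seen for this input. False: conflict (veto)."""
        if not self.honest:
            return True  # a colluding mintette confirms anything
        return self.spent.setdefault(address, tx_id) == tx_id

def decide(votes: dict, shard_size: int, veto_rule: bool) -> str:
    """Outcome for one input, given the replies the user chose to collect."""
    if veto_rule and not all(votes.values()):
        return "blocked"      # one veto suffices; the case goes to the central bank
    if 2 * sum(votes.values()) <= shard_size:
        return "rejected"     # no majority of the shard confirmed
    if veto_rule and len(votes) < shard_size:
        return "suspicious"   # majority reached, but some mintettes were skipped
    return "accepted"

def run_scenario() -> dict:
    # Constructed setup: 9 mintettes, shards of 3, two colluders in one shard.
    mintettes = [Mintette() for _ in range(9)]
    shard = shard_for("addr-A", len(mintettes), 3)
    for i in shard[:2]:
        mintettes[i].honest = False

    def ask(ids, tx_id):
        return {i: mintettes[i].vote("addr-A", tx_id) for i in ids}

    first = ask(shard, "tx1")        # legitimate spend of addr-A
    again = ask(shard, "tx2")        # second spend, sent to the whole shard
    partial = ask(shard[:2], "tx2")  # second spend, honest mintette skipped
    return {
        "tx1": decide(first, 3, veto_rule=True),
        "tx2 majority": decide(again, 3, veto_rule=False),
        "tx2 veto": decide(again, 3, veto_rule=True),
        "tx2 partial majority": decide(partial, 3, veto_rule=False),
        "tx2 partial veto": decide(partial, 3, veto_rule=True),
    }

if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

With a dishonest majority in the shard, the majority rule accepts the second spend in both cases, while the veto rule blocks it when the honest mintette is asked and leaves a visibly incomplete confirmation list when it is not.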

User software includes mintettes' replies, obligatorily preserving their order

The fastest mintettes will statistically appear first in most transactions.

The central bank pays an additional bonus to mintettes which serve users faster (e.g., to the 33% fastest mintettes).

It creates an incentive for mintettes to invest in their infrastructure for providing better service.

Dishonest user software can be easily revealed by analyzing statistics in the transaction ledger (by comparing replies from different user software clients working at the same network provider).

The same principle is also applied to output mintettes.
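Added example (not part of the slides): one way the ledger analysis described above could look, in Python. The record layout (client, provider, ordered replies), the constructed sample ledger, the one-position threshold and the function names are assumptions; the 33% bonus share is the figure from the slide.

```python
from collections import defaultdict
from statistics import mean

# Constructed ledger records: (client software, network provider,
# mintette replies in the order the client reported receiving them).
LEDGER = [
    ("walletA", "isp1", ["m1", "m2", "m3"]),
    ("walletA", "isp1", ["m1", "m3", "m2"]),
    ("walletB", "isp1", ["m1", "m2", "m3"]),
    ("walletB", "isp1", ["m2", "m1", "m3"]),
    ("walletC", "isp1", ["m1", "m2", "m3"]),
    ("walletC", "isp1", ["m1", "m2", "m3"]),
    ("walletD", "isp1", ["m3", "m2", "m1"]),  # always reports m1 last
    ("walletD", "isp1", ["m2", "m3", "m1"]),
]

def mean_ranks(records):
    """Average position (0 = first reply) of each mintette over the records."""
    ranks = defaultdict(list)
    for _client, _provider, order in records:
        for position, mintette in enumerate(order):
            ranks[mintette].append(position)
    return {m: mean(r) for m, r in ranks.items()}

def bonus_mintettes(records, share=0.33):
    """The fastest `share` of mintettes by average reply position."""
    ranks = mean_ranks(records)
    count = max(1, round(len(ranks) * share))
    return sorted(ranks, key=lambda m: (ranks[m], m))[:count]

def suspicious_clients(records, threshold=1.0):
    """Clients whose reported order for some mintette differs from that of
    other clients on the same provider by more than `threshold` positions."""
    by_provider = defaultdict(lambda: defaultdict(list))
    for record in records:
        by_provider[record[1]][record[0]].append(record)
    flagged = {}
    for clients in by_provider.values():
        for client, own in clients.items():
            peers = [r for c, rs in clients.items() if c != client for r in rs]
            own_r, peer_r = mean_ranks(own), mean_ranks(peers)
            gaps = {m: own_r[m] - peer_r[m] for m in own_r if m in peer_r}
            if not gaps:
                continue  # nothing to compare against on this provider
            worst = max(gaps, key=lambda m: abs(gaps[m]))
            if abs(gaps[worst]) > threshold:
                flagged[client] = (worst, round(gaps[worst], 2))
    return flagged

if __name__ == "__main__":
    print("bonus:", bonus_mintettes(LEDGER))
    print("flagged:", suspicious_clients(LEDGER))
```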

Advantages of obligatorily preserving the order of mintettes' replies

mintette incentive to create the best infrastructure for the fastest processing of users' requests (the central bank reward);

combined with a transparent transaction ledger, it allows verification of competition fairness by any participant ("high-level" mintette);

dishonest users' software is easily revealed by statistical analysis of the ledger, and direct evidence can be collected by analysis of input and output traffic.

Additional properties of RSCoin with implemented proposals

Mintettes' incentive to invest in infrastructure for providing the best service.

Transparent fee distribution among mintettes, easily verifiable by any participant ("high-level" mintettes).

The central bank dictates its rules, but every participant may verify whether everyone follows them, not depending on official investigation by the bank.

High speed of high-level block production, remaining highly scalable.

No significant delay before starting a new period by the central bank.

Increased difficulty of double-spending attacks.

All key integrity properties of the current version of RSCoin remain valid.

IOHK

CASCADING DISRUPTION
