red belly blockchain€¦ · p1 t1 t3 t2. secure: transactions are signed with private ... g1= the...
TRANSCRIPT
![Page 1: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/1.jpg)
Red Belly BlockchainVincent Gramoli
(Special thanks to Tyler Crain, Mikel Larrea, Chris Natoli, Michel Raynal, Guillaume Vizier)
1
![Page 2: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/2.jpg)
2
Sydney
![Page 3: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/3.jpg)
3
Red Belly Snake
![Page 4: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/4.jpg)
Roadmap
• Context: Blockchain
• Problem: Balance Attack
• Solution: Unforkable Blockchain
• Democratic BFT consensus
• Red Belly Blockchain
4
![Page 5: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/5.jpg)
What is a blockchain?
5
![Page 6: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/6.jpg)
• Chain of blocks
• Starts at a special block called the genesis block
• Each block contains the hash of its predecessor
• To create a block one must solve a crypto-puzzle
Blockchain [Nak’08]
6
genesis b1 b2 b3 b4
![Page 7: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/7.jpg)
Participants can recordtransactions in blocks, to transfer digital assets (called coins) between participants
Blockchain (con’t)
7
genesis
P2
P3
P1t1
t3 t2
![Page 8: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/8.jpg)
Secure: transactions are signed with private keys
Blockchain (con’t)
8
genesis
P2
P3
P1𝜎1(t1)
𝜎3(t3) 𝜎2(t2)
![Page 9: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/9.jpg)
Secure: transactions are signed with private keys
Blockchain (con’t)
9
genesis
P2
P3
P1𝜎1(t1)
𝜎1(t2) 𝜎2(t2)
![Page 10: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/10.jpg)
Disagreement ⇒ DAG
ge b1 b2 c3 c4
Blockchain (con’t)
10
P2P3
P1ge b1 b2 b3 b4
ge b1 a2 a3 a4
ge b1 b2 b3 b4
a2 a3 a4
c3 c4
![Page 11: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/11.jpg)
11
Blockchain (con’t)
genesis b1 b2 b3 b4
a2 a3 a4
c3 c4
![Page 12: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/12.jpg)
12
Blockchain (con’t)
genesis b1 b2 b3 b4
a2 a3 a4
c3 c4
𝜎A(tA): Alice gives all her coins to Bob
𝜎A(tA’): Alice gives all her coins to Carole
![Page 13: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/13.jpg)
One branch is selected based on its length, the weight of its subtrees, its content…
13
Blockchain (con’t)
genesis b1 b2 b3 b4
a2 a3 a4
c3 c4
![Page 14: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/14.jpg)
Blockchain (con’t)
14
genesis block decided block undecided block
0 1 i i+1 i+k-1 i+k
blockchain depth = i+k
genesis
We say that a transaction commits when it is in a decided block [NCA’16]
![Page 15: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/15.jpg)
What’s dangerous about it?
15
![Page 16: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/16.jpg)
The Balance Attack [DSN’17]
16
Consider a communication graph G=<V,E>
![Page 17: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/17.jpg)
The Balance Attack (con’t)
17
Consider a communication graph G=<V,E>
Let G1 and G2 be two subgraphs of G with the same mining power separated by E3 such that E = E1 ∪ E2 ∪ E3
E3
G2=<V2,E2>
G1=<V1,E1>
![Page 18: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/18.jpg)
The Balance Attack (con’t)
18
Let an attacker issue tA in G1 and delay links E3
Then the two subgraphs end up with branches of similar lengths or weights W1 and W2
E3
G2
G1
![Page 19: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/19.jpg)
The Balance Attack (con’t)
19
The attacker has only to mine |W1-W2|+1 blocks in G2
The weight of a branch in G2 exceeds G1’s branches
E3
G2
G1
![Page 20: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/20.jpg)
The Balance Attack (con’t)
20
When the attacker stops delaying the messages
tA is discarded, allowing double spending with tA’
![Page 21: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/21.jpg)
Unforkable Blockchain
21
![Page 22: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/22.jpg)
Unforkable blockchain
22
genesis block decided block
0 1 i i+1 i+k-1 i+k
blockchain depth = i+k
genesis
We say that a transaction commits when it is in a decided block [NCA’16]
![Page 23: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/23.jpg)
23
Model• Distributed system: n processes ⇐ but additional processes can
issue transactions and read the blockchain
• Partially synchronous: the upper-bounds on the delay of messages and computation is not known ⇐ Internet can be congested
• Byzantine failures: there can only be t < n/3 arbitrary failures, all other processes are correct ⇐ Attackers have incentives to try
stealing
• Point-to-point reliable channel: a message sent by a correct process is eventually received by a correct process ⇐ Public key encryptions can implement it
![Page 24: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/24.jpg)
Byzantine Consensus?
1
2
324
Agreement: no two correct processes decide differently
Termination: every correct process decides
Validity: the decided value is proposed by a correct process
Each correct process invokes propose(v) with its value v and decides the returned value such that:
![Page 25: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/25.jpg)
Byzantine Consensus?
1
2
325
Agreement: no two correct processes decide differently
Termination: every correct process decides
Validity: the decided value is proposed by a correct process
Each correct process invokes propose(v) with its value v and decides the returned value such that:
![Page 26: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/26.jpg)
Blockchain Consensus [AlgoTel’17]
1
2
326
Agreement: no two correct processes decide differently
Termination: every correct process decides
Validity: the decided value satisfies the predicate valid()
Provided an application-specific valid() predicate, each correct process invokes propose(v) and decides the returned value such that:
![Page 27: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/27.jpg)
Democratic BFT
27
![Page 28: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/28.jpg)
Binary Byzantine Consensus
1
2
328
Agreement: no two correct processes decide differently
Termination: every correct process decides
Validity: if all correct processes propose the same value, then no other value can be decided
Each correct process invokes propose(v) with its value v∈{0,1} and decides the returned value such that:
![Page 29: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/29.jpg)
29
Safe DBFT [CGLR’17]est: local current estimate of the value to decide
r: local round number, initially 0
bin-values[]: array of binary values for all rounds
b, auxiliary binary value
valuesi, auxiliary set of values
The algorithm uses two message types EST[r]() used at round r to BV-bcast est. AUX[r]() used at round r to broadcast bin-values[r]
![Page 30: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/30.jpg)
30
Safe DBFT (con’t)BV-broadcast [JACM’15]
• BV-obligation: if t+1 correct BV-bcast v, then v is eventually added to the set bin-values of all correct processes
• BV-justification: if pi is correct and v in bin-valuesi, then v was BV-bcast by a correct process
• BV-uniformity: if v is added to bin-valuesi of correct pi, then eventually v will be in bin-valuesj for all correct pj
• BV-termination: eventually bin-values of correct pi is not empty
![Page 31: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/31.jpg)
31
Safe DBFT (con’t)est ← v r ← 0 while (true) { r ← r+1 BV-bcast EST[r](est) wait until (bin-values[r] ≠ ∅) bcast AUX[r](bin-values[r]) wait until (messages AUX[r](bvalp1), …, AUX[r](bvalp(n-t)) received from (n-t) distinct processes p(x), 1≤x≤n-t, and their content is such that: ∃ a non-empty set valuesi such that (i) valuesi in bin-values[r]i and (ii) valuesi = U b_valx b ← r mod 2 if (valuesi = {v}) { est ← v if (v=b) then decide(v) if not done yet } else { est ← b } }
![Page 32: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/32.jpg)
32
Safe DBFT (con’t)est ← v r ← 0 while (true) { r ← r+1 BV-bcast EST[r](est) wait until (bin-values[r] ≠ ∅) bcast AUX[r](bin-values[r]) wait until (messages AUX[r](bvalp1), …, AUX[r](bvalp(n-t)) received from (n-t) distinct processes p(x), 1≤x≤n-t, and their content is such that: ∃ a non-empty set valuesi such that (i) valuesi in bin-values[r]i and (ii) valuesi = U b_valx b ← r mod 2 if (valuesi = {v}) { est ← v if (v=b) then decide(v) if not done yet } else { est ← b } }
Filter out values proposed only by
Byzantine processes
![Page 33: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/33.jpg)
33
Safe DBFT (con’t)Lemma 1: If at the beginning of a round, all correct processes have the same estimate, they never change their estimate thereafter.
Proof sketch. Assume all correct have the same estimate v at round r. BV-Obligation and BV-Justification => bin_values[r] = {v}. Hence, at every correct we have values = {v}, so that est becomes v.
![Page 34: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/34.jpg)
34
Safe DBFT (con’t)Lemma 2: Let pi and pj be correct. If their values are singletons, they are the same.
Proof sketch. If a correct process has values = {v} then it received AUX[r]{v} from n-t distinct processes and t+1 correct. For two correct processes to have w and v as this singleton, it would mean they received these distinct values from n-t processes each. As (n-t)+(t+1) > n, one correct process must have sent the same value to both, and we have v=w.
![Page 35: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/35.jpg)
35
Safe DBFT (con’t)Theorem [Agreement]: No two correct processes decide different values.
Proof sketch. Let r be the 1st round where a correct process decides, hence values[r] = {v=r mod 2}. If another correct process decides w in the same round, then v=w by Lemma 2. Let pj be a correct that does not decide in round r. By Lemma 2, valuesj≠{w} so valuesj = {0,1}. Thus estj = v. All correct have thus the same estimate in round r+1, and stick to it (Lemma 1).
![Page 36: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/36.jpg)
36
Safe DBFT (con’t)BC, binary consensus instance
mv-propose() { // similar to [PODC'94] RB-bcast VAL(v) // reliable broadcast [Bra’87] repeat if (∃ k : proposals[k]≠⊥ ∧ BC[k].binpropose() not invoked) BC[k].binpropose(1) until(∃ l: bin-decisions[l]=1) for each k such that BC[k].binpropose() not invoked: BC[k].binpropose(0) wait until (∧1≤x≤n bin-decisions[x]≠⊥) j = min{x : bin-decisions[j] = 1} wait until proposals[j] ≠⊥ decide(∪
∀j:bin-decisions[j]=1proposals[j]) }
when val(v) is RB-delivered from pj do // reliable broadcast delivery if valid(v) then proposalsi[j] <- v; BV-deliver b-val[1](1) to BC[j]
when BC[k].binpropose() returns b do bin-decisions[k] <- b
![Page 37: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/37.jpg)
37
Safe DBFT (con’t)BC, binary consensus instance
mv-propose() { // similar to [PODC'94] RB-bcast VAL(v) // reliable broadcast [Bra’87] repeat if (∃ k : proposals[k]≠⊥ ∧ BC[k].binpropose() not invoked) BC[k].binpropose(1) until(∃ l: bin-decisions[l]=1) for each k such that BC[k].binpropose() not invoked: BC[k].binpropose(0) wait until (∧1≤x≤n bin-decisions[x]≠⊥) j = min{x : bin-decisions[j] = 1} wait until proposals[j] ≠⊥ decide(∪
∀j:bin-decisions[j]=1proposals[j]) }
when val(v) is RB-delivered from pj do // reliable broadcast delivery if valid(v) then proposalsi[j] <- v; BV-deliver b-val[1](1) to BC[j]
when BC[k].binpropose() returns b do bin-decisions[k] <- b
Spawn multiple binary cons. instances
Use binary decisions as a
bitmask
![Page 38: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/38.jpg)
Red Belly Blockchain
38
![Page 39: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/39.jpg)
The Red Belly Blockchain
39
All nodes communicate through TCP + SSL
Certificates are given in the genesis block
genesis
![Page 40: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/40.jpg)
The Red Belly Blockchain
40
The genesis block also contains a list of n participants
genesis
![Page 41: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/41.jpg)
A tx is committed if t+1 participants say so.
The Red Belly Blockchain
41
External nodes access the blockchain through these participants
![Page 42: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/42.jpg)
are regularly changed: n, n’, n’’… but t’<n’/3, t’’<n’’/3…
The Red Belly Blockchain
42
The n nodes running the consensus…
![Page 43: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/43.jpg)
The Red Belly Blockchain
43
And encoded in the next blockgenesis
if the correct n participants agree (consensus)
![Page 44: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/44.jpg)
How does it perform?
44
![Page 45: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/45.jpg)
45
Experimental Settings• Initiator sends a message to all to start
• Each node connects to each other through TLS
• 50 instances of consensus in which: Each node proposes a block of 10K txs Each tx is a 300-byte UTXO transaction Each node spawns n instances of RBbcast and BBC and quasi-validates each transaction (0.3msec) Once n-t decided values 1
![Page 46: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/46.jpg)
46
ScalabilityAmazon EC2, c4.4xlarge, 16vCPU, 30GiB mem, 2Gbps, t=6
Tran
sact
ions
per
sec
ond
0
125000
250000
375000
500000
Number of consensus participants
20 40 60 80 100
RBBC Visa Bitcoin
![Page 47: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/47.jpg)
47
Comparison with PBFT [CL02]
Late
ncy
(milli
seco
nd)
0
750
1500
2250
3000
Number of consensus participants
4 8 12 16 20 24 28 32
PBFT DBFT
Intel E5530 2.4GHz 8CPU, 1Gbps, t=1
![Page 48: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/48.jpg)
48
Comparison with PBFT [CL02]Intel E5530 2.4GHz 8CPU, 1Gbps, t=1
Spee
dup
over
RBB
C w
ith P
BFT
0
2.75
5.5
8.25
11
Number of consensus participants
4 8 12 16 20 24 28 32
![Page 49: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/49.jpg)
49
Number of FailuresIntel E5530 2.4GHz 8CPU, 1Gbps, n=32
Tran
sact
ions
per
sec
ond
0
27500
55000
82500
110000
Fault tolerance (t)
1 2 3 4 5 6 7 8 9 10
![Page 50: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/50.jpg)
50
Failures types
Tran
sact
ions
per
sec
ond
0
10000
20000
30000
40000
Byzantine behavior
mute flood flip
DBFT (10000 txs per block)
Intel E5530 2.4GHz 8CPU, 1Gbps, n=32, t=10
![Page 51: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/51.jpg)
51
DynamismByzantine fault tolerant reconfiguration to 7 nodes
Num
ber o
f mes
sage
s
0
650
1300
1950
2600
Initial number of consensus participants
3 4 5 6
![Page 52: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/52.jpg)
52
Conclusion• Blockchain systems provide guarantees not well-understood
• This may lead to dramatic anomalies (and then double-spending attack)
• We propose the Red Belly Blockchain
• Efficient: 400+ KTPS
• Scale to 90 server nodes
• Deterministic: with a new leaderless Byzantine consensus algorithm
• Dynamic: A membership reconfiguration
• The next steps is to deploy it and build applications on top
![Page 53: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/53.jpg)
References• [Nak’08] S. Nakamoto, “Bitcoin: a peer-to-peer electronic cash system,” 2008. http://
www.bitcoin.org
• [DSN’17] C. Natoli, V. Gramoli.
• [AlgoTel’17] T. Crain, V. Gramoli, M. Larrea, M. Raynal. Blockchain Consensus. May 2017.
• [CGLR’17] T. Crain, V. Gramoli, M. Larrea, M. Raynal. (Leader, randomization, signature)-tree Byzantine consensus for consortium blockchain. arXiv.
• [JACM’15] A. Mostefaoui, M. Raynal. Signature-Free Asynchronous Binary Byzantine Consensus with t < n/3, O(n2) Messages, and O(1) Expected Time. J. ACM 2015.
• [PODC’94] Asynchronous Secure Computations with Optimal Resilience. pp. 183-192. PODC 1994.
• [Bra’87] Bracha G., Asynchronous Byzantine agreement protocols. Information & Computation, 75(2):130-143, 1987.
• [CL’02] M. Castro and B. Liskov. Practical byzantine fault tolerance and proactive recovery, ACM Trans. Comput. Syst., vol. 20, no. 4, pp. 398– 461, 2002.
53
![Page 54: Red Belly Blockchain€¦ · P1 t1 t3 t2. Secure: transactions are signed with private ... G1= The Balance Attack (con’t) 18 Let an attacker issue t A in G1 and delay](https://reader033.vdocuments.site/reader033/viewer/2022043010/5fa09e3e191b9b2fe229f247/html5/thumbnails/54.jpg)
See you in Sydney
54