Upload
doantuong
View
218
Download
0
Embed Size (px)
Citation preview
2
OVERVIEW
The arrival of the blockchain technology introduced theworld of decentralization, therefore,
challengingourpreconceivedperspectivesofthecurrentsocial,political,andeconomicsystems,
mostnotably,thecentralbankingsystem.
Thistechnology,however,doeshaveseveralshortcomingsregardingperformance,easeofuse,
andservicequality.HashNETconsensususes"redundancyreducedgossip"and"virtualvoting"
protocolsbasedonadistributedcomputationandalgorithmsfromtheoreticalcomputerscience
whichprovidesafairandfast,byzantinefaulttolerantconsensusalgorithm.Itisanewconsensus
substituteplatforminspiredbytheinnovativedevelopmentofHashgraphmethodology,andis
designedtorunonanon-permissioned(public)networktherebyreachingalargercommunity.
INFORMATIONTRANSFERSOLUTION HashNET provides a novel solution to computational and communicational difficulties of
maintaininglarge-sizepublicdistributedledgers.Thekeyinnovationisourefficientasynchronous
distributedconsensusprotocolonanappropriatelydesigneddirectedacyclicnetworkstructure.
Ourconsensusprotocolbelongstoaclassofgossip-basedprotocols,whichprovideadvantages
over structure-based group communication algorithms as they can handle large group sizes,
sporadicsources,highuserchurns,andrandomnetworkfailures(forthedetailsofthetheoretical
support,see,e.g.,[1,2]).
To ensure history immutability through time, which is an important property for public
distributed ledgers, network nodes are connected using hash pointers ([3] provides an
introductorytechnicaldescription).Itiswellestablished(e.g.,[4,5])thataslongastheselected
hashfunctionissecure,alreadyagreeduponhistorycannotbechangedretroactively.
OneoftheprimarygoalsindesigningHashNETwasasignificantreductionofcomputationaland
3
communicationresourcesneededtooperateandmaintainthesystem.Withthisgoalinmind,
wedesignavariantofaRedundancyReducedGossip(RRG)protocolforinformationtransferon
appropriatelydesignednetwork.SuchRRGprotocolsachieveconsiderablylowertrafficloadthan
conventional push-based gossip protocols and conventional push-pull gossip protocols,while
maintainingthesameprobabilityofsuccessfuldelivery[6].
Figure1:Informationframefrompeer1arediffusedviagossipthatare3-phasemessageexchangesinonecycle:(a)
Phase1:Greeting,(b)Phase2:Response,(c)Phase3:Closure,and(d)Afterallphases;Fanout=2;Peer(s)shaded
blackisinfectedatthebeginningofthephase;Peer(s)shadedgreyisinfectedattheendofthephase;Peersshaded
whiteremainuninfectedattheendofthephase;Asolidlinereferstoamessagecontainingaframe;Adottedline
referstoanemptymessage.[6]
TrafficloadinFigure6ismeasuredintermsofaveragenumberofcopiesofaninformationframe
receivedbyeachpeer.Buteachmessagecontainsprotocolheaders,andtheresultingoverheads
forthetwocomparedprotocolsaredifferent.Whenn=100andtheaveragenumberofactive
peersis lessthan3,withc=2,theoverheadinRRGisaround20%oftotaltraffic.Mostofthe
overhead iscontributedbytheAPL,wheremembership information iscarriedandrequires6
bytes per peer. In the same settings, the overhead of the conventional push gossip and the
conventionalpush-pullgossiparearound40%oftotaltraffic.Mostoftheoverheadiscontributed
bythebuffer-map,whichisatleast12bytespergossipmessage.
Itisimportanttonotethatourprotocolgeneratesasmallernumberofmessagesthanthefully
connectedpeer-to-peeroverlayapproachinN-to-Ncommunication.Thenumberofmessagesin
4
ourprotocolisonlyaround24%thatofthefullyconnectedoverlayapproach.
Figure 2: Performance comparison of redundancy reduced gossip (RRG), the conventional push gossip and the
conventionalpush-pullgossip.[6]
COMPUTATIONALANDCOMMUNICATIONALEFFICIENCY WhileRRGandotherasynchronousdistributedconsensusprotocolsprovidecommunicational
and computational efficiencies, additional implementation improvements are necessary to
handle large fast growing systems. A direct implementation of such protocols could require
exchangingasmuchasO(n^3)messagesforreachingaconsensusonasinglebinaryoutcome
(e.g.,see[7]),whichwouldmakethemnotpracticalandunsustainableforsystemswherethe
numberofnodes,n,islarge.Thus,itisimperativetoimplementtheconsensusprotocolinaway
thatminimizescommunicationalloadduetoinformationtransferamongnodes.
However,weleveragethefactthateverynodehasasufficientinformationontheentireHashNET
structure,includinginformationabouteventsandtheirpropagationthroughthenetwork.We
usethisinformationtocomputecontentofthevastmajorityofmessagesrequiredbyourRRG
5
protocol, thereby eliminating the need for sending them and, consequently, significantly
reducing communication requirements. (A somewhat similar approach towards reducing
communicationrequirementsinanimplementationofadifferentconsensusprotocolhasbeen
proposedin[8].Unlikeoursystem,acriticalrequirementin[8]isthatthenumberofnodesis
constantandmustremainfixedconstantthroughout.)
Animportantprerequisiteforanefficientcomputationofconsensusisthatthetotalnumberof
nodes(“voters”)needstobeknown.Thisprovidesaninherentdifficultyforanimplementation
involvingpublicledger,asthenumberofnodescanvarygreatly.Weovercomethisdifficultyby
assigningtoeverynodethevoteweightthatisequaltotheirstakeatagivenpointoftime.Since,
atanygivenpointoftime,thecurrentsupplyofcoinsinthenetworkisknownandfixed,this
approachensuresproperconsensuscomputations.Thus,byassigningnodeweighttobeitsstake
innetwork,weachievetheabilitytocalculatevotesinsteadofwaitingforand/orsendingactual
votesoverthenetwork.AstheprotocolprovidesaProof-of-Stakeblockchaindiscipline,itoffers
qualitativeefficiency advantagesoverblockchainsbasedonproofofphysical resources (e.g.,
proofofwork).
6
Figure3:IllustrationofHashNETvotingweightandstakechangesthroughthevotingroundsasaresultoftransaction
events.DonotethatineachroundsometransactionshappenthattransferTolarsfromoneparticipanttoanother,
howevertotalvoteweightthroughthenetworkstaysthesameineachround,enablingustohavevirtualvoting
withoutknowingthenumberofnodesinadvance.
Furthermore,withsuchweightassignmenttonodes, incentivesareperfectlyalignedwiththe
stakes,suggestingreducedstrategyspaceforobstructiveandmaliciousbehavior.Indeed,itcan
beshownthattherewardmechanismforincentivizingProof-of-Stakecanbeconstructedinsuch
awaythattruthfulbehaviorisanapproximateNashequilibrium,thusneutralizingselfish-mining
attacks(see,e.g.,[9,10,11]).
REPUTATIONBASEDSYSTEM InadditiontotheProof-of-Stakebaseddiscipline,areputationbasedsystemisintroducedasan
additionalcontrolandverificationmechanism.Thisallowsustomeasure‘severity’ofnetwork
7
protocol violations: some violations could simply be a consequence of sporadic unfortunate
networkconditions(smallnegativeimpactonreputation),whileotherscouldbeattributedtoa
specificmalicious intent (largenegative impacton reputation). Similarly, fornodeswhichare
consistently“fault-free”,i.e.,consistentlycommunicatecorrectinformationandlocallycompute
consensus correctly, a positive reputation is slowly built-up over time. All nodes whose
reputationfallsbehindacertainnegativereputationthresholdarebannedfromthenetworkfor
theamountoftimedecidedbyanexponentialbackoffalgorithm.(Suchreputationbasedsystems
havealreadybeenprovenusefulforself-regulatinginmanyP2Papplications[12].)
Informationaboutnodereputationisrealizedaspartofeventsdistributionalgorithms.
Thereputationscoreiscomputediterativelyandcumulativelyandinvolvesbothpatternanalysis
forabehaviorovertimeofasinglenode,aswellasrandomizedverificationchecks.
ACHIEVINGCONSENSUS Potentially faulty or malicious nodes provide an additional challenge of implementing a
consensus protocol in an asynchronous environment. In fact, it is well-known that it is
theoretically impossible for any deterministic protocol to reach an agreement in such
environments[16].Thus,ourimplementationresortstoaclassofso-callediterativerandomized
approximate consensus algorithms. The goal is to allow fault-free nodes to agree on values,
overcomingtheobstacleposedby(possiblyincorrectorunreliable)informationdisseminatedby
faultynodes.
Theoretically,themostchallengingcaseareleader-basedconsensusalgorithms,whichrelyona
smallnumberofnodes thatcannotbe faulty (e.g., suchas [8]). Suchprotocolsareprone to
failureandusuallyexhibitseveralunresolvedissuesinthecaseofamaliciousnodebecominga
leader[13].Incontrast,fullydistributedprotocols(inwhicheverynodeinthenetworkcouldbe
decisiveandinwhichnonodeisalwaysdecisive)allowfordesignofalgorithmsthatovercome
8
faultynodesaslongasfault-freenodesformasupermajorityatanypointoftime.Moreprecisely,
the approximate consensus algorithm can be constructed even on fully connected graphs
providedthatthetotalnumberofnodesn>3f,wherefisthenumberoffaultynodes[17].Our
implementationleveragesthisresult:ifaconsensusisnotreachedafteranumberofroundsof
ourRRGprotocol,weinitiateasequenceof“randomrounds”.Inarandomround,anynon-faulty
nodeswillchosetheirvotesatrandom,andwillhaveanon-zeroprobabilityofallchoosingthe
samevote.Therandomizationissuchthatguaranteesthecorrectagreementamongnon-faulty
nodes with high probability. Thus, implementing a small number of random rounds results
ensures convergence to consensus (i.e., the probability of failure is converging to zero at an
exponential rate). Finally, we note that randomization does not need to pose a significant
computationalburdenandcanbemanipulation-free,asbitsprovidedbyeventhash(thatneed
tobecomputedanyway)canbeusedasasourceofpseudorandomdata[18].
HASHNETUTXOSTORAGEREQUIREMENTS InadditiontoaforementionedspeedperformanceguaranteesmadepossiblebyHashNETdesign,
wearealsoabletoguaranteeimprovementsintheglobaldatastoragesize.Specifically,HashNET
datastorageisdesignedbygeneralizingtheapproachlaidoutinMimbleWimblewhitepaper[14].
Themain benefit of this approach is that itmanages to simultaneously handle security and
versatility.
We utilize concepts such as Confidential Transactions and "One-Way Aggregate Signatures"
(OWAS),whichareshowntoprovideprivateexchangesandbetteradaptability.Themainidea
behindOWASisthatwhentheoutputsarecreatedanddestroyed,itisthesameastheynever
existed.Consequently,toapprovetheentirechain,aclientonlyneedstoknowwhencoinswere
inputted into the framework and what are last unspent yields.We then utilize Confidential
Transactions to conceal the sums andOWAS, thereby obscuring the exchange diagram. This
approach utilizes less space than, e.g., Bitcoin to enable clients to verify the blockchain. For
instance,theBitcoinblockchainiscurrentlyabout160GBinsize,whileHashNETwouldrequirea
smallfractionofthatamountforthesameamountoftransactions,thusallowingeventoday's
9
standardsmartphonestoactasnodes.
Inourapproach(similartoMimbleWimble),thebeneficiaryoftransactioncreatestheblinding
elementwhichisutilizedtodemonstrateresponsibilityforcoins.Thisisdonethroughthe"excess
value",whichisthecontrastbetweentheinformationsourcesandyields.Thisoverabundance
esteem is an arrangement of arbitrary numbers that guarantee that only the individualwho
created the blinding factor (the collector/receiver) can spend the coins. Thus, the blinding
variablesdon'tindicatezeroanylonger,butinsteadanothernumber,resemblingaprivatekey.
The important feature of our approach is that it is not interactive, which in turn creates
efficienciesbyeliminatingtheneedforstoringanyredundantinformationonhistoryofindividual
transactions.Ratherthancontainingcompletehistoryofalltransactions,theblocks(analogous
toMimbleWimble)onlyhavealistofnewinputs,alistofnewoutputs,andalistofsignatures
which are created from the aforementioned excess value (Note that the latter list provides
sufficientrecordofallhistoricaltransactions).
In summary, generalizing, adapting and implementingMimbleWimble approach for use on a
HashNETprovidesachainformatthathasexcellentscalability,privacyandfungibilityproperties.
DEMOCRATICUSER-GOVERNEDSYSTEM OneofthecentralfeaturesofHashNETdesignisademocraticgovernancesystemwhichallows
forinvolvementtheentirecommunityandisopentoeveryone.
Specifically,anynodeinHashNETnetworkcanproposetenders,andthenMagnusConsilium
decidesandvotesoneachsuchproposal.MagnusConsiliumiscomprisedofallthe
masternodeswithpositivereputationinHashNET.Votingisdecidedbysimplemajority.
Nextweprovideexamplesofeligibletenders:
• socialimpact
• distributedgovernance
10
• contribution
• outreach
• extensiveness
FUTUREOFHASHNET
Decentralizedapplications Oncedesiredthroughputisachieved,EthereumVirtualMachine(EVM)willbedeployedontop
ofnetwork.TheEVMisavirtualmachinespecificallydesignedtorununtrustedcodeonanetwork
ofcomputers.EverytransactionappliedtotheEVMmodifiestheStatewhich ispersisted ina
MerklePatriciatree.Thisdatastructureallowstosimplycheckifagiventransactionwasactually
appliedtotheVMandcanreducetheentireStatetoasinglehash(merkleroot)ratheranalogous
toafingerprint.
TheEVM ismeantbeused in conjunctionwitha systemthatbroadcasts transactionsaccross
network participants and ensures that everyone executes the same transactions in the same
order.EthereumusesaBlockchainandaProofofWorkconsensusalgorithm.Here,wewilluse
HashNET.
ThecombinationofEVMandHashNETmakes fora fastandsecuredecentralizedapplications
platform.
Quantumresistance The elliptic curve signature scheme used by Bitcoin is well-known to be broken by Shor’s
algorithm [17] for computing discrete logarithms. That's why in the next 5 years it will be
imperativetoswitchtoalternativesignatureschemesthatarebelievedtobequantumsafe.Exact
schemethatwillbeimplementedinHashNETisstillbeingdecidedon.
12
REFERENCES [1]JelasityM.,MontresorA.andBabaogluO.2005.Gossip-basedaggregationinlargedynamic
networks.ACMTrans.Comput.Syst.23,3(August2005),219-252.
DOI=http://dx.doi.org/10.1145/1082469.1082470
[2]AllavenaA.,DemersA.,andHopcroftJ.2005.Correctnessofagossipbasedmembership
protocol.InProceedingsofthetwenty-fourthannualACMsymposiumonPrinciplesof
distributedcomputing(PODC'05).ACM,NewYork,NY,USA,292-301.
DOI:https://doi.org/10.1145/1073814.1073871
[3]Hashpointersanddatastructures,http://learningspot.altervista.org/hash-pointers-and-
data-structures/,retrieved23.03.2018.
[4]RogawayP.,ShrimptonT.(2004)CryptographicHash-FunctionBasics:Definitions,
Implications,andSeparationsforPreimageResistance,Second-PreimageResistance,and
CollisionResistance.In:RoyB.,MeierW.(eds)FastSoftwareEncryption.FSE2004.Lecture
NotesinComputerScience,vol3017.Springer,Berlin,Heidelberg
[5]CoronJS.,DodisY.,MalinaudC.,PuniyaP.(2005)Merkle-DamgårdRevisited:Howto
ConstructaHashFunction.In:ShoupV.(eds)AdvancesinCryptology–CRYPTO2005.CRYPTO
2005.LectureNotesinComputerScience,vol3621.Springer,Berlin,Heidelberg
[6]Wing-HeiLukV.,Kai-SunWongA.,Chin-TauLea,WentaoOuyangR.,RRG:redundancy
reducedgossipprotocolforreal-timeN-to-Ndynamicgroupcommunication,Journalof
InternetServicesandApplications20134:14
[7]CorreiaM.M.,VeroneseG.S.,NevesN.F.,andVerissimoP.Byzantineconsensusin
asynchronousmessage-passingsystems:asurvey.InternationalJournalofCriticalComputer-
13
BasedSystems,2(2):141–161,2011.
[8]LeemonB.TheSwirldsHashgraphConsensusAlgorithm:Fair,Fast,ByzantineFault
Tolerance,SWIRLDSTECHREPORTSWIRLDS-TR-2016-01,2016.
[9]PPCoin:Peer-to-PeerCrypto-CurrencywithProof-of-
Stake,https://pdfs.semanticscholar.org/0db3/8d32069f3341d34c35085dc009a85ba13c13.pdf
[10]BentovI.,GabizonA.,MizrahiA.:Cryptocurrencieswithoutproofofwork.CoRR,
abs/1406.5694(2014)
[11]KiayiasA.,RussellA.,DavidB.,OliynykovR.(2017)Ouroboros:AProvablySecureProof-of-
StakeBlockchainProtocol.In:KatzJ.,ShachamH.(eds)AdvancesinCryptology–CRYPTO2017.
CRYPTO2017.LectureNotesinComputerScience,vol10401.Springer,Cham
[12]DamianiE.,DeCapitanidiVimercati,ParaboschiS.,SamaratiP.,andViolanteF.2002.A
reputation-basedapproachforchoosingreliableresourcesinpeer-to-peernetworks.In
Proceedingsofthe9thACMconferenceonComputerandcommunicationssecurity(CCS'02),
VijayAtluri(Ed.).ACM,NewYork,NY,USA,207-216.
DOI=http://dx.doi.org/10.1145/586110.586138
[13]CachinC.,VukolićM.,BlockchainConsensusProtocolsinthe
Wild,https://arxiv.org/abs/1707.01873v2
[14]TomElvisJedusor,MimbleWimble,July
2016,https://download.wpsoftware.net/bitcoin/wizardry/mimblewimble.txt
[15]MoutonY.H.,IncreasingAnonymityinBitcoin,retrievedon
18.02.2018.https://download.wpsoftware.net/bitcoin/wizardry/horasyuanmouton-owas.pdf
[16]FischerM.J.,LynchN.A.,andPatersonM.S.Impossibilityofdistributedconsensuswith
onefaultyprocess.JournaloftheACM,32(2):374–382,Apr.1985.
[17]ShorP.W.Polynomial-TimeAlgorithmsforPrimeFactorizationandDiscreteLogarithmson
aQuantumComputer.SIAMReview,41(2):303–332,jan1999.