HashNET:BeyondBlockchainTechnology

JosipMaričević,Tolar.io

February2018.

2

OVERVIEW

The arrival of the blockchain technology introduced theworld of decentralization, therefore,

challengingourpreconceivedperspectivesofthecurrentsocial,political,andeconomicsystems,

mostnotably,thecentralbankingsystem.

Thistechnology,however,doeshaveseveralshortcomingsregardingperformance,easeofuse,

andservicequality.HashNETconsensususes"redundancyreducedgossip"and"virtualvoting"

protocolsbasedonadistributedcomputationandalgorithmsfromtheoreticalcomputerscience

whichprovidesafairandfast,byzantinefaulttolerantconsensusalgorithm.Itisanewconsensus

substituteplatforminspiredbytheinnovativedevelopmentofHashgraphmethodology,andis

designedtorunonanon-permissioned(public)networktherebyreachingalargercommunity.

INFORMATIONTRANSFERSOLUTION HashNET provides a novel solution to computational and communicational difficulties of

maintaininglarge-sizepublicdistributedledgers.Thekeyinnovationisourefficientasynchronous

distributedconsensusprotocolonanappropriatelydesigneddirectedacyclicnetworkstructure.

Ourconsensusprotocolbelongstoaclassofgossip-basedprotocols,whichprovideadvantages

over structure-based group communication algorithms as they can handle large group sizes,

sporadicsources,highuserchurns,andrandomnetworkfailures(forthedetailsofthetheoretical

support,see,e.g.,[1,2]).

To ensure history immutability through time, which is an important property for public

distributed ledgers, network nodes are connected using hash pointers ([3] provides an

introductorytechnicaldescription).Itiswellestablished(e.g.,[4,5])thataslongastheselected

hashfunctionissecure,alreadyagreeduponhistorycannotbechangedretroactively.

OneoftheprimarygoalsindesigningHashNETwasasignificantreductionofcomputationaland

3

communicationresourcesneededtooperateandmaintainthesystem.Withthisgoalinmind,

wedesignavariantofaRedundancyReducedGossip(RRG)protocolforinformationtransferon

appropriatelydesignednetwork.SuchRRGprotocolsachieveconsiderablylowertrafficloadthan

conventional push-based gossip protocols and conventional push-pull gossip protocols,while

maintainingthesameprobabilityofsuccessfuldelivery[6].

Figure1:Informationframefrompeer1arediffusedviagossipthatare3-phasemessageexchangesinonecycle:(a)

Phase1:Greeting,(b)Phase2:Response,(c)Phase3:Closure,and(d)Afterallphases;Fanout=2;Peer(s)shaded

blackisinfectedatthebeginningofthephase;Peer(s)shadedgreyisinfectedattheendofthephase;Peersshaded

whiteremainuninfectedattheendofthephase;Asolidlinereferstoamessagecontainingaframe;Adottedline

referstoanemptymessage.[6]

TrafficloadinFigure6ismeasuredintermsofaveragenumberofcopiesofaninformationframe

receivedbyeachpeer.Buteachmessagecontainsprotocolheaders,andtheresultingoverheads

forthetwocomparedprotocolsaredifferent.Whenn=100andtheaveragenumberofactive

peersis lessthan3,withc=2,theoverheadinRRGisaround20%oftotaltraffic.Mostofthe

overhead iscontributedbytheAPL,wheremembership information iscarriedandrequires6

bytes per peer. In the same settings, the overhead of the conventional push gossip and the

conventionalpush-pullgossiparearound40%oftotaltraffic.Mostoftheoverheadiscontributed

bythebuffer-map,whichisatleast12bytespergossipmessage.

Itisimportanttonotethatourprotocolgeneratesasmallernumberofmessagesthanthefully

connectedpeer-to-peeroverlayapproachinN-to-Ncommunication.Thenumberofmessagesin

4

ourprotocolisonlyaround24%thatofthefullyconnectedoverlayapproach.

Figure 2: Performance comparison of redundancy reduced gossip (RRG), the conventional push gossip and the

conventionalpush-pullgossip.[6]

COMPUTATIONALANDCOMMUNICATIONALEFFICIENCY WhileRRGandotherasynchronousdistributedconsensusprotocolsprovidecommunicational

and computational efficiencies, additional implementation improvements are necessary to

handle large fast growing systems. A direct implementation of such protocols could require

exchangingasmuchasO(n^3)messagesforreachingaconsensusonasinglebinaryoutcome

(e.g.,see[7]),whichwouldmakethemnotpracticalandunsustainableforsystemswherethe

numberofnodes,n,islarge.Thus,itisimperativetoimplementtheconsensusprotocolinaway

thatminimizescommunicationalloadduetoinformationtransferamongnodes.

However,weleveragethefactthateverynodehasasufficientinformationontheentireHashNET

structure,includinginformationabouteventsandtheirpropagationthroughthenetwork.We

usethisinformationtocomputecontentofthevastmajorityofmessagesrequiredbyourRRG

5

protocol, thereby eliminating the need for sending them and, consequently, significantly

reducing communication requirements. (A somewhat similar approach towards reducing

communicationrequirementsinanimplementationofadifferentconsensusprotocolhasbeen

proposedin[8].Unlikeoursystem,acriticalrequirementin[8]isthatthenumberofnodesis

constantandmustremainfixedconstantthroughout.)

Animportantprerequisiteforanefficientcomputationofconsensusisthatthetotalnumberof

nodes(“voters”)needstobeknown.Thisprovidesaninherentdifficultyforanimplementation

involvingpublicledger,asthenumberofnodescanvarygreatly.Weovercomethisdifficultyby

assigningtoeverynodethevoteweightthatisequaltotheirstakeatagivenpointoftime.Since,

atanygivenpointoftime,thecurrentsupplyofcoinsinthenetworkisknownandfixed,this

approachensuresproperconsensuscomputations.Thus,byassigningnodeweighttobeitsstake

innetwork,weachievetheabilitytocalculatevotesinsteadofwaitingforand/orsendingactual

votesoverthenetwork.AstheprotocolprovidesaProof-of-Stakeblockchaindiscipline,itoffers

qualitativeefficiency advantagesoverblockchainsbasedonproofofphysical resources (e.g.,

proofofwork).

6

Figure3:IllustrationofHashNETvotingweightandstakechangesthroughthevotingroundsasaresultoftransaction

events.DonotethatineachroundsometransactionshappenthattransferTolarsfromoneparticipanttoanother,

howevertotalvoteweightthroughthenetworkstaysthesameineachround,enablingustohavevirtualvoting

withoutknowingthenumberofnodesinadvance.

Furthermore,withsuchweightassignmenttonodes, incentivesareperfectlyalignedwiththe

stakes,suggestingreducedstrategyspaceforobstructiveandmaliciousbehavior.Indeed,itcan

beshownthattherewardmechanismforincentivizingProof-of-Stakecanbeconstructedinsuch

awaythattruthfulbehaviorisanapproximateNashequilibrium,thusneutralizingselfish-mining

attacks(see,e.g.,[9,10,11]).

REPUTATIONBASEDSYSTEM InadditiontotheProof-of-Stakebaseddiscipline,areputationbasedsystemisintroducedasan

additionalcontrolandverificationmechanism.Thisallowsustomeasure‘severity’ofnetwork

7

protocol violations: some violations could simply be a consequence of sporadic unfortunate

networkconditions(smallnegativeimpactonreputation),whileotherscouldbeattributedtoa

specificmalicious intent (largenegative impacton reputation). Similarly, fornodeswhichare

consistently“fault-free”,i.e.,consistentlycommunicatecorrectinformationandlocallycompute

consensus correctly, a positive reputation is slowly built-up over time. All nodes whose

reputationfallsbehindacertainnegativereputationthresholdarebannedfromthenetworkfor

theamountoftimedecidedbyanexponentialbackoffalgorithm.(Suchreputationbasedsystems

havealreadybeenprovenusefulforself-regulatinginmanyP2Papplications[12].)

Informationaboutnodereputationisrealizedaspartofeventsdistributionalgorithms.

Thereputationscoreiscomputediterativelyandcumulativelyandinvolvesbothpatternanalysis

forabehaviorovertimeofasinglenode,aswellasrandomizedverificationchecks.

ACHIEVINGCONSENSUS Potentially faulty or malicious nodes provide an additional challenge of implementing a

consensus protocol in an asynchronous environment. In fact, it is well-known that it is

theoretically impossible for any deterministic protocol to reach an agreement in such

environments[16].Thus,ourimplementationresortstoaclassofso-callediterativerandomized

approximate consensus algorithms. The goal is to allow fault-free nodes to agree on values,

overcomingtheobstacleposedby(possiblyincorrectorunreliable)informationdisseminatedby

faultynodes.

Theoretically,themostchallengingcaseareleader-basedconsensusalgorithms,whichrelyona

smallnumberofnodes thatcannotbe faulty (e.g., suchas [8]). Suchprotocolsareprone to

failureandusuallyexhibitseveralunresolvedissuesinthecaseofamaliciousnodebecominga

leader[13].Incontrast,fullydistributedprotocols(inwhicheverynodeinthenetworkcouldbe

decisiveandinwhichnonodeisalwaysdecisive)allowfordesignofalgorithmsthatovercome

8

faultynodesaslongasfault-freenodesformasupermajorityatanypointoftime.Moreprecisely,

the approximate consensus algorithm can be constructed even on fully connected graphs

providedthatthetotalnumberofnodesn>3f,wherefisthenumberoffaultynodes[17].Our

implementationleveragesthisresult:ifaconsensusisnotreachedafteranumberofroundsof

ourRRGprotocol,weinitiateasequenceof“randomrounds”.Inarandomround,anynon-faulty

nodeswillchosetheirvotesatrandom,andwillhaveanon-zeroprobabilityofallchoosingthe

samevote.Therandomizationissuchthatguaranteesthecorrectagreementamongnon-faulty

nodes with high probability. Thus, implementing a small number of random rounds results

ensures convergence to consensus (i.e., the probability of failure is converging to zero at an

exponential rate). Finally, we note that randomization does not need to pose a significant

computationalburdenandcanbemanipulation-free,asbitsprovidedbyeventhash(thatneed

tobecomputedanyway)canbeusedasasourceofpseudorandomdata[18].

HASHNETUTXOSTORAGEREQUIREMENTS InadditiontoaforementionedspeedperformanceguaranteesmadepossiblebyHashNETdesign,

wearealsoabletoguaranteeimprovementsintheglobaldatastoragesize.Specifically,HashNET

datastorageisdesignedbygeneralizingtheapproachlaidoutinMimbleWimblewhitepaper[14].

Themain benefit of this approach is that itmanages to simultaneously handle security and

versatility.

We utilize concepts such as Confidential Transactions and "One-Way Aggregate Signatures"

(OWAS),whichareshowntoprovideprivateexchangesandbetteradaptability.Themainidea

behindOWASisthatwhentheoutputsarecreatedanddestroyed,itisthesameastheynever

existed.Consequently,toapprovetheentirechain,aclientonlyneedstoknowwhencoinswere

inputted into the framework and what are last unspent yields.We then utilize Confidential

Transactions to conceal the sums andOWAS, thereby obscuring the exchange diagram. This

approach utilizes less space than, e.g., Bitcoin to enable clients to verify the blockchain. For

instance,theBitcoinblockchainiscurrentlyabout160GBinsize,whileHashNETwouldrequirea

smallfractionofthatamountforthesameamountoftransactions,thusallowingeventoday's

9

standardsmartphonestoactasnodes.

Inourapproach(similartoMimbleWimble),thebeneficiaryoftransactioncreatestheblinding

elementwhichisutilizedtodemonstrateresponsibilityforcoins.Thisisdonethroughthe"excess

value",whichisthecontrastbetweentheinformationsourcesandyields.Thisoverabundance

esteem is an arrangement of arbitrary numbers that guarantee that only the individualwho

created the blinding factor (the collector/receiver) can spend the coins. Thus, the blinding

variablesdon'tindicatezeroanylonger,butinsteadanothernumber,resemblingaprivatekey.

The important feature of our approach is that it is not interactive, which in turn creates

efficienciesbyeliminatingtheneedforstoringanyredundantinformationonhistoryofindividual

transactions.Ratherthancontainingcompletehistoryofalltransactions,theblocks(analogous

toMimbleWimble)onlyhavealistofnewinputs,alistofnewoutputs,andalistofsignatures

which are created from the aforementioned excess value (Note that the latter list provides

sufficientrecordofallhistoricaltransactions).

In summary, generalizing, adapting and implementingMimbleWimble approach for use on a

HashNETprovidesachainformatthathasexcellentscalability,privacyandfungibilityproperties.

DEMOCRATICUSER-GOVERNEDSYSTEM OneofthecentralfeaturesofHashNETdesignisademocraticgovernancesystemwhichallows

forinvolvementtheentirecommunityandisopentoeveryone.

Specifically,anynodeinHashNETnetworkcanproposetenders,andthenMagnusConsilium

decidesandvotesoneachsuchproposal.MagnusConsiliumiscomprisedofallthe

masternodeswithpositivereputationinHashNET.Votingisdecidedbysimplemajority.

Nextweprovideexamplesofeligibletenders:

• socialimpact

• distributedgovernance

10

• contribution

• outreach

• extensiveness

FUTUREOFHASHNET

Decentralizedapplications Oncedesiredthroughputisachieved,EthereumVirtualMachine(EVM)willbedeployedontop

ofnetwork.TheEVMisavirtualmachinespecificallydesignedtorununtrustedcodeonanetwork

ofcomputers.EverytransactionappliedtotheEVMmodifiestheStatewhich ispersisted ina

MerklePatriciatree.Thisdatastructureallowstosimplycheckifagiventransactionwasactually

appliedtotheVMandcanreducetheentireStatetoasinglehash(merkleroot)ratheranalogous

toafingerprint.

TheEVM ismeantbeused in conjunctionwitha systemthatbroadcasts transactionsaccross

network participants and ensures that everyone executes the same transactions in the same

order.EthereumusesaBlockchainandaProofofWorkconsensusalgorithm.Here,wewilluse

HashNET.

ThecombinationofEVMandHashNETmakes fora fastandsecuredecentralizedapplications

platform.

Quantumresistance The elliptic curve signature scheme used by Bitcoin is well-known to be broken by Shor’s

algorithm [17] for computing discrete logarithms. That's why in the next 5 years it will be

imperativetoswitchtoalternativesignatureschemesthatarebelievedtobequantumsafe.Exact

schemethatwillbeimplementedinHashNETisstillbeingdecidedon.

11

12

REFERENCES [1]JelasityM.,MontresorA.andBabaogluO.2005.Gossip-basedaggregationinlargedynamic

networks.ACMTrans.Comput.Syst.23,3(August2005),219-252.

DOI=http://dx.doi.org/10.1145/1082469.1082470

[2]AllavenaA.,DemersA.,andHopcroftJ.2005.Correctnessofagossipbasedmembership

protocol.InProceedingsofthetwenty-fourthannualACMsymposiumonPrinciplesof

distributedcomputing(PODC'05).ACM,NewYork,NY,USA,292-301.

DOI:https://doi.org/10.1145/1073814.1073871

[3]Hashpointersanddatastructures,http://learningspot.altervista.org/hash-pointers-and-

data-structures/,retrieved23.03.2018.

[4]RogawayP.,ShrimptonT.(2004)CryptographicHash-FunctionBasics:Definitions,

Implications,andSeparationsforPreimageResistance,Second-PreimageResistance,and

CollisionResistance.In:RoyB.,MeierW.(eds)FastSoftwareEncryption.FSE2004.Lecture

NotesinComputerScience,vol3017.Springer,Berlin,Heidelberg

[5]CoronJS.,DodisY.,MalinaudC.,PuniyaP.(2005)Merkle-DamgårdRevisited:Howto

ConstructaHashFunction.In:ShoupV.(eds)AdvancesinCryptology–CRYPTO2005.CRYPTO

2005.LectureNotesinComputerScience,vol3621.Springer,Berlin,Heidelberg

[6]Wing-HeiLukV.,Kai-SunWongA.,Chin-TauLea,WentaoOuyangR.,RRG:redundancy

reducedgossipprotocolforreal-timeN-to-Ndynamicgroupcommunication,Journalof

InternetServicesandApplications20134:14

[7]CorreiaM.M.,VeroneseG.S.,NevesN.F.,andVerissimoP.Byzantineconsensusin

asynchronousmessage-passingsystems:asurvey.InternationalJournalofCriticalComputer-

13

BasedSystems,2(2):141–161,2011.

[8]LeemonB.TheSwirldsHashgraphConsensusAlgorithm:Fair,Fast,ByzantineFault

Tolerance,SWIRLDSTECHREPORTSWIRLDS-TR-2016-01,2016.

[9]PPCoin:Peer-to-PeerCrypto-CurrencywithProof-of-

Stake,https://pdfs.semanticscholar.org/0db3/8d32069f3341d34c35085dc009a85ba13c13.pdf

[10]BentovI.,GabizonA.,MizrahiA.:Cryptocurrencieswithoutproofofwork.CoRR,

abs/1406.5694(2014)

[11]KiayiasA.,RussellA.,DavidB.,OliynykovR.(2017)Ouroboros:AProvablySecureProof-of-

StakeBlockchainProtocol.In:KatzJ.,ShachamH.(eds)AdvancesinCryptology–CRYPTO2017.

CRYPTO2017.LectureNotesinComputerScience,vol10401.Springer,Cham

[12]DamianiE.,DeCapitanidiVimercati,ParaboschiS.,SamaratiP.,andViolanteF.2002.A

reputation-basedapproachforchoosingreliableresourcesinpeer-to-peernetworks.In

Proceedingsofthe9thACMconferenceonComputerandcommunicationssecurity(CCS'02),

VijayAtluri(Ed.).ACM,NewYork,NY,USA,207-216.

DOI=http://dx.doi.org/10.1145/586110.586138

[13]CachinC.,VukolićM.,BlockchainConsensusProtocolsinthe

Wild,https://arxiv.org/abs/1707.01873v2

[14]TomElvisJedusor,MimbleWimble,July

2016,https://download.wpsoftware.net/bitcoin/wizardry/mimblewimble.txt

[15]MoutonY.H.,IncreasingAnonymityinBitcoin,retrievedon

18.02.2018.https://download.wpsoftware.net/bitcoin/wizardry/horasyuanmouton-owas.pdf

[16]FischerM.J.,LynchN.A.,andPatersonM.S.Impossibilityofdistributedconsensuswith

onefaultyprocess.JournaloftheACM,32(2):374–382,Apr.1985.

[17]ShorP.W.Polynomial-TimeAlgorithmsforPrimeFactorizationandDiscreteLogarithmson

aQuantumComputer.SIAMReview,41(2):303–332,jan1999.