Abstract
Longest-chain blockchain protocols, such as Bitcoin, guarantee liveness even when the number of actively participating users is variable, i.e., they are adaptive. However, they are not safe under network partitions, i.e., they do not guarantee finality. On the other hand, classical blockchain protocols, like PBFT, achieve finality but not adaptivity. Indeed, the CAP theorem in the context of blockchains asserts that no protocol can simultaneously offer both adaptivity and finality. We propose a new blockchain protocol, called the checkpointed longest chain, that offers individual users the choice between finality and adaptivity instead of imposing it at a system-wide level. This protocol’s salient feature is that it supports two distinct confirmation rules: one that guarantees adaptivity and the other finality. The more optimistic adaptive rule always confirms blocks that are marked as finalized by the more conservative rule, and may possibly confirm more blocks during variable participation levels. Clients (users) make a local choice between the confirmation rules as per their personal preference, while miners follow a fixed block proposal rule that is consistent with both confirmation rules. The proposed protocol has the additional benefit of intrinsic validity: the finalized blocks always lie on a single blockchain, and therefore miners can attest to the validity of transactions while proposing blocks. Our protocol builds on the notion of a finality gadget, a popular technique for adding finality to longest-chain protocols.
S. Sankagiri and X. Wang—Equal contribution.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Bagaria, V., Kannan, S., Tse, D., Fanti, G., Viswanath, P.: Prism: deconstructing the blockchain to approach physical limits. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 585–602 (2019)
Buterin, V., Griffith, V.: Casper the friendly finality gadget. ar**v preprint ar**v:1710.09437 (2017)
Buterin, V., et al.: Combining GHOST and Casper. ar**v preprint ar**v:2003.03052 (2020)
Castro, M., Liskov, B.: Practical byzantine fault tolerance. In: Proceedings of the Third Symposium on Operating Systems Design and Implementation, OSDI 1999, USA, pp. 173–186. USENIX Association (1999)
Chan, B.Y., Shi, E.: Streamlet: textbook streamlined blockchains. IACR Cryptol. ePrint Arch. 2020, 88 (2020)
Chen, J., Gorbunov, S., Micali, S., Vlachos, G.: Algorand agreement: super fast and partition resilient byzantine agreement. IACR Cryptol. ePrint Arch. 2018, 377 (2018)
Chen, J., Micali, S.: Algorand. ar**v preprint ar**v:1607.01341 (2016)
Daian, P., Pass, R., Shi, E.: Snow White: robustly reconfigurable consensus and applications to provably secure proof of stake. In: Goldberg, I., Moore, T. (eds.) FC 2019. LNCS, vol. 11598, pp. 23–41. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32101-7_2
Dembo, A., et al.: Everything is a race and Nakamoto always wins. ar**v preprint ar**v:2005.10484 (2020). To appear in CCS 2020
Dinsdale-Young, T., Magri, B., Matt, C., Nielsen, J.B., Tschudi, D.: Afgjort: a partially synchronous finality layer for blockchains. In: Security and Cryptography for Networks (SCN) (2020)
Fitzi, M., Gazi, P., Kiayias, A., Russell, A.: Parallel chains: improving throughput and latency of blockchain protocols via parallel composition. IACR Cryptol. ePrint Arch. 2018, 1119 (2018)
Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10
Gilbert, S., Lynch, N.: Brewer’s conjecture and the feasibility of consistent, available, partition-tolerant web services. ACM SIGACT News 33(2), 51–59 (2002)
Gilbert, S., Lynch, N.: Perspectives on the cap theorem. Computer 45(2), 30–36 (2012)
Karakostas, D., Kiayias, A.: Securing proof-of-work ledgers via checkpointing. Cryptology ePrint Archive, Report 2020/173 (2020). https://eprint.iacr.org/2020/173
Lewis-Pye, A., Roughgarden, T.: Resource pools and the cap theorem. ar**v preprint ar**v:2006.10698 (2020)
Malkhi, D., Nayak, K., Ren, L.: Flexible byzantine fault tolerance. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1041–1053 (2019)
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. Technical Report
Neu, J., Tas, E.N., Tse, D.: Ebb-and-flow protocols: a resolution of the availability-finality dilemma. ar**v preprint ar**v:2009.04987 (2020)
Pass, R., Seeman, L., Shelat, A.: Analysis of the blockchain protocol in asynchronous networks. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 643–673. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_22
Pass, R., Shi, E.: Hybrid consensus: efficient consensus in the permissionless model. In: 31st International Symposium on Distributed Computing (DISC) (2017)
Ren, L.: Analysis of Nakamoto consensus. IACR Cryptol. ePrint Arch. (2019)
Sankagiri, S., Wang, X., Kannan, S., Viswanath, P.: Blockchain cap theorem allows user-dependent adaptivity and finality. ar**v preprint ar**v:2010.13711 (2020)
Stewart, A., Kokoris-Kogias, E.: GRANDPA: a byzantine finality gadget. ar**v preprint ar**v:2007.01560 (2020)
Yin, M., Malkhi, D., Reiter, M.K., Gueta, G.G., Abraham, I.: HotStuff: BFT consensus with linearity and responsiveness. In: Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing, pp. 347–356 (2019)
Acknowledgements
This research is supported in part by a gift from IOHK Inc., an Army Research Office grant W911NF1810332 and by the National Science Foundation under grants CCF 17-05007 and CCF 19-00636.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix
A Algorand BA is a Checkpointing Protocol
We outline the full Algorand Byzantine Agreement (BA) protocol below for completeness. A minor modification (marked in red), adding validation, is the only addition to the original protocol. Honest checkpointers run a multi-iteration BA to commit checkpoints. The goal of the i-th iteration is to achieve consensus on the i-th checkpoint. Each iteration is divided into multiple periods and view changes will happen across periods.
All checkpointers start period 1 of iteration 1 at the same time (time 0). Checkpointer i starts period 1 of iteration n after it receives \(2t + 1\) cert-votes for some value v for the same period p of iteration \(n-1\) and waits for another fixed time e, and only if it has not yet started an iteration \(n' > n\). Checkpointer i starts period \(p \ge 2\) of iteration n after it receives \(2t + 1\) next-votes for some value v for period \(p - 1\) of iteration n, and only if it has not yet started a period \(p' > p\) for the same iteration n, or some iteration \(n' > n\). For any iteration n, checkpointer i sets its starting value for period \(p \ge 2\), \(st^p_i\), to v (the value for which \(2t+1\) next-votes were received and based on which the new period was started). For \(p = 1\), \(st^1_i = \perp \). The moment checkpointer i starts period p of iteration n, he finishes all previous periods and iterations and resets a local timer \({clock}_i\) to 0. At the beginning of every period, every honest checkpointer i sets \(v_i\) to be the checkpointed longest chain in its view at that time.
Each period has a unique leader known to all checkpointers. The leader is assigned in an i.i.d. fashion by the permitter oracle O. Each checkpointer i keeps a timer \({clock}_i\) which it resets to 0 every time it starts a new period. As long as i remains in the same period, \({clock}_i\) keeps counting. Recall that we assume the checkpointers’ individual timers have the same speed. In each period, an honest checkpointer executes the following instructions step by step.
Step 1: [Value Proposal by leader]. The leader of the period does the following when \({clock}_i = 0\); the rest do nothing. If \((p = 1)\) OR \(((p \ge 2)\) AND (the leader has received \(2t + 1\) next-votes for \(\perp \) for period \(p - 1\) of iteration n)), then it proposes its value \(v_i\). Else if \(((p \ge 2)\) AND (the leader has received \(2t + 1\) next-votes for some value \(v \ne \perp \) for period \(p - 1\) of iteration n)), then the leader proposes v.
Step 2: [The Filtering Step]. Checkpointer i does the following when \({clock}_i = 2\varDelta \). If\((p = 1)\) OR \(((p \ge 2)\) AND (i has received \(2t + 1\) next-votes for \(\perp \) for period \(p - 1\) of iteration n)), then i soft-votes the value v proposed by the leader of current period . Else if \(((p \ge 2)\) AND (i has received \(2t + 1\) next-votes for some value \(v \ne \perp \) for period \(p - 1\) of iteration n)), then i soft-votes v.
Step 3: [The Certifying Step]. Checkpointer i does the following when \({clock}_i \in (2\varDelta ,4\varDelta )\). If i sees \(2t + 1\) soft-votes for some value \(v \ne \perp \), then i cert-votes v.
Step 4: [The Period’s First Finishing Step]. Checkpointer i does the following when \({clock}_i = 4\varDelta \). If i has certified some value v for period p, he next-votes v. Else if ( \((p \ge 2)\) AND (i has seen \(2t+1\) next-votes for \(\perp \) for period \(p-1\) of iteration n)), he next-votes \(\perp \). Else he next-votes his starting value \(st^p_i\).
Step 5: [The Period’s Second Finishing Step]. Checkpointer i does the following when \({clock}_i \in (4\varDelta ,\infty )\) until he is able to finish period p. If i sees \(2t + 1\) soft-votes for some value \(v\ne \perp \) for period p, then i next-votes v. If \(( (p \ge 2)\) AND (i sees \(2t + 1\) next-votes for \(\perp \) for period \(p-1\)) AND (i has not certified in period p)), then i next-votes \(\perp \).
Halting condition: Checkpointer i HALTS current iteration if he sees \(2t+1\) cert-votes for some value v for the same period p, and sets v to be his output. Those cert-votes form a certificate for v. The block that is exactly k-deep in v is chosen as the checkpoint in current iteration.
A proposed value v (with block B being exactly k-deep in it) from period p of iteration n is VALID for checkpointer i (in the same period and iteration) if:
-
Value v is proposed by the leader of that period;
-
Block B is a descendant of all previously checkpointed blocks with smaller iteration number;
-
Block B is contained in the checkpointed longest chain that the checkpointer i holds when entering period p.
The only modification to the protocol is in Step 2, in the first condition, where the notion of validity is introduced. This is the only place where new proposals are considered. The validity notion helps transform the Algorand BA protocol into the multi-iteration checkpointing protocol that we desire. In Appendix B (see full version [23]), we show that this protocol indeed satisfies properties CP0–CP3, as mentioned in Sect. 4.
Rights and permissions
Copyright information
© 2021 International Financial Cryptography Association
About this paper
Cite this paper
Sankagiri, S., Wang, X., Kannan, S., Viswanath, P. (2021). Blockchain CAP Theorem Allows User-Dependent Adaptivity and Finality. In: Borisov, N., Diaz, C. (eds) Financial Cryptography and Data Security. FC 2021. Lecture Notes in Computer Science(), vol 12675. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-64331-0_5
Download citation
DOI: https://doi.org/10.1007/978-3-662-64331-0_5
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-64330-3
Online ISBN: 978-3-662-64331-0
eBook Packages: Computer ScienceComputer Science (R0)