
Byzantine Generals in the Permissionless Setting

  • Conference paper
  • Financial Cryptography and Data Security (FC 2023)

Abstract

Consensus protocols have traditionally been studied in the permissioned setting, where all participants are known to each other from the start of the protocol execution. What differentiates the most prominent blockchain protocol Bitcoin [15] from these previously studied protocols is that it operates in a permissionless setting, i.e. it is a protocol for establishing consensus over an unknown network of participants that anybody can join, with as many identities as they like in any role. The arrival of this new form of protocol brings with it many questions. Beyond Bitcoin and other proof-of-work (PoW) protocols, what can we prove about permissionless protocols in a general sense? How does the recent stream of work on permissionless protocols relate to the well-developed history of research on permissioned protocols?

To help answer these questions, we describe a formal framework for the analysis of both permissioned and permissionless systems. Our framework allows for “apples-to-apples” comparisons between different categories of protocols and, in turn, the development of theory to formally discuss their relative merits. A major benefit of the framework is that it facilitates the application of a rich history of proofs and techniques for permissioned systems to problems in blockchain and the study of permissionless systems. Within our framework, we then address the questions above. We consider a programme of research that asks, “Under what adversarial conditions, and for what types of permissionless protocol, is consensus possible?” We prove several results for this programme, our main result being that deterministic consensus is not possible for permissionless protocols.

Notes

  1. See www.coinmarketcap.com for a comprehensive list of cryptocurrencies and their market capitalisations.

  2. For appendices, see the arXiv version: https://arxiv.org/abs/2101.07095.

  3. There are a number of papers analysing Bitcoin [10, 16] that take the approach of working within the language of the UC framework of Canetti [4]. Our position is that this provides a substantial barrier to entry for researchers in blockchain who do not have a strong background in security, and that the power of the UC framework remains largely unused in the subsequent analysis.

  4. For the appendix, see https://arxiv.org/abs/2101.07095.

  5. As described more precisely in Sect. 2.3, whether the resource pool is determined or undetermined will decide whether we are in the sized or unsized setting.

  6. For a PoW protocol like Bitcoin, the resource balance of each identifier will be their (relevant) computational power at the given timeslot (and hence independent of the message state). For PoS protocols, such as Ouroboros [13] and Algorand [6], however, the resource balance will be determined by ‘on-chain’ information, i.e. information recorded in the message state M.

  7. To model a perfectly co-ordinated adversary, we will later modify this definition to allow the adversary to make requests of a slightly more general form (see the Appendix 5).

  8. See Appendix 5 for a detailed explanation of what it means to be a ‘probabilistic function’.

  9. In the authenticated setting the response of the permitter is now allowed to be a probabilistic function also of \(\texttt{U}_p\). See Appendix 3 for details.

  10. So, in this simple model, we don’t deal with any notion of a ‘transaction’. It is clear, though, that the model is sufficient to be able to define what it means for blocks to be confirmed, to define notions of liveness (roughly, that the set of confirmed blocks grows over time with high probability) and consistency (roughly, that with high probability, the set of confirmed blocks is monotonically increasing over time), and to prove liveness and consistency for the Bitcoin protocol in this model (by importing existing proofs, such as that in [10]).

  11. It is standard practice in PoS blockchain protocols to require a participant to have a currency balance that has been recorded in the blockchain for at least a certain minimum amount of time before they can produce new blocks, for example. So, a given participant may not be permitted to extend a given chain of blocks at timeslot t, but may be permitted to extend the same chain at a later timeslot \(t'\).

  12. We consider resource pools with range restricted in this way, because it turns out to be an overly strong condition to require a protocol to function without any further conditions on the resource pool, beyond the fact that it is a function to \(\mathbb {R}_{\ge 0}\). Bitcoin will certainly fail if the total resource balance over all identifiers decreases sufficiently quickly over time, or if it increases too quickly, causing blocks to be produced too quickly compared to \(\varDelta \).

  13. The names ‘single-permitter’ and ‘multi-permitter’ come from the sizes of the resulting permission sets when modelling blockchain protocols. For PoW protocols the permission set received at a single step will generally be of size at most 1, while this is not generally true for PoS protocols.

  14. It is technically convenient here to allow that processors can still submit requests, but that requests always get the same response (the particular value then being immaterial).

  15. For an exposition of Algorand that explains how to deal with the partially synchronous setting, see [5].

  16. Of course, it is crucial to our analysis here that PoW protocols are being modelled in the unsized setting. It is also interesting to understand why Theorem 3 does not contradict the results of Sect. 7 in [10]. In that paper, they consider the form of partially synchronous setting from [8] in which the delay bound \(\varDelta \) always holds, but is undetermined. In order for the ‘common prefix property’ to hold in Lemma 34 of [10], the number of blocks k that have to be removed from the longest chain is a function of \(\varDelta \). When \(\varDelta \) is unknown, the conditions for block confirmation are therefore also unknown. It is for this reason that the Bitcoin protocol cannot be used to give a probabilistic solution to BB in the partially synchronous and unsized setting.
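Note 10 sketches liveness and consistency purely in terms of the set of confirmed blocks seen at each timeslot. The following Python checker is added here and is not code from the paper: it makes those two conditions concrete over constructed per-timeslot traces (block labels and the traces themselves are invented), dropping the paper's "with high probability" qualifier so that a single deterministic run either satisfies a property or exhibits a concrete violation.

```python
"""Checker for the liveness and consistency notions sketched in note 10.

Constructed example, not code from the paper: a run of a blockchain protocol
is recorded as the set of confirmed block identifiers an observer sees at
each timeslot.  Consistency (roughly) says that set is monotonically
increasing, so a block, once confirmed, is never un-confirmed; liveness
(roughly) says it keeps growing.  Probabilistic qualifiers are dropped.
"""
from typing import FrozenSet, List, Sequence, Tuple

Trace = Sequence[FrozenSet[str]]  # index = timeslot, value = confirmed blocks


def consistency_violations(trace: Trace) -> List[Tuple[int, FrozenSet[str]]]:
    """Return (timeslot, lost_blocks) for each timeslot whose confirmed set is
    not a superset of the previous one, i.e. a confirmed block was dropped."""
    violations: List[Tuple[int, FrozenSet[str]]] = []
    for t in range(1, len(trace)):
        lost = trace[t - 1] - trace[t]
        if lost:
            violations.append((t, lost))
    return violations


def is_consistent(trace: Trace) -> bool:
    return not consistency_violations(trace)


def is_live(trace: Trace, window: int) -> bool:
    """Finite-trace liveness: over every `window` consecutive timeslots at
    least one block is confirmed that was not confirmed at the window start.
    Vacuously true when the trace is shorter than the window."""
    return all(trace[t + window] - trace[t] for t in range(len(trace) - window))


# Constructed traces (not from the paper); block names are arbitrary labels.
HONEST = [frozenset(), frozenset({"b1"}), frozenset({"b1", "b2"}),
          frozenset({"b1", "b2", "b3"})]
# At timeslot 3 the observer switches to a fork and b2 is un-confirmed.
REORG = [frozenset(), frozenset({"b1"}), frozenset({"b1", "b2"}),
         frozenset({"b1", "b2x"}), frozenset({"b1", "b2x", "b3x"})]
# Confirmation stalls after timeslot 1.
STALLED = [frozenset(), frozenset({"b1"}), frozenset({"b1"}),
           frozenset({"b1"}), frozenset({"b1"})]

if __name__ == "__main__":
    print("honest consistent:", is_consistent(HONEST), "live:", is_live(HONEST, 1))
    print("reorg violations:", consistency_violations(REORG))
    print("stalled live (window=2):", is_live(STALLED, 2))
```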

References

  1. Brewer, E.A.: Towards robust distributed systems. In: PODC, Portland, OR, vol. 7, pp. 343477–343502 (2000)

  2. Brown-Cohen, J., Narayanan, A., Psomas, A., Weinberg, S.M.: Formal barriers to longest-chain proof-of-stake protocols. In: Proceedings of the 2019 ACM Conference on Economics and Computation, pp. 459–473 (2019)

  3. Buterin, V.: What is Ethereum? Ethereum Official webpage. www.ethdocs.org/en/latest/introduction/what-is-ethereum.html. Accessed 14 2018

  4. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145. IEEE (2001)

  5. Chen, J., Gorbunov, S., Micali, S., Vlachos, G.: ALGORAND AGREEMENT: super fast and partition resilient Byzantine agreement. IACR Cryptol. ePrint Arch. 2018, 377 (2018)

  6. Chen, J., Micali, S.: Algorand. arXiv preprint arXiv:1607.01341 (2016)

  7. Dolev, D., Strong, H.R.: Authenticated algorithms for Byzantine agreement. SIAM J. Comput. 12(4), 656–666 (1983)

  8. Dwork, C., Lynch, N.A., Stockmeyer, L.: Consensus in the presence of partial synchrony. J. ACM 35(2), 288–323 (1988)

  9. Garay, J., Kiayias, A., Ostrovsky, R.M., Panagiotakos, G., Zikas, V.: Resource-restricted cryptography: revisiting MPC bounds in the proof-of-work era. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 129–158. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_5

  10. Garay, J.A., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications (2018)

  11. Gilbert, S., Lynch, N.: Brewer’s conjecture and the feasibility of consistent, available, partition-tolerant web services. ACM SIGACT News 33(2), 51–59 (2002)

  12. Guo, Y., Pass, R., Shi, E.: Synchronous, with a chance of partition tolerance. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 499–529. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_18

  13. Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12

  14. Lamport, L., Shostak, R., Pease, M.: The Byzantine generals problem. ACM Trans. Program. Lang. Syst. (TOPLAS) 4(3), 382–401 (1982)

  15. Nakamoto, S., et al.: Bitcoin: a peer-to-peer electronic cash system (2008)

  16. Pass, R., Seeman, L., shelat, a.: Analysis of the blockchain protocol in asynchronous networks (2016). https://eprint.iacr.org/2016/454.pdf

  17. Pass, R., Shi, E.: Rethinking large-scale consensus. In: 2017 IEEE 30th Computer Security Foundations Symposium (CSF), pp. 115–129. IEEE (2017)

  18. Pease, M., Shostak, R., Lamport, L.: Reaching agreement in the presence of faults. J. ACM (JACM) 27(2), 228–234 (1980)

  19. Ren, L., Devadas, S.: Proof of space from stacked expanders. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 262–285. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53641-4_11

  20. Terner, B.: Permissionless consensus in the resource model. IACR Cryptol. ePrint Arch. 2020, 355 (2020)

  21. Zamani, M., Movahedi, M., Raykova, M.: Rapidchain: scaling blockchain via full sharding. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 931–948 (2018)

Corresponding author

Correspondence to Andrew Lewis-Pye.

Copyright information

© 2024 International Financial Cryptography Association

About this paper

Cite this paper

Lewis-Pye, A., Roughgarden, T. (2024). Byzantine Generals in the Permissionless Setting. In: Baldimtsi, F., Cachin, C. (eds) Financial Cryptography and Data Security. FC 2023. Lecture Notes in Computer Science, vol 13950. Springer, Cham. https://doi.org/10.1007/978-3-031-47754-6_2

  • DOI: https://doi.org/10.1007/978-3-031-47754-6_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-47753-9

  • Online ISBN: 978-3-031-47754-6