diff --git a/pdf/grandpa.tex b/pdf/grandpa.tex index 0de1d69..e6056a3 100644 --- a/pdf/grandpa.tex +++ b/pdf/grandpa.tex @@ -3,6 +3,7 @@ \usepackage{amsmath} \usepackage{amssymb} \usepackage{amsthm} +\usepackage{color} \usepackage{fullpage} \usepackage[bookmarks=true, unicode=true, pdftitle={GRANDPA: a blockchain finality gadget}, pdfauthor={Alistair Stewart},pdfkeywords={blockchain finality gadget, consensus, Polkadot, Substrate},pdfborder={0 0 0.5 [1 3]}]{hyperref} @@ -28,6 +29,10 @@ \def\GST{\mathrm{GST}} +\long\def\com#1{} + +\long\def\xxx#1{{\color{red} {\bf XXX }{\small [#1]}}} + \begin{document} 
@@ -37,22 +42,48 @@ \section{Introduction} -We consider the question of finality for blockchain protocols: when will a block never be reverted. Many such protocols, such as the original blockchain, Bitcoin, have the property of eventual consensus - that an ever growing prefix of the chain will be agreed upon by all participants forever onward. But they generally only give probabilistic finality on a specific block - that under some assumptions about the network and participants, if we see a few blocks building on a given block, we can estimate the probability that it is final. -But what we'd prefer is to have provable finality - for example a signed statement by a set of authorities, the set of whom can be tracked, that the block is final. +Bitcoin~\cite{nakamoto09bitcoin} and its descendant~\cite{wood14ethereum} are cryptocurrencies that provide +secure automated value exchange without the need for a central managing authority. +In order to achieve this, they build on peer-to-peer networks where special nodes (usually called miners) +collect transactions from users and run a consensus protocol in order to maintain a distributed public ledger +usually termed as the \textit{blockchain} +One of the challenges of the Nakamoto consensus protocol run by these systems is that they only have the property of eventual consensus - that an ever growing prefix of the chain will be agreed upon by all participants forever onward. But this process generally takes tens of minutes and only gives probabilistic guarantees - if we see a few blocks building on a given block, we can estimate the probability that it is final. +Unfortunately these guarantees only hold if the underlying network is well-connected and the client able to find an uncensored source of information, two assumptions that +do not hold in Bitcoin~\cite{apostolaki17hijacking, gervais16tampering, hellman15eclipse}. 
+ +The underlying problem which enables these attacks is that first generation blockchain protocols do not consider finality (i.e., when will a block never be reverted) as a first class property, prioritizing liveness instead. +New generation protocols propose the complete opposite, to block liveness when finality is not readily achievable. +This can only happen if we change the existing infrastructure and provide hybrid BFT solutions, (byzcoin etc.), however it also has multiple shortcomings. +First, it is exclusive and leads to centralization as these protocols need to put a limit on the size of the group running the protocol in order to achieve good performance. +Second, tying consensus with liveness of the chain means that there is no optimism and blocks are committed only when all verification information are available. + + +In this work we show the that the middle ground also merits exploration. We introduce the idea of lazy finality which is encapsulated in the abstraction of a \emph{finality gadget.} +Separating the liveness of the consensus protocol from the finality of the blocks can have 4 concrete benefits for the overlying blockchain protocol. First, not every node that is competing to mine a block needs to be part of the finality gadget, hence we can get the \textit{best of both worlds} (i.e., full inclusive decentralization and scalable fast finality). Second we can reorganize \xxx{Al put a sentence on why this is a cool property.}. Third, finality gadget can be deployed gradually and light clients can choose to consult them or follow the longest chain rule and ignore them, enabling light client heterogenity. This is useful to prove what happened to light clients, who do not have the full chain or are not actively listening to the network, and to communicate with other chains, possibly as part of a scalability solution, where not anyone receives or stores all the data in the system. 
+Finally, the finality gadget are simpler than consensus protocols since they do not require complex and costly view change protocols -Another popular family of consensus mechanisms for blockchains involves getting Byzantine agreement on each block \cite{Tendermint.AlgorandAgreement}. -This gives provable finality immediately. However this is slow if we have a large set of participants in the Byzantine agreement. -The approach that we will take is similar to the approach that Ethereum plans to take with Casper the Friendly Finality Gadget (Casper FFG)\cite{CasperFFG}, which combines these approaches. -We will use a block production mechanism and chain selection rule that give eventual consensus and then add a finality gadget, a protocol that finalises blocks that the participants already agree on, to get provable finality. +More specifically, this work introduces the abstraction of a \emph{finality gadget} that runs along any block production mechanism (e.g., Nakamoto consensus) and +provides provable finality guarantees instead of probabilistic. +To this end we formalise the finality gadget problem and show that it is impossible to satisfy its properties with a deterministic asynchronous protocol. +Instead , we introduce the GRANDPA finality gadget that works in a partially synchronous network model, in the presence f up to $1/3$ Byzantine actors. As a result the combination of GRANDPA with a classic block production mechanism like GHOST~\cite{xxx} results in the existing deployment of the polkadot network which provides fast finality under good network conditions and protects the clients without compromising the liveness when under attack. -We present a finality gadget that works in a partially synchronous network model, GRANDPA, that works in the presence f up to $1/3$ Byzantine actors as well as an asynchronous finality gadget, that can cope with $1/5$ Byzantine actors. 
-Recent research on consensus has come up with many different block production mechanisms that give eventual consensus. We want formal guarantees to hold for finality gadgets that can easily be applied to many possible block production mechanisms. Thus we want to make the least assumptions about the block production mechanism as possible. -An important goal of this work is to formalise the finality gadget problem. We want formal guarantees for safety and liveness for finality gadget. + + + + +%The approach that we will take is similar to the approach that Ethereum plans to take with Casper the Friendly Finality Gadget (Casper FFG)\cite{CasperFFG}, which combines these approaches. +%We will use a block production mechanism and chain selection rule that give eventual consensus and then add a finality gadget, a protocol that finalises blocks that the participants already agree on, to get provable finality. + +%We present a finality gadget that works in a partially synchronous network model, GRANDPA, that works in the presence f up to $1/3$ Byzantine actors as well as an asynchronous finality gadget, that can cope with $1/5$ Byzantine actors. + + + +\section{Model, Definitions, and Impossibilities} \subsection{Formalising the problem} @@ -124,7 +155,7 @@ As long as we do not change the chain we are building on by finalising another b Thus any finality gadget that satisfies Definition \ref{def:finality-gadget}, will work in this system so that all honest voters finalise an increasingly long common chain. Thanks to the abstraction above, we can switch $F$ for one of many possible alternative consensus algorithms and $G$ will still work. - +\com{ To analyse the performance of our finality gadget, we will need versions of the last two properties that appropriately depend on time: \begin{itemize} 
@@ -188,7 +219,7 @@ It is not clear that it is, nor is it clear how to prove liveness for such a rul \section{Preliminaries} \label{sec:prelims} - +} {\bf Network model}: We will mostly be using a partially synchronous gossip network model, such as that described in \cite{Tendermint} section II A. Participants communicate via a gossip network, where they are connected to a subset of other participants, and forward all messages they receive to all their connected peers. We assume that the network graph is such that any Byzantine participants are not able to cut off an honest participant and so any message sent or received by an honest participant reaches all honest participants. @@ -262,6 +293,7 @@ Note that it is possible for an intolerant $S$ to both have a supermajority for \end{itemize} \end{lemma} + \section{The GRANDPA protocol} \label{sec:grandpa} In this section, we give the protocol for GRANDPA, our finality gadget in the partially synchronous setting.
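Review bot: In the preamble hunk (@@ -28,6 +29,10 @@), \xxx prints its red "XXX" note into the compiled PDF unconditionally, and the introduction hunk already calls it (\xxx{Al put a sentence on why this is a cool property.}), so an editorial to-do ends up in every build of the paper. Suggest gating \xxx and \com behind a draft switch so a final build expands \xxx to nothing, and defining both with \newcommand instead of \long\def so a name clash is reported as an error rather than silently overwriting an existing macro. {\bf XXX } uses the old font switch; \textbf{XXX} is the current form. The \usepackage{color} line added in the first hunk is needed only by \xxx and can sit behind the same switch.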
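Review bot: In the introduction hunk (@@ -37,22 +42,48 @@), GHOST is cited as \cite{xxx}, a placeholder key that will render as an undefined reference, and "(byzcoin etc.)" names prior work with no citation at all. Please replace both with real keys, and confirm that the new keys (nakamoto09bitcoin, wood14ethereum, apostolaki17hijacking, gervais16tampering, hellman15eclipse) resolve, since this patch touches only pdf/grandpa.tex and shows no bibliography change. Text fixes in the same hunk: the sentence ending in \textit{blockchain} and the one ending in "view change protocols" have no full stop; "show the that", "Instead ,", "presence f up to" and "heterogenity" are typos; "its descendant" is followed by a single citation but the next sentence speaks of "these systems". The sentence beginning "This is useful to prove what happened to light clients" no longer has a clear antecedent after the light-client heterogeneity sentence, so say what "This" refers to (provable finality) or move it.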
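Review bot: The \com{ opened in hunk @@ -124,7 +155,7 @@ is closed in hunk @@ -188,7 +219,7 @@ only after \section{Preliminaries} \label{sec:prelims}, so the section heading and its label are discarded together with the timing properties. Any \ref{sec:prelims} elsewhere in the paper becomes undefined, and the network model text now sits under the preceding section. Because both blank lines were replaced by the \com{ and } lines, {\bf Network model} also runs on in the same paragraph as "...and $G$ will still work." Suggest moving the closing brace to just before \section{Preliminaries} and keeping a blank line after it. If the heading is meant to go, remove it explicitly and check the references to its label.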