diff --git a/pdf/grandpa.bib b/pdf/grandpa.bib index d8039d3..5c157cd 100644 --- a/pdf/grandpa.bib +++ b/pdf/grandpa.bib @@ -37,7 +37,7 @@ @article{BitcoinBA, title={Anonymous byzantine consensus from moderately-hard puzzles: A model for bitcoin}, author={Miller, Andrew and LaViola Jr, Joseph J}, - url={https://nakamotoinstitute.org/research/anonymous-byzantine-consensus/} + url={https://nakamotoinstitute.org/research/anonymous-byzantine-consensus/}, year={2014} } diff --git a/pdf/grandpa.pdf b/pdf/grandpa.pdf index 28296e5..c5731dc 100644 Binary files a/pdf/grandpa.pdf and b/pdf/grandpa.pdf differ diff --git a/pdf/grandpa.tex b/pdf/grandpa.tex index 14c85fb..685bbb4 100644 --- a/pdf/grandpa.tex +++ b/pdf/grandpa.tex @@ -71,7 +71,7 @@ We can change this definition to assume that instead of having an initial value, Note that, in the case $|S| > 2$, this definition of validity is stronger than that of the obvious generalisation for Multi-valued Byzantine agreement, that all honest voters decide a value with which some honest voter started with. This is because that definition would be impossible if the fraction of Byzantine voters is bigger than $1/|S|$, as we cannot detect Byzantine voters who act like honest voters, except for lying about their initial value. So if fewer than $1/|S|$ voters act like they have some initial value, the protocol cannot know if any are honest. -But for the case $|S|=2$, the two possible definitions of validity are equivalent. This means that we can reduce the binary version of the Byzantine finality gadget problem above to binary Byzantine agreement, by each voter just calling $A$ at the start to obtain their initial value, since if $A$ does not return the same value to every honest voter all the time, then it returns both values to honest voters some times. Thus there are many existing algorithms for the binary Byzantine finality gadget problem. However the interesting problem in this case is whether the celebrated impossibility result of \cite{flp} generalizes to this finality gadget problem, i.e., whether this oracle which is guaranteed to achieve eventual consensus makes it possible to have an asynchronous and deterministic protocol for agreement. A reduction is not immediately obvious. It turns out that the finality gadget version is indeed impossible see \ref{ssec:impossibility}. +But for the case $|S|=2$, the two possible definitions of validity are equivalent. This means that we can reduce the binary version of the Byzantine finality gadget problem above to binary Byzantine agreement, by each voter just calling $A$ at the start to obtain their initial value, since if $A$ does not return the same value to every honest voter all the time, then it returns both values to honest voters some times. Thus there are many existing algorithms for the binary Byzantine finality gadget problem. However the interesting problem in this case is whether the celebrated impossibility result of \cite{flp} generalizes to this finality gadget problem, i.e., whether this oracle which is guaranteed to achieve eventual consensus makes it possible to have an asynchronous and deterministic protocol for agreement. A reduction is not immediately obvious. It turns out that the finality gadget version is indeed impossible see \ref{ssec:impossibility}. Now how do we extend this to agreeing on a chain of blocks? We will need the block production mechanism to build on finalised blocks, so the best chain rule must include them. We assume a kind of conditional eventual consensus. If we keep building on our last finalised block $B$ and don't finalise any new blocks, then eventually we have consensus on a longer chain than just $B$, which the finality gadget can use to finalise another block. We also want a protocol that does not terminate, but instead keeps on finalising more blocks. @@ -79,7 +79,11 @@ We assume that there is a block production protocol $P$ that runs at the same ti We say that the system $F$,$G$ and $A$ achieves conditional eventual consensus, if $F$ has finalised a block $B$, then eventually, either $F$ will finalise some descendant of $B$ or else all the chains with head $A_{v,s_v}(B)$ for all voters $v$ at all future states $s_v$ will contain the same descendant $B'$ of $B$. -\begin{definition} \label{def:finality-gadget} A protocol for the blockchain Byzantine finality gadget problem has a set of voters $V$, a constant fraction of which may be Byzantine, each of whom has access to an oracle for the best chain given the last finalised block with the property that, as long as no new block is finalised, it achieves eventual consensus on some child of the last finalised block such that the following holds: +\begin{definition} \label{def:finality-gadget} +Let $F$ be a protocol with a set of voters $V$, a constant fraction of which may be Byzantine. +We say that $F$ solves the Byzantine finality gadget problem if for every block production protocol $P$ a voting rule $A$ such that the system $F,G,A$ achieves conditional eventual consensus, then we have th following + +A protocol for the blockchain Byzantine finality gadget problem has , each of whom has access to an oracle $A$ for the best chain given the last finalised block with the property that, as long as no new block is finalised, it achieves eventual consensus on some child of the last finalised block such that the following holds: \begin{itemize} \item{\bf Safety:} All honest voters finalise the same block at each block number.