Instant Confirmation Rafael Pass and Elaine Shi Cornell Tech & - - PowerPoint PPT Presentation

Thunderella: Blockchains with Optimistic Instant Confirmation

Rafael Pass and Elaine Shi

Cornell Tech & Cornell University

State-machine replication

(a.k.a. linearly ordered log, consensus, blockchain)

State-machine replication

(a.k.a. linearly ordered log, consensus, blockchain)

Consistency:

honest nodes agree on log

Liveness:

TXs are incorporated soon

Classical

(e.g. PBFT, Paxos)

Blockchains

Classical

(e.g. PBFT, Paxos)

Fast (most of the time) Complex Asynch

Blockchains

Classical

(e.g. PBFT, Paxos)

Fast (most of the time) Complex Asynch

Blockchains

(PoW and non-PoW)

Slow Sync Simple Robust

Thunderella

As simple and robust as a blockchain Confirm in 2 actual network rounds in the “optimistic case” Fall back to blockchain when things “go bad”

Classical

(e.g. PBFT, Paxos)

Let’s start with this

Roadmap

Blockchains

(PoW and non-PoW)

Classical

(e.g. PBFT, Paxos)

Blockchains

(PoW and non-PoW)

Roadmap

Leader proposes transaction

(Seq, )

Everyone “ack’s”

Confirm on upon “enough” acks

Ex: Assume ⅔n+1 honest; wait for ⅔n+1 acks

⅔n+1 ⅔n+1

“Y”

Must intersect at an honest node

Assume ⅔n+1 honest

⅔n+1 ⅔n+1

“Y”

Must intersect at an honest node

Assume 1/3n malicious

⅔n+1 ⅔n+1

“Y”

Must intersect at an honest node

Thus X = Y

Assume ⅔ honest and online

Assume ⅔ honest and online

Consistency Liveness

Assume ⅔ honest and online

Consistency Liveness Consistency No liveness

How do we achieve liveness?

How do we achieve liveness?

You don’t want to know …

[PBFT, Paxos...]

Anatomy of classical consensus

Simple normal path Complicated recovery path

Classical

(e.g. PBFT, Paxos)

Blockchains

(PoW and non-PoW)

Roadmap

blockchain

Thunderella

Thunderella

for

permissionless Thunderella

for

permissioned

Thunderella

for

permissionless

For concreteness, we’ll focus on this

blockchain miners Leader/ ”accelerator” Committee

(recent miners/ stakeholders)

3/4 fraction honest and online

“Optimistic” mode: Instant confirmation

honest and

• nline

majority honest

majority honest majority honest

(but need not be online)

But, still SECURE as long as:

majority Arbitrary deviation!

¾n+1 “X” ¾n+1 “Y”

Must intersect at an honest node

Assume ½n+1 honest

Ack Propose (seq, )

Propose (seq, ) Ack

¾ acks:

notarized

¾ voted:

notarized Confirm maximal “lucky” sequence

Confirm maximal “lucky” sequence

¾ voted:

notarized

No liveness when

blockchain collects evidence

• f

blockchain collects evidence

• f

Now enter slow mode

What evidence do we collect?

Need: faulty nodes cannot implicate honest leader

Miners “tell blockchain” everything they know

What evidence do we collect?

k blocks

What evidence do we collect?

k blocks

has not appeared in a lucky sequence

blockchain collects evidence

• f

Now enter slow mode

Now enter slow mode

Nodes have different logs when entering slow mode

Now enter slow mode

Need: agree on log before entering slow mode

Grace period: k blocks

• Stop optimistic output
• Share knowledge
• All knowledge → blockchain

Stop “acking” new transactions Tell others what you know Miners tell blockchain what they know

Summary

k blocks

Slow mode has not appeared in a lucky sequence Grace period

3/4 fraction honest and online

“Optimistic” mode: Instant confirmation

honest and

• nline

majority honest

majority honest majority honest

(but need not be online)

But, still SECURE as long as:

majority Arbitrary deviation!

Thank you.