KasMedia Logo

(This post is part of the Understanding GHOSTDAG series)

In this chapter, we introduce some blockDAG protocols and discuss their properties, focusing on their security.

The first two examples will follow from “DAGifying” existing chain selection rules. In the previous post, we explained in detail how an ordering rule is induced from a chain selection rule. The gist of the matter is that given two blocks BB and BB’, we define the ordering such that BB precedes BB’ if there is a chain going through BB which is “better” (in the sense furnished by the chain selection rule) than all chains going through BB’.

DAGified Heaviest Chain Rule

The DAGified HCR ordering rule prefers BB over BB’ if there is a chain running through BB’ that is heavier than all chains running through BB.

Apparently, the resulting rule does not have the safety property.

Say that at some point the DAG looks like this:

65

One can see that there is a chain of length 66 going through BB, while all chains going through BB’ are smaller. Hence BB precedes BB’.

Now we wait some times to see if this stabilizes. Say that at some point in the future the DAG might look like this:

66

It is easy to verify that the new blocks do not change the ordering between BB and BB. One way to see it is to note that they do not create new tips that are parallel to the original (dark blue) tips. Since there isn’t an original tip that only has one of the blocks BB and BB’ in its past, the chains going through BB and BB’ are extended the same way. One can easily verify that now the longest chain going through BB has nine blocks while the longest chain going through BB’ only has eight.

Now say an attacker posted a few more blocks

67

Note that the attacker created much less blocks than the honest network, yet now the longest chain going through BB’ is longer than any chain going through BB! This proves that “DAGified HCR” is not safe.

So what went wrong? The heaviest chain rule does not allow all blocks in the network to contribute to the security. Even though it provides a way to consistently incorporate the entire DAG, the security only accumulates as fast as the heaviest chain. This means that work done in parallel still doesn’t count towards security even if technically there are “no orphans”. Indeed, a good generalization of HCR will have to somehow extend it to account for the work of parallel blocks. Remember this.

DAGified GHOST (Baby Tangle 1.0)

DAGifying GHOST furnishes the following ordering rule: put BB before BB’ if BB has a heavier future. There is also a probabilistic version: choose randomly between BB and BB’ with probability proportional to the future size. (The Tangle 1.0 protocol is essentially the latter variation with two added constraints: blocks contain only one transaction, and have at most two parents.) For simplicity we will focus on the deterministic version, but the discussion applies to both.

One can prove that DAGified GHOST has safety, which is already an improvement over DAGified HCR. However, it does not have liveness.

Consider the following blockDAG:

68

One can see that B.Future=5|B.Future| = 5 whereas B.Future=4|B’.Future| = 4 so the GHOST rule would prefer BB.

Since it has been some time since BB and BB’ were created, it is very likely that all future honest blocks will have both of them in their past, so after a while the blockDAG might look like this:

69

One can now check that B.Future=8|B.Future| = 8 and B.Future=7|B’.Future| = 7. However, this check in unnecessary. Since all new blocks are in the future of both BB and BB’, we know that the difference didn’t change. In fact, as time progresses, the probability that an honest block has exactly one of the blocks BB and BB’ goes to zero very fast. Hence, the difference remains constant (in this case, exactly one). We can write this as B.Future=B.Future+1|B.Future| = |B’.Future|+1 and note that as long as this is the case, the GHOST rule will always prefer BB over BB’.

However, the assertion that new blocks will have both BB and BB’ in their past only holds for honest blocks. An adversary could create blocks as follows.

70

These blocks increase B.FutureB’.Future by 22 while not contributing to B.FutureB.Future. Soon enough, the network will converge to a situation where all new blocks have the two attacker blocks in their past as well:

71

So the consensus will now suddenly agree that B.Future+1=B.Future|B’.Future| +1 = |B.Future| and that BB’ is actually the precedent block. At least until the attacker posts two more blocks:

72

This, by only posting two blocks at a time, an attacker can indefinitely cause the consensus to switch from preferring BB’ to preferring BB.

The upshot is that if the adversary waits sufficiently long, they can not revert the transaction anymore, making SS finite, establishing safety. However, they could engage in the balancing act above, making LL arbitrarily long, violating liveness!

So what went wrong? The problem is that shortly after BB and BB’ are created, all miners are aware of both, so all future blocks will have both in their past. In other word, as long as it is not manipulated by malicious actors, the difference B.FutureB.Future|B.Future| - |B’.Future| remains fixed. This is bad, because this difference measures the cost of an attack. In contrast, in the chain setting, each new block can be in the future of at most one of the two blocks. This means that the longer the network prefers BB, the more advantage it gets over BB’. The difference B.FutureB.Future|B.Future| - |B’.Future| grows with each block making the cost of an attack increase. By allowing (and actually incentivizing) miners to point at all tips we actually excuse them from making a decision. Only the first few blocks above BB and BB’ weigh in on the decision, while the rest abstain, making it that much easier to overturn retroactively.

SPECTRE

One can take the intuition of blocks “weighing in” — i.e. voting — on the decision quite further.

The idea is that instead of counting how many blocks are in B.FutureB.Future we can ask how many blocks prefer BB.

But what does it mean to “prefer” BB? The intuition is that a block CC would “prefer” BB if from its point of view, there are more blocks that prefer BB than there are blocks that prefer BB’. This definition is recursive: we define the preference of a block based on the preferences of blocks in its past. There is only one exception: a block cannot prefer a block that is not in its past (it only makes sense that you cannot for an option you don’t know exists). This provides us with a basis for the recursion as follows:

  • If CB.FutureC \in B.Future but CB.FutureC \notin B’.Future then CC prefers BB.

  • If CB.FutureB.FutureC\in B.Future\cap B’.Future then CC prefers BB if there are more blocks that prefer BB in B.FutureC.PastB.Future \cap C.Past than there are in B.FutureC.PastB’.Future \cap C.Past.

  • (Define a tie-breaking rule for scenarios where BB and BB’ have the same number of votes).

This chain rule is quite close to the first provably secure blockDAG algorithm in the literature: the SPECTRE algorithm, published in 2016 by Yonatan Sompolinsky, Yoad Lewenberg and Aviv Zohar. However, protocol as we defined it is still not quite secure. While not susceptible to the safety and liveness attacks we have seen, it is still susceptible to premining attacks: if an attacker has enough time to prepare in advance, she could increase her chances to double-spend in the future. This could be solved by extending the rules above to all blocks in the DAG, including those not in the future of BB or BB’. This extension is not complicated, but it is outside the scope of this book. The full details are available in the paper.

To see the difference between DAGified GHOST and SPECTRE consider the following blockDAG:

73

One can verify that B.Past=6|B.Past|=6 and B.Past=5|B’.Past|=5 so DAGified GHOSTDAG would put BB ahead of BB’'.

However, we can see that from the point of view of DD and EE one block prefers BB’ while no block prefers BB. This will cause DD and EE to prefer BB’. Thus, FF sees four blocks that prefer BB’ and only three blocks that prefer BB and it thus prefers BB’ itself.

The subtle point with SPECTRE is that it does not actually output an ordering, it outputs something weaker than that: a pairing. For any two blocks, it tells you what block it prefers. But it could be that it would prefer AA over BB over CC over AA (this is related to something called the Condorcet paradox.) However, the validation rules guarantee that this could never happen if AA, BB, and CC contain a contradiction.

The upshot is that it seems that SPECTRE is the “correct” way to DAGify GHOST. In the next chapter we will similarly see that GHOSTDAG is (despite the annoying name) the “correct” way to DAGify HCR.

Combining DAGs and Chains

One way to combine some of the benefit of DAGs with the simplicity of chains is to use DAGs for throughput but chains for confirmation.

For example, consider the following protocol (which is a simplified version of a protocol called Hathor): there are separate DAG blocks and chain blocks. The chain blocks are arranged in a chain, but any chain block must also point at a DAG block. Furthermore, if BB is a chain block pointing at DAG block PP, and if CC is in the future of BB, then it must point at a DAG block in P.FutureP.Future. The resulting blockDAG could look like this:

74

but not like this:

79

Given the chain, it is easy to define a sorting rule. Any chain block inherits the topological sorting from its parent, and extends it to include the new blocks. It doesn’t really matter how, as long as it is topological. So for example, the sorting from the point of view of chain block CC will start with the sorting of the (closed) past of PP already determined by BB, and append to it the blocks Q,R,S,T,U,VQ,R,S,T,U,V in a topological way. Incidentally, the alphabet order seems to work in this case. Hathor itself uses DAGified GHOST.

It follows that if we are confident that a chain block will not be orphaned, we are equally confidant that the topological ordering of the DAG below this block will not change as well. Hence, all transactions confirmed in that part of the DAG will remain confirmed.

The obvious drawback of this approach is that while it manages to scale throughput, it suffers from confirmation times as slow as traditional blockchains. Other than that, it is also a bit unclear how to set the incentives of the network such that miners will follow the rules.

This protocol is the simplest form of DAG and chain, but not the only one. There are protocols who create a general DAG, but somehow sample “special” blocks out of this DAG. These blocks are chosen in a way that provides a chain, and they act to finalize the DAG blocks below them. This leads to more complex algorithms, but actually simplifies questions about incentive alignment. The two prominent examples are FruitChains and TailStorm.

Enjoyed reading this article?

More articles like this

Comments

No comments yet!

Post a comment

KasMedia logo