Professional Documents
Culture Documents
▷ Consensus Protocols
▷ Algorand
● Use Cases
● Major
Challenges
▷ Non-blockchain consensus:
○ MaidSafe
▷ Privacy
○ Formed in February 2017 with State Bank of India being the first member,
BankChain now has 27 members from India and the Middle East
○ Projects
● Secure documents ● Know Your Customer
● Peer-to-peer payments ● Blockchain Libraries
● Asset / Charge registry ● Virtual currencies
● Syndication of loans ● Cross border payments
● Blockchain Security Controls ● Trade finance
○ Verification Phase:
■ V asks P to tell label values of some random nodes
Consensus Protocols
● Detour
▷ Byzantine fault is any fault presenting different symptoms to
● Proof of Work different observers.
(PoW) ▷ The objective of Byzantine Fault Tolerance (BFT) is to be able
● Proof of Stake
to defend against Byzantine failures, in which components of a
(PoS) system fail with symptoms that prevent some components of
the system from reaching agreement among themselves.
● Proof of Space
(PoSp)
▷ BFT can be achieved if the loyal (non-faulty) generals have a
unanimous agreement on their strategy.
● Byzantine ▷ Honey Badger [5] demonstrated how BFT can be used to build
Agreements
a cryptocurrency-
○ Designates a set of servers to be in charge of reaching
consensus on the set of approved transactions
○ Bad !! not decentralized !
▷ Hybrid consensus [6,7,8] refines the approach of using the
Nakamoto consensus to periodically select a group of
participants (eg: every day), and runs a Byzantine agreement
between selected participants to confirm transactions until new
servers are selected
○ Bad !! because it is PoW based, forks are still possible !
Algorand[9]
● Big Picture ▷ Algorand is a new cryptocurrency that has properties:
● Assumptions
○ No Latency : confirms transactions with latency on the
● Procedure
order of a minute while scaling to many users.
● Tentative
Consensus
○ No Forks : ensures that users never have divergent
● Advantages views of confirmed transactions, even if some of the
● BA* protocol users are malicious and the network is temporarily
partitioned.
● Problems and
Solutions
○ uses Byzantine Agreement protocol (called BA*) to reach
consensus among users on the next set of transactions.
● Tentative ▷ Messages are signed using the private key of the sender, and
Consensus
peer selection is weighted based on how much money a peer
● Advantages has.
● BA* protocol
▷ The gossip protocol is used by users to submit new
● Problems and
Solutions transactions, and every user collects a block of pending
transactions that they hear about.
● Problems and
Solutions ○ If the network was weakly synchronous (e.g., controlled
by an adversary) then BA★ can reach tentative
consensus on two different blocks, creating a fork.
Algorand automatically repairs these by periodically
running BA★ to reach consensus on which fork to use
going forward.
Algorand
● Big Picture ▷ Unlike many proof-of-stake schemes though, malicious
● Assumptions leaders cannot create forks in the network.
● Procedure
▷ The weights are only there to ensure an attacker cannot
● Tentative amplify their power by using pseudonyms — so long as an
Consensus
attacker controls less than 1/3 of the monetary value
● Advantages Algorand can guarantee that the probability for forks is
● BA* protocol negligible.
● Problems and
Solutions
Algorand
● Big Picture ▷ The inputs to BA★ are a context capturing the current state
● Assumptions of the ledger (sortition seed, user weights, and the last
agreed-upon block), the round number, and a new proposed
● Procedure
block from the highest priority block proposer.
● Tentative
Consensus
▷ As its output, if the highest-priority block proposer was
● Advantages honest, BA★ reaches final consensus, otherwise it may
● BA* protocol declare tentative consensus.
● Problems and
Solutions
Algorand
● Big Picture ▷ Problems:
● Assumptions ○ Sybil attacks
○ Scalability
● Procedure
○ Resilience to DoS attacks
● Tentative ▷ Solutions:
Consensus
○ Weighted Users: It solves the problem of Sybil Attacks
● Advantages ○ Consensus by Committee: It solves the scalability issues.
● BA* protocol But having a committee implies targeted attacks against
committee members
● Problems and
Solutions ○ Cryptographic Sortition : prevents adversary from targeting
committee members. It selects committee members in a
private and non interactive way, but adversary may target
a member after he sends message in BA*.
○ Participant Replacement : mitigates above attack by
requiring each member to speak only once. This mitigates
DOS attacks as well.
Zcash[10]
● Zero-Knowled
ge Proofs ▷ Zcash is privacy preserving protocol designed on top of Bitcoin
● zk-SNARK ▷ Zcash enables users to do transactions without revealing source,
destination and amount.
▷ Potential application of zk-SNARK[11] for Bitcoin:
○ Lightweight Clients: Blockchain Compression
“Here’s a summary of the 24 GB Blockchain with head H”
Source :
https://www.newsinbit.com/bitcoin-blockchain-size-reaches-120gb-and-increasing/
Zcash
● Zero-Knowledge ▷ zero knowledge- Succinct Non-interactive ARgument of
Proofs
● zk-SNARK Knowledge
● Homomorphic ○ Homomorphic Hidings [12]
Hidings
○ Blind Evaluation of Polynomials [13]
● Blind
Evaluation of ○ Knowledge of Coefficient Test and Assumption [14]
Polynomials ○ Making Blind Evaluation of Polynomials Verifiable [15]
● Knowledge of ○ From Computations to Polynomials [16]
Coefficient Test
and
Assumption ▷ The following slides are based on all the blogs cited above.
● Making Blind
Evaluation of
Polynomials
Verifiable
● From
Computations
to Polynomials
Zcash
● Zero-Knowledge
Proofs ▷ Homomorphic Hiding (HH) are essentially same as blind
● zk-SNARK signature schemes which are based on discrete-log problem
● Homomorphic
Hidings ▷ An HH E(x) of a number x is a function which satisfies:
● Blind
○ Given E(x), it is hard to find x
Evaluation of
Polynomials
○ If x != y, then, E(x)!=E(y)
● Knowledge of ○ If someone knows E(x) and E(y), then one can compute
Coefficient Test E(x+y)
and
Assumption ▷ Example: E(x)=gx, for x in Z*p, a cyclic group with generator g
● Making Blind and p being prime.
Evaluation of ○ Given E(x), E(y), we can compute E(ax+by) as -
Polynomials E(ax+by) = g(ax+by) = g(ax) . g(by) = (E(x))a . (E(y))b
Verifiable
● From
Computations
to Polynomials
Zcash
● Zero-Knowledge
Proofs ▷ Polynomial P of degree d over Fp :
● zk-SNARK P(x) = a0 + a1 . x + a2 . x2 + … + ad . xd
● Homomorphic ▷ Let Alice have a polynomial P of degree d and Bob have point s
Hidings in Fp that he chooses randomly. Bob wishes to learn E(P(s))
● Blind
▷ Two Simple ways:
Evaluation of
Polynomials
○ Alice sends P to Bob, and he computes E(P(s)) by himself
● Knowledge of ○ Bob sends s to Alice, she computes E(P(s)) and sends it to
Coefficient Test Bob
and ▷ But, in Blind Evaluation Problem, we want Bob to learn E(P(s))
Assumption without learning P - which precludes the first option; and,
● Making Blind most importantly, we don't want Alice to learn s, which
Evaluation of rules out the second.
Polynomials ▷ We can do it as follows:
Verifiable
○ Bob sends to Alice the hidings E(1), E(s), …, E(sd)
● From
Computations
○ Alice computes E(P(S)) from the elements she received
to Polynomials and sends E(P(S)) to Bob
Zcash
● Zero-Knowledge
Proofs ▷ We saw in the above protocol that Alice is able to compute
● zk-SNARK E(P(S)), but it does not mean she will indeed send E(P(S)) to Bob.
● Homomorphic She can send some other value as well.
Hidings ▷ Hence we need a way to force Alice to follow the protocol. We
● Blind
achieve this by Knowledge of Coefficient (KC) Test.
Evaluation of
Polynomials
▷ The KC Test
● Knowledge of ○ For q in F*p, we call a pair (a,b) a q-pair if a,b!=0 and b=q.a
Coefficient Test ○ The test is:
and ■ Bob chooses a random q in F*p and a in Group G and
Assumption computes b=q.a
● Making Blind ■ Bob sends (a,b) the challenge pair to Alice.
Evaluation of ■ Alice must respond with a different (a’,b’) that is also
Polynomials q-pair
Verifiable
■ Bob accepts if (a’,b’) is q-pair
● From
Computations
○ Alice can do this easily by choosing c in F*p and responding
to Polynomials with (a’,b’) = (c.a,c.b)
▷ Knowledge of Coefficient Assumption (KCA): If Alice returns a
valid (a’,b’), then she knows r s.t. a’=c.a
Zcash
● Zero-Knowledge
Proofs ▷ Extended KCA:
● zk-SNARK ○ Suppose in the protocol, B sends multiple q-pairs to Alice -
● Homomorphic (a1,b1), ...., (ad,bd) and then Alice generates a different q-pair
Hidings (a’,b’)
● Blind
○ It turns out now Alice has more ways to generate (a’,b’)
Evaluation of
Polynomials
○ Alice can take any linear combination of the given d pairs,
● Knowledge of ie, choose c1, …., cd in Fp s.t.
Coefficient Test a’= (c1 . a1 + c2 . a2 + … + cd . ad)
and b’= (c1 . b1 + c2 . b2 + … + cd . bd)
Assumption ○ Extended KCA states that the above is the only way for
● Making Blind Alice to generate new q-pair.
Evaluation of ▷ Formally, suppose G is a group of size p with generator g
Polynomials written additively. The d-KCA in G is as follows:
Verifiable
▷ d-KCA: Suppose Bob chooses random q in F*p and s in Fp and
● From
Computations
sends q-pairs to Alice - (g , q.g), (s.g , qs.g), ...., (sd . g , q sd . g). If
to Polynomials Alice outputs q-pair (a’,b’), then Alice knows c0, …, cd in Fp such
that c0 s0 . g + … + cd sd . g = a’
▷ Verifiable Blind Evaluation Protocol is exactly what is described
above. Here polynomial P is P(x) = c0 . x0 + … + cd . xd
Zcash
● Zero-Knowledge
Proofs ▷ In summary, till now we have developed a protocol for
● zk-SNARK verifiable blind evaluation of a polynomial. All that remains to
● Homomorphic show is how to translate statements we want to prove and
Hidings verify to the language of polynomials.
● Blind
▷ In 2013, Gennaro, Gentry, Parno and Raykova defined an
Evaluation of
Polynomials
extremely useful translation of computations into
● Knowledge of polynomials called a Quadratic Arithmetic Program (QAP).
Coefficient Test QAPs are the basis for modern zk-SNARK construction
and used in Zcash.
Assumption
● Making Blind
Evaluation of
Polynomials
Verifiable
● From
Computations
to Polynomials
Source: https://z.cash/blog/snark-explain5.html
Conclusion
▷ Among more than 1000s of blockchains running publicly as on today, only few
have tried all together new protocols. Most of them are variants of existing
protocols, which are experimental approaches to solve the problems but we feel
more focus needs to be on solving theoretical fundamental problems first.
▷ Consensus Protocols are the first most important step towards deploying
blockchains in a practical scenario. Problems related to scalability, forks and
regulation essentially boil down to the consensus protocol being used.
▷ One of the key ideas behind bitcoin was to provide anonymity, but with time
people realized that it essentially is pseudonymous. Zero Knowledge Proofs have
opened up the possibility of achieving anonymity as well. The idea of private
blockchains was to provide anonymity and ZKPs have the potential of doing away
with their need (though governments may not like this ! ) and take us a step closer
to an ideal world of truly democratic and privacy ensuring blockchains.
▷ In our limited knowledge, till date no one has been able to come up with convincing
enough proof of concept of the blockchain they are developing. This essentially
deals with network evolution which we did not touch upon. Nonetheless, it is safe
to say that even after resolving all the other problems, this will be an essential
problem that needs to be solved for mass scale adoption of the technology.
Recent Developments - (CESC’17 at UCB)
CryptoEconomics and Security Conference
Recent Developments - (CESC’17 at UCB)
CryptoEconomics and Security Conference
Thank You !
Questions ?
Source : http://ericsammons.com/what-is-the-blockchain/
References
[1]: http://www.bankchain.org.in/
[2]: http://www.idrbt.ac.in/assets/publications/Best%20Practices/BCT.pdf
[3]: Dwork, C., Naor, M.: Pricing via processing or combatting junk mail
[4]: Dziembowski, Faust, Kolmogorov, Pietrzak: Proofs of Space
[5]: A. Miller, Y. Xia, K. Croman, E. Shi, D. Song. : The Honey Badger of BFT
protocols
[6]: A. Kiayias, I. Konstantinou, A. Russell, B. David, R. Oliynykov. :
Ouroboros: A provably secure proof-of-stake blockchain protocol.
[7]: E. Kokoris-Kogias, P. Jovanovic, N. Gailly, I. Khoffi, L. Gasser, B. Ford.
Enhancing Bitcoin security and performance with strong consistency via
collective signing
[8]:R. Pass and E. Shi. Hybrid consensus: Efficient consensus in the
permissionless model
[9]: Y Gilad, R Hemo, S Micali, G Vlachos, N Zeldovich : Algorand: Scaling
Byzantine Agreements for Cryptocurrencies
[10]: https://z.cash
References
[11]: E Ben-Sasson, A Chiesa, D Genkin, E Tromer, M Virza : SNARKs for C:
Verifying Program Executions Succinctly and in Zero Knowledge
[12]: https://z.cash/blog/snark-explain.html
[13]: https://z.cash/blog/snark-explain2.html
[14]: https://z.cash/blog/snark-explain3.html
[15]: https://z.cash/blog/snark-explain4.html
[16]: https://z.cash/blog/snark-explain5.html
Declarations and Resources
● For a complete list of references please refer to the project report.