CN111566681A - Fast and partition-resilient block chain - Google Patents


Info

Publication number: CN111566681A
Authority: CN (China)
Prior art keywords: block, entity, user, round, entities
Legal status: Pending
Application number: CN201880082615.XA
Other languages: Chinese (zh)
Inventors: 西尔维奥·米卡利 (Silvio Micali), 陈静 (Jing Chen), G·弗拉乔斯 (G. Vlachos), S·戈尔布诺夫 (S. Gorbunov)
Current assignee: Algorand Corp; Algorand Inc
Original assignee: Algorand Corp
Application filed by Algorand Corp


Abstract

In a transaction system in which transactions are organized into blocks, a new block B_r of valid transactions is constructed with respect to a series of previous blocks B_0, ..., B_{r-1} as follows: an entity determines a quantity Q based on the previous blocks; the entity uses its secret key to compute a string S uniquely associated with Q and the entity; the entity computes from S a quantity T that is S itself, a function of S and/or a hash value of S; the entity determines whether T possesses a given attribute; and if T possesses the given attribute, the entity digitally signs the hash value H of B_r and makes S, B_r and the digitally signed version of H available to others, where B_r may be proposed in a different step of round r and may be proposed again a number of times during round r, and the entity may certify the hash value H of B_r whether or not it has received block B_r.

Description

Fast and partition-resilient block chain
Cross Reference to Related Applications
This application claims priority from: US provisional application No. 62/607,558 entitled FASTER BYZANTINE AGREEMENT IN PROPAGATION NETWORKS WITH >2/3 HONEST MAJORITY filed on 19.12.2017, US provisional application No. 62/632,944 entitled ALGORAND filed on 20.2.2018, US provisional application No. 62/632,944 entitled TRANSACTION FEES IN ALGORAND [incentives and trades IN ALGORAND] filed on 3.15.3.2018, US provisional application No. 62/777,410 entitled VIRTUALBLOC LOCALKANOCOLS FOR FAECTIONIC EXCHANGE [VARTUA BLOCK COPOLOGY FOR PURICE] filed on 10.12.2018, US provisional application No. 62/777,410 entitled VIRTUALBLOCALKALINE PROTOCOLOR FOR FAECTIONIC EXCHANGE [EXCHANGE CAVIROCES PROTOCOLOR PRODUCTS] filed on 12.12.12.2018; all of these applications are incorporated herein by reference.
Technical Field
The present application relates to the field of electronic transactions, and more particularly to the field of distributed public ledgers, protecting the contents of a series of transaction blocks, and validating electronic payments.
Background
A blockchain consists of an extensible series of blocks B_1, B_2, ..., where each block consists of multiple transactions, a hash of the previous block, and other data (e.g., the index of the block, time information, etc.). Useful properties of a blockchain are: (P1) there is a unique block corresponding to each index 1, 2, ...; (P2) each user in the system eventually learns the content of each block; (P3) no one can change the content or order of the blocks; and (P4) any valid transaction eventually enters a block in the chain.
Users may digitally sign messages, and thus each user possesses at least one public key and a corresponding secret key. Typically, in a blockchain, one knows a public key but not necessarily the user who owns it. Thus, a public key is identified with its owner.
Several blockchain systems require that blocks be certified by the digital signatures of enough users in the system. In some systems, these certifying users belong to a fixed set of users; in others, they belong to a dynamically changing set. The latter is preferred because it is more difficult for an adversary to disrupt a dynamically changing set, especially if the set is not only dynamic but also unpredictable.
A particularly effective way of selecting a set of users in a verifiable but unpredictable way is the cryptographic lottery (sortition) technique described in published PCT patent application PCT/US2017/031037, which is incorporated herein by reference. Here, user i belongs to the set of users authorized to act in a certain step s during the generation of block number r based on the result of a computation performed with his secret key on the inputs s and r, and possibly on other inputs and other data about i (e.g., the fact that, for some given integer k, the user joined the system at least k blocks before block r). For example, the computation of i may involve i's digital signature on such inputs [formula image], hashing that signature [formula image], and checking whether the hash is less than a given threshold t. (Indeed, like any other string, the value of the hash may be interpreted as a number in some standard way.) In this case, the hash [formula image] is defined as i's credential for step s of block r. Such a credential proves to anyone that i is indeed entitled to generate a (preferably signed) message [formula image] (e.g., his voting message for step s of round r, i.e., of the process intended to produce block r). Indeed, i's digital signature can be checked by anyone, and anyone can hash a given value and then check whether the result is indeed less than (or equal to) the given number.
Blockchains work by propagating messages (e.g., blocks, transactions, voting messages, digital signatures, etc.). Typically, but not exclusively, messages are propagated by gossiping them in a peer-to-peer manner or via relays. Several blockchain systems require the propagation network to ensure that a message propagated by an honest user is delivered to the other honest users within a bounded delay. Some systems further require users to have (nearly) synchronized system clocks so that they propagate messages in a synchronous manner: e.g., a user enters step 2 of generating block 100 at 11:20:00 am US Eastern Standard Time, the voting messages of this step are delivered before 11:20:05 am US Eastern Standard Time, and the user then enters step 3 of block 100. Algorand's requirements are weaker: it is preferable that users' clocks run at (almost) the same speed, but the actual times displayed by the clocks may be arbitrarily far apart. A user starts his own step s of generating block r based on the messages he has received from the propagation network, and ends this step based on the messages received and on how far his own clock has advanced since he started the step.
When the propagation network meets this requirement, Algorand ensures that an adversary cannot prevent the blockchain from functioning properly (including satisfying properties P1-P4). However, this relies on the adversary not attacking the propagation network itself. Such attacks include any effort an adversary may make to break the bounded-delay delivery of messages for a sufficiently large number of users, e.g., by dividing the users into two equal-sized groups and controlling the communication channel between them, so that a message propagated by a user in group 1 may experience an indefinite delay before reaching any user in group 2.
It is therefore desirable to relax this requirement and to provide blockchains and electronic money systems that do not suffer from the inefficiencies and insecurities of known decentralized methods.
Disclosure of Invention
According to the system described herein, an entity manages a transaction system in which transactions are organized into a series of blocks that are certified by a sufficient number of verifiers' digital signatures by: if the r-th block B_r has not been certified, proposing the hash of a block B' comprising new valid transactions with respect to the list of certified blocks B_0, ..., B_{r-1}; and if the r-th block B_r has been certified by a sufficient number of other entities, proposing the hash of block B_r. A block may be certified by the entity only in response to confirming the transactions of the block and confirming that the block was constructed and propagated by an entity that has the authority to construct and propagate it. The entity may propose the hash value by digitally signing it to provide a digitally signed version of the hash value, and the entity may propagate the digitally signed version of the hash value to a network that includes other entities. If the r-th block B_r has not been certified, the entity may also digitally sign and propagate block B'. The entity may determine a quantity Q from the previous blocks, may use its secret key to compute a string S uniquely associated with Q, and may compute from S a quantity T that is S itself, a function of S and/or a hash value of S; the entity may then propose the hash value depending on whether T possesses a given attribute. S may be the signature of Q under the secret key of the entity, T may be a hash of S, and T may have the given attribute if T is less than a given threshold. The entity may be part of a network of entities, and certain ones of these entities may construct and propagate block B_r. The entity may determine that the r-th block B_r has been certified if it receives, from at least a predetermined number of entities, indications that they separately certified the hash value corresponding to the r-th block B_r.
In response to receiving indications from a predetermined number of entities that they separately certified the r-th block B_r, the entity may increment r to begin adding additional blocks to the series of blocks. A particular one of the entities may be individually selected as leader by a predetermined number of the entities. If the indications received by the entity show that at least a predetermined number of entities have separately verified that a particular one of the entities provided each of them with the hash value corresponding to the r-th block B_r, then the r-th block B_r may be determined by the entity to be certified.
Further according to the system described herein, an entity manages a transaction system in which transactions are organized into a series of certified blocks by: the entity receiving, from another entity that generated block B_r based on new valid transactions with respect to the list of certified blocks B_0, ..., B_{r-1}, a hash value for that block; the entity certifying block B_r in response to a sufficient number of other entities having indicated that they received block B_r from other entities and that the hash value for block B_r is valid; the entity, in response to an insufficient number of other entities indicating that they received block B_r from other entities, generating a new block B' based on new valid transactions with respect to the series of certified blocks B_0, ..., B_{r-1}, where B' is different from B_r; and, in response to receiving indications that a predetermined number of entities separately certified the r-th block B_r, or that a predetermined number of entities individually certified the new block B', the entity incrementing r to begin adding additional blocks to the series of blocks. The blocks may be certified by digital signatures. New blocks may be proposed by different ones of these entities until an indication is received that a predetermined number of entities individually certified a previously proposed block. The entity may provide an indication that a new block should be generated in response to the hash value for block B_r being invalid. The entity may generate a new block B' based on new valid transactions with respect to the series of certified blocks B_0, ..., B_{r-1} in response to a sufficient number of other entities providing indications that a new block should be generated.
The entity may, in response to a sufficient number of other entities having indicated that they received block B_r from other entities and that the hash value for block B_r is valid, provide an indication that the hash value of block B_r should be propagated.
Further in accordance with the system described herein, in a transaction system where transactions are organized into blocks and blocks are certified by a set of digital signatures, an entity that does not have access to the transactions in a new block B_r certifies a proposed hash value of the new block B_r with respect to a given series of blocks B_0, ..., B_{r-1} by: determining a quantity Q based on the previous blocks; computing the digital signature S of Q; computing from S a quantity T that is S itself, a function of S and/or a hash value of S; determining whether T possesses a given attribute; and if T possesses the given attribute, certifying the proposed hash value of the new block B_r, regardless of whether the proposed hash value corresponds to the new block B_r. The entity may propagate the proposed hash value of the new block B_r before receiving the new block B_r.
In further accordance with the system described herein, in a transaction system where transactions are organized into blocks, an entity constructs a new block B_r of valid transactions with respect to a series of previous blocks B_0, B_1, ..., B_{r-1} by: determining a quantity Q based on the previous blocks; using its secret key to compute a string S uniquely associated with Q; computing from S a quantity T that is S itself, a function of S and/or a hash value of S; determining whether T possesses a given attribute; and if T possesses the given attribute, computing the hash value H of B_r, digitally signing H, and making S, B_r and the digitally signed version of H available to others. The secret key may be a secret signing key corresponding to the entity's public key, and S the entity's digital signature on Q. T may be the binary expansion of a number and satisfies the given property when T is less than a given number p. S may be made available by enabling S to be inferred from B_r. Each user may have a balance in the transaction system, and p for each user may vary according to the balance of that user.
Further in accordance with the system described herein, selecting a subset of users in a blockchain system to certify a data string m with respect to a series of previous blocks B_0, ..., B_{r-1} includes: having at least some of the users determine a quantity Q from the previous blocks; having at least some of these users compute a digital signature S of Q and other information; having at least some of the users determine a hash value of that digital signature; having at least some of the users compare the hash value to a predetermined threshold; and having the subset of the users for each of whom the hash value is below the predetermined threshold digitally sign m and other information and make S and the digitally signed version of m available to others. The digital signature may be accepted as a credential if the hash value is below the predetermined threshold. Each user may have a balance in the transaction system, and the predetermined threshold for each user may vary depending on the balance of that user. The predetermined threshold for each user may be selected such that the subset of the users contains a minimum number of users. The data string m may be the hash value of a new block B_r. The data string m may be certified by at least a given number of credentialed signatures of m.
Further in accordance with the system described herein, selecting a subset of users in a blockchain system to certify a new block B_r with respect to a series of previous blocks B_0, ..., B_{r-1} includes: having at least some of the users determine a quantity Q from the previous blocks; having at least some of these users compute a digital signature S of Q and other information; having at least some of the users determine a hash value of that digital signature; having at least some of the users compare the hash value to a predetermined threshold; having the subset of the users for each of whom the hash value is below the predetermined threshold determine that B_r is valid with respect to B_0, ..., B_{r-1}; and having the subset of the users digitally sign the hash value H of B_r and other information and make S and the digitally signed version of H available to others. A particular one of these users may digitally sign the new block B_r only if that user has verified the information provided in the new block B_r. Each user may have a balance in the transaction system, and the predetermined threshold for each user may vary depending on the balance of that user. The predetermined threshold for each user may be selected such that the subset of the users contains a minimum number of users. Block B_r may be certified by at least a given number H of credentialed signatures from users that have determined that B_r is valid with respect to B_0, ..., B_{r-1}.
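The credential computation described in the Background (S = a signature on Q, r and s; T = H(S) compared to a per-user threshold) and the certification of a block hash by a given number of credentialed signatures, as one added example in Go. It is not the patent's or Algorand's code; it assumes Ed25519 as the signature scheme, SHA-256 as the hash, Q given as a byte string, and a threshold proportional to the user's balance (the field names, `expected`, and the fixed demo seeds are constructed for this example).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Credential proves a user was drawn for (round r, step s): S = SIG_sk(Q, r, s) plus the
// public key needed to check S. Caveat: Ed25519 signing is deterministic for an honest
// signer but not a unique-signature scheme; a deployment needs a VRF or unique signature
// so that a dishonest user cannot try many different valid S for the same Q.
type Credential struct {
	Pub ed25519.PublicKey
	Sig []byte // the string S
}

// sortitionMessage binds the draw to the quantity Q, the round r and the step s.
func sortitionMessage(q []byte, r, s uint64) []byte {
	msg := append([]byte{}, q...)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], r)
	msg = append(msg, buf[:]...)
	binary.BigEndian.PutUint64(buf[:], s)
	return append(msg, buf[:]...)
}

// threshold is the per-user number p (assumption): the share expected*balance/total of the
// 256-bit hash space, so richer users are drawn more often and about `expected` are drawn.
func threshold(balance, total, expected uint64) *big.Int {
	p := new(big.Int).Lsh(big.NewInt(1), 256)
	p.Mul(p, new(big.Int).SetUint64(balance))
	p.Mul(p, new(big.Int).SetUint64(expected))
	return p.Div(p, new(big.Int).SetUint64(total))
}

// hashToInt is T = H(S) interpreted as a number.
func hashToInt(s []byte) *big.Int {
	h := sha256.Sum256(s)
	return new(big.Int).SetBytes(h[:])
}

// Draw computes S and T for the user and reports whether T < p, i.e. the user is selected.
func Draw(priv ed25519.PrivateKey, q []byte, r, s, balance, total, expected uint64) (Credential, bool) {
	cred := Credential{Pub: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, sortitionMessage(q, r, s))}
	return cred, hashToInt(cred.Sig).Cmp(threshold(balance, total, expected)) < 0
}

// Verify lets anyone check a credential: S must be a valid signature on (Q, r, s) under the
// claimed public key, and H(S) must be below that user's threshold.
func Verify(c Credential, q []byte, r, s, balance, total, expected uint64) bool {
	if !ed25519.Verify(c.Pub, sortitionMessage(q, r, s), c.Sig) {
		return false
	}
	return hashToInt(c.Sig).Cmp(threshold(balance, total, expected)) < 0
}

// Vote is a credentialed signature on the block hash H; the voter need not hold B itself.
type Vote struct {
	Cred Credential
	SigH []byte
}

func MakeVote(priv ed25519.PrivateKey, cred Credential, h [32]byte) Vote {
	return Vote{Cred: cred, SigH: ed25519.Sign(priv, h[:])}
}

// CountCertificate returns how many distinct, validly credentialed users signed h; a
// certificate for the block exists once this count reaches the required number.
func CountCertificate(votes []Vote, h [32]byte, q []byte, r, s uint64, stake map[string]uint64, total, expected uint64) int {
	seen := map[string]bool{}
	for _, v := range votes {
		id := string(v.Cred.Pub)
		bal, known := stake[id]
		if !known || seen[id] {
			continue // unknown account, or a second vote from the same user
		}
		if !Verify(v.Cred, q, r, s, bal, total, expected) {
			continue // not drawn for this (Q, r, s), or a forged credential
		}
		if !ed25519.Verify(v.Cred.Pub, h[:], v.SigH) {
			continue // valid credential, but the vote is not on this hash
		}
		seen[id] = true
	}
	return len(seen)
}

func main() {
	q, h := []byte("constructed seed Q from B_0..B_{r-1}"), sha256.Sum256([]byte("constructed block B_r"))
	stake, votes := map[string]uint64{}, []Vote{}
	for i := byte(1); i <= 10; i++ { // fixed demo seeds, constructed for this example only
		priv := ed25519.NewKeyFromSeed(append([]byte{i}, make([]byte, ed25519.SeedSize-1)...))
		stake[string(priv.Public().(ed25519.PublicKey))] = 1
		if cred, ok := Draw(priv, q, 7, 2, 1, 10, 10); ok {
			votes = append(votes, MakeVote(priv, cred, h))
		}
	}
	fmt.Println("credentialed signatures on H(B_r):", CountCertificate(votes, h, q, 7, 2, stake, 10, 10))
}
```

With unit balances and `expected` equal to the number of users, p is the whole hash space and every user is drawn; the test below also checks that a credential for round 7 does not verify for round 8 and that a tampered credential does not count.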
Further in accordance with the system described herein, computer software disposed in a non-transitory computer readable medium includes executable code that implements any of the steps described herein.
The present invention eliminates the need for bounded message delay on the propagation network in order to certify a new block securely. A new block is first prepared (e.g., proposed, propagated, and/or agreed upon by at least some users), and then certified. A user who has received a newly constructed block, the hash value of the new block, and/or credentialed signatures within a desired time interval continues to verify and/or certify the new block. However, we want to certify new blocks even when messages travelling in the network may be delayed indefinitely. The certification of a block B ensures that certain valuable properties hold for that block. A typical main property is to enable a user (even one who has not participated in or observed the preparation of block B) to determine that block B has been added to the blockchain, or even that B is the r-th block in the blockchain. Another valuable property, commonly referred to as finality, ensures that B will not disappear from the blockchain due to a soft fork, even in the presence of partitions in the communication network on which the blockchain protocol is executed. A partition of the network may divide users into groups such that messages travelling from one group do not reach users in the other groups. A partition may be resolved after an arbitrarily long time, after which the network again guarantees message delivery within a bounded delay.
Assume that block B has been prepared in some way and in some number of steps. It takes time, effort and the verification of each piece of evidence to prepare a block properly. The certificate of B consists of a given number of digital signatures of users with valid credentials. This certificate of B guarantees that the users who generated these signatures participated in or observed the preparation of B. At a minimum, the certificate guarantees that if one of its digital signatures was generated by an honest user, that user has checked that B was properly prepared.
In the system described herein, when a user is targeting a previous tile B0,...,Br-1When properly prepared to collect evidence for one B of the r-th tile in the blockchain, the user can do so with respect to B if he has evidence that B's certificate has not yet been generated in the system0,...,Br-1A new block B' is constructed and proposed as the r-th block in the block chain. The user proposes B' by: according to thisDetermining the quantity Q of the previous blocks; calculating a string S uniquely associated with Q using the secret key; the quantity T is calculated from S as: s itself, a function of S and/or a hash value of S; determining whether T possesses a given attribute; and if T possesses the given attribute, computing a hash value H ' of B ', digitally signing H ', and making the digital signature available to other S, B ' and digitally signed versions of H '. The secret key may be a secret signing key corresponding to the entity 'S public key, and S is the entity' S digital signature on Q. T may be a binary extension of a number and satisfies a given property when T is less than the given number p. S can be made available by enabling S to be inferred from B'. Each user may have a balance in the transaction system, and p for each user may vary according to the balance of each user.
In the system described herein, when a user has collected evidence that a block B has been properly prepared as the r-th block in the blockchain, relative to the previous blocks B_0, ..., B_{r-1}, the user may re-propose B as the r-th block in the blockchain if he has evidence that the certificate for B may have been generated in the system but is not yet available to him. The user may re-propose B even if B itself has not been received, provided that a given number of digital signatures, from users with valid credentials, verifying the hash value of B have been received. The user re-proposes B by: determining a quantity Q based on the previous blocks; computing a string S uniquely associated with Q using a secret key; computing a quantity T from S as S itself, a function of S, and/or a hash value of S; determining whether T possesses a given attribute; and, if T possesses the given attribute, digitally signing the hash value H of B and making S and the digital signature of H available to others. The secret key may be a secret signing key corresponding to the entity's public key, and S is then the entity's digital signature on Q. T may be the binary expansion of a number and satisfies the given attribute when T is less than a given number p. S can be made available by enabling S to be inferred from B'. Each user may have a balance in the transaction system, and p for each user may vary according to the balance of that user.
During the generation of the r-th block of the blockchain, the proposing of a new block and the re-proposing of an existing block may occur an unlimited number of times and may be performed by different users. Block B may have more than one certificate, generated in asynchronous steps. However, during the generation of the r-th block of the blockchain, there is one and only one block that has a certificate and is therefore considered by the users to be the r-th block of the blockchain.
The efficiency of the system described herein derives from the following facts. First, user i may verify and/or re-propose the hash value of block B before receiving B itself. Second, a new block B' may be proposed as the r-th block before all users have collected evidence that no certificate was generated in the system for the previously proposed block B as the r-th block. In fact, B' may be proposed as soon as one user has collected such evidence. Third, the previously proposed block B may be re-proposed as the r-th block in the blockchain before all users have collected evidence that the certificate for B may have been generated in the system but is not available to all users. In fact, B can be re-proposed as soon as one user has collected such evidence.
Evidence may consist of a properly formed set of credentialed signatures verifying a data string m. Evidence for different purposes may consist of different numbers of signatures. The security of the system described herein results from the appropriate selection of the predetermined thresholds against which a user compares the hash value of his signature when verifying different data strings, and from the appropriate selection of the number of signatures sufficient to form evidence for different purposes. Let p be, for example, the maximum fraction of malicious users in the system. Typically, malicious users are in the minority, e.g., p < 1/3. The predetermined threshold t and the number n of signatures sufficient to form a block's certificate may then be selected such that, with sufficiently high probability, (a) for any possible block value B there are n or more credentialed signatures of honest users available to form B's certificate, and (b) in any certificate of B, more than 2/3 of the credentialed signatures belong to honest users.
The system described herein is agnostic as to whether or not ephemeral keys are used in the blockchain: when a user proposes a new block, re-proposes an existing block, or verifies a data string, the user may use a long-term secret key to generate a credential signature (where the key may be reused for the life of the system), or an ephemeral secret key (where a key is used only once), or a combination of long-term and ephemeral keys.
As part of the system described herein, user i may have not only a credential signature for participating in the generation of a block, but a weighted credential signature (essentially a credential signature associated with multiple votes). In fact, the weight of i's credential signature for participating in block generation may depend on how much currency i has in the system. In practice, rather than giving all users a single predetermined threshold t for participating in block generation, each user i may have its own threshold t_i, where the higher the amount of currency held by i, the higher its threshold. User i may also have different thresholds for participating in block generation in different ways (e.g., proposing a new block, re-proposing a block, or verifying a data string m of a particular format). For simplicity, but without intended limitation, the system will continue to be described by treating a credentialed user i with weight n as n users, each having a credential signature of weight 1.
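As an added numerical illustration, not part of the patent text, the following Python evaluates the two conditions (a) and (b) above under an assumed model in which each credentialed signature independently belongs to a malicious user with probability p, and each of the N users independently obtains a credential with probability tau (the probability implied by the threshold t); both modeling assumptions are ours.

```python
import math


def binom_pmf(n: int, k: int, q: float) -> float:
    """P[Binomial(n, q) = k], computed in log space so large n does not overflow."""
    if q <= 0.0:
        return 1.0 if k == 0 else 0.0
    if q >= 1.0:
        return 1.0 if k == n else 0.0
    log_p = (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
             + k * math.log(q) + (n - k) * math.log1p(-q))
    return math.exp(log_p)


def certificate_failure_prob(n: int, p: float) -> float:
    """Condition (b) fails when malicious signatures are >= n/3 of a certificate of n
    signatures, i.e. honest signatures are NOT more than 2/3 of the certificate.
    Assumed model: each signature is malicious independently with probability p."""
    m_min = -(-n // 3)  # ceil(n / 3): smallest malicious count that breaks 'more than 2/3 honest'
    return sum(binom_pmf(n, m, p) for m in range(m_min, n + 1))


def min_certificate_size(p: float, target: float, n_max: int = 2000) -> int:
    """Smallest certificate size n whose failure probability under (b) is below target."""
    for n in range(1, n_max + 1):
        if certificate_failure_prob(n, p) < target:
            return n
    raise ValueError("no certificate size below n_max meets the target")


def honest_shortfall_prob(N: int, p: float, tau: float, n: int) -> float:
    """Condition (a) fails when fewer than n honest users hold a credential.
    Assumed model: N*(1-p) honest users, each credentialed independently with probability tau."""
    honest = int(N * (1.0 - p))
    return sum(binom_pmf(honest, k, tau) for k in range(0, min(n, honest + 1)))


if __name__ == "__main__":
    # Constructed parameters: at most 20% malicious users, 10,000 users, tau = 5%.
    n = min_certificate_size(0.2, 1e-6)
    print("certificate size for (b) at 1e-6:", n)
    print("P[fewer than n honest credentials]:", honest_shortfall_prob(10_000, 0.2, 0.05, n))
```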
In the following, after a quick recall of the conventional Algorand system, an example of a preferred embodiment is provided on the basis of Algorand, without any intended limitation.
Drawings
Embodiments of the system described herein are explained in more detail with reference to the figures of the accompanying drawings, which are briefly described below.
Fig. 1 is a schematic representation of a network and computing stations according to an embodiment of the system described herein.
Fig. 2 is a schematic and conceptual summary of the first step of the Algorand system, in which a new block of transactions is proposed.
Fig. 3 is a schematic and conceptual summary of the agreement and validation of new blocks in the Algorand system.
Fig. 4 is a schematic diagram showing a Merkle tree and the authentication path of the value contained in one of its nodes.
Fig. 5 is a schematic diagram showing the 8 Merkle trees corresponding to the first 8 blocks constructed in a block tree.
FIG. 6 is a schematic representation of a partitioned network and computing stations according to an embodiment of the system described herein.
Detailed Description
The system described herein provides a mechanism for distributed transaction verification and propagation such that no entity is solely responsible for performing computations to verify and/or propagate transaction information. Instead, each of the participating entities shares in computing that is performed in a verifiable and reliable manner to propagate the transaction.
Referring to FIG. 1, a diagram 20 shows a plurality of computing workstations 22a-22c connected to a data network 24, such as the Internet. The workstations 22a-22c communicate with each other via the network 24 to provide distributed transaction propagation and verification, as described in more detail elsewhere herein. The system may accommodate any number of workstations capable of providing the functionality described herein, so long as the workstations 22a-22c are capable of communicating with each other. Each of the workstations 22a-22c may independently perform processing to propagate the transaction to all other workstations in the system and verify the transaction, as described in more detail elsewhere herein.
Fig. 2 summarizes, diagrammatically and conceptually, the first step of the r-th round in the Algorand system, in which each of several selected users proposes its own candidate for the r-th block. Specifically, this step begins with the users a, ..., z in the system individually undergoing a secret cryptographic sortition process that decides which users are selected to propose a block, and in which each selected user secretly computes a credential proving that it is entitled to produce a block. Only users b, d and h are selected to propose blocks; their respectively computed credentials are shown in the figure. Each selected user i assembles its own proposed block (shown in the figure), ephemerally signs it (i.e., digitally signs it with an ephemeral key, as explained later), and propagates it to the network together with its own credential. The leader of the round is the selected user whose credential has the smallest hash. The figure indicates that the leader is user d. Thus, the block proposed by user d is the block to be given as input to the Byzantine agreement protocol.
Fig. 3 summarizes, diagrammatically and conceptually, the process by which Algorand agrees on, and validates, a proposed block as the official r-th block B^r. Since the first step of Algorand consists of proposing new blocks, this process starts with the second step, which in fact coincides with the first step of Algorand's preferred Byzantine Agreement protocol BA. Each step in this protocol is performed by a different "committee" of participants, randomly selected by secret cryptographic sortition (not shown in the figure). Thus, the users selected to perform each step may be quite different. The number of steps of BA may vary. Fig. 3 depicts a BA involving 7 steps, from step 2 through step 8 of Algorand. The users selected to perform step 2 are a, e and q. Each such user i propagates to the network its credential (shown in the figure), which proves that i is indeed entitled to send a message in step 2 of the r-th round of Algorand, together with its message for this step (shown in the figure), which is ephemerally signed. Steps 3 to 7 are not shown. In the final step 8, the figure shows that the selected users b, f and x, having agreed that B^r is the official block of the r-th round, propagate their own ephemeral signatures of B^r (these signatures together validate B^r) and their own credentials, thereby proving that they are entitled to act in step 8.
Fig. 4 schematically illustrates a Merkle tree and one of its authentication paths. In particular, Fig. 4.A shows a complete Merkle tree of depth 3. Each node x (where x is represented by a binary string of length at most 3) stores a value v_x. If the length of x is at most 2, then v_x = H(v_{x0}, v_{x1}). For the Merkle tree of Fig. 4.A, Fig. 4.B shows the authentication path of the value v_010.
Fig. 5 schematically shows the 8 Merkle trees corresponding to the first 8 blocks constructed in a block tree built within a complete binary tree of depth 3. In Fig. 5.i, the nodes marked by an integer belong to the Merkle tree T_i. The contents of the nodes marked by i (respectively, by 1) are temporary (respectively, permanent).
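As an added illustration, not part of the patent's own description, the following Python builds the depth-3 Merkle tree of Fig. 4.A over constructed leaf values, produces the authentication path of v_010 shown in Fig. 4.B, and checks it by recomputing the root; instantiating H with SHA-256 is an assumption.

```python
import hashlib


def H(*parts: bytes) -> bytes:
    """The hash function H of Section 2.1, instantiated here with SHA-256 (256-bit output)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


def build_tree(leaf_values, depth: int = 3) -> dict:
    """Complete Merkle tree of the given depth, as in Fig. 4.A.
    A node x is a binary string of length <= depth.  Leaves (|x| = depth) store the
    given values; every internal node stores v_x = H(v_{x0}, v_{x1}).  The root is x = ''."""
    if len(leaf_values) != 1 << depth:
        raise ValueError("need exactly 2^depth leaves")
    v = {format(i, f"0{depth}b"): val for i, val in enumerate(leaf_values)}
    for length in range(depth - 1, -1, -1):          # fill levels bottom-up
        for i in range(1 << length):
            x = format(i, f"0{length}b") if length else ""
            v[x] = H(v[x + "0"], v[x + "1"])
    return v


def authentication_path(v: dict, x: str) -> list:
    """Sibling values of the nodes on the path from x up to the root, leaf end first
    (for x = '010' this is v_011, v_00, v_1, the path of Fig. 4.B)."""
    return [v[x[:k - 1] + ("1" if x[k - 1] == "0" else "0")] for k in range(len(x), 0, -1)]


def verify_path(root: bytes, x: str, value: bytes, path: list) -> bool:
    """Recompute the root from the claimed v_x and its authentication path.
    The side on which each sibling is hashed is taken from the bits of x itself."""
    if len(path) != len(x):
        return False
    cur = value
    for step, k in enumerate(range(len(x), 0, -1)):
        sib = path[step]
        cur = H(cur, sib) if x[k - 1] == "0" else H(sib, cur)
    return cur == root


# Constructed sample input: 8 leaf values standing for the hashes of 8 transactions.
SAMPLE_LEAVES = [H(f"tx-{i}".encode()) for i in range(8)]


def demo() -> bool:
    """Build the tree, authenticate v_010 against the root, and reject a tampered value."""
    v = build_tree(SAMPLE_LEAVES)
    path = authentication_path(v, "010")
    ok = verify_path(v[""], "010", v["010"], path)
    tampered = verify_path(v[""], "010", H(b"forged leaf"), path)
    return ok and not tampered


if __name__ == "__main__":
    print("authentication path of v_010 verifies and tampering is detected:", demo())
```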
The description herein focuses on transactions as payments and on describing the system herein as a currency platform. Those skilled in the art will recognize that the system described herein may also process a variety of transactions.
The system described herein has a very flexible design and can be implemented in various but related ways. The flexibility is demonstrated by detailing two possible embodiments of the overall design of the system. From these two possible embodiments, a person skilled in the art will also know how to arrive at various other embodiments.
To facilitate an understanding of the present invention and to allow internal cross-referencing of its various parts, its presentation is organized in numbered and titled sections. The first section is common to both detailed embodiments.
1 Introduction
Currency is becoming more and more virtual. It is estimated that about 80% of the dollars today exist only as ledger entries. Other financial instruments follow it as well.
In an ideal world, in which we could rely on a universally trusted central entity (immune to all possible cyber attacks), money and other financial transactions could be fully electronic. Unfortunately, we do not live in such a world. Therefore, distributed cryptocurrencies such as Bitcoin and "smart contract" systems such as Ethereum have been proposed. At the heart of these systems is a shared ledger that reliably records, in a tamper-proof way, a series of transactions as varied as payments and contracts. The preferred technique for ensuring such tamper resistance is the blockchain. Blockchains support applications such as cryptocurrencies, financial applications, and the Internet of Things. Several techniques have been proposed to manage blockchain-based ledgers: proof of work, proof of stake, practical Byzantine fault tolerance, or some combination thereof.
However, at present, the ledger is managed inefficiently. For example, bitcoin's proof-of-work method requires a large amount of computation, is wasteful, and scales poorly. In addition, it in fact concentrates power in very few hands.
It is therefore desirable to propose a new approach to implementing public ledgers that provides the convenience and efficiency of a centralized system run by trusted and non-infringeable institutions without the inefficiencies and weaknesses of current decentralized implementations. We call our own method Algorand because we use algorithmic randomness to select the set of verifiers responsible for building the next block for a valid transaction based on the ledger built so far. We naturally ensure that this choice is provably manipulation-free and unpredictable up to the last minute, and that this choice will eventually be universally unambiguous.
The Algorand method is rather democratic in the sense that it does not in principle and in fact create different categories of users (such as "miners" and "ordinary users" in bitcoin). In Algorand, "all rights belong to the set of all users".
One notable attribute of Algorand is that its transaction history may diverge only with very small probability (e.g., one part per trillion, or even 10^-18). Algorand may also address some legal and political issues.
The Algorand method applies to block chains and, more generally, to any method of generating a tamper-resistant series of blocks. In fact, a new approach is proposed that can have independent benefits-an alternative to blockchains and is more efficient than blockchains.
1.1 Bitcoin's assumptions and technical problems
Bitcoin is a very clever system and has motivated a great deal of follow-up research. However, bitcoin also has problems. Let us summarize the underlying assumptions and technical problems of bitcoin; in fact, substantially all cryptocurrencies based on proof of work (e.g., bitcoin) share these problems.
To this end, it suffices to recall the following: in bitcoin, a user may possess multiple public keys of a digital signature scheme; money is associated with a public key; and a payment is a digital signature that transfers an amount of money from one public key to another. Bitcoin organizes substantially all processed payments into a blockchain B_1, B_2, ... (each block consists of multiple payments), such that all payments of B_1 (in any order) followed by all payments of B_2 (in any order), etc., constitute a series of valid payments. Each block is generated, on average, every 10 minutes.
This series of blocks is a chain in that it is structured to ensure that any change (even in a single block) propagates to all subsequent blocks, making it easier to discover any change to the payment history. (As will be seen, this is accomplished by including a cryptographic hash of the previous block in each block.) This block structure is called a blockchain.
Assumption: honest majority of computing power. Bitcoin assumes that no malicious entity (nor a coalition of cooperating malicious entities) controls the majority of the computing power devoted to block generation. In fact, such an entity would be able to modify the blockchain and thus rewrite the payment history as it wished. In particular, such an entity could make a payment,
obtain the benefit paid for, and then "erase" any trace of that payment.
Technical problem 1: computational waste. Bitcoin's proof-of-work method for block generation requires a very large amount of computation. Currently, with only hundreds of thousands of public keys in the system, the 500 most powerful supercomputers can only aggregate 12.8% of the total computing power required by bitcoin participants. This amount of computation will increase significantly if significantly more users join the system.
Technical problem 2: today, users trying to create new blocks using ordinary desktop computers (let alone cell phones) are expected to lose money because of the excessive amount of computation required. In fact, for computing a new block with a common computer, the expected cost of the electricity needed to power the computation outweighs the expected return. Only by using a pool of specially built computers that do nothing other than "mine new blocks" can one expect to profit from generating new blocks. Thus, in fact, there are two disjoint categories of users today: ordinary users who only make payments, and specialized mining pools that only search for new blocks.
Therefore, it should not be surprising that, as of lately, the total computational power for block generation resides in only five pools. In this situation, the assumption that the majority of the computing power is honest becomes less credible.
Technical problem 3: ambiguity. In bitcoin, the blockchain is not necessarily unique. In fact, the latest part of the blockchain is often forked: according to one user the blockchain may be, for example, B_1, ..., B_k, B'_{k+1}, B'_{k+2}, and according to another user it may be B_1, ..., B_k, B''_{k+1}, B''_{k+2}, B''_{k+3}. Only after a few more blocks have been added to the chain can it be reasonably determined that the first k+3 blocks are the same for all users. Therefore, the payments contained in the last block of the chain cannot be immediately relied upon. It is more prudent to wait and observe whether a block becomes deep enough, and therefore stable enough, in the blockchain.
Law enforcement and monetary policy issues have also attracted attention with respect to bitcoin.
1.2 Algorand, briefly
The environment. Algorand works in a very hard environment. In short,
(a) even in a completely unlicensed environment, Algorand works efficiently and securely, in which any number of users are allowed to join the system at any time, without any review or license of any kind. Of course, Algorand works even better in licensed environments.
(b) Algorand withstands very powerful adversaries, which can
(1) corrupt any users they want at any instant of time, provided that, in an unlicensed environment, 2/3 of the currency in the system belongs to honest users. (In a licensed environment, regardless of currency, it suffices that 2/3 of the users are honest.)
(2) Fully controlling and perfectly coordinating all broken users; and
(3) schedule the delivery of all messages, provided that each message m sent by an honest user reaches all (or sufficiently many) honest users within time λ_m (which depends only on the size of m).
The main attribute is that, despite the presence of strong enemies, in Algorand,
the amount of computation required is minimal. Essentially, no matter how many users are present in the system, each of 1,500 users must perform at most a few seconds of computation.
New blocks are generated quickly and will in fact never leave the blockchain. That is, Algorand's blockchain diverges with only negligible probability (i.e., less than one part per billion, or 10^-18). Thus, users may rely on the payments contained in a new block immediately after it appears.
All power belongs to the users themselves. Algorand is a truly distributed system. Specifically, there is no external entity (such as the "miners" in bitcoin) that can control which transactions are recognized.
Algorand's technique.
1. Algorand generates a new block via an inventive cryptographic binary Byzantine Agreement (BA) protocol BA. Protocol BA not only satisfies some additional attributes (which will be discussed shortly), but is also very fast. Roughly speaking, the binary-input version of the protocol consists of a 3-step loop in which participant i sends a single message m_i to all other participants. Executed in a complete and synchronous network in which more than 2/3 of the participants are honest, the protocol reaches consensus after each loop with probability > 1/3. (We emphasize that protocol BA satisfies the original definition of Byzantine agreement without any weakening.)
In different communication models, Algorand agrees on each new block using this binary BA protocol. The agreed upon block is then validated via a prescribed number of digital signatures by the appropriate verifier and propagated through the network.
2. Protocol BA, although very fast, would benefit from being even faster when run by millions of users. Hence, Algorand selects the participants of BA as a much smaller subset of the set of all users. To avoid a concentration of power of a different kind, each new block B^r is constructed and agreed upon via an execution of BA by a separately selected set of verifiers SV^r. In principle, selecting such a set may be as difficult as selecting B^r directly. This potential problem is addressed by a novel approach called secret cryptographic sortition. Sortition is the random selection of officials from a larger set of eligible individuals. (Sortition has been practiced across the centuries, e.g., by the republics of Athens, Florence and Venice; in modern judicial systems, random selection is often used to choose juries.) However, obtaining the random coins needed to select the members of SV^r is problematic. Thus, resort is made to cryptography in order to select each set of verifiers from the population of all users in a manner that is guaranteed to be automatic (i.e., requiring no message exchange) and random. In a similar manner, the leader responsible for proposing a new block B^r and the set of verifiers SV^r responsible for agreeing on the block proposed by the leader are selected. The system of the invention makes use of a certain piece of information Q^{r-1}, which can be inferred from the content of the previous block and is not manipulable even in the presence of very powerful adversaries.
3. The quantity (seed) Q^r, together with the last block B^{r-1} in the blockchain, is used to automatically determine the next verifier set and the leader responsible for building the new block B^r. The challenge with this approach is that a strong adversary could gain great control over the next leader merely by choosing slightly different payments in the previous round. Even controlling only 1/1000 of the participants/currency in the system, a strong adversary could ensure that all leaders are malicious. (See the Intuition section 4.1.) This challenge is at the heart of the proof-of-stake approach and, to our knowledge, had not been satisfactorily addressed to date.
To address this challenge, a separate and carefully defined quantity Q^r is purposefully constructed and continually updated; this quantity is not only provably unpredictable to a strong adversary but also not influenceable by it. Q^r may be called the r-th seed, since Algorand selects, via secret cryptographic sortition based on Q^r, all users that will play a special role in the generation of the r-th block. The seed Q^r can be derived from block B^{r-1}.
4. To randomly and explicitly select the verifier set and the leader responsible for building the new block B^r, using the current last block B^{r-1} is not sufficient. Since B^{r-1} must be known before B^r is generated, the last non-influenceable quantity Q^{r-1} derivable from B^{r-1} must also be known, and thus so are the verifiers and the leader responsible for computing block B^r. Thus, a strong adversary could corrupt all verifiers and the leader before they act with respect to B^r, gaining full control of the block they certify.
To prevent this problem, the leader (and indeed each verifier as well) learns its role in secret, but can compute a proper credential proving to everyone that it actually has that role. When a user privately realizes that he is the leader for the next block, he first secretly assembles his own proposed new block and then disseminates it together with his own credential (so that validation can occur). In this way, although an adversary will immediately realize who the leader of the next block is, and although the adversary can immediately corrupt him, it is too late for the adversary to influence the selection of the new block. In fact, an adversary cannot "call back" the leader's messages, any more than a powerful government could put back into the bottle a message virally spread by WikiLeaks.
As will be seen, there is no guarantee that the leader is unique nor that everyone be sure who is the leader, including the leader himself! However, in Algorand, a clear progression will be guaranteed.
5. After proposing the new block, the leader may also "die" (or be corrupted by an adversary), because the leader's work is done. However, for the verifiers in SV^r the matter is not so simple. In fact, the verifiers who certify the new block B^r with enough signatures must first run a Byzantine agreement on the block proposed by the leader. The problem is that, regardless of efficiency, BA requires multiple steps and more than 2/3 honesty among its participants. This is a problem because, for efficiency reasons, the participants of BA consist of a small set SV^r randomly selected from the set of all users. Thus, a strong adversary, while unable to corrupt 1/3 of all users, may nonetheless corrupt all members of SV^r!
Fortunately, it will be proved that protocol BA, executed by propagating messages in a peer-to-peer fashion, is participant-replaceable. This novel requirement means that the protocol correctly and efficiently reaches consensus even if each of its steps is executed by a totally new, and randomly and independently selected, set of participants. Thus, with millions of users, each small set of participants associated with a step of BA most likely has an empty intersection with the next set.
In addition, the sets of participants at different steps of BA will likely have totally different cardinalities. Furthermore, the members of each set do not know who the participants of the next set will be, and do not secretly pass any internal state to them.
In fact, the properties of the replaceable participant are crucial to defeat the dynamic and very powerful adversary envisaged. It is believed that the protocol of the alternate participants will prove crucial in many contexts and applications. In particular, the protocol of these alternative participants will be crucial for securely executing small sub-protocols embedded in a larger domain of participants in the case of dynamic adversaries, which can only destroy a small part of the total participants without destroying all the participants in the smaller sub-protocols.
Additional attributes/techniques: lazy honest users follow their prescribed instructions including being online and running the protocol. Since Algorand has only modest computational and communication requirements, running the protocol "in the background" while online is not a major sacrifice. Of course, some "absence" of honest participants (such as those due to sudden loss of connection or need for reboot) is automatically tolerated (as this may always treat a small number of participants as temporarily malicious). However, it should be noted that Algorand can be simply adapted to work in a new model where honest users are mostly offline. A new model can formally be introduced as follows.
Roughly speaking, i is lazy but honest if (1) when user i is required to participate in a protocol, he follows all of his prescribed instructions and (2) he is rarely required to participate in a protocol and sends appropriate notifications in advance.
With this loose honesty concept we can be even more confident that honest people will be present when we need them, while Algorand guarantees that, in this case,
the system operates safely even if at a given point in time, most of the participating participants are malicious.
2 preliminary knowledge
2.1 Cryptographic primitives
We will rely on an efficiently computable cryptographic hash function H that maps arbitrarily long strings to fixed-length binary strings. Following a long tradition, H is modeled as a random oracle: essentially, a function that maps each possible string s to a randomly and independently selected (and then fixed) binary string H(s) of the chosen length.
In the described embodiment, H has a 256-bit output. In practice, this length is short enough for the system to be efficient and long enough for the system to be secure. For example, it is desirable that H be collision-resistant. That is, it should be hard to find two different strings x and y such that H(x) = H(y). When H is a random oracle with 256-bit output, finding any such pair of strings is indeed hard. (Random attempts relying on the birthday paradox would require 2^{256/2} = 2^{128} trials.)
Digital signatures allow users to mutually authenticate information without sharing any secret key. The digital signature scheme consists of three fast algorithms: a probabilistic key generator G, a signature algorithm S and a verification algorithm V.
Given the security parameter k (a sufficiently large integer), user i uses G to generate a pair of k-bit keys (i.e., strings): a public key pk_i and a matching "secret" signing key sk_i. It is crucial that the public key does not "leak" its corresponding secret key. That is, even given knowledge of pk_i, no one other than i can compute sk_i in less than astronomical time.
User i digitally signs a message using sk_i. For each possible message (binary string) m, i first hashes m and then runs algorithm S on the inputs H(m) and sk_i to produce a k-bit string sig_{pk_i}(m) (the formula is shown in the figure).
The binary string sig_{pk_i}(m) is called the digital signature of i on m (relative to pk_i), and when the public key pk_i is clear from context it may be written more simply as sig_i(m).
Anyone who knows pk_i can use it to verify the digital signatures produced by i. Specifically, on inputs (a) the public key pk_i of participant i, (b) a message m, and (c) a string s (i.e., a purported digital signature of i on message m), the verification algorithm V outputs YES or NO.
The attributes required according to the digital signature scheme are:
1. Legitimate signatures always verify: if s = sig_i(m), then V(pk_i, m, s) = YES; and
2. Digital signatures are hard to forge: without knowledge of sk_i, the time needed to find a string s such that V(pk_i, m, s) = YES for a message m not signed by i is astronomically long.
(Following strict security requirements, this holds even if signatures of any other messages are available.)
Therefore, in order to prevent anyone else from signing messages on behalf of participant i, this participant must keep its signing key sk_i secret (hence the term "secret key"), and, in order to enable anyone to verify that he really signed a message, i has an interest in disclosing his key pk_i (hence the term "public key").
Signed message with message retrievability. Normally, a message m cannot be retrieved from its signature sig_i(m). To virtually deal with digital signatures that satisfy the conceptually convenient "message retrievability" property (i.e., to guarantee that the signer and the message are easily computable from the signature), we define
Figure BDA0002547710260000191
And if pkiIs unambiguous, then SIGi(m)=(i,m,sigi(m))。
Unique digital signatures. A digital signature scheme (G, S, V) satisfying the following additional property is also considered.

3. It is hard to find strings pk', m, s and s' such that s ≠ s' and $V(pk', m, s) = V(pk', m, s') = 1$.

(Note that the uniqueness property also applies to strings pk' that are not legitimately generated public keys. In particular, however, the uniqueness property implies that, if one uses the specified key generator G to compute a public key pk together with a matching secret key sk, and thus knows sk, it is still essentially impossible to find two different digital signatures of the same message relative to pk.)
Remarks

From unique signatures to verifiable random functions. Relative to a digital signature scheme with the uniqueness property, the mapping $m \to H(\mathrm{sig}_i(m))$ associates with each possible string m a unique, randomly selected 256-bit string, and the correctness of this mapping can be proved given the signature $\mathrm{sig}_i(m)$.

That is, an ideal hash function together with a digital signature scheme satisfying the uniqueness property essentially provides an elementary implementation of a verifiable random function (VRF).

A VRF is a special kind of digital signature. Write $\mathrm{VRF}_i(m)$ for such a special signature of i on message m. In addition to satisfying the uniqueness property, a verifiable random function also produces outputs that are guaranteed to be sufficiently random: $\mathrm{VRF}_i(m)$ is essentially random and unpredictable until it is produced. By contrast, $\mathrm{SIG}_i(m)$ need not be sufficiently random. For instance, user i may select his public key so that $\mathrm{SIG}_i(m)$ is always a (lexicographically) small k-bit string, i.e., its first few bits may always be 0. Note, however, that since H is an ideal hash function, $H(\mathrm{SIG}_i(m))$ is always a random 256-bit string. In the preferred embodiments, hashing digital signatures that satisfy the uniqueness property is used extensively to associate a unique random number with each message m and each user i. Should Algorand be implemented with VRFs, one can replace $H(\mathrm{SIG}_i(m))$ by $\mathrm{VRF}_i(m)$. In particular, user i need not first compute $\mathrm{SIG}_i(m)$ and then $H(\mathrm{SIG}_i(m))$ (in order to, for example, compare $H(\mathrm{SIG}_i(m))$ with a number p); he can compute $\mathrm{VRF}_i(m)$ directly. In sum, $H(\mathrm{SIG}_i(m))$ may be interpreted as $\mathrm{VRF}_i(m)$, or as a sufficiently random number unambiguously associated with i and m that participant i can compute easily but nobody else can predict.
Three different needs for digital signatures. In Algorand, user i relies on digital signatures for

(1) Authenticating i's own payments. In this application, keys can be "long-term" (i.e., used to sign many messages over a long period of time) and come from an ordinary signature scheme.

(2) Generating credentials proving that i is entitled to act at some step s of round r. Here, keys can be long-term, but must come from a scheme satisfying the uniqueness property.

(3) Authenticating the messages i sends in each step in which he acts. Here, keys must be ephemeral (i.e., destroyed after their first use), but can come from an ordinary signature scheme.

For simplicity, it is envisaged that each user i has a single long-term key. Accordingly, such a key must come from a signature scheme with the uniqueness property. This simplicity is not free computationally: typically, generating and verifying unique digital signatures is somewhat more costly than for ordinary signatures.
2.2 The idealized public ledger

Algorand tries to mimic the following payment system, based on an idealized public ledger.

1. The initial status. Money is associated with individual public keys (privately generated and owned by users). Letting $pk_1, \ldots, pk_j$ be the initial public keys and $a_1, \ldots, a_j$ their respective initial amounts of money units, the initial status is

$S_0 = (pk_1, a_1), \ldots, (pk_j, a_j),$

which is assumed to be common knowledge in the system.

2. Payments. Let pk be a public key currently having $a \ge 0$ money units, pk' another public key, and a' a non-negative number no greater than a. Then a (valid) payment ρ is a digital signature, relative to pk, specifying the transfer of a' money units from pk to pk', together with some additional information. In symbols,

$\rho = \mathrm{SIG}_{pk}(pk, pk', a', I, H(I')),$

where I represents any additional information deemed useful but not sensitive (e.g., time information and a payment identifier), and I' any additional information deemed sensitive (e.g., the reason for the payment, possibly the identities of the owners of pk and pk', and so on).

pk (or its owner) is called the payer, each pk' (or its owner) a payee, and a' the amount of the payment ρ.

Free joining via payments. Note that users may join the system at any time by generating their own public/secret key pairs. Accordingly, the public key pk' appearing in the payment ρ above may be a newly generated public key that has never "owned" any money before.

3. The magic ledger. In the idealized system, all payments are valid and appear in a tamper-proof list L of sets of payments "posted on the sky" for everyone to see:

$L = \mathrm{PAY}^1, \mathrm{PAY}^2, \ldots$

Each block $\mathrm{PAY}^{r+1}$ consists of the set of all payments made since the appearance of block $\mathrm{PAY}^r$. In the ideal system, a new block appears after a fixed (or finite) amount of time.
Discussion.

More general payments and unspent transaction output. More generally, if a public key pk owns an amount a, then a valid payment ρ of pk may transfer the amounts $a'_1, a'_2, \ldots$, respectively, to the keys $pk'_1, pk'_2, \ldots$, so long as $\sum_j a'_j \le a$.

In Bitcoin and similar systems, the money owned by a public key pk is segregated into separate amounts, and a payment ρ made by pk must transfer such a segregated amount a in its entirety. If pk wishes to transfer only a fraction a' < a of a to another key, then it must also transfer the balance, the unspent transaction output, to another key, possibly pk itself.

Algorand also works with keys having segregated amounts. However, in order to focus on the novel aspects of Algorand, it is conceptually simpler to stick to the simpler forms of payments and to keys associated with a single amount.

Current status. The idealized scheme does not directly provide information about the current status of the system (i.e., about how many money units each public key has). This information is deducible from the magic ledger.

In the ideal system, an active user continually stores and updates the latest status information; otherwise, he would have to reconstruct the current status from scratch, or from the last time he computed it. (It will be shown later, however, how to augment Algorand so that its users can reconstruct the current status efficiently.)
Security and "privacy". Digital signatures guarantee that nobody can forge the payment of another user. In a payment ρ, the public keys and the amount are not hidden, but the sensitive information I' is. Indeed, only H(I') appears in ρ, and, since H is an ideal hash function, H(I') is a random 256-bit value, so there is no better way to figure out what I' is than guessing it. To prove what I' is (e.g., to prove the reason for the payment), however, the payer may simply reveal I': anyone can then compute H(I') and compare the obtained value with the last item of ρ to verify that the revealed I' is correct. In fact, since H is collision-resilient, it is hard to find a second value I'' such that $H(I') = H(I'')$.
2.3 Basic notions and notation

Keys, users, and owners. Unless otherwise specified, each public key ("key" for short) is long-term and relative to a digital signature scheme with the uniqueness property. A public key i joins the system when another public key j already in the system makes a payment to i.

For color, keys are personified. A key i is referred to as "he": i is honest, i sends and receives messages, and so on. User is a synonym for key. When it is desired to distinguish a key from the person to whom it belongs, the terms "digital key" and "owner" are used, respectively.

Permissionless and permissioned systems. A system is permissionless if digital keys are free to join at any time and an owner can own multiple digital keys; it is permissioned otherwise.

Unique representation. Each object in Algorand has a unique representation. In particular, each set $\{(x, y, z, \ldots) : x \in X, y \in Y, z \in Z, \ldots\}$ is ordered in a pre-specified manner: e.g., lexicographically first by x, then by y, and so on.

Same-speed clocks. There is no global clock: rather, each user has his own clock. User clocks need not be synchronized in any way. It is assumed, however, that they all have the same speed.

For instance, when it is 12pm according to the clock of user i, it may be 2:30pm according to the clock of another user j, but when it is 12:01 according to i's clock, it will be 2:31 according to j's clock. That is, "one minute is the same (sufficiently, essentially the same) for every user".
Rounds. Algorand is organized in logical units, r = 0, 1, ..., called rounds.

Superscripts are used throughout to indicate rounds. To indicate that a non-numerical quantity Q (e.g., a string, a public key, a set, a digital signature, etc.) refers to round r, simply write $Q^r$. Only when Q is a genuine number (as opposed to a binary string interpretable as a number) is it written $Q^{(r)}$, so that the symbol r cannot be interpreted as an exponent of Q.

At (the start of) a round r > 0, the set of all public keys is $PK^r$, and the system status is

$S^r = \{(i, a_i^{(r)}, \ldots) : i \in PK^r\},$

where $a_i^{(r)}$ is the amount of money available to public key i. Note that $PK^r$ is deducible from $S^r$, and that $S^r$ may also specify other components for each public key i.

For round 0, $PK^0$ is the set of initial public keys, and $S^0$ is the initial status. Both $PK^0$ and $S^0$ are assumed to be common knowledge in the system. For simplicity, at the start of round r, so are $PK^1, \ldots, PK^r$ and $S^1, \ldots, S^r$.

In round r, the system status transitions from $S^r$ to $S^{r+1}$; symbolically,

Round r: $S^r \to S^{r+1}$.
Payments. In Algorand, users continually make payments (and disseminate them in the way described in subsection 2.7). A payment ρ of a user $i \in PK^r$ has the same format and semantics as in the ideal system. Namely,

$\rho = \mathrm{SIG}_i(i, i', a, I, H(I')).$

Payment ρ is individually valid at round r (is a round-r payment, for short) if (1) its amount a is less than or equal to $a_i^{(r)}$, and (2) it does not appear in any official payment set $\mathrm{PAY}^{r'}$ for r' < r. (As explained below, the second condition means that ρ has not already become effective.)

A set of round-r payments of i is collectively valid if the sum of their amounts is at most $a_i^{(r)}$.

Paysets. A round-r payset $\mathcal{P}^r$ is a set of round-r payments such that, for each user i, the payments of i in $\mathcal{P}^r$ (possibly none) are collectively valid. The set of all round-r paysets is $\mathbb{PAY}^r$. A round-r payset $\mathcal{P}^r$ is maximal if no strict superset of $\mathcal{P}^r$ is a round-r payset.

Actually, a payment ρ also specifies the round in which it is made, $r_\rho$, and, for some fixed non-negative integer k, is valid only in rounds $[r_\rho, r_\rho + k]$, and in no other round.
Official paysets. For every round r, Algorand publicly selects (in a manner described later) a single (possibly empty) payset $\mathrm{PAY}^r$, the round's official payset. (Essentially, $\mathrm{PAY}^r$ represents the round-r payments that have "actually" happened.)

As in the ideal system (and in Bitcoin), (1) the only way for a new user j to enter the system is to be the recipient of a payment belonging to the official payset $\mathrm{PAY}^r$ of a given round r; and (2) $\mathrm{PAY}^r$ determines the status of the next round, $S^{r+1}$, from that of the current round, $S^r$. Symbolically,

$\mathrm{PAY}^r : S^r \to S^{r+1}.$

Specifically,

1. the set of public keys of round r+1, $PK^{r+1}$, consists of the union of $PK^r$ and the set of all payee keys that appear, for the first time, in the payments of $\mathrm{PAY}^r$; and

2. the amount of money $a_i^{(r+1)}$ that user i owns in round r+1 is $a_i^{(r)}$ (i.e., the amount of money i owned in the previous round, or 0 if $i \notin PK^r$), plus the sum of the amounts paid to i according to the payments of $\mathrm{PAY}^r$, minus the sum of the amounts i pays in the payments of $\mathrm{PAY}^r$.

In sum, as in the ideal system, each status $S^{r+1}$ is deducible from the previous payment history,

$\mathrm{PAY}^0, \ldots, \mathrm{PAY}^r.$
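The validity rules and the transition $\mathrm{PAY}^r : S^r \to S^{r+1}$ described in this subsection, together with the H(I') reveal check of subsection 2.2, as one added worked example in Python (not the patent's own code). It models a payment as the fields of $\mathrm{SIG}_i(i, i', a, I, H(I'))$ without the signature itself (verification of the payer's signature is assumed to have already happened), uses SHA-256 as a stand-in for the ideal hash H, and exercises individual validity (balance, the replay of a payment already in an earlier $\mathrm{PAY}^{r'}$, the round window $[r_\rho, r_\rho + k]$), collective validity, a greedily built maximal payset, and the status update. All keys, amounts and the "rent for May" secret are constructed.

```python
"""Toy model of the idealized ledger (sections 2.2 and 2.3): payment format,
round-r validity, paysets, and the transition PAY^r : S^r -> S^{r+1}.
Added example, not the patent's code. Signatures are omitted: a payment is
assumed to have been signed and verified already (assumption)."""
import hashlib
from dataclasses import dataclass


def H(data: bytes) -> bytes:
    """Stand-in for the ideal hash function H (SHA-256; an assumption)."""
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Payment:
    """The fields of SIG_i(i, i', a, I, H(I')) minus the signature itself."""
    payer: str      # i
    payee: str      # i'
    amount: int     # a
    info: str       # I: non-sensitive data, e.g. a payment identifier
    hidden: bytes   # H(I'): commitment to the sensitive data I'
    rho: int        # round in which the payment is made; valid in [rho, rho+k]


def valid_alone(p, state, r, history, k):
    """Individual validity of p at round r. history[r'] is PAY^{r'} for r' < r."""
    if p.amount < 0 or p.payer not in state:
        return False
    if p.amount > state[p.payer]:                      # (1) a <= a_i^(r)
        return False
    if any(p in pay for pay in history[:r]):           # (2) not yet effective
        return False
    return p.rho <= r <= p.rho + k                     # only valid in [rho, rho+k]


def is_payset(P, state, r, history, k):
    """A round-r payset: individually valid, and collectively valid per payer."""
    if not all(valid_alone(p, state, r, history, k) for p in P):
        return False
    spent = {}
    for p in P:
        spent[p.payer] = spent.get(p.payer, 0) + p.amount
    return all(total <= state[i] for i, total in spent.items())


def maximal_payset(candidates, state, r, history, k):
    """Greedy maximal payset: no remaining candidate can still be added.
    (Which maximal set results depends on the order of the candidates.)"""
    chosen = []
    for p in candidates:
        if is_payset(chosen + [p], state, r, history, k):
            chosen.append(p)
    return chosen


def apply_payset(state, P):
    """PAY^r : S^r -> S^{r+1}. New payees enter PK^{r+1} with what they receive."""
    nxt = dict(state)
    for p in P:
        nxt[p.payer] -= p.amount
        nxt[p.payee] = nxt.get(p.payee, 0) + p.amount
    return nxt


def reveal_matches(p, secret: bytes) -> bool:
    """The payer discloses I'; anyone recomputes H(I') and compares it with
    the commitment carried by the payment."""
    return H(secret) == p.hidden


def demo(k=2):
    """Constructed scenario: two rounds starting from a three-key status S^0."""
    s0 = {"pkA": 100, "pkB": 50, "pkC": 0}
    reason = b"rent for May"                          # constructed sensitive info I'
    p1 = Payment("pkA", "pkC", 30, "id-1", H(reason), rho=1)
    p2 = Payment("pkA", "pkB", 80, "id-2", H(b"gift"), rho=1)   # p1 + p2 > 100
    p3 = Payment("pkB", "pkD", 50, "id-3", H(b"loan"), rho=1)   # pkD is a new key
    history = [[]]                                    # PAY^0 is empty
    pay1 = maximal_payset([p1, p2, p3], s0, 1, history, k)
    s1 = apply_payset(s0, pay1)
    history.append(pay1)
    replay_ok = valid_alone(p1, s1, 2, history, k)    # p1 is already in PAY^1
    stale = Payment("pkC", "pkA", 5, "id-4", H(b"x"), rho=0)
    stale_ok = valid_alone(stale, s1, 3, history, k)  # window [0, 2] has passed
    return pay1, s1, replay_ok, stale_ok, reveal_matches(p1, reason)


if __name__ == "__main__":
    print(demo())
```

Note that the replay check works only because two genuinely distinct payments of the same amount between the same keys differ in their non-sensitive field I (here a payment identifier); without such a distinguisher the second payment would be rejected as a replay of the first.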
2.4 Blocks and certified blocks

In $Algorand'_0$, the block $B^r$ corresponding to round r specifies: r itself; the payset $\mathrm{PAY}^r$ of round r; a quantity $\mathrm{SIG}_{\ell^r}(Q^{r-1})$, to be explained; and the hash of the previous block, $H(B^{r-1})$. Thus, starting from some fixed block $B^0$, there is a traditional blockchain:

$B^1 = (1, \mathrm{PAY}^1, \mathrm{SIG}_{\ell^1}(Q^0), H(B^0)),\ B^2 = (2, \mathrm{PAY}^2, \mathrm{SIG}_{\ell^2}(Q^1), H(B^1)),\ \ldots$

In Algorand, the authenticity of a block is actually vouched for by a separate piece of information, a "block certificate" $\mathrm{CERT}^r$, which turns $B^r$ into a certified block,

$\overline{B^r} = (B^r, \mathrm{CERT}^r).$

The magic ledger is thus implemented by the sequence of certified blocks,

$\overline{B^1}, \overline{B^2}, \ldots$

Discussion. As will be seen, $\mathrm{CERT}^r$ consists of a set of digital signatures of $H(B^r)$ from members of $SV^r$, together with proofs that each of those members does belong to $SV^r$. (Of course, the certificate $\mathrm{CERT}^r$ could be included in the block itself, but keeping it separate was found to be conceptually cleaner.)

In Bitcoin, each block must satisfy a special property, namely "containing the solution to a crypto puzzle", which makes block generation computationally intensive and forks neither rare nor avoidable. By contrast, Algorand's blockchain has two main advantages: it is generated with minimal computation, and it will not fork with overwhelming probability. Each block $B^i$ is safely final as soon as it enters the blockchain.
2.5 Acceptable failure probability

To analyze the security of Algorand, a probability F is specified with which we are willing to accept that something goes wrong (e.g., that a verifier set $SV^r$ does not have an honest majority). As in the case of the output length of the cryptographic hash function H, F is a parameter. As in that case, however, it is useful to set F to a concrete value in order to get a more intuitive grasp of the fact that it is indeed possible, in Algorand, to enjoy sufficient security and sufficient efficiency simultaneously. To emphasize that F is a parameter that can be set as desired, in the first and second embodiments it is set, respectively, to

$F = 10^{-12}$ and $F = 10^{-18}$.

Discussion. Note that $10^{-12}$ is actually less than one in a trillion, and this choice of F is believed to be adequate in applications. It should be emphasized that $10^{-12}$ is not the probability with which an adversary can forge the payment of an honest user. All payments are digitally signed, so, if proper digital signatures are used, the probability of forging a payment is far below $10^{-12}$, and is in fact essentially 0. The bad event that we are willing to tolerate with probability F is that Algorand's blockchain forks. Note that, with this F and one-minute-long rounds, a fork is expected to occur in Algorand's blockchain (roughly) once every 1.9 million years. By contrast, in Bitcoin, forks occur quite often.

A more demanding person may set F to a lower value. To this end, in the second embodiment F is set to $10^{-18}$. Note that $10^{18}$ is roughly the estimated number of seconds elapsed from the Big Bang to the present; thus, if one block were generated every second, with $F = 10^{-18}$ one should expect to see a single fork in the entire lifetime of the universe.
2.6 The adversarial model

Algorand is designed to be secure in a very adversarial model. Let us explain.

Honest and malicious users. A user is honest if he follows all his protocol instructions and is perfectly capable of sending and receiving messages. A user is malicious if he can deviate arbitrarily from his prescribed instructions (i.e., he is Byzantine, in the parlance of distributed computing).

The adversary. The adversary is an efficient (technically, polynomial-time) algorithm, personified for color, who can immediately make malicious any user he wants, at any time he wants (subject only to an upper bound on the number of users he can corrupt).

The adversary totally controls and perfectly coordinates all malicious users. He takes all actions on their behalf, including receiving and sending all their messages, and can let them deviate from their prescribed instructions in arbitrary ways. Or he can simply isolate a corrupted user, sending and receiving messages on his behalf. Let it be clear that no one else automatically learns that a user i is malicious, although i's maliciousness may transpire from the actions the adversary has him take.

This powerful adversary, however,

- does not have unbounded computational power and cannot successfully forge the digital signature of an honest user, except with negligible probability; and
- cannot interfere in any way with the message exchanges among honest users.

Furthermore, his ability to attack honest users is bounded by one of the following assumptions.

Honest majority of money. The continuous honest-majority-of-money (HMM) assumption is considered: namely, for each non-negative integer k and real h > 1/2,

$HMM_k > h$: the honest users in every round r own a fraction greater than h of all the money in the system at round r-k.

Discussion. Assuming that all malicious users perfectly coordinate their actions (as if controlled by a single entity, the adversary) is a rather pessimistic hypothesis. Perfect coordination among too many individuals is difficult to achieve. Perhaps coordination occurs only within separate groups of malicious players. But, since it cannot be determined how much coordination malicious users may enjoy, it is better to err on the side of security.

Assuming that the adversary can secretly, dynamically, and immediately corrupt users is also pessimistic. After all, realistically, it should take some time to take full control of a user's operations.

The assumption $HMM_k > h$ implies, for instance, that if a round is executed in (on average) one minute, then, for k = 120, the majority of the money in a given round will remain in honest hands for at least two hours, and, for k = 10,000, for at least one week.

Note that the HMM assumption and the honest-majority-of-computing-power assumption of previous works are related, in the sense that computing power can be bought with money: if malicious users owned most of the money, they could obtain most of the computing power.
2.7 The communication model

Message propagation (i.e., "peer-to-peer gossip") is envisaged as the only means of communication, and it is assumed that every propagated message reaches almost all honest users in a timely fashion. Essentially, it is assumed that each message m propagated by an honest user reaches all honest users within a given amount of time that depends on the length of m. (In fact, it suffices that m reaches a sufficiently high percentage of the honest users.)
3 The BA protocol BA* in a traditional setting

As already emphasized, Byzantine agreement is a key ingredient of Algorand. Indeed, it is through the use of such a BA protocol that Algorand is unaffected by forks. To be secure against a very powerful adversary, however, Algorand must rely on a BA protocol that satisfies the new player-repla­ceability constraint. In addition, for Algorand to be efficient, such a BA protocol must be very efficient.

BA protocols were first defined for an idealized communication model, synchronous complete networks (SC networks). Such a model allows for a simpler design and analysis of BA protocols. Accordingly, in this section, a new BA protocol, BA*, is introduced for SC networks, ignoring the issue of player replaceability altogether. Protocol BA* is a contribution of separate value. Indeed, it is the most efficient cryptographic BA protocol for SC networks known so far.

To use it within Algorand, BA* is modified somewhat so as to account for a different communication model and context.

We start by recalling the model in which BA* operates and the notion of Byzantine agreement.
3.1 Synchronous complete networks and matching adversaries

In an SC network, there is a common clock, ticking at each integer time r = 1, 2, ...

At each even time click r, each player i instantaneously and simultaneously sends a single message $m_i^{r,j}$ (possibly the empty message) to each player j, including himself. Each $m_i^{r,j}$ is correctly received at time click r+1 by player j, together with the identity of the sender i.

Again, in a communication protocol, a player is honest if he follows all his prescribed instructions, and malicious otherwise. All malicious players are totally controlled and perfectly coordinated by the adversary, who, in particular, immediately receives all messages addressed to malicious players and chooses the messages they send.

The adversary can immediately make any honest user he wants malicious, at any odd time click he wants (subject only to a possible upper bound t on the number of malicious players). That is, the adversary "cannot interfere with the messages already sent by an honest user i", which will be delivered as usual.

The adversary also has the additional ability to see, at each even time click, the messages sent by the currently honest players, and to use this information instantly to choose the messages the malicious players send at the same time click.
3.2 The notion of Byzantine agreement

The notion of Byzantine agreement might have been first introduced for the binary case, that is, when every initial value consists of a bit. However, it was quickly extended to arbitrary initial values. By BA protocols we mean arbitrary-value ones.

Definition 3.1. In a synchronous network, let $\mathcal{P}$ be an n-player protocol, whose player set is common knowledge among the players, and let t be a positive integer such that n ≥ 2t+1. We say that $\mathcal{P}$ is an arbitrary-value (respectively, binary) (n, t)-Byzantine agreement protocol with soundness σ ∈ (0, 1) if, for every set of values V not containing the special symbol ⊥ (respectively, for V = {0, 1}), in an execution in which at most t players are malicious and every player i starts with an initial value $v_i \in V$, every honest player j halts with probability 1, outputting a value $out_j \in V \cup \{\bot\}$ so as to satisfy, with probability at least σ, the following two conditions:

1. Agreement: There exists $out \in V \cup \{\bot\}$ such that $out_i = out$ for all honest players i.
2. Consistency: If, for some value $v \in V$, $v_i = v$ for all players i, then $out = v$.

We refer to out as $\mathcal{P}$'s output, and to each $out_i$ as player i's output.
3.3 The BA notation #

In a BA protocol, a player is required to count how many players sent him a given message in a given step. Accordingly, for each possible value v that might be sent,

$\#_i^s(v)$ (or just $\#_i(v)$ when s is clear)

is the number of players j from which i has received v in step s.

Recalling that a player i receives exactly one message from each player j, if the number of players is n, then, for all i and s,

$\sum_v \#_i^s(v) = n.$
3.4 The new binary BA protocol BBA*

In this section, a new binary BA protocol, BBA*, is presented. It relies on the honesty of more than two thirds of the players and is very fast: no matter what the malicious players might do, each execution of its main loop not only is trivially executed, but brings the players into agreement with probability 1/3.

In BBA*, each player has his own public key of a digital signature scheme satisfying the unique-signature property. Since the protocol is intended to be run on a synchronous complete network, there is no need for a player i to sign each of his messages.

Digital signatures are used to generate a sufficiently common random bit in Step 3. (In Algorand, digital signatures are used to authenticate all other messages as well.)

The protocol requires a minimal set-up: a common random string r, independent of the players' keys. (In Algorand, r is actually replaced by the quantity $Q^r$.)

Protocol BBA* is a 3-step loop, in which the players repeatedly exchange Boolean values, and different players may exit this loop at different times. A player i exits the loop by propagating, at some step, either a special value 0* or a special value 1*, thereby instructing all players to "pretend" they respectively receive 0 and 1 from i in all future steps. (In other words, if the last message received by a player j from another player i is the bit b*, then, in any step, j acts as if i sent him the bit b.)

The protocol uses a counter γ, representing how many times its 3-step loop has been executed. At the start of BBA*, γ = 0. (One may think of γ as a global counter, but it is actually increased by each individual player every time the loop is executed.)

Throughout, n ≥ 3t+1, where t is the maximum possible number of malicious players. A binary string x is identified with the integer whose binary representation (with possible leading 0s) is x; and lsb(x) denotes the least significant bit of x.
Protocol BBA*

(Communication) Step 1. [Coin-Fixed-To-0 Step] Each player i sends $b_i$.
1.1 If $\#_i^1(0) \ge 2t+1$, then i sets $b_i = 0$, sends 0*, outputs $out_i = 0$, and HALTS.
1.2 If $\#_i^1(1) \ge 2t+1$, then i sets $b_i = 1$.
1.3 Else, i sets $b_i = 0$.

(Communication) Step 2. [Coin-Fixed-To-1 Step] Each player i sends $b_i$.
2.1 If $\#_i^2(1) \ge 2t+1$, then i sets $b_i = 1$, sends 1*, outputs $out_i = 1$, and HALTS.
2.2 If $\#_i^2(0) \ge 2t+1$, then i sets $b_i = 0$.
2.3 Else, i sets $b_i = 1$.

(Communication) Step 3. [Coin-Genuinely-Flipped Step] Each player i sends $b_i$ and $\mathrm{SIG}_i(r, \gamma)$.
3.1 If $\#_i^3(0) \ge 2t+1$, then i sets $b_i = 0$.
3.2 If $\#_i^3(1) \ge 2t+1$, then i sets $b_i = 1$.
3.3 Else, letting $S_i$ be the set of players $j \in N$ who have sent i a proper message in this Step 3, i sets $b_i = \mathrm{lsb}(\min_{j \in S_i} H(\mathrm{SIG}_j(r, \gamma)))$; increases $\gamma_i$ by 1; and returns to Step 1.
Theorem 3.1. Whenever n ≥ 3t+1, BBA* is a binary (n, t)-BA protocol with soundness 1.

A proof of Theorem 3.1 can be found at https://people.csail.mit.edu/silvio/selectedsien-tificPapers/distributedcputation/ByzantagreemTMADRTRIVIAL.15pdf.
3.5 Graded consensus and protocol GC

Let us recall, for arbitrary values, a notion of consensus much weaker than Byzantine agreement.

Definition 3.2. Let $\mathcal{P}$ be a protocol in which the set of all players is common knowledge, and each player i privately knows an arbitrary initial value $v'_i$.

We say that $\mathcal{P}$ is an (n, t)-graded consensus protocol if, in every execution with n players, at most t of which are malicious, every honest player i halts outputting a value-grade pair $(v_i, g_i)$, where $g_i \in \{0, 1, 2\}$, so as to satisfy the following three conditions:

1. For all honest players i and j, $|g_i - g_j| \le 1$.
2. For all honest players i and j, $g_i, g_j > 0 \Rightarrow v_i = v_j$.
3. If, for some value v, $v'_1 = \cdots = v'_n = v$, then $v_i = v$ and $g_i = 2$ for all honest players i.

The following two-step protocol GC is a graded consensus protocol in the literature. To match the steps of protocol $Algorand'_1$ of section 4.1, the steps of GC are named 2 and 3. (Indeed, the first step of $Algorand'_1$ is concerned with something else: proposing a new block.)

Protocol GC

Step 2. Each player i sends $v'_i$ to all players.
Step 3. Each player i sends the string x to all players if and only if $\#_i^2(x) \ge 2t+1$.

Output determination. Each player i outputs the pair $(v_i, g_i)$ computed as follows:
- If, for some x, $\#_i^3(x) \ge 2t+1$, then $v_i = x$ and $g_i = 2$.
- If, for some x, $\#_i^3(x) \ge t+1$, then $v_i = x$ and $g_i = 1$.
- Else, $v_i = \bot$ and $g_i = 0$.

Since protocol GC is a protocol in the literature, it is known that the following theorem holds.

Theorem 3.2. If n ≥ 3t+1, then GC is an (n, t)-graded consensus protocol.
3.6 Protocol BA*

Let us now describe the arbitrary-value BA protocol BA* via the binary BA protocol BBA* and the graded-consensus protocol GC. Below, the initial value of each player i is $v'_i$.

Protocol BA*

Steps 1 and 2. Each player i executes GC, on input $v'_i$, so as to compute a pair $(v_i, g_i)$.
Remaining steps. Each player i executes BBA*, with initial input 0 if $g_i = 2$ and 1 otherwise, so as to compute the bit $out_i$.
Output determination. If $out_i = 0$, player i outputs $v_i$; else, he outputs ⊥.

Theorem 3.3. Whenever n ≥ 3t+1, BA* is an (n, t)-BA protocol with soundness 1.

Proof. Consistency is proved first, then agreement.

Proof of consistency. Assume that, for some value $v \in V$, $v'_i = v$ for all players i. Then, by property 3 of graded consensus, after the execution of GC all honest players output (v, 2). Accordingly, 0 is the initial bit of every honest player in the execution of BBA*. Thus, by the consistency property of binary Byzantine agreement, at the end of BA*, $out_i = 0$ for all honest players i. This implies that the output of each honest player i in BA* is $v_i = v$. □

Proof of agreement. Since BBA* is a binary BA protocol, either
(A) $out_i = 1$ for all honest players i, or
(B) $out_i = 0$ for all honest players i.
In case A, all honest players output ⊥ in BA*, and thus agreement holds. In case B, the initial bit of at least one honest player i in the execution of BBA* is 0. (Indeed, if all honest players had initial bit 1, then, by the consistency property of BBA*, $out_j = 1$ for all honest players j.) Accordingly, after the execution of GC, i output the pair (v, 2) for some value v. Thus, by property 1 of graded consensus, $g_j > 0$ for all honest players j. Accordingly, by property 2 of graded consensus, $v_j = v$ for all honest players j. This implies that, at the end of BA*, every honest player j outputs v. Thus, agreement holds also in case B. □

Since both consistency and agreement hold, BA* is an arbitrary-value BA protocol. □
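The three protocols of sections 3.4 to 3.6 as one runnable simulation on a synchronous complete network, added here as an example (it is not the patent's code). It assumes HMAC-SHA256 under a per-player secret as a stand-in for the unique signatures $\mathrm{SIG}_j(r, \gamma)$ of the coin step (which also illustrates the $H(\mathrm{SIG}_i(m))$ remark of section 2.1: the adversary can withhold his value but cannot choose it), gives the adversary a rushing, equivocating strategy that also drops messages, and fixes n = 3t+1 exactly, because that is the case in which two sets of 2t+1 senders are guaranteed to share an honest player, which is what the page's 2t+1 thresholds rely on. The scenario values, the seed and the per-player secrets are constructed.

```python
"""Simulation of BBA*, GC and BA* (sections 3.4 to 3.6) on an SC network with a
rushing adversary who equivocates and drops messages. Added example, not the
patent's code. SIG_j(r, gamma) is replaced by HMAC-SHA256 under a per-player
secret: deterministic (unique) per key and unforgeable by the others, an
assumed stand-in for a unique signature scheme. n = 3t+1 exactly."""
import hashlib
import hmac
import random


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def unique_sig(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def count(inbox, v):
    """#_i(v): number of players that sent i the value v in this step."""
    return sum(1 for m in inbox.values() if m is not None and m[0] == v)


def bba_star(bits, malicious, t, r, keys, rng, max_loops=64):
    """Run BBA* with n = len(bits) = 3t+1; return {honest i: out_i}."""
    n = len(bits)
    honest = [i for i in range(n) if i not in malicious]
    b, out, gamma = list(bits), {}, 0

    def receive(i, step):
        """(bit, sig) that i gets from every j. Halted honest players keep
        'sending' their halt bit b*; the adversary picks malicious messages."""
        got = {}
        for j in range(n):
            if j in malicious:
                if rng.random() < 0.2:               # missing or improper message
                    got[j] = None
                    continue
                bit = rng.randint(0, 1)              # equivocates freely
            else:
                bit = b[j]
            sig = None
            if step == 3 and j not in out:           # live players sign (r, gamma)
                sig = unique_sig(keys[j], f"{r}:{gamma}".encode())
            got[j] = (bit, sig)
        return got

    def deliver(step):                               # snapshot before any update
        return {i: receive(i, step) for i in honest if i not in out}

    while gamma < max_loops and len(out) < len(honest):
        for i, got in deliver(1).items():            # Step 1: Coin-Fixed-To-0
            if count(got, 0) >= 2 * t + 1:
                b[i], out[i] = 0, 0                  # sends 0*, halts
            else:
                b[i] = 1 if count(got, 1) >= 2 * t + 1 else 0
        for i, got in deliver(2).items():            # Step 2: Coin-Fixed-To-1
            if count(got, 1) >= 2 * t + 1:
                b[i], out[i] = 1, 1                  # sends 1*, halts
            else:
                b[i] = 0 if count(got, 0) >= 2 * t + 1 else 1
        for i, got in deliver(3).items():            # Step 3: Coin-Genuinely-Flipped
            if count(got, 0) >= 2 * t + 1:
                b[i] = 0
            elif count(got, 1) >= 2 * t + 1:
                b[i] = 1
            else:                                    # S_i: properly signed messages
                coin = min(H(m[1]) for m in got.values() if m and m[1])
                b[i] = coin[-1] & 1                  # lsb of the minimum hash
        gamma += 1
    if len(out) < len(honest):
        raise RuntimeError("BBA* did not terminate within max_loops")
    return out


def graded_consensus(values, malicious, t, rng):
    """Protocol GC (steps 2 and 3); return {honest i: (v_i, g_i)}."""
    n = len(values)
    honest = [i for i in range(n) if i not in malicious]
    pool = sorted(set(values)) + [None]              # the adversary's menu

    def deliver(sent):
        return {i: [sent[j] if j not in malicious else rng.choice(pool)
                    for j in range(n)] for i in honest}

    def top(received, threshold):
        """The x with #_i(x) >= threshold, or None (at most one exists)."""
        return next((x for x in set(received) if x is not None
                     and received.count(x) >= threshold), None)

    inbox2 = deliver(list(values))                                   # Step 2
    inbox3 = deliver({i: top(inbox2[i], 2 * t + 1) for i in honest})  # Step 3
    result = {}
    for i in honest:
        x2, x1 = top(inbox3[i], 2 * t + 1), top(inbox3[i], t + 1)
        result[i] = (x2, 2) if x2 is not None else (x1, 1) if x1 is not None else (None, 0)
    return result


def ba_star(values, malicious, t, r, keys, rng):
    """Protocol BA*: GC, then BBA* on the grades; return {honest i: output}."""
    gc = graded_consensus(values, malicious, t, rng)
    bits = [0 if gc.get(i, (None, 0))[1] == 2 else 1 for i in range(len(values))]
    out = bba_star(bits, malicious, t, r, keys, rng)
    return {i: gc[i][0] if out[i] == 0 else None for i in gc}


def run_scenarios(seed=2018):
    """Constructed runs with n = 7, t = 2; players 5 and 6 are malicious."""
    rng, bad = random.Random(seed), {5, 6}
    keys = [bytes([i + 1]) * 32 for i in range(7)]   # constructed per-player secrets
    same = ba_star(["blk"] * 7, bad, 2, 1, keys, rng)
    mixed = ba_star(["blk", "blk", "alt", "alt", "blk", "?", "?"], bad, 2, 2, keys, rng)
    zeros = bba_star([0] * 7, bad, 2, 3, keys, rng)
    return same, mixed, zeros
```

With all honest inputs equal, GC grades every honest player (v, 2), every honest BBA* input is 0, and Step 1 of the first loop already halts everyone with 0: that is the consistency argument of the proof above, executed. With split inputs the honest outputs still coincide (either the common value or ⊥), but which one depends on the adversary and on the coin.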
Protocol BA* also works in gossip networks, and in fact satisfies the player-replaceability property that is crucial for Algorand to be secure in the envisaged very adversarial model.

Player replaceability of BBA* and BA*. Let us now provide some intuition about why protocols BA* and BBA* can be adapted to be executed in a network in which communication is via peer-to-peer gossip, satisfying player replaceability. For concreteness, assume that the network has 10M users and that each step x of BBA* (or BA*) is executed by a committee of 10,000 players, randomly selected via secret cryptographic sortition, who thus have credentials proving their entitlement to send messages in step x. Assume that each message sent in a given step specifies the step number, is digitally signed by its sender, and includes the credential proving that its sender is entitled to speak in that step.

First of all, if the percentage h of honest players is sufficiently larger than 2/3 (e.g., 75%), then, with overwhelming probability, the committee selected at each step has the required 2/3 honest majority.

In addition, the fact that the 10,000-strong committee changes at each step does not impede the correct operation of BBA* or BA*. Indeed, in either protocol, a player i reacts at step s only to the multiplicity with which he has received a given message m in step s-1. In a gossip network, all messages sent at step s-1 reach (for the purpose of this intuition, immediately) all users, including those selected to play in step s. Moreover, every message sent at step s-1 specifies the step number and includes a credential proving that its sender was indeed entitled to speak in step s-1. Thus, a user i selected to play in step s is perfectly able to count correctly the multiplicity with which he received a correct step s-1 message, whether or not he also happened to be selected in step s-1. It has never been important, so far, that the users be always the same throughout all steps. All users are "in the same boat", and thus can easily be replaced by other users.
4 Two embodiments of Algorand
As discussed, at a very high level, a round of Algorand ideally proceeds as follows. First, a randomly selected user, the leader, proposes and propagates a new block. (This process involves initially selecting several potential leaders and then ensuring that, at least most of the time, a single common leader emerges.) Second, a committee of users is randomly selected, and this committee reaches Byzantine agreement on the block proposed by the leader. (This process involves running each step of the BA protocol with a separately selected committee.) Then, a given threshold ($t_H$) of committee members digitally sign the agreed-upon block. These digital signatures are propagated so that everyone can determine which block is the new one. (This involves propagating the signers' credentials and authenticating only the hash of the new block, which ensures that everyone knows the block once its hash is clear.)
In the next two sections, two embodiments of the basic Algorand design are presented, Algorand'_1 and Algorand'_2, each of which works under a suitable assumption that a majority of the users is honest. Section 7 shows how these embodiments can be adapted to work under the assumption that a majority of the currency is honest.
Algorand'_1 only assumes that more than 2/3 of the users are honest. In addition, in Algorand'_1 the number of steps for reaching Byzantine agreement is capped at a suitably high number, so as to guarantee, with overwhelming probability, that agreement is reached within a fixed number of steps (but possibly requiring more steps, and thus more time, than Algorand'_2). In the remote case in which agreement has not been reached by the last step, the committee agrees on a null block, which is always valid.
Algorand'_2 assumes that the number of honest members in a committee is always greater than or equal to a fixed threshold $t_H$ (which guarantees, with overwhelming probability, that at least 2/3 of the committee members are honest). In addition, Algorand'_2 allows Byzantine agreement to be reached in an arbitrary number of steps (but possibly in less time than Algorand'_1).
Those skilled in the art will recognize that many variations of these basic embodiments can be made. In particular, given Algorand'_2, it is easy to modify Algorand'_1 so as to reach Byzantine agreement in an arbitrary number of steps.
These two embodiments share the following common core, notation, concepts and parameters.
4.1 Common core
The goal is that, for each round r, Algorand should satisfy the following properties:
1. Perfect correctness. All honest users agree on the same block $B^r$.
2. Completeness 1. With probability 1, the block $B^r$ has been chosen by an honest user.
(Indeed, a malicious user may always choose a block whose payment set contains only the payments of the malicious user's "friends".)
Of course, guaranteeing perfect correctness alone is trivial: everyone always chooses the official payment set $PAY^r$ to be empty. But in this case the completeness of the system would be 0. Unfortunately, in the presence of malicious users, it is not easy to guarantee both perfect correctness and completeness 1. Algorand therefore adopts a more realistic goal. Informally, letting h denote the percentage of honest users, h > 2/3, Algorand aims to
guarantee, with overwhelming probability, perfect correctness and completeness close to h.
Privileging correctness over completeness seems a reasonable choice: payments not processed in one round can be processed in the next round, but forks should be avoided whenever possible.
Disregarding, for the moment, the excessive time and communication, Byzantine agreement can guarantee perfect correctness as follows. At the beginning of round r, each user i proposes his own candidate block $B^r_i$.
All users then reach Byzantine agreement on just one of the candidate blocks. As per the introduction, the BA agreement used requires a 2/3 honest majority and is participant replaceable. Each of its steps can be executed by a small and randomly selected set of verifiers that do not share any inner variables.
Unfortunately, this approach does not work well. This is so because the candidate blocks proposed by honest users are likely to be quite different from one another. Indeed, each honest user sees different payments. Thus, although the payment sets seen by different honest users may have a lot of overlap, it is unlikely that all honest users will construct a proposal for the same block. Hence, the consistency property of the BA protocol never binds; only the agreement property binds, and thus the protocol may always agree on ⊥ rather than on a good block.
Algorand' avoids this problem as follows. First, a leader $l^r$ of round r is selected. Then, $l^r$ propagates his own candidate block $B^r_{l^r}$. Finally, the users actually reach agreement on the block they received from $l^r$. Because perfect correctness and completeness 1 both hold whenever $l^r$ is honest, Algorand' ensures that $l^r$ is honest with probability close to h.
Leader selection. In Algorand, the r-th block has the form
$B^r = (r, PAY^r, SIG_{l^r}(Q^{r-1}), H(B^{r-1}))$.
As already mentioned in the introduction, the quantity $Q^{r-1}$ is carefully constructed so as to be essentially non-manipulable by a very powerful adversary. (Later in this section, some intuition is provided as to why this is the case.) At the beginning of round r, all users know the blockchain so far, $B^0, \ldots, B^{r-1}$, from which they infer the set of users of every previous round: namely, $PK^1, \ldots, PK^{r-1}$. A potential leader of round r is a user i such that
$.H(SIG_i(r,1,Q^{r-1})) \le p$.
(The choice of p is explained below.) Note that, since the underlying digital signature scheme has the message retrievability property, $Q^{r-1}$ can be derived from block $B^{r-1}$. Moreover, the underlying signature scheme satisfies the uniqueness property. Thus $SIG_i(r,1,Q^{r-1})$ is a binary string uniquely associated with i and r. Accordingly, since H is a random oracle, $H(SIG_i(r,1,Q^{r-1}))$ is a random 256-bit string uniquely associated with i and r. The symbol "." preceding $H(SIG_i(r,1,Q^{r-1}))$ is the decimal (here, binary) point, so that
$r_i \triangleq .H(SIG_i(r,1,Q^{r-1}))$
is the binary expansion of a random 256-bit number between 0 and 1 uniquely associated with i and r. Thus the probability that $r_i \le p$ is essentially p.
The probability p is chosen so that, with overwhelming (i.e., 1-F) probability, at least one potential verifier is honest. (In fact, p is chosen to be the smallest such probability.)
Note that, since i is the only user able to compute his own signature, only he can determine whether he is a potential verifier of round r. However, by revealing his own credential $SIG_i(r,1,Q^{r-1})$, i can prove to anyone that he is a potential verifier of round r.
The leader $l^r$ is defined to be the potential leader whose hashed credential is smaller than the hashed credential of every other potential leader j: that is,
$H(SIG_{l^r}(r,1,Q^{r-1})) \le H(SIG_j(r,1,Q^{r-1}))$.
Note that a malicious $l^r$ may not reveal his credential, so the correct leader of round r may never be known, and that, barring a small probability of a tie, $l^r$ is indeed the only leader of round r.
Finally, one last but important detail: a user i can be a potential leader (and thus the leader) of round r only if he has belonged to the system for at least k rounds. This guarantees the non-manipulability of $Q^r$ and of all future Q quantities. In fact, one of the potential leaders will actually determine $Q^r$.
Verifier selection. Each step s > 1 of round r is executed by a small set of verifiers $SV^{r,s}$. Again, each verifier $i \in SV^{r,s}$ is randomly selected among the users already in the system k rounds before r, and again via the special quantity $Q^{r-1}$. Specifically, $i \in PK^{r-k}$ is a verifier in $SV^{r,s}$ if
$.H(SIG_i(r,s,Q^{r-1})) \le p'$.
Once again, only i knows whether he belongs to $SV^{r,s}$, but, if this is the case, he can prove it by revealing his own credential $SIG_i(r,s,Q^{r-1})$. A verifier $i \in SV^{r,s}$ sends a message in step s of round r, and this message includes his credential, so that the verifiers of the next step can recognize it as a legitimate step-s message.
The probability p' is chosen so as to ensure that, in $SV^{r,s}$, letting #good be the number of honest users and #bad the number of malicious users, the following two conditions hold with overwhelming probability.
For Algorand'_1:
(1) #good > 2·#bad, and
(2) #good + 4·#bad < 2n, where n is the expected cardinality of $SV^{r,s}$.
For Algorand'_2:
(1) #good > $t_H$, and
(2) #good + 2·#bad < 2$t_H$, where $t_H$ is a specified threshold.
These conditions imply that, with sufficiently high probability, (a) in the last step of the BA agreement there will be at least a given number of honest participants digitally signing the new block $B^r$, (b) only one block per round can have the required number of signatures, and (c) the BA agreement used has, at each step, the required 2/3 honest majority.
Clarifying block generation. If the leader $l^r$ of round r is honest, then the corresponding block has the form
$B^r = (r, PAY^r, SIG_{l^r}(Q^{r-1}), H(B^{r-1}))$,
where the payment set $PAY^r$ is maximal. (Recall that, by definition, all payment sets are collectively valid.) Otherwise (i.e., if $l^r$ is malicious), $B^r$ has one of the following two possible forms:
$B^r = (r, PAY^r, SIG_i(Q^{r-1}), H(B^{r-1}))$, and
the empty block of round r.
In the first form, $PAY^r$ is a (not necessarily maximal, and possibly empty) payment set, and i is a potential leader of round r. (However, i may not be the leader $l^r$. This indeed happens if $l^r$ keeps his credential secret and never reveals himself.)
The second form arises when, in the round-r execution of the BA agreement, all honest participants output the default value, which in this application is the empty block. (By definition, the possible outputs of a BA agreement include a default value, generically denoted ⊥; see Section 3.2.)
Note that, although the payment set is empty in both cases, the first form with $PAY^r = \emptyset$ and the empty block are syntactically different blocks, and they arise in two different situations: respectively, "everything went smoothly in the execution of the BA agreement" and "the BA agreement went wrong and a default value was output".
The way in which block $B^r$ is generated in round r of Algorand is now described intuitively. In the first step, each eligible participant (i.e., each participant $i \in PK^{r-k}$) checks whether he is a potential leader. If so, i is required to use all the payments he has seen so far, and the current blockchain $B^0, \ldots, B^{r-1}$, to secretly prepare a maximal payment set $PAY^r_i$ and to secretly assemble his candidate block $B^r_i$. That is, i includes not only the just-prepared payment set $PAY^r_i$, as the second component of $B^r_i$, but also his own signature of $Q^{r-1}$, the quantity determined by the last block $B^{r-1}$, as its third component. Finally, i propagates his round-r step-1 message, which includes (a) his candidate block $B^r_i$, (b) his proper signature of his candidate block (i.e., his signature of the hash of $B^r_i$), and (c) his own credential $SIG_i(r,1,Q^{r-1})$, proving that he is indeed a potential verifier of round r.
(Note that, until the honest i generates his step-1 message, the adversary does not know that i is a potential verifier. If the adversary wished to corrupt honest potential leaders, he might as well corrupt random honest participants. However, once the adversary sees i's message, which contains i's credential, he knows and can corrupt i, but he cannot prevent the message, which is virally propagated, from reaching all users in the system.)
In the second step, each selected verifier $j \in SV^{r,2}$ tries to identify the leader of the round. Specifically, j takes the step-1 credentials $SIG_i(r,1,Q^{r-1})$ contained in the proper step-1 messages he has received, hashes all of them, i.e., computes $H(SIG_i(r,1,Q^{r-1}))$ for each of them, finds the credential whose hash is lexicographically smallest, and considers its owner $l_j$ to be the leader of round r.
Recall that each credential considered is a digital signature of $Q^{r-1}$, that $SIG_i(r,1,Q^{r-1})$ is uniquely determined by i and $Q^{r-1}$, that H is a random oracle, and thus that each $H(SIG_i(r,1,Q^{r-1}))$ is a random 256-bit string unique to each potential leader i of round r.
It follows that, if the 256-bit string $Q^{r-1}$ were itself randomly and independently selected, so would be the hashed credentials of all potential leaders of round r. In fact, all potential leaders are well defined, and so are their credentials (whether actually computed or not). Moreover, the set of potential leaders of round r is a random subset of the users of round r-k, and an honest potential leader i always properly constructs and propagates his message, which contains his credential. Thus, since the percentage of honest users is h, no matter what the malicious potential leaders may do (e.g., reveal or conceal their own credentials), the smallest hashed potential-leader credential belongs to an honest user, who is necessarily identified by everyone as the leader $l^r$ of round r. Accordingly, if the 256-bit string $Q^{r-1}$ were itself randomly and independently selected, then, with probability exactly h, (a) the leader $l^r$ is honest and (b) $l_j = l^r$ for all honest step-2 verifiers j.
In reality, the hashed credentials are positively randomly selected, but they depend on $Q^{r-1}$, which is not randomly and independently selected. A careful analysis, however, guarantees that $Q^{r-1}$ is sufficiently non-manipulable to ensure that the leader of a round is honest with probability h' sufficiently close to h: namely, $h' > h^2(1+h-h^2)$. For instance, if h = 80%, then h' > .7424.
Having identified the leader of the round (which they do correctly when the leader $l^r$ is honest), the task of the step-2 verifiers is to start executing BA* using, as initial values, the block each of them believes to be the leader's. Actually, to minimize the amount of communication required, a verifier $j \in SV^{r,2}$ does not use, as his input value $v'_j$ to the Byzantine protocol, the block $B_j$ he actually received from $l_j$ (the user j considers the leader), but rather the hash of that block, i.e., $v'_j = H(B_j)$. Thus, upon termination of the BA agreement, the verifiers of the last step do not compute the desired round-r block $B^r$, but compute (authenticate and propagate) $H(B^r)$. Accordingly, since $H(B^r)$ is digitally signed by a sufficient number of verifiers of the last step of the BA agreement, the users in the system recognize $H(B^r)$ as the hash of the new block. These users must, however, also retrieve (or wait for, since the execution is somewhat asynchronous) the block $B^r$ itself, which the protocol ensures is available, no matter what the adversary may do.
Asynchrony and timing. Algorand'_1 and Algorand'_2 have a significant degree of asynchrony. This is so because the adversary has a great deal of freedom in scheduling the delivery of the propagated messages. In addition, whether or not there is an upper bound on the total number of steps in a round, the number of steps actually taken may vary.
As soon as user i knows $B^0, \ldots, B^{r-1}$, he computes $Q^{r-1}$ from the certificate and starts round r, checking whether he is a potential leader or a verifier in some step s of round r.
Given that i must act in step s, i relies on various strategies to ensure, in view of the asynchrony discussed, that he has sufficient information before acting.
For instance, he may wait to receive at least a given number of messages from the verifiers of the previous step (as in Algorand'_1), or wait a sufficient amount of time to ensure that he receives the messages of enough verifiers of the previous step (as in Algorand'_2).
The seed $Q^r$ and the backtracking parameter k. Recall that, ideally, the quantities $Q^r$ should be random and independent, although it suffices that they be sufficiently non-manipulable by the adversary.
At first glance, one could choose $Q^{r-1}$ to coincide with $H(PAY^{r-1})$. An elementary analysis, however, reveals that malicious users could take advantage of this selection mechanism. Some additional effort shows that countless other alternatives based on traditional block quantities are easily exploitable by the adversary to ensure that malicious leaders are very frequent. Instead, a totally new quantity $Q^r$ is specifically and inductively defined, so that it can be proved to be non-manipulable by the adversary. Namely,
$Q^r = H(SIG_{l^r}(Q^{r-1}), r)$ if $B^r$ is not empty, and
$Q^r = H(Q^{r-1}, r)$ otherwise.
The intuition as to why this construction of $Q^r$ works is as follows. Assume for a moment that $Q^{r-1}$ is truly randomly and independently selected. Will $Q^r$ be so too? When $l^r$ is honest, the answer is (roughly speaking) yes. This is so because $H(SIG_{l^r}(\cdot), r)$ is a random function. When $l^r$ is malicious, however, $Q^r$ is no longer univocally defined from $Q^{r-1}$ and $l^r$. There are at least two separate values for $Q^r$. One continues to be $H(SIG_{l^r}(Q^{r-1}), r)$, and the other is $H(Q^{r-1}, r)$. Let us first argue that, although somewhat arbitrary, the second choice is absolutely mandatory. The reason is that a malicious $l^r$ can always cause totally different candidate blocks to be received by the honest verifiers of the second step. Once this happens, it is easy to ensure that the block eventually agreed upon via the round-r BA agreement will be the default block, and thus will not contain anyone's digital signature of $Q^{r-1}$. But the system must continue, and for this it needs a leader for round r+1. If this leader were automatically and publicly selected, the adversary would simply corrupt him. If instead he were selected by the previous $Q^{r-1}$ via the same process, then $l^r$ would again be the leader in round r+1. It is specifically proposed to use the same secret cryptographic sortition mechanism, but applied to the new Q quantity, namely $H(Q^{r-1}, r)$. Taking this quantity to be the output of H guarantees that it is random, and including r as the second input of H, whereas all other uses of H have a single input or at least three inputs, "guarantees" that such a $Q^r$ is independently selected. Again, the particular choice of the alternative $Q^r$ is not critical; what is important is that $l^r$ has two choices for $Q^r$, and thus may double his chance that another malicious user becomes the next leader.
The adversary controlling a malicious $l^r$ may have even more options for $Q^r$. For instance, let x, y and z be three malicious potential leaders of round r such that
$H(SIG_x(r,1,Q^{r-1})) < H(SIG_y(r,1,Q^{r-1})) < H(SIG_z(r,1,Q^{r-1}))$
and $H(SIG_z(r,1,Q^{r-1}))$ is particularly small. That is, so small that it is quite likely to be smaller than the hashed credential of every honest potential leader. Then, by asking x to hide his credential, the adversary can very likely make y the leader of round r. This means that the adversary has another option for $Q^r$: namely,
$H(SIG_y(Q^{r-1}), r)$.
Similarly, the adversary may ask both x and y to withhold their credentials, so as to make z the leader of round r and obtain yet another option for $Q^r$: namely, $H(SIG_z(Q^{r-1}), r)$.
Of course, each of these and other options has a non-zero chance of failing, since the adversary cannot predict the hashes of the digital signatures of the honest potential users.
A careful Markov-chain-like analysis shows that, no matter what options the adversary chooses to make in round r-1, as long as he cannot inject a new user into the system, he cannot lower the probability of an honest user becoming the leader of round r+40 much below h. This is why the potential leaders of round r are required to be users already present in round r-k. This is a way to guarantee that the adversary cannot, in round r-k, drastically alter the probability that an honest user becomes the leader of round r. In fact, no matter what users the adversary may add to the system in rounds r-k through r, they are not eligible to be potential leaders (let alone leaders) in round r. The backtracking parameter k is therefore ultimately a security parameter. (However, as will be seen in chapter
Ephemeral keys. Although the execution of the protocol cannot generate a fork (except with negligible probability), the adversary could generate a fork at the r-th block after the legitimate block r has been generated.
Roughly, once $B^r$ has been generated, the adversary learns who the verifiers of each step of round r were. Thus, the adversary could corrupt all of these verifiers and force them to certify a different block of round r. Since this fake block could only be propagated after the legitimate one, users who are always on line would not be fooled. Nonetheless, the fake block would be syntactically correct, and its fabrication should be prevented.
This is done by means of a new rule. Essentially, the members of the verifier set $SV^{r,s}$ of step s of round r digitally sign their messages with ephemeral public keys. These keys are for single use only, and their corresponding secret keys are destroyed once used. This way, if a verifier is later corrupted, the adversary cannot force him to sign anything else that he did not originally sign.
Naturally, it must be ensured that the adversary cannot compute a new key and convince an honest user that it is the ephemeral key that verifier $i \in SV^{r,s}$ is supposed to use in step s.
4.2 Common summary of notation, concepts and parameters
Notation
· r ≥ 0: the current round number.
· s ≥ 1: the current step number in round r.
· $B^r$: the block generated in round r.
· $PK^r$: the set of public keys at the end of round r-1 and at the beginning of round r.
· $S^r$: the system status at the end of round r-1 and at the beginning of round r.
· $PAY^r$: the set of payments contained in $B^r$.
· $l^r$: the leader of round r. $l^r$ chooses the payment set $PAY^r$ of round r (and determines the next $Q^r$).
· $Q^r$: the seed of round r, a quantity (i.e., a binary string) generated at the end of round r and used to select the verifiers of round r+1. $Q^r$ is independent of the payment set in the block and cannot be manipulated by $l^r$.
· $SV^{r,s}$: the set of verifiers selected for step s of round r.
· $SV^r$: the set of verifiers selected for round r, $SV^r = \bigcup_{s \ge 1} SV^{r,s}$.
· $MSV^{r,s}$ and $HSV^{r,s}$: respectively, the set of malicious verifiers and the set of honest verifiers in $SV^{r,s}$. $MSV^{r,s} \cup HSV^{r,s} = SV^{r,s}$ and $MSV^{r,s} \cap HSV^{r,s} = \emptyset$.
· $n_1 \in \mathbb{Z}^+$ and $n \in \mathbb{Z}^+$: respectively, the expected number of potential leaders in each $SV^{r,1}$, and the expected number of verifiers in each $SV^{r,s}$ for s > 1.
Note that $n_1 \ll n$, since $SV^{r,1}$ needs only at least one honest member, whereas each $SV^{r,s}$ (s > 1) needs a majority of honest members.
· h ∈ (0,1): a constant greater than 2/3. h is the honesty ratio of the system, i.e., in each $PK^r$ the fraction of honest users, or of honest money, depending on the assumption used, is at least h.
· H: a cryptographic hash function, modeled as a random oracle.
· ⊥: a special string of the same length as the output of H.
· F ∈ (0,1): a parameter specifying the allowed error probability. A probability ≤ F is considered "negligible", and a probability ≥ 1-F is considered "overwhelming".
· $p_h$ ∈ (0,1): the probability that the leader $l^r$ of round r is honest. Ideally, $p_h$ = h. In the presence of an adversary, $p_h$ is determined by the analysis.
· $k \in \mathbb{Z}^+$: the backtracking parameter. That is, the verifiers of round r are selected from round r-k, i.e., from $PK^{r-k}$.
· $p_1$ ∈ (0,1): for the first step of round r, the probability with which a user in $PK^{r-k}$ is selected to join $SV^{r,1}$.
· p ∈ (0,1): for each step s > 1 of round r, the probability with which a user in $PK^{r-k}$ is selected to join $SV^{r,s}$.
· $CERT^r$: the certificate of $B^r$. It is a set of $t_H$ signatures of $H(B^r)$ from proper verifiers of round r.
· $(B^r, CERT^r)$: a certified block.
A user i knows $B^r$ if he possesses (and has successfully verified) both parts of the certified block. Note that the $CERT^r$ seen by different users may differ.
· The (local) time at which user i knows $B^r$. In the Algorand protocol, each user has his own clock. The clocks of different users need not be synchronized, but must have the same speed. For the purposes of the analysis only, a reference clock is considered, and the relative times of the participants are measured with respect to it.
· The (local) times at which user i respectively starts and ends his execution of step s of round r.
· Λ and λ: essentially, upper bounds on the time needed to execute step 1 and on the time needed to execute any other step of the Algorand protocol, respectively.
The parameter Λ is an upper bound on the time needed to propagate a single 1MB block.
The parameter λ is an upper bound on the time needed to propagate one small message per verifier in a step s > 1.
We assume Λ ≤ 4λ.
Concepts
Verifier selection.
For each round r and step s > 1, $SV^{r,s} \triangleq \{i \in PK^{r-k} : .H(SIG_i(r,s,Q^{r-1})) \le p\}$.
Each user $i \in PK^{r-k}$ privately computes his signature using his long-term key and decides whether $i \in SV^{r,s}$. If $i \in SV^{r,s}$, then $SIG_i(r,s,Q^{r-1})$ is the (r, s)-credential of i.
For the first step of round r, $SV^{r,1}$ and the (r, 1)-credential are defined similarly, with p replaced by $p_1$.
The members of $SV^{r,1}$ are the potential leaders.
Leader selection.
User $i \in SV^{r,1}$ is the leader of round r, denoted $l^r$, if
$H(SIG_i(r,1,Q^{r-1})) \le H(SIG_j(r,1,Q^{r-1}))$ for all potential leaders $j \in SV^{r,1}$.
Whenever the hashed credentials of two participants are compared, in the unlikely event of a tie, the protocol always breaks the tie lexicographically according to the (long-term public keys of the) potential leaders.
By definition, the hashed credential of $l^r$ is also the smallest among all users in $PK^{r-k}$. Note that a potential leader cannot privately decide whether he is the leader without seeing the credentials of the other potential leaders.
Since the hash values are uniformly random, whenever $SV^{r,1}$ is non-empty, $l^r$ always exists and is honest with probability at least h. The parameter $n_1$ is large enough to ensure that each $SV^{r,1}$ is non-empty with overwhelming probability.
Block structure.
A non-empty block has the form
$B^r = (r, PAY^r, SIG_{l^r}(Q^{r-1}), H(B^{r-1}))$,
and the empty block is the default block of round r.
Note that a non-empty block may still contain an empty payment set $PAY^r$, if no payment occurred in the round or if the leader is malicious. However, a non-empty block implies that the identity of $l^r$, his credential $SIG_{l^r}(r,1,Q^{r-1})$ and his signature $SIG_{l^r}(Q^{r-1})$ are all timely revealed. The protocol guarantees that, if the leader is honest, the block is non-empty with overwhelming probability.
Seed $Q^r$.
If $B^r$ is non-empty, then $Q^r \triangleq H(SIG_{l^r}(Q^{r-1}), r)$; otherwise, $Q^r \triangleq H(Q^{r-1}, r)$.
Parameters
Relationships among the various parameters.
- The verifiers and potential leaders of round r are selected from the users in $PK^{r-k}$, where k is chosen so that the adversary cannot predict $Q^{r-1}$ back at round r-k-1 with probability better than F: otherwise, he would be able to introduce malicious users for round r-k (all of whom would be potential leaders/verifiers in round r), so as to successfully have a malicious leader, or a malicious majority in $SV^{r,s}$ for some step s of his choosing.
- For step 1 of each round r, $n_1$ is chosen so that, with overwhelming probability, $SV^{r,1} \ne \emptyset$.
Example choices of important parameters.
- The output of H is 256 bits long.
- h = 80%, $n_1$ = 35.
- Λ = 1 minute and λ = 15 seconds.
Initialization of the protocol.
The protocol starts at time 0 with r = 0. Since there is no "$B^{-1}$" or "$CERT^{-1}$", syntactically $B^{-1}$ is a public parameter (whose third component specifies $Q^{-1}$), and all users know $B^{-1}$ at time 0.
5 Algorand'1
In this section, a version of Algorand' was constructed according to the following assumptions.
Honesty most users assume: each PKrMore than 2/3 are honest.
In section 7 it is shown how the above assumptions are replaced by the desired honest majority currency assumptions.
5.1 additional symbols and parameters
Symbol
·
Figure BDA0002547710260000462
Maximum number of steps in binary BA agreement, multiple of 3.
·LrM/3 or less: random variable, representing when each trial takes probability
Figure BDA0002547710260000463
Is 1 and at most m/3 tests see a number of bernoulli tests required of 1. If all tests fail, then
Figure BDA0002547710260000464
LrWill be used to form the generation block BrThe upper bound of time required.
·
Figure BDA0002547710260000471
The number of signatures required in the end conditions of the protocol.
·CERTr:BrThe certificate of (2). The credential is H (B) from the appropriate verifier in round rr) T ofHA set of signatures.
Parameters
The relationships among the various parameters.
- For each step s > 1 of round r, n is chosen such that, with overwhelming probability,
|HSV^{r,s}| > 2|MSV^{r,s}| and |HSV^{r,s}| + 4|MSV^{r,s}| < 2n.
The closer the value of h is to 1, the smaller n needs to be. In particular, a (variant of the) Chernoff bound is used to ensure that the desired conditions hold with overwhelming probability.
- m is selected such that L^r < m/3 with overwhelming probability.
Example choices of important parameters.
- F = 10^{-12}.
- n ≈ 1500, k ≈ 40 and m ≈ 180.
5.2 Implementing ephemeral keys in Algorand'_1
As already mentioned, we want a verifier i ∈ SV^{r,s} to digitally sign his message [formula] of step s in round r relative to an ephemeral public key [formula], using an ephemeral secret key [formula] that he promptly destroys after use. Therefore an efficient method is needed to ensure that every user can verify that [formula] is really the key to use to verify i's signature of [formula]. This is achieved by a (to the best of our knowledge) new use of identity-based signature schemes.
At a high level, in such a scheme a central authority A generates a public master key PMK and a corresponding secret master key SMK. Given the identity U of a participant U, A computes, via SMK, a secret signing key sk_U relative to the public key U, and privately hands sk_U to U. (Indeed, in an identity-based digital signature scheme, the public key of user U is U itself!) In this way, if A destroys SMK after computing the secret keys of the users for whom he wants to enable the generation of digital signatures, and does not keep any computed secret key, then U is the only user who can digitally sign messages relative to the public key U. Thus, anyone who knows "the name of U" automatically knows the public key of U, and can therefore verify the signatures of U (possibly also using the public master key PMK).
In our application, the authority A is a user i, and the set of all possible users U coincides with the round-step pairs (r, s) in, for example, S = {i} × {r', ..., r' + 10^6} × {1, ..., m+3}, where r' is a given round and m+3 is an upper bound on the number of steps that may occur in a round. In this way, [formula], so that the signature of i, [formula], can be immediately verified with overwhelming probability in the first million rounds r after r'.
In other words, i first generates PMK and SMK. Then i publishes that PMK is i's master public key for any round r ∈ [r', r' + 10^6], and uses SMK to privately generate and store the secret key [formula] of each triple (i, r, s) ∈ S. After doing so, i destroys SMK. If i determines that he is not in SV^{r,s}, i can leave [formula] alone (since the protocol does not require i to authenticate any message in step s of round r). Otherwise, i first uses [formula] to digitally sign his message [formula], and then destroys [formula].
Note that when i first enters the system, he may publish his first public master key. That is, the same payment [formula] that brings i into the system (in round r', or in a round close to r') may also specify, at i's request, i's PMK for any round r ∈ [r', r' + 10^6] (e.g., by including a pair of the form (PMK, [r', r' + 10^6])).
Note also that, since m+3 is the maximum number of steps in a round, the storage of the ephemeral keys so generated lasts i two years, assuming that a round takes one minute. At the same time, generating these ephemeral secret keys does not take i too long. With an elliptic-curve-based system with 32B keys, each secret key is computed in a few microseconds. Thus, if m+3 = 180, all 180M secret keys can be computed in less than an hour.
As the current round approaches r' + 10^6, to handle the next million rounds i generates a new (PMK', SMK') pair and informs everyone what his next stored ephemeral keys are, e.g., by having SIG_i(PMK', [r' + 10^6 + 1, r' + 2·10^6 + 1]) enter a new block, either as a separate "transaction" or as additional information that is part of a payment. By doing so, i informs everyone that PMK' should be used to verify i's ephemeral signatures in the next million rounds. And so on.
(Note that this basic approach can also be followed with other ways of implementing ephemeral keys that do not use identity-based signatures, which are of course possible, e.g., via Merkle trees.^10)
Footnote 10: Other ways of implementing ephemeral keys are of course possible, e.g., via Merkle trees.
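The following is an added example, not code from the patent or from Algorand: it realises ephemeral per-(round, step) keys with the Merkle-tree alternative mentioned in footnote 10 rather than with an identity-based scheme. Each (r, s) pair gets a Lamport one-time key; the Merkle root over all ephemeral public keys plays the role of the published master public key PMK; a secret key is deleted right after its single use, and a verifier checks both the one-time signature and that the key really sits at leaf (r, s) under the root. Key sizes, the leaf layout, and all names (EphemeralSigner, verify_ephemeral, and so on) are this example's own choices.

```python
# Added example (not from the patent): ephemeral (r, s) signing keys via a
# Merkle tree of Lamport one-time keys.  The tree root stands in for PMK.
import hashlib
import os


def H(data):
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """One-time key: 256 pairs of random secrets; public key = their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def pk_digest(pk):
    return H(b"".join(x + y for x, y in pk))


def msg_bits(msg):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]


def lamport_verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(msg_bits(msg)))


def merkle_tree(leaves):
    """Return (root, paths); paths[i] lists (is_right, sibling) from leaf i up."""
    level = list(leaves)
    paths = [[] for _ in leaves]
    pos = list(range(len(leaves)))
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])          # duplicate last node on odd levels
        for i in range(len(paths)):
            paths[i].append((pos[i] & 1, level[pos[i] ^ 1]))
            pos[i] >>= 1
        level = [H(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], paths


def merkle_verify(root, leaf, path):
    """Recompute the root; also return the leaf index encoded by the path."""
    node, index = leaf, 0
    for depth, (is_right, sibling) in enumerate(path):
        node = H(sibling + node) if is_right else H(node + sibling)
        index |= is_right << depth
    return node == root, index


class EphemeralSigner:
    """One Lamport key per (round, step) for a stash of rounds; pmk = Merkle root."""

    def __init__(self, first_round, rounds, steps):
        self.first_round, self.steps = first_round, steps
        self.sk, self.pk, leaves = {}, {}, []
        for r in range(first_round, first_round + rounds):
            for s in range(1, steps + 1):
                sk, pk = lamport_keygen()
                self.sk[(r, s)], self.pk[(r, s)] = sk, pk
                leaves.append(pk_digest(pk))
        self.pmk, paths = merkle_tree(leaves)
        self.path = {key: paths[self.leaf_index(*key)] for key in self.pk}

    def leaf_index(self, r, s):
        return (r - self.first_round) * self.steps + (s - 1)

    def sign(self, r, s, msg):
        sk = self.sk.pop((r, s))             # KeyError if already used and destroyed
        sig = lamport_sign(sk, msg)
        del sk                               # the ephemeral secret key is gone for good
        return {"r": r, "s": s, "msg": msg, "pk": self.pk[(r, s)],
                "sig": sig, "path": self.path[(r, s)]}


def verify_ephemeral(pmk, first_round, steps, signed):
    """Signature valid and the key is the one published for (r, s) under pmk."""
    ok, index = merkle_verify(pmk, pk_digest(signed["pk"]), signed["path"])
    expected = (signed["r"] - first_round) * steps + (signed["s"] - 1)
    return ok and index == expected and lamport_verify(signed["pk"], signed["msg"], signed["sig"])
```

The binding of the leaf index to (r, s) is what stops a key prepared for one step from being reused in another; the pop-and-delete in sign is the "destroy after use" of the text. The same sign call also serves the refresh described later for Algorand'_2: the last ephemeral key of a stash can sign the root of a freshly generated EphemeralSigner, so that the new root is authenticated by a key everyone can already verify.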
5.3 Matching the steps of Algorand'_1 with those of BA*
As we said, Algorand'_1 has at most m+3 steps.
Step 1. In this step, each potential leader i computes and propagates his candidate block [formula] together with his own credential [formula]. Recall that this credential identifies i unambiguously. This is so because [formula].
The potential verifier i also propagates his pair [formula] as part of his message. i's signature of the block of unprocessed payments and his credential are relative to his ephemeral public key [formula]; that is, i propagates [formula]. Given our conventions, i could propagate [formula] rather than [formula] and [formula]. However, in the analysis it is necessary to have [formula] specifically.
Step 2. In this step, each verifier i sets [formula] to the potential leader whose hashed credential is smallest, and sets [formula] to the block proposed by [formula]. Since for efficiency we want to agree on H(B^r) rather than directly on B^r, i propagates the message he would propagate in the first step of BA* with initial value [formula]. That is, i propagates v'_i (after ephemerally signing it, of course, i.e., after signing it relative to the correct ephemeral public key, in this case [formula]). Of course, i also transmits his own credential.
Since BA* begins with the first step of the graded consensus protocol GC, step 2 of Algorand' corresponds to the first step of GC.
Step 3. In this step, each verifier i ∈ SV^{r,2} performs the second step of BA*. That is, he sends the same message he would have sent in the second step of GC. Again, i's message is ephemerally signed and accompanied by i's credential. (From now on, we will omit saying that a verifier ephemerally signs his message and also propagates his credential.)
Step 4. In this step, each verifier i ∈ SV^{r,4} computes the output (v_i, g_i) of GC and sends the same message he would have sent in the third step of BA* (i.e., in the first step of BBA*), with initial bit 0 if g_i = 2 and initial bit 1 otherwise.
Steps s = 5, ..., m+2. If ever reached, step s corresponds to step s-1 of BA* and thus to step s-3 of BBA*.
Since the propagation model is sufficiently asynchronous, we must consider the possibility that, in the middle of such a step s, a verifier i ∈ SV^{r,s} is reached by evidence that block B^r has already been chosen. In this case, i stops his own execution of round r of Algorand' and starts executing his instructions for round r+1.
Accordingly, in addition to the instructions corresponding to step s-3 of BBA*, verifier i ∈ SV^{r,s} also checks whether the execution of BBA* has halted in a previous step s'. Since BBA* can only halt in a Coin-Fixed-To-0 step or in a Coin-Fixed-To-1 step, the instructions distinguish whether
A (ending condition 0): s' - 2 ≡ 0 mod 3, or
B (ending condition 1): s' - 2 ≡ 1 mod 3.
In fact, in case A, block B^r is non-empty, and thus additional instructions are needed to ensure that i properly reconstructs B^r together with its proper certificate CERT^r. In case B, block B^r is empty, and thus i is instructed to set [formula] and to compute CERT^r.
If, while performing step s, i does not see any evidence that block B^r has already been generated, then i sends the same message he would have sent in step s-3 of BBA*.
Step m+3. If, during step m+3, i ∈ SV^{r,m+3} sees that a block has been generated in a previous step s', he proceeds as explained above.
Otherwise, rather than sending the same message he would have sent in step m of BBA*, i is instructed to compute B^r and its corresponding certificate CERT^r based on the information he has.
Recall that, in fact, m+3 is the upper bound on the total number of steps of a round.
5.4 Actual protocol
Recall that, in each step s of round r, a verifier i ∈ SV^{r,s} uses his long-term public-secret key pair to produce his credential [formula] and SIG_i(Q^{r-1}) (in case s = 1). Verifier i uses his ephemeral secret key [formula] to sign his (r, s) message [formula]. For simplicity, when r and s are clear, we write esig_i(x) rather than [formula] to denote i's proper ephemeral signature of the value x in step s of round r, and write ESIG_i(x) rather than [formula] to denote (i, x, esig_i(x)).
Step 1: block proposition
For each user i ∈ PKr-kThe instructions of (1): a knows Br-1User i starts step 1 of his own round r.
User i according to Br-1Third component of (2) calculating Qr-1And checking whether i ∈ SV is presentr,1
If
Figure BDA00025477102600005111
I immediately stops his own execution of step 1.
If i ∈ SVr,1(i.e. if i is a potential leader), he collects the r' th rounds of payments that have been propagated to him so far and calculates from these payments the maximum set of payments
Figure BDA00025477102600005113
Next, i calculates his "candidate blocks"
Figure BDA00025477102600005114
Finally, i calculate message
Figure BDA00025477102600005115
Destroying his temporary secret key
Figure BDA0002547710260000519
And then spread
Figure BDA00025477102600005116
In practice, it is important to selectively propagate the (r,1) message in order to shorten the global execution of step 1. I.e. for each user i in the system, for the first (r,1) message he has received and successfully authenticated,11participant i disseminates it as usual. For all other (r,1) messages that participant i receives and successfully authenticates, only if the hash value of the credential that the message contains has been received so far at that participant and successfully authenticatedThe participant propagates the message only if there is a minimum in the hash value of the credentials contained in all (r,1) messages. In addition, each potential leader i also propagates its own credentials separately, as suggested by Georgios Vlachos
Figure BDA0002547710260000522
It is useful that: those small messages travel faster than the blocks, ensuring timely propagation
Figure BDA0002547710260000523
(where the included credentials have small hash values) while those credentials with large hash values are quickly disappeared.
Figure DA00025477102636177
Step 2: first step of hierarchical consensus protocol GC
For each user i ∈ PKr-kThe instructions of (1): a knows Br-1User i starts step 2 of his own round r.
User i according to Br-1Third component of (2) calculating Qr-1And checking whether i ∈ SV is presentr,2
If
Figure BDA00025477102600005214
I immediately stops his own execution of step 2.
If i ∈ SVr,2Then wait a certain amount of time
Figure BDA0002547710260000525
Thereafter, i acts as follows.
I discover user l so that all credentials that are part of the successfully authenticated (r,1) message he has received so far
Figure BDA00025477102600005215
12
2. If i receives a valid message from l
Figure BDA00025477102600005216
13Then it is set up
Figure BDA00025477102600005217
Otherwise, i is set
Figure BDA00025477102600005218
I calculation messages
Figure BDA00025477102600005219
14Destroying his temporary secret key
Figure BDA00025477102600005212
And then spread
Figure BDA00025477102600005220
Figure DA00025477102636257
Step 3: Second step of GC
Instructions for every user i ∈ PK^{r-k}: user i starts his own step 3 of round r as soon as he knows B^{r-1}.
- User i computes Q^{r-1} from the third component of B^{r-1} and checks whether i ∈ SV^{r,3}.
- If i ∉ SV^{r,3}, i stops his own execution of step 3 right away.
- If i ∈ SV^{r,3}, then after waiting an amount of time [formula], i acts as follows.
1. If there exists a value v' ≠ ⊥ such that, among all the valid messages [formula] received by i, more than 2/3 have the form [formula], without any contradiction,^15 then i computes the message [formula]. Otherwise, i computes [formula].
2. i destroys his ephemeral secret key [formula] and then propagates [formula].
Step 4: Output of GC and first step of BBA*
Instructions for every user i ∈ PK^{r-k}: user i starts his own step 4 of round r as soon as he knows B^{r-1}.
- User i computes Q^{r-1} from the third component of B^{r-1} and checks whether i ∈ SV^{r,4}.
- If i ∉ SV^{r,4}, i stops his own execution of step 4 right away.
- If i ∈ SV^{r,4}, then after waiting an amount of time [formula], i acts as follows.
1. i computes v_i and g_i, the output of GC, as follows.
(a) If there exists a value v' ≠ ⊥ such that, among all the valid messages [formula] received by i, more than 2/3 have the form [formula], then i sets [formula] and [formula].
(b) Otherwise, if there exists a value v' ≠ ⊥ such that, among all the valid messages [formula] received by i, more than 1/3 have the form [formula], then i sets [formula] and [formula].^16
(c) Otherwise, i sets [formula] and [formula].
2. i computes b_i, the input of BBA*, as follows: if g_i = 2, then [formula]; otherwise, [formula].
3. i computes the message [formula], destroys his ephemeral secret key [formula], and then propagates [formula].
Step s, 5 ≤ s ≤ m+2, s-2 ≡ 0 mod 3: a Coin-Fixed-To-0 step of BBA*
Instructions for every user i ∈ PK^{r-k}: user i starts his own step s of round r as soon as he knows B^{r-1}.
- User i computes Q^{r-1} from the third component of B^{r-1} and checks whether i ∈ SV^{r,s}.
- If i ∉ SV^{r,s}, i stops his own execution of step s right away.
- If i ∈ SV^{r,s}, then i acts as follows.
- i waits until an amount of time [formula] has passed.
- Ending condition 0: if, during such waiting and at any point in time, there exist a string v ≠ ⊥ and a step s' such that
(a) 5 ≤ s' ≤ s, s'-2 ≡ 0 mod 3, i.e., step s' is a Coin-Fixed-To-0 step,
(b) i has received at least t_H valid messages [formula],^17 and
(c) i has received a valid message [formula] with [formula],
then i stops his own execution of step s (and in fact of round r) right away without propagating anything; sets [formula]; and sets his own CERT^r to be the set of messages [formula] of sub-step (b).^18
- Ending condition 1: if, during such waiting and at any point in time, there exists a step s' such that
(a') 6 ≤ s' ≤ s, s'-2 ≡ 1 mod 3, i.e., step s' is a Coin-Fixed-To-1 step, and
(b') i has received at least t_H valid messages [formula],^19
then i stops his own execution of step s (and in fact of round r) right away without propagating anything; sets [formula]; and sets his own CERT^r to be the set of messages [formula] of sub-step (b').
- Otherwise, at the end of the waiting, user i does the following.
- i sets v_i to the majority vote of the v_j's in the second components of all the valid [formula] he has received.
- i computes b_i as follows:
if more than 2/3 of all the valid [formula] he has received are of the form [formula], then i sets [formula];
otherwise, if more than 2/3 of all the valid [formula] he has received are of the form [formula], then i sets [formula];
otherwise, i sets [formula].
- i computes the message [formula], destroys his ephemeral secret key [formula], and then propagates [formula].
Step s, 6 ≤ s ≤ m+2, s-2 ≡ 1 mod 3: a Coin-Fixed-To-1 step of BBA*
Instructions for every user i ∈ PK^{r-k}: user i starts his own step s of round r as soon as he knows B^{r-1}.
- User i computes Q^{r-1} from the third component of B^{r-1} and checks whether i ∈ SV^{r,s}.
- If i ∉ SV^{r,s}, i stops his own execution of step s right away.
- If i ∈ SV^{r,s}, then i does the following.
- i waits until an amount of time [formula] has passed.
- Ending condition 0: the same instructions as in a Coin-Fixed-To-0 step.
- Ending condition 1: the same instructions as in a Coin-Fixed-To-0 step.
- Otherwise, at the end of the waiting, user i does the following.
- i sets v_i to the majority vote of the v_j's in the second components of all the valid [formula] he has received.
- i computes b_i as follows:
if more than 2/3 of all the valid [formula] he has received are of the form [formula], then i sets [formula];
otherwise, if more than 2/3 of all the valid [formula] he has received are of the form [formula], then i sets [formula];
otherwise, i sets [formula].
- i computes the message [formula], destroys his ephemeral secret key [formula], and then propagates [formula].
Step s, 7 ≤ s ≤ m+2, s-2 ≡ 2 mod 3: a Coin-Genuinely-Flipped step of BBA*
Instructions for every user i ∈ PK^{r-k}: user i starts his own step s of round r as soon as he knows B^{r-1}.
- User i computes Q^{r-1} from the third component of B^{r-1} and checks whether i ∈ SV^{r,s}.
- If i ∉ SV^{r,s}, i stops his own execution of step s right away.
- If i ∈ SV^{r,s}, then i does the following.
- i waits until an amount of time [formula] has passed.
- Ending condition 0: the same instructions as in a Coin-Fixed-To-0 step.
- Ending condition 1: the same instructions as in a Coin-Fixed-To-0 step.
- Otherwise, at the end of the waiting, user i does the following.
- i sets v_i to the majority vote of the v_j's in the second components of all the valid [formula] he has received.
- i computes b_i as follows:
if more than 2/3 of all the valid [formula] he has received are of the form [formula], then i sets [formula];
otherwise, if more than 2/3 of all the valid [formula] he has received are of the form [formula], then i sets [formula];
otherwise, let [formula] be the set of (r, s-1) verifiers from which i has received valid messages [formula]; i sets [formula].
- i computes the message [formula], destroys his ephemeral secret key [formula], and then propagates [formula].
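The vote-counting rules above (the GC output of step 4, the b_i / v_i computation of the BBA* steps s ≥ 5, and the two ending conditions) written out as code. This is an added example, not code from the patent or from Algorand: signatures and credentials are abstracted away, so every message is assumed to have already passed verification, credentials are represented only by an integer standing for their hash value, and the names Msg, gc_output, bba_vote and check_ending are this example's own. It also serves as the check a non-verifier runs when reconstructing the round-r block, since that uses the same ending conditions.

```python
# Added example (not from the patent): GC output, BBA* vote rules and the ending
# conditions of Algorand'_1, on constructed (already verified) messages.
from collections import Counter, namedtuple
import hashlib

# A verified step-s message of verifier `sender`: b is the BBA* bit (None in GC
# steps), v the value voted for (a block hash, or None for bottom), cred an
# integer standing for the hashed credential H(sigma) of the sender.
Msg = namedtuple("Msg", "sender step b v cred")


def step_kind(s):
    """BBA* step s >= 5 is Coin-Fixed-To-0, Coin-Fixed-To-1 or Coin-Genuinely-Flipped."""
    if s < 5:
        raise ValueError("BBA* steps start at 5")
    return ("fixed0", "fixed1", "flipped")[(s - 2) % 3]


def gc_output(step3_msgs):
    """Step 4: (v_i, g_i) from the valid step-3 messages ESIG_j(v'_j)."""
    n = len(step3_msgs)
    counts = Counter(m.v for m in step3_msgs if m.v is not None)
    for v, c in counts.items():
        if 3 * c > 2 * n:          # more than 2/3 carry the same v'
            return v, 2
    for v, c in counts.items():
        if 3 * c > n:              # more than 1/3 carry the same v'
            return v, 1
    return None, 0                 # (bottom, 0)


def bba_input(g_i):
    """Step 4: the initial BBA* bit is 0 exactly when the grade is 2."""
    return 0 if g_i == 2 else 1


def bba_vote(s, prev_msgs):
    """Step s >= 5 with no ending condition met: (b_i, v_i) from valid step s-1 messages."""
    if not prev_msgs:
        raise ValueError("no valid messages from step s-1")
    n = len(prev_msgs)
    v_i = Counter(m.v for m in prev_msgs).most_common(1)[0][0]   # majority vote
    zeros = sum(1 for m in prev_msgs if m.b == 0)
    ones = sum(1 for m in prev_msgs if m.b == 1)
    if 3 * zeros > 2 * n:
        b_i = 0
    elif 3 * ones > 2 * n:
        b_i = 1
    else:
        kind = step_kind(s)
        if kind == "fixed0":
            b_i = 0
        elif kind == "fixed1":
            b_i = 1
        else:   # genuinely flipped: lsb of the smallest hashed credential received
            b_i = min(m.cred for m in prev_msgs) & 1
    return b_i, v_i


def check_ending(received, s, t_h, proposals):
    """Ending conditions 0 and 1, as checked during step s (or by a non-verifier).

    received:  valid BBA* messages of steps 5..s seen so far
    proposals: {H(B): B} for the valid (r,1) block proposals seen
    Returns ("block", B, cert), ("empty", None, cert) or None.
    """
    for sp in range(5, s + 1):
        msgs = [m for m in received if m.step == sp]
        kind = step_kind(sp)
        if kind == "fixed0":
            for v in {m.v for m in msgs if m.b == 0}:
                cert = [m for m in msgs if m.b == 0 and m.v == v]
                if len(cert) >= t_h and v in proposals:     # (b) and (c)
                    return "block", proposals[v], cert
        elif kind == "fixed1":
            cert = [m for m in msgs if m.b == 1]
            if len(cert) >= t_h:                              # (b')
                return "empty", None, cert
    return None


def block_hash(block):
    """Stand-in for H(B) on a constructed block given as bytes."""
    return hashlib.sha256(block).hexdigest()


def demo():
    """Constructed round: 7 step-5 verifiers, t_H = 5, one proposed block B."""
    B = b"constructed block payload"
    hv = block_hash(B)
    step5 = [Msg(j, 5, 0, hv, 100 + j) for j in range(5)] + \
            [Msg(j, 5, 1, hv, 100 + j) for j in range(5, 7)]
    return check_ending(step5, 5, 5, {hv: B}), bba_vote(6, step5)
```

Note that in check_ending the condition-0 certificate must name a block whose proposal was actually received (the (c) clause), whereas condition 1 only needs t_H votes for 1 and certifies the empty block; a node that has the votes but not the block keeps waiting, which is exactly the situation the non-verifier reconstruction rules handle.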
Step m+3: Last step of BBA*^20
Instructions for every user i ∈ PK^{r-k}: user i starts his own step m+3 of round r as soon as he knows B^{r-1}.
- User i computes Q^{r-1} from the third component of B^{r-1} and checks whether i ∈ SV^{r,m+3}.
- If i ∉ SV^{r,m+3}, i stops his own execution of step m+3 right away.
- If i ∈ SV^{r,m+3}, then i does the following.
- i waits until an amount of time [formula] has passed.
- Ending condition 0: the same instructions as in a Coin-Fixed-To-0 step.
- Ending condition 1: the same instructions as in a Coin-Fixed-To-0 step.
- Otherwise, at the end of the waiting, user i does the following.
- i sets [formula] and [formula].
- i computes the message [formula], destroys his ephemeral secret key [formula], and then propagates [formula] to certify B^r.^21
Reconstruction of the round-r block by non-verifiers
Instructions for every user i in the system: user i starts his own round r as soon as he knows B^{r-1}, and waits for block information as follows.
- If, during such waiting and at any point in time, there exist a string v and a step s' such that
(a) 5 ≤ s' ≤ m+3 with s'-2 ≡ 0 mod 3,
(b) i has received at least t_H valid messages [formula], and
(c) i has received a valid message [formula] with [formula],
then i stops his own execution of round r right away; sets [formula]; and sets his own CERT^r to be the set of messages [formula] of sub-step (b).
- If, during such waiting and at any point in time, there exists a step s' such that
(a') 6 ≤ s' ≤ m+3 with s'-2 ≡ 1 mod 3, and
(b') i has received at least t_H valid messages [formula],
then i stops his own execution of round r right away; sets [formula]; and sets his own CERT^r to be the set of messages [formula] of sub-step (b').
- If, during such waiting and at any point in time, i has received at least t_H valid messages [formula], then i stops his own execution of round r right away; sets [formula]; and sets his own CERT^r to be the set of messages [formula] for 1 and [formula].
6 Algorand'_2
In this section, a version of Algorand' is constructed under the following assumption.
Honest majority of users assumption: more than 2/3 of each PK^r is honest.
In section 7 it is shown how the above assumption is replaced by the desired honest majority of money assumption.
6.1 Additional notation and parameters of Algorand'_2
Notation
· μ ([formula]): a practical upper bound on the number of steps that, with overwhelming probability, will actually be taken in a round. (As will be seen, the parameter μ controls how many ephemeral keys a user prepares in advance for each round.)
· L^r: a random variable representing the number of Bernoulli trials needed to see a 1, when each trial is 1 with probability [formula]. L^r will be used to upper-bound the time needed to generate block B^r.
· t_H: a number of honest verifiers for step s > 1 of round r, such that with overwhelming probability (given n and p) there are more than t_H honest verifiers in SV^{r,s}.
Parameters
The relationships among the various parameters.
- For each step s > 1 of round r, n is chosen such that, with overwhelming probability,
|HSV^{r,s}| > t_H and |HSV^{r,s}| + 2|MSV^{r,s}| < 2t_H.
Note that the two inequalities above together imply |HSV^{r,s}| > 2|MSV^{r,s}|: that is, among the selected verifiers, more than 2/3 are honest.
The closer the value of h is to 1, the smaller n needs to be. In particular, a (variant of the) Chernoff bound is used to ensure that the desired conditions hold with overwhelming probability.
Specific choices of important parameters.
- F = 10^{-18}.
- n ≈ 4000, t_H ≈ 0.69n, k = 70.
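A numerical check of the verifier-selection conditions of sections 5.1 and 6.1, added here as an example (not code from the patent). The model is this example's own assumption: the n verifiers of a step are treated as n independent draws, each honest with probability h, so the number of malicious verifiers M is Binomial(n, 1-h) and |HSV| = n - M. The patent argues with a Chernoff bound; here the failure probability is summed exactly in log space so that values far below 1e-300 do not underflow to zero. The function names and the 80% honesty figure (taken from the example parameters of the previous section) are the example's choices.

```python
# Added example (not from the patent): exact binomial check that the chosen n
# (and t_H) make the honest/malicious verifier conditions fail with
# probability below F.
import math


def log_binom_pmf(n, k, p):
    """log P[Bin(n, p) = k], computed with lgamma so huge n does not overflow."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))


def prob_condition_fails(n, h, condition):
    """P[condition(|HSV|, |MSV|) is False] when |MSV| ~ Bin(n, 1-h), |HSV| = n-|MSV|."""
    p = 1 - h
    bad = [m for m in range(n + 1) if not condition(n - m, m)]
    if not bad:
        return 0.0
    if p <= 0:                     # everybody honest: only M = 0 is possible
        return 1.0 if 0 in bad else 0.0
    if p >= 1:                     # nobody honest: only M = n is possible
        return 1.0 if n in bad else 0.0
    logs = [log_binom_pmf(n, m, p) for m in bad]
    top = max(logs)                # factor out the largest term before exp()
    return math.exp(top) * sum(math.exp(x - top) for x in logs)


def cond_algorand1(n):
    """Section 5.1: |HSV| > 2|MSV| and |HSV| + 4|MSV| < 2n."""
    return lambda hsv, msv: hsv > 2 * msv and hsv + 4 * msv < 2 * n


def cond_algorand2(t_h):
    """Section 6.1: |HSV| > t_H and |HSV| + 2|MSV| < 2 t_H."""
    return lambda hsv, msv: hsv > t_h and hsv + 2 * msv < 2 * t_h


def max_tolerable_malicious(n, condition):
    """Largest |MSV| for which the condition still holds (None if it never holds)."""
    ok = [m for m in range(n + 1) if condition(n - m, m)]
    return max(ok) if ok else None


def parameters_are_safe(n, h, F, condition):
    """True when the condition fails with probability below the target F."""
    return prob_condition_fails(n, h, condition) < F
```

For the page's own numbers, n ≈ 1500 with h = 80% leaves a margin of roughly 13 standard deviations before |MSV| reaches n/3, and n ≈ 4000 with t_H ≈ 0.69n behaves similarly, so both pass their F targets; lowering h to 60% makes the same n fail, which shows why the text ties n to h.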
6.2 Implementing ephemeral keys in Algorand'_2
Recall that a verifier i ∈ SV^{r,s} digitally signs his message [formula] of step s in round r relative to an ephemeral public key [formula], using an ephemeral secret key [formula] that he promptly destroys after use. When the number of possible steps that a round may take is upper-bounded by a given integer μ, we have already seen how to practically handle ephemeral keys. For example, as already explained for Algorand'_1 (where μ = m+3), to handle all his possible ephemeral keys from round r' to round r' + 10^6, user i publishes PMK and uses SMK to generate a secret key for each possible ephemeral public key (and destroys SMK after doing so). The set of ephemeral public keys of i for the relevant rounds is S = {i} × {r', ..., r' + 10^6} × {1, ..., μ}. (As discussed above, when round r' + 10^6 approaches, i "refreshes" his pair (PMK, SMK).)
In practice, if μ is sufficiently large, Algorand'_2 will not take more than μ steps. In principle, however, there is the remote possibility that, for some round r, the number of steps actually taken exceeds μ. When this happens, i would be unable to sign his message [formula] for any step s > μ, because he has prepared only μ secret keys for round r in advance. Moreover, he cannot prepare and publish a new stash of ephemeral keys as discussed before. In fact, to do so he would need to insert a new public master key PMK' in a new block. But if round r takes more and more steps, no new block is being generated.
However, solutions exist. For instance, i may use his last ephemeral key of round r, [formula], as follows. i generates another stash of keys for round r, e.g., by (1) generating another master key pair [formula]; (2) using this pair to generate another, say, 10^6 ephemeral keys [formula], corresponding to steps μ+1, ..., μ+10^6 of round r; (3) relative to [formula], using [formula] to digitally sign [formula] (and any (r, μ) message, if i ∈ SV^{r,μ}); and (4) erasing [formula] and [formula]. If i becomes a verifier of step μ+s (where s ∈ {1, ..., 10^6}), then i digitally signs his (r, μ+s) message [formula] relative to his new key [formula]. Of course, to verify this signature of i, others need to know that this public key corresponds to the new public master key [formula] of i. Thus, in addition to this signature, i also transmits his digital signature of [formula] relative to [formula].
Of course, as long as round r continues with more and more steps, this method can be repeated as many times as necessary! The last ephemeral secret key is used to authenticate a new master public key, and thus another stash of ephemeral keys for round r. And so on.
6.3 Actual protocol of Algorand'_2
Recall again that, in each step s of round r, a verifier i ∈ SV^{r,s} uses his long-term public-secret key pair to produce his credential [formula] and SIG_i(Q^{r-1}) (in case s = 1). Verifier i uses his ephemeral key pair [formula] to sign any other message m that may be needed. For simplicity, we write esig_i(m) rather than [formula] to denote i's proper ephemeral signature of m in this step, and write ESIG_i(m) rather than [formula].
Step 1: block proposition
For each user i ∈ PKr-kThe instructions of (1): user i Once owning CERTr-1It starts its own round r, step 1, which certificate enables i to explicitly calculate H (B)r-1) And Qr-1
User i uses Qr-1To check whether i ∈ SVr,1. If it is not
Figure BDA0002547710260000618
i does nothing in step 1.
If i ∈ SVr,1That is, if i is a potential leader, then i proceeds as follows.
(a) If i sees B by itself0,...,Br-1(any of
Figure BDA0002547710260000619
Can be easily derived therefrom at CERTjAnd thus assuming "seen"), then i collects the payments that have been propagated up to now to his r-th round and calculates from these payments the maximum set of payments
Figure BDA00025477102600006110
(b) If i has not seen all B yet0,...,Br-1Then i is set
Figure BDA00025477102600006111
(c) Next, i calculates his "candidate blocks"
Figure BDA00025477102600006112
(c) Finally, i calculate message
Figure BDA0002547710260000622
Destroying his temporary secret key
Figure BDA0002547710260000623
And then propagate the two messages separately but simultaneously
Figure BDA0002547710260000624
And
Figure BDA0002547710260000625
22
Figure DA00025477102636871
Selective propagation
To shorten the global execution of step 1 and of the whole round, it is important that the (r,1) messages are selectively propagated. That is, for every user j in the system,
- for the first (r,1) message he has received and successfully verified,^23 whether it contains a block or is just a credential and Q^{r-1}, participant j propagates it as usual;
- for all other (r,1) messages that participant j receives and successfully verifies, he propagates the message only if the hash value of the credential it contains is the smallest among the hash values of the credentials contained in all the (r,1) messages he has received and successfully verified so far;
- however, if j receives two different messages of the form [formula] from the same participant i,^24 j discards the second message no matter what the hash value of i's credential is.
Note that, under selective propagation, it is useful that each potential leader i propagates his credential [formula] separately from [formula]:^25 those small messages travel faster than blocks, ensuring timely propagation of the [formula] whose included credentials have small hash values, while those with large hash values are quickly killed.
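The selective-propagation rules of this section, and the simpler rule given for step 1 of Algorand'_1 above, as a relay-side filter in code. This is an added example, not code from the patent or from Algorand: it assumes the (r,1) messages have already been authenticated, reduces a credential to an integer standing for its hash value, and distinguishes the credential-only message from the block message by a kind tag; Round1Relay, relay_trace and the constructed arrival list are this example's own.

```python
# Added example (not from the patent): a relay's filter over the verified (r,1)
# messages of one round, following the Algorand'_2 selective-propagation rules
# (the Algorand'_1 rule is the same without the equivocation clause).


class Round1Relay:
    """Decides, per incoming verified (r,1) message, whether to re-propagate it."""

    def __init__(self):
        self.min_cred_hash = None   # smallest credential hash seen so far
        self.seen = {}              # (sender, kind) -> payload of the first such message

    def should_propagate(self, sender, kind, cred_hash, payload=None):
        key = (sender, kind)
        if key in self.seen:
            # Either an exact duplicate (nothing new to relay) or a second,
            # different block from the same proposer: dropped regardless of
            # the credential hash, so equivocation does not spread.
            return False
        self.seen[key] = payload
        # The very first verified (r,1) message is relayed whether it carries a
        # block or only a credential; afterwards a message is relayed only if
        # its credential hash is the minimum seen so far (equality included, so
        # the block that follows the current minimal credential still goes out).
        if self.min_cred_hash is None or cred_hash <= self.min_cred_hash:
            self.min_cred_hash = cred_hash
            return True
        return False


def relay_trace(arrivals):
    """Apply the filter to (sender, kind, cred_hash, payload) arrivals; return what is relayed."""
    relay = Round1Relay()
    return [(sender, kind) for sender, kind, cred_hash, payload in arrivals
            if relay.should_propagate(sender, kind, cred_hash, payload)]


def constructed_arrivals():
    """Constructed arrival order at one relay (not real protocol data)."""
    return [
        ("A", "cred", 0x80, None),         # first message: always relayed
        ("B", "cred", 0x20, None),         # new minimum: relayed
        ("A", "block", 0x80, "block-A"),   # 0x80 > current minimum 0x20: dropped
        ("B", "block", 0x20, "block-B"),   # equals current minimum: relayed
        ("C", "cred", 0x50, None),         # not minimal: dropped
        ("B", "block", 0x20, "block-B2"),  # second, different block from B: dropped
        ("D", "cred", 0x05, None),         # new minimum: relayed
    ]
```

The trace shows the two effects the text describes: only the blocks with the smallest credentials travel, and small credential-only messages can lower the relay's minimum before any block arrives, so a late block with a large credential hash is stopped at the first hop.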
Step 2: first step of hierarchical consensus protocol GC
For each user i ∈ PKr-kThe instructions of (1): a has CERTr-1User i starts step 2 of his own round r.
User i waits a maximum amount of time
Figure BDA00025477102600006210
During waiting, i acts as follows.
1. After waiting a time 2 λ, i discovers user l so that all credentials that are part of the successfully verified (r,1) message he has received so far are signed up for
Figure BDA0002547710260000632
26
Figure DA00025477102636942
2. If i is received and contained in CERTr-1Hash value of (A) H (B)r-1) Matched block Br-127And if it receives a valid message from l
Figure BDA0002547710260000633
28I stops waiting and sets
Figure BDA0002547710260000634
3. Otherwise, at time t2At exhaustion, i set
Figure BDA0002547710260000635
4. When v 'has been set'iWhen i is according to CERTr-1Calculating Qr-1And checking whether i ∈ SV is presentr,2
5. If i ∈ SVr,2Then i calculates the message
Figure BDA0002547710260000636
29Destroying his temporary secret key
Figure BDA0002547710260000637
And then spread
Figure BDA0002547710260000638
Otherwise, i stops without propagating anything.
Step 3: second step of GC
Instructions for every user i ∈ PK^{r-k}: user i starts his own Step 3 of round r as soon as he has CERT^{r-1}.
User i waits a maximum amount of time t_3. While waiting, i acts as follows.
1. If there exists a value v such that i has received at least t_H valid (r,2) messages of the form m_j^{r,2} = (SIG_j(v), σ_j^{r,2}), without any contradiction (i.e., no (r,2) message from the same verifier j for a different value), then i stops waiting and sets v' = v.
2. Otherwise, when time t_3 runs out, i sets v' = ⊥.
3. When the value v' has been set, i computes Q^{r-1} from CERT^{r-1} and checks whether i ∈ SV^{r,3}.
4. If i ∈ SV^{r,3}, then i computes the message m_i^{r,3} = (SIG_i(v'), σ_i^{r,3}), destroys his temporary secret key for step (r,3), and then propagates m_i^{r,3}. Otherwise, i stops without propagating anything.
Step 4: output of GC and first step of BBA*
Instructions for every user i ∈ PK^{r-k}: user i starts his own Step 4 of round r as soon as he finishes his own Step 3.
User i waits a maximum amount of time 2λ. While waiting, i acts as follows.
1. i computes v_i and g_i, the output of GC, as follows.
(a) If there exists a value v' ≠ ⊥ such that i has received at least t_H valid messages m_j^{r,3} = (SIG_j(v'), σ_j^{r,3}), then i stops waiting and sets v_i = v' and g_i = 2.
(b) If i has received at least t_H valid messages m_j^{r,3} = (SIG_j(⊥), σ_j^{r,3}), then i stops waiting and sets v_i = ⊥ and g_i = 0.
(c) Otherwise, when time 2λ runs out, if there exists a value v' ≠ ⊥ such that i has received at least ⌈t_H/2⌉ valid messages m_j^{r,3} = (SIG_j(v'), σ_j^{r,3}), then i sets v_i = v' and g_i = 1.
(d) Otherwise, when time 2λ runs out, i sets v_i = ⊥ and g_i = 0.
2. When the values v_i and g_i have been set, i computes b_i, the input of BBA*, as follows: b_i = 0 if g_i = 2, and b_i = 1 otherwise.
3. i computes Q^{r-1} from CERT^{r-1} and checks whether i ∈ SV^{r,4}.
4. If i ∈ SV^{r,4}, then i computes the message m_i^{r,4} = (SIG_i(b_i), SIG_i(v_i), σ_i^{r,4}), destroys his temporary secret key for step (r,4), and propagates m_i^{r,4}. Otherwise, i stops without propagating anything.
Step s, 5 ≤ s ≤ m+2, s−2 ≡ 0 mod 3: a Coin-Fixed-To-0 step of BBA*
Instructions for every user i ∈ PK^{r-k}: user i starts his own Step s of round r as soon as he finishes his own Step s−1.
User i waits a maximum amount of time 2λ. While waiting, i acts as follows.
- Ending Condition 0: if at any point there exist a string v ≠ ⊥ and a step s' such that
(a) 5 ≤ s' ≤ s and s'−2 ≡ 0 mod 3, i.e., Step s' is a Coin-Fixed-To-0 step,
(b) i has received at least t_H valid messages of the form m_j^{r,s'−1} = (SIG_j(0), SIG_j(v), σ_j^{r,s'−1}), and
(c) i has received a valid (r,1) message m_j^{r,1} from the user j that is the second component of v,
then i stops waiting and ends his own execution of Step s (and in fact of round r) right away, without propagating anything as an (r,s)-verifier; sets H(B^r) to the first component of v; and sets his own CERT^r to the set consisting of the messages m_j^{r,s'−1} of sub-step (b) together with the message of sub-step (c).
- Ending Condition 1: if at any point there exists a step s' such that
(a') 6 ≤ s' ≤ s and s'−2 ≡ 1 mod 3, i.e., Step s' is a Coin-Fixed-To-1 step, and
(b') i has received at least t_H valid messages of the form m_j^{r,s'−1} = (SIG_j(1), SIG_j(v_j), σ_j^{r,s'−1}),
then i stops waiting and ends his own execution of Step s (and in fact of round r) right away, without propagating anything as an (r,s)-verifier; sets B^r to the empty block B_ε^r; and sets his own CERT^r to the set of messages m_j^{r,s'−1} of sub-step (b').
- If at any point i has received at least t_H valid messages of the form m_j^{r,s−1} = (SIG_j(1), SIG_j(v_j), σ_j^{r,s−1}), then i stops waiting and sets b_i = 1.
- If at any point i has received at least t_H valid messages of the form m_j^{r,s−1} = (SIG_j(0), SIG_j(v_j), σ_j^{r,s−1}) that do not all agree on the same v, then i stops waiting and sets b_i = 0.
- Otherwise, when time 2λ runs out, i sets b_i = 0.
- When the value b_i has been set, i computes Q^{r−1} from CERT^{r−1} and checks whether i ∈ SV^{r,s}.
- If i ∈ SV^{r,s}, then i computes the message m_i^{r,s} = (SIG_i(b_i), SIG_i(v_i), σ_i^{r,s}), where v_i is the value he computed in Step 4, destroys his temporary secret key for step (r,s), and then propagates m_i^{r,s}. Otherwise, i stops without propagating anything.
Step s, 6 ≤ s ≤ m+2, s−2 ≡ 1 mod 3: a Coin-Fixed-To-1 step of BBA*
Instructions for every user i ∈ PK^{r-k}: user i starts his own Step s of round r as soon as he finishes his own Step s−1.
User i waits a maximum amount of time 2λ. While waiting, i acts as follows.
- Ending Condition 0: the same instructions as in a Coin-Fixed-To-0 step.
- Ending Condition 1: the same instructions as in a Coin-Fixed-To-0 step.
- If at any point i has received at least t_H valid messages of the form m_j^{r,s−1} = (SIG_j(0), SIG_j(v_j), σ_j^{r,s−1}), then i stops waiting and sets b_i = 0.
- Otherwise, when time 2λ runs out, i sets b_i = 1.
- When the value b_i has been set, i computes Q^{r−1} from CERT^{r−1} and checks whether i ∈ SV^{r,s}.
- If i ∈ SV^{r,s}, then i computes the message m_i^{r,s} = (SIG_i(b_i), SIG_i(v_i), σ_i^{r,s}), where v_i is the value he computed in Step 4, destroys his temporary secret key for step (r,s), and then propagates m_i^{r,s}. Otherwise, i stops without propagating anything.
Step s, 7 ≤ s ≤ m+2, s−2 ≡ 2 mod 3: a Coin-Genuinely-Flipped step of BBA*
Instructions for every user i ∈ PK^{r-k}: user i starts his own Step s of round r as soon as he finishes his own Step s−1.
User i waits a maximum amount of time 2λ. While waiting, i acts as follows.
- Ending Condition 0: the same instructions as in a Coin-Fixed-To-0 step.
- Ending Condition 1: the same instructions as in a Coin-Fixed-To-0 step.
- If at any point i has received at least t_H valid messages of the form m_j^{r,s−1} = (SIG_j(0), SIG_j(v_j), σ_j^{r,s−1}), then i stops waiting and sets b_i = 0.
- If at any point i has received at least t_H valid messages of the form m_j^{r,s−1} = (SIG_j(1), SIG_j(v_j), σ_j^{r,s−1}), then i stops waiting and sets b_i = 1.
- Otherwise, when time 2λ runs out, letting SV_i^{r,s−1} be the set of (r,s−1)-verifiers from whom i has received a valid message m_j^{r,s−1}, i sets b_i = lsb(min_{j ∈ SV_i^{r,s−1}} H(σ_j^{r,s−1})), the least significant bit of the smallest credential hash among them.
- When the value b_i has been set, i computes Q^{r−1} from CERT^{r−1} and checks whether i ∈ SV^{r,s}.
- If i ∈ SV^{r,s}, then i computes the message m_i^{r,s} = (SIG_i(b_i), SIG_i(v_i), σ_i^{r,s}), where v_i is the value he computed in Step 4, destroys his temporary secret key for step (r,s), and then propagates m_i^{r,s}. Otherwise, i stops without propagating anything.
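The output rule of Step 4 and the per-step bit of the three BBA* step types above can be checked against a small model. The following Python is an added example written for this page, not code from the patent or from Algorand: it takes the valid messages a user holds when his wait ends and returns the values the steps set. The threshold of sub-step (c) of Step 4 and the fallback bit of a Coin-Genuinely-Flipped step appear only as images on this page, so the first defaults to ⌈t_H/2⌉ and the second is passed in as a function, both marked as assumptions; the BBAMsg shape and the tiny thresholds used in the comments are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
import math

BOTTOM = None  # stands for the special symbol ⊥


def gc_output(step3_values, t_h, low=None):
    """Step 4, items 1(a)-(d): the output (v_i, g_i) of GC from the values
    signed in the distinct valid (r,3) messages received (BOTTOM for ⊥).
    The sub-step (c) threshold is an image on the page; ceil(t_h/2) is an
    assumption used here as the default."""
    low = math.ceil(t_h / 2) if low is None else low
    tally = Counter(step3_values)
    for v, k in tally.items():
        if v is not BOTTOM and k >= t_h:      # (a) t_H messages for one v'
            return v, 2
    if tally[BOTTOM] >= t_h:                   # (b) t_H messages for ⊥
        return BOTTOM, 0
    for v, k in tally.items():
        if v is not BOTTOM and k >= low:       # (c) partial support at timeout
            return v, 1
    return BOTTOM, 0                           # (d) nothing at timeout


def bba_input(g_i):
    """Step 4, item 2: the BBA* input bit is 0 exactly when the grade is 2."""
    return 0 if g_i == 2 else 1


def step_kind(s):
    """Steps s >= 5 cycle through the three BBA* step types (s-2 mod 3)."""
    return ("fixed-to-0", "fixed-to-1", "genuinely-flipped")[(s - 2) % 3]


@dataclass(frozen=True)
class BBAMsg:
    """A valid (r, step) message as seen by the receiver (constructed shape)."""
    sender: str
    step: int
    b: int          # the bit the sender signed
    v: object       # (H(B), leader) pair, or BOTTOM


def ending_condition(msgs, t_h, s, have_block_of):
    """Ending Condition 0 / 1 for a user executing step s. `msgs` maps a step
    number to the valid messages received for it; `have_block_of(v)` tells
    whether the (r,1) message of v's second component (the leader) was
    received. Returns ("0", v), ("1", None) or None."""
    for s_prime in range(5, s + 1):
        if step_kind(s_prime) == "fixed-to-0":
            agree = Counter(m.v for m in msgs.get(s_prime - 1, ())
                            if m.b == 0 and m.v is not BOTTOM)
            for v, k in agree.items():
                if k >= t_h and have_block_of(v):
                    return "0", v
    for s_prime in range(6, s + 1):
        if step_kind(s_prime) == "fixed-to-1":
            if sum(1 for m in msgs.get(s_prime - 1, ()) if m.b == 1) >= t_h:
                return "1", None
    return None


def bba_bit(prev_msgs, t_h, s, coin):
    """The bit b_i of step s, from the valid (r, s-1) messages held when the
    wait ends (early or at the 2λ timeout). `coin(prev_msgs)` supplies the
    fallback bit of a Coin-Genuinely-Flipped step; the page leaves its
    definition to an image, so it is a parameter here."""
    zeros = sum(1 for m in prev_msgs if m.b == 0)
    ones = sum(1 for m in prev_msgs if m.b == 1)
    kind = step_kind(s)
    if kind == "fixed-to-0":          # t_H disagreeing 0-votes, or timeout: 0
        return 1 if ones >= t_h else 0
    if kind == "fixed-to-1":
        return 0 if zeros >= t_h else 1
    if zeros >= t_h:
        return 0
    if ones >= t_h:
        return 1
    return coin(prev_msgs)


def lsb_of_min_credential(prev_msgs, credential_hash):
    """One concrete coin, an assumption for the example rather than a rule
    read off this page: the low bit of the smallest credential hash among
    the (r, s-1) verifiers heard from."""
    return min(credential_hash(m.sender) for m in prev_msgs) & 1
```

With t_H = 3, three (r,4) messages (0, v) from distinct verifiers plus the leader's (r,1) message make a user executing Step 5 end the round through Ending Condition 0; the same three messages without the block leave him waiting, and at the timeout a Coin-Fixed-To-0 step sets b_i = 0.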
As discussed in Section 6.2, it may happen that a user i ∈ SV^{r,s} (with s > μ) has exhausted his stored, pre-generated temporary keys and must authenticate his (r,s) message by "chaining" temporary keys. In that case i's messages become longer, and transmitting these longer messages takes a bit more time. Accordingly, after that many steps of a given round, the value of the parameter λ is automatically increased slightly. (It reverts to the original λ as soon as a new block is generated and a new round starts.)
Reconstruction of the block of round r by a non-verifier
Instructions for every user i in the system: user i starts his own round r as soon as he has CERT^{r−1}.
i follows the instructions of each step of the protocol, participating in the propagation of all messages, but does not initiate any propagation in a step in which he is not a verifier.
i ends his own round r by entering either Ending Condition 0 or Ending Condition 1 in some step, with the corresponding CERT^r.
From that moment on, he starts his round r+1 while waiting to receive the actual block B^r (unless he has already received it), whose hash H(B^r) has been pinned down by CERT^r. Again, if CERT^r indicates that B^r = B_ε^r, then i knows B^r as soon as he has CERT^r.
7 Protocol Algorand' with honest majority of money
We now explain how to replace the honest-majority-of-users assumption with the more meaningful honest-majority-of-money (HMM) assumption. The basic idea is, in the manner of proof of stake, to select a user i ∈ PK^{r−k} for SV^{r,s} with a weight (i.e., decision power) proportional to the amount of money that i owns.
Under the HMM assumption, one can choose whether this amount should be the money owned at round r−k or at (the beginning of) round r. We choose the latter, provided that continual participation is not a concern. (To remove the need for continual participation, one would choose the former, or better still the amount of money owned at round r−k−2,000.)
There are many ways to implement this idea. The simplest is to have each key hold at most 1 unit of money, and then to select at random n users i from PK^{r−k} such that a_i^{(r)} = 1, where a_i^{(r)} denotes the amount of money held by key i in round r.
The next simplest implementation
The next simplest implementation might be to require a maximum amount of money M per public key, for some fixed M. The value M is small enough, relative to the total amount of money in the system, that the probability that a key belongs to the verifier set of more than one step in, say, k rounds is negligible. Then, with a_i^{(r)} the amount of money held by key i in round r, key i ∈ PK^{r−k} is selected to belong to SV^{r,s} if
H(SIG_i(r,s,Q^{r−1})) ≤ p · a_i^{(r)} / M,
and everything proceeds as before.
A more complex implementation
The last implementation "forces rich participants in the system to have many keys".
The implementation described below generalizes the notion of status and regards each user i as consisting of K+1 copies (i,v), each of which is selected independently as a verifier and has its own temporary key for step s of round r. The value K depends on the amount of money a_i^{(r)} that i owns in round r.
Let us now see how such a system works in more detail.
Number of copies. Let n be the target expected cardinality of each verifier set, and let a_i^{(r)} be the amount of money that user i owns in round r. Let A^r be the total amount of money owned in round r by the users in PK^{r−k}, that is,
A^r = Σ_{i ∈ PK^{r−k}} a_i^{(r)}.
If i is a user in PK^{r−k}, then the copies of i are (i,1), ..., (i,K+1), where
K = ⌊ n · a_i^{(r)} / A^r ⌋.
For example, let n = 1,000, A^r = 10^9 and a_i^{(r)} = 3.7 million. Then K = ⌊1,000 · 3,700,000 / 10^9⌋ = ⌊3.7⌋ = 3.
Verifiers and credentials. Assume that i is a user in PK^{r−k} with K+1 copies.
For each v = 1, ..., K, copy (i,v) automatically belongs to SV^{r,s}. That is, i's credential is σ_i^{r,s} = SIG_i(r,s,Q^{r−1}), but the corresponding condition becomes H(σ_i^{r,s}) ≤ 1, which is always true.
For copy (i,K+1), at each step s of round r, i checks whether
H(SIG_i(r,s,Q^{r−1})) ≤ n · a_i^{(r)} / A^r − K.
If so, copy (i,K+1) belongs to SV^{r,s}. To prove it, i propagates the credential SIG_i(r,s,Q^{r−1}).
For example, as above, let n = 1K, a_i^{(r)} = 3.7M and A^r = 1B, so that i has 4 copies, (i,1), ..., (i,4). Then the first 3 copies automatically belong to SV^{r,s}. Conceptually, Algorand' independently flips a biased coin, with probability 0.7 of landing heads, for the 4th copy; copy (i,4) is selected if and only if the coin lands heads.
(Of course, this biased coin flip is implemented by hashing, signing and comparing, as is done throughout this application, so that i can prove its outcome.)
Business as usual. Having explained how the verifiers are selected and how their credentials are computed at each step of round r, the round is executed similarly to what has already been explained.
8 Algorand assuming no network partitions
Essentially, in Algorand blocks are generated in rounds. In round r,
(1) a properly credentialed leader proposes a new block, and then
(2) properly credentialed users run a proper Byzantine Agreement (BA) protocol on the proposed block, in several steps.
The preferred BA protocol is BA*. The block-proposal step can be regarded as Step 1, so that the steps of BA* are 2, 3, ...
Only a proper user i, randomly selected among the users in the system, has the right to send a message m_i^{r,s} in step s of round r. Algorand is fast and secure because such a user i checks by himself whether he has the right to speak; if so, user i actually has a proof of it, namely a credential. If it is i's turn to speak in step s of round r, i propagates through the network his credential σ_i^{r,s} and his digitally signed message m_i^{r,s}. The credential proves to the other users that they should take the message m_i^{r,s} into consideration.
A necessary condition for user i to have the right to speak in step s of round r is that i has already been in the system for several rounds: specifically, for k rounds before round r, where k is a parameter called the "look-back" parameter. That is, to be eligible to speak in round r, i must belong to PK^{r−k}, the set of all public keys/users already in the system at round r−k. (A user can be identified with his public key.) This condition is easily verified, in the sense that it can be read off the blockchain.
The other condition is
H(SIG_i(r,s,Q^{r−1})) < p,
where p is a given probability that controls the expected size of SV^{r,s}, the set of users who have the right to speak in step s of round r. If this condition is satisfied, the credential of i is defined to be
σ_i^{r,s} = SIG_i(r,s,Q^{r−1}).
Of course, only i can determine whether he belongs to SV^{r,s}; all other users, who do not know i's secret signing key, cannot. However, given the blockchain so far, if i ∈ SV^{r,s} then i can propagate his credential σ_i^{r,s} to prove this to everyone. In fact, recall that (1) Q^{r−1} is easily derived from the previous block B^{r−1} (but was not sufficiently predictable a few blocks earlier), and (2) anyone can verify i's digital signature (relative to i's long-term key in the system).
Recall that in the versions of Algorand considered so far, a new block is proposed only once in round r (namely, in Step 1). The BA protocol lets the users reach consensus on one of the proposed blocks (or on the empty block), without proposing further new blocks or re-proposing blocks already proposed in round r. When the network is not partitioned and the upper bound on message-propagation time holds, the users reach consensus efficiently and securely.
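To make the credential condition of this section and the money-weighted copies of Section 7 concrete, here is an added Python example, not the patent's or Algorand's code. It replaces the unique-signature scheme with HMAC-SHA256 under a long-term secret, which is only a deterministic stand-in (a real credential must be verifiable by everyone from i's public key), reads the hash as the binary fraction .H(·), computes the K+1 copies of a user holding a_i^{(r)} out of A^r, picks the leader as the potential leader with the smallest credential hash (Definition 9.2), and applies the selective propagation rule for (r,1) messages. The key bytes, the tuple encoding and the sample amounts are constructed for the example.

```python
import hashlib
import hmac
import math


def unique_sig(sk: bytes, msg: bytes) -> bytes:
    """Stand-in for a unique (deterministic) signature: HMAC-SHA256 under the
    user's long-term secret. Assumption for this example only; a deployment
    needs a unique-signature scheme that others verify with the public key."""
    return hmac.new(sk, msg, hashlib.sha256).digest()


def credential(sk: bytes, r: int, s: int, q_prev: bytes) -> bytes:
    """σ_i^{r,s} = SIG_i(r, s, Q^{r-1}); the byte encoding of the tuple is assumed."""
    return unique_sig(sk, b"%d|%d|" % (r, s) + q_prev)


def dot_h(x: bytes) -> float:
    """The hash of x read as the binary fraction .H(x) in [0, 1)."""
    return int.from_bytes(hashlib.sha256(x).digest(), "big") / 2.0 ** 256


def is_verifier(sk: bytes, r: int, s: int, q_prev: bytes, p: float) -> bool:
    """Section 8 condition: i ∈ SV^{r,s} iff .H(SIG_i(r, s, Q^{r-1})) < p."""
    return dot_h(credential(sk, r, s, q_prev)) < p


def copies(a_i: int, a_total: int, n: int):
    """Section 7: K = floor(n * a_i / A^r) copies sit in every committee;
    copy K+1 is selected with the leftover probability n*a_i/A^r - K."""
    x = n * a_i / a_total
    k = math.floor(x)
    return k, x - k


def selected_copies(sk: bytes, r: int, s: int, q_prev: bytes,
                    a_i: int, a_total: int, n: int) -> int:
    """Number of i's copies in SV^{r,s}: the K automatic ones, plus copy K+1
    when the biased coin, decided by the same credential hash, lands heads."""
    k, frac = copies(a_i, a_total, n)
    heads = frac > 0 and dot_h(credential(sk, r, s, q_prev)) < frac
    return k + (1 if heads else 0)


def pick_leader(credentials: dict) -> str:
    """Definition 9.2 / Step 2: among the potential leaders whose credentials
    were received, the one with the smallest credential hash."""
    return min(credentials, key=lambda user: dot_h(credentials[user]))


class SelectiveRelay:
    """Selective propagation of (r,1) messages: relay the first valid one,
    afterwards only those whose credential hash is the smallest seen so far,
    and never a second (different or repeated) message from the same leader."""

    def __init__(self):
        self.best = None      # smallest credential hash relayed so far
        self.seen = {}        # sender -> first payload seen from that sender

    def should_relay(self, sender: str, cred: bytes, payload: bytes) -> bool:
        if sender in self.seen:                  # equivocation or duplicate
            return False
        self.seen[sender] = payload
        h = dot_h(cred)
        if self.best is None or h < self.best:   # first message, or new minimum
            self.best = h
            return True
        return False
```

With n = 1,000, A^r = 10^9 and a_i^{(r)} = 3.7 million, copies() returns K = 3 and a leftover 0.7, so selected_copies() answers 3 or 4 depending on the credential hash, which is the biased coin of Section 7.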
9 Resiliency of Algorand to network partitions
We now describe a new embodiment, Algorand2, that removes the assumption that the network is not partitioned. The new protocol is presented under the honest-majority-of-users (HMU) assumption; using the same approach as in Section 7, the HMU assumption can be replaced by the honest-majority-of-money (HMM) assumption.
9.1 Communication model
When the network is partitioned into more than one group of users, the adversary decides whether a message m propagated by the users of one group is delivered to the users of the other groups, which users in the other groups receive m, and when they receive it. Assume that a partition lasts from time t_1 until time t_2, and let M be the set of messages propagated during the partition; then all users receive the messages in M by time t_2. Those skilled in the art will recognize that the system described herein can also handle other situations, in which the messages in M take some time to reach all users, or are re-propagated by the users that receive them.
9.2 Parameter selection
The expected committee size n and the threshold t_H are selected according to the following conditions. Let PK be the set of users, and let HPK and MPK be the sets of honest and malicious users, respectively. Let HPK_1 be an arbitrary subset of HPK of half its size. When every user i ∈ PK is selected independently at random with probability n/|PK|, let HSV_1 and MSV be the sets of users selected from HPK_1 and from MPK, respectively. Then, with overwhelming probability,
|HSV_1| + |MSV| < t_H.
Furthermore, let HSV be the set of users selected from HPK. Then, with overwhelming probability,
|HSV| ≥ t_H.
Note that the two conditions above imply |HSV| > 2|MSV|.
For example, with h = 80% of the users honest and PK sufficiently large, one may choose n = 3,500 and t_H = 2,625.
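The two conditions of Section 9.2 are tail probabilities of binomial distributions, and anyone choosing n and t_H should compute them rather than take the figures on trust. The Python below is an added example, not from the patent: with every user selected independently with probability n/|PK|, it evaluates P[|HSV_1| + |MSV| ≥ t_H] (the safety condition, in which the adversary is joined by half of the honest committee) and P[|HSV| < t_H] (the liveness condition) by summing binomial point masses in log space, and finds the smallest t_H that meets a safety target. |PK| = 10^6 and the 80% honest fraction are constructed inputs; running it on the page's n = 3,500 and t_H = 2,625 shows which of the two conditions is the binding one.

```python
import math


def _log_binom_pmf(k: int, m: int, p: float) -> float:
    """log P[X = k] for X ~ Binomial(m, p), via log-gamma."""
    return (math.lgamma(m + 1) - math.lgamma(k + 1) - math.lgamma(m - k + 1)
            + k * math.log(p) + (m - k) * math.log1p(-p))


def _sum_pmf(ks, m: int, p: float) -> float:
    """Sum of binomial point masses over ks, accumulated in log space so
    that tails around 1e-30 do not vanish to zero."""
    logs = [_log_binom_pmf(k, m, p) for k in ks]
    if not logs:
        return 0.0
    top = max(logs)
    return math.exp(top) * sum(math.exp(x - top) for x in logs)


def binom_lower_tail(k: int, m: int, p: float) -> float:
    """P[X <= k] for X ~ Binomial(m, p)."""
    return _sum_pmf(range(0, min(k, m) + 1), m, p)


def binom_upper_tail(k: int, m: int, p: float) -> float:
    """P[X >= k] for X ~ Binomial(m, p); terms more than 80 standard
    deviations above max(k, mean) are dropped, being far below double
    precision."""
    sd = math.sqrt(m * p * (1 - p))
    hi = min(m, int(max(k, m * p) + 80 * sd) + 1)
    return _sum_pmf(range(k, hi + 1), m, p)


def committee_failure_probabilities(total_users: int, honest_fraction: float,
                                    n: int, t_h: int):
    """Section 9.2 checks for expected committee size n and threshold t_h,
    each user selected with probability n/|PK|. Returns (safety, liveness):
    safety  = P[|HSV_1| + |MSV| >= t_h], half the honest users plus all
              malicious ones reaching the threshold;
    liveness = P[|HSV| < t_h], the honest users alone missing it."""
    p = n / total_users
    honest = int(total_users * honest_fraction)
    malicious = total_users - honest
    safety = binom_upper_tail(t_h, honest // 2 + malicious, p)
    liveness = binom_lower_tail(t_h - 1, honest, p)
    return safety, liveness


def smallest_safe_threshold(total_users: int, honest_fraction: float,
                            n: int, safety_target: float) -> int:
    """Smallest t_h whose safety failure probability is below the target
    (safety improves and liveness worsens as t_h grows, so the smallest
    safe value is the one to pick). Binary search over the monotone predicate."""
    lo, hi = 1, n
    while lo < hi:
        mid = (lo + hi) // 2
        if committee_failure_probabilities(total_users, honest_fraction, n, mid)[0] < safety_target:
            hi = mid
        else:
            lo = mid + 1
    return lo
```

For |PK| = 10^6, h = 80%, n = 3,500 and t_H = 2,625, the safety tail is astronomically small (the relevant mean is 2,100 selections against a threshold of 2,625), while the liveness tail, with a mean of 2,800 honest selections, is the larger of the two by many orders of magnitude; the liveness side is the one to watch when tuning t_H downward.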
9.3 General structure
The protocol generates one block per round. A round consists of periods 1, 2, ..., and a period consists of steps 1, 2, .... At any time, each user i works on exactly one round-period pair; period p of round r is denoted r.p.
In Step 1 of period 1, users propose new blocks. In Step 1 of a later period, users either propose a new block or re-propose a block already proposed in an earlier period.
Each step s of period r.p has a committee, selected by cryptographic sortition and denoted SV^{r,p,s}. We use the same look-back parameter as in Section 4.1, denoted k (e.g., k = 70): user i is eligible to be selected for a committee of round r if i ∈ PK^{r−k}. The expected size of the committee of Step 1 of each period is n_1 (e.g., 35); all other committees have expected size n. The committee members of Step 1 are called the potential leaders.
Note that, for simplicity but without intended limitation, the new embodiment is described here with all steps other than Step 1 of each period having the same expected committee size n. Those skilled in the art will recognize that different committees may have different sizes, and will understand how to derive various other embodiments.
All credentials for cryptographic sortition are signed with the user's long-term key under a digital signature scheme with unique signatures, and so is the random seed Q^r specified in a block. All other messages are signed with the temporary key of the corresponding step. In general we write SIG_i(m) for the signature of user i on message m without specifying the key.
Note that, for simplicity but without intended limitation, the new embodiment is described here in terms of temporary keys. Those skilled in the art will understand how to use the blockchain with message credentials, including the techniques introduced in the existing versions of Algorand, to derive other embodiments.
Definition 9.1 (Credential). The credential of user i for round r, period p and step s is σ_i^{r,p,s} = SIG_i(Q^{r−1}, r, p, s).
Committee members of a step always propagate their credentials together with the messages of that step, and we will not mention the propagation of credentials explicitly.
Definition 9.2 (Leader). The leader ℓ^{r.p} of period r.p is the potential leader ℓ ∈ SV^{r,p,1} whose credential has the smallest hash H(σ_ℓ^{r,p,1}). When user i identifies his own leader ℓ_{i,r.p} for period r.p, i sets ℓ_{i,r.p} to the user with the smallest credential hash in S_i, where S_i is the set of potential leaders from whom i has received valid credentials.
Definition 9.3 (Valid block). A block proposed in round r is valid if and only if all its transactions are valid with respect to the blocks B^0, B^1, ..., B^{r−1}, and the seed Q^r specified in the block follows the protocol rules.
Committee members generate three types of voting messages.
Definition 9.4 (Cert-vote). The cert-vote of user i for value v in period r.p is the signature SIG_i(v, "cert", r.p).
When user i propagates SIG_i(v, "cert", r.p), we say that he has cert-voted the value v in period r.p.
Definition 9.5 (Soft-vote). The soft-vote of user i for value v in period r.p is the signature SIG_i(v, "soft", r.p).
When user i propagates SIG_i(v, "soft", r.p), we say that he has soft-voted the value v in period r.p.
Definition 9.6 (Next-vote). The next-vote of user i for value v in period r.p and step s is the signature SIG_i(v, "next", r.p.s).
When user i propagates SIG_i(v, "next", r.p.s), we say that he has next-voted the value v.
A voted value v is either a value in the range of the hash function H, or a special symbol ⊥ of the same length that lies outside the range of H.
Each user i maintains a timer clock_i, which he resets to 0 whenever he starts a new period. As long as i remains in the same period, clock_i keeps counting. The users' individual timers need not be synchronized or nearly synchronized; the only requirement is that they run at the same speed.
9.4 The actual protocol Algorand2
In the protocol below, blocks and the credentials of the potential leaders of different periods are selectively propagated as in Section 5.
Round r, period 1
Below are the instructions of period 1 for a generic user i. If user i is not in the committee of a given step, he still computes his vote in that step, but does not propagate it.
When user i starts his own round r, he starts period 1 and resets clock_i to 0.
Step 1 [block proposal]. When clock_i = 0, user i does the following.
If i is a potential leader, he prepares the block B_i^{r.1} that he proposes, which includes his signature SIG_i(Q^{r−1}, r) defining the seed Q_i^r that he proposes. He first propagates H(B_i^{r.1}) together with his credential, and thereafter propagates the block itself.
Step 2 [filtering step]. When clock_i = 2λ, user i does the following.
He identifies his leader ℓ_{i,r.p} and soft-votes the block hash proposed by that leader.
Step 3 [certifying step]. Let T = Λ + λ. When clock_i ∈ (2λ, T), user i does the following.
If i sees a valid block B and t_H soft-votes for H(B), i cert-votes H(B).
Step 4 [first finishing step]. When clock_i = T, user i does the following.
If i has cert-voted some value v in Step 3, he next-votes v; otherwise, he next-votes ⊥.
Step 5 [second finishing step]. When clock_i ∈ [T, T+L), where L is, say, 50Λ, user i does the following.
If i sees a valid block B and t_H soft-votes for H(B), i next-votes H(B).
Steps s ≥ 6 [subsequent finishing steps].
If s is even, then when clock_i = T + (s−4)L/2, i executes the same voting instructions as in Step 4.
Otherwise (i.e., s is odd), when clock_i ∈ [T + (s−5)L/2, T + (s−3)L/2), i executes the same voting instructions as in Step 5.
Round r, periods p ≥ 2
Below are the instructions of period p for a generic user i. Again, if user i is not in the committee of a given step, he still computes his vote in that step, but does not propagate it.
User i starts period p as soon as he has received t_H next-votes for some value v (which may be ⊥) at the same step s of period p−1, provided that he has not already started a period p' > p. User i sets his start value for period p, st_i^{r.p}, to v. From the moment i starts period p, he finishes all previous periods and resets clock_i to 0.
Step 1 [block proposal]. If user i is a potential leader, then when clock_i = 0 he does the following.
If i has seen t_H next-votes for ⊥ at the same step s of period p−1, i proposes a new block B_i^{r.p}, whose seed Q_i^r is defined as H(Q^{r−1}, r). He first propagates H(B_i^{r.p}) together with his credential, and thereafter propagates the block itself.
Otherwise (i.e., i has seen t_H next-votes only for some v ≠ ⊥ at the same step s of period p−1, and st_i^{r.p} = v), i re-proposes v by propagating v together with his credential.
Step 2 [filtering step]. When clock_i = 2λ, user i does the following.
If i has seen t_H next-votes for ⊥ at the same step s of period p−1, i identifies his leader ℓ_{i,r.p} for period p and soft-votes the value v proposed by ℓ_{i,r.p}.
Otherwise (i.e., i has seen t_H next-votes only for some v ≠ ⊥ at the same step s of period p−1, and st_i^{r.p} = v), i soft-votes st_i^{r.p}.
Step 3 [certifying step]. When clock_i ∈ (2λ, T), where T = Λ + λ, user i does the following.
If i sees a valid block B and t_H soft-votes for H(B), i cert-votes H(B).
Step 4 [first finishing step]. When clock_i = T, user i does the following.
If i has cert-voted some value v in Step 3, he next-votes v;
otherwise, if i has seen t_H next-votes for ⊥ at the same step s of period p−1, he next-votes ⊥;
otherwise, he next-votes st_i^{r.p}.
Step 5.1 [second finishing step]. When clock_i ∈ [T, T+L), user i does the following.
If i sees a valid block B and t_H soft-votes for H(B), i next-votes H(B).
Step 5.2 [second finishing step]. When clock_i ∈ [T, T+L), user i does the following.
If i has not cert-voted in Step 3, and he has seen t_H next-votes for ⊥ at the same step s of period p−1, then i next-votes ⊥.
Steps s ≥ 6 [subsequent finishing steps].
If s is even, then when clock_i = T + (s−4)L/2, i executes the same voting instructions as in Step 4.
Otherwise (i.e., s is odd), when clock_i ∈ [T + (s−5)L/2, T + (s−3)L/2), i executes, in parallel, the same voting instructions as in Steps 5.1 and 5.2.
Changing round
For every user i ∈ PK:
at any time while i is working on round r, if i sees a string v ≠ ⊥ and a period r'.p (with r' ≥ r) such that
- i has received at least t_H cert-votes for v in period r'.p, and
- i has received the block header corresponding to v,
then i cert-votes v in period r'.p, sets his own CERT^{r'} to the set of cert-votes for v, and starts round r'+1.
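The vote-counting rules of Sections 9.3 and 9.4 can be captured by a small tally that enforces one vote per user, per vote type, per period (per step, for next-votes), which is the rule the safety argument rests on. The following Python is an added example for this page, not code from the patent. Signatures and credentials are left out (the votes are assumed to be already authenticated and their senders already checked against the step's committee), block hashes are plain strings and ⊥ is the string "⊥", all constructed for the example. It implements the certificate check, the next-vote quorum that starts period p+1, the Step 1 proposal and Step 4 next-vote decisions of a period p ≥ 2, and the Changing Round condition.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

BOTTOM = "⊥"   # the special out-of-range value; block hashes are strings here


@dataclass(frozen=True)
class Vote:
    """One authenticated vote (constructed shape; the signature is omitted)."""
    voter: str
    kind: str                 # "cert", "soft" or "next"
    value: str                # H(B) or BOTTOM
    r: int
    p: int
    s: Optional[int] = None   # only next-votes carry the step (Definition 9.6)


class VoteLedger:
    """Tallies the three vote types per round and period (and step, for
    next-votes). A voter's second vote of the same type in the same slot is
    rejected: honest users never cast one, and an equivocating adversary
    gains nothing by it. That rule plus the t_H threshold is what keeps a
    period's certificate unique."""

    def __init__(self, t_h: int):
        self.t_h = t_h
        self._first = {}                                      # (voter, slot) -> value
        self._tally = defaultdict(lambda: defaultdict(set))   # slot -> value -> voters

    @staticmethod
    def _slot(v: Vote):
        return (v.kind, v.r, v.p, v.s if v.kind == "next" else None)

    def add(self, v: Vote) -> bool:
        key = (v.voter, self._slot(v))
        if key in self._first:
            return False                      # duplicate or equivocation: dropped
        self._first[key] = v.value
        self._tally[self._slot(v)][v.value].add(v.voter)
        return True

    def count(self, kind: str, value: str, r: int, p: int, s=None) -> int:
        return len(self._tally[(kind, r, p, s)][value])

    def certified(self, r: int, p: int) -> Optional[str]:
        """The value holding a certificate (>= t_H cert-votes) in r.p, if any."""
        hits = [v for v, who in self._tally[("cert", r, p, None)].items()
                if len(who) >= self.t_h]
        if len(hits) > 1:
            raise RuntimeError("two certificates in one period: t_H too low")
        return hits[0] if hits else None

    def next_quorum(self, r: int, p: int):
        """(value, step) pairs with >= t_H next-votes at one step of r.p;
        period p+1 may be started from any of them."""
        out = []
        for (kind, rr, pp, s), per_value in self._tally.items():
            if kind == "next" and rr == r and pp == p:
                out += [(v, s) for v, who in per_value.items() if len(who) >= self.t_h]
        return out

    def proposal_for_period(self, r: int, p: int, fresh_block_hash: str) -> str:
        """Step 1 of period p >= 2: a new block after a ⊥ quorum in p-1,
        otherwise re-propose the value the quorum of p-1 carried."""
        quorum = self.next_quorum(r, p - 1)
        if any(v == BOTTOM for v, _ in quorum):
            return fresh_block_hash
        values = {v for v, _ in quorum}
        if len(values) != 1:
            raise RuntimeError("no unambiguous start value for period %d" % p)
        return values.pop()

    def next_vote_value(self, voter: str, r: int, p: int) -> str:
        """Step 4 (first finishing step): next-vote what you cert-voted in
        Step 3; else ⊥ if p == 1 or period p-1 ended with a ⊥ quorum;
        else the start value carried over from period p-1."""
        mine = self._first.get((voter, ("cert", r, p, None)))
        if mine is not None:
            return mine
        if p == 1:
            return BOTTOM
        quorum = self.next_quorum(r, p - 1)
        if any(v == BOTTOM for v, _ in quorum):
            return BOTTOM
        return quorum[0][0]

    def round_finished(self, r: int, p: int, have_header) -> Optional[str]:
        """Changing Round: a certificate for v in r.p plus the block header
        for v ends round r; the cert-votes for v become CERT^r."""
        v = self.certified(r, p)
        return v if v is not None and v != BOTTOM and have_header(v) else None
```

The partition case of the text is visible in the tally: a user who never receives the cert-votes for H(B) but does receive t_H next-votes for it starts the next period with H(B) as start value, so the only thing he can propose, soft-vote or next-vote there is H(B).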
Referring to FIG. 6, a diagram 20' shows a first plurality of computing workstations 22a-22c connected to a first portion 24' of a data network, such as the Internet, and a second plurality of computing workstations 22a'-22c' connected to a second portion 24'' of the data network. The workstations 22a-22c communicate with each other via the first portion 24' of the network, and the workstations 22a'-22c' communicate with each other via the second portion 24''. However, unlike in the diagram 20 of FIG. 1, the workstations 22a-22c do not communicate with the workstations 22a'-22c', because the network has been divided into the first portion 24' and the second portion 24'' by a partitioning mechanism 26. The partitioning mechanism 26 may be any mechanism that inhibits communication between the portions 24', 24'' of the network. Note that the partitioning mechanism 26 may be deliberately inserted into the network by an adversary, or may arise from an unexpected network outage caused by natural or artificial phenomena (e.g., a power outage or a network switch failure). In the system described herein, each of the workstations 22a-22c, 22a'-22c' performs the steps described above, but the first plurality of workstations 22a-22c is not in communication with the second plurality of workstations 22a'-22c'. That is, each entity 22a-22c manages the transaction system locally within the portion 24', while each entity 22a'-22c' manages the transaction system locally within the portion 24''. At most one of the portions 24', 24'' has enough users (entities) to generate a certified block. After the partitioning mechanism 26 is removed and the portions 24', 24'' merge back into a single network (like the network 24 discussed above in connection with FIG. 1), all of the workstations 22a-22c, 22a'-22c' communicate with each other and resume operation from the same point (block) of the chain.
After the partitioning mechanism 26 is removed, the entities 22a-22c, 22a'-22c' manage a single transaction system in the network, in which all of them communicate with each other.
Even when the network is partitioned, the new embodiment is still secure, i.e. at most one block is validated per round r. At a high level, this is because honest users can only make a maximum of one vote of credentials in each cycle of round r, committee size n and threshold tHThe choice of (c) ensures that at most one hash value h (B) of a valid chunk B can obtain a certificate in each period r.p. Viewed from a different direction, suppose that B is relative to0,...,Br-1Period r.p generates t for one valid block BHOne certificate votes and generates t for another valid block BHVoting by certificate, then selecting n and tHThe condition of (a) means that at least one honest user has already voted for a certificate for the hash value of both B and B', which is in contradiction to the fact that one honest user can only vote for a certificate at most once in period r.p.
If, in some period r.p, the valid blob B has obtained a certificate (i.e., at least t)HVotes for the certificate of its hash value h (b), then p 'in all future periods'>p (if they ever arrived), B will be the only block where the certificate can be obtained in period r.p'. in fact, if an honest user has voted for the certificate for H (B) in period r.p, it will not cast the next vote for ⊥ in r.pHWith the same option, there will be no t at any step s ≧ 4 of period r.pHThe next ticket for a pair ⊥ or for any other value v ≠ H (B.) therefore only if an honest user has received at least tHThe next ticket to h (b) moves to cycle r. (p +1). Thus, H (B) will be the only value that was (re) proposed in step 1 of period r. (p +1), the only value that the honest user will have soft votes in step 2 of period r. (p +1), and thus the only value that will have certificate votes in step 3 of period r. (p +1) and cast the next vote in step s ≧ 4. This is true for all successive periods as demonstrated by induction.
It should be noted that, when the network is partitioned, B obtaining a certificate in period r.p does not mean that every honest user receives that certificate. In fact, during a network partition the adversary controls how messages are delivered in the system. For example, an adversary may let all messages be delivered correctly except cert-votes, and not allow cert-votes from one group of users to reach another group. However, B obtaining a certificate means that enough honest users have cert-voted for it, and they will cast no further votes for anything else, which prevents any other block from being certified in period r.p or in any future period.
The efficiency of the new embodiment comes from two parts. First, when the network is not partitioned, consensus on the r-th block is reached quickly. Indeed, if the leader of step 1 of period r.1 is honest, all honest users immediately cert-vote for its proposed block B, B obtains a certificate after step 3 of that period, and all honest users then complete round r.
Similarly, if round r has reached a period p ≥ 2 and the leader l of period p is honest, then the block newly proposed or re-proposed by l is certified in step 3, and all honest users then complete round r. This is because, if l has seen t_H next-votes for ⊥ from period p-1 and proposes a new block, those next-votes reach all honest users within time λ, and they soft-vote for l's proposal. Otherwise l has only seen t_H next-votes from period p-1 for the hash H(B) of a valid block B and re-proposes H(B); the starting value of period p for every honest user is then either ⊥ or H(B), and in either case they soft-vote for H(B): in the former case because they follow the leader's proposal, in the latter because they vote for their own starting value.
Furthermore, if a certificate for a valid block B is generated in period r.p, all honest users complete round r shortly thereafter. This is because, if at least t_H cert-votes for B come from honest users, all honest users receive them within time λ and complete round r with B as the r-th block. If every set of t_H cert-votes for B contains at least one malicious user, the malicious users may choose not to send their cert-votes, and honest users will not immediately receive a certificate for B. However, the choice of n and t_H ensures that the certificate for B contains at least one honest user i, and i had received t_H soft-votes for B before cert-voting for B. Since i has propagated those soft-votes and the network is not partitioned, all honest users receive them within time λ and next-vote for H(B) in step 5.1. Thus all honest users start period r.(p+1) with starting value H(B) and soft-vote for it in step 2 of period r.(p+1), regardless of whether the leader of period r.(p+1) is honest. As a result, honest users cert-vote for H(B) in step 3; B now has a certificate consisting of honest users' votes, and all honest users receive it and complete round r within time λ.
As in the original Algorand protocol, the seed Q^r used in the new embodiment and the cryptographic sortition ensure that each period p of round r has an honest leader with high probability; the detailed efficiency analysis of the new embodiment when no network partition is present follows from this.
Second, after a network partition is resolved, the protocol recovers and quickly reaches consensus. Indeed, if some honest users received a certificate for block B in round r during the partition and moved to round r+1, all honest users receive that certificate and move to round r+1 once the partition is resolved. Further, let p be the farthest period of round r+1 that some honest user i reached during the partition. All the next-votes that allowed i to move to period (r+1).p reach the other honest users after the partition is resolved, and they also move to period (r+1).p. The protocol then proceeds from there as usual, following the same analysis as when no network partition is present. If no honest user moved from round r to round r+1 during the partition, all honest users are in the same round but may be in different periods. In this case, let p be the farthest period of round r that some honest user i reached during the partition. Similarly, after the partition is resolved, all the next-votes that allowed i to move to period r.p reach the other honest users, and they also move to period r.p. Again, the protocol continues from there as usual.
In summary, the new embodiment is secure and does not soft-fork even when the network is partitioned. When the network is not partitioned it generates blocks efficiently, and it recovers quickly after a network partition is resolved.
10. Scope
It should be noted that the mechanisms described herein are applicable to other blockchain systems in which it is desirable to prevent more than one block from being validated during a network partition and to quickly restore liveness after the partition is resolved. Thus, the system described herein may be adapted to other blockchain schemes, even schemes that are not directly related to currency.
The system described herein may be adapted to apply to, or be combined with, the mechanisms set forth in any or all of the following: PCT/US2017/031037 filed on May 4, 2017; 15/551,678 filed on day 17 of 2017; 16/096,107 filed on day 24 of 2018; PCT/US2018/053360 filed on September 28, 2018; PCT/US2018/054311 filed on October 4, 2018; 62/632,944 filed on February 20, 2018; 62/643,331 filed on March 15, 2018; 62/777,410 filed on December 10, 2018; and 62/778,482 filed on December 12, 2018, all of which are incorporated herein by reference.
Software implementations of systems described herein may include executable code stored in a computer readable medium and executed by one or more processors. The computer-readable medium may be non-transitory and include a computer hard drive, ROM, RAM, flash memory, a portable computer storage medium such as a CD-ROM, DVD-ROM, flash drive, SD card, and/or other drive with, for example, a Universal Serial Bus (USB) interface, and/or any other suitable tangible or non-transitory computer-readable medium or computer memory on which executable code may be stored and executed by a processor. The system described herein may be used in conjunction with any suitable operating system.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification or practice of the invention disclosed herein. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.

Claims (20)

1. A method for an entity to manage a transaction system in which transactions are organized into a series of blocks that are validated by a sufficient number of verifiers' digital signatures, the method comprising:
if the r-th block B^r is not verified, the entity proposes, relative to the series of verified blocks B^0, ..., B^{r-1}, the hash of a block B' comprising new valid transactions; and
if the r-th block B^r has been verified by a sufficient number of other entities, the entity proposes the hash of the block B^r.
2. The method of claim 1, wherein a block is validated by the entity only in response to: confirming the transaction of the block and confirming that the block was constructed and propagated by an entity that has the authority to construct and propagate the block.
3. The method of claim 1, wherein the entity presents a hash value by digitally signing the hash value to provide a digitally signed version of the hash value, and wherein the entity propagates the digitally signed version of the hash value to a network that includes other entities.
4. The method of claim 3, wherein, if the r-th block B^r is not verified, the entity also digitally signs and propagates block B'.
5. A method according to claim 1, wherein the entity is caused to determine a quantity Q from the previous blocks, to use a secret key in order to calculate a string S uniquely associated with Q, and to calculate from S a quantity T that is at least one of: S itself, a function of S, and a hash value of S, and wherein the entity proposes the hash value by determining whether T possesses a given attribute.
6. The method of claim 5, wherein S is a signature of Q under the secret key of the entity, T is a hash of S, and T has a given attribute if T is less than the given threshold.
7. The method of claim 1, wherein the entity is part of a network of entities, and wherein a particular one of the entities constructs and propagates the block B^r.
8. The method of claim 7, wherein, if the entity receives from at least a predetermined number of entities indications that each has separately verified the hash value corresponding to the r-th block B^r, then the r-th block B^r is determined to be verified by the entity.
9. The method of claim 8, wherein, in response to the entity receiving indications that a predetermined number of entities have individually validated the r-th block B^r, the entity increments r to begin adding additional blocks to the series of blocks.
10. The method of claim 7, wherein a particular entity of the entities is individually selected as a leader by a predetermined number of entities.
11. The method of claim 10, wherein, if the indications received by the entity indicate that at least the predetermined number of entities have separately verified that a particular one of the entities has provided to each of the predetermined number of entities the hash value corresponding to the r-th block B^r, then the r-th block B^r is determined to be verified by the entity.
12. A method for an entity to manage a transaction system in which transactions are organized into a series of validated blocks, the method comprising:
the entity receives, from another entity that generated block B^r relative to the series of verified blocks B^0, ..., B^{r-1} based on new valid transactions, the hash value for the block;
the entity verifies the block B^r in response to a sufficient number of other entities having indicated that they received the block B^r from the other entity and that the hash value for the block B^r is valid;
in response to an insufficient number of other entities indicating that they received the block B^r from the other entity, the entity generates a new block B' relative to the series of verified blocks B^0, ..., B^{r-1} based on new valid transactions, wherein B' is different from B^r; and
in response to the entity receiving indications that a predetermined number of entities have separately verified the r-th block B^r, or that a predetermined number of entities have individually validated the new block B', the entity increments r to begin adding additional blocks to the series of blocks.
13. The method of claim 12, wherein the blocks are each verified by a digital signature.
14. The method of claim 12, wherein new blocks are proposed by different ones of the entities until an indication is received that a predetermined number of entities individually validated previously proposed blocks.
15. The method of claim 12, wherein the entity provides an indication that a new block should be generated in response to the hash value for block B^r being invalid.
16. The method of claim 15, wherein, in response to a sufficient number of other entities providing an indication that a new block should be generated, the entity generates a new block B' relative to the series of verified blocks B^0, ..., B^{r-1} based on new valid transactions.
17. The method of claim 12, wherein the entity provides an indication that the hash value of the block B^r should be propagated in response to a sufficient number of other entities having indicated that they received the block B^r from the other entity and that the hash value for the block B^r is valid.
18. A method for an entity to verify, in a transaction system in which transactions are organized into blocks and the blocks are verified by a set of digital signatures, a proposed hash value of a new block B^r of transactions relative to a given series of blocks B^0, ..., B^{r-1}, the method comprising:
causing the entity to determine an amount Q based on the previous blocks;
having the entity compute the digital signature S of Q;
having the entity calculate from S a quantity T that is at least one of: s itself, the function of S and the hash value of S;
having the entity determine whether T possesses a given attribute; and
if T has the given attribute, checking whether the proposed hash value corresponds to the new block B^r, and causing the entity to verify the proposed hash value of the new block B^r.
19. The method of claim 18, wherein the entity propagates the proposed hash value of the new block B^r before receiving the new block B^r.
20. Computer software disposed in a non-transitory computer readable medium, the computer software comprising: executable code implementing the method according to one of the preceding claims 1 to 19.
CN201880082615.XA 2017-12-19 2018-12-19 Fast and partition-resilient block chain Pending CN111566681A (en)

Applications Claiming Priority (11)

Application Number Priority Date Filing Date Title
US201762607558P 2017-12-19 2017-12-19
US62/607,558 2017-12-19
US201862632944P 2018-02-20 2018-02-20
US62/632,944 2018-02-20
US201862643331P 2018-03-15 2018-03-15
US62/643,331 2018-03-15
US201862777410P 2018-12-10 2018-12-10
US62/777,410 2018-12-10
US201862778482P 2018-12-12 2018-12-12
US62/778,482 2018-12-12
PCT/US2018/066481 WO2019126311A1 (en) 2017-12-19 2018-12-19 Fast and partition-resilient blockchains

Publications (1)

Publication Number Publication Date
CN111566681A true CN111566681A (en) 2020-08-21

Family

ID=66995114


Also Published As

Publication number Publication date
RU2020119312A (en) 2022-01-20
AU2018392471A1 (en) 2020-06-25
SG11202005400QA (en) 2020-07-29
IL275211A (en) 2020-07-30
WO2019126311A1 (en) 2019-06-27
JP2021507629A (en) 2021-02-22
CA3086361A1 (en) 2019-06-27
BR112020012449A2 (en) 2020-11-24
EP3729351A4 (en) 2021-10-20
EP3729351A1 (en) 2020-10-28
KR20200102460A (en) 2020-08-31
MX2020006642A (en) 2020-12-07


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40036587
Country of ref document: HK