AlphaBlock: An Evaluation Framework for Blockchain Consensus Protocols

Haitao Xiang [email protected] XXXXXXXX Mathematical Institute, University of OxfordXXXOxfordUKXXXXX , Zhijie Ren VeChainShanghaiChina [email protected] , Ziheng Zhou VeChainShanghaiChina [email protected] , Ning Wang [email protected] https://orcid.org/0000-0002-6746-5481 Mathematical Institute, University of OxfordXXXOxfordUKOX2 6GG and Hanqing Jin [email protected] https://orcid.org/0000-0002-6746-5481 Mathematical Institute, University of OxfordXXXOxfordUKOX2 6GG

Abstract.

Consensus protocols play a pivotal role to balance security and efficiency in blockchain systems. In this paper, we propose an evaluation framework for blockchain consensus protocols termed as AlphaBlock. In this framework, we compare the overall performance of Byzantine Fault Tolerant (BFT) consensus and Nakamoto Consensus (NC). BFT consensus is reached by multiple rounds of quorum votes from the supermajority, while NC is reached by accumulating credibility with the implicit voting from appending blocks. AlphaBlock incorporates the key concepts of Hotstuff BFT (HBFT) and Proof-of-authority (PoA) as the case study of BFT and NC. Using this framework, we compare the throughput and latency of HBFT and PoA with practical network and blockchain configurations. Our results show that the performance of HBFT dominates PoA in most scenarios due to the absence of forks in HBFT. Moreover, we find out a set of optimal configurations in AlphaBlock, which sheds a light for improving the performance of blockchain consensus algorithms.

Blockchain, Blockchain Performance, Byzantine Fault Tolerant, Nakamoto Consensus, Pareto frontier

^†^†ccs: Computer systems organization Dependable and fault-tolerant systems and networks^†^†ccs: Networks Network Protocols

1. Introduction

Blockchain technology is one of the most significant innovations in recent years that may disrupt many industries. As a decentralized and unchangeable ledger that is jointly maintained by untrusted parties without a globally trusted intermediary, it promises integrity, transparency and resilience that are critical to many economic activities (Bano et al., 2019). Although obtaining its cognition from Bitcoin (Nakamoto, 2019), it has gained attention in more than the financial industry. In government (Wons, 2017), patent (DiNizo Jr, 2018), voting (Abraham and Malkhi, 2016) and real estate (Spielman, 2016), blockchain technology serves as an attractive alternative to current centralized intermediaries with huge trust costs.

The main obstacle lying before the wide adoption of blockchain technology is its unsatisfactory performance and poor scalability as compared to its traditional counterparts. This difficult tradeoff between system performance and intermediary trustworthiness stops most businesses interested in blockchain technology. Therefore it is crucial to find out the features and properties that bottleneck the system performance and scalability. Among the features, the consensus protocol is a critical one. A consensus mechanism guarantees that all honest nodes will eventually agree on a consistency ledger in asynchronous and untrusted networks.

Currently, two types of mainstream consensus protocols prevail. One is Nakamoto Consensus (NC) originated from Bitcoin (Nakamoto, 2019), in which the consensus of a proposed block is not definitive, but probabilistic. More precisely, the probability that there exists another honest node agreeing on a conflicting block drops proportionally to the number blocks appending to it. Then, a block is seen as “confirmed” when this probability is lower than a predetermined security parameter. For instance, Bitcoin confirms a block when there are five blocks appending to it.

The other is Byzantine Fault Tolerant (BFT), in which the consensus is reached through multiple rounds of quorum vote, where a block is guaranteed to reach absolute consistency in the asynchronous network when it receives votes from the supermajority (more than 2/3 of the nodes) two or three times (Castro et al., 1999; Yin et al., 2019). It is worth noting that NC can be used in either permissioned or permissionless networks. In permissioned networks, the number of honest nodes should be more than 50% of the population. In permissionless networks, a proof of the possession of a certain resource should be included in each block and the honest nodes should be in possession of more than 50% of that resource. BFT algorithms, on the other hand, are mostly used in permissioned network where the number of adversaries is less than 1/3 of the population.

Both consensuses have their merits and disadvantages. BFT algorithms like (Castro et al., 1999) are shown to achieve consensus with higher throughput and lower latency in small networks, yet quorum votes are involved in dampening system performance. NC algorithms (Nakamoto, 2019; Wood et al., 2014), on the other hand, does not require quorum votes which is complex in communication. Hence, it is usually believed to achieve higher throughput and lower latency in large practical networks. Recently, new BFT algorithms, like those in (Gilad et al., 2017; Yin et al., 2019; Kwon, 2014), are proposed for blockchains with a relatively large network and good performance under laboratory settings. The design logic of BFT and NC differs in various features including the quorum votes, and these features all affect system performance.

Given the different design logic of the two consensuses, researchers and practitioners will question which consensus is better given a certain network condition and blockchain application. Practically, by “different network conditio” we mean different network delay, bandwidth and byzantine ratio. By “better” we mean greater throughput and less latency. Therefore, it is desirable to have a framework to compare the performance of two protocol under a practical and general setting.

In literature, there are various evaluation frameworks that compare the performance of blockchain systems. Gervais et al. (Gervais et al., 2016) propose a framework to compare different Proof-of-Work (PoW) blockchains. In this framework, the performance of a blockchain is measured by its throughput when a certain security level is obtained under the optimal adversary attack. Dinh et al. (Dinh et al., 2017) propose BLOCKBENCH to evaluate the throughput, latency and security of private blockchains. They compare the performance of three major blockchains: Parity, Ethereum and Hyperledger Fabric. They found that these state of the art blockchain systems fall behind a traditional database system for business-level workloads. Croman et al. (Croman et al., 2016) propose a framework to measure the economic cost of different PoW systems. However, none of the above works ever make the quantitative comparison across the NC and BFT consensuses, needless to say formulating the two consensuses within one coherent framework.

In this paper, we present AlphaBlock, an evaluation framework to compare the performance of NC and BFT in practice. Critical features of the two consensuses, especially those affecting the performance of the blockchain in practical network scenarios, are modelled, including quorum communication, fork rate, empty block, the interval between blocks, block broadcast etc. Moreover, these features are all translated into two key performance indicators: throughput and latency. We show how network delay, bandwidth, and the ratio of the adversaries could affect the performance of both consensuses. Eventually, we give recommendations and general principles on the selection and the configuration of consensus in various networks.

2. Background

NC lays the critical foundation for not only Bitcoin (Nakamoto, 2019), but also other mainstream cryptocurrency designs like Litecoin (Haferkorn and Diaz, 2014) and Ethereum (Wood et al., 2014), which promises a bright future of decentralized payment and financial system (Huberman et al., 2019). However, with its wide adoption, the concerns over its bottlenecks are getting louder. The concern of undesirable performance is partially resolved with leader selection based algorithms like (Eyal et al., 2016; Kiayias et al., 2017) or graph-based protocol like PHANTOM (Sompolinsky and Zohar, 2018).

The problem of BFT is proposed in the 1980s by Lamport et al. in (Lamport et al., 1982) and has been extensively studied before blockchain was born (Bracha, 1987; Ben-Or et al., 1994; Castro et al., 1999). Essentially, BFT consensus can be categorized into state-machine replication protocols (Schneider, 1990) that finds majority consensus in the presence of malicious agents, which naturally meets the demand of blockchain. Therefore, a lot of BFT based systems were proposed, like Tendermint (Kwon, 2014), Algorand (Gilad et al., 2017), Casper FFG (Buterin and Griffith, 2017) and BEAT (Duan et al., 2018). Classical BFT algorithms like PBFT (Castro et al., 1999) are criticized for its poor scalability (Vukolić, 2015), namely, an $\mathcal{O}(N^{2})$ message complexity, which is not suitable for blockchains in large networks. Several blockchain application-oriented BFT algorithms like Algorand, Tendermint and Hotstuff BFT (HBFT)(Yin et al., 2019) have reduced the average message complexity per transaction in a normal consensus process to $\mathcal{O}(N)$ , which is identical to NC algorithms. In particular, Hotstuff BFT also achieves optimal responsiveness and $\mathcal{O}(N)$ message complexity for view change, which makes it similar in form to NC algorithms.

In the next subsection, we will briefly introduce Proof-of-Authority (PoA) algorithm and HBFT algorithm, which is an NC algorithm and a BFT algorithm, respectively. In each subsection, we will summarize performance-related factors from 3 levels: network, blockchain and protocol, which will motivate the proposition of our evaluation framework.

2.1. PoA

PoA is a type of permissioned NC algorithms that are used by blockchains like Parity¹¹1Proof-of-Authority Chains - Wiki Parity Tech Documentation: https://wiki.parity.io/Proof-of-Authority-Chains and VeChain²²2VeChain: https://www.vechain.com. In this paper, we propose a simple PoA algorithm which is merely a permissioned version of PoW. Firstly, we assume that honest nodes have a consistent view of Global Standard Time (GST) and the time is divided into rounds with a predetermined duration. Then, associated with each block, rather than a hash preimage proving the computation work conducted by the block proposer, a proof proving that the block is proposed by an authorized node which is in charge of proposing block in that round is provided.

The block will be broadcast to the network through gossip protocol. When each node receives a block, it should first validate the block before broadcast it and append it to its blockchain. Invalid block, i.e., blocks including invalid transactions or proposed by the incorrect or unauthorized nodes, will not be broadcast. A malicious node may create a fork, i.e., more than one valid block in a round. Then, honest nodes should apply the “longest chain rule” to determine the valid chain and the valid block. It is guaranteed that honest nodes could eventually reach consensus if blocks could be synchronized in a round and honest nodes are more than 50% of the network.

2.2. HBFT

In HBFT, in each round, a leader is selected according to a predetermined schedule. When a block is proposed by the leader, the leader will broadcast the block to the whole network and all nodes should send their votes with their signature to the leader to participate in the consensus process. When $2f$ agree with votes from the network are received, a quorum consensus (QC) is reached. Here, $f$ is number of the adversaries and $3f+1\leq N$ holds. In HBFT, a three-phase commitment approach will be used to reach consensus for this block. More specifically, a block is only confirmed when it reaches QC for 3 times. In this paper, we consider the chained HBFT proposed in (Yin et al., 2019), where the three-phase commitment scheme is pipelined in a chain. More precisely, in each round, a block is proposed with $2f+1$ votes from different nodes (including the block proposer). Then, a block is confirmed when it is appended by 2 blocks. Moreover, HBFT could function in partial synchronous network by increasing the timeout every time a QC is failed to be reached before the timeout. In this paper, in order to make a fair comparison, we consider a synchronous network where the network delay is known and thus the round duration could be set such that $2f$ votes could be collected with high probability.

3. Framework setup

As in the background, our framework should consist of a module to describe network properties, a module to describe blockchain properties, and a protocol module that accommodates both BFT and NC consensuses. We first introduce factors in the three modules, and define throughput and latency by these factors. Then we introduce the evaluation framework (AlphaBlock), which is essentially a system with a block proposing leader and a block validating & confirming committee. We simulate the AlphaBlock multiple times to obtain its average throughput and latency. We also fit BFT and NC into the framework in this section.

3.1. Key Concepts

In this section, we introduce key concepts relating to our AlphaBlock.

3.1.1. network properties

Number of nodes $N$ is the number of agents in the blockchain system.

Committee size $C$ is the number of agents of the block committee. The committee is used to validate and confirm a block. In BFT, the committee size $C=N$ , namely the whole network needs to reach consensus in validating a block. In NC, a block is validated individually and $C=0$ , namely no consensus is needed in validating a block. In AlphaBlock, $C$ can take any integer value between $0$ and $N$ , which enable framework to accommodate more consensuses other than BFT and NC.

Byzantine ratio $\alpha$ is the ratio of malicious nodes in the blockchain system. The malicious nodes will play to dampen the system performance and lower the system safety. To measure the performance of a system, we consider the case with the worst behaviour of malicious nodes. Therefore, when a block proposing node is malicious, we assume it will try to create a fork when we compute fork rate, and it will try to create an empty block when we compute probability of empty block, or conversely block rate.

Byzantine number $f$ is the number of the malicious nodes, and given $\alpha$ and $N$ , we have $f=\lceil(N-1)\alpha\rceil$ .

Endorsement size $d$ is the minimum number of committee members needed to validate a block. In BFT, $d=2f$ , namely the leader has to collect at least $d$ votes or signatures to validate a block in a round. In NC, no committee is needed to validate a block, so $d=0$ . Another choice of $C$ is also permissible in AlphaBlock.

Effective Bandwidth $B_{\textrm{width}}$ is the overall network bandwidth determined by

(1)

B_{\textrm{width}}=\frac{\textrm{data size}}{\textrm{time to broadcast data to the whole network}}.

Communication network $G(N,p,D,B_{\textrm{width}})$ is a randomly connected graph with parameters

•

$N$ nodes;
•

the linkage probability $p$ ;
•

the delay factor $D$ ;
•

the effective bandwidth of the network $B_{\textrm{width}}$ ;

In AlphaBlock, we assume the communication delay $\tau$ between linked nodes is lognormal with mean $0$ and variance $D^{2}$ , and messages propagate along the path with the shortest delay.

3.1.2. blockchain properties

Block size $B_{\textrm{size}}$ is the maximum number of transactions a block can hold. Since we are interested in the system theoretical performance, in the AlphaBlock workflow we assume each time a block is proposed, it contains $B_{\textrm{size}}$ transactions.

Message size $M_{\textrm{size}}$ is the size of a message. We define the message as information other than block, because the propagation of these information is dominated by network latency rather than bandwidth.

Security level $\epsilon$ is a maximal acceptable level of the probability that an inconsistency occurs in a system. Here, an inconsistency means that two honest nodes agree on different blocks. It seems that AlphaBlock is unfair for BFT in the sense that the consistency in BFT is definitive. However, as it is commonly believed that a small enough $\epsilon$ is secure enough and NC and BFT are indistinguishably used in many blockchain applications, it is reasonable to directly compare the performance of NC and BFT giving a small $\epsilon$ .

Simulation rounds $SR$ is the number of rounds of simulation of AlphaBlock to compute the system performance.

3.1.3. protocol properties

Block interval $B_{\textrm{interval}}$ is the time interval between two blocks. It is subject to three factors: block broadcast time (BBT), committee communication time (CCT), and blockhead broadcast latency (BBL). The BBT is the time needed to broadcast the block to the whole network, expressed as:

(2)

\textrm{BBT}=B_{\textrm{size}}/B_{\textrm{width}}.

The CCT is consensus-based. In BFT and all AlphaBlock with a non-zero endorsement committee, it takes 1 round of communication for the leader to collect votes and send out collected votes, and the time is delay dominant, so approximately two times the $d^{th}$ delay.

(3)

\textrm{CCT}_{C>0}=2\times d^{th}\textrm{ delay from leader to committee}.

In NC, it does not require committee communication, so

(4)

\textrm{CCT}_{C=0}=0.

The BBL is the biggest delay of block broadcast, so it is the maximum of delay from the leader to all $N$ member nodes.

(5)

\textrm{BBL}=\max(\textrm{delay from leader to }N\textrm{ members}).

Putting together, we have

(6)

B_{\textrm{interval}}=\max(\textrm{BBT},\textrm{CCT},\textrm{BBL}).

Fork rate $F_{\textrm{rate}}$ is the probability of fork. In AlphaBlock, a fork emerges when the leader and no less than $d$ committee members are malicious. Therefore

(7)

F_{\textrm{rate}}=Pr(\textrm{fork})=\alpha\times\textrm{Hygcdf}(d|N-1,N\alpha-1,C).

where $\textrm{Hygcdf}(X|M,K,Y)$ is the cumulative distribution function of hypergeometric distribution as follows:

(8)

\textrm{Hygcdf}(X|M,K,Y)=\sum_{0\leq x<X}\frac{{K\choose x}{M-K\choose Y-x}}{{M\choose Y}}.

Interestingly, equation 7 holds in both BFT and NC. In BFT, the fork rate is 0, so equation 7 applies. In NC, the fork rate is $\alpha$ , so equation 7 applies as well.

Block rate $B_{\textrm{rate}}$ is the probability of successfully proposing a block in a round, which requires no compromise on liveness. We compute block rate by considering the worst case attack on liveness, as shown in Table 1, which means when a committee could either create a fork or empty round, it would choose an empty round. Therefore

(9)

B_{\textrm{rate}}=(1-\alpha)\times(1-\textrm{Hygcdf}(C-d+1|N-1,N\times\alpha,C)).

Interestingly, equation 9 holds in both BFT and NC. In BFT, the block rate is $1-\alpha$ , so equation 9 applies. In NC, the fork rate is $1-\alpha$ , equation 9 applies as well.

Table 1. Worst case attack on liveness

Case	Leader	Committee member	Probability
Case 1	Malicious	# $\geq$ 0	$\alpha$
Case 2	Good	# of good $<$ d	$(1-\alpha)\times\textrm{Hygcdf}(C-d+1,N-1,N\times\alpha,C)$

Committee rate $C_{\textrm{rate}}$ is the proportion of bandwidth used by committee communication.

(10)

C_{\textrm{rate}}=\frac{\#\textrm{of CC edges}\times M_{\textrm{size}}}{\#\textrm{of CC edges}\times M_{\textrm{size}}+\#\textrm{of broadcast edges}\times B_{\textrm{size}}},

where $CC$ means committee communication. In BFT, $C_{\textrm{rate}}$ is non-zero but small. In NC, $C_{\textrm{rate}}$ is 0.

Bandwidth efficiency $B_{\textrm{eff}}$ is how efficiently the bandwidth is used for the transmission of the eventual confirmed transactions. Two relevant factors: fork will waste bandwidth, and committee communication will also occupy bandwidth. For simplicity, we first consider the scenario that the malicious leader and committee will create exactly one fork when they have the chance to do so, and consider other scenarios in Subsection 4.4. Subtracting the two factors will give net block propagating bandwidth. Therefore, bandwidth efficiency goes as follows:

(11)

B_{\textrm{eff}}=(1-F_{\textrm{rate}})\times(1-C_{\textrm{rate}}).

Confirmation number $K$ is the number satisfying

(12)

(F_{\textrm{rate}})^{K}\leq\epsilon,

where $\epsilon$ is the security level.

Note that the confirmation of HBFT and PoA are very different as the consensus types and the synchronous assumptions are different. However, the performance of both algorithms are compared directly regardless of their consensus. Hence, in a practicality perspective, we simply use “double standards” on the confirmation, according to their own confirmation rules in each consensus algorithm.

(13)

K=\left\{\begin{aligned} \lceil\log{\epsilon}/\log F_{\textrm{rate}}\rceil,&&\textrm{PoA}\\ 3,&&\textrm{HBFT}\end{aligned}\right..

3.1.4. System Performance

We are interested in the throughput and latency of the blockchain system.

Throughput $T$ is evaluated as transactions per second, and it is originally concerned with number of transactions within a block interval. However, due to forks, empty blocks, and waste of bandwidth due to committee communication, the throughput at security level $\epsilon$ is adjusted as follows:

(14)

T=\frac{B_{\textrm{size}}}{B_{\textrm{interval}}}\times B_{\textrm{rate}}\times B_{\textrm{eff}}.

Latency $L$ is evaluated as average time delay to confirm a transaction. it is originally concerned with number of appending blocks $K$ needed to confirm a block, which is originally equivalent to number of block intervals. However, due to empty rounds, $K$ needs to be adjusted by block rate, so the latency at security level $\epsilon$ is as follows:

(15)

L=\frac{K}{B_{\textrm{rate}}}\times B_{\textrm{interval}}.

3.2. AlphaBlock

With key concepts defined, we propose the evaluation framework, namely AlphaBlock, which is able to accommodate to both PoA of NC and HBFT of BFT. AlphaBlock loop over the following five parts adapted from (Xiao et al., 2020): Initialization; block proposal; information propagation; block validation; block finalization.

•

Initialization. A communication network $G(N,p,D,B_{\textrm{width}})$ is set according to 3.1.1, in which there are a proportion of $\alpha$ malicious or byzantine nodes. At the beginning of each round, A leader is randomly selected to propose a block, which matches PoA and HBFT. A committee of size $C$ is randomly selected to validate a block, and at least $d$ endorsements are needed to validate a block. In HBFT, $C=N,d=2f$ . In PoA, $C=0,d=0$ .
•

Block Proposal. In a round, the leader proposes a block, in which $B_{\textrm{size}}$ transactions are added by the leader. The probability that selected leader happens to be malicious is $\alpha$ . If the leader is malicious, it may create an empty block, and the probability of a non-empty block is block rate $B_{\textrm{rate}}$ . The malicious leader may also create a fork, and the probability of a fork is fork rate $F_{\textrm{rate}}$ . Note $B_{\textrm{rate}}$ and $F_{\textrm{rate}}$ apply to both HBFT and PoA as explained in key concepts.
•

Information propagation. When a block is proposed by the leader, the leader will send the block to the whole network using gossip, which takes time the bigger of broadcast time BBT and BBL. Meanwhile the leader communicate with the committee to confirm the block, which takes time CCT. Note BBT, BBL and CCT are explained in block interval of key concepts and all accommodated to HBFT and PoA. Therefore, the block propagation time BBT, the block broadcast latency BBL, and the back-and-forth of committee communication time CCT should all be smaller than or equal to block interval to ensure successful propagation.
•

Block validation. After Each node receiving the block, AlphaBlock will need to implement $R$ rounds of votes to validate the block. When the block is validated, it is appended to the blockchain, and the round starts over. In each round, at least $d$ votes must be collected to validate the block, otherwise the block will be nullified and the round will fail. In HBFT, a node will agree the proposed block by signing it and sending the signed vote to the leader. The leader will collect at least $2f$ signatures sent by other nodes, wrap them up, and broadcast the wrapped collected signatures to the whole network. Nodes then add the received wrapped signatures into the block before appending the block to its local blockchain; In PoA, it will take $R=0$ round: a node will just validate the block as long as the leader’s signature is verified, and there is no need of extra committee communication.
•

Block confirmation. To confirm a transaction in a block, It requires $K-1$ appending blocks. As explained in the key concepts, $K$ is protocol based. In HBFT, $K=3$ , namely it takes 3 rounds of votes from the super-majority to achieve definitive consensus. In PoA, $K=5$ , and it only guarantees a probabilistic consensus with a security level of $\epsilon$ .

We present the above idea in Algorithm 1. As a simplified version, instead of validating a block, we compute the exact probability of a block being validated and compute variables regardless of the validity of the round. This is reasonable because the variables computed within and without a valid round only differ with respect to the Byzantine ratio, but the communication network is assumed symmetric with respect to being Byzantine. The schematic workflow goes as in Algorithm 1:

Input: A random connected graph

G(N,p,D,B_{\textrm{width}})

; A blockchain model

Ch(u,r=0)

, where

r

is the # of valid round, and

u

is the index of the leader in round

r

that succeeds to generate a block; parameter

C

d

\alpha

\epsilon

B_{\textrm{size}}

SR

Output:

(T(C,d,B_{\textrm{size}}),L(C,d,B_{\textrm{size}}))

, namely Throughput-Latency pair as a function of

C,d

, and

B_{\textrm{size}}

for $i=1$ to $SR$ do

Com=randint(N,C+1)

;

// (Initialization)

r=com(0),\textrm{broadcast block }B_{r}\textrm{ to }com(j),j=1,...C

;

// (proposal)

com(j)\textrm{ vote or not to the leader }r

;

// (propagation)

\textrm{Broadcast to all }N\textrm{ nodes to append }B_{r}\textrm{ to }Ch(u,r),r=r+1

; ;

// (validation, confirmation)

\textrm{Compute the variables in Section}\ref{key concepts}\textrm{ except }T\textrm{ and }\ L

end for

\textrm{compute\ expected\ block\ interval }B_{\textrm{interval}}\textrm{ and committee rate }C_{\textrm{rate}}

;

\textrm{compute }T\textrm{ and }L\textrm{ with expected }B_{\textrm{interval}}\textrm{ and }C_{\textrm{rate}}

;

return $T,L$

Algorithm 1 Committee based consensus algorithm

3.3. Frontier Identification Algorithm

AlphaBlock accommodates more protocols than HBFT and PoA. It is interesting to find some optimal protocols in this framework by changing controllable parameters. In terms of throughput and latency, we can figure out these optimal protocols by the throughput-latency frontier in the sense that the throughput cannot be improved without compromising latency and vice versa. The frontier is a strong guidance of future blockchain system design.

More accurately, we are interested in optimising the throughput and latency of a system by choosing proper parameters $(C,d,B_{\textrm{size}})$ from a certain feasible set ${\mathbb{D}}$ . If we denote by $T(C,d,B_{\rm size})$ and $L(C,d,B_{\rm size})$ the throughput and latency of the system with parameters $(C,d,B_{\rm size})$ , then the problem can be formulated as

(16)

\min{-T(C,d,B_{\textrm{size}})},\min{L(C,d,B_{\textrm{size}})},\ (C,d,B_{\textrm{size}})\in{\mathbb{D}}.

The solution of this two-objective optimisation can be defined by Pareto Dominance. Given $y^{1}=(-t^{1},l^{1})$ and $y^{2}=(-t^{2},l^{2})$ then $y^{1}$ is said to Pareto Dominate $y^{2}$ (namely $y^{1}\prec_{Pareto}y^{2}$ ), iff

(17)

\forall i\in{1,2}:y_{i}^{1}\leq y_{i}^{2}\ and\ \exists j\in{1,2}:y_{j}^{1}<y_{j}^{2}.

and the set of all optimal solutions to the problem is described as the Pareto Frontier, which is defined as

(18)

P(Y)=\{y^{\prime}\in Y:\{y^{\prime\prime}\in Y:y^{\prime\prime}\prec_{Pareto}y^{\prime},y^{\prime\prime}\neq y^{\prime}\}=\emptyset\}.

Namely, Pareto Frontier is the set in which no other points outside the set can Pareto dominate any point in the set. We find the Pareto frontier by Algorithm 2.

Input: Y=(-T,L)

Output: Pidx ,namely Index for Pareto Frontier of Y.

[~{},idx]=sort(T,^{\prime}ascend^{\prime})

;

for $i=1$ to length(idx) do

[I]=find(L==min(L(idx(i:end))),1)

;

Lidx(i)=I

;

end for

Lidx=unique(Lidx);

[~{},idx]=sort(L,^{\prime}ascend^{\prime})

;

for $i=1$ to length(idx) do

[I]=find(T==min(T(idx(i:end))),1)

;

Tidx(i)=I

;

end for

Tidx=unique(Tidx);

Pidx=intersect(Lidx,Tidx)

return Pidx

Algorithm 2 Frontier identification algorithm

4. Results and discussion

In this section, unless otherwise specified, we use the baseline parameter setting specified in Table 2 . Furthermore, the Byzantine ratio is assumed to be 0.1, which is mild. The security level $\epsilon$ is taken so that the confirmation number K of PoA is 5. We first choose the number of agents to be $N=101$ as seen in VeChain and Libra³³3https://libra.org/en-US/white-paper/?noredirect=en-US. The connection probability p is taken to be 0.06, which is typical to model internet (Boccaletti et al., 2006). The network delay parameter is fitted from the data in (Gencer et al., 2018). The message size is approximated from (Georgiadis, 2019). The bandwidth is a mild assumption adapted from (Croman et al., 2016). The block size is assumed from typical data of Bitcoin (Georgiadis, 2019).

Table 2. parameter setup

$\alpha$	$\epsilon$	$N$	$p$	Networkdelay factor $D$	Message size $M_{\textrm{size}}$	Bandwidth $B_{\textrm{width}}$	Block size $B_{\textrm{size}}$
0.1	$10^{-5}$	101	0.06	0.1	0.1 KB	1 MB/s	2000 tx/block

4.1. Latency

In this subsection, we focus on the latency of HBFT and PoA with different values of block size, network delay and Byzantine ratio, respectively. We take the block size $B_{\textrm{size}}\in\{1,2,...100\}\times 40$ , the network delay $D\in\{0.1,0.3,0.5\}$ , and the byzantine ratio $\alpha\in\{0.1,0.2,0.3\}$ . We show the dependence of the latency on these three variables and the comparison between HBFT and PoA by our numerical experiments shown in Figure 1.

In the left panel of Figure 1, we can see that the latency of both consensus protocols remain flat when the block size stays below 1000, and start to rise after the block size exceeds 1000. This phenomenon can also be seen from the definition of the latency, in which the block size plays it role through the block interval defined as the maximum value among $B_{\textrm{size}}/B_{\textrm{width}}$ , the committee communication, and the blockhead broadcast. This maximum will increase together with the increasing of block size only when the block size is big enough, in which case the increasing is a linear style. Furthermore, with the bigger confirmation number $K$ , the slope of this increasing for PoA should be bigger, and this is also shown in Figure 1. By the definition of latency, block size only affects latency through block interval, the behavior of latency regarding block size results from block interval. In fact, the flat region is mainly due to the block interval setting that takes maximum from three variables as in key concepts. When block size is smaller than around 1000, the block interval will remain unchanged because the blockhead broadcast and committee communication are dominant to the determination of block interval. Therefore, we see a flat region. When block size larger than 1000, the block interval is dominated by block broadcast, so latency increases linearly in block size. The slope of PoA is greater than HBFT because of their difference in confirmation number $K$ .

The middle panel of Figure 1 shows that the latency is increasing in the networkdelay factor $D$ for both HBFT and PoA. This monotonicity can also be explained by the block interval. For a given block size, a bigger network delay factor $D$ will result in a bigger blockhead broadcast and a bigger committee communication, which pushes the latency higher. While our figure shows that this increasing relation is strict, it is true only for big block size according to our explanation here.

The right panel of Figure 1 shows that latency is increasing in Byzantine ratio for both HBFT and PoA. For PoA, this monotonicity comes from the increasing confirmation number $K$ decreasing block rate, as implied in Equation (9) and (13). While for HBFT, this monotonicity comes only from the decreasing block rate. Therefore, it is natural that PoA has a greater slope of the increasing than HBFT, which is also confirmed in Figure 1.

Compare the latency between HBFT and PoA in all three panels in Figure 1, we can find that HBFT has less latency than PoA, and we interpret this comparison mainly by the higher confirmation number $K$ of PoA. While this conclusion contradicts the common belief that BFT performs poorer than PoA when the block size is small. The key argument in this common belief is that BFT has a heavier committee communication overhead. This argument is true for traditional BFT whose communication overhead is $\mathcal{O}(N^{2})$ . While for HBFT, the communication overhead is reduced to $\mathcal{O}(N)$ , and hence the argument does not apply.

4.2. Throughput

In this subsection, we study the throughput of HBFT and PoA as a function of the block size, the network delay and the Byzantine ratio. We take the block size $B_{\textrm{size}}\in\{1,2,...100\}\times 40$ , the network delay factor $D$ in the set $D\in\{0.1,0.3,0.5\}$ , and the Byzantine ratio $\alpha\in\{0.1,0.2,0.3\}$ . Our experimenal results are shown in Figure 2. To understand implications of these figures, we need the following theorem, whose proof is deferred to Appendix.

Theorem 4.1.

As the block size $B_{\textrm{size}}\rightarrow\infty$ ,

\frac{\mbox{Throughput of PoA}}{\mbox{Throughput of HBFT}}\rightarrow(1-\alpha).

In fact, the limit in Theorem 1 is the ratio of $1-\mbox{Fork rate}$ between the two consensuses, and we know the fork rate of PoA is $\alpha$ , while it is $0$ for HBFT.

In Figure 2(a), we can see that the throughput of both consensus protocols increase linearly when the block size is below 1000, and then remain flat after the block size exceed 1000. We can examine this phenomenon by the definition of the throughput as in (13), in which the block rate $B_{\textrm{rate}}$ is a constant, the bandwidth efficiency $B_{\textrm{eff}}$ is very close to the constant value $1-F_{\textrm{rate}}$ . So the throughput is approximately a linear function of $B_{\textrm{size}}$ . As explained in the Subsection 4.1, the block interval remains a constant when When the block size is below 1000, and increases linearly otherwise. This shows the dependence of the throughput on the block size. With the flat property and the limit in Theorem 1, we can conclude that the throughput of PoA is lower than that of HBFT when the block size is big. This conclusion can also be interpreted in another way: when the blockchain system is dominated by bandwidth bottleneck, PoA throughput will be smaller than HBFT throughput.

Figure 2(b) shows then moving of throughputs when the network delay factor $D$ changes. We can see that both throughputs are decreasing in $D$ . The reason is similarly due to changes in the block interval, as analyzed in the last subsection. Moreover, we can see from the figure that BFT throughput is more sensitive to the network delay. This is consistent with the comparison of the block intervals. The committee communication is $0$ in PoA, but it can be the dominating factor among the three factors involved in the block interval, which makes the throughput of HBFT more sensible.

In Figure 2(c), we can see that throughput of both HBFT and PoA are decreasing in the Byzantine ratio $\alpha$ . This can be confirmed by the fact that both the block rate and the fork rate are decreasing in $\alpha$ .

In all three panels of Figure 2, we find that HBFT has better throughput than PoA. Although this is not an unconditional conclusion, we are confident that it holds for most practical settings of parameters.

4.3. Throughput-latency performance plot

Throughputs and latencies are studied separately in the last two subsection. In this subsection, we check these two measures jointly for PoA and HBFT in different settings. In Figure 3, we present the joint performance on throughtputs and latencies for PoA and HBFT with different parameter settings. In all 9 settings of parameters, we find that HBFT dominates PoA in the sense that HBFT has higher throughput and lower latency. In this dominance, the higher fork rate of PoA plays a key role, which pushes up the latency and pulls down the throughput. Furthermore, in all cases, when the throughput is pushed up, the latency stays approximately flat before some critical value of throughput, and then spikes up a little bit the value. For a throughput-latency curve, we call the point on the curve with the critical throughput as the turning point (Tpt) of the curve. A Tpt is informative to measure the performance of a consensus protocol, in which its throughput and latency indicate the bottleneck values of the protocol. In all $3\times 3$ panels in Figure 3, we have the following observations.

•

Tpt’s throughputs for both HBFT and PoA decrease in $\alpha$ . This naturally arise from the block rate in bandwidth efficiency. The difference between the Tpt’s throughputs of HBFT and PoA increases in $\alpha$ because of the difference in their fork rates.
•

Tpt’s throughput for both PoA and HBFT remains almost unchanged in the network delay factor $D$ . This means that the network delay has little impact on the bottleneck throughput of either system.
•

Tpt’s latency for PoA increases in $\alpha$ , but remains unchanged for HBFT, so their difference increases in $\alpha$ . This phenomenon can be confirmed by the fact that the fork rate for HBFT does not depend on $\alpha$ , but it equals $\alpha$ for PoA. We conclude that the Byzantine ratio affects the bottleneck latency for PoA only.
•

Tpt’s latency for PoA and HBFT increases in the network delay factor $D$ . This is natural given the fact that a greater delay leads to a greater block interval in general. The difference between the two Tpt’s latencies increases in the network delay factor $D$ , which is due to the greater confirmation number $K$ of PoA compared with that of HBFT.

4.4. Alternative fork strategy

In the previous subsections, we showed that the performance of PoA is dominated by HBFT in all numerical experiments. Although the communication overhead hurts the performance of HBFT, the bandwidth wasted by forks in PoA bites on the performance of PoA. In our experiments, the minimal fork rate is $0.1$ , which is high enough to make HBFT outperform PoA. In practice, if the malicious nodes use different strategies, the fork rate can vary in a wider range. For instance, on the one hand, by introducing economic penalty, the fork rate in Bitcoin is only $0.0178$ according to (Decker and Wattenhofer, 2013) in 2013, and this fork rate can be reduced further by stronger economic penalty. On the other hand, in Proof-of-Stake (PoS) algorithms like Peercoin, malicious nodes could perform Nothing-at-stakes attack to create a large number of forks (Bentov et al., 2016), resulting a large fork rate. In this work, we fix other parameters and vary the fork rate in $(0,1)$ , and find that the PoA will dominate HBFT when the fork rate is less than $0.001$ . We show our comparison when taking the fork rate at $0.001$ in Figure 4. By this comparison, we conclude that PoA can be a better choice if the fork rate can be pressed low by introducing some discouraging on forks.

4.5. When the system is large

In our previous numerical experiments, the number of nodes is set to be a relatively small number $N=101$ for the convenience of our experiments. In practice, HBFT and PoA are deployed on much larger systems. To make sure that our comparison still makes sense in a large system, we set $N=1001$ , and present the same comparison in Figure 5, which shows that the dominance of BFT over PoA still holds. Therefore, although contrary to the common belief, we are confident that HBFT dominates PoA even in a practically larger system.

4.6. Frontier identification

Finally, let us zoom out of the comparison between HBFT and PoA, and go to find better systems in AlphaBlock in terms of throughput and latency. The variables we can choose here are committee size $C$ , endorsement size $d$ and block size $B_{size}$ . We show in figure 6 the throughput-latency performance of AlphaBlock systems with different choices of the three variables above. In this figure, we highlight those for HBFT, PoA, and those on the Pareto frontier who has the highest throughput with a certain level of latency or the lowest latency with a certain level of throughput. It may not be possible to achieve some throughput-latency on the Pareto frontier, but we can sense the performance of a system by its difference to the Pareto frontier.

5. Conclusion

This paper proposes a general framework termed as AlphaBlock to evaluate consensus protocols for blockchain. We compare the performance of Byzantine Fault Tolerance (BFT) and Nakamoto Consensus (NC), and we take Hotstuff-BFT (HBFT) and Proof-of-Authority (PoA) as two specific examples. In comparison, we find that HBFT outperforms PoA in most practical settings, which contrasts the common belief. This out-performance can be reversed if the fork rate in PoA can be reduced sufficiently by some discouragement on forks. We also identify the Pareto-optimal choices of committee size $C$ , endorsement size $d$ and block size $B_{\textrm{size}}$ in the framework of AlphaBlock, which provides a direction for improving the performance of blockchain consensus algorithms.

6. Appendices

Proof of Theorem 4.1:

For both protocols, when $B_{\textrm{size}}\rightarrow\infty$ , we have $B_{\textrm{interval}}\rightarrow\frac{B_{\textrm{size}}}{B_{\textrm{width}}}$ and $C_{\textrm{rate}}\rightarrow 0$ .

Recall the definition of throughput

(19)

T=\frac{B_{\textrm{size}}}{B_{\textrm{interval}}}\times B_{\textrm{rate}}\times B_{\textrm{eff}}.

So when $B_{\textrm{size}}\rightarrow\infty$ , we have

(20)

T\rightarrow B_{\textrm{width}}\times B_{\textrm{rate}}\times(1-F_{\textrm{rate}}).

Since the block rate is $1-\alpha$ for both protocals, we have

(21)

\frac{T(PoA)}{T(HBFT)}\rightarrow\frac{(1-F_{\textrm{rate}})_{PoA}}{(1-F_{\textrm{rate}})_{HBFT}}=1-\alpha,

where $T(PoA)$ and $T(HBFT)$ are the throughputs of PoA and HBFT respectively.

References

(1)
Abraham and Malkhi (2016) Ittai Abraham and Dahlia Malkhi. 2016. BVP: Byzantine vertical paxos. Distributed Cryptocurrencies and Consensus Ledgers (DCCL) (2016).
Bano et al. (2019) Shehar Bano, Alberto Sonnino, Mustafa Al-Bassam, Sarah Azouvi, Patrick McCorry, Sarah Meiklejohn, and George Danezis. 2019. SoK: Consensus in the age of blockchains. In Proceedings of the 1st ACM Conference on Advances in Financial Technologies. 183–198.
Ben-Or et al. (1994) Michael Ben-Or, Boaz Kelmer, and Tal Rabin. 1994. Asynchronous secure computations with optimal resilience. In Proceedings of the thirteenth annual ACM symposium on Principles of distributed computing. ACM, 183–192.
Bentov et al. (2016) Iddo Bentov, Ariel Gabizon, and Alex Mizrahi. 2016. Cryptocurrencies Without Proof of Work. In Financial Cryptography and Data Security, Jeremy Clark, Sarah Meiklejohn, Peter Y.A. Ryan, Dan Wallach, Michael Brenner, and Kurt Rohloff (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 142–157.
Boccaletti et al. (2006) Stefano Boccaletti, Vito Latora, Yamir Moreno, Martin Chavez, and D-U Hwang. 2006. Complex networks: Structure and dynamics. Physics reports 424, 4-5 (2006), 175–308.
Bracha (1987) Gabriel Bracha. 1987. Asynchronous Byzantine agreement protocols. Information and Computation 75, 2 (1987), 130–143.
Buterin and Griffith (2017) Vitalik Buterin and Virgil Griffith. 2017. Casper the friendly finality gadget. arXiv preprint arXiv:1710.09437 (2017).
Castro et al. (1999) Miguel Castro, Barbara Liskov, et al. 1999. Practical Byzantine fault tolerance. In OSDI, Vol. 99. 173–186.
Croman et al. (2016) Kyle Croman, Christian Decker, Ittay Eyal, Adem Efe Gencer, Ari Juels, Ahmed Kosba, Andrew Miller, Prateek Saxena, Elaine Shi, Emin Gün Sirer, et al. 2016. On scaling decentralized blockchains. In International conference on financial cryptography and data security. Springer, 106–125.
Decker and Wattenhofer (2013) Christian Decker and Roger Wattenhofer. 2013. Information propagation in the bitcoin network. In IEEE P2P 2013 Proceedings. IEEE, 1–10.
Dinh et al. (2017) Tien Tuan Anh Dinh, Ji Wang, Gang Chen, Rui Liu, Beng Chin Ooi, and Kian-Lee Tan. 2017. Blockbench: A framework for analyzing private blockchains. In Proceedings of the 2017 ACM International Conference on Management of Data. 1085–1100.
DiNizo Jr (2018) Antonio M DiNizo Jr. 2018. From Alice to Bob: The Patent Eligibility of Blockchain in a post CLS Bank World. Case W. Res. JL Tech. & Internet 9 (2018), 1.
Duan et al. (2018) Sisi Duan, Michael K Reiter, and Haibin Zhang. 2018. Beat: Asynchronous bft made practical. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2028–2041.
Eyal et al. (2016) Ittay Eyal, Adem Efe Gencer, Emin Gun Sirer, and Robbert Van Renesse. 2016. Bitcoin-NG: A scalable blockchain protocol. In 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16). USENIX Association, 45–59.
Gencer et al. (2018) Adem Efe Gencer, Soumya Basu, Ittay Eyal, Robbert Van Renesse, and Emin Gün Sirer. 2018. Decentralization in bitcoin and ethereum networks. In International Conference on Financial Cryptography and Data Security. Springer, 439–457.
Georgiadis (2019) Evangelos Georgiadis. 2019. How many transactions per second can bitcoin really handle? Theoretically. IACR Cryptology ePrint Archive 2019 (2019), 416.
Gervais et al. (2016) Arthur Gervais, Ghassan O Karame, Karl Wüst, Vasileios Glykantzis, Hubert Ritzdorf, and Srdjan Capkun. 2016. On the security and performance of proof of work blockchains. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. 3–16.
Gilad et al. (2017) Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich. 2017. Algorand: Scaling byzantine agreements for cryptocurrencies. In Proceedings of the 26th Symposium on Operating Systems Principles. 51–68.
Haferkorn and Diaz (2014) Martin Haferkorn and Josué Manuel Quintana Diaz. 2014. Seasonality and interconnectivity within cryptocurrencies-an analysis on the basis of bitcoin, litecoin and namecoin. In International Workshop on Enterprise Applications and Services in the Finance Industry. Springer, 106–120.
Huberman et al. (2019) Gur Huberman, Jacob Leshno, and Ciamac C Moallemi. 2019. An economic analysis of the bitcoin payment system. Columbia Business School Research Paper 17-92 (2019).
Kiayias et al. (2017) Aggelos Kiayias, Alexander Russell, Bernardo David, and Roman Oliynykov. 2017. Ouroboros: A provably secure proof-of-stake blockchain protocol. In Annual International Cryptology Conference. Springer, 357–388.
Kwon (2014) Jae Kwon. 2014. Tendermint: Consensus without mining. Draft v. 0.6, fall 1, 11 (2014).
Lamport et al. (1982) Leslie Lamport, Robert Shostak, and Marshall Pease. 1982. The Byzantine generals problem. ACM Transactions on Programming Languages and Systems (TOPLAS) 4, 3 (1982), 382–401.
Nakamoto (2019) Satoshi Nakamoto. 2019. Bitcoin: A peer-to-peer electronic cash system. Technical Report. Manubot.
Schneider (1990) Fred B Schneider. 1990. Implementing fault-tolerant services using the state machine approach: A tutorial. ACM Computing Surveys (CSUR) 22, 4 (1990), 299–319.
Sompolinsky and Zohar (2018) Yonatan Sompolinsky and Aviv Zohar. 2018. PHANTOM: A Scalable BlockDAG Protocol. IACR Cryptology ePrint Archive 2018 (2018), 104.
Spielman (2016) Avi Spielman. 2016. Blockchain: digitally rebuilding the real estate industry. Ph.D. Dissertation. Massachusetts Institute of Technology.
Vukolić (2015) Marko Vukolić. 2015. The quest for scalable blockchain fabric: Proof-of-work vs. BFT replication. In International workshop on open problems in network security. Springer, 112–125.
Wons (2017) Mike Wons. 2017. Digital Transformation in Government, The Illinois Blockchain Initiative. In NASCIO Enterprise Architecture & Governance Committee Monthly Conference Call.
Wood et al. (2014) Gavin Wood et al. 2014. Ethereum: A secure decentralised generalised transaction ledger. Ethereum project yellow paper 151, 2014 (2014), 1–32.
Xiao et al. (2020) Yang Xiao, Ning Zhang, Wenjing Lou, and Y Thomas Hou. 2020. A survey of distributed consensus protocols for blockchain networks. IEEE Communications Surveys & Tutorials (2020).
Yin et al. (2019) Maofan Yin, Dahlia Malkhi, Michael K Reiter, Guy Golan Gueta, and Ittai Abraham. 2019. Hotstuff: Bft consensus with linearity and responsiveness. In Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing. 347–356.