¹¹institutetext: School of Computing, Tokyo Institute of Technology, Japan
¹¹email: {bonnet,defago}@c.titech.ac.jp ²²institutetext: ICUBE, University of Strasbourg, CNRS, France
²²email: [email protected] (corresponding author)

Stateless Distributed Ledgers^†^†thanks: This research is partly supported by Japan Science and Technology Agency (JST) OPERA Grant Number JY280149.

François Bonnet 11 Quentin Bramas 22 Xavier Défago 11

Abstract

In public distributed ledger technologies (DLTs), such as Blockchains, nodes can join and leave the network at any time. A major challenge occurs when a new node joining the network wants to retrieve the current state of the ledger. Indeed, that node may receive conflicting information from honest and Byzantine nodes, making it difficult to identify the current state.

In this paper, we are interested in protocols that are stateless, i.e., a new joining node should be able to retrieve the current state of the ledger just using a fixed amount of data that characterizes the ledger (such as the genesis block in Bitcoin).

We define three variants of stateless DLTs: weak, strong, and probabilistic. Then, we analyze this property for DLTs using different types of consensus.

Keywords:

Distributed Ledger Technology Blockchain Consensus.

1 Introduction

Distributed Ledger Technologies (DLTs) are usually partitioned depending on the type of consensus used to order incoming transactions. Here, we consider the three most used classes of technologies: Byzantine agreement, Proof of Work, and Proof of Stake.

Byzantine agreement protocols [7] are used to maintain consistent states replicated over multiple servers. It can tolerate crash or Byzantine faults, up to a number that depends on the synchrony assumption of the communications. Such protocols are executed by known servers in a fixed network environment, a setting called permissioned. They can easily be used by nodes to maintain a ledger of transactions. Every insertion in the ledger is the result of a consensus among participating nodes.

Blockchains based on Proof of Work (PoW) are the first distributed ledger technologies that work in an environment where nodes can join and leave and any node can participate to the protocol. Nodes are elected randomly proportionally to their computational power, and an elected node can append transactions to the ledger. All current PoW Blockchains, including Bitcoin, work with synchronous communications, and assume correct nodes to have strictly more computational power than Byzantine nodes.

Blockchains based on Proof of Stake (PoS) are similar to the PoW based ones, but nodes are elected proportionally to the amount of tokens they own in the blockchain itself. In protocols based on PoS, a well-known concern is called long-range attacks [2], where a group of nodes create an alternative chain extending an old block. This is made possible because block generation is not computationally heavy, and if a node can extend a block at a given time, nothing prevents it from extending the same block in a different way at a later time. This attack becomes even worse when the nodes owning a majority of tokens at a previous time, do not have stake at the current time. Performing such attacks could be appealing as they have nothing to lose. This problem is known as posterior corruption [1].

Existing Proof of Stake based protocols such as SnowWhite [1], Algorand [4], Ouroboros [6], have identified such risks. The main solution proposed is to have some sort of checkpointing mechanism to avoid considering past majorities of stake holders. A variant of this attack is called stake-bleeding attacks [3]. It uses other mechanisms such as block rewards and transaction fees to allow even a past minority of stake holders to execute long-range attacks.

Contributions.

In this paper we aim at defining a general model to capture the main difference between various kind of Distributed Ledger Technologies (DLTs). Our model is abstract enough to be independent of the implementation and capture only the main mechanisms of the DLTs. Then, we focus on one property that we call the Stateless Property. We define this property in our general DLT model and show whether existing technologies satisfies it or not. In particular the fact that Proof of Stake based DLTs are not Stateless implies the existence of the long-range attack vulnerability.

We believe that our model could be use independently to capture other properties and compare technologies in an abstract way.

2 Model

We consider that time is discrete and at each time $t\in\mathbb{N}$ , $\mathcal{N}_{t}$ represents the set of nodes in the network. We consider that communication is instantaneous and there is a communication link between any two nodes in the network at any given time. We also assume that each node is identified, and is able to securely sign messages.

A distributed ledger is a data structure with an “append” function. It is maintained by a set of processing nodes. The network receives events and the nodes react to the events according to the distributed ledger protocol. Each time the ledger is updated, a new time instant begins. Formally, a DLT is characterized by its initial state $I$ and a state transition function $\sigma$ that takes a current state $S_{t}$ , the events $E_{t}$ , and the network $\mathcal{N}_{t}$ containing all the nodes that are online at least once before the next “append”. Then $\sigma$ returns a new state $S_{t+1}$ when the “append” function is called at time $t+1$ . A state can be seen as a sequence of “append” and we write $S\preccurlyeq S^{\prime}$ when state $S$ is a prefix of state $S^{\prime}$ , i.e., $S^{\prime}$ can be obtained from $S$ by appending data. The state $S^{-k}$ denotes the truncated state $S$ where the last $k$ occurrences of “append” of $S$ are omitted.

Given a DLT $(I,\sigma)$ , a sequence of $\mathcal{N}=(\mathcal{N}_{t})_{t\in\mathbb{N}}$ of networks and a sequence $E=(E_{t})_{t\in\mathbb{N}}$ of events, we can construct the sequence of states $\mathit{States}(I,\sigma,\mathcal{N},E)=(S_{t})_{t\in\mathbb{N}}$ in the following way $S_{0}=I$ and $\forall t\in\mathbb{N},S_{t+1}=\sigma(S_{t},\mathcal{N}_{t},E_{t})$ .

Stateless DLT.

When a new node joins the network, it obtains the current state from the other nodes in the network. Informally, we say a DLT is stateless if a new joining node is able to deduce what is the current state of the DLT from the information received from the current network and by knowing the initial state.

At a given time $t$ , each node $u\in\mathcal{N}_{t}$ has a local state $LS(u)$ . For a correct node, the local state is exactly the current state $S_{t}$ (communications are supposed instantaneous so all correct nodes agree on the current state at any time). For Byzantine nodes, the local state is constructed by an adversary. The set of pairs $(u,LS(u))$ for all nodes $u$ in $N_{t}$ is denoted $\mathbb{S}_{t}$ i.e., $\mathbb{S}_{t}=\{(u,LS(u))\,|\,u\in\mathcal{N}_{t}\}$ .

Definition 1 (Weakly Stateless DLT)

A DLT is weakly stateless if there exists a function $f$ such that $f(I,\mathbb{S}_{t})=S_{t}$ .

Definition 2 (Strongly Stateless DLT)

A DLT is strongly stateless if there exists a function $f$ such that $f(I,\mathbb{S}_{t})=S_{t}$ and, for any subset $A\subset\mathbb{S}_{t}$ , $f(I,A)=S_{t}$ or $\bot$ .

Definition 3 (Probabilistically Stateless DLT)

A DLT is probabilistically stateless if there exists a function $f$ such that $\forall k,t,t^{\prime}\in\mathbb{N}$ , with $k\leq t\leq t^{\prime}$ , $f(I,\mathbb{S}_{t})^{-k}\preccurlyeq S_{t^{\prime}}$ with probability greater than $1-O(e^{-ck})$ for some constant $c>0$ .

3 Examples of Stateless DLTs

3.0.1 Byzantine Agreement Protocols

It is well-known that, in a fixed network $C$ of known nodes where communication is synchronous, consensus is possible and can tolerate up to $\frac{(|C|-1)}{2}$ Byzantine nodes [7].

We denote by $\sigma_{BA}$ the transition function of a Byzantine agreement protocol among the nodes in $C$ . $\sigma_{BA}$ represents the fact that, at time $t$ , the nodes in $C\subset\mathcal{N}_{t}$ perform a Byzantine agreement to order the transactions received in $E_{t}$ and update the state $S_{t}$ accordingly to obtain $S_{t+1}$ . In the Byzantine agreement protocol, we consider that the state contains the information about the set $C$ of nodes participating in the consensus protocol.

Interestingly, when a majority of nodes in $C$ are correct, any node $u$ outside $C$ can ask the nodes in $C$ for the current state. Then, the current state is the one received by a majority of nodes in $C$ , and is guaranteed to be correct. From this we deduce the following theorem:

Theorem 3.1

For a set of nodes $C$ and an initial state $I$ (which contains the information of $C$ ), if $\forall t\in\mathbb{N},\,C\subset\mathcal{N}_{t}$ and at most $\frac{(|C|-1)}{2}$ nodes in $C$ are Byzantine, then the DLT $(I,\sigma_{BA})$ is strongly stateless.

Proof

Assuming at most $\frac{(|C|-1)}{2}$ nodes are Byzantine, for any sequence $\mathcal{N}$ and $E$ , all the correct nodes in $C$ agree on all the state $S_{t}\in\mathit{States}(I,\sigma_{BA},\mathcal{N},E)$ for any $t\in\mathbb{N}$ . The function $f$ returns the local state that appears in at least $\frac{|C|+1}{2}$ pairs associated with a node in $C$ . If no such state exists (if the set of local states is only a subset of $\mathbb{S}$ ), $f$ returns $\bot$ . Formally, we have
$f(I,A)=S$ if $|\{u\in C|(u,S)\in A\}|>\frac{|C|}{2}$ , and $f(I,A)=\bot$ otherwise. ∎

3.0.2 Proof of Work Blockchains

In PoW Blockchains, there are no assumptions about the nodes in the network, except that at any time $t$ , in $\mathcal{N}_{t}$ , the computational power of the correct nodes is strictly greater than the computational power of the Byzantine nodes. Then, the transition function $\sigma_{\mathit{PoW}}$ applies an ordering on the transactions received in $E_{t}$ (decided by some node in the network) and appends the block of transactions to state $S_{t}$ resulting in $S_{t+1}$ . In addition, from state $S_{t}$ , one can compute the proof of work performed until time $t$ , denoted $\mathit{PoW}(S_{t})$ . So $\mathit{PoW}(S_{t+1})$ is the sum of $\mathit{PoW}(S_{t})$ and the proof of work corresponding to the last “append”. For the initial state $I$ , $\mathit{PoW}(I)=0$ .

Theorem 3.2

For an initial state $I$ , if for all $t$ the computational power of correct nodes in $\mathcal{N}_{t}$ is strictly greater than the computational power of Byzantine nodes in $\mathcal{N}_{t}$ , then the DLT $(I,\sigma_{\mathit{PoW}})$ is probabilistically stateless.

Proof

Let $f$ be the function returning the local state that maximizes the Proof of Work, $f(I,\mathbb{S}_{t})=\operatorname*{\mathbf{argmax}}_{S}(\{\mathit{PoW}(S)|\exists u,(u,S)\in\mathbb{S}_{t}\})$ . Such a local state could have been generated by an adversary. If $k$ denotes the number of blocks we have to truncate to obtain a prefix of the correct state $S_{t}$ , then the probability decreases exponentially fast when $k$ tends to infinity. Indeed, let $p_{t}$ , resp. $q_{t}$ , be the computational power of the correct nodes, resp. of the adversary, at time $t$ . By assumption, $\forall t,p_{t}>q_{t}$ . Let $\lambda_{t}=\max_{t^{\prime}\leq t}(p_{t^{\prime}}q_{t^{\prime}})$ .

From [5] (Th.2), we deduce that, at a given time $t$ , the probability that an adversary rewrites the last $k$ blocks is in $O(e^{-cz})$ with $c=\log(1/(4\lambda_{t}))>0$ . ∎

4 Impossibility of Stateless Proof of Stake Blockchains

In PoS Blockchains, the consensus at a given time $t$ is possible assuming the nodes owning a majority of the tokens are correct. So we can assume that the state transition function $\sigma_{\mathit{PoS}}$ is performed by those correct nodes, owning a majority of the tokens, creating a new state $S_{t+1}$ from state $S_{t}$ and incoming events $E_{t}$ . However nothing prevents the nodes in $\mathcal{N}_{0}$ to create an alternative state after time $0$ .

Theorem 4.1

Even if, at each time, all the nodes owning tokens are correct, the PoS DLT is not weakly stateless.

Proof

To simplify, assume that, at some time $t>0$ , all nodes in $\mathcal{N}_{0}$ are owned by the adversary. Indeed, there is no assumption on the correctness of $\mathcal{N}_{0}$ after time $0$ . Then, the adversary can simulate an execution of the DLT in a sequence of networks $\mathcal{N}_{t}^{\prime}$ where each node in $\mathcal{N}_{t}^{\prime}$ is owned by the adversary and such that there is a bijection $m$ mapping any nodes in $u\in\mathcal{N}_{t}$ to a malicious node $m(u)\in\mathcal{N}_{t}^{\prime}$ , for all $t\in\mathbb{N}$ ( $m(u)=u$ if $u$ is already malicious). Hence, the sequences of networks $(\mathcal{N}_{t}^{\prime})_{t}$ and $(\mathcal{N}_{t})_{t}$ differ only in the addresses that identify nodes. The adversary can execute the same DLT using the same sequence of events $(E_{t})_{t}$ but in the malicious sequence of networks $\mathcal{N}^{\prime}=(\mathcal{N}_{t}^{\prime})_{t}$ , which gives a different sequence of states $\mathit{States}(I,\sigma_{\mathit{PoS}},\mathcal{N}^{\prime},E)\neq\mathit{States}(I,\sigma_{\mathit{PoS}},\mathcal{N},E)$ .

At time $t$ , the adversary can connect all nodes $\mathcal{N}_{t}^{\prime}$ to the network so that the set of local states is $\mathbb{S}_{t}=\{(u,LS(u))|u\in\mathcal{N}_{t}\}\cup\{(u,LS(u))|u\in\mathcal{N}_{t}^{\prime}\}$ . The set is symmetric as half of the local states contain $S_{t}$ and the other half contain $S_{t}^{\prime}$ and both states differ only in the addresses used to identify nodes.

$\mathit{States}(I,\sigma_{\mathit{PoS}},\mathcal{N}^{\prime},E)$ is a valid sequence of states if the sequence of networks was $\mathcal{N}^{\prime}$ and if the adversary creates symmetrically the state $S_{t}$ using the sequence of networks $\mathcal{N}_{t}$ . A function $f$ should answer $S_{t}$ in the first case and $S_{t}^{\prime}$ in the second case, with exactly the same input, which is a contradiction. ∎

One way to make the PoS DLT stateless is to assume that any set of nodes owning a majority of the token at a given time $t$ are correct at any time $t^{\prime}>t$ . This is a very strong assumption as for instance, it gives the same kind of trust in the initial set of nodes as in the Byzantine agreement protocol. Indeed, if the nodes in $\mathcal{N}_{0}$ are still connected at time $t$ then, they act as a trusted committee. We could even remove the proof of stake entirely and only rely on standard Byzantine agreement between nodes in $\mathcal{N}_{0}$ . In the case where nodes in $\mathcal{N}_{0}$ go offline, they can select replacement nodes (using any method including election or simply one-to-one replacement), and include a signed message that define their choice in the state so that any joining node could identify the current set of trusted nodes. In future work, we plan to identify other sufficient conditions for the existence of Stateless DLTs.

References

[1] Iddo Bentov, Rafael Pass, and Elaine Shi. Snow white: Provably secure proofs of stake. IACR Cryptology ePrint Archive, 2016(919), 2016.
[2] Evangelos Deirmentzoglou, Georgios Papakyriakopoulos, and Constantinos Patsakis. A survey on long-range attacks for proof of stake protocols. IEEE Access, 7:28712–28725, 2019.
[3] Peter Gaži, Aggelos Kiayias, and Alexander Russell. Stake-bleeding attacks on proof-of-stake blockchains. In 2018 Crypto Valley Conference on Blockchain Technology (CVCBT), pages 85–92. IEEE, 2018.
[4] Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich. Algorand: Scaling byzantine agreements for cryptocurrencies. In Proceedings of the 26th Symposium on Operating Systems Principles, pages 51–68, 2017.
[5] Cyril Grunspan and Ricardo Pérez-Marco. Double spend races. International Journal of Theoretical and Applied Finance, 21(08):1850053, 2018.
[6] Aggelos Kiayias, Alexander Russell, Bernardo David, and Roman Oliynykov. Ouroboros: A provably secure proof-of-stake blockchain protocol. In Annual International Cryptology Conference, pages 357–388. Springer, 2017.
[7] Michel Raynal. Distributed algorithms for message-passing systems, volume 500. Springer, 2013.

Stateless Distributed Ledgers††thanks: This research is partly supported by Japan Science and Technology Agency (JST) OPERA Grant Number JY280149.

Abstract

Keywords:

1 Introduction

Contributions.

2 Model

Stateless DLT.

Definition 1 (Weakly Stateless DLT)

Definition 2 (Strongly Stateless DLT)

Definition 3 (Probabilistically Stateless DLT)

3 Examples of Stateless DLTs

3.0.1 Byzantine Agreement Protocols

Theorem 3.1

Proof

3.0.2 Proof of Work Blockchains

Theorem 3.2

Proof

4 Impossibility of Stateless Proof of Stake Blockchains

Theorem 4.1

Proof

References

Stateless Distributed Ledgers^†^†thanks: This research is partly supported by Japan Science and Technology Agency (JST) OPERA Grant Number JY280149.