
Aviv Zohar

The Hebrew University & QED-it

Joint work with Yonatan Sompolinsky & Yoad Lewenberg
Two related problems
A block every 10 minutes
A long wait for transaction confirmations

1MB per block (pre SegWit)

A limit on number of transactions per second (3.3 TPS)
*assuming 0.5KB per transaction
Larger blocks
Higher block creation rates

More forks in chain

*Data generously shared by Decker & Wattenhofer


Larger blocks
Higher block creation rates

More forks in chain

Lost capacity
Skewed rewards
Lower security

50% attack with less than 50% of hash power
Lots of new protocols to address scalability
BitcoinNG, Solidus, Algorand, Hybrid Consensus, Byzcoin

Each with slightly different properties

I will talk about SPECTRE

Designed for payments (not so good for smart contracts).
Insight 1: DAGs are more powerful
Direct Revelation.
Let each block reveal its full worldview
We can still tell what the longest chain is
Insight 2: Bitcoin is related to voting
Consider each block as voting for any chain
that contains it (against chains that don't)

B C

A D E F

G H I

The longest chain wins


Cloning in elections

Trump
Republican
Cruz
Democrat
Clinton

A voting rule is clone-proof if it maintains the result of the elections
even when one of the alternatives is cloned (maintaining order)

Plurality is not clone-proof
x3 x4
Dem. Rep.

Rep. Dem.

x3 x2 x2
Clinton Trump Cruz

Trump Cruz Trump

Cruz Clinton Clinton

A Condorcet loser is elected


Cloning in Bitcoin

Trump

Cruz

Clinton

We should prefer visible (published) blocks over ones that were hidden.
That helps us be clone-proof

Insight 3: amplification
Miners strengthen the majority decision
and thus make it more robust

B C

A D E F

G H I

Add new block here!

SPECTRE: A Fast and Scalable Cryptocurrency Protocol [Lewenberg, Sompolinsky, Z]
https://eprint.iacr.org/2016/1159.pdf
What do miners do?
Create blocks with transactions (with PoW)
Blocks point to all known tips of the DAG
That's it.

Blocks created in parallel may contain conflicting transactions.
Nodes observe (a local copy of) the DAG and
decide if Tx is Accepted or Rejected

Accepted
TXs

Just like Bitcoin:


Accepted

Rejected
But REALLY we should think of
transactions as being in 3 states:
RobustReject, Pending, RobustAccept

Just like in Bitcoin:

RobustAccept Pending

RobustReject
Properties that we are aiming for
Consistency: Tx is Accepted iff all inputs are
accepted and all conflicts are rejected.

Safety: If Tx is RobustAccepted by any node, then
(with high prob) all nodes will RobustAccept, forever.

Weak Liveness: if a Tx is published in DAG
and no conflicting Txs are published for a while,
it is RobustAccepted quickly.

As long as the attacker is <50%

Even if blocks are created fast, and delay is high.


What do these properties give us?
If Alice pays at the store, and does not
double spend, payment is irreversibly
accepted. FAST.

If Eve pays at the store and double spends
One Tx may be accepted (forever)
Both Txs may be Pending forever.
The protocol has two steps:

1. Vote over blocks (pairwise)

2. Use result to accept / reject Txs.

*Robust accept is a bit more complex,
but basically: check that there are
enough votes.
Accept transaction Tx in block B if:
All inputs are accepted
in Block is
For every conflicting
defeated (B wins pairwise vs )

Tx1

Tx2
Analogy to bitcoin:
Accept a Tx if conflicts appear later in
chain or in orphan blocks
Tx1 Tx3

Tx2
For every pair of blocks hold a vote to see:
how many think A<B, and
how many think B<A?

Blocks that know A but not B: say A<B

Blocks that know B but not A: say B<A

(CLONE PROOF)

Blocks that know both A and B:
make a recursive call.

Vote according to order computed from their
past DAG (AMPLIFICATION)

Blocks who don't know either one, vote
according to the majority of their future
(More amplification)
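
The four voting rules above, run on a small DAG (an added example, not code from the slides or from the SPECTRE authors). The DAG, the block names and the function names are constructed for illustration; X and Y play the roles of A and B, and a tied vote is reported as 0 because the slides do not describe tie-breaking.

```python
# Constructed sample DAG (block -> parents). X is published, Y is withheld.
DAG = {
    "gen": [], "X": ["gen"], "Y": ["gen"],
    "H1": ["X"], "H2": ["X"], "H3": ["H1", "H2"],  # honest blocks that saw only X
    "Y1": ["Y"],                                    # block built on the withheld Y
    "M": ["H3", "Y1"],                              # later block that sees both
}

def past(dag, b):
    """All ancestors of b (b itself excluded)."""
    seen, stack = set(), list(dag[b])
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(dag[p])
    return seen

def sign(n):
    return (n > 0) - (n < 0)

def pair_vote(dag, blocks, x, y):
    """Sum of votes over `blocks` (a past-closed set); >0 means x defeats y."""
    votes = {}
    # Visit descendants before ancestors so a block's future has already voted.
    for z in sorted(blocks, key=lambda b: len(past(dag, b)), reverse=True):
        p = past(dag, z)
        knows_x, knows_y = (x == z or x in p), (y == z or y in p)
        if knows_x and not knows_y:
            v = 1                                   # knows x but not y: x<y
        elif knows_y and not knows_x:
            v = -1                                  # knows y but not x: y<x
        elif z == x:
            v = -1                                  # y is in x's own past
        elif z == y:
            v = 1                                   # x is in y's own past
        elif knows_x and knows_y:
            v = sign(pair_vote(dag, p, x, y))       # recursive call on past DAG
        else:
            # Knows neither: follow the majority of its future inside `blocks`.
            v = sign(sum(votes[w] for w in blocks if z in past(dag, w)))
        votes[z] = v
    return sum(votes.values())

if __name__ == "__main__":
    print(pair_vote(DAG, set(DAG), "X", "Y"))
```

Adding block M, which sees both X and Y, raises X's margin from 3 to 4: the amplification effect described above.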

10
A B
4

C

9 5
10
A B
4

Just like Bitcoin (Again)

A A A A

A A A A

B B B
Why this protocol is super awesome
A transaction with no visible conflict is quickly
confirmed (it is safe from hidden attacks up to 50%).

Why this protocol is super awesome
Censorship attacks also seem to fail
(up to 50% attackers)

Lots more to discuss
Selfish mining (trivially solved)
Efficient implementation (code forthcoming)
Difficulty adjustments
Minting
Smart contracts

Another protocol in the works (SPECTRE 2 temp name)
Providing total order + scalability
DAGlabs
An implementation effort joined by
(SPECTRE coauthors) Yonatan Sompolinsky, Yoad Lewenberg,
Ethan Heilman (TumbleBit),

A cryptocurrency with DAGs (SPECTRE) +
Privacy + other blockchain advancements

Contact point for the project is Guy Corem


www.daglabs.com
Conclusion

We think that Blockchains BlockDAGs
can be fast and secure!

Even at high rate
