Fully-Fluctuating Participation in Sleepy Consensus
Abstract
Proof-of-work allows Bitcoin to boast security amidst arbitrary fluctuations in participation of miners throughout time, so long as, at any point in time, a majority of hash power is honest. In recent years, however, the pendulum has shifted in favor of proof-of-stake-based consensus protocols. There, the sleepy model is the most prominent model for handling fluctuating participation of nodes. However, to date, no protocol in the sleepy model rivals Bitcoin in its robustness to drastic fluctuations in participation levels, with state-of-the-art protocols making various restrictive assumptions. In this work, we present a new adversary model, called external adversary. Intuitively, in our model, corrupt nodes do not divulge information about their secret keys. In this model, we show that protocols in the sleepy model can meaningfully claim to remain secure against fully fluctuating participation, without compromising efficiency or corruption resilience. Our adversary model is quite natural, and arguably naturally captures the process via which malicious behavior arises in protocols, as opposed to traditional worst-case modeling. On top of which, the model is also theoretically appealing, circumventing a barrier established in a recent work of Malkhi, Momose, and Ren.
Keywords and phrases:
Sleepy Consensus, fully-fluctuating dynamic ParticipationCopyright and License:
2012 ACM Subject Classification:
Theory of computation Distributed algorithms ; Security and privacy Distributed systems securityAcknowledgements:
We thank Joseph Bonneau, Javier Nieto, and Ling Ren for fruitful discussions.Editors:
Zeta Avarikioti and Nicolas ChristinSeries and Publisher:
Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik
1 Introduction
Byzantine-fault tolerant (BFT) consensus, the problem of reaching agreement on a value amongst nodes, of which a fraction are corrupted and controlled by an adversary, is one of the most fundamental problems in distributed computing, with research spanning over four decades [19, 26]. The last decade has seen a significant growth in work and interest in the problem, mainly motivated by the pivotal role that consensus protocols play in the design and analysis of blockchains [23, 17, 7, 1, 25, 13].
Traditionally, it is assumed that apart from the corrupt nodes, all other nodes follow the protocol at all times. This assumption, while justified for applications such as data centers, is arguably optimistic in the context of blockchains, where the participants in the protocol may come and go at arbitrary points in time. Specifically, the desiderata for many blockchain protocols, such as Bitcoin and Ethereum, requires maintaining security even in the presence of many unexpected temporary crash faults, in which some subset of the nodes may go offline for an undetermined interval of time. In particular, the protocol may experience alternating periods of high participation and low participation.111Throughout, we assume a fixed set of potential participants known to the protocol; i.e., the set of nodes allowed to partake is fixed, and fluctuation in participation occurs w.r.t. that set. Reconfiguration of the nodes partaking in the protocol is orthogonal to the unexpected and wide fluctuations in participation considered here, and reconfiguration is expressly not considered in this work. The seminal Bitcoin protocol [23], also known as proof-of-work Nakamoto consensus, was the first protocol to achieve secure consensus under such circumstances, allowing participants in the protocol to come and go as they please so long as an honest majority (of hash-based mining power) is maintained at any point in time. Its deftly formalized proof-of-work framework allowed for protocol design which is completely agnostic to the total number of participating nodes (corrupt or honest!) across present, past, or future. For example, if tomorrow the honest participation in Bitcoin drops to a level below the corrupt participation today, it would not render Bitcoin insecure (so long as corrupt participation decreases accordingly). The same holds for if corrupt participation tomorrow exceeds honest participation today (assuming honest participation increases accordingly).
As the years went on, proof-of-work ceded its spot in the limelight to proof-of-stake, which presently is the dominant approach to Sybil-resistance among blockchain protocols. In the translation, however, resilience to fluctuation in participation was lost. In the context of proof-of-stake, a formal model that captures fluctuating participation is the sleepy consensus model, introduced in [24] by Pass and Shi. This model is the focus of our work. In the sleepy model, there is a fixed set of nodes, identified via a public key infrastructure (PKI). Besides being classified as honest or corrupt, nodes can alternate (adversarially) between two states at each point in time: awake, or asleep. Awake nodes can participate in the protocol normally, i.e., perform local computation, send and receive messages. On the other hand, asleep nodes cannot perform any computation and cannot engage in the protocol in any way, until they wake up. While a proof-of-stake instantiation of Nakamoto’s protocol was proven secure [24] in the sleepy model, the proof assumes significant restrictions on fluctuating participation. Namely, that honest participation at any time exceeds corrupt participation at all times. Such a concession perhaps felt inherent, with many follow-up works in the sleepy model making the same assumption [24, 16, 12, 2, 25, 8, 13]. This intuition for the necessity of such an assumption was formalized in [21], which showed that indeed any consensus protocol that does not employ time-based cryptography (e.g., verifiable delay functions [5], henceforth VDF) must heavily restrict fluctuating participation.
The impossibility [21] is established by the following key transfer attack. Consider a consensus protocol that makes use of a PKI setup, where it is assumed that prior to the initiation of the protocol, all nodes were privately handed secret-key/public-key pairs. Pondering on the PKI assumption for a moment, however, one observes that the notion of an asleep corrupt node makes little sense, as any corrupt node that is awake for even a single point in time, and whose behaviour is completely controlled by the adversary, can simply broadcast its secret key to all other corrupt nodes, and then be put to sleep. Thus allowing essentially a single awake corrupt node to simulate a behaviour indistinguishable from all corrupt nodes being awake. Such an attack clearly renders a protocol vulnerable to the case where honest participation decreases over time.
What remains is perhaps an unfortunate state of affairs, in which proof-of-stake protocols seem to inherently carry the burden of rigid participation constraints. The goal of this work is to challenge this status quo. We do so by revisiting the adversary model. Specifically, [21] has already observed that such a strong adversary model capable of executing the key transfer attack may be a tad unrealistic: “The (standard) adversary assumption, where nodes can extract all corrupt nodes’ private states, is too strong in practice. In particular in the proof-of-stake protocols, it is highly unlikely that corrupt nodes hand off their secret keys to the adversary (or other corrupt nodes) at the risk of losing their entire stake.” [21] They conclude by raising the problem of achieving sleepy consensus under fully-fluctuating corrupt nodes in a “more realistic adversarial model.”
Motivated by similar principles, we consider in this work a mildly relaxed adversary model, which we refer to as an external adversary. Informally, an external adversary is external to the network and the protocol; the adversary can observe the protocol from a birds eye view. In turn, corrupt nodes are not inherently malicious, but opportunistic: they are recruited by the external adversary to perform arbitrary behavior in the protocol, but won’t divulge information about their own secret key to any other node. We believe it is much more likely that a malicious entity would be able to “rent” keys in the protocol, by means of recruiting nodes to engage in Byzantine behavior, rather than convince nodes to give up their secret keys. Stating a formal model that accurately captures the above intuition turns out to be quite simple, but does requires some care, and we tend to it in Sec.˜2. Not only does this model still capture a rich plethora of attack vectors pertinent in practice, but it is also theoretically appealing: Disallowing corrupt nodes to share information about their secret keys with one another is precisely the minimal relaxation required to render the key transfer attack infeasible.
The settings.
Pondering on the notion of fluctuating participation of nodes in the protocol, one can identify several interesting settings to consider. See also Fig.˜1.
-
1.
Consistent participation. (Fig.˜1(a)) This is the most common assumption in the context of the sleepy model [24, 16, 12, 2, 25, 8, 13], where it is assumed that new (i.e., after time 0) corrupt nodes may never wake up, and corrupt nodes may never go to sleep. Additionally, an honest majority is assumed to hold at all times. In other words, for any point time, honest participation exceeds corrupt participation at all times.
-
2.
Increasing participation. (Fig.˜1(d)) In this setting, participation of corrupt nodes is guaranteed to be non decreasing as time progresses. In other words, new corrupt nodes may wake up throughout the protocol, but may no go to sleep once woken up. Note that in this setting, even assuming an honest majority at any point in time, it could be that as time goes on, corrupt participation exceeds honest participation in earlier points in time. As a matter of fact, this setting has received a fair amount of attention recently [22, 21, 9, 10, 11], in several works showcasing efficient consensus protocols for this setting.
-
3.
Decaying participation. (Fig.˜1(c)) In this setting, participation of corrupt nodes is guaranteed to be non increasing as time progresses. In other words, corrupt nodes may go to sleep throughout the protocol, but can never be newly woken up. In this setting, even with an honest majority at any point in time, it could be that as time goes on, corrupt participation in the past exceeds current honest participation.
-
4.
Fully-fluctuating. (Fig.˜1(b)) This is the most general setting in the context of the sleepy model. In this setting, participation of both honest and corrupt nodes can both increase and decrease over time, to the discretion of the adversary. In particular, any of the scenarios mentioned in the previous settings can also occur in this setting.
1.1 Main results
Our results establish that assuming an external adversary allows protocols in the sleepy model to be endowed with resilience to fluctuating participation of nodes, rivaling Nakamoto in its graceful handling of unknown participation patterns.
(1) Sleepy consensus under decaying participation.
Our first result establishes the utility of the external adversary model by showcasing a separation from the standard adversary model. Namely, consider the case where participation of both honest and corrupt nodes decreases over time. In particular, for any point in time, future honest participation may be eclipsed by current corrupt participation. Recent work [21] showed that in this setting, no protocol can be secure in the presence of an adversary that can carry out key transfer.
Our first result shows that against an external adversary, a consensus protocol resilient to decaying participation is not only feasible, but can be made highly efficient and requires only standard cryptographic assumptions.
Theorem (Informal, see Thm.˜6).
Assuming a PKI, a VRF, and an external adversary, we present a randomized protocol solving consensus in the decaying participation setting with expected constant latency.
(2) Consensus under fully-fluctuating participation.
Thm.˜6 establishes the strength of the external adversary model from the lens of protocol design, allowing us to obtain provable security guarantees known to be impossible under the standard notion of an adversary, that is able to carry out the key transfer attack. We now turn our attention to the more general setting of fully-fluctuating participation, in which participation of honest and corrupt nodes can both increase and decrease over time, to the discretion of the adversary. Designing a protocol secure in the fully-fluctuating setting in a relaxed adversary model was explicitly stated as an open problem in [21]. We show that with the help of VDFs, one can design an efficient consensus protocol for the fully-fluctuating participation setting, secure against an external adversary.
Theorem (Informal, see Thm.˜8).
Assuming a PKI, a VRF, a VDF, and an external adversary, we present a randomized protocol solving consensus that tolerates fully-fluctuating participation with expected constant latency.
1.2 Key techniques
The challenge.
Even in non-sleepy synchrony settings [27], any consensus protocol must assume that the adversary is limited in corrupting only a minority of the participants. The sleepy model, being a generalization of the traditional setting, clearly must also abide by an assumption of similar flavour. Note further that in the sleepy model, the awake/asleep status of every node at every point in time is also dictated by the adversary. Thus the changing nature of node participation in the sleepy model makes such an assumption non-trivial to state. Arguably the minimal assumption one could make, is that at each point in time, honest participation exceeds corrupt participation. E.g., this is the assumption for which Nakamoto consensus [23] is proven secure in the proof-of-work setting. In the translation to proof-of-stake, however, such a minimal assumption forces any purported protocol to be resilient against the following two attack vectors. We emphasize that these attacks remain a concern in the external adversary model, and are described to go through within the confines of the model. To envisage the attack vectors in a tangible manner, we consider here as a running example the proof-of-stake version of Nakamoto consensus.
-
Backward simulation. (Fig.˜2(a)) Consider the following. The adversary commences the protocol at time with low participation of both corrupt and honest nodes. As time goes on, the adversary increases participation of corrupt (and respectively, honest) nodes until at some point in time , corrupt participation at time exceeds honest participation at timeslot by a sufficiently large amount. At this point, the corrupt nodes, via a costless simulation attack, can construct a private chain whose length exceeds the length of the honest chain constructed thus far. From the point of view of a newly woken up honest node at time , the longest chain rule will cause it to build on top of the corrupt chain, violating safety. Such an attack is a concern in periods of increasing participation.
-
Forward simulation. (Fig.˜2(b)) Alternatively, consider the following scenario. Participation starts out high, and as time goes on, the adversary puts corrupt (and honest, respectively) nodes to sleep until at some time , the number of awake corrupt nodes at time exceeds honest participation at time by a sufficiently large amount. Assume further that the leader order is predictable from time . The corrupt nodes awake at time can simulate an execution from time to time with a consistent participation rate equal to the number of corrupt nodes awake at time . From the point of view of a newly woken up honest node at time , the longest chain rule will cause it to build on top of the corrupt chain, violating safety. Such an attack is a concern in periods of decreasing participation.
In this work, we devise several tools to deal with such attack vectors.
Wakeness vectors.
We define a new primitive in the context of the sleepy model, which might be of independent interest, which we call wakeness vectors. Intuitively, wakeness vectors allow nodes to have an estimate on the timeslots in which other nodes were awake throughout the execution a protocol. A similar idea was explored by Bar-Joseph, Keidar, and Lynch [4] in the context of crash failures. Both of our protocols (for the decaying setting, and the fully-fluctuating setting) begin with establishing that the respective models we consider allow the nodes to implement wakeness vectors of sufficient quality. The construction of these vectors employs different techniques in each of the settings. See Sec.˜4 and Sec.˜5 for an in-depth overview of the main ideas behind the construction of wakeness vectors for the decaying and fully-fluctuating settings, respectively, along with the formal proofs. Armed with this primitive, we then show how can be used to to secure protocol against forward/backward simulation attacks, and enhance protocols in the sleepy model to remain secure amidst decaying/fully-fluctuating participation.
General compiler.
For our protocols (Thms.˜6 and 8) we actually prove a more general statement than discussed above. We identify key properties, which most existing protocols in the literature satisfy, that are necessary for a protocol to be compatible with our techniques, and then prove that any such protocol can be augmented to be secure amidst fully-fluctuating or decaying participation, in the presence of an external adversary. In the next section (Sec.˜2), we pour rigor into above discussion by formally defining the models and problems we consider in this work.
| Paper | Resilience | VDF | Latency | Adversary restrictions | ||
| [23, 15] | 0 | 0 | ✗ | Proof of work | ||
| [24, 8, 2] | ✗ | – | ||||
| [16] | ✗ | – | ||||
| [3] | ✗ | – | ||||
| [18] | ✗ | Nodes announce going to sleep | ||||
| [4] | ✗ | Crash failures | ||||
| [14] | ✗ | Time-stamped messages | ||||
| [21, 10] | ✗ | – | ||||
| [21] | ✗ | Message timeout | ||||
| [11] | ✓ | External adversary | ||||
| [9] | ✗ | – | ||||
| This paper | ✗ | External adversary | ||||
| This paper | ✓ | External adversary |
2 Preliminaries
Sleepy model.
We work in the extended sleepy model that allows fully-fluctuating participation of corrupt nodes as defined in [21]. Specifically, we operate in the permissioned setting, i.e., there exists a set of size which contains the identifiers of all the nodes, which are public and known to all nodes. Without loss of generality, we will assume that . At each timeslot , any node can exist in one of two states, awake or asleep. The number of awake nodes at timeslot is denoted by . Asleep nodes at time are prohibited from sending messages or executing any code at time , and all messages delivered to them at time are buffered until the next time step in which they are awake. Given a protocol , there are two types of nodes, honest and corrupt. Corrupt nodes are controlled by the adversary (defined shortly) and can behave in any manner under the restrictions imposed on a given adversary. Honest nodes are the nodes not controlled by the adversary, and they execute at all timeslots. As for message delivery, we assume a synchronous network, with synchrony parameter that is fixed and known to all nodes: for every timeslot , if a node is awake at timeslot , then we assume that they have received all messages sent to them prior to timeslot . We assume that the adversary has control over message delivery timing so long as it abides by the -synchrony assumption. As to not over encumber notation, we omit from the list of inputs to protocols and algorithms discussed in this work. As mentioned earlier, asleep nodes receive all messages sent to them by timeslot , where is the first timeslot when they are awake after timeslot . Throughout this paper, we assume that communication is point-to-point.
The environment.
We consider an external party to the protocol, the environment, which has the role of providing inputs to nodes from some universe of inputs.
Oracles.
We adopt the notion of oracles to model ideal versions of cryptographic primitives, formally defined in [20]. Such a modeling choice assists us in easily formalizing external adversary model we consider in this work, and to more cleanly state our results. Specifically, the description of a protocol also specifies a set of oracles . At each timeslot , each node may issue a finite amount of queries to an oracle , to which it receives a response at some timestep. An oracle’s behaviour may depend on the nodes identity , the current timeslot , the input query , and the internal randomness of the oracle, if the oracle models a random function. More formally, a deterministic oracle is modeled by a function mapping tuples such that implies that if queried with input at timeslot , then obtained a response at timeslot . A random oracle is modeled by a distribution over deterministic oracles. Intuitively, in this work, oracles are going to model trusted hardware access to cryptographic primitives. From here on, we denote protocols by the tuple where is an algorithm executed by honest nodes, and is the set of oracles employed by . When is clear from context, we refer to a protocol as .
Adversary and fluctuating participation.
Throughout this paper, we focus on the static adversary model, i.e., the identities of corrupt nodes are chosen by the adversary prior to the initiation of the protocol, and prior to any randomness being drawn, and in particular, nodes that begin the protocol as honest, cannot be corrupted later. Denote by the total number of corrupt nodes, and by the set of all corrupt nodes. To formalize the notion of fully-fluctuating participation of corrupt nodes, we adopt the terminology introduced in [21]. Specifically, let be the set of corrupt nodes awake at timeslot , and let be defined as follows.
When are clear from context, we at times refer to by . To provide some intuition for this notation, the parameters indicate how resilient the protocol has to be to forward simulation and backward simulation, respectively. In particular, for a given corrupt node , if is awake at time , then is it considered awake for time-steps prior to being awake, and for steps after being awake. For a given , unless otherwise stated, we always assume that for all .
Furthermore, the adversary has complete control over the environment and over the set of nodes awake at any timeslot . While the choice of corrupt nodes occurs at the beginning of the protocol and is thus static, the same does not hold for the awake/asleep status. Namely, the set of nodes awake at each timeslot can be adaptively chosen by the adversary based on the current transcript (i.e., the contents of all messages sent by honest nodes up to, but not including, the current timeslot) of the protocol and internal state of the corrupt nodes.
External adversary.
The view of cryptography via oracles (introduced in [20]) allows us to define the external adversary model in a clean manner, in which (polynomial time) corrupt nodes do not know their secret key, and in particular, due to idealized cryptographic guarantees of the primitives implemented by the oracles, can not produce signatures on behalf of other asleep corrupt nodes, except for with negligible probability. This is achieved by not distributing the secret keys of nodes to them, but only allowing them oracle access to cryptographic functionalities that make use of said keys. More formally, in the external adversary model, given a protocol , each node (honest or corrupt) can only issue queries to any oracle of the form throughout the execution of . In particular, corrupt nodes, even when colluding, can not obtain fresh oracle queries using the keys of asleep corrupt nodes.
This is in contrast to the standard adversary in which each node can access all the secret of corrupt nodes. Rephrased in oracle terms: Every can query any with queries of the form , for all , regardless of the asleep/awake status of .
Protocols and executions.
We are now ready to define the notion of a protocol and an execution of a protocol. A protocol is specified by a pair , where is the algorithm run by the honest nodes, and is the set of oracles employed by . An execution of a protocol is determined by a 4-tuple, , where is an adversary, and the vector specifies the random coins of all nodes and the adversary. An execution refers further to the contents of all messages sent and received by nodes at each timeslot. Given an execution , we denote thus by the contents of the execution up to timeslot , i.e., all random coins and messages received by nodes up to timeslot . Given an execution , a timeslot , and a node awake at timeslot , we denote by the view of node of the execution , which includes the internal state of , the protocol , and all messages received by and the timeslots in which they were received. For a given adversary , we define the transcript of at time to be all the messages sent by honest nodes up to time , and the internal state of the adversary at time , and we denote it by . Throughout the entire paper, we consider a finite execution horizon of . We assume that is known in advance to all nodes and in particular can be taken into account in the protocol design. We say that an execution is admissible in the -sleepy model iff for all timesteps it holds that .
Atomic broadcast.
We consider the atomic broadcast (AB) problem, in which the nodes are required to agree on a linearizable log of their inputs. For every timeslot , every honest node reports a log, denoted by , of its decided values . Honest nodes make decisions about the contents of their log based on their internal state, , and the messages they received so far in any given execution. More formally, given the random variable over executions defined by and , is the random variable that denotes the contents of the log of node at timeslot , and it depends only on . When and are clear from context, we omit them from the superscript and subscript of .
We say that a protocol solves the atomic broadcast problem with probability in a given execution if the following is maintained throughout the entire execution horizon.
-
1.
-Safety. For every timeslot , and every such that and are honest with logs , with probability we have: where .
-
2.
-Liveness. For all the following holds: If input was sent to an honest node by the environment at timeslot , then holds for all honest nodes .
Cryptographic primitives.
Let be a security parameter. Throughout the paper, we make use of three cryptographic primitives. Namely, a PKI (for signatures), a VRF, and a VDF. We employ a cryptographic hash function (known and computable by all nodes), which we model as a random oracle, and denote by . Similarly to previous work, we denote by the fact that the message was signed by node . We model all three of these primitive in an idealized fashion, using oracles that are defined as follows:
-
1.
Oracle on a given input where is a node, is a timeslot, and is a message is defined to be . In other words, receives in the same timeslot in which it issued the query. From here on in, unless explicitly said otherwise, we assume that every message being sent in any protocol by an honest node is signed by its sender.
-
2.
Oracle is defined as . In other words, receives in the same timeslot in which it issued the query. Here, is a VRF scheme based on ’s secret key , known by the oracle , and is the accompanying proof as per the VRF primitive. Again, to keep the focus of the paper on protocol design, we model the functionality of all the VRFs as random oracles. We further assume that the VRF functions accessible to each node all have the same domain (), and the same range ().
-
3.
Oracle is defined as follows when sends queries to the oracle:
In other words, receives at timeslot . Here, is the VDF computation result on input string , and is the accompanying proof as per the VDF primitive. We stipulate the following restriction on : For every round and every node , can call at most once at timestep . In other words, we capture the delay property of by not allowing adaptive queries to in any single timestep. This restriction applies to both honest and corrupt nodes, thus in particular, the adversary has no advantage in computing the VDF. We consider this modeling as an idealized model for a VDF. We model our VDF as a random function for the purposes of the analysis. We assume that the VDF accessible to each node has domain , and range .
This would be the place to mention, that even though we model our cryptographic primitives using oracles that execute their ideal functionality, we still assume that all corrupt nodes are computationally bounded in the sense that there exists a polynomial that depends on the total number of nodes such that the total number of queries to oracles performed by any node in a single timeslot satisfies . Finally, for an event we say that holds with high probability (w.h.p.) if .
3 Tools and definitions
3.1 Wakeness vectors
Consider vectors whose dimension is . These vectors are defined as follows for each timeslot : For all and all , if and only if node was awake at timeslot , and otherwise. Endowing honest nodes with such vectors should intuitively make protocol design in the sleepy model substantially easier. Our upper bounds are constructed by having nodes implement subroutines that allow them to emulate an approximate version of this ideal functionality. The formal definition is as follows.
Definition 1.
Let be a protocol and let be the random variable indicating a sample from the distribution over executions of defined by adversary . For a given , we say that is a -valid wakeness vector of node with respect to iff, except with negligible probability, implies that is awake at a timeslot . Furthermore, if is honest, then being awake at timeslot implies . When is a -valid wakeness vector, we simply refer to it as valid.
Throughout the paper, we assume without loss of generality (w.l.o.g.) that all honest nodes keep a local view of wakeness vectors. I.e., if is a protocol, then in any execution of , each honest node stores , where for all . We say that deems node to be awake at timeslot iff . For an interval of timeslots, we at times abuse notation and use to refer to all coordinates in in . The main two upper bounds we prove in this work can be formalized as a general statement about augmenting atomic broadcast protocols with wakeness vectors. We present the formal lemmas in the appropriate sections.
Both our upper bounds are general compiler results, that augment protocols working in the -sleepy model with wakeness vectors of sufficient quality to support fully-fluctuating participation. These augmentations however don’t work for arbitrary protocols. Specifically, there is a key set of properties regarding the structure of a protocol that we must assume in order for our results to go through. It turns out, however, that the vast majority of literature on protocols for the sleepy model already posses these properties. Specifically, we define notions that we refer to as Statelessness and Unpredictability.
Stateless protocols.
Intuitively, a protocol is said to be stateless if an honest nodes action depends on messages it received from nodes it has deemed to be awake in recent timeslots. We assume w.l.o.g. that in any protocol , honest node keep a local view of wakeness vectors. Note that these vectors are not necessarily -valid for any . Such a property depends on the model and protocol in question. We further assume w.l.o.g. that honest nodes always attach the current timeslot to their messages.
Definition 2.
Let be a protocol. We say that is -stateless if the following holds for all honest nodes and timeslots and pair of executions . Let be the wakeness vectors viewed by at timeslot . Let , chosen by , and consider the set . Then if is the same in both , and furthermore, the messages sent from nodes in to are the same in both , then the distribution over actions of is the same at timeslot in both . Furthermore, solves atomic broadcast in any execution in which for all honest nodes and timeslots , has a strict honest majority.
Unpredictability.
Intuitively, this property captures the adversary’s ability to predict the contents of the log of honest nodes at some future timeslot.
Definition 3.
Let be a protocol that solves atomic broadcast. We say that has -unpredictability if the following holds for all , and for all adversaries . Let be the transcript of the protocol up to timeslot , and let be an adversarial log, which we refer to as the adversary’s guess. Then for all honest nodes , it holds that .
4 Decaying participation
Efficient protocols for the regime (i.e., increasing participation) can be found in [22, 21, 9], with being nearly optimal, namely with . In this section, we tackle the yet unstudied case, in which participation is decaying. Namely, in the decaying participation model, corrupt nodes are allowed to go to sleep, but may never wake up after timeslot . We show that that PKI, VRF, and an external adversary suffice to design protocols in this setting, with , where is the security parameter, with error probability of . This result establishes the benefit of considering an external adversary, as an impossibility result by [21] established that atomic broadcast is impossible to solve in the case against a standard adversary that can carry out the key transfer attack.
Blocks.
We employ the notion of a block. Discussing blocks allows our black box protocols to be compatible with previous protocols in the literature that employ such a notion. We think of blocks as being built from the inputs sent by the environment to the nodes in the following way. In general, each block added to the chain is going to have the following structure: Each block has the form , where is the content of the block. You should think of as all of the inputs sent by the environment to nodes that the block constructor has seen thus far that are not already decided. Here, is a hash of the previous block in the chain, with all honest nodes initializing their chain with the genesis block, denoted by . At times, protocols induce a partition of the timeslots into intervals which are referred to as views and epochs, when that is the case, indicates the view in which the block was created, and is the epoch in which the block was created. When the protocols we discuss do not make use of views and epochs, we simply omit these coordinates from the description of a block. Lastly is an ancillary string. Similarly, when we discuss protocols in which the entry is not used, we simply omit it from the block description. We denote by and the view and epoch, respectively, in which block is was (or claimed to be) created. We define the height of a block to be its distance in the chain from the genesis block, and we denoted it by .
Note that any block defines a unique path from back to the genesis block, and thus defines a unique log. We say that a block extends a block if if or is an ancestor of . We say that two block conflict with each other if neither one of them extends the other. We say that a block is valid if its ancestor block is valid and or ( and ). If the view or epoch are omitted from the block, the above conditions hold vacuously.
Permissible block.
On top of being valid, a protocol may impose additional constraints on blocks in order for them to be considered for confirmation. This usually takes the form a locally computable (i.e., no communication required) predicate , computable efficiently and locally by every node, so that if is considered a permissible block, and otherwise. Messages involving impermissible blocks simply get ignored by honest nodes throughout the execution of the protocol.
4.1 Graded proposal election
To obtain the result we require the observation that the protocol of [21] can be endowed with the unpredictability property with a slight modification which we discuss formally later in the section. This modification concerns a procedure called graded proposal election, which we define here for completeness.
Definition 4.
In graded proposal election (GPE), each node has an input block , and outputs a single pair of a block and a grade () with the following properties.
-
1.
Consistency. If two honest nodes output blocks respectively, so that , then .
-
2.
Graded Delivery. If an honest node outputs , then all honest nodes output .
-
3.
Validity. With probability (w.p.) at least , all honest nodes output for some block that was the input of some honest node .
-
4.
Integrity. If an honest node outputs , then either , or there exists an honest node that received the content of from the environment.
In their paper, Malkhi, Momose, and Ren [21] exhibit a protocol solving GPE in timesteps in the -sleepy model.
4.2 Protocol and proof
We now have all the tools to state our results formally. The following result employs the notions of log unpredictability (Def.˜3), and the notion of a stateless protocol (Def.˜2). We can now formally state the following lemma, which intuitively says that assuming an external adversary, one can turn any protocol with non-trivial unpredictability and statelessness, into a protocol that can tolerate decaying participation.
Lemma 5.
Let be a protocol solving atomic broadcast w.p. and liveness parameter in the -sleepy model, and assume that:
-
has -unpredictability, and
-
is -stateless.
Then assuming an external adversary, , there is a protocol that solves the atomic broadcast problem in the -sleepy model w.p. and liveness parameter . Furthermore, expected latency is upper bounded by that of , and incurs an additive factor of communication per timeslot. In particular, assuming an external adversary, one can implement -valid wakeness vectors in the -sleepy model.
Lem.˜5 is established via a reduction, depicted in Alg.˜1, that constructs given blackbox access to the given protocol in the premise of the lemma. Instantiating in the reduction of Lem.˜5 with a modification (detailed in Alg.˜2) of the atomic broadcast protocol of [21, Alg. 3], we get the following result:
Theorem 6.
Assuming PKI, VRF, and an external adversary, there is a protocol , solving the atomic broadcast problem w.p. in the -sleepy model with expected latency, and liveness parameter .
We next provide an overview of the main ideas that go into the proof of Lem.˜5. The key observation for the decaying participation setting against an external adversary is that honest nodes can always rely on the messages claimed to have been sent in the earlier timeslots, due to the assumption. The rough idea then is two-fold.
-
1.
Random log. The main challenge in the decaying participation setting is dealing with forward simulation attacks, similarly to Fig.˜2(b). Our idea for handling such attacks is by introducing nested randomness to the log decided by honest nodes. Specifically, along with a proposal for a block, the proposal must include a VRF output, which is computed on the VRF output attached to the parent of the proposed block. In case the proposer is honest, this randomness is unknown to the corrupt nodes until the moment of broadcasting the proposal. As such, corrupt nodes attempting to construct a corrupt chain will not be able to do so with the randomness of honest nodes beyond the latest available block/proposal sent by honest nodes. Thus, the key is to ensure that blocks proposed by honest nodes are decided often enough. This endows the log with an unpredictability property of the contents of the log with corrupt nodes awake in the early timeslots, but not in the current timeslot. We show that we can ensure that w.h.p., a block proposed by an honest node gets decided once every timeslots, hence our choice of .
-
2.
Tolerating forward simulation. In the model, we are susceptible to forward simulation attacks, in which corrupt nodes active in early rounds send messages to honest nodes awake far in the future, pretending to have been awake all along. With the randomness introduced in the first bullet point, honest nodes joining the protocol at a late time can recover the honest log by inductively building it, starting from the first block. The inductive argument then intuitively goes as follows.
-
The correct recovery of the first block in the log is guaranteed by the assumption. Namely, the number of honest nodes awake at the commencement of the protocol is greater than the total number of corrupt nodes that are ever going to be awake during the execution. This is the base step of the reduction.
-
The randomness introduced to the log and the choice of allows honest nodes to safely deduce the next block in the log, given correct recovery up to block , for any . Roughly, this follows from two observations. First, any forward simulation of the protocol constructing a corrupt log up to timeslots forward is going to get outvoted by honest nodes, due to the assumption. Any attempt by corrupt nodes to forward simulate the protocol for timeslots is foiled by the fact that any adversarial log is almost certainly different than the honest log, as its suffix contains no blocks proposed by honest nodes, and thus the randomness attached to it is unpredictable to corrupt nodes. Hence, honest nodes awake during the following timeslots are still going to outvote the fake log, due to the assumption. This allows honest nodes to safely deduce block of the log by deciding on the block for which they observe a majority of votes.
-
The proof of Lem.˜5 involves augmenting a general protocol with resilience to forward simulation, this augmentation is presented in Alg.˜1. Afterwards, in order to obtain Thm.˜6, we explain how to augment the protocol of [21, Alg. 3] with randomness and thus endow it with -unpredictability (see Def.˜3).
Proof of Lem.˜5.
Let be the protocol given in the premise of Lem.˜5. The protocol we construct is described in Alg.˜1. The protocol is divided into epochs, each of length . Each node that wakes up, reconstructs the contents of the log inductively starting from the first epoch. The inductive step is then implemented by each honest node ignoring all messages regarding blocks of epoch that do not extend a block of epoch confirmed by the node. This is formalized as described in Alg.˜1. In Alg.˜1, the notation corresponds to all coordinates of corresponding to epoch . First we prove the following property of Alg.˜1.
Lemma 7.
Except for with negligible probability, it holds that for any timeslot and honest node , are -valid wakeness vectors in all -sleepy executions. Furthermore, it holds that at the end of iteration of update log (See line 2 of Alg.˜1), that contains a block of epoch of , and contains no blocks that were not decided by at least one honest node.
Proof.
We prove this by induction over the epochs. Denote by the current timeslot. For , the wakeness vector statement is trivial, i.e., whenever for an honest node for some , then node was awake at timeslot at least . For , Let be a block in that extends the genesis block, this implies that observed a majority of decide messages for amongst all decide messages it received for blocks extending the genesis block. This includes all the honest nodes awake during epoch , by line 16 of Alg.˜1. By the -sleepy model, the honest nodes awake during epoch exceed the total number of corrupt nodes that are ever going to be awake during the execution. This implies that received a decide message for from at least one honest node , i.e., for some timeslot , as required. The log contains the genesis block, and thus contains a block of of epoch . For the induction step, consider the claim to be true for all epochs at most , we prove the claim for epoch . Let be an honest node awake at timeslot of epoch and let be a node such that . This implies that received a decide message from extending a block in of epoch . Consider the event in which was last awake during epoch . By the induction hypothesis, up to epoch , all wakeness vectors stored by all honest nodes are valid. In particular, due to the -sleepy assumption, and due to the -stateless property of , we get that at least up to the end of epoch , correctly solves the atomic broadcast problem, as by line 11 of Alg.˜1, all honest nodes consider messages from a set that has an honest majority. This allows us to invoke the -unpredictability of , together with the second induction assumption, that assures us that contains a block in of epoch to claim that the probability that could send to a block extending a block of epoch in is . This invokes the external adversary assumption, meaning that a message observed to be from can be sent only by (or other corrupt node) at a timeslot in which is awake. Thus occurs with at most negligible probability. Applying a union bound over all corrupt nodes and over all timeslots during the execution horizon (both polynomial in ) maintains this negligible probability, and proves the claim for the wakeness vectors. This guarantees the correctness of for epoch by its -stateless property. This implies that is consistent between all honest nodes at timeslot . Now we must prove that at iteration , a block of epoch in is added to , and no blocks that are not decided by some honest node are added.
Assume that for an honest node no block of epoch is added to by the end of iteration . This implies that there exists an honest node , awake at timeslot , that doesn’t have any blocks of epoch in . This again holds by the induction assumption of for iteration , the -validity of the wakeness vectors, the -unpredictability of , and the -sleepy execution. All these imply that is hearing from an honest majority, even when restricted to honest nodes awake at timeslot . So if all honest nodes awake at timeslot had a block of epoch decided, consistency of would imply that it is added to for at line 9 of Alg.˜1.
This event can only happen with negligible probability, as otherwise we contradict the -unpredictability of , as the adversary at round had already seen all blocks of epoch at most communicated between honest nodes, including the transcript of the protocol, and all messages received by , and could thus compute with non negligible confidence. Thus except for with negligible probability, all honest nodes awake at timeslot have a block of epoch decided, and thus this block is added to by at timeslot by the behaviour of the protocol and the induction assumption. Lastly, again since hears from an honest majority, we get that every block added to was decided by at least one honest node, i.e., added to for some honest node at a timeslot . The -validity of the wakeness vectors given by Lem.˜7, combined with the -sleepy executions, and the -statelessness of , allow us to deduce that (Alg.˜1) solves the atomic broadcast correctly as required. Notice that block confirmation in coincides with block confirmation in , and thus they have the same latency properties. The only added communication occurs in decision messages part of the protocol, and each message is of length , thus the total communication blowup per timeslot is , as required.
Proof of Thm.˜6.
All that is left to obtain Thm.˜6, is to observe that the protocol (specifically, Algorithm 3) of [21] (henceforth [21, Alg. 3]) is -stateless, works in the -sleepy model (see Thm.˜11). It can be augmented to be -unpredictable with an incredibly simple change to the GPE invocation part of the protocol, which we describe in Alg.˜2. In words, each honest node, when inputting a block to , simply includes in its a VRF computation on the current timeslot and the parent block of . This ensures that the contents of each block contain a component with high entropy, thus making the logs of honest nodes unpredictable.
More formally, the augmented algorithm is described in Alg.˜2, with the red lines indicating changes from the original pseudo-code. Due to the simplicity of the change, and not to burden the write up with the technical details of [21, Alg. 3], we provide below a sketch of the proof argument. [21, Alg. 3] is divided into views, each consisting of timeslots, during which an attempt to agree on this next block in the log is executed. This attempt is captured by the GPE procedure, which is executed once every view. By the properties (in particular, validity) of the GPE subroutine (see Def.˜4) and the behaviour of [21, Alg. 3], w.p. at least , at the end of the GPE subroutine, all honest nodes decide a block proposed by an honest node into their log. Conditioned on this event, the contents of are uniformly random and unpredictable to any adversary not awake before the beginning of the current view. In particular, the adversary attempting at timeslot to guess the contents of the log of any honest node, succeeds w.p. at most . As different GPE executions are independent, we get that after views, condition 3 in Def.˜4 is invoked except w.p. . Thus in total, the probability that an adversary at timeslot can correctly guess the contents of the log of any honest node at timeslot is at most , as required.
5 Fully-fluctuating participation
Finally, we move on to consider fully-fluctuating participation regime, where both . We show that assuming an external adversary and a VDF, one can design efficient protocols in this setting.
Theorem 8.
Assuming a PKI, a VRF, a VDF, and an external adversary, there exists a randomized protocol that with high probability (w.h.p.) solves atomic broadcast with expected latency of , and liveness parameter in all admissible -sleepy executions.
The proof of Thm.˜8 is driven by two lemmas. The first lemma (Lem.˜9, stated below) is to show that there is an efficient protocol that implements valid wakeness vectors, assuming PKI, VRF, and VDF oracles, and an external adversary:
Lemma 9.
Assuming a PKI, a VRF, a VDF, and an external adversary, there is a protocol with communication complexity per timeslot that w.h.p. implements valid wakeness vectors for all timeslots over an execution horizon of length .
The second lemma (Lem.˜10, stated below) is a general result that gives a black-box simulation showing how to convert any stateless protocol for atomic broadcast in the -sleepy model into an atomic broadcast protocol in the stronger -sleepy model:
Lemma 10.
Let be a protocol solving atomic broadcast w.p. in the -sleepy model with liveness parameter . Furthermore, assume that is -stateless (Def.˜2). Then, assuming a PKI, a VRF, an external adversary, , and valid wakeness vectors, there exists a protocol solving atomic broadcast in the -sleepy model w.p. and liveness parameter . Furthermore, has expected latency upper bounded by that of and incurs an additive communication cost per timeslot.
We prove Lem.˜10 and Lem.˜9 by presenting a protocol (Alg.˜3) that both implements wakeness vectors using VDFs in the external adversary model, and uses a given protocol as a black box. In a high level, every node at each timeslot has three responsibilities:
-
1.
Extracting decided log so far from received messages. This computation is internal, i.e. involves no communication.
-
2.
Extension of wakeness vectors.
-
3.
Running .
The idea is to build, along with the blockchain of inputs of nodes, an object we refer to as VDF chains, from which one can extract valid wakeness vectors for honest nodes to convince other honest nodes of them being awake at certain timeslots. This allows the honest nodes that wake up after a long period of sleepiness to only consider messages from nodes that were awake in recent timeslots to realize the current state of the blockchain; the interval in both forward simulation and backwards simulation give us the needed majority to make sure the honest nodes can perform these tasks successfully.
The proofs of wakeness allow honest nodes to determine the identities of of nodes that were awake in the previous view, and take only their messages into account in deciding on the state of the log, using the -sleepy assumption regarding the permissible executions.
Thm.˜8 follows from Lem.˜9 and Lem.˜10, by instantiating the protocol to be the protocol from [21]. Specifically, [21, Alg. 3] proves the following theorem, despite not stating the stateless property explicitly.
Theorem 11 (Theorem 1, [21]).
Assuming a PKI and a VRF, there exists a -stateless protocol solving atomic broadcast w.p. with expected latency , and liveness parameter , in any admissible -sleepy execution.
5.1 Constructing wakeness vectors from VDFs
This section is devoted to proving Lems.˜9 and 10. Thm.˜8 then follows. In the external adversary model, where corrupt nodes may only access their secret keys via oracles, a VDF assumption allows any honest node to prove w.h.p. the following statement for any timeslot , if it is true: “node was awake at some timeslot ”. In order to prove this statement with VDF, we need to define a few notions first.
Definition 12.
Let be some value in the range of the VDF function, and let be some node. We say that is a valid depth- value w.r.t. if there exists values , where , and nodes , where , such that following holds.
-
1.
For all , .
-
2.
Node has received for all .
We call the prover, and the v-proof.
We first note that if received a valid depth- value from , then knows that w.h.p. sent that value at a timeslot , and in particular was awake at a timeslot . We give a formal proof of this below.
Claim 13.
In the presence of a external adversary, if a node receives a valid depth- value from a node , then except with negligible probability, sent at timeslot , and was awake at a timeslot .
Proof.
We prove this by induction on . For , the claim is trivial since a node that wasn’t awake at any time can not send any messages. Assume that node received a valid depth- value from , for that was not awake at any timeslot . Denote the corresponding nodes and values by , . Note that in particular, is a valid depth- value w.r.t. , sent by , and thus by the induction assumption, it was sent by at timeslot .
Now assume that was sent by at a timeslot , this means that had not yet received from . Denote by the total number of queries to the VDF oracle made by any node by timeslot , that number is bounded by , in particular, the probability that appeared as the valid output of a VDF oracle at timeslot is at most , and thus as long as , w.h.p. could not have computed before timeslot , for any . Thus w.h.p. could have computed only after sent , which occurred at timestep at least , i.e., could have only queried at timestep at least , and received a response at timestep at least due to the behavior of , thus sent at timestep at least , and was thus awake at timestep at least , as required.
Proof of Lem.˜9.
The full algorithm is depicted in Alg.˜3, specifically in the wakeness vector updates and VDF chain extension parts.
With Clm.˜13 in mind, the main observation is that to prove the lemma, it suffices to prove that at every timeslot, every honest node extends a valid VDF chain of at least one other honest node. Notice that this is necessary as well, as otherwise, consider the following case involving 3 nodes .
-
1.
Node is corrupt and awake at timeslot , node is honest and awake at timeslot , node is honest and awake at timeslot .
-
2.
Node computes , and sends it to , but not to .
-
3.
By instructions of some protocol , computes and broadcasts it.
Note now that by timeslot did not receive , and thus in particular, w.h.p. is not considered a valid depth- value w.r.t. to , even though was indeed awake at timeslot .
The trivial solution to this would be to instruct each honest node to extend the VDF chains it received from all nodes, thus extending all honest node’s chains. However, this incurs a multiplicative cost in communication. A better approach, and the one we implement in Alg.˜3, is to let each honest node sample of the nodes it received valid depth- VDF computations from, and extend those chains, thus guaranteeing that except with negligible probability, at least one of the chosen nodes is honest (due to the honest majority assumption in any admissible execution) and that for all , except with negligible probability all honest nodes at all timeslots observe valid chains from all honest nodes for the appropriate timeslots they were awake.
We prove this by induction on the timeslot. The base case of clearly holds as all honest nodes have valid wakeness vectors. Assume correctness for and consider time , let be an honest node awake at time . By the induction assumption, had valid wakeness vectors, and so set for all honest nodes awake at time . In particular, by the behavior of the protocol, this implies that observed valid depth- w.r.t. all honest nodes awake at time . Furthermore, the validness of the wakeness vectors of at timeslot , the set of nodes for which has an honest majority. As such, by lines 11, 12 of Alg.˜3, when chooses random nodes amongst these, the probability of an honest node not being chosen is at most . Thus w.h.p. extends in round a valid depth- chain sent by an honest node, which implies that at round , all honest nodes see a valid depth- honest chain from , and thus set as being awake in their wakeness vectors, as required. This proves the completeness of the wakeness vectors at time , i.e., that for all honest awake at time , and all and all honest awake at time , we have that . The soundness of the wakeness vectors at time is implied by Clm.˜13. This completes the induction argument and concludes the proof.
Proof of Lem.˜10.
Denote the given protocol in the premise of Lem.˜10 by . Lem.˜9 proves that wakeness vector updates and VDF chain extension correctly implement valid wakeness vectors. Which in turns implies, due to the -sleepy model, that is executed by every honest node by only considering messages from an honest majority at every timeslot. By the -stateless property of , we thus have that solves the atomic broadcast problem correctly. Thus inherits -Safety, and -Liveness from . Protocol decides blocks when decides them, thus the expected latency of can not be worse than that of , and implementing wakeness vector updates and VDF chain extension requires an additive overhead in communication at every timeslot, as required.
6 Additional related work
The early protocols designed for the synchronous sleepy model [24, 8, 2, 13] follow the longest chain approach of Nakamoto [23]. While inheriting its simplicity and elegance, they tend to suffer from high latency in the worst case. Furthermore, all of these protocols assume fixed and non-fluctuating participation of corrupt nodes. In this setting, the works of [3, 16] are geared at breaking the latency barrier. Prism [3] designs a protocol whose latency is independent of under a certain optimistic condition, while [16] designs a protocol whose latency is independent of the participation rate (see Tab.˜1 for the concrete bounds). Momose and Ren [22] designed the first protocol to achieve near optimal latency, namely in expectation. This was followed up by [21] in which the latency was further improved, as well as modifying the protocol to work in the growing participation setting [9]. The protocols of [22, 21] differ from the earlier protocols in the sleepy model, by emulating the PBFT [6, 28] approach to consensus, as opposed to longest chain based techniques.
Adversary restrictions.
On the road to improve latency and supporting fluctuating participation of corrupt nodes, many works have imposed restrictions on adversary capabilities. The early work of [4] designs a protocol that can be instantiated in the fully-fluctuating sleepy model which is secure only against crash failures, with the early decision property. Namely, the latency of the protocol is proportional to the actual number of crash failures in the network. The work of [14] designs a expected latency protocol in the sleepy model that remains secure against fully-fluctuating participation, but restricts the adversary to only send time-stamped messages, i.e., each message sent by the adversary includes the real timeslot in which it was sent. In particular, this implies that the adversary is not allowed to equivocate (send conflicting messages to honest nodes in a given timeslot). The work of [18] considers a model where honest nodes know whether or not they will be awake or asleep in the next timeslot, and as such may use this information during the execution of the protocol (e.g., to announce their impending sleepiness to the rest of the nodes). The paper of [11] does not discuss fully-fluctuating participation of corrupt nodes, but their protocol, when instantiated in the external adversary model we introduce in this paper, is secure against fully-fluctuating participation, and makes use of a VDF [5]. An early version of [21] showcased a protocol that supports fully-fluctuating participation and has optimal latency. They assume authenticated channels (i.e., identity of message sender is attached to each message), and further assume that messages that do not get delivered after timeslots (because the recipients are asleep) get dropped from the network and never get delivered. This essentially prevents the adversary from performing forward simulation attacks.
Permissionless setting.
In this paper we consider the setting where the total set of nodes allowed to participate in the protocol is fixed and known to all nodes. The work of Lewis-Pye and Roughgarden [20] explores a generalized version of the sleepy model in which the set of allowed participants in the protocol changes over time (via stake), and their identities are not known in advance to nodes.
PoSAT.
It is worth noting that an existing consensus protocol is already resilient against fully-fluctuating node participation, under our external-adversary model! Specifically, despite the model not being discussed or defined directly in the paper, the PoSAT protocol [11], which makes use of time-based cryptography (specifically, VDFs) to achieve consensus in the growing participation setting, can be proven secure in the fully-fluctuating participation setting against an external adversary. Both the resilience and latency of the protocol are sub-optimal, however, with resilience and latency , where is the participation rate of nodes, i.e., , and is the security parameter. Our protocol obtains optimal resilience and expected constant latency, respectively. See Sec.˜5 for details.
References
- [1] Ittai Abraham, Dahlia Malkhi, Kartik Nayak, Ling Ren, and Alexander Spiegelman. Solida: A blockchain protocol based on reconfigurable byzantine consensus. In OPODIS, volume 95 of LIPIcs, pages 25:1–25:19. Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2017. doi:10.4230/LIPICS.OPODIS.2017.25.
- [2] Christian Badertscher, Peter Gazi, Aggelos Kiayias, Alexander Russell, and Vassilis Zikas. Ouroboros genesis: Composable proof-of-stake blockchains with dynamic availability. In CCS, pages 913–930. ACM, 2018. doi:10.1145/3243734.3243848.
- [3] Vivek Kumar Bagaria, Sreeram Kannan, David Tse, Giulia Fanti, and Pramod Viswanath. Prism: Deconstructing the blockchain to approach physical limits. In CCS, pages 585–602. ACM, 2019. doi:10.1145/3319535.3363213.
- [4] Ziv Bar-Joseph, Idit Keidar, and Nancy A. Lynch. Early-delivery dynamic atomic broadcast. In DISC, volume 2508 of Lecture Notes in Computer Science, pages 1–16. Springer, 2002. doi:10.1007/3-540-36108-1_1.
- [5] Dan Boneh, Joseph Bonneau, Benedikt Bünz, and Ben Fisch. Verifiable delay functions. In CRYPTO (1), volume 10991 of Lecture Notes in Computer Science, pages 757–788. Springer, 2018. doi:10.1007/978-3-319-96884-1_25.
- [6] Miguel Castro and Barbara Liskov. Practical byzantine fault tolerance and proactive recovery. ACM Trans. Comput. Syst., 20(4):398–461, 2002. doi:10.1145/571637.571640.
- [7] Tyler Crain, Vincent Gramoli, Mikel Larrea, and Michel Raynal. DBFT: efficient leaderless byzantine consensus and its application to blockchains. In NCA, pages 1–8. IEEE, 2018. doi:10.1109/NCA.2018.8548057.
- [8] Phil Daian, Rafael Pass, and Elaine Shi. Snow White: Robustly reconfigurable consensus and applications to provably secure proof of stake. In Financial Cryptography, volume 11598 of Lecture Notes in Computer Science, pages 23–41. Springer, 2019. doi:10.1007/978-3-030-32101-7_2.
- [9] Francesco D’Amato, Joachim Neu, Ertem Nusret Tas, and David Tse. Goldfish: No more attacks on ethereum?! In FC (1), volume 14744 of Lecture Notes in Computer Science, pages 3–23. Springer, 2024. doi:10.1007/978-3-031-78676-1_1.
- [10] Francesco D’Amato and Luca Zanolini. Streamlining sleepy consensus: Total-order broadcast with single-vote decisions in the sleepy model. CoRR, abs/2310.11331, 2023. doi:10.48550/arXiv.2310.11331.
- [11] Soubhik Deb, Sreeram Kannan, and David Tse. Posat: Proof-of-work availability and unpredictability, without the work. In Financial Cryptography (2), volume 12675 of Lecture Notes in Computer Science, pages 104–128. Springer, 2021. doi:10.1007/978-3-662-64331-0_6.
- [12] Yuval Efron and Ertem Nusret Tas. Dynamically available common subset. Cryptology ePrint Archive, Paper 2025/016, 2025. URL: https://eprint.iacr.org/2025/016.
- [13] Matthias Fitzi, Peter Gaži, Aggelos Kiayias, and Alexander Russell. Parallel chains: Improving throughput and latency of blockchain protocols via parallel composition. Cryptology ePrint Archive, Paper 2018/1119, 2018. URL: https://eprint.iacr.org/2018/1119.
- [14] Eli Gafni and Giuliano Losa. Brief announcement: Byzantine consensus under dynamic participation with a well-behaved majority. In DISC, volume 281 of LIPIcs, pages 41:1–41:7. Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2023. doi:10.4230/LIPICS.DISC.2023.41.
- [15] Juan A. Garay, Aggelos Kiayias, and Nikos Leonardos. The bitcoin backbone protocol: Analysis and applications. In EUROCRYPT (2), volume 9057 of Lecture Notes in Computer Science, pages 281–310. Springer, 2015. doi:10.1007/978-3-662-46803-6_10.
- [16] Vipul Goyal, Hanjun Li, and Justin Raizes. Instant block confirmation in the sleepy model. In Financial Cryptography (2), volume 12675 of Lecture Notes in Computer Science, pages 65–83. Springer, 2021. doi:10.1007/978-3-662-64331-0_4.
- [17] Vincent Gramoli. From blockchain consensus back to byzantine consensus. Future Gener. Comput. Syst., 107:760–769, 2020. doi:10.1016/J.FUTURE.2017.09.023.
- [18] Pankaj Khanchandani and Roger Wattenhofer. Byzantine agreement with unknown participants and failures. In IPDPS, pages 952–961. IEEE, 2021. doi:10.1109/IPDPS49936.2021.00104.
- [19] Leslie Lamport, Robert E. Shostak, and Marshall C. Pease. The byzantine generals problem. ACM Trans. Program. Lang. Syst., 4(3):382–401, 1982. doi:10.1145/357172.357176.
- [20] Andrew Lewis-Pye and Tim Roughgarden. Permissionless consensus. CoRR, abs/2304.14701, 2023. doi:10.48550/arXiv.2304.14701.
- [21] Dahlia Malkhi, Atsuki Momose, and Ling Ren. Towards practical sleepy BFT. In CCS, pages 490–503. ACM, 2023. doi:10.1145/3576915.3623073.
- [22] Atsuki Momose and Ling Ren. Constant latency in sleepy consensus. In CCS, pages 2295–2308. ACM, 2022. doi:10.1145/3548606.3559347.
- [23] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system, 2008. URL: https://bitcoin.org/bitcoin.pdf.
- [24] Rafael Pass and Elaine Shi. The sleepy model of consensus. In ASIACRYPT (2), volume 10625 of Lecture Notes in Computer Science, pages 380–409. Springer, 2017. doi:10.1007/978-3-319-70697-9_14.
- [25] Rafael Pass and Elaine Shi. Thunderella: Blockchains with optimistic instant confirmation. In EUROCRYPT (2), volume 10821 of Lecture Notes in Computer Science, pages 3–33. Springer, 2018. doi:10.1007/978-3-319-78375-8_1.
- [26] Marshall C. Pease, Robert E. Shostak, and Leslie Lamport. Reaching agreement in the presence of faults. J. ACM, 27(2):228–234, 1980. doi:10.1145/322186.322188.
- [27] Srivatsan Sridhar, Ertem Nusret Tas, Joachim Neu, Dionysis Zindros, and David Tse. Consensus under adversary majority done right. In Financial Cryptography, 2025. URL: https://eprint.iacr.org/2024/1799.
- [28] Maofan Yin, Dahlia Malkhi, Michael K. Reiter, Guy Golan-Gueta, and Ittai Abraham. HotStuff: BFT consensus with linearity and responsiveness. In PODC, pages 347–356. ACM, 2019. doi:10.1145/3293611.3331591.
