Trustless Bridges via Random Sampling Light Clients
Abstract
The increasing number of blockchain projects introduced annually has led to a pressing need for secure and efficient interoperability solutions. Currently, the lack of such solutions forces end-users to rely on centralized intermediaries, contradicting the core principle of decentralization and trust minimization in blockchain technology. We propose a decentralized and efficient interoperability solution (aka Bridge Protocol) that operates without additional trust assumptions, relying solely on the Byzantine Fault Tolerance (BFT) properties of the two chains being connected. In particular, relayers (actors that exchange messages between networks) are permissionless and decentralized, hence eliminating any single point of failure. We introduce Random Sampling, a novel technique for on-chain light clients to efficiently follow the history of PoS blockchains by reducing the signature verifications required. Here, the randomness is drawn on-chain, for example, using Ethereum’s RANDAO. We analyze the security of the bridge from a crypto- economic perspective and provide a framework to derive the security parameters. This includes handling subtle concurrency issues and randomness bias in strawman designs. While the protocol is applicable to various PoS chains, we demonstrate the protocol’s practical feasibility by showcasing an instantiated bridge between Polkadot and Ethereum (currently deployed), and discuss some practical security challenges. Furthermore, we evaluate the efficiency of our on-chain light client verifier (implemented as an Ethereum smart contract) against SNARK-based approaches, demonstrating significantly lower gas costs for signature verification – even for validator sets up to .
Keywords and phrases:
PoS Blockchains, Trustless Bridges, Light Clients, Decentralised Relayers, RANDAO BiasCopyright and License:
2012 ACM Subject Classification:
Security and privacy Distributed systems securityAcknowledgements:
We thank Aidan Musnitzky, Alistair Singh, and Vincent Geddes from Snowfork and the Bridge team at Parity Technologies for fruitful discussions on practical challenges in implementation. We also thank Jeffrey Burdges, Robert Hambrock, and Syed Hosseini for useful feedback and for reviewing drafts of this work. Lastly, we thank Alfonso Cevallos and Handan Kilinç Alper for their involvement in the early stages of the project.Editors:
Zeta Avarikioti and Nicolas ChristinSeries and Publisher:
Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik
1 Introduction
Blockchains are designed as islands, it is easy to verify that a transaction is valid within the originating blockchain when one is following its history, but challenging otherwise. While interoperability may be easily resolved with trusted centralized intermediaries, it is not a desirable solution. Recent history has shown how risky this can be - centralised entities can be compromised or even act maliciously. According to a Chainalysis report [19], failures in centralized bridges account for over of all crypto hacks, resulting in losses exceeding B to date. In fact, four out of the top five incidents on the rekt leaderboard [47] are bridge-related hacks. The security of public blockchains hinges on decentralization, therefore, the mantra is to avoid relying on trusted intermediaries.
Bridges are by far the most attacked components in the blockchain space [28, 29], because secure and efficient bridges are difficult to design and resolving attacks requires cooperation between chains which is nearly impossible. Hence it is important that the bridge must not have weaker security than either of the source or target chain. We introduce the notion of crypto-economically sound bridges, where we carefully trade off soundness for efficiency. Assuming the honesty assumption used in the consensus of both chains, in expectation an attack on our bridge protocol would be as expensive as the lower market cap between the two chains. To this end, we present Random Sampling, an interactive Commit-Challenge-Response protocol for interoperability between a source and target PoS blockchain. Our protocol has an on-chain light client of the source chain deployed on the target chain (e.g., as a smart contract). Computation on blockchain networks is expensive, particularly in the context of verifying all signatures from Proof-of-Stake (PoS) validators on the source chain, and hence not feasible. Our light-client protocol (specifically designed for bridge applications) improves the efficiency of following the history of a chain by randomly subsampling the signatures to be checked. Intuitively, the protocol works as follows: a set of relayers claim that rd of validators signed a message (e.g., a block’s finality). On-chain light client draws randomness from the target chain that determines a small subset of signatures to be checked out of those claimed. If the checks pass, we accept that the message was signed by at least one honest validator. The main advantages of our approach are:
-
1.
With permissionless relayers, our bridge eliminates single points of failure without needing additional trust assumption for bridge safety, unlike centralized alternatives.
-
2.
Our approach prioritises and achieves efficient on-chain verification, which is by far the most significant costs in operating trust-minimised bridges. We also provide a framework leveraging crypto-economic arguments to optimise it further.
- 3.
-
4.
The main security parameter (i.e., the number of signatures checked by light client) only grows logarithmically with the validator set size. This property enables random sampling to scale well against large validators sets.
Our crypto-economic security analysis of the random sampling protocol considers attacks such as griefing and safety violations. This includes detecting subtle concurrency issues in strawman designs and fixes which rely on dynamically increasing the key security parameter (i.e., number of signatures checked by verifier) only in case of an attack. We then provide a framework to derive security parameters. Further, we apply the Fiat-Shamir heuristic to transform our interactive protocol into a non-interactive digital signature, and explore its impact on efficiency and interplay with crypto-economic arguments.
Random Sampling is applicable to diverse PoS networks, including Ethereum, Algorand, Sui, Polkadot, and Stellar, which satisfy most of the requirements for source-chains stated in Sec 2.1. Our protocol requires an additional justification layer where validators vote on finalised blocks, facilitating efficient verification by light clients. Consensus mechanisms are typically not designed for efficient light clients. Fortunately, we show that a light-weight justification layer can be modularly added on top of any deterministic finality gadget with low compute overheads and without the need to modify the underlying consensus mechanism. Secondly, crypto-economic arguments for allowing a larger soundness error can’t be applied for source chains without slashing provisions (e.g., Cardano, XRP, Near, ICP). Hence, although random sampling is applicable, its full efficiency can not be harnessed for chains without slashing provisions. On the destination chain, we only require on-chain randomness and support for smart contracts.
Finally, we instantiate our solution for a Polkadot-Ethereum bridge BEEFY, which has been deployed on the main-nets [53]. We discuss practical challenges like implementing slashing and handling bias in RANDAO beacon. We perform a thorough analysis to quantify RANDAO biasability, which offers insights valuable to the security of any protocol relying on RANDAO.
A prominent interoperability solution comparable to our work is Ethereum’s Altair Light Client protocol [3] using sync-committees. In Altair, the source chain subsamples the validators and is fixed for the whole epoch, while our solution lets the verifier on the target chain sample randomly. This key insight lets us improve over Altair along three dimensions:
-
for the same soundness gurantees, our protocol is more efficient by a factor of for large validator sets
-
handles adaptive corruption of validators. An elected sync-committee in Altair remains stagnant for a whole epoch, exposing the committee against targeted attacks. In contrast, validators are sampled from randomness on the destination chain in our approach, leaving only a short window to adaptively corrupt the sampled validators.
-
our protocol exposes a security parameter to the light client that allows tuning the security and efficiency based on the application requirements.
2 Preliminaries and System Model
Proof of Stake consensus mechanisms for blockchains require the nodes to stake the native cryptocurrency for a fixed period. In return, these nodes earn the opportunity to become validators, receiving rewards for producing blocks and participating in consensus. The security of the network is derived by the fact that the stakes of misbehaving nodes can be slashed (forfeited).
Light-clients are blockchain nodes that run in resource constrained environments like browsers or mobile devices to follow a decentralized consensus protocol. They do not maintain the entire blockchain history but instead validate the most critical pieces of information, such as block headers, to verify the integrity of the blockchain state. In particular, light clients have direct applications in building trustless and decentralized bridges between blockchains. Our definition of a bridge is in the broadest sense and application-agnostic. In this work, we define bridges as protocols that let two chains communicate and follow the finality (thru block headers) of each other. Applications like asset-swaps can be built on top of this basic functionality.
2.1 System Model
We formalize our setting, where the objective of an on-chain light client on destination chain is to follow the finality of a source PoS blockchain . For brevity, we model the light client as a smart contract, however, our results hold for other computation models for updating state on . Our setting comprises of three actors: Validators on the source chain , trustless relayer , and a light-client deployed on . We make some standard assumptions on the PoS model of , satisfied by most PoS networks like Cosmos, Ethereum, Polkadot:
- 1.
-
2.
Payloads: Each block in contains a payload capturing the state of after executing block . Typically, the payload is the hash of a crypto accumulator (e.g., Merkle Tree or Merkle Mountain Range Root [56]) where its leaves are the state of .
-
3.
Justifications: Oblivious of the underlying consensus mechanism, once a block is finalised in , the payload is signed by all honest validators in the associated validator set of size . We assume at most validators are malicious, such that . The validator use an unforgeable signature scheme to attest the payloads. Let be the signature of on , which can be verified against its public-key . We often identify the validator by its public-key. A block is considered justified (or finalised when context is clear) if its payload has been signed by at least validators in . The set of such valid signatures are called justifications, denoted . We say a justification is valid iff and ’s are valid signatures from validators in . Assuming the underlying consensus mechanism is safe, note that for a particular block-height , only a unique block can have valid justifications.
-
4.
Stakes: Validator has a stake locked on . Any malicious behavior by results in partial or full slash of validator’s stake. We assume the delay in detecting an offense and enforcing the slash and is bounded by , the slashing delay.
-
5.
Epochs: The blockchain is divided into consecutive set of blocks called epochs, denoted . For any , the validator set remains unchanged for all blocks within an epoch .
-
6.
Epoch Transitions: A commitment (e.g. Merkle Root) to the next validator set is included in the payload of ’s last block. PoS networks provide this functionality to facilitate light-clients to sync-up efficiently to the head of the chain by tracking only blocks with validator set changes.
Note: Justifications are succinct proofs of finality designed to simplify the light-client’s process for following the chain head. We require honest validators to justify a payload only if the payload has already been finalized by the underlying finality gadget. Unlike consensus mechanism where an honest validator may sign a non-finalized block, an honest validator never signs justification for a block that has not already been finalized. Hence, the justification of a block guarantees stronger properties than being finalized by the underlying finality gadget like Grandpa or Casper-FFG. We show it is straightforward to construct a justification layer on top of any finality gadget in Section 5.1.
Relayers (denoted ) are entities that collect justifications from and interact with the light-client to convince it of the newly finalised blocks. In the process, they may collect fees for their efforts. Relayers are completely permissionless, i.e, they do not deposit any stakes either on or nor there is any registration. Relayers can communicate with by calling transactions of the smart contract . The only requirement on is:
-
1.
Randomness: provides a source of randomness accessible to . Ideally, is unbiasable by the relayers, and for that matter, even by ’s validators. We model the source of randomness as a random function , where is the randomness generated at block .
2.2 Attacker Model
We model the attackers as rational agents, ie., an attack is launched only if the expected outcome of an attack is positive. Our attacker model allows collusion between the relayers and validators on , as well as validators on . We tolerate adversarial faction up to the limit determined by the underlying consensus mechanism on both and , without adding new trust assumption for safety of the bridge. In particular, relayers are completely permissionless and trustless. The relayer have no stake attached on either nor . The relayer also can arbitrarily initiate and break an interactive session with the light client. This also means relayer can spawn multiple session concurrently. However, we assume the existence of at least one honest relayers for liveness of the bridge.
2.3 Problem Statement
We tackle the problem of building trustless bridges using light clients [63]. Typically, a light client synchronizing block headers of the source chain is implemented as a smart contract on the destination chain. This ensures the destination chain can verify information about the state of without relying on external parties. Moreover, it allows anyone to prove the existence of transactions on for smart contracts on (using Merkle proofs), paving the way for generic applications. We formally lay out the desired properties of a light client protocol between verifier and prover , with an objective to update ’s view of the latest finalised block on . The (prover) wants to convince the (verifier) that at least one honest validator on signed the payload of a recently finalised block . We introduce the notion of crypto-economic soundness for light-client protocols which lets us trade-off negligible soundness guarantees for efficiency.
Definition 1 (-Soundness).
Let be the protocol between and . Assume no honest validator in signed . If the (prover) can convince (verifier) of ’s authenticity with probability at most , then is defined to be -sound. We term as the soundness error of .
Our attacker model does not make any honesty assumptions on relayers. Any safety violation in our approach is traced back to the validators signing malicious payloads. We require the light client protocol to be accountable, i.e, malicious validators on can be identified and slashed. Our goal is to design a light client protocol that is crypto-economically sound, as defined below:
Definition 2 (Crypto-economic Soundness).
Let be -Sound. If is such that the expected outcome of an adversary attacking is negative, then is Crypto-economically Sound.
3 Interactive Random Sampling Protocol
We describe an interactive light-client protocol between a relayer listening to finalised blocks on and light-client deployed on . wishes to convince of a new finalised block on which succeeds the latest finalised block known to . Here, by convince, we mean that the light-client is ensured that at least one honest validator signed .
Once a block is finalised on , the relayers collects the justifications and initiates . In practice, the relayer can obtain the justifications by running a full-node of and listening to it’s consensus gossip-network. Naively, can check the finality of by verifying signatures (where denotes the malicious nodes on ) in , ensuring at least one honest validator signed . Combining the above observation with byzantine assumptions () on , the light-client is required to verify signatures in . is a Commit-Challenge-Response [25] which reduces the number of signature verifications (sub-linear w.r.t validator-set size) performed on the verifier’s side. In particular, can be viewed as an instantiation of Interactive Oracle Proofs (IOP) [8] for the language of digital signatures with extensions to equip it with accountability. We synonymously use the term Prover for the relayer and Verifier for the light-client .
3.1 Description
The prover initiates the protocol claiming to have valid justification for the finality of block , where ’s are signatures of on payload . Instead of sharing the whole justification (super-majority of signatures), the relayer shares its , a bitfield of length (validator-set size) which represents the validator signatures claimed to be possessed by . For accountability reasons, the tuple in the commit phase also includes a validator signature along with the claims, which we term as the backing validator of the current claim. Note that Backing Validators is only an expository term we use to describe the protocol and prove its security. As such, backing validators are not special actors in the protocol. We assume the verifier knows the Merkle Root of the set of validators (identified by their public keys) for the epoch in which is finalised. As outlined in section 2.1, the epoch transition mechanism on source chain comprises of a hand-over process, where the Merkle Root of the validator set responsible for next epoch is included in the state by the last block of the current epoch. Such hand-overs are mandatorily enforced as part of the protocol. In unforeseen circumstances when such handovers are unsuccessful, fall-backs mechanism can designed using on-chain governance. To bootstrap the protocol, either the genesis block or a trusted snapshot can be used. The verifier has access to public randomness which it can query at a particular block on . In the challenge phase, it uses to query a random subset of the signatures. The prover responds by sending the signatures and openings of the randomly sampled signatures in the response phase. The verifier maintains two variables in its state: and , denoting the block-height and payload of the latest know block finalised on . If the signatures and opening submitted in the response phase verifies, the payload () is accepted the state is accordingly updated.
| Protocol 1 Interactive Random Sampling. |
| 1. Commit: Prover sends a tuple to the verifier, where: : Payload for the block . : a bitvector of length . An honest prover sets iff they possess the signature on that verifies against . : signature of the backing validator . : opening of to (i.e., the Merkle co-path). 2. Challenge: Verifier checks if has at least indices set to s, else it terminates. If the signature is valid and opens to for , then the verifier samples indices where each is chosen uniformly at random (using ) from the positions of bits in set to s. 3. Response: Prover sends signatures , the public keys and openings of to for to the verifier. 4. Verify: Verifier performs the following checks and terminates if any fail: the openings against the corresponding public keys and at the randomly chosen indices . signatures against the public keys and . If , makes the following state updates: – – Else, is stale and state remains unchanged. |
We assume the signature scheme is unforgeable and the commitment scheme is binding. We ignore the negligible probability that the prover can find a signature that verifies against the public key of an honest validator that did not sign the message or that they can find an opening of at position to a value other than that verifies. To ensure randomness is unpredictable to the prover at commit phase, verifier uses the randomness only revealed after the commit phase as concluded. Equipped with the above assumptions, we now present the soundness and completeness results for .
Theorem 3 (-Soundness).
Consider prover initiates for block . If no honest validator in signed , then the verifier accepts with probability at most , where is the security parameter, i.e., the number of signatures randomly sampled by the verifier.
Proof.
Let’s assume no honest validator signed . The prover must provide a bitfield with at least 1s.
Consider for some . The public key belongs to a dishonest validator only if is one of at most possible values out of s at the least. Since and is unpredictable and uniformly random, with probability at least , belongs to an honest validator. Since the s are each chosen independently, the probability that no for any belongs to an honest validator is at most .
It remains to show that if some belongs to an honest validator, then the prover cannot convince the verifier. The prover cannot provide an opening of at position to a value other than because the commitment scheme is binding. The prover cannot provide a signature that verifies against because the signature scheme is unforgeable and honest validators did not sign . Hence the prover can not convince the verifier in this case. We note that if , the protocol is deterministically sound. If the verifier needs to be absolutely sure, the verifier can verify signatures, since at least one of those signatures will be of an honest validator.
Theorem 4 (Completeness).
is complete. If relayer (prover) posses valid justifications of a valid block , then the light clients (verifier) updates it’s state of the latest synced block to .
Example 5.
Suppose has 100 validators of which at most 33 are byzantine. A block gets finalised with at least 67 signatures in its justifications. The relayer collects these justifications and starts to convince the verifier that the block has been finalised. If the verifier samples signatures in the challenge phase, it can be sure that at least one of these signatures is from an honest validator. If the verifier only samples signatures in challenge phase and the verify-phase goes thru, then Theorem 3 guarantees that the probability of the light client accepting a malicious (invalid justifications) block is at most .
3.2 Optimisation: Sampling Without Replacement
Observe that the verifier samples indices in the Challenge phase in Protocol 1, where indices are chosen uniformly at random from the positions of bits in set to s. This sampling is done with replacement, i.e., the same index can be sampled multiple times. However, the soundness error can be improved by sampling without replacement, i.e., all the sampled indices are unique. Assuming the validator set size is of which at most are malicious, and signatures chosen uniquely at random by the verifier, the soundness error is bounded by:
| (1) |
The soundness error bounds for sampling with and without replacement converge asymptotically with respect to , but for practical validator set sizes , the difference is significant. More importantly, one can get away sampling fewer signatures without replacement for the same soundness error. For example, sampling signatures without replacement provides the same soundness error as sampling 128 signatures with replacement to achieve a soundness error of .
3.3 Crypto-Economic Security
guarantees probabilistic -Soundness with the soundness error , solely dependent on , the number of signatures sampled in the challenge phase. This leads to a natural question: how to set the security parameter ? We provide a crypto-economic framework for deriving the security parameter, striking a balance between efficiency and security.
Accountability and Slashing Exposure.
We specifically require to include at least one signature (i.e., backing validator ’s signature) from their in the commit-phase. If the payload is malicious, then the backing validator who signed the malicious payload can be identified and slashed on . In absence of backing validator signatures in the commit phase, the provers can initiate arbitrarily many instances of sequentially or concurrently. The relayer would then have the choice to continue only in instances where the randomness drawn by the verifier in challenge phase is favorable. The validators have no economic disincentive for signing malicious payloads. Consequently, the relayers can increase the number of attempts (more turns at rolling the dice) in submitting malicious payloads. Therefore, any attempt by validators at signing malicious blocks (i.e., a block not finalised on ) needs to be penalised/slashed.
We assume adversaries are rational, implying that an attack is initiated only if the expected economic value of the attack is positive. Our model considers the economic value of a successful attack to be the market-cap of , denoted . If the attack is unsuccessful, we consider the lowest stake of the validators on to be the economic loss for the attackers. We assume the stake of all validators on are identical, however, our framework can be extended to weighted PoS systems. The expectation of the economic value of an attack is computed as: , where is random variable for the economic value of the attack and is soundness error of . Setting , we derive .
Consequently, assuming the ratio of staked token to total issuance is and the stakes are equally distributed among the validators, the slashable stake per validator is , where is the validator set size. Hence, the derived security parameter is logarithmically dependent on .
3.4 Discussions on Safety and Liveness
If a relayer initiates the Commit phase for a canonical block but does not respond to the Challenges by the verifier (either due to genuine or malicious reasons), there is no necessity to slash the backing validator revealed in the commit phase. Slashing any validator that signs a non-canonical block (i.e. with no valid justifications) suffices for the -soundness of . A soundness attack (i.e. relaying a malicious block) is public already at the Commit phase and eventually the backing validator who signed a malicious payload gets slashed, guaranteeing -soundness without any honesty assumptions on the relayers.
We assume there is one honest relayer who relays at least one block per epoch for liveness of the bridge, i.e., the verifier is in sync with the latest finalised blocks on the source chain. Presence of at least one honest relayer per epoch ensures that the verifier can track the validator set changes. A subtle corner case impacting soundness arises when there is no honest relayer for a time-period greater than the unbonding period, i.e, time allowed for an active validator to unbond their stake and exit the network (usually 20-30 days). If no blocks are relayed and updated by the light client over such a long period, then there is a possibility that validators on source chain unbond their stake and hence there is no stake to slash for attempts after the unbonding period. However, we feel this is unlikely for bridge applications with a clear monetary incentive to stay live. Moreover, the lengthy unbonding period provides ample time to detect and rectify the situation. The problem of bootstrapping efficiently from genesis [1] is more of a concern for light clients that are frequently offline (e.g. light clients embedded in user wallets) unlike bridge applications.
4 Dynamic Random Sampling
is prone to a subtle concurrency attack that increases the soundness error () exploiting the following observations:
-
Relayers are trustless and permissionless (in-line with our design principle). Hence, an adversary can spawn arbitrarily many relayers that initiate .
-
It takes non-negligible time for slashing a validator (on ) after detecting its signature on a malicious payload. Moreover, it takes the duration of a full epoch () for the light client to discover the change in validator set (i.e., malicious validator has been ejected).
Concretely, lets assume an adversary controls validators on , implying can obtain validators signatures on any malicious payload. The adversary proceeds by initiating concurrent instances of for a particular block (with malicious payload signed by the malicious validators) with the same backing signature but different claims bitvectors in the Commit phase. Since there is a delay before the light-client is aware of the slashing and validator set change, the adversarial relayer can reuse the same backing validators signature without increasing slashing exposure of his instances. The adversary then proceed with the protocol only in those instances where the random sampling of challenge indices in the Challenge phase is favorable, i.e., the challenge indices correspond to malicious validators. Concretely, the success probability of the attack can now be quantified as . However, the slashing exposure is at most , as only , the signature of the malicious backing validator is exposed. Analogous to the expected obtained in Section 3.3, we can compute expected outcome under the above attack scenarios with concurrent instance of as:
| (2) |
The expected attack value increases with , the number of concurrent relay instances spawned. For every , there exists a such that . This is a clear attack on the crypto-economic soundness of .
4.1 Counter-measure: Dynamically Increasing Signature Checks
To counter the concurrency issue described above, we propose , an extension of . In , the security parameter (signatures sampled) dynamically increases based on the number of relay instance backed by the same backing validator. The light client (verifier) now keeps a counter for each backing validator in epoch that increments by 1 whenever there is an initial claim made by a relayer. For any further relay instances by a relayer (or a set of relayer) using the same backing validator , the number of signatures sampled during challenge phase is increased by . If instances of are initiated concurrently using the same backing validator, the probability of attack succeeding is bounded by summation over all the instances using union bounds:
| (3) |
This dynamic increase in the number of signature checks ensures that the probability of successful attack is bounded irrespective of the number of concurrent initiated, and the advantage gained by using the same backing validator multiple times is neutralized.
The setup for is very similar to except that the verifier () maintains an additional mapping , where captures the number of time a validator has been used for the backing signature in the commit-phase. Here, the backing validator is identified by its public-key. We do not keep track of relayers as they are permissionless and any attempt to keep track is not sybil resistant. Intuitively, the dynamic random sampling described in Protocol 2 ensures the adversary does not increase probability of successful attack without increasing its slashing exposure. Importantly, note that the security parameter remains unchanged if no concurrency attack is launched.
| Protocol 2 : Dynamic Random Sampling. |
| 1. Commit: The prover sends a tuple to the verifier, where: : Payload for the block . : a bitvector of length . An honest prover sets iff they possess the signature on that verifies against . : signature of the backing validator . : opening of to (i.e., the Merkle co-path). 2. Challenge: Verifier increments corresponding to the current epoch and validator with public-key . Verifier checks if has at least indices set to s, else it terminates. If the signature opens to and is valid, then the verifier samples indices where each is chosen uniformly at random (using random function ) from the positions of bits in set to s. Here is a statically chosen security parameter. 3. Response: Identical to , the prover sends signatures, public keys and openings for the random indices requested in challenge-phase. 4. Verify: Identical to , the verifier checks the signatures and validates the openings for the response. If all checks pass, the state is updated: delete entries in for all epochs preceding ’s epoch Else, is stale and verifier’s state remains unchanged. |
Theorem 6 (Dynamic Random Sampling Soundness).
Let denote an instantiation of (Protocol 2) where security parameter is set s.t . For any PPT adversary controlling at most validator on , the expected incentive for an attacker is negative.
Proof.
We first compute the probability of successful attack by defining the following events:
-
: adversary convinces the verifier an un-finalised block without justifications, i.e., the adversary successfully attacks .
-
: the adversary succeeds and in the verifiers state.
-
: the adversary attempts using as the backing validator in commit phase for the attempt, i.e., after the attempt.
The success probability for an adversary is computed as follows:
| (4) | ||||
| (5) | ||||
| (6) | ||||
| (7) | ||||
| (8) |
Hence, for any adversary , the expected incentive is:
| (9) | ||||
| (10) |
In fact, the expectation decreases linearly w.r.t the number of backing validators used by the adversary.
4.2 Griefing Attacks are Expensive
Since initiating is permissionless, an adversary can attempt to grief honest relayers by intentionally inflating the dynamic security parameter. This results in increased network workload and added costs, however, we show such griefing attacks are expensive and hence impractical for a rational adversary. Assuming the mapping on the destination chain is publicly observable, an honest relayer in the commit phase can always pick a validator with the least usage, i.e., in the epoch . Thus, an adversary with objective of griefing honest relayers has to uniformly increase the usage counter () across all possible backing validators for the epoch. Let be the cost for a relayer to initiate and be the cost of checking each additional signature in the verify phase. need to be initiated by the adversary for increasing the security parameter by only . Recall that the security parameter grows by . We compute the griefing factor [14] (ratio of additional costs on victims to cost incurred by the attacker) for the above optimal strategy.
| (11) |
Therefore, the griefing factor asymptotically drops exponentially for as the attack prolongs. In most practical scenarios, if not , resulting in low griefing factor for even small values of . Moreover, the griefing attacks do not extend beyond the epoch in which they are launched, as the usage counter is reset every epoch.
4.3 Safety and Liveness
Theorem 3 proves that is -sound for a single interaction and theorem 6 shows that is unconditionally safe with soundness error within the same epoch. We do not make any trust assumptions on the relayer for the safety results. However, theorem 4 in conjunction with one honest relayer ensures liveness. Note that our soundness depends on validators being slashed for signing malicious payloads. Similar to , soundness of is affected in the highly unlikely case where blocks relayed for a period longer than the unbonding period (described in Section 3.4). The overall requirements for dynamic sampling is similar to changes adopted in the interactive protocol
5 BEEFY: Polkadot-Ethereum Bridge
The protocol has been instantiated to implement a trustless and decentralized bridge BEEFY from Polkadot to Ethereum and is currently live. This section outlines the key design decisions and security considerations. We start with describing how a light-weight justification layer can be modularly added on top of any deterministic finality gadget without modifying the underlying consensus mechanism.
5.1 Light-weight Succinct Finality on Polkadot
Polkadot [13] uses GRANDPA [54], a deterministic finality gadget, for finalising blocks. GRANDPA is designed for secure and fast finalisation for the network, but was not primarily designed for light clients. In particular, finality proofs for GRANDPA are large (votes on forks not blocks) and light clients are required to maintain forks to follow finality. We argue that optimising the on-chain verifier workload is a priority. Hence, adding a light-weight finality layer that requires all validators to sign on the source-chain is a fair trade-off if it facilitates more efficient on-chain verification using destination-chain randomness. We design BEEFY [7] as an additional light-weight finality layer on GRANDPA such that:
-
BEEFY justifications satisfy the properties in Section 2.1
-
BEEFY uses the ECDSA (secp256k1 [61]) signature scheme which is efficiently verifiable on-chain on Ethereum.
-
The validator sets for BEEFY and GRANDPA are identical for each epoch.
In our current design, BEEFY finality lags GRANDPA finality by a few seconds. Note that it is not necessary for every Grandpa finalised block to be BEEFY finalised. The payload is root of an MMR (Merkle Mountain Range) capturing the state of Polkadot, allowing efficient append operations as the chain and state grow [56]. MMRs also allow more efficient block inclusion and ancestry checks on the verifier side [12].
We now describe at a high-level the BEEFY protocol in a partially synchronous setting. The protocol is designed to be modular and can be plugged into PoS chains with any deterministic finality gadget. We extend the consensus mechanism with an extra voting round. Each validator has a local belief of the following:
-
1.
Highest GRANDPA finalized block number ().
-
2.
Highest BEEFY finalized block number ().
-
3.
Last block of the previous epoch ().
Initially, they are all set to the genesis block. GRANDPA is independently finalising blocks and BEEFY’s objective is to produce justifications for a subset of those blocks. Since GRANDPA does not allow forks, BEEFY validators are essentially voting on a single chain. Hence, the crucial part of the protocol is to determine the block height to vote on.
The protocol runs in rounds from the viewpoint of validators. A BEEFY round is an attempt by validators to produce a BEEFY Justification. Round number is defined as the block height of a GRANDPA finalised block that the validators vote on. The protocol expects honest validators to gossip their vote. From the local view of a validator, a round ends if either of the following events occur:
-
1.
Validator collects valid votes for the current round, i.e. the block obtains BEEFY justifications.
-
2.
Validator receives a BEEFY Justification for a block higher than the currently known highest BEEFY block.
The validator proceeds to determine the new round number in both the cases. As a strawman approach, BEEFY validators could just pick the next GRANDPA finalised block. However, this would be inefficient as BEEFY finality is not required (due to MMRs) for every GRANDPA finalised block. Moreover, if for unknown reasons (e.g. network latency) the two mechanism drift apart, then there is a risk of BEEFY significantly lagging behind GRANDPA. To address this inefficiency, we introduce a more sophisticated round selection mechanism which ensures the gap between GRANDPA and BEEFY finalised blocks is bounded, even if the rate at which GRANDPA finalises block is exponentially more than the rate at which BEEFY finalises blocks.
Round Selection.
We define two kinds of blocks from the perspective of BEEFY validators:
-
1.
Mandatory Blocks: ones that MUST have BEEFY justification. Validators are required to mandatorily provide BEEFY justifications for these blocks. Last block in each epoch is defined to be a mandatory block.
-
2.
Non-mandatory Blocks: validators are encouraged to finalize as many blocks as possible to enable lower latency for light clients and hence end users, without significantly lagging behind GRANDPA finalised blocks.111Since the BEEFY authority set is the same as the GRANDPA authority set for any GRANDPA finalized block, the epoch boundaries for BEEFY are exactly the same as the ones for GRANDPA.
The next round number to participate is determined by BEEFY validator based on its local view of , and as follows:
| (12) | ||||
| (13) |
where:
-
is if the mandatory block in the previous epoch is already finalized or otherwise.
-
returns the smallest number greater than or equal to that is a power of two.
-
is the minimum of its arguments.
Intuitively, the next round number selected is either the mandatory block (with least height) without a BEEFY justification, or the highest GRANDPA-finalized block whose block number difference with block is a power of two. The mental model for round selection is to first finalize the mandatory block and then to attempt to pick a block taking into account how fast BEEFY catches up with GRANDPA. In case GRANDPA makes progress, but BEEFY lags behind, validators are changing rounds less often to increase the chances of BEEFY catching up with GRANDPA. This is mainly due to the fact that BEEFY justifications are not required for every GRANDPA finalised block, and hence the round selection mechanism is designed to ensure that BEEFY justifications are produced for mandatory blocks, while also allowing BEEFY to catch up with GRANDPA using function.
5.2 Slashing for BEEFY misbehaviors
Slashing on-chain for BEEFY participants signing is crucial for security guarantees of and . To this end, we store recent payloads on-chain, however, a slash reporter can always generate an MMR ancestry proof [56] to show that a block (not stored on-chain) was the prefix of a recent block. The slashing conditions are straight-forward: validators in BEEFY are slashed for signing a block that is not in the current chain (GRANDPA finalised). This includes blocks with height less than or equal to the head of the current chain but are not in the chain, and blocks with a higher block number. As long as GRANDPA is safe, validators can only be slashed for voting for blocks they do not see as finalised by GRANDPA, which honest validators will never do. In theory the full-stake can be slashed but the validator can go rogue until the slash is enforced. Hence, we settle on slashing only half the stake, keeping room for slashing misbehaviors in other subsystems of the Polkadot protocol.
5.3 Verifier Accessing RANDAO on Ethereum
We describe an implementation of a light-client verifier, specifically, the challenge phase in : The prover sends a transaction including the commit message to a smart contract which stores the message and the block number in which the transaction is included. The verifier’s challenge is derived from the RANDAO randomness from some block with number in the range for some parameters . represents the number of slots to be waited to ensure the RANDAO value is unpredictable, while represents the number of slots of opportunity provided to the relayer to respond to the challenge after the delay. A smart contract call made by the prover included in block records this challenge. Then the prover can send a final transaction including the response to the smart contract, which verifies according to the interactive protocol. We note that smart contracts on Ethereum have access to the RANDAO randomness from the previous block as well as the block number, as well as the slot numbers since the merge of EIP-4788 [55] as part of Dencun upgrade [45] on Ethereum Mainnet 222The analysis is more involved if the smart contract has only access to block numbers. Block producers are assigned to slot numbers in an epoch, not block numbers. Some slot numbers will have more adversarial slots before them and hence more choices for the randomness. By choosing whether or not to produce blocks in earlier slots, which do not affect the number of choices for the randomness, the adversary may be able to ensure that the sampling block occurs at their choice of slot number..
5.4 RANDAO Bias Analysis
We instantiate the random function (used in the challenge-phase) in with the RANDAO beacon on Ethereum. While we assumed is uniformly random and unbiasable, it is well-known that RANDAO is biasable [27, 2]. We focus on quantifying the bias for our specific objective: an attacker who wants to bias an interactive protocol (e.g., ) that uses RANDAO. We analyze the bias and how it affects our security parameter.
In this section, we consider public-coin protocols with Commit-Challenge-Response phases and abstract away from . In a public-coin protocol, the verifier challenge is chosen uniformly at random from some challenge set , however if the verifier is implemented on a blockchain, adversarial participants can introduce bias in the randomness. We quantify this bias as follows:
Definition 7.
A verifier of a public-coin protocol is -biasable if for any adversary, for any challenge , V.
Assumptions.
We assume that at least rd validators are honest, and the adversary cannot forge signatures or predict honest validator’s randomness contributions (for Ethereum, both covered by the unforgeability of BLS signatures). As in the previous analyzes, though they don’t make it explicit, we assume that an attacker is unable to prevent an honest block producer’s block from being included in the chain. Though unlikely, such attacks are feasible using the attack on LMD Casper outlined in [41, 52] or by performing denial of service attacks on the block producers whose identity is public, however we exclude it from our analysis. Under the above assumptions, we derive a s.t the interactive protocol ( instantiated with Ethereum as the target chain) has a -biasable verifier protocol.
The key quantity is the tail length , the number of slots with adversarial block producers in sequence, before the RANDAO value is used at the end of the epoch or the challenge block for BEEFY. The last honest block producer before this point produces a block that must be included, whose contribution to the randomness is random and unknown in advance. The adversarial contributions to the randomness are fixed by this point, so the adversary has the choice of publishing a block or not. This gives them choices of randomness. We build upon the TAIL-MAX strategy described in [2], and modeled as a Markov Decision Process in [2].
Adversarial Strategy.
The adversary can employ TAIL-MAX continuously and wait until the current or next epoch has an exceptionally high . After blocks for longer than two epoch lengths, an adversary waits until the current epoch (or a close epoch) before committing. Consequently, this results in several adversarial validators at the end. Then blocks later, the current epoch may still be biasable, allowing the adversary to have a more than usual chance to get many adversarial blocks before the trigger block. We can bound this bias by calculating how much the adversary can bias by running TAIL-MAX (synonymously TM) until epoch which gives the optimal biasability.
Analysis.
We denote as the state at the time of commit and write as the probability that happens with adversary (or a policy in the MDP) . We denote by , the number of adversarial slots before a slot occurs in epoch . Maximising this is very similar to , except that the sequence of consecutive adversarially controlled blocks may extend into the previous epoch. The optimal policy -MAX for the MDP for maximising runs TAIL-MAX until epoch .
We denote as the length of the sequence which is in epoch so we have
| (14) |
The distribution of under -MAX is similar to a truncated version of that of under TAIL-MAX.
Concretely, we have:
| (15) |
for since both require a particular slots to be adversarially controlled. We hence have the following bound:
| (16) |
Note that for the policy -MAX, and are independent because the Markov chains for odd and even epochs are independent.
We now compute a reasonable bound on the number of slots an adversary can feasibly wait for at the end of an epoch. From our simulations in [4], we obtained from the stationary distribution, i.e. under the continuous attack above, tail lengths of occur in expectation once in every 8, 24.1 and 72.3 years respectively. It seems rather expensive in terms of missed block rewards to carry out the attack for that long. Without the continuous attack, tail lengths 15,16,17 only occur in expectation every 26.2,78.6,235.8 years respectively. We fix as the maximum feasible tail length for the adversary to wait.
The adversary could feasibly know the block producers in epochs and if the commit slot is close to the end of epoch . We assume that both have tail length at most . If there is a tail length of 16 in future epoch , then the distribution of is that of transitions of the Markov chain from the state corresponding to tail length 16. Concretely we compute that e.g. for , is 172.8. Note that this decreases in .
Putting It All Together:
The adversary can take , the number of adversarially controlled slots before the RANDAO randomness is sampled for the challenge, to be the maximum value of over slot numbers. They have choices of RANDAO samples. Each of these choices is uniformly distributed and random (though they are not independent). Thus by a union bound for a particular challenge value , they have at most probability of getting as the challenge. So the verifier is -biasable for . Plugging in the parameters for , we obtain that is at most -biasable333The analysis in this section is backed by numerical computations in [4].. This results in an additional signature checks in the challenge phase of to negate the bias in RANDAO induced by adversarial validators on Ethereum in collusion with relayers.
5.5 Gas costs for Verification
Gas costs for verifying ECDSA signatures on Ethereum using the ecrecover precompile is Gwei. We compare gas costs for verifying BEEFY finality justifications using 3 different approaches across validator set sizes (assuming Polkadot’s total stake rate of , i.e., the ratio of tokens staked to total issuance):
-
1.
with no concurrency attack, but including the extra signatures required for negating RANDAO bias.
-
2.
Naive approach of verifying all signatures.
-
3.
SNARK circuits for verifying ECDSA signatures using UltraPlonk [58].
| Naive | UltraPLONK | |||
|---|---|---|---|---|
| 20 | 44811 | 24129 | 797216 | |
| 55152 | 230919 | 816107 | ||
| 65493 | 2299148 | 811825 | ||
| 79281 | 22981129 | 819116 | ||
| 99963 | 2298001141 | 943720 |
As evident from the table, the costs for random sampling logarithmically increase with (explained in Section 3.3) and are an order of magnitude less than the SNARK verification even for . For , the gas requirement for Naive approach already exceeds the gas limit per block in Ethereum mainnet, making it infeasible. Further, such bulk usage for verifying signatures drives up the price of gas. As of 27/11/2024, each BEEFY consensus update on Ethereum mainnet costs ETH (USD).
6 Applying Fiat-Shamir Heuristic
As a natural extension, the Fiat-Shamir heuristic can be applied to transform the interactive protocol into a non-interactive proof of knowledge protocol , enabling the generation of a compact certificate that convinces the verifier that at least one honest validator has signed the payload. Albeit in a more general setting, Compact Certificates for Collective Knowledge introduced in [40] tackles a similar problem. Their non-interactive protocol is in spirit similar to our work but caters to a setting with weighted votes. Our work leverages on-chain randomness and crypto-economic arguments to drastically reduce the on-chain costs compared to Compact Certificates [44] for real-world PoS networks provisioning slashing mechanism. In the compact certificates approach, the randomness sampled in challenge phase of is replaced by the prover computing a hash on all publicly know data to the verifier. can similarly be transformed such that the prover uses a cryptographic hash function over , , . The security parameter (number of signatures in the certificate to be checked by verifier) in purely depends on the assumed hash power of the adversary to break . Assuming that an adversary can query hashes, Theorem-1 from [40], shows that signatures are required to be checked in the certificate for to achieve a soundness error of . In contrast, requires only signature checks for the same soundness error .
To ensure 256-bit security for , can be set to 256. However, can we have a more realistic bound on the hash power of adversary? Interestingly, we can rely on the rationality of the adversary. We assume that the amount of value gained in attacking the bridge () is less than the market cap of Bitcoin. If the number of hashes in expectation required to mine a bitcoin block, should if used to brute force gives no high a probability for an attack than the fraction of all bitcoin given as a mining reward currently, it is rational to use any hash power to mine bitcoin rather than attack the bridge. Since mining a block requires getting a 256 bit hash lower than the CurrentTarget, we can bound the maximum hash power of an adversary (see Equation 17). Plugging in parameters with the values at the time of writing, we obtain , where .
| (17) |
Table 2 compares the signature checks required by verifier for Polkadot and Ethereum for the various versions of our protocol and Altair.
| Network | Altair | ||||
|---|---|---|---|---|---|
| Polkadot | 576 | 10 | 256 | 111 | 201 |
| Ethereum | 3761875 | 21 | 256 | 122 | 512 |
| Algorand | 460 | 9 | 256 | 110 | 61 |
| Binance SC | 260 | 9 | 256 | 110 | 30 |
7 Related Work
While there has been advances in application specific (e.g. token swaps and payment channels) bridging solutions [49, 39, 64, 36], we focus on approaches supporting functionality of following finality for PoS networks. Most bridge architectures [48, 6, 62] involve a centralised and trusted intermediary (via a multi-sig) that run full-nodes of the bridged chains. Time and again, the trusted centralised entities have been compromised [5] resulting in massive financial implications. In essence, centralised bridges are optimistic protocols where the claims by intermediary are accepted by the target chain without verifying the finality of the claim on the source chain. On the other end of the spectrum, the target chain can verify the full quorum certificate of the claims finality, however, this approach is expensive and not scalable with respect to validator set size on the source chain. Our work bridges the gap between these two extremes by proposing a light-client protocol that is efficient and secure without trust assumption on intermediaries. Our random sampling protocol introduces negligible and controllable soundness error with the objective of drastically reducing on-chain computation and storage costs compared to verification of full certificates. The soundness error falls exponentially with respect to the security parameter (i.e. of signature checks) and hence can be arbitrarily reduced by increasing . Assuming a rational adversary, the crypto-economics arguments introduced in Section 3.3 justifies tolerating a higher soundness error, hence further improving the efficiency. Within our crypto-economic framework, the security parameter itself depends logarithmically on the validator set size, therefore, our protocol scales well with large validator sets.
Source-chain Randomness.
Ethereum’s Altair upgrade [3] introduced a light-client protocol based based on sync-committees [26], a significantly smaller subset of validators (currently 512) responsible for attesting the finality of blocks. The sync-committee is randomly chosen for each epoch ( hours) using RANDAO beacon, and remains unchanged for a given epoch. Similar to Altair, does not require any custom crypto or SNARK primitives on the prover or verifier side, hence can be integrated readily on existing blockchains, and particularly efficient for large validator sets. We skip the already know issues with Altair [31, 44] and focus on the advantages of specifically for bridge applications which demand higher security guarantees and efficiency requirements:
-
1.
For the same soundness error, the signature checks required in are significantly lower than Altair. The current sync-committee size of 512 guarantees soundness error of and requires 342 signature checks, while requires only . Detailed further in Appendix A.
-
2.
is more resilient to adaptive adversaries. The sync-committee for the upcoming epoch is known in advance, hence the adversary can use the whole epoch duration to adaptively corrupt members. In contrast, the adversary has a much shorter duration, the difference between the challenge and response phase (configured per scenario), in to corrupt adaptively.
-
3.
All bridges would be affected if the sync-committee is compromised, while bridges using are independent as the randomness is sourced on the destination chain. An attack on one bridge does not affect the rest.
-
4.
lets the verifier configure the security parameter enabling it to trade-off security and efficiency depending on the crypto-economic setting.
Approximate Lower-Bound Arguments [18] by Chaidos et al. is another protocol which uses source chain randomness to generate comparct certificates. Our work focuses on the rational setting with slashing, where we use crypto-economics to argue that a larger soundness-error is tolerable, hence improving efficiency. The fair comparison with Dynamic Telescope (the most efficient version of the protocols described in [18]) would be to our interactive protocol also aiming for negligible soundness-error. For soundness-error , assuming our destination-chain randomness is unbiasable, we require 128 signatures in contrast to 159 (setting parameters used in Fig-2 [18]) for Decentralized Telescopes [18]. Our interactive protocol leveraging destination-chain randomness requires signature checks, where accounts for negating randomness bias. Our implementation also uses an optimization (Section 3.2) where the sampling is performed without replacement but the efficiency gained by this optimization depends on the validator set size.
Optimistic Techniques With Fishermen.
Several bridges like Nomad [42] and Near’s Rainbow [46] are examples of optimistic protocols (aka Claim and Challenge schemes) that leverage fraud-proofs [16]. Typically, the light client optimistically accepts a state without verifying and relies on economically incentivised Fishermen/WatchDogs to detect invalid updates. Unlike our approach, the relayers and fishermen need to be staked to avoid spamming and forcing all signatures being verified by making false positive challenges. Further, the security of such bridges depend on the censorship resistance of target chain during the challenge period. Dynamic transaction fees on the target chain worsen the issue, resulting in high challenge rewards and stakes. Moreover, the challenge period needs to be long trading off latency and security. In comparison, our solution requires less data since all signatures do not need to be published on chain and our bridge has lower confirmation latency. If the target chain is censored, our protocol loses liveness rather than safety but optimistic protocols also lose safety.
SNARK Based Bridges.
Recently, embedding SNARK-based on-chain light-clients has been quite popular approach for trustless bridges [10, 60, 63]. Accountable Light Client system introduce in [24] guarantees that a large number (e.g.rd) misbehaving validators can be identified when a light client is misled, a crucial property for PoS blockchains. These solutions require custom SNARKs and cryptographic primitives like aggregatable signatures which are difficult to implement in existing networks. Our approach is simpler and a secure implementation is less involved [21].
Threshold Signatures.
An alternative approach is using a threshold signature scheme with a single public key for all validators, as adopted by Dfinity [33]. These schemes typically use secret sharing for the secret key, which has two main drawbacks. First, they require a communication-intensive distributed key generation protocol for setup, which is challenging to scale for large validator sets (even with 100 validators). Despite recent advancements [34, 33, 32], implementing such setups across a large peer-to-peer network remains difficult and may need repeating when the validator set changes. Second, secret sharing-based threshold signatures do not reveal which subset of validators signed, lacking accountability. Dfinity [33] employs a re-shareable BLS threshold signature, maintaining the same public key even with validator set changes. This provides a constant-size proof for the verifier but fails to identify misbehaving validators or the specific validator set responsible, as the signature remains the same for any threshold subset. Gazi et al. intorduce a new cryptographic primitive Ad-Hoc Threshold Multisignatures (ATMS) [30] to enable cross-chain certifications for PoS networks, where the signers are selected on the fly from an existing key set. Their protocol is designed to be efficient and secure against adaptive adversaries, i.e., the adversary can corrupt validators adaptively during the protocol execution. Our interactive protocol and the Compact Certificates [40] satisfy relaxations of the ATMS definition applied to the whole validator set. A key difference is that the side chain protocol described in [30] uses source-side committees, similar to Altair though adaptively secure. We believe adaptive security for our protocol would require key evolving signatures as well as a timing guarantee that ensures the randomness is only predictable after honest validators have forgotten their keys.
Randomness Beacons.
There is a series of work on randomness beacons for blockchains [23]. Our work directly benefits from advances in unbiasabale and unpredictable randomness generation by blockchains. Schemes based on Publicly Verifiable Secret Sharing [9, 51] and Verifiable Delay Functions [37, 50] that are immune against last-revealer attacks directly improves the efficiency of our random sampling protocol, since we do not need to increase the security parameter to negate the bias.
8 Conclusion and Future Work
We presented an interactive light-client protocol for PoS blockchains using on-chain randomness. leverages crypto-economic arguments to drastically improve efficiency (on-chain computation usage) without compromising security. The practicality of our protocol is demonstrated by instantiating a trustless and decentralized bridge between Polkadot and Ethereum. As future work, we plan to design incentive mechanism’s for the relayer market. We are interested in settings where the relayers are incentivised by public good funding (DAO treasuries) [38, 59, 43] as well as fees generated by users of the bridge.
References
- [1] Shresth Agrawal, Joachim Neu, Ertem Nusret Tas, and Dionysis Zindros. Proofs of proof-of-stake with sublinear complexity. CoRR, abs/2209.08673, 2022. doi:10.48550/arXiv.2209.08673.
- [2] Kaya Alpturer and S. Matthew Weinberg. Optimal randao manipulation in ethereum, 2024. doi:10.48550/arXiv.2409.19883.
- [3] Altair light client – sync protocol. https://ethereum.github.io/consensus-specs/specs/altair/light-client/sync-protocol/, 2024.
-
[4]
Anonymised Artifact.
Randao analysis.
https://anonymous.4open.science/r/fc25-randao-
analysis-AFCD/, 2025. - [5] André Augusto, Rafael Belchior, Miguel Correia, André Vasconcelos, Luyao Zhang, and Thomas Hardjono. Sok: Security and privacy of blockchain interoperability. In 2024 IEEE Symposium on Security and Privacy (SP), pages 3840–3865, 2024. doi:10.1109/SP54263.2024.00255.
- [6] Axelar: Connecting applications with blockchain ecosystems. https://www.axelar.network/whitepaper, 2021.
-
[7]
Polkadot Specifications: Beefy.
https://spec.polkadot.network/sect-finality#sect-grandpa-beefy, 2023. - [8] Eli Ben-Sasson, Alessandro Chiesa, and Nicholas Spooner. Interactive oracle proofs. In Martin Hirt and Adam D. Smith, editors, Theory of Cryptography - 14th International Conference, TCC 2016-B, Beijing, China, October 31 - November 3, 2016, Proceedings, Part II, volume 9986 of Lecture Notes in Computer Science, pages 31–60, 2016. doi:10.1007/978-3-662-53644-5_2.
- [9] Adithya Bhat, Nibesh Shrestha, Aniket Kate, and Kartik Nayak. RandPiper – reconfiguration-friendly random beacons with quadratic communication. Cryptology ePrint Archive, Paper 2020/1590, 2020. doi:10.1145/3460120.3484574.
- [10] Joseph Bonneau, Izaak Meckler, Vanishree Rao, and Evan Shapiro. Coda: Decentralized cryptocurrency at scale. IACR Cryptol. ePrint Arch., page 352, 2020. URL: https://eprint.iacr.org/2020/352.
- [11] Ethan Buchman, Jae Kwon, and Zarko Milosevic. The latest gossip on BFT consensus. CoRR, abs/1807.04938, 2018. arXiv:1807.04938.
- [12] Benedikt Bunz, Lucianna Kiffer, Loi Luu, and Mahdi Zamani. Flyclient: Super-light clients for cryptocurrencies. In 2020 IEEE Symposium on Security and Privacy, SP 2020, San Francisco, CA, USA, May 18-21, 2020, pages 928–946. IEEE, 2020. doi:10.1109/SP40000.2020.00049.
- [13] Jeff Burdges, Alfonso Cevallos, Peter Czaban, Rob Habermeier, Syed Hosseini, Fabio Lama, Handan Kilinç Alper, Ximin Luo, Fatemeh Shirazi, Alistair Stewart, and Gavin Wood. Overview of polkadot and its design considerations. CoRR, abs/2005.13456, 2020. arXiv:2005.13456.
- [14] Vitalik Buterin. A griefing factor analysis model. https://ethresear.ch/t/a-griefing-factor-analysis-model/2338, 2018.
- [15] Vitalik Buterin and Virgil Griffith. Casper the friendly finality gadget. CoRR, abs/1710.09437, 2017. arXiv:1710.09437.
- [16] Ran Canetti, Ben Riva, and Guy N. Rothblum. Refereed delegation of computation. Information and Computation, 226:16–36, 2013. Special Issue: Information Security as a Resource. doi:10.1016/j.ic.2013.03.003.
- [17] Miguel Castro and Barbara Liskov. Practical byzantine fault tolerance. In Margo I. Seltzer and Paul J. Leach, editors, Proceedings of the Third USENIX Symposium on Operating Systems Design and Implementation (OSDI), New Orleans, Louisiana, USA, February 22-25, 1999, pages 173–186. USENIX Association, 1999. URL: https://dl.acm.org/citation.cfm?id=296824.
- [18] Pyrros Chaidos, Aggelos Kiayias, Leonid Reyzin, and Anatoliy Zinovyev. Approximate lower bound arguments. In Marc Joye and Gregor Leander, editors, Advances in Cryptology - EUROCRYPT 2024 - 43rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zurich, Switzerland, May 26-30, 2024, Proceedings, Part IV, volume 14654 of Lecture Notes in Computer Science, pages 55–84. Springer, 2024. doi:10.1007/978-3-031-58737-5_3.
- [19] Chainalysis. Vulnerabilities in cross-chain bridge protocols emerge as top security risk. https://www.chainalysis.com/blog/cross-chain-bridge-hacks-2022/, 2022.
- [20] Stefanos Chaliasos, Jens Ernstberger, David Theodore, David Wong, Mohammad Jahanara, and Benjamin Livshits. Sok: what don’t we know? understanding security vulnerabilities in snarks. In Proceedings of the 33rd USENIX Conference on Security Symposium, SEC ’24, USA, 2024. USENIX Association. URL: https://www.usenix.org/conference/usenixsecurity24/presentation/chaliasos.
- [21] Stefanos Chaliasos, Jens Ernstberger, David Theodore, David Wong, Mohammad Jahanara, and Benjamin Livshits. Sok: What don’t we know? understanding security vulnerabilities in snarks. CoRR, abs/2402.15293, 2024. doi:10.48550/arXiv.2402.15293.
- [22] Herman Chernoff. A measure of asymptotic efficiency for tests of a hypothesis based on the sum of observations. The Annals of Mathematical Statistics, 23(4):493–507, 1952. doi:10.1214/aoms/1177729330.
- [23] Kevin Choi, Aathira Manoj, and Joseph Bonneau. Sok: Distributed randomness beacons. In 2023 IEEE Symposium on Security and Privacy (SP), pages 75–92, 2023. doi:10.1109/SP46215.2023.10179419.
- [24] Oana Ciobotaru, Fatemeh Shirazi, Alistair Stewart, and Sergey Vasilyev. Accountable light client systems for pos blockchains. IACR Cryptol. ePrint Arch., page 1205, 2022. URL: https://eprint.iacr.org/2022/1205.
- [25] Ronald Cramer. Modular design of secure yet practical cryptographic protocols. Ph. D.-thesis, CWI and U. of Amsterdam, 2, 1996.
- [26] Ben Edgington. One page annotated spec. https://eth2book.info/capella/annotated-spec/, 2022.
- [27] Ben Edgington. Upgrading Ethereum, chapter RANDAO Biasability, pages 152–153. Ben Edgington, 2023. URL: https://eth2book.info/capella/part2/building_blocks/randomness/#randao-biasability.
- [28] Over $1 billion stolen from bridges so far in 2022 as harmonys horizon bridge becomes latest victim in $100 million hack, 2022. URL: bit.ly/3fvlIME.
-
[29]
Nomad loses $156 million in seventh major crypto exploit of 2022.
https://hub.elliptic.co/
analysis/nomad-loses-156-million-in-seventh-major-crypto-bridge-exploit-of-
2022/, 2022. - [30] Peter Gazi, Aggelos Kiayias, and Dionysis Zindros. Proof-of-stake sidechains. In 2019 IEEE Symposium on Security and Privacy, SP 2019, San Francisco, CA, USA, May 19-23, 2019, pages 139–156. IEEE, 2019. doi:10.1109/SP.2019.00040.
- [31] Vincent Geddes and Aidan Musnitsky. Snowfork’s analysis of sync committee security. https://forum.polkadot.network/t/snowforks-analysis-of-sync-committee-security/2712/10, 2023.
- [32] Craig Gentry, Shai Halevi, and Vadim Lyubashevsky. Practical non-interactive publicly verifiable secret sharing with thousands of parties. ePrint 2021/1397, 2021. URL: https://eprint.iacr.org/2021/1397.
- [33] Jens Groth. Non-interactive distributed key generation and key resharing. ePrint 2021/339, 2021. URL: https://eprint.iacr.org/2021/339.
- [34] Kobi Gurkan, Philipp Jovanovic, Mary Maller, Sarah Meiklejohn, Gilad Stern, and Alin Tomescu. Aggregatable distributed key generation. ePrint 2021/005, 2021. URL: https://eprint.iacr.org/2021/005.
- [35] Mor Harchol-Balter. Introduction to probability for computing. https://www.cs.cmu.edu/˜harchol/Probability/chapters/chpt18.pdf, 2024.
- [36] Rongjian Lan, Ganesha Upadhyaya, Stephen Tse, and Mahdi Zamani. Horizon: A gas-efficient, trustless bridge for cross-chain transactions. CoRR, abs/2101.06000, 2021. arXiv:2101.06000.
- [37] Arjen K. Lenstra and Benjamin Wesolowski. A random zoo: sloth, unicorn, and trx. Cryptology ePrint Archive, Paper 2015/366, 2015. URL: https://eprint.iacr.org/2015/366.
- [38] Lu Liu, Sicong Zhou, Huawei Huang, and Zibin Zheng. From technology to society: An overview of blockchain-based dao. IEEE Open Journal of the Computer Society, 2:204–215, 2021. doi:10.1109/OJCS.2021.3072661.
- [39] Giulio Malavolta, Pedro Moreno-Sanchez, Clara Schneidewind, Aniket Kate, and Matteo Maffei. Anonymous multi-hop locks for blockchain scalability and interoperability. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019. The Internet Society, 2019. URL: https://www.ndss-symposium.org/ndss-paper/anonymous-multi-hop-locks-for-blockchain-scalability-and-interoperability/.
- [40] Silvio Micali, Leonid Reyzin, Georgios Vlachos, Riad S. Wahby, and Nickolai Zeldovich. Compact certificates of collective knowledge. In 42nd IEEE Symposium on Security and Privacy, SP 2021, San Francisco, CA, USA, 24-27 May 2021, pages 626–641. IEEE, 2021. doi:10.1109/SP40001.2021.00096.
- [41] Michael Neuder, Daniel J. Moroz, Rithvik Rao, and David C. Parkes. Low-cost attacks on ethereum 2.0 by sub-1/3 stakeholders. CoRR, abs/2102.02247, 2021. arXiv:2102.02247.
- [42] Nomad protocol. https://docs.nomad.xyz/the-nomad-protocol/overview, 2021.
-
[43]
Polkadot Wiki: Treasury.
https://wiki.polkadot.network/docs/learn-polkadot-opengov-treasury, 2024. - [44] James Preswitch. Altair has no light client. https://prestwich.substack.com/p/altair, 2023.
- [45] Ethereum Foundation Protocol Support Team. Dencun mainnet announcement. https://blog.ethereum.org/2024/02/27/dencun-mainnet-announcement, 2024.
- [46] What is the rainbow bridge? https://doc.aurora.dev/bridge/introduction/, 2024.
- [47] Rekt leaderboard. https://rekt.news/tr/leaderboard/, 2024.
- [48] Ronin bridge documentation. https://docs.roninchain.com/apps/ronin-bridge, 2024.
- [49] Giulia Scaffino, Lukas Aumayr, Mahsa Bastankhah, Zeta Avarikioti, and Matteo Maffei. Alba: The dawn of scalable bridges for blockchains. IACR Cryptol. ePrint Arch., page 197, 2024. URL: https://eprint.iacr.org/2024/197.
- [50] Philipp Schindler, Aljosha Judmayer, Markus Hittmeir, Nicholas Stifter, and Edgar Weippl. RandRunner: Distributed randomness from trapdoor VDFs with strong uniqueness. Cryptology ePrint Archive, Paper 2020/942, 2020. URL: https://eprint.iacr.org/2020/942.
- [51] Philipp Schindler, Aljosha Judmayer, Nicholas Stifter, and Edgar Weippl. Hydrand: Efficient continuous distributed randomness. In 2020 IEEE Symposium on Security and Privacy (SP), pages 73–89, 2020. doi:10.1109/SP40000.2020.00003.
- [52] Caspar Schwarz-Schilling, Joachim Neu, Barnabé Monnot, Aditya Asgaonkar, Ertem Nusret Tas, and David Tse. Three attacks on proof-of-stake ethereum. In Ittay Eyal and Juan A. Garay, editors, Financial Cryptography and Data Security - 26th International Conference, FC 2022, Grenada, May 2-6, 2022, Revised Selected Papers, volume 13411 of Lecture Notes in Computer Science, pages 560–576. Springer, 2022. doi:10.1007/978-3-031-18283-9_28.
- [53] Snowbridge: A trustless bridge between polkadot and ethereum. https://github.com/snowfork/snowbridge/, 2024.
- [54] Alistair Stewart and Eleftherios Kokoris-Kogia. GRANDPA: a byzantine finality gadget. CoRR, abs/2007.01560, 2020. arXiv:2007.01560.
- [55] Alex Stokes, Ansgar Dietrichs, Danny Ryan, Martin Holst Swende, and lightclient. Eip-4788: Beacon block root in the evm. https://eips.ethereum.org/EIPS/eip-4788, 2022.
- [56] Peter Todd. Making utxo set growth irrelevant with low-latency delayed txo commitments. https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-May/012715.html, 2016.
- [57] Dmytro Tymokhanov and Omer Shlomovits. Alpha-rays: Key extraction attacks on threshold ECDSA implementations. Cryptology ePrint Archive, Paper 2021/1621, 2021. URL: https://eprint.iacr.org/2021/1621.
- [58] Ultraplonk verifier by aztec. https://github.com/AztecProtocol/barretenberg/tree/master/sol/src/ultra, 2024.
- [59] Paul Van Vulpen and Slinger Jansen. Decentralized autonomous organization design for the commons and the common good. Frontiers in Blockchain, 6:1287249, 2023. doi:10.3389/FBLOC.2023.1287249.
- [60] Psi Vesely, Kobi Gurkan, Michael Straka, Ariel Gabizon, Philipp Jovanovic, Georgios Konstantopoulos, Asa Oines, Marek Olszewski, and Eran Tromer. Plumo: An ultralight blockchain client. In Ittay Eyal and Juan A. Garay, editors, Financial Cryptography and Data Security - 26th International Conference, FC 2022, Grenada, May 2-6, 2022, Revised Selected Papers, volume 13411 of Lecture Notes in Computer Science, pages 597–614. Springer, 2022. doi:10.1007/978-3-031-18283-9_30.
- [61] Gavin Wood et al. Ethereum: A secure decentralised generalised transaction ledger. Ethereum project yellow paper, 151(2014):1–32, 2014.
- [62] Wormhole architecture overview. https://wormhole.com/docs/learn/fundamentals/architecture/, 2024.
- [63] Tiancheng Xie, Jiaheng Zhang, Zerui Cheng, Fan Zhang, Yupeng Zhang, Yongzheng Jia, Dan Boneh, and Dawn Song. zkbridge: Trustless cross-chain bridges made practical. In Heng Yin, Angelos Stavrou, Cas Cremers, and Elaine Shi, editors, Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, Los Angeles, CA, USA, November 7-11, 2022, pages 3003–3017. ACM, 2022. doi:10.1145/3548606.3560652.
- [64] Alexei Zamyatin, Dominik Harz, Joshua Lind, Panayiotis Panayiotou, Arthur Gervais, and William J. Knottenbelt. XCLAIM: trustless, interoperable, cryptocurrency-backed assets. In 2019 IEEE Symposium on Security and Privacy, SP 2019, San Francisco, CA, USA, May 19-23, 2019, pages 193–210. IEEE, 2019. doi:10.1109/SP.2019.00085.
Appendix A Efficiency Comparison with Altair
Let be the random variable denoting the number of malicious validators being picked in the Sync-Committee. Since the validator set on Ethereum is , we can approximate the hypergeometric distribution of to , where is the probability of picking a malicious validator from byzantine assumptions. The probability that a majority of malicious validators comprise the sync-committee can be bounded using Pretty Chernoff’s inequality [22, 35] as follows:
Substituting and , we obtain soundness error bound
Plugging the values for Ethereum, we obtain a bound on probability the a super-majority malicious validators were elected in the sync-committee (soundness error) . To obtain the same soundness error via , the number of signature checks (security parameter) required is 176 (i.e., ). In fact, the result can be generalised: the ratio of signature checks required in to Altair for achieving the same soundness errors is .
