The invention relates to a method for a node being allowed to issue a new block in a distributed system in which transactions and records are organized in blocks, and particularly, to a new block committed to a blockchain in a blockchain network by using a common reference string and a verifiable random function.
Blockchains or blockchain is a distributed database that keeps a continuously growing list of data records. Each data record is protected against tampering and revisions. Blockchains are used with public ledgers of transactions, where the record is enforced cryptographically. Such a blockchain system is a replicated state machine that must be fault tolerant. When designing a blockchain system, there is usually a trade-off between decentralization, scalability and security, which is called the trilemma problem in blockchains. The blockchain trilemma is one of the biggest challenges for cryptocurrencies.
Blockchain systems are being challenged to demonstrate rigorous robustness and high performance in real-world situations. Many applications demand low transaction confirmation latency and high transaction throughput. However, most blockchain systems do not satisfy these criteria. For example, the confirmation latency of Ethereum (with traditional minute-level latency) is about 5 to 10 minutes and the throughput is limited to about 30 transactions per second. By contrast, some blockchain systems achieve high performance but sacrifice the robustness of the systems. For example, EOS achieves high performance, but it is operated with only 21 supernodes, and is vulnerable to DDoS attacks. PCT International Publication No. 2017/192837 discloses Algorand's techniques that are decentralized and have robust safety, which is incorporated herein by this reference, but Algorand's throughput is limited.
Thus, there is a need for a novel blockchain system which achieves high scalability while remaining decentralized and robust in the real-world environment. The application provides a method for a node allowed to issue a new block in a distributed system in which transactions and records are organized in blocks so as to achieve high decentralization and low latency.
The present application provides a method for a node being allowed to issue a new block is described herein. The method is executed in a distributed system including a plurality of blocks, comprises: determining a value R from a common reference string; computing a value s associated to a value of a status with a private key at a node; computing a value r by taking the value s into a function H at the node; and determining whether the node obtains a right to issue a new block by taking the values R and r into a function V. The private key may be a private signing key corresponding to the node. The value s may only be computed by the node with the private key. The value r may be unpredictable and unique to other nodes.
In another embodiment, the value r can be verified with a public key and the value s. The status may be defined to be a shard ID, a chain ID or a height of the block.
In another embodiment, the common reference string may be a public randomness generated by a deterministic algorithm for each epoch. The epoch may consist of a specific number of blocks.
In another embodiment, the common reference string is defined as: Ri=Hash(TSig(Ri−1)), where Ri is generated for the new block, and TSig(⋅) is a threshold signature function whose input is some set of share-signatures produced during previous blocks.
In another embodiment, the common reference string is defined as: Ri=(Sig_{authority}(Ri−1)), where Ri is generated for the new block.
In another embodiment, the function H may be a hash function. The function V is defined as: |R−Hash(Sigsk (status))|, where R is the value R and Hash(Sigsk(status) can be verified by a public key.
In another embodiment, the node obtains the right to issue the new block when a calculated value for the function V is the minimum at the node by comparing with other calculated values for the function at other nodes. The blocks may pertain to a single blockchain.
The present application further provides a method for a node being allowed to issue a new block. The method is executed in a distributed system including a plurality of blocks, comprises: determining a value R from a common reference string; computing a value s associated to a value of a status at a node; computing a value r by taking the value s into a function H at the node; and determining whether the node obtains a right to issue a new block by taking the values R and r into a function V. The value s can be verified by other nodes.
In another embodiment, the value r may be unpredictable and unique to other nodes. The value r can be verified with a public key and the value s.
In another embodiment, the status can be defined to be a shard ID, a chain ID or a height of the block.
In another embodiment, the common reference string may be a public randomness generated by a deterministic algorithm for each epoch. The epoch consists of a specific number of blocks.
In another embodiment, the common reference string is defined as: Ri=Hash(TSig(Ri−1)), where Ri is generated for the new block, and TSig(⋅) is a threshold signature function whose input is some set of share-signatures produced during previous blocks.
In another embodiment, the common reference string is defined as: Ri=(Sig_{authority}(Ri−1)), where Ri is generated for the new block.
In another embodiment, the function H is a hash function. The function V is defined as: |R−Hash(Sigsk(status)), where R is the value R and Hash(Sigsk(status) is verified by a public key.
In another embodiment, the node obtains the right to issue the new block when a calculated value for the function V is the minimum at the node by comparing with other calculated values for the function at other nodes. The blocks may pertain to a single blockchain.
The present application further provides a distributed system comprising: a plurality of first nodes determining a value R from a common reference string; and a plurality of second nodes computing a value s associated to a value of a status and computes a value r by taking the value s into a function H and allowing one of the second nodes to issue a new block by taking the values R and r into a function V; wherein the plurality of first nodes and the plurality of second nodes are connected to each other via an internet.
In order to sufficiently understand the essence, advantages and the preferred embodiments of the present invention, the following detailed description will be more clearly understood by referring to the accompanying drawings.
The following description shows the preferred embodiments of the present invention. The present invention is described below by referring to the embodiments and the figures. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the principles disclosed herein. Furthermore, that various modifications or changes in light thereof will be suggested to persons skilled in the art and are to be included within the spirit and purview of this application and scope of the appended claims.
The members in SCRS 104 are responsible for updating the CRS. The members in Snotary 106 have right to propose a block and are responsible for deciding whose block can be chosen for the single chain.
Process 200 begins with step 202, in which the members in SCRS generate a value R from a common reference string (CRS). An epoch consists of a specific number of blocks. The CRS is a public randomness generated by a deterministic algorithm for each epoch; no user in the system can predict the CRS of any future epoch. In an exemplary embodiment, the CRS of epoch i is updated by Ri=Hash(TSig (Ri−1)), where Ri is generated for the new block, Hash(⋅) is a hash function that maps arbitrarily long strings to binary strings of fixed length, and TSig(⋅) is a threshold signature function whose input is some set of share-signatures produced during previous blocks (i.e., the CRS nodes compute the randomness according to results from a previous epoch).
In another exemplary embodiment, the common reference string is defined as: Ri=(Sig_{authority}(Ri−1)) under Proof-of-Authority blockchain, where Ri is generated for the new block.
At Step 204, each node in Snotary computes a value s associated to a value of a status with the private key, and the status is the public predictable information of the block (e.g. shard ID, chain ID or block height). In an exemplary embodiment, each node in Snotary computes the signature with its private key sk as: s=Sigsk(status), where Sigsk(status) is a binary string and referred to as the digital signature of the status of the private key sk.
At next step 206, each node in Snotary computes a value r by taking value s into a function H, where the function H may be a Hash function. The value r can be verified with the public key and the value s by other nodes.
The value r may be unpredictable and unique to other nodes.
At step 208, the node in Snotary determines which node obtains a right to issue a new block by taking the value R and r into a function V. The function V is the verifiable random function (VRF), defined as: |Ri−Hash(Sigsk(status))| where, the Ri is the value R and Hash(Sigsk(status)) is verified by the public key. The node obtains the right to issue the new block when a calculated value for the function V is minimum at the node by comparing with other calculated values for the function at other nodes. To determine which node obtains the right to issue a block by computing:
l
q=arg minj∈U
Where, lq is the node obtaining the right or the leader of node q, the Uq is the set of nodes whose signatures are valid, and Sigskj(status) is the digital signature of the status of the private key sk at the node j.
The embodiment adopt a VRF to decide the node q to issue a block. This serves to minimize the communication cost so that a large population can join the protocol. The determination is independent of the round index so that the nodes are not required to propose their values at each round.
Consequently, except for the first round, the running time of each round reduces to 2λ, where λ is a time bound for the messages between any two correct nodes. The blocks may pertain to a single block chain.
The VRF has three benefits compared to the VRF in the prior art. The verifiable random function used in the prior art is Hash(Sigskj(Qi−1; x)), where Qi−1 is the randomness from the previous block. It is troublesome whether an adversary can choose to propose a block depends on the randomness of that adversary's block. If the randomness has advantage for Byzantine nodes (e.g. the probability of proposing a block for next block), then the adversary proposes the block. Thus, the overall advantage of the adversary increases up to (1/3)/(1−1/3)=1/2. The main problem is that the proposer decides the block and the randomness at the same time. Therefore, this embodiment separates the permission of proposing a block and generating the randomness in order to avoid such bias attacks. Second, the configuration is more flexible to compute the function because each user can compute part of the VRF for any status at any time, say, Hash Sigskj(x). At the beginning of each epoch, any user or node can get the CRS of the epoch and compute the probability of proposing a block in the epoch. However, The VRF of the prior art requires Qi−1 to compute Qi. Third, the configuration has better space consumption. This embodiment uses the same randomness for many blocks in one epoch. Thus, the space complexity is reduced by a constant.
Process 300 begins with step 302, in which the members in SCRS generate a value R from a common reference string (CRS). An epoch consists of a specific number of blocks. The CRS is a public randomness generated by a deterministic algorithm for each epoch; no user in the system can predict the CRS of any future epoch. In an exemplary embodiment, the CRS of epoch i is updated by Ri=Hash(TSig(Ri−1)), where Ri is generated for the new block, and TSig(⋅) is a threshold signature function whose input is some set of share-signatures produced during previous blocks (i.e., the CRS nodes compute the randomness according to results from a previous epoch).
In another exemplary embodiment, the common reference string is defined as: Ri=(Sig_{authority}(Ri−1)) under Proof-of-Authority blockchain, where Ri is generated for the new block.
At step 304, each node in Snotary computes a value s associated to a value of a status, the status is the public predictable information of the block (e.g. shard ID, chain ID or block height), wherein the value s can be verified by other nodes. In an exemplary embodiment, one of node q in Snotary computes the value s, and other nodes can verify the value s with public key pkq using zero-knowledge proofs (one party, usually called PROVER, to convince another party, called VERIFIER, that PROVER knows some facts without revealing to the VERIFIER any information about his knowledge).
At step 306, each node in Snotary computes a value r by taking value s into a function H, where the function H may be a Hash function. The value r can be verified with the public key and the value s by other nodes. The value r may be unpredictable and unique to other nodes.
At step 308 the node in Snotary determines which node obtains a right to issue a new block by taking the value R and r into a function V. The function V is the verifiable random function (VRF), defined as: |Ri−Hash(Sig(status))| where, the Ri is the value R and Hash(Sig(status)) is verified by the public key. The node obtains the right to issue the new block when a calculated value for the function V is minimum at the node by comparing with other calculated values for the function at other nodes. To determine which node obtains the right to issue a block by computing:
l
q=arg minj∈U
Where, lq is the node obtaining the right or the leader of node q, the Uq is the set of nodes whose signatures are valid, and Sigskj(status) is the digital signature of the status at the node j. This embodiment serves to minimize the communication cost so that a large population can join the protocol. The determination is independent of the round index, so the nodes are not required to propose their values at each round. Consequently, except for the first round, the running time of each round reduces to 2λ, where λ is a time bound for the messages between any two correct nodes. The blocks may pertain to a single block chain.
The timeline 400 shows the method for building a single chain of the present invention, the method providing: a single blockchain 402; a plurality of randomness Ri 404, Ri+1 406 and Ri+2 408 of a CRS chain 418; a plurality of epoch: epoch i−1 410, epoch i 412, epoch i+1 414 and epoch i+2 416; and a plurality of valid nodes set Snodei−1, Snodei and Snodei+1.
Any user with enough deposit can register its own public key in the blockchain 402. The users who want to enter or leave Snode can announce the request. The request will be recorded in the blocks. The node is called valid if it owns enough deposit and has registered a valid public key. The set Snodei+1 can be updated by Snodei and the blocks in the epoch i 412.
The members in SCRS are responsible for updating the CRS chain 418. The members in Snotary have right to propose a block and are responsible for deciding whose block can be chosen for the single chain 402. The decision of whose block can be chosen is determined by the public predictable information status, Ri 404 and the private keys, the node in Snotary compute the value |Ri−Hash (Sigskq(status))| locally.
The members in SCRS and Snotary are re-elected for each epoch. Each epoch i correspond to the randomness Ri 404 of CRS chain 418. When SCRS is re-elected, the members in SCRS will update the CRS chain 418 for the next epoch. In an exemplary embodiment, the set SCRSi and the set Snotaryi are the CRS set and the notary set of epoch i 412. The set SCRSi, the set Snotaryi and the randomness Ri 404 are decided before the epoch i 412 starts. When the epoch i 412 starts, the members in SCRSi generate the randomness Ri+1 406 as: Ri+1=Hash(TSig(Ri)), where TSig(Ri) is the threshold signature signed by the nodes in SCRSi. After Ri+1406 is decided, the set SCRSi+1 and the set Snotaryi+1 can be elected by Fisher-Yate shuffle with the randomness Ri+1406 from the set Snodei. Finally, the members in SCRSi+1 and Snotaryi+1 run the key generation algorithm of the threshold signature scheme, respectively.
According to the present invention, the method and system for a node to issue a new block for building an agreed single chain by using the common reference string (CRS) and verifiable random function (VRF). It minimizes the communication cost and reduces the time bound so that achieving high decentralization and low latency.
The foregoing embodiments of the invention have been presented for the purpose of illustration. Although the invention has been described by certain preceding examples, it is not to be construed as being limited by them. They are not intended to be exhaustive, or to limit the scope of the invention. Modifications, improvements and variations within the scope of the invention are possible in light of this disclosure.
This patent application claims the benefit of U.S. Provisional Application No. 62/757,423 filed Nov. 8, 2018 and the disclosure is incorporated herein by reference in its entirety.
Number | Date | Country | |
---|---|---|---|
62757423 | Nov 2018 | US |