https://icstaging.mywikis.net/w/api.php?action=feedcontributions&feedformat=atom&user=VictorShoupInternet Computer Wiki Staging - User contributions [en]2026-06-06T06:15:13ZUser contributionsMediaWiki 1.39.17https://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=1123IC consensus layer2021-12-01T16:44:51Z<p>VictorShoup: </p>
<hr />
<div><br />
The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is designed to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
==Assumptions==<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically synchronous<br />
for short intervals of time.<br />
In such intervals of synchrony, all undelivered <br />
messages will be delivered in less than time <math>\delta</math>,<br />
for some fixed bound <math>\delta</math>.<br />
The bound <math>\delta</math> does not have to be known in advance <br />
(the protocol is initialized with a reasonable bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
==Protocol overview==<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This pseudo-random process is implemented using a <b>random beacon</b> <br />
[[#Random Beacon|(see below)]].<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is synchronous,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not synchronous,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
Even if the protocol proceeds for a few rounds without extending the<br />
finalized path, the height of the tree will continue to grow<br />
with each round, so that when the finalized path is extended in round <math>h</math>, <br />
the finalized path will be of length <math>h</math>.<br />
A consequence of this,<br />
even if the <i>latency</i> occasionally<br />
occasionally increases because of faulty replicas or unexpectedly <br />
high network latency,<br />
the <i>throughput</i> of the protocol<br />
remains essentially constant. <br />
<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol may proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
==Public keys==<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages<br />
sent by replicas.<br />
<br />
The protocol also uses the <br />
<b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
The protocol will use these multi-signatures<br />
for [[#Notarization|notarizations]] and [[#Finalization|finalization]],<br />
which are aggregations of <math>n-f</math> signatures on messages<br />
of a certain form.<br />
<br />
==Random Beacon==<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
==Block making==<br />
<br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity, and<br />
* the block maker's signature on <math>B</math>.<br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
==Notarization==<br />
<br />
A block is effectively added to the tree of blocks when it becomes <br />
<b>notarized</b>.<br />
For a block to become notarized, <br />
<math>n-f</math> <br />
distinct replicas must <b>support</b> its notarization.<br />
<br />
Given a proposed block <math>B</math> at height <math>h</math>,<br />
a replica will determine if the proposal is <b>valid</b>,<br />
which means that <math>B</math> has the syntactic form described above.<br />
In particular, <math>B</math> should contain the hash of <br />
a block <math>B'</math> of height <math>h'</math> that is already<br />
in the tree of blocks (i.e., already notarized).<br />
In addition, the payload of <math>B</math> must satisfy certain<br />
conditions (in particulat, all of the transaction requests in the payload<br />
must satisfy various constraints, but these constraints are unrelated<br />
to consensus).<br />
Also, the rank of the block maker (as recorded in the block <math>B</math>) <br />
must match<br />
the rank assigned in round <math>h</math> by the random beacon<br />
to the replica that proposed the block (as recorded in the block proposal) .<br />
<br />
If the block is valid and certain other constraints hold,<br />
the replica will <b>support</b> the notarization of the block<br />
by broadcasting a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity of the supporting replica, and<br />
* the supporting replica's signature on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Any set of <math>n-f</math> notarization shares on <math>B</math><br />
may be aggregated together to form a <br />
<b>notarization</b> for <math>B</math>,<br />
consisting of<br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the set of identities of the <math>n-f</math> supporting replicas,<br />
* an aggregation of the <math>n-f</math> signatures on the message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
<br />
As soon as a replica obtains a notarized block of height <math>h</math>,<br />
it will finish round <math>h</math>,<br />
and will subsequently not support the notarization of<br />
any other blocks at height <math>h</math>.<br />
At this point in time, such a replica will also relay this <br />
notarization to all other replicas.<br />
Note that this replica may have obtained the notarization either by<br />
(1) receiving it from another replica, or (2) aggregating <math>n-f</math><br />
notarization shares that it has received.<br />
<br />
<br />
The <b>growth invariant</b> states that each honest replica will <br />
eventually complete each round, so that the tree of notarized blocks<br />
continues to grow (and this holds only assuming asynchronous eventual delivery,<br />
and not partial synchrony).<br />
We prove the growth invariant <br />
[[#Proof of growth invariant|below]].<br />
<br />
<br />
<br />
==Finalization==<br />
<br />
There may be more than one <br />
notarized block at a given height <math>h</math>.<br />
However, if a block is <b>finalized</b>, then we can be sure that there<br />
is no other notarized block at height <math>h</math>. <br />
Let us call this the <b>safety invariant</b>.<br />
<br />
For a block to become finalized, <br />
<math>n-f</math> <br />
distinct replicas must support its finalization.<br />
Recall that round <math>h</math> ends for a replica when <br />
it obtains a notarized block <math>B</math> of height <math>h</math>.<br />
At that point in time, such a replica will <br />
check if it supported the notarization of any block at height <math>h</math><br />
<i>other</i> than block <math>B</math> (it may or may not have <br />
supported the notarization of <math>B</math> itself).<br />
If not, the replica will support the finalization of <math>B</math><br />
by broadcasting a <br />
<b>finalization share</b> for <math>B</math>.<br />
A finalization share has exactly the same format as a notarization share<br />
(but is tagged in such a way notarization shares<br />
and finalization shares cannot be confused with one another).<br />
Any set of <math>n-f</math> finalization shares on <math>B</math><br />
may be aggregated together to form a <b>finalization</b> for <math>B</math>,<br />
which has exactly the same format as a notarization<br />
(but again, is appropriately tagged).<br />
Any replica that obtains a finalized block will broadcast the finalization <br />
to all other replicas.<br />
<br />
We prove the safety invariant <br />
[[#Proof of safety invariant|below]].<br />
One consequence of the safety invariant is the following.<br />
Suppose two blocks <math>B</math> and <math>B'</math> are finalized,<br />
where <math>B</math> has height <math>h</math>, <math>B'</math> has height<br />
<math>h'\le h</math>.<br />
Then the safety invariant implies that the path <br />
in the tree of notarized blocks<br />
ending at <math>B'</math> is a prefix of the path ending at <math>B</math><br />
(if not, then there would be two notarized blocks at height <math>h'</math>,<br />
contradicting the finalization invariant). <br />
Thus, whenever a replica sees a finalized block <math>B</math>,<br />
it may view all ancestors of <math>B</math> as being <br />
<b>implicitly finalized</b>, and because of the<br />
safety invariant, the <b>safety property</b> is<br />
guaranteed to hold for these (explicitly and implicitly) finalized blocks.<br />
<br />
<br />
<br />
==Delay functions==<br />
<br />
The protocol makes use of two <b>delay functions</b>, <br />
<math>\Delta_\textrm{m}</math> and <math>\Delta_\textrm{n}</math>,<br />
which control<br />
the timing of block making and notarization activity.<br />
Both of these functions map the rank <math>r</math> of the proposing replica<br />
no a nonnegative delay amount,<br />
and it is assumed that each function is monotonely increasing in <math>r</math>,<br />
and that <br />
<math>\Delta_\textrm{m}(r) \le \Delta_\textrm{n}(r)</math><br />
for all <math>r = 0, \ldots, n-1</math>.<br />
The recommended definition of these functions is<br />
<math>\Delta_\textrm{m}(r) = 2 \delta r</math><br />
and<br />
<math>\Delta_\textrm{n}(r) = 2 \delta r + \epsilon</math>,<br />
where <math>\delta</math> is an upper bound on the time to deliver<br />
messages from one honest replica to another,<br />
and <math>\epsilon \ge 0</math> is a "governor" to keep the<br />
protocol from running too fast.<br />
With these definitions, liveness will be ensured in those<br />
rounds in which (1) the leader is honest, and (2) messages really<br />
are delivered between honest parties within time <math>\delta</math>.<br />
Indeed,<br />
if (1) and (2) both hold in a given round, then the block proposed<br />
by the leader in that round will be finalized.<br />
Let us call this the <b>liveness invariant</b>.<br />
We prove this <br />
[[#Proof of liveness invariant|below]].<br />
<br />
<br />
==Putting it all together==<br />
<br />
We now describe in more detail how the protocol works;<br />
specifically, we describe more precisely when a replica will<br />
propose a block and when a replica will support the notarization of a block. <br />
A given replica <math>P</math> will record the time at which it <br />
enters a given round <math>h</math>,<br />
which happens when it has obtained (1) some notarization for a <br />
block of height <math>h-1</math>, and (2) the random beacon for<br />
round <math>h</math>.<br />
Since the random beacon for round <math>h</math> has been determined,<br />
<math>P</math> can determine its own rank <math>r_P</math>, as well as the <br />
rank <math>r_Q</math> of each other replica <math>Q</math> <br />
for round <math>h</math>.<br />
<br />
===Random beacon details===<br />
<br />
As soon as a replica enters round <math>h</math>, it will generate and broadcast <br />
its share of the random beacon at round <math>h+1</math>.<br />
<br />
===Block making details===<br />
<br />
Replica <math>P</math> will only propose its own block <math>B_P</math><br />
provided (1) at least <math>\Delta_\textrm{m}(r_P)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no valid lower ranked block currently seen by <math>P</math>.<br />
<br />
Note that since <math>P</math> is guaranteed to have a notarized block<br />
of height <math>h-1</math><br />
when it enters round <math>h</math>, it can make its proposed<br />
block a child of this notarized block (or any other <br />
notarized block of height <math>h-1</math> that it may have).<br />
Also note that when <math>p</math> broadcasts its proposal for <math>B_P</math>,<br />
it must also ensure that it also has relayed the notarization of <br />
<math>B_P</math>'s parent to all replicas.<br />
<br />
Suppose a replica <math>Q</math> sees<br />
a valid block proposal from a replica <math>P</math><br />
of rank<br />
<math>r_P < r_Q</math><br />
such that<br />
(1) at least <math>\Delta_\textrm{m}(r_P)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no block of rank less than <math>r_P</math> <br />
currently seen by <math>Q</math>.<br />
Then at this point in time, if it has not already done so,<br />
<math>Q</math> will relay this block proposal<br />
(along with the notarization of the proposed block's parent) <br />
to all other replicas. <br />
<br />
===Notarization details===<br />
<br />
Replica <math>P</math> will support the notarization <br />
of a valid block <math>B_Q</math> proposed by a <br />
replica <math>Q</math> of rank <br />
<math>r_Q</math><br />
provided <br />
(1) at least <math>\Delta_\textrm{n}(r_Q)</math> time<br />
units have passed since the beginning of the round,<br />
and<br />
(2) there is no block of rank less than <math>r_Q</math> <br />
currently seen by <math>P</math>.<br />
<br />
===Proof of growth invariant===<br />
<br />
The growth invariant states that<br />
each honest replica will <br />
eventually complete each round.<br />
Assume that all honest replicas have started round <math>h</math>.<br />
Let <math>r^*</math> be the rank of the lowest ranked <br />
honest replica <math>P^*</math> in round <math>h</math>.<br />
Eventually, <math>P^*</math> will either (1) propose its own block,<br />
or (2) relay a valid block proposed by a lower ranked replica. <br />
In either case, some block must eventually be supported by all honest replicas,<br />
which means that some block will become notarized and all honest replicas<br />
will finish round <math>h</math>.<br />
<br />
<br />
===Proof of safety invariant===<br />
<br />
The <b>safety invariant</b> states that if a block is finalized in a given round,<br />
then no other block may be notarized in that round.<br />
Here is a proof of the safety invariant:<br />
# Suppose that the number of corrupt parties is exactly <math>f^* \le f < n/3</math>.<br />
# If a block <math>B</math> is finalized, then its finalization must have been supported by a set <math>S</math> of at least <math>n-f-f^*</math> honest replicas (by the security property for aggregate signatures). <br />
# Suppose (by way of contradction) that another block <math>B' \ne B</math> were notarized. Then its notarization must have been supported by a set <math>S'</math> of at least <math>n-f-f^*</math> honest replicas (again, by the security property for aggregate signatures).<br />
# The sets <math>S</math> and <math>S'</math> are disjoint (by the finalization logic).<br />
# Therefore, <math>n-f^* \ge |S \cup S'| = |S| + |S'| \ge 2 (n-f-f^*)</math>, which implies <math>n \le 3f</math>, a contradiction.<br />
<br />
===Proof of liveness invariant===<br />
<br />
We say that the network is <br />
<b><math>\delta</math>-synchronous at time <math>t</math></b> if <br />
if all messages that have been sent by honest replicas at or before time <math>t</math> arrive at their destinations before time <math>t</math>.<br />
<br />
The <b>liveness invariant</b> may be stated as follows.<br />
Suppose that <math>\Delta_\mathrm{n}(1) \ge \Delta_\mathrm{m}(0) + 2\delta</math>.<br />
Also <br />
suppose that in a given round <math>h</math>, we have <br />
* the leader <math>P</math> in round <math>h</math> is honest,<br />
* the first honest replica <math>Q</math> to finish round <math>h-1</math> does so at time <math>t</math>, and<br />
* the network is <math>\delta</math>-synchronous at times <math>t</math> and <math>t+\delta+\Delta_\mathrm{m}(0)</math>.<br />
Then the block proposed by <math>P</math> in round <math>h</math> will be finalized.<br />
<br />
Here is a proof of the liveness invariant:<br />
# Under partial synchrony at time <math>t</math>, all honest replicas will enter round <math>h</math> before time <math>t+\delta</math> (the notarization that ended round <math>h-1</math> for <math>Q</math>, as well as the necessary round <math>h</math> random beacon shares, will arrive at all honest replicas before this time).<br />
# The leader <math>P</math> in round <math>h</math> will propose a block <math>B</math> before time <math>t+\delta+\Delta_\mathrm{m}(0)</math>, and again by partial synchrony, this block proposal will be delivered to all other replicas before time <math>t+2\delta+\Delta_\mathrm{m}(0)</math>. <br />
# Since <math>\Delta_\mathrm{n}(1) \ge \Delta_\mathrm{m}(0) + 2\delta</math>, the protocol logic guarantees that each honest replica supports the notarization of block <math>B</math> and no other block, and thus <math>B</math> will become notarized and finalized. <br />
<br />
==Other issues==<br />
<br />
===Growth latency===<br />
<br />
Under a partial synchrony assumption, we can also formulate and prove<br />
a quantitative version of the growth invariant.<br />
For simplicity, assume that the delay functions are defined<br />
as recommended above: <math>\Delta_\textrm{m}(r) = 2 \delta r</math><br />
and<br />
<math>\Delta_\textrm{n}(r) = 2 \delta r + \epsilon</math>,<br />
and further assume that <math>\epsilon \le \delta</math>.<br />
Suppose that at time <math>t</math>, the highest numbered round entered<br />
by any honest replica is <math>h</math>.<br />
Let <math>r^*</math> be the rank of the lowest ranked <br />
honest replica <math>P^*</math> in round <math>h</math>.<br />
Finally, suppose that the network is <math>\delta</math>-synchronous<br />
at all times in the interval <math>[t,t+(3r^*+2)\delta]</math>.<br />
Then all honest replicas will finish round <math>h</math> before time<br />
<math>t+3(r^*+1)\delta</math>.<br />
<br />
===Locally adjusted delay functions===<br />
<br />
When a replica does not see any finalized blocks for several rounds, it will <br />
start increasing its own delay function <math>\Delta_\textrm{n}</math><br />
for notarization.<br />
Replicas need not agree on these locally adjusted notarization delay functions.<br />
<br />
Also, while replicas do not explicitly adjust the delay function <br />
<math>\Delta_\textrm{n}</math>, we can mathematically model local clock drift <br />
by locally adjusting both delay functions.<br />
<br />
Thus, there are many delay fucntions,<br />
parameterized by replica and round.<br />
The critical condition <math>\Delta_\mathrm{n}(1) \ge \Delta_\mathrm{m}(0) + 2\delta</math> needed for liveness then becomes<br />
<math>\max \Delta_\mathrm{n}(1) \ge \min \Delta_\mathrm{m}(0) + 2\delta</math>,<br />
where the <math>\max</math> and <math>\min</math> are taken over all the honest replicas in a given round.<br />
Thus, if finalization fails for enough rounds, all honest replicas<br />
will eventually increase their notarization delay until this holds and finalization<br />
will then resume.<br />
If some honest replicas increase their notarization latency function<br />
more than other replicas, there no penalty in terms of liveness<br />
(but there may be in terms of growth latency).<br />
<br />
<br />
===Fairness===<br />
<br />
Another property that is important in consensus protocols is <b>fairness</b>.<br />
Rather than give a general definition, we simply observe that <br />
the liveness invariant also implies a useful fairness property.<br />
Recall that the liveness invariant basically says that in any round<br />
where the leader is honest and the network is synchronous, <br />
then the block proposed by the leader will be finalized.<br />
In those rounds where this happens, the fact that the leader is<br />
honest ensures that it will include in the payload of its block<br />
all of the transaction requests it knows about (modulo limits on<br />
the payload size).<br />
So, very roughly speaking, <br />
any transaction request that is disseminated to enough<br />
replicas will be included in a finalized block in a reasonable amount<br />
of time with high probability.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=453IC consensus layer2021-11-11T17:29:35Z<p>VictorShoup: </p>
<hr />
<div><br />
The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is designed to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
==Assumptions==<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically synchronous<br />
for short intervals of time.<br />
In such intervals of synchrony, all undelivered <br />
messages will be delivered in less than time <math>\delta</math>,<br />
for some fixed bound <math>\delta</math>.<br />
The bound <math>\delta</math> does not have to be known in advance <br />
(the protocol is initialized with a reasonable bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
==Protocol overview==<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This pseudo-random process is implemented using a <b>random beacon</b> <br />
[[#Random Beacon|(see below)]].<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is synchronous,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not synchronous,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
Even if the protocol proceeds for a few rounds without extending the<br />
finalized path, the height of the tree will continue to grow<br />
with each round, so that when the finalized path is extended in round <math>h</math>, <br />
the finalized path will be of length <math>h</math>.<br />
A consequence of this,<br />
even if the <i>latency</i> occasionally<br />
occasionally increases because of faulty replicas or unexpectedly <br />
high network latency,<br />
the <i>throughput</i> of the protocol<br />
remains essentially constant. <br />
<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol may proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
==Public keys==<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages<br />
sent by replicas.<br />
<br />
The protocol also uses the <br />
<b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
The protocol will use these multi-signatures<br />
for [[#Notarization|notarizations]] and [[#Finalization|finalization]],<br />
which are aggregations of <math>n-f</math> signatures on messages<br />
of a certain form.<br />
<br />
==Random Beacon==<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
==Block making==<br />
<br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity, and<br />
* the block maker's signature on <math>B</math>.<br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
==Notarization==<br />
<br />
A block is effectively added to the tree of blocks when it becomes <br />
<b>notarized</b>.<br />
For a block to become notarized, <br />
<math>n-f</math> <br />
distinct replicas must <b>support</b> its notarization.<br />
<br />
Given a proposed block <math>B</math> at height <math>h</math>,<br />
a replica will determine if the proposal is <b>valid</b>,<br />
which means that <math>B</math> has the syntactic form described above.<br />
In particular, <math>B</math> should contain the hash of <br />
a block <math>B'</math> of height <math>h'</math> that is already<br />
in the tree of blocks (i.e., already notarized).<br />
In addition, the payload of <math>B</math> must satisfy certain<br />
conditions (in particulat, all of the transaction requests in the payload<br />
must satisfy various constraints, but these constraints are unrelated<br />
to consensus).<br />
Also, the rank of the block maker (as recorded in the block <math>B</math>) <br />
must match<br />
the rank assigned in round <math>h</math> by the random beacon<br />
to the replica that proposed the block (as recorded in the block proposal) .<br />
<br />
If the block is valid and certain other constraints hold,<br />
the replica will <b>support</b> the notarization of the block<br />
by broadcasting a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity of the supporting replica, and<br />
* the supporting replica's signature on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Any set of <math>n-f</math> notarization shares on <math>B</math><br />
may be aggregated together to form a <br />
<b>notarization</b> for <math>B</math>,<br />
consisting of<br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the set of identities of the <math>n-f</math> supporting replicas,<br />
* an aggregation of the <math>n-f</math> signatures on the message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
<br />
As soon as a replica obtains a notarized block of height <math>h</math>,<br />
it will finish round <math>h</math>,<br />
and will subsequently not support the notarization of<br />
any other blocks at height <math>h</math>.<br />
At this point in time, such a replica will also relay this <br />
notarization to all other replicas.<br />
Note that this replica may have obtained the notarization either by<br />
(1) receiving it from another replica, or (2) aggregating <math>n-f</math><br />
notarization shares that it has received.<br />
<br />
<br />
The <b>growth invariant</b> states that each honest replica will <br />
eventually complete each round, so that the tree of notarized blocks<br />
continues to grow (and this holds only assuming asynchronous eventual delivery,<br />
and not partial synchrony).<br />
We prove the growth invariant <br />
[[#Proof of growth invariant|below]].<br />
<br />
<br />
<br />
==Finalization==<br />
<br />
There may be more than one <br />
notarized block at a given height <math>h</math>.<br />
However, if a block is <b>finalized</b>, then we can be sure that there<br />
is no other notarized block at height <math>h</math>. <br />
Let us call this the <b>safety invariant</b>.<br />
<br />
For a block to become finalized, <br />
<math>n-f</math> <br />
distinct replicas must support its finalization.<br />
Recall that round <math>h</math> ends for a replica when <br />
it obtains a notarized block <math>B</math> of height <math>h</math>.<br />
At that point in time, such a replica will <br />
check if it supported the notarization of any block at height <math>h</math><br />
<i>other</i> than block <math>B</math> (it may or may not have <br />
supported the notarization of <math>B</math> itself).<br />
If not, the replica will support the finalization of <math>B</math><br />
by broadcasting a <br />
<b>finalization share</b> for <math>B</math>.<br />
A finalization share has exactly the same format as a notarization share<br />
(but is tagged in such a way notarization shares<br />
and finalization shares cannot be confused with one another).<br />
Any set of <math>n-f</math> finalization shares on <math>B</math><br />
may be aggregated together to form a <b>finalization</b> for <math>B</math>,<br />
which has exactly the same format as a notarization<br />
(but again, is appropriately tagged).<br />
Any replica that obtains a finalized block will broadcast the finalization <br />
to all other replicas.<br />
<br />
We prove the safety invariant <br />
[[#Proof of safety invariant|below]].<br />
One consequence of the safety invariant is the following.<br />
Suppose two blocks <math>B</math> and <math>B'</math> are finalized,<br />
where <math>B</math> has height <math>h</math>, <math>B'</math> has height<br />
<math>h'\le h</math>.<br />
Then the safety invariant implies that the path <br />
in the tree of notarized blocks<br />
ending at <math>B'</math> is a prefix of the path ending at <math>B</math><br />
(if not, then there would be two notarized blocks at height <math>h'</math>,<br />
contradicting the finalization invariant). <br />
Thus, whenever a replica sees a finalized block <math>B</math>,<br />
it may view all ancestors of <math>B</math> as being <br />
<b>implicitly finalized</b>, and because of the<br />
safety invariant, the <b>safety property</b> is<br />
guaranteed to hold for these (explicitly and implicitly) finalized blocks.<br />
<br />
<br />
<br />
==Delay functions==<br />
<br />
The protocol makes use of two <b>delay functions</b>, <br />
<math>\Delta_\textrm{m}</math> and <math>\Delta_\textrm{n}</math>,<br />
which control<br />
the timing of block making and notarization activity.<br />
Both of these functions map the rank <math>r</math> of the proposing replica<br />
no a nonnegative delay amount,<br />
and it is assumed that each function is monotonely increasing in <math>r</math>,<br />
and that <br />
<math>\Delta_\textrm{m}(r) \le \Delta_\textrm{n}(r)</math><br />
for all <math>r = 0, \ldots, n-1</math>.<br />
The recommended definition of these functions is<br />
<math>\Delta_\textrm{m}(r) = 2 \delta r</math><br />
and<br />
<math>\Delta_\textrm{n}(r) = 2 \delta r + \epsilon</math>,<br />
where <math>\delta</math> is an upper bound on the time to deliver<br />
messages from one honest replica to another,<br />
and <math>\epsilon \ge 0</math> is a "governor" to keep the<br />
protocol from running too fast.<br />
With these definitions, liveness will be ensured in those<br />
rounds in which (1) the leader is honest, and (2) messages really<br />
are delivered between honest parties within time <math>\delta</math>.<br />
Indeed,<br />
if (1) and (2) both hold in a given round, then the block proposed<br />
by the leader in that round will be finalized.<br />
Let us call this the <b>liveness invariant</b>.<br />
We prove this <br />
[[#Proof of liveness invariant|below]].<br />
<br />
<br />
==Putting it all together==<br />
<br />
We now describe in more detail how the protocol works;<br />
specifically, we describe more precisely when a replica will<br />
propose a block and when a replica will support the notarization of a block. <br />
A given replica <math>P</math> will record the time at which it <br />
enters a given round <math>h</math>,<br />
which happens when it has obtained (1) some notarization for a <br />
block of height <math>h-1</math>, and (2) the random beacon for<br />
round <math>h</math>.<br />
Since the random beacon for round <math>h</math> has been determined,<br />
<math>P</math> can determine its own rank <math>r_P</math>, as well as the <br />
rank <math>r_Q</math> of each other replica <math>Q</math> <br />
for round <math>h</math>.<br />
<br />
===Random beacon details===<br />
<br />
As soon as a replica enters round <math>h</math>, it will generate and broadcast <br />
its share of the random beacon at round <math>h+1</math>.<br />
<br />
===Block making details===<br />
<br />
Replica <math>P</math> will only propose its own block <math>B_P</math><br />
provided (1) at least <math>\Delta_\textrm{m}(r_P)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no valid lower ranked block currently seen by <math>P</math>.<br />
<br />
Note that since <math>P</math> is guaranteed to have a notarized block<br />
of height <math>h-1</math><br />
when it enters round <math>h</math>, it can make its proposed<br />
block a child of this notarized block (or any other <br />
notarized block of height <math>h-1</math> that it may have).<br />
Also note that when <math>p</math> broadcasts its proposal for <math>B_P</math>,<br />
it must also ensure that it also has relayed the notarization of <br />
<math>B_P</math>'s parent to all replicas.<br />
<br />
Suppose a replica <math>Q</math> sees<br />
a valid block proposal from a replica <math>P</math><br />
of rank<br />
<math>r_P < r_Q</math><br />
such that<br />
(1) at least <math>\Delta_\textrm{m}(r_P)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no block of rank less than <math>r_P</math> <br />
currently seen by <math>Q</math>.<br />
Then at this point in time, if it has not already done so,<br />
<math>Q</math> will relay this block proposal<br />
(along with the notarization of the proposed block's parent) <br />
to all other replicas. <br />
<br />
===Notarization details===<br />
<br />
Replica <math>P</math> will support the notarization <br />
of a valid block <math>B_Q</math> proposed by a <br />
replica <math>Q</math> of rank <br />
<math>r_Q</math><br />
provided <br />
(1) at least <math>\Delta_\textrm{n}(r_Q)</math> time<br />
units have passed since the beginning of the round,<br />
and<br />
(2) there is no block of rank less than <math>r_Q</math> <br />
currently seen by <math>P</math>.<br />
<br />
===Proof of growth invariant===<br />
<br />
The growth invariant states that<br />
each honest replica will <br />
eventually complete each round.<br />
Assume that all honest replicas have started round <math>h</math>.<br />
Let <math>r^*</math> be the rank of the lowest ranked <br />
honest replica <math>P^*</math> in round <math>h</math>.<br />
Eventually, <math>P^*</math> will either (1) propose its own block,<br />
or (2) relay a valid block proposed by a lower ranked replica. <br />
In either case, some block must eventually be supported by all honest replicas,<br />
which means that some block will become notarized and all honest replicas<br />
will finish round <math>h</math>.<br />
<br />
<br />
===Proof of safety invariant===<br />
<br />
The <b>safety invariant</b> states that if a block is finalized in a given round,<br />
then no other block may be notarized in that round.<br />
Here is a proof of the safety invariant:<br />
# Suppose that the number of corrupt parties is exactly <math>f^* \le f < n/3</math>.<br />
# If a block <math>B</math> is finalized, then its finalization must have been supported by a set <math>S</math> of at least <math>n-f-f^*</math> honest replicas (by the security property for aggregate signatures). <br />
# Suppose (by way of contradction) that another block <math>B' \ne B</math> were notarized. Then its notarization must have been supported by a set <math>S'</math> of at least <math>n-f-f^*</math> honest replicas (again, by the security property for aggregate signatures).<br />
# The sets <math>S</math> and <math>S'</math> are disjoint (by the finalization logic).<br />
# Therefore, <math>n-f^* \ge |S \cup S'| = |S| + |S'| \ge 2 (n-f-f^*)</math>, which implies <math>n \le 3f</math>, a contradiction.<br />
<br />
===Proof of liveness invariant===<br />
<br />
We say that the network is <br />
<b><math>\delta</math>-synchronous at time <math>t</math></b> if <br />
if all messages that have been sent by honest replicas at or before time <math>t</math> arrive at their destinations before time <math>t</math>.<br />
<br />
The <b>liveness invariant</b> may be stated as follows.<br />
Suppose that <math>\Delta_\mathrm{n}(1) \ge \Delta_\mathrm{m}(0) + 2\delta</math>.<br />
Also <br />
suppose that in a given round <math>h</math>, we have <br />
* the leader <math>P</math> in round <math>h</math> is honest,<br />
* the first honest replica <math>Q</math> to finish round <math>h-1</math> does so at time <math>t</math>, and<br />
* the network is <math>\delta</math>-synchronous at times <math>t</math> and <math>t+\delta</math>.<br />
Then the block proposed by <math>P</math> in round <math>h</math> will be finalized.<br />
<br />
Here is a proof of the liveness invariant:<br />
# Under partial synchrony at time <math>t</math>, all honest replicas will enter round <math>h</math> before time <math>t+\delta</math> (the notarization that ended round <math>h-1</math> for <math>Q</math>, as well as the necessary round <math>h</math> random beacon shares, will arrive at all honest replicas before this time).<br />
# The leader <math>P</math> in round <math>h</math> will propose a block <math>B</math> before time <math>t+\delta</math>, and again by partial synchrony, this block proposal will be delivered to all other replicas before time <math>t+2\delta</math>. <br />
# Since <math>\Delta_\mathrm{n}(1) \ge \Delta_\mathrm{m}(0) + 2\delta</math>, the protocol logic guarantees that each honest replica supports the notarization of block <math>B</math> and no other block, and thus <math>B</math> will become notarized and finalized. <br />
<br />
==Other issues==<br />
<br />
===Growth latency===<br />
<br />
Under a partial synchrony assumption, we can also formulate and prove<br />
a quantitative version of the growth invariant.<br />
For simplicity, assume that the delay functions are defined<br />
as recommended above: <math>\Delta_\textrm{m}(r) = 2 \delta r</math><br />
and<br />
<math>\Delta_\textrm{n}(r) = 2 \delta r + \epsilon</math>,<br />
and further assume that <math>\epsilon \le \delta</math>.<br />
Suppose that at time <math>t</math>, the highest numbered round entered<br />
by any honest replica is <math>h</math>.<br />
Let <math>r^*</math> be the rank of the lowest ranked <br />
honest replica <math>P^*</math> in round <math>h</math>.<br />
Finally, suppose that the network is <math>\delta</math>-synchronous<br />
at all times in the interval <math>[t,t+(3r^*+2)\delta]</math>.<br />
Then all honest replicas will finish round <math>h</math> before time<br />
<math>t+3(r^*+1)\delta</math>.<br />
<br />
===Locally adjusted delay functions===<br />
<br />
When a replica does not see any finalized blocks for several rounds, it will <br />
start increasing its own delay function <math>\Delta_\textrm{n}</math><br />
for notarization.<br />
Replicas need not agree on these locally adjusted notarization delay functions.<br />
<br />
Also, while replicas do not explicitly adjust the delay function <br />
<math>\Delta_\textrm{n}</math>, we can mathematically model local clock drift <br />
by locally adjusting both delay functions.<br />
<br />
Thus, there are many delay fucntions,<br />
parameterized by replica and round.<br />
The critical condition <math>\Delta_\mathrm{n}(1) \ge \Delta_\mathrm{m}(0) + 2\delta</math> needed for liveness then becomes<br />
<math>\max \Delta_\mathrm{n}(1) \ge \min \Delta_\mathrm{m}(0) + 2\delta</math>,<br />
where the <math>\max</math> and <math>\min</math> are taken over all the honest replicas in a given round.<br />
Thus, if finalization fails for enough rounds, all honest replicas<br />
will eventually increase their notarization delay until this holds and finalization<br />
will then resume.<br />
If some honest replicas increase their notarization latency function<br />
more than other replicas, there no penalty in terms of liveness<br />
(but there may be in terms of growth latency).<br />
<br />
<br />
===Fairness===<br />
<br />
Another property that is important in consensus protocols is <b>fairness</b>.<br />
Rather than give a general definition, we simply observe that <br />
the liveness invariant also implies a useful fairness property.<br />
Recall that the liveness invariant basically says that in any round<br />
where the leader is honest and the network is synchronous, <br />
then the block proposed by the leader will be finalized.<br />
In those rounds where this happens, the fact that the leader is<br />
honest ensures that it will include in the payload of its block<br />
all of the transaction requests it knows about (modulo limits on<br />
the payload size).<br />
So, very roughly speaking, <br />
any transaction request that is disseminated to enough<br />
replicas will be included in a finalized block in a reasonable amount<br />
of time with high probability.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=438IC consensus layer2021-11-11T17:01:34Z<p>VictorShoup: </p>
<hr />
<div><br />
The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is designed to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
==Assumptions==<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically synchronous<br />
for short intervals of time.<br />
In such intervals of synchrony, all undelivered <br />
messages will be delivered in less than time <math>\delta</math>,<br />
for some fixed bound <math>\delta</math>.<br />
The bound <math>\delta</math> does not have to be known in advance <br />
(the protocol is initialized with a reasonable bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
==Protocol overview==<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This pseudo-random process is implemented using a <b>random beacon</b> <br />
[[#Random Beacon|(see below)]].<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is synchronous,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not synchronous,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
Even if the protocol proceeds for a few rounds without extending the<br />
finalized path, the height of the tree will continue to grow<br />
with each round, so that when the finalized path is extended in round <math>h</math>, <br />
the finalized path will be of length <math>h</math>.<br />
A consequence of this,<br />
even if the <i>latency</i> occasionally<br />
occasionally increases because of faulty replicas or unexpectedly <br />
high network latency,<br />
the <i>throughput</i> of the protocol<br />
remains essentially constant. <br />
<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol may proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
==Public keys==<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages<br />
sent by replicas.<br />
<br />
The protocol also uses the <br />
<b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
The protocol will use these multi-signatures<br />
for [[#Notarization|notarizations]] and [[#Finalization|finalization]],<br />
which are aggregations of <math>n-f</math> signatures on messages<br />
of a certain form.<br />
<br />
==Random Beacon==<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
==Block making==<br />
<br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity, and<br />
* the block maker's signature on <math>B</math>.<br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
==Notarization==<br />
<br />
A block is effectively added to the tree of blocks when it becomes <br />
<b>notarized</b>.<br />
For a block to become notarized, <br />
<math>n-f</math> <br />
distinct replicas must <b>support</b> its notarization.<br />
<br />
Given a proposed block <math>B</math> at height <math>h</math>,<br />
a replica will determine if the proposal is <b>valid</b>,<br />
which means that <math>B</math> has the syntactic form described above.<br />
In particular, <math>B</math> should contain the hash of <br />
a block <math>B'</math> of height <math>h'</math> that is already<br />
in the tree of blocks (i.e., already notarized).<br />
In addition, the payload of <math>B</math> must satisfy certain<br />
conditions (in particulat, all of the transaction requests in the payload<br />
must satisfy various constraints, but these constraints are unrelated<br />
to consensus).<br />
Also, the rank of the block maker (as recorded in the block <math>B</math>) <br />
must match<br />
the rank assigned in round <math>h</math> by the random beacon<br />
to the replica that proposed the block (as recorded in the block proposal) .<br />
<br />
If the block is valid and certain other constraints hold,<br />
the replica will <b>support</b> the notarization of the block<br />
by broadcasting a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity of the supporting replica, and<br />
* the supporting replica's signature on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Any set of <math>n-f</math> notarization shares on <math>B</math><br />
may be aggregated together to form a <br />
<b>notarization</b> for <math>B</math>,<br />
consisting of<br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the set of identities of the <math>n-f</math> supporting replicas,<br />
* an aggregation of the <math>n-f</math> signatures on the message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
<br />
As soon as a replica obtains a notarized block of height <math>h</math>,<br />
it will finish round <math>h</math>,<br />
and will subsequently not support the notarization of<br />
any other blocks at height <math>h</math>.<br />
At this point in time, such a replica will also relay this <br />
notarization to all other replicas.<br />
Note that this replica may have obtained the notarization either by<br />
(1) receiving it from another replica, or (2) aggregating <math>n-f</math><br />
notarization shares that it has received.<br />
<br />
<br />
The <b>growth invariant</b> states that each honest replica will <br />
eventually complete each round, so that the tree of notarized blocks<br />
continues to grow (and this holds only assuming asynchronous eventual delivery,<br />
and not partial synchrony).<br />
We prove the growth invariant <br />
[[#Proof of growth invariant|below]].<br />
<br />
<br />
<br />
==Finalization==<br />
<br />
There may be more than one <br />
notarized block at a given height <math>h</math>.<br />
However, if a block is <b>finalized</b>, then we can be sure that there<br />
is no other notarized block at height <math>h</math>. <br />
Let us call this the <b>safety invariant</b>.<br />
<br />
For a block to become finalized, <br />
<math>n-f</math> <br />
distinct replicas must support its finalization.<br />
Recall that round <math>h</math> ends for a replica when <br />
it obtains a notarized block <math>B</math> of height <math>h</math>.<br />
At that point in time, such a replica will <br />
check if it supported the notarization of any block at height <math>h</math><br />
<i>other</i> than block <math>B</math> (it may or may not have <br />
supported the notarization of <math>B</math> itself).<br />
If not, the replica will support the finalization of <math>B</math><br />
by broadcasting a <br />
<b>finalization share</b> for <math>B</math>.<br />
A finalization share has exactly the same format as a notarization share<br />
(but is tagged in such a way notarization shares<br />
and finalization shares cannot be confused with one another).<br />
Any set of <math>n-f</math> finalization shares on <math>B</math><br />
may be aggregated together to form a <b>finalization</b> for <math>B</math>,<br />
which has exactly the same format as a notarization<br />
(but again, is appropriately tagged).<br />
Any replica that obtains a finalized block will broadcast the finalization <br />
to all other replicas.<br />
<br />
We prove the safety invariant <br />
[[#Proof of safety invariant|below]].<br />
One consequence of the safety invariant is the following.<br />
Suppose two blocks <math>B</math> and <math>B'</math> are finalized,<br />
where <math>B</math> has height <math>h</math>, <math>B'</math> has height<br />
<math>h'\le h</math>.<br />
Then the safety invariant implies that the path <br />
in the tree of notarized blocks<br />
ending at <math>B'</math> is a prefix of the path ending at <math>B</math><br />
(if not, then there would be two notarized blocks at height <math>h'</math>,<br />
contradicting the finalization invariant). <br />
Thus, whenever a replica sees a finalized block <math>B</math>,<br />
it may view all ancestors of <math>B</math> as being <br />
<b>implicitly finalized</b>, and because of the<br />
safety invariant, the <b>safety property</b> is<br />
guaranteed to hold for these (explicitly and implicitly) finalized blocks.<br />
<br />
<br />
<br />
==Delay functions==<br />
<br />
The protocol makes use of two <b>delay functions</b>, <br />
<math>\Delta_\textrm{m}</math> and <math>\Delta_\textrm{n}</math>,<br />
which control<br />
the timing of block making and notarization activity.<br />
Both of these functions map the rank <math>r</math> of the proposing replica<br />
no a nonnegative delay amount,<br />
and it is assumed that each function is monotonely increasing in <math>r</math>,<br />
and that <br />
<math>\Delta_\textrm{m}(r) \le \Delta_\textrm{n}(r)</math><br />
for all <math>r = 0, \ldots, n-1</math>.<br />
The recommended definition of these functions is<br />
<math>\Delta_\textrm{m}(r) = 2 \delta r</math><br />
and<br />
<math>\Delta_\textrm{n}(r) = 2 \delta r + \epsilon</math>,<br />
where <math>\delta</math> is an upper bound on the time to deliver<br />
messages from one honest replica to another,<br />
and <math>\epsilon \ge 0</math> is a "governor" to keep the<br />
protocol from running too fast.<br />
With these definitions, liveness will be ensured in those<br />
rounds in which (1) the leader is honest, and (2) messages really<br />
are delivered between honest parties within time <math>\delta</math>.<br />
Indeed,<br />
if (1) and (2) both hold in a given round, then the block proposed<br />
by the leader in that round will be finalized.<br />
Let us call this the <b>liveness invariant</b>.<br />
We prove this <br />
[[#Proof of liveness invariant|below]].<br />
<br />
<br />
==Putting it all together==<br />
<br />
We now describe in more detail how the protocol works;<br />
specifically, we describe more precisely when a replica will<br />
propose a block and when a replica will support the notarization of a block. <br />
A given replica <math>P</math> will record the time at which it <br />
enters a given round <math>h</math>,<br />
which happens when it has obtained (1) some notarization for a <br />
block of height <math>h-1</math>, and (2) the random beacon for<br />
round <math>h</math>.<br />
Since the random beacon for round <math>h</math> has been determined,<br />
<math>P</math> can determine its own rank <math>r_P</math>, as well as the <br />
rank <math>r_Q</math> of each other replica <math>Q</math> <br />
for round <math>h</math>.<br />
<br />
===Random beacon details===<br />
<br />
As soon as a replica enters round <math>h</math>, it will generate and broadcast <br />
its share of the random beacon at round <math>h+1</math>.<br />
<br />
===Block making details===<br />
<br />
Replica <math>P</math> will only propose its own block <math>B_P</math><br />
provided (1) at least <math>\Delta_\textrm{m}(r_P)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no valid lower ranked block currently seen by <math>P</math>.<br />
<br />
Note that since <math>P</math> is guaranteed to have a notarized block<br />
of height <math>h-1</math><br />
when it enters round <math>h</math>, it can make its proposed<br />
block a child of this notarized block (or any other <br />
notarized block of height <math>h-1</math> that it may have).<br />
Also note that when <math>p</math> broadcasts its proposal for <math>B_P</math>,<br />
it must also ensure that it also has relayed the notarization of <br />
<math>B_P</math>'s parent to all replicas.<br />
<br />
Suppose a replica <math>Q</math> sees<br />
a valid block proposal from a replica <math>P</math><br />
of rank<br />
<math>r_P < r_Q</math><br />
such that<br />
(1) at least <math>\Delta_\textrm{m}(r_P)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no block of rank less than <math>r_P</math> <br />
currently seen by <math>Q</math>.<br />
Then at this point in time, if it has not already done so,<br />
<math>Q</math> will relay this block proposal<br />
(along with the notarization of the proposed block's parent) <br />
to all other replicas. <br />
<br />
===Notarization details===<br />
<br />
Replica <math>P</math> will support the notarization <br />
of a valid block <math>B_Q</math> proposed by a <br />
replica <math>Q</math> of rank <br />
<math>r_Q</math><br />
provided <br />
(1) at least <math>\Delta_\textrm{n}(r_Q)</math> time<br />
units have passed since the beginning of the round,<br />
and<br />
(2) there is no block of rank less than <math>r_Q</math> <br />
currently seen by <math>P</math>.<br />
<br />
===Proof of growth invariant===<br />
<br />
The growth invariant states that<br />
each honest replica will <br />
eventually complete each round.<br />
Assume that all honest replicas have started round <math>h</math>.<br />
Let <math>r^*</math> be the rank of the lowest ranked <br />
honest replica <math>P^*</math> in round <math>h</math>.<br />
Eventually, <math>P^*</math> will either (1) propose its own block,<br />
or (2) relay a valid block proposed by a lower ranked replica. <br />
In either case, some block must eventually be supported by all honest replicas,<br />
which means that some block will become notarized and all honest replicas<br />
will finish round <math>h</math>.<br />
<br />
<br />
===Proof of safety invariant===<br />
<br />
The <b>safety invariant</b> states that if a block is finalized in a given round,<br />
then no other block may be notarized in that round.<br />
Here is a proof of the safety invariant:<br />
# Suppose that the number of corrupt parties is exactly <math>f^* \le f < n/3</math>.<br />
# If a block <math>B</math> is finalized, then its finalization must have been supported by a set <math>S</math> of at least <math>n-f-f^*</math> honest replicas (by the security property for aggregate signatures). <br />
# Suppose (by way of contradction) that another block <math>B' \ne B</math> were notarized. Then its notarization must have been supported by a set <math>S'</math> of at least <math>n-f-f^*</math> honest replicas (again, by the security property for aggregate signatures).<br />
# The sets <math>S</math> and <math>S'</math> are disjoint (by the finalization logic).<br />
# Therefore, <math>n-f^* \ge |S \cup S'| = |S| + |S'| \ge 2 (n-f-f^*)</math>, which implies <math>n \le 3f</math>, a contradiction.<br />
<br />
===Proof of liveness invariant===<br />
<br />
We say that the network is <br />
<b><math>\delta</math>-synchronous at time <math>t</math></b> if <br />
if all messages that have been sent by honest replicas at or before time <math>t</math> arrive at their destinations before time <math>t</math>.<br />
<br />
The <b>liveness invariant</b> may be stated as follows.<br />
Suppose that <math>\Delta_\mathrm{n}(1) \ge \Delta_\mathrm{m}(0) + 2\delta</math>.<br />
Also <br />
suppose that in a given round <math>h</math>, we have <br />
* the leader <math>P</math> in round <math>h</math> is honest,<br />
* the first honest replica <math>Q</math> to finish round <math>h-1</math> does so at time <math>t</math>, and<br />
* the network is <math>\delta</math>-synchronous at times <math>t</math> and <math>t+\delta</math>.<br />
Then the block proposed by <math>P</math> in round <math>h</math> will be finalized.<br />
<br />
Here is a proof of the liveness invariant:<br />
# Under partial synchrony at time <math>t</math>, all honest replicas will enter round <math>h</math> before time <math>t+\delta</math> (the notarization that ended round <math>h-1</math> for <math>Q</math>, as well as the necessary round <math>h</math> random beacon shares, will arrive at all honest replicas before this time).<br />
# The leader <math>P</math> in round <math>h</math> will propose a block <math>B</math> before time <math>t+\delta</math>, and again by partial synchrony, this block proposal will be delivered to all other replicas before time <math>t+2\delta</math>. <br />
# Since <math>\Delta_\mathrm{n}(1) \ge \Delta_\mathrm{m}(0) + 2\delta</math>, the protocol logic guarantees that each honest replica supports the notarization of block <math>B</math> and no other block, and thus <math>B</math> will become notarized and finalized. <br />
<br />
==Other issues==<br />
<br />
===Growth latency===<br />
<br />
Under a partial synchrony assumption, we can also formulate and prove<br />
a quantitative version of the growth invariant.<br />
For simplicity, assume that the delay functions are defined<br />
as recommended above: <math>\Delta_\textrm{m}(r) = 2 \delta r</math><br />
and<br />
<math>\Delta_\textrm{n}(r) = 2 \delta r + \epsilon</math>,<br />
and further assume that <math>\epsilon \le \delta</math>.<br />
Suppose that at time <math>t</math>, the highest numbered round entered<br />
by any honest replica is <math>h</math>.<br />
Let <math>r^*</math> be the rank of the lowest ranked <br />
honest replica <math>P^*</math> in round <math>h</math>.<br />
Finally, suppose that the network is <math>\delta</math>-synchronous<br />
at all times in the interval <math>[t,t+(3r^*+2)\delta]</math>.<br />
Then all honest replicas will finish round <math>h</math> before time<br />
<math>t+3(r^*+1)\delta</math>.<br />
<br />
===Locally adjusted delay functions===<br />
<br />
When a replica does not see any finalized blocks for several rounds, it will <br />
start increasing its own delay function <math>\Delta_\textrm{n}</math><br />
for notarization.<br />
Replicas need not agree on these locally adjusted notarization delay functions.<br />
<br />
Also, while replicas do not explicitly adjust the delay function <br />
<math>\Delta_\textrm{n}</math>, we can mathematically model local clock drift <br />
by locally adjusting both delay functions.<br />
<br />
Thus, there are many delay fucntions,<br />
parameterized by replica and round.<br />
The critical condition <math>\Delta_\mathrm{n}(1) \ge \Delta_\mathrm{m}(0) + 2\delta</math> needed for liveness then becomes<br />
<math>\max \Delta_\mathrm{n}(1) \ge \min \Delta_\mathrm{m}(0) + 2\delta</math>,<br />
where the <math>\max</math> and <math>\min</math> are taken over all the honest replicas in a given round.<br />
Thus, if finalization fails for enough rounds, all honest replicas<br />
will eventually increase their notarization delay until this holds and finalization<br />
will then resume.<br />
If some honest replicas increase their notarization latency function<br />
more than other replicas, there no penalty in terms of liveness<br />
(but there may be in terms of growth latency).</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=432IC consensus layer2021-11-10T23:40:53Z<p>VictorShoup: </p>
<hr />
<div>The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is designed to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
==Assumptions==<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically synchronous<br />
for short intervals of time.<br />
In such intervals of synchrony, all undelivered <br />
messages will be delivered in less than time <math>\delta</math>,<br />
for some fixed bound <math>\delta</math>.<br />
The bound <math>\delta</math> does not have to be known in advance <br />
(the protocol is initialized with a reasonable bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
==Protocol overview==<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This pseudo-random process is implemented using a <b>random beacon</b> <br />
[[#Random Beacon|(see below)]].<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is synchronous,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not synchronous,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
Even if the protocol proceeds for a few rounds without extending the<br />
finalized path, the height of the tree will continue to grow<br />
with each round, so that when the finalized path is extended in round <math>h</math>, <br />
the finalized path will be of length <math>h</math>.<br />
A consequence of this,<br />
even if the <i>latency</i> occasionally<br />
occasionally increases because of faulty replicas or unexpectedly <br />
high network latency,<br />
the <i>throughput</i> of the protocol<br />
remains essentially constant. <br />
<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol may proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
==Public keys==<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages<br />
sent by replicas.<br />
The protocol also uses the <br />
<b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
<br />
==Random Beacon==<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
==Block making==<br />
<br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity, and<br />
* the block maker's signature on <math>B</math>.<br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
==Notarization==<br />
<br />
A block is effectively added to the tree of blocks when it becomes <br />
<b>notarized</b>.<br />
For a block to become notarized, <br />
<math>2f+1</math> <br />
distinct replicas must <b>support</b> its notarization.<br />
<br />
Given a proposed block <math>B</math> at height <math>h</math>,<br />
a replica will determine if the proposal is <b>valid</b>,<br />
which means that <math>B</math> has the syntactic form described above.<br />
In particular, <math>B</math> should contain the hash of <br />
a block <math>B'</math> of height <math>h'</math> that is already<br />
in the tree of blocks (i.e., already notarized).<br />
In addition, the payload of <math>B</math> must satisfy certain<br />
conditions (in particulat, all of the transaction requests in the payload<br />
must satisfy various constraints, but these constraints are unrelated<br />
to consensus).<br />
Also, the rank of the block maker (as recorded in the block <math>B</math>) <br />
must match<br />
the rank assigned in round <math>h</math> by the random beacon<br />
to the replica that proposed the block (as recorded in the block proposal) .<br />
<br />
If the block is valid and certain other constraints hold,<br />
the replica will <b>support</b> the notarization of the block<br />
by broadcasting a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity of the supporting replica, and<br />
* the supporting replica's signature on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Any set of <math>2f+1</math> notarization shares on <math>B</math><br />
may be aggregated together to form a <br />
<b>notarization</b> for <math>B</math>,<br />
consisting of<br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the set of identities of the <math>2f+1</math> supporting replicas,<br />
* an aggregation of the <math>2f+1</math> signatures on the message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Each replica will finish round <math>h</math><br />
as soon as it obtains a notarized block of height <math>h</math>,<br />
and will not subsequently support the notarization of<br />
any other blocks at height <math>h</math>.<br />
At this point in time, such a replica will also broadcast this <br />
notarization to all other replicas.<br />
<br />
<br />
<br />
<br />
==Finalization==<br />
<br />
There may be more than one <br />
notarized block at a given height <math>h</math>.<br />
However, if a block is <b>finalized</b>, then we can be sure that there<br />
is no other notarized block at height <math>h</math>. <br />
Let us call this the <b>safety invariant</b>.<br />
<br />
For a block to become finalized, <br />
<math>2f+1</math> <br />
distinct replicas must support its finalization.<br />
Recall that round <math>h</math> ends for a replica when <br />
it obtains a notarized block <math>B</math> of height <math>h</math>.<br />
At that point in time, such a replica will <br />
check if it supported the notarization of any block at height <math>h</math><br />
<i>other</i> than block <math>B</math> (it may or may not have <br />
supported the notarization of <math>B</math> itself).<br />
If not, the replica will support the finalization of <math>B</math><br />
by broadcasting a <br />
<b>finalization share</b> for <math>B</math>.<br />
A finalization share has exactly the same format as a notarization share<br />
(but is tagged in such a way notarization shares<br />
and finalization shares cannot be confused with one another).<br />
Any set of <math>2f+1</math> finalization shares on <math>B</math><br />
may be aggregated together to form a <b>finalization</b> for <math>B</math>,<br />
which has exactly the same format as a notarization<br />
(but again, is appropriately tagged).<br />
Any replica that obtains a finalized block will broadcast the finalization <br />
to all other replicas.<br />
<br />
We prove the safety invariant <br />
[[#Proof of safety invariant|below]].<br />
One consequence of the safety invariant is the following.<br />
Suppose two blocks <math>B</math> and <math>B'</math> are finalized,<br />
where <math>B</math> has height <math>h</math>, <math>B'</math> has height<br />
<math>h'\le h</math>.<br />
Then the safety invariant implies that the path <br />
in the tree of notarized blocks<br />
ending at <math>B'</math> is a prefix of the path ending at <math>B</math><br />
(if not, then there would be two notarized blocks at height <math>h'</math>,<br />
contradicting the finalization invariant). <br />
Thus, whenever a replica sees a finalized block <math>B</math>,<br />
it may view all ancestors of <math>B</math> as being <br />
<b>implicitly finalized</b>, and because of the<br />
safety invariant, the <b>safety property</b> is<br />
guaranteed to hold for these (explicitly and implicitly) finalized blocks.<br />
<br />
<br />
<br />
==Delay functions==<br />
<br />
The protocol makes use of two <b>delay functions</b>, <br />
<math>\Delta_\textrm{m}</math> and <math>\Delta_\textrm{n}</math>,<br />
which control<br />
the timing of block making and notarization activity.<br />
Both of these functions map the rank <math>r</math> of the proposing replica<br />
no a nonnegative delay amount,<br />
and it is assumed that each function is monotonely increasing in <math>r</math>,<br />
and that <br />
<math>\Delta_\textrm{m}(r) \le \Delta_\textrm{n}(r)</math><br />
for all <math>r = 0, \ldots, n-1</math>.<br />
The recommended definition of these functions is<br />
<math>\Delta_\textrm{m}(r) = 2 \delta r</math><br />
and<br />
<math>\Delta_\textrm{n}(r) = 2 \delta r + \epsilon</math>,<br />
where <math>\delta</math> is an upper bound on the time to deliver<br />
messages from one honest replica to another,<br />
and <math>\epsilon \ge 0</math> is a "governor" to keep the<br />
protocol from running too fast.<br />
With these definitions, liveness will be ensured in those<br />
rounds in which (1) the leader is honest, and (2) messages really<br />
are delivered between honest parties within time <math>\delta</math>.<br />
Indeed,<br />
if (1) and (2) both hold in a given round, then the block proposed<br />
by the leader in that round will be finalized.<br />
Let us call this the <b>liveness invariant</b>.<br />
We prove this <br />
[[#Proof of liveness invariant|below]].<br />
<br />
<br />
==Putting it all together==<br />
<br />
We now describe in more detail how the protocol works;<br />
specifically, we describe more precisely when a replica will<br />
propose a block and when a replica will support the notarization of a block. <br />
A given replica <math>P</math> will record the time at which it <br />
enters a given round <math>h</math>,<br />
which happens when it has obtained (1) some notarization for a <br />
block of height <math>h-1</math>, and (2) the random beacon for<br />
round <math>h</math>.<br />
Since the random beacon for round <math>h</math> has been determined,<br />
<math>P</math> can determine its own rank <math>r_P</math>, as well as the <br />
rank <math>r_Q</math> of each other replica <math>Q</math> <br />
for round <math>h</math>.<br />
<br />
===Block making===<br />
<br />
Replica <math>P</math> will only propose its own block <math>B_P</math><br />
provided (1) at least <math>\Delta_\textrm{m}(r_P)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no valid lower ranked block currently seen by <math>P</math>.<br />
<br />
Note that since <math>P</math> is guaranteed to have a notarized block<br />
of height <math>h-1</math><br />
when it enters round <math>h</math>, it can make its proposed<br />
block a child of this notarized block (or any other <br />
notarized block of height <math>h-1</math> that it may have).<br />
<br />
===Notarization===<br />
<br />
Replica <math>P</math> will support the notarization <br />
of a valid block <math>B_Q</math> proposed by a <br />
replica <math>Q</math> of rank <br />
<math>r_Q</math><br />
provided <br />
(1) at least <math>\Delta_\textrm{n}(r_Q)</math> time<br />
units have passed since the beginning of the round,<br />
and<br />
(2) there is no block of rank less than <math>r_Q</math> <br />
currently seen by <math>P</math>.<br />
<br />
===Block proposal relay===<br />
<br />
<br />
Suppose <math>P</math> sees<br />
a valid block proposal that is proposed by a <br />
replica <math>Q</math> of rank <br />
<math>r_Q < r_P</math><br />
such that<br />
(1) at least <math>\Delta_\textrm{m}(r_Q)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no block of rank less than <math>r_Q</math> <br />
currently seen by <math>P</math>.<br />
Then at this point in time, if it has not already done so,<br />
<math>P</math> will broadcast this block proposal to all other replicas. <br />
<br />
===Proof of liveness invariant===<br />
<br />
Here is a proof of the liveness invariant:<br />
# Suppose the first honest <math>Q</math> replica finishes round <math>h-1</math> at time <math>t</math>.<br />
# Under partial synchrony at time <math>t</math>, all honest replicas will enter round <math>h</math> before time <math>t+\delta</math> (the notarization that ended round <math>h-1</math> for <math>Q</math>, as well as the necessary round <math>h</math> random beacon shares, will arrive at all honest replicas before this time).<br />
# The leader <math>P</math> in round <math>h</math> will propose a block <math>B</math> before time <math>t+\delta</math>, and again by partial synchrony, this block proposal will be delivered to all other replicas before time <math>t+2\delta</math>. <br />
# Assuming <math>\Delta_\mathrm{n}(1) \ge \Delta_\mathrm{m}(0) + 2\delta</math>, the protocol logic guarantees that each honest replicas support the notarization of block <math>B</math> and no other block, and thus <math>B</math> will become notarized and finalized. <br />
<br />
<br />
===Proof of safety invariant===<br />
<br />
Here is a proof of the safety invariant:<br />
# Suppose that the number of corrupt parties is exactly <math>f^* \le f < n/3</math>.<br />
# If a block <math>B</math> is finalized, then its finalization must have been supported by a set <math>S</math> of at least <math>n-f-f^*</math> honest replicas (by the security property for aggregate signatures). <br />
# Suppose (by way of contradction) that another block <math>B' \ne B</math> were notarized. Then its notarization must have been supported by a set <math>S'</math> of at least <math>n-f-f^*</math> honest replicas (again, by the security property for aggregate signatures).<br />
# The sets <math>S</math> and <math>S'</math> are disjoint (by the finalization logic).<br />
# Therefore, <math>n-f^* \ge |S \cup S'| = |S| + |S'| \ge 2 (n-f-f^*)</math>, which implies <math>n \le 3f</math>, a contradiction.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=The_Internet_Computer_for_Computer_Scientists&diff=431The Internet Computer for Computer Scientists2021-11-10T20:55:22Z<p>VictorShoup: </p>
<hr />
<div>To a first approximation, the IC (Internet Computer) is a network of <br />
[[wikipedia:state machine replication|replicated state machines]].<br />
<br />
Each replicated state machine comprises a <b>subnet</b> of <b>replicas</b>.<br />
Subnets may communicate with one another,<br />
but otherwise they operate (for the most part) independently of each other.<br />
<br />
As in any replicated state machine, a series of <b>transaction requests</b> is processed.<br />
A transaction request may come from either an external client<br />
or from another state machine in the IC.<br />
The replicas in a subnet must run a <b>[[wikipedia:Consensus_(computer_science)|consensus protocol]]</b> to order the<br />
incoming transaction requests, so that each replica processes the transaction requests in the same order.<br />
Each replica processes the transaction requests in the agreed-upon order.<br />
In processing a transaction request, each replica will update its internal <b>state</b> <br />
according to a deterministic function that maps the pair (current state, transaction request) to a new state.<br />
Because all replicas in a subnet process transaction requests in the same order, <br />
their internal states will evolve over time in exactly the same way.<br />
In response to processing a transaction, a subnet may also generate an outgoing message,<br />
which can be sent to either an external client or to another state machine in the IC.<br />
<br />
The reason for using a replicated state machine, rather than just a single state machine,<br />
is to achieve [[wikipedia:fault tolerance|fault tolerance]]: a subnet should continue <br />
to function &mdash; and to function <i>correctly</i> &mdash; even if some replicas are <b>faulty</b>.<br />
Generally in this area, one considers two types of replica failures: <b>crash failure</b> and <br />
<b>[[wikipedia:Byzantine_fault|Byzantine failures]]</b>.<br />
A <b>crash failure</b> occurs when a replica abruptly stops and does not resume. <b>Byzantine failures</b> are failures in which a replica may deviate in an arbitrary way from its prescribed protocol. Moreover, with Byzantine failures, one or possibly several replicas may be directly under the control of a malicious adversary.<br />
Of the two types of failures, Byzantine failures are potentially far more disruptive.<br />
<br />
Protocols for consensus and for implementing replicated state machines typically make assumptions<br />
about <b>how many</b> replicas may be faulty and to <b>to what degree</b> (crash or Byzantine) they may be faulty.<br />
In the IC, the assumption is that if a given subnet has <math>n</math> replicas, then less than <math>n/3</math><br />
of these replicas are faulty and these faults may be Byzantine.<br />
(Note that the different subnets in the IC may have different sizes.)<br />
<br />
Protocols for consensus and for implementing replicated state machines also typically make<br />
assumptions about the <b>communication model</b>, which characterizes the ability of an adversary <br />
to delay the delivery of messages between replicas.<br />
At opposite ends of the spectrum, we have the following models:<br />
* In the <b>synchronous model</b>, there exists some known finite time bound <math>\delta</math>, such that for any message sent, it will be delivered in less than time <math>\delta</math>.<br />
* In the <b>asynchronous model</b>, for any message sent, the adversary can delay its delivery by any finite amount of time, so that there is no bound on the time to deliver a message; however, each message must <b>eventually</b> be delivered.<br />
<br />
<br />
Since the replicas in an IC-subnet are typically distributed around the globe, a synchronous communication model would be highly unrealistic.<br />
In this setting, the most robust model is the asynchronous model.<br />
Unfortunately, there are no known consensus protocols in this model that are truly practical.<br />
So like most other practical Byzantine fault tolerant systems that cannot rely on synchronous communication,<br />
the IC opts for a compromise: a <b>partial synchrony</b> communication model.<br />
Such partial synchrony models can be formulated in various ways.<br />
The partial synchrony assumption used by the IC says, roughly speaking,<br />
that for each subnet, communication among replicas in that subnet is periodically synchronous for short intervals of time;<br />
moreover, the synchrony bound <math>\delta</math> does not need to be known in advance.<br />
This partial synchrony assumption is only needed to ensure that the consensus protocol makes progress<br />
(the so-called liveness property) &mdash; it is not needed to ensure correct behavior of consensus<br />
(the so-called safety property), nor is it needed anywhere else in the IC protocol stack.<br />
<br />
Under the assumption of partial synchrony and Byzantine faults, it is known that our bound of <math>f < n/3</math><br />
on the number of faults is optimal.<br />
<br />
Related topics:<br />
* [[IC architecture overview]]<br />
* [[IC canisters]]<br />
* [[IC network nervous system (NNS)]]<br />
* [[IC threshold signatures and distributed key generation]]<br />
* [[IC crossnet communication]]<br />
* [[IC catchup packages]]<br />
* [[IC fault model]]<br />
* [[IC tokens]]</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=The_Internet_Computer_for_Computer_Scientists&diff=430The Internet Computer for Computer Scientists2021-11-10T20:54:43Z<p>VictorShoup: </p>
<hr />
<div>To a first approximation, the IC (Internet Computer) is a network of <br />
[[wikipedia:state machine replication|replicated state machines]].<br />
<br />
Each replicated state machine comprises a <b>subnet</b> of <b>replicas</b>.<br />
Subnets may communicate with one another,<br />
but otherwise they operate (for the most part) independently of each other.<br />
<br />
As in any replicated state machine, a series of <b>transaction requests</b> is processed.<br />
A transaction request may come from either an external client<br />
or from another state machine in the IC.<br />
The replicas in a subnet must run a <b>[[wikipedia:Consensus_(computer_science)|consensus protocol]]</b> to order the<br />
incoming transaction requests, so that each replica processes the transaction requests in the same order.<br />
Each replica processes the transaction requests in the agreed-upon order.<br />
In processing a transaction request, each replica will update its internal <b>state</b> <br />
according to a deterministic function that maps the pair (current state, transaction request) to a new state.<br />
Because all replicas in a subnet process transaction requests in the same order, <br />
their internal states will evolve over time in exactly the same way.<br />
In response to processing a transaction, a subnet may also generate an outgoing message,<br />
which can be sent to either an external client or to another state machine in the IC.<br />
<br />
The reason for using a replicated state machine, rather than just a single state machine,<br />
is to achieve [[wikipedia:fault tolerance|fault tolerance]]: a subnet should continue <br />
to function &mdash; and to function <i>correctly</i> &mdash; even if some replicas are <b>faulty</b>.<br />
Generally in this area, one considers two types of replica failures: <b>crash failure</b> and <br />
<b>[[wikipedia:Byzantine_fault|Byzantine failures]]</b>.<br />
A <b>crash failure</b> occurs when a replica abruptly stops and does not resume. <b>Byzantine failures</b> are failures in which a replica may deviate in an arbitrary way from its prescribed protocol. Moreover, with Byzantine failures, one or possibly several replicas may be directly under the control of a malicious adversary.<br />
Of the two types of failures, Byzantine failures are potentially far more disruptive.<br />
<br />
Protocols for consensus and for implementing replicated state machines typically make assumptions<br />
about <b>how many</b> replicas may be faulty and to <b>to what degree</b> (crash or Byzantine) they may be faulty.<br />
In the IC, the assumption is that if a given subnet has <math>n</math> replicas, then less than <math>n/3</math><br />
of these replicas are faulty and these faults may be Byzantine.<br />
(Note that the different subnets in the IC may have different sizes.)<br />
<br />
Protocols for consensus and for implementing replicated state machines also typically make<br />
assumptions about the <b>communication model</b>, which characterizes the ability of an adversary <br />
to delay the delivery of messages between replicas.<br />
At opposite ends of the spectrum, we have the following models:<br />
* In the <b>synchronous model</b>, there exists some known finite time bound <math>\delta</math>, such that for any message sent, it will be delivered in time less than <math>delta</math>.<br />
* In the <b>asynchronous model</b>, for any message sent, the adversary can delay its delivery by any finite amount of time, so that there is no bound on the time to deliver a message; however, each message must <b>eventually</b> be delivered.<br />
<br />
<br />
Since the replicas in an IC-subnet are typically distributed around the globe, a synchronous communication model would be highly unrealistic.<br />
In this setting, the most robust model is the asynchronous model.<br />
Unfortunately, there are no known consensus protocols in this model that are truly practical.<br />
So like most other practical Byzantine fault tolerant systems that cannot rely on synchronous communication,<br />
the IC opts for a compromise: a <b>partial synchrony</b> communication model.<br />
Such partial synchrony models can be formulated in various ways.<br />
The partial synchrony assumption used by the IC says, roughly speaking,<br />
that for each subnet, communication among replicas in that subnet is periodically synchronous for short intervals of time;<br />
moreover, the synchrony bound <math>\delta</math> does not need to be known in advance.<br />
This partial synchrony assumption is only needed to ensure that the consensus protocol makes progress<br />
(the so-called liveness property) &mdash; it is not needed to ensure correct behavior of consensus<br />
(the so-called safety property), nor is it needed anywhere else in the IC protocol stack.<br />
<br />
Under the assumption of partial synchrony and Byzantine faults, it is known that our bound of <math>f < n/3</math><br />
on the number of faults is optimal.<br />
<br />
Related topics:<br />
* [[IC architecture overview]]<br />
* [[IC canisters]]<br />
* [[IC network nervous system (NNS)]]<br />
* [[IC threshold signatures and distributed key generation]]<br />
* [[IC crossnet communication]]<br />
* [[IC catchup packages]]<br />
* [[IC fault model]]<br />
* [[IC tokens]]</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=The_Internet_Computer_for_Computer_Scientists&diff=429The Internet Computer for Computer Scientists2021-11-10T20:51:44Z<p>VictorShoup: </p>
<hr />
<div>To a first approximation, the IC (Internet Computer) is a network of <br />
[[wikipedia:state machine replication|replicated state machines]].<br />
<br />
Each replicated state machine comprises a <b>subnet</b> of <b>replicas</b>.<br />
Subnets may communicate with one another,<br />
but otherwise they operate (for the most part) independently of each other.<br />
<br />
As in any replicated state machine, a series of <b>transaction requests</b> is processed.<br />
A transaction request may come from either an external client<br />
or from another state machine in the IC.<br />
The replicas in a subnet must run a <b>[[wikipedia:Consensus_(computer_science)|consensus protocol]]</b> to order the<br />
incoming transaction requests, so that each replica processes the transaction requests in the same order.<br />
Each replica processes the transaction requests in the agreed-upon order.<br />
In processing a transaction request, each replica will update its internal <b>state</b> <br />
according to a deterministic function that maps the pair (current state, transaction request) to a new state.<br />
Because all replicas in a subnet process transaction requests in the same order, <br />
their internal states will evolve over time in exactly the same way.<br />
In response to processing a transaction, a subnet may also generate an outgoing message,<br />
which can be sent to either an external client or to another state machine in the IC.<br />
<br />
The reason for using a replicated state machine, rather than just a single state machine,<br />
is to achieve [[wikipedia:fault tolerance|fault tolerance]]: a subnet should continue <br />
to function &mdash; and to function <i>correctly</i> &mdash; even if some replicas are <b>faulty</b>.<br />
Generally in this area, one considers two types of replica failures: <b>crash failure</b> and <br />
<b>[[wikipedia:Byzantine_fault|Byzantine failures]]</b>.<br />
A <b>crash failure</b> occurs when a replica abruptly stops and does not resume. <b>Byzantine failures</b> are failures in which a replica may deviate in an arbitrary way from its prescribed protocol. Moreover, with Byzantine failures, one or possibly several replicas may be directly under the control of a malicious adversary.<br />
Of the two types of failures, Byzantine failures are potentially far more disruptive.<br />
<br />
Protocols for consensus and for implementing replicated state machines typically make assumptions<br />
about <b>how many</b> replicas may be faulty and to <b>to what degree</b> (crash or Byzantine) they may be faulty.<br />
In the IC, the assumption is that if a given subnet has <math>n</math> replicas, then less than <math>n/3</math><br />
of these replicas are faulty and these faults may be Byzantine.<br />
(Note that the different subnets in the IC may have different sizes.)<br />
<br />
Protocols for consensus and for implementing replicated state machines also typically make<br />
assumptions about the <b>communication model</b>, which characterizes the ability of an adversary <br />
to delay the delivery of messages between replicas.<br />
At opposite ends of the spectrum, we have the following models:<br />
* In the <b>synchronous model</b>, there exists some known finite time bound <math>\delta</math>, such that for any message sent, the adversary can delay its delivery by less than <math>\delta</math> time units.<br />
* In the <b>asynchronous model</b>, for any message sent, the adversary can delay its delivery by any finite amount of time, so that there is no bound on the time to deliver a message; however, each message must <b>eventually</b> be delivered.<br />
<br />
<br />
Since the replicas in an IC-subnet are typically distributed around the globe, a synchronous communication model would be highly unrealistic.<br />
In this setting, the most robust model is the asynchronous model.<br />
Unfortunately, there are no known consensus protocols in this model that are truly practical.<br />
So like most other practical Byzantine fault tolerant systems that cannot rely on synchronous communication,<br />
the IC opts for a compromise: a <b>partial synchrony</b> communication model.<br />
Such partial synchrony models can be formulated in various ways.<br />
The partial synchrony assumption used by the IC says, roughly speaking,<br />
that for each subnet, communication among replicas in that subnet is periodically synchronous for short intervals of time;<br />
moreover, the synchrony bound <math>\delta</math> does not need to be known in advance.<br />
This partial synchrony assumption is only needed to ensure that the consensus protocol makes progress<br />
(the so-called liveness property) &mdash; it is not needed to ensure correct behavior of consensus<br />
(the so-called safety property), nor is it needed anywhere else in the IC protocol stack.<br />
<br />
Under the assumption of partial synchrony and Byzantine faults, it is known that our bound of <math>f < n/3</math><br />
on the number of faults is optimal.<br />
<br />
Related topics:<br />
* [[IC architecture overview]]<br />
* [[IC canisters]]<br />
* [[IC network nervous system (NNS)]]<br />
* [[IC threshold signatures and distributed key generation]]<br />
* [[IC crossnet communication]]<br />
* [[IC catchup packages]]<br />
* [[IC fault model]]<br />
* [[IC tokens]]</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=The_Internet_Computer_for_Computer_Scientists&diff=428The Internet Computer for Computer Scientists2021-11-10T19:49:08Z<p>VictorShoup: </p>
<hr />
<div>To a first approximation, the IC (Internet Computer) is a network of <br />
[[wikipedia:state machine replication|replicated state machines]].<br />
<br />
Each replicated state machine comprises a <b>subnet</b> of <b>replicas</b>.<br />
Subnets may communicate with one another,<br />
but otherwise they operate (for the most part) independently of each other.<br />
<br />
As in any replicated state machine, a series of <b>transaction requests</b> is processed.<br />
A transaction request may come from either an external client<br />
or from another state machine in the IC.<br />
The replicas in a subnet must run a <b>[[wikipedia:Consensus_(computer_science)|consensus protocol]]</b> to order the<br />
incoming transaction requests, so that each replica processes the transaction requests in the same order.<br />
Each replica processes the transaction requests in the agreed-upon order.<br />
In processing a transaction request, each replica will update its internal <b>state</b> <br />
according to a deterministic function that maps the pair (current state, transaction request) to a new state.<br />
Because all replicas in a subnet process transaction requests in the same order, <br />
their internal states will evolve over time in exactly the same way.<br />
In response to processing a transaction, a subnet may also generate an outgoing message,<br />
which can be sent to either an external client or to another state machine in the IC.<br />
<br />
The reason for using a replicated state machine, rather than just a single state machine,<br />
is to achieve [[wikipedia:fault tolerance|fault tolerance]]: a subnet should continue <br />
to function &mdash; and to function <i>correctly</i> &mdash; even if some replicas are <b>faulty</b>.<br />
Generally in this area, one considers two types of replica failures: <b>crash failure</b> and <br />
<b>[[wikipedia:Byzantine_fault|Byzantine failures]]</b>.<br />
A <b>crash failure</b> occurs when a replica abruptly stops and does not resume. <b>Byzantine failures</b> are failures in which a replica may deviate in an arbitrary way from its prescribed protocol. Moreover, with Byzantine failures, one or possibly several replicas may be directly under the control of a malicious adversary.<br />
Of the two types of failures, Byzantine failures are potentially far more disruptive.<br />
<br />
Protocols for consensus and for implementing replicated state machines typically make assumptions<br />
about <b>how many</b> replicas may be faulty and to <b>to what degree</b> (crash or Byzantine) they may be faulty.<br />
In the IC, the assumption is that if a given subnet has <math>n</math> replicas, then less than <math>n/3</math><br />
of these replicas are faulty and these faults may be Byzantine.<br />
(Note that the different subnets in the IC may have different sizes.)<br />
<br />
Protocols for consensus and for implementing replicated state machines also typically make<br />
assumptions about the <b>communication model</b>, which characterizes the ability of an adversary <br />
to delay the delivery of messages between replicas.<br />
At opposite ends of the spectrum, we have the following models:<br />
* In the <b>synchronous model</b>, there exists some known finite time bound <math>\delta</math>, such that for any message sent, the adversary can delay its delivery by at most <math>\delta</math>.<br />
* In the <b>asynchronous model</b>, for any message sent, the adversary can delay its delivery by any finite amount of time, so that there is no bound on the time to deliver a message; however, each message must <b>eventually</b> be delivered.<br />
<br />
<br />
Since the replicas in an IC-subnet are typically distributed around the globe, a synchronous communication model would be highly unrealistic.<br />
In this setting, the most robust model is the asynchronous model.<br />
Unfortunately, there are no known consensus protocols in this model that are truly practical.<br />
So like most other practical Byzantine fault tolerant systems that cannot rely on synchronous communication,<br />
the IC opts for a compromise: a <b>partial synchrony</b> communication model.<br />
Such partial synchrony models can be formulated in various ways.<br />
The partial synchrony assumption used by the IC says, roughly speaking,<br />
that for each subnet, communication among replicas in that subnet is periodically synchronous for short intervals of time;<br />
moreover, the synchrony bound <math>\delta</math> does not need to be known in advance.<br />
This partial synchrony assumption is only needed to ensure that the consensus protocol makes progress<br />
(the so-called liveness property) &mdash; it is not needed to ensure correct behavior of consensus<br />
(the so-called safety property), nor is it needed anywhere else in the IC protocol stack.<br />
<br />
Under the assumption of partial synchrony and Byzantine faults, it is known that our bound of <math>f < n/3</math><br />
on the number of faults is optimal.<br />
<br />
Related topics:<br />
* [[IC architecture overview]]<br />
* [[IC canisters]]<br />
* [[IC network nervous system (NNS)]]<br />
* [[IC threshold signatures and distributed key generation]]<br />
* [[IC crossnet communication]]<br />
* [[IC catchup packages]]<br />
* [[IC fault model]]<br />
* [[IC tokens]]</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=The_Internet_Computer_for_Computer_Scientists&diff=427The Internet Computer for Computer Scientists2021-11-10T19:44:11Z<p>VictorShoup: </p>
<hr />
<div>To a first approximation, the IC (Internet Computer) is a network of <br />
[[wikipedia:state machine replication|replicated state machines]].<br />
<br />
Each replicated state machine comprises a <b>subnet</b> of <b>replicas</b>.<br />
Subnets may communicate with one another,<br />
but otherwise they operate (for the most part) independently of each other.<br />
<br />
As in any replicated state machine, a series of <b>transaction requests</b> is processed.<br />
A transaction request may come from either an external client<br />
or from another state machine in the IC.<br />
The replicas in a subnet must run a <b>[[wikipedia:Consensus_(computer_science)|consensus protocol]]</b> to order the<br />
incoming transaction requests, so that each replica processes the transaction requests in the same order.<br />
Each replica processes the transaction requests in the agreed-upon order.<br />
In processing a transaction request, each replica will update its internal <b>state</b> <br />
according to a deterministic function that maps the pair (current state, transaction request) to a new state.<br />
Because all replicas in a subnet process transaction requests in the same order, <br />
their internal states will evolve over time in exactly the same way.<br />
In response to processing a transaction, a subnet may also generate an outgoing message,<br />
which can be sent to either an external client or to another state machine in the IC.<br />
<br />
The reason for using a replicated state machine, rather than just a single state machine,<br />
is to achieve [[wikipedia:fault tolerance|fault tolerance]]: a subnet should continue <br />
to function &mdash; and to function <i>correctly</i> &mdash; even if some replicas are <b>faulty</b>.<br />
Generally in this area, one considers two types of replica failures: <b>crash failure</b> and <br />
<b>[[wikipedia:Byzantine_fault|Byzantine failures]]</b>.<br />
A <b>crash failure</b> occurs when a replica abruptly stops and does not resume. <b>Byzantine failures</b> are failures in which a replica may deviate in an arbitrary way from its prescribed protocol. Moreover, with Byzantine failures, one or possibly several replicas may be directly under the control of a malicious adversary.<br />
Of the two types of failures, Byzantine failures are potentially far more disruptive.<br />
<br />
Protocols for consensus and for implementing replicated state machines typically make assumptions<br />
about <b>how many</b> replicas may be faulty and to <b>to what degree</b> (crash or Byzantine) they may be faulty.<br />
In the IC, the assumption is that if a given subnet has <math>n</math> replicas, then less than <math>n/3</math><br />
of these replicas are faulty and these faults may be Byzantine.<br />
(Note that the different subnets in the IC may have different sizes.)<br />
<br />
Protocols for consensus and for implementing replicated state machines also typically make<br />
assumptions about the <b>communication model</b>, which characterizes the ability of an adversary <br />
to delay the delivery of messages between replicas.<br />
At opposite ends of the spectrum, we have the following models:<br />
* In the <b>synchronous model</b>, there exists some known finite time bound <math>\delta</math>, such that for any message sent, the adversary can delay its delivery by at most <math>\delta</math>.<br />
* In the <b>asynchronous model</b>, for any message sent, the adversary can delay its delivery by any finite amount of time, so that there is no bound on the time to deliver a message; however, each message must <b>eventually</b> be delivered.<br />
<br />
<br />
Since the replicas in an IC-subnet are typically distributed around the globe, a synchronous communication model would be highly unrealistic.<br />
In this setting, the most robust model is the asynchronous model.<br />
Unfortunately, there are no known consensus protocols in this model that are truly practical.<br />
So like most other practical Byzantine fault tolerant systems that cannot rely on synchronous communication,<br />
the IC opts for a compromise: a <b>partial synchrony</b> communication model.<br />
Such partial synchrony models can be formulated in various ways.<br />
The partial synchrony assumption used by the IC says, roughly speaking,<br />
that for each subnet, communication among replicas in that subnet is synchronous for short periods of time<br />
every now and then;<br />
moreover, the synchrony bound <math>\delta</math> does not need to be known in advance.<br />
This partial synchrony assumption is only needed to ensure that the consensus protocol makes progress<br />
(the so-called liveness property) &mdash; it is not needed to ensure correct behavior of consensus<br />
(the so-called safety property), nor is it needed anywhere else in the IC protocol stack.<br />
<br />
Under the assumption of partial synchrony and Byzantine faults, it is known that our bound of <math>f < n/3</math><br />
on the number of faults is optimal.<br />
<br />
Related topics:<br />
* [[IC architecture overview]]<br />
* [[IC canisters]]<br />
* [[IC network nervous system (NNS)]]<br />
* [[IC threshold signatures and distributed key generation]]<br />
* [[IC crossnet communication]]<br />
* [[IC catchup packages]]<br />
* [[IC fault model]]<br />
* [[IC tokens]]</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=246IC consensus layer2021-11-09T00:57:59Z<p>VictorShoup: </p>
<hr />
<div>The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically <b>timely</b> .<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance <br />
(the protocol is initialized with a bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
<br />
When the network is timely, <br />
the message complexity in a given round of the IC consensus protocol is <math>O(n^2)</math><br />
with overwhelming probability. <br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
==Public keys==<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages<br />
sent by replicas.<br />
The protocol also uses the <br />
<b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
<br />
==Random Beacon==<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
==Block making==<br />
<br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity, and<br />
* the block maker's signature on <math>B</math>.<br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
==Notarization==<br />
<br />
A block is only added to the tree of blocks when it becomes <br />
<b>notarized</b>.<br />
For a block to become notarized, <br />
<math>2f+1</math> <br />
distinct replicas must support its notarization.<br />
Given a proposed <math>B</math> at height <math>h</math>,<br />
a replica will verify a number of conditions,<br />
and if these tests pass, the replica will support the notarization of the block<br />
by broadcasting a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity of the supporting replica, and<br />
* the notarizing replica's signature on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Any set of <math>2f+1</math> notarization shares on <math>B</math><br />
may be aggregated together to form a <br />
<b>notarization</b> for <math>B</math>,<br />
consisting of<br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the set of identities of the <math>2f+1</math> supporting replicas,<br />
* an aggregation of the <math>2f+1</math> signatures on the message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Each replica will finish round <math>h</math><br />
as soon as it obtains a notarized block of height <math>h</math>,<br />
and will not subsequently notarize any other blocks at height <math>h</math>.<br />
<br />
==Finalization==<br />
<br />
There may be more than one <br />
notarized block at a given height <math>h</math>.<br />
However, if a block is <b>finalized</b>, then we can be sure that there<br />
is no other notarized block at height <math>h</math>. <br />
Let us call this the <b>finalization invariant</b>.<br />
<br />
For a block to become finalized, <br />
<math>2f+1</math> <br />
distinct replicas must support its finalization.<br />
Recall that round <math>h</math> ends for a replica when <br />
it obtains a notarized block <math>B</math> of height <math>h</math>.<br />
At that point in time, such a replica will <br />
check if it supported the notarization of any block at height <math>h</math><br />
other than block <math>B</math>.<br />
If not, the replica will support the finalization of <math>B</math><br />
by broadcasting a <br />
<b>finalization share</b> for <math>B</math>.<br />
A finalization share has exactly the same format as a notarization share<br />
(but is tagged in such a way notarization shares<br />
and finalization shares cannot be confused with one another).<br />
Any set of <math>2f+1</math> finalization shares on <math>B</math><br />
may be aggregated together to form a <b>finalization</b> for <math>B</math>,<br />
which has exactly the same format as a notarization.<br />
<br />
One can easily see that the logic for finalizing blocks<br />
implies that the finalization invariant must hold.<br />
Here is a proof:<br />
# Suppose that the number of corrupt parties is exactly <math>f^* \le f < n/3</math>.<br />
# If a block <math>B</math> is finalized, then its finalization must have been supported by a set <math>S</math> of at least <math>n-f-f^*</math> honest replicas (by the security property for aggregate signatures). <br />
# If another block <math>B' \ne B</math> were notarized, then its notarization must have been supported by a set <math>S'</math> of at least <math>n-f-f^*</math> honest replicas (again, by the security property for aggregate signatures).<br />
# The sets <math>S</math> and <math>S'</math> are disjoint (by the finalization logic).<br />
# Therefore, <math>n-f^* \ge |S| + |S'| \ge 2 (n-f-f^*)</math>, which implies <math>n \le 3f</math>, a contradiction.<br />
<br />
<br />
<br />
One consequence of the finalization invariant is the following.<br />
Suppose one replica sees a finalized block <math>B</math> at height <math>h</math><br />
and that another replica sees a finalized block <br />
<math>B'</math> at height <math>h' \le h</math>.<br />
Then the finalization invariant implies that the path in the tree of notarized blocks<br />
ending at <math>B'</math> is a prefix of the path ending at <math>B</math><br />
(if not, then there would be two notarized blocks at height <math>h'</math>,<br />
contradicting the finalization invariant). <br />
Thus, whenever replica sees a finalized block <math>B</math>,<br />
it may view all ancestors of <math>B</math> as being <br />
<b>implicitly finalized</b>, and because of the<br />
finalization invariant, the <b>safety property</b> is<br />
guaranteed to hold for these (explicitly and implicitly) finalized blocks.<br />
<br />
<br />
<br />
==Delay functions==<br />
<br />
The protocol makes use of two <b>delay functions</b>, <br />
<math>\Delta_\textrm{p}</math> and <math>\Delta_\textrm{n}</math>,<br />
which control<br />
the timing of block making and notarization activity.<br />
Both of these functions map the rank of the proposing replica<br />
no a nonnegative delay amount,<br />
and it is assumed that <br />
<math>\Delta_\textrm{p}(r) \le \Delta_\textrm{n}(r)</math><br />
for all <math>r = 0, \ldots, n-1</math>.<br />
The recommended definition of these functions is<br />
<math>\Delta_\textrm{p}(r) = 2 \delta r</math><br />
and<br />
<math>\Delta_\textrm{n}(r) = 2 \delta r + \epsilon</math>,<br />
where <math>\delta</math> is an upper bound on the time to deliver<br />
messages from one honest replica to another,<br />
and <math>\epsilon</math> is a "governor" to keep the<br />
protocol from running too fast.<br />
With these definitions, liveness will be ensured in those<br />
rounds in which (1) the leader is honest, and (2) messages really<br />
are delivered between honest parties within time <math>\delta</math>.<br />
Indeed,<br />
if (1) and (2) both hold in a given round, then the block proposed<br />
by the leader in that round will be finalized.<br />
Let us call this the <b>liveness invariant</b>.<br />
Note that even if (1) or (2) do not hold in a given round, <br />
the protocol is still guaranteed to make progress in the sense<br />
that at least one notarized block will be added to the tree in that round. <br />
Also note that the safety property of the protocol is always <br />
guaranteed.<br />
<br />
==Putting it all together==<br />
<br />
We now describe in more detail how the protocol works;<br />
specifically, we describe more precisely when a replica will<br />
propose a block and when a replica will support the notarization of a block. <br />
A given replica <math>P</math> will record the time at which it <br />
enters a given round <math>h</math>,<br />
which happens when it has obtained (1) some notarization for a <br />
block of height <math>h-1</math>, and (2) the random beacon for<br />
round <math>h</math>.<br />
Since the random beacon for round <math>h</math> has been determined,<br />
<math>P</math> can determine its own rank <math>r_P</math>, as well as the <br />
rank <math>r_Q</math> of each other replica <math>Q</math> <br />
for round <math>h</math>.<br />
<br />
===Block making===<br />
<br />
Replica <math>P</math> will only propose its own block <math>B_P</math><br />
provided (1) at least <math>\Delta_\textrm{p}(r_P)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no <i>better</i> block available to <math>P</math>.<br />
A block is deemed to be <i>better</i> than <math>B_P</math> <br />
if it was proposed by a replica of rank less than <math>r_P</math><br />
that has not been <i>disqualified</i> <br />
[[#Disqualify or relay|(see below)]].<br />
<br />
Note that since <math>P</math> is guaranteed to have a notarized block<br />
of height <math>h-1</math><br />
when it enters round <math>h</math>, it can make its proposed<br />
block a child of this notarized block (or any other <br />
notarized block of height <math>h-1</math> that it may have).<br />
<br />
===Notarization===<br />
<br />
Replica <math>P</math> will support the notarization <br />
of a valid block <math>B_Q</math> proposed by a <br />
non-disqualified replica <math>Q</math> of rank <br />
<math>r_Q</math><br />
provided <br />
(1) at least <math>\Delta_\textrm{n}(r_Q)</math> time<br />
units have passed since the beginning of the round,<br />
(2) there is no better block available to <math>P</math>,<br />
and (3) there is no<br />
<i>evidence of inconsistent behavior</i> by <math>Q</math> in this round<br />
[[#Disqualify or relay|(see below)]].<br />
<br />
===Disqualify or relay===<br />
<br />
<br />
Suppose <math>P</math> sees<br />
of a valid block <math>B_Q</math> proposed by a <br />
non-disqualified replica <math>Q</math> of rank <br />
<math>r_Q < r_P</math><br />
such that<br />
(1) at least <math>\Delta_\textrm{p}(r_Q)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no better block available to <math>P</math>.<br />
At this point in time, <math>P</math> will either <br />
<b>disqualify</b> the replica <math>Q</math> (for the current round)<br />
or <br />
<b>relay</b> the block <math>B_Q</math>. <br />
<br />
Party <math>P</math> will <b>disqualify</b> <math>Q</math> if there is<br />
<i>evidence of inconsistent behavior</i> by <math>Q</math> in this round.<br />
Such evidence consists of either (1) two different block proposals<br />
by <math>Q</math> in this round, or (2) a <i>proof of inconsistent behavior</i><br />
obtained from another replica.<br />
Such a proof of inconsistent behavior is simply a message consisting<br />
of two distinct block proposals from <math>Q</math>.<br />
In either case, <math>P</math> will mark <math>Q</math> as <i>disqualified</i><br />
for the current round, and broadcast to all replicas a proof of inconsistent <br />
behavior. <br />
Note that since block proposals are signed, it is infeasible<br />
to construct a proof of inconsistent behavior against an honest replica.<br />
<br />
If <math>P</math> does not disqualify <math>Q</math>, and has not already<br />
relayed the block <math>B_Q</math>, it will <b>relay</b> <math>B_Q</math>, which<br />
means it will broadcast <math>B_Q</math> to all replicas and mark <br />
<math>B_Q</math> as <i>relayed</i>.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=245IC consensus layer2021-11-08T21:13:23Z<p>VictorShoup: </p>
<hr />
<div>The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically <b>timely</b> .<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance <br />
(the protocol is initialized with a bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
<br />
When the network is timely, <br />
the message complexity in a given round of the IC consensus protocol is <math>O(n^2)</math><br />
with overwhelming probability. <br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
==Public keys==<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages<br />
sent by replicas.<br />
The protocol also uses the <br />
<b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
<br />
==Random Beacon==<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
==Block making==<br />
<br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity, and<br />
* the block maker's signature on <math>B</math>.<br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
==Notarization==<br />
<br />
A block is only added to the tree of blocks when it becomes <br />
<b>notarized</b>.<br />
For a block to become notarized, <br />
<math>2f+1</math> <br />
distinct replicas must support its notarization.<br />
Given a proposed <math>B</math> at height <math>h</math>,<br />
a replica will verify a number of conditions,<br />
and if these tests pass, the replica will support the notarization of the block<br />
by broadcasting a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity of the supporting replica, and<br />
* the notarizing replica's signature on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Any set of <math>2f+1</math> notarization shares on <math>B</math><br />
may be aggregated together to form a <br />
<b>notarization</b> for <math>B</math>,<br />
consisting of<br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the set of identities of the <math>2f+1</math> supporting replicas,<br />
* an aggregation of the <math>2f+1</math> signatures on the message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Each replica will finish round <math>h</math><br />
as soon as it obtains a notarized block of height <math>h</math>,<br />
and will not subsequently notarize any other blocks at height <math>h</math>.<br />
<br />
==Finalization==<br />
<br />
There may be more than one <br />
notarized block at a given height <math>h</math>.<br />
However, if a block is <b>finalized</b>, then we can be sure that there<br />
is no other notarized block at height <math>h</math>. <br />
Let us call this the <b>finalization invariant</b>.<br />
<br />
For a block to become finalized, <br />
<math>2f+1</math> <br />
distinct replicas must support its finalization.<br />
Recall that round <math>h</math> ends for a replica when <br />
it obtains a notarized block <math>B</math> of height <math>h</math>.<br />
At that point in time, such a replica will <br />
check if it supported the notarization of any block at height <math>h</math><br />
other than block <math>B</math>.<br />
If not, the replica will support the finalization of <math>B</math><br />
by broadcasting a <br />
<b>finalization share</b> for <math>B</math>.<br />
A finalization share has exactly the same format as a notarization share<br />
(but is tagged in such a way notarization shares<br />
and finalization shares cannot be confused with one another).<br />
Any set of <math>2f+1</math> finalization shares on <math>B</math><br />
may be aggregated together to form a <b>finalization</b> for <math>B</math>,<br />
which has exactly the same format as a notarization.<br />
<br />
One can easily see that the logic for finalizing blocks<br />
implies that the finalization invariant must hold.<br />
Here is a proof:<br />
# Suppose that the number of corrupt parties is exactly <math>f^* \le f < n/3</math>.<br />
# If a block <math>B</math> is finalized, then its finalization must have been supported by a set <math>S</math> of at least <math>n-f-f^*</math> honest replicas (by the security property for aggregate signatures). <br />
# If another block <math>B' \ne B</math> were notarized, then its notarization must have been supported by a set <math>S'</math> of at least <math>n-f-f^*</math> honest replicas (again, by the security property for aggregate signatures).<br />
# The sets <math>S</math> and <math>S'</math> are disjoint (by the finalization logic).<br />
# Therefore, <math>n-f^* \ge |S| + |S'| \ge 2 (n-f-f^*)</math>, which implies <math>n \le 3f</math>, a contradiction.<br />
<br />
<br />
<br />
One consequence of the finalization invariant is the following.<br />
Suppose one replica sees a finalized block <math>B</math> at height <math>h</math><br />
and that another replica sees a finalized block <br />
<math>B'</math> at height <math>h' \le h</math>.<br />
Then the finalization invariant implies that the path in the tree of notarized blocks<br />
ending at <math>B'</math> is a prefix of the path ending at <math>B</math><br />
(if not, then there would be two notarized blocks at height <math>h'</math>,<br />
contradicting the finalization invariant). <br />
Thus, whenever replica sees a finalized block <math>B</math>,<br />
it may view all ancestors of <math>B</math> as being <br />
<b>implicitly finalized</b>, and because of the<br />
finalization invariant, the <b>safety property</b> is<br />
guaranteed to hold for these (explicitly and implicitly) finalized blocks.<br />
<br />
<br />
<br />
==Delay functions==<br />
<br />
The protocol makes use of two <b>delay functions</b>, <br />
<math>\Delta_\textrm{p}</math> and <math>\Delta_\textrm{n}</math>,<br />
which control<br />
the timing of block making and notarization activity.<br />
Both of these functions map the rank of the proposing replica<br />
no a nonnegative delay amount,<br />
and it is assumed that <br />
<math>\Delta_\textrm{p}(r) \le \Delta_\textrm{n}(r)</math><br />
for all <math>r = 0, \ldots, n-1</math>.<br />
The recommended definition of these functions is<br />
<math>\Delta_\textrm{p}(r) = 2 \delta r</math><br />
and<br />
<math>\Delta_\textrm{n}(r) = 2 \delta r + \epsilon</math>,<br />
where <math>\delta</math> is an upper bound on the time to deliver<br />
messages from one honest replica to another,<br />
and <math>\epsilon</math> is a "governor" to keep the<br />
protocol from running too fast.<br />
With these definitions, liveness will be ensured in those<br />
rounds in which (1) the leader is honest, and (2) messages really<br />
are delivered between honest parties within time <math>\delta</math>.<br />
Indeed,<br />
if (1) and (2) both hold in a given round, then the block proposed<br />
by the leader in that round will be finalized.<br />
Let us call this the <b>liveness invariant</b>.<br />
Note that even if (1) or (2) do not hold in a given round, <br />
the protocol is still guaranteed to make progress in the sense<br />
that at least one notarized block will be added to the tree in that round. <br />
Also note that the safety property of the protocol is always <br />
guaranteed.<br />
<br />
==Putting it all together==<br />
<br />
We now describe in more detail how the protocol works;<br />
specifically, we describe more precisely when a replica will<br />
propose a block and when a replica will support the notarization of a block. <br />
A given replica <math>P</math> will record the time at which it <br />
enters a given round <math>h</math>,<br />
which happens when it has obtained (1) some notarization for a <br />
block of height <math>h-1</math>, and (2) the random beacon for<br />
round <math>h</math>.<br />
Since the random beacon for round <math>h</math> has been determined,<br />
<math>P</math> can determine its own rank <math>r_P</math>, as well as the <br />
rank <math>r_Q</math> of each other replica <math>Q</math> <br />
for round <math>h</math>.<br />
<br />
===Block making===<br />
<br />
Replica <math>P</math> will only propose its own block <math>B_P</math><br />
provided (1) at least <math>\Delta_\textrm{p}(r_P)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no <i>better</i> block available to <math>P</math>.<br />
A block is deemed to be <i>better</i> than <math>B_P</math> <br />
if it was proposed by a replica of rank less than <math>r_P</math><br />
that has not been <i>disqualified</i>.<br />
We will discuss <i>disqualification</i> below.<br />
<br />
Note that since <math>P</math> is guaranteed to have a notarized block<br />
of height <math>h-1</math><br />
when it enters round <math>h</math>, it can make its proposed<br />
block a child of this notarized block (or any other <br />
notarized block of height <math>h-1</math> that it may have).<br />
<br />
===Notarization===<br />
<br />
Replica <math>P</math> will support the notarization <br />
of a valid block <math>B_Q</math> proposed by a <br />
non-disqualified replica <math>Q</math> of rank <br />
<math>r_Q</math><br />
provided <br />
(1) at least <math>\Delta_\textrm{n}(r_Q)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no better block available to <math>P</math>.<br />
<br />
===Disqualify or relay===<br />
<br />
<br />
Suppose <math>P</math> sees<br />
of a valid block <math>B_Q</math> proposed by a <br />
non-disqualified replica <math>Q</math> of rank <br />
<math>r_Q < r_P</math><br />
such that<br />
(1) at least <math>\Delta_\textrm{p}(r_Q)</math> time<br />
units have passed since the beginning of the round,<br />
and (2) there is no better block available to <math>P</math>.<br />
At this point in time, <math>P</math> will either <br />
<b>disqualify</b> the replica <math>Q</math> (for the current round)<br />
or <br />
<b>relay</b> the block <math>B_Q</math>. <br />
<br />
Party <math>P</math> will <b>disqualify</b> <math>Q</math> if it<br />
has <i>evidence of inconsistent behavior</i> by <math>Q</math> in this round.<br />
Such evidence consists of either (1) two different block proposals<br />
by <math>Q</math> in this round, or (2) a <i>proof of inconsistent behavior</i><br />
obtained from another replica.<br />
Such a proof of inconsistent behavior is simply a message consisting<br />
of two distinct block proposals from <math>Q</math>.<br />
In either case, <math>P</math> will mark <math>Q</math> as <i>disqualified</i><br />
for the current round, and broadcast to all replicas a proof of inconsistent <br />
behavior. <br />
Note that since block proposals are signed, it is infeasible<br />
to construct a proof of inconsistent behavior against an honest replica.<br />
<br />
If <math>P</math> does not disqualify <math>Q</math>, and has not already<br />
relayed the block <math>B_Q</math>, it will <b>relay</b> <math>B_Q</math>, which<br />
means it will broadcast <math>B_Q</math> to all replicas and mark <br />
<math>B_Q</math> as <i>relayed</i>.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=244IC consensus layer2021-11-08T18:32:38Z<p>VictorShoup: </p>
<hr />
<div>The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically <b>timely</b> .<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance <br />
(the protocol is initialized with a bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
<br />
When the network is timely, <br />
the message complexity in a given round of the IC consensus protocol is <math>O(n^2)</math><br />
with overwhelming probability. <br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation via PoPs.<br />
<br />
==Random Beacon==<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
==Block making==<br />
<br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity, and<br />
* the block maker's signature on <math>B</math>.<br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
==Notarization==<br />
<br />
A block is only added to the tree of blocks when it becomes <br />
<b>notarized</b>.<br />
For a block to become notarized, <br />
<math>2f+1</math> <br />
distinct replicas must support its notarization.<br />
Given a proposed <math>B</math> at height <math>h</math>,<br />
a replica will verify a number of conditions,<br />
and if these tests pass, the replica will support the notarization of the block<br />
by broadcasting a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity of the supporting replica, and<br />
* the notarizing replica's signature on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Any set of <math>2f+1</math> notarization shares on <math>B</math><br />
may be aggregated together to form a <br />
<b>notarization</b> for <math>B</math>,<br />
consisting of<br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the set of identities of the <math>2f+1</math> supporting replicas,<br />
* an aggregation of the <math>2f+1</math> signatures on the message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Each replica will finish round <math>h</math><br />
as soon as it obtains a notarized block of height <math>h</math>,<br />
and will not subsequently notarize any other blocks at height <math>h</math>.<br />
<br />
==Finalization==<br />
<br />
There may be more than one <br />
notarized block at a given height <math>h</math>.<br />
However, if a block is <b>finalized</b>, then we can be sure that there<br />
is no other notarized block at height <math>h</math>. <br />
Let us call this the <b>finalization invariant</b>.<br />
<br />
For a block to become finalized, <br />
<math>2f+1</math> <br />
distinct replicas must support its finalization.<br />
Recall that round <math>h</math> ends for a replica when <br />
it obtains a notarized block <math>B</math> of height <math>h</math>.<br />
At that point in time, such a replica will <br />
check if it supported the notarization of any block at height <math>h</math><br />
other than block <math>B</math>.<br />
If not, the replica will support the finalization of <math>B</math><br />
by broadcasting a <br />
<b>finalization share</b> for <math>B</math>.<br />
A finalization share has exactly the same format as a notarization share<br />
(but is tagged in such a way notarization shares<br />
and finalization shares cannot be confused with one another).<br />
Any set of <math>2f+1</math> finalization shares on <math>B</math><br />
may be aggregated together to form a <b>finalization</b> for <math>B</math>,<br />
which has exactly the same format as a notarization.<br />
<br />
One can easily see that the logic for finalizing blocks<br />
implies that the finalization invariant must hold.<br />
Here is a proof:<br />
# Suppose that the number of corrupt parties is exactly <math>f^* \le f < n/3</math>.<br />
# If a block <math>B</math> is finalized, then its finalization must have been supported by a set <math>S</math> of at least <math>n-f-f^*</math> honest replicas (by the security property for aggregate signatures). <br />
# If another block <math>B' \ne B</math> were notarized, then its notarization must have been supported by a set <math>S'</math> of at least <math>n-f-f^*</math> honest replicas (again, by the security property for aggregate signatures).<br />
# The sets <math>S</math> and <math>S'</math> are disjoint (by the finalization logic).<br />
# Therefore, <math>n-f^* \ge |S| + |S'| \ge 2 (n-f-f^*)</math>, which implies <math>n \le 3f</math>, a contradiction.<br />
<br />
<br />
<br />
One consequence of the finalization invariant is the following.<br />
Suppose one replica sees a finalized block <math>B</math> at height <math>h</math><br />
and that another replica sees a finalized block <br />
<math>B'</math> at height <math>h' \le h</math>.<br />
Then the finalization invariant implies that the path in the tree of notarized blocks<br />
ending at <math>B'</math> is a prefix of the path ending at <math>B</math><br />
(if not, then there would be two notarized blocks at height <math>h'</math>,<br />
contradicting the finalization invariant). <br />
Thus, whenever replica sees a finalized block <math>B</math>,<br />
it may view all ancestors of <math>B</math> as being <br />
<b>implicitly finalized</b>, and because of the<br />
finalization invariant, the <b>safety property</b> is<br />
guaranteed to hold for these (explicitly and implicitly) finalized blocks.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=232IC consensus layer2021-11-05T21:59:21Z<p>VictorShoup: </p>
<hr />
<div>The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically <b>timely</b> .<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance <br />
(the protocol is initialized with a bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
<br />
When the network is timely, <br />
the message complexity in a given round of the IC consensus protocol is <math>O(n^2)</math><br />
with overwhelming probability. <br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation via PoPs.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
<b>Block making.</b><br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity, and<br />
* the block maker's signature on <math>B</math>.<br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
<b>Notarization.</b><br />
A block is only added to the tree of blocks when it becomes <br />
<b>notarized</b>.<br />
For a block to become notarized, <br />
<math>2f+1</math> <br />
distinct replicas must support its notarization.<br />
Given a proposed <math>B</math> at height <math>h</math>,<br />
a replica will verify a number of conditions,<br />
and if these tests pass, the replica will support the notarization of the block<br />
by broadcasting a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity of the supporting replica, and<br />
* the notarizing replica's signature on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Any set of <math>2f+1</math> notarization shares on <math>B</math><br />
may be aggregated together to form a <br />
<b>notarization</b> for <math>B</math>,<br />
consisting of<br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the set of identities of the <math>2f+1</math> supporting replicas,<br />
* an aggregation of the <math>2f+1</math> signatures on the message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Each replica will finish round <math>h</math><br />
as soon as it obtains a notarized block of height <math>h</math>,<br />
and will not subsequently notarize any other blocks at height <math>h</math>.<br />
<br />
<b>Finalization.</b><br />
There may be more than one <br />
notarized block at a given height <math>h</math>.<br />
However, if a block is <b>finalized</b>, then we can be sure that there<br />
is no other notarized block at height <math>h</math>. <br />
Let us call this the <b>finalization invariant</b>.<br />
<br />
For a block to become finalized, <br />
<math>2f+1</math> <br />
distinct replicas must support its finalization.<br />
Recall that round <math>h</math> ends for a replica when <br />
it obtains a notarized block <math>B</math> of height <math>h</math>.<br />
At that point in time, such a replica will <br />
check if it supported the notarization of any block at height <math>h</math><br />
other than block <math>B</math>.<br />
If not, the replica will support the finalization of <math>B</math><br />
by broadcasting a <br />
<b>finalization share</b> for <math>B</math>.<br />
A finalization share has exactly the same format as a notarization share<br />
(but is tagged in such a way notarization shares<br />
and finalization shares cannot be confused with one another).<br />
Any set of <math>2f+1</math> finalization shares on <math>B</math><br />
may be aggregated together to form a <b>finalization</b> for <math>B</math>,<br />
which has exactly the same format as a notarization.<br />
<br />
One can easily see that the logic for finalizing blocks<br />
implies that the finalization invariant must hold.<br />
Here is a proof:<br />
# Suppose that the number of corrupt parties is exactly <math>f^* \le f < n/3</math>.<br />
# If a block <math>B</math> is finalized, then its finalization must have been supported by a set <math>S</math> of at least <math>n-f-f^*</math> honest replicas (by the security property for aggregate signatures). <br />
# If another block <math>B' \ne B</math> were notarized, then its notarization must have been supported by a set <math>S'</math> of at least <math>n-f-f^*</math> honest replicas (again, by the security property for aggregate signatures).<br />
# The sets <math>S</math> and <math>S'</math> are disjoint (by the finalization logic).<br />
# Therefore, <math>n-f^* \ge |S| + |S'| \ge 2 (n-f-f^*)</math>, which implies <math>n \le 3f</math>, a contradiction.<br />
<br />
<br />
<br />
One consequence of the finalization invariant is the following.<br />
Suppose one replica sees a finalized block <math>B</math> at height <math>h</math><br />
and that another replica sees a finalized block <br />
<math>B'</math> at height <math>h' \le h</math>.<br />
Then the finalization invariant implies that the path in the tree of notarized blocks<br />
ending at <math>B'</math> is a prefix of the path ending at <math>B</math><br />
(if not, then there would be two notarized blocks at height <math>h'</math>,<br />
contradicting the finalization invariant). <br />
Thus, whenever replica sees a finalized block <math>B</math>,<br />
it may view all ancestors of <math>B</math> as being <br />
<b>implicitly finalized</b>, and because of the<br />
finalization invariant, the <b>safety property</b> is<br />
guaranteed to hold for these (explicitly and implicitly) finalized blocks.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=231IC consensus layer2021-11-05T20:13:32Z<p>VictorShoup: </p>
<hr />
<div>The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically <b>timely</b> .<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance <br />
(the protocol is initialized with a bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
<br />
When the network is timely, <br />
the message complexity in a given round of the IC consensus protocol is <math>O(n^2)</math><br />
with overwhelming probability. <br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation via PoPs.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
<b>Block making.</b><br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity <math>\textit{BMID}</math>, and<br />
* the block maker's signature on <math>B</math>.<br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
<b>Notarization.</b><br />
A block is only added to the tree of blocks when it becomes <b>notarized</b>.<br />
For a block to become notarized, it must be notarized by <math>2f+1</math> <br />
distinct replicas.<br />
To notarize a proposed block <math>B</math> at height <math>h</math>, <br />
a replica will verify a number of conditions,<br />
and if these tests pass, the replica will notarize the block<br />
by broadcasting a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity <math>\textit{NID}</math> of the notarizing replica, and<br />
* the notarizing replica's signature on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Any set of <math>2f+1</math> notarization shares on <math>B</math><br />
may be aggregated together to form a <b>notarization</b> for <math>B</math>,<br />
consisting of<br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* a set of <math>2f+1</math> distinct identities <math>NIDSet</math> of the notarizing replicas, and<br />
* an aggregate signature of the notarizing replicas in <math>NIDSet</math> on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Each replica will finish round <math>h</math><br />
as soon as it obtains a notarized block of height <math>h</math>,<br />
and will not subsequently issue any notarization shares at height <math>h</math>.<br />
<br />
<b>Finalization.</b><br />
There may be more than one notarized block at a given height <math>h</math>.<br />
However, if a block is <b>finalized</b>, then we can be sure that there<br />
is no other notarized block at height <math>h</math>. <br />
Let us call this the <b>finalization invariant</b>.<br />
<br />
For a block to become finalized, it must be finalized by <math>2f+1</math> <br />
distinct replicas.<br />
Recall that round <math>h</math> ends for a replica when <br />
it obtains a notarized block <math>B</math> of height <math>h</math>.<br />
At that point in time, such a replica will finalize <math>B</math><br />
by broadcasting a <br />
<b>finalization share</b> for <math>B</math> if it has not previously<br />
notarized any block other than <math>B</math>. <br />
A finalization share has exactly the same format as a notarization<br />
(but are tagged in such a way notarization shares<br />
and finalization shares cannot be confused with one another).<br />
Any set of <math>2f+1</math> finalization shares on <math>B</math><br />
may be aggregated together to form a <b>finalization</b> for <math>B</math>,<br />
which has exactly the same format as a notarization.<br />
<br />
One can easily see that the logic for finalizing blocks<br />
implies that the finalization invariant must hold.<br />
Here is a proof:<br />
# Suppose that the number of corrupt parties is exactly <math>f^* \le f < n/3</math>.<br />
# If a block <math>B</math> is finalized, then it has been finalized by a set <math>S</math> of at least <math>n-f-f^*</math> honest replicas (by the security property for aggregate signatures). <br />
# If another block <math>B' \ne B</math> were notarized, then it has been notarized by a set <math>S'</math> of at least <math>n-f-f^*</math> honest replicas (again, by the security property for aggregate signatures).<br />
# The sets <math>S</math> and <math>S'</math> are disjoint (by the finalization logic).<br />
# Therefore, <math>n-f^* \ge |S| + |S'| \ge 2 (n-f-f^*)</math>, which implies <math>n \le 3f</math>, a contradiction.<br />
<br />
<br />
<br />
One consequence of the finalization invariant is the following.<br />
Suppose one replica sees a block <math>B</math> at height <math>h</math><br />
along with a corresponding finalization for <math>B</math>,<br />
and that another replica sees a block <br />
<math>B'</math> at height <math>h' \le h</math><br />
along with a corresponding finalization for <math>B'</math>.<br />
Then the finalization invariant implies that the path in the tree of notarized blocks<br />
ending at <math>B'</math> is a prefix of the path ending at <math>B</math><br />
(if not, then there would be two notarized blocks at height <math>h'</math>,<br />
contradicting the finalization invariant). <br />
Thus, whenever replica sees a finalization for a block <math>B</math>,<br />
it may view all ancestors of <math>B</math> as being <br />
<b>implicitly finalized</b>, and because of the<br />
finalization invariant, the <b>safety property</b> is<br />
guaranteed to hold for these (explicitly and implicitly) finalized blocks.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=230IC consensus layer2021-11-05T20:11:41Z<p>VictorShoup: </p>
<hr />
<div>The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically <b>timely</b> .<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance <br />
(the protocol is initialized with a bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
<br />
When the network is timely, <br />
the message complexity in a given round of the IC consensus protocol is <math>O(n^2)</math><br />
with overwhelming probability. <br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation via PoPs.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
<b>Block making.</b><br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity <math>\textit{BMID}</math>, and<br />
* the block maker's signature on <math>B</math>.<br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
<b>Notarization.</b><br />
A block is only added to the tree of blocks when it becomes <b>notarized</b>.<br />
For a block to become notarized, it must be notarized by <math>2f+1</math> <br />
distinct replicas.<br />
To notarize a proposed block <math>B</math> at height <math>h</math>, <br />
a replica will verify a number of conditions,<br />
and if these tests pass, the replica will notarize the block<br />
by broadcasting a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity <math>\textit{NID}</math> of the notarizing replica, and<br />
* the notarizing replica's signature on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Any set of <math>2f+1</math> notarization shares on <math>B</math><br />
may be aggregated together to form a <b>notarization</b> for <math>B</math>,<br />
consisting of<br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* a set of <math>2f+1</math> distinct identities <math>NIDSet</math> of the notarizing replicas, and<br />
* an aggregate signature of the notarizing replicas in <math>NIDSet</math> on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Each replica will finish round <math>h</math><br />
as soon as it obtains a notarized block of height <math>h</math>,<br />
and will not subsequently issue any notarization shares at height <math>h</math>.<br />
<br />
<b>Finalization.</b><br />
There may be more than one notarized block at a given height <math>h</math>.<br />
However, if a block is <b>finalized</b>, then we can be sure that there<br />
is no other notarized block at height <math>h</math>. <br />
Let us call this the <b>finalization invariant</b>.<br />
<br />
For a block to become finalized, it must be finalized by <math>2f+1</math> <br />
distinct replicas.<br />
Recall that round <math>h</math> ends for a replica when <br />
it obtains a notarized block <math>B</math> of height <math>h</math>.<br />
At that point in time, such a replica will finalize <math>B</math><br />
by broadcasting a <br />
<b>finalization share</b> for <math>B</math> if it has not previously<br />
issued notarized any block other than <math>B</math>. <br />
A finalization share has exactly the same format as a notarization<br />
(but are tagged in such a way notarization shares<br />
and finalization shares cannot be confused with one another).<br />
Any set of <math>2f+1</math> finalization shares on <math>B</math><br />
may be aggregated together to form a <b>finalization</b> for <math>B</math>,<br />
which has exactly the same format as a notarization.<br />
<br />
One can easily see that the logic for finalizing blocks<br />
implies that the finalization invariant must hold.<br />
Here is a proof:<br />
# Suppose that the number of corrupt parties is exactly <math>f^* \le f < n/3</math>.<br />
# If a block <math>B</math> is finalized, then it has been finalized by a set <math>S</math> of at least <math>n-f-f^*</math> honest replicas (by the security property for aggregate signatures). <br />
# If another block <math>B' \ne B</math> were notarized, then it has been notarized by a set <math>S'</math> of at least <math>n-f-f^*</math> honest replicas (again, by the security property for aggregate signatures).<br />
# The sets <math>S</math> and <math>S'</math> are disjoint (by the finalization logic).<br />
# Therefore, <math>n-f^* \ge |S| + |S'| \ge 2 (n-f-f^*)</math>, which implies <math>n \le 3f</math>, a contradiction.<br />
<br />
<br />
<br />
One consequence of the finalization invariant is the following.<br />
Suppose one replica sees a block <math>B</math> at height <math>h</math><br />
along with a corresponding finalization for <math>B</math>,<br />
and that another replica sees a block <br />
<math>B'</math> at height <math>h' \le h</math><br />
along with a corresponding finalization for <math>B'</math>.<br />
Then the finalization invariant implies that the path in the tree of notarized blocks<br />
ending at <math>B'</math> is a prefix of the path ending at <math>B</math><br />
(if not, then there would be two notarized blocks at height <math>h'</math>,<br />
contradicting the finalization invariant). <br />
Thus, whenever replica sees a finalization for a block <math>B</math>,<br />
it may view all ancestors of <math>B</math> as being <br />
<b>implicitly finalized</b>, and because of the<br />
finalization invariant, the <b>safety property</b> is<br />
guaranteed to hold for these (explicitly and implicitly) finalized blocks.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=180IC consensus layer2021-11-04T22:14:55Z<p>VictorShoup: </p>
<hr />
<div>The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically <b>timely</b> .<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance <br />
(the protocol is initialized with a bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
<br />
When the network is timely, <br />
the message complexity in a given round of the IC consensus protocol is <math>O(n^2)</math><br />
with overwhelming probability. <br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation via PoPs.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
<b>Block making.</b><br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity <math>\textit{BMID}</math>, and<br />
* the block maker's signature on <math>B</math>.<br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
<b>Notarization.</b><br />
A block is only added to the tree of blocks when it becomes <b>notarized</b>.<br />
For a block to become notarized, it must be notarized by <math>2f+1</math> <br />
distinct replicas.<br />
To notarize a proposed block <math>B</math> at height <math>h</math>, <br />
a replica will verify a number of conditions,<br />
and if these tests pass, the replica will notarize the block<br />
by broadcasting a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity <math>\textit{NID}</math> of the notarizing replica, and<br />
* the notarizing replica's signature on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Any set of <math>2f+1</math> notarization shares on <math>B</math><br />
may be aggregated together to form a <b>notarization</b> for <math>B</math>,<br />
consisting of<br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* a set of <math>2f+1</math> distinct identities <math>NIDSet</math> of the notarizing replicas, and<br />
* an aggregate signature of the notarizing replicas in <math>NIDSet</math> on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Each replica will finish round <math>h</math><br />
as soon as it obtains a notarized block of height <math>h</math>,<br />
and will not subsequently issue any notarization shares at height <math>h</math>.<br />
<br />
<b>Finalization.</b><br />
There may be more than one notarized block at a given height <math>h</math>.<br />
However, if a block is <b>finalized</b>, then we can be sure that there<br />
is no other notarized block at height <math>h</math>. <br />
Let us call this the <b>finalization invariant</b>.<br />
One consequence of the finalization invariant is the following.<br />
Suppose one replica sees a finalized block <math>B</math> at height <math>h</math>,<br />
and that another replica sees a finalized block <br />
<math>B'</math> at height <math>h' \ge h</math>.<br />
Then the finalization invariant implies that the path in the tree of notarized blocks<br />
ending at <math>B</math> is a prefix of the path ending at <math>B</math><br />
(if not, then there would be two notarized blocks at height <math>h</math>,<br />
contradicting the finalization invariant). <br />
<br />
For a block to become finalized, it must be finalized by <math>2f+1</math> <br />
distinct replicas.<br />
Recall that round <math>h</math> ends for a replica when <br />
it obtains a notarized block <math>B</math> of height <math>h</math>.<br />
At that point in time, such a replica will broadcast a <br />
<b>finalization share</b> for <math>B</math> if it has not previously<br />
issued a notarization share for any block other than <math>B</math>. <br />
A finalization share has exactly the same format as a notarization<br />
(but are tagged in such a way notarization shares<br />
and finalization shares cannot be confused with one another).<br />
Any set of <math>2f+1</math> finalization shares on <math>B</math><br />
may be aggregated together to form a <b>finalization</b> for <math>B</math>,<br />
which has exactly the same format as a notarization.<br />
<br />
<!--<br />
One can easily see that the logic for generating finalization shares<br />
implies that the above finalization invariant must hold.<br />
Here is a proof:<br />
# Suppose that block <math>B</math> is finalized but another block <math>B'</math> is also notarized.<br />
# Suppose that the number of corrupt parties is exactly <math>f' \le f</math>.<br />
# Let <math>N</math> be the set of honest replicas that notarized <math>B</math> and let <math>N'</math> be the set of honest replicas that notarized <math>B'</math>.<br />
# By the security properties of aggregate signatures, each of the sets <math>N</math> and <math>N'</math> must have size at least at least <math>(2f+1)-f'</math>.<br />
# A finalization on <math>B</math> means a set <math>S</math> of <math>(2f+1)-f=f+1</math> honest replicas issued a finalization share on <math>B</math> (by the security properties of BLS signature aggregation).<br />
# Each replica in <math>S</math> issued a notarization share on no other block besides <math>B</math>.<br />
--></div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=156IC consensus layer2021-11-03T22:05:57Z<p>VictorShoup: </p>
<hr />
<div>The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically <b>timely</b> .<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance <br />
(the protocol is initialized with a bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
<br />
When the network is timely, <br />
the message complexity in a given round of the IC consensus protocol is <math>O(n^2)</math><br />
with overwhelming probability. <br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation via PoPs.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
<b>Block making.</b><br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity <math>\textit{BMID}</math>, and<br />
* the block maker's signature on <math>B</math>.<br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
<b>Notarization.</b><br />
A block is only added to the tree of blocks when it becomes <b>notarized</b>.<br />
For a block to become notarized, it must be notarized by <math>2f+1</math> <br />
distinct replicas.<br />
To notarize a proposed block <math>B</math> at height <math>h</math>, <br />
a replica will verify a number of conditions,<br />
and if these tests pass, the replica will notarize the block<br />
by broadcasting a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity <math>\textit{NID}</math> of the notarizing replica, and<br />
* the notarizing replica's signature on a message comprising the hash of <math>B</math> and the height <math>h</math>.<br />
Any set of <math>2f+1</math> notarization shares on <math>B</math><br />
may be aggregated together to form a <b>notarization</b> for <math>B</math>,<br />
consisting of<br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* a set of <math>2f+1</math> distinct identities <math>NIDSet</math> of the notarizing replicas, and<br />
* an aggregate signature of the notarizing replicas in <math>NIDSet</math> on a message comprising the hash of <math>B</math> and the height <math>h</math>.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=153IC consensus layer2021-11-02T00:27:34Z<p>VictorShoup: </p>
<hr />
<div>The job of the consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
such requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be periodically <b>timely</b> .<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance <br />
(the protocol is initialized with a bound, but will dynamically <br />
adapt and increase this bound if it is too small).<br />
Regardless of whether we are assuming an asynchronous<br />
or a partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,h-1</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
in this round and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block<br />
and <i>some</i> block or blocks will be added to this tree in this round.<br />
<br />
When the network is timely, <br />
the message complexity in a given round of the IC consensus protocol is <math>O(n^2)</math><br />
with overwhelming probability. <br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation via PoPs.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<br />
<b>Block making.</b><br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, <br />
* the rank of the block maker,<br />
* the height <math>h</math> of the block.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity <math>\textit{ID}</math>, and<br />
* the block maker's signature on a message comprising <math>B</math> and <math>\textit{ID}</math> (and the [[registry version]] associated with height <math>h</math>). <br />
A block maker will broadcast its block proposal to all other replicas.<br />
<br />
<b>Notarization.</b><br />
A block is only added to the tree of blocks when it becomes <b>notarized</b>.<br />
To become notarized, a block must be approved by <math>2f+1</math> replicas.<br />
To approve a proposed block <math>B</math> at height <math>h</math>, <br />
each replica will verify a number of conditions,<br />
and if these tests pass, the replica will approve the block<br />
and broadcase a <b>notarization share</b> for <math>B</math>,<br />
consisting of <br />
* the hash of <math>B</math>,<br />
* the height <math>h</math> of <math>B</math>,<br />
* the identity <math>\textit{ID}</math> of the approving replica, and<br />
* the approving replica's signature on a message comprising the hash of <math>B</math>, <math>h</math>, and <math>\textit{ID}</math> (and the [[registry version]] associated with height <math>h</math>).</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=84IC consensus layer2021-10-14T16:48:28Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress, <br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<b>Block maker.</b><br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, and<br />
* the rank of the block maker.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity <math>\textit{ID}</math>, and<br />
* the block maker's signature on <math>B</math> and <math>\textit{ID}</math>.<br />
<br />
XXX</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=79IC consensus layer2021-10-11T18:36:49Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress, <br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<b>Block maker.</b><br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
As a block maker in round <math>h</math>, <br />
the replica proposes a block <math>B</math> of height <math>h</math> <br />
that to be child of a block <math>B'</math> of height <math>h-1</math><br />
in the tree of blocks.<br />
To do this, the block maker first gathers together a <b>payload</b><br />
consisting of all transaction requests it knows about<br />
(but not including those already included in payloads in blocks in the<br />
path through the tree ending at <math>B'</math>).<br />
The block <math>B</math> consists of<br />
* the payload,<br />
* the hash of <math>B'</math>, and<br />
* the rank of the block maker.<br />
After forming the block <math>B</math>, the block maker forms<br />
a <b>block proposal</b>, consisting of<br />
* the block <math>B</math>,<br />
* the block maker's identity <math>\textit{ID}</math>, and<br />
* the block maker's signature on <math>B</math> and <math>\textit{ID}</math>.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=78IC consensus layer2021-10-11T13:43:26Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress, <br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<b>Block maker.</b><br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
<br />
YYYYY</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=The_Internet_Computer_for_Computer_Scientists&diff=77The Internet Computer for Computer Scientists2021-10-08T21:08:40Z<p>VictorShoup: </p>
<hr />
<div>To a first approximation, the IC (Internet Computer) is a network of <br />
[[wikipedia:state machine replication|replicated state machines]].<br />
<br />
Each replicated state machine comprises a <b>subnet</b> of <b>replicas</b>.<br />
Subnets may communicate with one another,<br />
but otherwise they operate (for the most part) independently of each other.<br />
<br />
As in any replicated state machine, a series of <b>transaction requests</b> is processed.<br />
A transaction request may come from either an external client<br />
or from another state machine in the IC.<br />
The replicas in a subnet must run a <b>[[wikipedia:Consensus_(computer_science)|consensus protocol]]</b> to order the<br />
incoming transaction requests, so that each replica processes the transaction requests in the same order.<br />
Each replica processes the transaction requests in the agreed-upon order.<br />
In processing a transaction request, each replica will update its internal <b>state</b> <br />
according to a deterministic function that maps the pair (current state, transaction request) to a new state.<br />
Because all replicas in a subnet process transaction requests in the same order, <br />
their internal states will evolve over time in exactly the same way.<br />
In response to processing a transaction, a subnet may also generate an outgoing message,<br />
which can be sent to either an external client or to another state machine in the IC.<br />
<br />
The reason for using a replicated state machine, rather than just a single state machine,<br />
is to achieve [[wikipedia:fault tolerance|fault tolerance]]: a subnet should continue <br />
to function &mdash; and to function <i>correctly</i> &mdash; even if some replicas are <b>faulty</b>.<br />
Generally in this area, one considers two types of replica failures: <b>crash failure</b> and <br />
<b>[[wikipedia:Byzantine_fault|Byzantine failures]]</b>.<br />
A <b>crash failure</b> occurs when a replica abruptly stops and does not resume. <b>Byzantine failures</b> are failures in which a replica may deviate in an arbitrary way from its prescribed protocol. Moreover, with Byzantine failures, one or possibly several replicas may be directly under the control of a malicious adversary.<br />
Of the two types of failures, Byzantine failures are potentially far more disruptive.<br />
<br />
Protocols for consensus and for implementing replicated state machines typically make assumptions<br />
about <b>how many</b> replicas may be faulty and to <b>to what degree</b> (crash or Byzantine) they may be faulty.<br />
In the IC, the assumption is that if a given subnet has <math>n</math> replicas, then less than <math>n/3</math><br />
of these replicas are faulty and these faults may be Byzantine.<br />
(Note that the different subnets in the IC may have different sizes.)<br />
<br />
Protocols for consensus and for implementing replicated state machines also typically make<br />
assumptions about the <b>communication model</b>, which characterizes the ability of an adversary <br />
to delay the delivery of messages between replicas.<br />
At opposite ends of the spectrum, we have the following models:<br />
* In the <b>synchronous model</b>, there exists some known finite time bound <math>\Delta</math>, such that for any message sent, the adversary can delay its delivery by at most <math>\Delta</math>.<br />
* In the <b>asynchronous model</b>, for any message sent, the adversary can delay its delivery by any finite amount of time, so that there is no bound on the time to deliver a message; however, each message must <b>eventually</b> be delivered.<br />
<br />
<br />
Since the replicas in an IC-subnet are typically distributed around the globe, a synchronous communication model would be highly unrealistic.<br />
In this setting, the most robust model is the asynchronous model.<br />
Unfortunately, there are no known consensus protocols in this model that are truly practical.<br />
So like most other practical Byzantine fault tolerant systems that cannot rely on synchronous communication,<br />
the IC opts for a compromise: a <b>partial synchrony</b> communication model.<br />
Such partial synchrony models can be formulated in various ways.<br />
The partial synchrony assumption used by the IC says, roughly speaking,<br />
that for each subnet, communication among replicas in that subnet is synchronous for short periods of time<br />
every now and then;<br />
moreover, the synchrony bound <math>\Delta</math> does not need to be known in advance.<br />
This partial synchrony assumption is only needed to ensure that the consensus protocol makes progress<br />
(the so-called liveness property) &mdash; it is not needed to ensure correct behavior of consensus<br />
(the so-called safety property), nor is it needed anywhere else in the IC protocol stack.<br />
<br />
Under the assumption of partial synchrony and Byzantine faults, it is known that our bound of <math>f < n/3</math><br />
on the number of faults is optimal.<br />
<br />
Related topics:<br />
* [[IC architecture overview]]<br />
* [[IC canisters]]<br />
* [[IC network nervous system (NNS)]]<br />
* [[IC threshold signatures and distributed key generation]]<br />
* [[IC crossnet communication]]<br />
* [[IC catchup packages]]<br />
* [[IC fault model]]<br />
* [[IC tokens]]</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=The_Internet_Computer_for_Computer_Scientists&diff=76The Internet Computer for Computer Scientists2021-10-08T21:08:25Z<p>VictorShoup: </p>
<hr />
<div>To a first approximation, the IC (Internet Computer) is a network of <br />
[[wikipedia:state machine replication|replicated state machines]].<br />
<br />
Each replicated state machine comprises a <b>subnet</b> of <b>replicas</b>.<br />
Subnets may communicate with one another,<br />
but otherwise they operate (for the most part) independently of each other.<br />
<br />
As in any replicated state machine, a series of <b>transaction requests</b> is processed.<br />
A transaction request may come from either an external client<br />
or from another state machine in the IC.<br />
The replicas in a subnet must run a <b>[[wikipedia:Consensus_(computer_science)|consensus protocol]]</b> to order the<br />
incoming transaction requests, so that each replica processes the transaction requests in the same order.<br />
Each replica processes the transaction requests in the agreed-upon order.<br />
In processing a transaction request, each replica will update its internal <b>state</b> <br />
according to a deterministic function that maps the pair (current state, transaction request) to a new state.<br />
Because all replicas in a subnet process transaction requests in the same order, <br />
their internal states will evolve over time in exactly the same way.<br />
In response to processing a transaction, a subnet may also generate an outgoing message,<br />
which can be sent to either an external client or to another state machine in the IC.<br />
<br />
The reason for using a replicated state machine, rather than just a single state machine,<br />
is to achieve [[wikipedia:fault tolerance|fault tolerance]]: a subnet should continue <br />
to function &mdash; and to function <i>correctly</i> &mdash; even if some replicas are <b>faulty</b>.<br />
Generally in this area, one considers two types of replica failures: <b>crash failure</b> and <br />
<b>[[wikipedia:Byzantine_fault|Byzantine failures]]</b>.<br />
A <b>crash failure</b> occurs when a replica abruptly stops and does not resume. <b>Byzantine failures</b> are failures in which a replica may deviate in an arbitrary way from its prescribed protocol. Moreover, with Byzantine failures, one or possibly several replicas may be directly under the control of a malicious adversary.<br />
Of the two types of failures, Byzantine failures are potentially far more disruptive.<br />
<br />
Protocols for consensus and for implementing replicated state machines typically make assumptions<br />
about <b>how many</b> replicas may be faulty and to <b>to what degree</b> (crash or Byzantine) they may be faulty.<br />
In the IC, the assumption is that if a given subnet has <math>n</math> replicas, then less than <math>n/3</math><br />
of these replicas are faulty and these faults may be Byzantine.<br />
(Note that the different subnets in the IC may have different sizes.)<br />
<br />
Protocols for consensus and for implementing replicated state machines also typically make<br />
assumptions about the <b>communication model</b>, which characterizes the ability of an adversary <br />
to delay the delivery of messages between replicas.<br />
At opposite ends of the spectrum, we have the following models:<br />
* In the <b>synchronous model</b>, there exists some known finite time bound <math>\Delta</math>, such that for any message sent, the adversary can delay its delivery by at most <math>\Delta</math>.<br />
* In the <b>asynchronous model</b>, for any message sent, the adversary can delay its delivery by any finite amount of time, so that there is no bound on the time to deliver a message; however, each message must <b>eventually</b> be delivered.<br />
<br />
<br />
Since the replicas in an IC-subnet are typically distributed around the globe, a synchronous communication model would be highly unrealistic.<br />
In this setting, the most robust model is the asynchronous model.<br />
Unfortunately, there are no known consensus protocols in this model that are truly practical.<br />
So like most other practical Byzantine fault tolerant systems that cannot rely on synchronous communication,<br />
the IC opts for a compromise: a <b>partial synchrony</b> communication model.<br />
Such partial synchrony models can be formulated in various ways.<br />
The partial synchrony assumption used by the IC says, roughly speaking,<br />
that for each subnet, communication among replicas in that subnet is synchronous for short periods of time<br />
every now and then;<br />
moreover, the synchrony bound <math>\Delta</math> does not need to be known in advance.<br />
This partial synchrony assumption is only needed to ensure that the consensus protocol makes progress<br />
(the so-called liveness property) &mdash; it is not needed to ensure correct behavior of consensus<br />
(the so-called safety property), nor is it needed anywhere else in the IC protocol stack.<br />
<br />
Under the assumption of partial synchrony and Byzantine faults, it is known that our bound of <math>f < n/3</math><br />
on the number of faults is optimal.<br />
<br />
Related topics:<br />
* [[IC architecture overview]]<br />
* [[IC canisters]]<br />
* [[IC network nervous system (NNS)]]<br />
* [[IC threshold signatures and distributed key generation]]<br />
* [[IC crossnet communication]]<br />
* [[IC catchup packages]]<br />
* [[IC fault model]]<br />
* [[IC tokens]]<br />
<br />
XXX</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=75IC consensus layer2021-10-08T21:01:36Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress, <br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<b>Block maker.</b><br />
Each replica may at different points in time play the role of a <b>block maker</b>.<br />
XXX</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=74IC consensus layer2021-10-08T20:36:47Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress, <br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<b>Block maker.</b><br />
Each replica may at different points in time play the role of a <b>block maker</b>.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=73IC consensus layer2021-10-08T20:31:22Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress, <br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
XXX</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=72IC consensus layer2021-10-08T20:30:50Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress, <br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
<b>Random beacon.</b><br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=71IC consensus layer2021-10-08T20:11:17Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress, <br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
Because of the security properties of the threshold signature,<br />
an adversary will not be able to predict the ranking of the replicas more than one round in advance,<br />
and these rankings will effectively be as good as random.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=70IC consensus layer2021-10-08T20:05:52Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress, <br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at height <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
The random beacon at height <math>h</math> is used to derive a pseudo-random permutation on the replicas.<br />
This permutation effectively assigns to each</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=69IC consensus layer2021-10-08T20:05:01Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress, <br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies both of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
To simplify the presentation, we assume here that <math>n=3f+1</math>.<br />
<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a pseudo-random process is used to assign<br />
each replica a unique <b>rank</b>, which is an<br />
integer in the range <math>0,\ldots,</math>.<br />
This is pseudo-random process is implemented using a <b>random beacon</b> (see below).<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block, which will be added to the tree;<br />
moreover, this will be the <i>only</i> block added to the tree<br />
and it will extend the finalized path.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned <b>random beacon</b>.<br />
The random beacon for height <math>h</math> is a <math>(f+1)</math>-threshold signature<br />
on a message unique to height <math>h</math>. <br />
In each round of the protocol, each replica broadcasts its share of the beacon for<br />
the next round, so that when the next round begins, all replicas should have enough shares<br />
to reconstruct the beacon for that round.<br />
As discussed above, the random beacon at <math>h</math> is used to <br />
assign a pseudo-random rank to each replica that will be used in round <math>h</math> of the protocol.<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
The random beacon at height <math>h</math> is used to derive a pseudo-random permutation on the replicas.<br />
This permutation effectively assigns to each</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=68IC consensus layer2021-10-08T13:29:25Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee three properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests,<br />
* <b>liveness</b>: all replicas should make steady progress, and<br />
* <b>validity</b>: all transaction requests satisfy some (application specific) validity condition.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies all of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
Initialization:<br />
* broadcast a share of the height 1 beacon<br />
* <math>D \gets \emptyset</math> &mdash; ''the set of disqualified parties''<br />
<br />
<br />
For each height <math>h=1, 2, 3, \ldots</math><br />
* wait for <math>f+1</math> shares of the height-<math>h</math> random beacon<br />
* combine these shares to obtain the height-<math>h</math> random beacon<br />
** ''this defines the rank of each replica for height <math>h</math>''<br />
<br />
<br />
TBD: finish writing high-level summary of protocol.<br />
Maybe it is better to write it out more in words than dense pseudocode.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=67IC consensus layer2021-10-08T13:25:06Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper [https://eprint.iacr.org/2021/1330] (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee three properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests,<br />
* <b>liveness</b>: all replicas should make steady progress, and<br />
* <b>validity</b>: all transaction requests satisfy some (application specific) validity condition.<br />
The paper [https://eprint.iacr.org/2021/1330] proves that the IC consensus protocol satisfies all of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
Initialization:<br />
* broadcast a share of the height 1 beacon<br />
* <math>D \gets \emptyset</math> &mdash; ''the set of disqualified parties''<br />
<br />
<br />
For each height <math>h=1, 2, 3, \ldots</math><br />
* wait for <math>f+1</math> shares of the height-<math>h</math> random beacon<br />
* combine these shares to obtain the height-<math>h</math> random beacon<br />
** ''this defines the rank of each replica for height <math>h</math>''<br />
<br />
<br />
TBD: finish writing high-level summary of protocol.<br />
Maybe it is better to write it out more in words than dense pseudocode.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=66IC consensus layer2021-10-08T13:24:37Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee three properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests,<br />
* <b>liveness</b>: all replicas should make steady progress, and<br />
* <b>validity</b>: all transaction requests satisfy some (application specific) validity condition.<br />
The paper https://eprint.iacr.org/2021/1330 proves that the IC consensus protocol satisfies all of these properties<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
Initialization:<br />
* broadcast a share of the height 1 beacon<br />
* <math>D \gets \emptyset</math> &mdash; ''the set of disqualified parties''<br />
<br />
<br />
For each height <math>h=1, 2, 3, \ldots</math><br />
* wait for <math>f+1</math> shares of the height-<math>h</math> random beacon<br />
* combine these shares to obtain the height-<math>h</math> random beacon<br />
** ''this defines the rank of each replica for height <math>h</math>''<br />
<br />
<br />
TBD: finish writing high-level summary of protocol.<br />
Maybe it is better to write it out more in words than dense pseudocode.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=65IC consensus layer2021-10-07T21:03:19Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
Initialization:<br />
* broadcast a share of the height 1 beacon<br />
* <math>D \gets \emptyset</math> &mdash; ''the set of disqualified parties''<br />
<br />
<br />
For each height <math>h=1, 2, 3, \ldots</math><br />
* wait for <math>f+1</math> shares of the height-<math>h</math> random beacon<br />
* combine these shares to obtain the height-<math>h</math> random beacon<br />
** ''this defines the rank of each replica for height <math>h</math>''<br />
<br />
<br />
TBD: finish writing high-level summary of protocol.<br />
Maybe it is better to write it out more in words than dense pseudocode.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=64IC consensus layer2021-10-07T21:01:04Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
Initialization:<br />
* broadcast a share of the height 1 beacon<br />
* <math>D \gets \emptyset</math> &mdash; ''the set of disqualified parties''<br />
<br />
<br />
For each height <math>h=1, 2, 3, \ldots</math><br />
* wait for <math>f+1</math> shares of the height-<math>h</math> random beacon<br />
* combine these shares to obtain the height-<math>h</math> random beacon<br />
** ''this defines the rank of each replica for height <math>h</math>''<br />
<br />
<br />
TBD: finish writing high-level summary of protocol</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=63IC consensus layer2021-10-07T20:44:31Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
Initialization:<br />
* broadcast a share of the height 1 beacon<br />
* <math>D \gets \emptyset</math> &mdash; ''the set of disqualified parties''<br />
<br />
<br />
For each height <math>h=1, 2, 3, \ldots</math><br />
* wait for <math>f+1</math> shares of the height-<math>h</math> random beacon<br />
* combine these shares to obtain the height-<math>h</math> random beacon<br />
** ''this defines the rank of each replica''<br />
<br />
<br />
TBD: finish writing high-level summary of protocol</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=62IC consensus layer2021-10-07T20:43:44Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
Initialization:<br />
* broadcast a share of the height 1 beacon<br />
* <math>D \gets \emptyset</math> &mdash; ''the set of disqualified parties''<br />
<br />
<br />
For each height <math>h=1, 2, 3, \ldots</math><br />
* wait for <math>f+1</math> shares of the height-<math>h</math> random beacon<br />
* combine these shares to obtain the height-<math>h</math> random beacon<br />
** ''this defines the rank of each replica''</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=61IC consensus layer2021-10-07T20:39:32Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
Initialization:<br />
* broadcast a share of the height 1 beacon<br />
* <math>D \gets \emptyset</math> &mdash; the set of disqualified parties<br />
<br />
<br />
For each height <math>h=1, 2, 3, \ldots</math></div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=60IC consensus layer2021-10-07T20:37:28Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
Initialization:<br />
* broadcast a share of the height 1 beacon<br />
* initialize the set of disqualified parties to <math>\emptyset</math></div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=59IC consensus layer2021-10-07T20:34:46Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].<br />
<br />
<ol><br />
<li> step<br />
</ol></div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=58IC consensus layer2021-10-07T20:25:50Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
The message complexity per round of the IC consensus protocol is typically <math>O(n^2)</math>.<br />
The protocol also enjoys the property known as <b>optimistic responsiveness</b>,<br />
which means that <br />
so long as the leader is honest, the protocol will proceed at the pace<br />
of the actual network delay, rather than some upper bound on<br />
the network delay.<br />
<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=57IC consensus layer2021-10-07T20:06:24Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multi-signature.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multi-signatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=56IC consensus layer2021-10-07T20:02:30Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multisignatire.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multisignatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.<br />
There are many DKG protocols in the literature.<br />
The Internet Computer implements a new [[non-interactive DKG (NiDKG) protocol]].</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=55IC consensus layer2021-10-07T20:00:40Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multisignatire.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multisignatures as discussed above,<br />
the protocol makes use of a BLS [[wikipedia:Threshold_cryptosystem|threshold signature scheme]] to implement the <br />
above-mentioned [[random beacon]].<br />
To set up such a threshold signature scheme, the Internet Computer runs a<br />
[[wikipedia:Distributed_key_generation|distributed key generation (DKG)]] protocol.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=54IC consensus layer2021-10-07T19:57:17Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multisignatire.<br />
FIXME: citation, discussion of rogue key attack mitigation.<br />
<br />
In addition to BLS signatures and multisignatures as discussed above,<br />
the protocol makes use of a BLS threshold signature scheme to implement the <br />
above-mentioned [[random beacon]].</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=53IC consensus layer2021-10-07T19:49:06Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].<br />
These BLS signatures will be used to authenticate messages, also called <b>artifacts</b>,<br />
sent by replicas.<br />
The protocol also uses the <b>signature aggregation</b> feature of BLS signatures,<br />
which allows many signatures on the same message to be aggregated into<br />
a compact multisignatire.<br />
FIXME: citation, discussion of rogue key attack mitigation.</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=52IC consensus layer2021-10-07T19:42:39Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that the network will be <b>timely</b> periodically.<br />
Somewhat more precisely, there exists a bound <math>\Delta</math> such that<br />
periodically all undelivered <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=51IC consensus layer2021-10-07T19:35:21Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that there exists a bound <math>\Delta</math><br />
such that from time to time, <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <b>rounds</b>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of <b>height</b> <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <b>rank</b>.<br />
The party of lowest rank is the <b>leader</b> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=50IC consensus layer2021-10-07T19:34:17Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that there exists a bound <math>\Delta</math><br />
such that from time to time, <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <i>rounds</i>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of height <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <i>rank</i>.<br />
The party of lowest rank is the <i>leader</i> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the [[wikipedia:BLS_digital_signature|BLS signature scheme]], and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].</div>VictorShouphttps://icstaging.mywikis.net/w/index.php?title=IC_consensus_layer&diff=49IC consensus layer2021-10-07T19:32:59Z<p>VictorShoup: </p>
<hr />
<div>The job consensus layer of the IC is to order transaction requests so that all replicas in a subnet will process <br />
transaction requests in the same order.<br />
There are many protocols in the literature for this problem.<br />
The IC uses a new consensus protocol, which is described here at a high level. <br />
For more details, see the paper https://eprint.iacr.org/2021/1330 (in particular, Protocol ICC1 in that paper).<br />
<br />
Any secure consensus protocol should guarantee two properties, which (roughly stated) are:<br />
* <b>safety</b>: all replicas in fact agree on the same ordering of transaction requests, and<br />
* <b>liveness</b>: all replicas should make steady progress.<br />
<br />
The IC consensus protocol is design to be<br />
* extremely simple, and<br />
* robust (performance degrades gracefully when some replicas are malicious).<br />
<br />
As discussed [[The Internet Computer for Computer Scientists|in the introduction]], we assume<br />
* a subnet of <math>n</math> replicas, and<br />
* at most <math>f < n/3</math> of the replicas are faulty.<br />
Faulty replicas may exhibit arbitrary, malicious (i.e., Byzantine) behavior.<br />
<br />
We assume that communication is <b>asynchronous</b>, with no <i>a priori</i><br />
bound on the delay of messages sent between replicas.<br />
In fact, the scheduling of message delivery may be completely under adversarial control.<br />
The IC consensus protocol guarantees safety under this very weak communication assumption.<br />
However, to guarantee liveness, we need to assume a form of <b>partial synchrony</b>,<br />
which (roughly stated) says that there exists a bound <math>\Delta</math><br />
such that from time to time, <br />
messages will be delivered within time <math>\Delta</math>.<br />
The bound <math>\Delta</math> does not have to be known in advance (the protocol can <br />
adapt itself to an unknown <math>\Delta</math> value).<br />
Regardless of whether we are assuming an asynchronous<br />
or partially synchronous network,<br />
we assume that every message sent from one honest<br />
party to another will <i>eventually</i> be delivered.<br />
<br />
Like a number of consensus protocols,<br />
the IC consensus protocol is based in a [[wikipedia:blockchain|blockchain]].<br />
As the protocol progresses, a tree of blocks is grown,<br />
starting from a special <i>genesis block</i> that is the root of the tree.<br />
Each non-genesis block in the tree contains (among other things)<br />
a <i>payload</i>, consisting of a sequence of transaction requests,<br />
and a hash of the block's parent in the tree. <br />
The honest replicas have a consistent view of this tree:<br />
while each replica may have a different, partial view<br />
of this tree, all the replicas have a view of the <i>same</i> tree.<br />
In addition, as the protocol progresses,<br />
there is always a path of <i>finalized</i> blocks in this tree.<br />
Again, the honest replicas have a consistent view of this path:<br />
while each replica may have a different, partial view<br />
of this path, all the parties have a view of the <i>same</i> path.<br />
The transaction requests in the payloads of the blocks along this<br />
path are the ordered transaction requests will be processed by the [[IC execution layer|execution layer]]<br />
of the Internet Computer.<br />
<br />
The protocol proceeds in <i>rounds</i>.<br />
In round <math>h</math> of the protocol,<br />
one or more blocks of height <math>h</math> are added to the tree.<br />
That is, the blocks added in round <math>h</math> are always at a distance<br />
of exactly <math>h</math> from the root.<br />
In each round, a [[random beacon]] is used to<br />
generate a random permutation of the <math>n</math> parties,<br />
so as to assign to each party a <i>rank</i>.<br />
The party of lowest rank is the <i>leader</i> of that round.<br />
When the leader is honest and the network is timely,<br />
the leader will propose a block which will be added to the tree.<br />
If the leader is not honest or the network is not timely,<br />
some other parties of higher rank may also propose blocks,<br />
and also have their blocks added to the tree.<br />
In any case, the logic of the protocol gives highest priority <br />
to the leader's proposed block.<br />
<br />
To implement the protocol, each replica is associated with a <br />
public key for the BLS signature scheme, and each replica also holds<br />
the corresponding secret signing key.<br />
The association of replicas to public keys is maintained by the<br />
[[IC network nervous system (NNS)|network nervous system (NNS) of the Internet Computer]].</div>VictorShoup