Professional Documents
Culture Documents
for Blockchains
Abstract longer have to worry about Sybil attacks [21], there are
Existing Byzantine fault tolerance (BFT) protocols still some other significant challenges.
face significant challenges in the consortium blockchain The blockchain is replicated to each participant, and
scenario. On the one hand, we can make little assump- the key problem is how to reach consensus on these repli-
tions about the reliability and security of the underlying cas. Comparing to traditional distributed transaction sys-
Internet. On the other hand, the applications on consor- tems, the three biggest challenges of a blockchain are:
tium blockchains demand a system as scalable as the Bit- 1) Players are from different organizations without
coin but providing much higher performance, as well as mutual trust. Failures, even Byzantine failures, are com-
provable safety. We present a new BFT protocol, Gosig, mon. Thus, we cannot rely on a small quorum (e.g.,
that combines crypto-based secret leader selection and Chubby [9] or ZooKeeper [27]) for consensus. Instead,
multi-round voting in the protocol layer with implemen- we need Byzantine consensus and allow all players to
tation layer optimizations such as gossip-based message participate, i.e., supporting a consensus group with thou-
propagation. In particular, Gosig guarantees safety even sands of servers.
in a network fully controlled by adversaries, while pro- 2) The system runs on an open Internet. The network
viding provable liveness with easy-to-achieve network can drop/delay communication arbitrarily. Even worse,
connectivity assumption. On a wide area testbed con- as the addresses of the participants are known to all, an
sisting of 140 Amazon EC2 servers spanning 14 cities adversary can easily launch attacks targeting any chosen
on five continents, we show that Gosig can achieve over participant at any time, using techniques like distributed
4,000 transactions per second with less than 1 minute denial-of-service (DDoS) [26, 49]. The adversary can
transaction confirmation time. strategically choose which players to attack, and victims
will remain unavailable until the adversary adaptively
1 Introduction choose to attack others. We call these attacks adaptive
attacks, which strongly threatens the special nodes in a
The rise of cryptocurrencies, such as Bitcoin [43], in- protocol, such as the leaders.
creases the awareness and adoption of the underly- 3) Different from Bitcoin that allows temporary incon-
ing blockchain technology. Blockchain offers a dis- sistency (i.e., a fork), people usually expect a permis-
tributed ledger that serializes and records the transac- sioned chain to provide more traditional transaction se-
tions. Blockchain provides attractive properties such as mantics, i.e., a committed transaction is durable. Also,
full decentralization, offline-verifiability, and most im- applications on a permissioned chain [1] require much
portantly, scalable Byzantine fault tolerance on the In- higher throughput and lower latency than Bitcoin.
ternet. Thus, Blockchain has become popular beyond While there are many Byzantine fault-tolerant (BFT)
cryptocurrencies, expanding into different areas such as protocols, most of them do not sufficiently address these
payment services, logistics, healthcare, and Internet-of- three challenges. For example, PBFT [13] and its suc-
Things (IoT) [8, 54, 48]. cessors [33, 38] and even some Bitcoin variants [23] all
While Bitcoin provides a permissionless protocol, depend on a leader or a small quorum to participate mul-
where everyone can join, we focus on consortium tiple rounds of communications, and thus they are vul-
blockchains (aka permissioned blockchains), where a nerable to adaptive attacks on the leader. Other protocols
participant needs offline authentication to join. It is use- that try to avoid faulty leaders by changing leaders in a
ful in many commercial applications [25]. While we no fixed order [35, 42, 51, 3] cannot avoid adaptive leader
1
attacks, because once the adversaries know who is the 140 nodes, and achieve promising performance results.2
next leader, they can change their target accordingly.
There is a new generation of BFT protocols designed 2 Related Work
to run over the Internet. To avoid adaptive attacks, Al-
gorand [24] hides the leader identity. To improve scal-
Bitcoin and its variants. Permissionless public
ability, ByzCoin[32] combines Proof of Work (PoW)
blockchains like Bitcoin [43], Ethereum [53], PP-
with multi-signature-based PBFT. To tolerate arbitrary
Coin [31] need proof of work (PoW) or proof of stake
network failures, HoneyBadgerBFT[41] adopts asyn-
(PoS) to prevent Sybil attacks. They also need incen-
chronous atomic broadcast [11] and asynchronous com-
tive mechanisms to encourage people to join the public
mon subset (ACS) [4].
network to keep the system safe. Other designs [17, 20]
Unfortunately, as we will detail in Section 3.3, none of try to avoid chain forking but retain the design of PoW
these BFT protocols offer the following properties at the or PoS. We assume consortium blockchains [10, 45, 52],
same time: 1) liveness under adaptive attack, 2) scalabil- and mainly focus on the performance and safety of the
ity to 10,000s of nodes with low latency (15 seconds in system, instead of the other economic aspects.
our simulation) for commitment, and 3) provable safety
Byzantine fault tolerance. The most important fea-
(i.e., no fork at any time) with arbitrary network fail-
ture of a BFT protocol is safety. Unfortunately, many
ure. Also, there is no straightforward way to combine
open source BFT protocols are not safe [12]. There are
the techniques used in these protocols.
two major approaches to design provable BFT agree-
We present Gosig1 , a new BFT protocol for permis-
ment protocols. 1) Using multi-round voting: exam-
sioned blockchains. Gosig can achieve all three proper-
ple systems include PBFT [13] and its successors [33,
ties above, and also provide provable liveness with par-
38, 14]; 2) Using leader-less atomic broadcast: Hon-
tially synchronous network (details in Section 3.2).
eyBadgerBFT [41] and [16, 34]. To prevent malicious
Gosig elects different leaders secretly for every block, leaders from affecting the system, Aardvark [15] use
and it eliminates the leader’s involvement after it pro- performance metrics to trigger view changes and Spin-
poses a block to defend against adaptive attacks on lead- ning [51], Tendermint [35] or others [3, 42] rotates leader
ers. At the implementation level, we use gossip-based roles in a round robin manner. However, there methods
communications to fully exploit the link redundancy on can not avoid adaptive attacks because the leader role is
the Internet while keeping the source safe. Since we known to all in advance, and thus can be muted by at-
need to gather signatures during gossip, we adopt asyn- tacks like DDoS right before it becomes a leader. Gosig
chronous multi-signature [6, 46] to largely reduce the adopts similar voting mechanism like PBFT to get good
network overhead of consensus messages. performance without failure, and keeps safety and live-
We evaluate Gosig on an Amazon EC2-based 140- ness under attacks.
server testbed that spans 14 cities on five continents. We In order to scale the system, many systems adopt
can achieve a throughput of 4,000 tps (transactions per the “hybrid consensus” design [30, 32, 44] that uses a
second) with an average transaction confirmation latency Bitcoin-like protocol to select a small quorum, and use
of 1 minute. Even when 1/4 of the nodes fail, we can another (hopefully faster) BFT protocol to commit trans-
still maintain over 3,500 tps with the same latency. With actions. If adversaries can instantly launch adaptive at-
over 100 participants, it effectively doubles the through- tacks on leaders, it is hard for these protocols to main-
put and reduces the latency by 80% comparing to Honey- tain liveness. Algorand [24] leverages secret leader elec-
BadgerBFT [41], the state-of-the-art protocol that offers tion and quorum member replacement methods to keep
the same level of safety guarantee. Also, using simula- liveness. Gosig lets every player participate in the con-
tions, we show that Gosig is able to scale to 10K nodes. sensus, but combines similar secret leader selection with
In summary, our major contributions are: signature-based voting to prevent such attacks.
1) We propose a new BFT protocol that achieves scal- We use similar methods and adversary models pro-
ability, provable safety and resilient to adaptive attack. posed in Algorand [24]. We adopt the idea of multi-
2) We propose a novel method of combining secret round voting from PBFT and HoneyBadgerBFT [41],
leader selection, random gossip, multi-round voting, and and the idea of multi-signature from ByzCoin [32].
multi-signature into a single BFT protocol in a compati- Gosig combines these incompatible methods in a coher-
ble way. ent protocol and achieves good performance. We com-
3) We provide a real Gosig implementation, evaluate pare the key differences of these protocols in Section 3.3.
it on a real-world geographically distributed testbed with Overlay network and gossip. Most BFT protocols and
1 The
blockchains use broadcast as a communication primitive.
name is a combination of Gossip and Signature aggregation,
two techniques we use. 2 We will opensouce Gosig when the paper is published.
2
To improve broadcast reliability on the Internet, people Here we define safety and liveness of blocks instead
often use application-layer overlay networks. We adopt of transactions for simplicity. We rely on gossip mecha-
techniques like gossip from reliable multicast [5], prob- nisms to ensure that a transaction will reach most play-
abilistic broadcast [22, 29] and other peer-to-peer (P2P) ers, and an honest player will pack the transaction when
networks [28, 50]. Existing P2P networks may tolerate it becomes the leader. Intuitively, the safety condi-
some Byzantine failures, but do not provide convergence tion requires a total order of committed blocks on the
guarantee [37]. By combining network optimizations blockchains at all honest players, meaning there is no
like gossip with a robust protocol layer design, we can fork at any time. The liveness condition says that all
greatly improve both system resilience and availability. honest players will always make progress, i.e., if a trans-
action can reach all honest players, it will eventually be
confirmed. Both conditions are based on certain assump-
3 Problem Definition and Assumptions tions about the system, and we detail them next.
3
Leader Selection Leader Selection
ByzCoin [32] offers excellent scalability by com-
bining PBFT, signature collection and proof-of-work Round r-1 Round r Round r+1
(PoW). However, like PBFT, it loses liveness under adap-
tive attacks given that it is still PBFT-based. Even with- Stage I Stage II
Block proposal Block commitment
out PBFT, its two-phase multi-signature and Bitcoin-
p1 B B
NG [23]-like mechanism that allows elected leaders to P(B)
keep serving are also vulnerable to adaptive attacks. p2 B
Algorand [24] has excellent scalability, and tolerate PR(B)
p3 B
adaptive attack using secret consortium election. How- TC(B)
ever, the safety of its Byzantine Agreement is based on p4
4
block B as “pi Ps B”, and the action that pi sends a TC At the beginning of each round r, each player pi com-
message about a block B as “pi TCs B”. putes her Lr (i), and if the score is less than a leader prob-
ability parameter q, she knows that she is a potential
5.1 Player’s Local State leader of the round. A potential leader can prove to other
players about her leader status with the value SIGi (r, Qh ).
We describe each player as a finite state machine in We define the value as the leader proof for round r, lcri .
Gosig. Each player maintains a local state and decides The process requires no communication among players.
her next actions based on the state and external events The cryptographic sortition algorithm has two good
(receiving a certain message or selected as a leader). properties: 1) the signature SIGi uses pi ’s private key,
The local state on player pi is a 4-tuple si = hBroot , and thus cannot be forged by others; 2) If the hash func-
hroot , Btc , Fi. The tuple contains two types of informa- tion H(·) is perfectly random, the potential leader selec-
tion. The first two values are about the last committed tion is uniformly random. Thus, there is no way for the
block in her local blockchain copy. Broot is the block it- adversary to know who is selected, nor can it change any
self, and hroot is the height of Broot . node’s chance of becoming a leader.
The rest values in si describe the pending block that the Choosing a right q is important. If q is too small, some
player plans to add to her chain at height hroot + 1. Btc is rounds may not have a leader and thus fail to proceed. If
the pending block itself. Btc is non-null if pi has TCed q is too large, there may be many competing potential
Btc . Otherwise, Btc is a null value ε. The last variable F leaders, wasting resources to resolve the conflict. Sim-
characterizes the timeliness of the block of Btc . ilar to Algorand, we set q = 7/N where N is the total
Besides the elements appearing in the tuple, pi also number of players. This q is sufficiently large to reduce
implicitly maintains two variables: croot and ctc . croot is the probability of no-leader rounds to less than 0.1%.
a commitment certificate that proves the validity of Broot , Of course, a faulty node may still become a potential
and ctc is a proposal certificate of Btc . We define both leader. In this case, the worst damage it can cause is to
later in this section. For brevity, we do not explicitly stall the round without affecting the correctness.
include croot and ctc in the si tuple.
When Gosig starts running, a player’s local state is ini-
tialized as si = hBε , 0, ε, 0i. 5.3 Potential Leaders Propose Blocks
When a player pi recognizes that she is a potential leader,
5.2 Leader Selection: The First Step
she needs to decide which block to propose and then gen-
Leader selection is the first step of each round. The erate a proposal message.
objective of this step is to secretly and randomly select Given pi ’s current local state si = hBroot , hroot , Btc , Fi
the potential leaders who are entitled to propose a next (Btc may be ε), she first gathers a list of candidate blocks
block. The greatest challenge is to keep the election re- to propose. If pi finds she has a non-empty Btc , the block
sult unpredictable until the potential leaders have sent out Btc is a good candidate to propose again, and the height
the propose messages (PR message). Otherwise, the ad- stays the same as Btc . Alternatively, she can also con-
versary can attack the leaders beforehand, and thus break struct a new block extending her own chain, at height
the liveness of the system. (hroot + 1). The following procedure defines which block
The cryptographic sortition algorithm. We use a sim- she will propose.
plified version of the cryptographic sortition mechanism To make a proposal valid, a potential leader needs to
from Algorand [24] to select a set of potential leaders. provide a valid certificate c for the proposed block B at
Similarly, we use a number Qh to implement crypto- height h. In addition to serving as a proof of the block
graphic sortition. In Gosig, Qh is recursively defined as validity, c also determines the proposal round r p (B)6 of
the block proposal. The leader decides which candidate
Qh = H(SIGl h (Qh−1 )) (h > 0) (1)
block to propose based on r p (B).
where h is the height of a committed block B5 , H is a We can understand the proposal round as the round
secure hash function shared by all players, l h is defined number when the block is first generated. Intuitively,
as the leader who has proposed the block B (the signer of a block with a larger proposal round is more likely to
the proposal certificate of B), and SIGi (M) is the digital get accepted by peers. Therefore, in Gosig, we stipulate
signature of message M signed with pi ’s private key. that a potential leader should propose the block with the
Based on Qh , we define a player pi ’s leader score largest proposal round among all candidate blocks.
L (i) at round r as Lr (i) = H(SIGi (r, Qh )), where h is
r
6 More precisely, the proposal round is an attribute of a proposal,
the height of the latest committed block at round r.
which is defined in the next paragraph, rather than of a block. We use
5 Q0 is a random number shared among all players. r p (B) notation for brevity.
5
A proposal certificate c is valid if and only if it signed if X contains at least k distinct players’ signa-
matches one of the following two cases. We also specify tures.
how we compute the proposal round in each case. P message. A prepare message (P message) digitally
0 0
Case 1: c = TCir (Br , h) (r0 < r), where B and h are ex- signs a block. Specifically, Pir (Br , h) means player pi
actly the proposed block and its height, respectively. In signs her vote for the block Br at height h proposed in
this case, r p (B) = r0 ; round r. In short, we say pi prepares or “P”s Br .
0 0
Case 2: c = TCXr (B0r , h − 1) (r0 < r), where X contains TC message. A tentatively-commit message (TC mes-
at least 2 f + 1 different players. In this case, r p (B) = sage) signs a proof of a (2 f + 1)-signed P message.
r0 + 1. Specifically, TCir (Br , h) proves that at least 2 f + 1 play-
Finally, the potential leader pi assembles a proposal ers (including pi ) have Ped the block Br at height h
message (PR message) in the form of PRri (B∗ , h, c, lc) in round r. In short, we say pi tentatively-commits or
containing: 1) the proposed block B∗ , 2) B∗ ’s height h, 3) “TC”s Br .
the proposal certificate c, and 4) the leader proof lc (de- Stage II protocol. Algorithm 1 outlines the expected
fined in Section 5.2). Then pi signs the message with her behavior of an honest player pi in Stage II. We model
private key. Everyone can easily verify the validity of the each pi as a finite state machine with local states listed at
PR message by checking the included block, signatures the beginning of Algorithm 1. It performs actions based
and certificates. on current local state and the incoming messages.
Lines 1 to 7 describe the initialization procedure, in
which pi checks all block proposals she receives in Stage
5.4 Stage I: Block Proposal Broadcast I (by calling the function DecideMsg in Algorithm 2).
After the leader selection step, Gosig enters Stage I: If pi received valid proposals in Stage I, she needs to
block proposal dissemination. The objective of this stage decide which block to prepare (function DecidePMsg in
is to propagate blocks proposed by all potential leaders Algorithm 2). In general, pi prefers a block proposal
to as many honest players as possible. with larger proposal round, as it indicates a more recent
We use the well-known gossip protocol [47] to dissem- block (lines 2.14 to 2.20). Finally, pi chooses exactly
inate messages on the application layer overlay network one block B̄ for height h, and Ps it (line 1.4 and line 1.7,
formed by the same set of players. A player sends/for- respectively).
wards a message to m randomly selected players in each After initialization, the state machine of pi starts to
hop. Parameter m is called the fanout and determines handle incoming messages. Lines 8 to 29 in Algorithm 1
how fast the message propagates. outlines handler routines for these three different mes-
Potential leaders initiate the gossip of their PR mes- sage types. pi only signs messages about the same block
sages. Each honest player, upon receiving a PR mes- that she has Ped (line 1.9 and line 1.21), she can only
sage, will first check its validity, and then forward all TC a block B after she collects at least 2 f + 1 signatures
valid PR messages. Note that there can be more than one from the P message about B, and she can only commit a
valid block proposed in the same round, either because block B after she collects at least 2 f + 1 signatures from
there are multiple potential leaders, or because a mali- the TC messages about B (line 1.13 and 1.25). These
cious leader can propose multiple valid blocks. Players rules ensure the safety of Gosig.
forward all valid blocks in this stage and leave the con-
flict resolution to Stage II. 5.6 Reducing Signature Sizes
At the end of Stage I (after a fixed time interval T1 ), we
expect that most players have seen all block proposals in Gosig protocol requires signatures from over 2/3 of
the round, assuming everything goes well. Nevertheless, the players. To reduce the storage and communica-
Stage II is able to handle all complicated situations. tion overhead of signatures, we adopt the techniques
in [7, 6] to aggregate these signatures into a compact
multi-signature form.
5.5 Stage II: Signature Collection The cryptographic signature of a player pi involves a
hash function H, a generator G, a private key xi , and a
The objective of Stage II is to disseminate signed mes-
public key Vi = Gxi . A player holding the private key xi
sages of players’ votes for the block proposals, in the
can sign a message M by computing Si = H(M)xi , and
hope that honest players can commit a single valid block.
Same as Stage I, we use gossip to propagate all messages. 7 Other players’ signatures are in the received messages.
8 Among all blocks with the largest proposal round in S, B is the
Message types. There are two message types involved block whose proposer has the smallest leader score.
in this stage. Players can collectively sign a message by 9 Note that r (B0 ) is actually the proposal round of the proposal mes-
p
appending their signatures. We say a message MXr is k- sage about B0 , which is not necessarily equal to r p (Btc ).
6
Algorithm 1 Stage II workflow for each player pi . Algorithm 2 Deciding which block to prepare in Stage
Constants: II.
– G: the consensus group of N players 1: function D ECIDE M SG
– r: the current round number 2: if S = φ then . Received no valid proposals
State Variables: 3: return null
– si : pi ’s local state, i.e., hBroot , hroot , Btc , Fi 4: else . Received one or more valid proposals
– S: the set of all valid proposals received in Stage I 5: return D ECIDE PM SG
1: phase ← Init
6: function D ECIDE PM SG
2: msg ← D ECIDE M SG . See Algorithm 2
7: r∗p ← maxB∈S r p (B)
3: if msg 6= null then
8: B ← arg minB j ∈S,r p (B j )=r∗p Lr ( j)8
4: P(B, h) ← msg . B is the block pi votes for
5: phase ← Ped 9: Denote by PR(B, h, c) the proposal message about B
6: XP ← {i} . The players that have Ped B 10: if h = hroot + 1 then
7: Prepare B by gossiping msg 11: if Btc = ε then
12: si ← hBroot , hroot , ε, 0i
8: On receiving a valid PXr 0 (B, h) message Do 13: return Pir (B, h)
9: if phase = Ped and B = B then 14: else
10: XP ← XP ∪ X 0 15: if r p (B) > F then
11: sigP ← signatures of players in XP 7 16: si ← hBroot , hroot , ε, 0i
12: Sign PXrP (B, h) with sigP 17: return Pir (B, h)
13: if PXrP is (2f+1)-signed then 18: else if ∃B0 ∈ S s.t. B0 = Btc and r p (B0 ) ≥ F 9
14: phase ← TCed then
15: XTC ← {i} . The players that have TCed B 19: si ← hBroot , hroot , B0 , r p (B0 )i
16: si ← hBroot , hroot , B, ri 20: return Pir (B0 , h)
17: Tentatively commit B by gossiping TCir (B, h) return null
18: else
19: Forward the signed message PXrP with gossip
by computing aggregate(S1 , S2 ) = (S1 ∗ S2 , nS1 + nS2 ).
20: On receiving a valid TCXr 0 (B, h) message Do
The array n tracks who have signed the message. Every-
21: if phase 6= Init and B = B then
22: XTC ← XTC ∪ X 0
one can verify the multi-signature by checking whether
n [i]
23: sigTC ← signatures of players in XTC e(G, S) = e(∏i Vi S , H(M)).
24: Sign TCXr TC (B, h) with sigTC [40, 6] points out that aggregating signatures of the
25: if phase 6= Ced and TCXr TC is (2f+1)-signed then same message can be vulnerable to chosen-public-key
26: si ← hB, h, ε, 0i attack. This attack can be avoided if the participates
27: Commit B on the local blockchain can prove they have the private key to their announced
28: phase ← Ced public key, either forced by a trusted third party or by
29: Forward the signed message TCXr TC with gossip a zero-knowledge-proof bootstrap process proposed by
[40]. We choose this method because it’s acceptable with
the help of PKI.
others can verify it by checking whether e(G, Si ) is equal Another method proposed in [6] computes H(M +VI )
to e(Vi , H(M)) with a given bilinear map e. To track instead of H(M) so each player signs different messages.
which signatures we have received, we append an inte- Since everyone knows each others’ public keys, the result
ger array n of size N to the signature, and by signing a is still verifiable without increasing the data size. This
message M, a player computes Si = H(M)xi , and incre- method does not involved a trusted third party or online
ments the i-th element of nSi . The combination is the bootstrap process, but it forces the algorithm to compute
signature for aggregation, and we denote this process by the bilinear map N times, instead of one time when the
signi (M) = (Si , nSi ). messages are the same. It can cause the verification time
An important property of the aggregated signature is 100 times slower, and thus can only be adopted when the
that we can put in new signatures in an arbitrary or- number of players in a system is small (less than 200).
der, avoiding the risk of adaptive chosen-player attack The signature aggregation process significantly re-
that Byzcoin[32] faces. Aggregating signatures is sim- duces memory utilization. Although the multi-signature
ply multiplying the BLS signature and adding up the still has size O(N) asymptotically, a 4-byte integer is
array n. Thus, the aggregated signature (aka multi- enough for each element in nS in most cases. With 1,000
signature) is S = H(M)∑i xi ·nS [i] . We denote the pro- players using a 2048-bit signature, naively it takes 256
cess by aggregate(S1 , S2 , ...) = (S, nS ). Let (S1 , nS1 ) and KB to store these signatures, but with aggregation, it re-
(S2 , nS2 ) be two multi-signatures, we can combine them quires only 4256 bytes, or 1/60 of the original size. The
7
optimization is more efficient as the system scales larger. communication problems, an adversary can design at-
For the case when the number of signers is small, the tacks on the system implementations, including: 1) com-
array is sparse and thus easily compressible. putation resource saturation attack, where the adversary
may disseminate a large number of invalid messages to
5.7 Player Recovery from Temporary Fail- the honest players, consuming their CPU cycles for use-
less signature verification, and 2) signature counter over-
ures flow attack, where the adversary may craft valid multi-
In normal cases, blocks and signatures are broadcast to signatures where some counters are close to the maxi-
all players. If a player misses a block in round r due to mum integer, and thus careless signature aggregating of
temporary failures, it can catch up in subsequent rounds honest players may cause an integer overflow resulting
using the following (offline) recovery procedures: in incorrect signatures.
If player pi receives a valid signature of enough sign- Note that both attacks can only cause liveness prob-
ers in round r but fails to receive the block itself, pi will lems, rather than correctness problem. We will describe
check the signature and try to contact someone who has our countermeasures to both attacks in Section 6.
signed the block to retrieve it.
If player pi recovers from an extended crash period 6 Implementation-level Optimization
and/or data loss, it should try to retrieve all lost blocks
and proofs. She can only continue participating in the As we mentioned, Gosig combines protocol level design
protocol after she recovers the entire history. As the com- and implementation level optimizations to achieve high
mitted blocks are offline-verifiable, blocks with valid sig- performance. In this section, we introduce the important
natures from any player are sufficient for recovery. optimizations.
Asynchronous transaction dissemination and hash-
5.8 Security Analysis only blocks. In our protocol, messages only con-
We can prove that Gosig provides safety (as defined in tain hashes of the transactions to reduce message size.
Section 3) in fully asynchronous networks. Adding par- Raw transactions are gossiped among all players asyn-
tial synchrony assumption, it also achieves liveness. We chronously, independent of protocol stages. In the case
only list some key lemmas here and leave the complete that a player does not have the raw transaction data when
proofs in Appendix A and B. she receives the blocks, she retrieves the transactions
from others before she can process the block. In practice,
Lemma 1. If an honest player pi commits a block B at the gossip protocol often does a good job replicating the
height h in round r, no player will ever TC any other transactions, and thus this retrieval finishes fast.
block B0 at any height h0 ≤ h in any later rounds. Continuous gossiping in Stage II voting. As we need
all honest players to receive proposed blocks and oth-
Proof sketch. At least f + 1 honest players will not P
ers’ votes to achieve liveness, we do not limit the fanout.
any blocks whose proposal rounds are no larger than r
Instead, each player continuously sends block or P/TC
(line 14 to 20 in Alg. 2). Therefore, at least f + 1 hon-
messages to random neighbors until the end of the stage.
est players will not P any other block at height h0 ≤ h
However, we do put on a limit of concurrent connections
after round r, proving Lemma 1. And Lemma 1 leads to
to avoid overloading any player, which we set to 5 by
safety, because no block can be committed without hon-
default in our implementation. Section 7.3 provides a
est players signing TC messages.
detailed analysis of the fanout limit.
The following two lemmas prove the liveness under
the partial synchrony assumption. Blacklisting obvious problematic players. While
there is no way to ensure message delivery, if a player
Lemma 2. If in round r, for any honest player pi we have detects an obvious communication problem (connection
si = hBroot , hroot , ε, 0i, then there exists a round r0 > r and failure, timeout etc.) with a peer, she will “blacklist” the
an honest player p j such that p j Ps some block at height peer (i.e. stop sending to it) for a short time period To
h = hroot + 1 in round r0 . (typically half a round time). On subsequent failure with
the same peer, she will additively increase To , until she
Lemma 3. If in round r, there exists some honest player
receives a message from that peer, or successfully retries.
pi with state si = hBroot , hroot , Btc , Fi (Btc 6= ε), then there
This backoff mechanism effectively limits the wasted at-
exists a round r0 > r and an honest player p j such that
tempts to connect to failed nodes.
p j commits a block at height h = hroot + 1 in round r0 .
LIFO processing stack. In Stage II, each node can con-
Attacks beyond the protocol layer. In addition to the currently receive multiple messages with signatures for
adaptive chosen-player attacks and other attacks causing processing (verification + aggregation). Sometimes the
8
messages arrive faster than the server can process them. behavior of our signature collection process. We set
We put them in a last-in-first-out (LIFO) stack, instead the network latency to an exponential distribution with a
of a queue. This is because it is likely that later arriving mean of 300 ms, a typical value for today’s Internet [36],
messages contain more signatures, or sometimes even a and set the bandwidth to 500 KBps, a generous estima-
super-set of signatures in earlier messages. tion after subtracting the bandwidth consumed by con-
Preventing signature overflow. In the aggregated sig- stantly gossiped transactions. We set the packet loss rate
nature described in Section 5.6, we have the array n with to 1% across all links (higher than many Internet links).
N B-bit integers (we have B = 32 as default). An adver- In the simulator, we do not actually verify signatures, but
sary can craft a valid signature so that the element corre- set the signature verification time to be consistent with
sponding to her signature is 2B − 1. This attack prevents the performance we get on AWS t2.medium instances.10
honest players who have this signature from further ag- All faulty players in testbed experiments and simulation
gregating the signature array because otherwise, the ele- simply fail by crashing.
ment will overflow. Key Configuration parameters. There are several
We prevent such attack by restricting the growth of configuration parameters to tune. The most important
the maximum element in n, max, based on the number of ones include the round time T and maximum block size
signers s. On receiving a new message, the player tries max block size. Both are correlated and affect sys-
to aggregate it into her local signature array, and check if tem scalability and performance significantly. We dis-
the result satisfies max ≤ s or log2 (max) < B ∗ s/N. If so, cuss their impacts in Section 7.4.
the player updates her local array; otherwise, she drops We set T = 30 sec (25 seconds for Stage I and 5 sec-
the incoming message. onds for Stage II), and max block size = 8MB. Re-
call that in Gosig we only propagate transaction hashes
(and send actual transactions asynchronously). Given
7 Evaluation
that each transaction hash is 256 bit, a block can contain
We evaluate the performance of Gosig using both simu- at most 250K transactions. With an average transaction
lations and real testbed experiments. size of 250 bytes, the corresponding raw transaction data
for a block is about 62.5MB.
9
140 60
N=140, max_block_size=4MB 6000 N=140, max_block_size=4MB N=140
Throughput (tx / s)
120 N=140, f=35 N=140, f=35 50
5000 N=105
N=140 N=140 40 N=70
Latency (s)
Latency (s)
100 N=105 4000 N=105
N=70 30 N=35
80 N=35 N=70
3000 N=35 20
60 2000 10
400 1000 2000 3000 4000 5000 6000 7000 10000 1000 2000 3000 4000 5000 6000 7000 00 500 1000 1500 2000 2500
Workload (tx / s) Workload (tx / s) Throughput (tx / s)
(a) Latency with varying workload. (b) Throughput with varying workload (c) Latency vs. throughput
Figure 2: Performance under different configurations. (a) and (b) are throughput-optimized. (c) is latency-optimized.
CDF
everyone, causing incomplete rounds and thus reducing 0.4
the effective throughput (aka. goodput). To prevent such 0.2
situation, we limit the max block size as an admission 0.00 1 2 3 4 5
control mechanism, just like most blockchains do. In Time in a stage (s)
fact, the dashed line in Figure 2(b) shows that when lim- Figure 3: CDF for each player’s stage completion times,
iting max block size to 4MB (i.e. 125K transaction using latency-optimized configuration. The error bars are
per block, or 4167 tps), we can sustain the maximum 95% confidence intervals.
throughput even on overloading. Of course, overloading 35
still causes the latency to go up, but there is no difference 30
Default (5) fanout w/o failures
3 fanout w/o failures
Time for Stage II (s)
10
7.3 Scalability 6000
140
5000
Throughput (tx / s)
120
4000 100
Latency (s)
Limited by the resources on the testbed, we evaluate the
scalability on systems larger than 140 nodes using sim- 3000 80
60
ulation. In the simulation, we focus on the completion 2000
40
time of Stage II, because it is the core and most compli- 1000 20
Throughput Latency
0
2MB 4MB 6MB 8MB 0
10MB
cated part of Gosig, while the performance of Stage I is
max block size
no different from other gossip-based systems.
Figure 5: Influence of max block size on the perfor-
Using the default settings, we show the time required
mance.
to complete stage II with 10 to 10,000 players, i.e., all
6000
honest players receives a TC multi-signature signed by Throughput 140
5000
Throughput (tx / s)
120
more than 2/3 players. Figure 4 shows the results using 4000 100
Latency (s)
different combinations of failure modes and optimiza- 3000 80
tions. The key observations are: 60
2000
40
1) To calibrate the simulator, we also reproduce the 1000 20
Latency
testbed results (for up to 140 nodes) in Figure 4. We can 00 10 20 30 40 50 60 700
see that it fits our simulation results quite well. Round time (s)
2) Gosig scales well. Even with 10,000 players, we Figure 6: Influence of round time on the performance.
can still finish Stage II within 15 seconds only. This is
a direct benefit of using gossip-based application overlay
network and asynchronous multi-signature, which fully Max block size. As we have discussed, the parameter
exploits the redundant paths while keeping the band- max block size serves as an admission control mecha-
width consumption small. The time grows faster when nism to avoid overloading the system.
the number of players N is large, because the over- Keeping N = 140 and T = 30s, we vary
head for signature verification increases linearly with N. max block size from 2MB to 10MB, correspond-
But this overhead only becomes significant after the to- ing to 60K to 300K transactions per block, or 2K to 10K
tal number goes beyond 3000, and can be reduces by tps. In each round, we generate workload that equals the
stronger hardwares. max block size. Figure 5 plots the results. The dashed
3) With 10000 players and 1/3 of them being faulty line in Figure 5 shows the ideal case where the system
by crashing, Stage II completion time slowdowns from has infinite capacity.
14.97 seconds to 19.53 seconds. The robustness of The actual throughput of the system is around 4,000
the protocol comes from the gossip mechanism and the tps, as we presented in Section 7.2.1. We can see
order-independent signature aggregation algorithm. that for a max block size smaller than 4MB, the ac-
4) A small gossip fanout, i.e., the number of outbound tual throughput increases with the max block size and
connections, can fit most environments. A large fanout roughly follows the ideal line. At around 4,000 tps, the
(like 20 in Figure 4) will saturate the network and cause system saturates. If the max block size is significantly
higher latency due to queueing effects. Although a small larger than what the system can handle, the throughput
fanout may not fully utilize the network when the system decreases because some rounds will end before the play-
has fewer players, the cost is not significant since most ers can fully propagate the blocks.
time of a round is allocated to stage I. Round time T vs. throughput. Given a round time T ,
it is easy to calculate the expected transaction commit
7.4 Configuration Parameters latency when the system is under a normal workload,
which is 1.5T . A latency significantly larger than this
As we have seen in Section 7.2.1 and 7.2.2, value indicates system overloading.
max block size and round time T affect system per- Here we experimentally find the maximum throughput
formance significantly. we can obtain under different T s, without overloading
With N players, the max block size is proportional the system. Of course, because of the global clock syn-
to three parameters [17, 47]: 1) log1 N , 2) round time T , chronization error ∆ and message propagation latency,
and 3) the network bandwidth. That means, in order to we require T be at least 10 seconds.
increase the number of nodes from 100 to 10,000, we Figure 6 plots both the throughput and latency under
need to either decrease the max block size by half or different T settings. We verify that we are able to keep
double the round time T given a fixed bandwidth. the latency very close to the expected latency of 1.5T .
In the remaining of the section, we experimentally We observe that choosing a small T significantly reduces
evaluate their impacts using all 140 nodes in the testbed. the maximum throughput. The throughput even drops
11
super-linearly as T gets smaller than 30 seconds. This [7] B ONEH , D., LYNN , B., AND S HACHAM , H. Short signatures
is because when T and max block size are both small, from the weil pairing. In International Conference on the Theory
and Application of Cryptology and Information Security (2001),
the network setup overhead becomes non-negligible, fur- Springer, pp. 514–532.
ther reducing the number of block transfers we can com-
[8] B ONNEAU , J., M ILLER , A., C LARK , J., NARAYANAN , A.,
plete during the round. Fortunately, a T of 40 seconds K ROLL , J. A., AND F ELTEN , E. W. Research perspectives on
already supports the max throughput in a 140-node sys- bitcoin and second-generation cryptocurrencies. In IEEE Sympo-
tem, still much faster than existing solutions. sium on Security and Privacy. IEEE (2015).
[9] B URROWS , M. The chubby lock service for loosely-coupled dis-
tributed systems. In Proceedings of the 7th symposium on Oper-
8 Conclusion and Future Work ating systems design and implementation (2006), USENIX Asso-
ciation, pp. 335–350.
There are two types of approaches to build scalable [10] C ACHIN , C. Architecture of the hyperledger blockchain fab-
blockchain systems: Some focus on theoretically prov- ric. In Workshop on Distributed Cryptocurrencies and Consensus
Ledgers (2016).
able protocols (e.g. HoneyBadgerBFT) even with
[11] C ACHIN , C., K URSAWE , K., P ETZOLD , F., AND S HOUP, V.
high performance overhead, and others adopt best-effort Secure and efficient asynchronous broadcast protocols. In Annual
hacks and hope it works most of the time (e.g. Bitcoin). International Cryptology Conference (2001), Springer, pp. 524–
We believe there should be a middle ground: we insist 541.
on a system with provable safety under a very strong [12] C ACHIN , C., AND V UKOLI Ć , M. Blockchains consensus proto-
adversary assumption, while adopting the best-effort ap- cols in the wild. arXiv preprint arXiv:1707.01873 (2017).
proaches to increase the probability of staying alive. We [13] C ASTRO , M., L ISKOV, B., ET AL . Practical byzantine fault tol-
use Gosig to demonstrate such a system. At the proto- erance. In OSDI (1999), vol. 99, pp. 173–186.
col level, using cryto-based secrete leader election and [14] C LEMENT, A., K APRITSOS , M., L EE , S., WANG , Y., A LVISI ,
L., DAHLIN , M., AND R ICHE , T. Upright cluster services. In
multi-round signature-based voting, we can guarantee
Proceedings of the ACM SIGOPS 22nd symposium on Operating
safety, and by adding the partial synchrony assumption, systems principles (2009), ACM, pp. 277–290.
we can also prove liveness. At the same time, we adopt [15] C LEMENT, A., W ONG , E. L., A LVISI , L., DAHLIN , M., AND
implementation-level techniques such as gossiping, fail- M ARCHETTI , M. Making byzantine fault tolerant systems toler-
ure discovery and asynchronous signature verification to ate byzantine faults. In NSDI (2009), vol. 9, pp. 153–168.
increase the probability of liveness. With evaluations on [16] C RISTIAN , F., AGHILI , H., S TRONG , R., AND D OLEV, D.
a real 140-server wide-area network, we show that Gosig Atomic broadcast: From simple message diffusion to byzantine
agreement. Information and Computation 118, 1 (1995), 158–
both scales well and provides high performance. 179.
As the next steps, we want to extend the protocol to
[17] C ROMAN , K., D ECKER , C., E YAL , I., G ENCER , A. E., J UELS ,
allow players to join/exit. We also want to explore the A., KOSBA , A., M ILLER , A., S AXENA , P., S HI , E., S IRER ,
approaches of integrating Gosig with other data-center- E. G., ET AL . On scaling decentralized blockchains. In Interna-
focused protocols to create a hybrid protocol, further im- tional Conference on Financial Cryptography and Data Security
(2016), Springer, pp. 106–125.
proving its performance.
[18] D E C ARO , A., AND I OVINO , V. Jpbc benchmark. http://gas.
dia.unisa.it/projects/jpbc/benchmark.html, 2011.
References [19] D E C ARO , A., AND I OVINO , V. jpbc: Java pairing based
cryptography. In Proceedings of the 16th IEEE Symposium on
[1] Hyperledger consensus. https://github.com/
Computers and Communications, ISCC 2011 (Kerkyra, Corfu,
diegomasini/hyperledger-fabric/blob/master/docs/
Greece, June 28 - July 1, 2011), IEEE, pp. 850–855.
FAQ/consensus FAQ.md, 2016.
[20] D ECKER , C., S EIDEL , J., AND WATTENHOFER , R. Bitcoin
[2] grpc-java. https://github.com/grpc/grpc-java, 2017. meets strong consistency. In Proceedings of the 17th Inter-
[3] A IYER , A. S., A LVISI , L., C LEMENT, A., DAHLIN , M., M AR - national Conference on Distributed Computing and Networking
TIN , J.-P., AND P ORTH , C. Bar fault tolerance for coopera- (2016), ACM, p. 13.
tive services. In ACM SIGOPS operating systems review (2005), [21] D OUCEUR , J. R. The sybil attack. In International Workshop on
vol. 39, ACM, pp. 45–58. Peer-to-Peer Systems (2002), Springer, pp. 251–260.
[4] B EN -O R , M., K ELMER , B., AND R ABIN , T. Asynchronous se- [22] E UGSTER , P. T., G UERRAOUI , R., H ANDURUKANDE , S. B.,
cure computations with optimal resilience. In Proceedings of the KOUZNETSOV, P., AND K ERMARREC , A.-M. Lightweight
thirteenth annual ACM symposium on Principles of distributed probabilistic broadcast. ACM Transactions on Computer Systems
computing (1994), ACM, pp. 183–192. (TOCS) 21, 4 (2003), 341–374.
[5] B IRMAN , K. P., H AYDEN , M., O ZKASAP, O., X IAO , Z., [23] E YAL , I., G ENCER , A. E., S IRER , E. G., AND VAN R ENESSE ,
B UDIU , M., AND M INSKY, Y. Bimodal multicast. ACM Trans- R. Bitcoin-ng: A scalable blockchain protocol. In 13th USENIX
actions on Computer Systems (TOCS) 17, 2 (1999), 41–88. Symposium on Networked Systems Design and Implementation
[6] B ONEH , D., G ENTRY, C., LYNN , B., AND S HACHAM , H. Ag- (NSDI 16) (2016), USENIX Association, pp. 45–59.
gregate and verifiably encrypted signatures from bilinear maps. [24] G ILAD , Y., H EMO , R., M ICALI , S., V LACHOS , G., AND Z EL -
In International Conference on the Theory and Applications of DOVICH , N. Algorand: Scaling byzantine agreements for cryp-
Cryptographic Techniques (2003), Springer, pp. 416–432. tocurrencies. SOSP 2017.
12
[25] G UO , Y., AND L IANG , C. Blockchain application and outlook [43] NAKAMOTO , S. Bitcoin: A peer-to-peer electronic cash system,
in the banking industry. Financial Innovation 2, 1 (2016), 24. 2008.
[26] H IGGINS , S. Bitcoin mining pools targeted in wave of ddos [44] PASS , R., AND S HI , E. Hybrid consensus: Efficient consen-
attacks. https://www.coindesk.com/bitcoin-mining- sus in the permissionless model. In LIPIcs-Leibniz International
pools-ddos-attacks/, 2015. Proceedings in Informatics (2017), vol. 91, Schloss Dagstuhl-
[27] H UNT, P., KONAR , M., J UNQUEIRA , F. P., AND R EED , B. Leibniz-Zentrum fuer Informatik.
Zookeeper: Wait-free coordination for internet-scale systems. In [45] S WANSON , T. Consensus-as-a-service: a brief report on the
USENIX annual technical conference (2010), vol. 8, Boston, MA, emergence of permissioned, distributed ledger systems. Report,
USA, p. 9. available online, Apr (2015).
[28] K ARP, R., S CHINDELHAUER , C., S HENKER , S., AND VOCK - [46] S YTA , E., TAMAS , I., V ISHER , D., W OLINSKY, D. I., J O -
ING , B. Randomized rumor spreading. In Foundations of Com- VANOVIC , P., G ASSER , L., G AILLY, N., K HOFFI , I., AND
puter Science, 2000. Proceedings. 41st Annual Symposium on F ORD , B. Keeping authorities “honest or bust” with decentral-
(2000), IEEE, pp. 565–574. ized witness cosigning. In Security and Privacy (SP), 2016 IEEE
[29] K ERMARREC , A.-M., M ASSOULI É , L., AND G ANESH , A. J. Symposium on (2016), IEEE, pp. 526–545.
Probabilistic reliable dissemination in large-scale systems. IEEE [47] T ERRY, D. B., D EMERS , A. J., G REENE , D. H., H AUSER ,
Transactions on Parallel and Distributed systems 14, 3 (2003), C., I RISH , W., L ARSON , J., S HENKER , S., S TURGIS , H. E.,
248–258. AND S WINEHART, D. C. Epidemic algorithms for replicated
[30] K IAYIAS , A., RUSSELL , A., DAVID , B., AND O LIYNYKOV, database maintenance. Acm Sigops Operating Systems Review
R. Ouroboros: A provably secure proof-of-stake blockchain pro- 22, 1 (1988), 8–32.
tocol. In Annual International Cryptology Conference (2017), [48] T SCHORSCH , F., AND S CHEUERMANN , B. Bitcoin and beyond:
Springer, pp. 357–388. A technical survey on decentralized digital currencies. IEEE
[31] K ING , S., AND NADAL , S. Ppcoin: Peer-to-peer crypto-currency Communications Surveys & Tutorials 18, 3 (2016), 2084–2123.
with proof-of-stake. self-published paper, August 19 (2012). [49] VASEK , M., T HORNTON , M., AND M OORE , T. Empirical anal-
[32] KOGIAS , E. K., J OVANOVIC , P., G AILLY, N., K HOFFI , I., ysis of denial-of-service attacks in the bitcoin ecosystem. In In-
G ASSER , L., AND F ORD , B. Enhancing bitcoin security and ternational Conference on Financial Cryptography and Data Se-
performance with strong consistency via collective signing. In curity (2014), Springer, pp. 57–71.
25th USENIX Security Symposium (USENIX Security 16) (2016), [50] V ENKATARAMAN , V., YOSHIDA , K., AND F RANCIS , P.
USENIX Association, pp. 279–296. Chunkyspread: Heterogeneous unstructured tree-based peer-to-
[33] KOTLA , R., A LVISI , L., DAHLIN , M., C LEMENT, A., AND peer multicast. In Network Protocols, 2006. ICNP’06. Proceed-
W ONG , E. Zyzzyva: Speculative byzantine fault tolerance. In ings of the 2006 14th IEEE International Conference on (2006),
ACM SIGOPS Operating Systems Review (2007), vol. 41, ACM, IEEE, pp. 2–11.
pp. 45–58. [51] V ERONESE , G. S., C ORREIA , M., B ESSANI , A. N., AND
[34] K URSAWE , K., AND S HOUP, V. Optimistic asynchronous atomic L UNG , L. C. Spin one’s wheels? byzantine fault tolerance
broadcast. In International Colloquium on Automata, Languages, with a spinning primary. In Reliable Distributed Systems, 2009.
and Programming (2005), Springer, pp. 204–215. SRDS’09. 28th IEEE International Symposium on (2009), IEEE,
pp. 135–144.
[35] K WON , J. Tendermint: Consensus without mining. Draft v. 0.6,
fall (2014). [52] V UKOLI Ć , M. The quest for scalable blockchain fabric: Proof-
[36] L EDLIE , J., G ARDNER , P., AND S ELTZER , M. I. Network co- of-work vs. bft replication. In International Workshop on Open
ordinates in the wild. In NSDI (2007), vol. 7, pp. 299–311. Problems in Network Security (2015), Springer, pp. 112–125.
[37] L I , H. C., C LEMENT, A., W ONG , E. L., NAPPER , J., ROY, I., [53] W OOD , G. Ethereum: A secure decentralised generalised trans-
A LVISI , L., AND DAHLIN , M. Bar gossip. In Proceedings of action ledger. Ethereum Project Yellow Paper 151 (2014).
the 7th Symposium on Operating Systems Design and Implemen- [54] Z HENG , Z., X IE , S., DAI , H.-N., AND WANG , H. Blockchain
tation (Berkeley, CA, USA, 2006), OSDI ’06, USENIX Associa- challenges and opportunities: A survey. International Journal of
tion, pp. 191–204. Web and Grid Services (2017).
[38] L IU , S., C ACHIN , C., Q U ÉMA , V., AND V UKOLI Ć , M. Xft:
Practical fault tolerance beyond crashes. CoRR, abs/1502.05831
(2015).
A Safety
[39] LYNN , B. On the implementation of pairing-based cryptogra- Lemma A.1. If an honest player pi commits a block B at height h in
phy. The Department of Computer Science and the Committee on round r, no player will ever TC any other block B0 at any height h0 ≤ h
Graduate Studies of Stanford University (2007). in any later rounds.
[40] M ICALI , S., O HTA , K., AND R EYZIN , L. Accountable-
subgroup multisignatures. In Proceedings of the 8th ACM confer- Proof. An honest player i commits a block B with a height of h
ence on Computer and Communications Security (2001), ACM, means that at least 2f+1 players have TCed B in round r, so at least
pp. 245–254. f+1 honest players have TCed B in round r. Those who commit the
block B successfully will reject all messages for blocks of a height no
[41] M ILLER , A., X IA , Y., C ROMAN , K., S HI , E., AND S ONG , D. higher than h, so we only consider the case where they fail to commit
The honey badger of bft protocols. In Proceedings of the 2016 the block B.
ACM SIGSAC Conference on Computer and Communications Se- There is no other block proposed before round r whose proposal
curity (2016), ACM, pp. 31–42. round is larger than r. These f+1 honest players should have set their
[42] M ILOSEVIC , Z., B IELY, M., AND S CHIPER , A. Bounded de- local F = r according to line 16 in Algorithm 1, so they will not P any
lay in byzantine-tolerant state machine replication. In Reliable blocks proposed before round r.
Distributed Systems (SRDS), 2013 IEEE 32nd International Sym- Also, these f+1 honest player will not send TC message for any
posium on (2013), IEEE, pp. 61–70. block of height less than h after round r, because they have committed
13
the same block of height h − 1. Thus, no block of height less than h can player from propagation since gossip peers are also secretly randomly
be committed after round r, meaning no one is able to propose a new chosen.
valid block with a height of h0 ≤ h and with a proposal round larger We base our proof on a partially synchronous network assumption.
than r after round r. And when the network is synchronous, a transaction will fail to reach
The only case left is that there can be more than one valid block all honest players in a finite time with negligible probability. If there
proposed in round r, whose proposal rounds are the same with B’s. In are always blocks packed by honest players committed, all transactions
this case, by Algorithm 1, the f + 1 honest players who have Ped B in will be confirmed eventually.
round r will not P any other round-r block any more, so no other blocks
proposed in round-r can be TCed, which requires P messages from at Lemma B.1. For any round r, there exists a round r0 > r and an honest
least f + 1 honest players. player p j such that p j commits some block at height h = hroot + 1 in
To sum up, at least f+1 honest players will not P any other block round r0 .
with a height of h0 ≤ h after round r, and thus no one can TC any other
block with a height of h0 ≤ h after round r, which requires at least 2f+1
P messages. Proof. Without losing generality, we assume that at round r, the last
committed Broot is the same for all honest players.
Lemma A.2. If an honest player pi commits a block B at height h in (Case 1) No player has TCed. Because the network will become
round r, no player will ever commit any other block B0 at any height synchronous infinitely, there exists a round where an honest player be-
h0 ≤ h in any later rounds. comes the potential leader with the least leader score and the network
is synchronous. In this round, the proposal round of the block proposed
Proof. By Lemma A.1, we get that no one can TC any new block with by this honest leader is equal to the local freshness F of all honest play-
a height of h0 ≤ h after round r, so no honest player can commit any ers, so it will be prepared and committed by all honest players.
block with a height of h0 ≤ h after round r, as he cannot collect enough (Case 2) Some player has TCed. Because at most one block can
TC messages. be TCed in a round, if two players TCed different blocks, these two
players will have different local F. Thus, all players with the largest
Theorem 1. Gosig protocol achieves safety. F will always have the same B p , meaning if any of them becomes the
leader in a synchronous round, this B p will be prepared by all honest
Proof. Any committed block will be prepared by at least f+1 honest players and committed. Similar to Case 1, because the network will
players. Since honest players will only P valid blocks, condition (1) of become synchronous infinitely, there exists a round where an honest
safety is true. player with the largest F becomes the potential leader with the least
Condition (2) of safety can be directly proved by Lemma A.2. leader score and the network is synchronous, so its B p can be proposed,
prepared and committed.
To sum up, the lemma is proved.
B Liveness
Theorem 2. Gosig protocol achieves liveness.
Since our potential leaders are elected secretly, the adversaries can not
prevent honest players from becoming potential leaders of the least
leader score, and can not prevent the block proposed by such an honest Proof. By Lemma B.1, the theorem is easily proved.
14