Algorand, Dfinity and Ouroboros Praos (although Dfinity is the project name, there is nothing wrong with calling it * * * algorithm here) have attracted more attention recently. They are all designed based on VRF (verifiable random function) and can be compared and studied. There are many versions of Algorand, which of the following refers to? 1607.05438+0341v 9, which is temporarily called algrand' (the author has the latest version of algrand, which corrects several problems mentioned below, please refer to this article).
I. VRF * * *
The meaning of VRF is easy to understand-it is used to complete the random selection of people (groups). Therefore, the return value of VRF should be as unpredictable as possible. Let's first look at how Algorand' and Dfinity's routines are done: generally speaking, the previous random number (the initial random number is given by the protocol) is combined with a variable representing the height and turn, signed with a private key (or signed first and then combined), and finally hashed to get the latest random number. The random number generated in this way is easy to be verified by others to conform to the algorithm, thus obtaining "V"; Moreover, the return value of hash is randomly distributed, so "R" is guaranteed. In this process, in order to reduce the possibility of manipulating the results, there are two points to be noted: a) The signature algorithm should be unique, that is, the same piece of information is signed with the same private key, and only one legal signature can be verified-ordinary asymmetric encryption and decryption algorithms generally do not have this attribute, such as SM2. If the signature algorithm used does not have this unique attribute, there will be room for repeatedly trying to sign to pick out the most favorable one when generating new random numbers, which will reduce security. B) Avoid taking the data of the current block as one of the sources of randomness when generating new random numbers, such as referencing the merkle root value of the transaction list of this block. Because this will give the block main space to try to change the order of packaging transactions, package different transactions, and generate the most favorable new random number. When designing and testing a new * * * recognition algorithm, we should pay special attention to the above two points.
Check how the return result of VRF should be used. In the current usage, the return result of VRF can be used to complete the selection of public or private nodes or node groups. Take Dfinity as an example, which uses mod operation to uniquely and publicly determine a group. "Algorand" and "Ouroboros Praos" are examples of private choices. The general routine is to sign and hash the latest return value of VRF with variables such as rounds. If the hash value is less than a certain threshold, the node can know that it is privately selected. This method is likely to be more stable in the case of a large number of network nodes, otherwise the number of lucky people will fluctuate greatly, which will affect the performance of the protocol, including empty blocks and forks.
Secondly, briefly comment on Algorand's version of the strong synchronization hypothesis.
Private selection provides a strong ability to resist fixed-point attacks, but for any lucky person, the total number of lucky people is unpredictable, which brings difficulties to the design of subsequent identification algorithms and the optimization of blockchain. Algorand'' adopts the assumption of strong synchronous network (the * * * identification algorithm under the assumption of synchronous network is of course easier to do), and requires to know the upper limit of network message propagation time in advance: to complete the network propagation to a fixed proportion of users within a fixed time. For example, you should know that the message of 1KB can spread 95% of the whole network in 1 second, while the message of 1MB takes 1.5 minutes to spread 95% of the whole network. But how to choose this transmission upper limit? Multiply the statistical results of a period of time by a coefficient through empirical statistics? It can only be said that "it feels ok", but if it is to be rigorous and secure, Algorand'' algorithm should supplement the proof that in the case of DDOS or Internet congestion, the algorithm can still ensure security even if the message propagation is seriously out of limit-however, this proof is missing. In contrast, Ouroboros Praos publicly admitted that the Ouroboros protocol designed under the assumption of synchronous network would make mistakes under the condition of asynchronous network, so it made Ouroboros Praos again. The new Algorand admits that when the network is weakly synchronized, it will reach * * * knowledge on different blocks (the bifurcation can be solved when the network is strongly synchronized later), which can be used for reference.
Even though we temporarily agree that Algorand's algorithm can solve the above problems by setting a larger upper limit of propagation time, we can see that this algorithm lacks a very good feature: responsiveness. This feature means that if a protocol is designed to work under a larger upper limit of propagation time delta, but if the actual propagation time is a smaller delta, then the actual progress of the protocol will only be related to DELTA, and this protocol is called reactive. It would be ideal to combine the * * * identification algorithm with the assumption of synchronous network-for safety, the upper limit can be set very large, but the execution speed of the protocol is only related to the network conditions at that time. "Argelander" does not have this feature. On average, Algorand' needs 1 1 rounds of message transmission to complete * * * knowledge. If every round is to be safe, it will take a long time to complete the knowledge, and the throughput of a single partition will not be too high. Of course, architecture design involves many trade-offs. Finally, to evaluate whether an algorithm is good or not, it is still necessary to return to the initial heart-what is the goal to be achieved. The above analysis only attempts to objectively point out several little-known inherent characteristics of Algorand algorithm for readers to evaluate themselves.
Thirdly, the scalability of Dfinity is briefly reviewed.
The practice of private election and taking office immediately also brings great challenges to the system division. Dfinity must be fragmented, so we must face the challenge directly. The problem of scalability is very complicated. To solve this problem completely, we need to consider the scalability of network, storage and calculation. At present, most blockchain 3.0 projects only focus on the fragmentation and scalability of computing, ignoring the other two, so they cannot achieve ideal expansion. Due to the limitation of network bandwidth of public chain nodes, it is usually difficult to quickly copy the data needed to calculate contracts from one node to another, so even if VRF is used to select nodes that come and go from time to time, storage nodes cannot be as elegant as the wind. There are several obvious choices: all nodes store all data, and different nodes statically allocate different partitions to store them. The former has poor scalability. For the latter, if the outgoing node floats, the outgoing node needs to complete the contract operation, which means that the performance of remote storage round-trip access based on P2P network will drop sharply. Dynamically determined partitioned nodes only complete sorting, computing power and storage bundling, and provide scalability through static partitioning, which may be a reasonable response. However, the most hateful thing is the word "however"-even so, there is still pressure on the storage and network in the system: the transactions to be packaged submitted by the end users. The bandwidth of common public chain (regardless of EOS) is limited. If the transactions submitted by users to be packaged must be widely distributed throughout the network, how much TPS can the existing network bandwidth provide? If the output node is a static partition or is known to the public at least some time in advance, there is still room for manoeuvre; If outgoing nodes are so erratic, and only these nodes know it until the last minute, it seems that the most direct response of both users and outgoing node candidates is to flood the whole network and save all the transactions to be packaged, so that bandwidth and storage still become system bottlenecks.
So what we encounter here is essentially a safe, extensible and decentralized impossible trinity.
Fourth, a brief comment on the Viper Praos.
The works of BM?· serpent have been widely circulated. Of course, BM is obviously wrong. For example, viper's DPOS refers to "dynamic [stack distribution] POS" instead of BM's entrusted POS, but its comments on Pareto distribution are worth pondering. If we have a closer look at Ouroboros Praos, we can find that the security assumption and security certificate of the protocol completely ignore the factors of economic game, so the eloquent proof is likely to miss the direction that really needs protection-after all, the blood flowing in the veins of POS/DPOS protocol has always been based on economic game and human nature. The most obvious example is the implementation method of forward secure signature. The current design of the protocol requires every good node to delete the used private key voluntarily and safely, without considering how the nearly zero private key storage cost faces the temptation of bribery attacks. However, this is worth considering. Apart from formal proof, Ouroboros Praos itself does not have many protocol features worthy of attention. Generally speaking, it uses VRF lottery combined with POS algorithm to formally prove some security assumptions, and its attitude is very commendable.
Verb (abbreviation of verb) abstract
These algorithms are very creative and worth learning. At the same time, after reading the partition technology disclosed by CASPER of Ethereum, the author's experience is that the competition of blockchain 3.0 has just begun. Judging from the technical route of the Ethereum team, their technical considerations and choices are more profound and comprehensive than many teams that claim to surpass Ethereum. If we really want to surpass the Ethereum, we must first understand the Ethereum.
By the way, thank Dr. Qiu Weiwei for his contribution to this article!