Since July 2018, the Conflux team has been thinkingHow do we deal with Liveness caused by balanced and split attacks?
At that time, Conflux did not distinguish between the development team and the research team, so the exploration of this problem became a regular brainstorming for all the core members of Conflux.
No one can remember how many schemes we put forward and rejected, so we can only rely on the memories of the participants to restore the original context of exploration.
If close at hand, but far away
First, we noticed that both “balanced” and “split” attacks require the attacker to hide many blocks for a long time and then release them selectively as needed.
In fact, for each node, this “old block” that has been hidden for a long time is relatively easy to distinguish from the new block in most cases.
Imagine if you see two newspapers with their dates torn out. One newspaper has news that happened yesterday, and the other is only a few months or even a year old. Is it easy to tell which newspaper is new?
Similarly, if an honest node finds that the block it just received does not reference any other blocks that are relatively new (for example, received within an hour), then there is good reason to suspect that the block it just received was hidden by an attacker for some time (for example, an hour) before broadcasting.
Furthermore, we can speculate that most honest nodes should come to the same conclusion:
This block is abnormal, most likely generated by an attacker.
Ensuring that all honest nodes treat such blocks as illegal blocks limits the number and duration of blocks an attacker can hide, and thus loses the ability to launch “balanced attacks” and “split attacks” by hiding blocks.
However, it is not enough that most honest nodes agree most of the time. How to ensure that all honest nodes agree on every block is the real challenge.
This is an inescapable problem for any scheme that tries to identify and eliminate attacker blocks.
In the original design, we tried to simply set a time threshold x.
If you receive A block A at time T and you receive block B after time T+x, but block B does not reference block A, then block B is an illegal block.
However, this design is very vulnerable because each honest node receives block A and block B at different times. An attacker can cause some nodes to receive block B earlier and others to receive block B later.
If this “earlier/later” happens to place block B on the boundary between legal and illegal, then honest nodes may make inconsistent judgments about the legitimacy of block B.
The whole blockchain network forks.
We tried to fix this by adding patches with various poses, but they all failed. We can’t find a way for each node to make judgments based on its own private information and guarantee that all nodes’ judgments are consistent in all cases.
There is nothing we can do about blocks that have been hidden for a long time, even if we know that they must have been generated by an attacker and that all honest nodes agree with this judgment.
Because there is no guarantee that all nodes’ criteria for “hiding for a long time” will be consistent in all cases. This kind of result, is to let a person very helpless.
2. Seek common ground while reserving differences
Since it is impossible to agree completely, we focus our thinking on how to reduce the adverse effects of “difference”.
Even if the “same” cannot be completely found between honest nodes, as long as the “different” does not affect everyone’s consensus, it will not affect the consistency of transaction execution results.
Having “differences” without affecting consensus is what all PoW consensus mechanisms have been doing. Due to network latency, it takes some time for each block to travel through the network, so it is normal for different nodes to see different blocks.
Conflux’s tree-graph structure does not guarantee that every honest node receives exactly the same block at any time. However, reasonable consensus mechanism design can still ensure that:
All honest nodes agree on the ordering of the confirmed blocks.
Going back to the phase 1 example, assume that an honest node has just received block B, and block B does not refer to the block A it received x minutes ago.
Although the value of this x may be different for different honest nodes, the difference is generally not very long (e.g., more than two minutes) under good network conditions.
Based on the value of x, we assign a weight between 0 and 1 to each block (e.g., Max {1-x/500,0}) : the greater the x value, the greater the suspicion that block B is a malicious block, and the lower its weight in the consensus decision.
As long as the values of X observed by different nodes are not significantly different, the block weights in their eyes should be basically the same.
We try to prove that the “difference” of x values of different honest nodes does not affect the “same” of block sorting. However, this line of thinking actually creates more problems, and solving these problems seems far away.
3 adaptive weight
During the 11-Day holiday in 2018, Long Fan proposed a new plan.
This scheme gives up the idea of “invalidating” the blocks hidden by the attacker to resist the attack, and instead chooses to respond by slowing down the block producing speed of the Conflux when it is attacked.
In this scenario, the worst case scenario would be that the entire network would safely slow down to the level of Bitcoin, while gaining security similar to the Bitcoin protocol.
Further exploring along this idea, we finally determined the basic idea of Conflux guaranteeing survivability:
1. The consensus mechanism is only based on the parent edge and reference edge of each block in the tree graph structure, instead of using “local information” such as block reception time, which may be inconsistent for different nodes.
2. Adjust the block producing speed of Conflux by adjusting the difficulty of mining. When there is no attack, Conflux uses faster block output speed to pursue efficiency. When there is an active attack, Conflux slows down the block speed to ensure security. When the block speed slows down, the block reward should be increased accordingly to ensure the interests of miners.
3. The difficulty of mining cannot be determined by miners themselves, but it is also impossible to switch all honest nodes at the same time. In terms of specific difficulty adjustment mechanics, we still need to use common ground while reserving differences.
Based on the above basic ideas, we finally design the GHAST (Greedy bush-adaptive sub-tree) consensus mechanism that dynamically adjusts the block weights, which solves the defect of the Heaviest chain rule and enables Conflux to enjoy the fast confirmation time under the Heaviest chain rule. At the same time, it has a similar ability to resist active attacks as bitcoin.
There is still some way to go from the basic idea to the design of the GHAST mechanism, which we will cover in the next few installments.