ripple_consensus_whitepaper.pdf瑞波共识协议白皮书，官方原版，需要的朋

文件名称: ripple_consensus_whitepaper.pdf

所属分类: 比特币

开发工具:

文件大小: 417kb

下载次数: 0

上传时间: 2019-08-24

提供者: siny****

下载 (417kb)

不能下载？报告错误

详细说明：瑞波共识协议白皮书，官方原版，需要的朋友快快下载吧ledger of that server, but transactions are not con- previous work has included extensions to cases where all sidered final until they have passed through the participants in the network are not known ahead of time, consensus process, at which point the open ledger where the messages are sent asynchronously(there is becomes the last-closed ledger no bound on the amount of time an individual node will take to reach a decision) and where there is a delineation Unique Node List (UNL): Each server, S, main- between the notion of strong and weak consensus tains a unique node list, which is a set of other One pertinent result of previous work on consen servers that s queries when determining consen- sus algorithms is that of Fischer, Lynch, and Patterson sus. Only the votes of the other members of the 1985[4 which proves that in the asynchronous case UNL of s are considered when determining con non-termination is always a possibility for a consen sensus(as opposed to every node on the network) sus algorithm, even with just one faulty process. This Thus the unl represents a subset of the network ntroduces the necessity for time-based heuristics, to which when taken collectively, is"trusted by s ensure convergence (or at least repeated iterations of to not collude in an attempt to defraud the net- non-convergence). We shall describe these heuristics for work.Note that this definition of "trust does not the ripple protocol in section 3 require that each individual member of the UNL The strength of a consensus algorithm is usually be trusted(see section 3.2) measured in terms of the fraction of faulty processes Proposer: Any server can broadcast transactions it can tolerate. It is provable that no solution to the to be included in the consensus process, and every Byzantine Generals problem(which already assumes server attempts to include every valid transaction synchronicity, and known participants) can tolerate more when a new consensus round starts. During the than(n-1/3 byzantine faults, or 33 of the network consensus process, however, only proposals from acting maliciously [2]. This solution does not, however require verifiable authenticity of the messages delivered servers on the unl of a server s are considered between nodes(digital signatures ). If a guarantee on the unforgeability of messages is possible, algorithms ex 2.2 Formalization ist with much higher fault tolerance in the synchronous We use the term nonfaulty to refer to nodes in the net- ase. work that behave honestly and without error. Conversely, Several algorithms with greater complexity have been proposed for Byzantine consensus in the asyn a faulty node is one which experiences errors which may be honest(due to data corruption, implementation er chronous case. FaB Paxos [5] will tolerate(n-1)/5 rors, etc.), or malicious ( Byzantine errors ). We reduce Byzantine failures in a network of n nodes, amounting to a tolerance of up to 20% of nodes in the network the notion of validating a transaction to a simple binary decision problem: each node must decide from the in colluding maliciously. Attiya, Doyev, and Gill [3] in troduce a phase algorithm for the asynchronous case ormation it has been given on the value O or l As in Attiya, Dolev, and Gill, 1984 33], we define which can tolerate(n-1)/4 failures, or up to 25 of consensus according to the following three axioms the network. Lastly, Alchieri et al., 2008 [6] present BFT-CUP, which achieves Byzantine consensus in the (C1): Every nonfaulty node makes a decision in asynchronous case even with unknown participants, with finite time the maximal bound of a tolerance of(n-1)/3 failures, 2.(C2): All nonfaulty nodes reach the same deci- but with additional restrictions on the connectivity of sion value the underlying network 3.(C3):0 and 1 are both possible values for all non- faulty nodes. (This removes the trivial solution 2.4 Formal Consensus Goals in which all nodes decide o or l regardless of the Our goal in this work is to show that the consensus information they have been presented) algorithm utilized by the ripple protocol will achieve consensus at each ledger-close(even if consensus is the 2.3 Existing Consensus Algorithms trivial consensus of all transactions being rejected), and There has been much research done on algorithms that that the trivial consensus will only be reached with a achieve consensus in the face of Byzantine errors. This known probability, even in the face of Byzantine failures Since each node in the network only votes on proposals on a transaction. All transactions that meet this from a trusted set of nodes(the other nodes in its UNL), requirement are applied to the ledger, and that and since each node may have differing UNLS, we also ledger is closed. becoming the new last -closed show that only one consensus will be reached amongst ledger all nodes, regardless of uNL membership This goal is also referred to as preventing a"fork in the network 3.2 Correctness situation in which two disjoint sets of nodes each reach In order to achieve correctness, given a maximal amount consensus independently, and two different last-closed of Byzantine failures, it must be shown that it is im ledgers are observed by nodes on each node-set possible for a fraudulent transaction to be confirmed Lastly we will show that the Ripple protocol can during consensus, unless the number of faulty nodes achieve these goals in the face of(n-1)/5 failures, exceeds that tolerance. The proof of the correctness of which is not the strongest result in the literature. but we the rPCa then follows directly: since a transaction is will also show that the Ripple protocol possesses several only approved if 80% of the UNl of a server agrees other desirable features that greatly enhance its utility. with it, as long as 80%o of the UNl is honest, no fraud ulent transactions will be approved. Thus for a UNL 3. Ripple Consensus Algorithm of n nodes in the network, the consensus protocol will maintain correctness so long as The Ripple Protocol consensus algorithm(RPCA), is applied every few seconds by all nodes, in order to main f≤(n-1)/5 tain the correctness and agreement of the network. Once consensus is reached, the current ledger is considered where f is the number Byzantine failures. In fact, even closed and becomes the last-closed ledger. Assum- in the face of(n-1)/ 5+1 Byzantine failures, correct- ing that the consensus algorithm Is successful, and that ness is still technically maintained. The consensus pro there is no fork in the network. the last-closed ledger cess will fail, but it will still not be possible to confirm a maintained by all nodes in the network will be identical. fraudulent transaction. Indeed it would take(4n+1)/5 Byzantine failures for an incorrect transaction to be con- 3.1 Definition firmed. We call this second bound the bound for weak The RPCa proceeds in rounds. In each round correctness, and the former the bound for strong correct ness Initially, each server takes all valid transactions it It should also be noted that not all fraudulent trans has seen prior to the beginning of the consensus actions pose a threat, even if confirmed during consen round that have not already been applied(these sus. Should a user attempt to double-spend funds in may include new transactions initiated by end- two transactions, for example, even if both transactions users of the server transactions held over from are confirmed during the consensus process, after the a previous consensus process, etc. ) and makes first transaction is applied, the second will fail, as the them public in the form of a list known as the funds are no longer available. This robustness is due to candidate set the fact that transactions are applied deterministically, Each server then amalgamates the candidate sets and that consensus ensures that all nodes in the network of all servers on its UNL, and votes on the veracity are applying the deterministic rules to the same set of transactions of all transactions For a slightly different analysis, let us assume that Transactions that receive more than a minimum the probability that any node will decide to collude and percentage of"yes"votes are passed on to the next join a nefarious cartel is Pc. Then the probability of round. if there is one, while transactions that do correctness is given by p, where not receive enough votes will either be discarded or included in the candidate set for the beginning of the consensus process on the next ledger P e The final round of consensus requires a minimum This probability represents the likelihood that the size percentage of 80% of a server's UNL agreeing of the nefarious cartel will remain below the maximal threshold of Byzantine failures, given Pe. Since this likelihood is a binomial distribution, values of pc greater than 20%o will result in expected cartels of size greater than 20% of the network, thwarting the consensus pro cess. In practice a uNl is not chosen randomly, but rather with the intent to minimize pc. Since nodes are not anonymous but rather cryptographically identifiable, selecting a unl of nodes from a mixture of continents nations, industries, ideologies, etc. will produce values of pc much lower than 20%. As an example, the proba bility of the anti-Defamation League and the westboro Baptist church colluding to defraud the network, is cer tainly much, much smaller than 20%o. Even if the UNL has a relatively large pc, say 15%, the probability of correctness is extremely high even with only 200 nodes in the UNL: 97.890 a graphical representation of how the probability of Figure 2. An example of the connectivity required to incorrectness scales as a function of UNL Size for differ- prevent a fork between two UNL cliques ing values of pc is depicted in Figure 1. Note that here the vertical axis represents the probability of a nefarious prove agreement is given by cartel thwarting consensus, and thus lower values indi- cate greater probability of consensus success. As can be seen in the figure, even with a Pc as high as 10%, the UNL∩UNL≥:max(UML,UNL1)v,(3) probability of consensus being thwarted very quickly This upper bound assumes a clique-like structure of becomes negligible as the unl grows past 100 nodes UNLS. ie, nodes form sets whose UNls contain other nodes in those sets. This upper bound guarantees that 3.3 Agreement no two cliques can reach consensus on conflicting trans To satisfy the agreement requirement, it must be shown actions, since it becomes impossible to reach the 80% that all nonfaulty nodes reach consensus on the same threshold required for consensus. A tighter bound is set of transactions, regardless of their UNLs. Since possible when indirect edges between UNLs are taken the unls for each server can be different, agreement into account as well. For example. if the structure of the is not inherently guaranteed by the correctness proof. network is not clique-like a fork becomes much more For example, if there are no restrictions on the member- difficult to achieve. due to the greater entanglement of ship of the UNL, and the size of the unl is not larger the uNls of all nodes than 0.2*ntotal where ntotal is the number of nodes in It is interesting to note that no assumptions are made the entire network, then a fork is possible. This is 1l- about the nature of the intersecting nodes. The intersec- lustrated by a simple example ( depicted in figure 2): tion of two uNls may include faulty nodes. but so long imagine two cliques within the UNL graph, each larger as the size of the intersection is larger than the bound than 0.2+ n,otal. By cliques, we mean a set of nodes required to guarantee agreement, and the total number where each node's UNL is the selfsame set of nodes. of faulty nodes is less than the bound required to satisfy Because these two cliques do not share any members, strong correctness, then both correctness and agreement it is possible for each to achieve a correct consensus will be achieved. That is to say, agreement is dependent independently of each other, violating agreement. If solely on the size of the intersection of nodes, not on the the connectivity of the two cliques surpasses 0.2+ ntotal, size of the intersection of nonfaulty nodes then a fork is no longer possible, as disagreement be tween the cliques would prevent consensus from being 3.4 Utility reached at the 80%agreement threshold that is required. While many components of utility are subjective, one that is indeed provable is convergence: that the consen- An upper bound on the connectivity required to sus process will terminate in finite time ■p。=0. 0.15 p=0.10 p=0.05 0.1 10 170 IL Size Figure 1. Probability of a nefarious cartel being able to thwart consensus as a function of the size of the UNL, for different values of pc, the probability that any member of the UNL will decide to collude with others. Here, lower values indicate a higher probability of consensus success 3.4.1 Convergence Since the consensus algorithm itself is deterministic We define convergence as the point in which the rPCa nd has a preset number of rounds, t, before consensus is terminated. and the current set of transactions are de reaches consensus with strong correctness on the ledger and that ledger then becomes the last-closed ledger. note clared approved or not-approved(even if at this point that while technically weak correctness still represents no transactions have more than the 80%o required agree ment, and the consensus is only the trivial consensus) convergence of the algorithm, it is only convergence in the limiting factor for the termination of the algorithm the trivial case, as proposition C3 is violated, and no transactions will ever be confirmed. from the results is the communication latency between nodes. In order to bound this quantity, the response-time of nodes is above, we know that strong correctness is always achiev monitored, and nodes who's latency grows larger than able in the face of up to(n-1)/ 5 Byzantine failures, and that only one consensus will be achieved in the a preset bound b are removed from all UNLs. While entire network so long as the uNl-connectedness con this guarantees that consensus will terminate with an dition is met equation 3). All that remains is to show upper bound of tb, it is important to note that the bounds that when both of these conditions are met consensus is described for correctness and agreement above must reached in finite time be met by the final UNL, after all nodes that will be dropped have been dropped. If the conditions hold for validation,, in which they do not process or vote the initial uNls for all nodes but then some nodes are on transactions, but declare that are still partic dropped from the network due to latency the correctness ipating in the consensus process, as opposed to and agreement guarantees do not automatically hold but a different consensus process on a disconnected must be satisfied by the new set of uNls subnetwork 3. 4.2 Heuristics and Procedures While it would be possible to apply the rpca in As mentioned above, a latency bound heuristic is en just one round of consensus, utility can be gained forced on all nodes in the ripple network to guarantee through multiple rounds, each with an increas- that the consensus algorithm will converge. In addi- ing minimum-required percentage of agreement tion, there are a few other heuristics and procedures that before the final round with an 80 %o requirement provide utility to the rPca These rounds allow for detection of latent nodes e There is a mandatory 2 second window for all in the case that a few such nodes are creating a nodes to propose their initial candidate sets in bottleneck in the transaction rate of the network each round of consensus. While this does intro These nodes will be able to initiall ep u ur- duce a lower bound of 2 seconds to each consen- ing the lower-requirement rounds but fall behind sus round it also guarantees that all nodes with and be identified as the threshold increases. In the reasonable latency will have the ability to partici case of one round of consensus, it may be the case pate in the consensus process that so few transactions pass the 80% threshold that even slow nodes can keep up, lowering the As the votes are recorded in the ledger for each transaction rate of the entire network round of consensus, nodes can be flagged and removed from the network for some common 4. Simulation Code easily-identifiable malicious behaviors. These in- clude nodes that vote No on every transaction The provided simulation code demonstrates a round of and nodes that consistently propose transactions RPCA, with parameterizable features(the number of which are not validated by consensus nodes in the network, the number of malicious nodes, la- tency of messages, etc. The simulator begins in perfect e A curated default UNL is provided to all users, disagreement (half of the nodes in the network initially which is chosen to minimize pc, described in sec- propose"yes,, while the other half propose"no"), then tion 3. 2. While users can and should select their proceeds with the consensus process, showing at each own UNLS. this default list of nodes guarantees stage the number of yes/no votes in the network as nodes that even naive users will participate in a consen- adjust their proposals based upon the proposals of their sus process that achieves correctness and agree- UNL members. Once the 80% threshold is reached, ment with extremely high probability consensus is achieved. We encourage the reader to ex periment with different values of the constants defined at A network split detection algorithm is also em- the beginning of"Sim. cpp, in order to become familiar ployed to avoid a fork in the network. While with the consensus process under different conditions the consensus algorithm certifies that the transad tions on the last-closed ledger are correct, it does not prohibit the possibility of more than one last 5. Discussion closed ledger existing on different subsections of We have described the rPCa, which satisfies the con- the network with poor connectivity. To try and ditions of correctness, agreement, and utility which we identify if such a split has occurred, each node have outlined above. The result is that the ripple pro monitors the size of the active members of its tocol is able to process secure and reliable transactions UNL. If this size suddenly drops below a preset in a matter of seconds: the length of time required for threshold, it is possible that a split has occurred. one round of consensus to complete. These transactions In order to prevent a false positive in the case are provably secure up to the bounds outlined in sec where a large section of a UNL has temporary tion 3, which, while not the strongest available in the latency, nodes are allowed to publish a "partial literature for Asynchronous Byzantine consensus, do allow for rapid convergence and flexibility in network 4 Fischer, Michael J, Nancy A. Lynch, and Michael membership When taken together, these qualities allow S Paterson. " Impossibility of distributed consensus the Ripple network to function as a fast and low-cost with one faulty process Journal of the ACm (jacm global payment network with well-understood security 32.2(1985): 374-382 and reliability properties 5I Martin, J-P, and Lorenzo Alvisi. "Fast byzan While we have shown that the ripple protocol is tine consensus. Dependable and Secure Computing provably secure so long as the bounds described in equa IEEE Transactions on 3.3(2006): 202-215 tions I and 3 are met, it is worth noting that these are [61 Alchieri, Eduardo aP, et al. "byzantine consensus maximal bounds, and in practice the network may be secure under significantly less stringent conditions. It with unknown participants "Principles of Distributed is also important to recognize, however, that satisfying ystems. Springer Berlin Heidelberg, 2008. 22-40 these bounds is not inherent to the rpca itself. but rather requires management of the UNLs of all users The default uNL provided to all users is already suffi cient, but should a user make changes to the uNL, it must be done with knowledge of the above bounds. In addition, some monitoring of the global network struc ture is required in order to ensure that the bound in equation 3 is met, and that agreement will always be satisfied We believe the RPCa represents a significant step forward for distributed payment systems, as the le latency allows for many types of financial transactions previously made diffic cult or even impossible with other higher latency consensus methods 6. Acknowledgments Ripple labs would like to acknowledge all of the peo ple involved in the development of the Ripple Protocol consensus algorithm. Specifically, Arthur Britto, for his work on transaction sets Jed Mccaleb, for the original Ripple protocol consensus concept, and David Schwartz for his work on the "failure to agree is agreement to de fer aspect of consensus Ripple labs would also like to acknowledge Noah Youngs for his efforts in preparin and reviewing this paper References Nakamoto, Satoshi.Bitcoin: A peer-to-peer elec- tronic cash system Consulted 1. 2012(2008): 28 Lamport leslie. Robert shostak, and marshall Pease.“ The Byzantine generals problem”ACM Transactions on Programming Languages and Sys- tems( TOPLAS)4.3(1982):382-401. 31 Attiya, C, D. Dolev, and J. Gill. "Asynchronous Byzantine Agreement. Proc. 3rd. Annual ACM Symposium on principles of distributed computing 1984

(系统自动生成,下载前可以参看下载内容)