Hello Yj1190590,

Multiple block creators publish block-approval-blocks for their own created blocks. While they are sent to all the nodes, block-approval-blocks are not stored themselves in the chain, their contents are.

Conflicting block approval is detected by looking at all block-approval-blocks published on the network in the same slots. It is the next block creator's responsibility to check for these conflicts and not use contents of a block-approval-block that contains such a conflict. In addition, the approvers for the next block will also check for these conflicts and would not approve blocks that contains a conflicting approval from the previous slot.

The punishment for a conflicting-approver is that they do not earn approval award since their approvals do not go in the chain.


Once there is >50% stake approval on a successor block, there can only be one and only one predecessor block under the honest majority stake assumption even with network outage. If in case a block cannot receive >50% approval, then no new blocks will get published. Those slots will go empty until a >50% approval is achieved.


The protocol achieves finality after 1 block - not instant finality. PBFT and related protocols that build consensus on transaction level and publish a single block per slot have the real instant finality.

This near instant finality helps with Bribe attack but not with History (aka Costless Simulation) attack. It is because the "finality" is in the short timespans where the stakes of the parties have not changed dramatically. History attack, on the other hand, is powered by dramatic stake changes which can only occur in the longer timespans.

Hope it helps.
Shunsai

Hello Ix,


I am very interested and will read it shortly. Thanks for the link.
Shunsai

Hello Paul,


How about this?

Proof-of-Approval is a stake based protocol where every block is signed by the stake majority and every epoch is signed by almost the entire stake in the system.

Regards,
Shunsai

Hello D5000,


It is an interesting attack scenario, not sure if there is an official name for it, but let's continue calling it, profitable 50+% attack. Stake based and derivative chains are more susceptible to it because, unlike PoW, a large number of blocks can be built in a short time.

The attacker must wait for a certain degree of finality (after his stake transfer transaction is placed in the chain) before launching this attack. The more uncertain a chain's finality is, the harder it is for the attacker since they have to wait longer.

Proof-of-Approval's (v2) features that may help or hurt against this attack are

- (hurt) Near instant finality - the attacker can launch the attack quickly after transferring

- Max stake transfer is limited per block so that entire 50+% stake cannot be transferred in 1 block. If the limit is set to 0.5%of total network stake, it would take the attacker 100 or more blocks to transfer.

- If the attack fork is larger than an epoch (epoch length vs stake transfer amounts are not yet finalized), then epoch approvals in the "real" chain would be larger than that in the attack chain and the real chain wins.

- If the attack fork is smaller than an epoch, the fork determination procedure as currently specified in v2, chooses higher stored approval in the topmost block. This makes such an attack possible.

A limit that has been considered and perhaps should be included in Proof-of-Approval is the max stake transfer per epoch. If that limit is set to something like 25% of stake, then this attack cannot succeed because of epoch approvals.

So, I plan to add stake transfer limit per epoch.
Shunsai

This article explains Proof-of-Approval's defense against History or Costless Simulation attacks.

https://medium.com/@shunsai.takahashi/weak-subjectivity-not-required-fb1c467bc5ad

Hello Paul,


Block approval award is separate from epoch approval in approximately the same amount (over an epoch). For example, let's say
1. 100 blocks in an epoch
2. block approval award 1 coin * approver's network stake fraction
3. epoch approval award 100 coins * approver's network stake fraction

So, if an approver has 10% stake in the network
1. Approving epoch awards 100 * .1 = 10 coins
2. In addition, if they approve 90 blocks in that epoch, they additionally get 90 * 1 * .1 = 9 coins
3. If they also create one or more blocks in the epoch, they get creator awards + transaction fees

Hope it makes is clearer.
Shunsai

Hello Abdulkhaliq123,


Approving blocks provides another very desirable property - finality. In fact, the transactions are stable once a single block has been deposited on it.

Regards,
Shunsai

They should have clarified their fees upfront before the start of the call. What they did is unethical.

You may be better off finding developers on your own from Github :-)

Hello Paul,

There are two different problems that need solving

1. Block approval - where faster is better. If it is slow, the blockchain will have low transaction rate.
2. Defense against History attack - where higher stake participation provides stronger defense. Since some parties will be on slow connections, they may never be able to approve blocks.

Epoch approval solves problem 2.



Yes the currency inflation rate would be higher - about 2x of what without the epoch approval. Determination of the exact reward amount needs additional work. Epoch award needs to be large enough for small stakeholders to feel that participation is worthwhile. Block approval award is mostly expected to go to large stakeholders.



Yes, epoch rewards will result in a large amount of data storage once per epoch. The epoch period does not have to be very small - it can be around 500-1000 slots.

Regards,
Shunsai

Created new thread for the updated paper since it may fix some previous problems but may have created some new ones.
Thread https://bitcointalk.org/index.php?topic=3913439.0

Regards,
Shunsai

Hello,

Article: https://medium.com/@shunsai.takahashi/proof-of-approval-a-better-blockchain-consensus-protocol-b19a55dc331b
Paper: https://github.com/Takanium/doc/blob/master/research/proof-of-approval.pdf (Updated June 9, 2018)

The previous version of this paper was discussed here https://bitcointalk.org/index.php?topic=3125137.0. This version builds upon the previous version and (to my understanding) fixes flaws that were pointed out. It achieves:

• Defense against attacks known as Costless Simulation, History or Long Range - much stronger than Weak Subjectivity https://blog.ethereum.org/2014/11/25/proof-stake-learned-love-weak-subjectivity/.
• Defense against Nothing at Stake attack.
• As before, does not consume physical resources.
• As before, achieves near instant finality.
• Updated reward system that rewards approvers.
• Updated creator selection (previous version didn't have any) to reduce number of proposed blocks in a slot and prevent network from being bogged down.
• Added attacks defense discussion.
• Added glossary for easier reading.

This article explains how Proof-of-Approval defends against History or Costless Simulation attack https://medium.com/@shunsai.takahashi/weak-subjectivity-not-required-fb1c467bc5ad .
Looking forward to your feedback.

Regards,
Shunsai

Hello Aliashraf,

I believe I have a good solution to this History attack (aka Costless Simulation attack) issue. While most PoS systems are relying on the so called "Weak Subjectivity" solution, this solution is purely objective. I am writing it up now and will post it here soon for everyone's review. I can't overstate the value of the feedback provided in this forum. Thanks everyone!

Regards,
Shunsai

Hello Slava79,


Comparing Proof-of-Approval with Tendermint

1. Tendermint is a PBFT (http://pmg.csail.mit.edu/papers/osdi99.pdf) like algorithm where all nodes together agree on transactions and their order that would be put in a block. Therefore, all nodes together come up with a single block to be inserted in the blockchain. In Proof-of-Approval, just like Bitcoin, individual nodes bundle transactions on their own and the network chooses one of those bundles.

2. The "validators" in Tendermint volunteer to put some of their money as collateral that will earn them rewards but could also be confiscated. Validators are similar to those in Casper the Finality Gadget of Ethereum (https://arxiv.org/pdf/1710.09437.pdf). This article compares the two https://blog.cosmos.network/consensus-compare-casper-vs-tendermint-6df154ad56ae.

3. Tendermint a single "proposer" who proposes the blocks. The proposer is selected by some process from the validators in round robin.

4. Tendermint transactions achieve instant finality while Proof-of-Approval takes 1 block to finality.

5. Tendermint is likely to have less "liveness" than a block creating protocol like Bitcoin or Proof-of-Approval.

6. The amount need to takeover Tendermint is 1/3 of the collateral amount while the amount to takeover Proof-of-Approval blockchain would be almost half (just under half) of the value of the blockchain.

Regards,
Shunsai

Hello Bonzenboss,

You are 100% correct that the testing with implementation is required. It turns out that even that isn't sufficient since an adversary will keep his/her attack vectors hidden till the blockchain actually succeeds when the attacks can earn him/her maximum profit. I think a peer review (what's being conducted here) can bring out many issues that a testing without serious adversarial attacks may not find.


Permission - A party (node) needs some kind of authorization before it can join the protocol execution. In permissionless environment (e.g. Bitcoin), any party can download code and start a computer to join the protocol execution.

Adversary - A party or a group of parties that are trying to take unfair advantage of the blockchain e.g. spending the same coins multiple times. Such adversarial actions are called "attacks" and blockchains should be able to deter them.

Adversary tolerance -  Power of the adversary's attacks increases as he/she accumulates more and more of the resource critical to the blockchain. For Bitcoin, this resource is mining power. For Proof-of-Approval, this resource is the stake in the network. Adversary tolerance is the maximum amount of adversarial power a blockchain can deter.

Regards,
Shunsai

Hello Paul,


You are correct in pointing out an issue here which must be solved. I'd describe the issue slightly differently even without any single party holding a quorum stake.

An adversary buys empty private keys (with zero current stake) that once upon a time did hold a quorum stake in the blockchain. That adversary can start rewriting blocks from the time the keys did hold the quorum stake to the present - completely rewriting all the transactions.

I do need to think about this problem. Thanks for pointing it out.

Regards,
Shunsai

Hello Fresheneesz,


Comparing Proof-of-Approval with 2-hop Blockchain (2-hop)
1. 2-hop uses PoW consuming resources (in addition to PoS), Proof-of-Approval has no PoW.
2. 2-hop's alternate blocks are different, one is from PoW and the next is from PoS. All Proof-of-Approval blocks are the same (but each block has 2 parts to it).
3. In 2-hop, during PoS round, the network choose one stakeholder for PoS block. In Proof-of-Approval any (or all) stakeholders approve blocks.
4. In 2-hop, fork selection is based on the longest PoW chain. In Proof-of-Approval fork selection is based on a better approval score.
5. Proof-of-Approval has 1 block finality. 2-hop's finality properties seem to be similar to PoW chains. The analysis here is more difficult since neither PoS nor PoW can be analyzed independent of each other. The PoS part of the analysis matches Cardano's Ouroboros (https://eprint.iacr.org/2016/889.pdf) static case. Since the static case isn't a reality (stakes will change during chain's lifetime), it is unclear if the PoS does add any additional security to the chain.

Hope this comparison helps.
Regards,
Shunsai

Hello fresheneesz,

Node A is allowed to not approve another node's (say B's) blocks. That also means that B is allowed to not approve A's blocks. It works both ways. To detect if it is intentional or just network, point-to-point ping and bandwidth can be measured to guess number of blocks that should have reached within the time-slot.


Yes, block approval should be incentivized. I am working on it.

Thanks,
Shunsai

Hello Aliashraf,

I choose Proof-of-Approval name simply because it implies to have something to do with approvals. I could have chosen "Takahashi Protocol" name (similar to Ripple Protocol or Ouroborous) but that name wouldn't have told the reader anything other than the creator is named Takahashi.


Protocols that use "older" stakes (stakes from many blocks ago) are susceptible to bootstrap poisoning attack. In this protocol, since the stake used is at the current block, I have not been able to come up with a successful bootstrap poisoning attack scenario.


Multiple people have mentioned it and I am analyzing giving rewards for approvals.


The reason the crypto world is focused on consensus is because in absence of a good protocol, all other blockchain properties are compromised. Bitcoin is said to have breakeven of $8050 due to its resource consumption requirement just to achieve consensus. Therefore, blockchains need to be solve consensus to actually achieve that we all know they can.


Game theory and pure mathematics - just the way I like it


Here I'd differ from you a bit - I do feel that a good consensus protocol (that works and doesn't consume resources) is needed for blockchain success - not just as price of token but their actual impact on the world.

Thanks for your comments,
Shunsai

Hello Fresheneesz,

Yes, the goals are to
1. Improve security by achieving near 50% adversarial stake tolerance. Near 50% tolerance would offer deterrence even more than the corresponding mining power. Only Cardano achieves that (not counting TON because I have no knowledge of their protocol).
2. Improve finality. The fact that Ethereum is trying to get Casper FFG shows how important finality is (although Casper FFG only improves tolerance to long-range attacks). Cardano's finality degrades continuously with rising adversarial stake.
3. Reduce cost. AFAIK, Bitcoin's breakeven (cost of mining vs its price) is around $8050. That's a lot of expense for the node owners.


Thanks for pointing it out - I had not seen that before. I will definitely offer comparison even if they are simply superior


In order to be fully robust, the fork selection has to work on all conditions that may be produce in normal operation. It is not a detriment that the fork selection actually works even beyond those conditions. It's just a good design practice to design for more than needed (within cost constraints of course).


Traffic can be a problem but only the headers (which are few hundred bytes) are being transmitted. Still, a node would need to validate the blocks of headers it receives (after downloading full blocks). Having a smaller time-slot (as opposed to larger) will reduce the number of headers received by a node (assuming the software's low level code simply drops headers received in mismatched time-slots). An adversarial ddos attack may look like network fragmentation and may prevent blocks from being added to chain temporarily.


Yes, and there may be a need to reward block approvals. I will work on adding block approval rewards. They can be added to approval-block since the content-block has already been created.


Nodes are allowed to rank in any order they choose. The time is just the default order built into the software.


Good point, I will add glossary.

Thanks,
Shunsai

Hello Monsterer2,


Any single person owning (or colluding with) a quorum (majority) stake is a problem because that person (or colluders) can rewrite the chain as they choose. This situation is essentially the same as an adversary owning a quorum stake which is the limit of the protocol.



My assumption, which could be wrong, is
1. Stakeholders will approve (through approval message) more than one blocks or risk blockchain failure or being blacklisted by other node members.
2. Stakeholders will try to rank more candidate blocks created by other higher stakeholders lower in order to gain advantage in block creation.

Of course, these are just assumptions and need to be proven in real life. Perhaps some coins should be given for approving a winning block in order of their ranking of the block. I am open to suggestions here. In the meantime I will analyze the if incentivizing block approval does have the desired effect.

Thanks for pointing it out - this is exactly what I am looking for from this forum.
Shunsai