A. Results

Two main problems of Nakamoto’s “longest-chain rule” are the severely limited scalability and the lack of parallelisability. The lack of parallelisability results in the underlying communication network requiring strong assumptions about synchronicity. We propose a consensus protocol that works efficiently and fast in an asynchronous model and allows a high degree of parallelisation. This is achieved by replacing the “longest-chain rule” with the “heaviest-DAG rule”. As the resulting consensus is not based on a total ordering of the transactions, it enables the transactions to be stream processed. An optimization that becomes more and more relevant in the validation of smart contract updates and optional sharding solutions.

Another disadvantage in blockchains, which is perhaps not so well known, is the need for intermediaries in the form of miners or validators. By enabling leaderless writing access to the ledger we remove this dependency and reduce the system to a dichotomy of fund owners and nodes, where nodes take additional roles akin to validators. Nodes propose new blocks, which contain transactions from fund owners, and append them to the Tangle. Nodes utilise the append process to validate and vote on previous blocks in a highly efficient implicit voting scheme.

We propose a generalisation of the voting power of nodes in form of a generalised weight function. This generalisation allows for a high level of configurability of our protocol, making it adaptable to the needs and security requirements of the system in which it should be implemented, such as permissionless or permissioned.

We introduce an asynchronous leaderless protocol that employs a weight-based voting scheme on the Tangle. In this scheme, the supporters of transactions, which are the nodes, are tracked through implicit votes. The confirmation status of transactions can be determined using threshold criteria. We provide the algorithms for the various core components. More specifically, we describe how the supporter lists are updated through the implicit voting scheme and how nodes should attach their blocks to the Tangle. We provide theorems for the convergence, as well as the liveness and safety of the system. First, given a random, unpredictable influx of blocks, Theorem 1 gives guarantees that the system will converge eventually on a consensus state if an adversary has less than 50% of the weight, however, no safety guarantees are given in this case. Second, we give safety and liveness guarantees by extending the protocol and incorporating the capability to synchronise the nodes at certain intervals with the help of a common coin. The security guarantees for this extended protocol are given in Theorem 2. Finally, we provide an overview of simulation results that display the performance of the protocol.

B. Structure of the Paper

The document is structured as follows. In Section I-C we give an overview of essential aspects relevant to the design of a DLT solution. In Section I-D we provide an overview of other recent DAG-based protocols and highlight the differences to our proposal. Section I-E provides an overview of used symbols, acronyms and glossary. Section II gives an overview of some of the graph-theoretical preliminaries used in this paper. In Section III we provide a basic network setting within which the proposed Sybil protection mechanism operates. Section IV describes the functionality of the Tangle data structure and how it is utilised to confirm blocks. Section V introduces an overview of the Reality-based UTXO Ledger, which forms a central component in our approach that helps with tracking the opinions of honest nodes about conflicting transactions. In Section VI, we describe the voting protocol and confirmation of transactions. In Section VII we define the communication and adversary models and address the liveness and security of the system in Sections VIII and IX. In particular, we show that certain attacks that attempt to create a “metastable” situation, could become problematic under specific circumstances and strong assumptions about the adversary. In Section X we provide a solution to this by introducing a synchronization of nodes at larger time intervals. In Section XI, to showcase the performance of the protocol, we provide results from simulation studies. Finally, we conclude the paper with Section XII, where we describe future research directions.

C. Background

Consensus protocols in general and even DLTs, in particular, are such a large research area that we have to refer to some review articles for a more detailed introduction, e.g. [8], [9], [10]. Although a consensus protocol depends on many different aspects, we focus, in the remaining part of the introduction, on those that are most relevant for the design choices of our proposed protocol.

5) Voting

In our non-linear architecture, each new block references at least two existing blocks. This results in a DAG structure as mentioned above. As with a blockchain, a new block not only votes on its direct references but also on its past cone. Although this is an efficient voting scheme, there is the problem of orphanage or liveness. If a block contains an invalid block in its past cone, it can no longer be voted for and, thus, the contained transaction cannot be included in the ledger. We solve this problem by introducing two different references. The first reference is to the Tangle structure and the second is to the DAG structure originating from the UTXO ledger. The last reference allows voting for transactions that were originally orphaned and also to change previously issued votes. Eventually, both types of votes accumulate in a voting weight, which we call the Approval Weight (AW). The higher this AW the higher the probability that the transaction is eventually included in the ledger. We refer to Figure 1 for an example of the voting mechanism.

FIGURE 1.

Tangle is utilised as a voting layer for nodes to reach a consensus about the outcome of a conflict. Nodes agree on the winner between conflicting transactions $\hat {x}$ and $\hat {y}$ using a leaderless protocol. Different colours represent signatures of different nodes. The number of supporting nodes, shown on the right, increases for transaction $\hat {y}$ with time. The dashed references are so-called transaction references and allow to “rescue” transactions that voted for the “losing part”.

Show All

Generally, the voting mechanism can be applied to any DAG-based data structure with an append process that allows for referencing previous blocks. It requires three main ingredients: the first essential ingredient is a reference scheme that efficiently casts and propagates votes. The second necessary ingredient is the construction of a generalised invariant data structure that allows conflicts to coexist (see Section V). This feature allows to treat transactions “optimistically”; every new incoming transaction is considered “honest” unless it conflicts with another transaction. Consequently, nodes may start to build on top of every new transaction, even though this transaction may turn out to be conflicting. The third ingredient is a voting mechanism, dubbed On Tangle Voting (OTV), that efficiently votes on a possible unbounded number of transactions simultaneously. The efficiency is achieved by maintaining a low block overhead since votes of other nodes can be piggy-backed through the implicit voting mechanism. Also in contrast to classical Byzantine fault tolerance, nodes don’t have to be monitored for activity since the issuance of transactions (casting of votes) is a clear sign of being functional.

D. Related Work on Dag-Based Protocols

We already mentioned various related works in the general introduction. This section focuses on the general architecture and mention previous proposals that use DAGs in the underlying data structures. Blockchain-based protocols rely on a chain or “linearisation” of blocks that create a total order of transactions. These blocks have three purposes: leader election, data transmission and voting for ancestor blocks through the chain structure, see [34]. Each of these aspects can be, individually or combined, addressed through a DAG-based component. The various proposals differ in how and which of these components are replaced by a DAG.

The most common approach is to use a DAG structure for the data transmission. This is the most natural approach since if blocks are created at a high rate compared to their propagation time, many competing or even conflicting blocks are created, leading to frequent bifurcation points of the chain. As this results in a performance loss, a natural proposal is to include not only the “main chain” but also bifurcations using additional references, e.g. [2], [35], [36], [37], [38].

Protocols can also achieve a higher degree of parallelisation of the data transmission or writing access if all participants can write and propose blocks. This concurrent writing access removes considerably performance limitations of traditional blockchains. In blockchains where only a tiny proportion of participants can write to the ledger, and these participants are randomly chosen, e.g. by PoW or PoS, participants need to communicate the set of pending transactions to all their peers. This memory pool is a considerable performance limitation as nodes must broadcast transactions twice. Several interesting proposals allow participants to add concurrent blocks to the ledger and to construct a distributed memory pool in the form of a DAG. In the following, we give two approaches that differ in how consensus is achieved and in the underlying Sybil protection. More specifically the first utilises a permissioned setting, while the second employs a permissionless setting.

In the permissioned setting there is the following interesting line of research. The aim is to construct an atomic broadcast protocol based on a combined encoding of the data transmission history and voting on “leader blocks”. Such protocols allow the network participants to reach a consensus on a total ordering of the received transactions, and this linearised output forms the ledger. The most robust protocols achieve Byzantine fault tolerance in asynchronous settings and reach optimal communication complexity, see Honeybadger [39] and [40]. Improvements are proposed, for example, in Hashgraph [41] and Aleph [42] and more recently in Narwhal [43] based on the encoding of the “communication history” in the form of a DAG. These protocols remove the bottleneck of data dissemination of the classical Nakamoto consensus by decoupling the data dissemination from the consensus finding. Promising improvements for the consensus finding on top of the DAG-based memory pool were recently made in DAG Rider [44] and Bullshark [45]. We also want to mention [46] that analyses and discusses this kind of protocol from a more abstract and general point of view.

There is a common point with our approach to mention here. A DAG structure serves as a “testimony” of the communication among the nodes, and new blocks are used for (implicit) voting on previous blocks. In other words, the DAG is used for the two purposes of data transmission and voting. However, voting is done only over so-called “anchor blocks”, leading to an a posteriori leader election and total ordering of the transactions. Furthermore, and as mentioned above, these DAG-based broadcast protocols are designed for permissioned networks, which leads to similar safety-liveness properties to standard BFT protocols. A difference is, thus, that our protocol is designed for an asynchronous network environment and is not round-based as these proposals above.

In the permissionless setting, another route is taken by Prism [34]. This approach explicitly decomposes the three purposes of blocks into three types: proposer blocks, transaction blocks and voter blocks. Having separate transaction blocks allows participants to issue transactions and removes the need for a memory pool. The three types of blocks form a structured DAG that allows a very efficient way to vote on “leader blocks” that eventually give consensus via total ordering. Our approach is orthogonal in that we do not distinguish between different kinds of blocks but that the underlying DAG delivers consensus without an additional tool. In an implementation [47] of Prism, another DAG was used to increase the performance of the execution of the transaction. More precisely, [47] used a scoreboarding technique to execute the (totally) ordered UTXO transactions in parallel. In our approach, we actively construct a DAG, called the Ledger DAG, that encodes the dependencies of the transactions. This DAG is created before reaching consensus and allows tracking dependencies between pending or conflicting transactions. It was demonstrated in [48] that Prism can also support smart contract platforms and that in their implementation, the bottleneck is no longer the consensus but the execution of the smart contracts.

The main difference of our proposal to all the aforementioned protocols is that consensus is found on the heaviest DAG without the need for a “linearisation” using any leader selection. This reduces the purposes of blocks to data transmission and voting.

We want to mention another class of DAG-based and leaderless consensus protocols. However, it is conceptually different from the proposals above and our proposal. In this kind of protocol, e.g. [13], [49], the voting is performed via direct queries between the peers and hence necessities an additional communication layer. A DAG structure is used in Avalanche [13] to “transitively” vote on several blocks at once. We note, however, that the authors of [13] fail to analyze their proposed protocol properly, and the question of whether it has the desired properties remains unclear, e.g. [50, Sec. 2.3].

Finally, let us note that the above is only a selection of previous work on DAG-based DLTs and refer the reader to [10] for a more detailed summary.

E. List of Acronyms and Symbols

For the reader’s convenience, in this section, we summarize important notations and acronyms that are used throughout the paper. Furthermore, in Appendix C we provide a glossary of the terms in use in this paper.

Graph Structures:

We employ several graph structures as a base for the consensus protocol. Table 1 gives an overview of the utilised graphs.

TABLE 1 Overview of DAGs

Definition 1 (DAG):

A directed acyclic graph (DAG) is a directed graph with no directed cycles, i.e. by following the directions of edges, we never form a closed loop.

Definition 2 (Neighbours in a Graph):

Let ${G}=(V,E)$ be a graph. For a vertex $v\in V$ , define the set of neighbours (or ${G}$ -neighbours), written as $N_{V}(v)$ ,3 to be the vertices adjacent to $v$ .

Definition 3 (Parents, Children and Leaves in a DAG):

Let ${D}=(V,E)$ be a DAG. For a vertex $v\in V$ , define the set of parents, written as $\mathrm {par}_{V}\left ({v}\right)$ , to be the set of vertices $u\in V$ such that $(v,u)\in E$ . Similarly, we define the set of children, written as $\mathrm {child}_{V}\left ({v}\right)$ , to be the set of vertices $u\in V$ such that $(u,v)\in E$ . A vertex $v\in V$ with in-degree zero is called a leaf.

Definition 4 (Partial Order Induced by a DAG):

Let ${D}=(V,E)$ be a DAG. We write $u\le _{V} v$ for some $u,v\in V$ if and only if there exists a directed path from $u$ to $v$ , i.e. there are some vertices $w_{0}=u,w_{1},\ldots,w_{s-1},w_{s}=v$ such that $(w_{i-1},w_{i})\in E$ for all $i\in [s]$ . Furthermore, we note $u< _{V}v$ if $u\le _{V} v$ and $u \neq v$ .

Definition 5 (Minimal subDAG Induced by a Set of Vertices):

Let ${D}=(V,E)$ be a DAG. For a subset of vertices $S\subseteq V$ , we define the minimal subDAG of ${D}$ induced by $S$ to be the DAG ${D'}=(V',E')$ whose vertex set is $V'=S$ and there is an edge $(v,u)\in E'$ if and only if $u,v\in S$ , $v< _{V}u$ and there is no $w\in S\setminus \{u,v\}$ such that $v< _{V} w < _{V}u$ .

Definition 6 (Maximal and Minimal Elements):

Let ${D}=(V,E)$ be a DAG and let $\le _{V}$ be the partial order induced by ${D}$ . For a subset of vertices $S\subseteq V$ , an element $u\in S$ is called ${D}$ -maximal (${D}$ -minimal) in $S$ if there is no $v\in S\setminus \{u\}$ such that $u\le _{V} v$ ($v\le _{V} u$ ). Define $\max _{V}\left ({S}\right)$ and $\min _{V}\left ({S}\right)$ to be the set of ${D}$ -maximal and, respectively, ${D}$ -minimal elements in $S$ .

Definition 7 (Future and Past Cones):

Let ${D}=(V,E)$ be a DAG. For $x\in V$ , define the past cone of $x$ in ${D}$ , written as $\mathrm {cone}_{V}^{(p)}\left ({x}\right)$ to be the set of all vertices $y\in V$ such that $x\le _{V} y$ . Similarly, define the future cone of $x$ in ${D}$ , written as $\mathrm {cone}_{V}^{(f)}\left ({x}\right)$ to be the set of all vertices $y\in V$ such that $y\le _{V} x$ .

Definition 8 (Past-Closed Sets):

Let ${D}=(V,E)$ be a DAG. A subset $S\subset V$ is called ${D}$ -past-closed if and only if for every $u\in S$ , the past cone $\mathrm {cone}_{V}^{(p)}\left ({u}\right)$ is contained in $S$ .

A. Network

The network participants in the DLT are called nodes, and we denote the set of all nodes by $\mathcal {N}:=\{1,\ldots, N\}$ , where $N$ is the total number of nodes. A priori, different nodes may have different perceptions of the set of nodes. For example, in a permissionless setting, for a node to join the network, the knowledge of a single node entrance point is sufficient. For the sake of a better presentation, we assume that every node is aware of every other node. Nodes directly communicate with a subset of other nodes, i.e. its neighbours, via bidirectional channels. Thus, together all nodes create a peer-to-peer (P2P) overlay network. Nodes use public-key cryptography for their identification. Their unique node ID is derived from the public key, and all their blocks are signed with their private keys.

In contrast to other DLTs, where nodes can be divided into separate functional classes, we assume all nodes behave in the same way. Specifically, all nodes have two main roles. First, they propagate specific blocks through the network by receiving and sending these from and to their neighbours. Second, by creating new blocks and appending them to the data structure, nodes implicitly vote on the state of the previous blocks and their contained transactions; this procedure is called On Tangle Voting (OTV), see Section VI. For the voting part, we assume a scarce resource, see Section III-B. This resource endows every node with a certain weight that is used for the implicit voting procedure.

B. Sybil Protection

A common problem in permissionless distributed systems is that it is easy to spawn a significant number of nodes, also known as the Sybil attack. Thus, any critical component must ensure that the action of nodes is limited, otherwise, it would be trivial for an attacker to gain a disproportionately large influence and corrupt the protocol.

To limit or prevent Sybil attacks, we assume that each node can be associated with a particular reputation or weight attributing them an equivalent proportion of voting power in the applied voting mechanism.

The above weight function plays a crucial role in the validation process, see Sections IV-D–​VI-D.

A common way to implement such a weight is the so-called resource testing, where each identity has to prove the ownership of specific difficult-to-obtain resources. Since in the cryptocurrency world, users own a certain amount of a scarce resource, i.e. tokens, a practical Sybil protection mechanism can be based on proving the ownership of tokens and, thus, a certain amount of collateral.

Another way of implementing the weights is through delegation methods. The owners of source tokens, from which the weights are derived, can then delegate these weights to any node of their choosing. This brings several key advantages. For example, fund owners can delegate weight to nodes that provide good service or revoke it when the node does not behave as expected, thus enabling the implementation of a “reputation” system. In the extreme case, this even allows decoupling the weights from the token distribution and incorporate real-world trust models.

Generally, the weight distribution in our system may change over time due to changes in the weights or inevitable churns (nodes join and leave). Due to the asynchronous nature of the protocol, the perception of the weights may then differ from node to node. The protocol design considers this effect and allows a certain divergence in the weight vector. This tolerance to different perceptions provides for some additional features of the protocol. However, a more detailed discussion of a divergence in the nodes’ view on the weight vector is out of the scope of this paper. Thus, for simplicity, we make the following assumption.

C. Writing Access

The distributed nature of the protocol and the Byzantine environment within which it operates puts several constraints on the writing access. These constraints are even more critical for our protocol since it is not leader-based and does not rely on the intermediary of miners and block creators. Similar to [51] we require the following conditions:

1. Consistency: if a block that is issued by an honest node is written to the (distributed) database by one honest node, it should eventually be written by all honest nodes.

2. Fairness: given a weight function and a maximum bandwidth, nodes can issue blocks at a rate proportional to their weight.

3. Security: the above constraints are guaranteed in a Byzantine environment.

Consequently, the protocol should ensure that in congested scenarios only a limited amount of blocks are propagated, i.e. the block rate is capped by a certain throughput. Furthermore, this should happen fairly. These requirements prevent nodes from becoming overloaded and from inconsistencies in the ledger being created. In principle, this could be enabled through fees and PoW, or more novel alternatives as the access control algorithm presented in [51].

For the safe operation of the consensus mechanism, we assume the availability of such a mechanism. The required tool should provide guarantees on the constraints mentioned above. We make the following assumption.

A. Blocks

The protocol’s goal is to replicate certain content between the nodes in the network reliably. For example, this content could be the atomic updates of balances of fund owners.

This content is wrapped into an object that we call block. A node that would like to initiate the addition of certain content to the Tangle across the network assembles such a block, which includes the content, $k$ references to previous blocks and the signature of the node (see Figure 2). We call the process of assembling and initial broadcasting the issuance of a block. Each node that receives a new block forwards it to its neighbours.

FIGURE 2.

Simplified block layout with a transaction as content. The fund owner provides the node with the transaction. The node wraps the transaction into a block and signs the block.

Show All

The issuing node obtains the content through a service-client relationship with the issuer of the content, which can be facilitated through an application programming interface (API) call. Alternatively, the node itself may also be the issuer of the content. An essential application for the content is the transfer of funds, i.e. the consumption and creation of outputs. We call this type of content a transaction. In this paper, for the sake of presentation, we will assume that each block contains exactly one transaction in its payload. However, in general, blocks are not limited to this use case.

As blocks will also be used to propagate votes, keeping track of the issuing nodes is crucial.

B. The Tangle

The Tangle is a data structure built in accordance with the following rule as stated in the original paper [3] of the Tangle: “In order to issue a [block],5 a node chooses two other [blocks] to approve”.

More generally, we modify this by allowing a block to reference up to $k$ existing blocks. The data structure takes the form of a DAG, where the blocks correspond to the vertices, and the references form the edges.

Let us define this data structure more formally. We denote the set of blocks by $\mathcal {T}$ . There is a special block, called the genesis and denoted by $\rho $ . This block does not contain any references. Any other block has to directly refer to at least two (not necessarily distinct) blocks. Thereby, the reference relationship can be encoded into a DAG.

Using the notation from Section II, we write $\le _{ \mathcal {T}}$ to denote the partial order on the set of blocks induced by $D_{ \mathcal {T}}$ . For a block $x\in \mathcal {T} $ , the Tangle past and future cone of $x$ are denoted as $\mathrm {cone}_{ \mathcal {T}}^{(p)}\left ({x}\right)$ and $\mathrm {cone}_{ \mathcal {T}}^{(f)}\left ({x}\right)$ , respectively. The parents and children of $x$ are written as $\mathrm {par}_{ \mathcal {T}}\left ({x}\right)$ and $\mathrm {child}_{ \mathcal {T}}\left ({x}\right)$ . If $x< _{ \mathcal {T}} y$ we say that block $x$ approves or references block $y$ . Specifically, if $x\in \mathrm {child}_{ \mathcal {T}}\left ({y}\right)$ , then $x$ directly references $y$ ; if $x\not \in \mathrm {child}_{ \mathcal {T}}\left ({y}\right)$ and $x< _{ \mathcal {T}}$ , then $x$ indirectly references $y$ . A leaf in the Tangle DAG is said to be a tip.

FIGURE 3.

Future and past cones of a block $x$ in the Tangle.

Show All

C. Local Tangles

Due to the distributed nature of the network, nodes can receive blocks at differing times or even out of order. The time at which a node first receives a block is called arrival time.

Blocks can also be lost during their broadcast. While, generally, this could be problematic, the Tangle DAG allows for an elegant solution to remedy the loss by a process called solidification. If a node receives a block for which the parents are unknown, it requests the missing block from its peers. Upon receipt of the missing parent block, the past cone is now complete (unless their parents are missing - in which case the node has to repeat this procedure recursively). Once a block’s past cone is completed, the node flags the block as solid. The time of solidification of a block $x$ in node $i$ is denoted by $\tau _{s,i}(x)$ . We only consider blocks included in the Tangle after they are flagged solid.

As a consequence of the above, we can argue that there is no such thing as one Tangle in the network, as every node may have a different perception of it. Hence, at time $t$ a node $i$ is aware only of the block $x$ that satisfy $\tau _{s,i}(x)\leq t$ . We denote by $\mathcal {T}_{i,t}$ and $D_{ \mathcal {T}_{i,t}}$ the local perception of the block set and the Tangle DAG perceived from node $i$ at (local) time $t$ . Past and future cones then are also given in their local forms $\mathrm {cone}_{ \mathcal {T}_{i,t}}^{(f)}\left ({x}\right)$ and $\mathrm {cone}_{ \mathcal {T}_{i,t}}^{(p)}\left ({x}\right)$ . We omit subscripts and simply write $D_{ \mathcal {T}}= D_{ \mathcal {T}_{i,t}}$ if the dependence on $i$ and $t$ is clear from the context.

D. Witness Weight and Weighted Local Tangles

In the original Tangle whitepaper [3] the cumulative weight of a block plays a crucial role in the consensus finding. This cumulative weight is the number of blocks referencing a given block. In case of a conflict, nodes follow the part of the Tangle that contains the largest cumulative weight.

We adopt this fundamental idea to the setting where each node carries some weight. In this way, the nodes’ weight replaces the PoW in the block creation as a Sybil protection mechanism. The nodes’ signature in each block links the issuing node to the block (see Section IV-A). Thus, a node can be associated with the set of blocks on the Tangle issued by that node, and the node’s weight can be mapped to the blocks.

FIGURE 4.

Tangle DAG, where the issuing node of a block can be identified with a unique colour shown in the bottom of the block. The colors of the supporters of blocks $x,y,z$ are depicted in the top-right corners.

Show All

We proceed with two trivial statements saying that the WWs of blocks are monotonically increasing toward the genesis and the WW of a block can only grow over time.

A more delicate analysis of the growth of the WW under certain assumptions is provided in Section IV-F.

E. Confirmation Rule for Blocks

The block stream is controlled by the writing access control, see Section III-C. A priori, this control alone may not be sufficient to guarantee that all nodes see all blocks in the network. However, to guarantee the safety of the system, nodes must have consensus on which blocks should permanently be accepted in the data set $\mathcal {T}$ , otherwise, inconsistencies between the nodes could arise. If such a consensus is achieved, we consider a block confirmed. Furthermore, to maintain consistency in the data structure $D_{ \mathcal {T}}$ , a block $x$ can only be confirmed if all blocks in $\mathrm {cone}_{ \mathcal {T}}^{(p)}\left ({x}\right)$ are confirmed.

Tools that provide information about the confirmation status of blocks, with specific safety and liveness considerations, are generally referred to as confirmation rule. We design such a tool based on the concept of WWs of the blocks. The WW allows the nodes and users to create their subjective confirmation criterion. The larger the WW of a block, the higher the probability that the block will be in the ledger forever. This idea is similar to the “depth” of a transaction in a blockchain. Therefore, the actual confirmation criterion may depend on the protocol environment and the underlying use case.

Once a block is confirmed for a node, it remains confirmed forever. This irreversibility of the confirmation status places some strong requirements on the convergence of this status. More specifically, once a single node reaches the threshold for a given block, all nodes should reach this threshold eventually with a very high probability.

In an honest scenario, this assumption can be easily satisfied since a high WW also represents that a large proportion of nodes have “seen” a given block and issued a block approving it. If the default tip selection algorithm is suitably chosen and followed by sufficiently many nodes all nodes will attach blocks eventually to the future cone of that block with a very high probability (for more details, see Section IV-F). In Section VIII we discuss the liveness and safety of the protocol in detail.

F. Growth of Witness Weight

In this section, we model the block issuance and discuss the growth of the WW and its dependencies on the protocol environment.

We consider the following assumption.

To develop a heuristic for the WW we use the following approach. We assume that there is an “omniscient observer”, that is instantly aware of all blocks issued by all nodes. The observer’s perception of the state may differ from the perception of a given node, however, these differences have no substantial influence on the heuristic result. We refer to [52], [53] where this method has already been proven to lead to good heuristics. This view is reflected in the notation by omitting the index $i$ . For instance, $\mathcal {T}_{t}$ denotes the set of blocks perceived by this omniscient observer at time $t$ and $\mathbf {WW}_{t}(x)$ denotes the corresponding WW of a block $x$ at time $t$ .

Let $x$ be a block issued at time $t_{0}$ and denote by $E_{i}(\delta,x)$ the event that node $i$ issues a block in the time interval $[t_{0},t_{0}+ \delta]$ in the future cone of $x$ . We write $\mathbf {1}\{E_{i}(\delta,x)\}$ for the indicator function of this event; it is equal to 1 if the event occurred and 0 otherwise.

For $t= t_{0}+\delta $ , the WW of block $x$ perceived by the omniscient observer satisfies \begin{equation*} \mathbf {WW}_{t}(x) = \sum _{i=1}^{N} \mathbf {w}(i) \mathbf {1}\{E_{i}(\delta,x)\}.\tag{3}\end{equation*} View Source\begin{equation*} \mathbf {WW}_{t}(x) = \sum _{i=1}^{N} \mathbf {w}(i) \mathbf {1}\{E_{i}(\delta,x)\}.\tag{3}\end{equation*} Node $i$ issues blocks with rate $\lambda \mathbf {w} (i)$ and, thus, we have that \begin{equation*} \mathbb {P}(E_{i}(\delta,x)) \leq 1- \exp (- \delta \lambda \mathbf {w}(i)).\tag{4}\end{equation*} View Source\begin{equation*} \mathbb {P}(E_{i}(\delta,x)) \leq 1- \exp (- \delta \lambda \mathbf {w}(i)).\tag{4}\end{equation*} Note that the equality does not necessarily hold since not all new incoming blocks have to witness block $x$ . Taking the expectation in Equation (3) and applying Inequality (4) we obtain \begin{equation*} \mathbb {E}[\mathbf {WW}_{t}(x)] \leq \sum _{i=1}^{N} \mathbf {w}(i) \left ({1- \exp (- \delta \lambda \mathbf {w}(i))}\right).\tag{5}\end{equation*} View Source\begin{equation*} \mathbb {E}[\mathbf {WW}_{t}(x)] \leq \sum _{i=1}^{N} \mathbf {w}(i) \left ({1- \exp (- \delta \lambda \mathbf {w}(i))}\right).\tag{5}\end{equation*}

The formula given in (3) holds in the very general setting. For the analysis of the protocol, it is, however, important to consider a specific weight distribution. Probably the most appropriate modelings of weight distributions rely on universality phenomena. The most famous example of this universality phenomenon is the central limit theorem. While the central limit theorem is suited to describe statistics where values are of the same order of magnitude, it is not appropriate to model more heterogeneous situations where the values might differ in several orders of magnitude. These heterogeneous situations are frequently described by a Zipf law and appear in many fields; e.g. city populations, internet traffic data, the formation of P2P communities, company sizes, and science citations. We refer to [54] for a brief introduction and more references, and to [55], [56], and [57] for the appearance of Zipf’s law on the internet, computer networks, and DLTs.

We consider a situation with $N$ elements or nodes. Zipf’s law predicts that the (normalised) weight of the node of rank $r$ is given by \begin{equation*} \mathbf {w}(r) = \frac {r^{-s}}{ \sum _{j = 1}^{N} j^{-s}},\tag{6}\end{equation*} View Source\begin{equation*} \mathbf {w}(r) = \frac {r^{-s}}{ \sum _{j = 1}^{N} j^{-s}},\tag{6}\end{equation*} where $s\in [0,\infty)$ is the Zipf parameter. Since the weights $\mathbf {w}(\cdot)$ in (6) only depends on two parameters, $s$ and $N$ , this provides a convenient model to investigate the performance of the protocol in a wide range of network situations. For instance, a homogeneous network with $N$ nodes having equal weight can be modeled by choosing $s = 0$ . With increasing value of $s$ the network becomes increasingly centralised.

FIGURE 5.

Growth of the issued WW in Example 3 with 1000 blocks per second. We see the different behaviour for 100 nodes (left), 1000 nodes (middle) and 10.000 nodes (right). The growth depends essentially on the chosen Zipf parameter $s$ (in colour) and the number of nodes.

Show All

G. Estimates on Time to Confirmation

As discussed in Section IV-E, a confirmation rule is essential for many use cases, and time to confirmation (TTC) is undoubtedly a vital performance measure of every consensus protocol. As a thorough analysis of the TTC is out of the scope of this paper, we give a first “heuristic” upper bound in this section.

In the remainder of this section, we omit index $i\in \mathcal {N} $ since the provided analysis is relevant to all nodes. We divide the TTC into two periods. During the first period, we wait for the confluence time $\tau _{c}=\tau _{c}(x)$ until a given block $x$ is contained in the past cone of (almost) all current tips. During the second period, the issuance time $\tau _{iss}$ , we let the WW grow until it reaches the threshold $\theta $ . The TTC $\tau _{f}$ is then bounded above by \begin{equation*} \tau _{f} \leq \tau _{c} + \tau _{iss}.\tag{8}\end{equation*} View Source\begin{equation*} \tau _{f} \leq \tau _{c} + \tau _{iss}.\tag{8}\end{equation*} Estimates for $\tau _{iss}$ are obtained from (3) and this formula can be simplified for specific choices of the weights (see Example 5).

FIGURE 6.

Illustration of the Tangle to display the confluence time and issuance time. The colours in the bottom of the blocks represents the issuing nodes with significant weight. We demonstrate the colours of the “heavy” supporters of block $x$ on the right after each time period. The dashed blocks correspond to blocks that are not in the future cone of $x$ .

Show All

With some additional assumptions, we can obtain estimates for the confluence time $\tau _{c}$ similarly to [3]. Our first assumption is that the delay between block creation and the moment that other nodes in the network receive this block is constant.

As mentioned in Section IV-C, there is no “objective Tangle,” and every node has its own perception. Nevertheless, previous work [52] showed that the approximation made in this section leads to reasonable approximations for some quantitative properties of the Tangle, such as the number of tips and confluence times. For this reason, we omit the subscript “$i$ ” and work with a unique objective Tangle in this section. Similar to [3] we assume the number of tips to be in a stationary regime.

Using Assumptions 3, 4, and 5 we follow the heuristics described in [3, Sec. 3]. A first observation is that at any given time $t$ there are on average $\lambda h$ hidden tips, those blocks that have been issued after $t-h$ but are not yet visible to the network. As in [3] we assume that typically there are $r$ revealed tips, those that have been attached before $t-h$ but are still tips. Hence, we can write the total (average) number of tips as $L_{0}=r+\lambda h$ . By Assumption 5 we consider that the number of tips $L(t)$ is roughly stationary. This implies that since $\lambda h$ tips join the tip pool, during the same time, roughly $\lambda h$ blocks that have been tips at time $t-h$ became referenced and are no longer tips. Hence, the tip pool of size $L_{0}$ can be divided into $r$ revealed tips and $\lambda h$ blocks that are no longer tips. This division leads to the crucial observation that a new block (with $k$ parents) approves on average $k r / (r+\lambda h)$ (revealed) tips. Moreover, in the stationary situation where the tip pool size $L_{0}$ stays approximately constant, the mean number of chosen tips should be equal to 1; otherwise, the number of tips would change. Solving $k r / (r+\lambda h)=1$ leads to \begin{equation*} L_{0} = L_{0}^{(k)} = \frac { k \lambda h}{k-1}.\tag{9}\end{equation*} View Source\begin{equation*} L_{0} = L_{0}^{(k)} = \frac { k \lambda h}{k-1}.\tag{9}\end{equation*} This result, predicted in [3], has been confirmed through simulation studies in [53] and [52] and theoretical results in [58].

A first consequence of (9) is that, if $L_{0}$ is large, the expected time for a block to be approved for the first time is approximately \begin{equation*} h+L_{0}/(k\lambda)=h+ \frac {h}{(k-1)}.\tag{10}\end{equation*} View Source\begin{equation*} h+L_{0}/(k\lambda)=h+ \frac {h}{(k-1)}.\tag{10}\end{equation*} The size of the tip pool is naturally linked to the growth of the WW of a given block; the larger the tip pool the slower the growth of the WW.

We can proceed similar to [3] to obtain that \begin{equation*} \tau _{c} \approx \frac {h}{W\left ({\frac {(k-1)^{2}}{k} }\right)} \left ({\log L_{0} + \log \varepsilon }\right),\tag{11}\end{equation*} View Source\begin{equation*} \tau _{c} \approx \frac {h}{W\left ({\frac {(k-1)^{2}}{k} }\right)} \left ({\log L_{0} + \log \varepsilon }\right),\tag{11}\end{equation*} where log denotes the natural logarithm function and $W$ is the principal branch of the Lambert $W$ -function, which is defined as the inverse function to $z=we^{w}$ , i.e. $w=W(z)$ . For large $k$ , we can use the approximation \begin{equation*} W\left ({\frac {(k-1)^{2}}{k} }\right)\approx 2 \log (k-1) - \log k \approx \log k\end{equation*} View Source\begin{equation*} W\left ({\frac {(k-1)^{2}}{k} }\right)\approx 2 \log (k-1) - \log k \approx \log k\end{equation*} and, hence, obtain \begin{equation*} \tau _{c} \approx \frac {h}{\log k} \log (L_{0}) \approx \frac {1}{\log k} h \log (\lambda h).\tag{12}\end{equation*} View Source\begin{equation*} \tau _{c} \approx \frac {h}{\log k} \log (L_{0}) \approx \frac {1}{\log k} h \log (\lambda h).\tag{12}\end{equation*} In Section A, we will give more details on the derivation of the confluence time.

A. UTXO Model and Transactions

In the Unspent Transaction Output (UTXO) model transactions specify the outputs of previous transactions as inputs and spend them by creating new outputs.

Thus, a transaction consists of a list of inputs and a list of outputs, see Figure 2. Note that outputs must be unique. The uniqueness is typically achieved by creating the output ID with the involvement of a hash function. For example, the output ID could be the concatenation of the index of an output and the hash of a transaction’s content. Every output represents a specific amount of the underlying cryptocurrency. The value of all inputs, i.e. spent outputs, must equal the value of all outputs of a transaction. With each output comes a declaration by whom and under which conditions it can be spent. Under unlock conditions, e.g. a signature proving ownership of a given input’s address, the transaction issuer is allowed to spend the inputs. We refer to Figure 2 for a general transaction layout.

As said in Section IV-A, blocks contain transactions in their payload. Hereafter, we write $\hat {x}$ to denote the transaction contained in the payload of a block $x$ .

Let us define the transactions and ledger model more formally. We follow the approach of [59].

The UTXO ledger starts at the so-called genesis which contains outputs and no inputs. We emphasize that we use the same term for the ultimate predecessor of all blocks and all transactions. Recall that the genesis-block is written as $\rho $ , whereas the genesis-transaction will be denoted as $\hat { \rho }$ .

Typically every output can be consumed by at most one transaction and, hence, the value of all unspent outputs is conserved overall. Specifically, in the standard conflict-free UTXO model, the ledger can not contain a so-called double spend, i.e. two transactions that consume the same output of a transaction.

In the following section, we alleviate this conflict-free restriction and allow the Ledger to contain conflicting transactions.

B. Reality-Based Ledger

In this section, we propose an augmented version of the standard conflict-free UTXO ledger model that allows containing double spends. We suggest different structures that can be used for tracking conflicting transactions without the need for consensus.

First, we explain how the transactions and their in- and outputs result in a DAG structure. The information contained in the Ledger DAG is split into the Conflict Graph, which keeps track of the conflicting transactions only. Then we introduce the concept of branches. A branch forms a possible non-conflicting state of the ledger. We will then derive a concept, called a reality, which allows us to reduce $\mathcal {L}$ to a maximal subset of transactions that yield a conflict-free (Reality-based) ledger.

We refer to Appendix B, where we demonstrate this graph together with many other core concepts. Using the notation from Section II, we write $\le _{ \mathcal {L}}$ to denote the partial order on the set of transactions induced by $D_{ \mathcal {L}}$ . The past cone of a transaction $\hat {x}$ is denoted by $\mathrm {cone}_{ \mathcal {L}}^{(p)}\left ({\hat {x}}\right)$ , i.e. transaction $\hat {x}$ spends value directly or indirectly from transactions in $\mathrm {cone}_{ \mathcal {L}}^{(p)}\left ({\hat {x}}\right)\setminus \{ \hat {x}\}$ .

Typically, the addition of transactions to this type of data structure is such that only transactions, which create no conflict with any previously recorded transactions are allowed to be added, i.e. the Ledger DAG is conflict-free. However, this requires a consensus mechanism that pre-selects transactions.

Now we introduce a new design for a ledger, where this constraint is replaced by a relaxed one – namely, a new transaction $\hat {x}$ can be added to the ledger if $\mathrm {in}(x)$ are references to outputs which are not already consumed in $\mathrm {cone}_{ \mathcal {L}}^{(p)}\left ({\hat {x}}\right) \setminus \{ \hat {x}\}$ . In the following, we provide an overview of some of the most important concepts of the proposed solution that allows conflicting transactions to co-exist. Thereby, we start with a formal definition of conflicts and conflicting transactions.

The interrelations between conflicts can be encoded with the help of the Conflict DAG and the Conflict Graph.

We can group transactions based on whether they conflict with each other or not.

We further specialise conflict-free sets and introduce the notion of branches.

We now introduce the concept of a reality which can be defined as a maximal possible branch or, equivalently, a maximal independent set in the Conflict Graph. In other words, a reality aggregates the maximal number of conflicts while preserving non-conflicting nature.

Next, we describe the notion of the maximal contained branch of a given transaction which consists of the set of conflicting transactions in the past cone of the given transaction.

We note that there could not be two maximal branches in the ledger past cone of a transaction. Indeed, the past cone of any transaction is conflict-free and, thus, if there would be two maximal branches, we could consider the union of two branches, which has to be also a branch.

Recall that a maximal contained branch of a transaction from the $R$ -ledger is a subset of $R$ . Thus, the past cones of any two transactions are conflict-free and so is the $R$ -ledger.

C. Reality Selection Algorithm

To issue new blocks and validate transactions, each node in the network has to choose a conflict-free part of the ledger that it prefers. For this purpose, it suffices for a node to choose a preferred reality. Once a reality $R$ is chosen, the node can make different operations on the $R$ -ledger.

There could be different ways to choose the preferred reality. We provide a natural reality selection algorithm that takes as an input the Conflict Graph and an abstract weight function $\mathbf {w}: \mathcal {C}\to [{0,1}]$ satisfying two properties:

1. monotonicity: for any two conflicts $x, y\in \mathcal {C} $ such that $x \le _{ \mathcal {C}} y$ , it holds that \begin{equation*} \mathbf {w} (x) \le \mathbf {w}(y);\end{equation*} View Source\begin{equation*} \mathbf {w} (x) \le \mathbf {w}(y);\end{equation*}

2. consistency: let $x_{1},\ldots, x_{s}$ be pairwise conflicting conflicts.7 Then it holds that \begin{equation*} \sum _{i=1}^{s}\mathbf {w}(x_{i}) \le 1.\end{equation*} View Source\begin{equation*} \sum _{i=1}^{s}\mathbf {w}(x_{i}) \le 1.\end{equation*}

In Algorithm 1 we describe the proposed procedure. In this algorithm, we initialize $R$ as the genesis and $U$ as the set of conflicts. Then we iteratively construct a subset $R$ of conflicts and prune transactions conflicting with $R$ from $U$ . Specifically, we add a conflict to $R$ if this conflict is not conflicting with this set and attains the highest value of the weight function among all $D_{ \mathcal {C}}$ -maximal elements that remain in $U$ . By construction, Algorithm 1 leads to a maximal independent set in the Conflict Graph or a reality. The number of iterations in the while-loop is bounded by $| \mathcal {C}|$ and the number of $G_{ \mathcal {C}}$ -neighbours is also bounded by $| \mathcal {C}|$ . Thus, it is possible to implement this algorithm with complexity $O(| \mathcal {C}|^{2})$ .

Algorithm 1:

Reality Selection in Conflict Graph

Show All

We refer to Appendix B, where we apply the algorithm as part of an illustrated example.

A. Extension of Witness Weight and Liveness Problems

In Section IV we introduced the Witness Weight, which is a metric used for the confirmation of blocks. In this section, we seek a similar tool for the confirmation of transactions.

The Witness Weight has the property that it is monotonically increasing since it expresses the percentage of the weight that has witnessed a block’s existence. The situation is different for transactions where we want to leverage the node’s weight to decide between conflicting transactions. To ensure liveness, nodes must have the possibility to change their votes and withdraw their weights from the approval weight of a given transaction.8 However, changing the opinions might imply that blocks that reference (and vote for) blocks with rejected transactions might never be confirmed.

This situation creates a negative incentive to reference new tips. More precisely, nodes may be incentivized to either reference only blocks from trusted entities, tips of a certain age, or in the worst case, ancient and already confirmed blocks. The last behaviour may eventually lead to no new blocks being confirmed anymore.

The problems above were until now a significant concern of DAG-based consensus protocols, e.g. [3]. We propose to solve these by using the Reality-based Ledger and extending the reference scheme.

B. Immutable DAGs

Blocks are the primary information carriers of the network, i.e. they contain transactions and express the opinion of the issuing nodes. The references in the blocks, together with the signature of the nodes and the unlock proofs for the inputs, form two immutable data structures, similar to a blockchain.

First, the Tangle $D_{ \mathcal {T}}$ is constructed on the set of blocks $\mathcal {T}$ . The interrelations are defined by the references contained in the blocks, which are selected and signed by the issuing nodes (for more details, see Section IV).

Second, the Ledger DAG $D_{ \mathcal {L}}$ is constructed on the set of transactions $\mathcal {L}$ . Their interrelations are defined by the consumption of inputs, which are the outputs of previous transactions. The consumption and creation of outputs are cryptographically verified by the signature of the fund owner (for more details, see Section V).

For nodes to objectively agree on a partial order of events, we require the following assumption.

In other words, we have the natural assumption that the spending of the output should happen in the future cones the blocks “creating” these outputs.

C. Voting and Voting Dag

As a consequence of Lemma 3 both, the Tangle and the Ledger DAG, are suitable for nodes to express their opinions about which transactions they prefer among any conflicting transactions. More specifically by creating and attaching new blocks, nodes have an implicit way of voting for the “preferred” branches and conflicts. Let us define this more precisely.

We utilise the references contained in a block, which constitute the edges of the Tangle, see Section IV, to express a node’s opinion. As by Definition 10 a reference contains two fields: $r_{x}$ , which is a reference to block $x$ and $v$ , which is the value of a label. We call the label $v$ the vote type that can take values in $\{v_{\mathcal {T}}, v_{\mathcal {L}}\}$ . This label gives additional meaning to the reference to $x$ in the Tangle and defines the following two specialised references.

To overcome the liveness issues described in Section VI-A we additionally add a reference that bypasses the block and directly addresses the contained transaction.

FIGURE 7.

Inheritance of branches: we consider two potential blocks $y$ and $y'$ that contain the same transaction $\hat {y}$ , but have either a transaction, or a message reference to block $x$ . Thus, a node can vote in two ways. Specifically, block can approve a previous block via a transaction reference or a block reference, and inherit the branch of the referenced transaction or the referenced block, respectively.

Show All

We define a data structure that combines the two immutable data structures in Section VI-B into one single DAG used for propagating the votes.

So far we described how references between blocks are given additional meaning to construct the voting DAG. This DAG allows nodes to express their opinions, recursively. Following Definition 7 we define $\mathrm {cone}_{ \mathcal {V}}^{(p)}\left ({x}\right)$ as the voting past cone of block or transaction $x$ in the Voting DAG.

FIGURE 8.

Illustration of how the Voting DAG is assembled from the Tangle and the Ledger DAG. By creating a transaction reference to block $z$ , the vote of block $x$ avoids vertices $z,y, \hat {y}$ shown in grey.

Show All

We can also describe the voting past cone in terms of a recursive equation.

The Reality-based Ledger introduces the concept of branches, see Section V. The consumption of more than one output from different branches creates a new branch, which is the union of the branches of the consumed outputs. Now we extend this concept to blocks, which can combine branches by voting for previous blocks or transactions. More precisely we can relate a given reference in a block with a branch. The branch of the block is then defined as follows.

Recall Definition 27 that introduces the maximal contained branch of a transaction $\hat {x}$ , written as $\mathrm {branch}^{(p)}_{ \mathcal {L}}(\hat {x})$ . Using Proposition 1, we relate the voting branch of block $x$ and the maximal contained branch of transaction $\hat {x}$ in the following statement.

We can associate a given block $x$ with a branch $B_ {\mathcal {T}}= \mathrm {branch}^{(p)}_{ \mathcal {V}}(x)$ . Furthermore, the content of $x$ , which is a transaction $\hat {x}$ , also can be associated with a branch $B_{\mathcal {L}}= \mathrm {branch}^{(p)}_{ \mathcal {V}}(\hat {x})$ . Due to Lemma 3 we have that $B_ {\mathcal {L}}\subseteq B_ {\mathcal {T}}$ . Since a node may change its opinion about a conflict and vote for a conflicting transaction to $\hat {x}$ , the vote is only valid from the point-of-view of the referencing block $y$ . A later change of the node’s vote is possible by issuing another block that votes for a conflicting transaction to $\hat {x}$ .

D. Approval Weight and Confirmation Rule for Transactions

Nodes must be able to track the progress of the acceptance of a transaction. We extend the concepts of Witness Weight, introduced in Section IV-D, to the Approval Weight (AW) of transactions. The objective is then to define a parameterisable confirmation condition for transactions similar to the one discussed for blocks in Section IV-E.

Clearly, the AW describes the percentage of the network approving a given transaction.

The supporter of transactions can be updated using propagation of the supporter information through the voting DAG. More precisely on arrival of a block $x$ we traverse $\mathrm {cone}_{ \mathcal {V}}^{(p)}\left ({x}\right)$ . We propose Algorithm 2 to update transactions supporters when a new block is processed. The AWs are then updated using Equation (14).

Algorithm 2:

Updating Transaction Supporters When New Block Arrives

Show All

Similar to Definition 14 we define the confirmation of a transaction. We will use subscripts $i$ and $t$ such as $\mathbf {AW}_{i,t}$ if we talk about the perception of the $i$ th node at moment $t$ .

We also define the AW of a branch, which will form the base for the algorithm in the next section. The supporters of a branch are equal to the intersection of the supporters of the conflicts in the branch. More formally we have the following.

E. Tip Selection Algorithm

The consensus protocol relies substantially on an implicit voting mechanism. Nodes express their opinions and votes by choosing the references in their newly issued blocks. The process that determines the references is called the Tip Selection Algorithm (TSA) and is discussed in this section.

With every block, a node can vote on which parts of the Tangle and the Ledger DAG it prefers by using block or transaction references. The preferred parts of the Tangle and the Ledger DAG are defined by the preferred reality. Following the algorithm described in Section V-C, a node $i$ at moment $t$ keeps its preferred reality $R=R_{i,t}$ up to date.

We now describe a tip selection mechanism that considers both block and transaction votes. Note that due to Lemma 3 the Ledger DAG induces a partial order consistent with the one induced by the Tangle and, thus, voting on the Ledger DAG allows expressing a more selective, albeit less efficient vote than on the Tangle.

Let us define some reality-dependent tip sets on the Tangle DAG and the Ledger DAG.

Denote by $\mathbf {T}_{{ \mathcal {T}}}(R)\subset \mathcal {T}$ the tips in the Tangle DAG whose Tangle past cones contain only transactions in reality $R$ . More precisely, for any $x\in \mathbf {T} _{{ \mathcal {T}}}(R)$ , there is no $y\in \mathrm {cone}_{ \mathcal {T}}^{(p)}\left ({x}\right)$ such that $\hat {y}\in \mathcal {C} \setminus R$ .

Denote by $\mathbf {T}_{{ \mathcal {L}}}(R) \subset \mathcal {L} $ the tips in the Ledger DAG whose past cones contain conflicts from $R$ only. In other words, it holds that for any $\hat {x}\in \mathbf {T} _{{ \mathcal {L}}}(R)$ , there is no $\hat {y}\in \mathrm {cone}_{ \mathcal {L}}^{(p)}\left ({\hat {x}}\right)$ such that $\hat {y}\in \mathcal {C} \setminus R$ . A node should apply the following tip selection and reference setting.

Algorithm 3:

Uniform Random Tip Selection Restricted on Reality R

Show All

We refer to Appendix B, where we demonstrate this algorithm as part of an illustrated example.

A node may have voted previously for a branch that is no longer its preferred branch. It has therefore to change its vote. With the above tip selection nodes are allowed to vote for branches they previously did not “prefer” (by voting for a conflicting transaction) and vote “against” branches they previously voted for. Every node must therefore keep the supporters for each branch and their AW up to date. An important consequence is that the AW of certain branches may increase in time while for others it may decrease in time.

The addition of the transaction vote demonstrates that solutions for the Tip Selection Algorithm can be found that mitigate or reduce liveness issues and that transactions eventually will be considered for tip selection. Thus, in the following, we work under the following assumption.

We also refer to Section XII for a more detailed discussion.

A. Communication Model

The participating nodes communicate over a peer-to-peer (P2P) protocol or network. In this P2P protocol, nodes send their signed blocks to their neighbouring peers. Neighbours forward blocks from other nodes in the overlay network only if they have verified its validity; if a transaction is invalid, the propagation stops. The transmission of a block between two nodes is done by sending a package containing the block.

There are three basic (or classic) models for the P2P communication between the nodes: the synchronous model, the asynchronous model, and the partial synchronous model, e.g. see [16] and [20].

In the synchronous model, there exists some known finite time bound $\Delta $ by which an adversary can delay the delivery of a package. In the asynchronous model, an adversary can delay the delivery of a package by an unknown finite amount of time. There is no bound on the time to deliver a block but each package must eventually be delivered. In the partial synchronous model, we assume that there is some finite unknown upper bound $\Delta $ on block delivery. This bound is not known in advance and can be chosen by the adversary.

A partially synchronous system can be seen as initially asynchronous that becomes eventually synchronous. The time at which the system becomes synchronous is called the Global Stabilisation Time (GST).

We also consider a probabilistic synchronous model, see [49]. In this model we assume that for every $\varepsilon > 0$ and $\delta \in [{0,1}]$ , a proportion $\delta $ of the blocks is delivered within a bounded (and known) time $\Delta =\Delta (\varepsilon, \delta)$ , that depends on $\varepsilon $ and $\delta $ , with probability of at least $1-\varepsilon $ . The probabilistic synchronous model is similar to the asynchronous model with crash failure faults, see [20].

The specific implementations for a consensus mechanism depend heavily on the underlying synchronicity assumption. It also seems appropriate to distinguish between consensus protocols that find consensus on one data set and consensus protocols that find consensus on a growing number of decisions. The latter allows to “strengthen the synchronicity” between the nodes if the data are related by references.

B. The Tangle, Solidification, and Synchronicity

The references that form the Tangle are essential for the consistency of information every node has. Consider that a package propagates to only part of the network, e.g. lost during some of the propagation processes on the communication layer. However, nodes that have received the block start building on it and gossip their blocks to the network. These new blocks contain references to the partially missing block. Since nodes must know the past cone of any block to have a complete Tangle history from that blocks’ point of view, we use a mechanism called the solidification process. In this mechanism, nodes that receive a given block only process it if its past cone is complete or, otherwise, ask their peers for the missing referenced block (for more details, see Section IV-C). In other words, the solidification process is a mechanism to recover lost blocks and, hence, strengthens the “synchronicity” of the communication model. We think that this, to some extent, supports the assumption that all blocks are delivered within a bound time $\Delta $ with high probability.

C. Adversary Model

We distinguish between three types of nodes: honest, faulty, and malicious. Honest nodes follow the protocol, faulty nodes are not working properly (e.g. not sending any transactions), and malicious nodes are trying to disturb the protocol by not following the rules actively. In most scenarios, we assume that the malicious nodes are controlled by an abstract entity that we call the attacker. We assume that the attackers are computationally limited and cannot break the signature schemes or the cryptographic hash functions involved. However, we assume that the attacker is omniscient and “knows immediately” about all state changes of the honest nodes.

In classic consensus protocols, the communication model already covers the adversary behaviours, as delaying blocks is essentially the only way an attacker can influence the system. This is no longer true for our consensus protocol. Here, adversarial strategies can be divided into two main categories: attacks on the protocol level and attacks on the voting layer.

D. Configuration Graph and Schedule

How events in distributed systems are triggered depends on some external causes that are often referred to as the environment. We follow [60] and model this environment using the abstraction of a scheduler.

To this end, we consider a communication network on which all communications between the nodes are carried out. These networks are often referred to as P2P networks. We model them using a directed graph whose vertex set is the set of participating nodes. There is a directed edge from $i$ to $j$ , if node $i$ can send packages directly to node $j$ .

We assume this graph to be connected. Along the directed edges of this graph packages are exchanged by the nodes. In our case these packages contain blocks.

Essentially a node $i$ does the following once it receives a package $e$ from node $j$ . It checks if the block $x$ that is contained in the package $e$ was already treated. If this is the case, the node’s status remains unchanged, and no new package is issued. If the block is new, the node checks its validity and adds the block to its local Tangle. If applicable, it updates the supporters of branches and conflicts and, if the transaction contained in the block is conflicting, adds a new conflict to the set of conflict. After this step, the node forwards the block in new packages to all its neighbours from which the node has not received the block.

A node may also create blocks. Once it creates a block $x$ , it attaches $x$ to its local Tangle. Then, it creates a package $e$ containing block $x$ and sends copies of this package to all of its neighbours.10

FIGURE 9.

Illustration of a network of 6 nodes. Packages $u,w,x,y,z$ are send along directed edges representing communication channels.

Show All

Every node keeps a local version of the Tangle $D_{ \mathcal {T}_{i}}$ that we consider as the (local) configuration $\omega _{i}$ of node $i$ . For ease of presentation, we consider the following simplified version of the OTV that does not keep track of where the actual blocks are attached in the Tangle but only keeps track of the supporters of the branches or conflicts. The (local) state space is therefore given by $\mathcal {Q}= \underbrace {2^{ \mathcal {N}}\times \ldots \times 2^{ \mathcal {N}}}_{| \mathcal {C}|}$ , where $\mathcal {C}$ is a fixed set of conflicts and $2^{ \mathcal {N}}$ is the set of all possible subsets of $\mathcal {N}=\{1,\ldots, N\}$ .

We interpret the packages a node $i$ receives as input assignments with values in the space of all packages $\mathcal {M}$ . Each input assignment $e$ yields an update of the current configuration, and each configuration $\omega _{i}$ leads to an output assignment. We therefore consider two functions \begin{equation*} I(e, \omega _{i}): \mathcal {M}\times \mathcal {Q}\mapsto \mathcal {Q},\end{equation*} View Source\begin{equation*} I(e, \omega _{i}): \mathcal {M}\times \mathcal {Q}\mapsto \mathcal {Q},\end{equation*} and \begin{equation*} O(\omega _{i}): \mathcal {Q}\mapsto \mathcal {M}^{| \mathcal {N}_{i}|-1},\end{equation*} View Source\begin{equation*} O(\omega _{i}): \mathcal {Q}\mapsto \mathcal {M}^{| \mathcal {N}_{i}|-1},\end{equation*} where $\mathcal {N}_{i}$ are the neighbours of node $i$ in the communication graph $G$ . A node $i$ runs an algorithm $\mathbf {A}= (I, O)$ that reacts to incoming packages by updating its internal state $\omega _{i}$ and eventual sending outgoing packages indicating its state update. We also consider the configuration of the whole system that takes values $\overline {\omega }=\{\omega _{1},..,\omega _{N}\} \in \mathcal {Q} ^{N}$ . The corresponding algorithm is denoted by $\overline { \mathbf {A}}$ .

The creation of blocks uses randomness (by design) through the TSA. Moreover, issuing times of blocks may depend on the interactions of the node with the environment of our system. For this reason, we model the time between two successive blocks of one given node by random variables. oreover, the latency between packages of two given nodes is described by random variables. This randomness turns our protocol into a random protocol, and the randomness is described by the probability measure $\mathbb {P}$ . As we consider a simplified model and are only interested in the supporters of given branches, the randomness enters only in the “time components” of the packages or edges. Consequently, edges become random variables.

In the following, we assume that honest nodes only issue valid packages.

The relation $\leftrightarrow $ defines an equivalence relation on the set of configurations.

The closed communication classes play a vital role as they describe the outcome of the protocol. Let $R\in \mathcal {B} $ be a reality. Then the configuration with $\mathrm {sprt}_{ \mathcal {L}_{i}}(R)= \mathcal {N}$ for all $i\in \mathcal {N} $ is a closed class. Let us note here that we are still assuming all nodes to be honest and behave according to the protocol.

We make a crucial assumption about the communication layer.

There are two immediate consequences of Lemma 4.

The above definitions can naturally extend to models that distinguish between honest and adversary nodes. We assume that adversary nodes do not have to follow the algorithm $\mathbf {A}$ but can produce messaging voting for non-preferred realities. On the communication level, adversary nodes may be more potent than honest nodes, i.e. issuing blocks more frequently, and may delay the relaying of honest packages. Nevertheless, we assume that Assumption 8 holds for all honest and malicious nodes. We say that the protocol reaches a consensus state if all honest nodes eventually prefer the same reality. Let us denote by $\mathcal {N}_{h}$ and $\mathcal {N}_{a}$ the set of honest and malicious nodes. In analogy to the above, we obtain the following result.

Remark 15:

In general, one requires in addition that the consensus protocol satisfies integrity. Integrity requires that the eventual outcome of the consensus protocol was initially proposed by at least one node. Since in OTV honest nodes always pick a maximal branch, the integrity property is satisfied once the protocol terminates.

A. Non-Conflicting Transactions

Liveness of a non-conflicting transaction is the property that it will eventually be included in the ledger state. In the strongest form, it means that every non-conflicting transaction will be confirmed, see Definitions 14 and 37. Therefore, the security threshold for liveness is at most a proportion $(1-\theta)$ of the weight, as an attacker or faulty nodes holding a proportion $(1-\theta)$ can stop the confirmation by not issuing any blocks anymore.

Liveness is inherently linked with the TSA and the orphanage problem. We assume the following Assumption on the TSA11 and we refer to Section VI-A for a discussion.

Some discussion on the validity of the stationary tip pool size assumption is appropriate. This kind of assumption was also made throughout Section IV-G as Assumption 5. Let us review this assumption in the light of the communication and the adversary model.

An attacker can delay blocks with honest transactions such that the network delay $h$ increases. This, in turn, will inflate the tip pool size and the time to confirmation [61]. In the asynchronous model, this could lead to memory overflow of the nodes or halt confirmation of certain transactions. While this attack is theoretically possible in this model, it is more of a theoretical interest than a practical issue. We also want to note here that nodes do have an efficient way to “synchronize” their perceptions of the Tangle due to the solidification process; see Section VII-B.

On the Tangle layer, the “worst-case scenario” seems to be the following. The adversary issues blocks, referencing already referenced blocks, not removing any tips from the tip pool. Under the assumption that nodes can issue blocks proportionally to their weight, we obtain that $q/(1-q)$ malicious blocks are issued for each honest block. Honest nodes can increase the number of references to keep the Tangle width stationary. More precisely, it is sufficient that the honest nodes’ blocks, on average, remove $K:=(q/(1-q))+1$ tips. In other words, we can choose the number of references $k>K$ to guarantee robustness against this attack. For instance, $q=1/2$ leads to $K=2$ .

B. Conflicting Transactions

Theoretical results on the liveness and safety of conflicting transactions rely heavily on the assumptions of the underlying communication and adversary model. Moreover, the analysis of the OTV protocol is complex: it requires modeling of the networking part, modeling of the weight distribution, and various (even an infinite number of) adversarial strategies. The following section shows that an adversary can hinder consensus finding in specific situations or edge cases. However, we want to emphasize that this interference only influences the liveness of conflicting transactions and that an appropriate TSA guarantees liveness of non-conflicting transactions; see Proposition 3. In Section X, we add a feature to the protocol that allows us to obtain theoretical results on the liveness of conflicting transactions.

A. Communication Level

We start with an example where an attacker does not take part directly in the voting but only controls the schedule of the honest nodes’ blocks. Let us point out that the attacker does not need to control any weight in this scenario.

The first adversary attack is dubbed a metastability attack since it tries to keep the honest nodes in an undecided situation. We refer to [50] for more details and analysis of these kinds of attacks. On a conceptual level, these kinds of attacks exploit a situation where the system is kept in a roughly symmetric condition between two incompatible options. Once the symmetric scenario is broken, nodes likely converge quickly on one of the options.

FIGURE 10.

Illustration of Example 11. Nodes are voting for transaction $\hat {x}$ (blue) or $\hat {y}$ (orange). Each node ends up with the opposite opinion it started with, thus, creating a deadlock.

Show All

B. Voting Level

In this section, we describe situations, where an attacker can successfully interfere in the consensus finding by using the voting layer. We do not need conditions to control communication between honest nodes but relatively strong assumptions about the adversary’s ability to issue new blocks and reliably forward them to the honest nodes.

We consider an even number $N_{h}$ of honest nodes and three malicious nodes, and where each node holds the same weight. We say if a node votes for $\hat {x}$ or $\hat {y}$ it is in set $X$ and $Y$ , respectively. The protocol starts with ${}^{1}/{}_{2}N_{h}$ honest nodes initially voting for $\hat {x}$ and ${}^{1}/{}_{2} N_{h}$ honest nodes voting for $\hat {y}$ . We refer to Figure 11 for an illustration. Next, the adversary votes for $\hat {x}$ (with all three nodes), resulting in a vote of $|X|/|Y| = \left({{}^{1}/{}_{2}N_{h}+3}\right) / \left({{}^{1}/{}_{2}N_{h}}\right)$ . Nodes in $X$ will continue to vote in favour of $\hat {x}$ . On the other hand, an honest node in $Y$ will eventually change its vote and issue a transaction in favor of $\hat {x}$ , thus, changing from set $Y$ to $X$ . Now, before any other honest nodes can express their vote, the attacker switches its vote to $\hat {y}$ . Hence, in total we have $|X|/|Y| = \left({{}^{1}/{}_{2}N_{h} + 1}\right) / \left({{}^{1}/{}_{2}N_{h}+2}\right)$ . Honest nodes will now vote for $\hat {y}$ . However, as soon as a node from $X$ changes its vote, the resulting situation is symmetric to the initial condition. Thus, the adversary can repeat this ad infinitum.

FIGURE 11.

Illustration of Example 12. Nodes are voting for transaction $\hat {x}$ (blue) or $\hat {y}$ (orange).

Show All

FIGURE 12.

Different epochs in the synchronisation.

Show All

The next example, the Bait-and-Switch Attack, depends less on the adversaries issuance rate but requires a higher amount of weight.

C. Communication and Voting Level

In the previous sections, we presented examples of how an adversary can harm the liveness of conflicting transactions. The attacker strategies required either substantial control of the communication layer or a high issuance rate combined with considerable weight. In this section, we prove an impossibility result for safety that involves an attack strategy that uses both levels.

We have the following “negative” result.

The above proof indicates that the attacker needs very strong control over the communication layer to conduct such an attack. Nevertheless, it gives a reasonable theoretical security threshold for the protocol’s safety. All the more since we can prove safety under the assumption $q < \theta -0.5$ in Section X.

D. Realistic Conditions

The above examples illustrate that the two dimensions, namely the communication and voting level, may interact either in favor of the attacker or in favor of the robustness of the protocol. In all cases, it seems that the attacker needs excellent control of the communication layer of the protocol. Randomness or uncertainty on the communication layer may interfere with the adversary strategy and finally lead to convergence of the honest nodes’ opinions.

We conjecture that these strong assumptions are not met in most reasonable real-world scenarios and that the attacks that rely solely on the communication level are hard to perform in practice.

With a completely random schedule of packages, the system will eventually converge to a consensus state in situations where an attacker controls not more than half of the total weight, see Theorem 1. However, this convergence time can be impracticably long for real-world applications and it is possible that safety (for the confirmation) can be broken as shown by Lemma 5. The theoretical treatment of the inherent randomness of real-world implementation systems is at best in an early state, and a quantification or even its control seems currently out of reach. We refer to [60] for a theoretical approach to describe the entropy related to the scheduling of the transactions.

The following section proposes a more sophisticated variation that allows a more straightforward theoretical treatment and provides the “optimal” safety thresholds.

Assumption 9:

We make the following assumptions:

1. Every block from an honest node is received by another honest node during time $\mathbf {d}= \mathbf {d}(\varepsilon)$ with probability of at least $1-\varepsilon $ . The constant $\varepsilon >0$ can be chosen arbitrarily small. The events for each block are independent of each other.

2. The adversary controls a proportion $q$ of the weight. The adversary might have an influence on the schedule of the blocks to the extent of 9.1.

3. The set of conflicts $\mathcal {C}$ is fixed and does not vary in time. All nodes perceive the same $\mathcal {C}$ .

4. There exists a dRNG that publishes a random variable every $\mathcal {D}$ unit of times. The random variable is uniformly distributed on the interval $[0.5, \theta]$ , where $\theta $ is the confirmation threshold; see Section IV-E. This value is received (independently) by every given node before time $\mathbf {d}$ (in every epoch) with a probability of at least $1-\varepsilon $ .

5. Honest nodes of cumulative weight of at least $\theta $ issue blocks expressing support for their preferred reality12 at least every $\mathcal {D}/2$ time units with a probability of at least $1-\varepsilon $ .

Proposition 4:

The resulting set $R$ in Algorithm 4 is a reality.

Lemma 6:

Assume that the honest nodes have the same perceptions on the honest AWs. Then, for all $i$ , $1\le i \le N_{h}$ , it holds that \begin{equation*} \mathbf {AW}_{i,t}(c) \in I_{t}(c).\tag{21}\end{equation*} View Source\begin{equation*} \mathbf {AW}_{i,t}(c) \in I_{t}(c).\tag{21}\end{equation*}

Definition 48 (Convergence to a Consensus State):

We say that the protocol converges to a consensus state if and only if there exist some reality $R$ and some (random) time $T$ such that \begin{equation*} \mathbf {AW}_{i,t} (R) > \theta,\quad \forall i\in \{1,\ldots, N_{h}\}, \forall t>T.\tag{22}\end{equation*} View Source\begin{equation*} \mathbf {AW}_{i,t} (R) > \theta,\quad \forall i\in \{1,\ldots, N_{h}\}, \forall t>T.\tag{22}\end{equation*}

Remark 18:

Definition 48 is similar to the definition of a consensus state; see Definition 45. While it describes the asymptotic behaviour of the protocol, it delivers not a practicable criterion for confirmation.15 A “confirmation rule”, as in Definition 15, however, is always susceptible to possible “re-orgs”16 of the ledger state; see also Lemma 5. Quantifying the probabilities that such re-orgs happen depends on the precise communication and adversarial models and is out of this paper’s scope.

Theorem 2 (Liveness and Safety - Synchronisation):

Let \begin{equation*} q< \min \left \{{1-\theta, \theta - \tfrac {1}2}\right \}\end{equation*} View Source\begin{equation*} q< \min \left \{{1-\theta, \theta - \tfrac {1}2}\right \}\end{equation*} be the weight of the adversary. Then, under Assumption 9, the protocol (described by Algorithm 5) converges to a consensus state.

Case A:

$\mathbf {AW}^{(h)}(c^{\ast}) >0.5$ . The support of the random threshold does lie above 0.5; see also Figure 13. More, precisely, the probability $\xi _{A}$ that every node will include this conflict in its preferred reality (using Algorithm 4) satisfies $\xi _{A} > \mathbf {AW}^{(h)}(c^{\ast}) - 0.5>0$ . All conflicts that conflict with $c^{\ast}$ , i.e. the neighbours in the Conflict Graph $N_{ \mathcal {C}}(c^{\ast})$ , are not preferred. Note here, that since every honest node might have a different perception of the actual AWs, it may run Algorithm 4 in a different “order”. However, as no two neighbours in the Conflict Graph can have more than 0.5 of the honest AW, the algorithm treats all “A cases“ before the following case.

Case B:

$\mathbf {AW}^{(h)}(c^{\ast}) \leq 0.5$ . In this case, all conflicts in $c^{\ast} \cup N_{ \mathcal {C}}(c^{\ast})$ have an honest AW of less than 0.5. (This is because, in Algorithm 4, nodes treat conflicts in the order of “decreasing AW”.) Since $q< \theta - 0.5$ , with a positive probability $\xi _{B}$ none of these conflicts will have AWs above the threshold $X_{2}$ and none of them will be added to the preferred reality in the first while-loop of Algorithm 4.

We now remove the conflicts $c^{\ast} \cup N_{ \mathcal {C}}(c^{\ast}) $ from the set $U$ and continue this procedure until the set $U$ is the empty set. We set $\xi = \min \{\xi _{A}, \xi _{B}\}$ . Let $K$ be the size of the largest maximal independent set in the Conflict Graph. Eventually, with a positive probability of at least $\xi ^{K}$ the nodes agree on the preferred conflicts originating from case A. The nodes have to fill up the maximal branch with the second while-loop in Algorithm 4. Since they agree on the value of $X_{2}$ they also agree on the preferred reality.

Altogether, with a positive probability of at least $p(\varepsilon) \cdot \xi ^{K}$ all honest nodes vote for the same reality during the next epoch of length $\mathcal {D}$ . If this happens, an AW of more than $\theta $ is obtained in the next epoch. Otherwise, we repeat this procedure until it is satisfied. The number of epochs necessary follows a geometric random variable.

Remark 19:

The above proof offers a possibility to estimate the “consensus time” $T$ . In fact, its expectation is bounded above by $\mathcal {D}\cdot (1 + (p(\varepsilon) \cdot \xi ^{K})^{-1})$ . This quantitative analysis is one main difference to Theorem 1, where no bounds on the “consensus time” are obtained. Another crucial difference is that Theorem 2 does not require assumptions on the randomness of the packages and issuance as in Assumption 8.

Remark 20:

The assumption that the set of conflicts is fixed reduces to the assumption that the set of conflicts is bounded during the run-time of the protocol. The results, therefore, also apply to sets of conflicts that may evolve over time. However, the quantitative bounds in the proof get worse for larger sets of conflicts.