The Velvet Path to Superlight Blockchain Clients
Aggelos Kiayias, Andrianna Polydouri, Dionysis Zindros
AFT '21
27th September, 2021
Preliminaries
Light clients
Simplified Payment Verification (SPV)
Light clients
SPV protocol
- not efficient enough
- data grow linearly to the size of the chain
Superlight clients
-
logarithmic amount of data to the size of the chain
- Superblock NIPoPoWs
- FlyClient
Superblock NIPoPoWs
H(block) \leq T
- all valid blocks:
- "luckier" μ-level superblocks:
H(block) \leq \dfrac{T}{2^μ}
Superblock NIPoPoWs
Ideal superblock distribution
Superblock NIPoPoWs
Proof contains only some superblock headers...
Superblock NIPoPoWs
Consensus Protocol changes
- interlink data struture in block header
- pointers to every most recent superblock
Consensus Protocol Update
Hard fork
- not backwards compatible
- change block header contents
- unupgraded parties do not accept upgraded blocks and vice versa
- may lead to permanent fork
Soft fork
- backwards compatible
- auxiliary data (possibly) in coinbase transaction
- unupgraded parties accept upgraded blocks but not vice versa
- generally believed as less dangerous
Consensus Protocol Update
Velvet fork
- backwards compatible
- protocol changes come as a recommendation
- e.g. auxiliary data in coinbase transaction
- unupgraded parties accept upgraded blocks and vice versa
- only a minority of miners needs to upgrade
magic!
Our Contributions
Superblocks under Velvet Fork
"Superblocks protocol can be deployed as-is under velvet fork"
Superblocks under Velvet Fork
Is there a way to attack?
False super-pointers could...
- not point to the most recent previous superblock
- point to a block of a fork chain
Superblocks under Velvet Fork
"Thorny" blocks
Is there a way to attack?
Superblocks under Velvet Fork
The Chainsewing Attack
cut-and-paste portions of the honest chain
Superblocks under Velvet Fork
A specific Chainsewing Attack
cut-and-paste portions of the honest chain
skip honest upgraded blocks of attacked level
p \eqsim 0.3
Superblocks under Velvet Fork
The patch
honest miners ignore unupgraded and thorny blocks while updating the interlink
Superblocks under Velvet Fork
Combined Attack
Suppression & Chainsewing
Superblocks under Velvet Fork
Security
velvet honest majority assumption
\dfrac{t}{n_h} < \dfrac{1}{3}
Superblocks under Velvet Fork
Intuition
Superblocks under Velvet Fork
Security
simple chain quality does not suffice!
the adversary may attack only some superblocks...
\dfrac{t}{n_h} < \dfrac{1}{3}
FlyClient under Velvet Fork
Consensus rule update: MMR chain commitments
FlyClient under Velvet Fork
"FlyClient protocol can be deployed as-is under velvet fork"
Combined attack
Suppression & Chainsewing
Thank you!
Questions?
andriannapolyd@gmail.com
Copy of NIPoPoWs under Velvet Fork
By andrian
