 Welcome everyone to today's PL Research Seminar. Today is the 19th of April, and we have Xuechao Wang presenting. He's a PhD candidate in the Department of Electrical and Computer Engineering at the University of Illinois, working with Professor Pramod Viswanath, and I'm sure I butchered that one as well. His research interests are in decentralized consensus protocols and blockchains. He applies techniques from applied probability, combinatorics, and optimization to provide new algorithmic solutions and analyze the performance and security of new blockchain protocols. Today, he will be presenting his work on Minotaur, a multi-resource blockchain consensus, which is joint work from people all around the globe, at IOHK, the University of Illinois, of course, the University of Seattle, Edinburgh, and Athens. And I believe we also have one of his co-authors, Matthias Fitzi, on the call. So thank you both for joining. And again, thank you all for attending or watching this recording. And yet the floor is yours.
Thanks, George, for the introduction. Okay, let's get started. I'm honored to present our recent work, Minotaur: Multi-Resource Blockchain Consensus, at today's PL Research Seminar. Resource-based consensus is the backbone of permissionless blockchains. Participation in such a consensus protocol is enabled by proving possession of a certain type of resource. Usually, this is referred to as the proof-of-X mechanism in the literature, including proof-of-work used in Bitcoin and Ethereum, and proof-of-stake used in Cardano and Algorand, and also proof-of-space used in Chia Network and Filecoin. Now, each of these different PoX mechanisms has led to different blockchain ecosystems. And it is known that single-resource blockchains are vulnerable to 51% attacks, when a person or a group takes control of more than half of all the resources in the network.
For example, during the month of August 2020, the Ethereum Classic network suffered not one but three 51% attacks in one month. And in the literature, the checkpointed ledger was proposed to address the 51% attacks on PoW blockchains. It uses a committee to secure the PoW ledger by regularly issuing checkpoints. And usually the checkpointing committee is chosen randomly from the pool of the stakeholders. So the safety of the checkpointed ledger is guaranteed by the safety of the checkpointing protocol. And usually it will be a BFT protocol run by the committee. The checkpointing committee will also provide some kind of checkpoint certificate to the miners, and the protocol of the checkpointed ledger will require that the checkpoint certificate must be included in the chain to introduce some extra randomness that will restart the mining game. So in this way, some of the pre-mined private blocks by the adversary will become invalid because they did not acknowledge the checkpoint certificate. So therefore, in the checkpointed ledger, there will always be non-zero chain quality, even if the honest miners control less than 50% of the mining power. So this guarantees the liveness of the protocol. Yeah, however, in the checkpointed ledger, the trust is just shifted from PoW to PoS. The security of the scheme is solely guaranteed by the checkpointing committee, which is drawn from the pool of the stakeholders, but not by the miners. And the question is that if we have such trust in the checkpointing committee, then why do we still need PoW block production? We can just let the checkpointing committee run a permissioned BFT protocol, like, for example, HotStuff, and it will achieve much higher throughput and lower latency than the PoW blockchain. This leads to a natural question: can we achieve a fungible combination of different resources? Okay, what do I mean by fungible?
I mean that the security of the protocol is guaranteed as long as the honest players control a majority of the combined resources. And let me introduce some notations. Let capital M be the number of resources in the system and beta i be the fraction of adversarial power in the i-th resource. And omega i is the weight of the i-th resource. And we have the sum of the weights, omega i, is equal to one. Then our desired security guarantee can be formulated as in this formula, that is, the sum of omega i beta i should be less than one half. And we can check that with this security guarantee, the adversary will be unable to launch a successful attack by commanding like just 51% in only one of the underlying resources. Like, for example, if beta one is greater than one half, then this inequality may still hold if the other betas are small. Okay, so in this talk I will first focus on hybrid PoW and PoS protocols. And I will use beta W as the fraction of the adversarial mining power and beta S as the fraction of the adversarial stake. And again, omega will be a weighing parameter between zero and one. And we want to achieve security whenever omega times beta W plus one minus omega times beta S is less than one half. Now, this is also plotted as the red curve in this figure. And if we change the value of omega, then the slope of this curve will be changed but it will always pass through the center point half. Okay, let's simplify the problem a little bit more. I will first consider the static setting, where the total mining power and the total active stake are fixed and also known to the protocol designer. So in this way we can have a very simple protocol. At the beginning of the protocol we can tune the mining targets of the PoW blocks and the PoS blocks such that the miners will mine PoW blocks with rate omega times f and the stakeholders will generate PoS blocks with rate one minus omega times f.
Yeah, f is just the total mining rate of all the blocks, and then it can be like 10 minutes per block, like in Bitcoin. And then in this simple protocol the PoW and the PoS mining will just occur in parallel. Whichever miner or stakeholder succeeds first just goes ahead and extends the longest chain, which accepts both types of blocks. Yeah, compared with a pure proof-of-stake protocol, for example, Ouroboros Praos, the adversary in this simple protocol has a strictly smaller action space because it cannot equivocate with the PoW blocks. So the security of this simple protocol directly follows from the security of the PoS longest-chain protocol. However, this is only true in the static setting, but how about the dynamic setting? Particularly, we are interested in the variable mining power case. Before moving on to the variable mining power case, I'd like to point out that a key requirement of practical PoW blockchains is to adapt to the immense variation in mining power. For example, the mining power of Bitcoin increased exponentially by an astonishing factor of 10 to the power of 14 during its decade of deployment. Therefore, we have to consider the dynamic setting for our protocol to be practical. Okay, come back to the simple protocol. To support variable mining power, we can try an epoch-based mining target adjustment rule just like in Bitcoin. For example, as shown in this figure, capital D is the duration of an epoch, and let small n be the number of PoW blocks, and let small d be the desired PoW inter-block time. For example, these parameters in Bitcoin are like: capital D is about two weeks, small n is 2,016 blocks per epoch, and the inter-block time is 10 minutes per block. So then we can adjust the mining target of the PoW blocks by comparing the duration of the last epoch with the desired duration of an epoch, as written in this formula.
And also we learn from the static setting that to guarantee security for each epoch, the ratio of the total block rates of the PoW blocks and the PoS blocks must be a constant, omega by one minus omega. Yeah, but unfortunately, this ratio is controlled by the adversary because the adversary can always decide to hide or release its PoW blocks. And the inaccurate PoW mining target adjustment could lead to a different weighing parameter omega than the desired one. And more importantly, the value of omega is unknown to the honest players because they don't know the mining power of the adversary. So for example, it is possible that we want to achieve a security curve as presented by the red line. But after the difficulty adjustment, the actual omega is presented by the blue line. Then as long as the adversarial power falls in the yellow region, which is below the red curve but above the blue curve, then the protocol, this simple protocol, will be insecure. And therefore, this simple idea of simply mixing PoW and PoS blocks does not work in the dynamic setting. To achieve fungible security in the dynamic setting, we propose Minotaur. At a high level, the underlying PoS protocol can be black-boxed. Minotaur can be built on an epoch-based PoS longest-chain protocol. For example, we can use the Ouroboros series of protocols or Snow White. An important notation in Minotaur is that we define the notion of virtual stake as a combination of the actual stake and the work stake. So the actual stake is contributed by the tokens in the system. And the work stake is contributed by the PoW mining. I will explain this in detail later. And in Minotaur, the main chain blocks are scheduled by means of the virtual stake instead of using the actual stake distribution like in the PoS protocol. Okay, before moving to the details of Minotaur, I will first give a brief description of the PoS longest-chain protocols. Take Ouroboros Praos as an example.
In Ouroboros Praos, the time is divided into fixed-length epochs. And in each epoch, we will have a randomness that will be used to do the PoS lottery. We will use this randomness to select a group of block proposers in epoch one from the pool of the stakeholders. And then in the first epoch, the randomness R0 is just hard-coded in the genesis block. Then at the beginning of the second epoch, we will calculate a new randomness R1, which is a function of the block hash in epoch zero. Then again, we will use this new randomness to draw another group of block proposers from the stakeholders. And then they will produce blocks for epoch two. And this process repeats for other epochs. Okay, following the underlying PoS protocol, Minotaur also has fixed-time epochs. And the PoS blocks in Minotaur are main chain blocks, but they are scheduled by means of the virtual stake. And the PoW blocks, they are not on the main chain, but they are referred to or picked by the PoS blocks. And this is similar to the FruitChains structure: the PoW blocks in Minotaur are fruits hanging on the main chain. Okay, next I will explain how to calculate the virtual stake. In each epoch, the total virtual stake will always be the sum of the total actual stake and the total work stake. And remember that the total actual stake is just the total token supply in the network. And then for each epoch, we set the total work stake as W, such that omega times the total actual stake is the same as one minus omega times the total work stake. So in each epoch, the ratio of the total actual stake and the total work stake is a constant. And then the work stakes will be distributed to the miners according to their contribution in the past epochs. And the work stake distribution in epoch E is the same as the distribution of PoW blocks mined in epoch E minus two.
And note that we have a one-epoch gap here because the work stake should be determined prior to the randomness used for the PoS lottery. And remember that in the Ouroboros protocols, the new randomness for this new epoch is calculated as a function of the block hash in the last epoch. So the randomness is drawn from somewhere here, but the work stake distribution is drawn from epoch E minus two. Otherwise, if we don't have this one-epoch gap, then the miners can grind on the public keys to send the work stake to their favorite keys. And this is very similar to the stake grinding attack in PoS. Yeah, and Minotaur can easily support variable mining power. We can use a mining difficulty adjustment rule similar to Bitcoin. And for example, we can compare the actual number of PoW blocks mined in one epoch with the expected number. And just to point out that this is not that critical to the security of Minotaur, but we still want to keep the PoW block rate reasonable. For example, if the PoW block rate is too large, then it may exceed the network capacity. And on the other hand, if the block rate is too small, then we will have a very high variance in the work stake assignment. This means that we can no longer assign the work stake fairly to the miners. This figure shows the security region of Minotaur together with a few other hybrid PoW-PoS protocols. And Minotaur with omega equal to one half is presented as the red line. And in the paper, we also prove that Minotaur achieves the optimal security. By optimal, we mean that this region bounded by the red curve can no longer be enlarged anymore. And earlier, we also mentioned the protocol called checkpointed ledger. It is secure as long as you have the honest majority in the total stake. So the security region is bounded by this red line, this horizontal line.
And actually the checkpointed ledger also has optimal security, but it is not fungible in the sense that there's no trade-off between the trust in the stake and the trust in the work. And in the literature, there is also a hybrid protocol called two-hop blockchain, which is presented as the red line here. And the two-hop blockchain claims to be secure under the majority of the adversarial mining power. So it can also survive the 51% mining attack. However, their security proof still requires an honest majority in the stake. So the security region of the two-hop blockchain is not optimal. And also in the literature, there are many other hybrid protocols categorized as finality gadgets, where they try to build a finality layer on top of a PoW blockchain and they try to bring some extra properties such as finality and accountability to the PoW blockchain. And usually in these protocols, they will need an honest majority or even an honest supermajority in both the stake and the work. Okay, now let me provide a proof sketch of Minotaur's security. And note that there's no work stake defined in the first two epochs. So in the first two epochs, we will use the initial stake as the virtual stake. So we will need an honest majority assumption in the initial stake distribution and apply the Ouroboros security argument, so that we will have security of the main chain in the first two epochs. And then follow the FruitChains argument, so that we can have fairness of the PoW blocks in epochs one and two. Here, by fairness, we mean that the miner with like half a fraction of mining power will contribute half a fraction of PoW blocks. And note that here, we cannot directly use the fairness argument proved in the original FruitChains protocol, as they assume the static setting and also an honest majority in the total mining power. But here in our paper, we managed to prove it in the dynamic setting and also when there's no honest majority in mining power.
With the fairness guarantee combined with our major assumption that omega times beta W plus one minus omega times beta S is less than one half, we can have the honest majority in the virtual stake in epochs three and four. Then again, apply the Ouroboros security argument, so that we can have the security of the main chain in epochs three and four. And the analysis goes on and we can prove security for all the time. But in Minotaur, the weighing parameter omega can actually also be changed over time. For example, we can have omega e in the e-th epoch. For example, if we want to change omega e from one half to two fifths at the beginning of epoch e zero plus one, then, okay, remember that we have a one-epoch gap when operating the work stake. So we will need the adversarial power to be bounded by the red line before and in epoch e zero minus one. And similarly, we will need the adversarial power to be bounded by the blue line in and after epoch e zero minus one. And especially during epoch e zero minus one, the adversarial power needs to be bounded by both of the lines. But as long as omega e zero plus one does not differ too much from omega e zero, this restriction on the adversary is still reasonable. Yeah, we remark that the function omega e may be decided by the protocol designer. So it can be hard-coded in the genesis block, but the players can also reach an agreement off-chain to update the value of omega by doing a soft fork. Okay, we point out that such flexible weighing between the work and the stake is very useful in practice. So it's known that PoS blockchains are very easy to launch. For example, we can use many existing techniques such as proof of burn, initial coin offering and airdrop. In contrast, the bootstrapping of a PoW blockchain is challenging, as the new system would start off with relatively small total mining power and thus be vulnerable to 51% attacks.
So Minotaur can be launched as a pure proof-of-stake blockchain and then later transition into a pure proof-of-work blockchain by changing omega from zero to one gradually. Yeah, I have presented Minotaur as a hybrid PoW-PoS protocol so far, but it can also be generalized to multiple resources. Let M be the number of different resources that we can have; then the PoW blocks in Minotaur can be replaced by different types of resource blocks. And we can distribute omega i fraction of the virtual stake according to the distribution of the i-th type of resource blocks. And again, the sum of the omega i is equal to one. This is similar to how we distribute the work stake in the hybrid PoW-PoS version of Minotaur. And also the actual stake is not required to be one of the M resources because we can just assign zero weight to the actual stake. Then the multi-resource Minotaur will be secure as long as the sum of omega i beta i is less than one half, and this is also visualized in the picture on the right. As an application, the multi-resource Minotaur can be used to combine different types of work. For example, the first resource in Minotaur can be work using SHA-256, which is the hash function used in Bitcoin. And the second resource can be work using Ethash, which is the hash function used in Ethereum. And the third resource can be the actual stake in the system. And again, this can possibly be assigned zero weight. So we will have a pure proof-of-work protocol. And in this way, we can have more robust PoW blockchains. For example, we can assign higher weight to the more decentralized work. And in this case, it will be work using Ethash. Or we can assign higher weight to the more costly work. So in this way, it will make it more expensive to attack the protocol. Okay, to demonstrate the validity of Minotaur, we also implemented a full-stack prototype client in 6,000. And we also implemented several active attacks on our prototype.
Yeah, the first attack is the selfish mining attack, where a selfish miner withholds its mined blocks and releases them later at an appropriate time to take the place of honest blocks in the longest chain. And in this table, we report the chain quality, or the fraction of honest PoW blocks, of three different protocols: Bitcoin, FruitChains and Minotaur. And from the table, we can see that Bitcoin is indeed vulnerable to the selfish mining attack, meaning that the attacker has a larger fraction of PoW blocks in the main chain, and thus more block rewards in Bitcoin, than its fraction of mining power, particularly when beta W is larger than one half. And FruitChains only resists the selfish mining attack when beta W is less than one half. And meanwhile in Minotaur, the attacker can only have beta W fraction of the total PoW blocks, no matter how much mining power it has, like even when beta W is greater than one half. So this fairness guarantee is a key property in Minotaur. It shows that we can distribute the work stake fairly among the miners. The second attack is the private chain attack, where an attacker tries to privately generate an alternate chain faster than the public honest chain to displace a confirmed block. And this heat map reports the longest fork that the attacker can maintain during the attack in three different protocols: Minotaur, Bitcoin and Ouroboros Praos. And we observe that as long as beta W plus beta S is less than one, the attacker can only succeed with a very short private chain, even when either beta S or beta W is close to one. And Ouroboros Praos and Bitcoin will need beta S less than one half and beta W less than one half, respectively. And also this is the normal result from their security analysis. Also, this result is in line with our security proof of Minotaur. Okay, as a summary, today I presented Minotaur as a multi-resource blockchain protocol.
So it is a black-box construction on top of a PoS longest-chain protocol. And Minotaur continuously samples the active resource power to provide a fair exchange between the stake and the non-stake resources, for example, work or space. And Minotaur also has provable and fungible security. And also we have a prototype implemented in Rust. I think that concludes my presentation today. Yeah, thank you for your time.
Thank you again for presenting and thank you for attending. This is part of a broader series of talks that Protocol Labs organizes for the benefit of the community. The recordings are on YouTube and we do publish a schedule of future talks on our GitHub repository. Also, you may want to go to our website and register for our mailing list if you want to receive notice of upcoming talks. So again, thank you so much to our speakers. Thank you to all of those watching and we'll see you again next time.