Cryptology ePrint Archive: Report 2018/104

PHANTOM: A Scalable BlockDAG Protocol

Yonatan Sompolinsky and Aviv Zohar

Abstract: In 2008 Satoshi Nakamoto invented the basis for what would come to be known as blockchain technology. The core concept of this system is an open and anonymous network of nodes, or miners, which together maintain a public ledger of transactions. The ledger takes the form of a chain of blocks, the blockchain, where each block is a batch of new transactions collected from users.

One primary problem with Satoshi's blockchain is its highly limited scalability. The security of Satoshi's longest chain rule, more generally known as the Bitcoin protocol, requires that all honest nodes be aware of each other's blocks in real time. To this end, the throughput is artificially suppressed so that each block fully propagates before the next one is created, and that no ``orphan blocks'' that fork the chain be created spontaneously. In this paper we present PHANTOM, a protocol for transaction confirmation that is secure under any throughput that the network can support. PHANTOM thus does not suffer from the security-scalability tradeoff which Satoshi's protocol suffers from. PHANTOM utilizes a Directed Acyclic Graph of blocks, aka blockDAG, a generalization of Satoshi's chain which better suits a setup of fast or large blocks. PHANTOM uses a greedy algorithm on the blockDAG to distinguish between blocks mined properly by honest nodes and those mined by non-cooperating nodes that deviated from the DAG mining protocol. Using this distinction, PHANTOM provides a full order on the blockDAG in a way that is eventually agreed upon by all honest nodes.

Category / Keywords: applications / BlockDAG, Cryptocurrency, Consensus Protocols

Date: received 25 Jan 2018, last revised 9 Apr 2018

Contact author: yonatan sompolinsky at mail huji ac il

Available format(s): PDF | BibTeX Citation

Version: 20180409:113704 (All versions of this report)

Short URL: ia.cr/2018/104

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]