Cryptology ePrint Archive: Report 2018/104

PHANTOM and GHOSTDAG: A Scalable Generalization of Nakamoto Consensus

Yonatan Sompolinsky and Shai Wyborski and Aviv Zohar

Abstract: In 2008 Satoshi Nakamoto invented the basis for blockchain-based distributed ledgers. The core concept of this system is an open and anonymous network of nodes, or miners, which together maintain a public ledger of transactions. The ledger takes the form of a chain of blocks, the blockchain, where each block is a batch of new transactions collected from users. One primary problem with Satoshi's blockchain is its highly limited scalability. The security of Satoshi's longest chain rule, more generally known as the Bitcoin protocol, requires that all honest nodes be aware of each other's blocks very soon after the block's creation. To this end, the throughput of the system is artificially suppressed so that each block fully propagates before the next one is created, and that very few ``orphan blocks'' that fork the chain be created spontaneously.

In this paper we present PHANTOM, a proof-of-work based protocol for a permissionless ledger that generalizes Nakamoto's blockchain to a direct acyclic graph of blocks (blockDAG). PHANTOM includes a parameter $k$ that controls the level of tolerance of the protocol to blocks that were created concurrently, which can be set to accommodate higher throughput. It thus avoids the security-scalability tradeoff which Satoshi's protocol suffers from.

PHANTOM solves an optimization problem over the blockDAG to distinguish between blocks mined properly by honest nodes and those created by non-cooperating nodes who chose to deviate from the mining protocol. Using this distinction, PHANTOM provides a robust total order on the blockDAG in a way that is eventually agreed upon by all honest nodes. Implementing PHANTOM requires solving an NP-hard problem, and to avoid this prohibitive computation, we devised an efficient greedy algorithm GHOSTDAG that captures the essence of PHANTOM.

We provide a formal proof of the security of GHOSTDAG, namely, that its ordering of blocks is irreversible up to an exponentially negligible factor. We discuss the properties of GHOSTDAG and how it compares to other DAG based protocols.

Category / Keywords: applications / BlockDAG, Cryptocurrency, Consensus Protocols

Date: received 25 Jan 2018, last revised 2 Feb 2020

Contact author: yonatan sompolinsky at mail huji ac il, shaiw at daglabs com

Available format(s): PDF | BibTeX Citation

Version: 20200202:095456 (All versions of this report)

Short URL: ia.cr/2018/104


[ Cryptology ePrint archive ]