Cryptology ePrint Archive: Report 2021/628

The Availability-Accountability Dilemma and its Resolution via Accountability Gadgets

Joachim Neu and Ertem Nusret Tas and David Tse

Abstract: Byzantine fault tolerant (BFT) consensus protocols are traditionally developed to support reliable distributed computing. For applications where the protocol participants are economic agents, recent works highlighted the importance of accountability: the ability to identify participants who provably violate the protocol. We propose to evaluate the security of an accountable protocol in terms of its liveness resilience, the minimum number of Byzantine nodes when liveness is violated, and its accountable safety resilience, the minimum number of accountable Byzantine nodes when safety is violated. We characterize the optimal tradeoffs between these two resiliences in different network environments, and identify an availability-accountability dilemma: in an environment with dynamic participation, no protocol can simultaneously be accountably-safe and live. We provide a resolution to this dilemma by constructing an optimally-resilient accountability gadget to checkpoint a longest chain protocol, such that the full ledger is live under dynamic participation and the checkpointed prefix ledger is accountable. Our accountability gadget construction is black-box and can use any BFT protocol which is accountable under static participation. Using HotStuff as the black box, we implemented our construction as a protocol for the Ethereum 2.0 beacon chain, and our Internet-scale experiments with more than 4000 nodes show that the protocol can achieve the required scalability and has better latency than the current solution Gasper, while having the advantage of being provably secure. To contrast, we demonstrate a new attack on Gasper.

Category / Keywords: cryptographic protocols / blockchain, consensus

Date: received 12 May 2021

Contact author: jneu at stanford edu, nusret@stanford edu, dntse@stanford edu

Version: 20210517:063203

Short URL: ia.cr/2021/628
