The Consensus Layer stands at the heart of the DFINITY Internet Computer. It creates a secure source of decentralized randomness that selects the participants of the network to agree on the order of the incoming transactions. The Consensus Layer applies an optimistic protocol that achieves fast finality in the order of seconds and remains secure even in the presence of malicious parties. Having established a finalized order, the transactions can be executed by the DFINITY Hypervisor and the Instructions set layer (Wasm).
The user base of the DFINITY Internet Computer will be diverse and encompass application developers, miners (full-node operators), end-users, and other players in an open participation model.
Building the backbone of the consensus layer, the miners contribute to the network in multiple ways, by creating and notarizing blocks, taking part in randomness generation and relaying consensus-relevant artifacts to their peers.
In contrast to Proof of Work blockchains like Bitcoin, the prospective miners first have to register and obtain a mining identity from the system. Registration is done by a special transaction and requires a stake deposit.
The participant has to lock up a certain amount of DFN tokens which gets paid back at the end of the lock-up period. An identity confers the right and obligation to perform the tasks required by the consensus layer. Mining is incentivized by rewards and in case of non- or underperformance the system applies penalties. While the rewards are funded by transaction fees and the emission of new DFN tokens, penalties are levied on the miner’s stake deposit. The mining identities can be best described as a Proof of Stake at Work, where miners are only doing work that is useful to the network and no “wasteful” computations.
In principle, every mining identity is backed by a fixed amount of stake and has the same power in the consensus algorithm. Miners will thus participate in the system with a different number of identities and have a different overall impact.
For security reasons, a registered identity is not activated immediately, but only after two epochs. While active mining identities can act as block makers without further ado, they have to become part of (threshold) groups to participate in the Random Beacon and block notarization. In the first round of each epoch, the Random Beacon draws multiple sets of 400 members from the entire population of all active mining identities, which then have to perform a Distributed Key Generation (DKG) setup protocol to form groups. At the end of a successful DKG, every participant obtains an individual secret key share. Furthermore, a common group public key is established and registered on the blockchain.
Similar to mining identities, groups become active after two epochs upon registration of the group public key. They expire automatically after a fixed number of epochs. A mining identity will typically be present in multiple different groups throughout its lifetime.
The first block of every epoch is a Key Frame Block (KFB) that contains a summary of all new registrations and de-registrations of groups and mining identities of the previous epoch. By downloading the KFBs, light clients can check the signatures in the block headers against the group public keys from the KFBs without needing access to all blocks.
Each group in DFINITY is composed of 400 members. This group size was chosen to guarantee with a very high probability that more than ½ of its members will honestly follow the protocol, assuming that at least ⅔ of all mining identities are honest. Due to the statistical variance of random sampling, the security assumption for the entire population must be stronger than the required fraction for the sampled groups. As long as the ⅔ honesty assumption holds, the probability of group failures caused by a dishonest majority can be considered as negligible.
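The group-size argument can be checked numerically. The following is an added example, not part of the original article or of DFINITY's code: it computes the probability that a sampled 400-member group lacks an honest majority, both for a very large population (binomial) and for a finite one (hypergeometric). The function names and the population of 9,000 identities are assumptions chosen for illustration.

```python
from fractions import Fraction
from math import comb

GROUP_SIZE = 400  # group size stated in the text


def bad_threshold(n: int) -> int:
    """Fewest dishonest members that leave the group without 'more than 1/2' honest."""
    return n - n // 2


def p_fail_binomial(dishonest: Fraction, n: int = GROUP_SIZE) -> float:
    """Failure probability when sampling from an effectively infinite population."""
    tail = sum(comb(n, k) * dishonest**k * (1 - dishonest) ** (n - k)
               for k in range(bad_threshold(n), n + 1))
    return float(tail)


def p_fail_hypergeometric(population: int, n_dishonest: int, n: int = GROUP_SIZE) -> float:
    """Failure probability when drawing n members without replacement."""
    ways = sum(comb(n_dishonest, k) * comb(population - n_dishonest, n - k)
               for k in range(bad_threshold(n), n + 1))
    return float(Fraction(ways, comb(population, n)))


if __name__ == "__main__":
    third = Fraction(1, 3)
    print("1/3 dishonest, large population :", p_fail_binomial(third))
    print("1/3 dishonest, 9000 identities  :", p_fail_hypergeometric(9000, 3000))
    # Sampling variance: a population that is only 55% honest is not enough.
    print("45% dishonest, large population :", p_fail_binomial(Fraction(9, 20)))
    # Smaller groups fail far more often under the same 2/3 assumption.
    print("1/3 dishonest, group of 100     :", p_fail_binomial(third, n=100))
```

The gap between the 1/3 and 45% cases is the statistical variance the paragraph refers to: the population-wide assumption has to leave a margin over the ½ required inside each group.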
As opposed to Bitcoin or Ethereum (in its current version) where Proof of Work is used to randomly select the miner of the next block in proportion to its relative hashing power, systems based on Proof of Stake have to leverage a different source of randomness. This randomness must be unmanipulable and unpredictable in order to guarantee the fairness of the system. No single party should be able to influence the random number generator at will or predict its outcome ahead of time.
Deterministic, Unmanipulable, Unpredictable, Verifiable randomness
To provide these crucial guarantees, DFINITY is using a Random Beacon that is produced jointly by the members of registered groups and acts as an unbiasable, verifiable random function (VRF). Since VRFs are usually computationally expensive to set up, the groups that have performed a DKG are reused and can participate in the Random Beacon algorithm multiple times.
The Random Beacon is a simple chain of random numbers (32 Bytes) where each number is the selected group’s BLS threshold signature of the preceding number. The Random Beacon chain does not carry any other payload or data.
ξ_r: Random Beacon output for round r
G_r: Selected threshold group for round r
A k out of n threshold signature is a scheme which allows any subset of k parties of a group with n members to create a cryptographic signature on an arbitrary piece of data. The joint signature is then valid under the public key corresponding to the group.
The BLS signature scheme used in the Random Beacon is the only practical scheme that offers all properties that are crucial to create randomness in an efficient and unbiasable way. Firstly, it provides a DKG protocol for setting up threshold groups (group public key and private key shares) without the help of a trusted party. Secondly, it provides the properties of uniqueness and non-interactivity. While “uniqueness” means that the group’s signature is always identical, no matter which subset of k members contributes to it, “non-interactivity” allows anyone that collects k signature shares to aggregate them into one, unique signature. A threshold group signature can thus be created in a single round of one-way communication.
As every signature share created by a member can be verified against the group public key, invalid signatures can be sorted out from aggregation. The latest output of the Random Beacon randomly selects from the list of active groups a group that becomes the committee responsible to create the next number by threshold-signing the current output.
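The uniqueness property and the beacon chain described above, as an added example that is not DFINITY's code. Assumptions: a toy discrete-log group (P = 2039) stands in for the pairing-based BLS group, a trusted dealer stands in for the DKG, share verification is omitted, the aggregated signature is hashed to obtain the 32-byte output, and the committee is chosen by reducing the previous output modulo the number of groups.

```python
import hashlib
import secrets
from itertools import combinations

# Toy parameters (constructed): safe prime P = 2Q + 1. Real BLS works in a
# pairing-friendly elliptic-curve group, which also makes shares verifiable.
P, Q = 2039, 1019

def hash_to_group(msg: bytes) -> int:
    """Map msg to a non-identity element of the order-Q subgroup of Z_P^*."""
    x = int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 3) + 2
    return pow(x, 2, P)

def deal_shares(n: int, k: int) -> dict:
    """Trusted-dealer stand-in for the DKG: Shamir shares f(1..n), deg f = k-1."""
    coeffs = [secrets.randbelow(Q - 1) + 1 for _ in range(k)]
    return {i: sum(c * pow(i, e, Q) for e, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def sign_share(share: int, msg: bytes) -> int:
    return pow(hash_to_group(msg), share, P)

def aggregate(sig_shares: dict) -> int:
    """Combine k signature shares by Lagrange interpolation in the exponent."""
    sig = 1
    for i, s_i in sig_shares.items():
        lam = 1
        for j in sig_shares:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        sig = sig * pow(s_i, lam, P) % P
    return sig

def distinct_signatures(group: dict, k: int, msg: bytes) -> set:
    """Aggregate over every k-subset; uniqueness means exactly one value."""
    return {aggregate({i: sign_share(group[i], msg) for i in ids})
            for ids in combinations(group, k)}

def beacon_chain(genesis: bytes, groups: list, k: int, rounds: int, choose) -> list:
    """xi_r = H(threshold signature of G_r on xi_{r-1}); xi_{r-1} selects G_r."""
    xi, chain = genesis, []
    for _ in range(rounds):
        group = groups[int.from_bytes(xi, "big") % len(groups)]
        signers = choose(sorted(group), k)          # which k members respond
        sig = aggregate({i: sign_share(group[i], xi) for i in signers})
        xi = hashlib.sha256(sig.to_bytes(2, "big")).digest()  # 32-byte output
        chain.append(xi)
    return chain
```

Because every k-subset yields the same signature, the members who happen to respond first cannot steer the next output or the next committee.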
The blockchain is a chain of blocks where each block contains a hash reference to the previous block.
Blocks carry payloads (transaction data) and they can be identified by their height, i.e. their position in the blockchain. The system evolves in rounds such that overall there is a one-to-one correspondence between round number and the height of a block. However, the mining identities individually advance to the next round based on events, which due to network asynchrony will not be in sync across all identities.
For each height, the mining identities are ranked in a random order that is derived deterministically from the output of the Random Beacon for that height. A weight is then assigned to block proposals based on the mining identity’s rank such that blocks from clients at the top of the list receive a higher weight. This is called the Probabilistic Slot Protocol (PSP).
Block proposers give favor to the “heaviest” chain in terms of accumulated block weight, and try to build their blocks on top of the heaviest valid chain. Only notarized blocks can be built upon (see below “Notarization Layer”). Blocks referencing an unnotarized block are thus invalid.
Together with block notarization, the ranking provided by PSP allows for a constant block time and prevents race conditions between the miners.
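A sketch of the ranking and heaviest-chain rule, added here as an example and not taken from the original article or DFINITY's implementation. Assumptions: ranks come from sorting SHA-256(beacon output ‖ identity), the weight function halves with each rank step (the text only says higher-ranked proposers weigh more), and the block records and identity names are constructed sample data.

```python
import hashlib
from fractions import Fraction

def rank_identities(xi: bytes, identities) -> dict:
    """Rank (0 = best) per identity: a permutation fixed by the beacon output xi."""
    order = sorted(identities, key=lambda m: hashlib.sha256(xi + m.encode()).digest())
    return {m: rank for rank, m in enumerate(order)}

def block_weight(rank: int) -> Fraction:
    """Assumed weight function: halves with every rank step."""
    return Fraction(1, 2 ** rank)

def heaviest_tip(blocks: dict, beacon: dict, identities):
    """Return (block id, weight) of the heaviest chain built only from notarized blocks.

    blocks: id -> {parent, height, proposer, notarized}; parent None means genesis.
    beacon: height -> Random Beacon output for that round.
    """
    memo = {}

    def chain_weight(bid):
        if bid is None:
            return Fraction(0)
        if bid not in memo:
            b = blocks[bid]
            below = chain_weight(b["parent"])
            if not b["notarized"] or below is None:
                memo[bid] = None  # unnotarized, or built on an invalid chain
            else:
                rank = rank_identities(beacon[b["height"]], identities)[b["proposer"]]
                memo[bid] = below + block_weight(rank)
        return memo[bid]

    weights = {bid: chain_weight(bid) for bid in blocks}
    return max(((b, w) for b, w in weights.items() if w is not None),
               key=lambda item: item[1])

# Constructed sample: two proposals at height 1; b2x references the unnotarized one.
IDS = ["A", "B", "C", "D"]
BEACON = {1: b"xi-1", 2: b"xi-2"}
BLOCKS = {
    "b1":  dict(parent=None,  height=1, proposer="A", notarized=True),
    "b1x": dict(parent=None,  height=1, proposer="B", notarized=False),
    "b2":  dict(parent="b1",  height=2, proposer="C", notarized=True),
    "b2x": dict(parent="b1x", height=2, proposer="D", notarized=True),
}
```

In the sample, `b2x` is never selected regardless of its proposer's rank, because its parent was not notarized.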
Traditional blockchains typically only offer probabilistic transaction finality. With every confirmation by a subsequent block appended to the chain, the likelihood of a transaction being reverted decreases statistically, without ever reaching 0.
DFINITY, on the other hand, provides deterministic transaction finality as a system-wide consensus that a given transaction has been irreversibly executed. Finality is rapidly achieved within 3-5 seconds by a novel technique of block notarization.
A notarization is a threshold signature under a block created jointly by a group of mining identities, similarly to the Random Beacon signatures. Only notarized blocks can be included in a chain, while blocks that remain unnotarized (forks) quickly die out.
It is important to emphasize that notarization does not imply finality because it is possible for more than one block to get notarized at a given height. This is explicitly tolerated and an important difference to other Proof of Stake proposals that apply full Byzantine agreement at every block. Notarization can be seen as optimistic consensus because it will frequently be the case that only one block gets notarized. In such situations, a transaction is final after two notarized confirmations (including the block that contains the transaction) plus a network traversal time. See Theorem 9.20 in our white paper.
A mining identity enters a new round when it receives a valid block notarization, i.e. an aggregated threshold signature under a block. Immediately after starting the round, the members of the current committee (selected by the Random Beacon) create and send their Random Beacon shares to everyone. Once a mining identity has collected enough valid shares, it builds the threshold signature and broadcasts it to the network. The new beacon output defines the ranked list of block proposers and the respective weights of their blocks according to the PSP (see “Blockchain layer”). It also selects a new committee that will be responsible for the next round.
To achieve near-instant finality, the mining identities and groups run a protocol called “Threshold relay”.
Blocks can be created immediately after reception of the beacon output. On the other hand, the members of the committee wait a period called BlockTime after entering the round, before they proceed to threshold-sign the block with the highest weight. During that waiting period, each (honest) committee member collects all block proposals for the current round and eventually creates a signature share on the heaviest block according to its own individual view. The members keep threshold-signing incoming blocks with larger weights even after the expiration of BlockTime as long as they have not received a valid notarization on any block of the round. Once that happens, the committee terminates its operation and goes to sleep until it gets selected by the Random Beacon again.
A committee thus has two consecutive tasks: it first collectively signs the current randomness right after entering the round and, after waiting BlockTime, also signs (notarizes) the heaviest block. Since activity is relayed from one group to the next, we call the mechanism “threshold relay”.
Mining identities broadcast valid block proposals, notary and random beacon signatures, as well as signature shares according to a relay policy set forth in Definition 9.4 of our white paper.
The blockchain and the Random Beacon chain progress in lockstep, which means that the protocol alternates between extending the blockchain and extending the random beacon chain.