Exclusive: Blockchain Trilemma Solved? Secrets Revealed by Turing Award Winner's Algorand
Blockchain trilemma was initially expressed by Vitalik Buterin, founder of Ethereum, which is claimed to be unfeasible in achieving scalability, decentralization, and security simultaneously in a blockchain.
There are numerous blockchain project teams attempting to address the blockchain trilemma, and the Turing Award-winning team Algorand is one promising candidate. We have the pleasure to speak with Jing Chen, Chief Scientist of Algorand, on how Algorand attempts to solve the blockchain trilemma with its Byzantine agreement. She also explains why Algorand is non-forkable and the restrictions on Algorand’s adversary model!
1. Blockchain trilemma has been a headache for project teams in the public blockchain. How Algorand can solve the blockchain trilemma?
The alleged “trilemma” says that among three important properties - decentralization, scalability and security, a public blockchain can hope to achieve just two of them, at most. This is not a mathematically-proven impossibility. Rather, it is used to emphasize the difficulty of achieving all three simultaneously. We believe it’s important for a public chain to achieve all three, and the Algorand blockchain does just that.
Decentralization is made possible by Algorand’s permissionless, pure proof-of-stake consensus protocol. A user does not need permission to join the system or participate in the consensus, so no central control is present at the entry phase. A participating user’s voting power in the consensus protocol is directly proportional to their number of tokens, and having multiple users accumulate their tokens to one account does not increase their joint voting power at all. This eliminates the need to form “mining pools”. Moreover, the cost for a user to run a node in the system is very low, and a user doesn’t need specialized hardware in order to participate. This makes the system friendly to “small” users and helps with decentralization.
The key to scalability lies in Algorand’s Byzantine agreement. Its safety does not rely on preset lower-bounds on how fast blocks should be generated (e.g., 10 minutes, 5 minutes, etc). Blocks can be generated as fast as messages can be propagated in the network. In typical cases, only one voting step is needed before a block can be certified, and it only takes a few seconds to generate a block. No computational resources are wasted solving cryptographic puzzles, making the system cost-efficient. For every block, only a small committee is selected to vote, and the size of the committee stays almost unchanged as the number of users and nodes grow in the system, making the system scalable to any number of users. What’s more, Algorand’s novel cryptographic self-selection technique ensures that no direct communication is needed among the selected committee members themselves, reducing the system’s communication cost and making it scalable to global crossing-continent networks. Cryptographic self-selection is also a key technology for the security of Algorand’s blockchain, as discussed below.
Indeed, Algorand’s Byzantine agreement is designed based on first principles rather than heuristics, and its security is proved via rigorous mathematical analysis. Cryptographic self-selection ensures that no one knows who is selected to vote for a block until after a selected user sends out his voting message. Thus an attacker doesn’t know who to target beforehand. After seeing a user’s voting message, an attacker realizes that this user is selected. However, even if the attacker can corrupt this user at this point, it’s too late because their voting message is already propagated to the network. The voting committee is re-selected every step, and corrupting selected users doesn’t make the attacker better off in the future than corrupting un-selected users.
Moreover, forward security (also referred to as forwarding secrecy) is important in a system that lasts for a long time and generates blocks continuously one after another. An attacker may try to corrupt users who were in charge of voting for an earlier block, “go back in time” and have these users generate a different block in that same round, thus creating a fork. Ephemeral keys are used in Algorand blockchain against such attacks and ensure forward security. Each voting message in the protocol is signed using a voting key that is deleted after its job is done, thus the name “ephemeral”. With this method, even in the future, if an attacker manages to corrupt all users that were in the system in an earlier round, they do not have their voting keys to generate any block that is different from the existing ones.
It’s worth pointing out that, achieving security without requiring liveness is trivial and meaningless ---users simply do not generate any blocks and the system is perfectly secure. The Algorand blockchain achieves both security and liveness against a very powerful adversary. We’ll get to the adversary model in a later question.
2. It is said that Algorand’s blockchain is non-forkable. Can you elaborate on how it happens?
In Algorand’s consensus protocol, when selecting committee members for generating a block in a given round, the selection rules and parameters are designed in such a way that, if one block has accumulated enough votes from committee members, then no other block for the same round will accumulate enough votes. This is true even when the attacker was the one who proposed the blocks, even when the attacker managed to partition the network ---splitting users into several disconnected groups and fully controlling the communication among them. In such cases, after a block has been generated (that is, gotten enough votes from proper committee members), honest users may not immediately realize this fact. However, the messages that they have seen tell them that this particular block “may have” gotten enough votes and that they should not vote on any other block. Therefore, no two blocks from the same round will both accumulate enough votes. This holds true even when the network is partitioned for an indefinite amount of time and no one knows when it will be resolved. Nonetheless, Algorand’s blockchain doesn’t fork and users’ balances remain secure.
Again, both safety and liveness are needed for a blockchain. Algorand’s Byzantine agreement not only doesn’t fork, it also guarantees liveness when the network is not partitioned and recovers liveness after a network partition is resolved.
3. What are the restrictions on Algorand’s adversary model?
The Algorand blockchain is secure against a very powerful adversary, who can corrupt any specific user they choose, fully control the behavior of that corrupted user, and perfectly coordinate the behavior of all corrupted users. For example, malicious behavior includes but is not limited to - signing contradicting voting messages, double-spending, sending their messages only to specific users at specific times, inaction, etc. It is required that an adversary does not control more than 1/3 of the total stakes participating in the consensus protocol.
4. In Algorand, bad actors will not be punished as there is math to show that wrongdoing is not costly to the system. Can you elaborate on the math?
As mentioned earlier, Algorand’s consensus protocol is secure against an adversary who controls no more than 1/3 of the total stakes. The core techniques have been discussed in earlier questions (e.g., #1 and #2).
5. Transaction per second (TPS) is often used to measure the scalability of the public blockchain. What are the technological breakthroughs for Algorand to achieve high TPS?
Algorand’s scalability is made possible by a combination of cryptographic techniques and its efficient Byzantine agreement. See #1 for more details.
Part 2 of the interview is coming up, stay tuned!