Disclaimer: I wrote a DFINITY consensus protocol implementation and a Decentralized Exchange (DEX) on top of it. This article is the first part of its white paper. The second part is DEX specific. Please check the white paper if you are interested as well.

Why DFINITY Consensus Protocol

Fast block time and quick time to finalization are crucial for the exchange's user experience. Binance's "block time" and "time to finalization" are instant, the result of sound engineering and a centralized service. How can a decentralized exchange match the high expectations set by centralized exchanges?

The slow block time comes from having too many block producers: the block time cannot be reduced very far, or there will be too many forks. A simple solution is to delegate the block-producing right to a small group that collectively runs a Byzantine fault tolerance (BFT) algorithm to reach consensus. Having selected nodes with special powers introduces centralization risk, exacerbated by the fact that BFT algorithms are interactive, so the group size cannot be too big. DFINITY has a fast block time (1s in their private testnet) without these centralization risks.

Finalization in proof-of-work systems such as Bitcoin is likelihood-based: there is always a small probability of reorganization, however deep the block is buried. In the DFINITY consensus protocol, a transaction is finalized after three confirmations under normal operation. Normal operation is a likely event that happens when only one notarized block is produced in the round.

High-Level Overview

Block Proposal and Block Notarization

In DFINITY, every registered node can participate in producing blocks. But in each round only a subset of the nodes produces blocks, which dramatically alleviates the high block time problem. Additionally, a notarization concept is introduced. Only notarized blocks can be built upon, and only blocks published in a timely manner can be notarized. This means that if a node has received a proposed block but has not received the block's notarization after a period, it knows for sure that the block proposal's chain is dead, since without notarization it can no longer be built upon. A consensus point is reached when there is only a single live chain or chain prefix.

The notarization process may look similar to a consensus process, but consensus is reached if precisely one notarized block is produced. Producing multiple notarized blocks is intentionally tolerated, so consensus can be reached over time rather than everyone having to reach consensus before moving on. This is why DFINITY can be so fast.

Random Beacon

The random beacon is another core innovation. It generates one random value in each round, which selects the active random beacon generation group, the block proposing group and the notarization group for that round. The random value is derived from the group signature of the last round's random beacon generation group.

This is possible because the BLS threshold signature scheme is used. The t-of-n BLS threshold signature is unique, meaning that whichever t of the n signature shares are used to recover the group signature, the recovered signature will always be the same. Generating the random number with a threshold signature means that unless the majority of the group colludes, no one can know the random number beforehand, and no one can forfeit the protocol upon learning that the outcome is not in their favor.

As mathematically proven in the paper, 400 is a group size that provides a very high level of safety confidence. The BLS threshold signature is viable because it is non-interactive: no multiple rounds of communication are required. Every member broadcasts its signature share, and anyone with the threshold number of signature shares can recover the group signature.
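The uniqueness property and the beacon-driven group selection described above, as an added example that is not from this article or the author's implementation. It assumes a toy group (the squares modulo a small safe prime) in place of a BLS pairing group, so shares cannot be publicly verified here, a trusted dealer in place of DKG, and a hash-based selection rule in `select_groups` that is hypothetical rather than DFINITY's.

```python
import hashlib
import secrets

# Constructed toy parameters: P = 2Q + 1 is a safe prime, so the squares
# mod P form a group of prime order Q. Real BLS uses a pairing-friendly curve.
P, Q = 2879, 1439

def hash_to_group(msg: bytes) -> int:
    x = 2 + int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 3)
    return pow(x, 2, P)  # a square other than 0 or 1, so its order is Q

def deal_shares(t: int, n: int):
    """Trusted-dealer stand-in for DKG: Shamir-share a secret over Z_Q."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    return coeffs[0], shares

def sign_share(share: int, msg: bytes) -> int:
    return pow(hash_to_group(msg), share, P)

def recover(sig_shares: dict) -> int:
    """Combine t signature shares by Lagrange interpolation in the exponent."""
    sig = 1
    for i, s in sig_shares.items():
        lam = 1  # Lagrange coefficient of share i, evaluated at x = 0
        for j in sig_shares:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        sig = sig * pow(s, lam, P) % P
    return sig

def beacon_value(group_sig: int) -> bytes:
    return hashlib.sha256(group_sig.to_bytes(2, "big")).digest()

def select_groups(rand: bytes, num_groups: int) -> dict:
    """Hypothetical rule: hash the round's random value once per role."""
    return {role: int.from_bytes(hashlib.sha256(rand + role.encode()).digest(),
                                 "big") % num_groups
            for role in ("beacon", "proposer", "notary")}

def demo(t: int = 4, n: int = 7):
    secret, shares = deal_shares(t, n)
    msg = b"round-42|previous-beacon-value"  # constructed round message
    sigs = {i: sign_share(s, msg) for i, s in shares.items()}
    ids = sorted(sigs)
    first = recover({i: sigs[i] for i in ids[:t]})   # shares 1..t
    last = recover({i: sigs[i] for i in ids[-t:]})   # a different t shares
    return first, last, pow(hash_to_group(msg), secret, P)
```

Both subsets recover the signature that the undivided group secret would have produced, which is why every node derives the same random value no matter whose shares reach it first.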

Open Participation

The consensus protocol uses a permissioned participation model. Anyone can acquire the permission with the chosen kind of Sybil resistance method. I think it’s most suitable to use the proof of frozen fund as the Sybil resistance method for the decentralized exchange.

Any node can register itself on the blockchain with the proof of frozen fund. But the consensus protocol runs with groups, so as a safety requirement new groups should be able to form. The group public key identifies a group. There is no group secret key. Instead, each group member owns a group secret key share. A Distributed Key Generation (DKG) protocol can be used to generate the group public key and the secret shares without revealing any secret key share. I have implemented a DKG proof of concept in a separate repo.

Other Advantages

There are more advantages that are especially well suited to an exchange, such as:

Prefer consistency over availability: if the optic fibers between America and Asia are cut off, the exchange pauses rather than splitting into two exchanges.

More predictable block time than PoW systems: the next block does not come from random guessing.

Eliminates selfish mining and nothing-at-stake attacks: blocks cannot be withheld, since only timely published blocks can be notarized and built upon.

I hope you are now as interested in this consensus protocol as I am. For details, please refer to the DFINITY consensus paper.