Plasma

Plasma is a framework for the design of child chains. Konstantopoulos describes a Plasma child chain as a “non-custodial sidechain.” This definition dictates that: 1) the side chain can’t steal your funds and 2) the side chain can’t prevent you from claiming your funds. This is accomplished by the use of a trustless (or, almost trustless, as we shall see soon!) two-way peg. A more precise definition of a child chain is: a “trustless side chain borrowing security from its parent chain through periodic commitments.”

The two-way peg has been the single biggest challenge in designing side chains with minimal trust assumptions. The forward peg (parent chain → side chain) is trivial to implement: simply lock funds into a contract on the parent chain. The backward peg (side chain → parent chain), however, is the root cause of the problems, as the side chain is “easier” to attack/manipulate than the parent chain. Several methods have been proposed to resolve this (list non-exhaustive):

Only support a one-way peg. This prevents anyone on the side chain from being malicious and stealing funds on the parent chain. This design is currently being suggested for the beacon chain in Ethereum 2.0, whereby ETH is burned on the parent chain (the PoW Ethereum chain) and simultaneously minted on the side chain (the PoS beacon chain) as BETH, with no way of doing the reverse. Use a federated peg. In this scheme, one or usually more operators control the backward peg process through a multisignature scheme. In other words, the operators decide when funds can be unlocked on the parent chain. Unfortunately, this scheme results in the side chain effectively being custodial, federated side chains are for all intents and purposes isomorphic to centralized exchanges. Enter: Plasma (the topic of half of this post)! Plasma allows for an almost trustless two-way peg, specifically the reverse peg of assets from the child chain back to the parent chain. It accomplishes this through the use of an exit game, which makes use of fraud proofs implicitly or explicitly, relying on variations of challenges that must be issued within a given timeout.

Note that contrary to popular belief, Plasma on its own does not enable low-latency transactions, only increased throughput through optimistic commitments of many transactions as a single hash on the Ethereum chain. Indeed, the latency of child-chain transactions can be considered higher than those of the parent chain without any channel-like features to reduce this.

Caveats

As with all layer-2 schemes that rely on fraud proofs rather than validity proofs, there is a trust assumption on an honest majority of block producers on the parent chain. A majority of miners (in a PoW chain) can censor transactions: in the case of fraud proofs, if challenges are censored, then funds can be stolen. This is why Plasma isn’t completely trustless or completely non-custodial, and indeed this is a fundamental caveat of the child chain design.

The State of Plasma

Continuing on from this previous post on the state of Plasma as of September 2018, let’s see how Plasma has advanced in the past 6 months.

Plasma Cash (March 2018) is a variant of Plasma that uses a non-fungible, channel-like data model, as opposed to Plasma MVP (January 2018), which uses a fungible UTXO data model similar to Bitcoin. Unlike payment channel networks, Plasma Cash allows users to join the network to send and receive coins without making an on-chain transaction. Unfortunately, also unlike payment channel networks, this is accomplished by requiring an ever-growing coin history to be passed around when a coin is transacted, and to be kept as a proof of coin ownership. This history grows linearly with the number of Plasma chain blocks.

Plasma Prime (October 2018) was the next major milestone in Plasma research. It uses RSA accumulators for Plasma Cash coin history compression, first proposed to be used in a blockchain context for UTXO batching on Bitcoin. An in-depth explainer of RSA accumulators has been graciously written by Konstantopoulos here, and a technical talk by Bünz here. At a high level, accumulators are a fixed-size integer that can prove membership or non-membership of set elements identified by unique prime numbers, and on which we can perform addition and removal operations. This serves to make the previously-linear coin history in Plasma Cash fixed size, regardless of the number of Plasma blocks!

Plasma Group, publicly announced in January 2019, is a new non-profit group that is doing fundamental research and development of Plasma. They began by releasing a specification for a Plasma Cashflow chain. This resolves the issue of coin fragmentation found in Plasma Cash, but does not resolve the coin history size problem. Most recently, they released a design for general-purpose Plasma using predicates. The gist of this “plapp” design is that a singular Plasma chain can execute state transitions from contracts deployed on the parent Ethereum chain. This means developers no longer need to spin up their own Plasma network (including writing complex p2p clients, etc.) to make use of Plasma’s scaling benefits, but can instead simply deploy a predicate contract onto Ethereum.

Loom Network has been using a Plasma Cash chain operated using Delegated Proof-of-Stake called PlasmaChain (note that contrary to the title of the article, staking is only used to provide operator liveness, not secure the network). This doesn’t provide any novel research contributions, but does show how an early iteration Plasma can be leveraged for small real-world applications.

OmiseGO released an alpha of their Plasma MoreVP implementation, dubbed Ari, on Rinkeby. Hoard used this network to demonstrate a game at ETHDenver called PlasmaDog.

Future Work

The mass exit problem for MVP-style child chains has resulted in research in that direction grinding to a halt. At a high level, MVP-style Plasma chains rely on users full validating the Plasma chain and exiting when an invalid block is produced by the operator, or the operator withholds a block. Exits are performed on the parent chain (Ethereum) and the currently-best devised exit schemes are linear in the number of exits. Under adversarial conditions, the safe cumulative throughput of all Plasma MVP-style chains running on Ethereum is upper bounded by the exit throughput of the Ethereum chain itself. As a result of this problem, the majority of Plasma research has shifted towards Plasma Cash and its derivatives.

For Plasma Cash variants, major work has been done on reducing the asymptotic growth of the coin history. Using RSA accumulators, as in Plasma Prime, is not without drawbacks: 1) RSA accumulators require a trusted setup — how decentralized trusted setups are is a point of contention across the cryptocurrency space , and 2) compact and efficiently-verifiable proofs using RSA accumulators is still the subject of ongoing research.

Me: “Did you implement an RSA accumulator in 10 lines of code?” dev:

See Also (non-exhaustive)