Simple and easy to understand the solution of blockchain expansion

Original title: "Easy to understand the solution of blockchain expansion"

Original author: Chasey, Buidler DAO Researcher

Every blockchain faces an impossible triangle of decentralization, security and scalability. Among them, decentralization is the biggest advantage of blockchain technology, which needs priority protection; And if you want to build a long-term, sustainable ecology, security is also an extreme element. This has caused the current public chain general low scalability of the status quo.

How to improve the throughput = capacity expansion of blockchain on the premise of balancing decentralization and security is an urgent problem to be solved. In recent years, ETH2.0, as the expansion vision of Ethereum, is still receiving much attention and expectation around the world even after many hops. It can also be seen that capacity expansion has become the group demand of public chain users, and throughput is also one of the indispensable indicators in the analysis and valuation of a block chain. This paper aims to provide a portrait of the entire current blockchain expansion scheme, to help readers understand the basic concept of the expansion scheme more clearly.

Why do you need to expand Capacity?

Before we begin to discuss specific expansion plans, let's first review the role and necessity of expansion.

The nodes on the blockchain are divided into full nodes and light nodes. In order to ensure the integrity and security of transaction data, the whole node needs to store the transaction data of the whole blockchain; Light nodes, on the other hand, only need to store Block headers and verify the transaction by requesting the corresponding Body from all nodes. The more nodes there are, the more decentralized the chain will be, and the more work needs to be processed to reach a consensus, which will have a greater negative impact on throughput. In addition, Bitcoin has a block size cap of 1MB, while Ethereum has a block size cap of around 130KB due to Gas Limit.

Photo source: Blockchair

Because block sizes are limited, miners can't bundle all transactions into the same block, so they prefer to sort transactions by expected revenue (Gas Price) and selectively package them from highest to lowest Price to ensure the highest revenue. This results in long transaction delays with low Gas prices. As the chart below shows, there are about 170,000 transactions on Ethereum every minute waiting to be verified.

Photo source: Etherscan

Currently, bitcoin's throughput is as low as 7TPS (transmission-per-second), while ethereum's throughput is limited to 15 to 20TPS. For the sake of understanding, let's compare this to the throughput of traditional online transactions: PayPal's transaction processing speed is around 200TPS, while VISA's is around 1700TPS, which is quite different.

In addition, the increasing volume of transaction data puts pressure on the storage capacity needed to maintain the blockchain. Currently, the amount of bitcoin stored has exceeded 400GB, YOY 17.4%; Ethereum, on the other hand, is nearly 900GB with an average growth rate of 64.30%.

Photo source: Blockchair

As shown in the figure, the number of transactions occurring on Ethereum every day is more than 1,250,000, and with the gradual popularization of public chain ecology, this number will become larger and larger in the future, and the pressure of throughput is also increasing, so expansion is urgent.

Photo source: YChart

Now that we've read about the importance of capacity expansion, it's time to look at what you can do about it.

Classification of Capacity Expansion Schemes

The illustration below is Handbook of Research on Blockchain Technology (2020). In this paper, we will focus on the part of "Write Performance" in the figure, and explain the current capacity expansion schemes from the on-chain and off-chain perspectives.

Handbook of Research on Blockchain Technology (2020)

On-chain capacity expansion solution

The on-chain expansion scheme refers to the scheme that changes the original chain design to achieve the expansion effect. Blockchain technology can be divided into six layers: consensus layer, network layer, data layer, incentive layer, contract layer, application layer. Among them, the first three are the underlying foundation of blockchain, and also the target of on-chain expansion scheme operation.

1. Consensus layer = BFT; In the hearing; hybrid

Consensus mechanism refers to the process by which each node in the blockchain reaches a consensus on the availability of data and the consistency of the ledger state. Since the consensus mechanism completely determines the whole process from downloading data to packing out blocks, the efficiency of transaction verification depends heavily on the design of the consensus mechanism. The current mainstream consensus mechanism can be divided into BFT consensus, Satoshi Nakamoto consensus and mixed consensus.

BFT class consensus

When it comes to BFT computation, we need to talk about the old Byzantine general problem: The Byzantine Empire (the Eastern Roman Empire) was committed to expanding its territory. In one battle, they tried to send 10 separate armies to encircle the enemy. The enemy could resist up to 5 Byzantine armies. Since each army is positioned at a distance, generals of each army need to reach a consensus of action by sending signals to other armies to attack/retreat (including yourself, if 6 or more signals are received, attack; Otherwise, retreat).

The biggest problem the generals face is this: what if there is a traitor in one of the armies and he is deliberately sending the wrong signal? In blockchain, the problem is similar to: the individual nodes in the blockchain reach a consensus by sending information to other nodes, what if there is a traitor node (Byzantine node) in the network, sending the wrong information?

The most famous consensus of BFT is PBFT. Those who are interested in it can refer to the reference [17], which is very simple and easy to understand, so it will not be repeated here. With this kind of consensus, you need to ensure that each functioning node uses the same random number and block algorithm to calculate and generate blocks. When the original ledger is the same, the calculation result is the same, the generated ledger can not be tampered with, permanent public. Since each node needs to synchronize with all other nodes, when the number of nodes is small, the security can be guaranteed while achieving high throughput. As the number of nodes increases, the amount of data to be processed will increase accordingly, resulting in a significant decrease in the speed of processing transactions.

The Satoshi Consensus

The Nakamoto Consensus consists of Proof of Work and Proof of Stake interests. In this section we will explore the throughput performance of each consensus mechanism with DPoS, a variant of PoS.

PoW: Computing power determines the billing rights (and voting rights), and there is no need to set up a mechanism to authorize nodes. In terms of throughput, the biggest problem lies in the slow block production caused by high difficulty. And in order to ensure the consistency of the books, it is necessary to deliberately set up the packaging delay. The delay here refers to the fact that after the miner packs the block, he needs to do at least one more proof-of-work to confirm the candidate block.

PoS: hold the currency to obtain the bookkeeping right and voting right (separate). After packaging the candidate block, the packing node will broadcast it, and the voting node will vote on the candidate block to decide whether to add it to the blockchain. The majority voting system is adopted. Compared with PoW, PoS sacrifices some security due to the introduction of voting mechanism. On the throughput side, latency is extremely low due to fast packaging and no waiting time.

DPoS: Hold money to get voting rights, elect the board of directors and keep the books. At the expense of some decentralization, PoS has higher throughput than PoS.

Mixed consensus

As the name suggests, mixed consensus refers to consensus that combines the advantages of different consensus mechanisms. For example, PoW is used in the main chain to ensure security while PoS is used in the side chain to ensure throughput. Combining PoS and PBFT to reduce the number of nodes to a constant value, thus increasing throughput again, etc.

2. Data layer = block expansion; Reduced data; DAG

In addition to the consensus mechanism, the number of transactions that can be packaged in each block is also closely related to the throughput of the transactions. We can increase blockchain throughput by expanding the block capacity and shrinking the transaction data, or we can directly use the data structure of DAG to process transactions.

Relax/remove block size restrictions

Expanding block capacity allows more transactions to be packed into each block, but at the same time increases block broadcast time, increasing network latency and increasing the risk of hard forks.

Reduce the amount of data stored in a block

The best known of these schemes is Segwit isolation Witness, in which the signed part of the block information and the data used to calculate the transaction ID are managed separately, thereby reducing the transaction information by 60%. As an auxiliary scheme to alleviate the capacity problem, it is effective, but it cannot solve the essential problem.

DAG (Directed Acyclic Graph)

As shown in the figure below, the block chain adopts a chain structure, and its block header can only contain the hash value of one block. The block header of a DAG structure can contain the hash value of multiple blocks. New blocks in the blockchain are added to the end of the chain and cannot be continued from the middle of the chain; A DAG can be continued from a previous block.

Figure source: Russian Blogs

Blockchain is synchronous accounting, nodes need to record the same information at the same time; DAG is asynchronous accounting, and different nodes can record different information at the same time. Therefore, DAG can pack more transactions per unit time and TPS is extremely high. Dag-based protocols are currently available in SPECTRE and PHANTOM.

The SPECTRE protocol defends against attacks by voting

As shown in the figure below, when the contents recorded in block X and block Y are in conflict, the same information X as that recorded in block X will be recorded in blocks 6-8 after block X; Blocks 9 to 11 record the same information Y as block Y; Block 12 can be traced back to both blocks X and Y, so it will record the same result as the previous round of voting (inside the dotted line), which is X; Blocks 1-5 will vote according to the voting situation of the blocks with their block information recorded. Since there are many blocks with X recorded, blocks 1-5 will vote for block X. Since the malicious block is not associated with the honest block until the attack is initiated, with SPECTRE, conflicting transactions can be excluded as long as there are more honest nodes. The problem is that it only works for general transactions, and since there is no way to sort all transactions linearly by time, it is impossible to run a smart contract. The PHANTOM protocol solves this problem.

Source: An Overview of SPECTRE

The PHANTOM council will first select the honest blocks by vote and topologically rank the honest blocks

Before understanding the screening method, it is necessary to understand the bifurcation coefficient K = the number of bifurcations (for example, forking is not allowed in the blockchain, so k is 0) and the GHOSTDAG algorithm = to select the longest chain as the main chain and form a subset S by tracing the historical blocks, and the blocks in this set are all honest blocks by default. After that, for each block, it verifies whether the intersection of the unconnected block and subset S is less than or equal to k. If it is less than or equal to k, it is judged as an honest block and added to subset S.

Photo source: An Overview of PHANTOM

The following figure (k=3) illustrates for example: Suppose we now need to judge the authenticity of block I. The blocks derived from block I include blocks K, M, O, P, and R, and the blocks traceable through block I include blocks C, D, and the original block. At this time, the blocks unrelated to block I are blocks B, E, F, H, J, L, N, Q, S, T, U, among which the intersection with subset S is blocks B, F, J, which is equal to k, so block I is judged to be the honest block.

Source: PHANTOM: A Scalable BlockDAG Protocol

The sort uses topological sort: first the block without traceable block is taken as original block 0, then the block without traceable block is continued as block 1 among the blocks excluding block 0, and so on.

Photo source: Kappo's Blog

Currently used & NBSP; The DAG structure has a high degree of project centralization, so it will not be discussed in more depth here. For DAG interested family members can search DAGLabs for learning.

3. Network layer = Fragment

Sharding refers to the splitting of an account into parts that are managed by different groups of nodes. Through the implementation of state sharding, each node needs to process less transaction data, which can not only improve the transaction processing speed, but also relatively reduce the performance demand for nodes, so that the threshold to participate in mining is lowered and the degree of decentralization is strengthened.

If Sharding is Great, Demystifyingthe Technical Properties

Sharding 1.0

The original idea for state sharding is to add n=64 data fragment blobs to the beacon chain, with N verification nodes broadcasting their own data fragment blobs per epoch and the committee confirming the authenticity and availability of the data. The verified BLOBs are added to the execution chain. The mechanism of reassigning the verifier corresponding to each fragment chain after each epoch leads to the delay of data synchronization after the fragment chain switch.

In addition, there are four problems with this approach: there is no guarantee that every block on the beacon chain has written all the transaction data required by the shard; Cannot globally check all shards; Verifying nodes may result in liveness failure; Combined with PoS, as long as the money is enough and the control nodes are enough, it is easier to control the committee. This mechanism presents an opportunity for MEVs in the context of lower ETH issuance rates and centralized validation.

DankSharding

To circumvent the risks in Sharding1.0, DankSharding proposes two key points: all blobs will be added to the beacon block; Each committee member processes only a subset of the fragmented data, and all beacon data and fragmented data can be examined together.

Specifically, the core mechanism of Danksharding is divided into three parts:

Data availability sampling: The coders use RS codes for redundant transmission to reduce the verification pressure on nodes, while using KZG polynomial commitment to ensure correct coding. In addition, the RS code is extended by two bits by splitting the data block again and recombining the different data block fragments to reduce the threshold of full-node data reconstruction, so as to reduce the centralization degree.

Separation of blockers and packers: the whole node is divided into two roles: blockers and packers. The blockers with low configuration are responsible for decentralized selection of packers and get the bidding of packers, while packers with high configuration and performance obtain the billing right of packers through bidding, so as to solve the value allocation problem of MEV.

Anti-censorship List: The blocker specifies a list of legitimate transactions, and the packager verifies that he has seen the list and includes the transactions in the list in the package, thus preventing the packager from intentionally ignoring the legitimate transactions.

Proto-Danksharding/EIP-4844

DankSharding's mechanism is difficult to implement, and as a phased scheme, EIP-4844 appeared. In EIP-4844, a time-sensitive BLOb is introduced, which is similar to a portable hard disk. After being written to the main network, the blob only exists for a period of time and is then destroyed. In the design of the EIP-4844, the KZG polynomial commitment is also introduced to ensure forward compatibility in the subsequent DankSharding implementation.

Off-chain capacity expansion solution

Under chain expansion scheme, refers to the premise of not changing the original chain structure, through transactions outside the main network to reduce the processing pressure of the main network. There are mainly three types: state channel, off-chain computation, and multi-chain. For the convenience of understanding, side chains and sub-chains are all included in the multi-chain scheme.

State of the channel

State channel refers to the locking of a portion of a blockchain state (opening a channel) between certain participants, for example, through multiple signings. For state transitions occurring in the channel, the status is updated off-chain with the consent of all participants. Confirm the final status and broadcast to the main chain. Since only the final state needs to be broadcast, using state channels to deal with trivial mutual transactions can effectively reduce the number of transactions broadcast on the main chain and reduce the transaction delay. In addition, each participant can interact with other participants who do not have an open channel through the mediation: if there is a channel between Alice and Bob and a channel between Bob and Carol, Alice can interact with Carol through Bob without opening another channel. State channels have low transparency and typically apply only to frequent transactions that occur between specific participants.

Photo source: EthHub

2. Off-chain calculation

Off-chain computing is intended to increase on-chain throughput by moving off-chain functionality beyond validation. It mainly needs to ensure security and privacy. The specific operation modes can be divided into four types: verifiable off-chain computing, "enclave" off-chain computing, off-chain secure multi-party computing and incentive-driven off-chain computing.

Source: Blockchain-based Reputation Systems: Implementation Challenges and Mitigation

Verifiable under-chain calculations: ZK-snarks, Bulletproofs, Zk-Starks

The prover below the chain will chain the calculation results, and the verification by the prover on the chain.

"Enclave" type chain under calculation: Enigma, Ekiden

Create a Trusted Execution Environment (TEE) on a blockchain node and presuppose a data interface for computation. TEE acts as a black box, which can effectively protect data privacy and realize plaintext data operation at the same time, and improve computing efficiency.

Off-chain secure multi-party computation

The data is split and distributed to each node. The node calculates the state change according to the current state of the blockchain and the data obtained by each node, and then combines the calculated data of each node to obtain the complete calculated data. Nodes need to compute less data and are more efficient.

Excitation driven chain calculation

The solver calculates the transaction data and pledges the margin while announcing the results. The verifier checks the solver's result, and if an error is found, it can pledge the deposit and initiate on-chain arbitration, and the correct party will receive the commission fee paid by the user.

  3. Outer chain = side chain; Rollup

External chain refers to the creation of a new blockchain outside the main chain, and transfer a part of the transaction processing (such as calculation and storage) to the new blockchain by cross-chain execution, and broadcast the results to the main chain, so as to improve the processing efficiency of the main chain.

Side chain

Side chain is a blockchain that is completely independent of the main chain. It projects assets from the main chain to the side chain by locking + casting/destruction, and completes the whole process of transaction processing and storage on the side chain. The security of side chains depends entirely on their own nodes and consensus mechanisms. It can be divided into anchor side chain and federated side chain (adding multi-sign addresses between main chain and side chain for verifying transactions to reduce latency).

Photo source: EthHub

Rollup

The difference between Rollup and side chain is that it only processes transactions on the sub-chain and the data is still stored on the main network, so it can improve the transaction processing efficiency and enjoy the data security of the main network. Rollup can be divided into four types based on data availability and transaction validation:

Proof of fraud (detection of invalid transactions) + off-chain DA (security -, expansion effect +) = Plasma

Plasma needs to create a smart contract on the main chain with hash state transition rules written on the child chain to connect the main chain to the child chain (grandchild chain, great-grandchild chain...). Its expansion mechanism similar to state channels, main chain by reducing the need to processing and preservation of trade to improve throughput, but the outside of the main chain established between participants is not a specific channel, but a common consensus mechanism independently new blocks, chain, chain need to regularly submit to the intelligence on the main chain contract status updates, in 7 days pass question period (optimistic that In order to ensure transaction security), write the block state into the main chain.

It combines the advantages of state channel and side chain. In the state channel mode, if new participants need to be added, a new channel needs to be re-opened on the chain, while Plasma does not. The state channel requires the consent of all participants to synchronize the state to the backbone, while Plasma does not. The state channel only keeps the final state, and the state transition of Plasma is recorded completely on the sub-chain. The state transition on the side chain will directly affect the state on the main chain. Therefore, the security of its assets depends on the side chain itself, while Plasma does not, and its security depends on the main chain.

The main problems facing the Plasma mechanism are as follows: the sub-chain nodes need to keep a large amount of transaction data on the sub-chain; The node must be online.

Source: Plasma: An Innovative Framework to Scale Ethereum

Proof of validity (reasoning transaction is valid) + on-chain DA (security +, expansion effect -) = ZK-rollup

ZkRollup can effectively improve Plasma issues. Since zkRollup and Validium in this part both use zero-knowledge proof as the verification mechanism, the concept of zero-knowledge proof is briefly described in this part. Zero-knowledge proof refers to that when proving a proposition to others to be true, no other information is provided except the proposition to be true. For example, if A uses A zero-knowledge proof to prove to B that he is an adult, B will not know A's birthday, only the fact that A is an adult. In zkRollup, zkSNARK is used to verify a large number of transactions. After determining the validity of these transactions, it is only necessary to upload a zero-knowledge proof to the main network to prove that these transactions are valid. This greatly compresses the amount of data, allowing the transaction data to be written to the main network.

ZkRollup also faces some problems: zero-knowledge proof is computationally difficult; It takes trust in the beginning; Poor versatility

Proof of validity (reasoning transaction is effective) + off-chain DA (security -, expansion effect +) = Validium

Validium also uses zero-knowledge proofs to ensure the validity of its trading information and the availability of off-chain data. The only difference from zkRollup is that it puts data availability off-chain, which allows Validium to have higher throughput, but with the consequence that the data availability manager can modify the Merklized state slightly so that users can't transfer money. As shown below, if d3 is modified, the owner of d1 will not be able to obtain information about node m, which is necessary to prove ownership of his account. After zkRollup came along, Validium basically lost its competitiveness completely.

Photo source: Validium And The Layer 2

Fraud proof (detecting invalid transactions) + on-chain DA (security +, expansion effect -) = Optimistic Rollup

Optimistic Rollup is an upgraded version of Plasma and can solve the problem of zkRollup generality. The transaction information submitted by the default node is correct. After submitting the transaction information to the main network, there will be a 7-day challenge period for others to check the correctness of the transaction. Unlike Plasma, the transaction data is written onto the chain; Unlike zkRollup, zero-knowledge proofs are not used. Optimistic Rollup sacrifices part of the throughput while neutralizing the other two rollups.

Photo source: ethereum.org

Summary and future prospects

Because of the existence of impossible triangle, doomed to not have perfect expansion program, need to weigh the cost of each program.   Personally, because the cost of on-chain expansion is higher (including hard fork and technical difficulty), it is more difficult to achieve, in general, it will still be based on the off-chain expansion scheme.

In the current off-chain capacity expansion solutions, Rollups maintains its security advantages. However, while the Rollups can significantly release L1 throughput, the speed at which L2 packaged data can be sent back to L1 is limited by the size of the Ethereum block. At present, the storage capacity of a block of Ethereum is about 100kB, and the data packaged by Rollups that can be processed within a minute is less than 500kb. Besides receiving the packaged data, the main network also needs to process the original transaction information on L1, which leads to the throughput bottleneck of the off-chain expansion scheme.

Fortunately, different schemes can be combined: in the on-chain scheme, the idea of DankSharding can significantly reduce the workload and data download of verification nodes by using sampling verification and RS coding, and solve the problem of transaction processing speed. It is expected that it can complement Rollup after implementation. Optimistic Rollup cost is mainly the cost of writing to the main network in the current Rollups, which is most suitable for ProtoDanksharding, which can reduce the cost. Therefore, in my opinion, Optimistic Rollup on the chain and ProtoDankSharding on the chain will be the best choice in the near future (if the EIP-4844 is successfully implemented).

The original link

欢迎加入律动 BlockBeats 官方社群：

Telegram 订阅群：https://t.me/theblockbeats

Telegram 交流群：https://t.me/BlockBeats_App

Twitter 官方账号：https://twitter.com/BlockBeatsAsia