A Simple Single Slot Finality Protocol For Ethereum
Francesco D'Amato, Luca Zanolini

TL;DR
This paper introduces a simple, non-blackbox consensus protocol for Ethereum that achieves single slot finality, reducing reorg risks and enabling faster, more secure transaction confirmation.
Contribution
It proposes a novel combination of synchronous and partially synchronous protocols to achieve block finality within a single slot, improving Ethereum's finality efficiency.
Findings
Finalizes one block per slot
Reduces reorg vulnerability
Enables faster transaction confirmation
Abstract
Currently, Gasper, the implemented consensus protocol of Ethereum, takes between 64 and 95 slots to finalize blocks. Because of that, a significant portion of the chain is susceptible to reorgs. The possibility to capture MEV (Maximum Extractable Value) through such reorgs can then disincentivize honestly following the protocol, breaking the desired correspondence of honest and rational behavior. Moreover, the relatively long time to finality forces users to choose between economic security and faster transaction confirmation. This motivates the study of the so-called single slot finality protocols: consensus protocols that finalize a block in each slot and, more importantly, that finalize the block proposed at a given slot within such slot. In this work we propose a simple, non-blackbox protocol that combines a synchronous dynamically available protocol with a partially synchronous…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsDistributed systems and fault tolerance · Advanced Data Storage Technologies · Peer-to-Peer Network Technologies
A Simple Single Slot Finality Protocol For Ethereum
Francesco D’Amato
Ethereum Foundation
Luca Zanolini
Ethereum Foundation
Abstract
Currently, Gasper, the implemented consensus protocol of Ethereum, takes between 64 and 95 slots to finalize blocks. Because of that, a significant portion of the chain is susceptible to reorgs. The possibility to capture MEV (Maximum Extractable Value) through such reorgs can then disincentivize honestly following the protocol, breaking the desired correspondence of honest and rational behavior. Moreover, the relatively long time to finality forces users to choose between economic security and faster transaction confirmation. This motivates the study of the so-called single slot finality protocols: consensus protocols that finalize a block in each slot and, more importantly, that finalize the block proposed at a given slot within such slot.
In this work we propose a simple, non-blackbox protocol that combines a synchronous dynamically available protocol with a partially synchronous finality gadget, resulting in a consensus protocol that can finalize one block per slot, paving the way to single slot finality within Ethereum. Importantly, the protocol we present can finalize the block proposed in a slot, within such slot.
1 Introduction
Traditional Byzantine consensus protocols, such as PBFT [5], are devised in a partial synchronous network model [8], in the sense that they always guarantee safety, but they guarantee liveness only after . In this setting, however, participants in the protocol are fixed, known in advance, and without possibility to go offline.
Dynamic participation (among systems’ participants) has lately become an essential prerequisite for developing permissionless consensus protocols. This concept, initially formalized by Pass and Shi via their sleepy model, [16] encapsulates the ability of a system to handle participants joining or leaving during a protocol execution. In particular, a consensus protocol that preserves safety and liveness while allowing dynamic participation is called dynamically available.
One problem of such protocols, as a result of the CAP theorem [9][11], is that they do not tolerate network partitions; no consensus protocols can both satisfy liveness (under dynamic participation) and safety (under temporary network partitions). Simply put, a consensus protocol (for state-machine replication) cannot produce a single chain that concurrently offers dynamic availability and guarantees transaction finality in case of asynchronous periods or network partitions. Because of that, dynamically available protocols studied so far are focused on a synchronous model [6][12][13].
To overcome this impossibility result, Neu at al. [15] introduce a family of protocols, referred to as ebb-and-flow protocols, which operate under two confirmation rules, and outputting two chains, one a prefix of the other. The first confirmation rule defines what is known as the available chain, which provides liveness under dynamic participation (and synchrony). The second confirmation rule defines the finalized chain, and provides safety even under network partitions. Interestingly, such family of protocols also captures the nature of the Ethereum consensus protocol, Gasper [4], in which the available chain is output by (the confirmation rule of) LMD-GHOST [18], and the finalized chain by the (confirmation rule of the) finality gadget Casper FFG [3]. However, the (original version of) LMD-GHOST is actually not secure [15] even in a context of full-participation.
Motivated by finding a (more secure) alternative to LMD-GHOST, and following the ebb-and-flow approach, D’Amato et al. [6] devise a synchronous dynamically available consensus protocol, Goldfish, that, combined with a generic (partially synchronous) finality gadget, implements an ebb-and-flow protocol. Moreover, Goldfish is reorg resilient: blocks proposed by honest validators are guaranteed inclusion in the chain. However, Goldfish is brittle to temporary asynchrony [7], in the sense that even a single violation of the bound of network delay can lead to a catastrophic failure, jeopardizing the safety of any previously confirmed block, resulting in a protocol that is not practically viable to replace LMD-GHOST in Ethereum. In other words, Goldfish is not asynchrony resilient.
To cope with the problem of Goldfish, D’Amato and Zanolini [7] propose RLMD-GHOST, a provably secure synchronous protocol that does not lose safety during bounded periods of asynchrony and which tolerates a weaker form of dynamic participation, offering a trade-off between dynamic availability and asynchrony resilience. Their protocol results appealing for practical systems, where strict synchrony assumptions might not always hold, contrary to what is generally assumed with standard synchronous protocols.
In this work we build upon the work of D’Amato and Zanolini [7], and we devise a protocol that combines RLMD-GHOST with a partially synchronous finality gadget. In particular, we give the following contributions. We devise a secure and reorg-resilient ebb-and-flow protocol [15] as a potential substitute for the current Ethereum consensus protocol, Gasper [4], which can finalize (at most) one block per slot. In particular, our protocol can finalize the block proposed in the current slot, within such slot, paving the way to single slot finality [2] protocols for practical use within Ethereum. Finally, we expand upon the generalized sleepy model [7] introduced by D’Amato and Zanolini[7], adjusting it to accommodate a partially synchronous setting. We refer to the resulting model as the generalized partially synchronous sleepy model. This enhanced model not only extends the original sleepy model, first presented by Pass and Shi [16], but it also introduces stronger and more generalized constraints related to the corruption and sleepiness power of the adversary. Furthermore, our model integrates the concept of partial synchrony, setting it apart from the model proposed by D’Amato and Zanolini [7]. Our security results will be proven within this extended model. The remainder of this work is structured as it follows. In Section 3 we present our system model. Prerequisites for this work are presented in Section 4; we recall RLMD-GHOST as originally presented by D’Amato and Zanolini [7], state its properties, and show a class of protocols, called propose-vote-merge protocols, that groups together (a variant of) LMD-GHOST, (a variant of) Goldfish, and RLMD-GHOST under an unique framework. Protocol specifications are described in Section 5. In particular, we show how to slightly modify RLMD-GHOST to interact with a finality gadget, and then present the full protocol. In Section 6 we formally prove the properties that our protocol satisfy. Finally, in Section 7 we enable our protocol to finalize the block proposed in the current slot through acknowledgments, messages sent by participants in the consensus protocol, but only relevant to external observers. Conclusions are drawn in Section 8.
2 Related works
Pass and Shi [16] introduced the sleepy model of consensus, which models a distributed system where the participants can be either online or offline, meaning their participation is dynamic. This differs from the standard models in the literature that assume honest participants are always online and execute the assigned protocol. Dynamic participation became a key requirement to devise consensus protocols, as it adds a more robustness to systems that allow participants to go offline, while preserving safety and liveness of such dynamically available protocols.
Neu et al [15] introduce the partially synchronous sleepy model and define the objectives of the Ethereum consensus protocol, Gasper [4], through the concept of an ebb-and-flow protocol. A secure ebb-and-flow protocol produces both a dynamically available ledger and a finalized ledger, that is always safe and live after . In the context of Gasper, the dynamically available ledger is defined by LMD-GHOST [18] and the finalized ledger by Casper [3].
However, under a deeper analysis, Neu et al [15] show that LMD-GHOST is not dynamically available, by presenting an attack to its liveness. D’Amato et al. [6] introduce Goldfish, a simplified variant of LMD-GHOST, aiming at solving some problems related to LMD-GHOST [15, 14], that results in a synchronous dynamically available protocol in the partially synchronous sleepy model that, composed with a generic finality gadget, implements an ebb-and-flow protocol. Goldfish however is brittle to temporary asynchrony, in the sense that even a single violation of the bound of network delay can lead to a catastrophic failure, jeopardizing the safety of any previously confirmed block.
D’Amato and Zanolini [7] introduce the generalized sleepy model. This model takes up from the original sleepy model presented by Pass and Shi [16] and extends it with more generalized and stronger constraints in the corruption and sleepiness power of the adversary. This allow to explore a broad space of dynamic participation regimes which fall between complete dynamic participation and no dynamic participation. Moreover, they introduce RLMD-GHOST, a generalization of (variants of) Goldfish and LMD-GHOST, that offers a trade-off between resilience to temporary asynchrony and dynamic availability. RLMD-GHOST represents a middle ground between LMD-GHOST, an asynchrony resilient but not dynamically available protocol, and Goldfish, a dynamically available but not asynchrony resilient protocol. RLMD-GHOST is resilient to bounded asynchrony up to a vote expiry period, and satisfies an appropriate notion of dynamic availability in the generalized sleepy model.
3 Model and Preliminary Notions
3.1 System model
We consider a set of validators that communicate with each other through exchanging messages. Every validator is identified by a unique cryptographic identity and the public keys are common knowledge. Validators are assigned a protocol to follow, consisting of a collection of programs with instructions for all validators. A validator that follows its protocol during an execution is called honest. Each validator has a stake, which we assume to be the same for every validator. If a validator fails to serve the role assigned to it or tries to deliberately deviate from the protocol, i.e., is Byzantine, and a proof of this misbehavior is given, it loses a part of its stake proportional to the severity of the fault ( gets slashed). We assume the existence of a probabilistic poly-time adversary that can choose up to validators to corrupt over an entire protocol execution. Corrupted validators stay corrupted for the remaining duration of the protocol execution, and are thereafter called adversarial. The adversary knows the the internal state of adversarial validators. The adversary is adaptive: it chooses the corruption schedule dynamically, during the protocol execution.
We assume that a best-effort gossip primitive that will reach all validators is available. In a protocol, this primitive is accessed through the events “sending a message through gossip” and “receiving a gossiped message.” Moreover, we assume that messages from honest validator to honest validator are eventually received and cannot be forged. This includes messages sent by Byzantine validators, once they have been received by some honest validator and gossiped around by .
Time is divided into discrete rounds. We consider a partially synchronous model in which validators have synchronized clocks but there is no a priori bound on message delays. However, there is a time (not known by the validators), called global stabilization time (), after which message delays are bounded by rounds. Moreover, we define the notion of slot as a collection of rounds. The adversary can decide for each round which honest validator is awake or asleep at that round [16]. Asleep validators do not execute the protocol and messages for that round are queued and delivered in the first round in which the validator is awake again. Honest validators that become awake at round , before starting to participate in the protocol, must first execute (and terminate) a joining protocol (Section 4), after which they become active. All adversarial validators are always awake, and are not prescribed to follow any protocol. Therefore, we always use active, awake, and asleep to refer to honest validators. As for corruptions, the adversary is adaptive also for sleepiness, i.e., the sleepiness schedule is also chosen dynamically by the adversary. Moreover, there is a time (not known by the validators), called global awake time (), after which all validators are always awake.
We assume that every message has an expiration period [6][7]. More specifically, for a given slot and a constant greater than or equal to [math], the expiration period for slot is the interval . Only messages sent within this time frame influence the behavior of the protocol at slot . Furthermore, during each protocol execution slot, only the most recent messages sent by validators are considered.
We require that, for some fixed parameter , the following condition, referred by D’Amato and Zanolini [7] as -sleepiness at slot , holds for any slot after :
[TABLE]
with , , and are the set of active validators at round , the set of adversarial validators at round , and the set of validators that are active at some point in slots , i.e., (if then ), respectively. Note that . In other words, we require the number of active validators at round to be greater than the number of adversarial validators at round , together with the number of validators that were active at some point between rounds and , but not at round .
Intuitively, this condition is designed to work with a protocol that applies expiration to its messages, with the period set as . The messages taken into consideration at slot originate from slots . Among these, the only messages sent by honest validators that can be relied upon come from . However, unexpired messages from honest validators, who were inactive in slot , could potentially aid the adversary.
Note that our approach diverges from the generalized sleepy model proposed by D’Amato and Zanolini [7]. Specifically, we require that Equation 1 only holds after and we refer to this model as the generalized partially synchronous -sleepy model (or wlog, when the context is clear, as the -sleepy model for short). Finally, we say that an execution in the generalized partially synchronous sleepy model is -compliant if it satisfies -sleepiness (Equation 1).
3.2 Validator internals
View.
A view (at a given round ), denoted by , is a subset of all the messages that a validator has received until . The notion of view is local for the validators. For this reason, when we want to focus the attention on a specific view of a validator , we denote with the view of (at a round ).
Blocks and chains.
Let’s consider two chains, and . We denote if acts as a prefix to . When block is at the end of chain , we refer to it as the head of , and we equate the entire chain with . Therefore, if and is the head of , we also express this as and .
Fork-choice functions.
A fork-choice function is a deterministic function, denoted as . This function, when given a view and a slot as inputs, produces a block . If is a block extending , then equals . The result of is referred to as the head of the canonical chain in , and the chain with as its head is referred to as the canonical chain in . Every validator keeps track of its canonical chain and updates it using , according to its local view. The canonical chain for validator at round is represented as . In this work we will focus our attention on a specific class of fork-choice functions based on [17]. D’Amato and Zanolini [7] characterize a -based fork-choice function by a view filter FIL, which takes as input a view and a slot , and outputs , where is another view such that . Then, , i.e., .
3.3 Security
Security Parameters.
In this work we treat and as the security parameters related to the cryptographic components utilized by the protocol and the protocol’s own security parameter, respectively. We also account for a finite time horizon, represented as , which is polynomial in relation to . An event is said to occur with overwhelming probability if it happens except with probability which is . The properties of cryptographic primitives hold true with a probability of , signifying an overwhelming probability, although we will not explicitly mention this in the subsequent sections of this work.
Confirmed chain.
The protocols we consider always specify a confirmation rule, with whom validators can identify a confirmed prefix of the canonical chain. Alongside the canonical chain, validators then also keep track of a confirmed chain. We refer to the confirmed chain of validator at round as (cf. for the canonical chain).
Definition 1** (Secure protocol [6]).**
We say that a protocol outputting a confirmed chain is secure after time , and has confirmation time 111If the protocol satisfies liveness, then at least one honest proposal is added to the confirmed chain of all active validators every slots. Since honest validators include all transactions they see, this ensures that transactions are confirmed within time (assuming infinite block sizes or manageable transaction volume)., if satisfies:
Safety
For any two rounds , and any two honest validators and (possibly ) at rounds and respectively, either or .
Liveness
For any rounds and , and any honest validator active at round , contains a block proposed by an honest validator at a round .
A protocol satisfies -safety and -liveness if it satisfies safety and liveness, respectively, in the -sleepy model, i.e., in -compliant executions. A protocol satisfies -security if it satisfies -safety and -liveness.
We now recall the definitions of dynamic availability and reorg resilience from [7]. We consider them only under network synchrony, i.e., for , as this is the only setting in which we utilize them. Note that it is customary to only analyze dynamic availability with , when analyzing the behavior of ebb-and-flow protocols.
Definition 2** (Dynamic availability).**
We say that a protocol is -dynamically-available if and only if it satisfies -security with confirmation time when . Moreover, we say that a protocol is dynamically available if it is -dynamically-available, as this corresponds to the usual notion of dynamic availability.
Definition 3** (Reorg resilience).**
An execution with satisfies reorg resilience if any honest proposal from a slot is always in the canonical chain of all active validators at rounds . A protocol is -reorg-resilient if all -compliant executions with satisfy reorg resilience.
Definition 4** (Accountable safety).**
We say that a protocol has accountable safety with resilience if, upon a safety violation, it is possible to identify at least responsible participants. In particular, it is possible to collect evidence from sufficiently many honest participants and generate a cryptographic proof that identifies adversarial participants as protocol violators. Such proof cannot falsely accuse any honest participant that followed the protocol correctly. Finally, we also say that a chain is -accountable if the protocol outputting it has accountable safety with resilience . If a protocol outputs multiple chains , we say that is -accountable if is, where is the protocol which runs and outputs only .
Ebb-and-flow protocols.
Neu et al. [15] propose a protocol with two confirmation rules that outputs two chains, one that provides liveness under dynamic participation (and synchrony), and one that provides accountable safety even under network partitions. This protocol is called ebb-and-flow protocol. We present a generalization of it, in the -sleepy model.
Definition 5** (-secure ebb-and-flow protocol).**
A -secure ebb-and-flow protocol outputs an available chain that is -dynamically-available if , and a finalized (and accountable) chain that, if is always safe and is live after . Moreover, for each honest validator and for every round , is a prefix of .
4 Propose-vote-merge protocols
The aim of this work is to present a secure ebb-and-flow [15] protocol that can finalize (at most) one block per slot and, in particular, that can finalize within slot the block proposed in . This is achieved by revisiting the propose-vote-merge protocol RLMD-GHOST introduced by D’Amato and Zanolini [7] as the basis for our protocol implementation. Propose-vote-merge protocols proceed in slots consisting of rounds222D’Amato and Zanolini [7] implement RLMD-GHOST with fast confirmation with (Appendix B [7]). However, we will consider , following the approach taken by D’Amato et al. [6] when presenting Goldfish with fast confirmation. We will show how RLMD-GHOST with fast confirmation can be changed into its variant with in Section 5 while presenting our protocol., each having a proposer , chosen through a proposer selection mechanism among the set of validators. In particular, at the beginning of each slot , the proposer proposes a block . Then, all active validators (also referred as voters) vote after rounds. Every validator has a buffer , a collection of messages received from other validators, and a view , used to make consensus decisions, which admits messages from the buffer only at specific points in time.
Propose-vote-merge protocols are defined through a deterministic fork-choice function , which is used by honest proposers and voters to decide how to propose and vote, respectively, based on their view at the round in which they are performing those actions. It is moreover used as the basis of a confirmation rule (Section 5.2), which defines the output of the protocol, and thus with respect to which the security of the protocol is defined. In the case of RLMD-GHOST, its fork-choice function considers the last (non equivocating) messages sent by validators that are not older than slots (for an expiration period ), in order to make protocol’s decisions. In particular, the filter function removes all but the latest messages within the expiry period for slot , from non-equivocating validators, i.e., . Here, removes all but the latest votes of every validator (possibly more than one) from and outputs the resulting view, i.e., it implements the latest message (LMD) rule, removes all votes from slots from and outputs the resulting view, and removes all votes by equivocating validators in [1], i.e., validators for which contains multiple, equivocating, votes for some slot .
A propose-vote-merge protocol proceeds in three phases:
propose: In this phase, which starts at the beginning of a slot, the proposer merges its view with its buffer , i.e., , and sets . Then, runs the fork-choice function with inputs its view and slot , obtaining the head of the chain . Proposer extends with a new block , and updates its canonical chain accordingly, setting . Finally, it broadcasts the message [propose, , , , ].
vote: Here, every validator that receives a proposal message [propose, , , , ] from merges its view with the proposed view , by setting . Then, it broadcasts votes for some blocks based on its view. We omit, for the moment, for which blocks a validator votes: it will become clear once we present the full protocol.
merge: In this phase, every validator merges its view with its buffer, i.e., , and sets .
The merge phase, along with all other operations involving views and buffers discussed in the previous section, are implemented using the view-merge technique [6][7][10]. The idea behind the view-merge technique involves synchronizing the views of all honest validators with the view of the proposer for a specific slot before the validators broadcast their votes in that slot.
D’Amato et al. [6] introduce the notion of active validators333Observe that D’Amato et al. [6] actually refer to awake validators to indicate what we call active, and to dreamy validators to indicate what we call awake (but not active).: awake validators that have terminated a joining protocol at a round , described as it follows. Assuming a propose-vote-merge protocol proceeding in slots of rounds, when an honest validator wakes up at some round , it immediately receives all the messages that were sent while it was asleep, and it adds them into its buffer , without actively participating in the protocol yet. All new messages which are received are also added to the buffer . Validator then waits for the next view-merge opportunity, at round , in order to merge its buffer into its view . At this point, starts executing the protocol. From this point on, validator becomes active, until either corrupted or put to sleep by the adversary. We consider such a joining protocol when describing our propose-vote-merge protocol.
5 Protocol specification
5.1 Data structures
We consider five message types: propose, block, checkpoint, head-vote, and ffg-vote. We make no distinctions between network-level representation of blocks and votes, and their representation in a validator’s view, i.e., there is no difference between block and *-vote messages and blocks and votes, and we usually just refer to the latter. We describe the objects as tuples (data-type, ) with their data type as a tag, but in practice mostly refer to them without the tag. We use dot notation to refer to the fields. For the tag, we do so simply with , for the other fields we use the generic names specified in the object descriptions below, to access the different fields, e.g., is the slot of block . In the following, is a slot and a validator.
Blocks and checkpoints.
A block is a tuple , where is a block body, i.e., the protocol-specific content of the block444For simplicity, we omit a reference to the parent block.. A checkpoint is a tuple , where is a block and .
Votes.
A head vote is a tuple [head-vote, , , ], where is a block. An FFG vote is a tuple [ffg-vote, , , ], where are checkpoints, , and . We refer to the two checkpoints as source and target, respectively, and to FFG votes as links between source and target. When is clear from context, we also write for the whole vote, e.g., we say that casts a vote.
Proposals.
A proposal is a tuple [propose, , , , ] where is a block and a view. We refer to as a proposed view.
Gossip behavior.
Votes and blocks are gossiped at any time, regardless of whether they are received directly or as part of another message. For example, a validator receiving a vote also gossips the block that it contains, and a validator receiving a proposal also gossips the blocks and votes contained in the proposed view. Finally, a proposal from slot is gossiped only during the first rounds of slot .
5.2 Confirmation rule
A confirmation rule allows validators to identify a confirmed prefix of the canonical chain, for which safety properties hold, and which is therefore used to define the output of the protocol. Since the protocol we are going to present outputs two chains, the available chain and the finalized chain , we have two confirmation rules. One is finality, which we introduce in Section 5.3, and defines . The other confirmation rule, defining , is the one adopted by RLMD-GHOST, in its variant supporting fast confirmation555With some minor changes, as RLMD-GHOST still has rounds per slots, by requiring an optimistic assumption on network latency in order for fast confirmations to be live.. It is itself essentially split in two rules, a slow -deep confirmation rule, which is live also under dynamic participation, and a fast optimistic rule, requiring honest validators to be awake, i.e., a stronger assumption than just compliance. Both rules are employed at round , and is updated to the highest block confirmed by either one, so that liveness of only necessitates liveness of one of the two rules. In particular, -compliance is sufficient for liveness. On the other end, safety of requires both rules to be safe.
5.3 FFG component
As mentioned above, a propose-vote-merge protocol is characterized by a fork-choice function that identifies for every slot the current head of the canonical chain for a given validator. Moreover, we described two kind of votes that a validator executes in the vote phase: a head-vote, used to vote for the head of the canonical chain, i.e., the output of the fork-choice function evaluated at the current slot, and an ffg-vote, used by the FFG-component of our protocol666The component of our protocol that outputs is almost identical to Casper [3], the friendly finality gadget (FFG) adopted by the Ethereum consensus protocol Gasper [4]. This is the reason why we decided to use the FFG terminology already accepted within the Ethereum ecosystem..
The FFG component of our protocol aims at finalizing one block per slot by counting ffg-votes cast at a given slot.
Justification.
We say that a set of distinct FFG votes is a supermajority link between and . We say that a checkpoint is justified if there is a chain of supermajority links (, . In particular, is justified. Finally, we say that a block is justified if there exists a justified checkpoint with .
Slashing.
The slashing rules are the same as in Casper FFG. Validator is slashable (see Section 3) for two distinct FFG votes and , if either: (Equivocation) or (Surround voting) .
Latest justified checkpoint and block.
A checkpoint is justified in a view if contains the chain of supermajority links justifying it. We refer to the justified checkpoint of highest slot in as the latest justified checkpoint in , or , and to as the latest justified block in , or . Ties are broken arbitrarily (the occurrence of a tie implies that validators are slashable for equivocation). For brevity, we also use to refer to , the latest justified checkpoint in the view of validator .
Finality.
A checkpoint is finalized if it is justified and there exists a supermajority link with . A block is finalized if there exists a finalized checkpoint with .
5.4 Voting
Fork-choice.
Similarly to Gasper [4], we adopt an hybrid justification-respecting fork-choice, namely , building upon [7] fork-choice function. starts from , the latest justified block in , instead of , and then proceeds as , i.e., it runs using the view filtered by . Formally, we can define it by using another view filter, , i.e., . outputs , where filters out blocks in that conflict with . In other words, it filters out branches which do not contain , so is guaranteed to be canonical.
Voting rules.
Consider a validator voting at slot . Head votes work exactly as in RLMD-GHOST, or any propose-vote-merge protocol, i.e., validators vote for the output of their fork-choice: when it is time to vote, validator casts vote [head-vote, ]. FFG votes always use the latest justified checkpoint as source. The target block is the highest confirmed descendant of the latest justified block, or the latest justified block itself if there is none. The target checkpoint is then , with being the height of block , and the FFG vote of is [ffg-vote, ], voting for the link .
5.5 Protocol execution
Our protocol is implemented in Algorithm 2 and it works as it follows. Note that the Propose and Head-vote phases are exactly as in a generic propose-vote-merge protocol (see Section 4). Moreover, a slot in our protocol begins at round . At any time, the finalized chain of validator just consists of the finalized blocks according to its view , so we omit explicit updates to in the following.
Propose: At round , proposer merges its view with its buffer , i.e., , and sets . Then, runs the fork-choice function with inputs its view and slot , obtaining the head of the chain . Proposer extends with a new block , and updates its canonical chain accordingly, by setting . Finally, it broadcasts the proposal [propose, , , , ].
Head-vote: In rounds , a validator , upon receiving a proposal message (propose, , , , ) from , merges its view with the proposed view by setting . At round , even if no proposal is received, validator updates its canonical chain by setting , and casts the head vote (head-vote, , , ).
Confirm: At round , a validator selects for fast confirmation the highest canonical block such that contains votes from slot for descendants of , from distinct validators. It then updates its confirmed chain to the highest between and , the -deep prefix of its canonical chain, as long as this does not result in updating to some prefix of it (we do not needlessly revert confirmations).
ffg-vote: At round , after updating , a validator casts the FFG vote (ffg-vote, , , ), where
Merge: At round , every validator merges its view with its buffer, i.e., , and sets .
6 Analysis
Algorithm 2 works in the generalized partially synchronous sleepy model, and is in particular a -secure ebb-and-flow protocol, if we strengthen -compliance to require that less than validators are ever slashable for equivocation, for reasons that will be explained shortly. For , we show in Section 6.1 that, if the execution is -compliant in this stronger sense, then all the properties of RLMD-GHOST [7] keep holding. In Section 6.2 we show that the finalized chain is -accountable, and thus always safe if . Moreover, if , is live after .
Before proceeding with the analysis under synchrony and partial synchrony, we state without proof the view-merge property, which follows from the usage of the view-merge technique, since it enables proposers to synchronize the view of honest voters with theirs. It corresponds to Lemma 2 as presented by D’Amato and Zanolini [7], with an addition regarding synchronization of the latest justified checkpoint.
Lemma 1**.**
Suppose that is a slot with an (honest) active proposer and that network synchrony holds in rounds . Say the proposed block is , and the latest justified checkpoint in the view of the proposer is . Then, at round , all active validators broadcast a head-vote for the honest proposal of slot . Moreover, for any such active validator .
6.1 Synchrony
Throughout this part of the analysis, we assume that , and that validators are ever slashable for equivocation, by which here we mean signing multiple head-votes for a single slot, rather than violating . In other words, we are not concerned about equivocation with ffg-votes, but rather with head-votes, which can similarly be declared a slashable offense. Observe that, in RLMD-GHOST with fast confirmations (Appendix B [7]), this assumption is strictly needed for safety (and only for clients which use fast confirmations), but for example not for reorg resilience or liveness, because fast confirmations do not affect the canonical chain. On the other hand, the protocol we present here utilizes confirmations as a prerequisite for justification, and justification does affect the canonical chain, since filters out branches conflicting with the latest justified block. Therefore, we require that validators are ever slashable for equivocation for all of the properties which we are going to prove. As already mentioned, to avoid stating it repeatedly, we further restrict -compliant executions to those executions in which the assumption holds.
Our single slot finality protocol implemented in Algorithm 2 uses the fork-choice function, dealing with checkpoints and justifications. However, one could implement it using also different fork-choice functions. In particular, we show that by substituting with (with equal expiration period ), i.e., if we ignore justifications and consider the vanilla fork-choice function introduced by D’Amato and Zanolini [7], then the resulting protocol is equivalent to the RLMD-GHOST protocol with fast confirmation (Appendix B [7]). This because FFG votes have no effect at all, and as such it is -reorg-resilient, and -dynamically-available. Moreover, the following two results about fast confirmations (Appendix B [7]) also apply.
Theorem 1** (Reorg resilience of fast confirmations).**
Let us consider an -compliant execution with . A block fast confirmed by an honest validator at a slot is always in the canonical chain of all active validators at rounds .
Theorem 2** (Liveness of fast confirmations).**
An honest proposal from a slot in which is fast confirmed by all active validators at round .
We show that, under synchrony, i.e., with , these properties are preserved by our justification-respecting protocol, which uses instead. To do so, we show that for every -compliant execution, Algorithm 2 using and Algorithm 2 using are equivalent, i.e., the sequence of outputs of Algorithm 2 is the same regardless of which fork-choice function is used. All properties of Algorithm 2 with in such -compliant executions then also apply to Algorithm 2 with . In particular, it is also -reorg-resilient and -dynamically-available, and it also satisfies reorg resilience and liveness of fast confirmations, i.e., Theorems 1 and Theorem 2 hold.
Theorem 3** (Execution equivalence).**
Let us consider an -compliant execution with and with Algorithm 2 using . Furthermore, let us consider the same execution, with the same adversarial strategy and randomness, with Algorithm 2 using . The sequence of outputs of the two algorithms correspond exactly.
Proof.
Since the only difference between the two protocols is the fork-choice function , the sequences of outputs correspond as long as the outputs of and obtained by active validators are always the same in the two executions. is used only twice in Algorithm 2, in Line 2 for proposing, and in Lines 2-2, with the same input, for broadcasting a head-vote. We are going to prove by induction that the canonical chain of an active validator at any voting round is the same in both executions. Since Line 2 sets , and this value is the same as in Line 2, we only need to show that the fork-choice output in Line 2 coincides in the two executions as well. In Line 2, an honest validator uses the fork-choice output to construct their head-votes, so head-votes correspond in both executions. Moreover, the view-merge property applies in both executions, so honestly proposed blocks correspond to the honest head-votes from their slot. Therefore, head-votes coinciding in the two executions implies that honestly proposed blocks coincide as well. Since honestly proposed blocks extend the output of the fork-choice at Line 2, this output is then also the same in both executions, completing the proof. We now carry out the induction.
Induction hypothesis: At any slot and for , coincides in both executions, for any active validator .
Base case: In rounds , the two executions are exactly the same, because the only justified checkpoint is , so . Therefore, the statement holds for .
Inductive step: Suppose now that the statement holds for , and consider round . Consider an active validator with view at round , and latest justified block . Let be minimal such that there exists a justified checkpoint , i.e., slot is the first slot in which block was justified. The supermajority link with target contains at least one FFG vote from an honest validator . By minimality of , could not have been already justified in the view of when broadcasting an FFG vote at slot . Therefore, by Lines 2-2 of Algorithm 2, it must be the case that at round , i.e., that it had been confirmed by . If it was fast confirmed at a slot , then, in the execution with , Theorem 1 implies that for all active validators at any round , and so in particular that , since . If instead at round , i.e., is confirmed by due to being -deep in its canonical chain, then with overwhelming probability there exists a pivot slot (Lemma 3 [7]), with proposed block . In the execution with , -reorg-resilience then implies that for all active validators at any round . In particular, at round , and . The former implies , since , and we then have .
Anyway, regardless of how has been confirmed by , we have . Therefore, , which in turn implies . Therefore, after updates its canonical chain at round by setting , with dependent on the execution, is the same in both executions. ∎
6.2 Partial synchrony
Throughout this section we assume that . First, we prove that the finalized chain is accountably safe, exactly as done in Casper [3]. Then, we show that honest proposals made after are justified within their proposal slot, which implies liveness of the finalized chain.
Theorem 4** (Accountable safety).**
The finalized chain is accountably safe, i.e., two conflicting finalized blocks imply that at least adversarial validators can be detected to have violated either or .
Proof.
We assume throughout that there are no double justifications, i.e., there are no checkpoints with , and we refer to this as the non-equivocation assumption. If that’s not the case, clearly validators are slashable for violating . Consider two conflicting finalized blocks and . By definition, there are also finalized checkpoints and with , . Say is finalized by the chain of supermajority links (, , with , and by the chain (, , with . Let , and . By the non-equivocation assumption, , and without loss of generality we take . Let , so , and by minimality of . By the non-equivocation assumption, implies that . We then have , contradicting that and are conflicting. Therefore, as well. Similarly, . Therefore, we have , i.e., . The intersection of the two sets of voters of the supermajority links and contains at least validators, which are then slashable for violating . ∎
Lemma 2**.**
If an honest proposer proposes a block at a slot after , and the latest justified checkpoint in the view of the proposer is , then the checkpoint is justified in all honest views at round , by supermajority link .
Proof.
Since is after , all honest validators are awake since at least round , so at slot they have completed the joining protocol and are active. Moreover, the view-merge property (Lemma 1) applies to all of them. Consider now an honest validator . By the view-merge property, validator broadcasts a head-vote for at round . Also by the view-merge property, at round , but does not change until round , since does not. Therefore, at round . By that round, all honest head-votes for are received by all honest validators, including . Since also , fast confirms , and thus broadcasts an FFG vote . All honest validators receive such votes by round , and merge them into their view then. Therefore, checkpoint is justified in all honest views at that round. ∎
Theorem 5** (Liveness).**
Consider two consecutive slots and with honest proposers after . The block proposed at slot is finalized at the end of slot .
Proof.
By Lemma 2, checkpoint is justified in all honest views at round . Since at the beginning of slot there cannot be any justified checkpoint with slot , and there cannot be any other justified checkpoint with slot , is therefore the latest justified block in the view of the proposer of slot . is then canonical in its view, and it proposes a block which extends . Again by Lemma 2, is justified in all honest views at round , by the supermajority link . Therefore, is finalized in all honest views. ∎
7 Single slot finality
The protocol implemented in Algorithm 2 is a an -secure ebb-and-flow protocol which (at best) finalizes a block in every slot, but it does not achieve single slot finality, i.e., it cannot finalize a proposal within its proposal slot. At best, it lags behind by one slot, finalizing a proposal from slot at the end of slot . A straightforward extension of our protocol which achieves single slot finality is one with rounds per slot, allowing for an additional FFG voting phase. This would be very costly in Ethereum, for two reasons. First, it would in practice significantly increase the slot time, because each voting round requires aggregating hundreds of thousands (if not millions) of BLS signatures, likely requiring a lengthier multi-step aggregation process. Moreover, it would be expensive in terms of bandwidth consumption and computation, because such votes would have to all be gossiped and verified by each validator, costly even if already aggregated. For these reasons, we describe here an alternative way to enhance to protocol for the purpose of achieving single slot finality, without suffering from the drawbacks just described. We introduce a new type of message, acknowledgment, and a new slashing condition alongside it. Acknowledgments do not influence the protocol in any way, except in case of slashing, and are mainly intended to be consumed by external observers which want to have the earliest possible finality guarantees. Therefore, they do not need to be gossiped to and verified by all validators. They can then simply be gossiped in smaller sub-networks (similar to the attestation subnets which Ethereum employs today), requiring limited bandwidth and verification resources. If an observer wants to have faster finality guarantees than they could have by simply following the chain or listening to the global gossip, they can opt to participate in all such sub-networks, and collect all acknowledgments. As doing so is permissionless, it can also be expected that aggregate acknowledgments, or equivalent proofs, might become available through some other channels.
Acknowledgment.
An acknowledgment is a tuple , where is a checkpoint with . We also refer to this as an acknowledgment of . A supermajority acknowledgment of is a set of distinct acknowledgments of . At round , after merging the buffer , validator broadcasts the acknowledgment if , i.e., if has been justified in the current slot. An observer which receives a supermajority acknowledgment of a justified checkpoint may consider to be finalized.
Slashing rule for finality voting.
When validator broadcasts an acknowledgment of , it acknowledges that, at the end of slot , it knows about being justified. Since the FFG voting rules prescribe that the source of an FFG vote should be the latest known justified checkpoint, subsequent FFG votes with a source whose slot is constitute a provable violation, which is analogous to surround voting. Accordingly, we formulate a third slashing rule, which ensures that finality via a supermajority acknowledgment is accountably safe. In particular, validator is slashable for an FFG vote and an acknowledgment , if they satisfy , i.e., . In other words, the link surrounds the acknowledged checkpoint.
Theorem 6** (Accountable safety with acknowledgments).**
The finalized chain is accountably safe even when it is updated via acknowledgments as well, i.e., two conflicting finalized checkpoints imply that more than adversarial validators can be detected to have violated , , or .
Proof.
The proof largely follows that of Theorem 4. We again consider two conflicting finalized blocks and , and corresponding finalized checkpoints and . Regardless of whether finalization is through a supermajority link or a supermajority acknowledgment, and have to be justified, by chains of supermajority links (, and (, . Let , and . By the non-equivocation assumption considered in Theorem 4, we again have , and without loss of generality we take . As before, we let , so , and by minimality of . Moreover, also by the non-equivocation assumption, . If is finalized through a supermajority link, the proof of Theorem 4 already shows that at least validators must have violated , and it is still applicable here because it does not use the last supermajority link in the chain finalizing (which may or may not exist here). If instead is finalized through a supermajority acknowledgment, i.e., there are acknowledgments of , then at least validators have violated , because . ∎
Theorem 7** (Single Slot Finality).**
An honest proposal from a slot after is finalized in round by a supermajority acknowledgment.
Proof.
Say the honestly proposed block is . By Lemma 2, checkpoint is justified in all honest views at round . Therefore, all honest validators broadcast an acknowledgment of . Any observer which listens for acknowledgments would receive all such messages by rounds , and thus possesses a supermajority acknowledgment of . Such observer may then consider , and thus also , to be finalized. ∎
8 Conclusions
In this work, we have made significant strides towards realizing a secure and reorg-resilient ebb-and-flow protocol that has the potential to replace Ethereum’s current consensus protocol, Gasper. We have provided a comprehensive analysis and modifications to D’Amato and Zanolini’s RLMD-GHOST protocol, integrating it with a partially synchronous finality gadget. In particular, our protocol introduces a novel approach for achieving single slot finality.
Another significant contribution of our work lies in the expansion of the generalized sleepy model introduced by D’Amato and Zanolini. Our generalized partially synchronous sleepy model introduces stronger constraints related to the adversary’s corruption and sleepiness power and incorporates the concept of partial synchrony. This extension not only enhances the original model but also provides a generalized framework suitable for a wider array of practical scenarios.
However, despite the security guarantees of our protocol, we acknowledge that it is not (yet) practical for real-world implementation. This challenge is due to the current structure of Ethereum, which employs a large pool of validators. Requiring every validator to vote at each slot would necessitate extensive message exchanges – a process that is far from optimal given the scale of Ethereum’s network. Therefore, while our current findings represent a crucial stride towards an improved consensus protocol, they also highlight the need for additional research. Specifically, we need to focus on how we can refine the voting mechanism to better manage and aggregate the messages involved in this process.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Aditya Asgaonkar. Remove equivocating validators from fork choice consideration. URL: https://github.com/ethereum/consensus-specs/pull/2845 .
- 2[2] Vitalik Buterin. Paths toward single-slot finality, 2023. URL: https://notes.ethereum.org/@vbuterin/single_slot_finality .
- 3[3] Vitalik Buterin and Virgil Griffith. Casper the friendly finality gadget. Co RR , abs/1710.09437, 2017. URL: http://arxiv.org/abs/1710.09437 , ar Xiv:1710.09437 .
- 4[4] Vitalik Buterin, Diego Hernandez, Thor Kamphefner, Khiem Pham, Zhi Qiao, Danny Ryan, Juhyeok Sin, Ying Wang, and Yan X Zhang. Combining GHOST and Casper. 2020.
- 5[5] Miguel Castro and Barbara Liskov. Practical byzantine fault tolerance. In Margo I. Seltzer and Paul J. Leach, editors, Proceedings of the Third USENIX Symposium on Operating Systems Design and Implementation (OSDI), New Orleans, Louisiana, USA, February 22-25, 1999 , pages 173–186. USENIX Association, 1999.
- 6[6] Francesco D’Amato, Joachim Neu, Ertem Nusret Tas, and David Tse. No more attacks on proof-of-stake ethereum? Co RR , abs/2209.03255, 2022. URL: https://doi.org/10.48550/ar Xiv.2209.03255 . · doi ↗
- 7[7] Francesco D’Amato and Luca Zanolini. Recent latest message driven ghost: Balancing dynamic availability with asynchrony resilience, 2023. URL: https://arxiv.org/abs/2302.11326 .
- 8[8] Cynthia Dwork, Nancy A. Lynch, and Larry J. Stockmeyer. Consensus in the presence of partial synchrony. J. ACM , 35(2):288–323, 1988.
