Cryptocurrency
with central bank regulations:
the RSCoin framework
Roman Oliynykov, Ph.D., Dr.Habil.,
Arseniy Seroka, Jonn Mostovoy
IOHK
IACR Summer School on Blockchain Technologies
Corfu, Greece
June 1st, 2016
Roman Oliynykov, Arseniy Seroka, Jonn Mostovoy The RSCoin framework 1 / 41
Outline
Thanks to George Danezis and Sarah Meiklejohn, developers of RSCoin, for an essentially new approach to the architecture of cryptocurrencies.
Bitcoin open problems and governmental interest in the application of blockchain-based technologies.
Architecture and general properties of RSCoin.
Haskell implementation of RSCoin.
Open questions of RSCoin.
Proposals for RSCoin further development.
Some open problems for Bitcoin
poor scalability: the practically available throughput is up to 7 transactions per second; cf. VISA and MasterCard, which can process tens of thousands of transactions per second;
network latency: long transaction approval time, up to tens of minutes or even longer in specific cases;
liquidity limits (still relevant in 2016): exchanges which trade bitcoins are unable to convert really large amounts of bitcoins to fiat currency;
stability and predictability issues:
    exponential growth of mining difficulty leads to an oligopoly of Bitcoin network control: very few mining pools may dictate rules for the whole Bitcoin network;
    a Goldfinger attack: an entity with computational resources over some threshold can effectively work against the rest of the Bitcoin network;
    wasted computational power and energy (up to 1 GW);
    enormous Bitcoin miner bonus on each transaction (paid by a large number of newcomers): at least $3 even on a penny-size money transfer (cf. more than $600 million annual miners' reward in 2015 and not more than 7 transactions per second, with 31.5 million seconds per year).
Governmental interest in
Blockchain-based technologies
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/492972/gs-16-1-distributed-ledger-technology.pdf
Open problem for traditional decentralized
cryptocurrencies: governmental application
the loss of control over monetary supply;
little to no flexibility for macroeconomic policy;
extreme volatility in their value as currencies.
RSCoin: cryptocurrency framework proposal
for central banks
a central bank is a trusted entity (and the central bank only);
centralization of the monetary supply: every unit of a particular currency is created by the central bank;
a transparent transaction ledger;
a distributed system for maintaining transaction ledger;
a globally visible monetary supply (and more visible transactions on shares, derivatives, etc.);
easily scalable solution (to provide necessary amount of transactions per second).
Proposed in "Centrally Banked Cryptocurrencies" by George Danezis and Sarah Meiklejohn
Different types of participants in RSCoin
a central bank (the only trusted entity);
mintettes (institutions authorized by a central bank for validating transactions for some period of time);
users (senders and receivers of transactions).
NB: mintettes and users are not trusted and their misbehavior can be detected and ultimately held accountable.
Functions of each participant in RSCoin (I)
central bank:
authorization of mintettes for a given period of time (authorization is accomplished by a PKI-type functionality);
forming a higher-level block from lower-level blocks provided by mintettes;
arbitration procedures (when necessary);
monetary supply for macroeconomic policy.
NB: there is no interaction between the central bank and users.
Functions of each participant in RSCoin (II)
mintette:
certification that there is no double-spending for a transaction's input addresses (for transactions provided by users);
verification of transactions with evidence from other mintettes; including these transactions in its own lower-level block and providing the user with evidence that the transaction will be included in the higher-level block;
providing lower-level blocks to the central bank for forming the higher-level block.
NB: there is no direct interaction between mintettes, but they have cross-hashing for their lower-level blocks.
Functions of each participant in RSCoin (III)
user:
requesting evidence of double-spending absence from sender's mintettes;
sending that evidence to receiver's mintettes and obtaining confirmation that the transaction will be included in the higher-level block;
Users' transactions are divided between mintettes into "shards"; each transaction is served by several mintettes.
Simplified model of RSCoin transactions
Including only valid transactions in the next block
each (honest) mintette verifies all transactions provided by users; only valid transactions will be included in its lower-level block;
the central bank receives cross-hashed lower-level blocks from mintettes and forms the higher-level block;
each user has evidence from the mintette(s) (with a digital signature) that the transaction will be included in the higher-level block.
Incentivizing mintettes for active participation
reward fees for transactions;
special coin generation transactions (cf. block mining reward in Bitcoin) allowed by the central bank.
Key integrity properties
no double-spending;
non-repudiable sealing;
timed personal audits;
universal audits;
exposed inactivity.
Consensus parties for each transaction
a user;
mintettes of input (sender) address;
mintettes of output (receiver) address;
the central bank.
NB: consensus is reached by some subsets of mintettes with central bank arbitration (not by the whole network as in Bitcoin)
General properties of RSCoin
a framework that allows any central bank to deploy their own cryptocurrency;
full control over monetary supply, its visibility for the central bank
    more visible transactions on shares, derivatives, etc.;
scalability and fast transaction approval: adding mintettes allows linear scaling; simulation by the authors of the paper shows that 30 mintettes process approx. 2000 trans/sec (cf. 7 trans/sec for Bitcoin);
no wasted resources (electricity, etc.) with proof-of-work;
the central bank is always assumed to be honest;
cross-hashed low-level transaction ledgers from mintettes;
    it may be invisible to users (or visible if it is allowed by the central bank);
Haskell implementation of RSCoin
Current implementation
Follows the work of Dr. Danezis and Dr. Meiklejohn
As close to the paper as possible
Implemented everything from scratch
Haskell as programming language
Why Haskell?
Industrial applicability
Ease of implementation of academic papers
Strong guarantees during the compilation
QuickCheck as testing framework
    authored by Dr. Hughes
    generic testing of distributed systems by Konstantin Ivanov of ITMO University with help of David Turner
Codebase
Open: https://github.com/input-output-hk/rscoin-haskell
≈ 900 commits, 6 contributors
Clean
Hackable
Decoupled
Implementation details (technologies)
MsgPack-RPC for communication
    debuggable binary protocol
    our team developed a patch
Blake2b for hashing
ED25519 for signing
acid-state as persistence layer
conduit as streaming data processing
Performance
Benchmarking, profiling, tuning, tweaking, etc.
Performance pitfalls
Networking (lots of communication due to protocol)
Haskell-related (immutability, GC)
IO (database)
Threads (context switches, locks)
Approach (1 / 2)
Tuning GC with right RTS options
Persistence almost as fast as memory-based
Fast libraries (text, bytestring, unordered-containers, vector, pqueue, etc.)
Strictness
Profiling tools
Compiler and RTS options
ghc-prof-flamegraph & FlameGraph
ThreadScope for OS threads
ghc-events-analyze for green threads
criterion for pure functions
strace
Benchmark conditions and results (1)
Serokell version:
    1 computer, 4 cores
    1 bank
    1 mintette
    2 users (2000 transactions total)
    760 TPS (transactions per second)
Paper (Danezis) version:
    Amazon EC2 t2.micro instances
    25 users
    5-30 mintettes
    9 mintettes: ≈ 760 TPS
    1 mintette: ≈ 400 TPS
Further development of RSCoin
Open questions of RSCoin (I)
1. Mintette incentive procedure for fair fee distribution.
    The need to take into account mintettes' activity from both input and output shards, under the condition of an unreliable (delayed) physical network and possibly dishonest behaviour of users' software.
2. Mintette incentive for investing in infrastructure to provide better service.
    Building its own reliable data center with reserved high-speed internet channels, etc. should definitely give the possibility to maximize mintette profit.
Open questions of RSCoin (II)
3. Potentially long time between the periods for high-level block generation by the central bank.
    Merging all lower-level blocks from mintettes requires removal of many duplicated transaction records, which needs many sequential operations and cannot be fully run in parallel.
4. Variants for further increasing the attack complexity of double-spent transactions.
    As in RSCoin there are no transaction ledger forks and no network votes for selecting one of them, a double-spent transaction, if it appears, may be removed by administrative means of the central bank only. The complexity of such attacks may be additionally increased (compared to the current model, where the majority of some shard's mintettes are dishonest ones).
Potential weaknesses of the RSCoin current version
(the worst case scenario)
The system may not have its best performance.
    There is no principal advantage for mintettes which invest in infrastructure.
A not clearly defined procedure for mintette rewards might lead to the following (being presented as network transport problems):
    user's software may infiltrate competitive mintettes' replies, decreasing their income (in the case when the user's software is implemented by a company affiliated with some mintette).
Problems with transparent investigation of the mentioned cases.
    Presence of dishonest officials in the central bank might help to hide unfair competition.
Proposed further features for RSCoin
A clear procedure for mintette rewards, with the possibility of transparent control of competition fairness (not involving administrative requests to the bank, etc.)
    Additional info needed to check competition fairness should be automatically included in the ledger.
Transparent transaction ledger obligatorily available to all mintettes.
    For the current version of RSCoin, the central bank may share UTXO for specific shards only (not revealing high-level blocks), and it will be enough for normal work of the system.
High-level block is produced by mintettes.
    For a rather long period involving millions of transactions, merging of lower-level blocks by the central bank may require significant time, delaying the next period.
Proposal for further RSCoin development
High-level block is formed by mintettes (based on an RSCoin-like and BitShares-like procedure) and only signed by the central bank.
    The system becomes transparent (mintettes have access to the transaction ledger in any case) and a new period is not delayed by the bank due to the lower-level block merging procedure.
Introducing mintette "veto" on transactions.
    As all mintettes are authorized by the bank and may be penalized by it, such a feature increases the attack complexity for a double-spent transaction to be included in the high-level block.
User software includes mintettes' replies, obligatorily preserving their order.
    This feature allows selecting the fastest mintettes to get an additional reward. If users' software returns a list in incorrect order, it can be easily revealed by simple analysis.
High-level block is formed by mintettes
Another layer of mintettes, forming the high-level block, is introduced.
Output (receiver) mintettes, on confirming a user's transaction, not only include it in their lower-level block, but also spread it among the shard of "high-level" mintettes (like users do).
Such a "high-level" mintette:
    having enough confirmations for a consensus among output (receiver) mintettes, sends the transaction to the current "witness" mintette for inclusion in the high-level block (obligatorily preserving the confirmation list order);
    being a "witness" in its turn, collects transactions from other mintettes and forms a high-level block (in predefined order, like in BitShares), spreading the new block among other mintettes;
The central bank just takes transactions from the high-level block (skipping replies from sender and receiver mintettes, etc.) and signs such a block.
Advantages of forming high-levels block by
mintettes
The system running the improved cryptocurrency:
has obligatory transparency for "high-level" mintettes in all cases: they need all transactions, which, in turn, have a lot of additional info from users and mintettes;
    fair competition may be easily verified by any "high-level" mintette;
remains easily scalable;
may produce high-level blocks with the required frequency (e.g., 1 per second);
does not lead to delays from the central bank between periods.
Introducing mintette ”veto” on transactions
All mintettes are authorized by the bank and required to behave honestly.
A single contradiction among mintettes means misbehaviour (not processing the last block for UTXO update) or an attempt to work against the rules by some mintette(s).
A transaction with at least one "veto" vote is blocked and sent to the central bank for investigation, for penalizing dishonest participants and rewarding honest ones.
Application of RSCoin by commercial companies may additionally include security deposits from mintettes for penalizing and assurance policy.
Advantages of mintette ”veto” on transactions
The difficulty of an attack to include a double-spent transaction in the high-level block increases.
An attacker must create a transaction where
a majority of mintettes are dishonest (it is not sent to the remaining honest ones);
    such statistics, where there are only a few confirmations from sender mintettes, may be additionally verified by the receiver mintette as suspicious, which also increases attack difficulty;
    the attacker must also take into account the majority of the receiver shard;
or
all sender mintettes are dishonest;
    the number of collaborating dishonest mintettes increases as the attack difficulty.
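The difference between the current majority model and the proposed "veto" rule, as an added example (not part of the slides and not rscoin-haskell code). The `Mintette` class, the shard of five, the output identifier and the decision labels are constructed assumptions.

```python
from enum import Enum

class Vote(Enum):
    CONFIRM = "confirm"
    VETO = "veto"

class Mintette:
    """Constructed model of a shard member with its own view of spent outputs."""
    def __init__(self, name, honest=True):
        self.name, self.honest, self.spent = name, honest, set()

    def vote(self, tx_input):
        # An honest mintette vetoes an input it has already seen spent;
        # a dishonest one confirms regardless (the case the veto guards against).
        if self.honest and tx_input in self.spent:
            return Vote.VETO
        self.spent.add(tx_input)
        return Vote.CONFIRM

def majority_rule(votes, shard_size):
    """Current model: accept once a strict majority of the shard confirms."""
    confirms = sum(v is Vote.CONFIRM for v in votes.values())
    return "accept" if confirms > shard_size // 2 else "reject"

def veto_rule(votes, shard_size):
    """Proposed model: a single veto blocks the transaction and escalates it."""
    vetoers = sorted(m for m, v in votes.items() if v is Vote.VETO)
    if vetoers:
        return "blocked", {"report_to_bank": vetoers}
    decision = majority_rule(votes, shard_size)
    # Only a few replies from the sender shard is itself a signal that
    # receiver mintettes can treat as suspicious.
    suspicious = decision == "accept" and len(votes) < shard_size
    return decision, {"suspicious": suspicious}

def run_scenario():
    # Constructed shard: three colluding mintettes, two honest ones.
    shard = [Mintette("m1", honest=False), Mintette("m2", honest=False),
             Mintette("m3", honest=False), Mintette("m4"), Mintette("m5")]
    utxo = "addr-A:0"                      # constructed output identifier
    for m in shard:                        # first, legitimate spend
        m.vote(utxo)
    votes = {m.name: m.vote(utxo) for m in shard}   # same output spent again
    return majority_rule(votes, len(shard)), veto_rule(votes, len(shard))

if __name__ == "__main__":
    print(run_scenario())
```
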
User software includes mintettes replies obligatory
preserving their order
The fastest mintettes will statistically appear first in most transactions.
The central bank pays an additional bonus to mintettes which serve users faster (e.g., to 33% of the fastest mintettes).
It creates an incentive for mintettes to invest in their infrastructure to provide better service.
Dishonest user software can be easily revealed by analyzing statistics in the transaction ledger (by comparing replies from different user software clients working at the same network provider).
The same principle is also applied to output mintettes.
Advantages of obligatory preserving order of
mintettes replies
mintette incentive to create the best infrastructure for fastest processing of users' requests (the central bank reward);
combined with a transparent transaction ledger, it allows verification of competition fairness by any participant ("high-level" mintette);
dishonest users' software is easily revealed by statistical analysis of the ledger, and direct evidence can be collected by analysis of input and output traffic.
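A sketch of the ledger analysis described on this slide and the previous one, as an added example (not from the slides or rscoin-haskell): it compares the reply ordering of clients on the same network provider and then selects the bonus set. The ledger entry fields, the median-profile test and the 0.3 threshold are assumptions made for illustration; the 33% figure is the slide's own example.

```python
import math
from collections import Counter, defaultdict
from statistics import median

def first_place_share(entries):
    """Fraction of transactions in which each mintette's reply is listed first."""
    firsts = Counter(e["replies"][0] for e in entries)
    total = sum(firsts.values())
    return {m: c / total for m, c in firsts.items()}

def suspect_clients(entries, threshold=0.3):
    """Flag clients whose ordering profile departs from peers on the same provider."""
    by_provider = defaultdict(lambda: defaultdict(list))
    for e in entries:
        by_provider[e["provider"]][e["client"]].append(e)
    flagged = set()
    for clients in by_provider.values():
        if len(clients) < 3:          # too few peers for a meaningful median
            continue
        profiles = {c: first_place_share(es) for c, es in clients.items()}
        mintettes = {m for p in profiles.values() for m in p}
        typical = {m: median(p.get(m, 0.0) for p in profiles.values())
                   for m in mintettes}
        for c, p in profiles.items():
            # Total variation distance between this client and the median profile.
            dist = 0.5 * sum(abs(p.get(m, 0.0) - typical[m]) for m in mintettes)
            if dist > threshold:
                flagged.add(c)
    return flagged

def bonus_mintettes(entries, fraction=0.33, exclude=()):
    """Fastest `fraction` of mintettes by first-place share."""
    kept = [e for e in entries if e["client"] not in exclude]
    share = first_place_share(kept)
    k = max(1, math.ceil(len(share) * fraction))
    return sorted(sorted(share), key=lambda m: -share[m])[:k]

def tx_batch(client, first, n):
    """Build n constructed ledger entries whose reply list starts with `first`."""
    order = [first] + [m for m in ("m1", "m2", "m3") if m != first]
    return [{"client": client, "provider": "isp-1", "replies": order}] * n

# Constructed ledger: m1 is genuinely fastest; walletC always lists m3 first.
LEDGER = (tx_batch("walletA", "m1", 7) + tx_batch("walletA", "m2", 2)
          + tx_batch("walletA", "m3", 1) + tx_batch("walletB", "m1", 6)
          + tx_batch("walletB", "m2", 3) + tx_batch("walletB", "m3", 1)
          + tx_batch("walletC", "m3", 20))
```

On this constructed ledger the raw ranking would pay the bonus to m3; excluding the flagged client restores m1.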
Additional properties of RSCoin with implemented
proposals
Mintettes' incentive to invest in infrastructure to provide the best service.
Transparent fee distribution among mintettes, easily verifiable by any participant ("high-level" mintettes).
    The central bank dictates its rules, but every participant may verify whether everyone follows them, without depending on an official investigation by the bank.
High speed of high-level block production, while remaining highly scalable.
No significant delay before starting a new period by the central bank.
Increased difficulty of double-spending attacks.
All key integrity properties of the current version of RSCoin remain valid.