Consensus Through Herding

  • T.-H. Hubert Chan
  • Rafael Pass
  • Elaine Shi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11476)


State Machine Replication (SMR) is an important abstraction for a set of nodes to agree on an ever-growing, linearly-ordered log of transactions. In decentralized cryptocurrency applications, we would like to design SMR protocols that (1) resist adaptive corruptions; and (2) achieve small bandwidth and small confirmation time. All past approaches towards constructing SMR fail to achieve either small confirmation time or small bandwidth under adaptive corruptions (without resorting to strong assumptions such as the erasure model or proof-of-work).

We propose a novel paradigm for reaching consensus that departs significantly from classical approaches. Our protocol is inspired by a social phenomenon called herding, where people tend to make choices considered as the social norm. In our consensus protocol, leader election and voting are coalesced into a single (randomized) process: in every round, every node tries to cast a vote for what it views as the most popular item so far. Such a voting attempt is not always successful; rather, it succeeds with a certain probability. Importantly, the probability that the node is elected to vote for \(v\) is independent of the probability that it is elected to vote for \(v' \ne v\). We will show how to realize such a distributed, randomized election process using appropriate, adaptively secure cryptographic building blocks.

We show that amazingly, not only can this new paradigm achieve consensus (e.g., on a batch of unconfirmed transactions in a cryptocurrency system), but it also allows us to derive the first SMR protocol which, even under adaptive corruptions, requires only polylogarithmically many rounds and polylogarithmically many honest messages to be multicast to confirm each batch of transactions; and importantly, we attain these guarantees under standard cryptographic assumptions.
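The election process described above can be sketched as follows. This is an added illustration, not the paper's construction: HMAC-SHA256 stands in for the adaptively secure building block, the success probability and all function names are assumptions, and `herd` runs a toy all-honest, synchronous network.

```python
import hashlib
import hmac
from collections import Counter

DIFFICULTY = 0.05  # assumed per-attempt success probability


def elected(sk: bytes, rnd: int, item: bytes, p: float = DIFFICULTY) -> bool:
    """Item-specific election: the ticket is a keyed hash of (round, item).

    Binding the item into the ticket means that winning the right to vote
    for v in a round says nothing about winning it for v' != v.
    HMAC is a stand-in here (assumption); it is not publicly verifiable.
    """
    msg = rnd.to_bytes(8, "big") + item
    ticket = int.from_bytes(hmac.new(sk, msg, hashlib.sha256).digest(), "big")
    return ticket < int(p * 2**256)


def joint_rate(sk: bytes, rounds: int, a: bytes, b: bytes,
               p: float = DIFFICULTY) -> float:
    """Fraction of rounds in which one node is elected for both a and b."""
    both = sum(elected(sk, r, a, p) and elected(sk, r, b, p)
               for r in range(rounds))
    return both / rounds


def herd(inputs: dict, rounds: int, p: float = DIFFICULTY) -> Counter:
    """Toy run: inputs maps each node's key to its initial item."""
    votes = Counter()
    for r in range(rounds):
        cast = []
        for sk, own in inputs.items():
            # Vote for the most popular item seen so far; before any vote
            # exists, fall back to the node's own input.
            choice = max(votes, key=lambda v: (votes[v], v)) if votes else own
            if elected(sk, r, choice, p):
                cast.append(choice)
        votes.update(cast)  # successful votes reach everyone at round end
    return votes


if __name__ == "__main__":
    # Constructed sample: 50 nodes split across three candidate batches.
    nodes = {f"node{i}".encode(): f"tx-batch-{i % 3}".encode()
             for i in range(50)}
    print(herd(nodes, rounds=40).most_common())
    print(joint_rate(b"node0", 20000, b"tx-batch-0", b"tx-batch-1", p=0.25))
```

With independent tickets the joint election rate is close to the product of the two marginal rates, and once any vote has been cast every honest node in this toy run herds onto the same item.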




Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. The University of Hong Kong, Lung Fu Shan, Hong Kong
  2. Cornell and Thunder Research, New York, USA
