Sharding-Based Proof-of-Stake Blockchain Protocols: Key Components & Probabilistic Security Analysis

Blockchain technology has been gaining great interest from a variety of sectors including healthcare, supply chain, and cryptocurrencies. However, Blockchain suffers from a limited ability to scale (i.e., low throughput and high latency). Several solutions have been proposed to tackle this. In particular, sharding has proved to be one of the most promising solutions to Blockchain’s scalability issue. Sharding can be divided into two major categories: (1) Sharding-based Proof-of-Work (PoW) Blockchain protocols, and (2) Sharding-based Proof-of-Stake (PoS) Blockchain protocols. The two categories achieve good performances (i.e., good throughput with a reasonable latency), but raise security issues. This article focuses on the second category. In this paper, we start by introducing the key components of sharding-based PoS Blockchain protocols. We then briefly introduce two consensus mechanisms, namely PoS and practical Byzantine Fault Tolerance (pBFT), and discuss their use and limitations in the context of sharding-based Blockchain protocols. Next, we provide a probabilistic model to analyze the security of these protocols. More specifically, we compute the probability of committing a faulty block and measure the security by computing the number of years to fail. We achieve a number of years to fail of approximately 4000 in a network of 4000 nodes, 10 shards, and a shard resiliency of 33%.


Introduction
With the rise of Bitcoin [1], Blockchain has attracted significant attention from both industry and academia. More specifically, it has been adopted across different industries including healthcare [2,3], finance [4], and the public sector [5]. However, Blockchain suffers from poor scalability [6]. For example, in the case of cryptocurrencies, Bitcoin [1] handles between three and seven transactions per second (tx/s), which is very limited compared to traditional electronic payment systems (e.g., PayPal [7]). Several solutions were proposed to scale Blockchain. In particular, sharding has emerged as a promising solution [6]. Sharding consists of partitioning the network into sub-networks, called shards. All shards work in parallel to enhance the performance of the network. More specifically, each shard processes a sub-set of transactions instead of the entire network processing all the transactions. While sharding considerably improves scalability, it decreases the level of Blockchain security. More specifically, in sharding-based Blockchains, it is easier for a malicious user to attack and conquer a single shard compared to the whole network. This attack is well-known as a shard takeover attack (also referred to as a 1% attack) [8].
Blockchain networks are susceptible to sybil attacks by malicious nodes (called sybil nodes). Several consensus mechanisms (e.g., PoW, PoS, and pBFT) have been proposed to defend against these sybil nodes. Sharding-based Blockchain protocols [6,9] can be classified into two classes: sharding-based PoW and sharding-based PoS Blockchain protocols.
Recently, Hafid et al. [8,10,11] proposed mathematical models to analyze the security of sharding-based PoW protocols. However, to the best of our knowledge, there is no existing work that proposes a probabilistic security analysis of sharding-based PoS Blockchain protocols except an earlier version of this paper, which has been published in [12].
In this paper, we focus on the second category. We start by presenting the key components of these protocols. This article briefly describes PoS and pBFT consensus mechanisms, and discusses their use and limitations in the context of sharding-based Blockchain protocols. Finally, we propose a probabilistic model to analyze the security of these protocols by computing the probability of committing a faulty block. Based on these probabilities, we calculate the number of years to fail for the purpose of quantifying and measuring the security of the network.
The remainder of the paper is organized as follows. Section 2 presents the key components of sharding-based PoS Blockchain protocols and compares these protocols with related Blockchain protocols. Section 3 presents the proposed probabilistic model. Section 4 presents the numerical results and evaluates the proposed model. Section 5 present limitations of the paper and future work. Lastly, concluding remarks are given in Section 6.

Key Components of Sharding-Based PoS Blockchain Protocols
In this section, we cover the main components of shading-based PoS Blockchain protocols and compare these protocols with Bitcoin and sharding-based PoW Blockchain protocols.

Key Components
In this section, we shed light on the key components of sharding-based PoS Blockchain protocols. More specifically, we focus on Incognito [13] as an example. However, most of the sharding-based PoS Blockchain protocols share the same structure (see Figure 1). The key components of these protocols are: • Validator: A node (can be malicious or honest) that competes to produce and add blocks to the blockchain. • Consensus mechanism: Most of the sharding-based PoS Blockchain protocols use pPFT alongside PoS. PoS is an alternative consensus mechanism to PoW. Unlike PoW, which relies on miners with hash power to solve a mathematical puzzle, PoS relies on validators staking coins. Validators are selected based on the number of coins they stake (e.g., a validator with 10% of the total coins staked, has a 10% probability of adding a block to the blockchain). PoS consists of selecting validators in proportion to their number of coins. Validators are responsible for adding new blocks to Blockchain. pBFT is an algorithm that tolerates Byzantine faults [14]; An algorithm belonging to the Byzantine Fault Tolerance (BFT) class. BFT is the ability of the network to reach a consensus, on some value, even in the case of having some failed and/or malicious nodes in the network. Lamport et al. [15] proved that if we have 3m + 1 correctly working processors, a consensus (agreement on same value) can be reached if at most m processors are faulty; this means that strictly more than two-thirds of the total number of processors should be honest.

Comparison with Related Blockchain Protocols
To demonstrate the advantages and limitations of sharding-based PoS Blockchain protocols, Table 1 shows a comparison of its performance with sharding-based PoW Blockchain protocols and PoS Blockchain protocols. This comparison reflects that sharding-based PoS Blockchain protocols have several good features. Specifically, sharding-based PoS Blockchain protocols have higher transaction throughput, requires less computational power, and in some cases offers higher level of privacy (e.g., Incognito [13]) and lower transactions fees. However, some limitations still remain in sharding-based PoS Blockchain protocols; for example, centralization concerns caused by coinage. Table 1 shows that by using sharding alongside PoS and pBFT consensus mechanisms, we get better performance without the need for high hash computing power. For example, the throughput of Incognito [13] scales out linearly with the number of shards. Specifically, Incognito achieves a significantly higher number of transactions (up to 800 tx/s for only 64 shards; thus, for 100 s of shards, the throughput will be in 1000 s tx/s). Zilliqa [16] handles up to 2800 tx/s [17]. Uses small committee size Centralization concern due to coinage Centralization concern due to coinage Centralization concern due to coinage Incognito [13] claims significantly higher performance compared to other privacy Blockchains (e.g., Nxt [19] and Zcash [20]). Nxt [19] can usually handle less than 10 tx/s while Zcash handles only 6 tx/s.

Probabilistic Model
In this section, we propose a probabilistic model to analyze the security of a shardingbased PoS Blockchain protocols, called Incognito [13].

Notations & Architecture
This section describes the notations and definitions used to represent the proposed probabilistic model as well as the architecture of Incognito [13]. Table 2 shows the notations and symbols that are used throughout the paper.

Definition 1 (Faulty block). A faulty block is a block that contains fraudulent transactions.
Definition 2 (Conquering the Protocol). A protocol is said to be conquered if the malicious nodes succeed in adding a faulty block to the blockchain. Definition 3 (Committee Resiliency of a Shard). The maximum percentage of malicious nodes that the committee of the shard chain can contain while remaining secure. Definition 4 (Committee Resiliency of the Beacon Chain). The maximum percentage of malicious nodes that the committee of the beacon chain can support while remaining secure.  Figure 1 shows the structure/architecture of Incognito [13], a sharding-based PoS Blockchain protocol. The network contains a single beacon chain and ζ shard chains. Each user/node can stake to be a validator either for the beacon chain or for the shard chain (see Figure 1). Shard chains produce blocks in parallel. All shard chains are synchronized by the beacon chain. More specifically, each shard has its own committee, which is randomly assigned by the beacon chain. Each shard chain processes a subset of the transactions submitted to the network. When a shard block is created, the beacon committee verifies the block; if it is valid, it adds the block header to the beacon chain. Otherwise, it drops it and sends the proof to other shards for a vote to slash the misbehaving shard committee. Furthermore, in each epoch, the beacon chain shuffles the committees of the shards to ensure security. For Incognito [13], when a new random number is generated, the beacon chain shuffles the committees; one epoch, for Incognito, corresponds to generating a new random number. This number is generated periodically in a round-robin fashion [13,21].

Probability Distributions
The main idea behind the sharding solution is to split/divide the network into subsets, called shards. Every single shard processes a subset of transactions rather than the entire network processing all transactions. This idea allows the network to scale (in terms of the number of transactions per second) with the number of shards. However, this technique may compromise the security of the network [8].
Let X be a random variable that represents the number of malicious nodes sampled in the committee of a shard from the validators in that shard. Each of the sampled nodes can be placed in one of 2 distinctive and disjoint groups; honest nodes group or malicious nodes group. Because the committees do not overlap, we have sampling without replacement. Thus, we conclude that X follows the hypergeometric distribution with parameters V, M, and n (it can be written as follows: X ∼ H(V, M, n)).
The probability mass function corresponds to X can be defined as follows [22]: where max(0, n − V ) ≤ ω ≤ min(M, n) and V − M = H.

Lemma 1.
The probability of a shard's committee to commit a faulty block (P) can be expressed as follows: Proof of Lemma 1 results directly from the cumulative hypergeometric distribution [8,11].
Similarly to X, X follows the hypergeometric distribution with parameters V , M , and n .

Lemma 2.
The probability of at least δζ shards committees committing a faulty block (P ) can be computed as follows: Proof of Lemma 2. The minimum number of committees to commit a faulty block is δζ , where ζ is the number of shards. The probability of exactly δζ committees confirm/agree to add a faulty block can be expressed as follows: The probability to commit a faulty block by exactly δζ + 1 committees can be expressed as follows: Similarly, the probability of exactly ζ committees (the entire number of shards in this case) agreeing to add a faulty block can be expressed as follows: A faulty block can be committed if δζ or δζ + 1 or δζ + 2, · · · , or ζ committees agree to add this block. This can be mathematically computed by the sum over all these probabilities and can be expressed as follows: Lemma 3. The probability of the beacon's committee committing a faulty block (P ) can be expressed as follows: Proof of Lemma 3 results directly from the cumulative hypergeometric distribution [8,11].
Theorem 1 (Committing a Faulty Block). The probability of committing a faulty block (P f ) by a given sharding-based PoS Blockchain protocol can be expressed as follows: Proof of Theorem 1. To commit a faulty block, it must be confirmed/verified by at least βn of the shard committee members, by at least γn of the beacon committee members, and by at least δζ of all shards' committees. This can be expressed by the product over the three probabilities (the calculated probabilities in Lemmas 1, 2, and 3).

Years to Fail
To make the measurement of the security more readable, we propose to compute the average number of years to fail (Y f ) based on the calculated failure probability (i.e., the probability of conquering the protocol). This number can be expressed as follows: where P f is the probability of committing (adding) a faulty block to the blockchain and N s is the number of sharding rounds per year (also referred to as the number of epochs per year).

Evaluation Results
In this section, we evaluate the effectiveness of the proposed probabilistic model via numerical simulations.

Simulation Setup
In order to implement the proposed probabilistic model, we make use of a built-in Python library called SciPy. We import hypergeom, a hypergeometric discrete random variable, from the scipy.stats module. Specifically, we use the cdf (i.e., cumulative distribution function) function. We also make use of the math module, which provides access to mathematical functions (e.g., the floor function). For the results plot, we make use of matplotlib.pyplot library.

Results and Analysis
In Figure 2, we assume a network with N = 2000 nodes, V = 200, V = 400, ζ = 8, r = r = 0.5. We chose these values for r and r to make the results more readable. However, we can use other values (e.g., Incognito [13] values). Figure 2 illustrates how the committee size of the shard impacts its failure probability P as well as the failure probability of all shards P and the relationship between the committee size of the beacon chain and its failure probability P . In particular, Figure 2a shows the probability of a shard to commit a faulty block versus the size of the committee. We observe that the probability P decreases when the size of the committee increases. More specifically, we observe that the probability corresponding to R = 0.2 (i.e., 20% of malicious nodes in each shard) decreases rapidly compared to those of R = 0.25 and R = 0.3; this can be explained by the small percentage of malicious nodes. In other words as the percentage of malicious nodes decreases, so does the probability. Figure 2b shows the probability of all shards committing a faulty block versus the size of the committee. We observe that the probability P decreases when the size of the committee increases. Similarly, as the percentage of malicious nodes slightly increases in the shard, the probability of committing a faulty block increases. Figure 2c shows the probability of the beacon chain to commit a faulty block (P ) versus the size committee of the beacon chain (n ). We also observe that the probability P decreases when the size of the committee increases. More specifically, we observe that the probability corresponding to R = 0.2 (i.e., 20% of malicious nodes in the beacon chain) decreases sharply compared to those of R = 0.25 and R = 0.3. In Figure 3, we assume a network with 2000 nodes, V = 200, V = 400, ζ = 8, n = 100. Figure 3a shows the probability of conquering the protocol when varying the committee size of the shard. We observe that as the committee size of the shard increases the probability of conquering the protocol decreases. Figure 3b shows the number of years to fail (Y f ) versus the committee size of the shard. We observe that when the committee size of the shard increases, the number of years to fail increases as well.   Table 3 shows the probability of conquering the chain (i.e., the probability of committing a faulty block; it is calculated based on Theorem 1) for different percentages of malicious nodes in the shards as well as in the beacon chain. Moreover, Table 3 shows the number of years to fail corresponding to these probabilities. We observe that as the percentage of malicious nodes increases the number of years to fail decreases. More specifically, we observe that the probability of conquering the chain is extremely low even with 20% of the malicious nodes in each shard as well as in the beacon chain. This achieves good security, reaching about 1.74E + 17 years to fail.  Table 4 shows the trade-off between the values of n and n that provide certain target value of years to fail. We consider a network with 2000 nodes, V = 200, V = 400, ζ = 8, R = R = 0.3, and δ = r = r = 0.33. To reach a level of security corresponding to 2500 years to fail, you should set n to 95 and n to 150 or n to 85 and n to 145. However, you should adjust the values of n and n carefully to reach the desired target. Similarly, if you have a network with 4000 nodes, V = 300, V = 1000, ζ = 10, R = R = 0.3, and δ = r = r = 0.33 and set years to fail to as 4000, we can achieve it by setting n to 100 and n to 250 or n to 122 and n to 130. It is evident that there are different possibilities and combinations of the values of n and n . However, you should adjust these values (n and n ) carefully to reach the desired target (the desired number of years to fail (Y f )). Finally, we conclude that by adjusting the committee size of the shard as well as the committee size of the beacon chain, we can protect sharded Blockchain systems (based on PoS) against malicious nodes (e.g., Sybil nodes).

Limitations of the Paper and Future Work
Our study has some limitations, including the fact that the proposed probabilistic model is similar to that of Incognito [13]. However, each sharding-based PoS Blockchain protocol bears a specific structure, which is slightly different from other sharding-based PoS Blockchain protocols (e.g., Harmony [17]). Furthermore, this study does not provide an in-depth literature review of sharding-based PoS Blockchain protocols since the objective was to provide a brief and simple presentation of the key components of these protocols. The aim of doing so was to prepare the readers to understand how we can deal with the security analysis of these protocols using probability distributions.
Future works will focus on analyzing the security of novel types of sharding-based Blockchain protocols including DankSharding by Ethereum [23], Shardus [24] and probabilistic analysis of cross-shard transactions.

Conclusions
In this paper, we first illustrate the key components of sharding-based PoS Blockchain protocols. Next, we discuss two consensus mechanisms, PoS and pBFT. We also address the security of Incognito, a sharding-based PoS Blockchain protocol. In particular, we provide a probabilistic model to compute the probability of committing a faulty block. Based on this probability, we compute the number of years to fail. Furthermore, this article depicts that we can control the number of years to fail by adjusting the size of the shard as well as the size of the beacon committee. Our future work includes the computation of the failure probability across shard transactions.