Pravuil: Global Consensus for a United World

Pravuil is a robust, secure, and scalable consensus protocol for a permissionless blockchain suitable for deployment in an adversarial environment such as the Internet. Pravuil circumvents previous shortcomings of other blockchains:
• Bitcoin's limited adoption problem: as transaction demand grows, payment confirmation times grow much lower than other PoW blockchains
• higher transaction security at a lower cost
• more decentralisation than other permissionless blockchains
• impossibility of full decentralisation and the blockchain scalability trilemma: decentralisation, scalability, and security can be achieved simultaneously
• Sybil-resistance for free, implementing the social optimum
• Pravuil goes beyond the economic limits of Bitcoin or other PoW/PoS blockchains, leading to a more valuable and stable crypto-currency


Introduction
A third generation of blockchains has been developed featuring the latest advances in cryptography and sharding to reach maximum performance and security in Internet settings: they usually make use of advances in BFT-like consensus protocols [GK18, LLS+21] and collective signatures [RGK19] to obtain thousands of transactions per second.
In this work, we introduce Pravuil, a robust, secure, and scalable consensus protocol for real-world deployments on open, permissionless environments that, unlike other proposals, remains robust to high adversarial power and adaptation while considering rational participants and providing strong consistency (i.e., no forks, forward-security, and instant transactions). Our protocol is also the first to integrate real-world identity on layer 1 as required by current financial regulations, obtaining Sybil-resistance for free: a very useful property considering the electrical waste produced by Bitcoin, its Achilles' heel, which this blockchain circumvents for the first time by obviating the need to pay the Price of Crypto-Anarchy [Cer19].
To achieve the desired goals, we introduce a new consensus protocol in which we prioritise robustness against attackers and censorship-resistance. We then incorporate zero-knowledge Proof-of-Identity [Cer19] while maintaining an open, permissionless node membership mechanism enabling high levels of decentralisation. Finally, we show a working system of the proposed design in an open-sourced Testnet at https://github.com/Calctopia-OpenSource.

Contributions
In summary, we make the following contributions:
• we propose a consensus protocol that remains robust, secure, and scalable among rational participants in an Internet setting
• we prove liveness, safety, and censorship-resistance of our new consensus protocol
• we discuss the underlying rationale of our design and prove all the advantages that it provides over previous blockchain designs
• we provide an open-source implementation running on a Testnet

Related Literature
Previous blockchain designs [GK18, RGK19, BMC+15, LLS+21] deal with the different trade-offs of the scalability trilemma (security vs. scalability vs. decentralisation), and they are not usually concerned with the economic consequences of their design (e.g., the Price of Crypto-Anarchy) or the legal consequences of the lack of real-world identity as required by recent legislation (FATF's Travel Rule). Previous designs of ByzCoin/OmniLedger/MOTOR ([KKJG+16, KKJG+17, KK19]) proposed Proof-of-Work (PoW) as a Sybil-resistance mechanism: although their consensus protocol is more advanced and performant than Bitcoin's, they would still pay the Price of Crypto-Anarchy [Cer19]. And although other blockchains (e.g., [DGK+20]) provide methods to anonymise real-world identities, they fail to incorporate these privacy techniques into their consensus protocol as they keep on using Proof-of-Stake as a Sybil-resistance mechanism; thus they still pay the Price of Crypto-Anarchy [Cer19], suffer from Bitcoin's limited adoption problem [HJS19] and exist within the same economic limits [Bud18]. [KK19]: in the next section 4, we extend these protocols to address issues that prevent their deployment in an adversarial environment such as the Internet.

Assumptions
In this work, we assume the following model and definitions:
Definition 1. (Strongly-consistent broadcast [RC06]). A protocol for strongly-consistent broadcast satisfies the following conditions except with negligible probability:
• Termination: If a correct party strongly-consistent broadcasts m with tag ID, then all correct parties eventually strongly-consistent deliver m with tag ID.
• Agreement: If two correct parties P_i and P_j strongly-consistent deliver m and m′ with tag ID, respectively, then m = m′.
• Integrity: Every correct party strongly-consistent delivers at most one payload m with tag ID. Moreover, if the sender P_s is correct, then m was previously strongly-consistent broadcast by P_s with tag ID.
• Transferability: After a correct party has strongly-consistent delivered m with tag ID, it can generate a string M_ID such that any correct party that has not strongly-consistent delivered a message with tag ID is able to strongly-consistent deliver some message immediately upon processing M_ID.
• Strong unforgeability: For any ID, it is computationally infeasible to generate a value M that is accepted as valid by the validation algorithm for completing ID unless n − 2t correct parties have initialised instance ID and actively participated in the protocol.
Definition 2. (Partially synchronous model [DDS83, DLS88]). In a partially synchronous network, there is a known bound ∆ and an unknown Global Stabilisation Time (GST), such that after GST, all transmissions between honest nodes arrive within time ∆.
Definition 3. (n = 3f + 1 [FLM86]). The proportion of malicious nodes that an adversary controls accounts for no more than 1/3 of the whole shard. The rest of the nodes are rational, that is, maximisers of their transaction rewards.
Definition 4. (Round-adaptive adversary [PS16]). We assume a mildly-adaptive, computationally bounded adversary that chooses which nodes to corrupt at the end of every consensus round and has control over them at the end of the next round.
Definition 5. (Strong Consistency [KKJG+16]). The generation of each block is deterministic and instant, with the following features:
• There is no fork in the blockchain. By running a distributed consensus algorithm, state machine replication is achieved.
• Transactions are confirmed almost instantly. Whenever a transaction is written into a block, the transaction is regarded as valid.
• Transactions are tamper-proof (forward security). Whenever a transaction is written to the blockchain, the transaction and block cannot be tampered with and the block will remain on the chain at all times.
• Any node can join or leave at any time.
• The number of participating nodes varies at any time and is unpredictable.
Pravuil improves over previous works by using another source of randomness, drand [DRA21a], and by incorporating zero-knowledge Proof-of-Identity [Cer19] as a Sybil-resistance mechanism into the first layer of the consensus protocol.

Goals
To sum up, Pravuil has the following goals:
• Robustness: the consensus round can only be disrupted by controlling the leader node.
• Scalability: the protocol performs well among hundreds of nodes (n = 600).
• Fairness: the malicious leader can only be elected with a probability equal to the percentage of malicious nodes in the system (i.e., the adversary cannot always control the leader).
We detail the extensions over a previous BFT protocol such as ByzCoin/MOTOR in order to obtain an improved blockchain-consensus algorithm.

Rotating Leader
View-change protocols assume a predetermined schedule of leaders, making them susceptible to adversaries that compromise the next f leaders.
To prevent this attack, our blockchain uses drand [DRA21a]: an efficient randomness beacon daemon that utilises bilinear pairing-based cryptography, t-of-n distributed key generation, and threshold BLS [BLS01] signatures to generate publicly-verifiable, unbiasable, unpredictable, highly-available, distributed randomness at fixed time intervals. As described in its online specification [DRA21c], drand uses the BLS12-381 curve, the Feldman [Fel87] Verifiable Secret Sharing protocol and the Joint Feldman protocol [GJKR99] for DKG generation; using threshold BLS signatures as a source of randomness is proven secure [GLOW20] according to its security model [DRA21b].
Proof. The unpredictability property follows from the unforgeability of the BLS [BLS01] signing algorithm, and the unbiasability property follows from the deterministic nature of the BLS [BLS01] signing algorithm. The leader of view v is determined by the outcomes of drand's public service, and all the nodes can publicly verify its election when needed. Thus, the adversary can neither predict nor bias the leader election, preventing the adversary from breaking liveness.
Theorem 11. (Safety / Censorship-resistance). A round-adaptive adversary cannot always control the consensus decision.
Proof. As the leader election is unpredictable (theorem 10), the adversary can only hope that one of its randomly compromised nodes gets chosen. Given the probability that the adversary controls d consecutive leaders, the adversary cannot control the leader forever, which it would need to do in order to always control the consensus decision.
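The following simulation is an added illustration, not code from the paper or from drand: it contrasts a fixed leader schedule with beacon-derived leader election against a round-adaptive adversary that re-picks its f corrupted nodes every round, and reports how many rounds the adversary ends up leading and its longest streak. The beacon is a constructed keyed-hash stand-in for drand output, and the node count n = 600 and f = 199 < n/3 follow the paper's goals and Definition 3.

```python
import hashlib
import random

# Constructed illustration: leader election from a public randomness beacon
# versus a predetermined leader schedule, under a round-adaptive adversary
# that re-chooses its f corrupted nodes at the end of every round.

N_NODES = 600       # shard size from the paper's scalability goal
F_MALICIOUS = 199   # strictly below n/3 (Definition 3)


def beacon_output(view: int) -> bytes:
    """Stand-in for a drand round output (constructed, not real drand).

    Real drand publishes a threshold BLS signature over the round number,
    unpredictable until enough beacon nodes cooperate. Here a keyed hash
    plays that role; the simulated adversary never reads the key.
    """
    secret = b"beacon-group-secret-placeholder"
    return hashlib.sha256(secret + view.to_bytes(8, "big")).digest()


def leader_for_view(randomness: bytes, view: int, n: int) -> int:
    """Deterministic leader index for a view, derived from beacon output.

    Every node that sees the same beacon output computes the same leader,
    which is what makes the election publicly verifiable.
    """
    digest = hashlib.sha256(randomness + view.to_bytes(8, "big")).digest()
    return int.from_bytes(digest[:8], "big") % n


def scheduled_leader(view: int, n: int) -> int:
    """Classic view-change schedule: leaders rotate in a fixed, public order."""
    return view % n


def simulate(rounds: int, n: int, f: int, use_beacon: bool, seed: int = 1):
    """Return (rounds whose leader the adversary controls, longest such streak).

    Simplification: nodes picked at the end of round v are under adversary
    control from round v+1 on (the paper delays this by one more round,
    which does not change the argument).
    """
    rng = random.Random(seed)
    corrupted: set = set()
    controlled = 0
    streak = longest = 0
    for view in range(rounds):
        if use_beacon:
            leader = leader_for_view(beacon_output(view), view, n)
        else:
            leader = scheduled_leader(view, n)
        if leader in corrupted:
            controlled += 1
            streak += 1
            longest = max(longest, streak)
        else:
            streak = 0
        # End of round: the adversary re-selects which f nodes to corrupt.
        if use_beacon:
            # The next beacon output is not public yet, so it can only guess.
            corrupted = set(rng.sample(range(n), f))
        else:
            # The schedule is public: corrupt exactly the next f leaders.
            corrupted = {(view + 1 + k) % n for k in range(f)}
    return controlled, longest


def prob_consecutive_control(f: int, n: int, d: int) -> float:
    """Probability that a fraction f/n of corrupted nodes yields d leaders in a row."""
    return (f / n) ** d


if __name__ == "__main__":
    for label, flag in (("schedule", False), ("beacon", True)):
        hit, run = simulate(3000, N_NODES, F_MALICIOUS, flag)
        print(f"{label:8s}: adversary led {hit}/3000 rounds, longest streak {run}")
    print("P(10 consecutive adversarial leaders) =",
          round(prob_consecutive_control(F_MALICIOUS, N_NODES, 10), 8))
```

With the public schedule the adversary leads every round after the first; with the beacon it leads roughly f/n of the rounds and its streaks stay short, which is the probabilistic argument behind Theorem 11.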

Zero-Knowledge Proof-of-Identity
In a previous work, we introduced zero-knowledge Proof-of-Identity [Cer19] for biometric passports [ICA21] and electronic identity cards to permissionless blockchains in order to remove the inefficiencies of Sybil-resistant mechanisms such as Proof-of-Work [Nak09] and Proof-of-Stake [KN12]. Additionally, attacks [RMD+20, AAM21] on PoW sharded permissionless blockchains are prevented with zk-PoI: an identity will be the same on all the shards, and the attacker can't mine new identities for different shards as is possible on PoW blockchains.
Although some could consider the latest zero-knowledge implementations fast enough, they are still too experimental for production. For the first release, we will use the SGX implementation based on mutual attestation, which works as follows (more details in the original paper [Cer19]):

Discussion
In this section, we discuss the economic rationale underpinning the unique features of this blockchain design that help it overcome previous shortcomings and achieve an improved blockchain tailored to real-world settings according to the experiences of the last decade (e.g., Bitcoin [Nak09]).

Overcoming Bitcoin's Limited Adoption Problem
In a recent paper [HJS19], it is shown that a PoW payments blockchain (i.e., Bitcoin) cannot simultaneously sustain a large volume of transactions and a non-negligible market share:
Proposition 12. (Adoption Problem [HJS19]). Adoption decreases as demand rises (i.e., the adoption rate of a network, c*, decreases in N). Moreover, the blockchain faces limited adoption,
The previous propositions expose that the lack of widespread adoption constitutes an intrinsic property of PoW payments blockchains: as transaction demand grows, fees increase endogenously. Attracted by this growth, more nodes join the validation process, expanding the network size, thus protracting the consensus process and generating increased payment confirmation times: only users insensitive to wait times would transact in equilibrium, and limited adoption arises. Moreover, this limitation cannot be overcome as it is rooted in physics (i.e., network delay).
As pointed out by the previous proposition, centralised blockchains overcome the limited adoption problem: for example, permissioned blockchains that remain secure on an open, adversarial network, such as the blockchain proposed in this paper, enable lower payment confirmation times when omitting PoW's artificial supply constraint,
Proposition 14. (Lower Payment Confirmation Times [HJS19]). For any PoW protocol, there exists a permissioned blockchain that remains secure on an open, adversarial network (i.e., Pravuil) which induces (weakly) lower payment confirmation times.

Obtaining Higher Transaction Security At A Lower Cost
In another recent paper [BH21], it is shown that permissioned blockchains have a higher level of transaction safety than a permissionless blockchain, independent of the block reward and the current exchange rate of the crypto-currency. For a PoW permissionless blockchain, let R be the block reward in the corresponding crypto-currency, x the associated exchange rate to fiat currency, w the block maturation rate (e.g., for Bitcoin, R = 6.25; x = $60,000; w = 100), f the probability of detecting that blocks have been replaced, and β_pl the value above which transactions are not safe,
Note that 51% attacks are becoming more common, especially for purely financial reasons [SSVK20]. For a permissioned blockchain, let P_i be the punishment applied to each node i if it participates in an attack, τ ∈ [0, 1] the probability that nodes that participated in an attack will be punished, and β_P the value above which transactions are not safe, with B being the set of N nodes with the lowest P_i. Typical punishments include confiscating all the funds deposited on the blockchain and banning the node from the blockchain, among others.

Proposition 16. ([BH21]). A permissioned blockchain that is safe in an open, adversarial environment (i.e., Pravuil) has a higher maximum value for transaction safety than a PoW permissionless blockchain if
Even small values of τ will result in higher safety for larger transactions than PoW permissionless blockchains:
Proposition 17. ([BH21]). For τ > 0 and high enough P_i's, a permissioned blockchain that is safe in an open, adversarial environment (i.e., Pravuil) is more resilient than PoW permissionless blockchains whenever
Ultimately, the cost of providing incentives to the validating nodes not to participate in potential attacks (i.e., validating incentives such as block rewards) will be lower for permissioned blockchains.

Proposition 18. ([BH21]). Suppose that β_pl > 0 and β_P > 0; then at equilibrium the validator incentives in the permissioned blockchain that is safe in an open, adversarial environment (i.e., Pravuil) are lower than for the PoW permissionless one.
According to the model of this paper, in order to increase transaction safety, we only need to increase:
• τ, a probability that reflects users' trust in the system
• P_i, a penalty that could also include legal action
In general, the mere existence of credible penalties P_i with positive probability τ is enough for the system to remain secure, without needing to exert punishments in the case of rational attackers. Additionally, note that these parameters are not economic parameters of the system, unlike the parameters for PoW permissionless blockchains.

An Empirical Approach to Blockchain Design
Motivated by the abstract analysis from the previous sub-section 5.2, we use the numerical comparisons between crypto-currencies from the paper [GAR18]. Using two-sample t-tests assuming unequal variances, we compare the following means between permissionless and permissioned blockchains, noting that the differences are statistically significant:
• Cost: permissionless blockchains are costlier (2.83) than permissioned blockchains (4.84). Please note that a higher cost score means that the blockchain is considered to have better costs (i.e., lower costs), and the ranking obtained from this cost score must be reversed to be useful in the next rankings.
It is clear from the empirical data that permissionless blockchains are considered worse than permissioned blockchains when considering cost, performance and security.

Achieving More Decentralisation Than Other Permissionless Blockchains
In yet another recent publication [BHMB21], it is observed that permissioned blockchains could achieve more decentralisation than permissionless blockchains: real-world permissionless blockchains are quite centralised [GBE+18], as there are no formal checks on the underlying centralisation.
In order to obtain a more decentralised permissioned blockchain that is safe in an open, adversarial network (i.e., Pravuil), the node admission/gatekeeping function must be decentralised and open: precisely, this ideal state is achieved with our zero-knowledge Proof-of-Identity [Cer19], as previously explained in sub-section 4.3.

Overcoming The Scalability Trilemma
The scalability trilemma postulates that a blockchain system can have at most two of the following three properties: decentralisation, scalability, and security. In Pravuil, decentralisation, scalability, and security can be achieved simultaneously:
• Decentralisation: as discussed in the previous sub-section 5.4, Pravuil can be more decentralised than other permissionless blockchains by using zero-knowledge Proof-of-Identity, as previously explained in sub-section 4.3. It also circumvents the impossibility of full decentralisation [Cer19].
• Scalability: Pravuil inherits the scalable Rotating-Subleader (RS) communication pattern from MOTOR [KK19], specifically created to avoid the communication bottleneck experienced by classic BFT protocols when run over limited-bandwidth networks.
• Security: Pravuil is secure as previously proved in theorem 10 and theorem 11.

Obviating the Price Of Crypto-Anarchy of PoW/PoS Crypto-currencies
In a previous paper [Cer19], it was pointed out that the most cost-efficient Sybil-resistant mechanism is the one provided by a trusted national PKI infrastructure [Dou02], and a centralised social planner would prefer the use of National Identity Cards and/or ePassports in order to minimise costs: instead, permissionless blockchains are paying very high costs by using PoW/PoS as Sybil-resistant mechanisms. The Price of Crypto-Anarchy compares the ratio between the worst Nash equilibrium of the congestion game defined by PoW blockchains and the optimal centralised solution, quantifying the costs of the selfish behaviour of miners.
Definition. (#26 from [Cer19]). Let NashCongestedEquil ⊆ S be the set of strategies given as the solution of the optimisation problem of Theorem 25 from [Cer19]; then the Price of Crypto-Anarchy is given by the following ratio:
$$\text{Price of Crypto-Anarchy} = \frac{\max_{s \in \mathit{NashCongestedEquil}} \mathit{Cost}(s)}{\mathit{Cost}(\text{zk-PoI})}$$
In practice, the real-world costs of Zero-Knowledge Proof-of-Identity are almost zero as the identity infrastructure is subsidised by governments. However, the situation for PoW/PoS blockchains is quite the opposite:
• PoW blockchains: in 2018, Bitcoin, Ethereum, Litecoin and Monero consumed an average of 17, 7, 7 and 14 MJ to generate one US$ [KT18], and in 2021 Bitcoin may be consuming as much energy as all data centers globally [Dig21, dV21] at 100-130 TWh per year. Holders of crypto-currency ultimately experience the Price of Crypto-Anarchy as inflation from mining rewards, see next
• PoS blockchains: in theory, the costs are identical to the cost of PoW schemes, except that instead of electrical resources and mining chips, they take the form of illiquid financial resources [GG19]; in practice, Proof-of-Stake is not strictly better than Proof-of-Work, as the distribution of the market shares between both technologies has been shown to be indistinguishable (Appendix 3, [EAK+17]).
Bitcoin miners have earned a total of $26.75B as of April 2021: it is not necessary to pay so much for Sybil-resistance; instead, miners could be paid for other tasks (e.g., transaction fees). As previously discussed, obtaining Sybil-resistance for free is not only the key to overcoming Bitcoin's limited adoption problem (section 5.1) and to achieving more decentralisation than other permissionless blockchains (section 5.4), but also to going beyond the economic limits of Bitcoin as discussed in the next section 5.7.

Beyond the Economic Limits of Bitcoin
In a paper about the economic limits of Bitcoin [Bud18], it is pointed out that Bitcoin is prohibitively expensive to run because the recurring, "flow", payments to miners for running the blockchain (particularly, the cost of PoW mining) must be large relative to the one-off, "stock", benefits of attacking it. Let V_attack be the expected payoff to the attacker, P_block the block reward to the miner and α the duration of the attack net of block rewards; then
placing serious economic constraints on the practicality and scalability of the Bitcoin blockchain, a problem that seems intrinsic to any anonymous, decentralised blockchain protocol. Consequently, the author poses the open question of finding another approach to generating anonymous, decentralised trust in a public ledger that is less economically expensive: indeed, the technical solution presented in sub-section 4.3, which incorporates zero-knowledge Proof-of-Identity [Cer19], is a technology that is "scarce and non-repurposable", affordable, and not susceptible to sabotage attacks that could cause a collapse in the economic value of the blockchain, which the author of [Bud18] would deem meritorious, closing said open question.
A more recent paper [GG19] continues the previous economic analysis [Bud18], extending it to PoS and permissioned settings. For the permissionless PoS setting, it finds that the costs are identical to the cost of PoW schemes, except that instead of electrical resources and mining chips, they take the form of illiquid financial resources; zk-PoI [Cer19], however, is free. For the permissioned case concerning this paper, if the block reward is set exogenously, it finds that a permissioned blockchain would have lower costs than permissionless PoW or PoS blockchains in the economic model of [Bud18].

More Valuable and Stable Crypto-currencies
A review of previous literature in economic research reveals the following interesting facts regarding the intricate relationship between PoW mining (i.e., hashrate, electricity and/or equipment costs) and crypto-currency prices:
• There is a positive relationship between mining hashrate and price [GPB+15, Hay16]: the causality is primarily unidirectional, going from the price to the hashrate [FK20], although mining incidents and political shocks that affect mining also negatively impact prices.
• Bitcoin's security is sensitive (elastic) to mining rewards and costs, although temporary mining cost and price shocks do not affect the long-run blockchain security [CdKR21]: a 1% permanent increase in the mining reward increases the underlying blockchain security by 1.38% to 1.85% in the long run; positive shocks to electricity prices in China have a negative impact on the hashrate in the short run; a 1% increase in the efficiency of mining equipment increases the computing capacity between 0.23% and 0.83% in the long run; in the short run, mining competition intensity has a statistically positive impact leading to expansion of mining capacity, but in the long run the relationship is reversed.
• High fixed mining rewards are the source of the instability in reaching an equilibrium between miners and users [Iyi18]; instead, mining rewards should be adjusted dynamically.
• The production of crypto-currency by miners is jointly determined with the price used by consumers [PB18]: the equilibrium price depends on both consumer preferences (i.e., price increases with the average value of censorship aversion and with the current and future size of the network) and the industrial organisation of the mining market (i.e., price increases with the number of miners and decreases with the marginal cost of mining). Price-security spirals amplify demand and supply shocks: for example, a sudden demand shock provoked by a government banning the crypto-currency in a country would lead to price drops, itself leading to miners decreasing hashrate, further decreasing prices, with the feedback loop continuing until a new equilibrium is reached in multiple rounds. In other words, Bitcoin's security model embeds price volatility amplification.
• In a PoW blockchain, it is impossible to simultaneously achieve all three of the following goals [Pag20]: maximise crypto-currency price, blockchain security, and social welfare.
Similar results can be found for PoS blockchains because they substitute illiquid and volatile financial resources for electricity and mining costs [GG19].
In general, the interdependencies can be described graphically as the following cycles and spirals:
However, we break most of the previous interdependencies and spirals with our strongly-consistent blockchain with free Sybil-resistance:
• blockchain and transaction security are independent of blockchain mining capacity, mining costs and rewards, and price: once a transaction is instantly committed, it is committed forever.
• there are no price-security spirals for demand and supply shocks: changes in prices do not lead to changes in security.
• as the blockchain's security is independent of price, it is possible to maximise crypto-currency price and social welfare.
Ultimately, our blockchain design leads to more valuable and stable crypto-currencies.

Implementation
Pravuil has a Testnet deployed with a working implementation consisting of:
• a blockchain layer in Go and Java, invoking drand [DRA21a] as described in sub-section 4.2 of this paper.
• zero-knowledge Proof-of-Identity [Cer19] in Python and C.
All the code will be open-sourced at https://github.com/Calctopia-OpenSource, including future developments.

Conclusion
In this work, we presented Pravuil, an improvement over previous blockchains that is suitable for real-world deployment in adversarial networks such as the Internet. Pravuil achieves this feat by:
• unpredictably rotating leaders using drand [DRA21a] to defend against adversaries and censorship attacks: drand is an Internet service that generates publicly-verifiable, unbiasable, unpredictable, highly-available, distributed randomness at fixed time intervals.
• using for the first time zero-knowledge Proof-of-Identity [Cer19] as a Sybil-resistance mechanism to overcome Bitcoin's limited adoption problem [HJS19] and to go beyond the economic limits of Bitcoin [Bud18], delivering more decentralisation than other permissionless blockchains [BHMB21].
• building on the design of a blockchain layer that scales out with strong consistency, prioritising robustness over scalability.

Figure 4.1: Simplified overview of mutual attestation protocol.