to interact with the Mainnet as 'shards', using Rollups [19] to provide extra computational capacity and data storage without compromising on security. Technical details of ParallelChain Enterprise-and-Mainnet interoperability will be discussed in a separate paper. A summary of that paper will be made available in §4.2.

network and processing latencies are not predictable, this problem turned out to be non-trivial: if the message log were a set, and message order didn't matter, any kind of reliable broadcast would suffice. But message order does matter, and two machines separated by a vast ocean could easily receive a pair of messages in the opposite order.
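The ordering problem can be made concrete with a small sketch (the key-value message format here is hypothetical, purely for illustration): two replicas that apply the same pair of messages in opposite orders end up with divergent state, which is why reliable broadcast alone does not suffice.

```python
# Toy illustration of why message order matters for replicated logs.
# The (key, value) message format is hypothetical, for illustration only.

def apply_all(messages):
    """Apply key-value messages to an empty state, in the order given."""
    state = {}
    for key, value in messages:
        state[key] = value
    return state

# Two replicas receive the same messages in opposite orders.
replica_a = apply_all([("balance", 1), ("balance", 2)])
replica_b = apply_all([("balance", 2), ("balance", 1)])

# Their states diverge: delivery order determined the final value.
assert replica_a == {"balance": 2}
assert replica_b == {"balance": 1}
```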
fered by Barbara Liskov² and her then-PhD student Miguel Castro in 1999.

² Also a Turing Awardee, for her work on abstraction and programming languages.

If you have followed so far, it might seem that the problem of consensus is a settled one. What, then, you might ask, is so novel about Bitcoin's Nakamoto Consensus (Proof-of-Work) [1] algorithm that justifies its being hailed as a revolutionary technology on the cusp of disrupting the whole idea of society as we know it? A few more technically-inclined observers in the business community have suggested that Nakamoto Consensus is a solution to the Byzantine Generals problem [2]. You should know by now that even if it is³, that fact alone isn't noteworthy. The full truth is this: since all 'classical' solutions to the Byzantine Generals problem (e.g., PBFT) rely on some kind of voting mechanism, they are vulnerable to Sybil attacks (malicious actors creating many false identities to sway votes in their favor) unless they restrict network membership. Precisely speaking, Nakamoto Consensus is the first solution to the Byzantine Generals problem that works in the fully public, permissionless membership model.

³ Strictly speaking, since blocks in Bitcoin are never truly final, Nakamoto Consensus is not BFT. Practically, however, finality is almost certainly guaranteed after 5-6 blocks.

The fact that 'mining' Bitcoin is highly lucrative and BTC is seen by lay-people as an investment product is a mere side effect of its central role in Nakamoto Consensus. Mining works with hash-chaining to create an incentive structure for mutually-distrusting, anonymous node owners to maintain a globally consistent transaction log, which encodes exactly how much money an identity controls at any particular block height. Bitcoin is not mere e-cash. In the case of PayPal, all users of the service need to trust PayPal Holdings, Inc. to maintain its transaction logs honestly, and to resist both the urge to dishonestly benefit itself and its partners, and the demand by governments and other powerful institutions (or individuals) to censor transactions, seize funds, and infringe on privacy rights. With Nakamoto Consensus, Bitcoiners need not trust anybody.

2.2 Ethereum - the World Computer

For being the first algorithm to solve an extremely general problem in computer science, Nakamoto Consensus' initial flagship application, Bitcoin, seemed disappointingly limited to Waterloo dropout Vitalik Buterin and his collaborators on Ethereum [7]. Limitations of the Bitcoin Script programming language make it impossible for the state machine replicated by the Bitcoin network to support anything other than basic financial applications like escrow and insurance. Prima facie, there is nothing necessary about these limitations in Bitcoin Script. We have been creating and using Turing-complete programming languages since the 1930s. The key problem with having a public, Turing-complete, replicated state machine is a subtle liveness problem: since the Halting Problem is undecidable, there is no easy way to prevent attackers (or bad programmers) from deadlocking the Bitcoin network by publishing a Bitcoin Script program that never terminates. Nakamoto either wasn't interested in a global state machine for general-purpose computing, or gave up trying to solve the liveness problem and simply constrained Bitcoin Script to be Turing-incomplete.

A major innovation of Ethereum is gas fees, which, like mining (which Ethereum also has), can be understood as a technical solution with financial side-effects. Gas limits force long or non-halting programs to terminate when they run out of gas, solving the liveness problem. Gas also incentivizes application programmers to write compact, efficient smart contracts, giving the network a sizeable performance boost at the execution layer. It is hard to overstate how much having a Turing-complete programming language expands the design space for smart contracts: it is a mathematical result that every computation expressible in a 'conventional' programming language like C, Java, or Python is also expressible in Solidity [8]. In theory, applications as disparate as escrow, calculating π to a ludicrous level of precision, and Pokémon Emerald can be developed and run by the Ethereum state machine.

The key words are in theory. In reality, the most popular applications on the Ethereum network are, like the applications on the Bitcoin network, financial applications. People can speculate about the reasons, but two likely explanations are: 1. The transaction fees of the Ethereum network are just too high to justify applications that are not (potentially) financially lucrative, and 2. The Ethereum state machine is too slow. ParallelChain Mainnet attempts to solve both problems.

2.3 'Nobody cares about decentralization' - or, the comeback of classical BFT

Vitalik Buterin identified a set of tradeoffs in blockchain design that he calls the Blockchain Trilemma. The three properties in the Trilemma, taken directly from [9], are:

• Scalability: the chain can process more transactions than a single regular node (think: a consumer laptop) can verify.
• Decentralization: the chain can run without any trust dependencies on a small group of large centralized actors. This is typically interpreted to mean that there should not be any trust in (or even an honest-majority assumption about) a set of nodes that you cannot join with just a consumer laptop.
• Security: the chain can resist a large percentage of participating nodes trying to attack it (ideally 50%; anything above 25% is fine, 5% is definitely not fine).

As with most other industries competing in free markets, it is unlikely that one blockchain network will be conceived that pareto-dominates all other blockchain networks. The most pessimistic interpretation of the Trilemma is that any blockchain system needs to make unpleasant compromises on at least one of the properties. More optimistic interpretations claim either that: 1. Near/medium-term innovations will enable blockchain networks that are maximally scalable, decentralized, and secure, or 2. Some of the properties in the Trilemma are overrated, and do not bring significant value to a blockchain network.

We are optimistic on both counts. On 1., we believe that L2 sharding, designed properly, will allow blockchains to scale somewhat in the medium term. On 2., we believe that users do not see complete anonymity and permissionless membership (a la Bitcoin) as the primary desirable aspect of decentralization. This has a major design consequence: it allows us to use energy-efficient, fast, 'classical' BFT consensus algorithms instead of Nakamoto Consensus or even epochal PoS as used in Tendermint-based systems like Cosmos. As a result, a modest ParallelChain Mainnet network can achieve much higher throughput and lower latency than the fastest 'traditional' blockchain networks, with the corollary that the network can remain profitable for its members even whilst exacting very low transaction fees from its users.

An empirically verifiable fact that supports our stance on 2. is that the vast majority of people do not subscribe to the strong crypto-anarchist vision of governmentless or nearly-governmentless society. Public dissatisfaction with currently ruling governments and successful corporations should be seen as an indictment of said governments and corporations, and not of the idea of government, central banks, and 'trusted third-parties' wholesale. Additionally, even if the intentions behind permissionless decentralization are noble (and we have no reason to doubt that they are), it is becoming common knowledge that public blockchain networks are much more centralized than they might seem on the surface [21] [22].

In contrast with traditional blockchains, ParallelChain Mainnet is intended to be deployed to form networks with a large, stable, and 'Know Your Customer'-ed (KYCed) validator membership. In case some validators decide to collude to fool the network, ParallelBFT, our sharded BFT consensus protocol based on HotStuff [11], prevents them from succeeding and records evidence of their malicious actions. Key to the incentive structure buttressing our network's security is real-life accountability; unlike in Bitcoin or Ethereum, where nodes are anonymous, validators in ParallelChain Mainnet are identified and thus liable to legal and social penalties. In the grand scheme of things, what ParallelChain Mainnet provides is a technological framework to connect together a large number of identified parties with orthogonal real-life interests, 'pooling together' the trust people have in each individual party in order to maintain a global, Turing-complete smart contract platform.
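The fault-tolerance arithmetic underlying classical BFT protocols of this family can be sketched as follows. This is the standard n ≥ 3f + 1 bound from the BFT literature, not a statement of ParallelBFT's exact parameters.

```python
# Standard BFT arithmetic: a network of n validators tolerates at most
# f Byzantine validators where n >= 3f + 1, and decisions require a
# quorum of n - f (= 2f + 1 when n = 3f + 1) matching votes, so that
# any two quorums intersect in at least one honest validator.
# Illustrative of the classical bound, not ParallelBFT's exact parameters.

def max_faulty(n: int) -> int:
    """Largest f such that n >= 3f + 1."""
    return (n - 1) // 3

def quorum_size(n: int) -> int:
    """Votes needed before a decision can safely be committed."""
    return n - max_faulty(n)

assert max_faulty(4) == 1 and quorum_size(4) == 3
assert max_faulty(100) == 33 and quorum_size(100) == 67
```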
3 Basic design

Early on in the design process, we defined a set of properties that we deem any useful public⁴ smart contract platform must have, even before optimizing for the properties in the Blockchain Trilemma:

• Local log immutability: the software running on validators should be programmed such that it can only append to its blockchained transaction log. Optimally, the software should also be able to detect tampering of its local blockchain files.
• Consistency: different validators' transaction logs must not diverge. If a smart contract platform uses a leader-follower model, these should communicate using a protocol that is resistant to Byzantine faults. Consistency failures are precursors to double-spending attacks.
• Validity: validity is an application-layer concept. A transaction is valid if and only if its read and write sets are generated by a smart contract invocation on a 'correct' world state. As Ethereum Classic advocates say: code is law.
• Liveness: the network should be able to make progress with minimal downtime, even in the face of DoS attacks and frequent membership changes.

Additionally, since we designed ParallelChain Mainnet concurrently with the XPLL token, we also agreed on the principle of generality:

3.2 Layered architecture

• Application layer: smart contracts written and deployed on the network by users (including non-validator operators), and the client (desktop, mobile, web, embedded, etc.) software that invokes those smart contracts.
• Execution layer: a program (ParallelChain Engine) that runs smart contracts in response to client requests in an isolated environment, controlling or outright preventing their access to sensitive OS functions like networking and the file system, and abstracting their access to state.
• Data layer: a program (ParallelChain DB) that writes the blockchain into a validator's filesystem and maintains a 'stable state cache': a disk-oriented key-value store⁵ that reflects the replicated state machine's state at a particular block height.
• Consensus layer: a library that implements a consensus algorithm (ParallelBFT in the case of ParallelChain Mainnet, and Paxos in the case of ParallelChain Enterprise) that is used by the data layer process to keep the blockchain consistent across honest replicas.

As alluded to earlier, a major difference between ParallelChain Enterprise and ParallelChain Mainnet is that the latter maintains a separate ParallelBFT process for consensus, whereas the former offloads consensus duties to the state cache process (ParallelChain DB S).
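The 'local log immutability' property listed above can be sketched with a hash-chained append-only log; the class below is an illustrative toy, not ParallelChain DB's actual on-disk format.

```python
import hashlib

# Toy append-only log: each entry's hash chains over its predecessor's,
# so tampering with any committed entry is detectable on verification.
# Illustrative only; not ParallelChain DB's actual on-disk format.

GENESIS_HASH = b"\x00" * 32

class AppendOnlyLog:
    def __init__(self):
        self._entries = []  # list of (payload, chained_hash) pairs

    def append(self, payload: bytes) -> None:
        prev = self._entries[-1][1] if self._entries else GENESIS_HASH
        chained = hashlib.sha256(prev + payload).digest()
        self._entries.append((payload, chained))

    def verify(self) -> bool:
        prev = GENESIS_HASH
        for payload, chained in self._entries:
            if hashlib.sha256(prev + payload).digest() != chained:
                return False
            prev = chained
        return True

log = AppendOnlyLog()
log.append(b"tx1")
log.append(b"tx2")
assert log.verify()

# Rewriting history invalidates the chain from that point onwards.
log._entries[0] = (b"tx1-tampered", log._entries[0][1])
assert not log.verify()
```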
Figure 1: The Layered Architecture of ParallelChain Mainnet and ParallelChain Enterprise
The user compiles their smart contract into WASM bytecode (.wasm) on their local machine, then deploys the bytecode to the ParallelChain network using the ParallelChain CLI. Deploying a smart contract is a transaction on the world state (§3.4) that includes a Set() on a key in a reserved key range. The user provides ParallelChain CLI with a network-unique address and version number for the smart contract. Version numbers are monotonically increasing positive integers without 'gaps'.

Since the blockchain is fully replicated, every validator receives a copy of the smart contract bytecode. Internally, ParallelChain Engine puts deployed bytecode through a round of platform-dependent compilation (using Wasmer's LLVM backend) and caches the resulting binaries to speed up smart contract startup and execution times.

The ParallelChain Engine process uses Wasmer as a secure, deterministic runtime for smart contracts. WASM executes by default in a browser-like sandbox, with no access to system calls and, by extension, networking, the filesystem, etc. This property is essential for any system that accepts and runs untrusted code. The only functions with external side-effects a ParallelChain Mainnet smart contract can execute are those exposed to it by the ParallelChain Smart Contract API.

To improve execution times, ParallelChain optimistically executes all invocations within a block in parallel, merging their read and write sets after the fact using Optimistic Concurrency Control [?]. In workloads with low key-contention, the kind which today's deployed blockchain networks face, this improves throughput significantly.

Sometimes, smart contract logic needs to 'hook' into the consensus layer. Two use-cases that we came across when we designed XPLL were: 1. Getting the current proposer's address using ProposerAddr() during smart contract invocation, since the proposer is entitled to the XPLL transaction fee, and 2. Adding and removing nodes from the network. The ParallelChain Smart Contract API provides functions for these use-cases whose implementations are wrappers for functions in the consensus layer. Typically, network administration actions like 2. should not be undertaken unilaterally. The API for these functions (and other functions with global side-effects) requires that the caller pass a quorum (2/3) of signatures from validators authorizing the specific action to be carried out. Smart contracts implement voting logic themselves.
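The read/write-set merge behind Optimistic Concurrency Control can be sketched as follows. The conflict rule shown (flag an invocation whose read set overlaps an earlier invocation's write set) is one standard OCC validation strategy, not necessarily the exact rule ParallelChain Engine uses.

```python
# Toy sketch of OCC validation over a block's transactions, where each
# transaction is a (read_set, write_set) pair of key sets, in block order.
# A transaction that read a key written by an earlier transaction in the
# same block saw a stale value and must be re-executed serially.
# Illustrative only; not the actual ParallelChain Engine scheduler.

def merge(transactions):
    committed, conflicting = [], []
    written = set()
    for read_set, write_set in transactions:
        if read_set & written:
            conflicting.append((read_set, write_set))
        else:
            committed.append((read_set, write_set))
            written |= write_set
    return committed, conflicting

txs = [
    ({"a"}, {"b"}),  # reads a, writes b: commits
    ({"c"}, {"d"}),  # touches independent keys: commits
    ({"b"}, {"e"}),  # reads b, which was written earlier: conflict
]
committed, conflicting = merge(txs)
assert committed == [({"a"}, {"b"}), ({"c"}, {"d"})]
assert conflicting == [({"b"}, {"e"})]
```

In low key-contention workloads, most blocks produce an empty conflict list, so nearly all invocations keep their parallel execution results.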
3.4 Blockchain and state cache

The state cache in a single ParallelChain Mainnet validator is a single-node (non-distributed) ParallelChain DB instance. Even though ParallelChain DB consists mostly of a fast disk-oriented database (RocksDB), we refer to it as a 'cache' to make clear the fact that the ultimate authority on the world state of the replicated state machine at a particular block height is the blockchain. Strictly speaking, maintaining an up-to-date snapshot of the world state in a database is just an optimization to speed up reads.

In the interest of clarity, we make a distinction between two primitive concepts before specifying the Block data format:

Invocation: An execution-layer concept, i.e., invoking a smart contract. Generally speaking, smart contracts can be categorized into: 1. Stateless smart contracts, whose runtime behavior is totally determined by the invoker's identity (most obviously their public address) and the input argument passed in with the call, and 2. Stateful smart contracts, whose runtime behavior is determined by the world state at a particular block height and invocation index in addition to the aforementioned factors.

Transaction: A data-layer concept. Stateful smart contracts interact with world state using the Get() and Set() methods exposed by the Smart Contract SDK. A transaction is a 2-tuple (readSet, writeSet): readSet an unordered set of Gets, and writeSet an unordered set of Sets. A smart contract invocation produces exactly one transaction.

The blockchain that a ParallelChain Mainnet network collectively maintains is an ordered list of invocations, not transactions. The world state at a particular block height h and invocation index i is defined as the world state constructed by playing (i.e., executing) smart contract invocations one-by-one and in order from the genesis block until and inclusive of the i-th invocation in block h. Table 1 specifies the Invocation data format.

Field name  | Data type | Remarks
scName      | string    |
scVer       | string    |
input       | string    | Passed as a parameter to the invoked smart contract's Handle function
invokerAddr | [64]byte  |
nonce       | uint64    | The number of invocations the invoker has added to the blockchain; prevents invocation replay attacks
invokerSig  | [64]byte  | ed25519 signature over the above fields, generated using the invoker's private key

Table 1: Invocation data format

In contrast, the ParallelChain Enterprise blockchain is exactly an ordered list of transactions, without any information about the smart contract invocation that produced each transaction. This deviation from the ParallelChain Enterprise design is made necessary by the need for ParallelChain Mainnet to provide users with validity (§3.1) guarantees in a network membership model much more challenging than that targeted by ParallelChain Enterprise. Barring immature cryptographic techniques such as ZK proofs, the only way a node operator can be certain that a transaction is valid is to play for themselves the smart contract invocation that the network claims had produced the transaction.

When a smart contract running in an execution container exits, ParallelChain Engine calls the Commit() function in the ParallelChain DB API.

There are no surprises in the block data format, which consists mostly of an ordered list of invocations and the metadata fields typically associated with blockchains. The most significant deviation from the norm is the inclusion of a proposerAddr field.
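The role of the nonce field in Table 1 can be illustrated with a toy validator-side admission check; the class and names below are hypothetical, not ParallelChain's actual implementation.

```python
# Toy replay guard: a validator only accepts an invocation whose nonce
# equals the number of invocations the invoker has already committed,
# so a captured invocation (with its old nonce) cannot be replayed.
# Hypothetical validator-side logic, for illustration only.

class ReplayGuard:
    def __init__(self):
        self.next_nonce = {}  # invoker address -> next expected nonce

    def accept(self, invoker: bytes, nonce: int) -> bool:
        expected = self.next_nonce.get(invoker, 0)
        if nonce != expected:
            return False  # stale or out-of-order nonce: possible replay
        self.next_nonce[invoker] = expected + 1
        return True

guard = ReplayGuard()
alice = b"\x01" * 64  # placeholder 64-byte invoker address

assert guard.accept(alice, 0)
assert guard.accept(alice, 1)
assert not guard.accept(alice, 1)  # replaying a committed invocation fails
```

Since invokerSig covers the nonce, an attacker cannot simply bump the nonce on a captured invocation: that would invalidate the signature.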
Figure 2: Chained HotStuff commit flow. Image
source: [11]
Figure 3: Consensus throughput comparison. Image source: [13]

Figure 4: Consensus latency comparison. Image source: [13]
Chaining has a dramatic impact on throughput: chained HotStuff has a theoretical throughput of 4x that of non-chained HotStuff, achieving an amortized commit latency of 1 commit per message delay. The trade-off is that the actual commit latency, from the point the primary starts transmitting a PREPARE message, is 4 message delays (instead of PBFT's 3, or SBFT's 1). HotStuff's 4-phase commit flow is illustrated in Figure 2.

View changes are part of the commit flow

Unlike other PBFT-family protocols, with complex view-change messages outside of the commit flow that are quadratic in the number of messages, HotStuff's homogeneous phases allow it to deterministically switch to a new leader after every commit with no additional messages. PBFT-family algorithms that use the 'stable leader' paradigm are vulnerable to long-running transaction censorship attacks: even though a malicious leader cannot by itself challenge the safety properties of the algorithm, it can refuse to send out PREPARE messages for selected transactions (e.g., a government preventing a political enemy from transferring their funds to collaborators). It is difficult for honest followers to detect censorship and trigger a VIEW-CHANGE, since the faulty leader might otherwise be sending out PREPARE messages for other transactions. With HotStuff, faulty leaders can only censor transactions for a single block before they are replaced by another (hopefully honest) leader. Quickly rotating leaders also allows us to quickly and easily detect if a validator has gone offline, which could be made a slashable offence to create an incentive structure that promotes higher network uptime.

Several other consensus protocols were considered and rejected during the design of ParallelChain Mainnet. Zyzzyva [14] has high throughput and low latency but was recently found to be vulnerable to sophisticated attacks [15]. Tendermint [12] is battle-tested in high-traffic networks (e.g., Cosmos), but is pareto-dominated by chained HotStuff [13] on every metric but latency⁶. CFT algorithms (like Paxos [5], used in ParallelChain Enterprise) are not suitable for the Byzantine failure model. Figures 3 and 4 compare the performance and scalability characteristics of HotStuff with those of some of the mentioned algorithms.

⁶ A near-term development goal of the Tendermint Core implementation is to design a chained Tendermint. We are looking forward to benchmarking it when it becomes available.

As mentioned previously, ParallelBFT incorporates numerous optimizations over and above the core HotStuff protocol in order to squeeze out every extra bit of performance. Two major optimizations are:

Consensus on hashes

Instead of passing around a complete block in all four stages of consensus (as in HotStuff), we could instead pass around a cryptographic hash of the block in the latter 3 stages. Consensus on hashes is a common optimization for BFT SMR algorithms that has been known since at least [6].

Early execution

In vanilla HotStuff, intra-cluster network and
compute resource usage is minimal whilst the consensus leader waits for enough invocations to be packed into a block, and then suffers sudden spikes when the leader broadcasts a PREPARE message, and when a block gets committed (both events happen every consensus phase in chained HotStuff). This is clearly less than ideal.

We can pipeline network and compute usage by having the leader broadcast valid requests to validators as they come, and having the latter execute the invocations and play the transactions they generate on their world state, with the optimistic expectation that these transactions will eventually be committed at a later phase. If they end up not being committed (e.g., due to node failures), we roll back. This optimization is combined with consensus on hashes to avoid sending the entire block in any of the four stages.

4.1 Invocation flow in the normal case

Figure 5 describes at a high level how code execution jumps between machines and processes in the handling of a single smart contract invocation. A brief rundown of the stages:

1. The client app uses the Client SDK to make a gRPC-on-UDS call to Engine.
2. Engine passes invocations (again, using gRPC) to ParallelBFT, which decides when to pack a block.
3. A consensus round is triggered.
4. Once a block is committed, the gRPC call in step 2 returns. Engine executes the invocations in the block one-by-one by loading the smart contract binary into the execution container process and calling its main() function.
5. Engine passes the Transaction struct generated by the invocation execution into DB F to be committed into the state cache.
6. Engine responds to the Client SDK gRPC call.

The Invoke() function exposed by the Client SDK accepts a blocking parameter. If true is passed, step number 5 becomes step number 2, and the client has to poll the network regularly to check if the invocation was committed into the blockchain. Moderately-sized ParallelChain Mainnet networks should be able to achieve small enough invocation latencies that we expect most applications to pass in false.

4.2 Invocation flow with sharding

Previous versions of this paper included a section on sharding. We have decided that this topic, which spans ParallelChain Mainnet and ParallelChain Enterprise and involves close integration between the two systems, warrants a separate paper by itself. We will update this paper with a summary of said paper in the future. Stay tuned!

5 Conclusion

We have introduced ParallelChain Mainnet: a smart contract platform that makes a set of trade-offs to achieve a set of desirable characteristics (accountability, high throughput, low latency) that we believe suits it for 'real world' deployment. ParallelChain Mainnet will be continuously refined, and possibly expanded. We will update this document accordingly to reflect the latest developments.

References

[1] Nakamoto, S. (2009). Bitcoin: A Peer-to-Peer Electronic Cash System. https://bitcoin.org/bitcoin.pdf

[2] Andreessen, M. (2014, Jan 21). Why Bitcoin Matters. Dealbook - The New York Times. https://dealbook.nytimes.com/2014/01/21/why-bitcoin-matters/

[3] Lamport, L. (1978). Time, Clocks, and the Ordering of Events in a Distributed System. Communications of the ACM 21(7), July 1978. https://dl.acm.org/doi/10.1145/359545.359563
Figure 5: Invocation flow. Dashed orange boxes represent process boundaries.
[4] Lamport, L., Shostak, R., Pease, M. (1982). The Byzantine Generals Problem. ACM Transactions on Programming Languages and Systems (TOPLAS), 1982, p. 382-401. https://dl.acm.org/doi/10.1145/357172.357176

[5] Lamport, L. (1998). The Part-Time Parliament. ACM Transactions on Computer Systems (TOCS), 1998, p. 133-169. https://lamport.azurewebsites.net/pubs/lamport-paxos.pdf

[6] Castro, M., Liskov, B. (1999). Practical Byzantine Fault Tolerance. Usenix Symposium on Operating Systems Design and Implementation, 1999. https://www.usenix.org/conference/osdi-99/practical-byzantine-fault-tolerance

[7] Buterin, V. (2013). Ethereum Whitepaper. https://ethereum.org/en/whitepaper/

[8] Copeland, J. (2017). The Church-Turing Thesis. Stanford Encyclopedia of Philosophy. https://plato.stanford.edu/entries/church-turing/

[9] Buterin, V. (2021). Why sharding is great: demystifying the technical properties. Vitalik Buterin's Website. https://vitalik.ca/general/2021/04/07/sharding.html

[10] Zhou, J., Miller, A., Sears, R., et al. (2021). FoundationDB: A Distributed Unbundled Transactional Key Value Store. ACM Special Interest Group on Management of Data (SIGMOD), 2021. https://www.foundationdb.org/files/fdb-paper.pdf

[11] Yin, M., Malkhi, D., Reiter, M., et al. (2019). HotStuff: BFT Consensus with Linearity and Responsiveness. ACM Symposium on Principles of Distributed Computing (PODC), 2019. https://dl.acm.org/doi/10.1145/3293611.3331591

[12] Buchman, E., Kwon, J., Milosevic, Z. (2018). The latest gossip on BFT consensus. https://arxiv.org/abs/1807.04938

[13] Alqahtani, S., Demirbas, M. (2021). Bottlenecks in Blockchain Consensus Protocols. https://arxiv.org/abs/2103.04234

[14] Kotla, R., Alvisi, L., Dahlin, M., et al. (2007). Zyzzyva: Speculative Byzantine Fault Tolerance. ACM Symposium on Operating Systems Principles (SOSP), 2007. http://www.cs.cornell.edu/lorenzo/papers/kotla07Zyzzyva.pdf