In the previous article of the technical paper review series we explored FastFabric (Understanding FastFabric: How to scale Hyperledger transactions per second).
In this article we review Loki, a privacy-oriented blockchain system built on top of the Monero source code, and its hybrid consensus algorithm. Loki uses a hybrid proof-of-work/proof-of-service system that offers a unique way to financially incentivise the operation of full nodes. Loki brings in a number of innovative features for secure private communication.
The paper broadly has 9 sections, which are as follows:
We combine some of these sections and provide only a summary of the relevant information from each. We skip the Governance part of the paper, as it only covers how network maintenance, funding and voting happen; this blog focuses on the technical features.
As discussed in the introduction, the platform uses Monero as the core network. Monero is an evolution of the well-known CryptoNote protocol, which is the core logic behind the leading privacy-oriented cryptocurrencies. The CryptoNote protocol is based on ring signatures, stealth addresses and RingCT; these cryptographic primitives are used to build confidential transactions that hide the details of a transaction's participants from other users.
For the Loki ecosystem to maintain privacy, it is important to not only provide a medium of exchange that underpins the internal economy but to also minimise the risk of temporal analysis when interactions occur across Loki’s independent layers. For example, when engaging in layer-one transactional services, users should never lose the privacy guarantees they receive from the second-layer and vice versa.
The network makes use of ring signatures to obfuscate the true history of transaction outputs. Ring signatures will be mandatory for all Loki transactions (excluding block reward transactions), and uniquely, a fixed ring-size of ten is enforced on the blockchain.
The network makes use of stealth addresses to ensure that the true public key of the receiver is never linked to their transaction. Every time a Loki transaction is sent, a one-time stealth address is created and the funds are sent to this address. Using a Diffie-Hellman key exchange, the receiver of the transaction is able to calculate a private spend key for this stealth address, thereby taking ownership of the funds without having to reveal their true public address. Stealth addresses protect the receivers of transactions and are a core privacy feature of the blockchain.
RingCT was first proposed by the Monero Research Lab as a way to obfuscate transaction amounts. Current deployments of RingCT use range proofs, which leverage Pedersen commitments to prove that the amount being sent in a transaction lies between 0 and 2^64. This range ensures that only non-negative amounts of currency are sent, without revealing the actual amount sent in the transaction. Recently a number of cryptocurrencies have proposed implementing bulletproofs as a replacement for traditional range proofs in RingCT because of the significant reduction in transaction size.
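As an added example (not code from the whitepaper or from the Loki code base), here is the Diffie-Hellman derivation described above, worked over the Ed25519 group that CryptoNote builds on. SHA-256 stands in for CryptoNote's Keccak hash-to-scalar, and the affine point arithmetic is deliberately simple and far too slow for production use.

```python
import hashlib
import secrets
# Ed25519 in affine twisted-Edwards coordinates: the curve CryptoNote/Monero build on.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point G
D = (-121665 * pow(121666, P - 2, P)) % P
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)

def add(p, q):
    (x1, y1), (x2, y2) = p, q
    t = D * x1 * x2 * y1 * y2 % P
    inv = pow((1 + t) * (1 - t) % P, P - 2, P)  # one field inversion serves both coordinates
    return ((x1 * y2 + x2 * y1) * (1 - t) * inv % P, (y1 * y2 + x1 * x2) * (1 + t) * inv % P)

def mul(k, p):
    r = (0, 1)  # neutral element of the group
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def hash_to_scalar(point):
    # CryptoNote hashes the shared point with Keccak; SHA-256 stands in here (assumption).
    x, y = point
    digest = hashlib.sha256(x.to_bytes(32, "little") + y.to_bytes(32, "little")).digest()
    return int.from_bytes(digest, "little") % L

def keygen():
    """Private (view a, spend b) and public (A, B); the pair (A, B) is the address users share."""
    a, b = secrets.randbelow(L), secrets.randbelow(L)
    return (a, b), (mul(a, G), mul(b, G))

def sender_one_time_address(A, B):
    """Sender: a fresh r per transaction; R is published with the tx and funds go to P, never to B."""
    r = secrets.randbelow(L)
    R = mul(r, G)
    return R, add(mul(hash_to_scalar(mul(r, A)), G), B)

def receiver_scan(a, b, B, R, P_out):
    """Receiver: a*R == r*A (Diffie-Hellman), so only the view-key holder recognises the output.
    Returns the one-time private spend key x, or None when the output belongs to someone else."""
    hs = hash_to_scalar(mul(a, R))
    if add(mul(hs, G), B) != P_out:
        return None
    return (hs + b) % L

def spend_key_matches(x, P_out):
    """x*G == P, so the receiver can sign for the output without ever exposing B on chain."""
    return mul(x, G) == P_out
```

A wallet scans every output on chain with `receiver_scan`; the one-time key differs for every transaction, so two payments to the same address cannot be linked by an observer.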
The network uses a hybrid consensus algorithm: one part for block creation and the other for incentivising the network's users.
As mentioned above, the service node layer is responsible for the interaction with the core network, and hence the incentivising mechanism is programmed at this layer. It follows a consensus called proof of service, which is a modified version of proof of stake.
As mentioned above in the Consensus section, block creation is done through proof of work. Miners collect and write transactions into blocks and collect fees for doing so. The rewards are split into 3 parts.
Service nodes are an integral part of the network; most of its scalability comes through these incentivised nodes. To operate a Service Node, an operator time-locks a significant amount of Loki and provides a minimum level of bandwidth and storage to the network. Node operators receive a portion of the block reward from each block.
The specifications of block creation are as follows:
To register as a service node, the operator needs to time-lock an amount of Loki on the network; it unlocks only after a minimum of 21,600 blocks, which is roughly 30 days.
The core network is where anonymity and the network protocols come into play. Basic anonymity is achieved through onion routing; the network uses a low-latency onion routing protocol for this and acts as a decentralised overlay network. Users can connect to individual Service Nodes and create bidirectional paths for packets to be routed through. The network can also be used to access internally hosted services called SNApps. The system uses a hybrid mixnet solution for this, combining ideas from Tor and I2P.
The well-known onion routing mixnet Tor is used here. Tor is an overlay network that provides strong privacy on top of all the available networks, and it is maintained by the Tor foundation. Anyone can run a Tor node; on installation the node connects to the default ten Tor nodes in the system, and a file called the consensus is shared with it. This file holds information about all the nodes in the network. Based on its network bandwidth, the incoming node is assigned the role of relay, guard node or exit node.
This design is considered centralised because of the 10 authority nodes, which are the core of the system. In 2014 there was a threat to the network which resulted in the taking down of 5 out of the 10 nodes. Tor also cannot carry UDP traffic, which leaves applications such as VoIP and RTC unsupported.
I2P takes a different approach to mixnet architecture, maintaining a higher level of trust agility by referring to a Distributed Hash Table (DHT) to ascertain the network state instead of trusted directory authorities. I2P also allows for both TCP and UDP traffic, supporting a larger scope of protocol interactions. I2P differs from Tor in that it offers a packet-switched (rather than circuit-switched) network. Instead of establishing a single longer-term tunnel through which all traffic travels, I2P establishes multiple paths, so that each packet being communicated can take a different route through the network. This gives I2P the ability to transparently route around network congestion and node failures.
I2P uses 2048-bit ElGamal, which makes encryption and decryption slow in contrast to elliptic curve operations.
I2P lacks formal support for exit nodes, meaning the majority of traffic on the network is accessing internally hosted websites, called Eepsites. This has greatly reduced the ability for the I2P network to reach users whose main purpose for using anonymising networks is to access the wider internet.
Underlying all applications for Service Nodes is an anonymous routing protocol, which defines the way each Service Node communicates with its peers. Loki proposes a new routing protocol called LLARP which is designed as a hybrid between Tor and I2P to provide additional desirable properties versus any existing routing protocol. LLARP is built specifically to run on top of the Loki Service Nodes network and all LLARP optimisations consider this architecture. To understand the goals of LLARP, it is best to conduct an analysis of existing routing protocols and consider how LLARP improves upon them.
Similar to the investment that miners make in hardware, each Service Node operator freezes Loki coins when they begin to operate a Service Node. This frozen capital serves two purposes.
Messenger: a highly secure messaging system that is decentralised, end-to-end encrypted and private. There are two different approaches to sending messages in the system.
Online messaging uses higher-bandwidth communication, and messages are not stored on the service nodes. Once Alice knows Bob's public key, she assumes he is online and tries to create a path to him. Alice does this by querying the DHT of any Service Node and obtains any introduction set that corresponds with Bob's public key. In LLARP, introduction sets list the introducers that each user maintains. It is through these introducers that paths can be established. With Bob's introducer, Alice now chooses three random Service Nodes to act as intermediary hops between her origin and her destination (Bob's introducer). A path has now been established, through which Alice and Bob can transmit messages. If correctly authenticated, and using OTR, Alice and Bob can now communicate while maintaining a high level of privacy.
If Alice fails to receive a response from Bob, she can then initiate the offline messaging process. Offline routing uses a modified version of Postal Services over Swarm (PSS). Swarms are logical groupings of Service Nodes, based both on their public keys and the hash of the block that their staking transaction first appeared in. Each swarm has a swarmID and consists of nine nodes. To send a message to Bob, Alice can use his public key to calculate which swarm Bob belongs to. With this information, Alice can anonymously route a message through the network to a random Service Node in that swarm. When a Service Node receives a unique message destined for its swarm, it must distribute that message to the other eight nodes in the swarm. All nodes are additionally required to store messages for their allocated Time-to-live (TTL). When Bob comes online, he can query any two nodes in his swarm for messages he can decrypt. Offline messaging is protected from spamming with a small proof-of-work that is attached to each message.
The Loki team has done a good job of addressing the privacy and security concerns that might arise in the network. Some of them follow:
Like other CryptoNote coins, Loki does not have a fixed block size. Instead, the block size changes over time, growing to include more transactions as the network reaches higher transaction throughput. The Loki block size scales by observing the median block size over the last 100 blocks and slowly retargets the maximum size of any new blocks accordingly.
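The whitepaper gives the 100-block median rule but not the exact retarget formula, so this added example (not the project's own code) assumes a floor of 300,000 bytes and a cap of twice the recent median; the simulation shows how slowly a producer who pads every block to the limit can push that limit up.

```python
from statistics import median

WINDOW = 100               # from the text: the median of the last 100 blocks drives the limit
MIN_BLOCK_SIZE = 300_000   # assumed floor in bytes; the whitepaper gives no number here
GROWTH_FACTOR = 2          # assumed: a new block may be at most twice the recent median

def block_size_limit(history):
    """Largest block the next producer may build, from the sizes of the preceding blocks."""
    recent = list(history[-WINDOW:]) or [MIN_BLOCK_SIZE]
    return max(MIN_BLOCK_SIZE, GROWTH_FACTOR * int(median(recent)))

def blocks_until_limit(history, wanted_limit, choose_size, max_blocks=10_000):
    """Simulate successive producers and return how many blocks it takes for the limit
    to reach wanted_limit, or None if it never does within max_blocks.
    choose_size(limit) is the producer's policy, e.g. lambda lim: lim to pad every block."""
    history = list(history)
    produced = 0
    while block_size_limit(history) < wanted_limit:
        limit = block_size_limit(history)
        history.append(min(choose_size(limit), limit))  # nodes reject blocks above the limit
        produced += 1
        if produced >= max_blocks:
            return None
    return produced
```

Because the median only moves once more than half of the window consists of padded blocks, a single producer cannot inflate the block size in a burst; it costs them dozens of consecutive blocks per step.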
In cryptography, a ring signature is a type of digital signature that can be produced by any member of a group of users who each hold a key. A message signed with a ring signature is therefore endorsed by someone in a particular group of people. In our case, these are used to hide real outputs among others in a given transaction. The size of a ring signature refers to how many mixins are used to construct the ring. Monero currently has an enforced minimum ring signature size of seven, with six mixins used alongside the real unspent output in a transaction.
There was an interesting study by the Monero Research Lab in which they conducted experiments with differing ring signature sizes. It was found that higher ring sizes reduce the timeframe in which a malicious attacker who owned a large number of unspent outputs would be able to perform effective analysis of transactions.
Loki improves on Monero by statically enforcing ring sizes and setting the ring size to ten. Statically setting the maximum ring size protects users who construct rings with more than nine mixins, and setting the minimum ring size to ten more effectively prevents an attacker who owns a large number of outputs from discerning the true outputs spent in a ring signature.
ASICs are special types of chips designed to do a particular task. In the context of mining, ASICs are used to compute specific hashing algorithms. They pose a risk to decentralisation because they outpace all other mining methods, are manufactured by specific companies, have very limited distribution channels due to the specialised nature of the hardware, and require significant capital to develop and operate profitably. The network uses the CryptoNight Heavy proof-of-work algorithm to resist ASIC mining.
To prevent both attacks, the network requires that a short proof-of-work be attached when both messages and paths are created. For messages, this proof-of-work is calculated as a Blake2b hash of the message. For path creation, the proof-of-work is sent along with the request for a node to be included in the path building process. To ensure scalability and accessibility for mobile users, the proof-of-work difficulty requirement is fixed based on the Time-to-live (TTL) of the message or the path, and not on global network activity.
Deep packet inspection (DPI) aims to investigate the structure of each individual packet that passes through a firewall, and to selectively drop or block packets that appear to relate to a particular service.
Much work has been done to design systems which evade DPI. Users can leverage pluggable transports, which alter the signature of each packet so that it appears to be normal, unblocked traffic. IP blocking is generally avoided by running domain fronting bridges, which encrypt traffic as HTTPS requests to unblocked services like Azure or Cloudflare. Once they reach the unblocked service, the bridge forwards the request to the desired location. In the case of domain fronting, it becomes difficult for a state-level actor to prevent the flow of all traffic to popular bridges without causing significant disruption to the general usage of the internet.
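The message proof-of-work from this section and the spam protection for offline swarm messages described earlier, as an added example that is not the project's code: the difficulty is derived only from the requested TTL (the linear rule, the TTL cap and the clock-skew tolerance are assumptions), and the swarm node checks the work with a single Blake2b hash before agreeing to store the message.

```python
import hashlib
import time

MAX_TTL = 4 * 24 * 3600   # assumed cap on how long swarm nodes must store a message (seconds)
CLOCK_SKEW = 600          # assumed tolerance for sender clock drift (seconds)
WORK_PER_HOUR = 1 << 16   # assumed: expected hashes per hour of requested storage

def difficulty_for_ttl(ttl):
    """Cost depends on the TTL alone, so a mobile sender can predict it regardless of network load."""
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("TTL out of range")
    return WORK_PER_HOUR * -(-ttl // 3600)  # ceil(ttl / 3600) hours of storage

def pow_hash(recipient, timestamp, ttl, nonce, body):
    """Blake2b over every field a node checks, so none can be changed without redoing the work."""
    h = hashlib.blake2b(digest_size=32)
    for part in (recipient, timestamp.to_bytes(8, "big"), ttl.to_bytes(4, "big"),
                 nonce.to_bytes(8, "big"), body):
        h.update(part)
    return int.from_bytes(h.digest(), "big")

def mint(recipient, body, ttl, timestamp=None):
    """Sender side: search for a nonce that brings the hash under the TTL-derived target."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    target = (1 << 256) // difficulty_for_ttl(ttl)
    nonce = 0
    while pow_hash(recipient, timestamp, ttl, nonce, body) >= target:
        nonce += 1
    return {"recipient": recipient, "timestamp": timestamp, "ttl": ttl, "nonce": nonce, "body": body}

def verify(env, now=None):
    """Swarm node side: freshness checks plus one hash; returns a reject reason, or None to accept."""
    now = int(time.time()) if now is None else now
    try:
        target = (1 << 256) // difficulty_for_ttl(env["ttl"])
    except ValueError:
        return "bad-ttl"
    if env["timestamp"] > now + CLOCK_SKEW:
        return "future-timestamp"
    if env["timestamp"] + env["ttl"] <= now:
        return "expired"
    if pow_hash(env["recipient"], env["timestamp"], env["ttl"], env["nonce"], env["body"]) >= target:
        return "insufficient-work"
    return None
```

Binding the TTL and timestamp into the hash matters: otherwise a sender could mint once for a short TTL and then ask the swarm to hold the message for days.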
The Loki project is an intriguing project in the blockchain space. Although still in beta, the team is doing a remarkable job of addressing many of the privacy concerns and chain-analysis techniques that de-anonymise network transactions. The core element, the service node, is built in C++ and acts as a wrapper around the secure Monero core. Some features, such as smart contracts and easy tokenisation, are missing from the platform as of now, and it will be interesting to see whether they can bring those features to the Loki network.
We have not covered the Governance part of the white paper in this article; please refer to the original white paper if you are interested in it.