šŸŽ©The Phantom Protocol

In PHANTOM, a miner refers to all blocks in tips(G), where G is the DAG that the miner observes locally at the time the new block is created, rather than extending a single chain. The miner should publish its new block as soon as it is ready. Together, these two guidelines make up PHANTOM's DAG mining protocol.

The aforementioned DAG mining algorithm specifically indicates that both blocks are added to the blockDAG and used as references by all (honest) miners even if two blocks contain conflicting transactions. The main issue is therefore how to restore the blockDAG's consistency. In our system, this is accomplished by making sure all 12 mini blocks which are set 10 seconds apart after reaching the mature difficulty point. Each mini block supports layer 2 block chain which creates a staking block every 1.67 Seconds reducing the transaction time and also increasing the security. These staking blocks point to Mini Block consisting of block reward of 0.3 MET and these then point to the subsequent Mega Block which is created every 2 minutes with block reward of 3 MET and also points to the same previous hash. This is then further verified while creating a MET block. All the previously created Mega and Mini blocks in 10 minutes should point to the previous MET Block and Subsequent MEGA block as well. Approving those who came before them. By achieving consensus on the sequence of blocks, PHANTOM ensures that there is also agreement on the set of allowed transactions.

In essence, Bitcoin may be viewed as an ordering protocol as well, with the longest chain of blocks' worth of transactions coming before those with the shortest chain. However, the protocol underlying Bitcoin is only known to be secure under low block rates.

Unfortunately, the security analysis of existing blockchains is not as general as ours (e.g., their attacker does not take advantage of providing consulting information to different honest parties), while the analysis of METCHAIN does not carry to the setting of GHOST. This is because the GHOST rule is a natural, albeit radical, reformulation of how each miner determines the main chain. In GHOST, miners adopt blocks in the structure of a tree. Note that in both Bitcoin and GHOST one can consider parties collecting all mined blocks in a tree data structure. However, while in Bitcoin the miners would choose the most difficult chain as the main chain, in GHOST, they will determine the chain by greedily following the heaviest observed subtree. This means that for the same subtree, a Bitcoin miner and a GHOST miner may choose a completely different main chain. Furthermore, it means that the difficulty of the main chain of honest parties does not necessarily increase monotonically (it may decrease at times) and thus a fundamental argument (namely that blockchain monotonically increases) that made the analysis of our possible, does not hold anymore.


In contrast to METCHAIN, we propose a new analysis framework for blockchain protocols that focuses on trees of blocks. Due to this system, it can debate random variables on the participant-created block trees. We may describe ideas like a node being d-dominant in our framework, which indicates that the block corresponding to that node would be favored over other sibling nodes by a margin of d based on a particular weight measure. In fact, by demonstrating that Bitcoin and GHOST adhere to the same rule but just for a different weight measure, allows us to unify the description of both.

We then offer the first formal security proof of the GHOST rule for blockchain systems using our framework. In particular, it is demonstrated that GHOST is a reliable transaction ledger that meets liveness and persistence requirements. The new methodology, which is referred to as the fresh block lemma, which condenses the features of the resilient transaction ledger into a single lemma, allows us to obtain this result.

We use the abstraction suggested in METCHAIN for our model. Particularly, synchronous communication is assumed in their environment, known as the q-bounded environment, and each party is permitted q queries to a random oracle. The network includes an anonymous message diffusion mechanism that ensures that each round's messages are delivered by all sincere parties. At the start of the following round, all messages are delivered. It should be noted that the diffusion method is unreliable, meaning that the attacker may deliver messages to only some of the network participants. Additionally, the enemy rushes and adapts. Rushing in this situation allows him to view every honest player's message before choosing his own course of action. Furthermore, they have total control over the sequence in which messages are sent to each player. In terms of computational power, the model assumes that all honest parties have the same amount, whereas the adversary's computational power is inversely correlated with the number of participants it controls.

Since there are n parties altogether, it is presumed that the adversary has power over t of them (honest parties are unaware of any of these conditions). Finding a hash value smaller than a difficulty parameter D results in the discovery of a new block. The likelihood that a single hashing query will result in a solution is given by the formula p=D2 , where p is the hash length. The adversary's total hashing power is equal to pqt, the honest players' total hashing power is f = pqt, and the sum of all three is pqt. The following list includes a number of definitions that will be used frequently.

  1. A round is referred to as: Successful if in this round at least one honest participant computes a solution. If precisely one honest participant computes a solution in this round, it will be considered singularly successful.

  2. . In execution, blocks are called:

    • honest, if mined by an honest party.

    • adversarial, if mined by the adversary.

  3. Some chain notations: By C dk we denote the chain that results by dropping the last k blocks of C. We will say that a chain C 0 extends another chain C if a non-empty prex of C 0 is a su-x of C.

In METCHAIN, a lower bound to the probabilities of two events, that a round is successful or that is uniquely successful (dented above), was established and denoted by Ī³u = Ī±āˆ’Ī± 2. While this bound is sufficient for the setting of small f, here we will need to use a better lower bound to the probability of those events, denoted by Ī³, and with a value approximately Ī±eāˆ’Ī±

Last updated