An affiliated workshop of The Science of Blockchain Conference 2025
Sponsored by: 
Last three years’ workshops: 2024, 2023, 2022
Andrew Lewis-Pye — London School of Economics
The Pipes Model for Latency and Throughput Analysis
Protocols for State-Machine-Replication (sometimes called `blockchain' protocols) generally make use of rotating leaders to drive consensus. In typical protocols (henceforth called `single-sender' protocols), the leader is a single processor responsible for making and disseminating proposals to others. Since the leader acts as a bottleneck, apparently limiting throughput, a recent line of research has investigated the use of `multi-sender' protocols in which many processors distribute proposals in parallel. Examples include DAG-based protocols such as DAG-Rider, Bullshark, Sailfish, Cordial Miners, Mysticeti, and variants such as Autobahn. However, existing models do not allow for a formal analysis to determine whether these protocols can actually handle higher throughputs than single-sender protocols such as PBFT, Tendermint, and HotStuff.\
In this talk, I’ll discuss recent work in which we describe a very simple model that allows for such an analysis. For any given protocol, the model allows one to calculate latency as a function of network bandwidth, network delays, the number of processors $n$, and the incoming transaction rate. Each protocol has a latency bottleneck: an incoming transaction rate at which latency becomes unbounded over the protocol execution, i.e., a maximum throughput that the protocol can handle without unbounded latency. If one compares single-sender protocols that use pipelining and erasure coding, such as DispersedSimplex, with DAG-based protocols such as Sailfish or Bullshark, the former are seen to have lower latency for a wide range of throughputs, while the benefit of the latter protocols is that they have a latency bottleneck (max throughput) which is higher by a constant factor.
Ben Fisch — Yale University and Espresso Systems
Towards lower latency finality for rollups
Rollups inherit finality from an underlying consensus protocol that maintains availability and total-ordering of abstract data. Sometimes referred to as non-executing consensus, a key aspect is that the nodes participating in this protocol do not need to filter or interpret the data in any way, such as calculating state transitions. As such, nodes do not individually need to receive the data in full. Additionally, most rollups have their own dedicated leader (aka sequencer) in charge of broadcasting txs to consensus nodes. This talk will discuss some approaches to reducing rollup finality times with a responsive BFT-style consensus designed for this setting, without sacrificing scale (number of consensus nodes) or throughput, such as removing a round of voting, star vs point-to-point network configurations, verifiable information dispersal (VID) techniques, and improving on optimistic latency when the number of faults is low (eg, 20%). The discussion is rooted in experiments done on the Espresso Network, a live protocol being used for this purpose today.
Dionysis Zindros — Common Prefix
Pod: An Optimal-Latency, Censorship-Free, and Accountable Generalized Consensus Layer
In this talk, I will present pod, a weaker state-machine replication variant designed with the principal goal of meeting physically-optimal latency of one round-trip from the moment of transaction issuance (from a writing client) to its confirmation (by a reading client). To accomplish this, we must eliminate inter-replica communication. Instead, in a simple construction inspired by web2-era systems such as Certificate Transparency, clients send transactions directly to all replicas, which independently process transactions and append them to local logs. Replicas assign a timestamp to each transaction in their logs. Later on, clients connect to all replicas to retrieve these signed logs and extract transactions (and associated metadata) from them. Necessarily, this construction achieves weaker properties than SMR protocols due to existing lower bounds. In particular, no agreement on order is achieved. I will talk about the weaker safety properties that we achieve, namely that, in good conditions, honest transactions cannot move beyond a bounded "wiggle room" too much. I will also discuss accountability for violations of this weak notion of safety. Lastly, I will mention several engineering considerations inspired by traditional database management system implementations, that balance latency with the burden of maintaining multiple connections.
Lei Yang — MegaETH
SALT: Breaking the I/O Bottleneck for Blockchains with a Scalable Authenticated Key-Value Store
An authenticated key-value store (AKVS) is a key component of a blockchain that not only stores the state as key-value pairs but also provides a way to cryptographically prove the existence and value of a key without revealing the entire dataset. The AKVS is often considered the most critical bottleneck in many high-performance blockchains because common designs, such as the Merkle Patricia Trie (MPT), incur significant random disk I/O when updating their state roots.
To solve this critical bottleneck, we propose SALT (Small Authentication Large Trie), a novel AKVS that is highly memory- and I/O-efficient. For up to 3 billion key-value pairs, SALT's authentication layer requires only a 1 GB memory footprint, and it scales smoothly to tens of billions of items. Thus, SALT can fit entirely in the memory of most modern machines, relieving blockchain nodes of expensive random disk I/Os. In fact, SALT is the first AKVS to scale to tens of billions of items and completely eliminate random disk I/Os during state root updates, all while maintaining its low memory footprint.
Our key insight behind SALT is that existing state tries become space-inefficient as their depth increases. Even when a sub-trie is sparse and contains only a few leaves, these designs still suffer from significant overhead for storing internal nodes (mainly their cryptographic commitments). As a result, we propose to "flatten" these sparse sub-tries using strongly history-independent (SHI) hash tables. This approach yields an elegant state trie design with a shallow, regular structure that can be stored and updated efficiently.
Natacha Crooks — UC Berkeley
Autobahn: High Speed BFT with No Hangovers
Today's practical, high performance Byzantine Fault Tolerant (BFT) consensus protocols operate in the partial synchrony model. However, existing protocols are inefficient when deployments are indeed partially synchronous. They deliver either low latency during fault-free, synchronous periods (good intervals) or robust recovery from events that interrupt progress (blips). At one end, traditional, view-based BFT protocols optimize for latency during good intervals, but, when blips occur, can suffer from performance degradation (hangovers) that can last beyond the return of a good interval. At the other end, modern DAG-based BFT protocols recover more gracefully from blips, but exhibit lackluster latency during good intervals. To close the gap, this work presents Autobahn, a novel high-throughput BFT protocol that offers both low latency and seamless recovery from blips. By combining a highly parallel asynchronous data dissemination layer with a low-latency, partially synchronous consensus mechanism, Autobahn (i) avoids the hangovers incurred by traditional BFT protocols and (ii) matches the throughput of state of the art DAG-based BFT protocols while cutting their latency in half, matching the latency of traditional BFT protocols.
Roger Wattenhofer — Anza and ETH Zurich
Alpenglow: Solana's New Consensus Protocol
What should a modern blockchain protocol look like? In this talk, I will discuss Alpenglow, Solana’s new consensus protocol. Alpenglow features some interesting innovations, such as its new voting protocol, resulting in a fast finalization latency. Alpenglow achieves a low latency by finalizing blocks in a single round of voting if 80% of the stake is participating, and in two rounds if only 60% of the stake is responsive. Alpenglow's “20+20” resilience allows the protocol to operate effectively even under harsh network conditions, tolerating up to 20% adversarial stake and an additional 20% non-responsive stake. Other contributions include a low-variance sampling strategy. My talk will present an overview of Alpenglow, with a focus on the most interesting aspects.
Srivatsan Sridhar — Babylon
Trustless Vaults: Integrating Bitcoin with the Smart Contracts Economy
Bitcoin has a market cap of over $2 trillion, but its limited programmability and limited block space hinder building financial applications. These limitations necessitate moving the application’s computation off-chain (e.g., on another chain). However, to ensure trustless security, Bitcoin must verify transactions executed on another blockchain. This is similar to how Ethereum verifies transactions executed by rollups. However, the two main approaches used in Ethereum, namely, verifying ZK proofs directly on Ethereum, or optimistic verification/naysayer proofs, are respectively impossible and too expensive on Bitcoin due to its programmability constraints. We present a third approach--BitVM3--and demonstrate its minimal on-chain cost. Interestingly, BitVM3 uses garbled circuits--an age-old cryptographic protocol--in a novel use-case. We use BitVM3 to build a trustless Bitcoin vault in which parties can lock up Bitcoin to participate in applications such as lending, trading, and stablecoins, and the rightful owner of the Bitcoin can trustlessly unlock their Bitcoin.
Victor Shoup — Offchain Labs and NYU
Kudzu: Fast and Simple High-Throughput BFT
We present Kudzu, a high-throughput atomic broadcast protocol with an integrated fast path. Our contribution is based on the combination of two lines of work. Firstly, our protocol achieves finality in just two rounds of communication if all but p out of n=3f+2p+1 participating replicas behave correctly, where f is the number of Byzantine faults that are tolerated. Due to the seamless integration of the fast path, even in the presence of more than p faults, our protocol maintains state-of-the-art characteristics. Secondly, our protocol utilizes the bandwidth of participating replicas in a balanced way, alleviating the bottleneck at the leader, and thus enabling high throughput. This is achieved by disseminating blocks using erasure codes. Despite combining a novel set of advantages, Kudzu is remarkably simple: intricacies such as progress certificates, complex view changes, and speculative execution are avoided.
Yu Shen — University of Edinburgh
State Machine Replication Among Strangers, Fast and Self-Sufficient
A number of blockchain protocols aim to realize state machine replication (SMR) in a permissionless setting while guaranteeing fairness (equitable access to its operation according to their computational power) as well as fast settlement (converging to a common view in as few steps as possible). Notably, the Bitcoin blockchain offers a protocol that settles against Byzantine adversaries in polylogarithmic rounds, while fairness only holds in a fail-stop adversarial model (due to the fact that Byzantine behavior can bias access to the state machine in the adversary’s favor).
In this work, we put forth the first Byzantine-resilient protocol solving SMR in the permissionless setting with expected-constant-time behavior for both settlement and fairness. Furthermore, our protocol is self-sufficient in the sense of performing its own time keeping while tolerating an adaptively fluctuating set of parties. This resolves three open questions in the design of proof-of-work-based blockchain protocols.
This is joint work with Juan Garay and Aggelos Kiayias.
David Tse
Room 264, Packard Building
Electrical Engineering Department
350 Jane Stanford Way
Stanford, CA 94305-9515
dntse@stanford.edu
Helen Niu
Room 310, Packard Building
Electrical Engineering Department
350 Jane Stanford Way
Stanford, CA 94305-9515
Tel: (650) 723-8121
Fax: (650) 723-9251
helen.niu@stanford.edu
