Transcription
Draft @ July 01, 2018Mixin NetworkA free and lightning fast peer-to-peer transactional network for digital assets.TECHNICAL WHITE PAPERcontact@mixin.oneSUBJECT TO FURTHER REVIEW AND UPDATE1! of 29!
Draft @ July 01, 2018Contents1. Motivation2. Overview3. Mixin Kernel3.1. Ghost Output3.2. Asynchronous BFT Graph3.3. Punitive PoS3.4. Trusted Execution Environment3.5. Light Witness4. Mixin Domain4.1. Kernel System Calls4.2. Standard Domain Interfaces4.3. Domain Extensions5. Attack Resistance6. Governance7. XIN - The Token8. Conclusioncontact@mixin.one! of 292!
Draft @ July 01, 2018MotivationBitcoin started a new era for financial resourcesmanagement. People have regained the power tomanage their assets by themselves, to monitor how theresources are being distributed, and to rescue theeconomy from the control of the few.Today, both professionals and the general public haveaccepted the idea behind Bitcoin and blockchaintechnology, and the user base of crypto currency isgrowing at a faster and faster pace.Unfortunately, Bitcoin suffers from this fast growingadoption. The most significant problems areinsufficient transaction capacity, slow confirmation andhigh transaction fees.Due to the inflexible highly distributed nature of Bitcoinnetwork, it’s impossible to fix some critical flaws.Rather than fix the original Bitcoin project, most peopleattempt to invent new projects that address differentperceived shortcomings of Bitcoin.Thus Ethereum, Monero, Stellar, Cardano and manynew blockchains have been invented in the past fewyears. Almost all of them attempt to fix the problems ofBitcoin while adding some new features of their own.However, they are unable to rescue or augment thecontact@mixin.one! of 293!
Draft @ July 01, 2018original Bitcoin network, and are neither able tointeroperate with each other.0. Lighting Networkhttps://lightning.networkFortunately, some Bitcoin believers are working onaddressing Bitcoin’s shortcomings, and they haveproposed several excellent solutions. The mostsignificant one is Lighting Network[0], which is amicropayment system built on Bitcoin network withoutrequiring any modifications to Bitcoin code.1. Blockstream Liquidhttps://blockstream.com/liquidAnother interesting solution is the Liquid[1] projectfrom Blockstream, which is a federated and two-waypegged sidechain alongside Bitcoin blockchain.2. Raiden Networkhttps://raiden.networkAll these attempts have put forward the entire Bitcoinnetwork without sacrificing the security and distributednature of the original Bitcoin vision. Similar solutionshave been put forward on Bitcoin competitors, e.g. theRaiden Network[2] on Ethereum.In this paper, we try to propose a solution that canempower all the popular distributed ledgers. We callthis solution Mixin. Mixin is not about creating yetanother crypto currency or a competitor to anydistributed ledgers.Similar to what Lighting Network and Liquid are for theBitcoin blockchain, Mixin is a public distributed ledgerto allow any public distributed ledgers to gain trillionsof TPS, sub second final confirmation, zero transactionfee, enhanced privacy and unlimited extensibility.contact@mixin.one! of 294!
Draft @ July 01, 2018OverviewMixin is composed of a single theoretically permanentKernel, many dynamic Domains and different multipurpose Domain Extensions, to formulate an extendedstar topology.KernelDomainDomain ExtensionThis topology may lead to the concern that Mixin is acentrally controlled network, but that’s not the casebecause of how the Kernel itself works.contact@mixin.one! of 295!
Draft @ July 01, 2018Mixin Kernel is a high performance distributed ledgerand its sole responsibility is to verify assettransactions. That said, the single permanent MixinKernel is also a distributed network just like Bitcoinnetwork as a whole.Although Mixin Kernel verifies asset transactions, itdoesn’t produce any assets. All assets flow through theKernel by Mixin Domains.Each Mixin Domain is also a distributed ledger, whosejob is providing assets to the Mixin Kernel. The assetsmay be those on Bitcoin, Ethereum or any otherblockchains, or even central organizations like banks.While each Mixin Domain is a component to provideassets for Mixin Kernel, the Kernel itself is also acomponent in the Mixin Domain to verify and govern itsassets.Unlike most existing gateway based solutions, MixinKernel and Domains are all public available distributedledgers, with no central authorities.From the Kernel to Domains, the Mixin Network is allabout assets and transactions. The Mixin DomainExtension is where the magic happens, whether forEthereum contracts, EOS contracts, a distributedexchange on somewhat trusted instances, or anythingelse.contact@mixin.one! of 296!
Draft @ July 01, 2018Mixin KernelThe core of Mixin Network is the Mixin Kernel, a fastasynchronous Byzantine fault tolerant directed acyclicgraph to handle unspent transaction outputs withinlimited Kernel Nodes.Ghost Output0. CryptoNote https://cryptonote.org/whitepaper.pdfMixin Kernel utilizes the UTXO model of Bitcoin tohandle transactions, and CryptoNote[0] one time keyderivation algorithm to improve privacy, since there isno address reuse issue. We call the one time key aGhost Address and the output associated with it aGhost Output.In the algorithm, each private user key is a pair (a, b) oftwo different elliptic curve keys, and the public userkey is the pair (A, B) of two public elliptic curve keysderived from (a, b).When Alice wants to send a payment to Bob, she getsBob’s public user key (A, B) and derives at least threeGhost Addresses with some random data, whichensures at least three different Ghost Outputs will becreated for Bob.The three Ghost Outputs threshold delivers betterprivacy, and also forces the outputs random amounts.contact@mixin.one! of 297!
Draft @ July 01, 2018After deriving the Ghost Addresses, Alice will sign thetransaction with CryptoNote algorithm.CryptoNote transaction signNote that, to improve privacy, Alice is forced to pickrandom UTXOs as the transaction inputs. After thetransaction is signed, Alice sends it to the Mixin Kernel.Only Bob can recognize his transactions due to theGhost Address feature, he can decrypt the outputinformation with his tracing key (a, B).CryptoNote transaction verifycontact@mixin.one! of 298!
Draft @ July 01, 2018If an exchange wants to have a transparent address todisclose all its assets information publicly, it can justpublish its tracing key (a, B) so that everybody canrecognize all its transactions but can’t spend themwithout the secret key b.Asynchronous BFT Graph0. Section XIN - TheToken for detailsEach Mixin Kernel Node is required to pledge 10,000XIN, therefore due to the 500,000 XIN circulatingsupply[0], no more than 50 Kernel Nodes will exist. Toprevent extremely centralized authority, the Kernel canonly be booted with at least 7 Kernel Nodes.The Kernel nodes make up a loose mesh topology, andare responsible for transaction validation andpersistence. Unlike a blockchain, there are no blocks inthe Mixin Kernel, all transactions will be exponentiallybroadcasted as soon as possible.transaction flow when K 20 and b 3contact@mixin.one! of 299!
Draft @ July 01, 2018A typical Mixin Kernel transaction finalization sequencegoes as follows:1.2.3.4.5.contact@mixin.oneWhen Alice’s signed transaction is sent to the MixinKernel with K (7 K 50) nodes, b (b 1)random nodes (A) will receive it.Each node does the same transaction validation.1) Inputs are all unspent.2) Input and output amounts are in valid range.3) Verify the signature of each input.4) The total of input amounts equal to the total ofoutputs.Each node will create a Kernel Snapshot with thevalidated transaction, and the snapshot is the baseunit stored in the Kernel to construct a DAG. Eachsnapshot is composed of:1) The transaction as payload.2) Previous snapshot hash of this node.3) The node signature.The signed snapshot will be broadcasted toanother b random nodes (B) as soon as possible.After received the snapshot and validated with thesame procedure in step 2, a new snapshot will becreated immediately. This snapshot has the samepayload as received snapshot, and the referencedsnapshot hash is a pair of previous snapshot hashin this node and the received snapshot hash.Steps 4 will be repeated until the node learnt thatwether the transaction is approved or rejected byat least 2/3K nodes. Since each snapshotreferenced the parents up until the nodes group A,! of 2910!
Draft @ July 01, 2018it’s easy for new nodes to learn that the previoussnapshots are aware of the snapshots. Thisprocedure can avoid lots of redundant works.6. In this procedure, a transaction can be approved orrejected in about K/b 2 rounds on average,considering the typical Kernel size, the latency maybe within a single second with very high probabilityand guaranteed within seconds.Node ASnapshotSnapshotSnapshot referenceSnapshot referenceNode BSnapshotNode BTransactionDue to the asynchronous BFT consensus, doublespend is impossible. Because of the UTXO nature,snapshots order is irrelevant and high concurrency canbe guaranteed in the DAG.Punitive PoSEach Mixin Kernel node takes 10,000 XIN, which isapproximate 2% of the network stake. The Kernel canonly operate with at least 7 nodes joined, or about 15%of the whole network stake.The Kernel BFT consensus is secured by a strictpunitive PoS, if a Kernel Node is determined to be ancontact@mixin.one! of 2911!
Draft @ July 01, 2018attacker, all its collateral will be recycled to the miningpool. The node will be identified as an attacker if it triedto broadcast an obvious double spend snapshot. Asnapshot will be considered obvious when some of itsinputs state have been validated by at least 2/3Knodes.The first time a node sends out an attacking snapshot,its stake won’t be recycled, but it will be flagged by thenetwork as a potential attacker. The Kernel size will betemporally reduced to K - 1, with this reduction invisibleto the potential attacker.All other nodes will still broadcast to the flagged node,but won’t consider its snapshots in stake votes. Iffurther snapshots from the flagged node remainmalicious, the Kernel will sign a snapshot with atransaction that will transfer all the flagged node’scollateral to the mining pool.0. Section Governancefor details1. Trusted ExecutionEnvironment https://en.wikipedia.org/wiki/Trusted execution environment2. Intel SGX tact@mixin.oneThe flagged node will be permanently removed fromthe Kernel and it will have some period to appeal toMixin Kernel Governance[0], which is voted by all XINholders.Trusted Execution EnvironmentMixin Kernel is already an ABFT consensus DAG. Toensure further security, Kernel nodes must run inTrusted Execution Environment[1]. Specifically, Mixinuses Intel SGX[2] as the TEE implementation.! of 2912!
Draft @ July 01, 2018The TEE enforcement ensures three important securityand trust factors in Mixin Kernel.1.0. Section Kernel SystemCalls for detailsAll Kernel nodes should run the same consensusruleset.2. Mixin Kernel will be trusted due to the Intel SGXenclave, even when the Kernel is controlled byseveral earlier Kernel nodes.3. Distributed Domain communications will be muchmore secure.[0]The underlying logic for the TEE security is that IntelSGX is somewhat trusted for the Mixin system.Note that, Mixin Kernel is secure by itself, at least assecure as existing BFT solutions. The mandatory IntelSGX just makes it better.Light WitnessMixin Light node is a simplified payment verification(SPV) node to Mixin Kernel. It typically stores all itsunspent outputs for easy account balance query.If the Light node is a XIN holder, it has the chance toact as a Light Witness. The Light Witness will activelymonitor the Mixin Kernel, and will be scheduled to voteautomatically on the attacker appeals.The Light Witness vote is weighted on their XIN stake.And the vote is mostly on the attacker node’s networkcontact@mixin.one! of 2913!
Draft @ July 01, 2018connectivity state to determine whether the attackerbehavior is caused due to network delay.All the Light Witness votes will be weight calculatedwith the Mixin Kernel Governance votes, to determinethe final attacker appeal. If the appeal fails, the penaltywill be final.The Light Witness is incentivized to do these votesbecause they could get the mining reward if they dosome work for the network itself.contact@mixin.one! of 2914!
Draft @ July 01, 2018Mixin DomainMixin Domain is a distributed ledger to provide assetsfor the Mixin Kernel. The assets may be those onBitcoin, Ethereum or any other blockchains, evencentral organizations like banks.Mixin Kernel, the ABFT DAG.Mixin Domains, the distributed gateway to provide assets for Mixin Kernel.Domain Extensions, could be smart contracts, trusted application, etc.Trusted external sources, e.g. Bitcoin blockchain, bank API.contact@mixin.one! of 2915!
Draft @ July 01, 2018Kernel System CallsMixin Kernel offers some system calls to communicatewith Domains, and it’s the only way the Kernel andDomains can exchange state. The system calls aredefined as standard JSON-RPC interfaces.JSON-RPC is a stateless, light-weight remoteprocedure call (RPC) protocol. It is transport agnosticin that the concepts can be used within the sameprocess, over sockets, over HTTP, or in many variousmessage passing environments. It uses JSON (RFC4627) as data format.Currently Mixin Kernel only implements the standardHTTPS transport for the protocol, and the availablecalls are listed below.kernel registerDomainRegister the domain and waiting for the Kernel approvalto connect. The call can also update the domain nodes.The registered domain will be forced to form a XINstake based network between the domain nodes andthe Kernel as a whole.The domain registration is a governance behavior, andshould relate to the domain nodes XIN stake. In thefuture, we hope to implement a more automatic domainmanagement policy in Mixin Kernel. The upgrade policyshould always be governed by all Kernel Nodes and XINholders.contact@mixin.one! of 2916!
Draft @ July 01, 2018Parameters1. UUID - A unique UUID that represents the domainamong all other domains.2. Array - Array of domain nodes’ transparent publickeys.params: g - Indicate the registration request state, thevalue is one of invalid, pending, denied, andapproved.Note that, all Kernel System Calls should be forwardedto b known Kernel Nodes to ensure delivery.Standard Domain InterfacesA domain can only be registered to the Mixin Kernel if itimplements all the Standard Domain Interfaces.domain getKeyDerivationFunctionGet the domain specific asset key derivation function,which is one of some key derivation methods in MixinKernel, and could be upgraded with governance.The supported methods may also be extended to somesandboxed VM languages such as solidity.contact@mixin.one! of 2917!
Draft @ July 01, 2018Parameters1. UUID - The global unique asset ID in the wholeMixin Network.params: sObject - The function name and parameters.1. method: String - The function name, one of thepredefined derivation function names in Kernel.2. params: Array - The parameters should be usedrelative to the method.domain associatePublicKeyAssociate a Mixin public key to the domain for an assetsupported by the domain. The public key and domainasset association is the magic that will associate anexternal asset to the Mixin Kernel.After public key associated with an asset, it will get anasset specific public key, e.g. Bitcoin public key.Whenever the Bitcoin blockchain has an output to thispublic key, the domain will create a transaction to theMixin public key.This works because the Mixin Kernel and the MixinDomain is also a Proof of Stake network. Besides theXIN collateral, there are also additional Intel SGXenforcement for all related functions.contact@mixin.one! of 2918!
Draft @ July 01, 2018After the domain create the asset transaction to thepublic key, the asset will be locked by both the MixinKernel and Mixin Domain. This result in a correspondingasset lightning transaction in Mixin Kernel.Parameters1. String - The Mixin public key.2. UUID - Unique asset ID within the whole 848c4eaffd33915653b472d900f47d11722058”, String - The asset specific public key associated withthe Mixin public key.domain unlockAssetUnlock the asset and transfer out to external sources,this is similar to the withdrawal action on a crypto assetexchange.The operation to unlock is somewhat similar to theassociate function, it must be signed by both the MixinKernel and Mixin Domain to make it a valid snapshotacceptable by the network.Parameters1. UUID - Unique asset ID within the whole MixinNetwork.contact@mixin.one! of 2919!
Draft @ July 01, 20182. String - External asset specific public key.3. String - The amount of asset to unlock.4. String - The fee for external source transaction.params: doFCiwaoUN4grnhPCoDWxWLcY6ZT68V”, “12.345678”,“0.0005”]ReturnsString - The external sources transaction identifier,e.g. transaction hash.The above three Domain Interfaces are mandatory forall domains to be approved by the Kernel. Theycommunicate through the Intel SGX trusted transportlayer, and all encrypted private keys are securelyduplicated in all Kernel Nodes and Domain Nodes.Domain ExtensionsWith a transaction only purpose Mixin Kernel, and MixinDomains as assets provider and gateway to externalblockchains or any other sources, Mixin has becomethe most sophistic and high performance distributedledger to almost all digital assets.However, people need smart contracts, which havebeen made popular by Ethereum. We allow Extensionsto Mixin Domains, something similar to smart contractbut with higher robustness, capability andperformance.contact@mixin.one! of 2920!
Draft @ July 01, 2018Domain Extensions are programs running in the DomainVirtual Machine secured by the Secure Enclave in IntelSGX, a popular and secure Trusted ExecutionEnvironment.Due to the possibility to run the “smart contract” in asingle computation unit, Domain Extensions canachieve many goals which are almost impossible insomething similar to Ethereum.1.Much higher performance and lower latency whichis only limited by the hardware.2. Non-deterministic transactions, e.g. trustablerandom number.3. Interact directly with trusted external sources.Besides these trusted applications, it’s also possible torun other popular distributed VM, e.g. Ethereum orEOS.contact@mixin.one! of 2921!
Draft @ July 01, 2018Attack ResistanceDue to the PoS and distributed nature of both Kerneland Domain Nodes, and enforcement by Intel SGX, thekeys are almost guaranteed to be safe from leaks.Because of the highly distributed key duplication andsecret sharing mechanism, the encrypted private keysare also guaranteed to be safe from loss.Ideally, each asset should have many differentdistributed domains, these domains are governed bythe Kernel and securely enforced by Intel SGX.The associated keys can only be accessed from wherethey were generated in the Domain, further improvingthe degree of protection.The Kernel will balance the assets in different Domainsconstantly to further prevent the asset loss in the eventof an almost impossible private key leak or loss indifferent domains.We will prove that Mixin is safe for digital assets againstdifferent possible attack vectors.To simplify the explanation, only Bitcoin will be used asa sample.contact@mixin.one! of 2922!
Draft @ July 01, 2018Key AssociationKey association is the first step to grant a Mixin publickey with Bitcoin access.Every Mixin public key Mpub will have a Bitcoin publickey Bpub associated, how this association occurs and ismanaged determines the key safety.Bpub is the public derivation of Bitcoin private key Bpriv,so how Bpriv is generated defines the Bpub correctness.Bpriv is generated purely by the Mixin Domain itself,and it will transfer part of it to the Kernel to keep it by(t-n)-threshold secret sharing scheme. If the domain istrustable in this procedure, the association isabsolutely secure.Intel SGX will enforce the domain trustworthiness, andeven when Intel SGX itself is not safe, which is almostimpossible, the following parts in this paper will provethat the Bitcoin asset will also be secure in Mixin.Deposit AttackDeposit is the action when external assets flow intoMixin Kernel, this is the first step when some BTC joinsMixin.Since key association is proved secure, and all MixinDomains are governed by Mixin Kernel, if some BTCcontact@mixin.one! of !2923
Draft @ July 01, 2018successfully submitted to the Kernel, it will beguaranteed to the correct Mpub.All Bitcoin deposits will also require a large enoughdomain finality threshold, e.g. there must be at least 12Bitcoin confirmations before the system accept theasset.In this way the system has enough time to detectfraudulent domain action and will punish it without anyBitcoin loss.The domain mandatory Intel SGX requirements willimprove this further.Fraudulent Domain or Key LeakThe Mixin Kernel constantly balances the assets acrossall Domains according to their behavior and collateralamount. If a domain is compromised or hacked, theleaked key will only cause partial Bitcoin loss.Also, Intel SGX will prevent fraudulent Domains fromexisting and keep hackers away in most cases.Further more, Kernel and Domains will always loadmost Bitcoin into a multi signature Bmpub, this is almostimpossible get hacked, especially when correctly andtransparently distributed.contact@mixin.one! of !2924
Draft @ July 01, 2018Damaged Domain or Key LossJust like the fraud domain issue, domain damage or keyloss will only affect a few Bitcoin assets.Since Mixin Governance will ensure the Domain iscorrectly implemented as a distributed system, it’salmost impossible to have the domain damaged as awhole.Compare to ExchangeExchanges or other kinds of central managed Bitcoinsolutions typically store most BTC in their cold storage.Cold storage refers to private keys which are neverexposed to the Internet and managed by severalpeople in the same firm.In terms of security, if both Mixin and Exchangesimplement the solutions correctly without any bugs,Mixin should be considered much safer and trustable.,because Mixin multi-signature Bmpub is guaranteed tobe managed by many different parties that areunknown to each other, while exchanges have theirkeys kept by their own people who are much moreeasily capable of colluding.Hackers aside, exchanges may have the chance tosteal the money by themselves. This is much harder oreven impossible on Mixin.contact@mixin.one! of 2925!
Draft @ July 01, 2018Further, since exchanges are almost all closed sourcesystems, they often have bugs which are notdiscovered until a hack occurs.Since Mixin is transparent, the code is open to all usersand developers to review and improve, in the same waythat Linux is thought to be more secure than Windows,Mixin should rapidly become more secure than anyclosed source exchanges.contact@mixin.one! of 2926!
Draft @ July 01, 2018GovernanceWe try our best to make Mixin Network simply workwithout any heavy-handed governance, but there arestill situations that may require intervention.XIN is the only stake to determine how the governancework on all the Mixin problems. The vectors that can bevoted to governance are listed.1.2.3.4.5.contact@mixin.oneAmount of Kernel Node penalty, mainly assessedwhen double spend, or fraudulent assets aredetected.Asset and Domain registration, determine whichassets are to be added to the Mixin Kernel. Thismay be programmed automatically in the future.External asset assurance, e.g. how to recover whenBitcoin forks after the domain finality threshold.Kernel development and upgrade. Determine somepolicy in the Mixin Kernel specification and upgradeprocedure.Community development, vote on communityissues if critical.! of 2927!
Draft @ July 01, 2018XIN - The TokenXIN is the sole token used by many services in Mixin,including full node collateral, DApp creation and APIcalls.To join the network as a full node, one must pledge atleast 10,000 XIN token to establish initial trust.Every new act of DApp creation will have a one-timecost in XIN, the amount of which is determined by theresources the DApp claims to consume. The Mixin APIcalls from DApps may cost some XIN well, dependingon the call type and count.All XIN penalties and fees charged by the network willbe recycled to the mining pool.1,000,000 permanent total XIN token is issued to theworld at one time, and 400,000 of them have beensuccessfully distributed to holders from 25/11/2017 to25/12/2017 with rate 20 EOS/XIN.50,000 XIN have been distributed to early MixinMessenger adopters. 50,000 XIN are reserved for thedevelopment team.The remaining 500,000 XIN will be the incentives for allMixin full nodes and light nodes.contact@mixin.one! of 2928!
Draft @ July 01, 2018ConclusionWe have proposed the Mixin Network as a multi-layerdistributed network. The core layer (Mixin Kernel) is ahighly distributed transactional network designedaccording to the ABFT directed acyclic graph. TheMixin Domains layer is quite extensible without anyoverhead to the Mixin Kernel performance.We also have a thorough security proof that whenmanaging external blockchain assets, Mixin is securefor daily usage compared to almost any existing coldstorage solutions.The most important thing is that Mixin isn’t inventingany new things, and all technologies described in thispaper have been used as modules in existing matureprojects.The Mixin Messenger app has proved that this paper isfeasible to be implemented in real world, unlike mostother projects that have beautiful new theories but noevidence that their work can actually be implementedin the real world.contact@mixin.one! of 2929!
Punitive PoS Each Mixin Kernel node takes 10,000 XIN, which is approximate 2% of the network stake. The Kernel can only operate with at least 7 nodes joined, or about 15% of the whole network stake. The Kernel BFT consensus is secured by a strict punitive PoS, if a Kernel Node is determined to be an contact@mixin.one !11 of !29 Snapshot Transaction
