Elastico requires a small committee size (about 100 parties) to limit the overhead of running PBFT
in each committee. Unfortunately, this increases the failure probability of the protocol significantly
and, using a simple analysis (see [42]), this probability can be as high as 0.97 after only six epochs,
rendering the protocol completely insecure in practice; (3) The randomness used in each epoch of
Elastico can be biased by an adversary, and hence, compromise the committee selection process and
even allow malicious nodes to precompute PoW puzzles; (4) Elastico requires a trusted setup for
generating an initial common randomness that is revealed to all parties at the same time; (5) While
Elastico allows each party to only verify a subset of transactions, it still has to broadcast all blocks
to all parties and requires every party to store the entire ledger; (6) Finally, Elastico can only tol-
erate up to a 1/4 fraction faulty parties even with a high failure probability. Elastico requires this
low resiliency bound to allow practical committee sizes.
2.2.3 OmniLedger
In a more recent work, Kokoris-Kogias et al. [42] propose OmniLedger, a sharding-based distributed
ledger protocol that attempts to fix some of the issues of Elastico. Assuming a slowly-adaptive
adversary that can corrupt up to a 1/4 fraction of the nodes at the beginning of each epoch, the
protocol runs a global reconfiguration protocol at every epoch (about once a day) to allow new
participants to join the protocol.
The protocol generates identities and assigns participants to committees using a slow iden-
tity blockchain protocol that assumes synchronous channels. A fresh randomness is generated in
each epoch using a bias-resistant random generation protocol that relies on a verifiable random
function (VRF) [51] for unpredictable leader election in a way similar to the lottery algorithm
of Algorand [50]. The consensus protocol assumes partially-synchronous channels to achieve fast
consensus using a variant of ByzCoin [41], where the epoch randomness is further used to divide a
committee into smaller groups. The ByzCoin’s design is known to have several security/performance
issues [56, 4], notably that it falls back to all-to-all communication in the Byzantine setting. Unfor-
tunately, due to incomplete (and changing) specification of the new scheme, it is unclear how the
new scheme used in OmniLedger can address these issues.
Furthermore, there are several challenges that OmniLedger leaves unsolved: (1) Similar to Elas-
tico, OmniLedger can only tolerate t < n/4 corruptions. In fact, the protocol can only achieve low
latency (less than 10 seconds) when t < n/8; (2) OmniLedger’s consensus protocol requires O(n)
per-node communication as each committee has to gossip multiple messages to all n nodes for each
block of transaction; (3) OmniLedger requires a trusted setup to generate an initial unpredictable
configuration to “seed” the VRF in the first epoch. Trivial algorithms for generating such a common
seed require Ω(n
2
) bits of communication; (4) OmniLedger requires the user to participate actively
in cross-shard transactions which is often a strong assumption for typically light-weight users; (5)
Finally, OmniLedger seems vulnerable to denial-of-service (DoS) attacks by a malicious user who
can lock arbitrary transactions leveraging the atomic cross-shard protocol.
When t < n/4, OmniLedger can achieve a high throughput (i.e., more than 500 tx/sec) only when
an optimistic trust-but-verify approach is used to trade-off between throughput and transaction
confirmation latency. In this approach, a set of optimistic validators process transactions quickly
providing provisional commitments that are later verified by a set of core validators. While such
an approach seems useful for special scenarios such as micropayments to quickly process low-stake
small transactions, it can be considered as a high-risk approach in regular payments, especially
due to the lack of financial liability mechanisms in today’s decentralized systems. Nevertheless,
any blockchain protocol (including Bitcoin’s) has a transaction confirmation latency that has to be
considered in practice to limit the transaction risk.
8