-
Majority is Not Required: A Rational Analysis of the Private Double-Spend Attack from a Sub-Majority Adversary
Authors:
Yanni Georghiades,
Rajesh Mishra,
Karl Kreder,
Sriram Vishwanath
Abstract:
We study the incentives behind double-spend attacks on Nakamoto-style Proof-of-Work cryptocurrencies. In these systems, miners are allowed to choose which transactions to reference with their block, and a common strategy for selecting transactions is to simply choose those with the highest fees. This can be problematic if these transactions originate from an adversary with substantial (but less than 50%) computational power, as high-value transactions can present an incentive for a rational adversary to attempt a double-spend attack if they expect to profit. The most common mechanism for deterring double-spend attacks is for the recipients of large transactions to wait for additional block confirmations (i.e., to increase the attack cost). We argue that this defense mechanism is not satisfactory, as the security of the system is contingent on the actions of its users. Instead, we propose that defending against double-spend attacks should be the responsibility of the miners; specifically, miners should limit the amount of transaction value they include in a block (i.e., reduce the attack reward). To this end, we model cryptocurrency mining as a mean-field game in which we augment the standard mining reward function to simulate the presence of a rational, double-spending adversary. We design and implement an algorithm which characterizes the behavior of miners at equilibrium, and we show that miners who use the adversary-aware reward function accumulate more wealth than those who do not. We show that the optimal strategy for honest miners is to limit the amount of value transferred by each block such that the adversary's expected profit is 0. Additionally, we examine Bitcoin's resilience to double-spend attacks. Assuming a 6-block confirmation time, we find that an attacker with at least 25% of the network mining power can expect to profit from a double-spend attack.
Submitted 12 December, 2023;
originally announced December 2023.
-
Achieving Almost All Blockchain Functionalities with Polylogarithmic Storage
Authors:
Parikshit Hegde,
Robert Streit,
Yanni Georghiades,
Chaya Ganesh,
Sriram Vishwanath
Abstract:
In current blockchain systems, full nodes that perform all of the available functionalities need to store the entire blockchain. In addition to the blockchain, full nodes also store a blockchain summary, called the state, which is used to efficiently verify transactions. With the size of popular blockchains and their states growing rapidly, full nodes require massive storage resources in order to keep up with the scaling. This leads to a tug-of-war between scaling and decentralization, since fewer entities can afford expensive resources. We present hybrid nodes for proof-of-work (PoW) cryptocurrencies which can validate transactions, validate blocks, validate states, mine, select the main chain, bootstrap new hybrid nodes, and verify payment proofs. With the use of a protocol called trimming, hybrid nodes retain only a number of blocks polylogarithmic in the chain length in order to represent the proof-of-work of the blockchain. Hybrid nodes are also optimized for the storage of the state with the use of stateless blockchain protocols. The lowered storage requirements should enable more entities to join as hybrid nodes and improve the decentralization of the system. We define novel theoretical security models for hybrid nodes and show that they are provably secure. We also show that the storage requirement of hybrid nodes is near-optimal with respect to our security definitions.
Submitted 12 July, 2022;
originally announced July 2022.
-
Scalable Multi-Chain Coordination via the Hierarchical Longest Chain Rule
Authors:
Yanni Georghiades,
Karl Kreder,
Jonathan Downing,
Alan Orwick,
Sriram Vishwanath
Abstract:
This paper introduces BlockReduce, a Proof-of-Work (PoW) based blockchain system which achieves high transaction throughput through a hierarchy of merge-mined blockchains, each operating in parallel on a partition of the overall application state. Most notably, the full PoW available within the network is applied to all blockchains in BlockReduce, and cross-blockchain state transitions are enabled seamlessly within the core protocol. This paper shows that, given a hierarchy of blockchains and its associated security model, the protocol scales superlinearly in transaction throughput with the number of blockchains operated by the protocol.
Submitted 27 December, 2022; v1 submitted 21 December, 2021;
originally announced December 2021.
-
Who Needs Consensus? A Distributed Monetary System Between Rational Agents via Hearsay
Authors:
Yanni Georghiades,
Robert Streit,
Vijay Garg
Abstract:
We propose a novel distributed monetary system called Hearsay that tolerates both Byzantine and rational behavior without the need for agents to reach consensus on executed transactions. Recent work [5, 10, 15] has shown that distributed monetary systems do not require consensus and can operate using a broadcast primitive with weaker guarantees, such as reliable broadcast. However, these protocols assume that some number of agents may be Byzantine and the remaining agents are perfectly correct. For the application of a monetary system in which the agents are real people with economic interests, the assumption that agents are perfectly correct may be too strong. We expand upon this line of thought by weakening the assumption of correctness and instead adopting a fault tolerance model which allows up to $t < \frac{N}{3}$ agents to be Byzantine and the remaining agents to be rational. A rational agent is one which will deviate from the protocol if it is in their own best interest. Under this fault tolerance model, Hearsay implements a monetary system in which all rational agents achieve agreement on executed transactions. Moreover, Hearsay requires only a single broadcast per transaction. In order to incentivize rational agents to behave correctly in Hearsay, agents are rewarded with transaction fees for participation in the protocol and punished for noticeable deviations from the protocol. Additionally, Hearsay uses a novel broadcast primitive called Rational Reliable Broadcast to ensure that agents can broadcast messages under Hearsay's fault tolerance model. Rational Reliable Broadcast achieves equivalent guarantees to Byzantine Reliable Broadcast [7] but can tolerate the presence of rational agents. To show this, we prove that following the Rational Reliable Broadcast protocol constitutes a Nash equilibrium between rational agents and may therefore be of independent interest.
Submitted 15 April, 2021;
originally announced April 2021.
-
HashCore: Proof-of-Work Functions for General Purpose Processors
Authors:
Yanni Georghiades,
Steven Flolid,
Sriram Vishwanath
Abstract:
Over the past five years, the rewards associated with mining Proof-of-Work blockchains have increased substantially. As a result, miners are heavily incentivized to design and utilize Application Specific Integrated Circuits (ASICs) that can compute hashes far more efficiently than existing general purpose hardware. Currently, it is difficult for most users to purchase and operate ASICs due to pricing and availability constraints, resulting in a relatively small number of miners with respect to total user base for most popular cryptocurrencies. In this work, we aim to invert the problem of ASIC development by constructing a Proof-of-Work function for which an existing general purpose processor (GPP, such as an x86 IC) is already an optimized ASIC. In doing so, we will ensure that any would-be miner either already owns an ASIC for the Proof-of-Work system they wish to participate in or can attain one at a competitive price with relative ease. In order to achieve this, we present HashCore, a Proof-of-Work function composed of "widgets" generated pseudo-randomly at runtime that each execute a sequence of general purpose processor instructions designed to stress the computational resources of such a GPP. The widgets will be modeled after workloads that GPPs have been optimized for, for example, the SPEC CPU 2017 benchmark suite for x86 ICs, in a technique we refer to as inverted benchmarking. We provide a proof that HashCore is collision-resistant regardless of how the widgets are implemented. We observe that GPP designers/developers essentially create an ASIC for benchmarks such as SPEC CPU 2017. By modeling HashCore after such benchmarks, we create a Proof-of-Work function that can be run most efficiently on a GPP, resulting in a more accessible, competitive, and balanced mining market.
Submitted 15 April, 2019; v1 submitted 31 January, 2019;
originally announced February 2019.