Analysis of the Blockchain Protocol in Asynchronous Networks


slide-1
SLIDE 1

Analysis of the Blockchain Protocol in Asynchronous Networks

Rafael Pass Lior Seeman abhi shelat Cornell Tech Uber Northeastern

slide-2
SLIDE 2

Traditional distributed systems:

The “Permissioned” Model

Paxos/PBFT

  • Consistency
  • Liveness
slide-3
SLIDE 3

The “Permissionless” Model: Bitcoin/Blockchain

The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.

slide-4
SLIDE 4

The “Permissionless” Model

The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.

  • Nodes do not know each other a-priori
  • Nodes come and go
  • ANYONE can join
  • No network synchronization
slide-5
SLIDE 5

The “Permissionless” Model

  • Strong impossibility results known in the “permissionless” (“unauthenticated”) model [BCLPR05]
    ○ Consistency is impossible
    ○ Sybil attacks unavoidable
  ■ [BCLPR05] defined “weakened” security model (w/o consistency)

slide-6
SLIDE 6

Nakamoto’s Blockchain [Nak’08]

Prevents Sybil attacks with Proofs-of-Work Puzzles [DN’92]

Claims blockchain achieves “public ledger” assuming “honest majority of computing power”:

  • Consistency: everyone sees the same history
  • Liveness: everyone can add new transactions

slide-7
SLIDE 7

Nakamoto’s Blockchain [Nak’08]

Prevents Sybil attacks with Proofs-of-Work Puzzles [DN’92]

Claims blockchain achieves “public ledger” assuming “honest majority”

  • Consistency: everyone sees the same history
  • Liveness: everyone can add new transactions

2 amazing aspects:

  • Overcomes permissionless barrier [BCLPR’05]
  • Overcomes ⅓ barrier even in permissioned setting [LSP’83]

slide-8
SLIDE 8
  • WHAT IS a blockchain?
    ○ no definition of an “abstract blockchain”
  • Does Nakamoto’s protocol achieve CONSISTENCY?
    ○ “Specific attacks” don’t work [N’08, GKL’15, SZ’15]
    ○ 49.1% attack (with 10s network delays) claimed [DW’14]

slide-9
SLIDE 9

What is a blockchain?

slide-10
SLIDE 10

How to build a “blockchain”

slide-11
SLIDE 11

How to build a “blockchain”

jesper➔ abhi: Ƀ50

slide-12
SLIDE 12

How to build a “blockchain”

“Hash function”

D > H( , , )

slide-13
SLIDE 13

Search for a puzzle solution

D > H( , , )

Labels on the figure: “puzzle solution”, “Difficulty”

slide-14
SLIDE 14

We found a new block

D > H( , , )

slide-15
SLIDE 15

Best way to find a solution is brute-force search: model H as a random oracle (RO)

D > H( , , )

slide-16
SLIDE 16

Honest nodes only “believe” longest chain

slide-17
SLIDE 17

jesper→ abhi

Jesper wants to erase this transaction

slide-18
SLIDE 18

jesper→ abhi

For Jesper to erase his transaction, he has to find a longer chain

slide-19
SLIDE 19

jesper→ abhi

“If transaction is sufficiently deep, he cannot do this unless he has majority hashpower”

  • [Nak’08]: “simply trying to mine alternative chain fails”
  • [GKL’15]: in synchronous network
  • [SZ’15]: “non-withholding attacks” fail also with Delta-delay networks

slide-20
SLIDE 20

“If transaction is sufficiently deep, he cannot do this unless he has majority hashpower”

  • [Nak’08]: “simply trying to mine alternative chain fails”
  • [GKL’15]: in synchronous network
  • [SZ’15]: “non-withholding attacks” fail also with Δ-delays

jesper→ abhi

slide-21
SLIDE 21

Blockchain abstraction (a la GKL,KL)

Consistency: Honest nodes agree on all but last k blocks

w/ prob exp(-k)

≤ k unstable ≤ k unstable

slide-22
SLIDE 22

Blockchain abstraction

Consistency: Honest nodes agree on all but last k blocks

w/ prob exp(-k)

≤ k unstable

Future-self consistency

≤ k unstable

slide-23
SLIDE 23

Blockchain abstraction

Consistency: Honest nodes agree on all but last k blocks

w/ prob exp(-k)

Chain quality: Any consecutive k blocks contain “sufficiently many” honest blocks

k

slide-24
SLIDE 24

Blockchain abstraction

Consistency: Honest nodes agree on all but last k blocks

w/ prob exp(-k)

Chain quality: Any consecutive k blocks contain “sufficiently many” honest blocks

Chain growth: Chain grows at a steady rate

slide-25
SLIDE 25

Blockchain implies “state machine replication” in the permissionless model

  • Blockchain: Consistency, Chain quality, Chain growth
  • Traditional “state machine replication”: Consistency, Liveness

slide-26
SLIDE 26

Theorem:

For every ρ<1/2, if “mining difficulty” is appropriately set (as a function of the network delay Δ, and total mining power), Nakamoto’s blockchain guarantees:

  • Consistency
  • Chain quality: 1 - ρ/(1-ρ)
  • Chain growth: O(1/Δ)

where ρ is the adversary’s fraction of hashpower, and the adversary controls the network

slide-27
SLIDE 27

Theorem:

For every ρ<1/3, if “mining difficulty” is appropriately set (as a function of the network delay Δ, and total mining power), Nakamoto’s blockchain guarantees:

  • Consistency
  • Chain quality: 1 - (1/3)/(2/3) = 1/2
  • Chain growth: O(1/Δ)

where ρ is the adversary’s fraction of hashpower, and the adversary controls the network

slide-28
SLIDE 28

Theorem:

For every ρ<1/2, if “mining difficulty” is appropriately set (as a function of the network delay Δ, and total mining power), Nakamoto’s blockchain guarantees:

  • Consistency
  • Chain quality: 1 - ρ/(1-ρ)
  • Chain growth: O(1/Δ)

where ρ is the adversary’s fraction of hashpower, and the adversary controls the network

slide-29
SLIDE 29

Theorem:

For every ρ<1/2, if “mining difficulty” is appropriately set (as a function of the network delay Δ, and total mining power), Nakamoto’s blockchain guarantees:

  • Consistency
  • Chain quality: 1 - ρ/(1-ρ)
  • Chain growth: O(1/Δ)

where ρ is the adversary’s fraction of hashpower, and the adversary controls the network

“Blocks are found SLOWER than Δ”

slide-30
SLIDE 30

Theorem:

For every ρ<1/2, if “mining difficulty” is appropriately set (as a function of the network delay Δ, and total mining power), Nakamoto’s blockchain guarantees:

  • Consistency
  • Chain quality: 1 - ρ/(1-ρ)
  • Chain growth: O(1/Δ)

where ρ is the adversary’s fraction of hashpower, and the adversary controls the network

“Blocktime” >> Δ

slide-31
SLIDE 31

“Appropriately set”

When c = 60 (10 min blocktime, 10s network delays):

  • Secure: ρ < 49.57 (contradicts [DW’14]’s attack!)
  • Attack: ρ > 49.79

slide-32
SLIDE 32

“Appropriately set”

[Formula not recovered; its labels: “Mining rate of honest players”, “Mining rate of Adv”, “Network Delay”]

slide-33
SLIDE 33

Theorem [Security of Nakamoto]

For every ρ<1/2, if mining difficulty is appropriately set (as a function of the network delay, and total mining power), Nakamoto’s blockchain guarantees a) consistency, b) chain quality 1 - ρ/(1-ρ), and c) Chain growth: O(1/Δ)

Theorem [Blatant attack]:

For every ρ>0, for every mining difficulty, there exists a network delay such that Nakamoto’s blockchain is inconsistent and has 0 chain quality
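
The two theorems above, worked through numerically as an added example (not from the slides or the authors' code). The two inequalities in the comments are assumptions recalled from the accompanying paper, since the formula on the “Appropriately set” slide is not on this page; c is blocktime divided by Δ, as in the c = 60 slide, and the function names are hypothetical.

```python
import math

# Assumed conditions (recalled from the accompanying paper, not on the slides),
# with c = blocktime / Δ and honest mining rate approximated as (1 - ρ) of total:
#   consistent if    (1 - ρ) * (1 - 2 * (1 - ρ) / c) > ρ
#   delay attack if  1 / c > 1 / ρ - 1 / (1 - ρ)

def secure_below(c: float) -> float:
    """Largest ρ for which the assumed consistency condition holds."""
    if c <= 2:
        return 0.0  # fails even with no adversary: blocks arrive too fast for Δ
    # Equality gives μ² - cμ + c/2 = 0 for the honest fraction μ = 1 - ρ.
    mu = (c - math.sqrt(c * c - 2 * c)) / 2
    return 1 - mu

def attack_above(c: float) -> float:
    """Smallest ρ at which the assumed delay-attack bound is met."""
    # Equality gives ρ² - (1 + 2c)ρ + c = 0; take the root in (0, 1/2).
    return ((1 + 2 * c) - math.sqrt(1 + 4 * c * c)) / 2

def classify(rho: float, c: float) -> str:
    """Place an adversarial fraction ρ relative to the two bounds for a given c."""
    if rho < secure_below(c):
        return "consistent"
    if rho > attack_above(c):
        return "attack"
    return "not covered by either bound"

if __name__ == "__main__":
    for c in (60, 10, 1, 0.01):  # constructed sample ratios
        print(f"c={c:>5}: secure for ρ < {secure_below(c):.4f}, "
              f"attack for ρ > {attack_above(c):.4f}")
```

For c = 60 the two thresholds land on the 49.57 and 49.79 figures quoted on the slide, and as c shrinks (the delay grows relative to the blocktime) the attack threshold falls toward 0, which is the blatant-attack statement.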

slide-34
SLIDE 34

Nakamoto’s protocol achieves strong robustness properties:

  • assuming “honest majority of computational power”
  • assuming puzzle difficulty is appropriately set as a function of network delay Δ

slide-35
SLIDE 35

Nakamoto’s protocol achieves strong robustness properties:

  • assuming “honest majority of computational power”
  • assuming puzzle difficulty is appropriately set as a function of network delay Δ

BUT 1: Blocktime needs to be roughly 10 * Δ to handle ρ > 0.45; thus, slow confirmation times

slide-36
SLIDE 36

Nakamoto’s protocol achieves strong robustness properties:

  • assuming “honest majority of computational power”
  • assuming puzzle difficulty is appropriately set as a function of network delay Δ

BUT 1: Blocktime needs to be roughly 10 * Δ to handle ρ > 0.45; thus, slow confirmation times

BUT 2: not fair, not incentive compatible!

slide-37
SLIDE 37

Follow-up Works

Incentive Compatibility: The Fruit Chain [PS’17]

All use our abstraction of a blockchain, as well as our analysis of Naka

slide-38
SLIDE 38

Follow-up Works

Incentive Compatibility: The Fruit Chain [PS’17]

Fast confirmation:

All use our abstraction of a blockchain, as well as our analysis of Naka

slide-39
SLIDE 39

Follow-up Works

Incentive Compatibility: The Fruit Chain [PS’17]

Fast confirmation:

  • Assuming 2/3 honesty: Hybrid Consensus [PS’16]

All use our abstraction of a blockchain, as well as our analysis of Naka

slide-40
SLIDE 40

Follow-up Works

Incentive Compatibility: The Fruit Chain [PS’17]

Fast confirmation:

  • Assuming 2/3 honesty: Hybrid Consensus [PS’16]
  • Impossible if only 2/3 − ε honest

All use our abstraction of a blockchain, as well as our analysis of Naka

slide-41
SLIDE 41

Follow-up Works

Incentive Compatibility: The Fruit Chain [PS’17]

Fast confirmation:

  • Assuming 2/3 honesty: Hybrid Consensus [PS’16]
  • Impossible if only 2/3 − ε honest
  • Optimistically Instant Confirmation: Thunderella [PS’17]

All use our abstraction of a blockchain, as well as our analysis of Naka
