Bobtail: Improved Blockchain Security With Low-Variance Mining - - PowerPoint PPT Presentation

Bobtail: Improved Blockchain Security With Low-Variance Mining

GEORGE BISSIAS BRIAN LEVINE

UNIVERSITY OF MASSACHUSETTS AMHERST

Compressed Review of Blockchains

BLOCK ENTRY 1 ENTRY 2 . . . ENTRY N

▸ We focus on public / open blockchains

that use proof-of-work (PoW)

▸ Decentralized and distributed ledgers ▸ Ledger comprises set of transactions ▸ Financial, logistical, legal, … ▸ PoW: not the only approach, but most

popular and relatively easy to analyze

B 1 BTC A

Incentive for block proposal

BOBTAIL

Proof-of-Work Mining Basics

▸ Miners repeatedly hash block header ▸ Hashes are within ▸ A block is mined when hash falls

below

▸ Block time is function of hash rate

(seconds)

▸ Convention is to extend longest chain

[0,S] t T h

HASH BLOCK HEADER BLOCK

t v

T

h

BLOCK Transactions

BOBTAIL

Mining is a Lottery

▸ Miners “draw” numbers

until they cross threshold 5

BOBTAIL

Mining is a Lottery

▸ Miners “draw” numbers

until they cross threshold 5

▸ Each draw “costs” a hash

17

BOBTAIL

Mining is a Lottery

▸ Miners “draw” numbers

until they cross threshold 5

▸ Each draw “costs” a hash

17 42

BOBTAIL

Mining is a Lottery

▸ Miners “draw” numbers

until they cross threshold 5

▸ Each draw “costs” a hash ▸ First to cross threshold wins ▸ Winner receives a reward

and proposes a block 17 42

. . .

3

BOBTAIL

Mining is a Lottery

▸ Miners “draw” numbers

until they cross threshold 5

▸ Each draw “costs” a hash ▸ First to cross threshold wins ▸ Winner receives a reward

and proposes a block

▸ Game repeats

. . . . . . . . .

BOBTAIL

Mining statistics

▸ Time to draw below threshold

is approximately

▸ 20% miner expects to take 4

times as long to mine a block as

• thers

Expon (

T q )

20% 80%

5 4 T

5T

q p

5 4 T

(Individual) (Others)

BOBTAIL

Double-spending Attack

▸ Alice trades car for 1 BTC ▸ Transaction appears in block 1 ▸ Assumes majority are mining

chain

▸ Alice knows about law of large

numbers

▸ Goods are released only once

payment has “confirmations”

z

1 …

Alice (merchant) Bob (attacker)

Transaction

B 1 BTC A

z

BOBTAIL

Double-spending Attack

▸ Bob steals goods if red chain

grows longer than blue

▸ Relies on high variance of the

exponential distribution

▸ Goods worth more than cost

• f attack?

1 … 1

Alice (merchant) Bob (attacker)

Transaction

B 1 BTC A

2

Transaction

B 1 BTC B′

z

BOBTAIL

Attack Success Probability

▸ Attacker needs to get ahead

by at least one block sometime after the first blocks

▸ Even a 20% miner has 5%

chance of winning after 6 blocks

z

k = 1 0.0% 10.0% 20.0% 30.0% 40.0% 50.0% 60.0% 70.0% 80.0% 90.0%

. of succcessful doublespend

1 3 5 7 9 11

Embargo Period z

attacker mining power

0.1 0.2 0.3 0.4 0.45

BOBTAIL

Bobtail Protocol Details

▸ Assemble a block containing transactions ▸ Hash header as usual to generate

“proofs”

▸ Disseminate proofs that are “low enough”

to neighbors

▸ Maintain queue of lowest proofs ▸ Assemble proofs whose mean is below ▸ Each proof miner receives reward

k k t

tk

1 k ∑

i

pi

T

PROOF BLOCK

h

BLOCK

. . .

PROOF BLOCK

h

p1 p2 p5 p3 p4 p1 p2 p3 p4 p5

BOBTAIL

New Lottery: Bobtail

▸ Miners draw numbers until

the average of any 2 cross threshold 5

BOBTAIL

New Lottery: Bobtail

9

▸ Miners draw numbers until

the average of any 2 cross threshold 5

▸ Each draw still “costs” a hash

BOBTAIL

New Lottery: Bobtail

3 9

▸ Miners draw numbers until

the average of any 2 cross threshold 5

▸ Each draw still “costs” a hash

BOBTAIL

New Lottery: Bobtail

3 9 12

. . .

▸ Miners draw numbers until

the average of any 2 cross threshold 5

▸ Each draw still “costs” a hash

BOBTAIL

New Lottery: Bobtail

▸ Miners draw numbers until

the average of any 2 cross threshold 5

▸ Each draw still “costs” a hash ▸ First 2 to cross threshold win ▸ Winners receive a reward

and lowest proposes a block 3 9 12 6

. . .

3

BOBTAIL

Impact on Doublespend Attack Efficacy

▸ Status quo (Bitcoin) ▸ 20% attacker succeeds

approximately 5% of the time after 6 confirmations

▸ Bobtail with k=20 ▸ 20% attacker succeeds less than

1% of the time with just 2 confirmations

attacker mining power

0.1 0.2 0.3 0.4 0.45

k = 1 0.0% 10.0% 20.0% 30.0% 40.0% 50.0% 60.0% 70.0% 80.0% 90.0%

. of succcessful doublespend

1 3 5 7 9 11

Embargo Period z

1 3 5 7 9 11 k = 20

BOBTAIL

Relative Statistics

▸ Mining time with Bobtail for fixed target : ▸ Expected value increases by ▸ Variance increases by ▸ When expected times are aligned: ▸ ▸ Relative variance

t k + 1 2 (k + 1)(2k + 1) 6k tk = k + 1 2 t O(1/k)

5 10 15 20 25 30 35 40 45 50 55 60 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 5 10 15 20 25 30 35 40

Ethereum (seconds per block) Bitcoin (minutes per block) CDF k

1 10 20 40 5

BOBTAIL

What is the Cost?

▸ Size of meta data increases by

160B

k ⋅

BOBTAIL

What is the Cost?

▸ Size of meta data increases by

160B

▸ Increased network overhead ▸ Mitigated by not sending proofs in the “tail” ▸ Graphene can be used to reduce redundancy

k ⋅

Gamma shape k Don’t send Send

BOBTAIL

What is the Cost?

▸ Size of meta data increases by

160B

▸ Increased network overhead ▸ New attacks must be considered ▸ Proof withholding ▸ Denial-of-Service (DoS)

k ⋅

Summary

▸ Mining process is akin to a lottery ▸ We can skew statistics in favor of honest majority ▸ This greatly mitigates fundamental attacks ▸ Doublespend susceptibility reduced by orders of magnitude ▸ Primary cost is increased network and block overhead