cryptocurrencies and pow distributed consensus
play

Cryptocurrencies and (PoW) Distributed Consensus Ren Zhang & - PDF document

May 24, 2023 •320 likes •584 views

Cryptocurrencies and Distributed May 2019 Consensus Cryptocurrencies and (PoW) Distributed Consensus Ren Zhang & Bart Preneel ren.zhang@esat.kuleuven.be bart.preneel@esat.kuleuven.be 1 Science of Nakamoto Consensus

  1. Cryptocurrencies and Distributed May 2019 Consensus Cryptocurrencies and (PoW) Distributed Consensus Ren Zhang & Bart Preneel ren.zhang@esat.kuleuven.be bart.preneel@esat.kuleuven.be 1 Science of Nakamoto Consensus [Garay-Kiayias-Leonardos’15] [Kiayias-Panagiotakos’15] [Pass-Seeman-Shelat17] • chain growth: chain grows proportionally with the number of time steps • chain quality/blockchain quality/fairness: fraction of blocks proportional to mining power • (blockchain) consistency: agreement among players on blockchain except for last  blocks • liveliness: no transaction censorship 2 1

  2. Cryptocurrencies and Distributed May 2019 Consensus Science of Nakamoto Consensus [PSS17] Rafael Pass, Lior Seeman, and Abhi Shelat. Analysis of the blockchain protocol in asynchronous networks. Eurocrypt‘17 3 Tortoise and Publish or Hares Perish Conflux 4 2

  3. Cryptocurrencies and Distributed May 2019 Consensus 5 ’s Nakamoto Consensus NC  To resolve fork  Longest chain (roughly) if there is one  First-received in a tie  To issue rewards  Main chain blocks receive full rewards  Orphaned blocks receive nothing Key Weakness  imperfect chain quality: a <50% attacker can modify the blockchain with high success rate 6 3

  4. Cryptocurrencies and Distributed May 2019 Consensus 7 Imperfect Chain Quality 👊 3 Attacks Selfish Mining broadcast time attacker block the public time The attacker gains unfair block rewards; rational miners would join the attacker, which damages decentralization 8 4

  5. Cryptocurrencies and Distributed May 2019 Consensus Imperfect Chain Quality 👊 3 Attacks broadcast time Double-spending attacker block Tx: A→B 6 confirmation, B delivers the product the public time Tx: A→A’ The attacker reverses confirmed txs Subversion bounty = minimum double-spending reward to incentivize attack attempts 9 Imperfect Chain Quality 👊 3 Attacks “I do not stand by in the presence of evil” Censorship (feather-forking) the public Threat: I will try to invalidate all time blocks confirming these txs Rational choice: join the attacker in censorship The attacker becomes a de facto owner These 3 attacks are most influential. 10 5

  6. Cryptocurrencies and Distributed May 2019 Consensus Other attacks – out of scope as beyond pure consensus protocol [Bonneau’16]  Renting mining equipment  Bribing miners [Meshkov+’17]  Coin hopping (based on difficulty adjustments) [Eyal’15]  Attacks on mining pools [Kwon+’17] [Carlsten+’16]  If block rewards shrink: claim less transaction fees on fork so miners join for remaining higher [Tsabary+’18] fees 11 Our Evaluation Framework: Four Metrics A protocol claims to be more secure than NC: it either  achieves better chain quality or  resists better against all three attacks:  selfish mining 👊 incentive compatibility (revenue)  double-spending 👊 subversion gain  censorship 👊 censorship susceptibility Byzantine adversaries rather than rational (check [Zhang-P’19] for the math definitions) 12 6

  7. Cryptocurrencies and Distributed May 2019 Consensus ? Candidates  “I can raise the chain quality” Better-chain- quality protocols  UTB: Ethereum PoW, Bitcoin-NG (Aeternity, Waves) [tie breaking rule]  SHTB: DECOR+ (Rootstock)  UDTB: Byzcoin, Omniledger  Publish or Perish  “I don’t need to raise the chain quality, I can defend Attack-resistant against the attacks” protocols  Reward-all (“compensate the losers”): FruitChains, [topology/reward Ethereum PoW, Inclusive, SPECTRE, PHANTOM, … distribution]  Punishment (“fine all suspects”): DECOR+, Bahack’s idea this talk  Reward-lucky (content-based reward): Subchains, Bobtail check [Zhang-P’19] 13 Attack model • Attacker works on a single chain • Ignore transaction fees • Expected block interval identical for all protocols • Zero natural orphan rate (low delay) Longest chain rule + rational attacker: can prove that there are at most two chains: public/attacker 14 7

  8. Cryptocurrencies and Distributed May 2019 Consensus MDP-based Method [Saphirstein-Sompolinsky-Zohar, FC’16] Define the attacker’s utility according to the security metric 1. of interest Model the consensus protocol as a Markov decision 2. process (MDP) Compute the attacker’s optimal strategies and their 3. maximum utilities in various settings 15 MDP description S: State space A: Action space P: Stochastic transition matrix R: Reward matrix 16 8

  9. Cryptocurrencies and Distributed May 2019 Consensus MDP: Action space A for Bitcoin a length of attacker’s chain after last fork h blocks of honest miner’s chain after last fork Adopt: attack accepts honest network chain; discard a attacker blocks Override: attacker publishes his blocks to form longest chain (a > h) Match: most recent block was published by honest miners; attacker publishes a block to create a tie Wait: attacker keeps mining 17 MDP: State space for Bitcoin (a, h, fork) a length of attacker’s chain after last fork h blocks of honest miner’s chain after last fork fork: relevant: previous state was of form (a, h-1, *) (a  h, match is feasible) irrelevant: previous state was of form (a-1, h, *) match not feasible active: honest network is already split due to a match 18 9

  10. Cryptocurrencies and Distributed May 2019 Consensus MDP: Transition and reward matrices Prob.  Initial state is (1,0,irrelevant) Prob. 1-  Initial state is (0,1,irrelevant) Reward: (accepted attacker blocks, accepted honest blocks) 19 MDP challenges Objective function is non-linear Can only solve for finite state space (size 10 7 ): simplified attack strategies: bounds estimate truncation error 20 10

  11. Cryptocurrencies and Distributed May 2019 Consensus MDP-based Method Define the attacker’s utility according to the security metric of 1. interest Model the consensus protocol as a Markov decision process 2. (MDP) Compute the attacker’s optimal strategies and their maximum 3. utilities in various settings Compare the utilities with NC, find out when they are 4. better/worse Check the respective strategies, find out why 5. 21 Results 22 11

  12. Cryptocurrencies and Distributed May 2019 Consensus Cows Are Not Round in Reality Do not equate the security of a consensus protocol with its cryptocurrency  Many real-world factors affect the attack difficulty (e.g., 51% attack against ETC vs. against Bitcoin)  Several systems introduce extra protection after we started this work 23 😁 better Simplified “Better-Chain-Quality” Results 😖 it depends 😠 worse Chain “Better-chain-quality” Protocol Quality 😠 (omitted here, check Uniform tie-breaking Ethereum PoW, Bitcoin-NG (Aeternity, the paper) Waves) Smallest-hash tie-breaking ? DECOR+ (Rootstock) Unpredictable deterministic tie- ? breaking DÉCOR+LAMI, Byzcoin, Omniledger 😖 (omitted here, check Publish or perish the paper) 24 12

  13. Cryptocurrencies and Distributed May 2019 Consensus Better-Chain-Quality: SHTB & UDTB  = fraction of nodes to B which attacker can send blocks first (in case of a tie) the public A Smallest hash tie-  Compare H(A) and H(B): break the tie with the smallest breaking (SHTB) hash regardless of which one is received first  Compare, e.g., F K (A ⨁ B, A) and F K (A ⨁ B, B): Unpredictable deterministic tie- break the tie with a deterministic PRF regardless of breaking (UDTB) which one is received first NC, γ=0.5  First received tie-breaking; when two chains broadcast simultaneously, choose randomly 25 Chain Quality of Better-Chain-Quality Ranking NC, 𝛿 = 0.5 > UDTB > SHTB Why is NC, 𝛿 = the compliant 0.5 better than miners’ blocks UDTB? the attacker’s blocks time Why does SHTB perform so bad? 𝛽 = 0.02 Hash=40/100 Hash=1/100 26 13

  14. Cryptocurrencies and Distributed May 2019 Consensus Simplified “Better-Chain-Quality” Results 27 😁 better Simplified “Better-Chain-Quality” Results 😖 it depends 😠 worse Chain “Better-chain-quality” Protocol Quality Ethereum PoW, Bitcoin-NG (Aeternity, Waves) 😠 Uniform tie-breaking 😠 Smallest-hash tie-breaking DECOR+ (Rootstock) 😠 Unpredictable deterministic tie-breaking DECOR+LAMI, Byzcoin, Omniledger 😖 Publish or perish 28 14

  15. Cryptocurrencies and Distributed May 2019 Consensus Better-Chain-Quality Protocols: General Results  No protocol achieves the ideal chain quality when the attacker mining power 𝛽 > 1/4  No protocol performs better than NC, 𝛿 = 0 for all 𝛽 Why?  The protocols cannot distinguish between honest/attacker blocks Why can’t they?  Information asymmetry: the attacker acts on all info; compliant miners do not Why don’t they?  Inconsistent assumptions: (try to be) asynchronous, acting on limited public info 29 😁 better “Attack-Resistant” Results 😖 it depends 😠 worse “Attack-resistant” Incentive Censorship Subversion gain Protocol compatibility susceptibility Reward-all ? ? ? 👊 FruitChains Punishment ? ? ? 👊 Reward-splitting Reward-lucky ? ? ? 👊 Subchains 30 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptocurrencies Outline and Distributed Electronic payments Consensus Secure transactions

Cryptocurrencies Outline and Distributed Electronic payments Consensus Secure transactions

Cryptocurrencies and Distributed Consensus May 2019 Cryptocurrencies Outline and Distributed Electronic payments Consensus Secure transactions Secure execution: contracts PROF. DR. IR. BART PRENEEL COSIC KU LEUVEN, BELGIUM AND IMEC

248 views • 21 slides
Distributed Algorithms (PhD course) Consensus SARDAR MUHAMMAD SULAMAN Consensus The

Distributed Algorithms (PhD course) Consensus SARDAR MUHAMMAD SULAMAN Consensus The

Distributed Algorithms (PhD course) Consensus SARDAR MUHAMMAD SULAMAN Consensus The processes use consensus to agree on a common value out of values they initially propose Reaching consensus is one of the most fundamental problems in

591 views • 38 slides
Implementing Distributed Consensus Dan Ldtke What? My hobby project of learning about

Implementing Distributed Consensus Dan Ldtke What? My hobby project of learning about

Implementing Distributed Consensus Dan Ldtke What? My hobby project of learning about Distributed Consensus I implemented a Paxos variant in Go and learned a lot about reaching consensus A fine selection of some of the

944 views • 73 slides
Consensus in Distributed Systems Course: Distributed Computing Faculty: Dr. Rajendra Prasath

Consensus in Distributed Systems Course: Distributed Computing Faculty: Dr. Rajendra Prasath

Consensus in Distributed Systems Course: Distributed Computing Faculty: Dr. Rajendra Prasath Spring 2019 About this topic This course covers various concepts in Consensus in Distributed Systems. We will also focus on the essential aspects of

553 views • 38 slides
Consensus in Distributed Systems Jeff Chase Duke University Consensus P 1 P 1 v 1 d 1

Consensus in Distributed Systems Jeff Chase Duke University Consensus P 1 P 1 v 1 d 1

Consensus in Distributed Systems Jeff Chase Duke University Consensus P 1 P 1 v 1 d 1 Unreliable Consensus multicast algorithm P 2 P 3 P 2 P 3 v 2 d 2 v 3 d 3 Step 1 Step 2 Propose. Decide. Generalizes to N nodes/processes.

334 views • 10 slides
1 What makes consensus hard? Fischer, Lynch and Patterson Fundamentally, the issue revolves

1 What makes consensus hard? Fischer, Lynch and Patterson Fundamentally, the issue revolves

Consensus a classic problem Consensus, impossibility Consensus abstraction underlies many results and Paxos distributed systems and protocols N processes They start execution with inputs { 0,1} Ken Birman Asynchronous,

255 views • 8 slides
Distributed Systems CS425/ECE428 03/06/2020 Todays agenda Consensus Consensus in

Distributed Systems CS425/ECE428 03/06/2020 Todays agenda Consensus Consensus in

Distributed Systems CS425/ECE428 03/06/2020 Todays agenda Consensus Consensus in synchronous systems Chapter 15.4 Impossibility of consensus in asynchronous systems Impossibility of Distributed Consensus with One Faulty

714 views • 40 slides
Distributed Algorithms (PhD course) Consensus SARDAR MUHAMMAD SULAMAN Consensus (Recapitulation)

Distributed Algorithms (PhD course) Consensus SARDAR MUHAMMAD SULAMAN Consensus (Recapitulation)

Distributed Algorithms (PhD course) Consensus SARDAR MUHAMMAD SULAMAN Consensus (Recapitulation) A consensus abstraction is specified in terms of two events: 1. Propose ( propose | v ) Each process has an initial value v that it proposes

636 views • 45 slides
Cryptocurrencies bitcoin, blockchain &amp; beyond Roger Wattenhofer ETH Zurich Distributed

Cryptocurrencies bitcoin, blockchain &amp; beyond Roger Wattenhofer ETH Zurich Distributed

Cryptocurrencies bitcoin, blockchain &amp; beyond Roger Wattenhofer ETH Zurich Distributed Computing Group Cryptocurrencies What is Bitcoin? = + + Technology The Bank of Bitcoin The Bank of Bitcoin User Balance A 2 B 5 C 8

1.25k views • 104 slides
Incentives in cryptocurrencies Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to:

Incentives in cryptocurrencies Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to:

ECRYPT Workshop on Cryptocurrencies Incentives in cryptocurrencies Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store and broadcast the block chain Validate new transactions Vote (by hash power) on consensus

939 views • 68 slides
CONSENSUS Fall 2012 Ken Birman Consensus a classic problem Consensus abstraction underlies

CONSENSUS Fall 2012 Ken Birman Consensus a classic problem Consensus abstraction underlies

IMPOSSIBILITY OF CONSENSUS Fall 2012 Ken Birman Consensus a classic problem Consensus abstraction underlies many distributed systems and protocols N processes They start execution with inputs {0,1} Asynchronous,

511 views • 35 slides
Who Am I? Secure Identity Registration on Distributed Ledgers Sarah Azouvi Mustafa Al-Bassam

Who Am I? Secure Identity Registration on Distributed Ledgers Sarah Azouvi Mustafa Al-Bassam

Who Am I? Secure Identity Registration on Distributed Ledgers Sarah Azouvi Mustafa Al-Bassam Sarah Meiklejohn (University College London) 1 Cryptocurrencies 2 Cryptocurrencies Pseudonyms 2 Cryptocurrencies Pseudonyms tx(pk A pk B ) 2

719 views • 43 slides
Consensus and Dissent or: Meta - Consensus Consensus about what we have consensus

Consensus and Dissent or: Meta - Consensus Consensus about what we have consensus

Consensus and Dissent or: Meta - Consensus Consensus about what we have consensus on Building on Bitcoin Lisboa, Portugal -- 4 July 2018 Paul Sztorc Twitter: @truthcoin paul@tierion.com 16C8 1597 E76E 86E6 C01E F037 AA4B 3330

619 views • 37 slides
Keeping RAFT Afloat Cloud Scale Distributed Consensus Philip Haynes YOW! Data September 2016

Keeping RAFT Afloat Cloud Scale Distributed Consensus Philip Haynes YOW! Data September 2016

Keeping RAFT Afloat Cloud Scale Distributed Consensus Philip Haynes YOW! Data September 2016 ThreatMetrix Confidential Information Do Not Copy or Distribute Without Express Written Permission CONSENSUS? To the general public, consensus

347 views • 22 slides
Distributed Consensus with Process Failures Paulo S ergio Almeida Distributed Systems Group

Distributed Consensus with Process Failures Paulo S ergio Almeida Distributed Systems Group

Distributed Consensus with Process Failures Paulo S ergio Almeida Distributed Systems Group Departamento de Inform atica Universidade do Minho 2007/2008 2007 Paulo S c ergio Almeida Distributed Consensus with Process Failures 1

556 views • 31 slides
Bitcoin and Nakamoto Consensus Distributed Systems, Spring 2020 Nikita Borisov Topics for Today

Bitcoin and Nakamoto Consensus Distributed Systems, Spring 2020 Nikita Borisov Topics for Today

Bitcoin and Nakamoto Consensus Distributed Systems, Spring 2020 Nikita Borisov Topics for Today Replicated State Machines and Log Consensus Bitcoin Consensus approach Transaction broadcast MP2 overview Announcements

358 views • 31 slides
Taxation &amp; Developm ent Henrik Kleven Professor, London School of Economics Co-Director, IGC

Taxation &amp; Developm ent Henrik Kleven Professor, London School of Economics Co-Director, IGC

Taxation &amp; Developm ent Henrik Kleven Professor, London School of Economics Co-Director, IGC State Capabilities Programme Asim I Khwaja Professor, Harvard Kennedy School Co-Lead Academic, IGC Pakistan I GC Grow th W eek 2 0 1 4 Outline

398 views • 35 slides
Banking industry update Primatics Financial Risk and Finance Banking Industry Event, May 12, 2015

Banking industry update Primatics Financial Risk and Finance Banking Industry Event, May 12, 2015

Banking industry update Primatics Financial Risk and Finance Banking Industry Event, May 12, 2015 Chicago, Ill. This document is confidential and is intended solely for the use and information of the SNL Financial and the individual, group,

580 views • 31 slides
2021 Unified Transportation Program Development Texas Transportation Commission 2021 Unified

2021 Unified Transportation Program Development Texas Transportation Commission 2021 Unified

2021 Unified Transportation Program Development Texas Transportation Commission 2021 Unified Transportation Program Development June 25, 2020 June 25, 2020 Unified Transportation Program Purpose Despite its importance to TxDOT as a

291 views • 12 slides
Tax Cuts for Whom? Heterogeneous Effects of Income Tax Changes on Growth &amp; Employment Owen

Tax Cuts for Whom? Heterogeneous Effects of Income Tax Changes on Growth &amp; Employment Owen

Tax Cuts for Whom? Heterogeneous Effects of Income Tax Changes on Growth &amp; Employment Owen Zidar University of California, Berkeley All UC Group - Huntington Library Conference April 6, 2013 1 Variation in Tax Policy &amp; Structure of

303 views • 29 slides
Using Network Analysis to Understand Public Health Delivery Systems &amp; Population Health

Using Network Analysis to Understand Public Health Delivery Systems &amp; Population Health

Using Network Analysis to Understand Public Health Delivery Systems &amp; Population Health Improvement Glen Mays, PhD, MPH University of Kentucky glen.mays@uky.edu systemsforaction.org AcademyHealth Annual Research Meeting Boston, MA

723 views • 28 slides
ISPA December 15 th , 2014 ISPA and the WG SP strategy From fragmented approaches to harmonized

ISPA December 15 th , 2014 ISPA and the WG SP strategy From fragmented approaches to harmonized

Inter-agency SP assessment ISPA December 15 th , 2014 ISPA and the WG SP strategy From fragmented approaches to harmonized systems Interagency SP ASPIRE assessments (ISPA) What do How do we we know move to about SP harmonized systems?

643 views • 24 slides
Consumer Challenge Panel Consumer Challenge Panel National Consumer Roundtable on Energy Angela

Consumer Challenge Panel Consumer Challenge Panel National Consumer Roundtable on Energy Angela

Consumer Challenge Panel Consumer Challenge Panel National Consumer Roundtable on Energy Angela Bourke - 8 March 2013 1 Outline of presentation Consumer challenge concept Ofgem and Ofwat experience Australian context

391 views • 20 slides
Burning assets for a sustainable future Climate finance and divestment from stranded assets in

Burning assets for a sustainable future Climate finance and divestment from stranded assets in

Burning assets for a sustainable future Climate finance and divestment from stranded assets in the context of the NDCs and the Sustainable Development Goals Daniel Huppmann, David McCollum, Wenji Zhou, Volker Krey, Keywan Riahi IAEE

173 views • 16 slides

More recommend