29 research outputs found
Everything is a Race and Nakamoto Always Wins
Nakamoto invented the longest chain protocol, and claimed its security by analyzing the private double-spend attack, a race between the adversary and the honest nodes to grow a longer chain. But is it the worst attack? We answer the question in the affirmative for three classes of longest chain protocols, designed for different consensus models: 1) Nakamoto's original Proof-of-Work protocol; 2) Ouroboros and SnowWhite Proof-of-Stake protocols; 3) Chia Proof-of-Space protocol. As a consequence, exact characterization of the maximum tolerable adversary power is obtained for each protocol as a function of the average block time normalized by the network delay. The security analysis of these protocols is performed in a unified manner by a novel method of reducing all attacks to a race between the adversary and the honest nodes.
Leaderless Byzantine Fault Tolerant Consensus
Byzantine fault tolerant (BFT) consensus has recently gained much attention
because of its intriguing connection with blockchains. Several state-of-the-art
BFT consensus protocols have been proposed in the age of blockchains such as
Tendermint [5], Pala [9], Streamlet [8], HotStuff [23], and Fast-HotStuff [17].
These protocols are all leader-based (i.e., protocols run in a series of views,
and each view has a delegated node called the leader to coordinate all
consensus decisions). To make progress, leader-based BFT protocols usually rely
on view synchronization, which is an ad-hoc way of rotating the leader and
synchronizing nodes to the same view with the leader for enough overlap time.
However, many studies and system implementations show that existing methods of
view synchronization are complicated and bug-prone [2], [15], [16], [19]. In
this paper, we aim to design a leaderless Byzantine fault tolerant (LBFT)
protocol, in which nodes simply compete to propose blocks (containing a batch
of clients' requests) without the need of explicit coordination through view
synchronization. LBFT also enjoys several other desirable features emphasized
recently by the research community, such as the chain structure, pipelining
techniques, and advanced cryptography [5], [6], [9], [17], [23]. With these
efforts, LBFT can achieve both good performance (e.g., O(n) or O(n log n)
message complexity) and prominent simplicity.
Comment: 13 pages, 4 figures
Safe Permissionless Consensus
Nakamoto's consensus protocol works in a permissionless model, where nodes can join and leave without notice.
However, it guarantees agreement only probabilistically.
Is this weaker guarantee a necessary concession to the severe demands of supporting a permissionless model?
This paper shows that, at least in a benign failure model, it is not. It presents Sandglass, the first permissionless consensus algorithm that guarantees deterministic agreement and termination with probability 1 under general omission failures.
Like Nakamoto, Sandglass adopts a hybrid synchronous communication model, where, at all times, a majority of nodes (though their number is unknown) are correct and synchronously connected, and allows nodes to join and leave at any time.
Time-Restricted Double-Spending Attack on PoW-based Blockchains
Numerous blockchain applications are designed with tasks that naturally have
finite durations, and hence, a double-spending attack (DSA) on such blockchain
applications leans towards being conducted within a finite timeframe,
specifically before the completion of their tasks. Furthermore, existing
research suggests that practical attackers typically favor executing a DSA
within a finite timeframe due to their limited computational resources. These
observations serve as the impetus for this paper to investigate a
time-restricted DSA (TR-DSA) model on Proof-of-Work based blockchains. In this
TR-DSA model, an attacker only mines its branch within a finite timeframe, and
the TR-DSA is considered unsuccessful if the attacker's branch fails to surpass
the honest miners' branch when the honest miners' branch has grown by a
specific number of blocks. First, we developed a general closed-form expression
for the success probability of a TR-DSA. This developed probability not only
can assist in evaluating the risk of a DSA on blockchain applications with
timely tasks, but also can enable practical attackers with limited
computational resources to assess the feasibility and expected reward of
launching a TR-DSA. In addition, we provide rigorous proof that the success
probability of a TR-DSA is no greater than that of a time-unrestricted DSA
where the attacker indefinitely mines its branch. This result implies that
blockchain applications with timely tasks are less vulnerable to DSAs than
blockchain applications that provide attackers with an unlimited timeframe for
their attacks. Furthermore, we show that the success probability of a TR-DSA is
always smaller than one even though the attacker controls more than half of the
hash rate in the network. This result alerts attackers that there is still a
risk of failure in launching a TR-DSA even if they amass a majority of the hash
rate in the network.
Comment: 13 pages, 8 figures. arXiv admin note: text overlap with
arXiv:2304.0996
STAKESURE: Proof of Stake Mechanisms with Strong Cryptoeconomic Safety
As of July 15, 2023, Ethereum, which is a Proof-of-Stake (PoS) blockchain
[1], has around 410 Billion USD in total assets on chain (popularly referred to
as total-value-locked, TVL) but has only 33 Billion USD worth of ETH staked in
securing the underlying consensus of the chain [2]. A preliminary analysis
might suggest that as the amount staked is far less (11x less) than the value
secured, the Ethereum blockchain is insecure and "over-leveraged" in a purely
cryptoeconomic sense. In this work, we investigate how Ethereum, or, more
generally, any PoS blockchain can be made secure despite this apparent
imbalance. Towards that end, we attempt to formalize a model for analyzing the
cryptoeconomic safety of PoS blockchain, which separately analyzes the
cost-of-corruption, the cost incurred by an attacker, and the
profit-from-corruption, the profit gained by an attacker. We derive sharper
bounds on profit-from-corruption, as well as new confirmation rules that
significantly decrease this upper-bound. We evaluate cost-of-corruption and
profit-from-corruption only from the perspective of attacking safety. Finally,
we present a new "insurance" mechanism, STAKESURE, for allocating the slashed
funds in a PoS system, that has several highly desirable properties: solving
common information problem in existing blockchains, creating a mechanism for
provably safe bridging, and providing the first sharp solution for
automatically adjusting how much economic security is sufficient in a PoS
system. Finally, we show that the system satisfies a notion of strong
cryptoeconomic safety, which guarantees that no honest transactor ever loses
money, and creates a closed system of Karma, which not only ensures that the
attacker suffers a loss of funds but also that the harmed parties are
sufficiently compensated.
Comment: 18 pages, 3 figures
Transaction Capacity, Security and Latency in Blockchains
We analyze how secure a block is after the block becomes k-deep, i.e.,
security-latency, for Nakamoto consensus under an exponential network delay
model. We give parameter regimes for which transactions are safe when
sufficiently deep in the chain. We compare our results for Nakamoto consensus
under bounded network delay models and obtain analogous bounds for safety
violation threshold. Next, modeling the blockchain system as a batch service
queue with exponential network delay, we connect the security-latency analysis
to sustainable transaction rate of the queue system. As our model assumes
exponential network delay, batch service queue models give a meaningful
trade-off between transaction capacity, security and latency. As the adversary can
attack the queue service to hamper the service process, we consider two
different attacks for the adversary. In an extreme scenario, we modify the
selfish-mining attack for this purpose and consider its effect on the
sustainable transaction rate of the queue.
Security Analysis of Filecoin's Expected Consensus in the Byzantine vs Honest Model
Filecoin is the largest storage-based open-source blockchain, both by storage
capacity (>11EiB) and market capitalization. This paper provides the first
formal security analysis of Filecoin's consensus (ordering) protocol, Expected
Consensus (EC). Specifically, we show that EC is secure against an arbitrary
adversary that controls a fraction of the total storage for , where is a parameter that corresponds to the expected
number of blocks per round, currently in Filecoin. We then present an
attack, the -split attack, where an adversary splits the honest miners
between multiple chains, and show that it is successful for , thus proving that is the tight
security threshold of EC. This corresponds roughly to an adversary with
of the total storage pledged to the chain. Finally, we propose two improvements
to EC security that would increase this threshold. One of these two fixes is
being implemented as a Filecoin Improvement Proposal (FIP).
Comment: AFT 202
Modeling Resources in Permissionless Longest-Chain Total-Order Broadcast
Blockchain protocols implement total-order broadcast in a permissionless setting, where processes can freely join and leave. In such a setting, to safeguard against Sybil attacks, correct processes rely on cryptographic proofs tied to a particular type of resource to make them eligible to order transactions. For example, in the case of Proof-of-Work (PoW), this resource is computation, and the proof is a solution to a computationally hard puzzle. Conversely, in Proof-of-Stake (PoS), the resource corresponds to the number of coins that every process in the system owns, and a secure lottery selects a process for participation proportionally to its coin holdings.
Although many resource-based blockchain protocols are formally proven secure in the literature, the existing security proofs fail to demonstrate why particular types of resources cause the blockchain protocols to be vulnerable to distinct classes of attacks. For instance, PoS systems are more vulnerable to long-range attacks, where an adversary corrupts past processes to re-write the history, than PoW and Proof-of-Storage systems. Proof-of-Storage-based and PoS-based protocols are both more susceptible to private double-spending attacks than PoW-based protocols; in this case, an adversary mines its chain in secret without sharing its blocks with the rest of the processes until the end of the attack.
In this paper, we formally characterize the properties of resources through an abstraction called resource allocator and give a framework for understanding longest-chain consensus protocols based on different underlying resources. In addition, we use this resource allocator to demonstrate security trade-offs between various resources focusing on well-known attacks (e.g., the long-range attack and nothing-at-stake attacks).
Crystal: Enhancing Blockchain Mining Transparency with Quorum Certificate
Researchers have discovered a series of theoretical attacks against Bitcoin's
Nakamoto consensus; the most damaging ones are selfish mining, double-spending,
and consistency delay attacks. These attacks have one common cause: block
withholding. This paper proposes Crystal, which leverages quorum certificates
to resist block withholding misbehavior. Crystal continuously elects committees
from miners and requires each block to have a quorum certificate, i.e., a set
of signatures issued by members of its committee. Consequently, an attacker has
to publish its blocks to obtain quorum certificates, rendering block
withholding impossible. To build Crystal, we design a novel two-round committee
election in a Sybil-resistant, unpredictable and non-interactive way, and a
reward mechanism to incentivize miners to follow the protocol. Our analysis and
evaluations show that Crystal can significantly mitigate selfish mining and
double-spending attacks. For example, in Bitcoin, an attacker with 30% of the
total computation power will succeed in double-spending attacks with a
probability of 15.6% to break the 6-confirmation rule; however, in Crystal, the
success probability for the same attacker falls to 0.62%. We provide formal
end-to-end safety proofs for Crystal, ensuring no unknown attacks will be
introduced. To the best of our knowledge, Crystal is the first protocol that
prevents selfish mining and double-spending attacks while providing safety
proof.
Comment: 17 pages, 9 figures