13 research outputs found
Incentivising Privacy in Cryptocurrencies
Privacy was one of the key points mentioned in Nakamoto's Bitcoin whitepaper,
and one of the selling points of Bitcoin in its early stages. In hindsight,
however, de-anonymising Bitcoin users turned out to be more feasible than
expected. Since then, privacy-focused cryptocurrencies such as Zcash and Monero
have surfaced. Neither of these can be described as fully successful in its
aims, as recent research has shown. Incentives are integral to the security of
cryptocurrencies, so it is interesting to investigate whether they could also be
aligned with privacy goals. A lack of privacy often results from low user
counts, which in turn result in small anonymity sets. Could users be
incentivised to use the privacy-preserving implementations of the systems they
use? Not only is Zcash much less used than Bitcoin (which it forked from), but
most Zcash transactions are simply transparent transactions, rather than the
(at least intended to be) privacy-preserving shielded transactions. This paper
and poster briefly discuss how incentives could be incorporated into systems
like cryptocurrencies with the aim of achieving privacy goals. We take Zcash as
an example, but the ideas discussed could apply to other privacy-focused
cryptocurrencies. This work was presented as a poster at OPERANDI 2018; the
poster can be found within this short document.
Levels of Decentralization and Trust in Cryptocurrencies: Consensus, Governance and Applications
Since the appearance of Bitcoin, decentralization has become an ideal praised almost religiously. Indeed, removing the need for a central authority prevents many forms of abuse that could be performed by a trusted third party, especially when there are no transparency and accountability mechanisms in place. Decentralization is, however, a very subtle concept that has limits. In this thesis, we look at the decentralization of blockchains at three different levels.
First, we look at the consensus protocol, which is the heart of any decentralized system. The Nakamoto protocol, used by Bitcoin, has been shown to induce centralization through the shift to mining pools. Additionally, it is heavily criticized for the enormous amount of energy it requires. We propose a protocol, Fantômette, that incorporates incentives at its core and that consumes much less energy than Bitcoin and other proof-of-work based cryptocurrencies.
If the consensus protocol makes it possible to decentralize the enforcement of rules in a cryptocurrency, there is still the question of who decides on the rules. Indeed, if a central authority is able to determine what those rules are, then the fact that they are enforced in a decentralized way does not make it a decentralized system. We study the governance structure of Bitcoin and Ethereum by making measurements of their GitHub repositories and providing quantitative ways to compare their level of centralization, using appropriate metrics based on centrality measures.
Finally, many applications are now built on top of blockchains. These can also induce, or straightforwardly lead to, centralization, for example by requiring that users register their identities to comply with regulations. We show how identities can be registered on blockchains in a decentralized and privacy-preserving way.
Security Analysis of Filecoin's Expected Consensus in the Byzantine vs Honest Model
Filecoin is the largest storage-based open-source blockchain, both by storage
capacity (>11EiB) and market capitalization. This paper provides the first
formal security analysis of Filecoin's consensus (ordering) protocol, Expected
Consensus (EC). Specifically, we show that EC is secure against an arbitrary
adversary that controls a fraction of the total storage for , where is a parameter that corresponds to the expected
number of blocks per round, currently in Filecoin. We then present an
attack, the -split attack, where an adversary splits the honest miners
between multiple chains, and show that it is successful for , thus proving that is the tight
security threshold of EC. This corresponds roughly to an adversary with
of the total storage pledged to the chain. Finally, we propose two improvements
to EC security that would increase this threshold. One of these two fixes is
being implemented as a Filecoin Improvement Proposal (FIP).
Comment: AFT 202
Modeling Resources in Permissionless Longest-Chain Total-Order Broadcast
Blockchain protocols implement total-order broadcast in a permissionless setting, where processes can freely join and leave. In such a setting, to safeguard against Sybil attacks, correct processes rely on cryptographic proofs tied to a particular type of resource to make them eligible to order transactions. For example, in the case of Proof-of-Work (PoW), this resource is computation, and the proof is a solution to a computationally hard puzzle. Conversely, in Proof-of-Stake (PoS), the resource corresponds to the number of coins that every process in the system owns, and a secure lottery selects a process for participation proportionally to its coin holdings.
Although many resource-based blockchain protocols are formally proven secure in the literature, the existing security proofs fail to demonstrate why particular types of resources cause the blockchain protocols to be vulnerable to distinct classes of attacks. For instance, PoS systems are more vulnerable to long-range attacks, where an adversary corrupts past processes to re-write the history, than PoW and Proof-of-Storage systems. Proof-of-Storage-based and PoS-based protocols are both more susceptible to private double-spending attacks than PoW-based protocols; in this case, an adversary mines its chain in secret without sharing its blocks with the rest of the processes until the end of the attack.
In this paper, we formally characterize the properties of resources through an abstraction called resource allocator and give a framework for understanding longest-chain consensus protocols based on different underlying resources. In addition, we use this resource allocator to demonstrate security trade-offs between various resources focusing on well-known attacks (e.g., the long-range attack and nothing-at-stake attacks)
Winkle: Foiling Long-Range Attacks in Proof-of-Stake Systems
Winkle protects any validator-based Byzantine fault tolerant consensus mechanism, such as those used in modern Proof-of-Stake blockchains, against long-range attacks where old validators' signature keys get compromised. Winkle is a decentralized secondary layer of client-based validation, where a client includes a single additional field in a transaction that they sign: a hash of the previously sequenced block. The block that gets a threshold of signatures (confirmations) weighted by clients' coins is called a "confirmed" checkpoint. We show that under plausible and flexible security assumptions about clients, the confirmed checkpoints cannot be equivocated. We discuss how client key rotation increases security, how to accommodate the minting of coins, and how delegation allows for faster checkpoints. We evaluate checkpoint latency experimentally using Bitcoin and Ethereum transaction graphs, with and without delegation of stake.
Private Attacks in Longest Chain Proof-of-stake Protocols with Single Secret Leader Elections
Single Secret Leader Elections have recently been proposed as an improved leader election mechanism for proof-of-stake (PoS) blockchains. However, the security gain they provide has not been quantified. In this work, we present a comparison of PoS longest-chain protocols that are based on Single Secret Leader Elections (SSLE) - which elect exactly one leader per round - versus those based on Probabilistic Leader Elections (PLE) - where one leader is elected in expectation. Our analysis shows that when considering the private attack - the worst attack on longest-chain protocols [14] - the security gained from using SSLE is substantial: the settlement time is decreased by ~25% for a 33% or 25% adversary. Furthermore, when considering grinding attacks, we find that the security threshold is increased by 10% (from 0.26 in the PLE case to 0.36 in the SSLE case) and the settlement time is decreased by roughly 70% for a 20% adversary in the SSLE case.
Base Fee Manipulation In Ethereum's EIP-1559 Transaction Fee Mechanism
In 2021 Ethereum adjusted the transaction pricing mechanism by implementing
EIP-1559, which introduces the base fee - a fixed network fee per block that is
burned and adjusted dynamically in accordance with network demand. The authors
of the Ethereum Improvement Proposal (EIP) noted that a miner with more than
50% of the mining power might have an incentive to deviate from the honest
mining strategy. Instead, such a miner could propose a series of empty blocks
to increase its future rewards.
In this paper, we generalize this attack and show that under rational player
behavior, deviating from the honest strategy can be profitable for a miner with
less than 50% of the mining power. Further, even when miners do not
collaborate, it is rational for miners with less mining power to join the attack