Incentivising Privacy in Cryptocurrencies

Privacy was one of the key points mentioned in Nakamoto's Bitcoin whitepaper, and one of the selling points of Bitcoin in its early stages. In hindsight, however, de-anonymising Bitcoin users turned out to be more feasible than expected. Since then, privacy focused cryptocurrencies such as Zcash and Monero have surfaced. Both of these examples cannot be described as fully successful in their aims, as recent research has shown. Incentives are integral to the security of cryptocurrencies, so it is interesting to investigate whether they could also be aligned with privacy goals. A lack of privacy often results from low user counts, resulting in low anonymity sets. Could users be incentivised to use the privacy preserving implementations of the systems they use? Not only is Zcash much less used than Bitcoin (which it forked from), but most Zcash transactions are simply transparent transactions, rather than the (at least intended to be) privacy-preserving shielded transactions. This paper and poster briefly discusses how incentives could be incorporated into systems like cryptocurrencies with the aim of achieving privacy goals. We take Zcash as example, but the ideas discussed could apply to other privacy-focused cryptocurrencies. This work was presented as a poster at OPERANDI 2018, the poster can be found within this short document

Levels of Decentralization and Trust in Cryptocurrencies: Consensus, Governance and Applications

Since the apparition of Bitcoin, decentralization has become an ideal praised almost religiously. Indeed, removing the need for a central authority prevents many forms of abuse that could be performed by a trusted third party, especially when there are no transparency and accountability mechanisms in place. Decentralization is however a very subtle concept that has limits. In this thesis, we look at the decentralization of blockchains at three different levels. First we look at the consensus protocol, which is the heart of any decentralized system. The Nakamoto protocol, used by Bitcoin, has been shown to induce centralization through the shift to mining pools. Additionally, it is heavily criticized for the enormous amount of energy it requires. We propose a protocol, Fantômette, that incorporates incentives at its core and that consumes much less energy than Bitcoin and other proof-of-work based cryptocurrencies. If the consensus protocol makes it possible to decentralize the enforcement of rules in a cryptocurrency, there is still the question of who decides on the rules. Indeed, if a central authority is able to determine what those rules are then the fact that they are enforced in a decentralized way does not make it a decentralized system. We study the governance structure of Bitcoin and Ethereum by making measurements of their GitHub repositories and providing quantitative ways to compare their level of centralization by using appropriate metrics based on centrality measures. Finally, many applications are now built on top of blockchains. These can also induce or straightforwardly lead to centralization, for example by requiring that users register their identities to comply with regulations. We show how identities can be registered on blockchains in a decentralized and privacy-preserving way

Security Analysis of Filecoin's Expected Consensus in the Byzantine vs Honest Model

Filecoin is the largest storage-based open-source blockchain, both by storage capacity (>11EiB) and market capitalization. This paper provides the first formal security analysis of Filecoin's consensus (ordering) protocol, Expected Consensus (EC). Specifically, we show that EC is secure against an arbitrary adversary that controls a fraction $\beta$ of the total storage for $\beta m< 1- e^{-(1-\beta)m}$, where $m$ is a parameter that corresponds to the expected number of blocks per round, currently $m=5$ in Filecoin. We then present an attack, the $n$-split attack, where an adversary splits the honest miners between multiple chains, and show that it is successful for $\beta m \ge 1- e^{-(1-\beta)m}$, thus proving that $\beta m= 1- e^{-(1-\beta)m}$ is the tight security threshold of EC. This corresponds roughly to an adversary with $20\%$ of the total storage pledged to the chain. Finally, we propose two improvements to EC security that would increase this threshold. One of these two fixes is being implemented as a Filecoin Improvement Proposal (FIP).Comment: AFT 202

Modeling Resources in Permissionless Longest-Chain Total-Order Broadcast

Blockchain protocols implement total-order broadcast in a permissionless setting, where processes can freely join and leave. In such a setting, to safeguard against Sybil attacks, correct processes rely on cryptographic proofs tied to a particular type of resource to make them eligible to order transactions. For example, in the case of Proof-of-Work (PoW), this resource is computation, and the proof is a solution to a computationally hard puzzle. Conversely, in Proof-of-Stake (PoS), the resource corresponds to the number of coins that every process in the system owns, and a secure lottery selects a process for participation proportionally to its coin holdings. Although many resource-based blockchain protocols are formally proven secure in the literature, the existing security proofs fail to demonstrate why particular types of resources cause the blockchain protocols to be vulnerable to distinct classes of attacks. For instance, PoS systems are more vulnerable to long-range attacks, where an adversary corrupts past processes to re-write the history, than PoW and Proof-of-Storage systems. Proof-of-Storage-based and PoS-based protocols are both more susceptible to private double-spending attacks than PoW-based protocols; in this case, an adversary mines its chain in secret without sharing its blocks with the rest of the processes until the end of the attack. In this paper, we formally characterize the properties of resources through an abstraction called resource allocator and give a framework for understanding longest-chain consensus protocols based on different underlying resources. In addition, we use this resource allocator to demonstrate security trade-offs between various resources focusing on well-known attacks (e.g., the long-range attack and nothing-at-stake attacks)

Modeling Resources in Permissionless Longest-chain Total-order Broadcast

Blockchain protocols implement total-order broadcast in a permissionless setting, where processes can freely join and leave. In such a setting, to safeguard against Sybil attacks, correct processes rely on cryptographic proofs tied to a particular type of resource to make them eligible to order transactions. For example, in the case of Proof-of-Work (PoW), this resource is computation, and the proof is a solution to a computationally hard puzzle. Conversely, in Proof-of-Stake (PoS), the resource corresponds to the number of coins that every process in the system owns, and a secure lottery selects a process for participation proportionally to its coin holdings. Although many resource-based blockchain protocols are formally proven secure in the literature, the existing security proofs fail to demonstrate why particular types of resources cause the blockchain protocols to be vulnerable to distinct classes of attacks. For instance, PoS systems are more vulnerable to long-range attacks, where an adversary corrupts past processes to re-write the history, than Proof-of-Work and Proof-of-Storage systems. Proof-of-Storage-based and Proof-of-Stake-based protocols are both more susceptible to private double-spending attacks than Proof-of-Work-based protocols; in this case, an adversary mines its chain in secret without sharing its blocks with the rest of the processes until the end of the attack. In this paper, we formally characterize the properties of resources through an abstraction called resource allocator and give a framework for understanding longest-chain consensus protocols based on different underlying resources. In addition, we use this resource allocator to demonstrate security trade-offs between various resources focusing on well-known attacks (e.g., the long-range attack and nothing-at-stake attacks)

Winkle: Foiling Long-Range Attacks in Proof-of-Stake Systems

Winkle protects any validator-based byzantine fault tolerant consensus mechanisms, such as those used in modern Proof-of-Stake blockchains, against long-range attacks where old validators’ signature keys get compromised. Winkle is a decentralized secondary layer of client-based validation, where a client includes a single additional field into a transaction that they sign: a hash of the previously sequenced block. The block that gets a threshold of signatures (confirmations) weighted by clients’ coins is called a “confirmed” checkpoint. We show that under plausible and flexible security assumptions about clients the confirmed checkpoints can not be equivocated. We discuss how client key rotation increases security, how to accommodate for coins’ minting and how delegation allows for faster checkpoints. We evaluate checkpoint latency experimentally using Bitcoin and Ethereum transaction graphs, with and without delegation of stake

Private Attacks in Longest Chain Proof-of-stake Protocols with Single Secret Leader Elections

Single Secret Leader Elections have recently been proposed as an improved leader election mechanism for proof-of-stake (PoS) blockchains. However, the security gain they provide has not been quantified. In this work, we present a comparison of PoS longest-chain protocols that are based on Single Secret Leader Elections (SSLE) - that elect exactly one leader per round - versus those based on Probabilistic Leader Elections (PLE) - where one leader is elected on expectation. Our analysis shows that when considering the private attack - the worst attack on longest-chain protocols [14] - the security gained from using SSLE is substantial: the settlement time is decreased by ~ 25% for a 33% or 25% adversary. Furthermore, when considering grinding attacks, we find that the security threshold is increased by 10% (from 0.26 in the PLE case to 0.36 in the SSLE case) and the settlement time is decreased by roughly 70% for a 20% adversary in the SSLE case

Base Fee Manipulation In Ethereum's EIP-1559 Transaction Fee Mechanism

In 2021 Ethereum adjusted the transaction pricing mechanism by implementing EIP-1559, which introduces the base fee - a fixed network fee per block that is burned and adjusted dynamically in accordance with network demand. The authors of the Ethereum Improvement Proposal (EIP) noted that a miner with more than 50% of the mining power might have an incentive to deviate from the honest mining strategy. Instead, such a miner could propose a series of empty blocks to increase its future rewards. In this paper, we generalize this attack and show that under rational player behavior, deviating from the honest strategy can be profitable for a miner with less than 50% of the mining power. Further, even when miners do not collaborate, it is rational for smaller mining power miners to join the attack