Bitcoin -- The Miner's Dilemma by Ittay Eyal :: SSRN
MiniSwap -- A New Hybrid Incentive Model in DeFi
Cryptocurrency exchanges process over $20 billion in trade volume per day. Most transactions go through centralized exchanges, which users must fully trust to manage their assets and transactions. The risk of trusting these centralized exchanges has also materialized: for example, QuadrigaCX, once the largest cryptocurrency exchange in Canada, lost $19 million of its customers' assets. Decentralized Exchanges (DEXes) have been introduced to address this problem: they allow traders to buy and sell cryptocurrencies in a peer-to-peer manner, so no trusted party is involved.

Atomic Swap is one promising technology for implementing a DEX. While it enables pure peer-to-peer trading, it also introduces problems such as unfairness and long confirmation latency. Existing work has provided a solution towards a fair atomic swap protocol, but the long confirmation latency is inherent.

Another promising direction is leveraging liquidity pools. With liquidity pools, pairs of assets are reserved for trading. For any pair of assets supported by the liquidity pool, traders can exchange their assets without any third party. As traders can only perform transactions if there are reserved assets, one core problem is how to attract liquidity providers to provide liquidity by reserving assets. It is not difficult to see that incentives [3,4], which have been a key component of all permissionless blockchains, can be used to incentivize liquidity providers. However, flawed incentive designs lead to attacks and other concerns [5-13].

There are two main types of incentive designs, namely "trans-fee mining" and "liquidity mining". They differ from the Proof-of-X mining that blockchains use to reach consensus (a detailed analysis can be found in the survey). Rather, they are used to incentivize users to join the ecosystem.

"Trans-fee mining" was proposed by FCoin in 2018. With FCoin, each time a transaction is created, 100% of its transaction fee is returned to the payer as a reward, paid in FCoin token. This is one incentive design to encourage traders to join the system. However, as FCoin token may have no value to the trader, FCoin also introduces an extra reward for all coin holders: 80% of the transaction fee in its native currency (such as ETH) is distributed to all coin holders. So traders are incentivized to join the system, become holders of FCoin token, and obtain a share of the transaction fee of every transaction in the FCoin ecosystem. While this successfully attracted traders, it is not sustainable. Rather than charging a trader to perform transactions, FCoin rewards traders. Profit-driven traders will create transactions at full speed to earn FCoin token and their share as token holders. Indeed, the trading volume of FCoin was the highest among all exchange services, and the daily reward could be as high as 6000 BTC. However, once all coins are minted, the system loses liveness, as there is not enough supply left to distribute.

"Liquidity mining" aims at rewarding the liquidity providers rather than the traders. There are different ways to implement liquidity mining. Compound is a well-known example of a protocol deploying liquidity mining. With Compound, users become liquidity providers by supplying assets to a pool and earn interest on their contribution (similar to depositing money into a bank). Liquidity providers first reserve some assets in the pool and obtain Compound's "cToken", which entitles the owner to an increasing quantity of the underlying asset. Users can use their "cToken" to borrow different assets available on Compound and pay some interest to Compound. The borrowers may make quick gains through financial games. Both borrowers and liquidity providers can withdraw their assets by trading them back with "cToken". Owners of "cToken" can also manage the business direction and decisions of Compound through weighted voting. The potential concern here is that rich users might be able to take control of the system.

Uniswap is another popular DEX deploying liquidity mining. Uniswap incentivizes liquidity providers by giving them a share of the earned transaction fees. In particular, Uniswap charges each transaction a 0.3% fee, of which 0.25% is distributed to the liquidity providers and 0.05% goes to the Uniswap account. One issue is how to incentivize traders. With Uniswap, traders are incentivized by the potential profit they can gain from the price difference between Uniswap and other exchanges. The Uniswap price oracle is based on constant function market makers [20,21], where the product of the numbers of reserved tokens is a constant. For example, if Uniswap holds a pair of X token A and Y token B, then when a user uses X' token A to buy Y' token B, the product of the reserved numbers of tokens should remain the same, i.e., XY = (X+X')(Y-Y'). The price on Uniswap (V1) is also defined in this way. This allows traders to speculate in the exchange market, as the asset price on Uniswap changes dynamically and differs from other exchanges. On the other hand, this may pose a security risk, as the price can be easily manipulated. Uniswap (V2) fixed this problem by taking a price accumulated over a period of time. However, as speculation/manipulation becomes harder, the trading volume may decrease.

MiniSwap introduces a hybrid model (a mixture of "trans-fee mining" and "liquidity mining") to address the above issues. MiniSwap provides three types of rewards. For each trade with transaction fee f ETH in MiniSwap, a number of MiniSwap tokens (called MINI) worth 2f ETH will be minted. A (parameterized) portion of the tokens is given to the trader, and the rest is distributed to the liquidity providers.
The transaction fee (f ETH) is used to buy MINI from the liquidity pool. 50% of the obtained MINI is distributed to all MINI holders, and the other 50% is destroyed. In this way, both traders and liquidity providers are incentivized to join the ecosystem.

Recall that with FCoin there is a problem once all coins are minted. MiniSwap has an upper bound (of 500,000 tokens) on the number of tokens that can be created every day, and this limit decreases every month until it reaches a point where the limit (18,000 tokens) remains unchanged. This guarantees the sustainability of the system, as the mining process can last for 100 years. The parameterized ratio of tokens given as reward to the trader and the liquidity provider can also strengthen sustainability. It enables the system to dynamically balance the incentives of the different parties in the system to make it more sustainable.

Overall, the MiniSwap hybrid model takes the benefits of both the "trans-fee mining" model and the "liquidity mining" model, while eliminating the potential concerns. Formally defining and analyzing these models, e.g. through a game-theoretic approach, would be an interesting direction.

References

[1] The Guardian. Cryptocurrency investors locked out of $190m after exchange founder dies, 2019.
[2] Runchao Han, Haoyu Lin, Jiangshan Yu. On the optionality and fairness of Atomic Swaps. ACM Conference on Advances in Financial Technologies, 2019.
[3] Satoshi Nakamoto. Bitcoin: a peer-to-peer electronic cash system, 2008.
[4] Jiangshan Yu, David Kozhaya, Jeremie Decouchant, and Paulo Verissimo. Repucoin: your reputation is your power. IEEE Transactions on Computers, 2019.
[5] Joseph Bonneau. Why Buy When You Can Rent? Bribery Attacks on Bitcoin-Style Consensus. Financial Cryptography and Data Security, International Workshops on BITCOIN, VOTING, and WAHC, 2016.
[6] Yujin Kwon, Hyoungshick Kim, Jinwoo Shin, and Yongdae Kim. Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash. IEEE Symposium on Security and Privacy (SP), 2019.
[7] Kevin Liao and Jonathan Katz. Incentivizing blockchain forks via whale transactions. International Conference on Financial Cryptography and Data Security, 2017.
[8] Ayelet Sapirshtein, Yonatan Sompolinsky, and Aviv Zohar. Optimal Selfish Mining Strategies in Bitcoin. Financial Cryptography and Data Security, 2016.
[9] Ittay Eyal and Emin Gün Sirer. Majority Is Not Enough: Bitcoin Mining Is Vulnerable. Financial Cryptography and Data Security, 2014.
[10] Ittay Eyal. The Miner's Dilemma. IEEE Symposium on Security and Privacy, 2015.
[11] Miles Carlsten, Harry A. Kalodner, S. Matthew Weinberg, and Arvind Narayanan. On the Instability of Bitcoin Without the Block Reward. ACM SIGSAC Conference on Computer and Communications Security, 2016.
[12] Kartik Nayak, Srijan Kumar, Andrew Miller, and Elaine Shi. Stubborn mining: generalizing selfish mining and combining with an eclipse attack. IEEE European Symposium on Security and Privacy, 2016.
[13] Runchao Han, Zhimei Sui, Jiangshan Yu, Joseph K. Liu, Shiping Chen. Sucker punch makes you richer: Rethinking Proof-of-Work security model. IACR Cryptology ePrint Archive, 2019.
[14] Christopher Natoli, Jiangshan Yu, Vincent Gramoli, Paulo Jorge Esteves Veríssimo. Deconstructing Blockchains: A Comprehensive Survey on Consensus, Membership and Structure. CoRR abs/1908.08316, 2019.
[15] FCoin. https://www.fcoin.pro
[16] The Block Crypto. Cryptocurrency exchange Fcoin expects to default on as much as $125M of users' bitcoin, 2020.
[17] Compound. https://compound.finance
[18] Philip Daian, Steven Goldfeder, Tyler Kell, Yunqi Li, Xueyuan Zhao, Iddo Bentov, Lorenz Breidenbach, Ari Juels. Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges. IEEE Symposium on Security and Privacy, 2020.
[19] Uniswap. https://uniswap.org
[20] Bowen Liu, Pawel Szalachowski. A First Look into DeFi Oracles. CoRR abs/2005.04377, 2020.
[21] Guillermo Angeris, Tarun Chitra. Improved Price Oracles: Constant Function Market Makers. CoRR abs/2003.10001, 2020.
[22] Uniswap V2.0 whitepaper. https://uniswap.org/whitepaper.pdf
[23] MiniSwap. https://www.miniswap.org
[24] Ziyao Liu, Nguyen Cong Luong, Wenbo Wang, Dusit Niyato, Ping Wang, Ying-Chang Liang, Dong In Kim. A Survey on Blockchain: A Game Theoretical Perspective. IEEE Access, 2019.
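A worked example of the constant-product pricing rule XY = (X+X')(Y-Y') and of the accumulated-price mitigation discussed in the essay above, added here as illustration (this is not code from the essay, Uniswap or MiniSwap). It assumes a fee-free pool of 1000 A and 1000 B (constructed values), one-second blocks, and models the V2-style accumulator simply as spot price multiplied by elapsed time, sampled at each block boundary before that block's trades.

```python
from fractions import Fraction


class ConstantProductPool:
    """Fee-free constant-product pool: reserves x of token A and y of token B,
    with x*y held constant across a trade, i.e. XY = (X+X')(Y-Y')."""

    def __init__(self, x, y):
        self.x = Fraction(x)
        self.y = Fraction(y)

    def spot_price(self):
        """Price of one A in units of B, as implied by the current reserves."""
        return self.y / self.x

    def swap_a_for_b(self, dx):
        """Deposit dx of A; receive the amount of B that keeps x*y constant."""
        k = self.x * self.y
        new_x = self.x + Fraction(dx)
        new_y = k / new_x
        dy = self.y - new_y
        self.x, self.y = new_x, new_y
        return dy


class CumulativePriceOracle:
    """Simplified V2-style oracle (assumption, not Uniswap's exact code):
    accumulate spot_price * elapsed_time at each block boundary; a consumer
    reads the average price over a window as the difference of two samples."""

    def __init__(self):
        self.cumulative = Fraction(0)
        self.last_time = 0
        self.samples = {}

    def update(self, pool, now):
        self.cumulative += pool.spot_price() * (now - self.last_time)
        self.last_time = now
        self.samples[now] = self.cumulative

    def twap(self, t0, t1):
        """Time-weighted average price between two sampled boundaries."""
        return (self.samples[t1] - self.samples[t0]) / (t1 - t0)


def single_trade_impact(reserve_a=1000, reserve_b=1000, amount_in=1000):
    """Return (price_before, b_received, price_after) for one large A->B trade,
    showing how far one trade can move the reserve-implied spot price."""
    pool = ConstantProductPool(reserve_a, reserve_b)
    before = pool.spot_price()
    received = pool.swap_a_for_b(amount_in)
    after = pool.spot_price()
    return before, received, after


def spot_vs_twap(blocks=10, amount_in=1000):
    """Run `blocks` one-second blocks on a 1000/1000 pool with one large trade
    in the final block. Return (spot price a contract would read straight from
    the reserves, time-weighted average over the whole window)."""
    pool = ConstantProductPool(1000, 1000)
    oracle = CumulativePriceOracle()
    oracle.update(pool, 0)
    for t in range(1, blocks):
        oracle.update(pool, t)          # quiet blocks: price stays at 1
    pool.swap_a_for_b(amount_in)        # large trade lands in the last block
    oracle.update(pool, blocks)         # next boundary records the moved price
    return pool.spot_price(), oracle.twap(0, blocks)


if __name__ == "__main__":
    before, got, after = single_trade_impact()
    print(f"spot before {before}, received {got} B, spot after {after}")
    spot, twap = spot_vs_twap()
    print(f"reserve-based spot {spot} vs time-weighted average {twap}")
```

The same trade that moves the reserve-implied price by a factor of four shifts the ten-block average by only 7.5%; the window length is the knob a consuming contract tunes, since a price held across many blocks still moves the average.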
I'm still finding users who are convinced that increasing the block size will centralize Bitcoin. This misinformation is highly pervasive due to Blockstream's censorship and social engineering. Here are some actual references from people who have tested the subject scientifically.
If you fall in this camp, then here are two references for you:
This was in 2016, so it's even outdated:
A new study by the Initiative for CryptoCurrencies and Contracts (IC3) at the Jacobs Technion-Cornell Institute authored by Christian Decker, Ittay Eyal, Andrew Miller and Emin Gün Sirer, among others, found that bitcoin’s blocksize could currently scale up to 4MB without affecting decentralization. (source)
"We're looking forward. We're not assuming you're going to run a 5-year-old computer. The purpose of this is to say what can be done with computers today and even tomorrow. Obviously we're not going to be using 1 GB blocks tomorrow. But the fact is that a relatively inexpensive computer today can do so."
My take on it: The goal is not 100mb blocks tomorrow. It's a gradual increase, with technological improvements as we go, that enable scaling without bottlenecks. It has been proven to be done. There are those who spread misinformation on the subject of scaling because they benefit in some way from small blocks.
Abstract

Nakamoto's famous blockchain protocol enables achieving consensus in a so-called permissionless setting: anyone can join (or leave) the protocol execution, and the protocol instructions do not depend on the identities of the players. His ingenious protocol prevents "sybil attacks" (where an adversary spawns any number of new players) by relying on computational puzzles (a.k.a. "moderately hard functions") introduced by Dwork and Naor (Crypto'92). Recent work by Garay et al. (EuroCrypt'15) and Pass et al. (manuscript, 2016) demonstrates that this protocol provably achieves consistency and liveness assuming a) honest players control a majority of the computational power in the network, b) the puzzle hardness is appropriately set as a function of the maximum network delay and the total computational power of the network, and c) the computational puzzle is modeled as a random oracle.

Assuming honest participation, however, is a strong assumption, especially in a setting where honest players are expected to perform a lot of work (to solve the computational puzzles). In Nakamoto's Bitcoin application of the blockchain protocol, players are incentivized to solve these puzzles by receiving rewards for every "block" (of transactions) they contribute to the blockchain. An elegant work by Eyal and Sirer (FinancialCrypt'14), strengthening and formalizing an earlier attack discussed on the Bitcoin forum, demonstrates that a coalition controlling even a minority fraction of the computational power in the network can gain (close to) 2 times its "fair share" of the rewards (and transaction fees) by deviating from the protocol instructions. In contrast, in a fair protocol one would expect players controlling a ϕ fraction of the computational resources to reap a ϕ fraction of the rewards.

In this work, we present a new blockchain protocol, the FruitChain protocol, which satisfies the same consistency and liveness properties as Nakamoto's protocol (assuming an honest majority of the computing power), and additionally is δ-approximately fair: with overwhelming probability, any honest set of players controlling a ϕ fraction of computational power is guaranteed to get at least a fraction (1−δ)ϕ of the blocks (and thus rewards) in any Ω(κ/δ)-length segment of the chain (where κ is the security parameter). As a consequence, if this blockchain protocol is used as the ledger underlying a cryptocurrency system, where rewards and transaction fees are evenly distributed among the miners of blocks in a length-κ segment of the chain, no coalition controlling less than a majority of the computing power can gain more than a factor (1+3δ) by deviating from the protocol (i.e., honest participation is an n/2-coalition-safe 3δ-Nash equilibrium). Finally, the FruitChain protocol enables decreasing the variance of mining rewards and as such significantly lessens (or even obliterates) the need for mining pools.

References

[sol] http://www.coinwarz.com/calculators/bitcoin-mining-calculator
[BCL+05] Boaz Barak, Ran Canetti, Yehuda Lindell, Rafael Pass, and Tal Rabin. Secure computation without authentication. In CRYPTO'05, 2005.
[BHP+] Iddo Bentov, Yuncong Hu, Rafael Pass, Elaine Shi, and Siqiu Yao. Decentralized pooled mining: An implementation of fruitchain. Manuscript.
[BPS16] Iddo Bentov, Rafael Pass, and Elaine Shi. Snow white: Provably secure proofs of stake. Cryptology ePrint Archive, Report 2016/919, 2016. http://eprint.iacr.org/2016/919
[CKWN16] Miles Carlsten, Harry A. Kalodner, S. Matthew Weinberg, and Arvind Narayanan. On the instability of bitcoin without the block reward. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016, pages 154–167, 2016.
[DN92] Cynthia Dwork and Moni Naor. Pricing via processing or combatting junk mail. In CRYPTO'92, pages 139–147, 1992.
[ES14] Ittay Eyal and Emin Gün Sirer. Majority is not enough: Bitcoin mining is vulnerable. In Financial Cryptography and Data Security, pages 436–454. Springer, 2014.
[GKL15] Juan Garay, Aggelos Kiayias, and Nikos Leonardos. The bitcoin backbone protocol: Analysis and applications. In Advances in Cryptology - EUROCRYPT 2015, pages 281–310. Springer, 2015.
[HP15] Joseph Y. Halpern and Rafael Pass. Algorithmic rationality: Game theory with costly computation. J. Economic Theory, 156:246–268, 2015.
[KKKT16] Aggelos Kiayias, Elias Koutsoupias, Maria Kyropoulou, and Yiannis Tselekounis. Blockchain mining games. In Proceedings of the 2016 ACM Conference on Economics and Computation, EC '16, pages 365–382, 2016.
[KP15] Aggelos Kiayias and Giorgos Panagiotakos. Speed-security tradeoffs in blockchain protocols, 2015.
[KP16] Aggelos Kiayias and Giorgos Panagiotakos. On trees, chains and fast transactions in the blockchain. IACR Cryptology ePrint Archive, 2016:545, 2016.
[KRDO16] Aggelos Kiayias, Alexander Russell, Bernardo David, and Roman Oliynykov. Ouroboros: A provably secure proof-of-stake blockchain protocol. Cryptology ePrint Archive, Report 2016/889, 2016. http://eprint.iacr.org/2016/889
[LSZ15] Yoad Lewenberg, Yonatan Sompolinsky, and Aviv Zohar. Inclusive block chain protocols. In Financial Crypto'15, 2015.
[mtg10] mtgox. https://bitcointalk.org/index.php?topic=2227.msg29606#msg29606, 2010.
[Nak08] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system, 2008.
[NKMS16] Kartik Nayak, Srijan Kumar, Andrew Miller, and Elaine Shi. Stubborn mining: Generalizing selfish mining and combining with an eclipse attack. In IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany, March 21-24, 2016, pages 305–320, 2016.
[PSS17] Rafael Pass, Lior Seeman, and Abhi Shelat. Analysis of the blockchain protocol in asynchronous networks. In Eurocrypt, 2017.
[PS16] Rafael Pass and Elaine Shi. Hybrid consensus. http://eprint.iacr.org/2016/917, 2016.
[SSZ16] Ayelet Sapirshtein, Yonatan Sompolinsky, and Aviv Zohar. Optimal selfish mining strategies in bitcoin. In Financial Crypto'16, 2016.
[SZ15] Yonatan Sompolinsky and Aviv Zohar. Secure high-rate transaction processing in bitcoin. In Financial Cryptography and Data Security - 19th International Conference, FC 2015, San Juan, Puerto Rico, January 26-30, 2015, Revised Selected Papers, pages 507–527, 2015.
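An added illustration (not code from the FruitChain paper) of the two bounds the abstract above states: a party with hashrate fraction ϕ should receive at least (1−δ)ϕ of the blocks in a long enough segment, and no sub-majority coalition should collect more than (1+3δ)ϕ. The miner ids, hashrates and the 100-block segment are constructed. Because the guarantee holds with overwhelming probability only over Ω(κ/δ)-length segments, the audit is a monitoring check: a short window outside the bounds is a signal to look closer, not proof of deviation, and the binomial tail shows how quickly honest variance stops explaining a shortfall as the window grows.

```python
import math
from collections import Counter


def fairness_bounds(phi, delta):
    """(floor, ceiling) on a party's block share: the (1-delta)*phi guarantee
    for honest players and the (1+3*delta)*phi cap on a sub-majority coalition."""
    return (1 - delta) * phi, (1 + 3 * delta) * phi


def honest_shortfall_probability(segment_len, phi, delta):
    """Exact P[X < (1-delta)*phi*L] for X ~ Binomial(L, phi): how often an honest
    party of hashrate phi falls below the floor by chance alone in a perfectly
    fair L-block segment. Driving this to negligible is what forces the
    Omega(kappa/delta) segment length in the abstract."""
    floor_count = (1 - delta) * phi * segment_len
    prob = 0.0
    for k in range(segment_len + 1):
        if k >= floor_count:
            break
        prob += math.comb(segment_len, k) * phi ** k * (1 - phi) ** (segment_len - k)
    return prob


def audit_segment(miners, hashrates, delta):
    """Compare each miner's observed block share in a chain segment (a list of
    miner ids, one entry per block) against its fairness bounds.
    Returns {miner: (share, verdict)} with verdict in
    {'ok', 'above_ceiling', 'below_floor'}."""
    counts = Counter(miners)
    total = len(miners)
    report = {}
    for miner, phi in hashrates.items():
        share = counts[miner] / total
        floor, ceiling = fairness_bounds(phi, delta)
        if share > ceiling:
            verdict = "above_ceiling"
        elif share < floor:
            verdict = "below_floor"
        else:
            verdict = "ok"
        report[miner] = (share, verdict)
    return report


# Constructed sample: three miners with known hashrate fractions and a
# 100-block segment in which A is over-represented and C under-represented.
SAMPLE_HASHRATES = {"A": 0.3, "B": 0.5, "C": 0.2}
SAMPLE_SEGMENT = ["A"] * 40 + ["B"] * 46 + ["C"] * 14


def sample_audit(delta=0.1):
    """Audit the constructed segment with delta = 0.1."""
    return audit_segment(SAMPLE_SEGMENT, SAMPLE_HASHRATES, delta)


if __name__ == "__main__":
    for miner, (share, verdict) in sample_audit().items():
        print(miner, f"{share:.2f}", verdict)
    for length in (10, 50, 200):
        print(length, honest_shortfall_probability(length, 0.5, 0.2))
```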
Abstract

The term Nakamoto consensus is generally used to refer to Bitcoin's novel consensus mechanism, by which agreement on its underlying transaction ledger is reached. It is argued that this agreement protocol represents the core innovation behind Bitcoin, because it promises to facilitate the decentralization of trusted third parties. Specifically, Nakamoto consensus seeks to enable mutually distrusting entities with weak pseudonymous identities to reach eventual agreement while the set of participants may change over time. When the Bitcoin white paper was published in late 2008, it lacked a formal analysis of the protocol and the guarantees it claimed to provide. It took the scientific community several years before the first steps towards such a formalization of the Bitcoin protocol and Nakamoto consensus were presented. Since then, however, the number of works addressing this topic has grown substantially, providing many new and valuable insights. Herein, we present a coherent picture of advancements towards the formalization of Nakamoto consensus, as well as a contextualization with respect to previous research on the agreement problem and fault-tolerant distributed computing. Thereby, we outline how Bitcoin's consensus mechanism sets itself apart from previous approaches and where it can provide new impulses and directions to the scientific community. Understanding the core properties and characteristics of Nakamoto consensus is of key importance, not only for assessing the security and reliability of various blockchain systems that are based on the fundamentals of this scheme, but also for designing future systems that aim to fulfill comparable goals.
Cryptology ePrint Archive, Report 2017/913, 2017. Accessed:2017-09-26. [PSL80] Marshall Pease, Robert Shostak, and Leslie Lamport. Reaching agreement in the presence of faults. volume 27, pages 228–234. ACM, 1980. [PSs16] Rafael Pass, Lior Seeman, and abhi shelat. Analysis of the blockchain protocol in asynchronous networks. http://eprint.iacr.org/2016/454.pdf, 2016. Accessed: 2016-08-01. [Rab83] Michael O Rabin. Randomized byzantine generals. In Foundations of Computer Science, 1983., 24th Annual Symposium on, pages 403–409. IEEE, 1983. [Rei96] Michael K Reiter. A secure group membership protocol. volume 22, page 31, 1996. [Ric93] Aleta M Ricciardi. The group membership problem in asynchronous systems. PhD thesis, Cornell University, 1993. [Ros14] M. Rosenfeld. Analysis of hashrate-based double spending. http://arxiv.org/abs/1402.2009, 2014. Accessed: 2016-03-09. [RSW96] Ronald L Rivest, Adi Shamir, and David A Wagner. Time-lock puzzles and timed-release crypto. 1996. [Sch90] Fred B Schneider. Implementing fault-tolerant services using the state machine approach: A tutorial. volume 22, pages 299–319. ACM, 1990. [SLZ16] Yonatan Sompolinsky, Yoad Lewenberg, and Aviv Zohar. Spectre: A fast and scalable cryptocurrency protocol. Cryptology ePrint Archive, Report 2016/1159, 2016. Accessed: 2017-02-20. [SSZ15] Ayelet Sapirshtein, Yonatan Sompolinsky, and Aviv Zohar. Optimal selfish mining strategies in bitcoin. http://arxiv.org/pdf/1507.06183.pdf, 2015. Accessed: 2016-08-22. [SW16] David Stolz and Roger Wattenhofer. Byzantine agreement with median validity. In LIPIcs-Leibniz International Proceedings in Informatics, volume 46. Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, 2016. [Swa15] Tim Swanson. Consensus-as-a-service: a brief report on the emergence of permissioned, distributed ledger systems. http://www.ofnumbers.com/wp-content/uploads/2015/04/Permissioned-distributed-ledgers.pdf, Apr 2015. Accessed: 2017-10-03. [SZ13] Yonatan Sompolinsky and Aviv Zohar. 
Accelerating bitcoin’s transaction processing. fast money grows on trees, not chains, 2013. [SZ16] Yonatan Sompolinsky and Aviv Zohar. Bitcoin’s security model revisited. http://arxiv.org/pdf/1605.09193, 2016. Accessed: 2016-07-04. [Sza14] Nick Szabo. The dawn of trustworthy computing. http://unenumerated.blogspot.co.at/2014/12/the-dawn-of-trustworthy-computing.html, 2014. Accessed: 2017-12-01. [TS16] Florian Tschorsch and Bjorn Scheuermann. Bitcoin and ¨ beyond: A technical survey on decentralized digital currencies. In IEEE Communications Surveys Tutorials, volume PP, pages 1–1, 2016. [VCB+13] Giuliana Santos Veronese, Miguel Correia, Alysson Neves Bessani, Lau Cheuk Lung, and Paulo Verissimo. Efficient byzantine fault-tolerance. volume 62, pages 16–30. IEEE, 2013. [Ver03] Paulo Ver´ıssimo. Uncertainty and predictability: Can they be reconciled? In Future Directions in Distributed Computing, pages 108–113. Springer, 2003. [Vuk15] Marko Vukolic. The quest for scalable blockchain fabric: ´ Proof-of-work vs. bft replication. In International Workshop on Open Problems in Network Security, pages 112–125. Springer, 2015. [Vuk16] Marko Vukolic. Eventually returning to strong consistency. https://pdfs.semanticscholar.org/a6a1/b70305b27c556aac779fb65429db9c2e1ef2.pdf, 2016. Accessed: 2016-08-10. [XWS+17] Xiwei Xu, Ingo Weber, Mark Staples, Liming Zhu, Jan Bosch, Len Bass, Cesare Pautasso, and Paul Rimba. A taxonomy of blockchain-based systems for architecture design. In Software Architecture (ICSA), 2017 IEEE International Conference on , pages 243–252. IEEE, 2017. [YHKC+16] Jesse Yli-Huumo, Deokyoon Ko, Sujin Choi, Sooyong Park, and Kari Smolander. Where is current research on blockchain technology? – a systematic review. volume 11, page e0163477. Public Library of Science, 2016. [ZP17] Ren Zhang and Bart Preneel. On the necessity of a prescribed block validity consensus: Analyzing bitcoin unlimited mining protocol. http://eprint.iacr.org/2017/686, 2017. 
Accessed: 2017-07-20.
Abstract Cryptocurrencies, based on and led by Bitcoin, have shown promise as infrastructure for pseudonymous online payments, cheap remittance, trustless digital asset exchange, and smart contracts. However, Bitcoin-derived blockchain protocols have inherent scalability limits that trade off between throughput and latency and withhold the realization of this potential. This paper presents Bitcoin-NG, a new blockchain protocol designed to scale. Based on Bitcoin's blockchain protocol, Bitcoin-NG is Byzantine fault tolerant, is robust to extreme churn, and shares the same trust model, obviating qualitative changes to the ecosystem. In addition to Bitcoin-NG, we introduce several novel metrics of interest in quantifying the security and efficiency of Bitcoin-like blockchain protocols. We implement Bitcoin-NG and perform large-scale experiments at 15% the size of the operational Bitcoin system, using unchanged clients of both protocols. These experiments demonstrate that Bitcoin-NG scales optimally, with bandwidth limited only by the capacity of the individual nodes and latency limited only by the propagation time of the network.
Abstract Transaction throughput, confirmation latency and confirmation reliability are fundamental performance measures of any blockchain system in addition to its security. In a decentralized setting, these measures are limited by two underlying physical network attributes: communication capacity and speed-of-light propagation delay. Existing systems operate far away from these physical limits. In this work we introduce Prism, a new proof-of-work blockchain protocol, which can achieve 1) security against up to 50% adversarial hashing power; 2) optimal throughput up to the capacity C of the network; 3) confirmation latency for honest transactions proportional to the propagation delay D, with confirmation error probability exponentially small in the product CD; 4) eventual total ordering of all transactions. Our approach to the design of this protocol is based on deconstructing the blockchain into its basic functionalities and systematically scaling up these functionalities to approach their physical limits.
Abstract Blockchain systems are designed to produce blocks at a constant average rate. The most popular systems currently employ a Proof of Work (PoW) algorithm as a means of creating these blocks. Bitcoin produces, on average, one block every 10 minutes. An unfortunate limitation of all deployed PoW blockchain systems is that the time between blocks has high variance. For example, 5% of the time, Bitcoin's inter-block time is at least 40 minutes. This variance impedes the consistent flow of validated transactions through the system. We propose an alternative process for PoW-based block discovery that results in an inter-block time with significantly lower variance. Our algorithm, called Bobtail, generalizes the current algorithm by comparing the mean of the k lowest order statistics to a target. We show that the variance of inter-block times decreases as k increases. If our approach were applied to Bitcoin, about 80% of blocks would be found within 7 to 12 minutes, and nearly every block would be found within 5 to 18 minutes; the average inter-block time would remain at 10 minutes. Further, we show that low-variance mining significantly thwarts double-spend and selfish mining attacks. For Bitcoin and Ethereum currently (k=1), an attacker with 40% of the mining power will succeed with 30% probability when the merchant sets up an embargo of 8 blocks; however, when k>=20, the probability of success falls to less than 1%. Similarly, for Bitcoin and Ethereum currently, a selfish miner with 40% of the mining power will claim about 66% of blocks; however, when k>=5, the same miner will find that selfish mining is less successful than honest mining. The cost of our approach is a larger block header.
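The variance reduction the Bobtail abstract describes can be checked with a small Monte Carlo. The code below is an added example, not code from the Bobtail paper: it models each hash attempt as a uniform draw in [0, 1) (the hash interpreted as a fraction of the hash space) and declares a block found when the mean of the k lowest draws so far is at or below a target. The target, the block count and the seed are assumptions chosen so the run stays fast; the coefficient of variation is scale-free, so the comparison across k does not depend on them.

```python
"""Monte Carlo comparison of k=1 (Bitcoin-style) and Bobtail-style (k>1) block discovery.

Added example, not the Bobtail paper's code. A hash attempt is a uniform draw in
[0, 1); a block is found when the mean of the k lowest draws so far is <= target.
The target, block count and seed are assumptions.
"""
import bisect
import random
import statistics


def attempts_until_block(rng, k, target):
    """Number of hash attempts until the mean of the k lowest hashes seen is <= target."""
    lowest = []    # ascending list of the k smallest hash values seen so far
    total = 0.0    # running sum of `lowest`, so the mean is O(1) per attempt
    attempts = 0
    while True:
        attempts += 1
        h = rng.random()
        if len(lowest) < k:
            bisect.insort(lowest, h)
            total += h
        elif h < lowest[-1]:
            total += h - lowest.pop()     # evict the current k-th lowest
            bisect.insort(lowest, h)      # keep the list sorted and of size k
        if len(lowest) == k and total / k <= target:
            return attempts


def interblock_stats(k, target=0.02, blocks=1000, seed=1):
    """Mean, coefficient of variation and spread of inter-block attempt counts for a given k.

    The CV (stdev / mean) is scale-free, so it can be compared across k even though
    the mean attempts per block grow with k at a fixed target (a real deployment
    would retune the target so the average block time stays constant).
    """
    rng = random.Random(seed)
    samples = [attempts_until_block(rng, k, target) for _ in range(blocks)]
    mean = statistics.mean(samples)
    cv = statistics.stdev(samples) / mean
    # Share of blocks found within 70%..120% of the mean: the window the abstract
    # quotes as "7 to 12 minutes" for a 10-minute average block time.
    in_window = sum(0.7 * mean <= s <= 1.2 * mean for s in samples) / blocks
    return {"mean_attempts": mean, "cv": cv, "share_in_window": in_window}


if __name__ == "__main__":
    for k in (1, 5, 20):
        s = interblock_stats(k)
        print(f"k={k:2d}: mean={s['mean_attempts']:7.1f} attempts, CV={s['cv']:.2f}, "
              f"within 0.7x..1.2x of mean: {s['share_in_window']:.0%}")
```

For k=1 the attempt count is geometric, so the CV comes out close to 1 and only about a fifth of blocks land in the 0.7x..1.2x window; raising k tightens the distribution, which is the property the abstract relies on to blunt double-spend and selfish-mining races.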
Selfish Mining and Reactive Miners: The debate we need to have but haven't yet
Whether selfish mining is a threat to bitcoin has been a hot topic. However, the debate over it has barely touched on one of the most important points regarding it. I'm going to bring up this point and I'd like to see some healthy discourse regarding it.

First, let's start with a simple explanation of selfish mining. For those not in the know, selfish mining is when a miner, after finding a block, hides it from the other miners to get a "head start" on the next block. So when the selfish miner (SM) finds the block at height N, he hides it and starts working on the next block at height N+1. The honest miner (HM) doesn't know that the block at height N has been found, so he continues to work on it. If the SM finds the block at N+1 before the HM finds the block at N, the SM gets two block rewards. If the HM finds the block at N before the SM finds the block at N+1, the SM reveals his hidden block at N to compete in a propagation race with the HM's block at N.

This strategy was first detailed by Ittay Eyal and Emin Gun Sirer in the paper here: https://www.cs.cornell.edu/~ie53/publications/btcProcFC.pdf

Make no mistake, the authors of this paper think this is a real threat to bitcoin; you can see right in the abstract that they call for a "practical modification to the Bitcoin protocol that protects Bitcoin" from selfish mining. When other miners do not react to somebody employing a SM strategy, it has been mathematically proven that selfish mining increases profits for the selfish miner after the difficulty adjustment has occurred. This is clear-cut and need not be debated.

The important question to ask is what happens when other miners react? Peter Rizun has been outspoken regarding the SM strategy and defending the Ittay Eyal and Emin Gun Sirer paper, so I will quote him and hope he joins us in discussion of this. I will now quote Rizun:
Whether the selfish mining attack is a practical attack is debatable. For example, in order for the strategy to turn a profit, the selfish miner must maintain the attack for a length of time to allow network difficulty to reset and hope that during that time other miners don't retaliate by adopting similar strategies.
This is the crux of the debate, is the knowledge that other miners will retaliate by adopting a SM strategy too enough of a disincentive to stop selfish mining in the first place or do we need a protocol change? I posit this question to the community, and most notably Peter Rizun as he has been engaged in this subject. Ping: peter__r
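The strategy described in the post above, simulated as an added example (this is not code from the post or from the Eyal-Sirer paper). The state machine follows the paper's description: the selfish miner keeps a private lead, reveals one block when its lead is 1 and the honest miners catch up (the "0'" race state), and reveals enough to win outright when its lead is 2 or more. `alpha` is the selfish miner's share of hash power and `gamma` the fraction of honest hash power that ends up mining on the selfish branch during a race; the closed form is the paper's revenue formula. The seed and block count are assumptions.

```python
"""Monte Carlo of selfish mining versus the Eyal-Sirer closed-form revenue share.

Added example, not the post's or the paper's code. The seed and event count are
assumptions; alpha and gamma have the meaning given in the lead-in.
"""
import random


def selfish_mining_share(alpha, gamma, events=200_000, seed=7):
    """Share of main-chain blocks won by a selfish miner holding `alpha` of the hash power."""
    rng = random.Random(seed)
    selfish_blocks = honest_blocks = 0
    lead = 0        # private chain's lead over the public chain
    race = False    # state 0': two equal-length branches compete after a reveal
    for _ in range(events):
        if rng.random() < alpha:
            # The selfish miner finds the next block.
            if race:
                selfish_blocks += 2     # extends its own branch; both of its blocks win
                race = False
            else:
                lead += 1               # keeps the block hidden
        else:
            # Honest miners find the next block.
            if race:
                if rng.random() < gamma:
                    selfish_blocks += 1  # built on the selfish branch: one block each
                    honest_blocks += 1
                else:
                    honest_blocks += 2   # built on the honest branch: selfish block orphaned
                race = False
            elif lead == 0:
                honest_blocks += 1
            elif lead == 1:
                race = True              # reveal the hidden block; propagation race
                lead = 0
            elif lead == 2:
                selfish_blocks += 2      # reveal both; the honest block is orphaned
                lead = 0
            else:
                selfish_blocks += 1      # reveal one block, still ahead of the public chain
                lead -= 1
    return selfish_blocks / (selfish_blocks + honest_blocks)


def selfish_mining_share_closed_form(alpha, gamma):
    """Eyal-Sirer revenue share for the same state machine."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


if __name__ == "__main__":
    for alpha, gamma in ((0.3, 0.0), (0.4, 0.0), (0.4, 0.5)):
        print(f"alpha={alpha} gamma={gamma}: simulated={selfish_mining_share(alpha, gamma):.3f} "
              f"closed form={selfish_mining_share_closed_form(alpha, gamma):.3f} "
              f"(honest mining would yield {alpha:.3f})")
```

With gamma=0 the closed form equals alpha exactly at alpha=1/3, which is the profitability threshold the paper reports; at alpha=0.4 the selfish miner's share exceeds 0.4, matching the post's point that, absent a reaction from other miners, the strategy pays once difficulty has adjusted.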
I was reading an article on CoinDesk, and saw this:

At its core, bitcoin is about giving users better control of their money. Often called "programmable money", bitcoin has scripts that limit how future bitcoin transactions can be spent (and that control variables like who can spend them). One such script ensures the correct person is spending the bitcoin by checking if the correct signature was used before unlocking and sending the funds.

This week, Blockstream core tech developer Russell O'Connor revealed he's been testing a couple of new scripts on an Elements Alpha sidechain (which is pegged to the bitcoin testnet) that could add new functionality. Called "covenants", the new style of scripts potentially opens up possibilities for how bitcoin users can control, or restrict, spending of their money — possibly for their protection. (This is an idea that was previously explored by researchers Malte Möser, Ittay Eyal, and Emin Gun Sirer.)

One use case for these scripts is to help users rein in their coins in the case of a hack (an all too common occurrence in bitcoin). When asked what he thinks of the new covenant work, Eyal said it was potentially a boon to bitcoin users who may be worried about losing their bitcoins or otherwise having them compromised or stolen. Eyal told CoinDesk: "It's also going to increase user-side security in a way that's invaluable."

Extending bitcoin's scripts

The idea is notable as a script that can limit how bitcoins can be spent hasn't been implemented in bitcoin before, a fact noted by Eyal. In particular, there are two new covenant scripts that Blockstream explored, each of which takes parameters and outputs whether the script is valid, or whether or not the transaction is currently spendable based on its restrictions. It's worth noting that bitcoin's scripting system is currently quite simple for security's sake.
There aren't limitless rules in bitcoin right now because new additions can be potentially dangerous and developers note that they take time to test. This is where sidechains may come in handy, although they are not yet pinned to the main blockchain. Bitcoin startup Blockstream has been working on these interoperable blockchains for experimenting with new features that could potentially be added to bitcoin since June of last year, and this is an example of how these new chains can be used to test new features. These new proposed opcodes may work as the foundations for new functionalities, ones that could even come to help stop bitcoin exchanges and users from losing stolen funds. Use cases But while Blockstream is running with the idea, it began with researchers at Cornell. In February, researchers Malte Möser, Ittay Eyal and Emin Gun Sirer proposed the idea of bitcoin vaults (implemented with their own version of covenants) where users could pull bitcoin back in the case of a hack. (It then gained new life following the hack on Bitfinex, in which the exchange lost nearly 120,000 BTC). "If the attacker can't gain control of the money, it takes away the motivation for stealing it in the first place," Eyal explained. But he noted that these two requirements are often conflicting: if a user creates new keys to avoid losing them, that means it's easier for them to be stolen. Meanwhile, if you create a smaller number of total keys, it's easier to lose them. While Blockstream tested vaults as a potential use case, there might be other future uses for the covenant scripts, including lending. The idea seems to have been dormant for a while and developers were debating its viability even just a couple of months ago. But these sidechain tests might mean a step towards implementation. 
And while covenants and vaults had drawn some skepticism before (Peter Todd has questioned whether such a functionality should be built in the infrastructure layer of the code at Scaling Bitcoin), there seems to be optimism that it could work. When asked if the new scripts were safe, Bitcoin Core developer Greg Maxwell responded: "Trivially so if implemented correctly." Has this type of functionality been explored, or will be explored by Ethereum development team?
Abstract We initiate the study of quantum races, games where two or more quantum computers compete to solve a computational problem. While the problem of dueling algorithms has been studied for classical deterministic algorithms, the quantum case presents additional sources of uncertainty for the players. The foremost among these is that players do not know if they have solved the problem until they measure their quantum state. This question of 'when to measure?' presents a very interesting strategic problem. We develop a game-theoretic model of a multiplayer quantum race, and find an approximate Nash equilibrium where all players play the same strategy. In the two-party case, we further show that this strategy is nearly optimal in terms of payoff among all symmetric Nash equilibria. A key role in our analysis of quantum races is played by a more tractable version of the game where there is no payout on a tie; for such races we completely characterize the Nash equilibria in the two-party case. One application of our results is to the stability of the Bitcoin protocol when mining is done by quantum computers. Bitcoin mining is a race to solve a computational search problem, with the winner gaining the right to create a new block. Our results inform the strategies that eventual quantum miners should use, and also indicate that the collision probability---the probability that two miners find a new block at the same time---would not be too high in the case of quantum miners. Such collisions are undesirable as they lead to forking of the Bitcoin blockchain.
Abstract In this position paper, we initiate a systematic treatment of reaching consensus in a permissionless network. We prove several simple but hopefully insightful lower bounds that demonstrate exactly why reaching consensus in a permissionless setting is fundamentally more difficult than the classical, permissioned setting. We then present a simplified proof of Nakamoto's blockchain which we recommend for pedagogical purposes. Finally, we survey recent results including how to avoid well-known pain points in permissionless consensus, and how to apply core ideas behind blockchains to solve consensus in the classical, permissioned setting and meanwhile achieve new properties that are not attained by classical approaches.
Abstract We make several contributions that quantify the real-time hash rate and therefore the consensus of a blockchain. We show that by using only the hash value of blocks, we can estimate and measure the hash rate of all miners or individual miners, with quantifiable accuracy. We apply our techniques to the Ethereum and Bitcoin blockchains; our solution applies to any proof-of-work-based blockchain that relies on a numeric target for the validation of blocks. We also show that if miners regularly broadcast status reports of their partial proof-of-work, the hash rate estimates are significantly more accurate at a cost of slightly higher bandwidth. Whether using only the blockchain, or the additional information in status reports, merchants can use our techniques to quantify in real-time the threat of double-spend attacks.
Hi All, I made a little code to simulate a selfish mine according to the paper of Eyal and Gün Sirer: "Majority is not Enough: Bitcoin Mining is Vulnerable". Regards
#Code inspired by
#Majority is not Enough: Bitcoin Mining is Vulnerable
#of Ittay Eyal and Emin Gun Sirer
import random

def Simulate(alpha, gamma, N):
    #This function simulates the selfish miners' strategy.
    #It returns the proportion of blocks in the longest chain
    #which belongs to the selfish miners.
    #alpha : hash power of the selfish miners (fraction of the total).
    #gamma : fraction of the honest hash power that mines on the selfish
    #        miners' fork when the two forks have the same length.
    #N     : number of blocks to simulate (one block is found per iteration).
    state = 0
    n = 0  #length of the selfish miners' private chain
    LongestChainLength = 0
    NumberOfSelfishMineBlock = 0
    #A round begins when state==0 and finishes when we return to it.
    for i in range(N):
        r = random.random()
        if state == 0:
            #Initial state.
            #The selfish miners have 0 hidden block.
            if r <= alpha:
                #The selfish miners found a block.
                #They don't publish it.
                state = 1
            else:
                #The honest miners found a block.
                #The round is finished : the honest miners found 1 block
                #and the selfish miners found 0 block.
                LongestChainLength += 1
                state = 0
        elif state == 1:
            #There is one hidden block in the pocket of the selfish miners.
            if r <= alpha:
                #The selfish miners found a new block.
                #It remains hidden.
                #The selfish miners are now two blocks ahead.
                #The two blocks are hidden.
                state = 2
                n = 2
            else:
                #The honest miners found a block : go to state 0' (see below).
                state = -1
        elif state == -1:
            #It's the state 0' in the paper of Eyal and Gun Sirer.
            #The honest miners found a block,
            #so the selfish miners published their hidden block.
            #The blockchain is forked with one block in each fork.
            if r <= alpha:
                #The selfish miners found a block in their fork.
                #The round is finished : selfish miners won 2 blocks and the honest miners 0.
                NumberOfSelfishMineBlock += 2
                LongestChainLength += 2
                state = 0
            elif r <= alpha + (1 - alpha) * gamma:
                #The honest miners found a block in the fork of the selfish miners.
                #The round is finished : selfish miners won 1 block and the honest miners 1.
                NumberOfSelfishMineBlock += 1
                LongestChainLength += 2
                state = 0
            else:
                #The honest miners found a block in their own fork.
                #The round is finished : selfish miners won 0 block and the honest miners 2.
                NumberOfSelfishMineBlock += 0
                LongestChainLength += 2
                state = 0
        elif state == 2:
            #The selfish miners have 2 hidden blocks in their pocket
            #(their private chain is n blocks long).
            if r <= alpha:
                #The selfish miners found a new hidden block.
                n += 1
                state = 3
            else:
                #The honest miners found a block.
                #The selfish miners are only one block ahead of the honest miners,
                #so they publish their whole chain, which is of length n,
                #and all the honest blocks of this round are orphaned.
                #The round is finished : selfish miners won n blocks and the honest miners 0.
                LongestChainLength += n
                NumberOfSelfishMineBlock += n
                state = 0
        elif state > 2:
            if r <= alpha:
                #The selfish miners found a new hidden block.
                n += 1
                state += 1
            else:
                #The honest miners found a block.
                #The selfish miners publish one of their hidden blocks
                #and are losing one point of lead in the run.
                state -= 1
    return float(NumberOfSelfishMineBlock) / LongestChainLength

def main():
    alpha = 0.35
    gamma = 0.5
    Nsimu = 10**7
    print("Theoretical probability :", (alpha*(1-alpha)**2*(4*alpha+gamma*(1-2*alpha))-alpha**3)/(1-alpha*(1+(2-alpha)*alpha)))
    print("Simulated probability :", Simulate(alpha, gamma, Nsimu))

main()
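The simulation above checks its result against the closed-form revenue expression from the paper. The block below is an added example (not the poster's code, and not code from Eyal and Sirer) that uses that same expression to answer the question raised earlier in this thread, namely when a pool actually gains from the strategy: it compares selfish revenue with the honest share alpha, locates the break-even pool size by bisection on the revenue formula alone, and checks it against the closed-form threshold (1 - gamma)/(3 - 2 gamma), which is quoted from the Eyal-Sirer paper and is not stated on this page. The function names are the example's own.

```python
"""Does selfish mining pay? Closed-form check (added example; assumes the
revenue formula shown in the simulation above and the threshold from the
Eyal-Sirer paper)."""


def selfish_revenue(alpha, gamma):
    """Expected share of main-chain blocks won by a selfish pool holding a
    fraction alpha of the hash power, when a fraction gamma of the honest
    power mines on the pool's branch during a tie. Same expression as the
    'Theoretical probability' line of the simulation above."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def honest_revenue(alpha):
    """A pool that follows the protocol earns exactly its hash-power share."""
    return alpha


def is_profitable(alpha, gamma):
    """True when the selfish strategy beats honest mining for this pool."""
    return selfish_revenue(alpha, gamma) > honest_revenue(alpha)


def threshold_closed_form(gamma):
    """Break-even pool size from the paper: (1 - gamma) / (3 - 2 gamma).
    This formula is not on the page; it is quoted from Eyal and Sirer."""
    return (1 - gamma) / (3 - 2 * gamma)


def threshold_numeric(gamma, lo=1e-6, hi=0.4999, iters=100):
    """Locate the break-even alpha by bisection on
    g(alpha) = selfish_revenue(alpha) - alpha, using only the revenue
    formula. For gamma < 1, g is negative for a tiny pool and positive just
    below one half; for gamma = 1 the strategy pays at any size."""
    def g(a):
        return selfish_revenue(a, gamma) - a

    if g(lo) >= 0:
        return 0.0          # already profitable at a negligible size
    assert g(hi) > 0        # revenue approaches 1 as alpha approaches 1/2
    for _ in range(iters):
        mid = (lo + hi) / 2
        if g(mid) < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def profitability_table(alphas, gammas):
    """Rows of (alpha, gamma, selfish revenue, profitable?) over a grid."""
    return [(a, gm, round(selfish_revenue(a, gm), 4), is_profitable(a, gm))
            for gm in gammas for a in alphas]


if __name__ == "__main__":
    for gm in (0.0, 0.5, 1.0):
        print("gamma=%.1f  break-even alpha: numeric %.4f  closed form %.4f"
              % (gm, threshold_numeric(gm), threshold_closed_form(gm)))
    for a, gm, rev, ok in profitability_table((0.2, 0.3, 0.35, 0.4), (0.0, 0.5)):
        print("alpha=%.2f gamma=%.1f revenue=%.4f %s"
              % (a, gm, rev, "selfish pays" if ok else "honest pays"))
```

The two threshold functions agree to within floating-point error, which is a useful sanity check on the revenue formula as typed: with gamma = 0 (no honest miner ever builds on the selfish branch) a pool needs more than one third of the hash power, with gamma = 0.5 it needs a quarter, and with gamma = 1 any pool size is enough, which is exactly why the network's tie-breaking behaviour, not only pool size, is the security-relevant parameter.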
Bitcoin-NG whitepaper. | Emin Gün Sirer | Oct 14 2015
Emin Gün Sirer on Oct 14 2015: Hi everyone, We just released the whitepaper describing Bitcoin-NG, a new technique for addressing some of the scalability challenges faced by Bitcoin. Surprisingly, Bitcoin-NG can simultaneously increase throughput while reducing latency, and do so without impacting Bitcoin's open architecture or changing its trust model. This post illustrates the core technique:
Fitting NG on top of the current Bitcoin blockchain is future work that we think is quite possible. NG is compatible with both Bitcoin as is, as well as Blockstream-like sidechains, and we currently are not planning to compete commercially with either technology -- we see NG as being complementary to both efforts. This is pure science, published and shared with the community to advance the state of blockchains and to help them reach throughputs and latencies required of cutting edge fintech applications. Perhaps it can be adopted, or perhaps it can provide the spark of inspiration for someone else to come up with even better solutions. We would be delighted to hear your feedback.
CALL FOR PAPERS
International Workshop on Cryptocurrencies and Blockchain Technology - CBT'18
In conjunction with ESORICS
http://www.cbtworkshop.org/
September 7-8, 2018, Barcelona (Catalonia)
Since the appearance of Bitcoin in 2009, a plethora of new cryptocurrencies and other blockchain-based systems have been deployed with varying success. While some of them are slightly different copies of Bitcoin, others propose interesting improvements or new usages of the underlying blockchain technology. However, the novelty of such technologies is often tied to rapid development and proof-of-concept software, and rigorous scientific analyses of the proposed systems are often skipped. This workshop aims to provide a forum for researchers in this area to carefully analyze current systems and propose new ones, in order to create a scientific background for the solid development of new cryptocurrencies and blockchain technology systems.

IMPORTANT DATES
Submission Deadline: June 18, 2018
Author Notification: July 10, 2018
Camera Ready: July 25, 2018

TOPICS
The main topics include (but are not limited to):
Anonymity and privacy in cryptocurrencies.
Cryptocurrency based trust systems.
Security analysis of existing cryptocurrencies.
Formal threat models in cryptocurrency systems.
Improvement proposals for existing cryptocurrencies.
P2P network cryptocurrencies analysis.
Private transactions in blockchain based systems.
Consensus mechanisms: proof-of-work, proof-of-stake, proof-of-burn, proof-of-useful-work.
New usages of the blockchain technology.
Scalability solutions for blockchain systems.
Smart contracts.

SUBMISSION
Submitted papers must be original and not submitted for publication elsewhere. Authors are invited to submit their manuscripts following the LNCS Proceedings Manuscript style. Papers are limited to 16 pages (full papers) or 8 pages (short papers), including references and appendices, and can be submitted as PDF via the CBT 2018 submission site: https://easychair.org/conferences/?conf=cbt2018 Accepted conference papers will be published by Springer in the LNCS collection. At least one author of each accepted paper is required to register and present their work at the workshop; otherwise the paper will not be included in the proceedings.

PROGRAM COMMITTEE
PC Chairs:
Joaquín García-Alfaro, Institut Mines-Télécom, France. Email: joaquin.garcia_alfaro [at] telecom-sudparis [dot] eu
Jordi Herrera-Joancomartí, Universitat Autònoma de Barcelona, Catalonia. Email: jordi.herrera [at] uab [dot] cat
PC Members:
Rainer Böhme - Universität Innsbruck (Austria)
Joseph Bonneau - NYU (USA)
Jeremy Clark - Concordia University (Canada)
Ittay Eyal - Technion (Israel)
Joaquín García-Alfaro - IMT (France)
Hannes Hartenstein - KIT (Germany)
Akira Kanaoka - Toho University (Japan)
Ghassan Karame - NEC Research (Germany)
Shin'ichiro Matsuo - Georgetown University (USA)
Patrick McCorry - UCL (UK)
Sarah Meiklejohn - UCL (UK)
Andrew Miller - University of Illinois, Urbana-Champaign (USA)
Pedro Moreno Sanchez - Purdue University (USA)
Jose Luis Muñoz Tapia - UPC (Catalonia)
Guillermo Navarro - UAB (Catalonia)
Cristina Pérez-Solà - UAB (Catalonia)
Tim Ruffing - Saarland University (Germany)
Roger Wattenhofer - ETH (Switzerland)
Aviv Zohar - The Hebrew University (Israel)
We need to fix the block withholding attack | Peter Todd | Dec 19 2015
Peter Todd on Dec 19 2015: At the recent Scaling Bitcoin conference in Hong Kong we had a Chatham House rules workshop session attended by representatives of a super majority of the Bitcoin hashing power. One of the issues raised by the pools present was block withholding attacks, which they said are a real issue for them. In particular, pools are receiving legitimate threats by bad actors threatening to use block withholding attacks against them. Pools offering their services to the general public without anti-privacy Know-Your-Customer have little defense against such attacks, which in turn is a threat to the decentralization of hashing power: without pools only fairly large hashing power installations are profitable, as variance is a very real business expense. P2Pool is often brought up as a replacement for pools, but it itself is still relatively vulnerable to block withholding, and in any case has many other vulnerabilities and technical issues that have prevented widespread adoption of P2Pool. Fixing block withholding is relatively simple, but (so far) requires a SPV-visible hardfork (Luke-Jr's two-stage target mechanism). We should do this hard-fork in conjunction with any blocksize increase, which will have the desirable side effect of clearly showing consent by the entire ecosystem, SPV clients included. Note that Ittay Eyal and Emin Gun Sirer have argued(1) that block withholding attacks are a good thing, as in their model they can be used by small pools against larger pools, disincentivising large pools. However this argument is academic and not applicable to the real world, as a much simpler defense against block withholding attacks is to use anti-privacy KYC and the legal system combined with the variety of withholding detection mechanisms only practical for large pools. Equally, large hashing power installations - a dangerous thing for decentralization - have no block withholding attack vulnerabilities.
1) http://hackingdistributed.com/2014/12/03/the-miners-dilemma/

original: http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-Decembe012046.html
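One of the "withholding detection mechanisms only practical for large pools" that the message refers to is a plain statistical test on the pool's own accounting. A miner is paid per submitted share, so it cannot hide its share rate; the share rate in turn fixes how many full blocks an honest miner should have handed in, and a miner with many shares but no blocks is found out, whereas a small miner cannot be distinguished from an unlucky one. The block below is an added example, not code from the mailing list or from any pool: the miner records and the share-to-block ratio are constructed, the Poisson tail is used as the usual approximation to the binomial count, and the function names are the example's own.

```python
import math

# Constructed per-miner accounting records for one payout window of a
# hypothetical pool (not real data). A share is a partial proof-of-work
# meeting the pool's share difficulty; a block is a share that also met the
# network target and was handed to the pool.
CONSTRUCTED_RECORDS = [
    {"miner": "miner-A", "shares": 2_000_000, "blocks": 0},   # large miner, no blocks
    {"miner": "miner-B", "shares": 2_000_000, "blocks": 18},  # large miner, as expected
    {"miner": "miner-C", "shares": 50_000, "blocks": 0},      # small miner, no blocks
]

# Assumed ratio share_difficulty / block_difficulty: every valid share is
# also a full block with this probability, regardless of who found it.
SHARE_TO_BLOCK_RATIO = 1e-5


def poisson_lower_tail(k, lam):
    """P(X <= k) for X ~ Poisson(lam). Each term is built in log space so
    that large lam does not overflow the factorial."""
    if lam <= 0:
        return 1.0
    total = 0.0
    for i in range(k + 1):
        total += math.exp(-lam + i * math.log(lam) - math.lgamma(i + 1))
    return min(total, 1.0)


def withholding_pvalue(shares, blocks, ratio=SHARE_TO_BLOCK_RATIO):
    """Probability that an honest miner with this many shares would have
    handed in `blocks` or fewer full solutions. A tiny value means the miner
    finds blocks far less often than its own share rate predicts."""
    return poisson_lower_tail(blocks, shares * ratio)


def flag_withholders(records, ratio=SHARE_TO_BLOCK_RATIO, significance=1e-4):
    """Names of miners whose block count is implausibly low for their shares."""
    return [r["miner"] for r in records
            if withholding_pvalue(r["shares"], r["blocks"], ratio) < significance]


def shares_needed_to_detect(ratio=SHARE_TO_BLOCK_RATIO, significance=1e-4):
    """Smallest share count at which a zero-block record becomes suspicious,
    i.e. exp(-shares * ratio) < significance. Below it, withholding is
    statistically invisible, which is why the test helps only pools whose
    members each submit a great many shares."""
    return math.ceil(-math.log(significance) / ratio)


if __name__ == "__main__":
    for r in CONSTRUCTED_RECORDS:
        lam = r["shares"] * SHARE_TO_BLOCK_RATIO
        print("%-8s expected blocks %.2f, observed %d, p-value %.3g"
              % (r["miner"], lam, r["blocks"], withholding_pvalue(r["shares"], r["blocks"])))
    print("flagged:", flag_withholders(CONSTRUCTED_RECORDS))
    print("shares before a zero-block miner is even suspicious:",
          shares_needed_to_detect())
```

With the constructed ratio, miner-A's two million shares predict about twenty blocks, so zero observed blocks has probability e^-20; miner-C's fifty thousand shares predict half a block, so zero is the most likely outcome and nothing can be concluded. The test therefore catches a withholding attacker only once it has accumulated hundreds of thousands of shares, and an attacker can stay below that by splitting its power across many identities, which is the gap the message's KYC and hard-fork proposals are meant to close.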
How to preserve the value of coins after a fork. | Emin Gün Sirer | Dec 30 2015
Emin Gün Sirer on Dec 30 2015: Ittay Eyal and I just put together a writeup that we're informally calling Bitcoin-United for preserving the value of coins following a permanent fork: http://hackingdistributed.com/2015/12/30/technique-to-unite-bitcoin-factions/ Half of the core idea is to eliminate double-spends (where someone spends a UTXO on chain A and the same UTXO on chain B, at separate merchants) by placing transactions from A on chain B, and by taking the intersection of transactions on chain A and chain B when considering whether a payment has been received. The other half of the core idea is to enable minting of new coins and collection of mining fees on both chains, while preserving the 21M maximum. This is achieved by creating a one-to-one correspondence between coins on one chain with coins on the other. Given the level of the audience here, I'm keeping the description quite terse. Much more detail and discussion is at the link above, as well as the assumptions that need to hold for Bitcoin-United. The high bit is that, with a few modest assumptions, it is possible to create a cohesive coin in the aftermath of a fork, even if the core devs are split, and even if one of the forks is (in the worst case) completely non-cooperative. Bitcoin-United is a trick to create a cohesive coin even when there is no consensus at the lowest level. Bitcoin-United opens up a lot of new, mostly game-theoretic questions: what happens to native clients who prefer A or B? What will happen to the value of native-A or native-B coins? And so on. We're actively working on these questions and more, but we wanted to share the Bitcoin-United idea, mainly to receive feedback, and partly to provide some hope about future consensus to the community. It turns out that it is possible to craft consensus at the network level even when there isn't one at the developer level. Happy New Year, and may 2016 be united,
NOTE: Seems I am a bit confused (again) about the algorithms... I really need to quit my day job so I can get into the code deeper! Forgive me if this has been published, but I haven't found it, though I have looked. Work keeps me from looking really hard. The claim in this pdf of the paper by Ittay Eyal and Emin Gun Sirer of Department of Computer Science, Cornell University is that Bitcoin is broken. They outline a "selfish mining algorithm". But the key to its ultimate advantage is to mine on a secret blockchain, that gets released at certain points. And that this advantage would pull into the selfish pool other miners that want that advantage. The flaw? Well, nobody joining the pool HAS TO KEEP THE SECRET BLOCKCHAIN SECRET. So say a mole miner in the selfish pool is willing to reveal the "secret blocks" to harm the selfish pool. And note that the mole doesn't have to reveal themselves (they might send the "secret blocks" to someone else to post). So basically the mole in the selfish mining pool can selectively reveal the "secret" blocks when it is to the advantage of the rest of the network, and let the selfish pool waste their time when it isn't to the advantage of the rest of the network. How many moles does the honest network need to blow up the selfish algorithm? ONE. BOOM. This algorithm is dead. At best it might improve the odds for a very very very large fully controlled pool. But any pool that uses independent miners to join and contribute hashing power cannot use this algorithm to improve anything. Left here. Not going to delete a post other people have commented on
Meet fellow cryptocurrency miners in the real world this October in Vegas! Share experiences, best practices, new ways of achieving greater profitability and source innovative and cost-effective solutions to your toughest mining issues and challenges.
HASHERS UNITED 9th October - Registration, Networking and Welcome Drinks 10-11th October 2014 - Main Conference Tuscany Hotel and Casino, Las Vegas The first global conference for cryptocurrency mining www.HashersUnited.com Hashers United brings together professionals, hobbyists and vendors from within mining and throughout the wider cryptocurrency sector. You can expect over 35 workshops and sessions, and more than 25 speakers, including Vitalik Buterin (founder Ethereum) and Charlie Lee (creator Litecoin), specially selected for their expertise and commitment to mining and cryptocurrencies. Full programme launch soon! Confirmed speakers so far include:
Vitalik Buterin, Founder, Ethereum
Charlie Lee, Creator, Litecoin
Poramin Insom, Developer, Vertcoin
Marshall Long, Executive Technical Director, Final Hash
Phil Maher, Mastercoin
Michael D Carter, Host, BitsBeTrippin
Stephen L Reed, Founder, Bitcoin Co-operative Proof of Work Project
Ittay Eyal, Cornell University
Robert W. Woods, Tax Attorney, Wood LLP and Contributor, Forbes
Tyson Cross, Tax Attorney, Bitcoin Tax Solutions
Hass McCook, Principal Consultant, ProjectRestart
www.HashersUnited.com Produced By Final Hash Final Hash is a mining contract company. It allows people to purchase or lease computer power so they don't have to own equipment to mine cryptocurrencies. The company offers cryptocurrency enthusiasts an affordable way to be involved in this exciting, emerging sector. The company's partners are well respected in the cryptocurrency community, which is how they came to conceive Hashers United. They wanted to find a way in which miners could meet and learn from one another, improve their knowledge on critical issues and help progress the cryptocurrency industry in a positive manner. All of this is to be achieved in a welcoming environment where novices and specialists alike can mingle and exchange ideas and expertise. www.finalhash.com
Bitcoin flaw could let group take control of currency
Bitcoin has an inherent flaw that could allow a powerful few to wrest control of the now-decentralized currency. All it would take is a group of cheaters. That's according to a research paper released Monday by Cornell University post-doctoral fellow Ittay Eyal and Professor Emin Gün Sirer.
Bitcoin is broken. And not just superficially so, but fundamentally, at the core protocol level. We're not talking about a simple buffer overflow here, or even a badly designed API that can be easily patched; instead, the problem is intrinsic to the entire way Bitcoin works. All other cryptocurrencies and schemes based on the same Bitcoin idea, including Litecoin, Namecoin, and any of the other few dozen Bitcoin-inspired currencies, are broken as well.
Link to CNN Money article. Link to more in-depth article. This is not a 51% attack, but an attack by selfish mining pools (above 25% hashing power) that withhold announcing found blocks to the network and thus get ahead in the "race" along the blockchain. Expect a flash crash as new investors might get spooked and cash out. The exploit should get fixed though in a new Bitcoin client update.
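The "secret blockchain" strategy that the earlier forum post argues about and the 25% figure in the comment above refer to the same model, so here is one added example by the editor, not code from the Eyal and Sirer paper or from any mining software: the selfish-mining state machine as the paper describes it (mine privately; publish to match or to overtake the public chain), simulated with a seeded random source, next to the paper's closed-form revenue expression. `alpha` is the pool's share of hash power and `gamma` the fraction of honest power that ends up mining on the pool's block when two blocks of equal height compete; the paper's profitability threshold is (1 - gamma)/(3 - 2 gamma), which is 1/3 for gamma = 0 and exactly the 25% quoted above for gamma = 0.5. Block counts and the seed are the editor's choices.

```python
"""Selfish mining revenue: the Eyal-Sirer closed form next to a simulation
of the strategy's state machine.

Added example by the editor, not code from the paper or from any Bitcoin
client. alpha = pool's share of total hash power; gamma = fraction of the
honest power that mines on the pool's block when two blocks of equal height
compete. Revenue is the pool's share of the blocks on the main chain.
"""
import random


def selfish_revenue(alpha: float, gamma: float) -> float:
    """Closed-form relative revenue of the selfish pool (the paper's R_pool)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def threshold(gamma: float) -> float:
    """Smallest alpha at which selfish mining beats honest mining."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate(alpha: float, gamma: float, blocks: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo run of the strategy. State: `lead` = number of private
    blocks the pool is ahead by; `tie` = both branches are one block long
    after the pool published to match an honest block. Returns the pool's
    share of main-chain blocks; any private blocks left at the end are ignored."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    lead, tie = 0, False
    pool = honest = 0  # blocks that ended up on the main chain
    for _ in range(blocks):
        pool_finds = rng.random() < alpha
        if tie:
            if pool_finds:
                pool += 2            # pool extends its own branch: both its blocks win
            elif rng.random() < gamma:
                pool += 1            # honest block built on the pool's branch
                honest += 1
            else:
                honest += 2          # honest block built on the honest branch
            lead, tie = 0, False
        elif pool_finds:
            lead += 1                # found a block: keep it private
        elif lead == 0:
            honest += 1              # no private chain, the honest block simply wins
        elif lead == 1:
            lead, tie = 0, True      # publish the private block to race the honest one
        elif lead == 2:
            pool += 2                # publish both: the honest block is orphaned
            lead = 0
        else:
            pool += 1                # publish the oldest private block, keep the rest
            lead -= 1
    return pool / (pool + honest)


if __name__ == "__main__":
    for a, g in [(0.25, 0.5), (1 / 3, 0.0), (0.4, 0.0)]:
        print(f"alpha={a:.3f} gamma={g}: closed form {selfish_revenue(a, g):.4f}, "
              f"simulated {simulate(a, g):.4f}, threshold {threshold(g):.4f}")
```

At alpha = 0.25, gamma = 0.5 and at alpha = 1/3, gamma = 0 the closed form returns exactly alpha, i.e. the pool earns what honest mining would; below those points it earns less, above them more, and the simulation tracks the formula to within sampling noise.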
Ittay Eyal: Senior Lecturer (Assistant Prof.), EE, Technion. Associate Director, Initiative For Cryptocurrencies & Contracts. [email protected] @ittayeyal +972-4-829-4710 Meyer 960, Haifa, Israel. My research focuses on the security and scalability of distributed systems, in particular blockchain protocols and trusted execution environments. I have previously worked on distributed storage algorithms and data aggregation in sensor networks.
Itay Tsabary, Alexander Spiegelman, Ittay Eyal. If you know two things about cryptocurrencies like Bitcoin, one of them is probably that they expend power.
Ittay Eyal. About Me: A post-doc in the Systems and Networking Group in the Department of Computer Science at Cornell.
Ittay Eyal, Cornell University and Initiative for CryptoCurrencies & Contracts; Robert Escriva, Cornell University; Ari Juels, Cornell Tech, Jacobs Institute and Initiative for CryptoCurrencies & Contracts; Robbert Van Renesse, Cornell University and Initiative for CryptoCurrencies & Contracts. The Bitcoin digital currency ...
Bitcoin -- The Miner's Dilemma. SWIFT Institute Working Paper No. 2014-006. 16 Pages. Posted: 22 May 2015. Ittay Eyal, Cornell ...
Cornell Researchers: Bitcoin Not as Decentralized as ...
In this episode, we talk to Emin Gun Sirer and Ittay Eyal from Cornell University regarding Bitcoin-NG, a next-generation Bitcoin blockchain design that addresses some protocol-based limitations ...
Fan Zhang, Ittay Eyal, and Robert Escriva, Cornell University; Ari Juels, Cornell Tech; Robbert van Renesse, Cornell University. Blockchains show promise as potential infrastructure for financial ...
Invited Talk by Ittay Eyal (Technion). Abstract: The security of blockchain-based systems relies critically on correctly incentivizing the miners. This talk will review two recent results on ...
Have you ever wondered what Bitcoin "Double Spending" and "Selfish Mining" are? These are the best explanations I've seen, complete with diagrams. Full, original presentation: https://youtu.be ...
Gossip Room is a social-media community, created 7 years ago, that today brings together millions of fans of TV, celebrity and series news...