Analyzing BU Mining Protocol Ren Zhang & Bart Preneel - PowerPoint PPT Presentation

On the Necessity of a Prescribed Block Validity Consensus: Analyzing BU Mining Protocol Ren Zhang & Bart Preneel ren.zhang@esat.kuleuven.be bart.preneel@esat.kuleuven.be

What is  A peer-to-peer network of public nodes  Maintaining a public decentralized ledger  Of transactions that transfer value (bitcoin) among its users  Integrity of the ledger is secured by miners  Audit transactions  Use proof-of-work to arrive at consensus about the transactions  Successful miner receives new bitcoins as reward

The Ledger: a Hash Chain of Blocks Bitcoin transactions Block 2 Block 3 Block 1 block chain (200 nonce3 nonce2 nonce1 f f f “small” “small” “small” GB) 0 t2 t1 t3 In every block: new transactions, hash of the previous block, nonce, so that H(tx||prev_hash||nonce)< d 4

Prescribed Block Validity Consensus “orphaned” “fork” time BVC A block is either valid or invalid to all miners Resolve Forks?  Mine on the longest chain  or the first received block during a tie Rewards? Blockchain blocks ; orphaned blocks

(Once) Bitcoin Cannot Scale Transactions per second 2000; 56000 in stress test 256000 (double eleven shopping festival, 2017) 7 in theory, < 4 in practice (1 MB block/10 min) People disagreed on how to fix it

: no Prescribed Block Size What?  “A tool to raise the blocksize limit without splitting the network ” How? “the blocksize limit should never have been a consensus rule in the first place ”  Miners decide the block size limit collectively through a deliberative process Who?  Largest mining power support (40%) until late June, 2017

BU Mining Protocol time ≤ EB block block that the miner tries to mine > EB block block size limit = EB block size limit = 32MB EB  Maximum acceptable block size (of a miner, local) Acceptance Depth  Length of a chain starting with a “> EB” block (in figure: 3) before the miner accepts (local) Sticky Gate  Once AD is reached, opens SG and accepts large blocks until 144 consecutive “ ≤ EB” blocks appear

BU Mining Protocol: Rationale time Emergent Economic factors can Consensus  drive miners to the same EB  which is the actual network capacity Security?  Attacks “ cost the attacker far more than the victim ”

Two Observations BU supporters’  Block validity consensus (BVC) is not different necessary for security security claims  BVC will emerge as the system goes  BVC will be formed/driven by attacks Different  Supporters: compliant & profit-driven incentive  Objectors: arbitrary models

What We Did: Compare BU and Bitcoin Incentive Security BU is secure when BVC will emerge models claims BVC is absent Compliant & Profit-Driven Non-Compliant & Profit-Driven Not meaningful Non-Profit-Driven

Is Consensus Necessary? (Is BU secure when BVC is absent?) Technical  For each incentive model, pick a most famous approach attack, define the attacker’s goal/utility  Evaluate effectiveness of these attacks in a most simple “ BVC absent ” setting: two different EB s, one small attacker  Compute the optimal strategy and the utility of the attacker (math magic, see paper)  Compare results with Bitcoin

Is Consensus Necessary? (Is BU secure when BVC is absent?) The setting:  Three (groups of) miners Alice, Bob, Carol with mining power share 𝛽, 𝛾, 𝛿; 𝛽 + 𝛾 + 𝛿 = 1 , 𝛽 ≤ min{𝛾, 𝛿}  Bob and Carol have the same AD =6, same block size = EB b <EB c  Alice may mine blocks of size EB b , EB c or >EB c , to strategically split Bob and Carol to different chains Example: time (mine EB c block) (when Bob opens SG, mine >EB c block)

What We Did: Compare BU and Bitcoin Incentive Security BU is secure when BVC will emerge models claims BVC is absent Compliant & ? Profit-Driven Non-Compliant & Profit-Driven Not meaningful Non-Profit-Driven

Is Consensus Necessary? Compliant & Profit-Driven Alice Goal To maximize block reward share without deviating from the protocol (no selfish mining, no double-spending) Typical B C B B execution time (AD=3) A C C B Alice orphans two Bob’s blocks by mining an EB c block; relative block reward: 1/8 → 1/6

BU is Not Incentive Compatible Compliant & Profit-Driven Alice Alice 10%, Bob 45%, Carol 45% Results (optimal Strategy) Alice’s expected relative block reward

What We Did: Compare BU and Bitcoin Incentive Security BU is secure when BVC will emerge models claims BVC is absent Compliant & Profit-Driven Non-Compliant ? & Profit-Driven Not meaningful Non-Profit-Driven

Is Consensus Necessary? Non-Compliant & Profit-Driven Alice Goal to maximize block reward + double-spending reward Typical C B 1 B B A 2 time execution A 1 C C C C C Alice bought something on B 1 , the transaction is accepted at A 2 ; note that Alice mines a block A 2 on Bob’s chain to help it reach 4* confirmations *: to simplify the comparison

Double-Spending is Easier and More Profitable Non-Compliant & Profit-Driven Alice Results (optimal Alice’s Strategy, DS expected mining+DS reward = block reward/10min reward × 10) (in block reward)

What We Did: Compare BU and Bitcoin Incentive Security BU is secure when BVC will emerge models claims BVC is absent Compliant & Profit-Driven Non-Compliant & Profit-Driven Not meaningful Non-Profit-Driven ?

Is Consensus Necessary? Non-Profit-Driven Alice Goal to orphan as many Bob and Carol’s blocks as possible with the least number of Alice’s blocks Typical B C B B B B execution time A C C Alice orphans two Carol’s blocks with only one block

“Cost the Attacker Far More Than the Victim” Non-Profit-Driven Alice Results (optimal strategy, 𝛽 = Expected # of Bob and Carol’s 1% ) blocks orphaned by each Alice’s block

What We Did: Compare BU and Bitcoin Incentive Security BU is secure when BVC will emerge models claims BVC is absent Compliant & Profit-Driven Non-Compliant & Profit-Driven Not meaningful Non-Profit-Driven

Will BVC Emerge on the Run? The block size increasing game: moving closer to reality Definition  Every miner has a maximum profitable block size (MPB); if most blocks >MPB, the miner is forced to leave the game  Miners with large MPBs might form a coalition to raise the block size and kick others out; succeed if the coalition controls >50% mining power  Rewards are shared among those who survive till the end

BU May Damage Decentralization The block size increasing game: moving closer to reality Termination State (MPB 1 <MPB 2 <MPB 3 <MPB 4 ) In most initial settings, the block size will be raised

Results Summary No, new attack vectors in BU weakens Bitcoin’s BU secure when security within all three incentive models BVC is absent?  BVC will not emerge in most occasions Will BVC emerge?  Even when a BVC is reached and all miners are compliant, the BVC is very fragile  Strong miners have both the incentive and the ability to break BVC, raise the block size for higher reward share

Larger Blocks Mean ↓ fees ->  ↑ txs: hard to quantify  ↑ percentage of small txs: hard to quantify ↑ (small) txs -> For public nodes:  ↑ bandwidth, ↑ bandwidth/byte  ↑ verification cost, ↑ memory for UTXO Do we really want to find out via trial-and-error? What if strong miners don’t listen?

Reflection on Governance Rule setting Execution In Bitcoin Block validity rules prescribed by Decentralized developers (according to some) construction of the blockchain In BU Block validity rules dynamically In favor of big miners decided by big miners (if they are rational)

Response by BU Supporters Our work “does not take miners’ interest in a healthy network into consideration ” Malicious  Destruction of Coiledcoin miners exist …  Double spending on Krypton Including you  BU miners were planning to “attack” Bitcoin once they would achieve 75% Attacks can be  Bribery attack need not be against the miner’s profitable interests

Miners Changed Their Mind? Our paper

We Are All Jon Snow Is Prescribed Maybe not: BVC  Prove that the system is secure against 51% indispensable? attacker On consensus  Definition of decentralization, consensus protocol  Evaluation of consensus protocol security  Design principles/elements, e.g., timestamp