Bobtail: Improved Blockchain Security With Low-Variance Mining - PowerPoint PPT Presentation

Bobtail: Improved Blockchain Security With Low-Variance Mining GEORGE BISSIAS BRIAN LEVINE UNIVERSITY OF MASSACHUSETTS AMHERST

Incentive for Compressed Review of Blockchains block proposal ▸ We focus on public / open blockchains BLOCK that use proof-of-work (PoW) ▸ Decentralized and distributed ledgers ▸ Ledger comprises set of transactions ▸ Financial, logistical, legal, … B 1 BTC A ENTRY 1 ▸ PoW: not the only approach, but most ENTRY 2 . popular and relatively easy to analyze . . ENTRY N

BOBTAIL Transactions Proof-of-Work Mining Basics ▸ Miners repeatedly hash block header ▸ Hashes are within [0, S ] BLOCK HEADER BLOCK ▸ A block is mined when hash falls h below t ▸ Block time is function of hash rate t T h v HASH (seconds) T ▸ Convention is to extend longest chain BLOCK

BOBTAIL Mining is a Lottery ▸ Miners “draw” numbers until they cross threshold 5

BOBTAIL Mining is a Lottery ▸ Miners “draw” numbers until they cross threshold 5 17 ▸ Each draw “costs” a hash

BOBTAIL Mining is a Lottery ▸ Miners “draw” numbers until they cross threshold 5 17 42 ▸ Each draw “costs” a hash

BOBTAIL Mining is a Lottery . . . ▸ Miners “draw” numbers until they cross threshold 5 17 42 3 ▸ Each draw “costs” a hash ▸ First to cross threshold wins ▸ Winner receives a reward and proposes a block

BOBTAIL Mining is a Lottery . . ▸ Miners “draw” numbers until they cross threshold 5 ▸ Each draw “costs” a hash . . ▸ First to cross threshold wins ▸ Winner receives a reward . . . and proposes a block ▸ Game repeats . .

BOBTAIL Mining statistics 5 T ▸ Time to draw below threshold Expon ( 5 5 q ) T 4 T 4 T is approximately ▸ 20% miner expects to take 4 times as long to mine a block as q (Individual) 20% others p (Others) 80%

BOBTAIL Bob (attacker) Double-spending Attack Transaction B 1 BTC A ▸ Alice trades car for 1 BTC ▸ Transaction appears in block 1 1 ▸ Assumes majority are mining chain ▸ Alice knows about law of large … numbers ▸ Goods are released only once z payment has “confirmations” z Alice (merchant)

BOBTAIL Bob (attacker) Double-spending Attack Transaction Transaction B 1 BTC A B 1 BTC B ′ � ▸ Bob steals goods if red chain grows longer than blue 1 ▸ Relies on high variance of the 1 exponential distribution ▸ Goods worth more than cost … of attack? 2 z Alice (merchant)

BOBTAIL Attack Success Probability attacker mining power 0.1 0.2 0.3 0.4 0.45 ▸ Attacker needs to get ahead k = 1 by at least one block 90.0% sometime after the first z 80.0% blocks 70.0% 60.0% ▸ Even a 20% miner has 5% 50.0% . of succcessful doublespend 40.0% chance of winning after 6 30.0% blocks 20.0% 10.0% 0.0% 1 3 5 7 9 11 Embargo Period z

BOBTAIL BLOCK BLOCK Bobtail Protocol Details h h ▸ Assemble a block containing transactions p5 . . . p4 p2 PROOF PROOF ▸ Hash header as usual to generate p3 p1 “proofs” ▸ Disseminate proofs that are “low enough” p5 to neighbors p4 1 k ∑ p i t k p3 ▸ Maintain queue of lowest proofs k p2 i p1 ▸ Assemble proofs whose mean is below k t T ▸ Each proof miner receives reward BLOCK

BOBTAIL New Lottery: Bobtail ▸ Miners draw numbers until the average of any 2 cross threshold 5

BOBTAIL New Lottery: Bobtail ▸ Miners draw numbers until the average of any 2 cross 9 threshold 5 ▸ Each draw still “costs” a hash

BOBTAIL New Lottery: Bobtail ▸ Miners draw numbers until the average of any 2 cross 3 9 threshold 5 ▸ Each draw still “costs” a hash

BOBTAIL New Lottery: Bobtail . . . ▸ Miners draw numbers until the average of any 2 cross 3 9 12 threshold 5 ▸ Each draw still “costs” a hash

BOBTAIL New Lottery: Bobtail . . . ▸ Miners draw numbers until the average of any 2 cross 3 9 12 6 threshold 5 ▸ Each draw still “costs” a hash ▸ First 2 to cross threshold win ▸ Winners receive a reward 3 and lowest proposes a block

BOBTAIL Impact on Doublespend Attack Efficacy attacker mining power 0.1 0.2 0.3 0.4 0.45 ▸ Status quo (Bitcoin) k = 1 k = 20 ▸ 20% attacker succeeds 90.0% 80.0% approximately 5% of the time 70.0% after 6 confirmations 60.0% 50.0% . of succcessful doublespend 40.0% ▸ Bobtail with k=20 30.0% 20.0% ▸ 20% attacker succeeds less than 10.0% 0.0% 1% of the time with just 2 1 3 5 7 9 11 1 3 5 7 9 11 Embargo Period z confirmations

BOBTAIL Relative Statistics ▸ Mining time with Bobtail for fixed target : Ethereum (seconds per block) t 0 5 10 15 20 25 30 35 40 45 50 55 60 100% k + 1 ▸ Expected value increases by 90% 2 80% 70% ( k + 1)(2 k + 1) ▸ Variance increases by k 60% 6 k CDF 1 50% 10 40% ▸ When expected times are aligned: 20 30% 40 t k = k + 1 20% 5 t ▸ 10% 2 0% 0 5 10 15 20 25 30 35 40 ▸ Relative variance O (1/ k ) Bitcoin (minutes per block)

BOBTAIL What is the Cost? ▸ Size of meta data increases by 160B k ⋅

BOBTAIL What is the Cost? Gamma shape k ▸ Size of meta data increases by 160B k ⋅ Send Don’t send ▸ Increased network overhead ▸ Mitigated by not sending proofs in the “tail” ▸ Graphene can be used to reduce redundancy

BOBTAIL What is the Cost? ▸ Size of meta data increases by 160B k ⋅ ▸ Increased network overhead ▸ New attacks must be considered ▸ Proof withholding ▸ Denial-of-Service (DoS)

Summary ▸ Mining process is akin to a lottery ▸ We can skew statistics in favor of honest majority ▸ This greatly mitigates fundamental attacks ▸ Doublespend susceptibility reduced by orders of magnitude ▸ Primary cost is increased network and block overhead