Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions

An implicit goal of Bitcoin's reward structure is to diffuse network influence over a diverse, decentralized population of individual participants. Indeed, Bitcoin's security claims rely on no single entity wielding a sufficiently large portion of the network's overall computational power. Unfortunately, rather than participating independently, most Bitcoin miners join coalitions called mining pools in which a central pool administrator largely directs the pool's activity, leading to a consolidation of power. Recently, the largest mining pool has accounted for more than half of network's total mining capacity. Relatedly, "hosted mining" service providers offer their clients the benefit of economies-of-scale, tempting them away from independent participation. We argue that the prevalence of mining coalitions is due to a limitation of the Bitcoin proof-of-work puzzle -- specifically, that it affords an effective mechanism for enforcing cooperation in a coalition. We present several definitions and constructions for "nonoutsourceable" puzzles that thwart such enforcement mechanisms, thereby deterring coalitions. We also provide an implementation and benchmark results for our schemes to show they are practical.

[1]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[2]  Amos Fiat,et al.  Untraceable Electronic Cash , 1990, CRYPTO.

[3]  J. Quiggin ON THE OPTIMAL DESIGN OF LOTTERIES , 1991 .

[4]  Moni Naor,et al.  Pricing via Processing or Combatting Junk Mail , 1992, CRYPTO.

[5]  Valtteri Niemi,et al.  How to Prevent Buying of Votes in Computer Elections , 1994, ASIACRYPT.

[6]  Josh Benaloh Receipt-Free Secret-Ballot Elections , 1994, STOC 1994.

[7]  Josh Benaloh,et al.  Receipt-free secret-ballot elections (extended abstract) , 1994, STOC '94.

[8]  Ari Juels,et al.  $evwu Dfw , 1998 .

[9]  Mihir Bellare,et al.  DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem , 1999, IACR Cryptol. ePrint Arch..

[10]  Colin Boyd,et al.  Advances in Cryptology - ASIACRYPT 2001 , 2001 .

[11]  E. Oster Are All Lotteries Regressive? Evidence from the Powerball , 2004, National Tax Journal.

[12]  Ben Laurie,et al.  “ Proof-of-Work ” Proves Not to Work version 0 . 2 , 2004 .

[13]  M. Jackson,et al.  Vote Buying , 2004 .

[14]  Exposing Computationally-Challenged Byzantine Impostors , 2005 .

[15]  Jongsung Kim,et al.  Related-Key Rectangle Attack on the Full SHACAL-1 , 2006, Selected Areas in Cryptography.

[16]  Bogdan Warinschi,et al.  Security Notions and Generic Constructions for Client Puzzles , 2009, ASIACRYPT.

[17]  Joseph Bonneau,et al.  What's in a Name? , 2010, Financial Cryptography.

[18]  Meni Rosenfeld,et al.  Analysis of Bitcoin Pooled Mining Reward Systems , 2011, ArXiv.

[19]  Colin Boyd,et al.  Stronger Difficulty Notions for Client Puzzles and Denial-of-Service-Resistant Protocols , 2011, CT-RSA.

[20]  Elaine Shi,et al.  Bitter to Better - How to Make Bitcoin a Better Currency , 2012, Financial Cryptography.

[21]  Craig Gentry,et al.  Quadratic Span Programs and Succinct NIZKs without PCPs , 2013, IACR Cryptol. ePrint Arch..

[22]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[23]  George Danezis,et al.  Pinocchio coin: building zerocoin from a succinct pairing-based proof system , 2013, PETShop '13.

[24]  Benjamin Braun,et al.  Resolving the conflict between generality and plausibility in verified computation , 2013, EuroSys '13.

[25]  Matthew Green,et al.  Zerocoin: Anonymous Distributed E-Cash from Bitcoin , 2013, 2013 IEEE Symposium on Security and Privacy.

[26]  Joshua A. Kroll,et al.  The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries , 2013 .

[27]  Jeremy Clark,et al.  Mixcoin: Anonymity for Bitcoin with Accountable Mixes , 2014, Financial Cryptography.

[28]  Pieter Wuille,et al.  Enabling Blockchain Innovations with Pegged Sidechains , 2014 .

[29]  Eli Ben-Sasson,et al.  Zerocash: Decentralized Anonymous Payments from Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[30]  Jean-Sébastien Coron,et al.  Scale-Invariant Fully Homomorphic Encryption over the Integers , 2014, Public Key Cryptography.

[31]  Joseph J. LaViola,et al.  Byzantine Consensus from Moderately-Hard Puzzles : A Model for Bitcoin , 2014 .

[32]  Emin Gün Sirer,et al.  Majority Is Not Enough: Bitcoin Mining Is Vulnerable , 2014, Financial Cryptography.

[33]  Eli Ben-Sasson,et al.  Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture , 2014, USENIX Security Symposium.

[34]  Bogdan Warinschi,et al.  Cryptographic puzzles and DoS resilience, revisited , 2014, Des. Codes Cryptogr..

[35]  John Tromp,et al.  Cuckoo Cycle: a memory-hard proof-of-work system , 2014, IACR Cryptol. ePrint Arch..

[36]  Elaine Shi,et al.  Permacoin: Repurposing Bitcoin Work for Data Preservation , 2014, 2014 IEEE Symposium on Security and Privacy.

[37]  Yoad Lewenberg,et al.  Inclusive Block Chain Protocols , 2015, Financial Cryptography.

[38]  Aviv Zohar,et al.  Secure High-Rate Transaction Processing in Bitcoin , 2015, Financial Cryptography.

[39]  Bryan Parno A Note on the Unsoundness of vnTinyRAM's SNARK , 2015, IACR Cryptol. ePrint Arch..

[40]  Aggelos Kiayias,et al.  The Bitcoin Backbone Protocol: Analysis and Applications , 2015, EUROCRYPT.

[41]  Simon Josefsson,et al.  The scrypt Password-Based Key Derivation Function , 2016, RFC.