Nakamoto's famous blockchain protocol enables achieving consensus in a so-called permissionless setting---anyone can join (or leave) the protocol execution, and the protocol instructions do not depend on the identities of the players. His ingenious protocol prevents "sybil attacks" (where an adversary spawns any number of new players) by relying on computational puzzles (a.k.a. "moderately hard functions") introduced by Dwork and Naor (Crypto'92). Recent work by Garay et al (EuroCrypt'15) and Pass et al (manuscript, 2016) demonstrate that this protocol provably achieves consistency and liveness assuming a) honest players control a majority of the computational power in the network, b) the puzzle-hardness is appropriately set as a function of the maximum network delay and the total computational power of the network, and c) the computational puzzle is modeled as a random oracle. Assuming honest participation, however, is a strong assumption, especially in a setting where honest players are expected to perform a lot of work (to solve the computational puzzles). In Nakamoto's Bitcoin application of the blockchain protocol, players are incentivized to solve these puzzles by receiving rewards for every "block" (of transactions) they contribute to the blockchain. An elegant work by Eyal and Sirer (FinancialCrypt'14), strengthening and formalizing an earlier attack discussed on the Bitcoin forum, demonstrates that a coalition controlling even a minority fraction of the computational power in the network can gain (close to) 2 times its "fair share" of the rewards (and transaction fees) by deviating from the protocol instructions. In contrast, in a fair protocol, one would expect that players controlling a φ fraction of the computational resources to reap a φ fraction of the rewards. We present a new blockchain protocol---the FruitChain protocol---which satisfies the same consistency and liveness properties as Nakamoto's protocol (assuming an honest majority of the computing power), and additionally is δ-approximately fair: with overwhelming probability, any honest set of players controlling a φ fraction of computational power is guaranteed to get at least a fraction (1-δ)φ of the blocks (and thus rewards) in any Ω(κ/δ) length segment of the chain (where κ is the security parameter). Consequently, if this blockchain protocol is used as the ledger underlying a cryptocurrency system, where rewards and transaction fees are evenly distributed among the miners of blocks in a length κ segment of the chain, no coalition controlling less than a majority of the computing power can gain more than a factor (1+3δ) by deviating from the protocol (i.e., honest participation is an n/2-coalition-safe 3δ-Nash equilibrium). Finally, the FruitChain protocol enables decreasing the variance of mining rewards and as such significantly lessens (or even obliterates) the need for mining pools.
[1]
Emin Gün Sirer,et al.
Majority is not enough
,
2013,
Financial Cryptography.
[2]
Aviv Zohar,et al.
Secure High-Rate Transaction Processing in Bitcoin
,
2015,
Financial Cryptography.
[3]
Yehuda Lindell,et al.
Secure Computation Without Authentication
,
2005,
Journal of Cryptology.
[4]
Aggelos Kiayias,et al.
Blockchain Mining Games
,
2016,
EC.
[5]
Elaine Shi,et al.
Snow White: Provably Secure Proofs of Stake
,
2016,
IACR Cryptol. ePrint Arch..
[6]
Aggelos Kiayias,et al.
Edinburgh Research Explorer On Trees, Chains and Fast Transactions in the Blockchain
,
2017
.
[7]
S. Matthew Weinberg,et al.
On the Instability of Bitcoin Without the Block Reward
,
2016,
CCS.
[8]
Yoad Lewenberg,et al.
Inclusive Block Chain Protocols
,
2015,
Financial Cryptography.
[9]
Vincent Conitzer,et al.
Proceedings of the 2016 ACM Conference on Economics and Computation
,
2016,
EC.
[10]
Moni Naor,et al.
Pricing via Processing or Combatting Junk Mail
,
1992,
CRYPTO.
[11]
Stefan Katzenbeisser,et al.
Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
,
2016,
CCS.
[12]
Aggelos Kiayias,et al.
Speed-Security Tradeoffs in Blockchain Protocols
,
2015,
IACR Cryptol. ePrint Arch..
[13]
Aggelos Kiayias,et al.
The Bitcoin Backbone Protocol: Analysis and Applications
,
2015,
EUROCRYPT.
[14]
Joseph Y. Halpern,et al.
2 A Computational Game-Theoretic Framework 2 . 1 Bayesian Games
,
2008
.
[15]
Kartik Nayak,et al.
Stubborn Mining: Generalizing Selfish Mining and Combining with an Eclipse Attack
,
2016,
2016 IEEE European Symposium on Security and Privacy (EuroS&P).
[16]
Abhi Shelat,et al.
Analysis of the Blockchain Protocol in Asynchronous Networks
,
2017,
EUROCRYPT.
[17]
Aggelos Kiayias,et al.
Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol
,
2017,
CRYPTO.
[18]
Aviv Zohar,et al.
Optimal Selfish Mining Strategies in Bitcoin
,
2015,
Financial Cryptography.