Abstract
Distributed cryptographic protocols such as Bitcoin and Ethereum use a data structure known as the block chain to synchronize a global log of events between nodes in their network. Blocks, which are batches of updates to the log, reference the parent they are extending, and thus form the structure of a chain. Previous research has shown that the mechanics of the block chain and block propagation are constrained: if blocks are created at a high rate compared to their propagation time in the network, many conflicting blocks are created and performance suffers greatly. As a result of the low block creation rate required to keep the system within safe parameters, transactions take long to securely confirm, and their throughput is greatly limited.
We propose an alternative structure to the chain that allows for operation at much higher rates. Our structure consists of a directed acyclic graph of blocks (the block DAG). The DAG structure is created by allowing blocks to reference multiple predecessors, and allows for more “forgiving” transaction acceptance rules that incorporate transactions even from seemingly conflicting blocks. Thus, larger blocks that take longer to propagate can be tolerated by the system, and transaction volumes can be increased.
Another deficiency of block chain protocols is that they favor more connected nodes that spread their blocks faster—fewer of their blocks conflict. We show that with our system the advantage of such highly connected miners is greatly reduced. On the negative side, attackers that attempt to maliciously reverse transactions can try to use the forgiving nature of the DAG structure to lower the costs of their attacks. We provide a security analysis of the protocol and show that such attempts can be easily countered.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
For the sake of brevity, we do not go into the details of GHOST or of its Ethereum-variant, except where specifically relevant.
- 2.
This is guaranteed only if the attacker has less than 50 % of the computational power in the network.
- 3.
DAGs are already required by GHOST (although for different reasons), and Ethereum’s blocks currently reference parent blocks as well as “uncles” (blocks that share the same parent as their parent). Thus, this modification is quite natural.
- 4.
It is important to note that the algorithm below describes a full traversal. More efficient implementations are possible if a previously traversed DAG is merely being updated (with methods similar to the unspent transaction set used in Bitcoin).
- 5.
The Inclusive algorithm can also handle blocks that have some of their transactions rejected.
- 6.
The total reward can be automatically adjusted to maintain a desired rate of money creation by a process similar to the re-targeting done for difficulty adjustments.
- 7.
This assumption approximates well the situation in the real Bitcoin network, in which transactions propagate quickly relative to blocks.
- 8.
To make this formal some work is needed: Let G(t) be the block DAG which consist of all blocks created up to time t. We require that the underlying chain selection rule F break ties between equally weighted leaves, in some predetermined perhaps arbitrary way. Denote by \(B_t\) the leaf of the main chain F(G(t)). Assume F converges, in the sense that a block in the main chain becomes less likely to be replaced, as time grows: \(B\in F(G(t))\Longrightarrow \lim \limits _{s\rightarrow \infty }\Pr (B\notin F(G(s)))=0\) (longest-chain and GHOST, for instance, satisfy this property). We can thus speak of the eventual- or limit-order “\(\prec \)” on all blocks in the history of the game, defined by \(A\prec A'\) if \(\exists t_0, \forall t>t_0: A\prec _{B_t} A'\) (see the discussion succeeding Algorithm 1 for the definition of \(\prec _{B_t}\)).
- 9.
Note that \(k_{max}\ge b\), and that the existence of a root for \(G_{k_{max}}\) follows from the fact that f’s domain is [0, 1] hence this is also \(f^{-1}\)’s image.
- 10.
Successful manipulations require strong attackers that are either highly connected, or have massive amounts of computational power.
References
Andresen, G.: O(1) block propagation. https://gist.github.com/gavinandresen/e20c3b5a1d4b97f79ac2
Babaioff, M., Dobzinski, S., Oren, S., Zohar, A.: On bitcoin and red balloons. In: The 13th ACM Conference on Electronic Commerce, pp. 56–73. ACM (2012)
Back, A., Corallo, M., Dashjr, L., Friedenbach, M., Maxwell, G., Miller, A., Poelstra, A., Timón, J., Wuille, P.: Enabling blockchain innovations with pegged sidechains (2014)
Bitcoinj: Working with micropayment channels. https://bitcoinj.github.io/working-with-micropayments
Chakrabarti, S., Topolyan, I.: A direct proof of the existence of sequential equilibrium and a backward induction characterization (2010)
Decker, C., Wattenhofer, R.: Information propagation in the bitcoin network. In: 13th IEEE International Conference on Peer-to-Peer Computing (P2P), Trento, Italy, September 2013
Eyal, Ittay, Sirer, Emin Gün: Majority is not enough: bitcoin mining is vulnerable. In: Christin, Nicolas, Safavi-Naini, Reihaneh (eds.) FC 2014. LNCS, vol. 8437, pp. 431–449. Springer, Heidelberg (2014)
Kreps, D.M., Wilson, R.: Sequential equilibria. Econometrica: J. Econometric Soc. 50, 863–894 (1982)
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)
Nisan, N., Roughgarden, T., Tardos, E., Vazirani, V.V.: Algorithmic Game Theory, Chap. 9. Cambridge University Press, Cambridge (2007)
Rosenfeld, M.: Analysis of hashrate-based double spending. arXiv preprint arXiv:1402.2009 (2014)
Sompolinsky, Y., Zohar, A.: Secure high-rate transaction processing in bitcoin. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol 8975, pp. 507–527. Springer, Heidelberg (2015)
Wood, G.: Ethereum: a secure decentralised generalised transaction ledger (2014)
Acknowledgements
The authors were supported in part by the Israel Science Foundation (Grants 616/13, 1773/13 and 1227/12), by the Israel Ministry of Science and Technology (Grant 3-6797), and by the Israel Smart Grid (ISG) Consortium.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Additional Game Theoretic Analysis
A Additional Game Theoretic Analysis
1.1 A.1 Safety Level
As the players’ behavior is unknown and can take different courses, one may be interested in the player’s safety level, namely, the minimal utility he can guarantee himself. In the worst case for the player, the rest of the players choose a strategy which minimizes his utility, and the safety level is his best response to such a scenario.
Formally, player i’s safety level is the solution to the zero-sum game, where i is the max-player while the rest of the network acts as his united adversary min-player. The following theorem provides the player with a marginal probability over his memory buffer, which serves as his maxmin strategy for the single-shot game at time t.
Theorem 7
Denote player i’s memory buffer by \(w_1,\ldots ,w_m\) (sorted in descending order of their fees) at a time in which it was able to create a block. Denote \(\delta := 2\cdot \max _j\{d_{i,j}\}\cdot (\lambda -\lambda _i)\), and for all \(q\in \left[ 0,1\right] ^{m}\) define \(f(q):=\sum _{k=1}^{m}q_{k}\cdot \left( w_{k}e^{-\delta }\sum _{l=0}^{\left\lceil \frac{k}{b}\right\rceil -1}\frac{\delta ^{l}}{l!}\right) \). Let \(q^*\) be the solution of the next linear program: \(\max f(q) \text { s.t. } \forall k<m: \ q_{k}w_{k}\ge q_{k+1}w_{k+1} \ ; \ \forall k: \ 0\le q_{k}\le 1 \ ; \ \sum _{k=1}^{m}q_{k}=b.\) Then i’s utility from \(q^*\) is at least \(f(q^*)\), regardless of the strategy profile of the other players.
The idea behind the proof is to construct a game in which player i chooses transactions for his blocks, while the rest attempt to choose the very same transactions. In the worst case scenario for the player, his rivals correlate their blocks’ contents so as to maximize collisions with i’s blocks. Another worst case assumption is that the delay between the players and i is maximal. Refer to the full version of the paper for a formal construction and proof of the theorem.
1.2 A.2 An Optimal Strategy
The performance of any solution of the game, including those considered thus far, should be compared to the optimal setup. If players would play cooperatively, so as to try and maximize the system’s performance, then all blocks would contain unique transactions, with the top most fees available. Formally, if n blocks were created by the network during some long time period T, then the system’s hypothetical optimal performance, OPT(T), is defined as the sum of the top \(n\cdot b\) transactions created within T (this is not necessarily feasible, as high transactions may not be available to early blocks).
Recall that transactions arrive at a rate of \(\eta \). Their values are drawn according to some probability vector \({\varvec{r}}\), and we denote by R the corresponding CDF. The rate at which transactions are embedded in the DAG is denoted \(\lambda _{out}:= b\cdot \lambda \) (it is the hypothetical optimal throughput).
We define a threshold below which transactions are totally ignored by the players: \(v_{thresh}=R^{-1}(1-\frac{\lambda _{out}}{\eta })\). This threshold defines a cutoff,\(\theta :=\{j : v_j>v_{thresh}\}\). We claim that if players choose transactions above this cutoff, uniformly, then the resulting social welfare, which is the throughput weighed according to fees, would coincide with OPT(T), as T goes to infinity. We denote the described strategy by UCO (Uniform above CutOff), and by UCO(T) the total weighed throughput achieved by applying UCO up to T.
Proposition 8
Assume nodes have an unlimited memory buffer. Let T be some time window, and denote by n(T) the number of blocks that were created by that time. Then, \(\lim \limits _{T\rightarrow \infty } \frac{1}{n(T)}\cdot \mathbb {E}[OPT(T)] = \lim \limits _{T\rightarrow \infty } \frac{1}{n(T)}\cdot \mathbb {E}[UCO(T)],\) where the expectation is taken over all random events in the network and in the realization of UCO.
The intuition behind the result is that choosing a cutoff as we have prescribed implies that the incoming and outgoing rates of transactions to the buffer are equal. Thus, results from queueing theory show that the expected size of the buffer is infinite, and miners always have enough transactions above the cutoff to include in blocks. In particular, for large enough memory buffers, there are effectively no collisions between different blocks, and the transactions in blocks are unique. This surprising result is achieved at a cost: transactions have long expected waiting times for their authorization.
Rights and permissions
Copyright information
© 2015 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Lewenberg, Y., Sompolinsky, Y., Zohar, A. (2015). Inclusive Block Chain Protocols. In: Böhme, R., Okamoto, T. (eds) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science(), vol 8975. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47854-7_33
Download citation
DOI: https://doi.org/10.1007/978-3-662-47854-7_33
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-47853-0
Online ISBN: 978-3-662-47854-7
eBook Packages: Computer ScienceComputer Science (R0)