9 minute read

UCL Course COMP0143 Cryptocurrencies: LEC-03


Byzantine AdversariesPermalink

GoalPermalink

Prevent network systems from achieving their objects

CapabilitiesPermalink

  • Corrupt a subset of f out of n nodes (where fn)

    Adversaries have access to all secrets of nodes in f

    Adversaries control their actions of nodes in f

  • Take actions arbitrarily

    e.g., returning any values at all, sending messages in any order, transmitting corrupt values …

  • Observe all messages from honest nodes before taking actions

    Adversaries who take action last called rushing

Relaxtional Variety: Rational AdversariesPermalink

Definition

Adversaries will act in a utility-maximizing way

i.e they exploit system weakness to maximize profits without causing the system dysfunctional


ConsensusPermalink

GoalPermalink

Protect Distributed Systems

PropertiesPermalink

  • Safety

    Honest nodes have a consistent view of system’s state

    which agree which transactions took place in what order

  • Liveness

    Honest nodes can make progress and update system’s state eventually

  • Fairness

    Nodes are awarded according to their contributions

    This is specific to incentive-driven systems (relevant against rational adversaries)

Note that

The security requirements are based on

|n|=2|f|+1(<50% corrupt nodes) |n|=3|f|+1(<33% corrupt nodes)

which make Byzantine Fault-Tolerant (BFT) consensus meaningful

Requirement: Sybil-ResistantPermalink

Sybil Attacks is to create a large number of presudonyms (called sockpuppets)

to subvert the reputation system of a networked service (the root cause for many security issues)

Note that

The cheaper it is to create a pesudonym in a networked system

The easier it usually becomes to mount Sybil Attacks

The secuirty requirements to create Sybil-Resistant Identities


Bitcoin Solution: Proof-of-WorkPermalink

Proof-of-Work (PoW): Solving computational puzzles

ProcessPermalink

Given the length of blockchain l

  1. Gather transactions from the network into a block Bl

  2. Brute-force search a nonce in the block header of Bl until

    H(Bl)<t

    where H is a Collision-Resistant Hash Function (CRHF)
    and t is a target value which represnets the difficulty of computational puzzles

  3. Once found, broadcast Bl with the specfic nonce as Proof-of-Work to the rest of network

Note that

A block is accepted only if its Proof-of-Work and all included transactions are valid

PropertiesPermalink

  • Permissionless

  • Independence

  • Optimization-free

  • Progress-free

  • Parameterizability

  • Easy-to-verify

  • Hardness-Accimulation

Requirement: Puzzle-FriendlyPermalink

Definition

A Collision-Resistant Hash Function H is puzzle-friendly when

for every possible n-bit output value t, and
for every random valye k chosen from a distribution with high min-entropy:
it is infeasible to find x such that t=H(k||x) in time significantly less thatn 2n

In other words,

players cannot find a better way to hit the target value t than trying random inputs x

Note that

Bitcoin uses H():=SHA-256(SHA-256()) as a puzzle-friendly CRHF

In Bitcoin, the target t is the upper bound for which Proof-of-Works are considered valid.

The target t is based on difficulty d which meets

t=2256232d1

means that the easiest possible target tmax=22241 (system parameter) is when d=20=1

Challenge: Blockchain ForksPermalink

Since Proof-of-Work is a probabilistic process,

it is possible that different nodes broadcast their found blocks at the same time

Type

  • Unintended Forks (probabilistic process)

  • Intended Forks (essential tool to upgrade blockchain)

Solution: Longest Chain RulePermalink

The solution to unintended forks used in Bitcoin is Longest Chain Rule

Process

  • Miners randomly picks one of the longest branches they are aware of to work on

  • Every time there is a new longest chain,

    all honest miners switch to this branch orphaning shorter ones

  • Probability that a fork survives drops of exponentially with each new mined block

  • Eventual Consistency

    To consider a block finalized, it is recommended to wait until several blocks have been mined on top of it

    In Bitcoin, 6 blocks (about 60 min) is recommended

Note:

Longest Chain Rule means that anyone controls > 50% hashing power will control the Bitcoin

hashing power is as a proxy to security requirements since the size of n and f is unknown

In Bitcoin, the required hashing power to mine a block in b second is

p=232db

Putting Everything Together: Nakamoto ConsensusPermalink

Process

Given the length of blockchain l

  1. Gather transactions from the network into a block Bl

    including a hash pointer to a randonly-chosen longest chain

  2. Brute-force search a nonce in the block header of Bl until

    H(Bl)<t

    where H is a Puzzle-Friendly CRyptographic Hash Function (CRHF)
    and tis a target value which represnets the difficulty of computational puzzles

  3. Once found, broadcast Bl with the specfic nonce as Proof-of-Work to the rest of network

Attack: 51% of Hashing PowerPermalink

If someone has 51% of hashing power (centraliztion), he/she can take over this cryptocurrency

  • Undermining Convergence: Fork the chain and double spend

  • Undermining Fairness: Reject blocks of all other miners

  • Undermining Liveness: Demand high transaction fees + Censor Transactions

However, 51% Attacks are not common in practice

  • All attacks are highly visible (broadcast)

  • Risk that currency loses value

  • Mining hardware is illiquid: high entry costs and no salvage value

Attack: Selfish MiningPermalink

  • If you get lucky and and find a block then withhold it,

    which means that you do not tell everyone immediately about it to engage in selfish mining

  • If you can mine new blocks fast enough on top of yours,

    then honest miners waste their hash power extending the shorter chain


Proof-of-Work Mining EvolutionPermalink

Energy RequirementsPermalink

Cheap Eletricity & Good Network & Cool Climate

  • Embodied Energy

    For manufacturing of chips and other hardware

  • Electricity

    For the actual operation of the mining devices

  • Cooling Energy

    For the protection of the mining equipment

Mining EquipmentsPermalink

  CPU GPU FPGA ASIC
Throughput 224 H/s 227 H/s 230 H/s 246 H/s
Advantages None Easy to buy and set up
Parallel ALUs
Drive many from one CPU
Overclock
Better performance than GPUs
Good cooling
Extensive customization and optimization
Fastest in history
Designed to be run constantly for life
Disadvantages Slow
Expansive
Poor utilisation of hardware
Poor cooling
Large power draw
Higher power draw than GPUs
High level of expertise required
More expensive
Marginal performance/cost advantage
Designed only for Bitcoin
Need significant expertise
Need long lead-time

CPU - Central Processing Unit
GPU - Graphical Performance Unit
FPGA - Field Programmable Gate Array
ASIC - Application-Specific Integrated Circuits

Mining PoolPermalink

Definition

Pool participants all attempt to mine a block with the same coinbase recipient

which in practice is usually a key owned by the pool manager

Distribute Revenue

which can be based on

  • Per Share

    how much PoW shares they contribute minus a cut for the pool manager

  • Proportional

    since last block (Lower risk for pool manager + More work to verify)

  • Per Last n Shares

    Minimize “Pool hopping”

  • “Pool-hopping”

    The practice of mining in a pool only during the good times, and leaving during the bad times

    Can get more out of the pool than the value they contribute to it,
    increasing their rewards at the expense of other miners

    which is common in Proportional Distribution Method

Features

  • Advantages: Make mining revenue more predictable and enable smaller miners to still contribute

  • Disadvantages: Lead to centralization.


Proof-of-X: Variants and AlternativesPermalink

Ethereum 2.0 Solution: Proof-of-StakePermalink

Idea

Prove your investment in the system to gain voting power and be allowed to participate in consensus

Challenge

  • Nothing-at-Stake: Work on all available forks to ensure/maximize profits (consistency issue)

  • Grinding: Exploit the fact that blocks are cheap to produce to influence consensus (fairness issue)

  • Long-Range Attacks

    Bribe stakers for their old keys to roll back many blocks and create valid forks (consistency and safety issues).


Upgrading Decentralized SystemsPermalink

SituationPermalink

  • Everyone agrees to use a new signature scheme for OP_CHECKSIG

  • Flag Day

    Everyone agrees that at a given block height

    all transactions before are valid using old OP_CHECKSIG

    all transactions after must use the new OP_CHECKSIG

Different Situation 1: Hard ForksPermalink

Some miners do not upgrade in time called Hard Forks

because block produced before and after adoption of the decision are incompatible with each other

Think Deeply

Some full nodes do not upgrade in time

  • Full nodes are absolutely essential to the security of the system

    but cannot be trusted to all update in sync

  • Full nodes that do not change over to the main chain can be vulnerable to attacks

    and form a split currency which threatens economic stability

Real World Example

  • Bitcoin Cash

  • Ethereum Classic

  • Monero

Different Situation 2: Soft ForksPermalink

Some people agree to change the block size to 0.5 MB

can be one specific case of Soft Forks

Problems in Backwords Compatibility

  • People who have changed into smaller block size will reject blocks with old rules

  • People who have not changed will accept blocks from the changed people

Still form a split currency which threatens economic stability

GovernancePermalink

Two important layers in cryptocurrency communities

  • Infrastructure

    Decentralized payment system based on global peer-to-peer network

  • Developers

    Small groups of software engineers

    who have been entrusted with key roles for the development of the technology

Not clear who gets to vote and makes decisions