A Survey on Pow-Based Consensus
Total Page:16
File Type:pdf, Size:1020Kb
Annals of Emerging Technologies in Computing (AETiC) Vol. 4, No. 1, 2020 Review Article A Survey on PoW-based Consensus Alessio Meneghetti*, Massimiliano Sala and Daniele Taufer University of Trento, Italy [email protected]; [email protected]; [email protected] *Correspondence: [email protected] Received: 10th November 2019; Accepted: 14th December 2019; Published: 1st January 2020 Abstract: We provide a historical overview of proof-of-work techniques and the fields in which it plunges its roots. We are interested in PoW-techniques applied to blockchain technology and therefore we survey the state-of-the-art protocols employing these methods for consensus algorithms, emphasizing the differences between the efficient hashcash systems and the promising bread pudding protocols. Afterwards, the consensus mechanisms are discussed and some interesting known attacks to these algorithms are collected and classified according to their underlying ideas. Keywords: Proof of Work (PoW); Blockchain; Distributed Digital Ledger; Hashcash; Bread Pudding Protocols; Consensus algorithms 1. Introduction The notion of proof of work (PoW) encloses a wide number of techniques that have been developed in the past decades and whose finality is to demonstrate that a prover has performed a certain amount of computational work in a specified interval of time. The formalization of this concept dates back to 1999 [1], although previous examples of delaying functions used for such a purpose has appeared earlier. In 1992 [2] a PoW-technique has been proposed for fighting junk emails by requiring the sender to compute some moderately expensive function of the message, which constitutes a negligible effort for a sober user of this service but serves as a deterrent to unsolicited mail spam. Trapdoors were also designed for pricing functions, allowing trusted parties to grant bulk mailings with ease. Another forerunner of PoW is the notion of uncheatable benchmark, which appeared in 1993 [3] - 1994 [4] and consists of tasks that enforce a certain computational load on the execution entity, but in this case without privileged users that can shortcut the calculation duties. All these constructions, sometimes referred to as timing function, have been employed and refined in 1997 [5] for metering web-sites accesses in a light and verifiable way. Another application of these ideas was studied in 1998 [6] to develop a lottery scheme that works fairly using only internal information, providing at the same time resistance against coalitions of ticket purchasers and detection of (if any) frauds on the part of the lottery agent. Moreover, a wide variety of PoW-puzzles has been contrived for limiting or controlling decryption time [7] or connection depletion attacks [8] by arbitrarily delaying users who want to access specific resources. The applications mentioned above have subsequently seen thriving research that has highlighted potentialities and limits of PoW-related techniques. As an informative instance, the native idea of developing PoW-systems to face email spam has long been debated and is still an open field of research: in 2004 [9] the PoW-method was proved not to work in its basic formulation and Alessio Meneghetti, Massimiliano Sala and Daniele Taufer, “A Survey on PoW-based Consensus”, Annals of Emerging Technologies in Computing (AETiC), Print ISSN: 2516-0281, Online ISSN: 2516-029X, pp. 8-18, Vol. 4, No. 1, 1st January 2020, Published by International Association of Educators and Researchers (IAER), DOI: 10.33166/AETiC.2020.01.002, Available: http://aetic.theiaer.org/archive/v4/v4n1/p2.html. AETiC 2020, Vol. 4, No. 1 9 under realistic assumptions, as it is often the case, but further research [10, 11] has shown that these ideas are still viable when integrated with reputation models, which dynamically adjust the PoW difficulty. Beyond these purposes, in 2008 another cutting-edge employment of the PoW saw the light: in his first apparition Bitcoin [12] has laid the foundations for the modern cryptocurrencies introducing a PoW-based consensus algorithm, which basically puts miners in competition for solving a cryptographic challenge. Despite many other solutions for achieving consensus have been proposed since then, this latter approach is still considered relevant and for this reason it is summarized here. This essay is organized as follows: in Section 2 we review the most prominent techniques employed for the production of PoW-challenges, juxtaposing the widely adopted hashcash concept and the more polished bread pudding protocols. In Section 3 we discuss how blockchain consensus protocols may be designed on top of those challenges, whereas in Section 4 we report their known weaknesses. 2. PoW-methods In this section we describe some mechanisms of PoW that have been devised over the years, exploiting various types of cryptographic and mathematical challenges. 2.1. Hashcash Hashcash is probably the most known and widespread PoW-system, ideated in 1997 [13] and formally detailed in 2002 [14]. It relies on Hash Functions, which are deterministic functions : ∞ {0,1} {0,1} mapping data of arbitrary size ontoℋ data� of a fixed→ size L and satisfying the following =1 properties: 1. Pre-image resistance: for every {0,1} it is hard to find a message with that given hash, i.e. such that ( ) = . ℎ ∈ 2. Second pre-image resistance: for every message it is difficult to find a different one ℋ ℎ ′ such that ( ′) = ( ). 3. Collision resistance: it is hard to find a pair of different messages ≠ ℋ ℋ ′ with the same hashes, i.e. such that ( ′) = ( ). 4. Uniformity: Every hash value in the output range should be generated with roughly the ≠ ℋ ℋ same probability. The general structure of hashcash systems is the following: to prove that a certain amount of work on some data has been performed, one searches for some bits, called the Nonce, that appended to the original data produce a hash with easily identifiable properties, such as having a prescribed number δ of zeros in the first positions. Figure 1. Hashcash basic structure. Given the above properties of there are no strategies better than testing different randomly generated nonces until the required output property is satisfied. Since is supposed to be uniform, ℋ the probability of achieving the δ-starting-zeros condition is 2 , thus the difficulty of the hashcash ℋ challenge can be easily adjusted by tuning δ, which is called the− difficulty parameter. www.aetic.theiaer.org AETiC 2020, Vol. 4, No. 1 10 The main reason why hashcash has become so popular is the extremely short time required to verify the result of a challenge: despite the average number of hashes needed to find the desired condition is variable and depends on the difficulty parameter, only one hash is needed to check that the proposed nonce provides an output with the desired properties. We list now some hashcash-based PoW-protocols employed by modern cryptocurrencies, emphasizing their peculiarities. ● SHA-256 This function belongs to the Secure Hash Algorithms (SHA) family designed in 2001 by the American agency NSA and chosen by NIST as the U.S. Federal Information Processing Standard (FIPS). A comprehensive description of these functions may be found in [15]. The SHA-2 family is still considered secure (in contrast to SHA-0 and SHA-1 ones), even though the more recent SHA-3, selected by NIST in 2012, appears to have better security properties. The SHA-256 function produces outputs of length L = 256 bits and is used in Bitcoin [12] and related cryptocurrencies such as Bitcoin Cash, Counterparty, MazaCoin, Namecoin and by hybrid systems such as NeuCoin and Peercoin. ● Ethash This function has been specifically designed for the Ethereum consensus protocol, as described in [16]. It is obtained from the Kekkak hash function [17] combined with modified versions of Hashimoto [18] and Dagger [19] algorithms in order to achieve ASIC-resistance by memory-hard computations and light client verifiability. Nonetheless, ASIC miners for Ethash has been announced in 2018 but they are not considered a threat to Ethereum, which is developing a new PoW-system (called ProgPoW) for the near future and a PoS-based consensus algorithm for the long term. ● Scrypt This password-based key-derivation function has been developed to use a large amount of memory compared to other key-derivation functions, by using large vectors of pseudorandom strings that are produced from the last block and accessed in a pseudorandom order to output the derived key [20]. For its memory-hardness it has been adopted as part of the PoW-algorithm of some cryptocurrencies aiming at ASIC-resistance, such as Litecoin and Dogecoin. ● Cryptonote Similar to Scrypt, the Cryptonote [21] protocol relies on random memory access, but it depends on all the previous blocks. It acts as a voting system that is assumed to be egalitarian since it makes use of CryptoNight PoW-algorithm, although dedicated devices are under development. This protocol serves many privacy-oriented PoW-algorithms, such as Monero’s. ● Equihash Another memory-hard PoW system is Equihash [22], which was specifically ideated to limit parallel implementations by memory bandwidth. In a nutshell, given a generic hash function , the prover is required to produce messages 1, . , such that ( 1) . ( ) = 0, i.e. the bitwise ℋ sum of their hashes is the zero vector, and the hash of the concatenated message ( 1|| . || ) = 0 ℋ ⊕ ⊕ ℋ has prescribed properties, such as a given number of leading zeros. Equihash has been adopted by ℋ cryptocurrencies such as ZCash, Bitcoin Gold and Aion. ● Concatenating hashes (e.g. X11) Some hashcash solutions are obtained by concatenating several hash functions, such as X11 hash developed for Dash [23]. It applies the eleven hashes Blake, Bmw, Grøstl, Jh, Keccak, Skein, Luffa, CubeHash, SHAvite-3, Simd and Echo, one after the other, obtaining a heavier, but arguably more secure, hash function.