Ittay Eyal Computer Science, Cornell University The Initiative for Cryptocurrencies and Contracts (IC3)
Distributed Cryptocurrencies and Consensus Ledgers, July 2017 Proof of Work
Moderately hard puzzle B A Proof of Work
• Challenger provides puzzle 16
‘ • Solver expends resources to solve puzzle Ittay Eyal, July Eyal, Ittay 2 Proof of Work A variety of uses [Jakobbson+Juels’99] • Spam protection [Dwork+Naor’92] • construction of digital time capsules [Goldschlag+Stubblebine’89, Rivest+’96] • Server access metering [Franklin+Malkhi’97] • (D)DoS protection [Juels+Brainard’99] • Digital money minting [Rivest+Shamir’01]
• Sybil protection [Apsnes’15]
16 ‘
… but botnets? Ittay Eyal, July Eyal, Ittay 3 How Hard?
Phone? Laptop? Server? A
Datacenter?
16
‘ Ittay Eyal, July Eyal, Ittay 4 PoW for Blockchains
• Bitcoin [Nakamoto’08]: PoW for Sybil protection, With a trick: direct monetary compensation
• The result: Wildly successful and incredibly robust
But also: 16
‘ some surprising properties Ittay Eyal, July Eyal, Ittay 5 A Replicated State Machine Log
퐴1 → 퐵1
16 퐴 → 퐴 ‘ 1 2 퐵1 → 퐶1 C Ittay Eyal, July Eyal, Ittay A B 6 The Blockchain
Log Blockchain
header
block
16
‘ Ittay Eyal, July Eyal, Ittay 7 PoW for Blockchains • Log in blocks • Solve puzzle to add block • Get prize per block • On a fork (a natural event), stronger side wins
4 5 1 2 3
4’ 5’ 6 7
16
‘ Ittay Eyal, July Eyal, Ittay 8 Basic Operation
• Puzzle is a function of current and previous block. (e.g., their hash smaller than target)
4 5 1 2 3 4’ 5’ 6 7
16 •
‘ Real-world participation cost • Burn real-world resources, committing to a
state machine history Ittay Eyal, July Eyal, Ittay 9 PoW in a Blockchain
• Block every set interval (10min, 15sec) • Automatically adjusting difficulty ==> a lottery of sorts
==> bustling mining industry
16
‘ Ittay Eyal, July Eyal, Ittay 10 PoW in a Blockchain
• Block every set interval (10min, 15sec) • Automatically adjusting difficulty ==> a lottery of sorts ==> bustling mining industry
Bitcoin 16 ‘ prize decay ==> FOMO at work
Also finite supply, deflation Ittay Eyal, July Eyal, Ittay 11 Waste? • Real-world waste • Compute power (sha256 ^2) Really power (Watts) • Less useless (Primecoin) • Storage [Miller+’14] • Hardware (PoET)
• No real-world waste
• Permissioned (Hyperledger, Stellar), or 16
‘ • Pending formal discussion (Proof of Stake) Ittay Eyal, July Eyal, Ittay 13 Resilience • Surprisingly stable • Strategic mining (Selfish mining etc. not seen in the wild)
• Few blockchain alternatives • GHOST +variants (Ethereum, DECOR) [Sompolinsky+Zohar’15, Lewenberg+’15] • Bitcoin-NG +variants (Hybrid consensus,
Byzcoin)
16
‘ Ittay Eyal, July Eyal, Ittay 14 Pooled Mining Blockchain Mining
Blockchain Proof of Work
money 16
‘ Constant rate : globally updated Difficulty Ittay Eyal, July Eyal, Ittay 16 Pooled Mining
Many miners Long time to win Constant PoW rate
Miners form pools
Blockchain
16
‘ Ittay Eyal, July Eyal, Ittay 17 Pooled Mining
Many miners Long time to win Constant PoW rate
Miners form pools
Blockchain
16
‘ Ittay Eyal, July Eyal, Ittay 18 Pooled Mining Blockchain
Full PoW 16
‘ money Ittay Eyal, July Eyal, Ittay 19 Pooled Mining Blockchain
Partial PoW
Full PoW 16 ‘ money
Money Ittay Eyal, July Eyal, Ittay 20 Open Pools and Centralization • Miners form pools • Largest are open pools • Lead to centralization
22% 26% 25% 6% 44% 15% 7% 7% 17% 15% 11% 27% 9% 11% 15% 13%
Bitcoin Ethereum Dogecoin Litecoin 16 ‘ April 2015 July 2016 January 2014 April 2015
A threat to the blockchain’s basic premise Ittay Eyal, July Eyal, Ittay 21 Pool Block Withholding Oakland’15
Pool Block Withholding
16
‘ Ittay Eyal, July Eyal, Ittay 23 Pool Block Withholding
Attacker: • Registers as standard miner
• Uses some miners as moles
16
‘ Ittay Eyal, July Eyal, Ittay 24 Pool Block Withholding
Attacker: • Registers as standard miner
• Uses some miners as moles 16
‘ • Drops full PoW Ittay Eyal, July Eyal, Ittay 25 Pool Block Withholding
Attacker: • Registers as standard miner
• Uses some miners as moles 16
‘ • Drops full PoW Ittay Eyal, July Eyal, Ittay 26 Factors influencing revenue Less direct mining power
Money 16 ‘ Less miners ==> reduced difficulty
Ittay Eyal, July Eyal, Ittay 휋 27 The Pool Game Goal Maximize revenue density
Round
One pool updates infiltration rates
16
‘ Ittay Eyal, July Eyal, Ittay 28 The Pool Game Goal Maximize revenue density
Round One pool updates infiltration rates
Analysis
• Stable state (equilibrium) 16
‘ • Generic (any pool size) Ittay Eyal, July Eyal, Ittay 29 Analysis One Attacker 1 2
푥1,2 Game progress: One round – attacker optimizes 푟1(푥1,2)
Dominant strategy: Attack
16
‘ Ittay Eyal, July Eyal, Ittay 31 Honest pool mining is not an equilibrium
In general:
Honest pool mining is not an equilibrium 16
‘ (For any two pools, one should attack) Ittay Eyal, July Eyal, Ittay 32 Two Attackers 1 2
푥1,2 푥2,1 Game progress Repeatedly: 1. Pool 1 optimizes 푟1(푥1,2, 푥2,1)
2. Pool 2 optimizes 푟2(푥2,1, 푥1,2) 16
‘ A single feasible equilibrium point Ittay Eyal, July Eyal, Ittay 33 The Miner’s Dilemma When both pools are minorities of any size: pool 1 NO ATTACK ATTACK
NO
2 ATTACK pool pool
ATTACK
16
‘ Ittay Eyal, July Eyal, Ittay 34 The Miner’s Dilemma When both pools are minorities of any size: pool 1 NO ATTACK ATTACK
NO
2 ATTACK pool pool
ATTACK
16
‘ Ittay Eyal, July Eyal, Ittay 35 One Attacker Pool size: 24% Infiltration rate: 25% Revenue: +3%
Attacker Victim revenue size
+ density
16
‘ Ittay Eyal, July Eyal, Ittay Attacker size 36 The Miner’s Dilemma When both pools are minorities of any size: pool 1 NO ATTACK ATTACK
NO
2 ATTACK pool pool
ATTACK
16
‘ Ittay Eyal, July Eyal, Ittay 37 The Miner’s Dilemma When both pools are minorities of any size: pool 1 NO ATTACK ATTACK
NO
2 ATTACK pool pool
ATTACK
16
‘ Ittay Eyal, July Eyal, Ittay 38 Two Attackers Pool sizes: 24%, 13% Infiltration rate: 8%, 12% Revenue: -4%, -10%
Pool 2 Pool 1 size Revenue density
16 +
‘ Ittay Eyal, July Eyal, Ittay Pool 1 size 39 The Miner’s Dilemma When both pools are minorities of any size: pool 1 NO ATTACK ATTACK
NO
2 ATTACK pool pool
ATTACK
16
‘ Ittay Eyal, July Eyal, Ittay 40 The Miner’s Dilemma When both pools are minorities of any size: pool 1 NO ATTACK ATTACK
NO
2 ATTACK pool pool
ATTACK
16 ‘
This is good Ittay Eyal, July Eyal, Ittay 41 The Miner’s Dilemma When both pools are minorities of any size: pool 1 NO ATTACK ATTACK
NO
2 ATTACK pool pool
ATTACK
16 ‘ Iterated game with unbounded rounds ==>
Ittay Eyal, July Eyal, Ittay Possible non-equilibrium stable state 42 Countermeasures • Detection
Does not work
16
‘ Ittay Eyal, July Eyal, Ittay 43 Countermeasures • Detection Does not work
• Bonus for full PoW / seniority
Reduces revenue homogeneity
16
‘ Ittay Eyal, July Eyal, Ittay 44 Countermeasures • Detection Does not work
• Bonus for full PoW / seniority Reduces revenue homogeneity
• Honey pot
Wastes resources
16
‘ Ittay Eyal, July Eyal, Ittay 45 Countermeasures • Detection Does not work
• Bonus for full PoW / seniority Reduces revenue homogeneity
• Honey pot
Wastes resources
16 ‘ • Out of band enforcement
Implies small trust circles Ittay Eyal, July Eyal, Ittay 46 System Health
open reduced eligibility smaller
pools pools
16
‘ Ittay Eyal, July Eyal, Ittay 47 Conclusion • Proof of work: cornerstone of open blockchains • Some waste • Effective security (being proven in retrospect)
• Architecture leads to surprising properties • The miner’s dilemma • Pooled mining
• Industrial mining 16 ‘ • Selfish mining • Non-standard proof-of-work
Ittay Eyal, July Eyal, Ittay • Proof of work outsourcing • Proof of work in face of chain forks 48