Betting on Blockchain Consensus with Fantomette

1. Introduction

One of the central components of any distributed system is a consensus protocol, by which the system’s participants can agree on its current state and use that information to take various actions. Consensus protocols have been studied for decades in the distributed systems literature, and classical protocols such as Paxos (paxos-made-simple, ) and PBFT (pbft, ) have emerged as “gold standards” of sorts, in terms of their ability to guarantee the crucial properties of safety and liveness even in the face of faulty or malicious nodes.
The setting of blockchains has renewed interest in consensus protocols, due largely to two crucial new requirements: scalability and incentivization. First, classical consensus protocols were designed for a closed and relatively small set of participants, whereas in open (or “permissionless”) blockchains the goal is to enable anyone to join. This requires the design of new consensus protocols that can both scale to handle a far greater number of participants, and also ones that can address the question of Sybil attacks (sybil, ), due to the fact that participants may no longer be well identified.
At heart, one of the biggest obstacles in scaling classical consensus protocols is in scaling their underlying leader election protocol, in which one participant or subset of participants is chosen to lead the decisions around what information should get added to the ledger for a single round (or set period of time). To elect a leader, participants must coordinate amongst themselves by exchanging several rounds of messages. If a Sybil is elected leader, this can result in the adversary gaining control over the ledger, and if there are too many participants then the exchange of messages needed to carry out the election may become prohibitively expensive.
Many recent proposals for blockchain-based consensus protocols focus on solving this first requirement by presenting more scalable leader election protocols (praos, ; algorand, ; snow, ; thunderella, ).
The second novel requirement of blockchains is the explicit economic incentivization on behalf of participants. In contrast to classical consensus protocols, where it is simply assumed that some set of nodes is interested in coming to consensus, in Bitcoin this incentivization is created through the use of block rewards and transaction fees. Again, several recent proposals have worked to address this question of incentives (ouroboros, ; fruitchains, ; spacemint, ; solidus, ; casper, ). Typically, however, the analysis of these proposals has focused on proving that following the protocol is a Nash equilibrium (NE), which captures the case of rational players but not ones that are Byzantine (i.e., fully malicious).
Indeed, despite these advances, one could argue that the only consensus protocol to fully address both requirements is still the one underlying Bitcoin, which is typically known as Nakamoto or proof-of-work (PoW)-based consensus. This has in fact been proved secure (Garay2015, ; blockchain-asynchronous, ), but provides Sybil resistance only by requiring enormous amounts of computational power to be expended. As such, it has also been heavily criticized for the large amount of electricity that it uses. Furthermore, it has other subtle limitations; e.g., it does not achieve any notion of fully deterministic finality and some attacks have been found on its incentive scheme (optimal-selfish-mining, ; bitcoin-without-block-reward, ).

Our contributions

In this paper, we propose Fantômette, a new blockchain-based consensus protocol that fully incorporates an incentive design to prove security properties in a settings that considers both rational and Byzantine adversaries. Our initial observation is that the PoW-based setting contains an implicit investment on the part of the miners, in the form of the costs of hardware and electricity. In moving away from PoW, this implicit investment no longer exists, giving rise to new potential attacks due to the fact that creating blocks is now costless. It is thus necessary to compensate by adding explicit punishments into the protocol for participants who misbehave. This is difficult to do in a regular blockchain setting. In particular, blockchains do not reveal information about which other blocks miners may have been aware of at the time they produced their block, so they cannot be punished for making “wrong” choices. We thus move to the setting of blockDAGs (spectre, ; phantom, ), which induce a more complex fork-choice rule and expose more of the decision-making process of participants. Within this model, we are able to leverage the requirement that players must place security deposits in advance of participating in the consensus protocol to achieve two things. First, we can implement punishments by taking away some of the security deposit, and thus incentivize rational players to follow the protocol. Second, because this allows the players to be identified, we can provide a decentralized checkpointing system, which in turn allows us to achieve a notion of finality.
Along the way, we present in Section 5 a leader election protocol, Caucus, that is specifically designed for open blockchains, and that we prove secure in a model presented in Section 4. We then use Caucus as a component in the broader Fantômette consensus protocol, which we present in Section 6 and argue for the security of in Section 7. Here we rely on Caucus to address the first requirement of scaling in blockchain-based consensus protocols, so can focus almost entirely on the second requirement of incentivization.
In summary, we make the following concrete contributions: (1) we present the design of a leader election protocol, Caucus. In addition to provably satisfying more traditional notions of security, Caucus has several “bonus” properties; e.g., it ensures that leaders are revealed only when they take action, which prevents them from being subject to the DoS attacks possible when their eligibility is revealed ahead of time. (2) we present the design and simulation of a full blockchain-based consensus protocol, Fantômette, that provides a scheme for incentivization that is robust against both rational and fully adaptive Byzantine adversaries. Fantômette is compatible with proof-of-stake (PoS), but could also be used for other “proof-of-X” settings with an appropriate leader election protocol.

2. Related

The work that most closely resembles ours is the cryptographic literature on proof-of-stake (PoS). We evaluate and compare each protocol along the two requirements outlined in the introduction of scalability and incentivization. Other non-academic work proposes PoS solutions (ppcoin, ; neucoin, ; tendermint, ), which is related to Fantômette in terms of the recurrent theme of punishment in the case of misbehavior.
In Ouroboros (ouroboros, ), the honest strategy is a $δ$ -Nash equilibrium, which addresses the question of incentives. The leader election, however, is based on a coin-tossing scheme that requires a relatively large overhead. This is addressed in Ouroboros Praos (praos, ), which utilizes the same incentive structure but better addresses the question of scalability via a more efficient leader election protocol (requiring, as we do in Caucus, only one broadcast message to prove eligibility). A recent improvement, Ouroboros Genesis (ouroboros-genesis, ), allows for dynamic availability; i.e., allows offline parties to safely bootstrap the blockchain when they come back online.
A comparable protocol is Algorand (algorand, ), which proposes a scalable Byzantine agreement protocol and the use of a “cryptographic sortition” leader election protocol, which resembles Caucus. They do not address the question of incentives.
In Snow White (snow, ), the incentive structure is based on that of Fruitchains (fruitchains, ), where honest mining is a NE resilient to coalitions. The incentive structure of Thunderella (thunderella, ) is also based on Fruitchains, but is PoW-based.
Casper (casper-econ, ) is still work in progress, so it is difficult to say how well it addresses scalability. On the topic of incentivization, it proposes that following that protocol should be a Nash equilibrium and that an attacker should lose more in an attack than the victims of the attack. A closely related recent paper is Hot-Stuff (hotstuff, ), which proposes a PBFT-style consensus protocol that operates in an asynchronous model. Again, this paper does not address incentivization.
Among other types of consensus protocols, there are several that do closely consider the topic of incentivization. The first version of Solidus (solidus, ), which is a consensus protocol based on PoW, provides a $(k, t)$ -robust equilibrium for any $k + t < f$ , although they leave a rigorous proof of this for future work. SpaceMint (spacemint, ) is a cryptocurrency based on proof-of-space, and they prove that following the protocol is a Nash equilibrium. In terms of protocols based on PoW, SPECTRE (spectre, ) introduced the notion of a blockDAG, which was further refined by PHANTOM (phantom, ). Our Fantômette protocol is inspired by PHANTOM (although translated to a non-PoW setting), and in particular we leverage the notion of connectivity of blocks induced by blockDAGs. Avalanche (avalanche, ), a recent proposal also relying on blockDAG, but in the context of PoS, recently appeared. They propose a PBFT-style consensus protocol that achieves $O (k n)$ for some $k ≪ n$ , and is thus more expensive than Caucus that requires a single message broadcast. They do not consider the question of incentives.
In terms of economic analyses, Kroll et al. (Kroll_theeconomics, ) studied the economics of PoW and showed that following the protocol is a NE. Badertscher et al (butwhy, ) analyze Bitcoin in the Rational Protocol Design setting. The “selfish mining” series of attacks (eyal2015minersDilemma, ; verifierdilemma, ; optimal-selfish-mining, ) show that the incentive structure of Nakamoto consensus is vulnerable. Carlsten et al. (bitcoin-without-block-reward, ) also consider an attack on the incentives in Bitcoin, in the case in which there are no block rewards. Recently, Gaži et al. (stake-bleeding, ) proposed an attack on PoS protocols that we address here.
Beyond the blockchain setting, Halpern (beyond, )

presents new perspectives from game theory that go beyond Nash equilibria in terms of analyzing incentive structures. One of this concept comes from Abraham et al.

(distributed-computing-game-theory, ), which we use in Section 3.4.
To summarize, most existing proposals for non-PoW blockchain consensus protocols provide a basic game-theoretic analysis, using techniques like Nash equilibria, but do not consider more advanced economic analyses that tolerate coalitions or the presence of Byzantine adversaries. Fantômette is thus the first one to place incentivization at the core of its security. In terms of scalability, our protocol is again different as it is not based on a BFT-style algorithm, but is rather inspired by Nakamoto consensus (leveraging its economic element).

3. Background Definitions and Notation

In this section, we present the underlying definitions we rely on in the rest of the paper. We begin (Sections 3.1-3.2) with the cryptographic notation and primitives necessary for our leader election protocol, Caucus.

3.1. Preliminaries

If $S$ is a finite set then $| S |$ denotes its size and denotes sampling a member uniformly from $S$ and assigning it to $x$ . $λ \in N$ denotes the security parameter and $1^{λ}$ denotes its unary representation.
Algorithms are randomized unless explicitly noted otherwise. PT stands for polynomial time. By $y \leftarrow A (x_{1}, \dots, x_{n}; R)$ we denote running algorithm $A$ on inputs $x_{1}, \dots, x_{n}$ and random coins $R$ and assigning its output to $y$ . By we denote $y \leftarrow A (x_{1}, \dots, x_{n}; R)$ for $R$ sampled uniformly at random. By $[A (x_{1}, \dots, x_{n})]$

we denote the set of values that have non-zero probability of being output by

A

on inputs

x_{1}, \dots, x_{n}

. Adversaries are algorithms. We denote non-interactive algorithms using the font

A l g

, and denote interactive protocols using the font

P r o t

. We further denote such protocols as , where the

i

-th entry of

i n p u t s

(respectively,

o u t p u t s

) is used to denote the input to (respectively, output of) the

i

-th participant.
We say that two probability ensembles

X

and

Y

are statistically close over a domain

D

\frac{1}{2} \sum_{α \in D} | Pr [X = α] - Pr [Y = α] |

is negligible; we denote this as

X \approx Y

. Verifiable Random Functions (VRF), first introduced by Micali et al. (verifiablerandomfunctions, ), generate a pseudo-random number in a publicly verifiable way. Formally, a VRF is defined as follows:

Definition 3.1 ().

A VRF consists in three polynomial-time algorithm $(G e n, P r o v e, V e r i f y)$ that works as follows: (1) $G e n (1^{λ})$ outputs a key pair $(p k, s k)$ ; (2) ${P r o v e}_{s k} (x)$ outputs a pair $(y = G_{s k} (x), p = p_{s k} (x))$ ; (3) $V e r i f y (x, y, p)$ verifies that $y = G_{s k} (x)$ using $p$ . An VRF satisfies correctness if:

if $(y, p) = {P r o v e}_{s k} (x)$ then $V e r i f y (x, y, p) = 1$
for every $(s k, x)$ there is a unique $y$ such that $V e r i f y (x, y, p_{s k} (x)) = 1$
it verifies pseudo-randomness: for any PPT algorithm $A = (A_{E}, A_{J})$ :

$P ⎡ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎣ \begin{matrix} (p k, s k) \leftarrow G e n (1^{λ}); b = b^{'} & (x, A_{s t}) \leftarrow A_{E}^{P r o v e (.)} (p k); y_{0} = G_{s k} (x); y_{1} \leftarrow {0, 1}^{l e n (G)}; b \leftarrow {0, 1}; b^{'} \leftarrow A_{J}^{P r o v e (.)} (y_{b}, A_{s t}) \end{matrix} ⎤ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎦ \leq \frac{1}{2} + n e g l (k)$

3.2. Coin tossing and random beacons

Coin tossing is closely related to leader election (collectivecoinflipping, ), and allows two or more parties to agree on a single or many random bits (blum-cointossing, ; collectivecoinflipping, ; EPRINT:Popov16, ); i.e., to output a value $R$ that is statistically close to random. A coin-tossing protocol must satisfy liveness, unpredictability, and unbiasability (randhound, ), where we define these (in keeping with our definitions for leader election in Section 4) as follows:

Definition 3.2 ().

Let $f_{A}$ be the fraction of participants controlled by an adversary $A$ . Then a coin-tossing protocol satisfies $f_{A}$ -liveness if it is still possible to agree on a random value $R$ even in the face of such an $A$ .

Definition 3.3 ().

A coin-tossing protocol satisfies unpredictability if, prior to some step $b a r r i e r$ in the protocol, no PT adversary can produce better than a random guess at the value of $R$ .

Definition 3.4 ().

A coin-tossing protocol is $f_{A}$ -unbiasable if for all PT adversaries $A$ controlling an $f_{A}$ fraction of participants, the output $R$

is still statistically close to a uniformly distributed random string.

A concept related to coin tossing is random beacons. These were first introduced by Rabin (rab81, ) as a service for “emitting at regularly spaced time intervals, randomly chosen integers”. To extend the above definitions to random beacons, as inspired by (EPRINT:BonClaGol15, ), we require that the properties of $f_{A}$ -liveness and $f_{A}$ -unbiasability apply for each iteration of the beacon, or round. We also require that the $b a r r i e r$ in the unpredictability definition is at least the beginning of each round.

3.3. Blockchains

Distributed ledgers, or blockchains, have become increasingly popular ever since Bitcoin was first proposed by Satoshi Nakamoto in 2008 (satoshi-bitcoin, ). Briefly, individual Bitcoin users wishing to pay other users broadcast transactions to a global peer-to-peer network, and the peers responsible for participating in Bitcoin’s consensus protocol (i.e., for deciding on a canonical ordering of transactions) are known as miners. Miners form blocks, which contain (among other things that we ignore for ease of exposition) the transactions collected since the previous block was mined, which we denote $t x s e t$ , a pointer to the previous block hash $h_{p r e v}$ , and a proof-of-work (PoW). This PoW is the solution to a computational puzzle. If future miners choose to include this block by incorporating its hash into their own PoW then it becomes part of the global blockchain. A fork is created if two miners find a block at the same time. Bitcoin follows the longest chain rule, meaning that whichever fork creates the longest chain is the one that is considered valid.

BlockDAGs

As the name suggests, a blockchain is a chain of blocks, with each block referring to only one previous block. In contrast, a blockDAG (spectre, ; phantom, ), is a directed acyclic graph (DAG) of blocks. In our paper (which slightly adapts the original definitions), every block still specifies a single parent block, but can also reference other recent blocks of which it is aware. These are referred to as leaf blocks, as they are leaves in the tree (also sometimes referred as the tips of the chain), and are denoted $L e a v e s (G)$ . Blocks thus have the form where $B_{p r e v}$ is the parent block, $B_{l e a f}$ is a list of previous leaf blocks, $π$ is a proof of some type of eligibility (e.g., a PoW), and $t x s e t$ is the transactions contained within the block. We denote by $B . s n d$ the participant that created block $B$ . In addition, we define the following notation:

[leftmargin=0.2cm]
$G$ denotes a DAG, $G^{i}$ the DAG according to a participant $i$ , and $G$ the space of all possible DAGs.
In a block, $B_{p r e v}$ is a direct parent of $B$ , and $A n c e s t o r s (B)$ denotes the set of all blocks that are parents of $B$ , either directly or indirectly.
A chain is a set of blocks $M$ such that there exists one block $B$ for which $M = A n c e s t o r s (B)$ .
$P a s t (B)$ denotes the subDAG consisting of all the blocks that $B$ references directly or indirectly.
$D i r e c t F u t u r e (B)$ denotes the set of blocks that directly reference $B$ (i.e., that include it in $B_{l e a f}$ ).
$A n t i c o n e (B)$ denotes the set of blocks $B^{'}$ such that $B^{'} \notin P a s t (B)$ and $B \notin P a s t (B^{'})$ .
$d$ denotes the distance between two blocks in the DAG.
The biggest common prefix DAG ( $B C P D$ ) is the biggest subDAG that is agreed upon by more than 50% of the players.

Figure 1. Example of a blockDAG. A full arrow indicates a bet ( $B_{p r e v}$ ) and a dashed arrow indicates a reference ( $B_{l e a f}$ ).

For example, if we consider the blockDAG in Figure 1, we have that $A n c e s t o r s (H) = {E, A, genesis}$ and ${H, E, A, genesis}$ forms a chain. We also have that $D i r e c t F u t u r e (F) = {H, I}$ , $P a s t (H) = {E, F, A, B, C, genesis}$ , $A n t i c o n e (E) = {D, G, I}$ , and $d (A, H) = 2$ .

Proof-of-stake

By its nature, PoW consumes a lot of energy. Thus, some alternative consensus protocols have been proposed that are more cost-effective; arguably the most popular of these is called proof-of-stake (PoS) (pos-forum, ; ppcoin, ; casper, ). If we consider PoW to be a leader election protocol in which the leader (i.e., the miner with the valid block) is selected in proportion to their amount of computational power, then PoS can be seen as a leader election protocol in which the leader (i.e., the participant who is eligible to propose a new block) is selected in proportion to some “stake” they have in the system (e.g. the amount of coins they have).
As security no longer stems from the fact that it is expensive to create a block, PoS poses several technical challenges (interactivepos, ). The main three are as follows: first, the nothing at stake problem says that miners have no reason to not mine on top of every chain, since mining is costless, so it is more difficult to reach consensus. This is an issue of incentives that, as we present in Section 6, Fantômette aims to solve. We do so by giving rewards to players that follow the protocol and punishing players who mine on concurrent chains.
Second, PoS allows for grinding attacks (interactivepos, ), in which once a miner is elected leader they privately iterate through many valid blocks (again, because mining is costless) in an attempt to find one that may give them an unfair advantage in the future (e.g., make them more likely to be elected leader). This is an issue that we encounter in Section 5 and address using an unbiasable source of randomness.
Finally, in a long-range attack, an attacker may bribe miners into selling their old private keys, which would allow them to re-write the entire history of the blockchain. Such a “stake-bleeding” attack (stake-bleeding, )

can be launched against PoS protocols that adopt a standard longest chain rule and do not have some form of checkpointing. We solve this problem in Fantômette by adding a notion of finality, in the form of decentralized checkpointing.

3.4. Game-theoretic definitions

In game-theoretic terms, we consider the consensus protocol as a game in infinite extensive-form with imperfect information (econ-notes, ), where the utilities depend on the state of the blockDAG. A blockchain-consensus game theoretically has an infinite horizon, but here we consider a finite horizon of some length $T$ unknown to the players. Following our model (which we present in Section 4), we assume that at each node in the game tree player $i$ is in some local state that includes their view of the blockDAG and some private information.
Following Abraham et al. (distributed-computing-game-theory, ), we consider the following framework. With each run of the game that results in a blockDAG $G$ , we associate some utility with player $i$ , denoted $u_{i} (G)$ . A strategy for player $i$ is a (possibly randomized) function from $i$ ’s local state to some set of actions, and tells the player what to do at each step. A joint strategy is a Nash equilibrium if no player can gain any advantage by using a different strategy, given that all the other players do not change their strategies. An extension of Nash equilibria is coalition-proof Nash equilibria (distributed-computing-game-theory, ). A strategy is $k$ -resilient if a coalition of up to a fraction of $k$ players cannot increase their utility function by deviating from the strategy, given that other players follow the strategy. A strategy is $t$ -immune if, even when a group that comprises a fraction $t$ of the players deviate arbitrarily from the protocol, the payoff of the non-deviating players is greater than or equal to their payoff in the case where these players do not deviate. A strategy is a $(k, t)$ -robust equilibrium if it is a $k$ -resilient and $t$ -immune equilibrium. Similarly, in an $ϵ$ - $(k, t)$ -robust equilibrium, players cannot increase their utility by more than $ϵ$ by deviating from the protocol or decrease their utility by more than $1 / ϵ$ in the presence of a fraction of $t$ irrational players.
In addition to the players, we assume there exist some other agents that do not participate in the game but still maintain a view of the blockDAG. These passive agents represent full node, and will not accept blocks that are clearly invalid. The existence of these agents allows us to assume in Section 7 that even adversarial players must create valid blocks.

4. Modelling Blockchain Consensus

We present in this section a model for blockchain-based consensus, run amongst a set of participants (also called players) $P$ . A block $B$ is considered to be a bet on its ancestors $A n c e s t o r s (B)$ . After introducing the assumptions we make about participants, we present a model for leader election, which is used to determine which participants are eligible to create a block. We then present a model for overall blockchain-based consensus, along with its associated security notions.

4.1. Assumptions

We consider a semi-synchronous model (Dwork:1988, ) where time is divided in units called slots, and each message is delivered within a maximum delay of $Δ$ slots (for $Δ$ unknown to participants). We assume that all players form a well-connected network, in a way similar to Bitcoin, where they can broadcast a message to their peers, and that communication comes “for free.”

Types of players

We follow the BAR model (barmodel, ), which means players are either (1) Byzantine, meaning that they behave in an arbitrary way; (2) altruistic, meaning that they follow the protocol; or (3) rational, meaning that they act to maximize their expected utility. We use $(f_{B}, f_{A}, f_{R})$ to denote the respective fractions of Byzantine, altruistic and rational players. Previous research has shown that altruistic behavior is indeed observed in real-world systems (like Tor or torrenting) (distributed-computing-game-theory, ), so is reasonable to consider. In addition to these types, as stated in Section 3.4 we also consider passive participants. They represent the users of a currency who keep a copy of the blockchain and passively verify every block (i.e., the full nodes). They will not explicitly appear in the protocol, rather we assume that they “force” the creation of valid blocks as we explain in Section 7, since if the chain includes invalid blocks or other obvious forms of misbehavior they will simply abandon or fork the currency. When we say participant or player, we now mean active player unless specified otherwise.
We consider a semi-permissionless setting, meaning that everyone is allowed to join the protocol but they have to place a security deposit locking some of their funds to do so; if they wish to leave the protocol, then they must wait some period of time before they can access these funds again. This allows us to keep the openness of decentralization while preventing Sybils. Moreover we consider a flat-model meaning that one participants account for one unit of stake. Thus saying two-third of participants is equivalent to saying participants that together own two-third of the stake that is in deposit. Most of the paper makes the assumptions of dynamic committee where participants can leave and join as explained above. However, to consider a notion of finality, we will need to strengthen this assumption. We will detail these assumptions in Section 6, but briefly we will allow for a reconfiguration period, and assume that outside of this period the set of participants is fixed.

4.2. A model for leader election

Most of the consensus protocols in the distributed systems literature are leader-based, as it is the optimal solution in term of coordination (leaderless-consensus, ). Perhaps as a result, leader election has in general been very well studied within the distributed systems community (saks-leaderelection, ; russel-leaderelection, ; feige-leaderelection, ; orv-leaderelection, ; king-leaderelection, ). Nevertheless, to the best of our knowledge the problem of leader election has not been given an extensive security-focused treatment, so in this section we provide a threat model in which we consider a variety of adversarial behavior.
Each participant maintains some private state ${s t a t e}_{p r i v}$ , and their view of the public state ${s t a t e}_{p u b}$ . For ease of exposition, we assume each ${s t a t e}_{p r i v}$ includes the public state ${s t a t e}_{p u b}$ . We refer to a message sent by a participant as a transaction, denoted $t x$ , where this transaction can either be broadcast to other participants (as in a more classical consensus protocol) or committed to a public blockchain.
Our model consists of three algorithms and one interactive protocol, which behave as follows:

: [itemsep=1pt,leftmargin=0.2cm]
:: is used by a participant to commit themselves to participating in the leader election. This involves establishing both an initial private state ${s t a t e}_{p r i v}$ and a public announcement ${t x}_{c o m}$ .
:: is run amongst the committed participants, each of whom is given $r n d$ and their own private state ${s t a t e}_{p r i v}^{(i)}$ , in order to update both the public state ${s t a t e}_{p u b}$ and their own private states to prepare the leader election for round $r n d$ .
:: is used by a participant to broadcast a proof of their eligibility ${t x}_{r e v}$ for round $r n d$ (or $⊥$ if they are not eligible).
$0 / 1 \leftarrow V e r i f y ({s t a t e}_{p u b}, {t x}_{r e v})$ :: is used by a participant to verify a claim ${t x}_{r e v}$ .

We would like a leader election protocol to achieve three security properties: liveness, unpredictability, and fairness. The first property maps to the established property of liveness for classical consensus protocols, although as we see below we consider several different flavors of unpredictability that are specific to the blockchain-based setting. The final one, fairness (related to chain quality (Garay2015, )), is especially important in open protocols like blockchains, in which participation must be explicitly incentivized rather than assumed.
We begin by defining liveness, which requires that consensus can be achieved even if some fraction of participants are malicious or inactive.

Definition 4.1 (Liveness).

Let $f_{A}$ be the fraction of participants controlled by an adversary $A$ . Then a leader election protocol satisfies $f_{A}$ -liveness if it is still possible to elect a leader even in the face of such an $A$ ; i.e., if for every public state ${s t a t e}_{p u b}$ that has been produced via $U p d a t e$ with the possible participation of $A$ , it is still possible for at least one participant, in a round $r n d$ , to output a value ${t x}_{r e v}$ such that $V e r i f y ({s t a t e}_{p u b}, {t x}_{r e v}) = 1$ .

Unpredictability requires that participants cannot predict which participants will be elected leader before some time.

Definition 4.2 (Unpredictability).

A leader election protocol satisfies unpredictability if, prior to some step $b a r r i e r$ in the protocol, no PT adversary $A$ can produce better than a random guess at whether or not a given participant will be eligible for round $r n d$ , except with negligible probability. If $b a r r i e r$ is the step in which a participant broadcasts ${t x}_{r e v}$ , and we require $A$ to guess only about the eligibility of honest participants (rather than participants they control), then we say it satisfies delayed unpredictability. If it is still difficult for $A$ to guess even about their own eligibility, we say it satisfies private unpredictability.

Most consensus protocols satisfy only the regular variant of unpredictability we define, where $b a r r i e r$ is the point at which the $U p d a t e$ interaction is “ready” for round $r n d$ (e.g., the participants have completed a coin-tossing). This typically occurs at the start of the round, but may also occur several rounds beforehand.
If an adversary is aware of the eligibility of other participants ahead of time, then it may be able to target these specific participants for a denial-of-service (DoS) attack, which makes achieving liveness more difficult. This also helps to obtain security against a fully adaptive adversary that is able to dynamically update the set of participants it is corrupting. (Since they do not know in advance which participants to corrupt to gain an advantage.) A protocol that satisfies delayed unpredictability solves this issue, however, as participants reveal their own eligibility only when they choose to do so, by which point it may be too late for the adversary to do anything. (For example, in a proof-of-stake protocol, if participants include proofs of eligibility only in the blocks they propose, then by the time the leader is known the adversary has nothing to gain by targeting them for a DoS attack. Similarly, an adversary cannot know which participants to corrupt in advance because it does not know if they will be eligible.)
A protocol that satisfies private unpredictability, in contrast, is able to prevent an adversary from inflating their own role as a leader. For example, if an adversary can predict many rounds into the future what their own eligibility will be, they may attempt to bias the protocol in their favor by grinding through the problem space in order to produce an initial commitment ${t x}_{c o m}$ that yields good future results.
Private unpredictability thus helps to guarantee fairness, which we define as requiring that each committed participant is selected as leader equally often. While for the sake of simplicity our definition considers equal weighting of participants, it can easily be extended to consider participants with respect to some other distribution (e.g., in a proof-of-stake application, participants may be selected as leader in proportion to their represented “stake” in the system).

Definition 4.3 (Fairness).

A leader election protocol is fair if for all PT adversaries $A$ the probability that $A$ is selected as leader is nearly uniform; i.e., for all $r n d$ , ${s t a t e}_{p r i v}$ , ${s t a t e}_{p u b}$ (where again ${s t a t e}_{p u b}$ has been produced by $U p d a t e$ with the possible participation of $A$ ), and ${t x}_{r e v}$ created by $A$ ,

4.3. Blockchain-based consensus

As with leader election, each participant maintains some private state ${s t a t e}_{p r i v}$ and some view of the public state ${s t a t e}_{p u b}$ . We consider the following set of algorithms run by participants:

: [itemsep=1pt,leftmargin=0.2cm]
:: is used to establish the initial state: a public view of the blockchain (that is the same for every player) and their private state. This includes the $C o m m i t$ phase of the leader election protocol.
:: is run by each participant to determine if they are eligible to place a bet on a block $B$ . If so, the algorithm outputs a proof $π$ (and if not it outputs $⊥$ ), that other participants can verify using $V e r i f y ({s t a t e}_{p u b}, π)$ . The $V e r i f y$ algorithm is the same as the one used in the leader election protocol, where $π$ = ${t x}_{r e v}$ .
:: is used to create a new block and bet on some previous block.
$B \leftarrow F C R (G)$ :: defines the fork-choice rule that dictates which block altruistic players should bet on. To do so, it gives an explicit score to different chains, and chooses the tip of the chain with the biggest score.
$0 / 1 \leftarrow V e r i f y B l o c k (G, B)$ :: determines whether or not a block is valid, according to the current state of the blockDAG.
$M \leftarrow L a b e l (G)$ :: defines a function $L a b e l : G \to M$ that takes a view of the blockDAG and associates with every block a label in ${winner, loser, neutral}$ . This is crucial for incentivization, and is used to determine the reward that will be associated with every block. With each map $L a b e l$ , and player $i$ , we associate a utility function $u_{i}^{L a b e l}$ that takes as input a blockDAG and outputs the utility of player $i$ for that blockDAG. We will write $u_{i}^{L a b e l} = u_{i}$ if the label function is clear from context. The list of winning blocks constitutes a chain, which we call the main chain. Every chain of blocks that is not the main chain is called a fork.

We would like a blockchain consensus protocol to satisfy a few security properties. Unlike with leader election, these have been carefully considered in the cryptographic literature (Garay2015, ; blockchain-asynchronous, ). As defined by Pass et al. (blockchain-asynchronous, ), there are four desirable properties of blockchain consensus protocols: consistency, future self-consistency, chain growth, and chain quality.
Chain growth (Garay2015, ) corresponds to the concept of liveness in distributed systems, and says the chain maintained by honest players grows with time. Consistency (also called common prefix (Garay2015, )) and future self-consistency both capture the notion of safety traditionally used in the distributed systems literature. Consistency states that any two honest players should agree on their view of the chain except for the last $Y$ blocks, and future self-consistency states that a player and their “future self” agree on their view of the chain except for the last $Y$ blocks (the idea being that a player’s chain will not change drastically over time). In our paper, we consider not just a blockchain-based consensus protocol, but in fact one based on a blockDAG. Participants thus do not keep only the longest chain, but all the blocks they receive, which makes it difficult to use these definitions as is. Instead, we use the notion of convergence,which states that after some time, player converges towards a chain, meaning that no two altruistic players diverge on their view of the main chain except perhaps for the last blocks, and that a block that is in the main chain at some time $τ_{0}$ will still be in the main chain for any time $t > τ_{0}$ . We also ask that this condition holds for a chain of any length, thus capturing the chain growth (or liveness) in the same definition. More formally we define convergence as follows:

Definition 4.4 (Convergence).

For every $k_{0} \in N$ , there exists a chain $C_{k_{0}}^{0}$ of length $k_{0}$ and time $τ_{0}$ such that: for all altruistic players $i$ and time $t > τ_{0}$ : $C_{k_{0}}^{0} \subseteq C^{i, t}$ , except with negligible propability, where $C^{i, t}$ denotes the main chain of $i$ at time $t$ .

Chain quality (Garay2015, ) corresponds to the notion of fairness, and says that honest players contribute some meaningful fraction of all blocks in the chain.

Definition 4.5 (Chain quality).

Chain quality, parameterized by $α$ , says that an adversary controlling a fraction $f_{C} = f_{B} + f_{R}$ of non-altruistic players can contribute at most a fraction $μ = f_{C} + α$ of the blocks in the main chain.

Finally, we define a relatively unexplored property in blockchain consensus, robustness, that explicitly captures the incentivization mechanism. The security notion is not considered by any consensus protocols (except (solidus, ) that states that they leave the proof for future work) and is paramount to capture the security of systems where incentives are at the core.

Definition 4.6 (Robustness).

A protocol is $ϵ$ -robust if given some fractions $(f_{B}, f_{A}, f_{R})$ of BAR players, following the protocol is a $ϵ$ - $(f_{R}, f_{B})$ -robust equilibrium.

5. Caucus: A Leader Election Protocol

In this section, we present Caucus, a leader election protocol with minimal coordination that satisfies fairness, liveness, and strong notions of unpredictability.

5.1. Our construction

: [itemsep=1pt]
$C o m m i t$ ::: A participant commits to their VRF secret key $s k$ by creating a $C o m m i t$ transaction ${t x}_{c o m}$ that contains the VRF public key $p k$ . Each broadcast commitment is added to a list $c$ maintained in ${s t a t e}_{p u b}$ , and that participant is considered eligible to be elected leader after some fixed number of rounds have passed.
$U p d a t e$ ::: Once enough participants are committed, participants run a secure coin-tossing protocol to obtain a random value $R_{1}$ . They output a new ${s t a t e}_{p u b} = (c, R_{1})$ . This interactive protocol is run only for $r n d = 1$ .
$R e v e a l$ ::: For $r n d > 1$ , every participant verifies their own eligibility by checking if $H (y_{r n d}) < t a r g e t$ , where $y_{r n d} = G_{s k} (R_{r n d})$ and $t a r g e t = H_{m a x} / n_{r n d}$ . (Here $n_{r n d}$ is the number of eligible participants; i.e., the number of participants that have committed a sufficient number of rounds before $r n d$ and possibly have not been elected leader in the previous rounds.) The eligible participant, if one exists, then creates a transaction ${t x}_{r e v}$ with their data $y_{r n d}$ and $p_{r n d} = p_{s k} (R_{r n d})$ and broadcasts it to their peers.
$V e r i f y$ ::: Upon receiving a transaction ${t x}_{r e v}$ from a participant $i$ , participants extract $y_{r n d}$ and $p_{r n d}$ from ${t x}_{r e v}$ and check whether or not ${V e r i f y}_{VRF} (R_{r n d}, y_{r n d}, p_{r n d}) = 1$ . If these checks pass, then the public randomness is updated as $R_{r n d + 1} \leftarrow R_{r n d} \oplus y_{r n d}$ and they output $1$ , and otherwise the public state stays the same and they output $0$ .

Figure 2. The Caucus protocol.

The full Caucus protocol is summarized in Figure 2. Our construction is similar to that of Algorand (algorand, ). We, however, add a secure initialization of the random beacon and use Verifiable Random Delays to achieve liveness.
We assume participants have generated signing keypairs and are aware of the public key associated with each other participant (which can easily be achieved at the time participants run $C o m m i t$ ). We omit the process of generating keys from our formal descriptions.
To to be considered as potential leaders, participants must place a security deposit, which involves creating a commitment to their VRF secret key. This means the $C o m m i t$ function runs $G e n$ and returns the VRF secret key as the private state of the participant and the VRF public key (incorporated into a transaction) as the transaction to add to a list of commitments $c$ in the public state.
In the first round, participants must interact to establish a shared random value. This can be done by running a coin-tossing protocol to generate a random value $R_{1}$ . We suggest using SCRAPE (scrape, ), due to its low computational complexity and compatibility with public ledgers. Any solution that instantiates a publicly verifiable secret sharing (PVSS) scheme, however, would also be suitable. The only requirement that we have is that the PVSS should output a value that is of the same type as the value output by the VRF function G.
For each subsequent round, participants then verify whether or not they are eligible to fold their randomness into the global value by checking if $H (G_{s k} (R_{r n d})) < t a r g e t$ , where the value of $t a r g e t$ depends on the number of expected leaders per round (for example, we choose $t a r g e t = H_{m a x} / n_{r n d}$ in order to have on expectation one leader per round). If this holds, then they reveal $y_{r n d} = G_{s k} (R_{r n d})$ and $p_{r n d} = p_{s k} (R_{r n d})$ to the other participants, who can verify that the inequality holds and that ${V e r i f y}_{VRF} (R_{r n d}, y_{r n d}, p_{r n d}) = 1$ . If the participant is in fact eligible, then they are deemed to be the leader for that round and the global randomness is updated as $R_{r n d + 1} \leftarrow R_{r n d} \oplus y_{r n d}$ .

To fully achieve security, we describe two necessary alterations to the basic protocol as presented thus far. First, in order to maintain unpredictability, participants should become eligible only after some fixed number of rounds have passed since they ran $C o m m i t$ . This means updating $V e r i f y$ to also check that ${r n d}_{j o i n e d} > r n d - x$ (where ${r n d}_{j o i n e d}$ is the round in which the participant broadcast ${t x}_{c o m}$ and $x$ is the required number of interim rounds). This has the effect that an adversary controlling $f_{A}$ participants cannot privately predict that they will be elected leader for a few rounds and then grind through potential new secret key values to continue their advantage via new commitments, as the probability will be sufficiently high that at least one honest participant will be elected leader between the time they commit and the time they participate.
Second, it could be the case that in some round, no participant is elected leader. It could also be the case that an adversary is the only elected leader and does not reveal their proof of eligibility and abort. To maintain liveness, we alter the protocol so that if no participant reveals ${t x}_{r e v}$ , we “update” the random beacon as $R_{r n d} \leftarrow F (R_{r n d})$ , where $F$ is a deterministic function that acts as a proof-of-delay (proof-of-delay, ; vdf, ). The simplest example of such a function is $F = H^{p}$ ; i.e., a hash function iterated $p$ times. When a honest player is not eligible on the winning block, they start computing the proof-of-delay and if by the time it is computed no leader has been revealed, they check their eligibility with the updated beacon $F (R_{r n d})$ . One can think of this as re-drawing the lottery after some delay. This allows participants to continue the protocol (and, since it is purely deterministic, is different from proof-of-work), but has the downside that verification is also costly, as it requires participants to re-compute the hashes. Bünz et al. recently proposed an efficient Verifiable Random Delay function (vdf, ) that can be efficiently and publicly verified yet requires sequential steps to compute. This proof-of-delay should be used sparingly so we consider it acceptable that it is expensive. Moreover we make the assumptions that the time $δ$ that it takes to compute the proof-of-delay is bigger than the parameter $Δ$ of our semi-synchronous model.
It could also be the case, however, that there are two or more winners in a round. In a setting such as proof-of-stake, being elected leader comes with a financial reward, and conflicts may arise if two winners are elected (such as the nothing-at-stake problem discussed in Section 3.3). One potential solution (also suggested by Algorand (algorand, )) for electing a single leader is to require all participants to submit their winning values $y_{r n d}$ and then select as the winner the participant whose pre-image $y_{r n d}$ has the lowest bit value. This problem is investigated further in Section 6, where we present the full Fantômette protocol.
Finally, we describe a third, optional alteration designed to improve fairness by forcing more rotation amongst the leaders. To be elected, we require that a participant has not acted as leader in the past $(n_{r n d} - 1) / 2$ rounds, which can be implemented by adding a condition in the $V e r i f y$ function and using $(n_{r n d} + 1) / 2$ in place of $n_{r n d}$ in the computation of the value $t a r g e t$ .

5.2. Security

In order to prove the security of Caucus as a whole, we first prove the security of its implicit random beacon.

Lemma 5.1 ().

If $H$ is a random oracle and $R$ is initialized using a secure coin-tossing protocol, then the random beacon $R_{r n d}$ is also secure; i.e., it satisfies liveness (Definition 3.2), unbiasability (Definition 3.4), and unpredictability (Definition 3.3) for every subsequent round.

Proof.

For liveness, we observe that after initialization, no coordination is required, so any online participant can communicate their own eligibility to other online participants, allowing them to compute the new random value. The exception is the case where no participant is elected leader, in which case participants can update their random value by $R_{r n d} \leftarrow F (R_{r n d})$ until a leader reveals themselves.
For unpredictability, we must show that, unless the adversary is itself the next leader, it is hard to learn the value of $R_{r n d}$ before it receives ${t x}_{r e v}$ . We have $R_{r n d} = R_{r n d - 1} \oplus y_{r n d - 1}$ , where $R_{r n d - 1}$ is assumed to be known. In the protocol, the adversary sees $p k$ as part of the commitment of the relevant honest participant, and if that participant has run $R e v e a l$ before it may have also seen $y_{r n d}^{'} = G_{s k} (R_{r n d}^{'})$ for ${r n d}^{'} < r n d$ . If the adversary could produce better than a random guess about $R_{r n d}$ then they would also produce better than a random guess about $G_{s k} (R_{r n d})$ which contradicts its pseudo-randomness.
For unbiasability, we proceed inductively. By assumption, $R$ is initialized in a fair way, which establishes the base case. Now, we assume that $R_{r n d - 1}$ is uniformly distributed, and would like to show that $R_{r n d}$ will be as well. By the assumption that $R_{r n d}$ is unpredictable, and thus unknown at the time an adversary commits to their secret key, the distribution of $y_{r n d}$ and $R_{r n d}$ is thus independent. (As the adversary cannot grind through private keys since they do not know $R_{r n d}$ at the time they commit and G verifies unicity.) If we define a value $R$ , and denote $R^{'} \leftarrow R \oplus y_{r n d - 1}$ , then we have

	$Pr [R_{r n d} = R]$	$= Pr [y_{r n d - 1} \oplus R_{r n d - 1} = y_{r n d - 1} \oplus R^{'}]$
		$= Pr [R_{r n d - 1} = R^{'}],$

which we know to be uniformly random by assumption, thus for every $R^{'}$ , we have $Pr [R_{r n d - 1} = R^{'}] \approx 1 / (2^{ℓ} - 1)$ and for every value $R$ , $Pr [R_{r n d} = R] \approx 1 / (2^{ℓ} - 1)$ , proving the fairness of $R_{r n d}$ . (Here $ℓ$ denotes the bitlength of $R$ .) An adversary controlling many winning values for $R_{r n d - 1}$ , however, may decide on the one they reveal, which makes it difficult to argue for unbiasability when the adversary controls many players. This is a limitation of Caucus that we address (or at least quantify) in our analysis of Fantômette in Section 7.

∎

Theorem 5.2 ().

If $H$ is a random oracle and $R$ is initialized as a uniformly random value, then Caucus is a secure leader election protocol; i.e., it satisfies liveness, fairness, delayed unpredictability (where $b a r r i e r$ is the step at which the elected leader reveals their proof), and private unpredictability (where $b a r r i e r$ is the step at which the randomness $R_{r n d}$ is fixed).

Proof.

For liveness, a participant is elected if they broadcast a valid transaction ${t x}_{r e v}$ such that $H (y_{r n d}) < t a r g e t$ . If $U p d a t e$ satisfies $f_{A}$ -liveness then an adversary controlling $f_{A}$ participants cannot prevent honest participants from agreeing on $R_{r n d}$ . In the case where no participants produce a value $y_{r n d}$ such that $H (y_{r n d}) < t a r g e t$ , we update the value of $R_{r n d}$ as described above until one participant is elected. With a similar argument as in the proof of Theorem 5.1, the protocol thus achieves liveness.
For fairness, a participant wins if $H (G_{s k} (R_{r n d})) < {t a r g e t}_{r n d}$ . By the assumption that $R_{r n d}$ is unpredictable, and unknown at the time an adversary commits to their secret, we have that an adversary could not have grind through secret keys to bias $G_{s k} (R_{r n d})$ . Combining this with the assumption that $R_{r n d}$ is unbiasable and thus uniformly distributed, we can argue that $y_{r n d} = G_{s k} (R_{r n d})$ is uniformly distributed. This implies that the probability that the winning condition holds is also uniformly random, as desired.
The argument for delayed unpredictability is almost identical to the one in the proof of Theorem 5.1: even when $R_{r n d}$ is known, if $A$ has not formed $y_{r n d}$ itself then by the pseudo-randomness of G it cannot predict whether $H (G_{s k} (R_{r n d})) < {t a r g e t}_{r n d}$ . (If it could then the adversary could use that to distinguish $G_{s k} (R_{r n d})$ from random with an advantage.)
Finally, private unpredictability follows from the unpredictability of $R_{r n d}$ .
In terms of the fraction $f_{C}$ of malicious participants that we can tolerate, it is $t / n$ , where $t$ is the threshold of the PVSS scheme used to initialize the random beacon. In the context of proof-of-stake, however, we would still need to assume an honest majority. We investigate this in the next section, where we present the full Fantômette protocol. ∎

Even if the initial value was some constant instead of a randomly generated one, we could still argue that the protocol is fair after the point that the randomness of at least one honest participant is incorporated into the beacon. This assumption is weakened the longer the beacon is live, so works especially well in settings where the leader election protocol is used to bootstrap from one form of consensus (e.g., PoW) to another (e.g., PoS), as discussed for Ethereum (casper, ).

6. Fantômette: A Consensus Protocol

In this section, we present Fantômette, our full blockchain consensus protocol. Our focus is on incentives, and in particular on enforcing good behavior even in settings where no natural incentives or investments exist already.
Briefly, Fantômette works as follows: participants bet on the block that has the strongest score, according to their view of the blockDAG. They also reference all the leaves (i.e., the most recent blocks) of which they are aware, to “prove” that they are well connected and following the rules. A block is valid if among all of its references, it is indeed betting on the one with the higher score. We argue for its security more extensively in the next section, but give here some intuition for how it addresses the challenges presented in the PoS setting introduced in Section 3.3. First, Fantômette solves the nothing-at-stake problem by strongly punishing players who do not reference their own blocks, and ensuring that players bet only on the strongest chain they see. As it is not possible for two chains to appear as the strongest at the same time, this prevents players from betting on multiple chains.
The grinding attack is prevented largely due to the unbiasability of the random beacon in Caucus, and the optional requirement that leaders must rotate with sufficient frequency discussed at the end of Section 5.1. Finally, long-range attacks are thwarted by Fantômette’s finality rule, which acts as a form of decentralized checkpointing.

6.1. Protocol specification

We specify how to instantiate the algorithms required for a consensus protocol specified in Section 4.3. The $S e t u p$ and $E l i g i b l e$ algorithms are as described for Caucus in Section 5. Before presenting the rest of the algorithms, we give some additional definitions associated with finality in blockDAGs.
In order to make the following definitions, we assume a static set of players. We then present how to handle a dynamic set. Let’s also recall that thanks to the deposit, the set of players is known to everyone. A candidate block is a block, as its name suggests, that is a candidate for finality. The initial list of candidate blocks consists of every block betting on the genesis block; i.e., every block that uses this as its parent $B_{p r e v}$ . Whenever a block has in its past two-thirds of bets on a candidate, this block acts as a witness to the finality of that block, so is called a witness block. If a block $B_{1}$ is a witness for $B_{0}$ and $B_{2}$ is a witness for $B_{1}$ , we say that $B_{2}$ is a second witness of $B_{0}$ . Finally, candidate blocks belong to a given rank, which we denote by $r k$ . The first set of candidate blocks (after the genesis block) belong to $r k = 1$ . After this every block that bets on a second witness block of rank $r k$ and has a distance of $w$ with this block is a candidate for rank $r k + 1$ . The above process constitutes a decentralized checkpointing.
Using the sample blockDAG in Figure 1, for example, and assuming three players and $w = 0$ , the initial list of candidate blocks is ${A, B, C, D}$ (which all have rank $r k = 1$ ). Block $E$ then bets on $A$ , as does block $H$ (since $A$ is an ancestor of $H$ ), so $H$ can be considered as a witness block for $A$ . Similarly, $I$ acts as a witness block for $C$ . Since this now constitutes two-thirds of the participants, $A$ and $C$ become justified (casper, ). If in turn two-thirds of participants place bets on the associated witness blocks, then the justified block becomes finalized. With $w = 0$ , the second witness blocks are added to the candidate list accordingly, but at rank $r k = 2$ .
In order to handle a dynamic set of players, once a block is finalized (i.e. once there exists at least one second witness block) we allow for a window of $w$ blocks for the players to leave or join the protocol. At the end of this period, the set of players is fixed and the decentralized checkpointing resumes with as new candidate blocks, all blocks that have a distance $w$ with a second witness block for rank $r k$ . We leave as important future work a solution that would allow players to leave and join the protocol even during the checkpointing period.

Fork choice rule

We present a formal specification of our fork choice rule $F C R$ in Algorithm 1. Intuitively, the algorithm chooses blocks with more connections to other blocks. Accordingly, we compute the score of a leaf block $B$ by counting the number of outgoing references for every block in its past. We do not count, however, blocks that have been created by an adversary using the same eligibility proof multiple times. We denote as $D o u b l e$ the set of all blocks that contains the same proof of eligibility but different content. The score of a chain whose tip is $B$ is then the number of edges in the subgraph induced by $P a s t (B) ∖ D o u b l e$ , and we pick as a “winner” the leaf with the highest score. If there is a tie (i.e., two leaf blocks have the same score), we break it by using the block with the smallest hash.¹¹1It is important, to avoid grinding attacks, to use the hash as defined in Caucus, or something else similarly unbiasable.

input : a DAG

G

output : a block

B

representing the latest ‘‘winner’’

1 if $(G = Genesis Block)$ then

2 return

G

w \leftarrow \emptyset

4 for $B \in L e a v e s (G)$ do

5 for $B^{'}$ in $P a s t (B) ∖ D o u b l e$ do

w [B^{'}] = | B^{'} [B_{l e a f}] |

C W \leftarrow {argmax}_{B \in l e a f (G)} w (B)

// if there is a tie choose block with smaller hash

B \leftarrow {argmin}_{B \in C W} H (B)

return

B

Algorithm 1 Fork-choice rule (FCR)

Betting

To place a bet, a participant first identifies the latest winning block as $B \leftarrow F C R (G_{p u b})$ . They then check their latest second witness block (if they have one) and verify that at least one candidate block associated with it is also in $A n c e s t o r s (B)$ (i.e. they verify that the block was not created maliciously as part of a long range attack). They then check to see if they are eligible to act as a leader by computing . If they are (i.e., if $π \neq ⊥$ ), then they form a block with $B$ as the parent, with all other blocks of which they are aware as the leaf blocks, and with their proof of eligibility $π$ and set of transactions.

Block validity

We now define the rules that make a block valid; i.e., the checks performed by $V e r i f y B l o c k (G, B)$ . Intuitively, a valid block must be betting on the block chosen by the fork-choice rule, and its creator must be eligible to bet on that block. If a player is aware of a justified block, then they must bet on either that block or another witness block, but cannot prefer a non-justified block to a justified one.

More formally, a new block is valid only if the following hold:

[leftmargin=0.2cm]
It is betting on the block chosen by the fork choice rule for the blocks of which it is aware; i.e., $B_{p r e v} = F C R (P a s t (B))$ .
The creator is eligible to bet: $E l i g i b l e (B_{p r e v}, {s t a t e}_{p r i v}^{B . s n d}) \neq ⊥$ .
If it references a witness block then it is betting on a witness block; i.e., if there exists a witness block in $P a s t (B)$ then there exists a witness block in $A n c e s t o r s (B)$ .
If it references a second witness block, then it is betting on a block in the past of that block: if there exists a second witness block $B_{s} \in P a s t (B)$ , then $A n c e s t o r s (B) \cap P a s t (B_{s}) \neq \emptyset$ .

6.2. Incentives

Label

We present a formal specification of our label function $L a b e l$ in Algorithm 2. Intuitively, if a block is chosen by the $F C R$ it is labelled winner and so are all of its ancestors. Blocks that bet on winners are labeled neutral. Following the techniques in PHANTOM (phantom, ), all winning and neutral blocks form a subset of the DAG called the blue subset and denoted by $b l u e$ . Every block whose anticone intersects with fewer than $k$ blocks in the blue set is labeled neutral, and otherwise it is labeled loser. The parameter $k$ is called the inter-connectivity parameter, and means that a block is allowed to be “unaware” of $k$ winning blocks, but not more (as, e.g., these blocks may have been created at roughly the same time).

input : A DAG

G

output : A labelling of the block in the DAG

M

1 set

B \leftarrow F C R (G)

b l u e \leftarrow b l u e \cup {B}

M (B) = winner

4 for $B_{i} \in A n c e s t o r s (B)$ do

b l u e \leftarrow b l u e \cup {B_{i}}

M (B_{i}) = winner

7 for $B_{j} \in D i r e c t F u t u r e (B_{i}) ∖ A n c e s t o r s (B)$ do

b l u e \leftarrow b l u e \cup {B_{j}}

M (B_{j}) = neutral

11 for $B_{i} \in G ∖ b l u e$ do

12 if $A n t i c o n e (B_{i}) \cap b l u e \leq k$ then

b l u e \leftarrow b l u e \cup {B_{i}}

M (B_{j}) = neutral

15 else

M (B_{i}) = loser

return

M

Algorithm 2

L a b e l

Utility functions

At the end of the game, which we define to be of length $T$ , as defined in Section 4, we take the $B C P D$ and apply the $L a b e l$ function to it, in order to associate each block with a state. For every winning block that a player has added to the $B C P D$ , they win a reward of $r w d (B)$ , and for every losing block they lose $p u n$ . In addition, if a player creates a block that does not reference one of their own blocks, we add a bigger punishment $b i g p u n$ (for example, blocks that belong to the set $D o u b l e$ defined previously will add this punishment). This punishment is bigger because a player is obviously aware of all their own blocks, so if they do not reference one it is an obvious form of misbehavior (whereas a block might end up being labelled a loser for other reasons).
More formally, we define the following utility function:

(1)

u_{i} (B C P D) = \sum \begin{matrix} B \in B C P D s.t. B . s n d = i and M (B) = winner \end{matrix} r w d (B) - \sum \begin{matrix} B \in B C P D s.t. B . s n d = i and M (B) = loser \end{matrix} p u n + b i g p u n \times | N |

where $M = L a b e l (B C P D)$ and

	$N = {(B_{j}, B_{k}) s.t.$	$B_{j} . s n d = i \land B_{k} . s n d = i \land$

The reward function is proportional to the connectivity of a block; i.e., a block that references many blocks receives more than a block that references only one other block. The reason is that we want to incentivize players to exchange blocks between each other, rather than produce blocks privately (as in a selfish mining attack). In this paper we consider a simple function $r w d (B) = | B_{l e a f} | \times c$ for some constant $c$ , and treat $p u n$ and $b i g p u n$ as constants. We leave the study of more complex reward and punishment mechanisms as interesting future work.
One of the difficulties of dealing with blockchain-based consensus, compared to traditional protocols, is that the enforcement of the payoff is achieved only by consensus; i.e., the utilities depend on whether or not enough players enforce them. In order to enforce the payoff, we thus assume that participants can give a reward to themselves in forming their blocks (similarly to Bitcoin), but that evidence of fraud can be submitted by other players. If another player submits evidence of fraud, the subsequent punishment is taken from the security deposit of the cheating player.

7. Security of Fantômette

In this section, we show that Fantômette is secure, according to the model in Section 4. We support our proofs with a simulation of the protocol as a game played between Byzantine, altruistic, and rational players in Section 7.3.

7.1. Action Space

We discuss the different strategies available to a coalition of players, whether Byzantine or rational. They can take any deviation possible from the game. We do assume, however, that they create valid blocks, as otherwise passive players will simply ignore their chains (as discussed in Section 4).
If an adversary withholds their blocks, it can gain an advantage in subsequent leader elections. To see this, consider that after each block each player has a probability $1 / n$ of being elected leader. Being a leader does not guarantee a winning block, however, as only the block with the smallest hash wins. For each block, the number of subsequent players $k$

that are elected leader follows a binomial distribution parameterized by

n

and

1 / n

. Assuming the leader election is secure, each of these leaders is equally likely to have the winning block, so each player has probability

1 / (k n)

of being the winner. By not revealing a block, this probability goes up to

1 / n

(since other players are simply not aware of it), so by keeping their chain private an adversary can raise their chance of having a winning block. We thus assume that both Byzantine and rational players withhold their blocks and grind through all possible subsequent blocks in order to maximize their advantage.
In terms of the space that players grind through, the main option they have when elected leader is whether to place a bet or not. The protocol dictates that they must bet on the fork-choice rule only, but they may wish to bet on a different block (as, e.g., doing so could increase their chances of being elected leader in the future). In order to still maintain the validity of their blocks, doing so means they must eliminate references in their set

B_{l e a f}

so that their chosen block appears as the fork-choice rule (in accordance with the first check in

V e r i f y B l o c k

). Players are always better off, however, including as many blocks as possible in their references, as it increases the score of their block. Thus, they will remove references to blocks that have higher scores in order to make their block appear as the fork-choice rule, but not more than necessary.
For rational players, there is a trade-off between not revealing their block (which raises their chance of having more winning blocks, as argued above) and revealing their block, which reduces their chance of having more winning blocks but increases their reward because it allows their block to have more references. Our simulation investigates this trade-off. Regardless, the strategy of rational players is to grind through all possible blocks and broadcast the chain that maximizes their utility. Byzantine players, in contrast, do not try to maximize their profit, but instead play irrationally (i.e., they are not deterred by punishment).

7.2. Security arguments

According to the security properties in Section 4.3, we need to argue three things: convergence, chain quality, and robustness. We support these security properties with our simulation in Section 7.3 Before proving each security property, we first prove some general results about the protocol. Assume that two blocks $B_{1}$ and $B_{2}$ are two competing blocks with the same score, betting on the same block. We call the stronger chain the one with the higher score according to a hypothetical oracle node that collates the views of the blockDAG maintained by all participants. We assume that $B_{1}$ is the leaf of the stronger chain.

Claim 7.1 ().

On average, blocks added to the stronger chain add more to its score than blocks added on the weaker chain.

Proof.

Without loss of generality, we prove the result for two chains with the same score $S$ . For simplicity, we assume that the chains do not reference each other (e.g., chains ${A, C}$ and ${B, D}$ in Figure 3). By the definition of scoring in the $F C R$ (Algorithm 1), a block betting on the stronger chain adds a score of $S + 2$ if the leader is aware of the leaf block on the weaker chain, and $S + 2 - 1 = S + 1$ otherwise. (For example, $E$ adds a score of $S + 2$ by referencing both $C$ and $D$ , and $S + 1$ by referencing $C$ and $B$ if it is not aware of $D$ .) The block that they receive first has probability 0.5 of being stronger or weaker as the random beacon has uniform distribution, thus on average, the score added by one block to the stronger chain is $0.5 \cdot (S + 2) + 0.5 \cdot (S + 1) = S + 1.5$ .

Figure 3. Example of two blocks added on competing chains.

On the weaker chain, in contrast, whether the leader is aware of the stronger leaf block or not does not matter since they cannot reference it while maintaining the validity of their block (according to the first check in $V e r i f y B l o c k$ ). Thus the score added to the weaker chain is $(S - 1) + 2 = S + 1$ , since that block references the stronger chain but not on its latest block. ∎

We show in Theorem 7.2 that for a given rank, all second witnesses share the same set of candidate blocks provided that $f_{B} < 1 / 3$ . The idea is that whenever a block is finalized, all players have agreed on the current set of candidate blocks, and thus they should not accept any other candidate blocks at that rank (as required by the betting algorithm stated in Section 6).

Figure 4. A visual sketch of the proof of Theorem 7.2. A participant placing a bet between $x_{2}$ and $y_{2}$ , and $y_{1}$ and $z_{1}$ must have placed their bet on $x_{2}$ first, thus $z_{1}$ references $x_{2}$ .

Theorem 7.2 (Finality).

If $f_{B} < 1 / 3$ , then once a block at rank $r k$ is finalized, players agree on a list of candidate blocks for rank $r k$ (i.e., this list cannot grow anymore).

Proof.

Assume there exist two finalized blocks $x_{1}$ and $x_{2}$ . Denote by $y_{i}$ the witness block for $x_{i}$ , and by $z_{i}$ the second witness block for $x_{i}$ . By the definition of finality, it must have been the case that more than two-thirds of participants placed bets on $x_{1}$ and $x_{2}$ , which in turn implies that more than a third of them placed bets on both $x_{1}$ and $x_{2}$ . Since only a third of participants are Byzantine, this means that at least one non-Byzantine player placed a bet on both blocks. (Let’s recall that during the decentralized checkpointing the set of players is fixed.) Non-Byzantine players always reference their own block (since there is a large punishment incurred if not); this means that there is one of the witness blocks $y_{i}$ that references “across the chains”; i.e., such that $x_{1}, x_{2} \in P a s t (y_{i})$ .
Without loss of generality, assume that $x_{1}, x_{2} \in P a s t (y_{2})$ . This means that $x_{1} \in P a s t (z_{2})$ and thus $x_{1}, x_{2} \in P a s t (z_{2})$ . Since more than two-thirds of the participants bet on $y_{1}$ , by a similar reasoning as above this means that at least one non-Byzantine player placed a bet on both $y_{1}$ and $x_{2}$ (before $y_{2}$ ). Thus, either (1) $z_{1}$ references $x_{2}$ or (2) $y_{2}$ references $y_{1}$ . Because of the third check in $V e r i f y B l o c k$ , however, this second case is not possible: since $y_{1}$ is a witness block, $y_{2}$ cannot reference it without betting on a justified block, and $x_{2}$ is not justified before $y_{2}$ . We refer the reader to graph 4 for a visual intuition of this. Thus, it must be the case that $z_{1}$ references $x_{2}$ . Thus $z_{i}$ references both $x_{i}$ and $x_{j}$ for $i \neq j$ .
For a set of candidate blocks, all the second witness blocks thus reference all candidate blocks (applying the previous analysis to all the candidates blocks pair-wise). So, after a candidate block is finalized, players must agree on the set of candidate blocks for that rank.
We will investigate the long-range attack in the proof of the convergence theorem. ∎

Next, we show convergence. Intuitively, the main argument here is that if an adversary tries to grow multiple chains to prevent altruistic players from agreeing on a main chain, altruistic players are still very likely to agree on a chain, since the score of the main chain grows faster than the score of other chains. Additonally, since an adversary is unlikely to be elected leader for a consecutive number of blocks, it is unlikely that other players will revert their main chain once they have agreed on one. Even if the adversary somehow manages to build their own private chain (by, e.g., using the proof-of-delay or bribing old participants in a long-range attack), the decentralized checkpointing mechanism in Fantômette provides a notion of finality for blocks. Thus, by the time they succeed in mounting such an attack, it will be too late and other participants will not accept their chain.

Theorem 7.3 (Convergence).

Given a coalition $f_{C} < 1 / 3$ of non-altruistic players, we have: for every $k_{0} \in N$ , there exists a chain $C_{k_{0}}^{0}$ of length $k_{0}$ and time $τ_{0}$ such that: for all altruistic players $i$ and times $t > τ_{0}$ : $C_{k_{0}}^{0} \subseteq C^{i, t}$ , except with negligible propability, where $C^{i, t}$ is the main chain of player $i$ at time $t$ .

Proof.

We start by showing that the length of the longest chain in the DAG, indeed grows. This is relatively straightforward, and follows from the discussion around liveness in Section 6.1. To summarize, even if a Byzantine player is the only leader and chooses not to publish a block, after some delay players will “re-draw” the lottery and an altruistic player will be chosen eventually. We now calculate the worst-case growth rate of the main chain, which happens when the adversary simply aborts. If an adversary controls $n_{C}$ players, then an aborting player is elected leader with probability $1 - (1 - p)^{n_{C}}$ . This means that after each block, the chain will grow normally with probability $(1 - p)^{n_{C}}$ and will grow with a delay of $δ$ (where $δ$ is the delay in the proof-of-delay) with probability $1 - (1 - p)^{n_{C}}$ . Moreover since a block is propagated with a maximum delay of $Δ$ , we have that the worst rate at which a block is created is $(1 - p)^{n_{C}} \cdot Δ + (1 - (1 - p)^{n_{C}}) \cdot (Δ + δ) = Δ + δ \cdot (1 - (1 - p)^{n_{C}})$ . However it could be the case that more than one chain grows in the DAG. We now move on to prove the core of the protocol.
Let $k_{0}$ be an integer. Due to the previous argument about the growth of the chain and the semi-synchrony assumption (all players receive a block before $Δ$ slots), there exists a time $τ_{1}$ such that every honest player have in their DAG at least one chain $C_{k_{0}}$ of length $k_{0}$ . Let’s assume that there exists two such chains $C_{k_{0}}$ and $C_{k_{0}}^{'}$ . We show that, with high probability, after some time $τ_{0}$ one will be “dropped” and thus for the remaining one we will have that for every $t > τ_{0}$ $C_{k_{0}}^{0} \subseteq C^{i, t}$ .
Let’s assume that players start creating blocks on both chains. After some time less or equal than $Δ$ players will be aware of the other chain and thus can start referencing it (remember that $Δ$ is smaller than $δ$ ). Then it has to be the case that the score of one chain will grow faster than the other one as shown in Claim 7.1 (even if both chain keep growing). Now, we argue why it is unlikely that both chain keep growing indefinitely. The weaker chain grows only if the leader on that chain is either Byzantine or hasn’t heard of the latest blocks on the other chain. As explained in the proof of Claim 7.1 for every altruistic player, for two chains of roughly the same length, there’s half a chance that they receive the weaker chain first due to the unbiasability and uniform distribution of the random beacon. Thus for an altruistic player there’s half a chance that they extend the weaker chain.
On the other hand, the stronger chain grows even if the elected leader received the weaker one first (as long as they are not eligible on it, which happens with probability $1 - 1 / n$ ). More formally, in the case where altruistic players are leaders on both chain, the stronger one will be extended with probability $(1 - 1 / n) + 1 / n \cdot 0.5 = 1 - 0.5 \cdot 1 / n$ and the probability that the weaker chain grows is $0.5$ . Thus it is more likely for an altruistic player to extend the stronger chain. This explains why the strongest chain grows with higer probability.
Thus with high probability, there exists a time $τ_{0}$ such that altruistic players will stop extending the weaker chain.
After this time $τ_{0}$ it is very unlikely that players will revert their main chain to another chain. Indeed an adversary that tries to revert the main chain does not succeed except with negligible probability. Let’s assume that at time $τ_{0}$ , the difference between the main chain and the chain that the adversary is trying to extend is $m$ . To revert the chain, they need to create a competitive DAG with at least $m$ references within the fork faster than the main chain grows. As $m$ gets biggers, the adversary will need to create more blocks privately and this attack becomes less lilely to succeed as the probability of creating $ℓ$ blocks privately decreases with $ℓ$ (we will compute this probability in the proof of the next Theorem 7.4). Here we assume that the proof-of-delay is secure, i.e. that even an adversary with enough power will not be able to compute a proof-of-delay faster than expected.
Finally, as explained in Section 3.3, we must consider long-range attacks, where an adversary re-writes the history by bribing old participants. Because we add a decentralized checkpointing, this attack will not succeed. Let’s assume that an adversary has bought old keys from previous participants and re-wrote the history of the blockchain with those. When they receive this new chain, altruistic players are already aware of at least one second witness block (as the reconfiguration period has to start after a second witness block as explained in Section 6.1). According to the betting rule in Section 6.1 once altruistic players know of a second witness block, they will not bet on a block that does not bet on an associated candidate block. Thus altruistic players will never bet on the new adversarial chain. This is also true for rational players since when they see this new chain, they would have to start ignoring all the blocks they have created in order to bet on it (due to the fourth check in $V e r i f y B l o c k$ ), thus losing most of their deposit. Thus the chain created with old keys will not be accepted by current participants.
We have thus shown that after time $τ_{0}$ , altruistic players have agreed on the main chain $C_{k_{0}}$ and that it’s very unlikley they will revert to another main chain. This proves the result. ∎

Next, we show chain quality. Intuitively, this results from the fact that a player is unlikely to be elected a winner for many consecutive blocks and that the proof-of-delay is secure.

Theorem 7.4 (Chain quality).

A coalition $f_{C} < 1 / 3$ of non-altruistic players cannot contribute to a fraction of more than $μ = f_{C} + α$ of the blocks in the main chain. Given our choice of values for the different parameter we have $α = 0.03$ .

Proof.

The probability that an adversary controlling $n_{C}$ participants can contribute one block is $1 - (1 - p)^{n_{C}}$ . Thus we have that the probability that a player contributes exactly $ℓ$ consecutive blocks, without grinding is $(1 - (1 - p)^{n_{C}})^{ℓ} (1 - p)^{n_{C}}$ . The expected number of consecutive blocks is thus $\sum_{j = 0}^{\infty} j (1 - (1 - p)^{n_{C}})^{j} (1 - p)^{n_{C}} = (1 - p)^{n_{C}} \sum_{j = 0}^{\infty} j (1 - (1 - p)^{n_{C}})^{j} = (1 - p)^{n_{C}} \cdot \frac{(1 - (1 - p)^{n_{C}})}{(1 - (1 - (1 - p)^{n_{C}}))^{2}} = (1 - p)^{n_{C}} / (1 - (1 - p)^{n_{C}})$

. (This is the case where a player re-draw the lottery once each time they are elected leaders.) A quick estimation shows that for

n

big enough the expected number of consecutive blocks for a coalition of a third that plays honestly is 0.395. For a coalition that grinds, the idea is that they will “re-draw” the lottery for each of their winning shares to try and create more blocks. The probability of creating a chain of exactly

ℓ

consecutive blocks when grinding is

\sum_{x_{1}, \dots, x_{ℓ} \in S_{ℓ}} (\frac{n_{C}}{x_{1}}) \dots (\frac{n_{C} x_{ℓ - 1}}{x_{ℓ}}) p^{\sum x_{i}} (1 - p)^{n (1 + \sum_{i = 1}^{ℓ} x_{i}) - \sum_{i = 1}^{ℓ} x_{i}}

, where

S_{ℓ} = {x_{1}, \dots, x_{ℓ} : 1 \leq x_{1} \leq n_{C}; \forall i > 11 \leq x_{i} \leq x_{i - 1} n_{C}}

. (This is a sequence of Bernoulli trials where the number of trials is the number of successes on the previous round times

n_{C}

.) Using the above probability, a player that grinds through all their blocks has an expectation of creating 0.42 blocks. This gives a value of

α = 0.03

. We will confirm this value in the simulation in the next section. We thus see that the advantage gained by grinding is limited, due to our leader election mechanism. Again, we assume that the proof-of-delay is secure. ∎

Finally, we show robustness. The main reason this holds is that, by following the protocol in betting on the $F C R$ , a block gets more references and thus has a higher score than a block not following the protocol. A coalition of players can gain a small advantage by grinding through all the blocks they can create, but when doing so they keep their chain private and thus prevent other players from referencing it. This in turn reduce the rewards associated with these blocks.

Theorem 7.5 (Robustness).

Given the utility function in Equation 1 and the values for $r w d$ and $p u n$ chosen in Section 7.1, following the protocol is a $ϵ$ - $(1 / 3, 1 / 4)$ -robust equilibrium, where $ϵ = 1.1$ .

Proof.

In order to get an intuition behind the proof, we first show that following the protocol is a Nash equilibrium. Recall that the possible choices when elected leader are: (1) whether to bet or not, (2) which leaves to include, and (3) when to broadcast their blocks. We show that for each of these, if other players follow the protocol then a player is incentivized to follow the protocol. If the player is elected leader on the $F C R$ , we want to show that betting on it gives them a higher probability of being a winner. This is because, by definition of the $F C R$ (Algorithm 1), betting on it means betting on the stronger chain. As argued in Claim 7.1, this will add more to its score, and thus again by the definition of the $F C R$ it has a higher probability of being the next block chosen by the $F C R$ . (It could still, however, lose against another bet on the $F C R$ that has a smaller hash, but even in this case the $L a b e l$ function still labels it as neutral.) This establishes (1).
By creating a block on top of a weaker chain, a player needs to ignore the stronger chain, which means referencing fewer blocks (i.e., ignoring blocks of which they are aware). This means that their block will have worse connectivity, however, and thus has a higher chance of being labelled loser and thus getting a punishment. This is because, by the definition of the anticone, worse connectivity means a bigger anticone, which in turns means a bigger intersection with the $b l u e$ set and thus, by the definition of $L a b e l$ (Algorithm 2), a higher chance of being labelled loser. This establishes (2).
To argue about (3), we now show why a rational player is incentivized to reveal their block as soon as possible. By broadcasting their block as soon as they created it, their blocks can get more references (since other player follow the protocol), which again increases the probability of being a winner, and the expected accompanying reward. (A single player has nothing to grind through.)
Now, in order to show that the protocol is robust, we show that a coalition of rational players that deviate from the protocol to raise their utility, can only do so by $ϵ$ (resiliency). We next show that a Byzantine adversary cannot decreases the utility of honest players by more than $1 / ϵ$ (immunity).

Resiliency

We consider a coalition of a fraction $f_{C}$ of rational players. Because it is costless to create blocks, a rational coalition can clearly gain an advantage by grinding through all the blocks they can create in order to find a subDAG that increases their utility. However due to the restrictions imposed by the leader election and assuming the proof-of-delay is secure the advantage they can gain is limited. As shown in Theorem 7.4, the expected number of blocks contributed by an adversary that adopts a grinding strategy is 0.42 versus 0.39 for a coalition that follows the rule. Rational participants can thus increase their gain from $0.39 c$ to $0.42 c$ . We thus achieve $ϵ$ -robustness with $ϵ = 0.42 / 0.39 = 1.077$ . This results will be confirmed by the simulations.

Immunity

We need to show that even in the case where a fraction $t$ of players behave completely irrationally, the outcome of the rest of the players stays unchanged. According to the utility functions, as defined in Section 6, there are three independant components to the utility function that an adversary could try to influence to harm altruistic players: (1) the $r w d$ term (2) the $p u n$ term and (3) the $b i g p u n$ term. To harm the honest player, an adversary could try: (1) preventing an honest players from contributing blocks to the main chain; (2)-(3) increasing the number of blocks from the honest players that gets punished by $p u n$ or $b i g p u n$ . The adversary cannot incur any $b i g p u n$ to the altruistic players since they cannot force them to ignore their own block, thus we only focus on case (1) and (2). To do (1) an adversary cannot indeed prevent players from creating blocks but once they produce it, they can try and create an alternative blockDAG so that the altruistic player’s block does not make it to the main chain. To do (2), the adversary could create an alternative blockDAG that does not reference altruistic players’ blocks to try and incur a punishment to their blocks. (According to the $L a b e l$ function defined in Section 6 a block gets a punishment if its anticone intersects the blue set for more than $k$ blocks and a block that has less connections to other blocks has a bigger anticone.) In both cases the Byzantine adversary harms a player the most when creating the biggest alternative blockDAG that does not reference altruistic players’ blocks.

(a) The length of the longest fork, in the presence of a coalition of Byzantine players.

To incur a punishment to the altruistic players Byzantine players need to create a subDAG of more than $k$ blocks on their own, where $k$ is the interconnectivity paramater. Indeed if they do so then those $k$ blocks will be in the anticone of an altruistic player that contributed a block at that same time and will be labeled a loser according to the $L a b e l$ algorithm in Section 6.1. When choosing $k = 3$ and using similar probabilities as in Theorem 7.4, one can compute that the probability of creating a subDAG of more than 3 blocks is $(1 - p)^{n_{C}} + n_{C} * p * (1 - p)^{2 n_{C} - 1} + (\frac{n}{2}) p^{2} (1 - p)^{3 n_{C} - 2} + (n p (1 - p)^{n_{C} - 1})^{2} (1 - p)^{n_{C}} + (\frac{n_{C}}{3}) p^{3} (1 - p)^{4 n_{C} - 3} + (\frac{n_{C}}{2}) n_{C} p^{3} (1 - p)^{3 n_{C} - 2} + (\frac{n_{C}}{2}) 2 n_{C} p^{3} (1 - p)^{4 n_{C} - 3} + (n_{C} p (1 - p)^{(n_{C} - 1)})^{3} (1 - p)^{n_{C}}$ . An estimation of the previous probability gives 2.5% for an adversary that controls a third of the player.
This means that 2.5% of the blocks the adversary create can incur a punishment of $p u n$ to another player. Since on average two third of the players should contribute to two third of the blocks, we have that a third of Byzantine players will reduce the payoff of the other players from $67 \cdot c$ to $67 \cdot c - 2.5 \cdot p u n$ every hundred blocks. With our numerical value of $p u n = 6$ and $c = 1$ we have that the payoff of the other players is reduced by 67/52=1.29.

Betting on Blockchain Consensus with Fantomette

Authors

Related Research

Winning the Caucus Race: Continuous Leader Election via Public Randomness

Byzantine Generals in the Permissionless Setting

Delayed Blockchain Protocols

MobChain: Three-Way Collusion Resistance in Witness-Oriented Location Proof Systems Using Distributed Consensus

Grafana plugin for visualising vote based consensus mechanisms, and network P2P overlay networks

Be Aware of Your Leaders

StrongChain: Transparent and Collaborative Proof-of-Work Consensus

This week in AI

1. Introduction

Our contributions

2. Related

3. Background Definitions and Notation

3.1. Preliminaries

Definition 3.1 ().

3.2. Coin tossing and random beacons

Definition 3.2 ().

Definition 3.3 ().

Definition 3.4 ().

3.3. Blockchains

BlockDAGs

Proof-of-stake

3.4. Game-theoretic definitions

4. Modelling Blockchain Consensus

4.1. Assumptions

Types of players

4.2. A model for leader election

Definition 4.1 (Liveness).

Definition 4.2 (Unpredictability).

Definition 4.3 (Fairness).

4.3. Blockchain-based consensus

Definition 4.4 (Convergence).

Definition 4.5 (Chain quality).

Definition 4.6 (Robustness).

5. Caucus: A Leader Election Protocol

5.1. Our construction

5.2. Security

Lemma 5.1 ().

Proof.

Theorem 5.2 ().

Proof.

6. Fantômette: A Consensus Protocol

6.1. Protocol specification

Fork choice rule

Betting

Block validity

6.2. Incentives

Label

Utility functions

7. Security of Fantômette

7.1. Action Space

7.2. Security arguments

Claim 7.1 ().

Proof.

Theorem 7.2 (Finality).

Proof.

Theorem 7.3 (Convergence).

Proof.

Theorem 7.4 (Chain quality).

Proof.

Theorem 7.5 (Robustness).

Proof.

Resiliency

Immunity