1. Introduction
One of the central components of any distributed system is a consensus
protocol, by which the system’s participants can agree on its current
state and use that information to take various actions. Consensus protocols
have been studied for decades in the distributed systems literature, and
classical protocols such as Paxos (paxosmadesimple, ) and PBFT (pbft, ) have
emerged as “gold standards” of sorts, in terms of their ability to guarantee
the crucial properties of safety and liveness even in the face of faulty or
malicious nodes.
The setting of blockchains has renewed interest in consensus protocols,
due largely to two crucial new requirements:
scalability and incentivization. First, classical consensus
protocols were designed for a closed and relatively small set of participants,
whereas in open (or “permissionless”) blockchains the goal is to enable
anyone to join. This requires the design of new consensus protocols that can
both scale to handle a far greater number of participants, and also ones that
can address the question of Sybil attacks (sybil, ), due to the fact that
participants may no longer be well identified.
At heart, one of the biggest obstacles in scaling classical consensus
protocols is in scaling their underlying leader election protocol,
in which one participant or subset of participants is chosen to lead the
decisions around what information should get added to the ledger for a single
round (or set period of time). To elect a leader, participants must coordinate
amongst themselves by exchanging several rounds of messages. If a Sybil is
elected leader, this can result in the adversary gaining control over the
ledger, and if there are too many participants then the exchange of messages
needed to carry out the election may become prohibitively expensive.
Many recent proposals for blockchainbased consensus protocols focus on
solving this first requirement by presenting more scalable leader election
protocols (praos, ; algorand, ; snow, ; thunderella, ).
The second novel requirement of blockchains is the explicit economic
incentivization on behalf of participants. In contrast to classical
consensus protocols, where it is simply assumed that some set of nodes is
interested in coming to consensus, in Bitcoin this
incentivization is created through the use of block rewards and transaction
fees. Again, several recent proposals have worked to address this question of
incentives (ouroboros, ; fruitchains, ; spacemint, ; solidus, ; casper, ). Typically,
however, the
analysis of these proposals has focused on proving that following the protocol
is a Nash equilibrium (NE), which captures the case of rational players but not
ones that are Byzantine (i.e., fully malicious).
Indeed, despite these advances, one could argue that the only consensus
protocol to fully address both requirements is still the one underlying
Bitcoin, which is typically known as
Nakamoto or proofofwork (PoW)based consensus. This has in fact been proved
secure (Garay2015, ; blockchainasynchronous, ), but provides Sybil
resistance only by requiring enormous
amounts of computational power to be expended. As such, it has also been
heavily criticized for the large amount of electricity that it uses.
Furthermore, it has other subtle limitations; e.g., it does not achieve any
notion of fully deterministic finality and some attacks have been found on its
incentive scheme (optimalselfishmining, ; bitcoinwithoutblockreward, ).
Our contributions
In this paper, we propose Fantômette, a new blockchainbased consensus protocol
that fully incorporates an incentive design to prove security properties in a settings
that considers both rational and Byzantine adversaries.
Our
initial observation is that the PoWbased setting contains an implicit
investment on the part of the miners, in the form of the costs of hardware and
electricity. In moving away from PoW, this implicit investment no longer
exists, giving rise to new potential attacks due to the fact that
creating blocks is now costless. It is thus necessary to compensate by adding
explicit punishments into the protocol for participants who misbehave. This
is difficult to do in a regular blockchain setting. In particular,
blockchains do not reveal information about which other blocks miners may have
been aware of at the time they produced their block, so they cannot be
punished for making “wrong” choices. We thus move to the setting of
blockDAGs (spectre, ; phantom, ), which
induce a more complex forkchoice rule and expose more of the decisionmaking
process of participants.
Within this model, we are able to leverage the requirement that players must
place security deposits in advance of participating in the consensus
protocol to achieve two things. First, we can implement punishments by taking
away some of the security deposit, and thus incentivize rational
players to follow the protocol. Second, because this allows the players to
be identified, we can provide a decentralized checkpointing system,
which in turn allows us to achieve a notion of finality.
Along the way, we present in Section 5 a
leader election protocol, Caucus, that is specifically designed for open
blockchains, and that we prove secure in a model presented in
Section 4.
We then use Caucus as a component in the broader Fantômette consensus
protocol, which we present in Section 6 and argue for the
security of in Section 7. Here we rely on Caucus to address the
first requirement of scaling in blockchainbased consensus protocols, so can
focus almost entirely on the second requirement of incentivization.
In summary, we make the following concrete contributions:
(1) we present the design of a leader election
protocol, Caucus. In addition to provably satisfying more traditional
notions of security, Caucus has several “bonus” properties; e.g., it
ensures that leaders are revealed only when they take action, which prevents
them from being subject to the DoS attacks possible when their eligibility is
revealed ahead of time.
(2) we present the design and simulation of a full blockchainbased
consensus protocol, Fantômette, that provides a scheme for incentivization that
is robust against both rational and fully adaptive Byzantine adversaries.
Fantômette is compatible with proofofstake (PoS), but could also be
used for other “proofofX” settings with an appropriate leader election
protocol.
2. Related
The work that most closely resembles ours is the cryptographic literature on
proofofstake (PoS). We evaluate and compare each protocol along the two
requirements outlined in the introduction of scalability and incentivization.
Other nonacademic work proposes PoS
solutions (ppcoin, ; neucoin, ; tendermint, ), which is related to
Fantômette in terms of the recurrent theme of punishment in the case of
misbehavior.
In Ouroboros (ouroboros, ), the honest strategy is a Nash
equilibrium, which addresses the question of incentives. The leader election,
however, is based on a cointossing scheme that requires a relatively large
overhead. This is addressed in Ouroboros Praos (praos, ), which utilizes
the same incentive structure but better addresses the question of scalability
via a more efficient leader election protocol (requiring, as we do in
Caucus, only one broadcast message to prove eligibility). A recent
improvement, Ouroboros Genesis (ouroborosgenesis, ), allows for dynamic
availability; i.e., allows offline parties to safely bootstrap the blockchain
when they come back online.
A comparable protocol is Algorand (algorand, ), which proposes
a scalable Byzantine agreement protocol and the use of a “cryptographic
sortition” leader election protocol, which resembles Caucus. They do not
address the question of incentives.
In Snow White (snow, ), the incentive structure is based on
that of Fruitchains (fruitchains, ), where honest mining is a
NE resilient to coalitions. The incentive structure of
Thunderella (thunderella, ) is also based on Fruitchains, but is PoWbased.
Casper (casperecon, ) is still work in progress, so it is difficult to say
how well it addresses scalability. On the topic of incentivization, it
proposes that following that protocol should be a Nash equilibrium
and that an attacker should lose more in an attack than the victims
of the attack.
A closely related recent paper is HotStuff (hotstuff, ), which
proposes a PBFTstyle consensus protocol that operates in an asynchronous
model. Again, this paper does not address incentivization.
Among other types of consensus protocols, there are several that do closely
consider the topic of incentivization. The first version of
Solidus (solidus, ), which is a consensus protocol based on PoW, provides
a robust equilibrium for any
, although they leave a rigorous proof of this for future work.
SpaceMint (spacemint, ) is a cryptocurrency based on proofofspace, and
they prove that following the protocol is a Nash equilibrium.
In terms of protocols based on PoW, SPECTRE (spectre, ) introduced the
notion of a blockDAG, which was further refined by PHANTOM (phantom, ).
Our Fantômette protocol is inspired by PHANTOM (although translated to a nonPoW
setting), and in particular we leverage the notion of connectivity of blocks
induced by blockDAGs.
Avalanche (avalanche, ), a recent proposal also relying on blockDAG, but in the
context of PoS, recently appeared.
They propose a PBFTstyle
consensus protocol that achieves for some , and is thus more expensive than
Caucus that requires a single message broadcast.
They do not consider the question of incentives.
In terms of economic analyses, Kroll et al. (Kroll_theeconomics, )
studied the economics of PoW and showed that following the protocol is a NE.
Badertscher et al (butwhy, ) analyze Bitcoin in the Rational
Protocol Design setting.
The “selfish mining” series of
attacks (eyal2015minersDilemma, ; verifierdilemma, ; optimalselfishmining, )
show that the incentive structure of Nakamoto consensus is vulnerable.
Carlsten et al. (bitcoinwithoutblockreward, ) also consider an attack on
the incentives in Bitcoin, in the case in which there are no block rewards.
Recently, Gaži et al. (stakebleeding, ) proposed an attack on
PoS protocols that we address here.
Beyond the blockchain setting, Halpern (beyond, )
presents new perspectives from game theory that go beyond Nash equilibria in terms of analyzing incentive structures. One of this concept comes from Abraham et al.
(distributedcomputinggametheory, ), which we use in Section 3.4.To summarize, most existing proposals for nonPoW blockchain consensus protocols provide a basic gametheoretic analysis, using techniques like Nash equilibria, but do not consider more advanced economic analyses that tolerate coalitions or the presence of Byzantine adversaries. Fantômette is thus the first one to place incentivization at the core of its security. In terms of scalability, our protocol is again different as it is not based on a BFTstyle algorithm, but is rather inspired by Nakamoto consensus (leveraging its economic element).
3. Background Definitions and Notation
In this section, we present the underlying definitions we rely on in the rest of the paper. We begin (Sections 3.13.2) with the cryptographic notation and primitives necessary for our leader election protocol, Caucus.
3.1. Preliminaries
If is a
finite set then denotes its size and denotes sampling a
member uniformly from and assigning it to . denotes the
security parameter and denotes its unary representation.
Algorithms are randomized unless explicitly noted otherwise. PT stands
for polynomial time. By we denote running
algorithm on inputs and random coins and assigning
its output to . By we denote for sampled uniformly at random. By
we denote the set of values that have nonzero probability of being output by
on inputs . Adversaries are algorithms. We denote noninteractive algorithms using the font , and denote interactive protocols using the font . We further denote such protocols as , where the th entry of (respectively, ) is used to denote the input to (respectively, output of) the th participant.We say that two probability ensembles and are statistically close over a domain if is negligible; we denote this as . Verifiable Random Functions (VRF), first introduced by Micali et al. (verifiablerandomfunctions, ), generate a pseudorandom number in a publicly verifiable way. Formally, a VRF is defined as follows:
Definition 3.1 ().
A VRF consists in three polynomialtime algorithm that works as follows: (1) outputs a key pair ; (2) outputs a pair ; (3) verifies that using . An VRF satisfies correctness if:

if then

for every there is a unique such that

it verifies pseudorandomness: for any PPT algorithm :
3.2. Coin tossing and random beacons
Coin tossing is closely related to leader election (collectivecoinflipping, ), and allows two or more parties to agree on a single or many random bits (blumcointossing, ; collectivecoinflipping, ; EPRINT:Popov16, ); i.e., to output a value that is statistically close to random. A cointossing protocol must satisfy liveness, unpredictability, and unbiasability (randhound, ), where we define these (in keeping with our definitions for leader election in Section 4) as follows:
Definition 3.2 ().
Let be the fraction of participants controlled by an adversary . Then a cointossing protocol satisfies liveness if it is still possible to agree on a random value even in the face of such an .
Definition 3.3 ().
A cointossing protocol satisfies unpredictability if, prior to some step in the protocol, no PT adversary can produce better than a random guess at the value of .
Definition 3.4 ().
A cointossing protocol is unbiasable if for all PT adversaries controlling an fraction of participants, the output
is still statistically close to a uniformly distributed random string.
A concept related to coin tossing is random beacons. These were first introduced by Rabin (rab81, ) as a service for “emitting at regularly spaced time intervals, randomly chosen integers”. To extend the above definitions to random beacons, as inspired by (EPRINT:BonClaGol15, ), we require that the properties of liveness and unbiasability apply for each iteration of the beacon, or round. We also require that the in the unpredictability definition is at least the beginning of each round.
3.3. Blockchains
Distributed ledgers, or blockchains, have become increasingly popular ever since Bitcoin was first proposed by Satoshi Nakamoto in 2008 (satoshibitcoin, ). Briefly, individual Bitcoin users wishing to pay other users broadcast transactions to a global peertopeer network, and the peers responsible for participating in Bitcoin’s consensus protocol (i.e., for deciding on a canonical ordering of transactions) are known as miners. Miners form blocks, which contain (among other things that we ignore for ease of exposition) the transactions collected since the previous block was mined, which we denote , a pointer to the previous block hash , and a proofofwork (PoW). This PoW is the solution to a computational puzzle. If future miners choose to include this block by incorporating its hash into their own PoW then it becomes part of the global blockchain. A fork is created if two miners find a block at the same time. Bitcoin follows the longest chain rule, meaning that whichever fork creates the longest chain is the one that is considered valid.
BlockDAGs
As the name suggests, a blockchain is a chain of blocks, with each block referring to only one previous block. In contrast, a blockDAG (spectre, ; phantom, ), is a directed acyclic graph (DAG) of blocks. In our paper (which slightly adapts the original definitions), every block still specifies a single parent block, but can also reference other recent blocks of which it is aware. These are referred to as leaf blocks, as they are leaves in the tree (also sometimes referred as the tips of the chain), and are denoted . Blocks thus have the form where is the parent block, is a list of previous leaf blocks, is a proof of some type of eligibility (e.g., a PoW), and is the transactions contained within the block. We denote by the participant that created block . In addition, we define the following notation:

[leftmargin=0.2cm]

denotes a DAG, the DAG according to a participant , and the space of all possible DAGs.

In a block, is a direct parent of , and denotes the set of all blocks that are parents of , either directly or indirectly.

A chain is a set of blocks such that there exists one block for which .

denotes the subDAG consisting of all the blocks that references directly or indirectly.

denotes the set of blocks that directly reference (i.e., that include it in ).

denotes the set of blocks such that and .

denotes the distance between two blocks in the DAG.

The biggest common prefix DAG () is the biggest subDAG that is agreed upon by more than 50% of the players.
For example, if we consider the blockDAG in Figure 1, we have that and forms a chain. We also have that , , , and .
Proofofstake
By its nature, PoW consumes a lot of energy. Thus, some alternative consensus
protocols have been proposed that are more costeffective;
arguably the most popular of these is called proofofstake
(PoS) (posforum, ; ppcoin, ; casper, ). If
we consider PoW to be a leader election protocol in which the leader (i.e.,
the miner with the valid block) is selected in proportion to their amount of
computational power, then PoS can be seen as a leader election protocol in
which the leader (i.e., the participant who is eligible to propose a
new block) is selected in proportion to some “stake” they have in the
system (e.g. the amount of coins they have).
As security no longer stems from the fact that it is expensive to create a
block, PoS poses several technical challenges (interactivepos, ). The
main three are as follows: first, the nothing at stake problem says
that miners have no reason to not mine on top of every chain, since mining is
costless, so it is more difficult to reach consensus. This is an issue of
incentives that, as we present in Section 6, Fantômette aims to solve. We do so by giving rewards to players that follow the protocol
and punishing players who mine on concurrent chains.
Second, PoS allows for grinding attacks (interactivepos, ), in
which once a miner is
elected leader they privately iterate through many valid blocks (again,
because mining is costless) in an attempt to find one that may give them an
unfair advantage in the future (e.g., make them more likely to be elected
leader). This is an issue that we encounter in Section 5
and address using an unbiasable source of randomness.
Finally, in a longrange attack, an attacker may bribe miners into
selling their old private keys, which would allow them to rewrite the entire
history of the blockchain. Such a “stakebleeding”
attack (stakebleeding, )
can be launched against PoS protocols that adopt a standard longest chain rule and do not have some form of checkpointing. We solve this problem in Fantômette by adding a notion of finality, in the form of decentralized checkpointing.
3.4. Gametheoretic definitions
In gametheoretic terms, we consider the consensus protocol as
a game in infinite extensiveform with imperfect
information (econnotes, ), where the utilities
depend on the state of the blockDAG.
A blockchainconsensus game theoretically has an infinite horizon, but here
we consider a finite horizon of some length unknown to the players.
Following our model
(which we present in Section 4), we assume that at
each node in the game tree player is in some local state that includes
their view of the blockDAG and some private information.
Following Abraham et al. (distributedcomputinggametheory, ),
we
consider the following framework. With each run of the game that results in a
blockDAG , we associate some utility with player , denoted
. A strategy for player is a (possibly randomized)
function from ’s local state to some set of actions, and tells the player
what to do at each step.
A joint strategy is a Nash equilibrium if no player can
gain any advantage by using a different strategy, given that
all the other players do not change their strategies.
An extension of Nash equilibria is coalitionproof Nash
equilibria (distributedcomputinggametheory, ).
A strategy is resilient if a coalition of up to a fraction of players cannot increase their
utility function by deviating from the strategy, given that other players follow the strategy.
A strategy is immune if, even when a group that comprises a fraction of the players
deviate arbitrarily from the protocol, the payoff of the nondeviating players
is greater than or equal to their payoff in the case where these players do not
deviate.
A strategy is a robust equilibrium if it is a resilient
and immune equilibrium.
Similarly, in an robust equilibrium, players
cannot increase their utility by more than by deviating from the
protocol or decrease their utility by more than in the
presence of a fraction of irrational players.
In addition to the players, we assume there exist some other agents that do
not participate in the game but still maintain a view of the blockDAG. These
passive agents represent full node, and will not accept blocks that are
clearly invalid. The existence of these agents allows us to
assume in Section 7 that even adversarial players must
create valid blocks.
4. Modelling Blockchain Consensus
We present in this section a model for blockchainbased consensus, run amongst a set of participants (also called players) . A block is considered to be a bet on its ancestors . After introducing the assumptions we make about participants, we present a model for leader election, which is used to determine which participants are eligible to create a block. We then present a model for overall blockchainbased consensus, along with its associated security notions.
4.1. Assumptions
We consider a semisynchronous model (Dwork:1988, ) where time is divided in units called slots, and each message is delivered within a maximum delay of slots (for unknown to participants). We assume that all players form a wellconnected network, in a way similar to Bitcoin, where they can broadcast a message to their peers, and that communication comes “for free.”
Types of players
We follow the BAR model (barmodel, ), which
means players are either (1) Byzantine, meaning that they behave in an
arbitrary way; (2) altruistic, meaning that they follow the protocol; or
(3) rational, meaning that they act to maximize their expected utility.
We use to denote the respective fractions of
Byzantine, altruistic and rational players.
Previous research has shown that altruistic behavior is indeed
observed in realworld systems (like Tor or
torrenting) (distributedcomputinggametheory, ), so is reasonable to
consider.
In addition to these types, as stated in Section 3.4 we
also consider passive participants.
They represent the users of a currency who keep a copy of the blockchain and
passively verify
every block (i.e., the
full nodes).
They will not explicitly appear in the
protocol, rather we assume that they “force” the creation of valid blocks as we explain
in Section 7, since if the chain includes invalid blocks or other obvious forms of misbehavior
they will simply abandon or fork the currency.
When we say participant or player,
we now mean active player unless specified otherwise.
We consider a semipermissionless setting, meaning that everyone is allowed to
join the protocol but they have to place a security deposit locking some
of their funds to do so; if they wish to leave the protocol, then they must
wait some period of time before they can access these funds again.
This allows us to keep the openness of decentralization while preventing Sybils.
Moreover we consider a flatmodel meaning that one participants
account for one unit of stake. Thus saying twothird of participants
is equivalent to saying participants that together own twothird of the stake that is in deposit.
Most of the paper makes the assumptions of dynamic committee
where participants can leave and join as explained above. However,
to consider a notion of finality, we will need to strengthen this assumption.
We will detail these assumptions in Section 6,
but briefly we will allow for a reconfiguration period, and assume
that outside of this period the set of participants is fixed.
4.2. A model for leader election
Most of the consensus protocols in the distributed systems literature
are leaderbased, as it is the optimal solution in term of
coordination (leaderlessconsensus, ). Perhaps as a result, leader
election has in general been very well studied within the distributed systems
community (saksleaderelection, ; russelleaderelection, ; feigeleaderelection, ; orvleaderelection, ; kingleaderelection, ).
Nevertheless, to the best of our knowledge the problem of leader election has
not been given an extensive securityfocused treatment, so in
this section we provide a threat model in which we consider a variety of
adversarial behavior.
Each participant maintains some private state
, and their view of the
public state . For ease of exposition, we assume each
includes the public state . We refer to a
message sent by a participant as a transaction, denoted , where
this transaction can either be broadcast to other participants (as in a more
classical consensus protocol) or committed to a public blockchain.
Our model
consists of three algorithms
and one interactive protocol, which behave as follows:

[itemsep=1pt,leftmargin=0.2cm]
 :

is used by a participant to commit themselves to participating in the leader election. This involves establishing both an initial private state and a public announcement .
 :

is run amongst the committed participants, each of whom is given and their own private state , in order to update both the public state and their own private states to prepare the leader election for round .
 :

is used by a participant to broadcast a proof of their eligibility for round (or if they are not eligible).
 :

is used by a participant to verify a claim .
We would like a leader election protocol to achieve three security properties:
liveness, unpredictability, and fairness. The first
property maps to the established property of liveness for
classical consensus protocols, although as we see below we consider several
different flavors of unpredictability that are specific to the
blockchainbased setting. The final one, fairness (related to
chain quality (Garay2015, )), is especially important in open
protocols like blockchains, in which participation must be explicitly
incentivized rather than assumed.
We begin by defining liveness, which requires that consensus can be achieved
even if some fraction of participants are malicious or inactive.
Definition 4.1 (Liveness).
Let be the fraction of participants controlled by an adversary . Then a leader election protocol satisfies liveness if it is still possible to elect a leader even in the face of such an ; i.e., if for every public state that has been produced via with the possible participation of , it is still possible for at least one participant, in a round , to output a value such that .
Unpredictability requires that participants cannot predict which participants will be elected leader before some time.
Definition 4.2 (Unpredictability).
A leader election protocol satisfies unpredictability if, prior to some step in the protocol, no PT adversary can produce better than a random guess at whether or not a given participant will be eligible for round , except with negligible probability. If is the step in which a participant broadcasts , and we require to guess only about the eligibility of honest participants (rather than participants they control), then we say it satisfies delayed unpredictability. If it is still difficult for to guess even about their own eligibility, we say it satisfies private unpredictability.
Most consensus protocols satisfy only the regular variant of unpredictability
we define, where is the point at which the interaction is
“ready” for round (e.g., the participants have completed a
cointossing). This typically occurs
at the start of the round, but may also occur several rounds beforehand.
If an adversary is aware of the eligibility of other participants ahead of
time, then it may be able to target these specific participants for a
denialofservice (DoS) attack, which makes achieving liveness more difficult.
This also helps to obtain security against a fully adaptive adversary that is able to
dynamically update the set of participants it is corrupting. (Since they
do not know in advance which participants to corrupt to gain an advantage.)
A protocol that satisfies delayed
unpredictability solves this issue, however, as participants reveal their
own eligibility only when they choose to do so, by which point it may be too
late for the adversary to do anything. (For example, in a proofofstake
protocol, if participants include proofs of eligibility only in the blocks
they propose, then by the time the leader is known the adversary has nothing
to gain by targeting them for a DoS attack. Similarly, an adversary cannot know
which participants to corrupt in advance because it does not know if they will
be eligible.)
A protocol that satisfies private unpredictability, in contrast, is able to
prevent an adversary from inflating their own role as a leader. For
example, if an adversary can predict many rounds into the future what their
own eligibility will be, they may attempt to bias the protocol in their favor
by grinding through the problem space in order to produce an
initial commitment that yields good future results.
Private unpredictability thus helps to guarantee fairness, which we define as
requiring that each committed participant is selected as leader equally often.
While for the sake of simplicity our definition considers equal weighting of
participants, it can easily be extended to consider participants with respect
to some other distribution (e.g., in a proofofstake application, participants
may be selected as leader in proportion to their represented “stake” in the
system).
Definition 4.3 (Fairness).
A leader election protocol is fair if for all PT adversaries the probability that is selected as leader is nearly uniform; i.e., for all , , (where again has been produced by with the possible participation of ), and created by ,
4.3. Blockchainbased consensus
As with leader election, each participant maintains some private state and some view of the public state . We consider the following set of algorithms run by participants:

[itemsep=1pt,leftmargin=0.2cm]
 :

is used to establish the initial state: a public view of the blockchain (that is the same for every player) and their private state. This includes the phase of the leader election protocol.
 :

is run by each participant to determine if they are eligible to place a bet on a block . If so, the algorithm outputs a proof (and if not it outputs ), that other participants can verify using . The algorithm is the same as the one used in the leader election protocol, where =.
 :

is used to create a new block and bet on some previous block.
 :

defines the forkchoice rule that dictates which block altruistic players should bet on. To do so, it gives an explicit score to different chains, and chooses the tip of the chain with the biggest score.
 :

determines whether or not a block is valid, according to the current state of the blockDAG.
 :

defines a function that takes a view of the blockDAG and associates with every block a label in . This is crucial for incentivization, and is used to determine the reward that will be associated with every block. With each map , and player , we associate a utility function that takes as input a blockDAG and outputs the utility of player for that blockDAG. We will write if the label function is clear from context. The list of winning blocks constitutes a chain, which we call the main chain. Every chain of blocks that is not the main chain is called a fork.
We would like a blockchain consensus protocol to satisfy a few
security properties. Unlike with leader election, these have been carefully
considered in the cryptographic
literature (Garay2015, ; blockchainasynchronous, ).
As defined by Pass et al. (blockchainasynchronous, ), there are four
desirable properties of blockchain consensus protocols:
consistency, future selfconsistency, chain growth, and chain quality.
Chain growth (Garay2015, ) corresponds to the concept of liveness in
distributed systems, and says the chain maintained by honest players
grows with time.
Consistency (also called common prefix (Garay2015, )) and future
selfconsistency both capture the notion of safety traditionally used
in the distributed systems literature. Consistency states
that any two honest players should agree on their view of the chain
except for the last blocks, and future selfconsistency states that a
player and their “future self” agree on their view of the chain except for
the last blocks (the idea being that a player’s chain will not change
drastically over time).
In our paper, we consider not just a blockchainbased
consensus protocol, but in fact one based on a blockDAG. Participants thus do
not keep only the longest chain, but all the blocks they receive, which makes
it difficult to use these definitions as is. Instead, we use the notion of
convergence,which states that
after some time,
player converges towards a chain, meaning that no two altruistic players
diverge on their view of the main chain except perhaps for the last blocks,
and that a block that is in the main chain at some time
will still be in the main chain for any time .
We also ask that this condition holds for a chain of any length, thus capturing
the chain growth (or liveness) in the same definition.
More formally we define convergence as follows:
Definition 4.4 (Convergence).
For every , there exists a chain of length and time such that: for all altruistic players and time : , except with negligible propability, where denotes the main chain of at time .
Chain quality (Garay2015, ) corresponds to the notion of fairness, and says that honest players contribute some meaningful fraction of all blocks in the chain.
Definition 4.5 (Chain quality).
Chain quality, parameterized by , says that an adversary controlling a fraction of nonaltruistic players can contribute at most a fraction of the blocks in the main chain.
Finally, we define a relatively unexplored property in blockchain consensus, robustness, that explicitly captures the incentivization mechanism. The security notion is not considered by any consensus protocols (except (solidus, ) that states that they leave the proof for future work) and is paramount to capture the security of systems where incentives are at the core.
Definition 4.6 (Robustness).
A protocol is robust if given some fractions of BAR players, following the protocol is a robust equilibrium.
5. Caucus: A Leader Election Protocol
In this section, we present Caucus, a leader election protocol with minimal coordination that satisfies fairness, liveness, and strong notions of unpredictability.
5.1. Our construction
The full Caucus protocol is summarized in Figure 2.
Our construction is similar to that of Algorand (algorand, ).
We, however, add a secure initialization of the random beacon and use Verifiable
Random Delays to achieve liveness.
We assume participants have generated signing
keypairs and are aware of the public key associated with each
other participant (which can easily be achieved at the time participants
run ). We omit the process of generating keys from our formal
descriptions.
To to be considered as potential leaders, participants must place a
security deposit, which involves creating a commitment to their
VRF secret key.
This means the function runs and returns the
VRF secret key as the private state of the participant and the VRF public key
(incorporated into a transaction) as the transaction to add to a list of
commitments in the public state.
In the first round, participants must interact to establish a shared random
value. This can be done by running a cointossing protocol
to generate a random value . We suggest using
SCRAPE (scrape, ), due to its low
computational complexity and compatibility with public ledgers. Any solution
that instantiates a publicly verifiable secret sharing (PVSS) scheme, however,
would also be suitable. The only requirement that we have is that the PVSS
should output a value that is of the same type as the value output by the VRF function G.
For each subsequent round, participants then verify whether or not they
are eligible to fold their randomness into the global value by
checking if , where the value of depends on the number of
expected leaders per round (for example, we choose
in order to have on expectation one leader per round).
If this
holds, then they reveal
and to the other participants, who can
verify that the inequality holds and that .
If the participant is in fact eligible,
then they are deemed to be the leader for that round and the global
randomness is updated as .
To fully achieve security, we describe two necessary alterations to the basic
protocol as presented thus far. First, in order to maintain unpredictability,
participants should become eligible only after some fixed number of
rounds have passed since they ran . This means updating to
also check that
(where is the
round in which the participant broadcast and is the required
number of interim rounds).
This has the effect that an adversary
controlling participants cannot privately predict that they will be
elected leader for a few rounds and then grind through potential new secret key
values to continue their advantage via new commitments, as the probability
will be sufficiently high that at least one honest participant will be elected
leader between the time they commit and the time they participate.
Second, it could be the case that in some round, no participant is elected
leader. It could also be the case that an adversary is the only elected leader
and does not reveal their proof of eligibility and abort.
To maintain liveness, we alter the protocol so that if no participant
reveals , we “update” the random beacon
as , where is a
deterministic function that acts as a
proofofdelay (proofofdelay, ; vdf, ).
The simplest example of such a
function is ; i.e., a hash function iterated times.
When a honest player is not eligible on the winning block,
they start computing the proofofdelay and if by the time it is computed
no leader has been revealed, they check their eligibility with
the updated beacon .
One can think of this as
redrawing the lottery after some delay.
This allows
participants to continue the protocol (and, since it is purely deterministic,
is different from proofofwork), but has the downside that verification is
also costly, as it requires participants to recompute the hashes.
Bünz et al. recently proposed an efficient Verifiable Random Delay
function (vdf, ) that can be efficiently and publicly verified yet requires
sequential steps to compute.
This
proofofdelay should be used sparingly so we consider it
acceptable that it is expensive.
Moreover we make the assumptions that the time that it takes
to compute the proofofdelay is bigger than the parameter
of our semisynchronous model.
It could also be the
case, however, that there are two or more winners in a round. In a setting such as proofofstake, being
elected leader comes with a financial reward, and conflicts may arise if two
winners are elected (such as the nothingatstake problem discussed in
Section 3.3). One potential solution (also suggested by
Algorand (algorand, )) for electing a single leader is to
require all participants to submit their
winning values and then select
as the winner the participant whose preimage has the lowest bit
value. This problem is investigated further in Section 6,
where we present the full Fantômette protocol.
Finally, we describe a third, optional alteration designed to improve
fairness by forcing more rotation amongst the leaders. To be
elected, we require that a participant has not acted as leader in the past
rounds, which can be implemented by adding a condition in the
function and using in place of
in the computation of the value .
5.2. Security
In order to prove the security of Caucus as a whole, we first prove the security of its implicit random beacon.
Lemma 5.1 ().
Proof.
For liveness, we observe that after initialization, no coordination
is required, so any online participant can communicate their own eligibility
to other online participants, allowing them to compute the new random value.
The exception is the case where no participant is elected leader, in which case participants can update their random value by
until a leader reveals themselves.
For unpredictability, we must show that, unless the adversary is
itself the next leader, it is hard to learn the value of
before it receives . We have
,
where is assumed to be known. In the protocol,
the adversary sees as part
of the commitment of the relevant honest participant, and if that participant
has run before it may have also seen
for . If the adversary could produce better than a random guess about
then they would also produce better than a random guess about
which contradicts its pseudorandomness.
For unbiasability, we proceed inductively. By assumption, is
initialized in a fair way, which establishes the base case. Now, we assume
that is uniformly distributed, and
would like to show that will be as well. By the
assumption that is unpredictable, and
thus unknown at the time an adversary commits to their secret key, the distribution
of and is thus independent. (As the adversary cannot
grind through private keys since they do not know at the
time they commit and G verifies unicity.)
If we define a value , and
denote , then we have
which we know to be uniformly random by assumption, thus for every , we have and for every value , , proving the fairness of . (Here denotes the bitlength of .) An adversary controlling many winning values for , however, may decide on the one they reveal, which makes it difficult to argue for unbiasability when the adversary controls many players. This is a limitation of Caucus that we address (or at least quantify) in our analysis of Fantômette in Section 7.
∎
Theorem 5.2 ().
If is a random oracle and is initialized as a uniformly random value, then Caucus is a secure leader election protocol; i.e., it satisfies liveness, fairness, delayed unpredictability (where is the step at which the elected leader reveals their proof), and private unpredictability (where is the step at which the randomness is fixed).
Proof.
For liveness, a participant is elected if they broadcast a valid transaction
such that . If
satisfies liveness then an adversary controlling participants
cannot prevent honest participants from agreeing on .
In the case where no participants produce a value such that
, we update the value of as
described above until one participant is elected. With a similar argument as
in the proof of Theorem 5.1, the protocol thus achieves liveness.
For fairness, a participant wins if . By the assumption that is unpredictable, and
unknown at the time an adversary commits to their secret, we have that
an adversary could not have grind through secret keys to bias .
Combining this with the assumption that
is unbiasable and thus uniformly distributed, we can argue that
is uniformly distributed. This implies that the
probability that the winning condition holds is also uniformly random, as
desired.
The argument for delayed unpredictability is almost identical to the
one in the proof of
Theorem 5.1: even when is known, if
has not formed itself then by the pseudorandomness of G
it cannot predict whether .
(If it could then the adversary could use that to distinguish
from random with an advantage.)
Finally, private unpredictability follows from the unpredictability of
.
In terms of the fraction of malicious participants that we
can tolerate, it is , where is the threshold of the PVSS scheme
used to initialize the random beacon.
In the context of proofofstake,
however, we would still need to assume an honest majority. We investigate this
in the next section, where we present the full Fantômette protocol. ∎
Even if the initial value was some constant instead of a randomly generated one, we could still argue that the protocol is fair after the point that the randomness of at least one honest participant is incorporated into the beacon. This assumption is weakened the longer the beacon is live, so works especially well in settings where the leader election protocol is used to bootstrap from one form of consensus (e.g., PoW) to another (e.g., PoS), as discussed for Ethereum (casper, ).
6. Fantômette: A Consensus Protocol
In this section, we present Fantômette, our full blockchain consensus protocol.
Our focus is on incentives, and in particular on enforcing good behavior even
in settings where no natural incentives or investments exist already.
Briefly, Fantômette works as follows: participants bet on the block that has the
strongest score, according to their view of the blockDAG. They also
reference all the leaves (i.e., the most recent blocks) of which they are
aware, to “prove” that they are well connected and following the rules. A
block is valid if among all of its references, it is indeed betting on the
one with the higher score.
We argue for its security more extensively in the next section, but give here
some intuition for how it addresses the challenges presented in the PoS
setting introduced in Section 3.3. First, Fantômette solves the
nothingatstake problem by strongly punishing players who do not reference
their own blocks, and ensuring that players bet only on the strongest chain
they see. As it is not possible for two chains to appear as the strongest at
the same time, this prevents players from betting on multiple chains.
The grinding attack is prevented largely due to the unbiasability of the
random beacon in Caucus, and the optional requirement that leaders must
rotate with sufficient frequency discussed at the end of
Section 5.1.
Finally, longrange attacks are thwarted by Fantômette’s finality rule, which
acts as a form of decentralized checkpointing.
6.1. Protocol specification
We specify how to instantiate the algorithms required for a
consensus protocol specified in Section 4.3. The
and algorithms are as described for Caucus in
Section 5. Before presenting the rest of the algorithms, we
give some additional definitions associated with finality in blockDAGs.
In order to make the following definitions, we assume a static set of
players. We then present how to handle a dynamic set.
Let’s also recall that thanks to the deposit, the set of players is known to everyone.
A candidate block is a block, as its name suggests, that is a
candidate for finality. The initial list of candidate blocks consists of
every block betting on the genesis block; i.e., every block that uses
this as its parent .
Whenever a block has in its past twothirds of bets on a candidate,
this block acts as a witness to the
finality of that block, so is called a witness block. If a block is a
witness for and is a witness for , we say that
is a second witness of . Finally, candidate blocks
belong to a given rank, which we denote by . The first set of
candidate blocks (after the genesis block) belong to .
After this
every block that bets on a second witness block of rank
and has a distance of with this block is a candidate for rank
.
The above process constitutes a decentralized checkpointing.
Using the sample blockDAG in Figure 1, for example, and
assuming three players and , the initial list of
candidate blocks is (which all have rank ). Block
then bets on , as does
block (since is an ancestor of ), so can be considered
as a witness block for . Similarly, acts as a witness block for
. Since this now constitutes twothirds of the participants, and
become justified (casper, ). If in turn twothirds of participants
place bets on the associated witness blocks, then the justified block becomes
finalized. With , the second witness blocks are added to the candidate list accordingly,
but at rank .
In order to handle a dynamic set of players,
once a block is finalized (i.e. once there exists
at least one second witness block)
we allow for a window
of blocks for the players to leave or join the protocol.
At the end of this period, the set of players is fixed and the decentralized
checkpointing resumes with as new candidate blocks, all blocks that have a distance
with a second witness block for rank .
We leave as important future work a solution that would allow players
to leave and join the protocol even during the checkpointing period.
Fork choice rule
We present a formal specification of our fork choice rule in Algorithm 1. Intuitively, the algorithm chooses blocks with more connections to other blocks. Accordingly, we compute the score of a leaf block by counting the number of outgoing references for every block in its past. We do not count, however, blocks that have been created by an adversary using the same eligibility proof multiple times. We denote as the set of all blocks that contains the same proof of eligibility but different content. The score of a chain whose tip is is then the number of edges in the subgraph induced by , and we pick as a “winner” the leaf with the highest score. If there is a tie (i.e., two leaf blocks have the same score), we break it by using the block with the smallest hash.^{1}^{1}1It is important, to avoid grinding attacks, to use the hash as defined in Caucus, or something else similarly unbiasable.
Betting
To place a bet, a participant first identifies the latest winning block as . They then check their latest second witness block (if they have one) and verify that at least one candidate block associated with it is also in (i.e. they verify that the block was not created maliciously as part of a long range attack). They then check to see if they are eligible to act as a leader by computing . If they are (i.e., if ), then they form a block with as the parent, with all other blocks of which they are aware as the leaf blocks, and with their proof of eligibility and set of transactions.
Block validity
We now define the rules that make a block valid; i.e., the checks performed by . Intuitively, a valid block must be betting on the block chosen by the forkchoice rule, and its creator must be eligible to bet on that block. If a player is aware of a justified block, then they must bet on either that block or another witness block, but cannot prefer a nonjustified block to a justified one.
More formally, a new block is valid only if the following hold:

[leftmargin=0.2cm]

It is betting on the block chosen by the fork choice rule for the blocks of which it is aware; i.e., .

The creator is eligible to bet: .

If it references a witness block then it is betting on a witness block; i.e., if there exists a witness block in then there exists a witness block in .

If it references a second witness block, then it is betting on a block in the past of that block: if there exists a second witness block , then .
6.2. Incentives
Label
We present a formal specification of our label function in Algorithm 2. Intuitively, if a block is chosen by the it is labelled winner and so are all of its ancestors. Blocks that bet on winners are labeled neutral. Following the techniques in PHANTOM (phantom, ), all winning and neutral blocks form a subset of the DAG called the blue subset and denoted by . Every block whose anticone intersects with fewer than blocks in the blue set is labeled neutral, and otherwise it is labeled loser. The parameter is called the interconnectivity parameter, and means that a block is allowed to be “unaware” of winning blocks, but not more (as, e.g., these blocks may have been created at roughly the same time).
Utility functions
At the end of the game, which we define to be of length , as defined
in Section 4, we take the and apply the function to it,
in order to associate each block with a state.
For every winning block that a player has added to the , they win a
reward of , and for every losing block they lose .
In addition, if a player creates a block that does not reference one of
their own blocks, we add a bigger punishment (for example,
blocks that belong to the set defined previously
will add this punishment). This punishment is
bigger because a player is obviously aware of all their own blocks, so if they
do not reference one it is an obvious form of misbehavior (whereas a block
might end up being labelled a loser for other reasons).
More formally, we define the following utility function:
(1) 
where and
The reward function is proportional to the connectivity of a block; i.e., a block
that references many blocks receives
more than a block that references only one other block.
The reason is that we want to incentivize players to exchange
blocks between each other, rather than produce blocks privately (as in a
selfish mining attack).
In this paper we
consider a simple function for some constant
, and treat and as constants. We leave the study of more
complex reward and punishment mechanisms as interesting
future work.
One of the difficulties of dealing with blockchainbased consensus, compared to
traditional protocols, is that the enforcement of the payoff is achieved only
by consensus; i.e., the utilities depend on whether or not enough players
enforce them. In order to enforce the payoff, we thus assume that participants
can give a reward to themselves in forming their blocks (similarly to Bitcoin),
but that evidence of fraud can be submitted by other players.
If another player submits evidence of fraud, the subsequent punishment
is taken from the security deposit of the cheating player.
7. Security of Fantômette
In this section, we show that Fantômette is secure, according to the model in Section 4. We support our proofs with a simulation of the protocol as a game played between Byzantine, altruistic, and rational players in Section 7.3.
7.1. Action Space
We discuss the different strategies available to
a coalition of players, whether Byzantine or rational. They
can take any deviation possible from the game. We do assume,
however, that they create valid blocks, as otherwise passive players will
simply ignore their chains (as discussed in Section 4).
If an adversary withholds their blocks, it can gain an advantage in
subsequent leader elections. To see this, consider that after each block
each player has a probability of being elected leader. Being a leader
does not guarantee a winning block, however, as only the block with the
smallest hash wins. For each block, the number of subsequent players
that are elected leader follows a binomial distribution parameterized by
and . Assuming the leader election is secure, each of these leaders is equally likely to have the winning block, so each player has probability of being the winner. By not revealing a block, this probability goes up to (since other players are simply not aware of it), so by keeping their chain private an adversary can raise their chance of having a winning block. We thus assume that both Byzantine and rational players withhold their blocks and grind through all possible subsequent blocks in order to maximize their advantage.In terms of the space that players grind through, the main option they have when elected leader is whether to place a bet or not. The protocol dictates that they must bet on the forkchoice rule only, but they may wish to bet on a different block (as, e.g., doing so could increase their chances of being elected leader in the future). In order to still maintain the validity of their blocks, doing so means they must eliminate references in their set so that their chosen block appears as the forkchoice rule (in accordance with the first check in ). Players are always better off, however, including as many blocks as possible in their references, as it increases the score of their block. Thus, they will remove references to blocks that have higher scores in order to make their block appear as the forkchoice rule, but not more than necessary.
For rational players, there is a tradeoff between not revealing their block (which raises their chance of having more winning blocks, as argued above) and revealing their block, which reduces their chance of having more winning blocks but increases their reward because it allows their block to have more references. Our simulation investigates this tradeoff. Regardless, the strategy of rational players is to grind through all possible blocks and broadcast the chain that maximizes their utility. Byzantine players, in contrast, do not try to maximize their profit, but instead play irrationally (i.e., they are not deterred by punishment).
7.2. Security arguments
According to the security properties in Section 4.3, we need to argue three things: convergence, chain quality, and robustness. We support these security properties with our simulation in Section 7.3 Before proving each security property, we first prove some general results about the protocol. Assume that two blocks and are two competing blocks with the same score, betting on the same block. We call the stronger chain the one with the higher score according to a hypothetical oracle node that collates the views of the blockDAG maintained by all participants. We assume that is the leaf of the stronger chain.
Claim 7.1 ().
On average, blocks added to the stronger chain add more to its score than blocks added on the weaker chain.
Proof.
Without loss of generality, we prove the result for two chains with the same score . For simplicity, we assume that the chains do not reference each other (e.g., chains and in Figure 3). By the definition of scoring in the (Algorithm 1), a block betting on the stronger chain adds a score of if the leader is aware of the leaf block on the weaker chain, and otherwise. (For example, adds a score of by referencing both and , and by referencing and if it is not aware of .) The block that they receive first has probability 0.5 of being stronger or weaker as the random beacon has uniform distribution, thus on average, the score added by one block to the stronger chain is .
On the weaker chain, in contrast, whether the leader is aware of the stronger leaf block or not does not matter since they cannot reference it while maintaining the validity of their block (according to the first check in ). Thus the score added to the weaker chain is , since that block references the stronger chain but not on its latest block. ∎
We show in Theorem 7.2 that for a given rank, all second witnesses share the same set of candidate blocks provided that . The idea is that whenever a block is finalized, all players have agreed on the current set of candidate blocks, and thus they should not accept any other candidate blocks at that rank (as required by the betting algorithm stated in Section 6).
Theorem 7.2 (Finality).
If , then once a block at rank is finalized, players agree on a list of candidate blocks for rank (i.e., this list cannot grow anymore).
Proof.
Assume there exist two finalized blocks and . Denote by the
witness block for , and by the second witness block for .
By the definition of finality, it must have been the case that more than
twothirds of participants placed bets on and , which in turn
implies that more than a third of them placed bets on both and .
Since only a third of participants are Byzantine,
this means that at least one nonByzantine player placed a bet on both blocks.
(Let’s recall that during the decentralized checkpointing the set of
players is fixed.)
NonByzantine players always reference their own block (since there is a large
punishment incurred if not); this means that there is one of
the witness blocks that references “across the chains”; i.e., such that
.
Without loss of generality, assume that . This means
that and thus .
Since more than twothirds of the participants bet on , by a similar
reasoning as above this means that at least one nonByzantine player placed
a bet on both and (before ). Thus, either (1)
references or (2) references . Because of the third check
in , however,
this second case is not possible: since is a witness block, cannot
reference it without betting on a justified block, and is not justified
before .
We refer the reader to graph 4 for a visual intuition of
this. Thus, it must be
the case that references .
Thus references both and for .
For a set of candidate blocks, all the second witness blocks thus reference all
candidate blocks (applying the previous analysis to all the candidates blocks
pairwise). So, after a candidate block is finalized, players must agree on the set
of candidate blocks for that rank.
We will investigate the longrange attack in the proof of the convergence
theorem.
∎
Next, we show convergence. Intuitively, the main argument here is that if an adversary tries to grow multiple chains to prevent altruistic players from agreeing on a main chain, altruistic players are still very likely to agree on a chain, since the score of the main chain grows faster than the score of other chains. Additonally, since an adversary is unlikely to be elected leader for a consecutive number of blocks, it is unlikely that other players will revert their main chain once they have agreed on one. Even if the adversary somehow manages to build their own private chain (by, e.g., using the proofofdelay or bribing old participants in a longrange attack), the decentralized checkpointing mechanism in Fantômette provides a notion of finality for blocks. Thus, by the time they succeed in mounting such an attack, it will be too late and other participants will not accept their chain.
Theorem 7.3 (Convergence).
Given a coalition of nonaltruistic players, we have: for every , there exists a chain of length and time such that: for all altruistic players and times : , except with negligible propability, where is the main chain of player at time .
Proof.
We start by showing that the length of the longest chain in the DAG, indeed grows.
This is relatively straightforward, and follows from the discussion around
liveness in Section 6.1. To summarize, even if a
Byzantine player is the only leader and chooses not to publish a block, after
some delay players will “redraw” the lottery and an altruistic player will be
chosen eventually.
We now calculate the worstcase growth rate of the main chain, which
happens when the adversary simply aborts. If an adversary controls players, then an
aborting player is elected leader with probability . This means that after
each block, the chain will grow normally with probability and will
grow with a delay of (where is the delay in the
proofofdelay) with probability .
Moreover since a block is propagated with a maximum delay of , we have
that the worst rate at which a block is created is .
However it could be the case that more than one chain grows in the DAG.
We now move on to prove the core of the protocol.
Let be an integer.
Due to the previous argument about the growth of the chain
and the semisynchrony assumption (all players receive a block
before slots), there exists a time
such that every honest player have
in their DAG at least one chain of length .
Let’s assume that there exists two such chains and .
We show that, with high probability, after some time one will be “dropped” and
thus for the remaining one we will have that
for every .
Let’s assume that players start creating blocks on both chains.
After some time less or equal than players will be aware of the
other chain and thus can start referencing it (remember that
is smaller than ).
Then it has to be the case that the score of one chain will grow faster
than the other one as shown in Claim 7.1 (even if both chain keep
growing).
Now, we argue why it is unlikely that both chain keep growing indefinitely.
The weaker chain grows only if the leader on that chain is either Byzantine
or hasn’t heard of the latest blocks on the other chain.
As explained in the proof of Claim 7.1 for every altruistic player,
for two chains of roughly the same length,
there’s half a chance that they receive the weaker chain first due to the unbiasability
and uniform distribution of the random beacon.
Thus for an altruistic player there’s half a chance that
they extend the weaker chain.
On the other hand, the stronger chain grows even if the elected leader received
the weaker one first (as long as they are not eligible on it, which happens with
probability ).
More formally, in the case where altruistic players are leaders on both chain,
the stronger one will be extended with probability
and the probability that the weaker chain grows is .
Thus it is more likely for an altruistic player to extend the stronger chain.
This explains why the strongest chain grows with higer probability.
Thus with high probability, there exists a time
such that altruistic players will stop extending the weaker chain.
After this time it is very unlikely that players
will revert their main chain to another chain.
Indeed an adversary that tries to revert the main chain does not succeed
except with negligible probability.
Let’s assume that at time , the difference between the main chain
and the chain that the adversary is trying to extend is .
To revert the chain, they
need to create a competitive DAG with at least references within the fork faster than the main chain
grows.
As gets biggers, the adversary will need to create more blocks privately and this attack becomes
less lilely to succeed as the probability of creating blocks privately decreases with (we will compute this probability in the proof of the next Theorem 7.4).
Here we assume that the proofofdelay is secure, i.e. that even an adversary
with enough power will not be able to compute a proofofdelay faster than expected.
Finally, as explained in Section 3.3, we must consider
longrange attacks, where an adversary rewrites the history by bribing old
participants. Because we add a decentralized checkpointing, this attack will not succeed.
Let’s assume that an adversary has bought old keys from previous participants
and rewrote the history of the blockchain with those.
When they receive this new chain, altruistic players are already
aware of at least one second witness block (as the reconfiguration
period has to start after a second witness block as explained in Section 6.1).
According to the betting rule in Section 6.1 once altruistic players know of a second witness block,
they will not bet on a block that does not bet on an associated candidate block.
Thus
altruistic players will never bet on the new adversarial chain.
This is also true for rational players since
when they see this new chain, they would have to
start ignoring all the blocks they have created in order to bet on it
(due to the fourth check in ),
thus losing most of their deposit.
Thus the chain created with old keys will not be accepted by current
participants.
We have thus shown that after time , altruistic
players have agreed on the main chain and that it’s very unlikley they will
revert to another main chain.
This proves the result.
∎
Next, we show chain quality. Intuitively, this results from the fact that a player is unlikely to be elected a winner for many consecutive blocks and that the proofofdelay is secure.
Theorem 7.4 (Chain quality).
A coalition of nonaltruistic players cannot contribute to a fraction of more than of the blocks in the main chain. Given our choice of values for the different parameter we have .
Proof.
The probability that an adversary controlling participants can contribute one block is . Thus we have that the probability that a player contributes exactly consecutive blocks, without grinding is . The expected number of consecutive blocks is thus
. (This is the case where a player redraw the lottery once each time they are elected leaders.) A quick estimation shows that for
big enough the expected number of consecutive blocks for a coalition of a third that plays honestly is 0.395. For a coalition that grinds, the idea is that they will “redraw” the lottery for each of their winning shares to try and create more blocks. The probability of creating a chain of exactly consecutive blocks when grinding is , where . (This is a sequence of Bernoulli trials where the number of trials is the number of successes on the previous round times .) Using the above probability, a player that grinds through all their blocks has an expectation of creating 0.42 blocks. This gives a value of . We will confirm this value in the simulation in the next section. We thus see that the advantage gained by grinding is limited, due to our leader election mechanism. Again, we assume that the proofofdelay is secure. ∎Finally, we show robustness. The main reason this holds is that, by following the protocol in betting on the , a block gets more references and thus has a higher score than a block not following the protocol. A coalition of players can gain a small advantage by grinding through all the blocks they can create, but when doing so they keep their chain private and thus prevent other players from referencing it. This in turn reduce the rewards associated with these blocks.
Theorem 7.5 (Robustness).
Proof.
In order to get an intuition behind the proof, we
first show that following the protocol is a Nash equilibrium.
Recall that the possible choices when elected leader are: (1) whether to bet or not,
(2) which leaves to include, and (3) when to broadcast their blocks.
We show that for each of these, if other players follow the protocol then a
player is incentivized to follow the protocol.
If the player is elected leader on the , we want to show that betting on it gives
them a higher probability of being a winner. This is because, by definition of the
(Algorithm 1), betting on it means betting on the stronger
chain. As argued in Claim 7.1, this will add more to
its score, and thus again by the definition of the it has a higher probability of
being the next block chosen by the . (It could still, however, lose against
another bet on the that has a smaller hash, but even in this case
the function still labels it as neutral.) This establishes (1).
By creating a block on top of a weaker chain, a player needs to ignore
the stronger chain, which means referencing fewer blocks (i.e.,
ignoring blocks of which they are aware). This means that their block will have
worse connectivity, however, and thus has a higher chance of being
labelled loser and thus getting a punishment. This is because, by the
definition of the anticone, worse connectivity means a bigger anticone, which
in turns means a bigger intersection with the set and thus, by the
definition of (Algorithm 2), a higher chance of being
labelled loser. This establishes (2).
To argue about (3), we now show why a rational player is incentivized to
reveal their block as soon as possible. By broadcasting their block as soon as they created it,
their blocks can get more references (since other player follow the protocol),
which again increases the probability of being a winner, and the expected
accompanying reward. (A single player has nothing to grind through.)
Now, in order to show that the protocol is robust, we show that a
coalition of rational players that deviate from the protocol to raise
their utility, can only do so by (resiliency).
We next show that a Byzantine adversary cannot decreases the utility
of honest players by more than (immunity).
Resiliency
We consider a coalition of a fraction of rational players. Because it is costless to create blocks, a rational coalition can clearly gain an advantage by grinding through all the blocks they can create in order to find a subDAG that increases their utility. However due to the restrictions imposed by the leader election and assuming the proofofdelay is secure the advantage they can gain is limited. As shown in Theorem 7.4, the expected number of blocks contributed by an adversary that adopts a grinding strategy is 0.42 versus 0.39 for a coalition that follows the rule. Rational participants can thus increase their gain from to . We thus achieve robustness with . This results will be confirmed by the simulations.
Immunity
We need to show that even in the case where a fraction of players behave completely irrationally, the outcome of the rest of the players stays unchanged. According to the utility functions, as defined in Section 6, there are three independant components to the utility function that an adversary could try to influence to harm altruistic players: (1) the term (2) the term and (3) the term. To harm the honest player, an adversary could try: (1) preventing an honest players from contributing blocks to the main chain; (2)(3) increasing the number of blocks from the honest players that gets punished by or . The adversary cannot incur any to the altruistic players since they cannot force them to ignore their own block, thus we only focus on case (1) and (2). To do (1) an adversary cannot indeed prevent players from creating blocks but once they produce it, they can try and create an alternative blockDAG so that the altruistic player’s block does not make it to the main chain. To do (2), the adversary could create an alternative blockDAG that does not reference altruistic players’ blocks to try and incur a punishment to their blocks. (According to the function defined in Section 6 a block gets a punishment if its anticone intersects the blue set for more than blocks and a block that has less connections to other blocks has a bigger anticone.) In both cases the Byzantine adversary harms a player the most when creating the biggest alternative blockDAG that does not reference altruistic players’ blocks.
To incur a punishment to the altruistic players
Byzantine players need to create a subDAG of more than blocks on their own,
where is the interconnectivity paramater.
Indeed if they do so then those blocks will be
in the anticone of an altruistic player that contributed a block
at that same time and will be labeled a loser according to
the algorithm in Section 6.1.
When choosing and using similar probabilities as in Theorem 7.4,
one can compute that
the probability of creating a subDAG of more than 3 blocks
is
.
An estimation of the previous probability gives
2.5% for an adversary that controls a third of the player.
This means that 2.5% of the blocks the adversary create can incur a punishment of to another player. Since on
average two third of the players should contribute to two third
of the blocks, we have that a third of Byzantine players will reduce the
payoff of the other players from to every hundred blocks.
With our numerical value of and we have that the payoff of the other players is reduced
by 67/52=1.29.
For a coalition of a quarter the above probability is 1%, bringing the above ratio
to 67/61=1.1. With ,
we conclude that a coalition of one quarter of Byzantine
player cannot harm the others since they cannot create an alternative blockDAG with
enough advantage.
The protocol is thus immune against a coalition of a quarter.
This will also be confirmed by our simulations Section 7.3.
∎
7.3. Simulations
We next present our simulations, that support and validate the proofs above. As stated in Section 4, we consider three types of players: Byzantine, altruistic, and rational. We simulate the game using different fractions of different types of players. Our simulation is written in Python, and consists of roughly 1,000 lines of code. All players start with the same deposit. To model network latency, we add random delays between the propagation of blocks amongst players. Following Decker and Wattenhofer (informationpropagation, )
, this random delay follow an exponential distribution. Each simulation that we run has 150 players and lasts for 5,000 time slots. All our results are averaged over
runs of the simulation.In addition to the balance of the types of players, there are several different parameters we need to consider: , the interconnectivity parameter;