Direct Acyclic Graph based Blockchain for Internet of Things: Performance and Security Analysis

05/27/2019 ∙ by Yixin Li, et al. ∙ University of Glasgow Shenzhen University NetEase, Inc 0

Direct Acyclic Graph (DAG) based blockchain and the corresponding consensus mechanism has been identified as a promising technology for Internet of Things (IoT). Compared with Proof-of-Work (PoW) and Proof-of-Stake (PoS) that have been widely used in the existing blockchains, the consensus mechanism designed based on DAG architecture (simply called as DAG consensus) can overcome some shortcomings such as high resource consumption, high transaction fee, low transaction throughput and long confirmation delay. However, the theoretic analysis on the DAG consensus is an untapped venue to be explored. To this end, based on one of the most typical DAG consensuses, Tangle, we investigate the impact of network load on the blockchain performance and security. Considering unsteady network load, we first propose a Markov chain model to capture the behavior of DAG consensus process under dynamic load conditions. The key performance metrics, i.e., cumulative weight and confirmation delay are analysed based on the proposed model. Then, we leverage a stochastic model to analyse the probability of a successful double-spending attack in different network load regimes. The results can provide insightful understanding of DAG consensus process, e.g., how the network load affects the confirmation delay and the probability of a successful attack. Meanwhile, we also demonstrate the trade-off between security level and confirmation delay, which can act as a guidance for practical deployment of DAG based blockchain systems.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 5

page 6

page 7

page 8

page 9

page 10

page 11

page 14

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Blockchain is a distributed ledger technology for establishing trust and consensus in peer-to-peer (P2P) networks. It is originally proposed in 2009 as the fundamental technology of crypto-currency, Bitcoin [1]. The decentralization provided by blockchain can be largely attributed to its consensus mechanism, which enables peer-to-peer trading in a distributed manner and leverages the computational power of whole network to ensure the immutability of the stored data. As such a safe decentralization solution, blockchain has been identified as a most promising technology to support the future digital society, and attracted much attention from both industry and academia.

Recently, blockchain has shown a great potential to be used in the Internet of Things (IoT) ecosystems, such as smart vehicles [2], energy trading [3], and supply chain [4]. Blockchain comes with characteristics of decentralization, high security, interoperation, and trust building, which can solve the problem of high cost of infrastructure and maintenance in the traditional centralized IoT systems. According to IBM report [5], to be safe, scalable and efficient, the centralized IoT cloud systems will be transformed to blockchain enabled decentralized systems by 2025.

It is well-known that consensus mechanism plays a key role to establish a blockchain enabled IoT system, which motivates the nodes in the network to efficiently and securely insert the new block into the chain [6]. Considering the IoT systems are typically resource-limited and large-scale, the consensus mechanism adopted in IoT systems must be resource efficiency, low cost and can support high transaction throughput. To this end, we first review the main ideas of two widely used consensus mechanisms in blockchain and discuss their viability for IoT systems.

Proof-of-Work (PoW) based consensus mechanism [7]: The core idea of PoW is the competition of computational power. The miners constantly perform hash algorithm to compete for the right to generate the new block with bonus. The winner is the first miner who obtains a hash value that is lower than the announced target. On the one hand, the computational complexity in PoW must be high enough for preventing forking. But on the other hand, the high computational complexity would cause the deteriorated and meaningless energy consumption.

Proof-of-Stake (PoS) based consensus mechanism [8]: Unlike PoW that relies on computing capability, coin age is used in PoS to avoid the high computational cost of hash operation. The coin age of an unspent asset is defined as its value multiplied by the time period after it was created. In PoS, a higher coin age will result in a higher probability to obtain the right of creating a new block, and in turn the coin age would be consumed (reset as zero) when the winner receives rewards. Since the probability to win is directly determined by coin age, PoS is beneficial to the wealthy miner, and might cause monopoly, which may result in the generation of powerful third party.

Both PoW and PoS work on a “single chain” architecture, where forking is illegal [7]. To reduce the probability of forking and maintain a single version of blockchain ledger among all nodes in the network, the consensus mechanism must slow down the generation rate of new blocks. This design principle causes some bottlenecks of applying blockchain to IoT systems as follows. (i) Resource consumption: the two consensus mechanism need much computational power or coinage, which is too costly for IoT systems deployment. (ii) High Transaction fee: high resource consumption leads to professional and powerful miners. It is a heavy burden to feedback the miners in the IoT systems with frequent micropayments. (iii) Throughput limitation: the capacity and the generation rate of blocks are limited, thus, the transaction throughput is usually limited to dozens, e.g., 7 TPS in Bitcoin [1] and 20 to 30 TPS in Ethereum [9], which is unable to respond to the exponential growth of IoT devices and needs. (iv) Confirmation delay: the confirmation delay is too long for IoT applications, e.g., 60 minutes in Bitcoin and 3 minutes in Ethereum.

Fig. 1: Consensus process of a new transaction

To overcome the above shortcomings of PoW and PoS, DAG consensus is originally proposed in [10] and allows any node to insert a new block into the ledger immediately, as long as they process the earlier transactions. In this way, many forkings would be generated simultaneously. This phenomenon is regarded as a problem in many traditional consensus process since it would cause “double-spending” [11]. However, DAG consensuses use some effective algorithms (e.g., Markov Chain Monte Carlo algorithm [12] and virtual voting algorithm [14]) to address double-spending problem and allow new arrival transactions access the blockchain network in a forking topology. As a result, the confirmation rate and transaction throughput in DAG consensus process will not be limited anymore. Moreover, unlike the single chain design in PoW or PoS, the data stored in DAG is protected by massive forking blocks, thus, the average resource consumption on each node could be very low. Accordingly, the professional miner is not necessary and low or no transaction fee is possible, which is critical to IoT ecosystems.

Despite many advantages for IoT, DAG consensus also faces some challenges. In practical IoT systems, it is impossible that the new transaction arrives quickly and steadily all the time. When the transaction arrival rate becomes low, the confirmation delay will increase significantly since the earlier transactions must wait for the new transactions to process. In [12], the growth curves of cumulative weight in high load and low load regimes are analysed, which are shown in Fig. 1, where represents transaction arrival rate (transactions per second). The cumulative weight relates to confirmation level, and when it reaches the defined threshold, the transaction is confirmed. We can see that the growth rate of cumulative weight in low load regime is much lower than that in high load regime, which will result in a long confirmation delay. In fact, the network load is determined by transaction arrival rate which could be fluctuant in practical IoT systems. In such an unsteady load regime, the performance of DAG consensus process becomes more complicated. Moreover, the network load will also affect the security of system, where a lower load will result in less cumulative blocks, and thus lead to a higher probability of a successful double-spending attack.

Inspired by these observations, this paper aims to investigate the impact of network load on the system performance and security in DAG consensus in an analytical manner. First, we introduce a Markov chain model to capture the impact of network load on the performance of DAG consensus process in terms of cumulative weight growth rate and confirmation delay. Then, we formulate attack strategies and leverage a stochastic model to examine the probability of a successful double-spending attack in different network load regimes. The analytical models and results can provide an insightful understanding of the performance and security in the DAG consensus. The main contributions of this paper can be summarized as follows.

  • We point out the impact of network load on the performance and security of DAG consensus. By classifying four network load regimes, we reflect this impact in a qualitative and quantitative manner.

  • Considering the characteristics of fluctuant network load in practical IoT contexts, we propose Markov chain model for DAG consensus process and capture the dynamic changing of the load mathematically. The proposed model demonstrates the relationship between the action of nodes in DAG network and the corresponding influence to system performance, which offers an insightful observation of DAG consensus process.

  • We examine the attack strategy based on network load using a stochastic model, and derive the expression of the probability to conduct a successful double-spending attack. The equations can indicate the required computational power of attacker for double-spending in different load regimes. This analysis clearly explains the malicious action of attacker, and thus serves as a theoretical guidance to protect the honest transactions.

  • Through extensive experiments, we validate our analysis and obtain insightful results: (i) when the network load changes from high to low, the confirmation delay will be very long (say longer than low load regime). In contrast, when the load changes from low to high, the confirmation happens very fast. (ii) the adaptation period (introduced in section IV) in consensus process can be used to increase the probability of a successful attack. (iii) the trade-off between security level and confirmation delay can provide a guideline to find a suitable confirmation threshold for blockchain protocol design.

The rest of this paper is organized as follows. Section II provides some basic principles in DAG based blockchain. Section III we introduce the Markov chain model for consensus process. Based on the proposed model, Section IV analyses the performance in terms of cumulative weight growth and confirmation delay under different network load regimes. Section V introduces the double-spending attack in Tangle, and use a stochastic model to study the attack process. In Section VI, we examine the attack strategy in DAG consensus process and obtain the probability of a successful attack under different network load regimes. Section VII conducts some experiments for comparisons and discussions. Section VIII reviews some related work, and finally, Section IX concludes the whole paper.

Ii Preliminaries

Ii-a The Basic Principles

The principle of DAG consensus is to attach the new transactions in a forking topology. Under such design, there are several proposed consensus mechanisms, such as Tangle [12], Byteball [13] and Hashgraph [14]. Among them, Tangle is the first proposed one that has attracted much attention in IoT field, and it has the highest market capitalization in DAG based blockchains [15]. Therefore, we adopt it as a typical example to examine DAG consensus process in this paper.

Fig. 2: An example of consensus process in Tangle

Tangle is the mathematical foundation of IOTA, a cryptocurrency for the IoT industry [12]. As a DAG based ledger for recording transactions, Tangle allows different branches to eventually merge into the chain, and thus leads to a much higher overall throughput compared with PoW and PoS based mechanisms. In Tangle, to access the network as a new block, any new transaction has to approve a number of earlier transactions (typically two [12]). Thanks to this, the higher transaction arrival rate, the faster transactions can be confirmed. Moreover, since the workload to create a new block is light, the powerful professional miners are not necessary in Tangle. As a result, all nodes can issue their own transactions without transaction fee. This is critical to the IoT applications, since micro-payments are typical trading scenarios. Some basic concepts in Tangle are listed as follows, and also illustrated in Fig. 2.

Block: all the blocks in Fig. 2 are the storage units to record information including transaction, digital signature, and hash value. Since one block records one transaction in Tangle, a block can be simply called as a transaction. Tip: it is the transaction (or block) which has not been approved yet. Direct approval and indirect approval: as shown in Fig. 2, each edge represents an approval, a direct edge indicates the direct approval, and a path between two transactions with multi-hop indicates the indirect approval. Own weight: the own weight of a transaction is proportional to the amount of work which is put in by its issuer. Cumulative weight: it is the sum of a transaction’s own weight and the overall own weights of the transactions that directly or indirectly approve it. Cumulative weight stands for the confirmation level of a transaction in Tangle network.

Fig. 3: Longest chain in PoW vs. Heaviest Tangle in DAG consensus

Ii-B Consensus Process

To issue a new transaction and let the other nodes accept it (i.e., reach an agreement for the consensus), the main procedures are listed as follows. (i) A node creates a storage unit to store the new transaction. (ii) The node selects two tips with no-conflict according to Markov Chain Monte Carlo (MCMC) tips selection algorithm [12], and adds the hash of the selected tips into its storage unit. (iii) The node finds a nonce to solve a cryptographic puzzle to meet the difficulty target, which is similar to PoW but with a very low difficulty-of-work for avoiding spamming. (iv) The node uses its private key to sign the new transaction and broadcasts it to others. (v) When the other nodes receive it, they check whether it is legal or not based on the digital signature and nonce. For simplicity of later analysis, we define procedures (i) to (v) as the reveal stage of a new transaction.

After that, the successfully checked new transaction will be added as a new tip in DAG based ledger, and then wait for confirmation through direct approval and indirect approval of subsequent transactions till its cumulative weight reaches the defined threshold. This process is defined as the weight accumulation stage of a new transaction.

(1)

Ii-C Forking Problem and the Solution

In blockchain, building forking to redo the work is the only way to tamper the data stored in the public ledger. Therefore, to address forking for security, the single chain based blockchain (e.g., Bitcoin) uses the longest chain as the criterion, which is shown in Fig. 3. To maximize its profit, a rational miner should work on the longest chain when forking occurs, since the longest chain has the lowest probability to be orphaned [7]. In Tangle, although DAG based forking topology can support a high performance in consensus process, the forking also should be limited into a reasonable scale for preventing double-spending. Similar with Bitcoin, IOTA uses the heaviest Tangle to address forking problem (sub-Tangle). To this end, a rational node in DAG network should use the MCMC tip selection algorithm to extend the heaviest Tangle, which has the highest overall cumulative weight. Meanwhile, the sub-Tangle with less overall cumulative weight will not be approved by new transactions gradually. In summary, the honest miners in Bitcoin and the honest nodes in Tangle use its own computational power to prevent data from tampering.

Iii Markov Chain Model for Consensus Process

In this section, we propose a Markov chain model to analyse the consensus process of an observed transaction under unsteady network load regimes.

Iii-a System Model

Recall we have divided the consensus process of an observed transaction in Tangle into two stages: reveal stage and weight accumulation stage. Reveal stage is to attach the observed transaction into DAG based ledger, so that the transaction can be seen by all nodes. Let the average duration time in reveal stage be , which is determined by the computation and transmission time. In weight accumulation stage, the cumulative weight of the observed transaction increases from its own weight to confirmation threshold (denoted by ) gradually. Without loss of generality, we normalize the average own weight of each transaction into , and thus the cumulative weight of the observed transaction is plus the overall number of transactions that directly or indirectly approve it.

Considering the nodes in Tangle system are roughly independently distributed in a large scale IoT network, it is reasonable to assume the new transaction arrival follows Poisson process. Let be the arrival rate of the new transactions issued by the honest nodes. When a new transaction arrives, it will select two tips using MCMC algorithm. The principle of MCMC algorithm is to independently place some particles on the old transactions of Tangle ledger and let these particles perform random walks towards the tips. To orphan the sub-Tangle, the particles prefer to go through the transactions with a higher cumulative weight. Since the difference of cumulative weight among neighbouring transactions in the heaviest Tangle is very small, we can approximatively consider that each tip in the heaviest Tangle can be randomly selected by MCMC algorithm with equal probability. On the other hand, the overall cumulative weight of the heaviest Tangle is much larger than that of the sub-Tangle, so that MCMC algorithm will choose tips in the heaviest Tangle and the sub-Tangle generated by attacker will be orphaned.

Moreover, to analyse the impact of network load, we classify the network load into four regimes: High load Regime (HR), Low load Regime (LR), High to Low load Regime (H2LR) and Low to High load Regime (L2HR) as follows.

Iii-B High Load Regime with Steady State

The network load (transaction arrival rate) keeps steady in this regime. Let be the average interarrival time between two transactions. When , it means that the network load is high, and it is defined as HR. In Tangle, after a new transaction directly approves two tips, it will be a new tip and the selected two will be covered (they are no longer tips and the other incoming transactions should not directly approve them). However, when , many new transactions would arrive at the reveal stage of earlier transactions, and the tips selected by earlier transactions have not been broadcast to network. As a result, it is probable that the same tip will be directly approved by several different transactions, and thus the number of tips will keep steady, intuitively.

Let be the number of tips in the heaviest Tangle at time . According to the analysis in [12], fluctuates around a constant value . Based on the stability of tips, we have . Meanwhile, we know that there are new transactions arrive during to on average. As a result, at time , new tips in will replace old tips in . Therefore, we can rewrite , where are the remained old tips, and are the tips chosen by the new transactions during to (they are not tips anymore, but other nodes do not know at this time).

Moreover, when a new transaction arrives at time , it would select tips randomly from . Since are not tips anymore, tips selection from or would affect the number of in the future. If the new transaction selects zero tip in , will increase by ; if it selects one tip in , will remain unchange; otherwise, will decrease by . The expected number of selected tips in can be calculated in equation (1). Based on the stability of , we have . Thus, and .

Iii-C Low Load Regime with Steady State

Compared with HR, LR is the situation when . In this case, when a new transaction arrives, the earlier transactions have revealed to DAG network in expectation. Since one transaction covers two tips, the typical number of tips in this regime will decline, and becomes finally. Note that is also available in LR, where based on .

Iii-D High to Low Load Regime with Unsteady State

The consensus process of an observed transaction in steady regime (i.e., HR and LR) have been explored in [12]. In this paper, we focus on the consensus process in unsteady state. The transaction arrival rate is steady in HR and LR, which can be denoted by and , respectively. When the new transaction arrival rate changes from to suddenly, it is an unsteady state and defined as H2LR. Accordingly, the number of tips will decrease from (denoted by ) to gradually.

As a metric of confirmation level, let be a stochastic process representing the cumulative weight of an observed transaction at time . It will increase with the approval of new transactions over time. Meanwhile, the probability to approve the observed transaction is affected by the number of tips based on random selection, and is also a stochastic process. Therefore, when the transaction arrival rate becomes low, we can have the value of

at the next moment only depends on the present and is independent of the past. Furthermore, when the transaction arrival rate is low, we can approximatively consider that the transactions attach to DAG network one by one. Therefore,

can be formulated as a discrete-time Markov chain , where the state changes with the arrival of each new transaction.

Fig. 4: Markov Chain model for the consensus process of an observed transaction under H2LR.

The Markov chain model for an observed transaction under H2LR is shown in Fig. 4. The initial state represents that the observed transaction reveals to DAG network under HR, where , . The observed transaction is confirmed when , where . In each new transaction arrival interval, of the observed transaction will remain the same or increase by based on the result of random selection. Since the new transaction will choose two tips from randomly, the probability to select the observed transaction for is . Alteratively, the probability of not being selected for is . When the new transaction approves two tips, it will be a new tip and the selected two are not tips anymore. In this case, will decrease by in each arrival interval until . Especially, when reduces to , the observed transaction will be approved by the incoming transaction with probability , and thus will increase by and will decrease by . In the following, remains and increases linearly with speed . Based on above analysis, the one-step transition probabilities can be given by

(2)

We adopt the short notation, where .

The first equation in (2) stands for the situation that the observed transaction has been approved by an incoming new transaction, thus and . The second equation stands for the situation that the observed transaction has not been approved, so and . The third indicates that H2LR has transferred to LR. The observed transaction will be approved by the following new transactions with probability , since it has been indirectly approved by all tips.

Note that the above dissuasion is based on the worst case under H2LR, where transaction arrival rate changes from to as soon as the observed transaction reveals in the network and . In contrast, the best case in this regime is that transaction arrival rate changes from to when , which is similar to the consensus process under HR. Moreover, the jump point of transaction arrival rate can be extended to any time by integrating the analysis of HR in [12] and the proposed Markov chain model in H2LR.

Iii-E Low to High Load Regime with Unsteady State

Fig. 5: Markov Chain model for the consensus process of an observed transaction under L2HR.

Compared with H2LR, L2HR happens when the arrival rate increases from to . Accordingly, the number of tips increases from 1 to gradually.

The Markov chain model for an observed transaction under L2HR is illustrated in Fig. 5. Since the observed transaction reveals under LR where , it is fully covered and will be directly or indirectly approved by all the new transactions. As a result, will increase linearly with speed regardless of . The transition probabilities under L2HR are shown as follows.

(3)

where .

Similarly, we use this model to capture the best case in L2HR where transaction arrival rate changes from to when . In contrast, the worst case in L2HR is that transaction arrival rate changes from to when , which can be referred to the consensus process under LR.

Iv Performance Analysis

In the section, we analyse the performance of consensus process in terms of cumulative weight and confirmation delay respectively based on the proposed Markov chain model.

Iv-a Cumulative Weight

HR: The growth of cumulative weight under steady states, HR and LR, has been discussed in previous work [12]. We briefly review this work as the preliminaries to provide further analysis of confirmation delay and double-spending. The cumulative weight of an observed transaction begins to grow when the reveal stage ends. In HR, the weight accumulation stage has two period: adaptation period and linear growth period. The adaptation period of an observed transaction can be thought as the time until almost all the tips indirectly approve that transaction. The expected cumulative weight of an observed transaction grows with during adaptation period [12]. Next, when the adaptation period ends, all incoming transactions will indirectly approve the observed transaction, and the expected cumulative weight grows with speed , which is called as linear growth period. Let be the duration time of adaptation period. The adaptation period ends when cumulative growth rate becomes , namely . Accordingly, we can obtain and . Hence, the cumulative weight growth of an observed transaction in this regime is

(4)

LR: Since in LR, the incoming new transactions will approve the observed transaction with probability . Consequently, the average cumulative weight growth rate is in this regime. The expected cumulative weight in LR at time can be expressed as

(5)

H2LR: As shown in Fig. 4, when , each column of the state transition diagram stands for all possible states at a specific step . For example, when , the possible state is ; when , the possible states are and ; when , the possible states are . In the case of , the number of possible states will remain . For example, if the step moves from to , the cumulative weight of all possible states will increase by simultaneously, i.e., change from to . The reason is that the observed transaction has been indirectly approved by all tips when .

Based on this, we could obtain the expected cumulative weight at step in H2LR as

(6)

where , and is the -step transition probability which can be calculated from equation (2). If and only if is a possible state at step , the corresponding -step transition probability is greater than .

As mentioned before, the new transaction arrival is a Poisson process. Let be the sequence of interarrival times between two neighboring transactions, where

are independent and identically distributed exponential random variables with mean

under H2LR. According to , equation (6) can be transformed as the expected cumulative weight at time as follows.

(7)

where .

L2HR: In this regime, due to , all new incoming transactions will direct and indirectly approve the observed transaction. As a result, increases by with probability in each transaction arrival interval. The expected cumulative weight with in L2HR is

(8)

The expected cumulative weight in L2HR at time can be expressed as

(9)

where .

Iv-B Confirmation Delay

Confirmation delay is the time from to .

(10)

HR: Let be the expected confirmation delay in HR. Based on equation (4), if confirmation threshold , the observed transaction will be confirmed during adaptation period. Accordingly, we have . Otherwise, the confirmation will happen during linear growth period, where . We can obtain that

(11)

LR: Let be the expected confirmation delay in this regime. Based on the cumulative weight growth of LR in equation (5), we can obtain that

(12)

where .

H2LR: As shown in Fig. 4, there are various paths from the initial state to the confirmation state . Among them, the green path with short dashed is the shortest one, where the transaction will be approved by new incoming transactions with the smallest expected confirmation delay. In contrast, the red path with long dashed is the longest confirmation path that goes through new transactions. Let be the expected confirmation delay in H2LR, which can be expressed as equation (10). Note that is the probability . As shown in Fig. 6, in the case of , the consensus process cannot go through the repeated confirmation path, according to the definition of confirmation delay. Hence, the first line in equation (10) is to ensure that the observed transaction reaches confirmation though the valid pathes in Fig. 6. In the case of , {} is the only state for confirmation.

Fig. 6: Simplified Markov Chain model in H2LR; and

L2HR: In this regime, the cumulative weight of an observed transaction increases by with probability in each transaction arrival interval. The expected confirmation delay in L2HR can be expressed as follows.

(13)

where .

V Double-spending Attack Model

In this section, we first introduce the most typical double-spending attack in Tangle. Then, we use stochastic model to examine the probability of a successful double-spending attack in Tangle network.

V-a Attack Descriptions and Assumptions

In preliminaries, we mentioned that Tangle uses the cumulative computational power of honest nodes to prevent data from tampering, and meanwhile, the cumulative computational power is proportional to cumulative weight. When the transaction arrival rate is low, the cumulative weight growth rate will decrease, and it would be easy for attacker to outweigh the cumulative weight of the branch maintained by the honest nodes for double-spending. Moreover, as we analysed before, the consensus process is affected by network load. Therefore, a rational attacker would optimise its strategy by considering network load to increase the success probability.

Fig. 7: Parasite chain for double-spending attack

To systematically analyse this security problem, we introduce the most typical double-spending attack in Tangle, the parasite chain attack, which is shown in Fig. 7.

  1. Let be the time when the attacker sends a payment to a merchant and the honest nodes begin to approve it.

  2. Let be the time when the attacker builds an offline branch (called as parasite chain) without any honest node knows that, which contains a transaction that conflicts with the payment. Note that this could be acted before , in an other word, or are both allowed (we will analyse these two cases later).

  3. The attacker continually uses its computational power to perform hash operation, and issues new transaction to extends the parasite chain for increasing its overall cumulative weight.

  4. Let be the time when the payment for merchant reaches confirmation threshold , so the merchant sends goods to the attacker.

  5. As long as the cumulative weight of the parasite chain outweighs the honest chain after , the attacker will broadcast the parasite chain to the whole Tangle network. The honest nodes will select the parasite chain gradually based on MCMC algorithm. The payment for merchant will be orphaned finally, but the goods (e.g., a piece of useful message) have already been sent to the attacker, so the double-spending attack is successful.

Next, we present the assumptions for double-spending analysis. Assume that the process of incoming new transactions issued by honest nodes follows a Poisson process with . Assume that the time of an attacker to perform hash algorithm to meet the targets111The targets are the hash value which begin with a specified number of zero bits announced by system.

is exponentially distributed having mean

[7].

Proof: according to the widely used Keccak-384 hash algorithm [16], all results of hash algorithm are in . As a result, the probability to meet the target is

(14)

Considering the current hashrate of mining pool is in Mar. 2019 [17], the practical hash operation progress () is still much less than . Meanwhile, since the hashrate of honest nodes and attackers in Tangle are much less than mining pool usually, the impact of hash operation progress on the probability to meet the target is negligible. This means hash operation process can be treated as memoryless.

V-B Probability of A Successful Attack

Based on the previous assumption of the own weight of each transaction is , the attack would be successful when the number of transactions issued by attacker are more than that by honest nodes after .

We can divide the competition process between the attacker and honest nodes into multiple rounds. Each round depicts the overall number of issued transactions increasing by . Suppose the attacker creates a parasite chain by extending tips at . The competition begins and the overall number of issued transactions at two branch is at this moment.

Let denote the sequence of interarrival times between two neighbouring transactions, where are independent identically distributed exponential random variables with mean . Let be the sequence of interarrival times of transactions issued by the attacker, where are independent identically distributed exponential random variables with mean .

In the first round, according to [18], we can obtain the probability that one exponential random variable is smaller than another as follows.

(15)
(16)

In the second round, if the first transaction is issued by honest nodes, we have

(17)

Alternatively, if the first transaction is issued by the attacker, we have

(18)

Generally, in any round, we have

(19)
(20)

Let the probability in (19) be and that in (20) be , the attack process can be treated as independent Bernoulli trials.

Accordingly, we analyse the attack process before . In this process, the attacker cannot broadcast its parasite chain even if it outweighs the honest chain at some point, since the merchant has not sent goods yet. Let be the number of transactions issued by honest nodes from to , and be the possible number of transactions issued by the attacker when the honest nodes have issued

transactions. Based on negative binomial distribution theory

[11], the probability mass function of can be given as

(21)

If , the parasite chain double-spending attack will succeed at . Otherwise, in order to win, the attacker should catch up the difference of issued transactions until the parasite chain outweighs the honest chain after . This event is analogous to a Gambler’s Ruin problem [11], the attacker should catch up the difference of transactions at least, and the corresponding probability to catch up is shown as follows,

(22)

In summary, the probability of a successful double-spending attack when is

(23)

Especially, when , the attacker should build the parasite chain as soon as the honest payment is confirmed, and in this case we can have . As a result, the competition before disappears. However, in order to outweigh honest chain, the attacker also should outpace honest nodes by transaction at least after . The probability of a successful attack in the case of is

(24)

By integrating equations (23) and (24), the probability of a successful double-spending attack is

(25)

where , .

Vi Security Analysis

In this section, we analyse the strategy to increase the probability of a successful parasite chain attack on the perspective of attacker. Based on equation (25), the probability of a successful attack is identically equal to when (i.e., ). So we only analyse the situation when .

Vi-a Attack Strategy

Vi-A1 How to attach the parasite chain into Tangle

If the attacker builds a parasite chain on earlier transactions that have been approved by some other transactions at , it needs to catch up the difference between the honest chain and its own from the start, which is generated by the number of transactions from the selected earlier transactions to tips. Let the difference be , at , the attacker should issue at least to succeed. Otherwise, after , the attacker should catch up the difference of transactions. The corresponding probability is

(26)

Especially, when , the attacker should catch up the difference of transactions at least after . The probability of a successful attack for is .

In summary, in the case of earlier transactions selection, the probability of a successful attack is

(27)
Fig. 8: Probability of a successful attack (log scale) vs.
Fig. 9: Probability of a successful attack (log scale) vs.

As a case study, let , the results in Fig. 8 clearly illustrate that the probability of a successful attack decreases with , which shows the impact of on the attack. Moreover, we can see that is generated when the attacker does not choose tips to build the parasite chain. As a result, it is a natural option to choose tips for the attacker if possible, which can increase the probability of a successful attack with the minimum .

Vi-A2 Minimize the number of transactions of honest chain from to

Intuitively, when , the transaction arrival rate on the honest chain is higher than that of parasite chain, and thus the probability of a successful attack would be declined with the increasing of on the honest chain from to . Different from the previous case that shows the impact of , we conduct another case study to investigate the impact of on the probability of a successful attack based on (27), where .

In Fig. 9, we can see that the probability of a successful attack declines obviously with the increasing of , the reason is that the larger indicates the higher cumulative weight of honest chain and it would be safer. As a result, the attacker should invest much more computational power against the larger , otherwise, it is difficult to succeed.

Therefore, the attacker should also minimize to optimise its attack strategy. Moreover, we know that is determined by the time in attack process shown in Fig. 10, and thus the attacker can adjust its action at the right time to minimize as follows. Denote the number of transactions issued by honest nodes from to as , it is a constant value for a specific attack. As shown in Fig. 10, in order to decrease , we can see that the duration between and is the less the better when . In contrast, it is the more the better when .

However, the attacker cannot defer indefinitely for decreasing . By comparing Fig. 8 (the lowest value shown is ) with Fig. 9 (the lowest value shown is ), we could notice that the decline rate of probability in Fig. 8 is faster than that in Fig. 9, which reflects the impact of is higher than . Therefore, to maximize success probability, the attacker should first follow the strategy of building the parasite chain on tips to minimize , then postpone to the time before the honest payment has been indirectly approved by all the tips. Since if is later than that time, the parasite chain for double-spending will indirectly approve the honest payment, and the attack cannot succeed.

In summary, to launch a better parasite chain attack, the attacker should minimize and by choosing the tips to build a parasite chain at the last time before the honest payment has been indirectly approved by all tips.

Vi-B Adopt Attack Strategy in Different Load Regimes

Next, we analyse how to determine the strategy to increase the probability of a successful attack according to the network load. To distinguish the impact of network load on and , let , in HR and , in LR, respectively.

HR: According to the physics meaning of adaptation period in Section IV, the attacker should build the parasite chain at the end of adaptation period, which is the best time for . At this moment, the honest payment will be indirectly approved by all tips very soon, and the expected cumulative weight of the honest payment at is . Meanwhile, based on the definition of , we have . Let , we can obtain the probability of a successful attack in HR based on equation (25), which is expressed as follows.

(28)

LR: As mentioned before, the DAG based ledger can be treated as a single chain since in this regime. The honest payment is indirectly approved by all tips at . According to the analysis of attack strategy, we can know the best in LR is . However, since the honest payment is the only tip as soon as it reveals, the attacker can only attach the parasite chain before it, and thus the best case is . Meanwhile, since the own weight of honest payment is , we can obtain that . Based on , we have . Using equation (27), the probability of a successful attack in LR is

(29)
Fig. 10: The influence of and on

H2LR: In this regime, the number of tips would decrease from to finally. The honest payment will be indirectly approved by all tips when the number of tips becomes , and the attacker should build the parasite chain at this moment. According to the Markov chain in Fig. 4, we can obtain the possible states of the honest payment at is , where . Accordingly, after , the honest payment needs